Fail2ban firewall-cmd ipset is not blocking

Fail2ban has accumulated a fairly large list of IPs to ban.

# fail2ban-client banned
[{'sshd': ['101.126.34.231', '106.58.179.182', '117.50.187.153', '119.91.54.127', '121.250.190.129', '124.220.15.172', '124.230.124.250', '141.98.11.169', '143.42.206.215', '178.128.176.210', '178.242.168.227', '178.79.139.171', '180.101.88.197', '180.101.88.236', '182.155.240.180', '185.196.10.93', '185.196.9.45', '188.126.89.85', '218.92.0.112', '218.92.0.113', '218.92.0.118', '218.92.0.22', '218.92.0.27', '218.92.0.29', '218.92.0.33', '218.92.0.34', '218.92.0.40', '218.92.0.43', '218.92.0.52', '218.92.0.53', '218.92.0.55', '218.92.0.56', '218.92.0.76', '220.119.65.20', '27.150.190.3', '35.175.150.123', '36.88.46.154', '37.201.181.129', '43.136.107.134', '47.107.35.168', '47.242.46.55', '61.177.172.179', '68.183.207.53', '70.44.38.158', '78.159.117.241', '79.124.62.59', '79.27.58.101', '82.64.25.86', '85.209.11.254', '85.209.11.27', '87.92.88.193', '88.153.31.218', '170.64.189.121', '170.64.202.148', '170.64.150.4', '101.43.214.76', '79.95.123.68', '116.110.12.221', '61.177.203.30', '61.177.172.160', '159.89.108.180', '218.92.0.107', '218.92.0.28', '180.101.88.196', '218.92.0.45', '211.252.161.44', '201.17.133.138', '218.92.0.51', '51.12.86.255', '218.92.0.24']}]

However, I noticed that it creates rich rules in the firewall that specifically block only port 22. I would prefer to block the IP completely.

I found firewallcmd-ipset, which looked promising, i.e. a complete ban, but when I set banaction to it, banning stops.

# cat /etc/fail2ban/jail.d/local.conf 
[DEFAULT]
bantime = 48h
ignoreip = 127.0.0.1/8 ::1 192.168.0.1/24
banaction = firewallcmd-ipset
banaction_allports = firewallcmd-ipset

[sshd]
enabled = true
mode = aggressive

# systemctl reload-or-restart fail2ban
# firewall-cmd --get-ipsets

A. Since fail2ban-client banned still lists the IPs, wouldn't they simply be re-applied when Fail2ban is reloaded?

Restoring the configuration doesn't seem to recreate the rich rules either.

B. How should I configure fail2ban so that it blocks an IP completely, not just when that IP connects to port 22?

It seems that setting up the ban the way I did doesn't help.

Version information:

# dnf info fail2ban
Last metadata expiration check: 1:32:01 ago on Wed 14 Feb 2024 02:16:34 PM CET.
Installed Packages
Name         : fail2ban
Version      : 1.0.2
Release      : 7.el9
Architecture : noarch
Size         : 0.0  
Source       : fail2ban-1.0.2-7.el9.src.rpm
Repository   : @System
From repo    : epel
Summary      : Daemon to ban hosts that cause multiple authentication errors
URL          : http://fail2ban.sourceforge.net/
License      : GPLv2+
Description  : Fail2Ban scans log files and bans IP addresses that makes too many password
             : failures. It updates firewall rules to reject the IP address. These rules can
             : be defined by the user. Fail2Ban can read multiple log files such as sshd or
             : Apache web server ones.
             : 
             : Fail2Ban is able to reduce the rate of incorrect authentications attempts
             : however it cannot eliminate the risk that weak authentication presents.
             : Configure services to use only two factor or public/private authentication
             : mechanisms if you really want to protect services.
             : 
             : This is a meta-package that will install the default configuration.  Other
             : sub-packages are available to install support for other actions and
             : configurations.

Manual banning with rich_rules seems to work.

# fail2ban-client -vvv set sshd banip 1.2.3.4
 +  128 7FA2A3E7F740 fail2ban.configreader     INFO  Loading configs for fail2ban under /etc/fail2ban 
 +  129 7FA2A3E7F740 fail2ban.configreader     DEBUG Reading configs for fail2ban under /etc/fail2ban 
 +  130 7FA2A3E7F740 fail2ban.configreader     DEBUG Reading config files: /etc/fail2ban/fail2ban.conf
 +  130 7FA2A3E7F740 fail2ban.configparserinc  INFO    Loading files: ['/etc/fail2ban/fail2ban.conf']
 +  131 7FA2A3E7F740 fail2ban.configparserinc  TRACE     Reading file: /etc/fail2ban/fail2ban.conf
 +  132 7FA2A3E7F740 fail2ban.configparserinc  INFO    Loading files: ['/etc/fail2ban/fail2ban.conf']
 +  132 7FA2A3E7F740 fail2ban.configparserinc  TRACE     Shared file: /etc/fail2ban/fail2ban.conf
 +  132 7FA2A3E7F740 fail2ban                  INFO  Using socket file /var/run/fail2ban/fail2ban.sock
 +  132 7FA2A3E7F740 fail2ban                  INFO  Using pid file /var/run/fail2ban/fail2ban.pid, [INFO] logging to /var/log/fail2ban.log
 +  133 7FA2A3E7F740 fail2ban                  HEAVY CMD: ['set', 'sshd', 'banip', '1.2.3.4']
 + 5092 7FA2A3E7F740 fail2ban                  HEAVY OK : 1
 + 5092 7FA2A3E7F740 fail2ban.beautifier       HEAVY Beautify 1 with ['set', 'sshd', 'banip', '1.2.3.4']
1
 + 5093 7FA2A3E7F740 fail2ban                  DEBUG Exit with code 0
# grep 1.2.3.4 /var/log/fail2ban.log
2024-02-22 10:13:10,387 fail2ban.actions        [1023]: NOTICE  [sshd] Ban 1.2.3.4
# firewall-cmd --list-all | tail -2
  rich rules: 
    rule family="ipv4" source address="1.2.3.4" port port="ssh" protocol="tcp" reject type="icmp-port-unreachable"

But when I set banaction and banaction_allports to firewallcmd-ipset, I don't see any trace of the ban in the firewall.

# grep banaction /etc/fail2ban/jail.d/local.conf 
banaction = firewallcmd-ipset
banaction_allports = firewallcmd-ipset
# systemctl reload-or-restart fail2ban
# fail2ban-client -vvv set sshd unbanip 1.2.3.4
 +   99 7F648518C740 fail2ban.configreader     INFO  Loading configs for fail2ban under /etc/fail2ban 
 +   99 7F648518C740 fail2ban.configreader     DEBUG Reading configs for fail2ban under /etc/fail2ban 
 +  100 7F648518C740 fail2ban.configreader     DEBUG Reading config files: /etc/fail2ban/fail2ban.conf
 +  100 7F648518C740 fail2ban.configparserinc  INFO    Loading files: ['/etc/fail2ban/fail2ban.conf']
 +  100 7F648518C740 fail2ban.configparserinc  TRACE     Reading file: /etc/fail2ban/fail2ban.conf
 +  101 7F648518C740 fail2ban.configparserinc  INFO    Loading files: ['/etc/fail2ban/fail2ban.conf']
 +  101 7F648518C740 fail2ban.configparserinc  TRACE     Shared file: /etc/fail2ban/fail2ban.conf
 +  101 7F648518C740 fail2ban                  INFO  Using socket file /var/run/fail2ban/fail2ban.sock
 +  101 7F648518C740 fail2ban                  INFO  Using pid file /var/run/fail2ban/fail2ban.pid, [INFO] logging to /var/log/fail2ban.log
 +  101 7F648518C740 fail2ban                  HEAVY CMD: ['set', 'sshd', 'unbanip', '1.2.3.4']
 +  114 7F648518C740 fail2ban                  HEAVY OK : 1
 +  114 7F648518C740 fail2ban.beautifier       HEAVY Beautify 1 with ['set', 'sshd', 'unbanip', '1.2.3.4']
1
 +  115 7F648518C740 fail2ban                  DEBUG Exit with code 0
# fail2ban-client -vvv set sshd banip 1.2.3.4
 +  119 7F848CB9C740 fail2ban.configreader     INFO  Loading configs for fail2ban under /etc/fail2ban 
 +  119 7F848CB9C740 fail2ban.configreader     DEBUG Reading configs for fail2ban under /etc/fail2ban 
 +  120 7F848CB9C740 fail2ban.configreader     DEBUG Reading config files: /etc/fail2ban/fail2ban.conf
 +  121 7F848CB9C740 fail2ban.configparserinc  INFO    Loading files: ['/etc/fail2ban/fail2ban.conf']
 +  121 7F848CB9C740 fail2ban.configparserinc  TRACE     Reading file: /etc/fail2ban/fail2ban.conf
 +  122 7F848CB9C740 fail2ban.configparserinc  INFO    Loading files: ['/etc/fail2ban/fail2ban.conf']
 +  122 7F848CB9C740 fail2ban.configparserinc  TRACE     Shared file: /etc/fail2ban/fail2ban.conf
 +  123 7F848CB9C740 fail2ban                  INFO  Using socket file /var/run/fail2ban/fail2ban.sock
 +  123 7F848CB9C740 fail2ban                  INFO  Using pid file /var/run/fail2ban/fail2ban.pid, [INFO] logging to /var/log/fail2ban.log
 +  124 7F848CB9C740 fail2ban                  HEAVY CMD: ['set', 'sshd', 'banip', '1.2.3.4']
 +  125 7F848CB9C740 fail2ban                  HEAVY OK : 1
 +  126 7F848CB9C740 fail2ban.beautifier       HEAVY Beautify 1 with ['set', 'sshd', 'banip', '1.2.3.4']
1
 +  126 7F848CB9C740 fail2ban                  DEBUG Exit with code 0
# firewall-cmd --get-ipsets

# firewall-cmd --list-all | tail -2
  icmp-blocks: 
  rich rules: 
# grep 1.2.3.4 /var/log/fail2ban.log
2024-02-22 10:13:10,387 fail2ban.actions        [1023]: NOTICE  [sshd] Ban 1.2.3.4
2024-02-22 10:22:54,923 fail2ban.actions        [1023]: NOTICE  [sshd] Unban 1.2.3.4
2024-02-22 10:23:13,954 fail2ban.actions        [1023]: NOTICE  [sshd] Ban 1.2.3.4

This is frustrating because it should work as expected. What am I doing wrong?
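A reconciliation check, added here as an editor's example and not part of the question above: it compares the IPs fail2ban reports as banned with what the firewall actually enforces. Two things worth knowing when reading the output in the question: `firewall-cmd --get-ipsets` lists only sets that firewalld itself manages, so a set created directly with the `ipset` tool (check the `actionstart` lines in /etc/fail2ban/action.d/firewallcmd-ipset.conf to see which path your action takes) appears in `ipset list` but not there; and `fail2ban-client banned` prints a Python literal, which is why `ast.literal_eval` is used to parse it. The set name `f2b-sshd` follows fail2ban's `f2b-<jail>` convention; the three sample outputs are constructed for this example. The script reports, per jail, every IP fail2ban believes is banned that is neither a member of any ipset nor the source of a rich rule.

```python
"""Reconcile fail2ban's view of banned IPs with the firewall's actual state.

Editor's example, not code from the original question. Parses the text
output of `fail2ban-client banned`, `ipset list` and `firewall-cmd --list-all`
and reports IPs that fail2ban believes are banned but that are enforced
nowhere. All SAMPLE_* outputs below are constructed.
"""
import ast
import re
import subprocess

# Constructed sample: fail2ban-client banned prints a Python literal.
SAMPLE_BANNED = "[{'sshd': ['1.2.3.4', '218.92.0.112', '185.196.9.45']}]"

# Constructed sample: `ipset list` for a set named per fail2ban's f2b-<jail> convention.
SAMPLE_IPSET_LIST = """\
Name: f2b-sshd
Type: hash:ip
Revision: 5
Header: family inet hashsize 1024 maxelem 65536 timeout 172800
Size in memory: 376
References: 1
Number of entries: 2
Members:
1.2.3.4 timeout 172100
218.92.0.112 timeout 170500
"""

# Constructed sample: `firewall-cmd --list-all` with one rich rule.
SAMPLE_LIST_ALL = """\
public (active)
  target: default
  icmp-blocks: 
  rich rules: 
    rule family="ipv4" source address="185.196.9.45" port port="ssh" protocol="tcp" reject type="icmp-port-unreachable"
"""

RICH_SRC = re.compile(r'source address="([^"]+)"')


def parse_banned(text):
    """Return {jail: {ip, ...}} from `fail2ban-client banned` output."""
    data = ast.literal_eval(text.strip())
    return {jail: set(ips) for entry in data for jail, ips in entry.items()}


def parse_ipset_members(text):
    """Return {set_name: {member, ...}} from `ipset list` output.

    Members may carry a trailing "timeout N"; only the address is kept.
    CIDR members (hash:net sets) are kept verbatim and not expanded.
    """
    sets, name, in_members = {}, None, False
    for line in text.splitlines():
        if line.startswith("Name: "):
            name = line.split(": ", 1)[1]
            sets[name] = set()
            in_members = False
        elif line.startswith("Members:"):
            in_members = True
        elif in_members and name and line.strip():
            sets[name].add(line.split()[0])
    return sets


def parse_rich_rule_sources(text):
    """Return the set of source addresses referenced by rich rules."""
    return set(RICH_SRC.findall(text))


def missing_bans(banned_by_jail, ipsets, rich_sources):
    """Per jail, the sorted IPs fail2ban reports banned that no ipset or rich rule covers."""
    enforced = set(rich_sources)
    for members in ipsets.values():
        enforced |= members
    return {jail: sorted(ips - enforced) for jail, ips in banned_by_jail.items()}


def report_from_text(banned_text, ipset_text, list_all_text):
    """Run the whole comparison on captured command output."""
    return missing_bans(parse_banned(banned_text),
                        parse_ipset_members(ipset_text),
                        parse_rich_rule_sources(list_all_text))


def _run(cmd):
    """Capture a command's stdout; an absent tool yields empty output rather than a crash."""
    try:
        return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        return ""


if __name__ == "__main__":
    # Live mode (root required): query the running system instead of the samples.
    live = report_from_text(_run(["fail2ban-client", "banned"]),
                            _run(["ipset", "list"]),
                            _run(["firewall-cmd", "--list-all"]))
    for jail, ips in live.items():
        print(f"[{jail}] banned by fail2ban but not enforced: {ips or 'none'}")
```

Run it as root on the affected host; an empty list for the jail means every ban fail2ban reports is present as an ipset member or rich-rule source, while a non-empty list pinpoints exactly which bans never reached the kernel. Adding `nft list ruleset` to the inputs would catch the match-set rule itself, which this check does not inspect.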
