On an Ubuntu 12.04 server running several services, fail2ban is configured but does not ban the attacking IP addresses. SSH runs on port 22.
Jail profile
[DEFAULT]
bantime = 600
maxretry = 3
banaction = iptables-multiport
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
            %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
             %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
action = %(action_)s
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 6
Regex check
fail2ban-regex /var/log/auth.log.1 /etc/fail2ban/filter.d/sshd.conf
Failregex
|- Regular expressions:
| [1] ^\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$
| [2] ^\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
| [3] ^\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*Failed (?:password|publickey) for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$
| [4] ^\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*ROOT LOGIN REFUSED.* FROM <HOST>\s*$
| [5] ^\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*[iI](?:llegal|nvalid) user .* from <HOST>\s*$
| [6] ^\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*User .+ from <HOST> not allowed because not listed in AllowUsers$
| [7] ^\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*authentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
| [8] ^\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*refused connect from \S+ \(<HOST>\)\s*$
| [9] ^\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*Address <HOST> .* POSSIBLE BREAK-IN ATTEMPT!*\s*$
| [10] ^\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*User .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$
|
`- Number of matches:
[1] 0 match(es)
[2] 0 match(es)
[3] 2810 match(es)
[4] 0 match(es)
[5] 2378 match(es)
[6] 0 match(es)
[7] 0 match(es)
[8] 0 match(es)
[9] 0 match(es)
[10] 0 match(es)
[...]
Date template hits:
380718 hit(s): MONTH Day Hour:Minute:Second
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
0 hit(s): Year/Month/Day Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/MONTH/Year:Hour:Minute:Second
0 hit(s): Month/Day/Year:Hour:Minute:Second
0 hit(s): Year-Month-Day Hour:Minute:Second
0 hit(s): Year.Month.Day Hour:Minute:Second
0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
0 hit(s): Day-Month-Year Hour:Minute:Second
0 hit(s): TAI64N
0 hit(s): Epoch
0 hit(s): ISO 8601
0 hit(s): Hour:Minute:Second
0 hit(s): <Month/Day/Year@Hour:Minute:Second>
Success, the total number of match is 5188
Log excerpt checked
Jul 26 14:17:49 servername sshd[12930]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=91.117.124.14 user=root
Jul 26 14:17:51 servername sshd[12930]: Failed password for root from 91.117.124.14 port 37340 ssh2
Jul 26 14:17:51 servername sshd[12930]: Received disconnect from 91.117.124.14: 11: Normal Shutdown, Thank you for playing [preauth]
Jul 26 14:17:51 servername sshd[12932]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=91.117.124.14 user=root
Jul 26 14:17:53 servername sshd[12932]: Failed password for root from 91.117.124.14 port 38980 ssh2
Jul 26 14:17:54 servername sshd[12932]: Received disconnect from 91.117.124.14: 11: Normal Shutdown, Thank you for playing [preauth]
Jul 26 14:17:54 servername sshd[12934]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=91.117.124.14 user=root
Jul 26 14:17:56 servername sshd[12934]: Failed password for root from 91.117.124.14 port 40576 ssh2
Jul 26 14:17:56 servername sshd[12934]: Received disconnect from 91.117.124.14: 11: Normal Shutdown, Thank you for playing [preauth]
Jul 26 14:17:57 servername sshd[12936]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=91.117.124.14 user=root
Jul 26 14:17:58 servername sshd[12936]: Failed password for root from 91.117.124.14 port 42148 ssh2
Jul 26 14:17:58 servername sshd[12936]: Received disconnect from 91.117.124.14: 11: Normal Shutdown, Thank you for playing [preauth]
Jul 26 14:17:59 servername sshd[12938]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=91.117.124.14 user=root
Jul 26 14:18:01 servername CRON[12940]: pam_unix(cron:session): session opened for user root by (uid=0)
Jul 26 14:18:01 servername sshd[12938]: Failed password for root from 91.117.124.14 port 43589 ssh2
Jul 26 14:18:01 servername sshd[12938]: Received disconnect from 91.117.124.14: 11: Normal Shutdown, Thank you for playing [preauth]
Jul 26 14:18:01 servername CRON[12940]: pam_unix(cron:session): session closed for user root
Jul 26 14:18:01 servername sshd[12982]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=91.117.124.14 user=root
Jul 26 14:18:03 servername sshd[12982]: Failed password for root from 91.117.124.14 port 44989 ssh2
Jul 26 14:18:03 servername sshd[12982]: Received disconnect from 91.117.124.14: 11: Normal Shutdown, Thank you for playing [preauth]
Jul 26 14:18:04 servername sshd[12985]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=91.117.124.14 user=root
Jul 26 14:18:06 servername sshd[12985]: Failed password for root from 91.117.124.14 port 46546 ssh2
Jul 26 14:18:06 servername sshd[12985]: Received disconnect from 91.117.124.14: 11: Normal Shutdown, Thank you for playing [preauth]
Jul 26 14:18:06 servername sshd[12987]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=91.117.124.14 user=root
Jul 26 14:18:09 servername sshd[12987]: Failed password for root from 91.117.124.14 port 48192 ssh2
Jul 26 14:18:09 servername sshd[12987]: Received disconnect from 91.117.124.14: 11: Normal Shutdown, Thank you for playing [preauth]
Jul 26 14:18:09 servername sshd[12989]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=91.117.124.14 user=root
Jul 26 14:18:11 servername sshd[12989]: Failed password for root from 91.117.124.14 port 49739 ssh2
Jul 26 14:18:11 servername sshd[12989]: Received disconnect from 91.117.124.14: 11: Normal Shutdown, Thank you for playing [preauth]
Jul 26 14:18:11 servername sshd[12991]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=91.117.124.14 user=root
Jul 26 14:18:13 servername sshd[12991]: Failed password for root from 91.117.124.14 port 51193 ssh2
The login attempts went on for more than 20 minutes, but nothing happened in Fail2ban.
Answer 1
Adding debug logging helps to figure out why fail2ban bans nothing when the regular expression works against the configured log file.
fail2ban-client set loglevel DEBUG
In my case I ran into a problem similar to yours. The configuration check was fine, the jail was running, the log file was correct, and fail2ban-regex.
2016-02-17 11:27:57,450 fail2ban.datedetector [30443]: DEBUG Got time 1455722877.000000 for "u'Feb 17 10:27:57'" using template (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
2016-02-17 11:27:57,450 fail2ban.filter [30443]: DEBUG Processing line with time:1455722877.0 and ip:8.8.8.8
2016-02-17 11:27:57,450 fail2ban.filter [30443]: DEBUG Ignore line since time 1455722877.0 < 1455726477.45 - 600
The time difference exceeds findtime (600) and is in fact 3600 seconds, i.e. one hour. Earlier the system timezone had been changed and the system was not restarted. The times in the system log all differ from the system time by one hour. After restarting rsyslogd, new log entries are written with the correct time, and fail2ban no longer ignores these log entries.
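An added example, not code from the question or the answer, that mimics the findtime check behind the "Ignore line since time ... < ... - 600" DEBUG message: a simplified form of failregex [3] is applied to constructed lines modelled on the question's auth.log, failures are counted per host, and lines older than now - findtime are discarded. The year 2016, the constructed lines and the simplified regex are assumptions; `now` is passed in syslog form so a clock in step with syslog and a clock one hour ahead of it can be compared.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines, modelled on the auth.log excerpt in the question.
SAMPLE_LOG = """\
Jul 26 14:17:51 servername sshd[12930]: Failed password for root from 91.117.124.14 port 37340 ssh2
Jul 26 14:17:53 servername sshd[12932]: Failed password for root from 91.117.124.14 port 38980 ssh2
Jul 26 14:17:56 servername sshd[12934]: Failed password for root from 91.117.124.14 port 40576 ssh2
Jul 26 14:17:58 servername sshd[12936]: Failed password for root from 91.117.124.14 port 42148 ssh2
Jul 26 14:18:01 servername sshd[12938]: Failed password for root from 91.117.124.14 port 43589 ssh2
Jul 26 14:18:03 servername sshd[12982]: Failed password for root from 91.117.124.14 port 44989 ssh2
"""

# Simplified form of failregex [3] from the fail2ban-regex output above. Syslog
# lines carry no year, so the year is an assumption supplied by the caller.
FAILREGEX = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed (?:password|publickey) for .* from (?P<host>\S+)(?: port \d*)?(?: ssh\d*)?$")

def parse_syslog_time(ts, year=2016):
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def count_failures(log_text, now_ts, findtime=600, year=2016):
    """Mimic the filter step: count matches per host, but drop every line whose
    timestamp is older than now - findtime, the same comparison that produced the
    answer's "Ignore line since time ..." message. Returns (counts, ignored)."""
    now = parse_syslog_time(now_ts, year)
    counts, ignored = {}, 0
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if not m:
            continue
        if parse_syslog_time(m["ts"], year) < now - timedelta(seconds=findtime):
            ignored += 1
            continue
        counts[m["host"]] = counts.get(m["host"], 0) + 1
    return counts, ignored

def hosts_to_ban(counts, maxretry=6):
    """Hosts that reached maxretry (the [ssh] jail on this page sets 6)."""
    return sorted(h for h, n in counts.items() if n >= maxretry)

if __name__ == "__main__":
    # System clock in step with syslog: all six failures fall inside findtime.
    counts, ignored = count_failures(SAMPLE_LOG, "Jul 26 14:18:10")
    print("in step:", counts, "ignored:", ignored, "ban:", hosts_to_ban(counts))
    # Syslog writing one hour behind the system clock: every line is ignored.
    counts, ignored = count_failures(SAMPLE_LOG, "Jul 26 15:18:10")
    print("skewed: ", counts, "ignored:", ignored, "ban:", hosts_to_ban(counts))
```

With the clock in step the host reaches maxretry 6 and would be banned; with syslog one hour behind, each line is more than findtime old the moment it is read, so the counter never moves, which is the symptom the answer describes.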