Fail2ban is not banning IPs that try to access my server via SSH

I installed Fail2ban with the default settings because a lot of bots were trying to log in to my server as root. I installed it, but nothing changed. I checked the Fail2ban jail IP list and there is nothing in it.

My secure log looks like this:

May 19 09:11:25 localhost sshd[6080]: Failed password for root from 43.255.188.160 port 52111 ssh2
May 19 09:11:25 localhost unix_chkpwd[6083]: password check failed for user (root)
May 19 09:11:25 localhost sshd[6080]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
May 19 09:11:28 localhost sshd[6080]: Failed password for root from 43.255.188.160 port 52111 ssh2
May 19 09:11:28 localhost unix_chkpwd[6084]: password check failed for user (root)
May 19 09:11:28 localhost sshd[6080]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
May 19 09:11:29 localhost sshd[6080]: Failed password for root from 43.255.188.160 port 52111 ssh2
May 19 09:11:29 localhost sshd[6080]: Received disconnect from 43.255.188.160: 11:  [preauth]
May 19 09:11:29 localhost sshd[6080]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.255.188.160  user=root
May 19 09:11:30 localhost unix_chkpwd[6087]: password check failed for user (root)
May 19 09:11:30 localhost sshd[6085]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.255.188.160  user=root
May 19 09:11:30 localhost sshd[6085]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
May 19 09:11:31 localhost sshd[6085]: Failed password for root from 43.255.188.160 port 39053 ssh2
May 19 09:11:31 localhost unix_chkpwd[6088]: password check failed for user (root)
May 19 09:11:31 localhost sshd[6085]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
May 19 09:11:33 localhost sshd[6085]: Failed password for root from 43.255.188.160 port 39053 ssh2
May 19 09:11:33 localhost unix_chkpwd[6089]: password check failed for user (root)
May 19 09:11:33 localhost sshd[6085]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
May 19 09:11:36 localhost sshd[6085]: Failed password for root from 43.255.188.160 port 39053 ssh2
May 19 09:11:36 localhost sshd[6085]: Received disconnect from 43.255.188.160: 11:  [preauth]
May 19 09:11:36 localhost sshd[6085]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.255.188.160  user=root
May 19 09:11:36 localhost unix_chkpwd[6093]: password check failed for user (root)
May 19 09:11:36 localhost sshd[6091]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.255.188.160  user=root
May 19 09:11:36 localhost sshd[6091]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
May 19 09:11:38 localhost sshd[6091]: Failed password for root from 43.255.188.160 port 53516 ssh2
May 19 09:11:38 localhost unix_chkpwd[6094]: password check failed for user (root)
May 19 09:11:38 localhost sshd[6091]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
May 19 09:11:40 localhost sshd[6091]: Failed password for root from 43.255.188.160 port 53516 ssh2
May 19 09:11:40 localhost unix_chkpwd[6095]: password check failed for user (root)
May 19 09:11:40 localhost sshd[6091]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
May 19 09:11:42 localhost sshd[6091]: Failed password for root from 43.255.188.160 port 53516 ssh2
May 19 09:11:42 localhost sshd[6091]: Received disconnect from 43.255.188.160: 11:  [preauth]
May 19 09:11:42 localhost sshd[6091]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.255.188.160  user=root
May 19 09:11:43 localhost unix_chkpwd[6098]: password check failed for user (root)
May 19 09:11:43 localhost sshd[6096]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.255.188.160  user=root
May 19 09:11:43 localhost sshd[6096]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
May 19 09:11:44 localhost sshd[6096]: Failed password for root from 43.255.188.160 port 40323 ssh2
May 19 09:11:44 localhost unix_chkpwd[6099]: password check failed for user (root)
May 19 09:11:44 localhost sshd[6096]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
May 19 09:11:46 localhost sshd[6096]: Failed password for root from 43.255.188.160 port 40323 ssh2
May 19 09:11:46 localhost unix_chkpwd[6100]: password check failed for user (root)
May 19 09:11:46 localhost sshd[6096]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"

I enabled Fail2ban (it says it is already running):

fail2ban-client start
ERROR  Server already running

Here is the status since yesterday:

fail2ban-client status
Status
|- Number of jail:  0
`- Jail list:

Is there something I am not doing to enable Fail2ban?

Answer 1

As someone pointed out, I think it is good practice to use the directive PermitRootLogin no in sshd_config, just in case.

My local jail has an ssh section, but it was missing the ssh-iptables section, which is what adds the rule to iptables; now it works.

[ssh-iptables]

enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]

logpath  = /var/log/secure
maxretry = 5
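
As an added illustration (not code from the question or the answer), this Python script reproduces the two checks behind the problem: whether any jail in jail.local is actually enabled (an empty result is what "Number of jail: 0" means), and whether the quoted log lines would reach maxretry within findtime for one IP. The jail section and log lines are constructed from the page, the regex is a simplified stand-in for fail2ban's sshd filter, and findtime = 600 s is an assumed default.

```python
import configparser
import re
from datetime import datetime, timedelta

# Constructed: the jail section from the answer as it would appear in jail.local.
JAIL_LOCAL = """\
[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
logpath  = /var/log/secure
maxretry = 5
"""

# Constructed sample in the /var/log/secure format quoted in the question.
SECURE_LOG = """\
May 19 09:11:25 localhost sshd[6080]: Failed password for root from 43.255.188.160 port 52111 ssh2
May 19 09:11:25 localhost unix_chkpwd[6083]: password check failed for user (root)
May 19 09:11:28 localhost sshd[6080]: Failed password for root from 43.255.188.160 port 52111 ssh2
May 19 09:11:29 localhost sshd[6080]: Failed password for root from 43.255.188.160 port 52111 ssh2
May 19 09:11:31 localhost sshd[6085]: Failed password for root from 43.255.188.160 port 39053 ssh2
May 19 09:11:33 localhost sshd[6085]: Failed password for root from 43.255.188.160 port 39053 ssh2
May 19 09:20:01 localhost sshd[6200]: Failed password for invalid user admin from 198.51.100.7 port 4022 ssh2
"""

# Simplified stand-in for one regex of fail2ban's sshd filter (the real filter has many more).
FAILED = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .* Failed password for "
                    r"(?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+")

def enabled_jails(text):
    """{jail: options} for sections with enabled = true; empty means 'Number of jail: 0'."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections() if cp.getboolean(s, "enabled", fallback=False)}

def failure_times(log_text):
    """IP -> sorted timestamps of matching failures (the year is irrelevant for the deltas)."""
    times = {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:
            times.setdefault(m.group("ip"), []).append(datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"))
    return {ip: sorted(ts) for ip, ts in times.items()}

def ips_to_ban(jail, log_text):
    """IPs with at least maxretry failures inside one findtime window (assumed default 600 s)."""
    maxretry, window = int(jail["maxretry"]), timedelta(seconds=int(jail.get("findtime", 600)))
    banned = [ip for ip, ts in failure_times(log_text).items()
              if any(ts[i + maxretry - 1] - ts[i] <= window for i in range(len(ts) - maxretry + 1))]
    return sorted(banned)
```

With the section present and enabled, the bot's address exceeds maxretry within seconds and would be banned; a jail.local with no enabled section produces no jails, which matches the status output in the question.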
