내 서버에 루트로 로그인을 시도하는 봇이 많았기 때문에 기본 설정으로 Fail2ban을 설치했습니다. 설치했는데 아무것도 바뀌지 않았습니다. Fail2ban 감옥 IP 목록을 확인했는데 아무것도 없습니다.
내 보안 로그는 다음과 같습니다.
May 19 09:11:25 localhost sshd[6080]: Failed password for root from 43.255.188.160 port 52111 ssh2
May 19 09:11:25 localhost unix_chkpwd[6083]: password check failed for user (root)
May 19 09:11:25 localhost sshd[6080]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
May 19 09:11:28 localhost sshd[6080]: Failed password for root from 43.255.188.160 port 52111 ssh2
May 19 09:11:28 localhost unix_chkpwd[6084]: password check failed for user (root)
May 19 09:11:28 localhost sshd[6080]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
May 19 09:11:29 localhost sshd[6080]: Failed password for root from 43.255.188.160 port 52111 ssh2
May 19 09:11:29 localhost sshd[6080]: Received disconnect from 43.255.188.160: 11: [preauth]
May 19 09:11:29 localhost sshd[6080]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.255.188.160 user=root
May 19 09:11:30 localhost unix_chkpwd[6087]: password check failed for user (root)
May 19 09:11:30 localhost sshd[6085]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.255.188.160 user=root
May 19 09:11:30 localhost sshd[6085]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
May 19 09:11:31 localhost sshd[6085]: Failed password for root from 43.255.188.160 port 39053 ssh2
May 19 09:11:31 localhost unix_chkpwd[6088]: password check failed for user (root)
May 19 09:11:31 localhost sshd[6085]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
May 19 09:11:33 localhost sshd[6085]: Failed password for root from 43.255.188.160 port 39053 ssh2
May 19 09:11:33 localhost unix_chkpwd[6089]: password check failed for user (root)
May 19 09:11:33 localhost sshd[6085]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
May 19 09:11:36 localhost sshd[6085]: Failed password for root from 43.255.188.160 port 39053 ssh2
May 19 09:11:36 localhost sshd[6085]: Received disconnect from 43.255.188.160: 11: [preauth]
May 19 09:11:36 localhost sshd[6085]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.255.188.160 user=root
May 19 09:11:36 localhost unix_chkpwd[6093]: password check failed for user (root)
May 19 09:11:36 localhost sshd[6091]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.255.188.160 user=root
May 19 09:11:36 localhost sshd[6091]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
May 19 09:11:38 localhost sshd[6091]: Failed password for root from 43.255.188.160 port 53516 ssh2
May 19 09:11:38 localhost unix_chkpwd[6094]: password check failed for user (root)
May 19 09:11:38 localhost sshd[6091]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
May 19 09:11:40 localhost sshd[6091]: Failed password for root from 43.255.188.160 port 53516 ssh2
May 19 09:11:40 localhost unix_chkpwd[6095]: password check failed for user (root)
May 19 09:11:40 localhost sshd[6091]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
May 19 09:11:42 localhost sshd[6091]: Failed password for root from 43.255.188.160 port 53516 ssh2
May 19 09:11:42 localhost sshd[6091]: Received disconnect from 43.255.188.160: 11: [preauth]
May 19 09:11:42 localhost sshd[6091]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.255.188.160 user=root
May 19 09:11:43 localhost unix_chkpwd[6098]: password check failed for user (root)
May 19 09:11:43 localhost sshd[6096]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.255.188.160 user=root
May 19 09:11:43 localhost sshd[6096]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
May 19 09:11:44 localhost sshd[6096]: Failed password for root from 43.255.188.160 port 40323 ssh2
May 19 09:11:44 localhost unix_chkpwd[6099]: password check failed for user (root)
May 19 09:11:44 localhost sshd[6096]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
May 19 09:11:46 localhost sshd[6096]: Failed password for root from 43.255.188.160 port 40323 ssh2
May 19 09:11:46 localhost unix_chkpwd[6100]: password check failed for user (root)
May 19 09:11:46 localhost sshd[6096]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Fail2ban을 활성화했습니다(이미 실행 중이라고 표시됨).
fail2ban-client start
ERROR Server already running
어제 이후의 상태는 다음과 같습니다.
fail2ban-client status
Status
|- Number of jail: 0
`- Jail list:
Fail2ban을 활성화하기 위해 내가 하고 있지 않은 일이 있나요?
답변1
PermitRootLogin no누군가 지적했듯이 만약을 대비해 sshd_config에서 이 지시어를 사용하는 것이 좋은 습관이라고 생각합니다 .
내 로컬 감옥에는 ssh 섹션이 있지만 이제 ssh-iptables 섹션이 누락되어 iptables에 규칙을 추가하고 이제 작동합니다.
[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
logpath = /var/log/secure
maxretry = 5