Fail2ban stops logging after a period of time (3-4 days)

Whenever I want to look at the Fail2ban log after it has been running for 3-4 days, I notice that the log has been compressed to .gz, which is fine.

-rw-r--r--. 1 root   root      90034 May  1 12:49 dmesg.old
-rw-------. 1 root   root          0 Jun 14 03:13 fail2ban.log
-rw-------. 1 root   root       8974 May 24 02:22 fail2ban.log-20150524.gz
-rw-------. 1 root   root         20 May 24 03:44 fail2ban.log-20150601.gz
-rw-------. 1 root   root         20 Jun  1 03:30 fail2ban.log-20150607.gz
-rw-------. 1 root   root       4785 Jun 14 03:10 fail2ban.log-20150614.gz

The problem is that, as you can see from my main fail2ban.log, it stops working: the file is 0 bytes and there is nothing in it.

I thought Fail2ban might simply have nothing to log, but when I looked at the secure log I found this:

Jun 18 09:24:52 localserver sshd[9641]: input_userauth_request: invalid user Exit [preauth]
Jun 18 09:24:53 localserver sshd[9641]: Connection closed by 123.56.112.165 [preauth]
Jun 18 10:03:19 localserver sshd[10218]: Invalid user alina from 123.56.112.165
Jun 18 10:03:19 localserver sshd[10218]: input_userauth_request: invalid user alina [preauth]
Jun 18 10:03:20 localserver sshd[10218]: Connection closed by 123.56.112.165 [preauth]
Jun 18 10:11:24 localserver sshd[10329]: Invalid user kadmin from 173.201.39.212
Jun 18 10:11:24 localserver sshd[10329]: input_userauth_request: invalid user kadmin [preauth]
Jun 18 10:11:24 localserver sshd[10329]: Received disconnect from 173.201.39.212: 11: Bye Bye [preauth]
Jun 18 10:11:24 localserver sshd[10331]: Received disconnect from 173.201.39.212: 11: Bye Bye [preauth]
Jun 18 10:11:25 localserver sshd[10333]: Invalid user guest from 173.201.39.212
Jun 18 10:11:25 localserver sshd[10333]: input_userauth_request: invalid user guest [preauth]
Jun 18 10:11:25 localserver sshd[10333]: Received disconnect from 173.201.39.212: 11: Bye Bye [preauth]
Jun 18 10:11:25 localserver sshd[10335]: Invalid user pi from 173.201.39.212
Jun 18 10:11:25 localserver sshd[10335]: input_userauth_request: invalid user pi [preauth]
Jun 18 10:11:25 localserver sshd[10335]: Received disconnect from 173.201.39.212: 11: Bye Bye [preauth]
Jun 18 10:11:26 localserver sshd[10337]: Invalid user ubnt from 173.201.39.212
Jun 18 10:11:26 localserver sshd[10337]: input_userauth_request: invalid user ubnt [preauth]
Jun 18 10:11:26 localserver sshd[10337]: Received disconnect from 173.201.39.212: 11: Bye Bye [preauth]
Jun 18 10:11:26 localserver sshd[10339]: Invalid user xbian from 173.201.39.212
Jun 18 10:11:26 localserver sshd[10339]: input_userauth_request: invalid user xbian [preauth]
Jun 18 10:11:26 localserver sshd[10339]: Received disconnect from 173.201.39.212: 11: Bye Bye [preauth]
Jun 18 10:11:26 localserver sshd[10341]: Invalid user admin from 173.201.39.212
Jun 18 10:11:26 localserver sshd[10341]: input_userauth_request: invalid user admin [preauth]
Jun 18 10:11:27 localserver sshd[10341]: Received disconnect from 173.201.39.212: 11: Bye Bye [preauth]
Jun 18 10:42:29 localserver sshd[10741]: Invalid user andrei from 123.56.112.165
Jun 18 10:42:29 localserver sshd[10741]: input_userauth_request: invalid user andrei [preauth]
Jun 18 10:42:29 localserver sshd[10741]: Connection closed by 123.56.112.165 [preauth]

This makes me angry, because the attacks are still coming in and Fail2ban isn't doing anything about them. I checked whether Fail2ban is still running, and got this:

sudo fail2ban-client status
Status
|- Number of jail:  1
`- Jail list:   ssh-iptables

I also checked that the log path is correct:

# Jail for more extended banning of persistent abusers
# !!! WARNING !!!
#   Make sure that your loglevel specified in fail2ban.conf/.local
#   is not at DEBUG level -- which might then cause fail2ban to fall into
#   an infinite loop constantly feeding itself with non-informative lines
[recidive]

logpath  = /var/log/fail2ban.log
port     = all
protocol = all
bantime  = 604800  ; 1 week
findtime = 86400   ; 1 day
maxretry = 5

Running sudo fail2ban-client status ssh-iptables gives the following result:

Status for the jail: ssh-iptables
|- Filter
|  |- Currently failed: 0
|  |- Total failed: 1089
|  `- File list:    /var/log/secure
`- Actions
   |- Currently banned: 0
   |- Total banned: 137
   `- Banned IP list:   

Does anyone have any other ideas that might help me solve this?
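
A 0-byte fail2ban.log whose mtime (Jun 14 03:13) coincides with the newest rotated archive is the pattern you get when logrotate renames the file and the daemon is never told to reopen it, so it keeps writing to the old, unlinked inode. The diagnostic below is an added example, not from the original post: it inspects /proc for a handle to a deleted copy of the log, and names fail2ban-client flushlogs, the client command that makes the server reopen its log files. The /etc/logrotate.d/fail2ban path is an assumption about where the distribution keeps that stanza.

```shell
#!/usr/bin/env bash
# Added diagnostic, not part of the original post. When logrotate renames
# fail2ban.log and fail2ban-server never reopens it, the daemon keeps writing
# to the unlinked inode, which /proc reports as "<path> (deleted)" while the
# fresh fail2ban.log stays at 0 bytes.

# stale_log_handle PID LOGPATH
#   0 -> PID holds a descriptor to a deleted file that used to be LOGPATH
#   1 -> no such descriptor (the process writes to the live file)
#   2 -> /proc/PID/fd is not readable (no such process, or no permission)
stale_log_handle() {
    local pid="$1" logpath="$2" fd target
    [ -d "/proc/$pid/fd" ] || return 2
    for fd in /proc/"$pid"/fd/*; do
        target=$(readlink "$fd" 2>/dev/null) || continue
        [ "$target" = "$logpath (deleted)" ] && return 0
    done
    return 1
}

# diagnose_fail2ban_log [LOGPATH]
# Locates the running fail2ban-server and reports whether its log handle is
# stale. 'fail2ban-client flushlogs' is the real client command that makes
# the server reopen its log files; the logrotate file location printed below
# is an assumption about where your distribution keeps that stanza.
diagnose_fail2ban_log() {
    local logpath="${1:-/var/log/fail2ban.log}" pid rc=0
    pid=$(pgrep -o -f fail2ban-server) || { echo "fail2ban-server is not running"; return 2; }
    stale_log_handle "$pid" "$logpath" || rc=$?
    case "$rc" in
        0)
            echo "fail2ban-server (pid $pid) still writes to the rotated copy of $logpath"
            echo "fix now:         sudo fail2ban-client flushlogs"
            echo "fix permanently: add 'postrotate fail2ban-client flushlogs' to"
            echo "                 /etc/logrotate.d/fail2ban (assumed location)"
            return 0 ;;
        1)  echo "fail2ban-server (pid $pid) has a live handle on $logpath"; return 1 ;;
        *)  echo "cannot inspect /proc/$pid/fd (run as root?)"; return 2 ;;
    esac
}
```

Run diagnose_fail2ban_log as root right after a rotation has left fail2ban.log empty; a return code of 0 confirms the stale-handle cause, 1 rules it out.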