I recently installed the `auditd` package on my Debian machine. I ran a few tests with `auditctl`, created a rule to watch a directory, verified a few things, and then removed and purged `auditd`.

Since then I still see entries like these in `kern.log`:
May 1 08:29:55 trinity kernel: [5654985.963656] type=1325 audit(1462087795.379:71): table=filter family=2 entries=58
May 1 08:29:55 trinity kernel: [5654985.963736] type=1300 audit(1462087795.379:71): arch=40000003 syscall=102 success=yes exit=0 a0=e a1=bf9a75a0 a2=b7750ff4 a3=2250 items=0 ppid=13411 pid=13412 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/sbin/xtables-multi" key=(null)
May 1 11:29:33 trinity kernel: [5665764.295688] type=1325 audit(1462098573.714:72): table=filter family=2 entries=57
May 1 11:29:33 trinity kernel: [5665764.295765] type=1300 audit(1462098573.714:72): arch=40000003 syscall=102 success=yes exit=0 a0=e a1=bfda2ba0 a2=b77adff4 a3=22e4 items=0 ppid=32410 pid=32411 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/sbin/xtables-multi" key=(null)
May 1 19:48:03 trinity kernel: [5695674.149293] type=1325 audit(1462128483.567:73): table=filter family=2 entries=58
May 1 19:48:03 trinity kernel: [5695674.149370] type=1300 audit(1462128483.567:73): arch=40000003 syscall=102 success=yes exit=0 a0=e a1=bffb3910 a2=b76cfff4 a3=2378 items=0 ppid=20765 pid=20766 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/sbin/xtables-multi" key=(null)
May 1 20:40:53 trinity kernel: [5698844.383281] type=1325 audit(1462131653.801:74): table=filter family=2 entries=59
May 1 20:40:53 trinity kernel: [5698844.383357] type=1300 audit(1462131653.801:74): arch=40000003 syscall=102 success=yes exit=0 a0=e a1=bfe7d880 a2=b7761ff4 a3=22e4 items=0 ppid=26521 pid=26522 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/sbin/xtables-multi" key=(null)
May 2 05:53:28 trinity kernel: [5731999.457579] type=1325 audit(1462164808.877:75): table=filter family=2 entries=58
May 2 05:53:28 trinity kernel: [5731999.457657] type=1300 audit(1462164808.877:75): arch=40000003 syscall=102 success=yes exit=0 a0=e a1=bfc307b0 a2=b77a8ff4 a3=2250 items=0 ppid=20606 pid=20607 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/sbin/xtables-multi" key=(null)
May 2 08:02:07 trinity kernel: [5739717.728041] type=1325 audit(1462172527.145:76): table=filter family=2 entries=57
May 2 08:02:07 trinity kernel: [5739717.728130] type=1300 audit(1462172527.145:76): arch=40000003 syscall=102 success=yes exit=0 a0=e a1=bfb655f0 a2=b76f7ff4 a3=21bc items=0 ppid=2530 pid=2531 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/sbin/xtables-multi" key=(null)
May 2 09:36:04 trinity kernel: [5745355.212056] type=1325 audit(1462178164.630:77): table=filter family=2 entries=56
May 2 09:36:04 trinity kernel: [5745355.212135] type=1300 audit(1462178164.630:77): arch=40000003 syscall=102 success=yes exit=0 a0=e a1=bfb26040 a2=b7764ff4 a3=2250 items=0 ppid=12830 pid=12831 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/sbin/xtables-multi" key=(null)
May 2 10:37:32 trinity kernel: [5749043.125431] type=1325 audit(1462181852.547:78): table=filter family=2 entries=57
May 2 10:37:32 trinity kernel: [5749043.125507] type=1300 audit(1462181852.547:78): arch=40000003 syscall=102 success=yes exit=0 a0=e a1=bfae3220 a2=b76e7ff4 a3=21bc items=0 ppid=19175 pid=19176 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/sbin/xtables-multi" key=(null)
May 2 12:14:13 trinity kernel: [5754843.852220] type=1325 audit(1462187653.271:79): table=filter family=2 entries=56
May 2 12:14:13 trinity kernel: [5754843.852297] type=1300 audit(1462187653.271:79): arch=40000003 syscall=102 success=yes exit=0 a0=e a1=bfe58c60 a2=b76ecff4 a3=2128 items=0 ppid=29308 pid=29309 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/sbin/xtables-multi" key=(null)
May 2 12:41:59 trinity kernel: [5756510.071418] type=1325 audit(1462189319.490:80): table=filter family=2 entries=55
May 2 12:41:59 trinity kernel: [5756510.071496] type=1300 audit(1462189319.490:80): arch=40000003 syscall=102 success=yes exit=0 a0=e a1=bfe31480 a2=b7722ff4 a3=2094 items=0 ppid=32586 pid=32587 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/sbin/xtables-multi" key=(null)
May 2 12:58:14 trinity kernel: [5757485.373768] type=1325 audit(1462190294.794:81): table=filter family=2 entries=54
May 2 12:58:14 trinity kernel: [5757485.373846] type=1300 audit(1462190294.794:81): arch=40000003 syscall=102 success=yes exit=0 a0=e a1=bf8cb380 a2=b7754ff4 a3=2128 items=0 ppid=1736 pid=1737 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/sbin/xtables-multi" key=(null)
May 2 14:34:51 trinity kernel: [5763282.057294] type=1325 audit(1462196091.475:82): table=filter family=2 entries=55
May 2 14:34:51 trinity kernel: [5763282.057370] type=1300 audit(1462196091.475:82): arch=40000003 syscall=102 success=yes exit=0 a0=e a1=bfce29f0 a2=b7736ff4 a3=2094 items=0 ppid=12057 pid=12058 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/sbin/xtables-multi" key=(null)
May 2 15:31:28 trinity kernel: [5766679.552808] type=1325 audit(1462199488.973:83): table=filter family=2 entries=54
May 2 15:31:28 trinity kernel: [5766679.552884] type=1300 audit(1462199488.973:83): arch=40000003 syscall=102 success=yes exit=0 a0=e a1=bfc402f0 a2=b7718ff4 a3=2128 items=0 ppid=18365 pid=18366 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/sbin/xtables-multi" key=(null)
This indicates that the `iptables` command is generating an audit warning for some reason. These entries did not appear until `auditd` was installed and removed.

Looking at the timestamps in `/var/log`, these correlate with `fail2ban` configuration changes to `iptables` to add banned IP addresses.

There is nothing wrong with the `auditd` trigger, but I don't know how to disable it because I have already removed `auditctl`. If I reinstall `auditd` and run `auditctl -l`, no rules are returned.

Why are these `iptables` entries now being generated in `kern.log`, and how do I revert to the configuration from before `auditd` was installed?

The Debian version is 7.10.

Update:

Interestingly, the `auditd` kernel entries do not appear while it is reinstalled, only when it is removed. So there were none at all; I installed `auditd` and there were still none; I removed `auditd` and they started appearing. Installing `auditd` suppresses the entries again, and removing it makes them appear.

Looking at apt's history.log:
Start-Date: 2016-04-26 11:47:13
Commandline: apt-get install auditd
Install: auditd:i386 (1.7.18-1.1)
End-Date: 2016-04-26 11:47:20
Start-Date: 2016-04-26 11:48:39
Commandline: apt-get remove auditd
Remove: auditd:i386 (1.7.18-1.1)
End-Date: 2016-04-26 11:48:42
Start-Date: 2016-04-26 11:48:46
Commandline: apt-get purge auditd
Purge: auditd:i386 ()
End-Date: 2016-04-26 11:48:47
Start-Date: 2016-05-03 11:17:43
Commandline: apt-get install auditd
Install: auditd:i386 (1.7.18-1.1)
End-Date: 2016-05-03 11:17:50
Start-Date: 2016-05-03 14:46:14
Commandline: apt-get remove auditd
Remove: auditd:i386 (1.7.18-1.1)
End-Date: 2016-05-03 14:46:17
Start-Date: 2016-05-03 14:47:24
Commandline: apt-get purge auditd
Purge: auditd:i386 ()
End-Date: 2016-05-03 14:47:25
And then from `kern.log`:
root@trinity:/var/log# cat kern.log* | grep filter | sort
Apr 26 13:30:54 trinity kernel: [5241045.164714] type=1325 audit(1461673854.583:9): table=filter family=2 entries=62
Apr 26 13:32:53 trinity kernel: [5241164.339388] type=1325 audit(1461673973.758:10): table=filter family=2 entries=63
Apr 26 22:05:15 trinity kernel: [5271906.481895] type=1325 audit(1461704715.901:11): table=filter family=2 entries=62
Apr 27 02:28:01 trinity kernel: [5287671.603861] type=1325 audit(1461720481.020:12): table=filter family=2 entries=61
Apr 27 08:44:33 trinity kernel: [5310263.791931] type=1325 audit(1461743073.208:13): table=filter family=2 entries=60
Apr 27 11:07:33 trinity kernel: [5318844.230913] type=1325 audit(1461751653.650:14): table=filter family=2 entries=59
Apr 27 11:11:25 trinity kernel: [5319076.553128] type=1325 audit(1461751885.972:15): table=filter family=2 entries=58
Apr 27 12:31:29 trinity kernel: [5323879.969177] type=1325 audit(1461756689.387:16): table=filter family=2 entries=59
Apr 27 16:22:10 trinity kernel: [5337721.409895] type=1325 audit(1461770530.830:17): table=filter family=2 entries=58
Apr 27 17:18:25 trinity kernel: [5341095.909392] type=1325 audit(1461773905.329:18): table=filter family=2 entries=59
Apr 27 20:25:45 trinity kernel: [5352335.879430] type=1325 audit(1461785145.297:19): table=filter family=2 entries=60
Apr 27 21:19:06 trinity kernel: [5355537.157802] type=1325 audit(1461788346.575:20): table=filter family=2 entries=59
Apr 27 21:23:49 trinity kernel: [5355820.549272] type=1325 audit(1461788629.970:21): table=filter family=2 entries=58
Apr 27 21:53:23 trinity kernel: [5357593.916306] type=1325 audit(1461790403.338:22): table=filter family=2 entries=57
Apr 28 01:32:28 trinity kernel: [5370739.384433] type=1325 audit(1461803548.804:23): table=filter family=2 entries=58
Apr 28 03:35:24 trinity kernel: [5378115.178977] type=1325 audit(1461810924.598:24): table=filter family=2 entries=59
Apr 28 04:44:17 trinity kernel: [5382247.691370] type=1325 audit(1461815057.108:25): table=filter family=2 entries=60
Apr 28 05:47:42 trinity kernel: [5386052.769582] type=1325 audit(1461818862.189:26): table=filter family=2 entries=59
Apr 28 06:49:40 trinity kernel: [5389770.729248] type=1325 audit(1461822580.149:27): table=filter family=2 entries=58
Apr 28 07:03:26 trinity kernel: [5390596.850019] type=1325 audit(1461823406.267:28): table=filter family=2 entries=59
Apr 28 07:54:25 trinity kernel: [5393655.953013] type=1325 audit(1461826465.374:29): table=filter family=2 entries=60
Apr 28 17:19:02 trinity kernel: [5427533.079358] type=1325 audit(1461860342.498:30): table=filter family=2 entries=59
Apr 28 17:40:50 trinity kernel: [5428840.833735] type=1325 audit(1461861650.252:31): table=filter family=2 entries=60
Apr 28 22:11:09 trinity kernel: [5445060.419843] type=1325 audit(1461877869.838:32): table=filter family=2 entries=59
Apr 28 22:20:05 trinity kernel: [5445596.145146] type=1325 audit(1461878405.563:33): table=filter family=2 entries=60
Apr 29 01:34:17 trinity kernel: [5457247.685479] type=1325 audit(1461890057.103:34): table=filter family=2 entries=61
Apr 29 03:08:41 trinity kernel: [5462912.272201] type=1325 audit(1461895721.690:35): table=filter family=2 entries=62
Apr 29 04:05:43 trinity kernel: [5466333.873413] type=1325 audit(1461899143.292:36): table=filter family=2 entries=63
Apr 29 05:27:26 trinity kernel: [5471237.463612] type=1325 audit(1461904046.880:37): table=filter family=2 entries=64
Apr 29 05:57:55 trinity kernel: [5473065.931068] type=1325 audit(1461905875.349:38): table=filter family=2 entries=63
Apr 29 07:43:16 trinity kernel: [5479387.398790] type=1325 audit(1461912196.819:39): table=filter family=2 entries=62
Apr 29 07:59:20 trinity kernel: [5480350.703929] type=1325 audit(1461913160.122:40): table=filter family=2 entries=61
Apr 29 09:01:10 trinity kernel: [5484060.685008] type=1325 audit(1461916870.105:41): table=filter family=2 entries=62
Apr 29 09:08:56 trinity kernel: [5484527.328113] type=1325 audit(1461917336.744:42): table=filter family=2 entries=61
Apr 29 09:28:40 trinity kernel: [5485710.910410] type=1325 audit(1461918520.327:43): table=filter family=2 entries=60
Apr 29 09:35:24 trinity kernel: [5486115.462325] type=1325 audit(1461918924.881:44): table=filter family=2 entries=59
Apr 29 11:58:55 trinity kernel: [5494725.939858] type=1325 audit(1461927535.357:45): table=filter family=2 entries=58
Apr 29 12:29:44 trinity kernel: [5496575.471597] type=1325 audit(1461929384.889:46): table=filter family=2 entries=57
Apr 29 14:38:01 trinity kernel: [5504271.706427] type=1325 audit(1461937081.127:47): table=filter family=2 entries=58
Apr 29 17:01:28 trinity kernel: [5512879.168191] type=1325 audit(1461945688.583:48): table=filter family=2 entries=57
Apr 29 19:31:41 trinity kernel: [5521892.127411] type=1325 audit(1461954701.545:49): table=filter family=2 entries=56
Apr 29 19:34:02 trinity kernel: [5522033.333315] type=1325 audit(1461954842.755:50): table=filter family=2 entries=55
Apr 29 20:00:13 trinity kernel: [5523604.428545] type=1325 audit(1461956413.851:51): table=filter family=2 entries=54
Apr 29 20:34:45 trinity kernel: [5525676.172737] type=1325 audit(1461958485.593:52): table=filter family=2 entries=53
Apr 29 20:57:39 trinity kernel: [5527050.000970] type=1325 audit(1461959859.421:53): table=filter family=2 entries=54
Apr 29 21:03:22 trinity kernel: [5527393.467046] type=1325 audit(1461960202.886:54): table=filter family=2 entries=53
Apr 29 23:18:37 trinity kernel: [5535508.254569] type=1325 audit(1461968317.673:55): table=filter family=2 entries=52
Apr 30 00:29:58 trinity kernel: [5539788.920100] type=1325 audit(1461972598.339:56): table=filter family=2 entries=53
Apr 30 03:12:14 trinity kernel: [5549524.805118] type=1325 audit(1461982334.225:57): table=filter family=2 entries=54
Apr 30 03:56:03 trinity kernel: [5552154.294060] type=1325 audit(1461984963.713:58): table=filter family=2 entries=55
Apr 30 05:31:18 trinity kernel: [5557868.878686] type=1325 audit(1461990678.296:59): table=filter family=2 entries=54
Apr 30 05:51:28 trinity kernel: [5559079.495954] type=1325 audit(1461991888.912:60): table=filter family=2 entries=55
Apr 30 11:18:56 trinity kernel: [5578727.564823] type=1325 audit(1462011536.983:61): table=filter family=2 entries=56
Apr 30 11:38:34 trinity kernel: [5579905.149630] type=1325 audit(1462012714.569:62): table=filter family=2 entries=57
Apr 30 11:58:54 trinity kernel: [5581124.785297] type=1325 audit(1462013934.204:63): table=filter family=2 entries=56
Apr 30 12:28:32 trinity kernel: [5582903.150044] type=1325 audit(1462015712.567:64): table=filter family=2 entries=55
Apr 30 14:41:21 trinity kernel: [5590871.696820] type=1325 audit(1462023681.116:65): table=filter family=2 entries=54
Apr 30 17:58:37 trinity kernel: [5602708.432415] type=1325 audit(1462035517.855:66): table=filter family=2 entries=55
Apr 30 20:07:46 trinity kernel: [5610456.713610] type=1325 audit(1462043266.133:67): table=filter family=2 entries=56
May 1 00:15:50 trinity kernel: [5625341.571375] type=1325 audit(1462058150.990:68): table=filter family=2 entries=57
May 1 01:56:34 trinity kernel: [5631384.621056] type=1325 audit(1462064194.039:69): table=filter family=2 entries=58
May 1 03:47:50 trinity kernel: [5638061.478266] type=1325 audit(1462070870.899:70): table=filter family=2 entries=57
May 1 08:29:55 trinity kernel: [5654985.963656] type=1325 audit(1462087795.379:71): table=filter family=2 entries=58
May 1 11:29:33 trinity kernel: [5665764.295688] type=1325 audit(1462098573.714:72): table=filter family=2 entries=57
May 1 19:48:03 trinity kernel: [5695674.149293] type=1325 audit(1462128483.567:73): table=filter family=2 entries=58
May 1 20:40:53 trinity kernel: [5698844.383281] type=1325 audit(1462131653.801:74): table=filter family=2 entries=59
May 2 05:53:28 trinity kernel: [5731999.457579] type=1325 audit(1462164808.877:75): table=filter family=2 entries=58
May 2 08:02:07 trinity kernel: [5739717.728041] type=1325 audit(1462172527.145:76): table=filter family=2 entries=57
May 2 09:36:04 trinity kernel: [5745355.212056] type=1325 audit(1462178164.630:77): table=filter family=2 entries=56
May 2 10:37:32 trinity kernel: [5749043.125431] type=1325 audit(1462181852.547:78): table=filter family=2 entries=57
May 2 12:14:13 trinity kernel: [5754843.852220] type=1325 audit(1462187653.271:79): table=filter family=2 entries=56
May 2 12:41:59 trinity kernel: [5756510.071418] type=1325 audit(1462189319.490:80): table=filter family=2 entries=55
May 2 12:58:14 trinity kernel: [5757485.373768] type=1325 audit(1462190294.794:81): table=filter family=2 entries=54
May 2 14:34:51 trinity kernel: [5763282.057294] type=1325 audit(1462196091.475:82): table=filter family=2 entries=55
May 2 15:31:28 trinity kernel: [5766679.552808] type=1325 audit(1462199488.973:83): table=filter family=2 entries=54
May 2 15:58:13 trinity kernel: [5768283.694922] type=1325 audit(1462201093.113:84): table=filter family=2 entries=55
May 2 16:42:33 trinity kernel: [5770944.249180] type=1325 audit(1462203753.667:85): table=filter family=2 entries=56
May 2 23:25:56 trinity kernel: [5795147.404091] type=1325 audit(1462227956.820:86): table=filter family=2 entries=57
May 3 03:41:43 trinity kernel: [5810493.831850] type=1325 audit(1462243303.249:87): table=filter family=2 entries=58
May 3 04:44:46 trinity kernel: [5814276.874392] type=1325 audit(1462247086.292:88): table=filter family=2 entries=57
May 3 06:57:06 trinity kernel: [5822217.391993] type=1325 audit(1462255026.809:89): table=filter family=2 entries=56
May 3 08:21:19 trinity kernel: [5827270.101048] type=1325 audit(1462260079.522:90): table=filter family=2 entries=55
May 3 11:03:16 trinity kernel: [5836986.964890] type=1325 audit(1462269796.383:91): table=filter family=2 entries=54
May 3 16:19:19 trinity kernel: [5855950.133701] type=1325 audit(1462288759.553:306): table=filter family=2 entries=56
The kernel logs go back to March 14 and show the first audit entry. That is a lot of data, but you can see there is a gap today between 11:03 and 16:19. During that period, however, `fail2ban` banned 3 IP addresses and updated iptables. So with `auditd` installed, no audit entries are generated.
2016-05-01 08:29:55,374 fail2ban.actions: WARNING [ssh] Unban 113.107.24.247
2016-05-01 11:29:33,708 fail2ban.actions: WARNING [ssh] Ban 52.37.98.155
2016-05-01 19:48:03,560 fail2ban.actions: WARNING [ssh] Ban 185.70.184.135
2016-05-01 20:40:53,795 fail2ban.actions: WARNING [ssh] Unban 185.103.252.142
2016-05-02 05:53:28,816 fail2ban.actions: WARNING [ssh] Unban 185.110.132.54
2016-05-02 08:02:07,030 fail2ban.actions: WARNING [ssh] Unban 202.203.179.129
2016-05-02 09:36:04,623 fail2ban.actions: WARNING [ssh] Ban 42.116.173.198
2016-05-02 10:37:32,536 fail2ban.actions: WARNING [ssh] Unban 125.212.232.159
2016-05-02 12:14:13,263 fail2ban.actions: WARNING [ssh] Unban 146.0.77.32
2016-05-02 12:41:59,482 fail2ban.actions: WARNING [ssh] Unban 112.217.150.112
2016-05-02 12:58:14,786 fail2ban.actions: WARNING [ssh] Ban 210.211.99.15
2016-05-02 14:34:51,468 fail2ban.actions: WARNING [ssh] Unban 179.43.144.43
2016-05-02 15:31:28,963 fail2ban.actions: WARNING [ssh] Ban 37.54.25.239
2016-05-02 15:58:13,105 fail2ban.actions: WARNING [ssh] Ban 125.212.232.63
2016-05-02 16:42:33,660 fail2ban.actions: WARNING [ssh] Ban 146.0.77.32
2016-05-02 23:25:56,812 fail2ban.actions: WARNING [ssh] Ban 193.201.225.31
2016-05-03 03:41:43,242 fail2ban.actions: WARNING [ssh] Unban 42.112.131.91
2016-05-03 04:44:46,285 fail2ban.actions: WARNING [ssh] Unban 173.208.220.131
2016-05-03 06:57:06,803 fail2ban.actions: WARNING [ssh] Unban 193.201.225.29
2016-05-03 08:21:19,512 fail2ban.actions: WARNING [ssh] Unban 185.22.65.27
2016-05-03 11:03:16,375 fail2ban.actions: WARNING [ssh] Ban 173.208.129.210
2016-05-03 13:30:55,106 fail2ban.actions: WARNING [ssh] Unban 58.187.224.226
2016-05-03 14:01:26,542 fail2ban.actions: WARNING [ssh] Ban 221.11.92.253
2016-05-03 14:32:17,009 fail2ban.actions: WARNING [ssh] Ban 82.204.67.66
2016-05-03 16:19:19,543 fail2ban.actions: WARNING [ssh] Ban 169.54.174.138
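The correlation the question does by hand (matching each kernel audit event against the fail2ban action at the same timestamp) can be scripted. The script below is an added example for this thread, not code from the question or the answer. It groups the `type=1325` and `type=1300` records by their `audit(epoch:serial)` serial, learns the host's UTC offset by comparing the local syslog header time with the UTC epoch in the `audit(...)` stamp, and then pairs each fail2ban `Ban`/`Unban` line with the audit event within a tolerance window. The sample lines are a subset copied from the question; the year 2016 for the syslog header (which carries no year) and the 2-second tolerance are assumptions of the example.

```python
import re
from datetime import datetime, timezone

# Subset of the kern.log lines from the question above (two audit events, serials 71 and 72).
KERN_LOG = """\
May 1 08:29:55 trinity kernel: [5654985.963656] type=1325 audit(1462087795.379:71): table=filter family=2 entries=58
May 1 08:29:55 trinity kernel: [5654985.963736] type=1300 audit(1462087795.379:71): arch=40000003 syscall=102 success=yes exit=0 a0=e a1=bf9a75a0 a2=b7750ff4 a3=2250 items=0 ppid=13411 pid=13412 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/sbin/xtables-multi" key=(null)
May 1 11:29:33 trinity kernel: [5665764.295688] type=1325 audit(1462098573.714:72): table=filter family=2 entries=57
May 1 11:29:33 trinity kernel: [5665764.295765] type=1300 audit(1462098573.714:72): arch=40000003 syscall=102 success=yes exit=0 a0=e a1=bfda2ba0 a2=b77adff4 a3=22e4 items=0 ppid=32410 pid=32411 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/sbin/xtables-multi" key=(null)
"""

# Subset of the fail2ban lines from the question. The May 3 line falls in the
# period when auditd was installed, so it has no matching audit event.
FAIL2BAN_LOG = """\
2016-05-01 08:29:55,374 fail2ban.actions: WARNING [ssh] Unban 113.107.24.247
2016-05-01 11:29:33,708 fail2ban.actions: WARNING [ssh] Ban 52.37.98.155
2016-05-03 13:30:55,106 fail2ban.actions: WARNING [ssh] Unban 58.187.224.226
"""

SYSLOG_RE = re.compile(
    r"^(\w{3})\s+(\d{1,2}) (\d{2}):(\d{2}):(\d{2}) \S+ kernel: \[[\d.]+\] "
    r"type=(\d+) audit\((\d+)\.(\d+):(\d+)\): (.*)$"
)
# key=value pairs; values may be quoted ("iptables"), parenthesised ((none)) or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')
F2B_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),(\d{3}) fail2ban\.actions: "
    r"\w+\s+\[(\S+)\] (Ban|Unban) (\S+)$"
)
EPOCH0 = datetime(1970, 1, 1)


def parse_kern_log(text, year=2016):
    """Group audit records by serial number.

    The syslog header is local wall-clock time while the audit(...) stamp is a
    UTC epoch, so their difference gives the host's UTC offset in seconds.
    `year` is an assumption: the syslog header carries no year.
    """
    events = {}
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        mon, day, hh, mm, ss, rtype, secs, frac, serial, body = m.groups()
        local = datetime.strptime(f"{year} {mon} {day} {hh}:{mm}:{ss}", "%Y %b %d %H:%M:%S")
        utc = datetime.fromtimestamp(int(secs), tz=timezone.utc).replace(tzinfo=None)
        ev = events.setdefault(int(serial), {
            "epoch": int(secs) + int(frac) / 1000.0,
            "utc_offset": int(round((local - utc).total_seconds())),
            "records": {},
        })
        ev["records"][int(rtype)] = dict(KV_RE.findall(body))
    return events


def parse_fail2ban(text):
    """Return fail2ban Ban/Unban actions with their local wall-clock time."""
    actions = []
    for line in text.splitlines():
        m = F2B_RE.match(line)
        if not m:
            continue
        stamp, ms, jail, action, ip = m.groups()
        local = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        actions.append({"local": local, "ms": int(ms), "jail": jail, "action": action, "ip": ip})
    return actions


def correlate(events, actions, tolerance=2.0):
    """Pair each fail2ban action with the nearest audit event within `tolerance` seconds.

    fail2ban logs local time, so the UTC offset learned from the kernel log is
    applied before comparing against the audit epoch. Unmatched actions get
    audit_serial=None, which is exactly the "gap" the question describes.
    """
    results = []
    for act in actions:
        local_epoch = (act["local"] - EPOCH0).total_seconds() + act["ms"] / 1000.0
        best = None
        for serial, ev in events.items():
            delta = abs((local_epoch - ev["utc_offset"]) - ev["epoch"])
            if delta <= tolerance and (best is None or delta < best[1]):
                best = (serial, delta)
        syscall_rec = events[best[0]]["records"].get(1300, {}) if best else {}
        netfilter_rec = events[best[0]]["records"].get(1325, {}) if best else {}
        results.append({
            "action": act["action"],
            "ip": act["ip"],
            "audit_serial": best[0] if best else None,
            "comm": syscall_rec.get("comm", "").strip('"') or None,
            "entries": netfilter_rec.get("entries"),
        })
    return results


if __name__ == "__main__":
    for row in correlate(parse_kern_log(KERN_LOG), parse_fail2ban(FAIL2BAN_LOG)):
        print(row)
```

Running it on the full logs from the question would show every `Ban`/`Unban` line between May 1 and May 3 paired with a serial whose `comm` is `iptables`, and the actions during the window in which `auditd` was installed left unmatched. The UTC offset is derived per event rather than hard-coded, so the script also copes with a DST change in the middle of the log.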
Answer 1

Audit entries are generated wherever some server is listening on `audit_log_acct_message`.

As far as I know, syscall 102 is `getuid()`; you can check its usage with `ausyscall 102` (after all of this I'm afraid to install `auditctl` :P).

The audit message isn't invoked by `iptables` itself but from somewhere in the kernel. You can use `audit_enable=0` at startup, or remove it with `audit=0`. However, that doesn't solve the ownership problem (installing `auditctl` may have added this enable trigger to the boot options).

If I were doing the same thing, further investigation would be to check the latest Debian and `grep` through the kernel source for the version shipped with Debian 7.

The kernel parameters documentation says:
audit= [KNL] Enable the audit sub-system
Format: { "0" | "1" } (0 = disabled, 1 = enabled)
0 - kernel audit is disabled and can not be enabled
until the next reboot
unset - kernel audit is initialized but disabled and
will be fully enabled by the userspace auditd.
1 - kernel audit is initialized and partially enabled,
storing at most audit_backlog_limit messages in
RAM until it is fully enabled by the userspace
auditd.
Default: unset
So it wasn't initialized before; removing `auditd` triggers the initialization, and after removal the messages are generated but caught by the kernel... I'm still not sure how to set `audit` disabled in kernel space by rebooting and/or some other way (and rebooting with `boot=0`).