Fail2ban IP가 차단되었지만 여전히 로그인을 시도 중입니다.

모든 것이 괜찮은 것 같습니다. iptables에 차단된 것으로 표시되지만 여전히 인증 시도가 발생합니다.

Fail2ban을 구성했습니다.

# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1/8
bantime  = 864000
maxretry = 3

[ssh]

enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 3

Fail2ban 로그에 차단되었음을 표시합니다.

2016-01-17 06:25:02,218 fail2ban.server : INFO   Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.6
2016-01-17 06:25:03,275 fail2ban.filter : INFO   Log rotation detected for /var/log/auth.log
2016-01-17 06:25:54,330 fail2ban.filter : INFO   Log rotation detected for /var/log/auth.log
2016-01-19 13:21:33,459 fail2ban.actions: WARNING [ssh] xxx.xxx.xxx.xxx already banned
2016-01-19 13:21:45,472 fail2ban.actions: WARNING [ssh] xxx.xxx.xxx.xxx already banned
2016-01-19 13:22:28,522 fail2ban.actions: WARNING [ssh] xxx.xxx.xxx.xxx already banned
2016-01-19 13:22:38,534 fail2ban.actions: WARNING [ssh] xxx.xxx.xxx.xxx already banned
2016-01-19 13:22:53,550 fail2ban.actions: WARNING [ssh] xxx.xxx.xxx.xxx already banned
2016-01-19 13:23:47,609 fail2ban.actions: WARNING [ssh] xxx.xxx.xxx.xxx already banned
2016-01-20 12:58:54,982 fail2ban.actions: WARNING [ssh] xxx.xxx.xxx.xxx already banned
2016-01-20 12:59:41,030 fail2ban.actions: WARNING [ssh] xxx.xxx.xxx.xxx already banned
2016-01-20 12:59:55,046 fail2ban.actions: WARNING [ssh] xxx.xxx.xxx.xxx already banned
2016-01-20 13:00:06,057 fail2ban.actions: WARNING [ssh] xxx.xxx.xxx.xxx already banned
2016-01-20 13:00:37,091 fail2ban.actions: WARNING [ssh] xxx.xxx.xxx.xxx already banned
2016-01-20 13:01:20,137 fail2ban.actions: WARNING [ssh] xxx.xxx.xxx.xxx already banned

iptables-Ln

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
fail2ban-ssh  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 22
fail2ban-ssh  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 22
ACCEPT     tcp  --  0.0.0.0/0            some_IP_I_need        tcp spts:1024:65535 dpt:port_of_websrv state NEW,ESTABLISHED

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  some_IP_I_need        0.0.0.0/0            tcp spts:1024:65535 dpt:port_of_websrv state NEW,ESTABLISHED

Chain fail2ban-ssh (2 references)
target     prot opt source               destination         
DROP       all  --  xxx.xxx.xxx.xxx      0.0.0.0/0           
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

그런데 아직도 일부 인증요청이 있는데 왜 그럴까요?

Jan 20 12:59:55 pdwhost sshd[659439]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xxx.xxx.xxx.xxx  user=root
Jan 20 12:59:55 pdwhost sshd[659441]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xxx.xxx.xxx.xxx  user=root
Jan 20 12:59:57 pdwhost sshd[659439]: Failed password for root from xxx.xxx.xxx.xxx port 43728 ssh2
Jan 20 12:59:57 pdwhost sshd[659439]: fatal: Read from socket failed: Connection reset by peer [preauth]
Jan 20 12:59:57 pdwhost sshd[659441]: Failed password for root from xxx.xxx.xxx.xxx port 43729 ssh2
Jan 20 12:59:57 pdwhost sshd[659441]: fatal: Read from socket failed: Connection reset by peer [preauth]

저는 가능하다면 보통 비표준 포트에서 서비스를 실행합니다. 이 줄은 왜 포트 22(ssh는 다른 포트에 있음)를 표시하는지 궁금합니다. 이 부분을 어딘가에서 변경해야 합니까?

fail2ban-ssh  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 22

그리고 이 IP를 신고하는 것이 의미가 있나요? 욥바 출신.