Fail2ban 不阻止 IP
Fail2ban not blocking IP
我已经安装了 Fail2ban 并试图让它阻止 IP。根据日志,它检测 SSH 扫描并将 IP 地址添加到禁止列表,但我仍然可以从 Internet 上被禁止列表上的测试 IP SSH 登录。
OS = openSUSE Leap 42.2
Fail2ban v0.10.3
jail.local:
[DEFAULT]
ignoreip = 127.0.0.1/8 192.168.1.0/24
ignorecommand =
bantime = 1d
findtime = 600
maxretry = 3
[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
abuseipdb[abuseipdb_apikey="my_key", abuseipdb_category="18,22"]
logpath = /var/log/messages
maxretry = 3
正在获取 IP 地址并表示其已被禁止?
fail2ban.log 文件:
2018-05-01 15:21:59,207 fail2ban.filter [20450]: INFO [ssh-iptables] Found x.x.x.x - 2018-05-01 15:21:59
2018-05-01 15:22:02,315 fail2ban.filter [20450]: INFO [ssh-iptables] Found x.x.x.x - 2018-05-01 15:22:02
2018-05-01 15:22:02,324 fail2ban.filter [20450]: INFO [ssh-iptables] Found x.x.x.x - 2018-05-01 15:22:02
2018-05-01 15:22:02,364 fail2ban.actions [20450]: NOTICE [ssh-iptables] x.x.x.x already banned
fail2ban-client status ssh-iptables 状态
Status for the jail: ssh-iptables
|- Filter
| |- Currently failed: 1
| |- Total failed: 51
| `- File list: /var/log/messages
`- Actions
|- Currently banned: 47
|- Total banned: 437
IP 表的输出:
Chain INPUT (policy ACCEPT)
target prot opt source destination
f2b-SSH tcp -- anywhere anywhere tcp dpt:ssh
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain f2b-SSH (1 references)
target prot opt source destination
除此之外,没有任何内容被发送到 AbuseIPDB。有什么我想念的吗?
我浏览了几个论坛,但似乎无法正常工作。
设法让它工作。重新启动 fail2ban 修复了阻塞问题。很奇怪,因为我重新加载了 fail2ban-client,但没有帮助。必须终止并重新启动服务。
通过更改 jail.local 文件
修复了 Abuseipdb
action = iptables[name=SSH, port=ssh, protocol=tcp]
abuseipdb[abuseipdb_category="18,22"]
首先确定fail2ban是v0.10.0版本,要知道这个输入:
fail2ban-client -V
https://www.abuseipdb.com 的报告功能仅是此版本的原生功能。
如果您有以前的版本,您应该执行以下操作:
sudo nano /etc/fail2ban/action.d/abuseipdb.conf
将linkhttps://github.com/fail2ban/fail2ban/blob/0.11/config/action.d/abuseipdb.conf的内容粘贴到文件中并保存。
然后打开/etc/fail2ban/jail.local,在action =% (action_) s行前粘贴如下内容:
# Report ban via abuseipdb.com.
#
# See action.d / abuseipdb.conf for usage example and details.
#
action_abuseipdb = abuseipdb
然后在你要举报的服务对应的jail中添加如下内容(这里我以brutal force ssh为例):
# Ban IP and report to AbuseIPDB for SSH Brute-Forcing
action =% (action_) s
% (action_abuseipdb) s [abuseipdb_apikey = "my-api-key", abuseipdb_category = "18,22"]
使用您在网站上创建的密钥 abuseipdb 填写 "my-api-key",然后
fail2ban-client reload
如果您有任何疑问,请参考此处:
我已经安装了 Fail2ban 并试图让它阻止 IP。根据日志,它检测 SSH 扫描并将 IP 地址添加到禁止列表,但我仍然可以从 Internet 上被禁止列表上的测试 IP SSH 登录。
OS = openSUSE Leap 42.2
Fail2ban v0.10.3
jail.local:
[DEFAULT]
ignoreip = 127.0.0.1/8 192.168.1.0/24
ignorecommand =
bantime = 1d
findtime = 600
maxretry = 3
[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
abuseipdb[abuseipdb_apikey="my_key", abuseipdb_category="18,22"]
logpath = /var/log/messages
maxretry = 3
正在获取 IP 地址并表示其已被禁止? fail2ban.log 文件:
2018-05-01 15:21:59,207 fail2ban.filter [20450]: INFO [ssh-iptables] Found x.x.x.x - 2018-05-01 15:21:59
2018-05-01 15:22:02,315 fail2ban.filter [20450]: INFO [ssh-iptables] Found x.x.x.x - 2018-05-01 15:22:02
2018-05-01 15:22:02,324 fail2ban.filter [20450]: INFO [ssh-iptables] Found x.x.x.x - 2018-05-01 15:22:02
2018-05-01 15:22:02,364 fail2ban.actions [20450]: NOTICE [ssh-iptables] x.x.x.x already banned
fail2ban-client status ssh-iptables 状态
Status for the jail: ssh-iptables
|- Filter
| |- Currently failed: 1
| |- Total failed: 51
| `- File list: /var/log/messages
`- Actions
|- Currently banned: 47
|- Total banned: 437
IP 表的输出:
Chain INPUT (policy ACCEPT)
target prot opt source destination
f2b-SSH tcp -- anywhere anywhere tcp dpt:ssh
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain f2b-SSH (1 references)
target prot opt source destination
除此之外,没有任何内容被发送到 AbuseIPDB。有什么我想念的吗?
我浏览了几个论坛,但似乎无法正常工作。
设法让它工作。重新启动 fail2ban 修复了阻塞问题。很奇怪,因为我重新加载了 fail2ban-client,但没有帮助。必须终止并重新启动服务。
通过更改 jail.local 文件
修复了 Abuseipdbaction = iptables[name=SSH, port=ssh, protocol=tcp]
abuseipdb[abuseipdb_category="18,22"]
首先确定fail2ban是v0.10.0版本,要知道这个输入:
fail2ban-client -V
https://www.abuseipdb.com 的报告功能仅是此版本的原生功能。
如果您有以前的版本,您应该执行以下操作:
sudo nano /etc/fail2ban/action.d/abuseipdb.conf
将linkhttps://github.com/fail2ban/fail2ban/blob/0.11/config/action.d/abuseipdb.conf的内容粘贴到文件中并保存。
然后打开/etc/fail2ban/jail.local,在action =% (action_) s行前粘贴如下内容:
# Report ban via abuseipdb.com.
#
# See action.d / abuseipdb.conf for usage example and details.
#
action_abuseipdb = abuseipdb
然后在你要举报的服务对应的jail中添加如下内容(这里我以brutal force ssh为例):
# Ban IP and report to AbuseIPDB for SSH Brute-Forcing
action =% (action_) s
% (action_abuseipdb) s [abuseipdb_apikey = "my-api-key", abuseipdb_category = "18,22"]
使用您在网站上创建的密钥 abuseipdb 填写 "my-api-key",然后
fail2ban-client reload
如果您有任何疑问,请参考此处: