digijay's questions

Este é o meu filtro:

[Definition]
failregex = <HOST> .* "POST /customer/account/create.*$
            <HOST> .* "GET /customer/account/create.*$

e esta é a prisão correspondente:

[magento-customer]
enabled = true
port    = http,https
logpath = /var/lib/docker/volumes/shop_example_com_nginx/_data/logs/shop.example.com-access.log
findtime = 5m
maxretry = 5
bantime = 1d
banaction = iptables-multiport[blocktype=DROP]
banaction_allports = iptables-allports[blocktype=DROP]

Os endereços IP parecem ter sido banidos:

2024-03-22 09:57:35,779 fail2ban.filter         [995808]: INFO    [magento-customer] Found 180.178.50.130 - 2024-03-22 09:57:35
2024-03-22 09:57:35,987 fail2ban.filter         [995808]: INFO    [magento-customer] Found 180.178.50.130 - 2024-03-22 09:57:35
2024-03-22 09:57:36,149 fail2ban.filter         [995808]: INFO    [magento-customer] Found 180.178.50.130 - 2024-03-22 09:57:36
2024-03-22 09:57:36,263 fail2ban.filter         [995808]: INFO    [magento-customer] Found 180.178.50.130 - 2024-03-22 09:57:36
2024-03-22 09:57:37,479 fail2ban.filter         [995808]: INFO    [magento-customer] Found 180.178.50.130 - 2024-03-22 09:57:37
2024-03-22 09:57:37,547 fail2ban.filter         [995808]: INFO    [magento-customer] Found 180.178.50.130 - 2024-03-22 09:57:37
2024-03-22 09:57:37,709 fail2ban.actions        [995808]: WARNING [magento-customer] 180.178.50.130 already banned

Resultando nesta entrada iptables:

iptables -L | grep -a "180.178.50.130"
DROP       all  --  180.178.50.130       anywhere

No entanto, recebo constantemente entradas desse IP no nginx.log (os fusos horários são iguais no host e no contêiner do docker):

180.178.50.130 - - [22/Mar/2024:10:02:51 +0100] "POST /customer/account/createpost/ HTTP/1.1" 302 5 "https://shop.example.com/customer/account/create/" "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36"
180.178.50.130 - - [22/Mar/2024:10:02:52 +0100] "POST /customer/account/createpost/ HTTP/1.1" 302 5 "https://shop.example.com/customer/account/create/" "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36"
180.178.50.130 - - [22/Mar/2024:10:02:52 +0100] "GET /customer/account/create/ HTTP/1.1" 200 101026 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
180.178.50.130 - - [22/Mar/2024:10:02:53 +0100] "GET /customer/account/create/ HTTP/1.1" 200 101026 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"

Como você pode ver no logpath acima, estou executando o nginx em um contêiner docker com as portas 80 e 443 expostas diretamente ao host, sem proxy de entrada/reverso em uso:

  nginx:
    […]
    ports:
      - target: 80
        published: 80
        mode: host
      - target: 443
        published: 443
        mode: host

versão fail2ban. 0.11.2 é instalado diretamente no host.

O servidor é o único nó atrás de um gateway de failover, cujo endereço IP é adicionado à interface de rede assim:

ip address add 116.x.y.z/32 dev enp6s0

Os endereços IP do cliente estão sendo recebidos pelo servidor inalterados e iguais aos do contêiner docker nginx.

Aqui está a iptables-savesaída completa:

# iptables-save
# Generated by iptables-save v1.8.7 on Fri Mar 22 14:37:00 2024
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A OUTPUT -p udp -m udp --dport 4789 -m bpf --bytecode "7,32 0 0 4294963252,7 0 0 0,64 0 0 4,116 0 0 8,21 1 0 4097,6 0 0 0,6 0 0 4294967295" -j MARK --set-xmark 0xd0c4e3/0xffffffff
-A OUTPUT -p udp -m udp --dport 4789 -m bpf --bytecode "7,32 0 0 4294963252,7 0 0 0,64 0 0 4,116 0 0 8,21 1 0 4098,6 0 0 0,6 0 0 4294967295" -j MARK --set-xmark 0xd0c4e3/0xffffffff
-A OUTPUT -p udp -m udp --dport 4789 -m bpf --bytecode "7,32 0 0 4294963252,7 0 0 0,64 0 0 4,116 0 0 8,21 1 0 4101,6 0 0 0,6 0 0 4294967295" -j MARK --set-xmark 0xd0c4e3/0xffffffff
-A OUTPUT -p udp -m udp --dport 4789 -m bpf --bytecode "7,32 0 0 4294963252,7 0 0 0,64 0 0 4,116 0 0 8,21 1 0 4099,6 0 0 0,6 0 0 4294967295" -j MARK --set-xmark 0xd0c4e3/0xffffffff
COMMIT
# Completed on Fri Mar 22 14:37:00 2024
# Generated by iptables-save v1.8.7 on Fri Mar 22 14:37:00 2024
*filter
:INPUT DROP [631649:29166339]
:FORWARD DROP [87:4724]
:OUTPUT ACCEPT [34097:2318474]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
:f2b-magento-customer - [0:0]
:ufw-after-forward - [0:0]
:ufw-after-input - [0:0]
:ufw-after-logging-forward - [0:0]
:ufw-after-logging-input - [0:0]
:ufw-after-logging-output - [0:0]
:ufw-after-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-before-input - [0:0]
:ufw-before-logging-forward - [0:0]
:ufw-before-logging-input - [0:0]
:ufw-before-logging-output - [0:0]
:ufw-before-output - [0:0]
:ufw-logging-allow - [0:0]
:ufw-logging-deny - [0:0]
:ufw-not-local - [0:0]
:ufw-reject-forward - [0:0]
:ufw-reject-input - [0:0]
:ufw-reject-output - [0:0]
:ufw-skip-to-policy-forward - [0:0]
:ufw-skip-to-policy-input - [0:0]
:ufw-skip-to-policy-output - [0:0]
:ufw-track-forward - [0:0]
:ufw-track-input - [0:0]
:ufw-track-output - [0:0]
:ufw-user-forward - [0:0]
:ufw-user-input - [0:0]
:ufw-user-limit - [0:0]
:ufw-user-limit-accept - [0:0]
:ufw-user-logging-forward - [0:0]
:ufw-user-logging-input - [0:0]
:ufw-user-logging-output - [0:0]
:ufw-user-output - [0:0]
-A INPUT -p tcp -m multiport --dports 80,443 -j f2b-magento-customer
-A INPUT -p udp -m policy --dir in --pol none -m udp --dport 4789 -m bpf --bytecode "7,32 0 0 4294963252,7 0 0 0,64 0 0 4,116 0 0 8,21 1 0 4099,6 0 0 0,6 0 0 4294967295" -j DROP
-A INPUT -p udp -m policy --dir in --pol none -m udp --dport 4789 -m bpf --bytecode "7,32 0 0 4294963252,7 0 0 0,64 0 0 4,116 0 0 8,21 1 0 4101,6 0 0 0,6 0 0 4294967295" -j DROP
-A INPUT -p udp -m policy --dir in --pol none -m udp --dport 4789 -m bpf --bytecode "7,32 0 0 4294963252,7 0 0 0,64 0 0 4,116 0 0 8,21 1 0 4098,6 0 0 0,6 0 0 4294967295" -j DROP
-A INPUT -p udp -m policy --dir in --pol none -m udp --dport 4789 -m bpf --bytecode "7,32 0 0 4294963252,7 0 0 0,64 0 0 4,116 0 0 8,21 1 0 4097,6 0 0 0,6 0 0 4294967295" -j DROP
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o docker_gwbridge -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker_gwbridge -j DOCKER
-A FORWARD -i docker_gwbridge ! -o docker_gwbridge -j ACCEPT
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-after-logging-forward
-A FORWARD -j ufw-reject-forward
-A FORWARD -j ufw-track-forward
-A FORWARD -i docker_gwbridge -o docker_gwbridge -j DROP
-A OUTPUT -j ufw-before-logging-output
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-after-output
-A OUTPUT -j ufw-after-logging-output
-A OUTPUT -j ufw-reject-output
-A OUTPUT -j ufw-track-output
-A DOCKER -d 172.18.0.7/32 ! -i docker_gwbridge -o docker_gwbridge -p tcp -m tcp --dport 443 -j ACCEPT
-A DOCKER -d 172.18.0.7/32 ! -i docker_gwbridge -o docker_gwbridge -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i docker_gwbridge ! -o docker_gwbridge -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o docker_gwbridge -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
-A f2b-magento-customer -s 103.242.14.161/32 -j DROP
-A f2b-magento-customer -s 103.242.14.156/32 -j DROP
-A f2b-magento-customer -s 103.242.14.239/32 -j DROP
-A f2b-magento-customer -s 103.242.14.222/32 -j DROP
-A f2b-magento-customer -s 154.12.26.174/32 -j DROP
-A f2b-magento-customer -s 154.12.84.126/32 -j DROP
-A f2b-magento-customer -s 154.12.26.164/32 -j DROP
-A f2b-magento-customer -s 154.12.84.68/32 -j DROP
-A f2b-magento-customer -s 103.116.247.155/32 -j DROP
-A f2b-magento-customer -s 103.108.67.209/32 -j DROP
-A f2b-magento-customer -s 154.12.23.218/32 -j DROP
-A f2b-magento-customer -s 52.128.224.138/32 -j DROP
-A f2b-magento-customer -s 148.66.23.226/32 -j DROP
-A f2b-magento-customer -s 182.16.79.226/32 -j DROP
-A f2b-magento-customer -s 182.16.20.194/32 -j DROP
-A f2b-magento-customer -s 180.178.45.18/32 -j DROP
-A f2b-magento-customer -s 52.128.224.146/32 -j DROP
-A f2b-magento-customer -s 182.16.82.146/32 -j DROP
-A f2b-magento-customer -s 148.66.23.58/32 -j DROP
-A f2b-magento-customer -s 148.66.23.42/32 -j DROP
-A f2b-magento-customer -s 182.16.9.186/32 -j DROP
-A f2b-magento-customer -s 111.68.6.66/32 -j DROP
-A f2b-magento-customer -s 111.68.10.170/32 -j DROP
-A f2b-magento-customer -s 112.121.165.90/32 -j DROP
-A f2b-magento-customer -s 216.118.233.234/32 -j DROP
-A f2b-magento-customer -s 112.121.165.34/32 -j DROP
-A f2b-magento-customer -s 180.178.44.242/32 -j DROP
-A f2b-magento-customer -s 180.178.50.130/32 -j DROP
-A f2b-magento-customer -s 182.16.44.42/32 -j DROP
-A f2b-magento-customer -s 52.128.230.50/32 -j DROP
-A f2b-magento-customer -s 52.128.247.66/32 -j DROP
-A f2b-magento-customer -s 112.121.172.98/32 -j DROP
-A f2b-magento-customer -s 148.66.20.122/32 -j DROP
-A f2b-magento-customer -s 154.12.93.254/32 -j DROP
-A f2b-magento-customer -j RETURN
-A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
-A ufw-after-logging-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-forward -j ufw-user-forward
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
-A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A ufw-before-input -j ufw-not-local
-A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
-A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
-A ufw-before-input -j ufw-user-input
-A ufw-before-output -o lo -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -j ufw-user-output
-A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
-A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN
-A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
-A ufw-skip-to-policy-forward -j DROP
-A ufw-skip-to-policy-input -j DROP
-A ufw-skip-to-policy-output -j ACCEPT
-A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 32 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 32 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 80 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 443 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 443 -j ACCEPT
-A ufw-user-input -s 78.46.38.201/32 -p tcp -m tcp --dport 5666 -j ACCEPT
-A ufw-user-input -s 78.46.38.201/32 -p udp -m udp --dport 5666 -j ACCEPT
-A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
-A ufw-user-limit-accept -j ACCEPT
COMMIT
# Completed on Fri Mar 22 14:37:00 2024
# Generated by iptables-save v1.8.7 on Fri Mar 22 14:37:00 2024
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.18.0.0/16 ! -o docker_gwbridge -j MASQUERADE
-A POSTROUTING -s 172.18.0.7/32 -d 172.18.0.7/32 -p tcp -m tcp --dport 443 -j MASQUERADE
-A POSTROUTING -s 172.18.0.7/32 -d 172.18.0.7/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER -i docker_gwbridge -j RETURN
-A DOCKER ! -i docker_gwbridge -p tcp -m tcp --dport 443 -j DNAT --to-destination 172.18.0.7:443
-A DOCKER ! -i docker_gwbridge -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.18.0.7:80
COMMIT
# Completed on Fri Mar 22 14:37:00 2024

O que devo fazer para que os endereços IP sejam banidos? Isso já não deveria acontecer quando o endereço está sendo descartado pelo iptables no host?

Eu tenho um contêiner docker Debian 11 no qual o sendmail v. 8.15.2 está instalado como MTA. Infelizmente, spamhaus.org colocou o IP do host na lista negra porque o cabeçalho HELO dos e-mails enviados deste contêiner contém o endereço IP local do contêiner do docker. A mensagem é:

{Host IP} está fazendo conexões SMTP com valores HELO que usam um endereço IP simples.

Seguindo outras respostas aqui, tentei adicionar o seguinte ao /etc/mail/sendmail.mc:

define(`confDOMAIN_NAME', `my-domain.example.com')dnl
define(`confHELO_NAME', `my-domain.example.com')dnl

e então

m4 sendmail.mc > sendmail.cf
service sendmail restart

que converte isso em

Djmy-domain.example.com
O HeloName=my-domain.example.com

em sendmail.cf. Mas sem sucesso, ao enviar um e-mail de teste ainda recebo

echo "Subject: sendmail test" | sendmail -v -f "[email protected]" [email protected]
…
050 250-STARTTLS
050 250 Ok
050 >>> STARTTLS
050 220 Ready to start TLS
050 >>> EHLO 10.0.1.248
…

Descobri então que também deveria adicionar o domínio do remetente desejado /etc/mail/local-host-names(reiniciando o serviço sendmail novamente), mas isso também não parece mudar nada. O mesmo que adicionar o nome de domínio /etc/hostscomo um loopback alternativo

127.0.1.1 my-domain.example.com

ou adicionando o domínio a /etc/mailname.

Alguém poderia me indicar uma solução?

Configurei um ha-cluster pacemaker/corosync em uma configuração de failover com dois nós: produtivo e em espera. Existem três partições DRBD. Tudo funciona bem até agora.

Estou usando o Nagios NRPE em ambos os nós para monitorar o servidor com icinga2 como ferramenta de relatório e visualização. Agora, como as partições DRBD no nó de espera não são montadas até que haja um switch de failover, sempre recebo avisos críticos para estes:

Portanto, este é um alerta falso. Eu já me deparei com DISABLE_SVC_CHECK e tentei implementá-lo, aqui está um exemplo:

echo "[`date +%s`] DISABLE_SVC_CHECK;$host_name;$service_name" >> "/var/run/icinga2/cmd/icinga2.cmd"

Não existe uma maneira fácil/prática recomendada para desabilitar essa verificação para DRBD no nó de espera no Nagios ou no Icinga2? É claro que quero que essa verificação entre em vigor para o modo de espera após um failover.

Eu tenho um servidor remoto executando o servidor Ubuntu 16.04 que trava na inicialização. Para encontrar o erro, inicializei-o no modo de recuperação, montei os dispositivos em /mnt e fiz chroot em /mnt.

Aqui está o que eu fiz até agora:

root@rescue ~ # mount /dev/md2 /mnt
root@rescue ~ # mount /dev /mnt/dev
root@rescue ~ # mount /dev/pts /mnt/dev/pts
root@rescue ~ # mount /proc /mnt/proc
root@rescue ~ # mount /sys /mnt/sys
root@rescue ~ # chroot /mnt

Agora, quando tento ler o log de inicialização usando journalctl, recebo

root@rescue ~ # journalctl
No journal files were found.
-- No entries --

Alguma sugestão de como obter as entradas do log de inicialização? Por falar nisso. não há /var/log/boot.log