Accepted
Moso
Asked: 2022-04-18 06:28:47 +0800 CST

fail2ban seems to be working, but the server still receives connection attempts


The fail2ban mystery!

Everything seems to be running fine and to be configured correctly, but the server still receives connection attempts.

[moso@matrix ~]$ sudo systemctl status fail2ban
● fail2ban.service - Fail2Ban Service
     Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; vendor preset: disabled)
     Active: active (running) since Sat 2022-04-16 22:10:45 -03; 13h ago
       Docs: man:fail2ban(1)
    Process: 332 ExecStartPre=/bin/mkdir -p /run/fail2ban (code=exited, status=0/SUCCESS)
   Main PID: 335 (fail2ban-server)
      Tasks: 5 (limit: 19183)
     Memory: 17.9M
        CPU: 1min 945ms
     CGroup: /system.slice/fail2ban.service
             └─335 /usr/bin/python /usr/bin/fail2ban-server -xf start

Apr 16 22:10:45 matrix systemd[1]: Starting Fail2Ban Service...
Apr 16 22:10:45 matrix systemd[1]: Started Fail2Ban Service.
Apr 16 22:10:45 matrix fail2ban-server[335]: Server ready

[moso@matrix ~]$ sudo cat /etc/fail2ban/jail.d/sshd.local
[sshd]
  enabled   = true
  filter    = sshd
  banaction = iptables
  backend   = systemd
  maxretry  = 3
  findtime  = 1d
  bantime   = 2w
  ignoreip  = 127.0.0.1/8 x1.y1.z1.w1/32 x2.y2.z2.w2/32

[moso@matrix ~]$ sudo fail2ban-client status sshd
Status for the jail: sshd
|- Filter
| |- Currently failed: 1
| |- Total failed: 10
| `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
|- Currently banned: 1
|- Total banned: 1
`- Banned IP list: 179.43.156.154

[moso@matrix ~]$ sudo iptables -L -n | grep 179.43.156.154
REJECT all -- 179.43.156.154 0.0.0.0/0 reject-with icmp-port-unreachable

[moso@matrix ~]$ sudo cat /var/log/fail2ban.log
2022-04-16 22:10:45,655 fail2ban.server [335]: INFO Starting Fail2ban v0.11.2
2022-04-16 22:10:45,657 fail2ban.observer [335]: INFO Observer start...
2022-04-16 22:10:45,667 fail2ban.database [335]: INFO Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2022-04-16 22:10:45,670 fail2ban.database [335]: WARNING New database created. Version '4'
2022-04-16 22:10:45,670 fail2ban.jail [335]: INFO Creating new jail 'sshd'
2022-04-16 22:10:45,706 fail2ban.jail [335]: INFO Jail 'sshd' uses systemd {}
2022-04-16 22:10:45,706 fail2ban.jail [335]: INFO Initiated 'systemd' backend
2022-04-16 22:10:45,707 fail2ban.filter [335]: INFO maxLines: 1
2022-04-16 22:10:45,723 fail2ban.filtersystemd [335]: INFO [sshd] Added journal match for: '_SYSTEMD_UNIT=sshd.service + _COMM=sshd'
2022-04-16 22:10:45,723 fail2ban.filter [335]: INFO maxRetry: 3
2022-04-16 22:10:45,723 fail2ban.filter [335]: INFO findtime: 86400
2022-04-16 22:10:45,724 fail2ban.actions [335]: INFO banTime: 1209600
2022-04-16 22:10:45,724 fail2ban.filter [335]: INFO encoding: UTF-8
2022-04-16 22:10:45,725 fail2ban.jail [335]: INFO Jail 'sshd' started
2022-04-16 22:53:09,239 fail2ban.filter [335]: INFO [sshd] Found 179.43.156.154 - 2022-04-16 22:53:08
2022-04-17 00:33:22,995 fail2ban.filter [335]: INFO [sshd] Found 179.43.156.154 - 2022-04-17 00:33:22
2022-04-17 01:31:38,980 fail2ban.filter [335]: INFO [sshd] Found 179.43.156.154 - 2022-04-17 01:31:38
2022-04-17 01:31:39,266 fail2ban.actions [335]: NOTICE [sshd] Ban 179.43.156.154
2022-04-17 02:58:45,765 fail2ban.filter [335]: INFO [sshd] Found 179.43.156.154 - 2022-04-17 02:58:45
2022-04-17 05:40:59,243 fail2ban.filter [335]: INFO [sshd] Found 179.43.156.154 - 2022-04-17 05:40:58
2022-04-17 07:13:51,766 fail2ban.filter [335]: INFO [sshd] Found 179.43.156.154 - 2022-04-17 07:13:51
2022-04-17 07:13:52,130 fail2ban.actions [335]: WARNING [sshd] 179.43.156.154 already banned
2022-04-17 07:49:33,667 fail2ban.filter [335]: INFO [sshd] Found 179.43.156.154 - 2022-04-17 07:49:33
2022-04-17 08:20:44,205 fail2ban.filter [335]: INFO [sshd] Found 179.43.156.154 - 2022-04-17 08:20:44
2022-04-17 08:44:07,980 fail2ban.filter [335]: INFO [sshd] Found 179.43.156.154 - 2022-04-17 08:44:07
2022-04-17 08:44:08,129 fail2ban.actions [335]: WARNING [sshd] 179.43.156.154 already banned
2022-04-17 09:44:54,464 fail2ban.filter [335]: INFO [sshd] Found 179.43.156.154 - 2022-04-17 09:44:54
...

[moso@matrix ~]$ journalctl _SYSTEMD_UNIT=sshd.service
Apr 16 22:10:15 matrix sshd[151093]: Received signal 15; terminating.
-- Boot aa222dfff23f467ab30cd5125c7c3a55 --
Apr 16 22:10:45 matrix sshd[333]: Server listening on 0.0.0.0 port 2206.
Apr 16 22:53:08 matrix sshd[656]: Connection from 179.43.156.154 port 40138 on 38.105.209.109 port 2206 rdomain ""
Apr 16 22:53:08 matrix sshd[656]: Invalid user root root from 179.43.156.154 port 40138
Apr 16 22:53:08 matrix sshd[656]: Connection closed by invalid user root root 179.43.156.154 port 40138 [preauth]
Apr 17 00:33:22 matrix sshd[685]: Connection from 179.43.156.154 port 34498 on 38.105.209.109 port 2206 rdomain ""
Apr 17 00:33:22 matrix sshd[685]: Invalid user root root from 179.43.156.154 port 34498
Apr 17 00:33:22 matrix sshd[685]: Connection closed by invalid user root root 179.43.156.154 port 34498 [preauth]
Apr 17 01:31:38 matrix sshd[699]: Connection from 179.43.156.154 port 59372 on 38.105.209.109 port 2206 rdomain ""
Apr 17 01:31:38 matrix sshd[699]: Invalid user root root from 179.43.156.154 port 59372
Apr 17 01:31:38 matrix sshd[699]: Connection closed by invalid user root root 179.43.156.154 port 59372 [preauth]
Apr 17 02:58:44 matrix sshd[722]: Connection from 179.43.156.154 port 57448 on 38.105.209.109 port 2206 rdomain ""
Apr 17 02:58:45 matrix sshd[722]: Invalid user root root from 179.43.156.154 port 57448
Apr 17 02:58:45 matrix sshd[722]: Connection closed by invalid user root root 179.43.156.154 port 57448 [preauth]
Apr 17 05:40:58 matrix sshd[760]: Connection from 179.43.156.154 port 54992 on 38.105.209.109 port 2206 rdomain ""
Apr 17 05:40:58 matrix sshd[760]: Invalid user root root from 179.43.156.154 port 54992
Apr 17 05:40:58 matrix sshd[760]: Connection closed by invalid user root root 179.43.156.154 port 54992 [preauth]
Apr 17 07:13:51 matrix sshd[777]: Connection from 179.43.156.154 port 59646 on 38.105.209.109 port 2206 rdomain ""
Apr 17 07:13:51 matrix sshd[777]: Invalid user root root from 179.43.156.154 port 59646
Apr 17 07:13:51 matrix sshd[777]: Connection closed by invalid user root root 179.43.156.154 port 59646 [preauth]
Apr 17 07:49:33 matrix sshd[789]: Connection from 179.43.156.154 port 33684 on 38.105.209.109 port 2206 rdomain ""
Apr 17 07:49:33 matrix sshd[789]: Invalid user root root from 179.43.156.154 port 33684
Apr 17 07:49:33 matrix sshd[789]: Connection closed by invalid user root root 179.43.156.154 port 33684 [preauth]
Apr 17 08:20:43 matrix sshd[801]: Connection from 179.43.156.154 port 55522 on 38.105.209.109 port 2206 rdomain ""
Apr 17 08:20:44 matrix sshd[801]: Invalid user root root from 179.43.156.154 port 55522
Apr 17 08:20:44 matrix sshd[801]: Connection closed by invalid user root root 179.43.156.154 port 55522 [preauth]
Apr 17 08:44:07 matrix sshd[805]: Connection from 179.43.156.154 port 39862 on 38.105.209.109 port 2206 rdomain ""
Apr 17 08:44:07 matrix sshd[805]: Invalid user root root from 179.43.156.154 port 39862
Apr 17 08:44:07 matrix sshd[805]: Connection closed by invalid user root root 179.43.156.154 port 39862 [preauth]
Apr 17 09:44:54 matrix sshd[822]: Connection from 179.43.156.154 port 42592 on 38.105.209.109 port 2206 rdomain ""
Apr 17 09:44:54 matrix sshd[822]: Invalid user root root from 179.43.156.154 port 42592
Apr 17 09:44:54 matrix sshd[822]: Connection closed by invalid user root root 179.43.156.154 port 42592 [preauth]
...

Why does the IP 179.43.156.154 keep trying to connect, if fail2ban appears to be working and any connection from 179.43.156.154 should be rejected? (See the iptables output above.)

linux ssh iptables fail2ban

1 Answer

Best Answer
Moso
2022-04-24T10:34:37+08:00

The problem was... me!

I wrongly assumed that fail2ban banned on the detected port (2206, as shown above).

The other thing that led me to the wrong conclusion was sudo iptables -L -n | grep 179.43.156.154.

REJECT all -- 179.43.156.154 0.0.0.0/0 reject-with icmp-port-unreachable

I did not consider which chain the rule is in...

Just adding one line with the port I use for sshd, and the problem (caused by me) was solved.

[peracchi@matrix ~]$ cat /etc/fail2ban/jail.d/sshd.local
[sshd]
  enabled   = true
  filter    = sshd
  port      = 2206
  banaction = iptables
  backend   = systemd
  maxretry  = 5
  findtime  = 1d
  bantime   = 30d
  ignoreip  = 127.0.0.1/8 a.b.c.d/32 x.y.z.w/32

"It is impossible for a man to learn what he thinks he already knows." - Epictetus
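The pitfall in this answer is that grep over iptables -L -n shows the REJECT line but not which chain it lives in or which destination port jumps into that chain. As an added example (not code from the original post or from fail2ban), the Python below parses iptables -S output and answers the question the asker should have asked: is this IP actually rejected on the port sshd listens on? The rule dumps are constructed to mirror the layout fail2ban's iptables banaction creates (a f2b-sshd chain hooked into INPUT for the jail's port, which defaults to 22 when port is not set); the script file name in the usage comment is an assumption.

```python
"""Check whether a fail2ban iptables ban really covers the port sshd listens on (added example)."""
import re

# Constructed `iptables -S` dump: the state from the question. The jail has no
# `port` setting, so fail2ban hooks its chain into INPUT for the default ssh port 22 only.
RULES_PORT_22 = """\
-P INPUT ACCEPT
-N f2b-sshd
-A INPUT -p tcp -m tcp --dport 22 -j f2b-sshd
-A f2b-sshd -s 179.43.156.154/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -j RETURN
"""

# Constructed dump: the state after adding `port = 2206` to the jail.
RULES_PORT_2206 = RULES_PORT_22.replace("--dport 22 ", "--dport 2206 ")

# Accept both the `iptables` action form (-m tcp --dport) and the multiport form (-m multiport --dports).
JUMP_RE = re.compile(r"^-A (\S+) -p tcp (?:-m tcp --dport|-m multiport --dports) (\S+) -j (\S+)$")
BAN_RE = re.compile(r"^-A (\S+) -s (\S+) -j (?:REJECT|DROP)\b")


def parse_rules(dump):
    """Split an `iptables -S` dump into (chain, ports, target) jumps and (chain, ip) ban rules."""
    jumps, bans = [], []
    for line in dump.splitlines():
        m = JUMP_RE.match(line)
        if m:
            chain, dports, target = m.groups()
            ports = set()
            for part in dports.split(","):          # port syntax: 22, 22,2206 or 6000:6010
                lo, _, hi = part.partition(":")
                ports.update(range(int(lo), int(hi or lo) + 1))
            jumps.append((chain, ports, target))
            continue
        m = BAN_RE.match(line)
        if m:
            bans.append((m.group(1), m.group(2).split("/")[0]))  # strip the /32 suffix
    return jumps, bans


def is_blocked(dump, ip, port):
    """True if `ip` is rejected/dropped in a chain that INPUT jumps to for TCP `port`."""
    jumps, bans = parse_rules(dump)
    # Only direct INPUT -> chain jumps are followed; that is enough for fail2ban's layout.
    reachable = {t for chain, ports, t in jumps if chain == "INPUT" and port in ports}
    return any(chain in reachable and banned == ip for chain, banned in bans)


if __name__ == "__main__":  # usage (assumed file name): sudo iptables -S | python3 f2b_port_check.py 179.43.156.154 2206
    import sys
    print(is_blocked(sys.stdin.read(), sys.argv[1], int(sys.argv[2])))
```

Run against the constructed dumps, the banned IP is blocked on port 22 but not on 2206 until the jail's port is set, which is exactly the behaviour observed in the question.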
