I am trying to enable fail2ban with Apache on CentOS 7. I have an application that writes a specific string to the error log when a login fails.
fail2ban responds with the correct IP address in the banned IP list:
> fail2ban-client status appname
Status for the jail: appname
|- Filter
| |- Currently failed: 1
| |- Total failed: 7
| `- File list: /var/log/httpd/api.appname-error.log
`- Actions
|- Currently banned: 1
|- Total banned: 3
`- Banned IP list: 10.50.0.68
But when I look at iptables, I see that it is blocking all incoming traffic in line 1, the line corresponding to my application.
Edit: added more detailed iptables output at the bottom of the question.
> iptables -L INPUT --line-numbers
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 REJECT tcp -- anywhere anywhere multiport dports https,http match-set f2b-appname src reject-with icmp-port-unreachable
2 ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
3 ACCEPT all -- anywhere anywhere
4 INPUT_direct all -- anywhere anywhere
5 INPUT_ZONES_SOURCE all -- anywhere anywhere
6 INPUT_ZONES all -- anywhere anywhere
7 DROP all -- anywhere anywhere ctstate INVALID
8 REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
This is my filter, /etc/fail2ban/filter.d/appname.conf:
[Definition]
failregex = client <HOST>(.*)fail2ban\-appname\-login\-fail
jail.local is short:
[DEFAULT]
bantime = 1200
findtime = 3600
maxmatches = 4
[appname]
enabled = true
filter = appname
action = iptables-ipset-proto6[name=appname, port="https,http", protocol=tcp]
logpath = /var/log/httpd/api.appname-error.log
maxretry = 3
mode = normal
backend = auto
A typical line in the Apache PHP log file:
[Sun Nov 26 10:22:31.255875 2023] [php7:notice] [pid 1837] [client 10.50.0.68:36530] fail2ban-appname-login-fail
More detailed iptables output:
> sudo iptables-save -c
# Generated by iptables-save v1.4.21 on Mon Nov 27 07:42:05 2023
*nat
:PREROUTING ACCEPT [18229:1086560]
:INPUT ACCEPT [17668:1053268]
:OUTPUT ACCEPT [10696:675656]
:POSTROUTING ACCEPT [10696:675656]
:OUTPUT_direct - [0:0]
:POSTROUTING_ZONES - [0:0]
:POSTROUTING_ZONES_SOURCE - [0:0]
:POSTROUTING_direct - [0:0]
:POST_public - [0:0]
:POST_public_allow - [0:0]
:POST_public_deny - [0:0]
:POST_public_log - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
[18230:1087136] -A PREROUTING -j PREROUTING_direct
[18230:1087136] -A PREROUTING -j PREROUTING_ZONES_SOURCE
[18230:1087136] -A PREROUTING -j PREROUTING_ZONES
[10696:675656] -A OUTPUT -j OUTPUT_direct
[10696:675656] -A POSTROUTING -j POSTROUTING_direct
[10696:675656] -A POSTROUTING -j POSTROUTING_ZONES_SOURCE
[10696:675656] -A POSTROUTING -j POSTROUTING_ZONES
[2972:212273] -A POSTROUTING_ZONES -o eth0 -g POST_public
[7724:463383] -A POSTROUTING_ZONES -g POST_public
[10696:675656] -A POST_public -j POST_public_log
[10696:675656] -A POST_public -j POST_public_deny
[10696:675656] -A POST_public -j POST_public_allow
[18229:1086560] -A PREROUTING_ZONES -i eth0 -g PRE_public
[1:576] -A PREROUTING_ZONES -g PRE_public
[18230:1087136] -A PRE_public -j PRE_public_log
[18230:1087136] -A PRE_public -j PRE_public_deny
[18230:1087136] -A PRE_public -j PRE_public_allow
COMMIT
# Completed on Mon Nov 27 07:42:05 2023
# Generated by iptables-save v1.4.21 on Mon Nov 27 07:42:05 2023
*mangle
:PREROUTING ACCEPT [315975:53668565]
:INPUT ACCEPT [315975:53668565]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [301701:219207592]
:POSTROUTING ACCEPT [301701:219207592]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
:POSTROUTING_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
[315976:53669141] -A PREROUTING -j PREROUTING_direct
[315976:53669141] -A PREROUTING -j PREROUTING_ZONES_SOURCE
[315976:53669141] -A PREROUTING -j PREROUTING_ZONES
[315975:53668565] -A INPUT -j INPUT_direct
[0:0] -A FORWARD -j FORWARD_direct
[301701:219207592] -A OUTPUT -j OUTPUT_direct
[301701:219207592] -A POSTROUTING -j POSTROUTING_direct
[170984:20172057] -A PREROUTING_ZONES -i eth0 -g PRE_public
[144992:33497084] -A PREROUTING_ZONES -g PRE_public
[315976:53669141] -A PRE_public -j PRE_public_log
[315976:53669141] -A PRE_public -j PRE_public_deny
[315976:53669141] -A PRE_public -j PRE_public_allow
COMMIT
# Completed on Mon Nov 27 07:42:05 2023
# Generated by iptables-save v1.4.21 on Mon Nov 27 07:42:05 2023
*security
:INPUT ACCEPT [315132:53613699]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [301701:219207592]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
[315132:53613699] -A INPUT -j INPUT_direct
[0:0] -A FORWARD -j FORWARD_direct
[301701:219207592] -A OUTPUT -j OUTPUT_direct
COMMIT
# Completed on Mon Nov 27 07:42:05 2023
# Generated by iptables-save v1.4.21 on Mon Nov 27 07:42:05 2023
*raw
:PREROUTING ACCEPT [315975:53668565]
:OUTPUT ACCEPT [301701:219207592]
:OUTPUT_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
[315976:53669141] -A PREROUTING -j PREROUTING_direct
[315976:53669141] -A PREROUTING -j PREROUTING_ZONES_SOURCE
[315976:53669141] -A PREROUTING -j PREROUTING_ZONES
[301701:219207592] -A OUTPUT -j OUTPUT_direct
[170984:20172057] -A PREROUTING_ZONES -i eth0 -g PRE_public
[144992:33497084] -A PREROUTING_ZONES -g PRE_public
[315976:53669141] -A PRE_public -j PRE_public_log
[315976:53669141] -A PRE_public -j PRE_public_deny
[315976:53669141] -A PRE_public -j PRE_public_allow
COMMIT
# Completed on Mon Nov 27 07:42:05 2023
# Generated by iptables-save v1.4.21 on Mon Nov 27 07:42:05 2023
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [132432:168012162]
:FORWARD_IN_ZONES - [0:0]
:FORWARD_IN_ZONES_SOURCE - [0:0]
:FORWARD_OUT_ZONES - [0:0]
:FORWARD_OUT_ZONES_SOURCE - [0:0]
:FORWARD_direct - [0:0]
:FWDI_public - [0:0]
:FWDI_public_allow - [0:0]
:FWDI_public_deny - [0:0]
:FWDI_public_log - [0:0]
:FWDO_public - [0:0]
:FWDO_public_allow - [0:0]
:FWDO_public_deny - [0:0]
:FWDO_public_log - [0:0]
:INPUT_ZONES - [0:0]
:INPUT_ZONES_SOURCE - [0:0]
:INPUT_direct - [0:0]
:IN_public - [0:0]
:IN_public_allow - [0:0]
:IN_public_deny - [0:0]
:IN_public_log - [0:0]
:OUTPUT_direct - [0:0]
[459:26548] -A INPUT -p tcp -m multiport --dports 443,80 -m set --match-set f2b-appname src -j REJECT --reject-with icmp-port-unreachable
[289740:52097048] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[7724:463383] -A INPUT -i lo -j ACCEPT
[17676:1053754] -A INPUT -j INPUT_direct
[17676:1053754] -A INPUT -j INPUT_ZONES_SOURCE
[17676:1053754] -A INPUT -j INPUT_ZONES
[8:486] -A INPUT -m conntrack --ctstate INVALID -j DROP
[0:0] -A INPUT -j REJECT --reject-with icmp-host-prohibited
[0:0] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -i lo -j ACCEPT
[0:0] -A FORWARD -j FORWARD_direct
[0:0] -A FORWARD -j FORWARD_IN_ZONES_SOURCE
[0:0] -A FORWARD -j FORWARD_IN_ZONES
[0:0] -A FORWARD -j FORWARD_OUT_ZONES_SOURCE
[0:0] -A FORWARD -j FORWARD_OUT_ZONES
[0:0] -A FORWARD -m conntrack --ctstate INVALID -j DROP
[0:0] -A FORWARD -j REJECT --reject-with icmp-host-prohibited
[144991:33496508] -A OUTPUT -o lo -j ACCEPT
[156710:185711084] -A OUTPUT -j OUTPUT_direct
[0:0] -A FORWARD_IN_ZONES -i eth0 -g FWDI_public
[0:0] -A FORWARD_IN_ZONES -g FWDI_public
[0:0] -A FORWARD_OUT_ZONES -o eth0 -g FWDO_public
[0:0] -A FORWARD_OUT_ZONES -g FWDO_public
[0:0] -A FWDI_public -j FWDI_public_log
[0:0] -A FWDI_public -j FWDI_public_deny
[0:0] -A FWDI_public -j FWDI_public_allow
[0:0] -A FWDI_public -p icmp -j ACCEPT
[0:0] -A FWDO_public -j FWDO_public_log
[0:0] -A FWDO_public -j FWDO_public_deny
[0:0] -A FWDO_public -j FWDO_public_allow
[17676:1053754] -A INPUT_ZONES -i eth0 -g IN_public
[0:0] -A INPUT_ZONES -g IN_public
[17676:1053754] -A IN_public -j IN_public_log
[17676:1053754] -A IN_public -j IN_public_deny
[17676:1053754] -A IN_public -j IN_public_allow
[0:0] -A IN_public -p icmp -j ACCEPT
[11:660] -A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
[17651:1052260] -A IN_public_allow -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
[6:348] -A IN_public_allow -p tcp -m tcp --dport 3306 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
COMMIT
# Completed on Mon Nov 27 07:42:05 2023
I expected the IP address to appear under "source" in iptables -L INPUT --line-numbers, but was surprised to see "anywhere" instead.
I don't understand: if fail2ban shows my IP address in the banned IP list, why doesn't it use only that IP address in iptables?
How can I diagnose or correct this?
Thank you!
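To see what the filter and jail settings in the question actually do with that log line, here is the matching and counting logic replayed in Python. This is an added illustration, not code from the question or from fail2ban itself; the expansion of <HOST> is a simplified assumption, and the log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified stand-in for fail2ban's <HOST> expansion (assumption: good enough
# for the IPv4 addresses seen in the question; IPv6-mapped prefixes ignored).
HOST_RE = r"(?P<host>[\w\-.^_]*\w)"
# The question's failregex with <HOST> substituted.
FAILREGEX = re.compile(r"client " + HOST_RE + r"(.*)fail2ban\-appname\-login\-fail")
# Apache error_log timestamp, e.g. [Sun Nov 26 10:22:31.255875 2023]
TS_RE = re.compile(r"^\[(\w{3} \w{3} +\d+ \d\d:\d\d:\d\d\.\d+ \d{4})\]")

# Constructed sample log: the question's line plus a few invented ones.
SAMPLE_LOG = """\
[Sun Nov 26 10:22:31.255875 2023] [php7:notice] [pid 1837] [client 10.50.0.68:36530] fail2ban-appname-login-fail
[Sun Nov 26 10:22:40.000000 2023] [php7:notice] [pid 1837] [client 10.50.0.68:36531] fail2ban-appname-login-fail
[Sun Nov 26 10:23:02.000000 2023] [php7:notice] [pid 1838] [client 10.50.0.99:40000] fail2ban-appname-login-fail
[Sun Nov 26 10:23:05.000000 2023] [php7:notice] [pid 1837] [client 10.50.0.68:36532] fail2ban-appname-login-fail
[Sun Nov 26 10:23:09.000000 2023] [php7:notice] [pid 1837] [client 10.50.0.68:36533] some other notice
""".splitlines()

def parse_line(line):
    """Return (timestamp, host) if the line matches the filter, else None."""
    m = FAILREGEX.search(line)
    if not m:
        return None
    ts = TS_RE.match(line)
    when = datetime.strptime(ts.group(1), "%a %b %d %H:%M:%S.%f %Y") if ts else None
    return when, m.group("host")

def run_jail(lines, maxretry=3, findtime=3600, bantime=1200):
    """Replay log lines through a jail using the question's parameters.
    Returns the ban decisions as a list of (time, host), in order."""
    recent = defaultdict(deque)   # host -> timestamps of failures inside findtime
    banned_until = {}
    bans = []
    for line in lines:
        hit = parse_line(line)
        if hit is None:
            continue
        when, host = hit
        q = recent[host]
        q.append(when)
        while q and (when - q[0]) > timedelta(seconds=findtime):
            q.popleft()               # forget failures older than findtime
        active = banned_until.get(host)
        if len(q) >= maxretry and (active is None or when >= active):
            banned_until[host] = when + timedelta(seconds=bantime)
            bans.append((when, host))
            q.clear()
    return bans
```

Only 10.50.0.68 reaches maxretry inside findtime, so it is the only host the jail would hand to the ipset action; 10.50.0.99 has one failure and stays unbanned.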
This line:
is equivalent to:
If all the matches evaluate to true, the target (introduced by -j) is executed. If any match evaluates to false, processing of the rule stops before reaching the target and continues with the next rule. Having an additional condition such as "and also match any IP source address", which would be -s 0.0.0.0/0, or "and also match any IP destination address" (-d 0.0.0.0/0), is always true and does not change the result (logic: (x AND true) <=> x). This case is so common that, although iptables (when it is still iptables-legacy) used to always store such source and destination information even when it is 0.0.0.0/0, it is not displayed in the rule set outputs intended to be reproducible (iptables-save or iptables -S), but it still shows up as anywhere in iptables -L, because that output has a fixed column for this information anyway.
What matters here is the ipset seen in fail2ban's configuration:
which adds the IP addresses retrieved from the logs (when the conditions on such logs apply, etc., usually on errors)...
... and the associated match module -m set in the iptables rule:
This rule says that for incoming packets with destination TCP port 443 or 80 (otherwise, nothing further), the source address is looked up in the ipset set f2b-appname and, if found, the rule evaluates to true, leading to the terminal (no further processing) target REJECT: banned; otherwise processing continues with the next rule in the rule set.
This means fail2ban uses the ipset command to add IP entries to the IP set, which iptables can then check (during the packet path), reacting to any match by rejecting it. So to check what has been added, run:
or, more precisely, if there are others:
which should end with something like:
Notes:
iptables-ipset-proto6, despite its name, handles both IPv4 and IPv6 (check /etc/fail2ban/action.d/iptables-ipset-proto6.conf -> iptables-ipset.conf to see how each protocol is handled differently).
ipset accepts subcommands with or without a leading --, for historical reasons.
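To make the answer's point concrete, here is the INPUT rule from the question's iptables-save output parsed and evaluated against sample packets in Python, with the ipset membership supplied as a plain set. This is an added illustration, not code from the answer, iptables or fail2ban; the parser understands only the options that appear in this rule, and the packets and set contents are constructed.

```python
import ipaddress
import shlex

# The rule from the question (iptables-save line, counters stripped).
RULE = ("-A INPUT -p tcp -m multiport --dports 443,80 "
        "-m set --match-set f2b-appname src -j REJECT --reject-with icmp-port-unreachable")

# Constructed ipset contents, as fail2ban would have populated them.
IPSETS = {"f2b-appname": {"10.50.0.68"}}

def parse_rule(rule):
    """Turn one iptables-save rule into a dict of match conditions.
    Assumption: only -s, -d, -p, --dports, --match-set and -j are handled.
    A missing -s or -d is recorded as 0.0.0.0/0, which is what iptables stores."""
    tok = shlex.split(rule)
    spec = {"src": ipaddress.ip_network("0.0.0.0/0"), "dst": ipaddress.ip_network("0.0.0.0/0"),
            "proto": None, "dports": None, "set": None, "target": None}
    i = 0
    while i < len(tok):
        t = tok[i]
        if t == "-s":           spec["src"] = ipaddress.ip_network(tok[i + 1]); i += 2
        elif t == "-d":         spec["dst"] = ipaddress.ip_network(tok[i + 1]); i += 2
        elif t == "-p":         spec["proto"] = tok[i + 1]; i += 2
        elif t == "--dports":   spec["dports"] = {int(p) for p in tok[i + 1].split(",")}; i += 2
        elif t == "--match-set": spec["set"] = (tok[i + 1], tok[i + 2]); i += 3
        elif t == "-j":         spec["target"] = tok[i + 1]; i += 2
        else:                   i += 1           # -A INPUT, -m ..., --reject-with ...
    return spec

def evaluate(spec, pkt, ipsets):
    """Return the target if every match holds (matches are ANDed), otherwise
    None, meaning 'fall through to the next rule'. pkt = (src, dst, proto, dport)."""
    src, dst, proto, dport = pkt
    set_name, flag = spec["set"] if spec["set"] else (None, None)
    checks = [
        ipaddress.ip_address(src) in spec["src"],        # always true for 0.0.0.0/0
        ipaddress.ip_address(dst) in spec["dst"],        # always true for 0.0.0.0/0
        spec["proto"] is None or proto == spec["proto"],
        spec["dports"] is None or dport in spec["dports"],
        set_name is None or (src if flag == "src" else dst) in ipsets[set_name],
    ]
    return spec["target"] if all(checks) else None

def decide(pkt, rule=RULE, ipsets=IPSETS):
    return evaluate(parse_rule(rule), pkt, ipsets)
```

Adding an explicit -s 0.0.0.0/0 to the rule string changes nothing about the decisions, which is exactly why iptables -L prints anywhere there: the discriminating condition is the set lookup, not the source column.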