主页 / server / 问题 / 891664
Accepted
Matthieu Ducorps
Asked: 2018-01-11 17:40:25 +0800 CST

了解fail2ban机制

  • 772
  • 阿帕奇 2.4

  • Fail2ban 0.9.6

    本地监狱

[with_ip_only]
Maxretry = 3
Findtime = 600
Bantime= 60000
Banaction = iptables-allports

我让这个人 [46.xxx] 扫描我的服务器,我想知道为什么 fail2ban 报告最近 3 次已经禁止

阿帕奇日志 

   91.196.50.33 - - [10/Jan/2018:01:09:57 +0100] "GET http://testp3.pospr.waw.pl/testproxy.php HTTP/1.1" 302 508 "-" "Mozilla/5.0 (Windows NT 5.1; rv:32.0) Gecko/20100101 Firefox/31.0"
   141.8.132.40 - - [10/Jan/2018:01:40:05 +0100] "GET /robots.txt HTTP/1.1" 302 572 "-" "Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots)"
   141.8.132.19 - - [10/Jan/2018:01:40:09 +0100] "GET / HTTP/1.1" 302 572 "-" "Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots)"
   5.188.87.7 - - [10/Jan/2018:01:49:50 +0100] "GET / HTTP/1.0" 302 528 "-" "Mozilla/5.0"
   91.194.91.20 - - [10/Jan/2018:02:10:46 +0100] "GET /.well-known/pki-validation/3DAD39418D3F24D0A6FF8D853123CD9A.txt HTTP/1.1" 404 507 "-" "COMODO DCV"
   209.126.136.4 - - [10/Jan/2018:05:15:06 +0100] "GET / HTTP/1.1" 302 501 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36"
   46.234.217.87 - - [10/Jan/2018:07:00:09 +0100] "HEAD http://m.y.i.p:80/mysql/admin/ HTTP/1.1" 302 239 "-" "Mozilla/5.0 Jorgee"
   46.234.217.87 - - [10/Jan/2018:07:00:10 +0100] "HEAD http://m.y.i.p:80/mysql/dbadmin/ HTTP/1.1" 302 238 "-" "Mozilla/5.0 Jorgee"
   46.234.217.87 - - [10/Jan/2018:07:00:10 +0100] "HEAD http://m.y.i.p:80/mysql/sqlmanager/ HTTP/1.1" 302 238 "-" "Mozilla/5.0 Jorgee"
   46.234.217.87 - - [10/Jan/2018:07:00:10 +0100] "HEAD http://m.y.i.p:80/mysql/mysqlmanager/ HTTP/1.1" 302 238 "-" "Mozilla/5.0 Jorgee"
   46.234.217.87 - - [10/Jan/2018:07:00:10 +0100] "HEAD http://m.y.i.p:80/phpmyadmin/ HTTP/1.1" 302 238 "-" "Mozilla/5.0 Jorgee"
   46.234.217.87 - - [10/Jan/2018:07:00:10 +0100] "HEAD http://m.y.i.p:80/phpMyadmin/ HTTP/1.1" 302 238 "-" "Mozilla/5.0 Jorgee"
   46.234.217.87 - - [10/Jan/2018:07:00:10 +0100] "HEAD http://m.y.i.p:80/phpMyAdmin/ HTTP/1.1" 302 238 "-" "Mozilla/5.0 Jorgee"
   46.234.217.87 - - [10/Jan/2018:07:00:10 +0100] "HEAD http://m.y.i.p:80/phpmyAdmin/ HTTP/1.1" 302 238 "-" "Mozilla/5.0 Jorgee"
   46.234.217.87 - - [10/Jan/2018:07:00:10 +0100] "HEAD http://m.y.i.p:80/phpmyadmin2/ HTTP/1.1" 302 238 "-" "Mozilla/5.0 Jorgee"
   46.234.217.87 - - [10/Jan/2018:07:00:11 +0100] "HEAD http://m.y.i.p:80/phpmyadmin3/ HTTP/1.1" 302 238 "-" "Mozilla/5.0 Jorgee"
   46.234.217.87 - - [10/Jan/2018:07:00:11 +0100] "HEAD http://m.y.i.p:80/phpmyadmin4/ HTTP/1.1" 302 238 "-" "Mozilla/5.0 Jorgee"
   46.234.217.87 - - [10/Jan/2018:07:00:11 +0100] "HEAD http://m.y.i.p:80/2phpmyadmin/ HTTP/1.1" 302 238 "-" "Mozilla/5.0 Jorgee"
   52.41.211.72 - - [10/Jan/2018:07:21:08 +0100] "GET / HTTP/1.1" 302 522 "http://www.google.com/search?hl=fr&q=dictionary+english" "Magic Browser"
   192.95.50.93 - - [10/Jan/2018:08:17:16 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 0 "-" "-"

Fail2ban 日志

2018-01-10 07:00:09,900 fail2ban.filter         [5138]: INFO    [with_ip_only] Found 46.234.217.87
2018-01-10 07:00:10,109 fail2ban.filter         [5138]: INFO    [with_ip_only] Found 46.234.217.87
2018-01-10 07:00:10,513 fail2ban.filter         [5138]: INFO    [with_ip_only] Found 46.234.217.87
2018-01-10 07:00:10,585 fail2ban.filter         [5138]: INFO    [with_ip_only] Found 46.234.217.87
2018-01-10 07:00:10,688 fail2ban.filter         [5138]: INFO    [with_ip_only] Found 46.234.217.87
2018-01-10 07:00:10,755 fail2ban.filter         [5138]: INFO    [with_ip_only] Found 46.234.217.87
2018-01-10 07:00:10,820 fail2ban.filter         [5138]: INFO    [with_ip_only] Found 46.234.217.87
2018-01-10 07:00:10,883 fail2ban.filter         [5138]: INFO    [with_ip_only] Found 46.234.217.87
2018-01-10 07:00:10,966 fail2ban.filter         [5138]: INFO    [with_ip_only] Found 46.234.217.87
2018-01-10 07:00:11,005 fail2ban.actions        [5138]: NOTICE  [with_ip_only] Ban 46.234.217.87
2018-01-10 07:00:11,012 fail2ban.filter         [5138]: INFO    [f2b-loop1] Found 46.234.217.87
2018-01-10 07:00:11,014 fail2ban.filter         [5138]: INFO    [f2b-loop2] Found 46.234.217.87
2018-01-10 07:00:11,023 fail2ban.filter         [5138]: INFO    [with_ip_only] Found 46.234.217.87
2018-01-10 07:00:11,086 fail2ban.filter         [5138]: INFO    [with_ip_only] Found 46.234.217.87
2018-01-10 07:00:11,169 fail2ban.filter         [5138]: INFO    [with_ip_only] Found 46.234.217.87
2018-01-10 07:00:11,333 fail2ban.actions        [5138]: NOTICE  [with_ip_only] 46.234.217.87 already banned
2018-01-10 07:00:12,337 fail2ban.actions        [5138]: NOTICE  [with_ip_only] 46.234.217.87 already banned
2018-01-10 07:00:13,339 fail2ban.actions        [5138]: NOTICE  [with_ip_only] 46.234.217.87 already banned

我的猜测是:

  • 时间太短,无法创建 iptables 规则并拒绝此 ip。
  • 所有这些请求都驻留在同一个 tcp 会话中,因此即使创建了 iptables 规则,已经打开的 tcp 会话也不会被 iptables 剪切(拒绝)
  • 还要别的吗 ?

感谢您的任何意见。马思

apache-2.4

1 个回答

  1. Best Answer

    来自 Fail2ban 团队:

    如果它们在禁止后短时间内发生,您可以忽略该消息already banned,因为过滤器仍然可以捕获在 IP 被禁止之前在 LOG 文件中生成的故障(尚未应用 iptables 条目);
    v.0.9 的延迟相对较大(最多几秒),例如在 v.0.10 中您应该很少看到它。

    但是,如果您稍后会再次收到此消息(例如在被禁止后几分钟),则说明您的操作配置中有问题(IP 并未真正被禁止并且可以再次连接)。

    资料来源:使用 iptables 了解 fail2ban 机制

    • 0

相关问题