3un*_*d80 (score 20) · tags: postfix, iptables, fail2ban
I have Fail2Ban running on my CentOS server (configuration below).
In my /var/log/messages I noticed something very strange:
Jun 19 12:09:32 localhost fail2ban.actions: INFO [postfix] 114.43.245.205 already banned
I have configured Fail2Ban to add banned IPs to iptables.
My jail.conf:
[postfix]
enabled = true
filter = postfix
action = iptables
port = smtp,ssmtp
logpath = /var/log/maillog
bantime = 43200
maxretry = 2
My postfix.conf:
[INCLUDES]
before = common.conf
[Definition]
failregex = reject: RCPT from (.*)\[<HOST>\]: 550 5.1.1
            reject: RCPT from (.*)\[<HOST>\]: 450 4.7.1
            reject: RCPT from (.*)\[<HOST>\]: 554 5.7.1
            reject: RCPT from (.*)\[<HOST>\]: (.*)@yahoo.com.tw
ignoreregex =
My question is: how can someone who is already blocked in iptables still connect to the server?
小智 (score 15)
The recidive jail recommended in another answer here did not solve this for me. I did eventually fix it, though, so here is my approach in case it helps someone else.
By default, Fail2ban only blocks TCP. At least in my setup, I noticed the "already banned" messages appearing when bots came back and tried the blocked port over UDP.
To fix this, tell Fail2ban to block the port for all protocols, not just TCP. You need to make this change in /etc/fail2ban/jail.conf and in the [Init] section of every action you use from /etc/fail2ban/action.d/.
Change this:
# Default protocol
protocol = tcp
to:
# Default protocol
protocol = all
Next, I disabled ICMP echo requests so that blocked IPs cannot reach the server:
Add these two lines:
net.ipv4.icmp_echo_ignore_all = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
After that, run fail2ban-client reload and you should no longer see these "already banned" messages, unless you are being spammed by an IP that made several access attempts before the block took effect.
It is also important to use the action iptables-allports in every jail, so that all ports are blocked for each offender rather than only the port they were trying to access. Otherwise they may trigger another jail and end up showing as "already banned" in the log.
小智 (score 5)
If you run your application in Docker containers but fail2ban on the host, you may run into this problem: https://github.com/fail2ban/fail2ban/issues/2292
Borrowing the workaround from there, this can probably be solved by configuring the following line in the jail:
[YOUR-JAIL-NAME]
chain = DOCKER-USER
...
Or, for Kubernetes:
chain = KUBE-FIREWALL
For more information, see: https://github.com/fail2ban/fail2ban/issues/2292#issuecomment-593216779
In some cases, another option may be to use host networking instead of Docker networking, see: https://docs.docker.com/network/host/
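The two answers above describe the same failure from two sides: a ban that only covers one protocol and a couple of ports (the first answer), and a ban whose jump sits in INPUT while the container's traffic is forwarded through DOCKER-USER (the second). The following diagnostic is an added example written for this page, not code from the fail2ban project or from either answer. It reads an iptables-save dump and reports, for one IP, which fail2ban chains reject it and what the jump into each chain matches on. Both dumps are constructed, and the chain names use the page's older fail2ban- prefix (current releases use f2b-).

```shell
#!/bin/sh
# Added example (not from the fail2ban project or the answers above): show how far a
# fail2ban ban actually reaches, using only an iptables-save dump.

# Constructed iptables-save excerpt, not captured from a real host:
#  - fail2ban-postfix is hooked into INPUT with the default action's
#    "protocol = tcp" and "port = smtp,ssmtp" (TCP 25 and 465)
#  - fail2ban-sshd uses iptables-allports with protocol = all, so its jump
#    carries neither -p nor --dports
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:DOCKER-USER - [0:0]
:fail2ban-postfix - [0:0]
:fail2ban-sshd - [0:0]
-A INPUT -p tcp -m multiport --dports 25,465 -j fail2ban-postfix
-A INPUT -j fail2ban-sshd
-A FORWARD -j DOCKER-USER
-A DOCKER-USER -j RETURN
-A fail2ban-postfix -s 114.43.245.205/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-postfix -j RETURN
-A fail2ban-sshd -s 203.0.113.7/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-sshd -j RETURN
COMMIT'

# Same host after setting "chain = DOCKER-USER" on the postfix jail, as the second
# answer suggests when Postfix runs in a container (also constructed).
SAMPLE_RULES_DOCKER='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:DOCKER-USER - [0:0]
:fail2ban-postfix - [0:0]
-A FORWARD -j DOCKER-USER
-A DOCKER-USER -p tcp -m multiport --dports 25,465 -j fail2ban-postfix
-A DOCKER-USER -j RETURN
-A fail2ban-postfix -s 114.43.245.205/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-postfix -j RETURN
COMMIT'

# ban_coverage RULES IP
# Prints one line per fail2ban chain that rejects IP:
#   <chain> parent=<chain holding the jump> proto=<tcp|udp|any> ports=<list|all>
# "proto=tcp ports=25,465" means the IP is only blocked on those two TCP ports, so
# UDP, ICMP and every other port still get through; "parent=INPUT" means traffic
# forwarded to a container never passes the ban at all.
ban_coverage() {
    printf '%s\n' "$1" | awk -v ip="$2" '
        # a jump into a fail2ban chain: remember where it lives and what it matches
        /^-A / && /-j fail2ban-/ {
            parent = $2; proto = "any"; ports = "all"
            for (i = 3; i <= NF; i++) {
                if ($i == "-p")                          proto = $(i + 1)
                if ($i == "--dports" || $i == "--dport") ports = $(i + 1)
                if ($i == "-j")                          chain = $(i + 1)
            }
            jparent[chain] = parent; jproto[chain] = proto; jports[chain] = ports
        }
        # a ban rule for our IP inside a fail2ban chain
        /^-A fail2ban-/ && index($0, "-s " ip "/32 ") > 0 && /-j (REJECT|DROP)/ {
            if (!($2 in seen)) { seen[$2] = 1; order[++n] = $2 }
        }
        END {
            for (k = 1; k <= n; k++) {
                c = order[k]
                if (c in jparent) { p = jparent[c]; pr = jproto[c]; po = jports[c] }
                else              { p = "NONE"; pr = "n/a"; po = "n/a" }   # nothing jumps here
                printf "%s parent=%s proto=%s ports=%s\n", c, p, pr, po
            }
            if (n == 0) print "not banned in any fail2ban chain"
        }'
}

# Stand-alone run: the postfix ban only covers TCP 25/465 and only in INPUT,
# the sshd ban covers everything, and the Docker variant moves the jump.
ban_coverage "$SAMPLE_RULES" 114.43.245.205
ban_coverage "$SAMPLE_RULES" 203.0.113.7
ban_coverage "$SAMPLE_RULES_DOCKER" 114.43.245.205
```

On a real host, feed it `iptables-save` (run as root) instead of the constructed strings; the first answer's `protocol = all` plus `iptables-allports` is what turns a `proto=tcp ports=25,465` line into `proto=any ports=all`.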
If you look at the output of iptables-save, you will see that the fail2ban chains have been set up so that packets are evaluated against the rules defined by the filters, e.g.:
:fail2ban-ssh - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A fail2ban-ssh -j RETURN
Traffic still reaches the server before the other routing rules are applied and the traffic is rejected. fail2ban still sees this initial traffic, which is why you see the "already banned" messages. There is also a special filter for repeat offenders (/etc/fail2ban/filter.d/recidive.conf):
# Fail2Ban filter for repeat bans
#
# This filter monitors the fail2ban log file, and enables you to add long
# time bans for ip addresses that get banned by fail2ban multiple times.
#
# Reasons to use this: block very persistent attackers for a longer time,
# stop receiving email notifications about the same attacker over and
# over again.
#
# This jail is only useful if you set the 'findtime' and 'bantime' parameters
# in jail.conf to a higher value than the other jails. Also, this jail has its
# drawbacks, namely in that it works only with iptables, or if you use a
# different blocking mechanism for this jail versus others (e.g. hostsdeny
# for most jails, and shorewall for this one).
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf
[Definition]
_daemon = fail2ban\.server\.actions
# The name of the jail that this filter is used for. In jail.conf, name the
# jail using this filter 'recidive', or change this line!
_jailname = recidive
failregex = ^(%(__prefix_line)s| %(_daemon)s%(__pid_re)s?:\s+)WARNING\s+\[(?!%(_jailname)s\])(?:.*)\]\s+Ban\s+<HOST>\s*$
[Init]
journalmatch = _SYSTEMD_UNIT=fail2ban.service PRIORITY=4
# Author: Tom Hendrikx, modifications by Amir Caspi
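To make the recidive mechanism concrete, here is an added example (not from the fail2ban project or the answer above) that applies the same logic as the filter listed above to a few constructed fail2ban log lines: count "Ban <HOST>" events from every jail except recidive itself and report the IPs that reached maxretry. The sample lines use the older `fail2ban.actions: WARNING [jail] Ban IP` format that this filter's regex expects; fail2ban's findtime window is deliberately not modelled, so the count runs over the whole sample.

```shell
#!/bin/sh
# Added example: recidive-style detection over a constructed fail2ban log.
# Not code from the fail2ban project; the log lines below are made up and follow
# the older "WARNING [jail] Ban IP" format matched by the page's recidive.conf.

SAMPLE_F2B_LOG='2014-06-19 12:01:02,123 fail2ban.actions: WARNING [postfix] Ban 114.43.245.205
2014-06-19 12:03:10,456 fail2ban.actions: WARNING [sshd] Ban 114.43.245.205
2014-06-19 12:05:20,789 fail2ban.actions: WARNING [postfix] Ban 203.0.113.7
2014-06-19 12:06:00,000 fail2ban.actions: WARNING [recidive] Ban 114.43.245.205
2014-06-19 12:09:32,000 fail2ban.actions: INFO    [postfix] 114.43.245.205 already banned
2014-06-19 12:11:45,000 fail2ban.actions: WARNING [postfix] Unban 203.0.113.7
2014-06-19 12:15:00,000 fail2ban.actions: WARNING [sshd] Ban 198.51.100.9'

# recidive_candidates LOG MAXRETRY
# Mirrors the filter's failregex plus the jail's maxretry: only "WARNING [jail] Ban IP"
# lines count, bans issued by the recidive jail itself are skipped (the (?!recidive\])
# lookahead in the filter), "already banned" and "Unban" lines are ignored, and an IP
# is printed the first time its ban count reaches MAXRETRY. findtime is not modelled.
recidive_candidates() {
    printf '%s\n' "$1" | awk -v max="$2" '
        /WARNING +\[[^]]+\] +Ban +[0-9.]+ *$/ {
            jail = $0; sub(/.*\[/, "", jail); sub(/\].*/, "", jail)
            if (jail == "recidive") next
            ip = $NF
            if (++bans[ip] == max) hits[++n] = ip
        }
        END { for (k = 1; k <= n; k++) print hits[k] }'
}

# Stand-alone run with maxretry = 2: only 114.43.245.205 was banned by two
# different jails; its recidive ban is not counted against it.
recidive_candidates "$SAMPLE_F2B_LOG" 2
```

Run it against a real /var/log/fail2ban.log to see which addresses a recidive jail with the given maxretry would have caught; as the filter's header notes, the jail only helps if its findtime and bantime are larger than those of the other jails, and it should use an all-ports action so that the repeat offender is cut off everywhere rather than on one service.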
Views: 20857