Did*_*ier 5 ipv6 fail2ban nftables
编辑:按照 Marco 的建议补充了更多 .conf 文件的内容,并稍微调整了措辞
我正在运行Fail2ban v0.10,它应该支持 IPv6。
我已经根据这些说明设置了带有 nftables 的 Fail2ban,但我对 nftables 使用了 'inet' 系列而不是 ip 系列,因为我想允许 IPv6 流量到我的服务器。
服务器可以通过 IPv6 访问,而且就我所见,我的防火墙(nftables)配置正确(见下面的 'table inet filter' 部分)。
然而,'table inet fail2ban' 这一部分正是我发帖的原因:在我看来,Fail2ban 只读取 IPv4 的日志条目,并且只封禁违规的 IPv4 主机。
我读对了吗?如果是这样,有谁知道我如何使 Fail2ban 也能处理 IPv6 流量?我知道 Fail2ban v0.10 更新日志指出,并非所有禁令行动都支持 IPv6,但我似乎找不到列表。
也欢迎提供指向我可以找到信息的链接,因为我自己似乎无法找到。
我只包含了 recidive jail 的配置,因为我认为如果能让这个 jail 处理 IPv6,就可以对其他 jail 做同样的事情;如果这个假设有误,请告诉我 :)
我的 nftables 规则集:
# Main firewall table as dumped by `nft list ruleset`. Family inet, so these rules
# see both IPv4 and IPv6 packets.
table inet filter {
# Base chain on the input hook at priority 0. It runs before the fail2ban INPUT
# chain (priority 100) on the same hook; an `accept` here is not final, the packet
# is still evaluated by that later chain.
chain input {
type filter hook input priority 0; policy accept;
# Established flows and related traffic (e.g. ICMP errors for them).
ct state { related, established} accept
ct state invalid drop
# Loopback.
iifname "lo" accept
# ICMP for IPv4 and ICMPv6 for IPv6 (ICMPv6 is needed for neighbour discovery).
ip protocol icmp accept
ip6 nexthdr ipv6-icmp accept
# Services exposed to the world.
tcp dport ssh accept
tcp dport http accept
tcp dport https accept
# Everything not accepted above: log at most 5/minute (burst 5), then drop.
# The counter sits after the limit, so it only counts packets that were logged.
limit rate 5/minute burst 5 packets counter packets 972 bytes 56710 log prefix " denied: " level debug
drop
}
# This host does not route; forwarded packets are dropped unconditionally.
chain forward {
type filter hook forward priority 0; policy accept;
drop
}
# Outbound traffic is unrestricted.
chain output {
type filter hook output priority 0; policy accept;
accept
}
}
# Table populated by the fail2ban nftables action (same `nft list ruleset` dump).
table inet fail2ban {
# One set per jail. `type ipv4_addr` can hold IPv4 addresses only: an IPv6 address
# cannot be added to any of these sets, so no IPv6 ban can land here. An IPv6 ban
# would need a set of `type ipv6_addr` that is matched with `ip6 saddr` rather than
# `ip saddr`. Presumably the action created the sets with its default (IPv4) type;
# which action setting controls that depends on the installed nftables-common.conf
# and should be checked there.
set f2b-sshd {
type ipv4_addr
}
set f2b-nginx-botsearch {
type ipv4_addr
}
set f2b-recidive {
type ipv4_addr
}
# Priority 100: evaluated after `filter input` (priority 0), so a connection that
# chain accepted is still dropped here when its source is in a ban set.
chain INPUT {
type filter hook input priority 100; policy accept;
# From the recidive jail (banaction_allports, protocol = 0-255); nft appears to print
# the range 0-255 with protocol names, hopopt (0) to reserved (255). `ip protocol`
# and `ip saddr` are IPv4 header fields, so these rules never match IPv6 packets.
ip protocol hopopt-reserved ip saddr @f2b-recidive drop
# From the nginx-botsearch jail (port = http,https).
tcp dport { http, https} ip saddr @f2b-nginx-botsearch drop
# From the sshd jail (port = ssh).
tcp dport { ssh} ip saddr @f2b-sshd drop
}
}
/etc/nftables/fail2ban.conf
#!/usr/sbin/nft -f
# Boot-time skeleton for the fail2ban table, included from /etc/nftables.conf.
# It only creates the table and the base chain; fail2ban adds the sets and rules
# into it at runtime (see the live ruleset above).
# NOTE(review): the shebang here is /usr/sbin/nft while /etc/nftables.conf uses
# /usr/bin/nft; this only matters if the file is executed directly rather than included.
table inet fail2ban {
chain INPUT {
# No explicit policy: a base chain without one defaults to accept, which is what the
# live ruleset shows.
type filter hook input priority 100;
}
}
/etc/nftables.conf
#!/usr/bin/nft -f
# Persistent firewall definition loaded at boot; the `table inet filter` in the live
# ruleset above is the result of this file plus runtime counters.
table inet filter {
# Input hook at priority 0, ahead of the fail2ban chain at priority 100.
chain input {
type filter hook input priority 0;
ct state {established, related} accept
ct state invalid drop
iifname lo accept
# ICMP (v4) and ICMPv6; ICMPv6 must stay open for neighbour discovery to work.
ip protocol icmp accept
ip6 nexthdr icmpv6 accept
tcp dport ssh accept
tcp dport http accept
tcp dport https accept
# Rate-limited logging of rejected packets (5/minute, burst 5), then drop.
limit rate 5/minute burst 5 packets counter packets 0 bytes 0 log prefix " denied: " level debug
drop
}
# No forwarding.
chain forward {
type filter hook forward priority 0;
drop
}
# Unrestricted outbound.
chain output {
type filter hook output priority 0;
accept
}
}
# Pull in the fail2ban table/chain skeleton so it exists before fail2ban starts.
include "/etc/nftables/fail2ban.conf"
/etc/fail2ban/action.d/nftables-common.local
# Local overrides for the bundled nftables-common.conf action; only [Init] values
# are changed here, the action commands themselves come from the stock file.
[Init]
# inet family: the table can carry IPv4 and IPv6 rules, but the set type and the
# saddr match each rule uses are produced by the action, not implied by the family
# (the live ruleset above only has ipv4_addr sets and `ip saddr` matches).
nftables_family = inet
# Matches the table created by /etc/nftables/fail2ban.conf.
nftables_table = fail2ban
# Banned traffic is dropped silently (the `drop` verdicts in the live ruleset).
blocktype = drop
# NOTE(review): the prefix is cleared here, yet the live sets are still named
# f2b-<jail>; either this option is not the one that names the sets in the
# installed action file, or the override is not being picked up — verify.
nftables_set_prefix =
/etc/fail2ban/jail.local
# Local jail configuration (overrides jail.conf).
[INCLUDES]
# Arch Linux log-path definitions (sshd_log, nginx_error_log, ...).
before = paths-arch.conf
# Defaults inherited by every jail below unless the jail overrides them.
[DEFAULT]
ignorecommand =
# Ban for 1 hour after maxretry failures within findtime.
bantime = 1h
findtime = 10m
maxretry = 5
usedns = warn
logencoding = auto
# Jails are off unless they set enabled = true explicitly.
enabled = false
# Each jail's filter defaults to filter.d/<jailname>.conf.
filter = %(__name__)s
protocol = tcp
# Must match the chain name in the nftables fail2ban table (chain INPUT).
chain = INPUT
port = 0:65535
fail2ban_agent = Fail2Ban/%(fail2ban_version)s
# Ban actions: nftables for specific ports, and the all-ports variant used by recidive.
banaction = nftables-multiport
banaction_allports = nftables-allports
# Composite actions (ban + mail/report variants); only %(action_)s is used below.
action_mw = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
%(mta)s-whois[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
%(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
action_xarf = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"]
action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
%(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
action_blocklist_de = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"]
action_badips = badips.py[category="%(__name__)s", banaction="%(banaction)s", agent="%(fail2ban_agent)s"]
action_badips_report = badips[category="%(__name__)s", agent="%(fail2ban_agent)s"]
action_abuseipdb = abuseipdb
# Plain ban only, no notification (action_ is defined in the stock jail.conf).
action = %(action_)s
# SSH brute-force protection; produces the f2b-sshd set / `tcp dport { ssh}` rule.
[sshd]
enabled = true
mode = normal
filter = sshd[mode=%(mode)s]
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
# Web scanners hitting nginx; produces the f2b-nginx-botsearch set on http/https.
[nginx-botsearch]
enabled = true
port = http,https
logpath = %(nginx_error_log)s
maxretry = 2
# Repeat offenders: watches fail2ban's own log for Ban lines (filter.d/recidive.conf)
# and bans the host on every protocol for a week after 3 bans within a day.
[recidive]
enabled = true
logpath = /var/log/fail2ban.log
banaction = %(banaction_allports)s
bantime = 1w
findtime = 1d
maxretry = 3
# All IP protocols; shows up in the live ruleset as `ip protocol hopopt-reserved`,
# i.e. an IPv4-only match.
protocol = 0-255
/etc/fail2ban/filter.d/recidive.conf
# Filter for the recidive jail: matches Ban lines written by fail2ban itself.
[INCLUDES]
# Provides __prefix_line, __pid_re and the other syslog-prefix building blocks.
before = common.conf
[Definition]
_daemon = fail2ban\.actions\s*
_jailname = recidive
# A NOTICE "[<jail>] Ban <HOST>" line from any jail except recidive itself (negative
# lookahead on the jail name), so recidive bans do not feed back into recidive.
# The <HOST> placeholder is expanded by fail2ban; the regex itself does not restrict
# the address family, so the IPv4-only behaviour seen in the ruleset is not caused here.
failregex = ^(%(__prefix_line)s| %(_daemon)s%(__pid_re)s?:\s+)NOTICE\s+\[(?!%(_jailname)s\])(?:.*)\]\s+Ban\s+<HOST>\s*$
ignoreregex =
[Init]
# Journal selector used when the jail backend is systemd (priority 5 = notice).
journalmatch = _SYSTEMD_UNIT=fail2ban.service PRIORITY=5
/etc/fail2ban/filter.d/common.conf
# Shared regex fragments for syslog-style log prefixes, included by other filters.
[DEFAULT]
# Default daemon name pattern; filters override it (recidive.conf sets fail2ban\.actions).
_daemon = \S*
__pid_re = (?:\[\d+\])
__daemon_re = [\[\(]?%(_daemon)s(?:\(\S+\))?[\]\)]?:?
__daemon_extra_re = \[ID \d+ \S+\]
__daemon_combs_re = (?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:?)
__kernel_prefix = kernel: \[ *\d+\.\d+\]
__hostname = \S+
__md5hex = (?:[\da-f]{2}:){15}[\da-f]{2}
__bsd_syslog_verbose = <[^.]+\.[^.]+>
__vserver = @vserver_\S+
__date_ambit = (?:\[\])
# NOTE(review): this value ends in `$` right after the vserver group and never uses
# __daemon_combs_re / __daemon_extra_re defined above; it looks truncated compared
# with what the other definitions here are built for — compare against the stock
# common.conf shipped with the installed fail2ban package.
__prefix_line = %(__date_ambit)s?\s*(?:%(__bsd_syslog_verbose)s\s+)?(?:%(__hostname)s\s+)?(?:%(__kernel_prefix)s\s+)?(?:%(__vserver)s\s+)$
__pam_auth = pam_unix
# Date is expected at the beginning of the line.
datepattern = {^LN-BEG}