我想保护我的网络服务器免受暴力攻击(首先通过ssh).所以我安装了fail2ban.我不能让它禁止我.
这是我的/etc/fail2ban/jail.local:
[DEFAULT]
bantime = 300
findtime = 600
maxretry = 4
backend = auto
usedns = warn
destemail = moj.adres@gmail.com
banaction = iptables-multiport
mta = sendmail
protocol = tcp
chain = INPUT
(...)
action = %(action_mw)s
(...)
[ssh]
enabled = true
port = anyport
filter = sshd
logpath = /var/log/auth.log
maxretry = 4
只启用了ssh,我没有更改任何省略的内容.
根据这种配置,我应该在4次登录尝试失败后被禁止300秒.我被允许6但没有禁令./var/log/auth.log看起来很不错.这是显示我的6次登录失败的片段:
Jul 8 09:51:09 nazwaserwera sshd[1798]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=abod34.neoplus.adsl.tpnet.pl user=my-admin
Jul 8 09:51:10 nazwaserwera sshd[1798]: Failed password for my-admin from 83.8.19.34 port 56451 ssh2
Jul 8 09:51:27 nazwaserwera sshd[1798]: message repeated 5 times: [ Failed password for my-admin from 83.8.19.34 port 56451 ssh2]
Jul 8 09:51:27 nazwaserwera sshd[1798]: Disconnecting: Too many authentication failures for my-admin [preauth]
Jul 8 09:51:27 nazwaserwera sshd[1798]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=abod34.neoplus.adsl.tpnet.pl user=my-admin
这是sudo iptables -L输出:
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain fail2ban-ssh (0 references)
target prot opt source destination
RETURN all -- anywhere anywhere
在这里重新启动fail2ban后,在/var/log/fail2ban.log中写了什么:
2014-07-08 11:26:12,538 fail2ban.server : INFO Stopping all jails
2014-07-08 11:26:13,141 fail2ban.jail : INFO Jail 'ssh' stopped
2014-07-08 11:26:13,142 fail2ban.server : INFO Exiting Fail2ban
2014-07-08 11:26:16,825 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.11
2014-07-08 11:26:16,826 fail2ban.jail : INFO Creating new jail 'ssh'
2014-07-08 11:26:17,024 fail2ban.jail : INFO Jail 'ssh' uses pyinotify
2014-07-08 11:26:17,141 fail2ban.jail : INFO Initiated 'pyinotify' backend
2014-07-08 11:26:17,142 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2014-07-08 11:26:17,144 fail2ban.filter : INFO Set maxRetry = 4
2014-07-08 11:26:17,145 fail2ban.filter : INFO Set findtime = 600
2014-07-08 11:26:17,145 fail2ban.actions: INFO Set banTime = 300
2014-07-08 11:26:17,438 fail2ban.jail : INFO Jail 'ssh' started
2014-07-08 11:26:17,619 fail2ban.actions.action: ERROR iptables -N fail2ban-ssh
iptables -A fail2ban-ssh -j RETURN
iptables -I INPUT -p tcp -m multiport --dports anyport -j fail2ban-ssh returned 200
这里有一些相关的东西:
我使用非标准端口进行ssh连接:
港口4444
在/ etc/ssh/sshd_conf中设置
我记得在更改配置文件后重启服务(fail2ban,ssh)
我收到来自fail2ban的电子邮件,但只告诉我它已启动或停止
我在谷歌搜索过一个解决方案,但找不到合适的解决方案.任何帮助,将不胜感激.
Krz*_*ski 11
解决了!
根据我在jail.local中的配置
maxretry = 4
fail2ban应该在auth.log文件中搜索5行(1 + 4),其中包含每个登录尝试失败的警报.但是仔细观察我的auth.log,我注意到我得到的最大值是2.这里记录了6次失败的登录尝试:
Jul 8 09:51:10 nazwaserwera sshd[1798]: Failed password for my-admin from 83.8.19.34 port 56451 ssh2
Jul 8 09:51:27 nazwaserwera sshd[1798]: message repeated 5 times: [ Failed password for my-admin from 83.8.19.34 port 56451 ssh2]
你可以看到而不是6行我只得到两行,第二行说"消息重复5次".
解决方案非常简单:我刚刚在/etc/rsyslog.conf中将RepeatedMsgReduction从on更改为off.然后重新启动rsyslog和fail2ban.
| 归档时间: |
|
| 查看次数: |
3936 次 |
| 最近记录: |