我有一台在 VPS 上运行的 Debian 10 服务器。我安装的唯一软件是:tinyproxy(http代理)和fail2ban
我已经包含了使用 ss 进行端口扫描的结果
我已将我的具体设置包含在fail2ban jam.local 文件中。
我在下面包含了fail2ban 日志和auth 日志的完整示例。
我不明白fail2ban 是否起作用,即根据fail2ban 所做的IP 表中的条目导致IP 被阻止。
例如:
auth.log 显示了 103.226.138.245 的大量条目,我不明白为什么。
我认为基于 IP 被阻止,恶意用户将无法尝试登录。然而,这些用户似乎确实能够尝试登录。
我的问题:
2024-01-23 10:54:06,466 fail2ban.filter [29045]: INFO [sshd] Found 139.59.92.218 - 2024-01-23 10:54:06
2024-01-23 10:54:06,467 fail2ban.filter [29045]: INFO [sshd] Found 139.59.92.218 - 2024-01-23 10:54:06
2024-01-23 10:54:06,504 fail2ban.actions [29045]: WARNING [sshd] 139.59.92.218 already banned
2024-01-23 10:54:07,171 fail2ban.filter [29045]: INFO [sshd] Found 103.226.138.245 - 2024-01-23 10:54:07
2024-01-23 10:54:07,172 fail2ban.filter [29045]: INFO [sshd] Found 103.226.138.245 - 2024-01-23 10:54:07
2024-01-23 10:54:07,907 fail2ban.actions [29045]: WARNING [sshd] 103.226.138.245 already banned
2024-01-23 10:54:08,079 fail2ban.filter [29045]: INFO [sshd] Found 139.59.92.218 - 2024-01-23 10:54:08
2024-01-23 10:54:08,154 fail2ban.filter [29045]: INFO [sshd] Found 103.226.138.245 - 2024-01-23 10:54:08
2024-01-23 10:54:13,469 fail2ban.filter [29045]: INFO [sshd] Found 130.61.35.0 - 2024-01-23 10:54:13
2024-01-23 10:54:13,471 fail2ban.filter [29045]: INFO [sshd] Found 130.61.35.0 - 2024-01-23 10:54:13
2024-01-23 10:54:13,917 fail2ban.actions [29045]: WARNING [sshd] 130.61.35.0 already banned
2024-01-23 10:54:15,077 fail2ban.filter [29045]: INFO [sshd] Found 130.61.35.0 - 2024-01-23 10:54:14
2024-01-23 10:54:15,079 fail2ban.filter [29045]: INFO [sshd] Found 159.89.94.43 - 2024-01-23 10:54:15
2024-01-23 10:54:16,685 fail2ban.filter [29045]: INFO [sshd] Found 206.189.229.70 - 2024-01-23 10:54:16
2024-01-23 10:54:16,686 fail2ban.filter [29045]: INFO [sshd] Found 206.189.229.70 - 2024-01-23 10:54:16
2024-01-23 10:54:16,687 fail2ban.filter [29045]: INFO [sshd] Found 159.89.94.43 - 2024-01-23 10:54:16
2024-01-23 10:54:17,123 fail2ban.actions [29045]: WARNING [sshd] 206.189.229.70 already banned
2024-01-23 10:54:17,123 fail2ban.actions [29045]: WARNING [sshd] 159.89.94.43 already banned
2024-01-23 10:54:18,764 fail2ban.filter [29045]: INFO [sshd] Found 206.189.229.70 - 2024-01-23 10:54:18
2024-01-23 10:54:18,765 fail2ban.filter [29045]: INFO [sshd] Found 103.86.180.10 - 2024-01-23 10:54:18
2024-01-23 10:54:18,766 fail2ban.filter [29045]: INFO [sshd] Found 103.86.180.10 - 2024-01-23 10:54:18
2024-01-23 10:54:19,127 fail2ban.actions [29045]: WARNING [sshd] 103.86.180.10 already banned
2024-01-23 10:54:20,658 fail2ban.filter [29045]: INFO [sshd] Found 103.86.180.10 - 2024-01-23 10:54:20
2024-01-23 10:54:24,981 fail2ban.filter [29045]: INFO [sshd] Found 34.84.82.194 - 2024-01-23 10:54:24
2024-01-23 10:54:24,983 fail2ban.filter [29045]: INFO [sshd] Found 34.84.82.194 - 2024-01-23 10:54:24
2024-01-23 10:54:25,136 fail2ban.actions [29045]: WARNING [sshd] 34.84.82.194 already banned
Run Code Online (Sandbox Code Playgroud)
Jan 23 10:54:06 racknerd-64d010 sshd[11576]: Invalid user wangyongxin from 139.59.92.218 port 33490
Jan 23 10:54:06 racknerd-64d010 sshd[11576]: pam_unix(sshd:auth): check pass; user unknown
Jan 23 10:54:06 racknerd-64d010 sshd[11576]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=139.59.92.218
Jan 23 10:54:07 racknerd-64d010 sshd[11583]: Invalid user sunaz from 103.226.138.245 port 51052
Jan 23 10:54:07 racknerd-64d010 sshd[11583]: pam_unix(sshd:auth): check pass; user unknown
Jan 23 10:54:07 racknerd-64d010 sshd[11583]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.226.138.245
Jan 23 10:54:08 racknerd-64d010 sshd[11576]: Failed password for invalid user wangyongxin from 139.59.92.218 port 33490 ssh2
Jan 23 10:54:08 racknerd-64d010 sshd[11583]: Failed password for invalid user sunaz from 103.226.138.245 port 51052 ssh2
Jan 23 10:54:08 racknerd-64d010 sshd[11576]: Received disconnect from 139.59.92.218 port 33490:11: Bye Bye [preauth]
Jan 23 10:54:08 racknerd-64d010 sshd[11576]: Disconnected from invalid user wangyongxin 139.59.92.218 port 33490 [preauth]
Jan 23 10:54:08 racknerd-64d010 sshd[11583]: Received disconnect from 103.226.138.245 port 51052:11: Bye Bye [preauth]
Jan 23 10:54:08 racknerd-64d010 sshd[11583]: Disconnected from invalid user sunaz 103.226.138.245 port 51052 [preauth]
Jan 23 10:54:13 racknerd-64d010 sshd[11586]: Invalid user tosi from 130.61.35.0 port 57576
Jan 23 10:54:13 racknerd-64d010 sshd[11586]: pam_unix(sshd:auth): check pass; user unknown
Jan 23 10:54:13 racknerd-64d010 sshd[11586]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=130.61.35.0
Jan 23 10:54:14 racknerd-64d010 sshd[11586]: Failed password for invalid user tosi from 130.61.35.0 port 57576 ssh2
Jan 23 10:54:14 racknerd-64d010 sshd[11586]: Received disconnect from 130.61.35.0 port 57576:11: Bye Bye [preauth]
Jan 23 10:54:14 racknerd-64d010 sshd[11586]: Disconnected from invalid user tosi 130.61.35.0 port 57576 [preauth]
Jan 23 10:54:15 racknerd-64d010 sshd[11588]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=159.89.94.43 user=root
Jan 23 10:54:16 racknerd-64d010 sshd[11590]: Invalid user es_user from 206.189.229.70 port 37586
Jan 23 10:54:16 racknerd-64d010 sshd[11590]: pam_unix(sshd:auth): check pass; user unknown
Jan 23 10:54:16 racknerd-64d010 sshd[11590]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=206.189.229.70
Jan 23 10:54:16 racknerd-64d010 sshd[11588]: Failed password for root from 159.89.94.43 port 60092 ssh2
Jan 23 10:54:17 racknerd-64d010 sshd[11588]: Received disconnect from 159.89.94.43 port 60092:11: Bye Bye [preauth]
Jan 23 10:54:17 racknerd-64d010 sshd[11588]: Disconnected from authenticating user root 159.89.94.43 port 60092 [preauth]
Jan 23 10:54:18 racknerd-64d010 sshd[11590]: Failed password for invalid user es_user from 206.189.229.70 port 37586 ssh2
Jan 23 10:54:18 racknerd-64d010 sshd[11592]: Invalid user mrmomeni from 103.86.180.10 port 37374
Jan 23 10:54:18 racknerd-64d010 sshd[11592]: pam_unix(sshd:auth): check pass; user unknown
Jan 23 10:54:18 racknerd-64d010 sshd[11592]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.86.180.10
Jan 23 10:54:20 racknerd-64d010 sshd[11590]: Received disconnect from 206.189.229.70 port 37586:11: Bye Bye [preauth]
Jan 23 10:54:20 racknerd-64d010 sshd[11590]: Disconnected from invalid user es_user 206.189.229.70 port 37586 [preauth]
Jan 23 10:54:20 racknerd-64d010 sshd[11592]: Failed password for invalid user mrmomeni from 103.86.180.10 port 37374 ssh2
Jan 23 10:54:22 racknerd-64d010 sshd[11592]: Received disconnect from 103.86.180.10 port 37374:11: Bye Bye [preauth]
Jan 23 10:54:22 racknerd-64d010 sshd[11592]: Disconnected from invalid user mrmomeni 103.86.180.10 port 37374 [preauth]
Jan 23 10:54:24 racknerd-64d010 sshd[11594]: Invalid user fan1 from 34.84.82.194 port 53972
Jan 23 10:54:24 racknerd-64d010 sshd[11594]: pam_unix(sshd:auth): check pass; user unknown
Jan 23 10:54:24 racknerd-64d010 sshd[11594]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=34.84.82.194
Jan 23 10:54:27 racknerd-64d010 sshd[11594]: Failed password for invalid user fan1 from 34.84.82.194 port 53972 ssh2
Jan 23 10:54:27 racknerd-64d010 sshd[11594]: Received disconnect from 34.84.82.194 port 53972:11: Bye Bye [preauth]
Jan 23 10:54:27 racknerd-64d010 sshd[11594]: Disconnected from invalid user fan1 34.84.82.194 port 53972 [preauth]
Jan 23 10:54:36 racknerd-64d010 sshd[11597]: Invalid user ckr from 43.135.163.185 port 48842
Jan 23 10:54:36 racknerd-64d010 sshd[11597]: pam_unix(sshd:auth): check pass; user unknown
Jan 23 10:54:36 racknerd-64d010 sshd[11597]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.135.163.185
Jan 23 10:54:38 racknerd-64d010 sshd[11597]: Failed password for invalid user ckr from 43.135.163.185 port 48842 ssh2
Jan 23 10:54:39 racknerd-64d010 sshd[11597]: Received disconnect from 43.135.163.185 port 48842:11: Bye Bye [preauth]
Jan 23 10:54:39 racknerd-64d010 sshd[11597]: Disconnected from invalid user ckr 43.135.163.185 port 48842 [preauth]
Jan 23 10:54:44 racknerd-64d010 sshd[11599]: Invalid user scuser from 43.134.92.252 port 49834
Jan 23 10:54:44 racknerd-64d010 sshd[11599]: pam_unix(sshd:auth): check pass; user unknown
Jan 23 10:54:44 racknerd-64d010 sshd[11599]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.134.92.252
Jan 23 10:54:46 racknerd-64d010 sshd[11599]: Failed password for invalid user scuser from 43.134.92.252 port 49834 ssh2
Jan 23 10:54:47 racknerd-64d010 sshd[11601]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=201.184.50.251 user=root
Jan 23 10:54:48 racknerd-64d010 sshd[11599]: Received disconnect from 43.134.92.252 port 49834:11: Bye Bye [preauth]
Jan 23 10:54:48 racknerd-64d010 sshd[11599]: Disconnected from invalid user scuser 43.134.92.252 port 49834 [preauth]
Jan 23 10:54:49 racknerd-64d010 sshd[11601]: Failed password for root from 201.184.50.251 port 39546 ssh2
Jan 23 10:54:51 racknerd-64d010 sshd[11601]: Received disconnect from 201.184.50.251 port 39546:11: Bye Bye [preauth]
Jan 23 10:54:51 racknerd-64d010 sshd[11601]: Disconnected from authenticating user root 201.184.50.251 port 39546 [preauth]
Run Code Online (Sandbox Code Playgroud)
ss -lntu 。我将 ssh 端口更改为 63xxx(隐藏):Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp LISTEN 0 5 127.0.0.1:61209 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:63xxx 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:8888 0.0.0.0:*
tcp LISTEN 0 128 [::]:63xxx [::]:*
tcp LISTEN 0 128 [::]:8888 [::]:*
Run Code Online (Sandbox Code Playgroud)
jail.local:[INCLUDES]
#before = paths-distro.conf
before = paths-debian.conf
# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.
[DEFAULT]
#
# MISCELLANEOUS OPTIONS
#
# "ignorself" specifies whether the local resp. own IP addresses should be ignored
# (default is true). Fail2ban will not ban a host which matches such addresses.
#ignorself = true
# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
# will not ban a host which matches an address in this list. Several addresses
# can be defined using space (and/or comma) separator.
ignoreip = 127.0.0.1/8 ::1 xxx.yyy.zzz.xxx
# External command that will take an tagged arguments to ignore, e.g. <ip>,
# and return true if the IP is to be ignored. False otherwise.
#
# ignorecommand = /path/to/command <ip>
ignorecommand =
# "bantime" is the number of seconds that a host is banned.
bantime = 9000000
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 7200
# "maxretry" is the number of failures before a host get banned.
maxretry = 2
Run Code Online (Sandbox Code Playgroud)
#
# JAILS
#
#
# SSH servers
#
[sshd]
# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
#mode = normal
enabled = true
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
Run Code Online (Sandbox Code Playgroud)
===来自fail2ban日志最新信息: 2024-01-23 15:36:40,421 failed2ban.filter [12663]: 信息 [sshd] 找到 159.75.146.136 - 2024-01-23 15:36:40 2024-01-23 15:36:40,422 failed2ban.filter [12663]: 信息 [sshd] 找到 159.75.146.136 - 2024-01-23 15:36:40 2024-01-23 15:36:40,574 failed2ban.actions [12663]:警告 [sshd] 159.75.146.136 已被禁止
=== 来自授权日志最新 INGO: 1 月 23 日 15:36:40racknerd-64d010 sshd[27856]:来自 159.75.146.136 端口 50302 的用户 ali 无效 1 月 23 日 15:36:40racknerd-64d010 sshd[27856]: pam_unix(sshd:auth): 检查通过;用户未知 1 月 23 日 15:36:40racknerd-64d010 sshd[27856]: pam_unix(sshd:auth): 身份验证失败;logname= uid=0 euid=0 tty=ssh ruser= rhost=159.75.146.136 1 月 23 日 15:36:42racknerd-64d010 sshd[27856]:来自 159.75.146.136 端口 50302 ssh2 的无效用户 ali 的密码失败 1 月 23 日 15:36:43racknerd-64d010 sshd[27856]:从 159.75.146.136 端口 50302:11 收到断开连接:再见 [preauth]
===来自最新 INGO 的 IP 表:
0 0 拒绝全部 -- * * 159.75.164.110 0.0.0.0/0 拒绝 icmp 端口不可达
0 0 拒绝全部 -- * * 159.75.146.136 0.0.0.0/0 拒绝 icmp 端口不可达
0 0 拒绝全部 -- * * 159.75.127.125 0.0.0.0/0 拒绝 icmp 端口不可达
roa*_*ima 14
让我们看一下一个示例条目对:
\n在sshd身份验证日志中:
\n\nRun Code Online (Sandbox Code Playgroud)\nJan 23 10:54:18 racknerd-64d010 sshd[11592]: Invalid user mrmomeni from 103.86.180.10 port 37374\nJan 23 10:54:18 racknerd-64d010 sshd[11592]: pam_unix(sshd:auth): check pass; user unknown\nJan 23 10:54:18 racknerd-64d010 sshd[11592]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.86.180.10 \n
然后在fail2ban日志中:
\n\nRun Code Online (Sandbox Code Playgroud)\n2024-01-23 10:54:18,765 fail2ban.filter [29045]: INFO [sshd] Found 103.86.180.10 - 2024-01-23 10:54:18\n
好消息是fail2ban已经发现了故障,并将其记录在数据库中。
iptables -nvL现在检查forfail2ban链的输出sshd并确认存在违规 IP 地址的条目。它可能如下所示:
iptables -nvL f2b-sshd\nChain f2b-sshd (1 references)\n pkts bytes target prot opt in out source destination\n 85 5312 REJECT 0 -- * * 103.86.180.10 0.0.0.0/0 reject-with icmp-port-unreachable\n \xe2\x80\xa6\nRun Code Online (Sandbox Code Playgroud)\n事实上,现在您已经将其添加到您的问题中,我们可以看到有条目被添加到链中fail2ban。这是拒绝入站流量的实际工作发生的地方,其余的fail2ban都是有关管理这些规则的地方(Ban会产生新规则;Unban对应于其删除)。
唯一的问题是一次性评论,“我将 ssh 端口更改为 63xxx ”。你需要告诉fail2ban你你已经做到了!
[sshd]\nenabled = true\nport = ssh,63xxx\nlogpath = %(sshd_log)s\nbackend = %(sshd_backend)s\nRun Code Online (Sandbox Code Playgroud)\nfail2ban我们可以使用如下命令确认正在禁止正确端口上的流量(如果您没有看到我所得到的任何内容multiport\xe2\x80\xa6,那么它正在考虑所有端口):
iptables -nvL INPUT | awk '!($1+0) || /f2b-/'\n\nChain INPUT (policy ACCEPT 0 packets, 0 bytes)\n pkts bytes target prot opt in out source destination\n77182 11M f2b-sshd 6 -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 22,63xxx \nRun Code Online (Sandbox Code Playgroud)\n现在让我们看看您的fail2ban.conf,它可以被覆盖fail2ban.local或 通过添加部分到fail2ban.d/:
\n\nRun Code Online (Sandbox Code Playgroud)\nbantime = 9000000\nfindtime = 7200\nmaxretry = 2\n
您已声明,如果在两小时(7200 秒)内有两个(或更多)条目针对同一服务和 IP 地址,则该 IP 地址将被禁止。您已要求将其禁止 104 天(9000000 秒),但除非您也增加了限制,否则无法满足您的要求dbpurgeage其默认值 28 天增加到至少 104 天,否则无法满足您的要求。
就我个人而言,我运行两个级别,如下所示:
\nsshbantime=86400(一天)、findtime=3600(一小时)、 (六次尝试maxretry=6)recidivebantime=2419200(四个星期)、findtime=432000(五天)、 (三次尝试maxretry=3)这将禁止一天内一小时内六次失败的ssh尝试,如果五天内有三次这样的禁令,他们将被进一步禁止四个星期。
为了让禁令能够管理这么长时间,我增加了时间dbpurgeage=2462400(四个星期零 12 小时)。
我还使用了稍微不同的规则操作,完全禁止主机,而不仅仅是针对特定端口,例如 22 或 63xxx。但那是另一天的事了。
\n