fail2ban未能禁止Ubuntu 14.04
我想保护我的web服务器免受暴力攻击(首先通过ssh)。所以我安装了fail2ban。但是我不能让它禁止我 这是我的/etc/fail2ban/jail.local:fail2ban未能禁止Ubuntu 14.04,ubuntu,ssh,Ubuntu,Ssh,我想保护我的web服务器免受暴力攻击(首先通过ssh)。所以我安装了fail2ban。但是我不能让它禁止我 这是我的/etc/fail2ban/jail.local: [DEFAULT] bantime = 300 findtime = 600 maxretry = 4 backend = auto usedns = warn destemail = moj.adres@gmail.com banaction = iptables-multiport mta = sendmail protoc
[DEFAULT]
bantime = 300
findtime = 600
maxretry = 4
backend = auto
usedns = warn
destemail = moj.adres@gmail.com
banaction = iptables-multiport
mta = sendmail
protocol = tcp
chain = INPUT
(...)
action = %(action_mw)s
(...)
[ssh]
enabled = true
port = anyport
filter = sshd
logpath = /var/log/auth.log
maxretry = 4
只启用了ssh,我没有更改任何省略的内容
根据这个配置,我应该在4次登录失败后被禁止300秒。但是我被允许6岁,而且没有禁令。/var/log/auth.log看起来很好。下面是显示我6次登录失败的片段:
Jul 8 09:51:09 nazwaserwera sshd[1798]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=abod34.neoplus.adsl.tpnet.pl user=my-admin
Jul 8 09:51:10 nazwaserwera sshd[1798]: Failed password for my-admin from 83.8.19.34 port 56451 ssh2
Jul 8 09:51:27 nazwaserwera sshd[1798]: message repeated 5 times: [ Failed password for my-admin from 83.8.19.34 port 56451 ssh2]
Jul 8 09:51:27 nazwaserwera sshd[1798]: Disconnecting: Too many authentication failures for my-admin [preauth]
Jul 8 09:51:27 nazwaserwera sshd[1798]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=abod34.neoplus.adsl.tpnet.pl user=my-admin
这里是sudo iptables-L输出:
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain fail2ban-ssh (0 references)
target prot opt source destination
RETURN all -- anywhere anywhere
下面是重新启动fail2ban后在/var/log/fail2ban.log中写入的内容:
2014-07-08 11:26:12,538 fail2ban.server : INFO Stopping all jails
2014-07-08 11:26:13,141 fail2ban.jail : INFO Jail 'ssh' stopped
2014-07-08 11:26:13,142 fail2ban.server : INFO Exiting Fail2ban
2014-07-08 11:26:16,825 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.11
2014-07-08 11:26:16,826 fail2ban.jail : INFO Creating new jail 'ssh'
2014-07-08 11:26:17,024 fail2ban.jail : INFO Jail 'ssh' uses pyinotify
2014-07-08 11:26:17,141 fail2ban.jail : INFO Initiated 'pyinotify' backend
2014-07-08 11:26:17,142 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2014-07-08 11:26:17,144 fail2ban.filter : INFO Set maxRetry = 4
2014-07-08 11:26:17,145 fail2ban.filter : INFO Set findtime = 600
2014-07-08 11:26:17,145 fail2ban.actions: INFO Set banTime = 300
2014-07-08 11:26:17,438 fail2ban.jail : INFO Jail 'ssh' started
2014-07-08 11:26:17,619 fail2ban.actions.action: ERROR iptables -N fail2ban-ssh
iptables -A fail2ban-ssh -j RETURN
iptables -I INPUT -p tcp -m multiport --dports anyport -j fail2ban-ssh returned 200
这里也有几件事与此相关:
- 我使用非标准端口进行ssh连接: 4444端口 在/etc/ssh/sshd_conf中设置
- 我记得在更改配置文件后重新启动服务(fail2ban,ssh)
- 我收到fail2ban的电子邮件,但只告诉我它已启动或停止
maxretry = 4
fail2ban应在auth.log文件中搜索5行(1+4),每行包含关于登录尝试失败的警报。但是更仔细地看我的auth.log,我发现我得到的最大值是2。以下是如何记录6次失败的登录尝试:
Jul 8 09:51:10 nazwaserwera sshd[1798]: Failed password for my-admin from 83.8.19.34 port 56451 ssh2
Jul 8 09:51:27 nazwaserwera sshd[1798]: message repeated 5 times: [ Failed password for my-admin from 83.8.19.34 port 56451 ssh2]
正如你所看到的,我只收到了两行,而第二行写着“消息重复了5次”
解决方案非常简单:
我刚刚在/etc/rsyslog.conf中将RepeatedMsgReducement从on更改为off。然后重新启动rsyslog和fail2ban。rsyslog配置文件包含
RepeatedMsgReduce
选项是/etc/rsyslog.conf
。