我刚注意到我的服务器上有一个ssh暴力,它实际上应该被fail2ban禁止,但由于某种原因它并没有禁止它.大多数有fail2ban问题的人,似乎都有正则表达式的问题,这在这里似乎没问题.
jail.conf的一部分
[ssh] enabled = true port = ssh filter = sshd logpath = /var/log/auth.log maxretry = 6 findtime = 6000 bantime = 86400
fail2ban-client status ssh
Status for the jail: ssh |- filter | |- File list: /var/log/auth.log | |- Currently failed: 0 | `- Total failed: 0 `- action |- Currently banned: 0 | `- IP list: `- Total banned: 0
fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf
Running tests ============= Use regex file : /etc/fail2ban/filter.d/sshd.conf Use log file : /var/log/auth.log Results ======= Failregex |- Regular expressions: | [1] ^\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S +\))?[\]\)]?:?(?:\[\d+\])?:)?\s*(?:error: PAM: )?Authentication failure for .* from\s*$ | [2] ^\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S +\))?[\]\)]?:?(?:\[\d+\])?:)?\s*(?:error: PAM: )?User not known to the underlying authentication module for .* from \s*$ | [3] ^\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S +\))?[\]\)]?:?(?:\[\d+\])?:)?\s*Failed (?:password|publickey) for .* from (?: port \d*)?(?: ssh\d*)?$ | [4] ^\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S +\))?[\]\)]?:?(?:\[\d+\])?:)?\s*ROOT LOGIN REFUSED.* FROM \s*$ | [5] ^\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S +\))?[\]\)]?:?(?:\[\d+\])?:)?\s*[iI](?:llegal|nvalid) user .* from \s*$ | [6] ^\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S +\))?[\]\)]?:?(?:\[\d+\])?:)?\s*User .+ from not allowed because not listed in AllowUsers$ | [7] ^\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S +\))?[\]\)]?:?(?:\[\d+\])?:)?\s*authentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost= (?:\s+user=.*)?\s*$ | [8] ^\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S +\))?[\]\)]?:?(?:\[\d+\])?:)?\s*refused connect from \S+ \( \)\s*$ | [9] ^\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S +\))?[\]\)]?:?(?:\[\d+\])?:)?\s*Address .* POSSIBLE BREAK-IN ATTEMPT!*\s*$ | [10] ^\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\ S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*User .+ from not allowed because none of user's groups are listed in AllowGroups\s*$ | `- Number of matches: [1] 0 match(es) [2] 0 match(es) [3] 380 match(es) [4] 0 match(es) [5] 353 match(es) [6] 26 match(es) [7] 0 match(es) [8] 0 match(es) [9] 0 match(es) [10] 0 match(es) Ignoreregex |- Regular expressions: | `- Number of matches: Summary ======= Addresses found: [1] [2] [3] 198.245.50.151 (Sat Dec 21 15:18:12 2013) 198.245.50.151 (Sat Dec 21 15:18:15 2013) 198.245.50.151 (Sat Dec 21 15:18:18 2013) 198.245.50.151 (Sat Dec 21 15:18:21 2013) 198.245.50.151 (Sat Dec 21 15:18:24 2013) .................. Date template hits: 23379 hit(s): MONTH Day Hour:Minute:Second 0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year .................. Success, the total number of match is 759
任何想法,为什么fail2ban不禁止,即使我有很多正则表达式匹配?
问候,鱼
这个问题很老了,但我遇到了同样的问题,经过多次搜索,终于找到了解决方案.
我的问题是由于我的时区发生了变化:前一段时间,我使用以下命令来设置我的正确时区.
sudo dpkg-reconfigure tzdata
我的系统时间还可以,但是auth.log中的条目时间确实发生了变化.这就是fail2ban的问题:它必须比较auth.log的条目以检查它是否必须禁止,保留或取消...并且由于错误的时间,记录的条目总是被认为太旧了.
我只需要重新启动syslog守护进程:
sudo service rsyslog restart
然后,auth.log中的时间不再转移,fail2ban成功完成了它的工作.
我希望这个能帮上忙!
好的,这不是官方的解决方案,但确实有效:
3个月完美运行,直到fail2ban升级并停止禁止.我可以说我有多难以解决这个问题,最后这是唯一有效的方法.
这应该工作
sudo service fail2ban stop sudo service fail2ban start
这不行
sudo service fail2ban restart
重要信息:使用其他设备(3G单元)测试故意失败的ssh日志记录以验证fail2ban是否正常工作.如果没有,服务停止/重新开始.有时一些jails无法正确加载.永远不要相信!!!!!
附注:
使用jail.local
启用了4个jail:ssh,dovecot,apache和wootwoot
所有的监狱作为一个魅力几个月没有问题
Ubuntu服务器14.04
fail2ban 0.9
在我再次使用Google搜索之前,我尝试了所有解决方案,并在ServerFault上找到答案:
跑步service rsyslog restart
是我需要做的所有事情,现在它按预期工作(当然,这里的所有解决方案都是必要的......).与这个问题的海报不同,我从未删除或编辑过日志文件,为什么这是我不知道的解决方案.