Fail2ban not blocking IPs

Time: 2018-05-01 14:49:13

Tags: fail2ban

I installed Fail2ban and am trying to get it to block IPs. According to the log it detects the SSH scans and adds the IP addresses to the ban list, but I can still SSH in from a test IP on the internet that is in the ban list.

OS = openSUSE Leap 42.2

Fail2ban v0.10.3

jail.local:

[DEFAULT]
ignoreip = 127.0.0.1/8 192.168.1.0/24

ignorecommand =
bantime  = 1d
findtime  = 600
maxretry = 3

[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           abuseipdb[abuseipdb_apikey="my_key", abuseipdb_category="18,22"]
logpath  = /var/log/messages
maxretry = 3

The IP address is being picked up and it says it has already been banned? fail2ban.log file:

2018-05-01 15:21:59,207 fail2ban.filter         [20450]: INFO    [ssh-iptables] Found x.x.x.x - 2018-05-01 15:21:59
2018-05-01 15:22:02,315 fail2ban.filter         [20450]: INFO    [ssh-iptables] Found x.x.x.x - 2018-05-01 15:22:02
2018-05-01 15:22:02,324 fail2ban.filter         [20450]: INFO    [ssh-iptables] Found x.x.x.x - 2018-05-01 15:22:02
2018-05-01 15:22:02,364 fail2ban.actions        [20450]: NOTICE  [ssh-iptables] x.x.x.x already banned

Output of fail2ban-client status ssh-iptables:

Status for the jail: ssh-iptables
|- Filter
|  |- Currently failed: 1
|  |- Total failed:     51
|  `- File list:        /var/log/messages
`- Actions
   |- Currently banned: 47
   |- Total banned:     437

Output of iptables:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
f2b-SSH    tcp  --  anywhere             anywhere             tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain f2b-SSH (1 references)
target     prot opt source               destination         

Apart from that, nothing is being sent to AbuseIPDB. Any ideas what I am missing?

I have read several forums but can't seem to get it to work.
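The status output above says 47 addresses are currently banned while the f2b-SSH chain is empty, which means fail2ban's internal ban state and the firewall have drifted apart. The following script (an added example, not code from the post or from fail2ban) parses constructed samples of the two outputs and reports the addresses fail2ban believes banned that have no REJECT/DROP rule in the chain; the sample status is shortened to two documentation-range addresses and assumes the "Banned IP list" line that fail2ban-client status prints.

```python
import re

# Constructed sample of `fail2ban-client status ssh-iptables`, shortened to two addresses.
STATUS_OUTPUT = """\
Status for the jail: ssh-iptables
|- Filter
|  `- File list:        /var/log/messages
`- Actions
   |- Currently banned: 2
   `- Banned IP list:   203.0.113.7 198.51.100.23
"""

# Constructed sample of `iptables -n -L f2b-SSH`: the chain exists but holds no rules.
IPTABLES_OUTPUT = """\
Chain f2b-SSH (1 references)
target     prot opt source               destination
"""

def parse_status(text):
    """Return (count, set of IPs) that fail2ban reports as currently banned."""
    m = re.search(r"Currently banned:\s*(\d+)", text)
    count = int(m.group(1)) if m else 0
    m = re.search(r"Banned IP list:\s*(.*)", text)
    ips = set(m.group(1).split()) if m else set()
    return count, ips

def parse_chain(text, chain):
    """Return source IPs that have a REJECT/DROP rule in the named iptables chain."""
    ips, in_chain = set(), False
    for line in text.splitlines():
        if line.startswith("Chain "):
            in_chain = line.split()[1] == chain
            continue
        fields = line.split()
        # Skip other chains, the column header and blank lines; field 3 is the source.
        if in_chain and fields and fields[0] in ("REJECT", "DROP"):
            ips.add(fields[3])
    return ips

def check_jail_sync(status_text, iptables_text, chain="f2b-SSH"):
    """Compare fail2ban's ban state with the firewall; an empty chain means desync."""
    count, status_ips = parse_status(status_text)
    chain_ips = parse_chain(iptables_text, chain)
    return {
        "fail2ban_banned": count,
        "chain_rules": len(chain_ips),
        "missing_from_chain": sorted(status_ips - chain_ips),
        "in_sync": count == len(chain_ips) and status_ips <= chain_ips,
    }
```

On a live host, feed it the real output of `fail2ban-client status <jail>` and `iptables -n -L <chain>`; a non-empty missing_from_chain list after a reload is the signal that the service needs a full restart so the action's start command rebuilds the chain.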

2 Answers:

Answer 0 (score: 1)

First make sure that fail2ban is at version v0.10.0; you can check this with:

fail2ban-client -V

The reporting feature for https://www.abuseipdb.com only exists from this version onward.

If you have an earlier version, you should do the following:

sudo nano /etc/fail2ban/action.d/abuseipdb.conf

Paste the contents of https://github.com/fail2ban/fail2ban/blob/0.11/config/action.d/abuseipdb.conf into the file and save it.

Then open /etc/fail2ban/jail.local and paste the following before the line containing action = %(action_)s:

# Report ban via abuseipdb.com.
#
# See action.d / abuseipdb.conf for usage example and details.
#
action_abuseipdb = abuseipdb

Then add the following to the jail corresponding to the service you want to report (here I used SSH brute force as an example):

# Ban IP and report to AbuseIPDB for SSH Brute-Forcing
action = %(action_)s
         %(action_abuseipdb)s[abuseipdb_apikey="my-api-key", abuseipdb_category="18,22"]

Fill in "my-api-key" with the key you created on the abuseipdb website, then run

fail2ban-client reload

If you have any questions, refer to:

https://www.abuseipdb.com/fail2ban.html

Answer 1 (score: 0)

Managed to get it working. Restarting fail2ban fixed the blocking problem. Strangely, I had done a fail2ban-client reload and that did not help. Had to kill and restart the service.

Fixed AbuseIPDB by changing the jail.local file to:

action   = iptables[name=SSH, port=ssh, protocol=tcp]
           abuseipdb[abuseipdb_category="18,22"]