我已经配置了fail2ban来监控我正在获取的某种恶意流量模式并禁止关联的IP地址.
一切似乎都很有效 – 正则表达式正确地匹配模式,并且问题IP地址被添加到iptables.
但是,当我检查Apache日志时,我仍然会收到被禁止的IP地址的命中.好像iptables根本没有运行.
因此,让我分享一些细节,以确认一切都配置正确.
首先,我将清除并重新加载iptables规则:
$sudo iptables -F
$cat /etc/iptables.firewall.rules
*filter
# Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT
# Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT
# Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# Allow SSH connections
#
# The -dport number should be the same port number you set in sshd_config
#
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
# Allow ping
-A INPUT -p icmp -j ACCEPT
# Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# Drop all other inbound - default deny unless explicitly allowed policy
-A INPUT -j DROP
-A FORWARD -j DROP
COMMIT
$sudo iptables-restore < /etc/iptables.firewall.rules
$sudo iptables -nvL
Chain INPUT (policy ACCEPT 0 packets,0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 REJECT all -- * * 0.0.0.0/0 127.0.0.0/8 reject-with icmp-port-unreachable
14 1432 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
1 60 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 5/min burst 5 LOG flags 0 level 7 prefix "iptables denied: "
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets,0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 0 packets,0 bytes)
pkts bytes target prot opt in out source destination
11 1638 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
现在,这是fail2ban配置的样子:
$cat /etc/fail2ban/filter.d/apache-xmlrpc.conf [Definition] failregex = .*:80 <HOST> .*POST .*xmlrpc\.PHP.* ignoreregex = $cat /etc/fail2ban/jail.local [apache-xmlrpc] enabled = true port = http,https filter = apache-xmlrpc logpath = /var/log/apache2/other_vhosts_access.log maxretry = 6 $fail2ban-regex /var/log/apache2/other_vhosts_access.log /etc/fail2ban/filter.d/apache-xmlrpc.conf Running tests ============= Use regex file : /etc/fail2ban/filter.d/apache-xmlrpc.conf Use log file : /var/log/apache2/other_vhosts_access.log Results ======= Failregex |- Regular expressions: | [1] .*:80 <HOST> .*POST .*xmlrpc\.PHP.* | `- Number of matches: [1] 29 match(es) Ignoreregex |- Regular expressions: | `- Number of matches: Summary ======= Addresses found: [1] 80.82.70.239 (Sat Jul 13 02:41:52 2013) 80.82.70.239 (Sat Jul 13 02:41:53 2013) 80.82.70.239 (Sat Jul 13 02:41:55 2013) 80.82.70.239 (Sat Jul 13 02:41:56 2013) 80.82.70.239 (Sat Jul 13 02:41:57 2013) 80.82.70.239 (Sat Jul 13 02:41:58 2013) 80.82.70.239 (Sat Jul 13 02:41:59 2013) 80.82.70.239 (Sat Jul 13 02:42:00 2013) 80.82.70.239 (Sat Jul 13 02:42:02 2013) 80.82.70.239 (Sat Jul 13 02:42:03 2013) 80.82.70.239 (Sat Jul 13 02:42:04 2013) 80.82.70.239 (Sat Jul 13 02:42:05 2013) 80.82.70.239 (Sat Jul 13 02:42:06 2013) 80.82.70.239 (Sat Jul 13 02:42:07 2013) 80.82.70.239 (Sat Jul 13 02:42:09 2013) 80.82.70.239 (Sat Jul 13 02:42:10 2013) 80.82.70.239 (Sat Jul 13 02:42:11 2013) 80.82.70.239 (Sat Jul 13 02:42:12 2013) 80.82.70.239 (Sat Jul 13 02:42:13 2013) 80.82.70.239 (Sat Jul 13 02:42:15 2013) 80.82.70.239 (Sat Jul 13 02:42:16 2013) 80.82.70.239 (Sat Jul 13 02:42:17 2013) 80.82.70.239 (Sat Jul 13 02:42:18 2013) 80.82.70.239 (Sat Jul 13 02:42:19 2013) 80.82.70.239 (Sat Jul 13 02:42:20 2013) 80.82.70.239 (Sat Jul 13 02:42:22 2013) 80.82.70.239 (Sat Jul 13 02:42:23 2013) 80.82.70.239 (Sat Jul 13 02:42:24 2013) 80.82.70.239 (Sat Jul 13 02:42:25 2013) Date template hits: 0 hit(s): MONTH Day Hour:Minute:Second 0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year 0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second 0 hit(s): Year/Month/Day Hour:Minute:Second 0 hit(s): Day/Month/Year Hour:Minute:Second 0 hit(s): Day/Month/Year Hour:Minute:Second 70 hit(s): Day/MONTH/Year:Hour:Minute:Second 0 hit(s): Month/Day/Year:Hour:Minute:Second 0 hit(s): Year-Month-Day Hour:Minute:Second 0 hit(s): Year.Month.Day Hour:Minute:Second 0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond] 0 hit(s): Day-Month-Year Hour:Minute:Second 0 hit(s): TAI64N 0 hit(s): Epoch 0 hit(s): ISO 8601 0 hit(s): Hour:Minute:Second 0 hit(s): <Month/Day/Year@Hour:Minute:Second> Success,the total number of match is 29 However,look at the above section 'Running tests' which could contain important information.
如您所见,我在过滤器中设置了failregex并启用了过滤器.使用fail2ban-regex,过滤器确实在我正在监视的日志文件中找到匹配项. (我正在积极地受到有问题的IP地址的攻击,这使得测试非常简单.)
所以现在我重新启动fail2ban并遵守规则生效:
$sudo service fail2ban restart * Restarting authentication failure monitor fail2ban [ OK ] $tail /var/log/fail2ban.log -n 50 2013-07-13 02:42:58,014 fail2ban.server : INFO Stopping all jails 2013-07-13 02:42:58,745 fail2ban.jail : INFO Jail 'apache-xmlrpc' stopped 2013-07-13 02:42:59,439 fail2ban.jail : INFO Jail 'ssh' stopped 2013-07-13 02:42:59,440 fail2ban.server : INFO Exiting Fail2ban 2013-07-13 02:43:08,055 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.6 2013-07-13 02:43:08,057 fail2ban.jail : INFO Creating new jail 'ssh' 2013-07-13 02:43:08,111 fail2ban.jail : INFO Jail 'ssh' uses Gamin 2013-07-13 02:43:08,397 fail2ban.filter : INFO Added logfile = /var/log/auth.log 2013-07-13 02:43:08,404 fail2ban.filter : INFO Set maxRetry = 6 2013-07-13 02:43:08,414 fail2ban.filter : INFO Set findtime = 600 2013-07-13 02:43:08,435 fail2ban.actions: INFO Set banTime = 600 2013-07-13 02:43:09,277 fail2ban.jail : INFO Creating new jail 'apache-xmlrpc' 2013-07-13 02:43:09,277 fail2ban.jail : INFO Jail 'apache-xmlrpc' uses Gamin 2013-07-13 02:43:09,283 fail2ban.filter : INFO Added logfile = /var/log/apache2/other_vhosts_access.log 2013-07-13 02:43:09,286 fail2ban.filter : INFO Set maxRetry = 6 2013-07-13 02:43:09,289 fail2ban.filter : INFO Set findtime = 600 2013-07-13 02:43:09,292 fail2ban.actions: INFO Set banTime = 600 2013-07-13 02:43:09,458 fail2ban.jail : INFO Jail 'ssh' started 2013-07-13 02:43:09,792 fail2ban.jail : INFO Jail 'apache-xmlrpc' started 2013-07-13 02:43:11,361 fail2ban.actions: WARNING [apache-xmlrpc] Ban 80.82.70.239 $sudo iptables -nvL Chain INPUT (policy ACCEPT 0 packets,0 bytes) pkts bytes target prot opt in out source destination 244 39277 fail2ban-apache-xmlrpc tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443 101 7716 fail2ban-ssh tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 22 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 0 0 REJECT all -- * * 0.0.0.0/0 127.0.0.0/8 reject-with icmp-port-unreachable 3404 582K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 349 20900 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 12 720 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 2 80 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 5/min burst 5 LOG flags 0 level 7 prefix "iptables denied: " 2 80 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 Chain FORWARD (policy ACCEPT 0 packets,0 bytes) pkts bytes target prot opt in out source destination 3331 4393K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 Chain fail2ban-apache-xmlrpc (1 references) pkts bytes target prot opt in out source destination 0 0 DROP all -- * * 80.82.70.239 0.0.0.0/0 244 39277 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 Chain fail2ban-ssh (1 references) pkts bytes target prot opt in out source destination 0 0 DROP all -- * * 223.4.147.8 0.0.0.0/0 101 7716 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
正如fail2ban日志所示,规则集似乎已正确配置.您已经可以看到有问题的IP地址被立即捕获并被禁止. iptables的输出显示它实际上被删除了.
但是,我已经观察到在fail2ban-apache-xmlrpc链下匹配的IP地址没有丢弃的数据包.果然,我检查了apache日志:
$tail /var/log/apache2/other_vhosts_access.log www.--SNIP--.com:80 80.82.70.239 - - [13/Jul/2013:02:43:53 +0000] "POST /xmlrpc.PHP HTTP/1.1" 403 474 "-" "-" www.--SNIP--.com:80 80.82.70.239 - - [13/Jul/2013:02:43:54 +0000] "POST /xmlrpc.PHP HTTP/1.1" 403 474 "-" "-" www.--SNIP--.com:80 80.82.70.239 - - [13/Jul/2013:02:43:56 +0000] "POST /xmlrpc.PHP HTTP/1.1" 403 474 "-" "-" www.--SNIP--.com:80 80.82.70.239 - - [13/Jul/2013:02:43:57 +0000] "POST /xmlrpc.PHP HTTP/1.1" 403 474 "-" "-" www.--SNIP--.com:80 80.82.70.239 - - [13/Jul/2013:02:43:58 +0000] "POST /xmlrpc.PHP HTTP/1.1" 403 474 "-" "-" www.--SNIP--.com:80 80.82.70.239 - - [13/Jul/2013:02:43:59 +0000] "POST /xmlrpc.PHP HTTP/1.1" 403 474 "-" "-" www.--SNIP--.com:80 80.82.70.239 - - [13/Jul/2013:02:44:00 +0000] "POST /xmlrpc.PHP HTTP/1.1" 403 474 "-" "-" www.--SNIP--.com:80 80.82.70.239 - - [13/Jul/2013:02:44:02 +0000] "POST /xmlrpc.PHP HTTP/1.1" 403 474 "-" "-"
不,它没有被阻止!我还可以在fail2ban日志中确认这一点:
$tail /var/log/fail2ban.log 2013-07-13 02:52:30,757 fail2ban.actions: WARNING [apache-xmlrpc] 80.82.70.239 already banned 2013-07-13 02:52:37,767 fail2ban.actions: WARNING [apache-xmlrpc] 80.82.70.239 already banned 2013-07-13 02:52:44,783 fail2ban.actions: WARNING [apache-xmlrpc] 80.82.70.239 already banned 2013-07-13 02:52:51,814 fail2ban.actions: WARNING [apache-xmlrpc] 80.82.70.239 already banned 2013-07-13 02:52:58,830 fail2ban.actions: WARNING [apache-xmlrpc] 80.82.70.239 already banned 2013-07-13 02:53:05,842 fail2ban.actions: WARNING [apache-xmlrpc] 80.82.70.239 already banned 2013-07-13 02:53:11,858 fail2ban.actions: WARNING [apache-xmlrpc] Unban 80.82.70.239 2013-07-13 02:53:12,910 fail2ban.actions: WARNING [apache-xmlrpc] Ban 80.82.70.239 2013-07-13 02:53:20,118 fail2ban.actions: WARNING [apache-xmlrpc] 80.82.70.239 already banned 2013-07-13 02:53:27,129 fail2ban.actions: WARNING [apache-xmlrpc] 80.82.70.239 already banned
它不断出现在apache日志中,因此fail2ban试图继续禁止它!
老实说,我无法弄清楚为什么iptables没有从这个IP地址中丢弃流量.规则顺序对我来说似乎是正确的,DROP先于其他任何东西.
我有谷歌的一些结果,人们有类似的问题,但似乎总是回到一个问题,他们在非标准端口上禁止SSH流量.在我的情况下,我只是想在标准的http端口80上禁止IP地址.
我希望我只是忽略了一些非常简单的东西.这是在Linode上运行Ubuntu 12.04的VPS.如果有人有任何想法,请告诉我.非常感谢…
编辑:这是iptables -S的输出
$sudo iptables -S -P INPUT ACCEPT -P FORWARD ACCEPT -P OUTPUT ACCEPT -N fail2ban-apache-xmlrpc -N fail2ban-ssh -A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-apache-xmlrpc -A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh -A INPUT -i lo -j ACCEPT -A INPUT -d 127.0.0.0/8 -j REJECT --reject-with icmp-port-unreachable -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT -A INPUT -p icmp -j ACCEPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7 -A INPUT -j DROP -A FORWARD -j DROP -A OUTPUT -j ACCEPT -A fail2ban-apache-xmlrpc -s 80.82.70.239/32 -j DROP -A fail2ban-apache-xmlrpc -j RETURN -A fail2ban-ssh -s 223.4.147.8/32 -j DROP -A fail2ban-ssh -j RETURN
iptables -s输出看起来是正确的,我不知道80.82.70.239/32是如何通过防火墙进入任何:80的服务器上.我的第一个猜测是你在服务器前面有一个代理/负载均衡器,Apache正在记录HTTP_X_FORWARDED_FOR标头或者所谓的调用.如果事实证明是这种情况,则必须将防火墙逻辑移至代理/负载均衡器或向下移动到应用程序级别(Apache使用FORWARDED_FOR标头并拒绝访问.
原文链接:https://www.f2er.com/ubuntu/348764.html无论哪种方式:
我将采取的下一步行动是捕获您在上面发布的iptables -s的输出.禁用fail2ban并加载配置,并将fail2ban链和IP地址阻止到iptables中.
但是,请按照以下第一条规则执行此操作:
-A INPUT -p tcp --dport 80 -j LOG --log-prefix "HTTP: "
如果你感觉更好,诱捕80和443就可以了.我们的想法是,如果我们注意来自可疑来源的数据包,来自FIREWALL的日志可能会显示我们遗漏的内容.
