
fail2ban does not ban on Ubuntu 19.04

I configured a jail for the login page of a PHP application, but the failed login attempts:

stephane@example:~$ tail -400f /home/stephane/dev/docker/projects/common/volumes/logs/php_error_log
[15-Oct-2019 12:15:18 Europe/London] (10.255.0.2) [WARNING] fail2ban -- Failed admin login attempt for root at https://www.example.com:83

never trigger a ban:

Every 2.0s: fail2ban-client status learnintouch-admin                                                example.com: Tue Oct 15 13:21:17 2019

Status for the jail: learnintouch-admin
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:        /home/stephane/dev/docker/projects/common/volumes/logs/php_error_log
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:

Running at DEBUG level shows that fail2ban notices the log file being modified:

stephane@example:~$ sudo tail -f /var/log/fail2ban.log
[sudo] password for stephane: 
2019-10-15 12:57:38,814 fail2ban.CommandAction  [25514]: DEBUG     Set blocktype = 'reject'
2019-10-15 12:57:38,814 fail2ban.CommandAction  [25514]: DEBUG     Set destination = 'any'
2019-10-15 12:57:38,814 fail2ban.CommandAction  [25514]: DEBUG     Set application = ''
2019-10-15 12:57:38,814 fail2ban.jail           [25514]: DEBUG   Starting jail 'learnintouch-admin'
2019-10-15 12:57:38,814 fail2ban.filterpoll     [25514]: DEBUG   /home/stephane/dev/docker/projects/common/volumes/logs/php_error_log has been modified
2019-10-15 12:57:38,815 fail2ban.filter         [25514]: DEBUG   Seek to find time 1571136458.8108385 (2019-10-15 12:47:38), file size 0
2019-10-15 12:57:38,815 fail2ban.filter         [25514]: DEBUG   Position -1 from 0, found time None () within 0 seeks
2019-10-15 12:57:38,816 fail2ban.jail           [25514]: INFO    Jail 'learnintouch-admin' started
2019-10-15 13:15:18,414 fail2ban.filterpoll     [25514]: DEBUG   /home/stephane/dev/docker/projects/common/volumes/logs/php_error_log has been modified

Checking the regular expression shows that it matches:

stephane@example:~/dev/docker/projects/learnintouch/www.example/app$ fail2ban-regex /home/stephane/dev/docker/projects/common/volumes/logs/php_error_log "\(<HOST>\) \[WARNING\] fail2ban -- Failed admin login attempt for"

Running tests
=============

Use   failregex line : \(<HOST>\) \[WARNING\] fail2ban -- Failed admin lo...
Use         log file : /home/stephane/dev/docker/projects/common/volumes/logs/php_error_log
Use         encoding : UTF-8


Results
=======

Failregex: 6 total
|-  #) [# of hits] regular expression
|   1) [6] \(<HOST>\) \[WARNING\] fail2ban -- Failed admin login attempt for
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [6] {^LN-BEG}Day(?P<_sep>[-/])MON(?P=_sep)ExYear[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
`-

Lines: 6 lines, 0 ignored, 6 matched, 0 missed
[processed in 0.02 sec]

My /etc/fail2ban/jail.local configuration file contains:

[DEFAULT]
ignoreip = 127.0.0.1/8
bantime = 1800
findtime = 600
maxretry = 5
banaction = ufw

[sshd]
enabled = false

[learnintouch-admin]
enabled = true
port = 81,83
filter = learnintouch-admin.fail2ban
logpath = /home/stephane/dev/docker/projects/common/volumes/logs/php_error_log

The jail filter configuration file /etc/fail2ban/filter.d/learnintouch-admin.fail2ban.conf:

[INCLUDES]

before = common.conf

[Definition]

failregex = \(<HOST>\) \[WARNING\] fail2ban -- Failed admin login attempt for

I installed fail2ban with the following commands:

sudo apt-get install fail2ban
sudo apt-get install iptables-persistent

I configured the /etc/fail2ban/action.d/ufw.conf file:

[Definition]
actionstart =
actionstop =
actioncheck =
actionban = ufw insert 1 deny from <ip> to any port 83
actionunban = ufw delete deny from <ip> to any port 83

The ufw firewall status:

stephane@example:~/dev/docker/projects/user-rest/app$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp (OpenSSH)           ALLOW IN    Anywhere                  
80/tcp                     ALLOW IN    Anywhere                  
443/tcp                    ALLOW IN    Anywhere                  
3306                       ALLOW IN    127.0.0.0                 
6379                       ALLOW IN    127.0.0.0                 
8080                       ALLOW IN    Anywhere                  
81                         ALLOW IN    Anywhere                  
83                         ALLOW IN    Anywhere                  
8443                       ALLOW IN    Anywhere                  
9001                       ALLOW IN    Anywhere                  
5000                       ALLOW IN    127.0.0.0                 
22                         ALLOW IN    Anywhere                  
22/tcp                     ALLOW IN    Anywhere                  
Anywhere                   ALLOW IN    Anywhere                  
82                         ALLOW IN    Anywhere                  
443                        ALLOW IN    Anywhere                  
22/tcp (OpenSSH (v6))      ALLOW IN    Anywhere (v6)             
80/tcp (v6)                ALLOW IN    Anywhere (v6)             
443/tcp (v6)               ALLOW IN    Anywhere (v6)             
8080 (v6)                  ALLOW IN    Anywhere (v6)             
81 (v6)                    ALLOW IN    Anywhere (v6)             
83 (v6)                    ALLOW IN    Anywhere (v6)             
8443 (v6)                  ALLOW IN    Anywhere (v6)             
9001 (v6)                  ALLOW IN    Anywhere (v6)             
22 (v6)                    ALLOW IN    Anywhere (v6)             
22/tcp (v6)                ALLOW IN    Anywhere (v6)             
Anywhere (v6)              ALLOW IN    Anywhere (v6)             
82 (v6)                    ALLOW IN    Anywhere (v6)             
443 (v6)                   ALLOW IN    Anywhere (v6)    

If I restart fail2ban and fail 6 login attempts in a row, the log shows only:

stephane@thalasoft:~$ sudo tail -f /var/log/fail2ban.log
2019-10-23 10:11:02,395 fail2ban.datetemplate   [12908]: DEBUG     constructed regex (?:^|\b|\W)(?iu)((?:(?P<Z>Z|[A-Z]{3,5}) )?(?:(?P<a>mon|tue|wed|thu|fri|sat|sun) )?(?P<b>jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec) (?P<d>3[0-1]|[1-2]\d|0[1-9]|[1-9]| [1-9])  ?(?P<H>[0-2]?\d):(?P<M>[0-5]\d|\d):(?P<S>6[0-1]|[0-5]\d|\d)(?:\.(?P<f>[0-9]{1,6}))?(?: (?P<Y>(?:201|202)\d))?)(?=\b|\W|$)
2019-10-23 10:11:02,395 fail2ban.datetemplate   [12908]: DEBUG     constructed regex ^(?:\W{0,2})?(?iu)((?:(?P<Z>Z|[A-Z]{3,5}) )?(?:(?P<a>mon|tue|wed|thu|fri|sat|sun) )?(?P<b>jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec) (?P<d>3[0-1]|[1-2]\d|0[1-9]|[1-9]| [1-9])  ?(?P<H>[0-2]?\d):(?P<M>[0-5]\d|\d):(?P<S>6[0-1]|[0-5]\d|\d)(?:\.(?P<f>[0-9]{1,6}))?(?: (?P<Y>(?:201|202)\d))?)(?=\b|\W|$)
2019-10-23 10:11:02,395 fail2ban.datetemplate   [12908]: DEBUG     constructed regex (?:^|\b|\W)(?iu)((?:(?P<z>Z|UTC|GMT|[+-][01]\d(?::?\d{2})?) )?(?:(?P<a>mon|tue|wed|thu|fri|sat|sun) )?(?P<b>jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec) (?P<d>3[0-1]|[1-2]\d|0[1-9]|[1-9]| [1-9])  ?(?P<H>[0-2]?\d):(?P<M>[0-5]\d|\d):(?P<S>6[0-1]|[0-5]\d|\d)(?:\.(?P<f>[0-9]{1,6}))?(?: (?P<Y>(?:201|202)\d))?)(?=\b|\W|$)
2019-10-23 10:11:02,395 fail2ban.datetemplate   [12908]: DEBUG     constructed regex ^(?:\W{0,2})?(?iu)((?:(?P<z>Z|UTC|GMT|[+-][01]\d(?::?\d{2})?) )?(?:(?P<a>mon|tue|wed|thu|fri|sat|sun) )?(?P<b>jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec) (?P<d>3[0-1]|[1-2]\d|0[1-9]|[1-9]| [1-9])  ?(?P<H>[0-2]?\d):(?P<M>[0-5]\d|\d):(?P<S>6[0-1]|[0-5]\d|\d)(?:\.(?P<f>[0-9]{1,6}))?(?: (?P<Y>(?:201|202)\d))?)(?=\b|\W|$)
2019-10-23 10:11:02,399 fail2ban.datetemplate   [12908]: DEBUG     constructed regex (@[0-9a-f]{24})(?=\b|\W|$)
2019-10-23 10:11:02,399 fail2ban.datetemplate   [12908]: DEBUG     constructed regex ^(?:\W{0,2})?(@[0-9a-f]{24})(?=\b|\W|$)
2019-10-23 10:11:05,628 fail2ban.filterpoll     [12908]: DEBUG   /home/stephane/dev/docker/projects/common/volumes/logs/php_error_log has been modified
2019-10-23 10:11:10,242 fail2ban.filterpoll     [12908]: DEBUG   /home/stephane/dev/docker/projects/common/volumes/logs/php_error_log has been modified
2019-10-23 10:11:12,452 fail2ban.filterpoll     [12908]: DEBUG   /home/stephane/dev/docker/projects/common/volumes/logs/php_error_log has been modified
2019-10-23 10:11:14,456 fail2ban.filterpoll     [12908]: DEBUG   /home/stephane/dev/docker/projects/common/volumes/logs/php_error_log has been modified
2019-10-23 10:12:11,743 fail2ban.filterpoll     [12908]: DEBUG   /home/stephane/dev/docker/projects/common/volumes/logs/php_error_log has been modified
2019-10-23 10:12:14,359 fail2ban.filterpoll     [12908]: DEBUG   /home/stephane/dev/docker/projects/common/volumes/logs/php_error_log has been modified
2019-10-23 10:12:16,362 fail2ban.filterpoll     [12908]: DEBUG   /home/stephane/dev/docker/projects/common/volumes/logs/php_error_log has been modified

The iptables INPUT and OUTPUT configuration:

stephane@thalasoft:~$ sudo iptables -n -L INPUT
Chain INPUT (policy DROP)
target     prot opt source               destination         
f2b-sshd   tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 22
ufw-before-logging-input  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-before-input  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-after-input  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-after-logging-input  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-reject-input  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-track-input  all  --  0.0.0.0/0            0.0.0.0/0           
stephane@thalasoft:~$ sudo iptables -n -L OUTPUT
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ufw-before-logging-output  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-before-output  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-after-output  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-after-logging-output  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-reject-output  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-track-output  all  --  0.0.0.0/0            0.0.0.0/0           
stephane@thalasoft:~$

UPDATE: I also installed fail2ban from source, version 0.10.4 and then version 0.10.3.

sudo apt-get remove fail2ban
wget https://github.com/fail2ban/fail2ban/archive/0.10.3.tar.gz
mv 0.10.3.tar.gz fail2ban-0.10.3.tar.gz
gzip -d fail2ban-0.10.3.tar.gz
tar -xvf fail2ban-0.10.3.tar
cd ~/programs/fail2ban-0.10.3
mkdir ~/programs/install/fail2ban
sudo python setup.py install --root=~/programs/install/fail2ban
sudo cp files/debian-initd /etc/init.d/fail2ban
sudo update-rc.d fail2ban defaults
sudo systemctl unmask fail2ban.service
sudo service fail2ban start

But I still had the same error with both source versions.

UPDATE: I see many incoming blocked login attempts in the /var/log/ufw.log file:

Oct 23 10:19:01 thalasoft kernel: [336294.072283] [UFW BLOCK] IN=ens3 OUT= MAC=56:00:02:39:59:aa:fe:00:02:39:59:aa:08:00 SRC=218.92.0.204 DST=149.28.60.185 LEN=700 TOS=0x00 PREC=0x00 TTL=48 ID=55749 DF PROTO=TCP SPT=50112 DPT=22 WINDOW=229 RES=0x00 ACK PSH URGP=0 
Oct 23 10:19:07 thalasoft kernel: [336300.735374] [UFW BLOCK] IN=ens3 OUT= MAC=56:00:02:39:59:aa:fe:00:02:39:59:aa:08:00 SRC=185.156.73.52 DST=149.28.60.185 LEN=40 TOS=0x00 PREC=0x00 TTL=243 ID=47855 PROTO=TCP SPT=55690 DPT=281 WINDOW=1024 RES=0x00 SYN URGP=0 
Oct 23 10:20:13 thalasoft kernel: [336366.115758] [UFW BLOCK] IN=ens3 OUT= MAC=56:00:02:39:59:aa:fe:00:02:39:59:aa:08:00 SRC=185.156.73.52 DST=149.28.60.185 LEN=40 TOS=0x00 PREC=0x00 TTL=243 ID=958 PROTO=TCP SPT=55690 DPT=147 WINDOW=1024 RES=0x00 SYN URGP=0

This is even with the fail2ban server stopped.

failregex = \(<HOST>\) \[WARNING\] fail2ban -- Failed admin login attempt for

cannot work, because there are characters before HOST; try something like:

failregex = ^.*\(<HOST>\) \[WARNING\] fail2ban -- Failed admin login attempt for
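The following is an added example, not code from the question, the answer or fail2ban itself. It replays the jail logic from the question (the failregex with the `<HOST>` placeholder, `findtime = 600`, `maxretry = 5`) over constructed log lines in the shape of the php_error_log excerpt, and it shows what the answer's `^.*` prefix changes: when the date prefix has been stripped, both regexes match; when the raw line is matched from position 0 (`re.match`), only the prefixed regex survives, while `re.search` accepts both. The `<HOST>` expansion, the date-prefix parser and the match-from-start semantics are assumptions made for this example; the sample addresses are constructed (192.0.2.7 is an RFC 5737 documentation address).

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log, shaped like the php_error_log excerpt in the question.
SAMPLE_LOG = """\
[15-Oct-2019 12:15:18 Europe/London] (10.255.0.2) [WARNING] fail2ban -- Failed admin login attempt for root at https://www.example.com:83
[15-Oct-2019 12:15:40 Europe/London] (10.255.0.2) [WARNING] fail2ban -- Failed admin login attempt for admin at https://www.example.com:83
[15-Oct-2019 12:16:02 Europe/London] (10.255.0.2) [WARNING] fail2ban -- Failed admin login attempt for root at https://www.example.com:83
[15-Oct-2019 12:16:30 Europe/London] (10.255.0.2) [WARNING] fail2ban -- Failed admin login attempt for root at https://www.example.com:83
[15-Oct-2019 12:17:05 Europe/London] (10.255.0.2) [WARNING] fail2ban -- Failed admin login attempt for root at https://www.example.com:83
[15-Oct-2019 12:17:20 Europe/London] (10.255.0.2) [WARNING] fail2ban -- Failed admin login attempt for root at https://www.example.com:83
[15-Oct-2019 12:18:00 Europe/London] (192.0.2.7) [WARNING] fail2ban -- Failed admin login attempt for root at https://www.example.com:83
[15-Oct-2019 13:40:00 Europe/London] (192.0.2.7) [NOTICE] Undefined index: foo in /app/index.php on line 12
"""

# The failregex from the question and the '^.*'-prefixed variant from the answer.
FAILREGEX_ORIGINAL = r"\(<HOST>\) \[WARNING\] fail2ban -- Failed admin login attempt for"
FAILREGEX_ANCHORED = r"^.*\(<HOST>\) \[WARNING\] fail2ban -- Failed admin login attempt for"

# Assumed expansion of the <HOST> placeholder: a named group capturing the client address.
HOST_PATTERN = r"(?P<host>[\w\-.^_]*\w)"

# Date prefix of the PHP error log: "[15-Oct-2019 12:15:18 Europe/London] ".
DATE_PREFIX = re.compile(r"^\[(\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}) [^\]]*\] ")


def compile_failregex(failregex):
    """Substitute the <HOST> placeholder and compile the pattern."""
    return re.compile(failregex.replace("<HOST>", HOST_PATTERN))


def split_date(line):
    """Return (timestamp, remainder) for a line with the PHP date prefix, else (None, line)."""
    m = DATE_PREFIX.match(line)
    if not m:
        return None, line
    return datetime.strptime(m.group(1), "%d-%b-%Y %H:%M:%S"), line[m.end():]


def hits(failregex, log, strip_date=True, from_start=True):
    """Count matching lines.

    strip_date: remove the date prefix before matching (what a recognised date template gives).
    from_start: re.match (pattern must begin at position 0) versus re.search (anywhere in the line).
    """
    rx = compile_failregex(failregex)
    count = 0
    for line in log.splitlines():
        text = split_date(line)[1] if strip_date else line
        matched = rx.match(text) if from_start else rx.search(text)
        if matched:
            count += 1
    return count


def offenders(failregex, log, findtime=600, maxretry=5):
    """Hosts that reach maxretry matches within any findtime-second window (jail.local values)."""
    rx = compile_failregex(failregex)
    recent = defaultdict(deque)   # host -> timestamps of matches still inside the window
    banned = set()
    for line in log.splitlines():
        ts, text = split_date(line)
        m = rx.match(text) if ts else None   # lines without a parsable date are skipped
        if not m:
            continue
        window = recent[m.group("host")]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned.add(m.group("host"))
    return banned


if __name__ == "__main__":
    for name, rx in (("original", FAILREGEX_ORIGINAL), ("anchored", FAILREGEX_ANCHORED)):
        print(name, "date stripped:", hits(rx, SAMPLE_LOG),
              "raw, from start:", hits(rx, SAMPLE_LOG, strip_date=False),
              "raw, search:", hits(rx, SAMPLE_LOG, strip_date=False, from_start=False))
    print("would be banned:", offenders(FAILREGEX_ORIGINAL, SAMPLE_LOG))
```

Running it shows 7 hits for both patterns once the date is stripped, 0 versus 7 on raw lines matched from the start, and 10.255.0.2 as the only host reaching five failures inside 600 seconds; the `fail2ban-regex` run in the question corresponds to the date-stripped case, which is why it reports matches regardless of the prefix.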