fail2ban未能禁止Ubuntu 14.04

我想保护我的网络服务器免受暴力攻击(首先通过ssh).所以我安装了fail2ban.我不能让它禁止我.

这是我的/etc/fail2ban/jail.local：

[DEFAULT]
bantime  = 300
findtime = 600
maxretry = 4
backend = auto
usedns = warn
destemail = moj.adres@gmail.com
banaction = iptables-multiport
mta = sendmail
protocol = tcp
chain = INPUT

(...)
action = %(action_mw)s

(...)

[ssh]

enabled  = true
port     = anyport
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 4

只启用了ssh,我没有更改任何省略的内容.

根据这种配置,我应该在4次登录尝试失败后被禁止300秒.我被允许6但没有禁令. /var/log/auth.log看起来很不错.这是显示我的6次登录失败的片段：

Jul  8 09:51:09 nazwaserwera sshd[1798]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=abod34.neoplus.adsl.tpnet.pl  user=my-admin
Jul  8 09:51:10 nazwaserwera sshd[1798]: Failed password for my-admin from 83.8.19.34 port 56451 ssh2
Jul  8 09:51:27 nazwaserwera sshd[1798]: message repeated 5 times: [ Failed password for my-admin from 83.8.19.34 port 56451 ssh2]
Jul  8 09:51:27 nazwaserwera sshd[1798]: Disconnecting: Too many authentication failures for my-admin [preauth]
Jul  8 09:51:27 nazwaserwera sshd[1798]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=abod34.neoplus.adsl.tpnet.pl  user=my-admin

这是sudo iptables -L输出：

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-ssh (0 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

在这里重新启动fail2ban后,在/var/log/fail2ban.log中写了什么：

2014-07-08 11:26:12,538 fail2ban.server : INFO   Stopping all jails
2014-07-08 11:26:13,141 fail2ban.jail   : INFO   Jail 'ssh' stopped
2014-07-08 11:26:13,142 fail2ban.server : INFO   Exiting Fail2ban
2014-07-08 11:26:16,825 fail2ban.server : INFO   Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.11
2014-07-08 11:26:16,826 fail2ban.jail   : INFO   Creating new jail 'ssh'
2014-07-08 11:26:17,024 fail2ban.jail   : INFO   Jail 'ssh' uses pyinotify
2014-07-08 11:26:17,141 fail2ban.jail   : INFO   Initiated 'pyinotify' backend
2014-07-08 11:26:17,142 fail2ban.filter : INFO   Added logfile = /var/log/auth.log
2014-07-08 11:26:17,144 fail2ban.filter : INFO   Set maxRetry = 4
2014-07-08 11:26:17,145 fail2ban.filter : INFO   Set findtime = 600
2014-07-08 11:26:17,145 fail2ban.actions: INFO   Set banTime = 300
2014-07-08 11:26:17,438 fail2ban.jail   : INFO   Jail 'ssh' started
2014-07-08 11:26:17,619 fail2ban.actions.action: ERROR  iptables -N fail2ban-ssh
iptables -A fail2ban-ssh -j RETURN
iptables -I INPUT -p tcp -m multiport --dports anyport -j fail2ban-ssh returned 200

这里有一些相关的东西：

>我使用非标准端口进行ssh连接：

港口4444

在/ etc / ssh / sshd_conf中设置
>我记得在更改配置文件后重新启动服务(fail2ban,ssh)
>我从fail2ban收到电子邮件,但只告诉我它已启动或停止

我在谷歌搜索过一个解决方案,但找不到合适的解决方案.任何帮助,将不胜感激.

解决了！

根据我在jail.local中的配置

maxretry = 4

fail2ban应在auth.log文件中搜索5行(1 4),其中包含每个登录尝试失败的警报.但是仔细观察我的auth.log,我注意到我得到的最大值是2.这里记录了6次失败的登录尝试：

Jul  8 09:51:10 nazwaserwera sshd[1798]: Failed password for my-admin from 83.8.19.34 port 56451 ssh2
Jul  8 09:51:27 nazwaserwera sshd[1798]: message repeated 5 times: [ Failed password for my-admin from 83.8.19.34 port 56451 ssh2]

你可以看到而不是6行我只得到两行,第二行说“消息重复5次”.

解决方案非常简单：我刚刚在/etc/rsyslog.conf中将RepeatedMsgReduction从on更改为off.然后重新启动rsyslog和fail2ban.