Confused about fail2ban behavior with firewallD in Centos 7


Problem description

I was using fail2ban/iptables in a Centos 6 server.
I moved to Centos 7 and now I am using fail2ban/firewallD (installed by Webmin/Virtualmin with their defaults)

These are screen shots of cat /var/log/maillog | grep "disconnect from unknown"
cat /var/log/fail2ban.log | grep Ban only displays

2019-10-27 16:52:22,975 fail2ban.actions [8792]: NOTICE [proftpd] Ban 111.225.204.32

Furthermore, tailf /var/log/fail2ban.log displays several "already banned" of the same IP. In this case, after maxretry is reached, fail2ban tries to ban the IP.

Here are my configurations (partial), I left them as they were by defaults but changed bantimes.

jail.local

[postfix]
enabled = true
port = smtp,465,submission
bantime = -1

[postfix-sasl]
enabled = true
port = smtp,465,submission,imap3,imaps,pop3,pop3s
bantime = -1

[dovecot]
enabled = true
port = pop3,pop3s,imap,imaps,submission,465,sieve
bantime = -1

jail.conf

[DEFAULT]
findtime = 600
maxretry = 5
backend = auto
filter = %(__name__)s
port = 0:65535
banaction = iptables-multiport
banaction_allports = iptables-allports
action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
action = %(action_)s

jail.d/00-firewalld.conf

[DEFAULT]
banaction = firewallcmd-ipset

These files exist: action.d/firewallcmd-ipset.conf filter.d/postfix.conf

firewall-cmd --direct --get-all-rules

ipv4 filter INPUT_direct 0 -p tcp -m multiport --dports ssh -m set --match-set fail2ban-default src -j REJECT --reject-with icmp-port-unreachable
ipv4 filter INPUT 0 -p tcp -m multiport --dports ssh -m set --match-set fail2ban-sshd src -j REJECT --reject-with icmp-port-unreachable
ipv4 filter INPUT 0 -p tcp -m multiport --dports 10000 -m set --match-set fail2ban-webmin-auth src -j REJECT --reject-with icmp-port-unreachable
ipv4 filter INPUT 0 -p tcp -m multiport --dports ssh,sftp -m set --match-set fail2ban-ssh-ddos src -j REJECT --reject-with icmp-port-unreachable

After manually running
firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='193.56.28.0/24' reject"
and
firewall-cmd --reload this output of tailf /var/log/fail2ban.log
stopped.

How can I get all those IPs banned after they reach maxretry value? Would they be banned forever despite service restart or reload?

Edit 1: From fail2ban.log with action=firewalld-cmd ipset

From fail2ban.log with action=iptables-allports


Edit 2:
It seems (I guess) something is flushing configurations (I guess it would be Webmin), because after a while I start getting error logs like failed to execute ban jail 'dovecot' action iptables-allports, so I am trying this: in actions.d I created banning.conf

[Definition]      

actionban = /usr/bin/firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='<IP>' reject"; ; /usr/bin/firewall-cmd --reload    

and at jail.local

[DEFAULT]
banaction = iptables-multiport 
            banning 

But I get Error in action definition banning.
I know this is not a solution.
Before moving the server I was using fail2ban/iptables (not firewalld) for years without having to pay attention beyond default settings.
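The symptom in the question (a "Ban" line followed, minutes later, by "already banned" lines for the same jail and IP) can be spotted automatically. The following check is an added example, not code from the question or from fail2ban; the log lines are constructed in the format quoted above, and the 60-second grace period is an assumption.

```python
import re
from datetime import datetime

# Constructed sample lines, modelled on the fail2ban.log format quoted in the question.
SAMPLE_LOG = """\
2019-10-27 16:52:22,975 fail2ban.actions [8792]: NOTICE [proftpd] Ban 111.225.204.32
2019-10-27 16:53:10,001 fail2ban.actions [8792]: NOTICE [postfix-sasl] Ban 198.51.100.7
2019-10-27 16:53:40,120 fail2ban.actions [8792]: INFO [postfix-sasl] 198.51.100.7 already banned
2019-10-27 17:05:02,330 fail2ban.actions [8792]: INFO [postfix-sasl] 198.51.100.7 already banned
2019-10-27 17:10:15,500 fail2ban.actions [8792]: INFO [proftpd] 111.225.204.32 already banned
"""

# Matches both the "Ban <ip>" and the "<ip> already banned" forms of fail2ban.actions lines.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ fail2ban\.actions\s+\[\d+\]: "
    r"\w+\s+\[(?P<jail>[^\]]+)\] (?:Ban (?P<ban_ip>\S+)|(?P<ab_ip>\S+) already banned)$"
)


def ineffective_bans(log_text, grace_seconds=60):
    """Return {(jail, ip): [seconds after Ban, ...]} for every 'already banned'
    line that arrives more than grace_seconds after the Ban of the same jail/IP.
    A hit means the banned IP could still reach the service, i.e. the ban
    action did not block it (the answer below calls this a non-working action).
    The grace period (assumed 60 s) skips retries that were already in flight."""
    ban_time = {}
    late = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        jail = m["jail"]
        if m["ban_ip"]:
            ban_time[(jail, m["ban_ip"])] = ts
            continue
        key = (jail, m["ab_ip"])
        if key not in ban_time:  # "already banned" without a Ban in this excerpt
            continue
        delta = (ts - ban_time[key]).total_seconds()
        if delta > grace_seconds:
            late.setdefault(key, []).append(int(delta))
    return late


if __name__ == "__main__":
    for (jail, ip), deltas in ineffective_bans(SAMPLE_LOG).items():
        print(f"[{jail}] {ip} still active {deltas} seconds after Ban")
```

Run it over the real file with `ineffective_bans(open("/var/log/fail2ban.log").read())`; an empty result means every "already banned" fell within the grace period.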

Recommended answer

How can I get all those IPs banned after they reach maxretry value?

Your issue probably has nothing to do with maxretry etc.
If you see [jail] Ban 192.0.2.1 and several [jail] 192.0.2.1 already banned messages thereafter (especially some minutes after the "Ban" message for the same jail/IP), this means only that your banning action (firewalld) does not work at all (after the ban, the intruder IP is still able to repeat its attempts).

Recently we had certain issues with that (especially with the combination firewalld + CentOS) - see for example https://github.com/fail2ban/fail2ban/issues/1609 as well as the related firewalld issue - https://github.com/firewalld/firewalld/issues/515.
So check your native net-filter (iptables, etc.): if you see some (white-listing established traffic) rules before the fail2ban chains, it looks like your configuration is not fail2ban (or whatever banning-system) capable... here may be the answer for you - https://github.com/fail2ban/fail2ban/issues/2503#issuecomment-533105500.

Here is another similar issue with an example excerpt illustrating "wrong iptables rule that bypass fail2ban" - https://github.com/fail2ban/fail2ban/issues/2545#issuecomment-543347684

In this case:

  • either switch the backend of firewalld (as described above);
  • or switch fail2ban's banning to the native one (iptables/ipset/etc.);
  • or even add an action that drops or kills the active established connections of the banned IP (using something like tcpkill, killcx, ss, etc.).

Update 1

jail.local example:

[DEFAULT]
banaction = iptables-multiport
banaction_allports = iptables-allports

[postfix-sasl]
enabled = true
[dovecot]
enabled = true
...

If after a fail2ban reload you'd still see some IP making attempts after Ban and already banned in fail2ban.log, provide a log excerpt of fail2ban around the first ban, or else some possible errors around it (because already banned is too late and does not help at all).
If there are no errors, provide the output of iptables -nL.
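The answer's advice to look for white-listing rules that sit before the fail2ban chains can be turned into a check over the output of iptables -S INPUT. This is an added example, not from the answer or from the fail2ban project; both rule sets are constructed, and it treats a jump to an f2b- chain or a match on a fail2ban- ipset as "the fail2ban rule".

```python
import re

# Constructed `iptables -S INPUT` output with the ordering the answer warns about:
# a conntrack ACCEPT for established traffic is evaluated before fail2ban's rules.
BAD_RULES = """\
-P INPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m multiport --dports 25,465,587 -m set --match-set fail2ban-postfix-sasl src -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
"""

# Constructed corrected ordering: fail2ban rules first, as fail2ban inserts them by default.
GOOD_RULES = """\
-P INPUT ACCEPT
-A INPUT -p tcp -m multiport --dports 25,465,587 -m set --match-set fail2ban-postfix-sasl src -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
"""

F2B_RE = re.compile(r"-j f2b-|--match-set fail2ban-")


def accepts_before_fail2ban(rules_text):
    """Return the ACCEPT rules (loopback excluded) that iptables evaluates before
    the first fail2ban rule in the chain. Traffic matched by any of them never
    reaches the fail2ban REJECT, so a ban cannot take effect for it. An empty
    list means the ordering is fine or the chain has no fail2ban rule at all."""
    rules = [line for line in rules_text.splitlines() if line.startswith("-A ")]
    f2b_idx = next((i for i, r in enumerate(rules) if F2B_RE.search(r)), None)
    if f2b_idx is None:
        return []
    return [r for r in rules[:f2b_idx] if r.endswith("-j ACCEPT") and " -i lo " not in r]


def established_bypass(rules_text):
    """True when an ESTABLISHED/RELATED accept precedes fail2ban: a connection
    opened before the ban keeps working, which matches the repeated
    'already banned' lines the question shows."""
    return any("ESTABLISHED" in r for r in accepts_before_fail2ban(rules_text))


if __name__ == "__main__":
    for r in accepts_before_fail2ban(BAD_RULES):
        print("ACCEPT ahead of fail2ban:", r)
```

Feed it the live chain with `accepts_before_fail2ban(subprocess.check_output(["iptables", "-S", "INPUT"], text=True))`; on a firewalld host with the nftables backend, the iptables view may not show the rules that actually accept the traffic, which is the firewalld issue the answer links.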
