Fail2banはブロックするIPのリストをかなり蓄積しました。
# fail2ban-client banned
[{'sshd': ['101.126.34.231', '106.58.179.182', '117.50.187.153', '119.91.54.127', '121.250.190.129', '124.220.15.172', '124.230.124.250', '141.98.11.169', '143.42.206.215', '178.128.176.210', '178.242.168.227', '178.79.139.171', '180.101.88.197', '180.101.88.236', '182.155.240.180', '185.196.10.93', '185.196.9.45', '188.126.89.85', '218.92.0.112', '218.92.0.113', '218.92.0.118', '218.92.0.22', '218.92.0.27', '218.92.0.29', '218.92.0.33', '218.92.0.34', '218.92.0.40', '218.92.0.43', '218.92.0.52', '218.92.0.53', '218.92.0.55', '218.92.0.56', '218.92.0.76', '220.119.65.20', '27.150.190.3', '35.175.150.123', '36.88.46.154', '37.201.181.129', '43.136.107.134', '47.107.35.168', '47.242.46.55', '61.177.172.179', '68.183.207.53', '70.44.38.158', '78.159.117.241', '79.124.62.59', '79.27.58.101', '82.64.25.86', '85.209.11.254', '85.209.11.27', '87.92.88.193', '88.153.31.218', '170.64.189.121', '170.64.202.148', '170.64.150.4', '101.43.214.76', '79.95.123.68', '116.110.12.221', '61.177.203.30', '61.177.172.160', '159.89.108.180', '218.92.0.107', '218.92.0.28', '180.101.88.196', '218.92.0.45', '211.252.161.44', '201.17.133.138', '218.92.0.51', '51.12.86.255', '218.92.0.24']}]
しかし、私はファイアウォールでポート22だけを特別にブロックする豊富なルールを作成するのを見ました。私はIPを完全にブロックすることを好みます。
私はそれが有望に見えることがわかりました。つまり、完全ブロックfirewallcmd-ipsetに設定すると停止します。banaction
# cat /etc/fail2ban/jail.d/local.conf
[DEFAULT]
bantime = 48h
ignoreip = 127.0.0.1/8 ::1 192.168.0.1/24
banaction = firewallcmd-ipset
banaction_allports = firewallcmd-ipset
[sshd]
enabled = true
mode = aggressive
# systemctl reload-or-restart fail2ban
# firewall-cmd --get-ipsets
A. fail2ban-client bannedipsのリストがまだ残っているので、Fail2banリロード時に再適用すればいいのではないですか?
構成を復元しても、豊富なルールが再生成されないようです。
B. IPがポート22に接続されているときだけでなく、IPを完全にブロックするには、fall2banをどのように設定する必要がありますか?
私のようにブロックを設定しても役に立たないようです。
バージョン情報:
# dnf info fail2ban
Last metadata expiration check: 1:32:01 ago on Wed 14 Feb 2024 02:16:34 PM CET.
Installed Packages
Name : fail2ban
Version : 1.0.2
Release : 7.el9
Architecture : noarch
Size : 0.0
Source : fail2ban-1.0.2-7.el9.src.rpm
Repository : @System
From repo : epel
Summary : Daemon to ban hosts that cause multiple authentication errors
URL : http://fail2ban.sourceforge.net/
License : GPLv2+
Description : Fail2Ban scans log files and bans IP addresses that makes too many password
: failures. It updates firewall rules to reject the IP address. These rules can
: be defined by the user. Fail2Ban can read multiple log files such as sshd or
: Apache web server ones.
:
: Fail2Ban is able to reduce the rate of incorrect authentications attempts
: however it cannot eliminate the risk that weak authentication presents.
: Configure services to use only two factor or public/private authentication
: mechanisms if you really want to protect services.
:
: This is a meta-package that will install the default configuration. Other
: sub-packages are available to install support for other actions and
: configurations.
rich_rulesを使用した手動ブロックが機能しているようです。
# fail2ban-client -vvv set sshd banip 1.2.3.4
+ 128 7FA2A3E7F740 fail2ban.configreader INFO Loading configs for fail2ban under /etc/fail2ban
+ 129 7FA2A3E7F740 fail2ban.configreader DEBUG Reading configs for fail2ban under /etc/fail2ban
+ 130 7FA2A3E7F740 fail2ban.configreader DEBUG Reading config files: /etc/fail2ban/fail2ban.conf
+ 130 7FA2A3E7F740 fail2ban.configparserinc INFO Loading files: ['/etc/fail2ban/fail2ban.conf']
+ 131 7FA2A3E7F740 fail2ban.configparserinc TRACE Reading file: /etc/fail2ban/fail2ban.conf
+ 132 7FA2A3E7F740 fail2ban.configparserinc INFO Loading files: ['/etc/fail2ban/fail2ban.conf']
+ 132 7FA2A3E7F740 fail2ban.configparserinc TRACE Shared file: /etc/fail2ban/fail2ban.conf
+ 132 7FA2A3E7F740 fail2ban INFO Using socket file /var/run/fail2ban/fail2ban.sock
+ 132 7FA2A3E7F740 fail2ban INFO Using pid file /var/run/fail2ban/fail2ban.pid, [INFO] logging to /var/log/fail2ban.log
+ 133 7FA2A3E7F740 fail2ban HEAVY CMD: ['set', 'sshd', 'banip', '1.2.3.4']
+ 5092 7FA2A3E7F740 fail2ban HEAVY OK : 1
+ 5092 7FA2A3E7F740 fail2ban.beautifier HEAVY Beautify 1 with ['set', 'sshd', 'banip', '1.2.3.4']
1
+ 5093 7FA2A3E7F740 fail2ban DEBUG Exit with code 0
# grep 1.2.3.4 /var/log/fail2ban.log
2024-02-22 10:13:10,387 fail2ban.actions [1023]: NOTICE [sshd] Ban 1.2.3.4
# firewall-cmd --list-all | tail -2
rich rules:
rule family="ipv4" source address="1.2.3.4" port port="ssh" protocol="tcp" reject type="icmp-port-unreachable"
ただし、ファイアウォールを設定すると、ファイアウォールに禁止されている兆候は見えませんbanaction。banaction_allportsfirewallcmd-ipset
# grep banaction /etc/fail2ban/jail.d/local.conf
banaction = firewallcmd-ipset
banaction_allports = firewallcmd-ipset
# systemctl reload-or-restart fail2ban
# fail2ban-client -vvv set sshd unbanip 1.2.3.4
+ 99 7F648518C740 fail2ban.configreader INFO Loading configs for fail2ban under /etc/fail2ban
+ 99 7F648518C740 fail2ban.configreader DEBUG Reading configs for fail2ban under /etc/fail2ban
+ 100 7F648518C740 fail2ban.configreader DEBUG Reading config files: /etc/fail2ban/fail2ban.conf
+ 100 7F648518C740 fail2ban.configparserinc INFO Loading files: ['/etc/fail2ban/fail2ban.conf']
+ 100 7F648518C740 fail2ban.configparserinc TRACE Reading file: /etc/fail2ban/fail2ban.conf
+ 101 7F648518C740 fail2ban.configparserinc INFO Loading files: ['/etc/fail2ban/fail2ban.conf']
+ 101 7F648518C740 fail2ban.configparserinc TRACE Shared file: /etc/fail2ban/fail2ban.conf
+ 101 7F648518C740 fail2ban INFO Using socket file /var/run/fail2ban/fail2ban.sock
+ 101 7F648518C740 fail2ban INFO Using pid file /var/run/fail2ban/fail2ban.pid, [INFO] logging to /var/log/fail2ban.log
+ 101 7F648518C740 fail2ban HEAVY CMD: ['set', 'sshd', 'unbanip', '1.2.3.4']
+ 114 7F648518C740 fail2ban HEAVY OK : 1
+ 114 7F648518C740 fail2ban.beautifier HEAVY Beautify 1 with ['set', 'sshd', 'unbanip', '1.2.3.4']
1
+ 115 7F648518C740 fail2ban DEBUG Exit with code 0
# fail2ban-client -vvv set sshd banip 1.2.3.4
+ 119 7F848CB9C740 fail2ban.configreader INFO Loading configs for fail2ban under /etc/fail2ban
+ 119 7F848CB9C740 fail2ban.configreader DEBUG Reading configs for fail2ban under /etc/fail2ban
+ 120 7F848CB9C740 fail2ban.configreader DEBUG Reading config files: /etc/fail2ban/fail2ban.conf
+ 121 7F848CB9C740 fail2ban.configparserinc INFO Loading files: ['/etc/fail2ban/fail2ban.conf']
+ 121 7F848CB9C740 fail2ban.configparserinc TRACE Reading file: /etc/fail2ban/fail2ban.conf
+ 122 7F848CB9C740 fail2ban.configparserinc INFO Loading files: ['/etc/fail2ban/fail2ban.conf']
+ 122 7F848CB9C740 fail2ban.configparserinc TRACE Shared file: /etc/fail2ban/fail2ban.conf
+ 123 7F848CB9C740 fail2ban INFO Using socket file /var/run/fail2ban/fail2ban.sock
+ 123 7F848CB9C740 fail2ban INFO Using pid file /var/run/fail2ban/fail2ban.pid, [INFO] logging to /var/log/fail2ban.log
+ 124 7F848CB9C740 fail2ban HEAVY CMD: ['set', 'sshd', 'banip', '1.2.3.4']
+ 125 7F848CB9C740 fail2ban HEAVY OK : 1
+ 126 7F848CB9C740 fail2ban.beautifier HEAVY Beautify 1 with ['set', 'sshd', 'banip', '1.2.3.4']
1
+ 126 7F848CB9C740 fail2ban DEBUG Exit with code 0
# firewall-cmd --get-ipsets
# firewall-cmd --list-all | tail -2
icmp-blocks:
rich rules:
# grep 1.2.3.4 /var/log/fail2ban.log
2024-02-22 10:13:10,387 fail2ban.actions [1023]: NOTICE [sshd] Ban 1.2.3.4
2024-02-22 10:22:54,923 fail2ban.actions [1023]: NOTICE [sshd] Unban 1.2.3.4
2024-02-22 10:23:13,954 fail2ban.actions [1023]: NOTICE [sshd] Ban 1.2.3.4
期待通りに動作するので不便です。私が何を間違っているのでしょうか?