Fail2ban stops logging after a certain period (3-4 days)


Whenever I want to look at the Fail2ban log after it has been running for 3-4 days, I see that the log has been compressed to .gz, and that is fine.

-rw-r--r--. 1 root   root      90034 May  1 12:49 dmesg.old
-rw-------. 1 root   root          0 Jun 14 03:13 fail2ban.log
-rw-------. 1 root   root       8974 May 24 02:22 fail2ban.log-20150524.gz
-rw-------. 1 root   root         20 May 24 03:44 fail2ban.log-20150601.gz
-rw-------. 1 root   root         20 Jun  1 03:30 fail2ban.log-20150607.gz
-rw-------. 1 root   root       4785 Jun 14 03:10 fail2ban.log-20150614.gz

The problem is that it stops working, as can be seen in my main fail2ban.log, which is 0 bytes and has nothing in it.

I thought Fail2ban might simply have nothing to log, but when I looked at the secure log I found the following:

Jun 18 09:24:52 localserver sshd[9641]: input_userauth_request: invalid user Exit [preauth]
Jun 18 09:24:53 localserver sshd[9641]: Connection closed by 123.56.112.165 [preauth]
Jun 18 10:03:19 localserver sshd[10218]: Invalid user alina from 123.56.112.165
Jun 18 10:03:19 localserver sshd[10218]: input_userauth_request: invalid user alina [preauth]
Jun 18 10:03:20 localserver sshd[10218]: Connection closed by 123.56.112.165 [preauth]
Jun 18 10:11:24 localserver sshd[10329]: Invalid user kadmin from 173.201.39.212
Jun 18 10:11:24 localserver sshd[10329]: input_userauth_request: invalid user kadmin [preauth]
Jun 18 10:11:24 localserver sshd[10329]: Received disconnect from 173.201.39.212: 11: Bye Bye [preauth]
Jun 18 10:11:24 localserver sshd[10331]: Received disconnect from 173.201.39.212: 11: Bye Bye [preauth]
Jun 18 10:11:25 localserver sshd[10333]: Invalid user guest from 173.201.39.212
Jun 18 10:11:25 localserver sshd[10333]: input_userauth_request: invalid user guest [preauth]
Jun 18 10:11:25 localserver sshd[10333]: Received disconnect from 173.201.39.212: 11: Bye Bye [preauth]
Jun 18 10:11:25 localserver sshd[10335]: Invalid user pi from 173.201.39.212
Jun 18 10:11:25 localserver sshd[10335]: input_userauth_request: invalid user pi [preauth]
Jun 18 10:11:25 localserver sshd[10335]: Received disconnect from 173.201.39.212: 11: Bye Bye [preauth]
Jun 18 10:11:26 localserver sshd[10337]: Invalid user ubnt from 173.201.39.212
Jun 18 10:11:26 localserver sshd[10337]: input_userauth_request: invalid user ubnt [preauth]
Jun 18 10:11:26 localserver sshd[10337]: Received disconnect from 173.201.39.212: 11: Bye Bye [preauth]
Jun 18 10:11:26 localserver sshd[10339]: Invalid user xbian from 173.201.39.212
Jun 18 10:11:26 localserver sshd[10339]: input_userauth_request: invalid user xbian [preauth]
Jun 18 10:11:26 localserver sshd[10339]: Received disconnect from 173.201.39.212: 11: Bye Bye [preauth]
Jun 18 10:11:26 localserver sshd[10341]: Invalid user admin from 173.201.39.212
Jun 18 10:11:26 localserver sshd[10341]: input_userauth_request: invalid user admin [preauth]
Jun 18 10:11:27 localserver sshd[10341]: Received disconnect from 173.201.39.212: 11: Bye Bye [preauth]
Jun 18 10:42:29 localserver sshd[10741]: Invalid user andrei from 123.56.112.165
Jun 18 10:42:29 localserver sshd[10741]: input_userauth_request: invalid user andrei [preauth]
Jun 18 10:42:29 localserver sshd[10741]: Connection closed by 123.56.112.165 [preauth]

This makes me angry, because the attacks are still there and Fail2ban does nothing about them. I checked that Fail2ban is still running:

sudo fail2ban-client status
Status
|- Number of jail:  1
`- Jail list:   ssh-iptables

I also checked that the log path is correct:

# Jail for more extended banning of persistent abusers
# !!! WARNING !!!
#   Make sure that your loglevel specified in fail2ban.conf/.local
#   is not at DEBUG level -- which might then cause fail2ban to fall into
#   an infinite loop constantly feeding itself with non-informative lines
[recidive]

logpath  = /var/log/fail2ban.log
port     = all
protocol = all
bantime  = 604800  ; 1 week
findtime = 86400   ; 1 day
maxretry = 5

sudo fail2ban-client status ssh-iptables gives the following result:

Status for the jail: ssh-iptables
|- Filter
|  |- Currently failed: 0
|  |- Total failed: 1089
|  `- File list:    /var/log/secure
`- Actions
   |- Currently banned: 0
   |- Total banned: 137
   `- Banned IP list:   

Are there any other ideas that might help solve this problem?
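
An added cross-check, not part of the original post and not Fail2ban's own code: it tallies sshd "Invalid user" lines per source IP in a sliding window, so the result can be compared with the "Currently failed: 0" the jail reports. The post does not show the ssh-iptables jail's settings, so `maxretry=5` and `findtime=600` are assumed values, and the function names are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Lines copied from the /var/log/secure excerpt in the question (trimmed).
SAMPLE = """\
Jun 18 10:03:19 localserver sshd[10218]: Invalid user alina from 123.56.112.165
Jun 18 10:11:24 localserver sshd[10329]: Invalid user kadmin from 173.201.39.212
Jun 18 10:11:24 localserver sshd[10329]: input_userauth_request: invalid user kadmin [preauth]
Jun 18 10:11:25 localserver sshd[10333]: Invalid user guest from 173.201.39.212
Jun 18 10:11:25 localserver sshd[10335]: Invalid user pi from 173.201.39.212
Jun 18 10:11:26 localserver sshd[10337]: Invalid user ubnt from 173.201.39.212
Jun 18 10:11:26 localserver sshd[10339]: Invalid user xbian from 173.201.39.212
Jun 18 10:11:26 localserver sshd[10341]: Invalid user admin from 173.201.39.212
Jun 18 10:42:29 localserver sshd[10741]: Invalid user andrei from 123.56.112.165
"""

# Simplification: only the "Invalid user" line is counted as a failure.
INVALID_USER = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Invalid user \S+ from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)

def parse_failures(text, year=2015):
    """Return [(datetime, ip)]; syslog timestamps carry no year, so one is supplied."""
    failures = []
    for line in text.splitlines():
        m = INVALID_USER.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            failures.append((ts, m["ip"]))
    return failures

def over_threshold(failures, maxretry=5, findtime=600):
    """Return {ip: peak count} for IPs reaching maxretry within findtime seconds (assumed values)."""
    by_ip = defaultdict(list)
    for ts, ip in failures:
        by_ip[ip].append(ts)
    flagged = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        lo, peak = 0, 0
        for hi, ts in enumerate(stamps):
            while ts - stamps[lo] > timedelta(seconds=findtime):
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= maxretry:
            flagged[ip] = peak
    return flagged
```

An IP that this tally flags while the jail shows no current failures and the live fail2ban.log stays at 0 bytes indicates that the daemon is no longer processing or recording events, not that the traffic has stopped.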
