我在Ubuntu Xenial服务器上发现了一些奇怪的东西.
它在默认端口上有SSH,它有fail2ban.
Fail2ban正在检测服务器上的强力尝试并相应地记录:
它在默认端口上有SSH,它有fail2ban.
Fail2ban正在检测服务器上的强力尝试并相应地记录:
2017-01-12 10:58:19,927 fail2ban.filter [23119]: INFO [sshd] Found x.x.x.x 2017-01-12 11:03:27,808 fail2ban.filter [23119]: INFO [sshd] Found x.x.x.x 2017-01-12 11:08:37,936 fail2ban.filter [23119]: INFO [sshd] Found x.x.x.x 2017-01-12 11:13:51,538 fail2ban.filter [23119]: INFO [sshd] Found x.x.x.x 2017-01-12 11:18:57,939 fail2ban.filter [23119]: INFO [sshd] Found x.x.x.x 2017-01-12 11:24:10,399 fail2ban.filter [23119]: INFO [sshd] Found x.x.x.x 2017-01-12 11:29:23,161 fail2ban.filter [23119]: INFO [sshd] Found x.x.x.x 2017-01-12 11:34:34,064 fail2ban.filter [23119]: INFO [sshd] Found x.x.x.x 2017-01-12 11:39:44,540 fail2ban.filter [23119]: INFO [sshd] Found x.x.x.x
x.x.x.x在所有实例中都是相同的IP,这个人只是网络钓鱼随机用户名,如auth.log中所示:
Jan 12 12:05:46 MYSERVER sshd[23579]: Invalid user journalist from x.x.x.x Jan 12 12:05:46 MYSERVER sshd[23579]: input_userauth_request: invalid user journalist [preauth] Jan 12 12:05:46 MYSERVER sshd[23579]: Received disconnect from x.x.x.x port 47995:11: normal Shutdown,Thank you for playing [preauth] Jan 12 12:05:46 MYSERVER sshd[23579]: disconnected from x.x.x.x port 47995 [preauth]
Fail2ban看到了他们,他把它们列为“发现”,但没有禁止.有任何想法吗?
编辑:
cat /etc/fail2ban/jail.d/myjails.local [apache-auth] enabled = true [sshd-ddos] enabled = true [recidive] enabled = true [dovecot] enabled = true [postfix] enabled=true
其余的配置文件保留原样,根据Ubuntu的默认设置,即/etc/fail2ban/jail.conf具有:
[sshd] port = ssh logpath = %(sshd_log)s [sshd-ddos] # This jail corresponds to the standard configuration in Fail2ban. # The mail-whois action send a notification e-mail with a whois request # in the body. port = ssh logpath = %(sshd_log)s
我们有:
cat /etc/fail2ban/jail.d/defaults-debian.conf [sshd] enabled = true
Fail2ban似乎没有禁止任何人 – 你提供的日志没有显示任何超过Ubuntu xenial随fail2ban一起提供的默认限制的人.
查看/etc/fail2ban/jail.conf,在[DEFAULT]部分中有参数findtime(默认600秒,所以10分钟)和maxretry(默认5次,在该查找窗口内).意味着每小时只尝试几个密码的人根本不会触发它.
请注意,您不需要更改此文件(也不应该,以便能够彻底升级它).您可以将[DEFAULT]块放入/etc/fail2ban/jail.d/myjails.local中,以及:
[DEFAULT] findtime = 3600 bantime = 3600 maxretry = 4
>查看jail.conf文件的开头,它实际上给出了一些关于如何以及为什么的提示.>别把自己锁起来.>你的密码应该足够强大,以便你知道几个人每小时尝试几个密码而不会在一百万年内找到任何东西.
