Changing the fail2ban configuration to block with pf
Hello everyone, I'm 無能. Today's post is a clueless one even by my own clueless standards.
Huh!? Why are there strange entries showing up in fail2ban.log?!
Well, I was just about to see what fail2ban had been blocking... and this is what I found:
2024-07-24 20:52:43,027 fail2ban.utils [39963]: INFO HINT on 127: "Command not found". Make sure that all commands in "{ iptables -w -C f2b-sshd -j RETURN >/dev/null 2>&1; } || { iptables -w -N f2b-sshd || true; iptables -w -A f2b-sshd -j RETURN; }
for proto in $(echo 'tcp' | sed 's/,/ /g'); do
{ iptables -w -C INPUT -p $proto -m multiport --dports ssh -j f2b-sshd >/dev/null 2>&1; } || { iptables -w -I INPUT -p $proto -m multiport --dports ssh -j f2b-sshd; }
done" are in the PATH of fail2ban-server process (grep -a PATH= /proc/`pidof -x fail2ban-server`/environ). You may want to start "fail2ban-server -f" separately, initiate it with "fail2ban-client reload" in another shell session and observe if additional informative error messages appear in the terminals.
Huh, it says the command can't be found... I had completely forgotten!!!
On FreeBSD the firewall is pf! Using iptables on GNU/Linux is fine, but I'm running BSD and had totally forgotten about that... So I redid the configuration following this site: https://dbdemon.com/pf_and_fail2ban. In my pf.conf the server's interface is the macro $exsrv1, and I added the following:
# Fail2Ban
table <f2b> persist
anchor "f2b/*"
block drop in log quick on $exsrv1 from <f2b> to any
That takes care of the pf side. By the way, does f2b/* work as a regular expression like that?... Next, jail.conf needs redoing. I dutifully put the ban action in the DEFAULT section.
[DEFAULT]
banaction = pf[actiontype=<allports>]
banaction_allports = pf[actiontype=<allports>]
[sshd]
enabled = true
port = ssh
logpath = /var/log/auth.log
bantime = 1w
findtime = 1d
maxretry = 5
[postfix]
enabled = true
port = smtp,ssmtp,submission
logpath = /var/log/maillog
bantime = 1w
findtime = 1d
maxretry = 10
[dovecot]
enabled = true
port = pop3,pop3s,imap,imaps,submission
logpath = /var/log/maillog
bantime = 1w
findtime = 1d
maxretry = 10
Looking at the configuration, action.d/pf.conf already ships set up by default; opening it up,
it looks like this, so apparently no changes are needed to the commands it invokes. I then restarted fail2ban and pf and checked the fail2ban log: the IPs banned earlier appear to be carried straight over.
# fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 1
|  |- Total failed:     1
|  `- File list:        /var/log/auth.log
`- Actions
   |- Currently banned: 37
   |- Total banned:     37
   `- Banned IP list:   *
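A check worth running after a restart like this, added here as my own example and not code from the post or from fail2ban: it compares the jail's banned list with what is actually loaded in the pf table, because fail2ban's own count (the 37 above) comes from its database and says nothing about whether the ban action succeeded. It assumes the stock action.d/pf.conf naming (table <f2b-JAIL> under anchor f2b/JAIL, which is not the single <f2b> table in the pf.conf above), and the offline demo uses constructed documentation addresses.

```shell
#!/bin/sh
# Added example, not from the original post: cross-check the IPs fail2ban says a
# jail has banned against the addresses actually present in the pf table that
# the pf action maintains. fail2ban restores bans from its own database on
# restart, so "Currently banned: 37" alone proves nothing about the firewall.
# Assumes FreeBSD, pf, and fail2ban's stock action.d/pf.conf, which keeps each
# jail's addresses in table <f2b-JAIL> under anchor f2b/JAIL (check your copy).

# IPs from a `fail2ban-client status JAIL` report on stdin, one per line.
f2b_banned_ips() {
    sed -n 's/.*Banned IP list:[[:space:]]*//p' | tr ' ' '\n' | sed '/^$/d'
}

# Addresses from a `pfctl ... -T show` listing on stdin, leading blanks stripped.
pf_table_ips() {
    sed -e 's/^[[:space:]]*//' -e '/^$/d'
}

# Addresses in the fail2ban list ($1) that the pf list ($2) lacks. Keyed on
# FILENAME rather than NR==FNR so that an empty pf list is handled correctly.
missing_in_pf() {
    awk 'FILENAME == ARGV[1] { inpf[$1] = 1; next }
         !($1 in inpf) { print $1 }' "$2" "$1"
}

# Live check for one jail; run as root on the fail2ban host.
check_jail() {
    jail=$1
    f2b_tmp=$(mktemp) && pf_tmp=$(mktemp) || return 2
    fail2ban-client status "$jail" | f2b_banned_ips > "$f2b_tmp"
    pfctl -a "f2b/$jail" -t "f2b-$jail" -T show | pf_table_ips > "$pf_tmp"
    missing=$(missing_in_pf "$f2b_tmp" "$pf_tmp")
    rm -f "$f2b_tmp" "$pf_tmp"
    if [ -n "$missing" ]; then
        printf 'jail %s: banned in fail2ban but NOT in pf:\n%s\n' "$jail" "$missing"
        return 1
    fi
    printf 'jail %s: fail2ban and pf agree\n' "$jail"
}
# Offline demo on constructed sample output (RFC 5737 documentation addresses):
# prints the one address fail2ban lists that the pf table lacks.
demo() {
    f=$(mktemp) && p=$(mktemp) || return 2
    printf '`- Banned IP list:   203.0.113.5 198.51.100.7 192.0.2.9\n' | f2b_banned_ips > "$f"
    printf '   203.0.113.5\n   192.0.2.9\n' | pf_table_ips > "$p"
    missing_in_pf "$f" "$p"
    rm -f "$f" "$p"
}
# Usage: sh f2b_pf_check.sh sshd   (no argument: run the offline demo)
if [ "$#" -gt 0 ]; then check_jail "$1"; else demo; fi
```

Running it for each jail in jail.conf (sshd, postfix, dovecot) right after `service pf reload` and `service fail2ban restart` confirms the restored bans really reached pf.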
I'll keep an eye on it for a while.
Well then, see you next time.