Здравствуйте.
Установил fail2ban на VPS. Создал jail.local, в нем указал:
[DEFAULT]
maxretry = 2
action = iptables
[sshd] enabled = true
port = 1111
filter = sshd
findtime = 180
logpath = /var/log/auth.log[/code]
action = iptables
[sshd] enabled = true
port = 1111
filter = sshd
findtime = 180
logpath = /var/log/auth.log[/code]
Запустил fail2ban.
Пытаюсь подключиться по паролю. 6 раз запрашивается, ввожу неправильный. После этого соединение разрывается. Но тут же можно подключаться снова и опять можно 6 раз пытаться вводить пароль.
/var/log/auth.log
Oct 31 13:47:30 vm-16ee4c7a sshd[7824]: Invalid user ddd from 213.87.161.173 port 2653
Oct 31 13:47:34 vm-16ee4c7a sshd[7824]: pam_unix(sshd:auth): check pass; user unknown
Oct 31 13:47:34 vm-16ee4c7a sshd[7824]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=213.87.161.173
Oct 31 13:47:36 vm-16ee4c7a sshd[7824]: Failed password for invalid user ddd from 213.87.161.173 port 2653 ssh2
Oct 31 13:47:40 vm-16ee4c7a sshd[7824]: pam_unix(sshd:auth): check pass; user unknown
Oct 31 13:47:42 vm-16ee4c7a sshd[7824]: Failed password for invalid user ddd from 213.87.161.173 port 2653 ssh2
Oct 31 13:47:45 vm-16ee4c7a sshd[7824]: pam_unix(sshd:auth): check pass; user unknown
Oct 31 13:47:48 vm-16ee4c7a sshd[7824]: Failed password for invalid user ddd from 213.87.161.173 port 2653 ssh2
Oct 31 13:47:51 vm-16ee4c7a sshd[7824]: pam_unix(sshd:auth): check pass; user unknown
Oct 31 13:47:53 vm-16ee4c7a sshd[7824]: Failed password for invalid user ddd from 213.87.161.173 port 2653 ssh2
Oct 31 13:47:57 vm-16ee4c7a sshd[7824]: pam_unix(sshd:auth): check pass; user unknown
Oct 31 13:48:00 vm-16ee4c7a sshd[7824]: Failed password for invalid user ddd from 213.87.161.173 port 2653 ssh2
Oct 31 13:48:04 vm-16ee4c7a sshd[7824]: pam_unix(sshd:auth): check pass; user unknown
Oct 31 13:48:05 vm-16ee4c7a sshd[7824]: Failed password for invalid user ddd from 213.87.161.173 port 2653 ssh2
Oct 31 13:48:05 vm-16ee4c7a sshd[7824]: error: maximum authentication attempts exceeded for invalid user ddd from 213.87.161.173 port 2653 ssh2 [preauth] Oct 31 13:48:05 vm-16ee4c7a sshd[7824]: Disconnecting invalid user ddd 213.87.161.173 port 2653: Too many authentication failures [preauth] Oct 31 13:48:05 vm-16ee4c7a sshd[7824]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=213.87.161.173
Oct 31 13:48:05 vm-16ee4c7a sshd[7824]: PAM service(sshd) ignoring max retries; 6 > 3
Oct 31 13:47:34 vm-16ee4c7a sshd[7824]: pam_unix(sshd:auth): check pass; user unknown
Oct 31 13:47:34 vm-16ee4c7a sshd[7824]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=213.87.161.173
Oct 31 13:47:36 vm-16ee4c7a sshd[7824]: Failed password for invalid user ddd from 213.87.161.173 port 2653 ssh2
Oct 31 13:47:40 vm-16ee4c7a sshd[7824]: pam_unix(sshd:auth): check pass; user unknown
Oct 31 13:47:42 vm-16ee4c7a sshd[7824]: Failed password for invalid user ddd from 213.87.161.173 port 2653 ssh2
Oct 31 13:47:45 vm-16ee4c7a sshd[7824]: pam_unix(sshd:auth): check pass; user unknown
Oct 31 13:47:48 vm-16ee4c7a sshd[7824]: Failed password for invalid user ddd from 213.87.161.173 port 2653 ssh2
Oct 31 13:47:51 vm-16ee4c7a sshd[7824]: pam_unix(sshd:auth): check pass; user unknown
Oct 31 13:47:53 vm-16ee4c7a sshd[7824]: Failed password for invalid user ddd from 213.87.161.173 port 2653 ssh2
Oct 31 13:47:57 vm-16ee4c7a sshd[7824]: pam_unix(sshd:auth): check pass; user unknown
Oct 31 13:48:00 vm-16ee4c7a sshd[7824]: Failed password for invalid user ddd from 213.87.161.173 port 2653 ssh2
Oct 31 13:48:04 vm-16ee4c7a sshd[7824]: pam_unix(sshd:auth): check pass; user unknown
Oct 31 13:48:05 vm-16ee4c7a sshd[7824]: Failed password for invalid user ddd from 213.87.161.173 port 2653 ssh2
Oct 31 13:48:05 vm-16ee4c7a sshd[7824]: error: maximum authentication attempts exceeded for invalid user ddd from 213.87.161.173 port 2653 ssh2 [preauth] Oct 31 13:48:05 vm-16ee4c7a sshd[7824]: Disconnecting invalid user ddd 213.87.161.173 port 2653: Too many authentication failures [preauth] Oct 31 13:48:05 vm-16ee4c7a sshd[7824]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=213.87.161.173
Oct 31 13:48:05 vm-16ee4c7a sshd[7824]: PAM service(sshd) ignoring max retries; 6 > 3
/var/log/fail2ban.log
2024-10-31 13:37:58,854 fail2ban.filter [6671]: INFO [sshd] Found 213.87.161.173 — 2024-10-31 13:37:58
2024-10-31 13:38:01,558 fail2ban.filter [6671]: INFO [sshd] Found 213.87.161.173 — 2024-10-31 13:38:01
2024-10-31 13:38:27,892 fail2ban.filter [6671]: INFO [sshd] Found 213.87.161.173 — 2024-10-31 13:38:27
2024-10-31 13:38:28,572 fail2ban.actions [6671]: NOTICE [sshd] Ban 213.87.161.173
2024-10-31 13:40:48,174 fail2ban.filter [6671]: INFO [sshd] Found 213.87.161.173 — 2024-10-31 13:40:48
2024-10-31 13:40:50,216 fail2ban.filter [6671]: INFO [sshd] Found 213.87.161.173 — 2024-10-31 13:40:50
2024-10-31 13:41:28,164 fail2ban.filter [6671]: INFO [sshd] Found 213.87.161.173 — 2024-10-31 13:41:28
2024-10-31 13:41:28,822 fail2ban.actions [6671]: WARNING [sshd] 213.87.161.173 already banned
2024-10-31 13:38:01,558 fail2ban.filter [6671]: INFO [sshd] Found 213.87.161.173 — 2024-10-31 13:38:01
2024-10-31 13:38:27,892 fail2ban.filter [6671]: INFO [sshd] Found 213.87.161.173 — 2024-10-31 13:38:27
2024-10-31 13:38:28,572 fail2ban.actions [6671]: NOTICE [sshd] Ban 213.87.161.173
2024-10-31 13:40:48,174 fail2ban.filter [6671]: INFO [sshd] Found 213.87.161.173 — 2024-10-31 13:40:48
2024-10-31 13:40:50,216 fail2ban.filter [6671]: INFO [sshd] Found 213.87.161.173 — 2024-10-31 13:40:50
2024-10-31 13:41:28,164 fail2ban.filter [6671]: INFO [sshd] Found 213.87.161.173 — 2024-10-31 13:41:28
2024-10-31 13:41:28,822 fail2ban.actions [6671]: WARNING [sshd] 213.87.161.173 already banned
iptables -L -n
Chain f2b-sshd (1 references)
target prot opt source destination
REJECT all — 213.87.161.173 0.0.0.0/0 reject-with icmp-port-unreachable
target prot opt source destination
REJECT all — 213.87.161.173 0.0.0.0/0 reject-with icmp-port-unreachable
Вопросы новичка:
Почему есть 6 попыток (указаны в MaxAuthTries 6), а не 2 (из jail.local)?
Что означает строка: PAM service(sshd) ignoring max retries; 6 > 3
Почему, вроде бы, все работает, по логам IP блокируется, а по факту — нет?
Linux.org.ru: Форум — Security
Ваша реакция?
+1
+1
+1
+1
+1
1
+1
+1