Ban method: using Fail2ban and nftables

I was using Debian 10 with iptables and Fail2Ban v0.10.6, and the filter with <SUBNET> works. Now I have Ubuntu 22.04 with Fail2Ban v0.11.2 and I am trying to get it working with nftables. I only added the nftables settings to jail.local. My configuration:

# /etc/fail2ban/fail2ban.conf
[DEFAULT]
loglevel = INFO
logtarget = /var/log/fail2ban.log
syslogsocket = auto
socket = /var/run/fail2ban/fail2ban.sock
pidfile = /var/run/fail2ban/fail2ban.pid
dbfile = /var/lib/fail2ban/fail2ban.sqlite3
dbpurgeage = 1d
dbmaxmatches = 10
[Definition]
[Thread]

# /etc/fail2ban/jail.local
[DEFAULT]
banaction = nftables-multiport
banaction_allports = nftables-allports

# /etc/fail2ban/jail.d/00-geologger.conf
[geologger]
enabled     = true
__name__    = geologger
filter      = geologger
action      = %(action_)s
port        = ssh,2222,smtp,465,submission
logpath     = /var/log/geologger.log
backend     = %(default_backend)s
bantime     = 1m
maxretry    = 1
findtime    = 30m

# /etc/fail2ban/filter.d/geologger.conf
[INCLUDES]
before = common.conf
[Definition]
mode      = normal
failregex = ipv4_addr=\([\d\./:]+-<SUBNET>\).*$

ignoreregex =

# nft list ruleset:
table ip filter {
    chain INPUT {
    }

    chain FORWARD {
    }

    chain f2b-geologger {
    }
}
table inet f2b-table {
    chain f2b-chain {
        type filter hook input priority filter - 1; policy accept;
    }
}

Here are the errors from fail2ban.log:

2023-02-03 14:09:18,948 fail2ban.filter         [3985]: INFO    [geologger] Found 178.127.150.0/24 - 2023-02-03 14:09:18
2023-02-03 14:09:19,552 fail2ban.actions        [3985]: NOTICE  [geologger] Ban 178.127.150.0/24
2023-02-03 14:09:19,673 fail2ban.utils          [3985]: ERROR   7fc55d851980 -- exec: nft add table inet f2b-table
nft -- add chain inet f2b-table f2b-chain \{ type filter hook input priority -1 \; \}
nft add set inet f2b-table addr-set-geologger \{ type ipv4_addr\; \}
for proto in $(echo 'tcp' | sed 's/,/ /g'); do
nft add rule inet f2b-table f2b-chain $proto dport \{ $(echo 'ssh,2222,smtp,465,submission' | sed s/:/-/g) \} ip saddr @addr-set-geologger reject
done
2023-02-03 14:09:19,674 fail2ban.utils          [3985]: ERROR   7fc55d851980 -- stderr: 'Error: Could not process rule: Numerical result out of range'
2023-02-03 14:09:19,674 fail2ban.utils          [3985]: ERROR   7fc55d851980 -- stderr: 'add set inet f2b-table addr-set-geologger { type ipv4_addr; }'
2023-02-03 14:09:19,674 fail2ban.utils          [3985]: ERROR   7fc55d851980 -- stderr: '^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^'
2023-02-03 14:09:19,674 fail2ban.utils          [3985]: ERROR   7fc55d851980 -- stderr: 'Error: No such file or directory'
2023-02-03 14:09:19,674 fail2ban.utils          [3985]: ERROR   7fc55d851980 -- stderr: 'add rule inet f2b-table f2b-chain tcp dport { ssh,2999,smtp,465,submission } ip saddr @addr-set-geologger reject'
2023-02-03 14:09:19,674 fail2ban.utils          [3985]: ERROR   7fc55d851980 -- stderr: '                                                                                      ^^^^^^^^^^^^^^^^^^^'
2023-02-03 14:09:19,674 fail2ban.utils          [3985]: ERROR   7fc55d851980 -- returned 1
2023-02-03 14:09:19,674 fail2ban.actions        [3985]: ERROR   Failed to execute ban jail 'geologger' action 'nftables-multiport' info 'ActionInfo({'ip': '178.127.150.0/24', 'family': 'inet4', 'fid': <function Actions.ActionInfo.<lambda> at 0x7fc55efa4940>, 'raw-ticket': <function Actions.ActionInfo.<lambda> at 0x7fc55efa5000>})': Error starting action Jail('geologger')/nftables-multiport: 'Script error'

How do I fix this?

Answer 1

There are two problems here. 1. The length of the set name must be less than 16. 2. To add subnets to an nftables set, the set needs `flags interval`. So my fix is as follows:

# /etc/fail2ban/action.d/nftables-multiport.local
[Init]
addr_set = as-<name>
[Definition]
_nft_add_set = <nftables> add set <table_family> <table> <addr_set> \{ type <addr_type>\; flags interval\;\}
              <_nft_for_proto-<type>-iter>
              <nftables> add rule <table_family> <table> <chain> %(rule_stat)s
              <_nft_for_proto-<type>-done>
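As an added example (not fail2ban's own code and not part of the answer above), the following Python script builds the nft statements the ban action ends up running, with the answer's two fixes applied: a set name kept under the 16-character limit and `flags interval` added whenever a ban target is a subnet. The function and variable names are hypothetical. It emits `nft -f` syntax rather than the shell-escaped lines in fail2ban's template, and it validates each ban target with `ipaddress` before interpolating it, since fail2ban substitutes `<ip>` straight into a shell command.

```python
"""Generate the nftables statements for a fail2ban-style ban with the fixes
from the answer: short set name, `flags interval` for subnet entries.

Added example, not fail2ban's code. Function names are hypothetical; the
command layout follows the action template shown on the page.
"""
import ipaddress

# Constraint stated in the answer: the set name must be shorter than 16.
MAX_SET_NAME_LEN = 16


def set_name_is_valid(name):
    """True if the set name satisfies the answer's length constraint."""
    return len(name) < MAX_SET_NAME_LEN


def set_name(jail, prefix="as"):
    """Build the set name the way the answer's `addr_set = as-<name>` does.
    The original `addr-set-<name>` (18 chars for 'geologger') violates the limit."""
    name = f"{prefix}-{jail}"
    if not set_name_is_valid(name):
        raise ValueError(
            f"set name {name!r} has {len(name)} chars, must be < {MAX_SET_NAME_LEN}"
        )
    return name


def parse_targets(ban_targets):
    """Validate and normalise ban targets (hosts or CIDR subnets).
    Anything that is not a literal address/prefix raises ValueError instead
    of being passed into a shell command. Mixed families are rejected because
    an nftables set has a single address type."""
    nets = [ipaddress.ip_network(t, strict=False) for t in ban_targets]
    if len({n.version for n in nets}) > 1:
        raise ValueError("mixed IPv4/IPv6 targets need separate sets")
    return nets


def needs_interval(ban_targets):
    """True if any target is a subnet: a set that will hold prefixes must be
    created with `flags interval`, which is the answer's second fix."""
    return any(n.prefixlen < n.max_prefixlen for n in parse_targets(ban_targets))


def nft_ban_script(jail, ban_targets, ports, protos=("tcp",),
                   family="inet", table="f2b-table", chain="f2b-chain"):
    """Return nft -f text: the action's start commands followed by one
    `add element` per ban target."""
    nets = parse_targets(ban_targets)
    s = set_name(jail)
    if nets[0].version == 4:
        addr_type, saddr = "ipv4_addr", "ip saddr"
    else:
        addr_type, saddr = "ipv6_addr", "ip6 saddr"
    flags = " flags interval;" if needs_interval(ban_targets) else ""
    # fail2ban rewrites port ranges from 6000:6010 to nft's 6000-6010
    port_list = ", ".join(str(p).replace(":", "-") for p in ports)
    lines = [
        f"add table {family} {table}",
        f"add chain {family} {table} {chain} {{ type filter hook input priority -1; }}",
        f"add set {family} {table} {s} {{ type {addr_type};{flags} }}",
    ]
    for proto in protos:
        lines.append(
            f"add rule {family} {table} {chain} {proto} dport {{ {port_list} }} "
            f"{saddr} @{s} reject"
        )
    for n in nets:
        # single hosts go in without a /32 or /128 suffix
        elem = str(n.network_address) if n.prefixlen == n.max_prefixlen else str(n)
        lines.append(f"add element {family} {table} {s} {{ {elem} }}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed input mirroring the jail on the page: one /24 ban target.
    print(nft_ban_script("geologger", ["178.127.150.0/24"],
                         ["ssh", 2222, "smtp", 465, "submission"]))
```

Piping the output into `nft -f -` creates the same table, chain, set and reject rule that the corrected action produces; the set-name check corresponds to the answer's first fix and the `flags interval` switch to its second, so a jail name long enough to break the limit is caught before any `nft` command runs.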