우분투 20.04. /var/log/nginx/access.log에 다음과 같은 엄청난 양의 레코드가 있습니다.
85.249.25.218 - - [15/Dec/2020:08:12:15 +0300] "POST /api/v1/device/analytics HTTP/1.1" 404 162 "-" "okhttp/4.8.1"
나는 failure2ban을 설치했고 내 /etc/fail2ban/jail.local의 내용은 다음과 같습니다:
[sshd]
enabled = true
maxretry = 3
findtime = 1w
bantime = 4w
protocol = all
port = all
banaction = iptables-allports
[nginx-botsearch]
enabled = true
maxretry = 3
findtime = 1w
bantime = 4w
protocol = all
port = all
logpath = %(nginx_error_log)s
banaction = iptables-allports
[nginx-custom2]
enabled = true
maxretry = 3
findtime = 1w
bantime = 4w
protocol = all
port = all
logpath = %(nginx_access_log)s
banaction = iptables-allports
/etc/fail2ban/filter.d/nginx-custom2.conf 필터링:
[Definition]
failregex = ^<HOST>.*GET \/api\/v1\/device\/.*
^<HOST>.*POST \/api\/v1\/device\/.*
^<HOST>.*PUT \/api\/v1\/device\/.*
ignoreregex =
Fail2ban은 내가 관심 있는 IP를 금지하고 이를 iptables에 넣습니다. 내 failure2ban-client -v status nginx-custom2 출력은 다음과 같습니다.
Status for the jail: nginx-custom2
|- Filter
| |- Currently failed: 11
| |- Total failed: 2962
| `- File list: /var/log/nginx/access.log
`- Actions
|- Currently banned: 88
|- Total banned: 88
`- Banned IP list: 176.59.129.174 176.59.129.44 176.59.130.124 176.59.132.106 176.59.133.195 176.59.134.14 176.59.142.78 176.59.146.203 176.59.151.46 176.59.193.194 176.59.194.205 176.59.200.101 176.59.200.92 176.59.201.16 176.59.201.174 176.59.32.58 176.59.32.99 176.59.33.4 176.59.33.43 176.59.33.86 176.59.34.97 176.59.38.189 176.59.39.47 176.59.43.227 176.59.46.102 176.59.46.210 176.59.49.240 176.59.52.215 176.59.68.151 176.99.82.18 178.176.48.132 178.67.194.209 178.67.196.94 188.113.141.148 213.234.251.192 213.27.48.88 213.87.250.113 217.118.64.2 217.118.93.139 31.13.144.102 31.173.241.11 31.173.80.23 37.29.40.213 37.29.41.108 37.29.41.208 46.187.12.73 46.45.200.129 62.133.162.154 80.83.237.30 80.83.237.34 83.149.21.218 83.234.120.247 85.115.243.47 85.115.248.16 85.115.248.250 85.140.0.111 85.140.0.159 85.140.0.9 85.140.1.20 85.140.1.225 85.140.12.183 85.140.19.132 85.140.2.127 85.140.4.36 85.140.4.92 85.174.194.255 85.174.198.90 85.249.163.166 85.249.25.218 85.26.164.108 85.26.164.151 85.26.165.234 85.26.165.238 85.26.232.91 85.26.233.73 85.26.235.207 89.113.138.149 89.113.138.255 89.113.139.227 89.113.140.202 89.178.132.99 93.88.25.3 95.153.129.19 95.153.129.237 109.197.205.118 85.115.248.36 176.59.140.152 176.59.68.199
iptables -L -n -v 출력은 다음과 같습니다.
Chain INPUT (policy ACCEPT 419 packets, 175K bytes)
pkts bytes target prot opt in out source destination
23438 6327K f2b-nginx-custom2 all -- * * 0.0.0.0/0 0.0.0.0/0
22460 6268K f2b-nginx-botsearch all -- * * 0.0.0.0/0 0.0.0.0/0
22460 6268K f2b-sshd all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 412 packets, 60919 bytes)
pkts bytes target prot opt in out source destination
Chain f2b-nginx-botsearch (1 references)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 87.26.121.231 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 8.129.209.71 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 47.98.190.243 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 171.244.49.242 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 157.131.240.194 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 149.129.137.131 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 128.106.166.8 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 103.76.228.45 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 103.44.245.166 0.0.0.0/0 reject-with icmp-port-unreachable
22460 6268K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain f2b-nginx-custom2 (1 references)
pkts bytes target prot opt in out source destination
117 7020 REJECT all -- * * 176.59.68.199 0.0.0.0/0 reject-with icmp-port-unreachable
58 3480 REJECT all -- * * 176.59.140.152 0.0.0.0/0 reject-with icmp-port-unreachable
72 4320 REJECT all -- * * 85.115.248.36 0.0.0.0/0 reject-with icmp-port-unreachable
7 420 REJECT all -- * * 109.197.205.118 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 95.153.129.237 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 95.153.129.19 0.0.0.0/0 reject-with icmp-port-unreachable
23 1380 REJECT all -- * * 93.88.25.3 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 89.178.132.99 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 89.113.140.202 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 89.113.139.227 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 89.113.138.255 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 89.113.138.149 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 85.26.235.207 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 85.26.233.73 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 85.26.232.91 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 85.26.165.238 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 85.26.165.234 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 85.26.164.151 0.0.0.0/0 reject-with icmp-port-unreachable
17 1020 REJECT all -- * * 85.26.164.108 0.0.0.0/0 reject-with icmp-port-unreachable
32 1920 REJECT all -- * * 85.249.25.218 0.0.0.0/0 reject-with icmp-port-unreachable
189 11340 REJECT all -- * * 85.249.163.166 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 85.174.198.90 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 85.174.194.255 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 85.140.4.92 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 85.140.4.36 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 85.140.2.127 0.0.0.0/0 reject-with icmp-port-unreachable
15 900 REJECT all -- * * 85.140.19.132 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 85.140.12.183 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 85.140.1.225 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 85.140.1.20 0.0.0.0/0 reject-with icmp-port-unreachable
40 2400 REJECT all -- * * 85.140.0.9 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 85.140.0.159 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 85.140.0.111 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 85.115.248.250 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 85.115.248.16 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 85.115.243.47 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 83.234.120.247 0.0.0.0/0 reject-with icmp-port-unreachable
66 3960 REJECT all -- * * 83.149.21.218 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 80.83.237.34 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 80.83.237.30 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 62.133.162.154 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 46.45.200.129 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 46.187.12.73 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 37.29.41.208 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 37.29.41.108 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 37.29.40.213 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 31.173.80.23 0.0.0.0/0 reject-with icmp-port-unreachable
12 720 REJECT all -- * * 31.173.241.11 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 31.13.144.102 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 217.118.93.139 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 217.118.64.2 0.0.0.0/0 reject-with icmp-port-unreachable
7 420 REJECT all -- * * 213.87.250.113 0.0.0.0/0 reject-with icmp-port-unreachable
4 240 REJECT all -- * * 213.27.48.88 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 213.234.251.192 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 188.113.141.148 0.0.0.0/0 reject-with icmp-port-unreachable
210 12600 REJECT all -- * * 178.67.196.94 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 178.67.194.209 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 178.176.48.132 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 176.99.82.18 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 176.59.68.151 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 176.59.52.215 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 176.59.49.240 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 176.59.46.210 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 176.59.46.102 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 176.59.43.227 0.0.0.0/0 reject-with icmp-port-unreachable
7 420 REJECT all -- * * 176.59.39.47 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 176.59.38.189 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 176.59.34.97 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 176.59.33.86 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 176.59.33.43 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 176.59.33.4 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 176.59.32.99 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 176.59.32.58 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 176.59.201.174 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 176.59.201.16 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 176.59.200.92 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 176.59.200.101 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 176.59.194.205 0.0.0.0/0 reject-with icmp-port-unreachable
102 6120 REJECT all -- * * 176.59.193.194 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 176.59.151.46 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 176.59.146.203 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 176.59.142.78 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 176.59.134.14 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 176.59.133.195 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 176.59.132.106 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 176.59.130.124 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 176.59.129.44 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 176.59.129.174 0.0.0.0/0 reject-with icmp-port-unreachable
22460 6268K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain f2b-sshd (1 references)
pkts bytes target prot opt in out source destination
9 724 REJECT all -- * * 110.16.95.6 0.0.0.0/0 reject-with icmp-port-unreachable
18 1384 REJECT all -- * * 113.190.235.28 0.0.0.0/0 reject-with icmp-port-unreachable
45 3192 REJECT all -- * * 94.191.38.203 0.0.0.0/0 reject-with icmp-port-unreachable
20 1556 REJECT all -- * * 14.232.214.138 0.0.0.0/0 reject-with icmp-port-unreachable
18 1424 REJECT all -- * * 222.252.30.29 0.0.0.0/0 reject-with icmp-port-unreachable
31 2268 REJECT all -- * * 146.59.157.181 0.0.0.0/0 reject-with icmp-port-unreachable
11 660 REJECT all -- * * 110.35.79.23 0.0.0.0/0 reject-with icmp-port-unreachable
20 1512 REJECT all -- * * 190.202.32.2 0.0.0.0/0 reject-with icmp-port-unreachable
23 1732 REJECT all -- * * 190.79.227.81 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 103.127.108.96 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 103.123.246.130 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 101.36.110.215 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 101.109.245.158 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 1.245.61.144 0.0.0.0/0 reject-with icmp-port-unreachable
21387 6197K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ispmgr_allow_ip (0 references)
pkts bytes target prot opt in out source destination
Chain ispmgr_allow_sub (0 references)
pkts bytes target prot opt in out source destination
Chain ispmgr_deny_ip (0 references)
pkts bytes target prot opt in out source destination
Chain ispmgr_deny_sub (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-forward (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-input (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-logging-forward (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-logging-input (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-logging-output (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-output (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-forward (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-input (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-logging-forward (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-logging-input (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-logging-output (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-output (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-reject-forward (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-reject-input (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-reject-output (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-track-forward (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-track-input (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-track-output (0 references)
pkts bytes target prot opt in out source destination
하지만 이미 금지된 IP의 /var/log/nginx/access.log에 여전히 기록이 있습니다. 또한 /var/log/fail2ban.log에 다음과 같은 많은 기록이 있습니다.
2020-12-15 08:23:38,156 fail2ban.actions [2803]: WARNING [nginx-custom2] 83.149.21.218 already banned
여기서 어디로 가야할지 이해하도록 도와주세요.
답변1
ufw출력물 에 체인이 보입니다 iptables. ufw를 사용하는 넷 필터 백엔드가 nftables? 내 기억이 맞다면 백엔드 스위치는 20.10까지 Ubuntu에 계획되어 있지만 아마도 직접 변경했거나 설치된 일부 서비스에서 변경했을 수도 있습니다(이 경우 nftables 금지 조치로 전환하는 것이 좋습니다).
낮은 수준의 net-filter를 사용하는 것이 틀린 것은 아니지만 ufw를 사용하는 경우 fall2ban에서 ufw-banning 작업을 사용하는 것에 반대하는 것은 무엇입니까?
그리고 아직 ispmanager가 있는 것 같은데...
어쨌든 iptables에는 모든 체인( ispmgr_*및 ufw-*)이 표시되지만 이에 대한 참조는 없습니다. 따라서 이상하게 구성되었거나 이 시스템의 방화벽 하위 시스템에 문제가 있는 것입니다.
VM인가요? (그렇다면 어느 것입니까?)...
시스템에서 iptables 커널 모듈이 전혀 사용(허용)됩니까?
그리고 ufw 백엔드는 정확히 무엇입니까?