
Ubuntu 20.04. My /var/log/nginx/access.log contains a huge number of entries that look roughly like this:
85.249.25.218 - - [15/Dec/2020:08:12:15 +0300] "POST /api/v1/device/analytics HTTP/1.1" 404 162 "-" "okhttp/4.8.1"
I installed fail2ban; the contents of my /etc/fail2ban/jail.local are as follows:
[sshd]
enabled = true
maxretry = 3
findtime = 1w
bantime = 4w
protocol = all
port = all
banaction = iptables-allports
[nginx-botsearch]
enabled = true
maxretry = 3
findtime = 1w
bantime = 4w
protocol = all
port = all
logpath = %(nginx_error_log)s
banaction = iptables-allports
[nginx-custom2]
enabled = true
maxretry = 3
findtime = 1w
bantime = 4w
protocol = all
port = all
logpath = %(nginx_access_log)s
banaction = iptables-allports
The filter /etc/fail2ban/filter.d/nginx-custom2.conf:
[Definition]
failregex = ^<HOST>.*GET \/api\/v1\/device\/.*
^<HOST>.*POST \/api\/v1\/device\/.*
^<HOST>.*PUT \/api\/v1\/device\/.*
ignoreregex =
Fail2ban bans the IP addresses I am interested in and puts them into iptables. My output of fail2ban-client -v status nginx-custom2 looks like this:
Status for the jail: nginx-custom2
|- Filter
| |- Currently failed: 11
| |- Total failed: 2962
| `- File list: /var/log/nginx/access.log
`- Actions
|- Currently banned: 88
|- Total banned: 88
`- Banned IP list: 176.59.129.174 176.59.129.44 176.59.130.124 176.59.132.106 176.59.133.195 176.59.134.14 176.59.142.78 176.59.146.203 176.59.151.46 176.59.193.194 176.59.194.205 176.59.200.101 176.59.200.92 176.59.201.16 176.59.201.174 176.59.32.58 176.59.32.99 176.59.33.4 176.59.33.43 176.59.33.86 176.59.34.97 176.59.38.189 176.59.39.47 176.59.43.227 176.59.46.102 176.59.46.210 176.59.49.240 176.59.52.215 176.59.68.151 176.99.82.18 178.176.48.132 178.67.194.209 178.67.196.94 188.113.141.148 213.234.251.192 213.27.48.88 213.87.250.113 217.118.64.2 217.118.93.139 31.13.144.102 31.173.241.11 31.173.80.23 37.29.40.213 37.29.41.108 37.29.41.208 46.187.12.73 46.45.200.129 62.133.162.154 80.83.237.30 80.83.237.34 83.149.21.218 83.234.120.247 85.115.243.47 85.115.248.16 85.115.248.250 85.140.0.111 85.140.0.159 85.140.0.9 85.140.1.20 85.140.1.225 85.140.12.183 85.140.19.132 85.140.2.127 85.140.4.36 85.140.4.92 85.174.194.255 85.174.198.90 85.249.163.166 85.249.25.218 85.26.164.108 85.26.164.151 85.26.165.234 85.26.165.238 85.26.232.91 85.26.233.73 85.26.235.207 89.113.138.149 89.113.138.255 89.113.139.227 89.113.140.202 89.178.132.99 93.88.25.3 95.153.129.19 95.153.129.237 109.197.205.118 85.115.248.36 176.59.140.152 176.59.68.199
And the output of iptables -L -n -v is this:
Chain INPUT (policy ACCEPT 419 packets, 175K bytes)
pkts bytes target prot opt in out source destination
23438 6327K f2b-nginx-custom2 all -- * * 0.0.0.0/0 0.0.0.0/0
22460 6268K f2b-nginx-botsearch all -- * * 0.0.0.0/0 0.0.0.0/0
22460 6268K f2b-sshd all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 412 packets, 60919 bytes)
pkts bytes target prot opt in out source destination
Chain f2b-nginx-botsearch (1 references)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 87.26.121.231 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 8.129.209.71 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 47.98.190.243 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 171.244.49.242 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 157.131.240.194 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 149.129.137.131 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 128.106.166.8 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 103.76.228.45 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 103.44.245.166 0.0.0.0/0 reject-with icmp-port-unreachable
22460 6268K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain f2b-nginx-custom2 (1 references)
pkts bytes target prot opt in out source destination
117 7020 REJECT all -- * * 176.59.68.199 0.0.0.0/0 reject-with icmp-port-unreachable
58 3480 REJECT all -- * * 176.59.140.152 0.0.0.0/0 reject-with icmp-port-unreachable
72 4320 REJECT all -- * * 85.115.248.36 0.0.0.0/0 reject-with icmp-port-unreachable
7 420 REJECT all -- * * 109.197.205.118 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 95.153.129.237 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 95.153.129.19 0.0.0.0/0 reject-with icmp-port-unreachable
23 1380 REJECT all -- * * 93.88.25.3 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 89.178.132.99 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 89.113.140.202 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 89.113.139.227 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 89.113.138.255 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 89.113.138.149 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 85.26.235.207 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 85.26.233.73 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 85.26.232.91 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 85.26.165.238 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 85.26.165.234 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 85.26.164.151 0.0.0.0/0 reject-with icmp-port-unreachable
17 1020 REJECT all -- * * 85.26.164.108 0.0.0.0/0 reject-with icmp-port-unreachable
32 1920 REJECT all -- * * 85.249.25.218 0.0.0.0/0 reject-with icmp-port-unreachable
189 11340 REJECT all -- * * 85.249.163.166 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 85.174.198.90 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 85.174.194.255 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 85.140.4.92 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 85.140.4.36 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 85.140.2.127 0.0.0.0/0 reject-with icmp-port-unreachable
15 900 REJECT all -- * * 85.140.19.132 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 85.140.12.183 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 85.140.1.225 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 85.140.1.20 0.0.0.0/0 reject-with icmp-port-unreachable
40 2400 REJECT all -- * * 85.140.0.9 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 85.140.0.159 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 85.140.0.111 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 85.115.248.250 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 85.115.248.16 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 85.115.243.47 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 83.234.120.247 0.0.0.0/0 reject-with icmp-port-unreachable
66 3960 REJECT all -- * * 83.149.21.218 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 80.83.237.34 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 80.83.237.30 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 62.133.162.154 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 46.45.200.129 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 46.187.12.73 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 37.29.41.208 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 37.29.41.108 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 37.29.40.213 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 31.173.80.23 0.0.0.0/0 reject-with icmp-port-unreachable
12 720 REJECT all -- * * 31.173.241.11 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 31.13.144.102 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 217.118.93.139 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 217.118.64.2 0.0.0.0/0 reject-with icmp-port-unreachable
7 420 REJECT all -- * * 213.87.250.113 0.0.0.0/0 reject-with icmp-port-unreachable
4 240 REJECT all -- * * 213.27.48.88 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 213.234.251.192 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 188.113.141.148 0.0.0.0/0 reject-with icmp-port-unreachable
210 12600 REJECT all -- * * 178.67.196.94 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 178.67.194.209 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 178.176.48.132 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 176.99.82.18 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 176.59.68.151 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 176.59.52.215 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 176.59.49.240 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 176.59.46.210 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 176.59.46.102 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 176.59.43.227 0.0.0.0/0 reject-with icmp-port-unreachable
7 420 REJECT all -- * * 176.59.39.47 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 176.59.38.189 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 176.59.34.97 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 176.59.33.86 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 176.59.33.43 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 176.59.33.4 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 176.59.32.99 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 176.59.32.58 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 176.59.201.174 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 176.59.201.16 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 176.59.200.92 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 176.59.200.101 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 176.59.194.205 0.0.0.0/0 reject-with icmp-port-unreachable
102 6120 REJECT all -- * * 176.59.193.194 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 176.59.151.46 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 176.59.146.203 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 176.59.142.78 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 176.59.134.14 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 176.59.133.195 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 176.59.132.106 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 176.59.130.124 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 176.59.129.44 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 176.59.129.174 0.0.0.0/0 reject-with icmp-port-unreachable
22460 6268K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain f2b-sshd (1 references)
pkts bytes target prot opt in out source destination
9 724 REJECT all -- * * 110.16.95.6 0.0.0.0/0 reject-with icmp-port-unreachable
18 1384 REJECT all -- * * 113.190.235.28 0.0.0.0/0 reject-with icmp-port-unreachable
45 3192 REJECT all -- * * 94.191.38.203 0.0.0.0/0 reject-with icmp-port-unreachable
20 1556 REJECT all -- * * 14.232.214.138 0.0.0.0/0 reject-with icmp-port-unreachable
18 1424 REJECT all -- * * 222.252.30.29 0.0.0.0/0 reject-with icmp-port-unreachable
31 2268 REJECT all -- * * 146.59.157.181 0.0.0.0/0 reject-with icmp-port-unreachable
11 660 REJECT all -- * * 110.35.79.23 0.0.0.0/0 reject-with icmp-port-unreachable
20 1512 REJECT all -- * * 190.202.32.2 0.0.0.0/0 reject-with icmp-port-unreachable
23 1732 REJECT all -- * * 190.79.227.81 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 103.127.108.96 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 103.123.246.130 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 101.36.110.215 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 101.109.245.158 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 1.245.61.144 0.0.0.0/0 reject-with icmp-port-unreachable
21387 6197K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ispmgr_allow_ip (0 references)
pkts bytes target prot opt in out source destination
Chain ispmgr_allow_sub (0 references)
pkts bytes target prot opt in out source destination
Chain ispmgr_deny_ip (0 references)
pkts bytes target prot opt in out source destination
Chain ispmgr_deny_sub (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-forward (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-input (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-logging-forward (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-logging-input (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-logging-output (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-output (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-forward (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-input (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-logging-forward (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-logging-input (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-logging-output (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-output (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-reject-forward (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-reject-input (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-reject-output (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-track-forward (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-track-input (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-track-output (0 references)
pkts bytes target prot opt in out source destination
BUT I still get entries in my /var/log/nginx/access.log from IP addresses that are already banned. I also get many entries in my /var/log/fail2ban.log that look like this:
2020-12-15 08:23:38,156 fail2ban.actions [2803]: WARNING [nginx-custom2] 83.149.21.218 already banned
Please help me understand where to go from here.
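The "already banned" warnings mean the filter keeps matching fresh access.log lines for a host that is already in the jail. As an added example (not part of the question or of fail2ban itself), the script below replays the question's three failregex lines and the jail's maxretry/findtime logic over constructed log lines, so the matching and the ban decision can be checked offline. The IPv4-only HOST_RE is a simplification of fail2ban's real <HOST> pattern, and the sample lines are constructed, modelled on the one in the question.

```python
import re
from datetime import datetime, timedelta

# Simplified stand-in for fail2ban's <HOST> tag (IPv4 only; the real
# pattern also accepts IPv6 addresses and hostnames).
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The three failregex lines from the question's nginx-custom2 filter.
FAILREGEX = [
    r"^<HOST>.*GET \/api\/v1\/device\/.*",
    r"^<HOST>.*POST \/api\/v1\/device\/.*",
    r"^<HOST>.*PUT \/api\/v1\/device\/.*",
]
PATTERNS = [re.compile(p.replace("<HOST>", HOST_RE)) for p in FAILREGEX]
TIME_RE = re.compile(r"\[([^\]]+)\]")  # the [dd/Mon/yyyy:HH:MM:SS +zzzz] field

def match_line(line):
    """Return (host, timestamp) if any failregex matches the line, else None."""
    for pat in PATTERNS:
        m = pat.match(line)
        if m:
            stamp = TIME_RE.search(line).group(1)
            return m.group("host"), datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
    return None

def hosts_to_ban(lines, maxretry=3, findtime=timedelta(weeks=1)):
    """Jail logic as configured in the question (maxretry = 3, findtime = 1w):
    a host is banned once it has maxretry matches inside a findtime window."""
    failures, banned = {}, set()
    for line in lines:
        hit = match_line(line)
        if hit is None:
            continue
        host, ts = hit
        window = [t for t in failures.get(host, []) if ts - t <= findtime]
        window.append(ts)
        failures[host] = window
        if len(window) >= maxretry:
            banned.add(host)
    return banned

# Constructed sample lines: three quick hits from one host, one unrelated
# request, and three hits from a host whose first hit is outside findtime.
SAMPLE = [
    '85.249.25.218 - - [15/Dec/2020:08:12:15 +0300] "POST /api/v1/device/analytics HTTP/1.1" 404 162 "-" "okhttp/4.8.1"',
    '85.249.25.218 - - [15/Dec/2020:08:12:16 +0300] "POST /api/v1/device/analytics HTTP/1.1" 404 162 "-" "okhttp/4.8.1"',
    '85.249.25.218 - - [15/Dec/2020:08:12:17 +0300] "GET /api/v1/device/config HTTP/1.1" 404 162 "-" "okhttp/4.8.1"',
    '10.0.0.5 - - [15/Dec/2020:08:13:00 +0300] "GET /index.html HTTP/1.1" 200 512 "-" "curl/7.68.0"',
    '10.0.0.6 - - [01/Dec/2020:08:13:01 +0300] "PUT /api/v1/device/x HTTP/1.1" 404 162 "-" "-"',
    '10.0.0.6 - - [15/Dec/2020:08:13:01 +0300] "PUT /api/v1/device/x HTTP/1.1" 404 162 "-" "-"',
    '10.0.0.6 - - [15/Dec/2020:08:13:02 +0300] "PUT /api/v1/device/x HTTP/1.1" 404 162 "-" "-"',
]
```

Against the real log, fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/nginx-custom2.conf performs the same matching check with fail2ban's own HOST pattern.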
Solution 1
I see ufw chains in your iptables output. Could it be that the net-filter backend that ufw uses is nftables? If I remember correctly, the backend switch is planned for Ubuntu by 20.10, but perhaps you changed it yourself or installed some service (in that case you had better switch to the nftables ban action).
Although this would not be an error when using the low-level net filter, if you are using UFW, what speaks against using the UFW ban action in Fail2Ban?
And it seems ispmanager is still around...
In any case, I see all the chains (ispmgr_* and ufw-*) in iptables, but no references to them. So either it is configured strangely, or something is wrong with the firewall subsystem on this system.
Is this a virtual machine? (if so, which one?)...
Is the iptables kernel module used (allowed) at all on your system?
And which ufw backend exactly do you have?