Following on from the previous post, Ubuntu:使用Fail2ban防止暴力破解SSH等服务 (Ubuntu: using Fail2ban to stop brute-force attacks on SSH and other services), a few curious things happened.

  • With maxretry set to 3 and findtime to 10 minutes, the rapid-fire brute-force logins basically disappeared. What appeared instead were a lot of ban records for attackers rotating through different IPs, and after about an hour the brute forcing came back, now paced at one attempt every 4 to 5 minutes, which slips under the Fail2ban threshold.
  • Turning it up, with maxretry set to 2 and findtime to 60 minutes, the brute forcing adapted again after a while, this time using even more IP addresses, including a good number of malicious login attempts coming from Alibaba Cloud.

With nothing else left, out came the strongest weapon: key-based login only, with password login switched off (PasswordAuthentication no in sshd_config, plus ChallengeResponseAuthentication no so that PAM keyboard-interactive does not leave a back door). The world went quiet: no more Fail2ban mail every few minutes.

The brute forcing does not seem to have any intention of stopping, though. A small rant here: I have turned password login off, and you are not brute-forcing keys, so what exactly are you fiddling with? What they are actually doing is connecting, poking at the server and hanging up before ever authenticating: every line below is a disconnect received during the preauth phase (reason code 11 is SSH_DISCONNECT_BY_APPLICATION, i.e. the client chose to leave), which is what a scanner that only fingerprints the SSH service looks like.

Here is the relevant part of the SSH log (auth.log):

May 11 07:15:51 polarxiong sshd[11239]: error: Could not load host key: /etc/ssh/ssh_host_ed25519_key
May 11 07:15:52 polarxiong sshd[11239]: Received disconnect from 222.186.21.235: 11:  [preauth]
May 11 07:16:24 polarxiong sshd[11246]: error: Could not load host key: /etc/ssh/ssh_host_ed25519_key
May 11 07:16:25 polarxiong sshd[11246]: Received disconnect from 222.186.160.50: 11:  [preauth]
May 11 08:22:49 polarxiong sshd[11414]: error: Could not load host key: /etc/ssh/ssh_host_ed25519_key
May 11 08:22:51 polarxiong sshd[11414]: Received disconnect from 222.186.21.219: 11:  [preauth]
May 11 08:41:52 polarxiong sshd[11463]: error: Could not load host key: /etc/ssh/ssh_host_ed25519_key
May 11 08:41:53 polarxiong sshd[11463]: Received disconnect from 222.186.21.134: 11:  [preauth]
May 12 16:06:24 polarxiong sshd[28476]: error: Could not load host key: /etc/ssh/ssh_host_ed25519_key
May 12 16:06:26 polarxiong sshd[28476]: Received disconnect from 114.207.113.183: 11: Bye Bye [preauth]
May 12 16:06:26 polarxiong sshd[28478]: error: Could not load host key: /etc/ssh/ssh_host_ed25519_key
May 12 16:06:27 polarxiong sshd[28478]: Received disconnect from 114.207.113.183: 11: Bye Bye [preauth]
May 12 16:06:27 polarxiong sshd[28480]: error: Could not load host key: /etc/ssh/ssh_host_ed25519_key
May 12 16:06:29 polarxiong sshd[28480]: Received disconnect from 114.207.113.183: 11: Bye Bye [preauth]

Two separate things show up here. The "Could not load host key: /etc/ssh/ssh_host_ed25519_key" error is a local misconfiguration, not the attacker: sshd_config names an ed25519 host key that does not exist, so either generate the missing host keys (ssh-keygen -A) or remove that HostKey line. The rest are the scanner's disconnects. They achieve nothing, but each one still forks an sshd child and writes to the log, and at a high enough rate the server will feel it. The stock sshd filter in this version of Fail2ban does nothing about "Received disconnect from ... [preauth]", so the rule has to be added by hand. (Fail2ban 0.10 and later ship the sshd filter with a mode setting; mode = ddos or mode = aggressive in jail.local covers preauth disconnects without editing any regex. On an older release, read on.)


Fail2ban works by applying regular expressions (the failregex of a filter) to the lines of auth.log: once the lines matching the same <HOST> reach maxretry within findtime, that IP is banned for bantime.

To keep it simple I edited the SSH filter directly. Fail2ban keeps its filters under /etc/fail2ban/filter.d, so the file to edit is /etc/fail2ban/filter.d/sshd.conf. (A package upgrade can overwrite that file; the cleaner way is /etc/fail2ban/filter.d/sshd.local, which Fail2ban reads on top of sshd.conf. Note that a .local replaces any option it sets rather than appending to it, so a failregex block in sshd.local must repeat the original patterns as well as the new ones.)

All that is needed is two more lines appended to the failregex block (continuation lines must be indented, like the existing entries):

^%(__prefix_line)sReceived disconnect from <HOST>: \d*: Bye Bye \[preauth\]\s*$
^%(__prefix_line)sReceived disconnect from <HOST>: \d*:  \[preauth\]\s*$

These match the lines in my log; adjust them to whatever your auth.log actually shows (note the double space in the second one, which matches a disconnect carrying an empty message). %(__prefix_line)s is defined in common.conf and matches the syslog prefix (hostname, process name, pid), and <HOST> is Fail2ban's placeholder for the address that gets banned; it took a fair amount of trial and error before these two worked. The quick way to check a pattern before restarting anything is fail2ban-regex, run against auth.log and the filter file: it prints how many lines each expression matched and which hosts it extracted.

Save the file and restart the Fail2ban service:

service fail2ban restart
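To see what those two failregex lines actually do before trusting them on a live jail, here is an added example (not code from the post and not Fail2ban's own code) that replays Fail2ban's matching and ban logic in plain Python over a constructed log excerpt modelled on the one above. The two patterns are taken verbatim; the stand-ins for %(__prefix_line)s (a fixed syslog-style prefix) and <HOST> (IPv4 only) are simplifications and are labelled as assumptions in the code. scan() applies the same maxretry/findtime sliding window Fail2ban uses, so you can try the two settings from the bullet list at the top of the post and see which of the sample hosts gets banned.

```python
import re
from collections import defaultdict
from datetime import datetime

# Stand-ins for the two Fail2ban placeholders used in sshd.conf (assumptions, simplified):
#  - %(__prefix_line)s in common.conf matches the syslog prefix (hostname, daemon, pid);
#    here it is a fixed syslog-style prefix for sshd lines.
#  - <HOST> in Fail2ban also accepts IPv6 addresses and hostnames; here it is IPv4 only.
PREFIX_LINE = r"[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \S+ sshd\[\d+\]: "
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The two failregex lines from the post, verbatim (note the double space in the
# second one, which matches a disconnect that carries an empty message).
FAILREGEX = [
    r"^%(__prefix_line)sReceived disconnect from <HOST>: \d*: Bye Bye \[preauth\]\s*$",
    r"^%(__prefix_line)sReceived disconnect from <HOST>: \d*:  \[preauth\]\s*$",
]

# Constructed sample log, modelled on the auth.log excerpt in the post.
# The host-key error and the successful publickey login must NOT match.
SAMPLE_LOG = """\
May 12 16:06:24 polarxiong sshd[28476]: error: Could not load host key: /etc/ssh/ssh_host_ed25519_key
May 12 16:06:26 polarxiong sshd[28476]: Received disconnect from 114.207.113.183: 11: Bye Bye [preauth]
May 12 16:06:27 polarxiong sshd[28478]: Received disconnect from 114.207.113.183: 11: Bye Bye [preauth]
May 12 16:06:29 polarxiong sshd[28480]: Received disconnect from 114.207.113.183: 11: Bye Bye [preauth]
May 12 16:07:05 polarxiong sshd[28490]: Received disconnect from 222.186.21.235: 11:  [preauth]
May 12 16:30:01 polarxiong sshd[28600]: Accepted publickey for alice from 203.0.113.7 port 51022 ssh2
May 12 17:20:00 polarxiong sshd[28700]: Received disconnect from 222.186.21.235: 11:  [preauth]
"""


def compile_failregex(patterns=FAILREGEX):
    """Expand the Fail2ban placeholders and compile, as Fail2ban does when loading a filter."""
    return [
        re.compile(p.replace("%(__prefix_line)s", PREFIX_LINE).replace("<HOST>", HOST))
        for p in patterns
    ]


def first_match(regexes, line):
    """Return the first failregex match for a line, or None if no pattern matches."""
    for rx in regexes:
        m = rx.match(line)
        if m:
            return m
    return None


def syslog_time(line):
    """Parse the leading syslog timestamp (no year; fine for differences within one run)."""
    return datetime.strptime(line[:15], "%b %d %H:%M:%S")


def match_counts(log_text):
    """Matching lines per host, roughly what fail2ban-regex reports for the filter."""
    regexes = compile_failregex()
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = first_match(regexes, line)
        if m:
            counts[m.group("host")] += 1
    return dict(counts)


def scan(log_text, maxretry=3, findtime=600):
    """Replay the ban decision: a host is banned once it has maxretry matches
    inside a sliding window of findtime seconds. Returns hosts in ban order."""
    regexes = compile_failregex()
    recent = defaultdict(list)  # host -> match timestamps still inside the window
    banned = []
    for line in log_text.splitlines():
        m = first_match(regexes, line)
        if not m:
            continue
        host = m.group("host")
        if host in banned:
            continue
        now = syslog_time(line)
        recent[host] = [t for t in recent[host] if (now - t).total_seconds() <= findtime]
        recent[host].append(now)
        if len(recent[host]) >= maxretry:
            banned.append(host)
    return banned


if __name__ == "__main__":
    print(match_counts(SAMPLE_LOG))
    print("maxretry=3 findtime=10min:", scan(SAMPLE_LOG, 3, 600))
    print("maxretry=2 findtime=2h   :", scan(SAMPLE_LOG, 2, 7200))
```

With the first setting from the post (3 tries in 10 minutes) only the host that hammers three times within seconds is banned; the one that comes back 73 minutes later stays under the threshold, which is exactly the pacing the attackers settled on. The second setting (2 tries in 2 hours) catches both. The same trade-off applies on a real jail: a longer findtime catches slow scanners at the cost of banning legitimate users who fumble twice in an afternoon.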

Check auth.log a little later and the world is quiet again... or nearly:

May 27 06:09:01 polarxiong CRON[25995]: pam_unix(cron:session): session opened for user root by (uid=0)
May 27 06:09:01 polarxiong CRON[25995]: pam_unix(cron:session): session closed for user root
May 27 06:17:01 polarxiong CRON[26015]: pam_unix(cron:session): session opened for user root by (uid=0)
May 27 06:17:01 polarxiong CRON[26015]: pam_unix(cron:session): session closed for user root
May 27 06:20:01 polarxiong CRON[26018]: pam_unix(cron:session): session opened for user smmsp by (uid=0)
May 27 06:20:01 polarxiong CRON[26018]: pam_unix(cron:session): session closed for user smmsp
May 27 06:25:01 polarxiong CRON[26037]: pam_unix(cron:session): session opened for user root by (uid=0)
May 27 06:39:01 polarxiong CRON[26085]: pam_unix(cron:session): session opened for user root by (uid=0)
May 27 06:39:01 polarxiong CRON[26085]: pam_unix(cron:session): session closed for user root
May 27 06:40:01 polarxiong CRON[26099]: pam_unix(cron:session): session opened for user smmsp by (uid=0)
May 27 06:40:01 polarxiong CRON[26099]: pam_unix(cron:session): session closed for user smmsp
May 27 06:44:26 polarxiong CRON[26037]: pam_unix(cron:session): session closed for user root

Still some annoying lines, but these are not login attempts at all: pam_unix(cron:session) is cron opening and closing a PAM session locally to run a scheduled job, as root and as smmsp (sendmail's queue-runner user). Nothing here comes in over the network, so there is nothing for Fail2ban to act on; it is just noise in the log.