Does fail2ban even work??!
Latest Vesta on Debian 9. I have set up several custom rules in fail2ban (created them in /etc/fail2ban/filter.d) and registered them in fail2ban through the panel rather than in the config files.
In the fail2ban logs I can see the rule being executed, followed by multiple "already banned" entries. In iptables I can see the rule for the corresponding section; when the event fires, the IP becomes REJECT, but in practice that address still has access.
If I ban the IP directly by hand in the firewall settings in the panel, it does get banned. Moreover, the rule only takes effect if a port is specified. Without a port the block does not work either, which is also puzzling.
What am I doing wrong? Why does iptables not act on fail2ban's command?
Re: Does fail2ban even work??!
Plus, this is in the log:
2018-09-27 18:05:33,152 fail2ban.action [22024]: ERROR iptables -w -n -L INPUT | grep -q 'f2b-rule1[ \t]' -- stdout: b''
2018-09-27 18:05:33,153 fail2ban.action [22024]: ERROR iptables -w -n -L INPUT | grep -q 'f2b-rule1[ \t]' -- stderr: b''
2018-09-27 18:05:33,153 fail2ban.action [22024]: ERROR iptables -w -n -L INPUT | grep -q 'f2b-rule1[ \t]' -- returned 1
2018-09-27 18:05:33,153 fail2ban.CommandAction [22024]: ERROR Invariant check failed. Trying to restore a sane environment
2018-09-27 18:05:34,119 fail2ban.action [22024]: ERROR iptables -w -D f2b-rule1 -s 188.230.238.79 -j REJECT --reject-with icmp-port-unreachable -- stdout: b''
2018-09-27 18:05:34,120 fail2ban.action [22024]: ERROR iptables -w -D f2b-rule1 -s 188.230.238.79 -j REJECT --reject-with icmp-port-unreachable -- stderr: b'iptables: No chain/target/match by that name.\n'
2018-09-27 18:05:34,120 fail2ban.action [22024]: ERROR iptables -w -D f2b-rule1 -s 188.230.238.79 -j REJECT --reject-with icmp-port-unreachable -- returned 1
2018-09-27 18:05:34,120 fail2ban.actions [22024]: ERROR Failed to execute unban jail 'rule1' action 'iptables-multiport' info '{'matches': '188.230.238.79 - - [27/Sep/2018:10:27:23 +0300] "GET /rule1/index.php?route=common/login HTTP/1.0" 403 1689 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2900.63 Safari/537.36"', 'failures': 1, 'ip': '188.230.238.79', 'time': 1538059831.0357623}': Error unbanning 188.230.238.79
2018-09-27 18:05:34,251 fail2ban.jail [22024]: INFO Jail 'rule1' stopped
2018-09-27 18:05:35,185 fail2ban.jail [22024]: INFO Jail 'cgibin-auth' stopped
2018-09-27 18:05:36,573 fail2ban.jail [22024]: INFO Jail 'ssh-iptables' stopped
2018-09-27 18:05:36,939 fail2ban.actions [22024]: NOTICE [rule2] Unban 104.131.27.166
2018-09-27 18:05:37,053 fail2ban.action [22024]: ERROR iptables -w -n -L INPUT | grep -q 'f2b-rule2[ \t]' -- stdout: b''
2018-09-27 18:05:37,054 fail2ban.action [22024]: ERROR iptables -w -n -L INPUT | grep -q 'f2b-rule2[ \t]' -- stderr: b''
2018-09-27 18:05:37,054 fail2ban.action [22024]: ERROR iptables -w -n -L INPUT | grep -q 'f2b-rule2[ \t]' -- returned 1
2018-09-27 18:05:37,054 fail2ban.CommandAction [22024]: ERROR Invariant check failed. Trying to restore a sane environment
2018-09-27 18:05:37,720 fail2ban.action [22024]: ERROR iptables -w -D f2b-rule2 -s 104.131.27.166 -j REJECT --reject-with icmp-port-unreachable -- stdout: b''
2018-09-27 18:05:37,720 fail2ban.action [22024]: ERROR iptables -w -D f2b-rule2 -s 104.131.27.166 -j REJECT --reject-with icmp-port-unreachable -- stderr: b'iptables: No chain/target/match by that name.\n'
2018-09-27 18:05:37,721 fail2ban.action [22024]: ERROR iptables -w -D f2b-rule2 -s 104.131.27.166 -j REJECT --reject-with icmp-port-unreachable -- returned 1
2018-09-27 18:05:37,721 fail2ban.actions [22024]: ERROR Failed to execute unban jail 'rule2' action 'iptables-multiport' info '{'matches': '104.131.27.166 - - [27/Sep/2018:03:54:56 +0300] "GET /path/scripts/setup.php HTTP/1.0" 404 40116 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0"', 'failures': 1, 'ip': '104.131.27.166', 'time': 1538059829.0856495}': Error unbanning 104.131.27.166
2018-09-27 18:05:37,721 fail2ban.actions [22024]: NOTICE [rule2] Unban 107.170.20.63
2018-09-27 18:05:38,099 fail2ban.action [22024]: ERROR iptables -w -D f2b-rule2 -s 107.170.20.63 -j REJECT --reject-with icmp-port-unreachable -- stdout: b''
2018-09-27 18:05:38,099 fail2ban.action [22024]: ERROR iptables -w -D f2b-rule2 -s 107.170.20.63 -j REJECT --reject-with icmp-port-unreachable -- stderr: b'iptables: No chain/target/match by that name.\n'
2018-09-27 18:05:38,100 fail2ban.action [22024]: ERROR iptables -w -D f2b-rule2 -s 107.170.20.63 -j REJECT --reject-with icmp-port-unreachable -- returned 1
2018-09-27 18:05:38,100 fail2ban.actions [22024]: ERROR Failed to execute unban jail 'rule2' action 'iptables-multiport' info '{'matches': '107.170.20.63 - - [27/Sep/2018:07:30:03 +0300] "GET /path/scripts/setup.php HTTP/1.0" 404 40116 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0"', 'failures': 1, 'ip': '107.170.20.63', 'time': 1538059829.3500142}': Error unbanning 107.170.20.63
2018-09-27 18:05:38,100 fail2ban.actions [22024]: NOTICE [rule2] Unban 113.201.62.253
2018-09-27 18:05:38,378 fail2ban.action [22024]: ERROR iptables -w -D f2b-rule2 -s 113.201.62.253 -j REJECT --reject-with icmp-port-unreachable -- stdout: b''
2018-09-27 18:05:38,378 fail2ban.action [22024]: ERROR iptables -w -D f2b-rule2 -s 113.201.62.253 -j REJECT --reject-with icmp-port-unreachable -- stderr: b'iptables: No chain/target/match by that name.\n'
2018-09-27 18:05:38,378 fail2ban.action [22024]: ERROR iptables -w -D f2b-rule2 -s 113.201.62.253 -j REJECT --reject-with icmp-port-unreachable -- returned 1
2018-09-27 18:05:38,378 fail2ban.actions [22024]: ERROR Failed to execute unban jail 'rule2' action 'iptables-multiport' info '{'matches': '113.201.62.253 - - [26/Sep/2018:22:28:06 +0300] "GET /path/scripts/setup.php HTTP/1.0" 404 40116 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0"', 'failures': 1, 'ip': '113.201.62.253', 'time': 1538059829.7506356}': Error unbanning 113.201.62.253
2018-09-27 18:05:38,379 fail2ban.actions [22024]: NOTICE [rule2] Unban 182.18.144.44
2018-09-27 18:05:38,678 fail2ban.action [22024]: ERROR iptables -w -D f2b-rule2 -s 182.18.144.44 -j REJECT --reject-with icmp-port-unreachable -- stdout: b''
2018-09-27 18:05:38,679 fail2ban.action [22024]: ERROR iptables -w -D f2b-rule2 -s 182.18.144.44 -j REJECT --reject-with icmp-port-unreachable -- stderr: b'iptables: No chain/target/match by that name.\n'
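Added example (not part of the original posts, and not fail2ban or Vesta code): a small Python audit of a fail2ban log in the format posted above. It reports each chain whose jump is missing from INPUT and the IPs whose ban rule could not be deleted because the chain no longer existed. The sample log lines and IP addresses are constructed; `audit` and the report keys are hypothetical names.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the log above (documentation-range IPs).
SAMPLE_LOG = r"""
2018-09-27 18:05:33,153 fail2ban.action [22024]: ERROR iptables -w -n -L INPUT | grep -q 'f2b-rule1[ \t]' -- returned 1
2018-09-27 18:05:33,153 fail2ban.CommandAction [22024]: ERROR Invariant check failed. Trying to restore a sane environment
2018-09-27 18:05:34,120 fail2ban.action [22024]: ERROR iptables -w -D f2b-rule1 -s 203.0.113.10 -j REJECT --reject-with icmp-port-unreachable -- stderr: b'iptables: No chain/target/match by that name.\n'
2018-09-27 18:05:36,573 fail2ban.jail [22024]: INFO Jail 'ssh-iptables' stopped
2018-09-27 18:05:37,054 fail2ban.action [22024]: ERROR iptables -w -n -L INPUT | grep -q 'f2b-rule2[ \t]' -- returned 1
2018-09-27 18:05:37,720 fail2ban.action [22024]: ERROR iptables -w -D f2b-rule2 -s 198.51.100.9 -j REJECT --reject-with icmp-port-unreachable -- stderr: b'iptables: No chain/target/match by that name.\n'
2018-09-27 18:05:38,099 fail2ban.action [22024]: ERROR iptables -w -D f2b-rule2 -s 198.51.100.7 -j REJECT --reject-with icmp-port-unreachable -- stderr: b'iptables: No chain/target/match by that name.\n'
"""

# Check command: fail2ban greps INPUT for the jump to its chain; non-zero = no jump.
CHECK_RE = re.compile(
    r"iptables -w -n -L INPUT \| grep -q '([\w-]+)\[ \\t\]' -- returned (\d+)")
# Unban command: deleting the per-IP rule fails when the chain itself is gone.
DELETE_RE = re.compile(
    r"iptables -w -D ([\w-]+) -s (\S+) .*-- stderr: b'iptables: No chain/target/match")


def audit(log_text):
    """Map each fail2ban chain to the enforcement problems seen in the log."""
    seen = defaultdict(lambda: {"input_jump_missing": False, "ips": set()})
    for line in log_text.splitlines():
        check = CHECK_RE.search(line)
        if check and int(check.group(2)) != 0:
            seen[check.group(1)]["input_jump_missing"] = True
        delete = DELETE_RE.search(line)
        if delete:
            seen[delete.group(1)]["ips"].add(delete.group(2))
    # Plain dicts with sorted lists so the report is stable and easy to compare.
    return {chain: {"input_jump_missing": v["input_jump_missing"],
                    "missing_chain_ips": sorted(v["ips"])}
            for chain, v in seen.items()}


if __name__ == "__main__":
    for chain, info in audit(SAMPLE_LOG).items():
        print(chain, info)
```

A chain that appears in this report is one fail2ban still tracks bans for while the matching netfilter rules are absent, which is the "banned in the log, still has access" symptom described in the first post.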
Re: Does fail2ban even work??!
I added this to /usr/local/vesta/data/firewall/chains.conf:
CHAIN='WEB' PORT='80,443' PROTOCOL='TCP'
and it seems to have started working, the bans now take effect.
Did I do the right thing?
PS. Regarding "Trying to restore a sane environment" in the fail2ban log, I found this solution: https://blog.laimbock.com/2013/01/11/fa ... nt-page-1/