Fail2Ban blocks my IP address because of blocked traffic, how can I stop it from banning me?


I need to know which program or which specific rule is banning my IP, as it happens frequently while I am programming. It bans my router's internal IP, since I am connecting through the LAN. Then, after about 10 minutes, it releases the IP again. I need to know what is doing this.

Here is the kernel log:

Jul 24 12:40:35 buntubox-001 kernel: [68405.371388] [UFW BLOCK] IN=enp2s0 OUT= MAC=01:00:5e:00:00:01:d8:50:e6:ce:a9:f0:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x0$
Jul 24 12:42:40 buntubox-001 kernel: [68530.812091] [UFW BLOCK] IN=enp2s0 OUT= MAC=01:00:5e:00:00:01:d8:50:e6:ce:a9:f0:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x0$
Jul 24 12:44:46 buntubox-001 kernel: [68656.252761] [UFW BLOCK] IN=enp2s0 OUT= MAC=01:00:5e:00:00:01:d8:50:e6:ce:a9:f0:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x0$
Jul 24 12:46:51 buntubox-001 kernel: [68781.693450] [UFW BLOCK] IN=enp2s0 OUT= MAC=01:00:5e:00:00:01:d8:50:e6:ce:a9:f0:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x0$
Jul 24 12:48:56 buntubox-001 kernel: [68907.134130] [UFW BLOCK] IN=enp2s0 OUT= MAC=01:00:5e:00:00:01:d8:50:e6:ce:a9:f0:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x0$
Jul 24 12:51:02 buntubox-001 kernel: [69032.574810] [UFW BLOCK] IN=enp2s0 OUT= MAC=01:00:5e:00:00:01:d8:50:e6:ce:a9:f0:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x0$
Jul 24 12:53:07 buntubox-001 kernel: [69158.015484] [UFW BLOCK] IN=enp2s0 OUT= MAC=01:00:5e:00:00:01:d8:50:e6:ce:a9:f0:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x0$
Jul 24 12:55:13 buntubox-001 kernel: [69283.456341] [UFW BLOCK] IN=enp2s0 OUT= MAC=01:00:5e:00:00:01:d8:50:e6:ce:a9:f0:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x0$
Jul 24 12:57:18 buntubox-001 kernel: [69408.896851] [UFW BLOCK] IN=enp2s0 OUT= MAC=01:00:5e:00:00:01:d8:50:e6:ce:a9:f0:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x0$
Jul 24 12:59:24 buntubox-001 kernel: [69534.337509] [UFW BLOCK] IN=enp2s0 OUT= MAC=01:00:5e:00:00:01:d8:50:e6:ce:a9:f0:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x0$
Jul 24 13:01:29 buntubox-001 kernel: [69659.778153] [UFW BLOCK] IN=enp2s0 OUT= MAC=01:00:5e:00:00:01:d8:50:e6:ce:a9:f0:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x0$
Jul 24 13:03:35 buntubox-001 kernel: [69785.218879] [UFW BLOCK] IN=enp2s0 OUT= MAC=01:00:5e:00:00:01:d8:50:e6:ce:a9:f0:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x0$
Jul 24 13:05:40 buntubox-001 kernel: [69910.659585] [UFW BLOCK] IN=enp2s0 OUT= MAC=01:00:5e:00:00:01:d8:50:e6:ce:a9:f0:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x0$
Jul 24 13:07:45 buntubox-001 kernel: [70036.100269] [UFW BLOCK] IN=enp2s0 OUT= MAC=01:00:5e:00:00:01:d8:50:e6:ce:a9:f0:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x0$
Jul 24 13:09:51 buntubox-001 kernel: [70161.540931] [UFW BLOCK] IN=enp2s0 OUT= MAC=01:00:5e:00:00:01:d8:50:e6:ce:a9:f0:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x0$
Jul 24 13:11:56 buntubox-001 kernel: [70286.981572] [UFW BLOCK] IN=enp2s0 OUT= MAC=01:00:5e:00:00:01:d8:50:e6:ce:a9:f0:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x0$
Jul 24 13:14:02 buntubox-001 kernel: [70412.422228] [UFW BLOCK] IN=enp2s0 OUT= MAC=01:00:5e:00:00:01:d8:50:e6:ce:a9:f0:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x0$
Jul 24 13:16:07 buntubox-001 kernel: [70537.862891] [UFW BLOCK] IN=enp2s0 OUT= MAC=01:00:5e:00:00:01:d8:50:e6:ce:a9:f0:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x0$
Jul 24 13:18:13 buntubox-001 kernel: [70663.303475] [UFW BLOCK] IN=enp2s0 OUT= MAC=01:00:5e:00:00:01:d8:50:e6:ce:a9:f0:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x0$
Jul 24 13:20:18 buntubox-001 kernel: [70788.744104] [UFW BLOCK] IN=enp2s0 OUT= MAC=01:00:5e:00:00:01:d8:50:e6:ce:a9:f0:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x0$

Here is the fail2ban log:

2017-07-24 06:25:17,215 fail2ban.server [1219]: INFO rollover performed on /var/log/fail2ban.log
2017-07-24 06:25:50,566 fail2ban.filter [1219]: INFO Log rotation detected for /var/log/auth.log
2017-07-24 06:27:31,632 fail2ban.filter [1219]: INFO [sshd] Found 177.129.242.80
2017-07-24 07:42:37,836 fail2ban.filter [1219]: INFO [sshd] Found 171.25.193.131
2017-07-24 07:44:27,693 fail2ban.filter [1219]: INFO [sshd] Found 87.154.220.202
2017-07-24 07:44:27,760 fail2ban.filter [1219]: INFO [sshd] Found 87.154.220.202
2017-07-24 08:17:01,802 fail2ban.filter [1219]: INFO [sshd] Found 119.193.140.164
2017-07-24 09:44:05,257 fail2ban.filter [1219]: INFO [sshd] Found 91.197.232.103
2017-07-24 13:09:25,355 fail2ban.filter [1219]: INFO [sshd] Found 218.68.140.168

And finally, here is my iptables -L:

root@buntubox-001:/var/www/html# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
DROP all -- 192.168.1.1 anywhere
f2b-sshd tcp -- anywhere anywhere multiport dports ssh
ufw-before-logging-input all -- anywhere anywhere
ufw-before-input all -- anywhere anywhere
ufw-after-input all -- anywhere anywhere
ufw-after-logging-input all -- anywhere anywhere
ufw-reject-input all -- anywhere anywhere
ufw-track-input all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
DROP all -- 192.168.1.1 anywhere
ufw-before-logging-forward all -- anywhere anywhere
ufw-before-forward all -- anywhere anywhere
ufw-after-forward all -- anywhere anywhere
ufw-after-logging-forward all -- anywhere anywhere
ufw-reject-forward all -- anywhere anywhere
ufw-track-forward all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ufw-before-logging-output all -- anywhere anywhere
ufw-before-output all -- anywhere anywhere
ufw-after-output all -- anywhere anywhere
ufw-after-logging-output all -- anywhere anywhere
ufw-reject-output all -- anywhere anywhere
ufw-track-output all -- anywhere anywhere

Chain f2b-sshd (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere

Chain ufw-after-forward (1 references)
target prot opt source destination

Chain ufw-after-input (1 references)
target prot opt source destination
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:netbios-ns
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:netbios-dgm
ufw-skip-to-policy-input tcp -- anywhere anywhere tcp dpt:netbios-ssn
ufw-skip-to-policy-input tcp -- anywhere anywhere tcp dpt:microsoft-ds
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:bootps
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:bootpc
ufw-skip-to-policy-input all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-after-logging-input (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-after-logging-output (1 references)
target prot opt source destination

Chain ufw-after-output (1 references)
target prot opt source destination

Chain ufw-before-forward (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
ACCEPT icmp -- anywhere anywhere icmp echo-request
ufw-user-forward all -- anywhere anywhere

Chain ufw-before-input (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ufw-logging-deny all -- anywhere anywhere ctstate INVALID
DROP all -- anywhere anywhere ctstate INVALID
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc
ufw-not-local all -- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
ACCEPT udp -- anywhere 239.255.255.250 udp dpt:1900
ufw-user-input all -- anywhere anywhere

Chain ufw-before-logging-forward (1 references)
target prot opt source destination

Chain ufw-before-logging-input (1 references)
target prot opt source destination

Chain ufw-before-logging-output (1 references)
target prot opt source destination

Chain ufw-before-output (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ufw-user-output all -- anywhere anywhere

Chain ufw-logging-allow (0 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "

Chain ufw-logging-deny (2 references)
target prot opt source destination
RETURN all -- anywhere anywhere ctstate INVALID limit: avg 3/min burst 10
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-not-local (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere ADDRTYPE match dst-type LOCAL
RETURN all -- anywhere anywhere ADDRTYPE match dst-type MULTICAST
RETURN all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
ufw-logging-deny all -- anywhere anywhere limit: avg 3/min burst 10
DROP all -- anywhere anywhere

Chain ufw-reject-forward (1 references)
target prot opt source destination

Chain ufw-reject-input (1 references)
target prot opt source destination

Chain ufw-reject-output (1 references)
target prot opt source destination

Chain ufw-skip-to-policy-forward (0 references)
target prot opt source destination
DROP all -- anywhere anywhere

Chain ufw-skip-to-policy-input (7 references)
target prot opt source destination
DROP all -- anywhere anywhere

Chain ufw-skip-to-policy-output (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere

Chain ufw-track-forward (1 references)
target prot opt source destination

Chain ufw-track-input (1 references)
target prot opt source destination

Chain ufw-track-output (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere ctstate NEW
ACCEPT udp -- anywhere anywhere ctstate NEW

Chain ufw-user-forward (1 references)
target prot opt source destination

Chain ufw-user-input (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT udp -- anywhere anywhere udp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT udp -- anywhere anywhere udp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:http /* 'dapp_Apache' */
ACCEPT all -- 192.168.1.1 anywhere
ACCEPT all -- 192.168.1.0/24 anywhere

Chain ufw-user-limit (0 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK] "
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere

Chain ufw-user-logging-forward (0 references)
target prot opt source destination

Chain ufw-user-logging-input (0 references)
target prot opt source destination

Chain ufw-user-logging-output (0 references)
target prot opt source destination

Chain ufw-user-output (1 references)
target prot opt source destination

Thanks in advance

by Riz-waan 25.07.2017 / 16:28

1 answer


The main problem here is Multicast (based on your logs). IGMP stands for "Internet Group Management Protocol" and is a communications protocol used by hosts and adjacent routers on IPv4 networks to establish multicast group memberships. On most networks this is not needed and can be safely ignored.

The IP address you are seeing in the "destination" is the standard multicast address, 224.0.0.1. It is more than likely that your systems are trying to use IGMP. To avoid this, set up a rule ahead of your LOG rule that simply DROPs multicast packets. For example:

sudo iptables -I INPUT 1 -m pkttype --pkt-type multicast -j DROP

This will drop the traffic and not trigger the log entries. That means Fail2Ban does not see a log message about it, so you can simply "drop" the traffic and F2B will ignore it, since it never learns about it from the logs.

(Note that if you use UFW, it may be harder to add this kind of rule; UFW is not as versatile as straight iptables.)

Note that we have a PSAD box on a client's network, on Ubuntu, and we silently drop Multicast traffic, since we do not care about IGMP / Multicast traffic on the networks we are monitoring; we only trigger on other traffic we do not expect (our regular network scanners, used to find unauthorized systems that are not ours, for example, are whitelisted and "DROP"ped at the start of the ruleset so that PSAD and F2B do not see them).

por Thomas Ward 25.07.2017 / 16:39
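A small triage script, added here as an example and not code from either post, that applies the answer's point mechanically to the asker's own data: it parses the [UFW BLOCK] kernel lines to confirm the destinations are multicast, reads fail2ban's own log for Found/Ban/Unban events per jail (the only place fail2ban's decisions are recorded), and searches `iptables -S` output for the chain that actually DROPs a given source, flagging whether that rule sits inside a fail2ban `f2b-*` chain. All function names are mine. The sample log lines and the `iptables -S` text are constructed from the listings in the question (one Ban line is hypothetical so the parser has something to match); on a live box you would feed it `/var/log/kern.log`, `/var/log/fail2ban.log` and the output of `sudo iptables -S`.

```python
"""Who is blocking this IP, and is fail2ban involved?  Added example, not
code from the question or the answer.  All sample data is constructed from
the listings in the question."""
import ipaddress
import re
from collections import Counter

# Constructed sample: two of the kernel log lines quoted in the question.
KERNEL_LOG = """\
Jul 24 12:40:35 buntubox-001 kernel: [68405.371388] [UFW BLOCK] IN=enp2s0 OUT= MAC=01:00:5e:00:00:01:d8:50:e6:ce:a9:f0:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x0
Jul 24 12:42:40 buntubox-001 kernel: [68530.812091] [UFW BLOCK] IN=enp2s0 OUT= MAC=01:00:5e:00:00:01:d8:50:e6:ce:a9:f0:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x0
"""

# Constructed sample: fail2ban.log lines.  The "Found" lines mirror the
# question; the "Ban" line is hypothetical, in fail2ban's usual format.
FAIL2BAN_LOG = """\
2017-07-24 06:27:31,632 fail2ban.filter [1219]: INFO [sshd] Found 177.129.242.80
2017-07-24 07:44:27,693 fail2ban.filter [1219]: INFO [sshd] Found 87.154.220.202
2017-07-24 07:44:27,760 fail2ban.filter [1219]: INFO [sshd] Found 87.154.220.202
2017-07-24 07:50:00,000 fail2ban.actions [1219]: NOTICE [sshd] Ban 87.154.220.202
"""

# Constructed sample in `iptables -S` form, reflecting the relevant rules
# from the question's `iptables -L` listing.
IPTABLES_S = """\
-N f2b-sshd
-A INPUT -s 192.168.1.1/32 -j DROP
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -j ufw-before-input
-A FORWARD -s 192.168.1.1/32 -j DROP
-A f2b-sshd -j RETURN
-A ufw-user-input -s 192.168.1.1/32 -j ACCEPT
-A ufw-user-input -s 192.168.1.0/24 -j ACCEPT
"""

UFW_RE = re.compile(r"\[UFW BLOCK\].*?\bSRC=(?P<src>\S+)\s+DST=(?P<dst>\S+)")
F2B_RE = re.compile(r"fail2ban\.\w+\s+\[\d+\]:\s+\w+\s+\[(?P<jail>[^\]]+)\]"
                    r"\s+(?P<event>Found|Ban|Unban)\s+(?P<ip>\S+)")
IPT_RE = re.compile(r"^-A\s+(?P<chain>\S+)(?:\s+-s\s+(?P<src>\S+))?.*?\s-j\s+(?P<target>\S+)")


def ufw_block_events(log_text):
    """(src, dst, dst_is_multicast) for every [UFW BLOCK] kernel line."""
    events = []
    for line in log_text.splitlines():
        m = UFW_RE.search(line)
        if m:
            dst = ipaddress.ip_address(m.group("dst"))
            events.append((m.group("src"), str(dst), dst.is_multicast))
    return events


def fail2ban_events(log_text):
    """{(jail, ip): Counter of Found/Ban/Unban} from fail2ban.log lines.

    Kernel [UFW BLOCK] messages never appear here: a jail only acts on
    lines its own filter matched in the log file it was told to watch.
    """
    seen = {}
    for line in log_text.splitlines():
        m = F2B_RE.search(line)
        if m:
            key = (m.group("jail"), m.group("ip"))
            seen.setdefault(key, Counter())[m.group("event")] += 1
    return seen


def banned_by_fail2ban(log_text, ip):
    """Jails in which `ip` has more Ban than Unban entries (still banned)."""
    return sorted(jail for (jail, addr), c in fail2ban_events(log_text).items()
                  if addr == ip and c["Ban"] > c["Unban"])


def drop_rules_for(iptables_s, ip):
    """(chain, source match, target) of every DROP/REJECT rule covering `ip`."""
    addr = ipaddress.ip_address(ip)
    hits = []
    for line in iptables_s.splitlines():
        m = IPT_RE.match(line)
        if not m or m.group("target") not in ("DROP", "REJECT"):
            continue
        src = m.group("src")
        if src is None or addr in ipaddress.ip_network(src, strict=False):
            hits.append((m.group("chain"), src or "any", m.group("target")))
    return hits


def chain_targets(iptables_s, chain):
    """Jump targets of the rules in `chain`, in order."""
    return [m.group("target") for m in map(IPT_RE.match, iptables_s.splitlines())
            if m and m.group("chain") == chain]


def triage(ip, kernel_log=KERNEL_LOG, f2b_log=FAIL2BAN_LOG, iptables_s=IPTABLES_S):
    """Summarise who is blocking `ip` and whether fail2ban is involved."""
    blocks = ufw_block_events(kernel_log)
    drops = drop_rules_for(iptables_s, ip)
    return {
        "ufw_block_all_multicast": bool(blocks) and all(mc for _, _, mc in blocks),
        "ufw_block_from_ip": any(src == ip for src, _, _ in blocks),
        "fail2ban_jails_banning_ip": banned_by_fail2ban(f2b_log, ip),
        "drop_rules": drops,
        # fail2ban's stock iptables actions insert bans into f2b-<jail>
        # chains; a DROP placed directly in INPUT/FORWARD is something else.
        "drop_inside_f2b_chain": any(ch.startswith("f2b-") for ch, _, _ in drops),
        "f2b_sshd_chain": chain_targets(iptables_s, "f2b-sshd"),
    }


if __name__ == "__main__":
    for key, value in triage("192.168.1.1").items():
        print(f"{key}: {value}")
```

Run against the question's data, the script reports that every [UFW BLOCK] line is multicast with source 0.0.0.0, that no fail2ban jail has banned 192.168.1.1, that the `f2b-sshd` chain holds nothing but its RETURN, and that the only DROPs for 192.168.1.1 are the plain rules at the top of INPUT and FORWARD. That last point is the practical check: fail2ban's own iptables actions put their ban rules inside the `f2b-<jail>` chain, so a DROP sitting directly in INPUT was added by something else and should be traced there rather than in fail2ban.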