web-dev-qa-db-fra.com

Fail2Ban is banning my IP address because of blocked traffic. How do I stop it from banning me?

I need to know which program or which specific rule is banning my IP, because this often happens while I am programming. It bans my router's internal IP, since I connect over the local network. After about 10 minutes the ban on the IP is lifted. I need to know what is doing this.

Here is the kernel log:

Jul 24 12:40:35 buntubox-001 kernel: [68405.371388] [UFW BLOCK] IN=enp2s0 OUT= MAC=01:00:5e:00:00:01:d8:50:e6:ce:a9:f0:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x0$
Jul 24 12:42:40 buntubox-001 kernel: [68530.812091] [UFW BLOCK] IN=enp2s0 OUT= MAC=01:00:5e:00:00:01:d8:50:e6:ce:a9:f0:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x0$
Jul 24 12:44:46 buntubox-001 kernel: [68656.252761] [UFW BLOCK] IN=enp2s0 OUT= MAC=01:00:5e:00:00:01:d8:50:e6:ce:a9:f0:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x0$
Jul 24 12:46:51 buntubox-001 kernel: [68781.693450] [UFW BLOCK] IN=enp2s0 OUT= MAC=01:00:5e:00:00:01:d8:50:e6:ce:a9:f0:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x0$
Jul 24 12:48:56 buntubox-001 kernel: [68907.134130] [UFW BLOCK] IN=enp2s0 OUT= MAC=01:00:5e:00:00:01:d8:50:e6:ce:a9:f0:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x0$
Jul 24 12:51:02 buntubox-001 kernel: [69032.574810] [UFW BLOCK] IN=enp2s0 OUT= MAC=01:00:5e:00:00:01:d8:50:e6:ce:a9:f0:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x0$
Jul 24 12:53:07 buntubox-001 kernel: [69158.015484] [UFW BLOCK] IN=enp2s0 OUT= MAC=01:00:5e:00:00:01:d8:50:e6:ce:a9:f0:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x0$
Jul 24 12:55:13 buntubox-001 kernel: [69283.456341] [UFW BLOCK] IN=enp2s0 OUT= MAC=01:00:5e:00:00:01:d8:50:e6:ce:a9:f0:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x0$
Jul 24 12:57:18 buntubox-001 kernel: [69408.896851] [UFW BLOCK] IN=enp2s0 OUT= MAC=01:00:5e:00:00:01:d8:50:e6:ce:a9:f0:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x0$
Jul 24 12:59:24 buntubox-001 kernel: [69534.337509] [UFW BLOCK] IN=enp2s0 OUT= MAC=01:00:5e:00:00:01:d8:50:e6:ce:a9:f0:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x0$
Jul 24 13:01:29 buntubox-001 kernel: [69659.778153] [UFW BLOCK] IN=enp2s0 OUT= MAC=01:00:5e:00:00:01:d8:50:e6:ce:a9:f0:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x0$
Jul 24 13:03:35 buntubox-001 kernel: [69785.218879] [UFW BLOCK] IN=enp2s0 OUT= MAC=01:00:5e:00:00:01:d8:50:e6:ce:a9:f0:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x0$
Jul 24 13:05:40 buntubox-001 kernel: [69910.659585] [UFW BLOCK] IN=enp2s0 OUT= MAC=01:00:5e:00:00:01:d8:50:e6:ce:a9:f0:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x0$
Jul 24 13:07:45 buntubox-001 kernel: [70036.100269] [UFW BLOCK] IN=enp2s0 OUT= MAC=01:00:5e:00:00:01:d8:50:e6:ce:a9:f0:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x0$
Jul 24 13:09:51 buntubox-001 kernel: [70161.540931] [UFW BLOCK] IN=enp2s0 OUT= MAC=01:00:5e:00:00:01:d8:50:e6:ce:a9:f0:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x0$
Jul 24 13:11:56 buntubox-001 kernel: [70286.981572] [UFW BLOCK] IN=enp2s0 OUT= MAC=01:00:5e:00:00:01:d8:50:e6:ce:a9:f0:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x0$
Jul 24 13:14:02 buntubox-001 kernel: [70412.422228] [UFW BLOCK] IN=enp2s0 OUT= MAC=01:00:5e:00:00:01:d8:50:e6:ce:a9:f0:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x0$
Jul 24 13:16:07 buntubox-001 kernel: [70537.862891] [UFW BLOCK] IN=enp2s0 OUT= MAC=01:00:5e:00:00:01:d8:50:e6:ce:a9:f0:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x0$
Jul 24 13:18:13 buntubox-001 kernel: [70663.303475] [UFW BLOCK] IN=enp2s0 OUT= MAC=01:00:5e:00:00:01:d8:50:e6:ce:a9:f0:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x0$
Jul 24 13:20:18 buntubox-001 kernel: [70788.744104] [UFW BLOCK] IN=enp2s0 OUT= MAC=01:00:5e:00:00:01:d8:50:e6:ce:a9:f0:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x0$

Here is the fail2ban log:

2017-07-24 06:25:17,215 fail2ban.server [1219]: INFO rollover performed on /var/log/fail2ban.log
2017-07-24 06:25:50,566 fail2ban.filter [1219]: INFO Log rotation detected for /var/log/auth.log
2017-07-24 06:27:31,632 fail2ban.filter [1219]: INFO [sshd] Found 177.129.242.80
2017-07-24 07:42:37,836 fail2ban.filter [1219]: INFO [sshd] Found 171.25.193.131
2017-07-24 07:44:27,693 fail2ban.filter [1219]: INFO [sshd] Found 87.154.220.202
2017-07-24 07:44:27,760 fail2ban.filter [1219]: INFO [sshd] Found 87.154.220.202
2017-07-24 08:17:01,802 fail2ban.filter [1219]: INFO [sshd] Found 119.193.140.164
2017-07-24 09:44:05,257 fail2ban.filter [1219]: INFO [sshd] Found 91.197.232.103
2017-07-24 13:09:25,355 fail2ban.filter [1219]: INFO [sshd] Found 218.68.140.168

And finally, here is my iptables -L:

root@buntubox-001:/var/www/html# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
DROP all -- 192.168.1.1 anywhere
f2b-sshd tcp -- anywhere anywhere multiport dports ssh
ufw-before-logging-input all -- anywhere anywhere
ufw-before-input all -- anywhere anywhere
ufw-after-input all -- anywhere anywhere
ufw-after-logging-input all -- anywhere anywhere
ufw-reject-input all -- anywhere anywhere
ufw-track-input all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
DROP all -- 192.168.1.1 anywhere
ufw-before-logging-forward all -- anywhere anywhere
ufw-before-forward all -- anywhere anywhere
ufw-after-forward all -- anywhere anywhere
ufw-after-logging-forward all -- anywhere anywhere
ufw-reject-forward all -- anywhere anywhere
ufw-track-forward all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ufw-before-logging-output all -- anywhere anywhere
ufw-before-output all -- anywhere anywhere
ufw-after-output all -- anywhere anywhere
ufw-after-logging-output all -- anywhere anywhere
ufw-reject-output all -- anywhere anywhere
ufw-track-output all -- anywhere anywhere

Chain f2b-sshd (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere

Chain ufw-after-forward (1 references)
target prot opt source destination

Chain ufw-after-input (1 references)
target prot opt source destination
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:netbios-ns
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:netbios-dgm
ufw-skip-to-policy-input tcp -- anywhere anywhere tcp dpt:netbios-ssn
ufw-skip-to-policy-input tcp -- anywhere anywhere tcp dpt:Microsoft-ds
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:bootps
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:bootpc
ufw-skip-to-policy-input all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-after-logging-input (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-after-logging-output (1 references)
target prot opt source destination

Chain ufw-after-output (1 references)
target prot opt source destination

Chain ufw-before-forward (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
ACCEPT icmp -- anywhere anywhere icmp echo-request
ufw-user-forward all -- anywhere anywhere

Chain ufw-before-input (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ufw-logging-deny all -- anywhere anywhere ctstate INVALID
DROP all -- anywhere anywhere ctstate INVALID
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc
ufw-not-local all -- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
ACCEPT udp -- anywhere 239.255.255.250 udp dpt:1900
ufw-user-input all -- anywhere anywhere

Chain ufw-before-logging-forward (1 references)
target prot opt source destination

Chain ufw-before-logging-input (1 references)
target prot opt source destination

Chain ufw-before-logging-output (1 references)
target prot opt source destination

Chain ufw-before-output (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ufw-user-output all -- anywhere anywhere

Chain ufw-logging-allow (0 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "

Chain ufw-logging-deny (2 references)
target prot opt source destination
RETURN all -- anywhere anywhere ctstate INVALID limit: avg 3/min burst 10
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-not-local (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere ADDRTYPE match dst-type LOCAL
RETURN all -- anywhere anywhere ADDRTYPE match dst-type MULTICAST
RETURN all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
ufw-logging-deny all -- anywhere anywhere limit: avg 3/min burst 10
DROP all -- anywhere anywhere

Chain ufw-reject-forward (1 references)
target prot opt source destination

Chain ufw-reject-input (1 references)
target prot opt source destination

Chain ufw-reject-output (1 references)
target prot opt source destination

Chain ufw-skip-to-policy-forward (0 references)
target prot opt source destination
DROP all -- anywhere anywhere

Chain ufw-skip-to-policy-input (7 references)
target prot opt source destination
DROP all -- anywhere anywhere

Chain ufw-skip-to-policy-output (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere

Chain ufw-track-forward (1 references)
target prot opt source destination

Chain ufw-track-input (1 references)
target prot opt source destination

Chain ufw-track-output (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere ctstate NEW
ACCEPT udp -- anywhere anywhere ctstate NEW

Chain ufw-user-forward (1 references)
target prot opt source destination

Chain ufw-user-input (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT udp -- anywhere anywhere udp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT udp -- anywhere anywhere udp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:http /* 'dapp_Apache' */
ACCEPT all -- 192.168.1.1 anywhere
ACCEPT all -- 192.168.1.0/24 anywhere

Chain ufw-user-limit (0 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK] "
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere

Chain ufw-user-logging-forward (0 references)
target prot opt source destination

Chain ufw-user-logging-input (0 references)
target prot opt source destination

Chain ufw-user-logging-output (0 references)
target prot opt source destination

Chain ufw-user-output (1 references)
target prot opt source destination

Thanks in advance

1
Riz-waan

The main problem here is multicast (based on your logs). IGMP stands for "Internet Group Management Protocol". It is a communications protocol used by hosts and adjacent routers on IPv4 networks to establish multicast group memberships. On most networks it is not needed and can safely be ignored.

The IP address you see as the 'destination' is the standard multicast address, 224.0.0.1. Most likely your systems are trying to use IGMP. To avoid this, set up a rule earlier than your LOG rule that simply DROPs multicast packets. For example:

sudo iptables -I INPUT 1 -m pkttype --pkt-type multicast -j DROP

This will drop the traffic and not trigger log entries, which means Fail2Ban will not see a log message about it; so you can simply drop the traffic and F2B will ignore it, because it never learns about it from the logs.

(Note that if you are using UFW, it may be harder to add this kind of rule; UFW is not as versatile as straight iptables.)

Note that we have a PSAD box on a client's network, running Ubuntu, and we simply drop multicast traffic because we are not interested in IGMP/multicast traffic on the networks we monitor; we only trigger on other traffic we do not expect (our usual network scanners for finding untrusted systems that are not ours, for example, are whitelisted and "DROP"ed earlier in the ruleset, so that PSAD and F2B do not see them).

Related external resources: https://ubuntuforums.org/archive/index.php/t-2231716.html

3
Thomas Ward
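A small triage script, added here as an example and not part of either post: it classifies the [UFW BLOCK] lines by destination (224.0.0.1 is the IGMP all-hosts group, as the answer says) and lists which chain of an `iptables -L` dump actually holds a DROP for a given source address. The sample log and chain listing are constructed, abridged versions of the question's pastes.

```python
import re
import ipaddress
from collections import Counter

# Constructed, abridged samples in the shape of the question's two pastes.
KERN_LOG = """\
Jul 24 12:40:35 buntubox-001 kernel: [68405.371388] [UFW BLOCK] IN=enp2s0 OUT= MAC=01:00:5e:00:00:01:d8:50:e6:ce:a9:f0:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x0
Jul 24 12:42:40 buntubox-001 kernel: [68530.812091] [UFW BLOCK] IN=enp2s0 OUT= MAC=01:00:5e:00:00:01:d8:50:e6:ce:a9:f0:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x0
Jul 24 12:43:10 buntubox-001 kernel: [68560.100000] [UFW BLOCK] IN=enp2s0 OUT= MAC=d8:50:e6:ce:a9:f0:00:11:22:33:44:55:08:00 SRC=203.0.113.9 DST=192.168.1.20 LEN=60 TOS=0x0 PROTO=TCP DPT=22
"""
IPTABLES_L = """\
Chain INPUT (policy DROP)
target prot opt source destination
DROP all -- 192.168.1.1 anywhere
f2b-sshd tcp -- anywhere anywhere multiport dports ssh

Chain f2b-sshd (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
"""

def ufw_block_destinations(log_text):
    """Count [UFW BLOCK] lines by (SRC, DST, kind); multicast is IGMP-style chatter, not an sshd login attempt."""
    counts = Counter()
    for line in log_text.splitlines():
        if "[UFW BLOCK]" not in line:
            continue
        # Every "KEY=VALUE" token of the netfilter log line becomes a field.
        fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        if not fields.get("DST"):
            continue
        dst = ipaddress.ip_address(fields["DST"])
        kind = "multicast" if dst.is_multicast else "unicast"
        counts[(fields.get("SRC"), str(dst), kind)] += 1
    return counts

def drop_rules_for(iptables_text, ip):
    """List (chain, rule) for each DROP/REJECT in iptables -L output whose source column equals ip."""
    hits, chain = [], None
    for line in iptables_text.splitlines():
        m = re.match(r"Chain (\S+)", line)
        if m:
            chain = m.group(1)
            continue
        cols = line.split()  # target prot opt source destination ...
        if len(cols) >= 4 and cols[0] in ("DROP", "REJECT") and cols[3] == ip:
            hits.append((chain, line))
    return hits
```

Run against the full paste in the question, drop_rules_for reports the DROP for 192.168.1.1 sitting directly in the INPUT and FORWARD chains, while the f2b-sshd chain contains only a RETURN; that is where to look for what inserted the ban.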