
Fail2ban - creating a second sshd jail for a docker container log does not work

Stack Overflow user
Asked on 2019-08-21 22:01:35
Answers: 1  Views: 656  Followers: 0  Votes: 2

I have a Linux machine running Ubuntu 18.04.3 with a working fail2ban configuration (as on all my hosts).

In this case I set up a docker container that acts as an sftp server for several users. The docker container has a running rsyslogd and writes login events to /var/log/auth.log; /var/log is mounted to /myapp/log/sftp on the host system.

So I created a second sshd jail in jail.local with this configuration snippet:

```ini
[myapp-sftp]
filter=sshd
enabled = true
findtime = 1200
maxretry = 2
mode = aggressive
backend = polling
logpath=/myapp/log/sftp/auth.log
```

The log file /myapp/log/sftp/auth.log is definitely there and is full of failed login attempts, from me and from others.

But the jail is never triggered; there are no Found log entries in fail2ban.log. I have reset the fail2ban database... I have no idea what could be wrong.

I tried backend = polling and the default pyinotify.

Checking with fail2ban-regex says it matches:

```text
# fail2ban-regex /myapp/log/sftp/auth.log /etc/fail2ban/filter.d/sshd.conf

Running tests
=============

Use   failregex filter file : sshd, basedir: /etc/fail2ban
Use         maxlines : 1
Use      datepattern : Default Detectors
Use         log file : /myapp/log/sftp/auth.log
Use         encoding : UTF-8


Results
=======

Failregex: 268 total
|-  #) [# of hits] regular expression
|   3) [64] ^Failed \S+ for invalid user <F-USER>(?P<cond_user>\S+)|(?:(?! from ).)*?</F-USER> from <HOST>(?: port \d+)?(?: on \S+(?: port \d+)?)?(?: ssh\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)
|   4) [29] ^Failed \b(?!publickey)\S+ for (?P<cond_inv>invalid user )?<F-USER>(?P<cond_user>\S+)|(?(cond_inv)(?:(?! from ).)*?|[^:]+)</F-USER> from <HOST>(?: port \d+)?(?: on \S+(?: port \d+)?)?(?: ssh\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)
|   6) [64] ^[iI](?:llegal|nvalid) user <F-USER>.*?</F-USER> from <HOST>(?: port \d+)?(?: on \S+(?: port \d+)?)?\s*$
|  21) [111] ^<F-NOFAIL>Connection from</F-NOFAIL> <HOST>
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [642] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
`-

Lines: 642 lines, 0 ignored, 268 matched, 374 missed
[processed in 0.13 sec]

Missed line(s): too many to print.  Use --print-all-missed to print all 374 lines
```

```text
# fail2ban-client status myapp-sftp
Status for the jail: myapp-sftp
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:        /myapp/log/sftp/auth.log
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:
```
```text
# cat /var/log/fail2ban.log | grep myapp
2019-08-21 10:35:33,647 fail2ban.jail           [649]: INFO    Creating new jail 'wippex-sftp'
2019-08-21 10:35:33,647 fail2ban.jail           [649]: INFO    Jail 'myapp-sftp' uses pyinotify {}
2019-08-21 10:35:33,664 fail2ban.server         [649]: INFO    Jail myapp-sftp is not a JournalFilter instance
2019-08-21 10:35:33,665 fail2ban.filter         [649]: INFO    Added logfile: '/wippex/log/sftp.log' (pos = 0, hash = 287d8cc2e307c5f427aa87c4c649ced889d6bf6a)
2019-08-21 10:35:33,689 fail2ban.jail           [649]: INFO    Jail 'myapp-sftp' started
```

I really never get the expected Found entries... nor a ban. Any ideas are welcome.

```text
# fail2ban-server -V
Fail2Ban v0.10.2

Copyright (c) 2004-2008 Cyril Jaquier, 2008- Fail2Ban Contributors
Copyright of modifications held by their respective authors.
```

Log sample from /myapp/log/sftp/auth.log:

```text
Aug 21 14:03:13 a9ede63166d9 sshd[202]: Failed password for invalid user mapp from 95.85.16.178 port 41766 ssh2
Aug 21 14:03:13 a9ede63166d9 sshd[202]: Received disconnect from 95.85.16.178 port 41766:11: Normal Shutdown, Thank you for playing [preauth]
Aug 21 14:03:13 a9ede63166d9 sshd[202]: Disconnected from 95.85.16.178 port 41766 [preauth]
Aug 21 14:03:49 a9ede63166d9 sshd[204]: Connection from 95.85.16.178 port 34722 on 172.17.0.3 port 22
Aug 21 14:03:49 a9ede63166d9 sshd[204]: Invalid user mapp from 95.85.16.178 port 34722
Aug 21 14:03:49 a9ede63166d9 sshd[204]: input_userauth_request: invalid user mapp [preauth]
Aug 21 14:03:49 a9ede63166d9 sshd[204]: error: Could not get shadow information for NOUSER
Aug 21 14:03:49 a9ede63166d9 sshd[204]: Failed password for invalid user mapp from 95.85.16.178 port 34722 ssh2
Aug 21 14:03:49 a9ede63166d9 sshd[204]: Received disconnect from 95.85.16.178 port 34722:11: Normal Shutdown, Thank you for playing [preauth]
Aug 21 14:03:49 a9ede63166d9 sshd[204]: Disconnected from 95.85.16.178 port 34722 [preauth]
```

1 answer

Stack Overflow user

Posted on 2019-08-23 11:16:03

The problem has been "solved". The docker container simply used a different timezone than the host, and the log file timestamps do not contain a timezone.

So fail2ban assumed the timestamps were written in the same timezone as its runtime environment (on the host) and did not interpret the "old" log entries (2 h diff).

See https://github.com/fail2ban/fail2ban/issues/2486

I simply set the host timezone to UTC for now, but I will now try to set rsyncd to use a date format with a timezone.

Votes: 2
Page content provided by Stack Overflow; translation supported by Tencent Cloud's IT-domain engine.
Original link: https://stackoverflow.com/questions/57593463
