
[Bug] After manually banning an IP, the SSH login log shows a successful login, and I thought I had been compromised.

Open uinpc opened this issue 1 year ago • 9 comments

Contact Information

No response

1Panel Version

1.10.21-lts

Problem Description

[screenshot: Snipaste_2024-12-11_21-59-59] After manually banning an IP, the SSH login log showed it as a successful login, and I thought my key had been stolen. A semicolon can also show up as a successful login, which is really strange.

Steps to Reproduce

fail2ban-client set sshd banip 106.55.203.129 (manual banip)

The expected correct result

No response

Related log output

root@VM-0-15-ubuntu:/data/banip# sudo grep "81.69.102.153" /var/log/auth.log
Dec 10 21:39:26 localhost sudo:     root : TTY=pts/1 ; PWD=/data ; USER=root ; COMMAND=/usr/sbin/ufw deny from 81.69.102.153
Dec 10 21:39:26 localhost sudo:     root : TTY=pts/1 ; PWD=/data ; USER=root ; COMMAND=/usr/local/bin/fail2ban-client set sshd banip 81.69.102.153
Dec 11 02:56:34 localhost sudo:     root : TTY=pts/1 ; PWD=/data ; USER=root ; COMMAND=/usr/local/bin/fail2ban-client set sshd banip 81.69.102.153
Dec 11 21:50:47 localhost sudo:     root : TTY=pts/1 ; PWD=/data/banip ; USER=root ; COMMAND=/usr/bin/grep 81.69.102.153 /var/log/auth.log
root@VM-0-15-ubuntu:/data/banip# sudo grep "106.55.203.129" /var/log/auth.log
Dec 10 21:38:58 localhost sudo:     root : TTY=pts/1 ; PWD=/data ; USER=root ; COMMAND=/usr/sbin/ufw deny from 106.55.203.129
Dec 10 21:38:59 localhost sudo:     root : TTY=pts/1 ; PWD=/data ; USER=root ; COMMAND=/usr/local/bin/fail2ban-client set sshd banip 106.55.203.129
Dec 11 02:56:22 localhost sudo:     root : TTY=pts/1 ; PWD=/data ; USER=root ; COMMAND=/usr/local/bin/fail2ban-client set sshd banip 106.55.203.129
Dec 11 21:51:17 localhost sudo:     root : TTY=pts/1 ; PWD=/data/banip ; USER=root ; COMMAND=/usr/bin/grep 106.55.203.129 /var/log/auth.log

Additional Information

No response

uinpc avatar Dec 11 '24 14:12 uinpc

Thanks for the feedback. Please post a screenshot of the output of: cat /var/log/auth.log | grep -a Accepted

ssongliu avatar Dec 11 '24 14:12 ssongliu


[screenshots: Snipaste_2024-12-12_11-20-08, Snipaste_2024-12-12_11-29-33] Looking at the log with that command, the only successful login is from my own IP, and the "semicolon" successful login was also caused by a single command.

uinpc avatar Dec 12 '24 03:12 uinpc


Please add me (on WeChat) so I can take a remote look at this problem; the login log is a bit strange. Did you create a scheduled task that adds IPs to fail2ban? Please describe the exact steps you took. [image: WechatIMG375]

ssongliu avatar Dec 12 '24 04:12 ssongliu

Only the "semicolon" successful-login log entry was reproduced, with: sudo grep 'Accepted publickey' /var/log/auth.log. The SSH login log on the panel probably extracts successful logins by the keyword 'Accepted publickey'. The 6 scheduled-task records that appear in the log are there because I forgot to change the blacklist output path in the script. As for the script the scheduled task runs, it also extracts the IPs from the 'Accepted publickey' lines. My idea is to blacklist every IP in auth.log that shows attack behaviour, so I need to exclude the 'Accepted publickey' IPs. Some IPs only attack once and fail2ban will not ban them on its own, so I wrote a script.

The successful-login log entry for the manual banip was not reproduced. From the log, those 2 IPs have no attack records. The commands at the time were exactly these:
sudo ufw deny from 81.69.102.153
sudo ufw deny from 106.55.203.129
sudo fail2ban-client set sshd banip 81.69.102.153
sudo fail2ban-client set sshd banip 106.55.203.129

uinpc avatar Dec 12 '24 08:12 uinpc


Only the "semicolon" successful-login log entry was reproduced, with: sudo grep 'Accepted publickey' /var/log/auth.log. The SSH login log on the panel probably extracts successful logins by the keyword 'Accepted publickey'. The 6 scheduled-task records that appear in the log are there because I forgot to change the blacklist output path in the script. As for the script the scheduled task runs, it also extracts the IPs from the 'Accepted publickey' lines. My idea is to blacklist every IP in auth.log that shows attack behaviour, so I need to exclude the 'Accepted publickey' IPs. Some IPs only attack once and fail2ban will not ban them on its own, so I wrote a script.

The successful-login log entry for the manual banip was not reproduced. From the log, those 2 IPs have no attack records. The commands at the time were exactly these:
sudo ufw deny from 81.69.102.153
sudo ufw deny from 106.55.203.129
sudo fail2ban-client set sshd banip 81.69.102.153
sudo fail2ban-client set sshd banip 106.55.203.129

In a later version we will consider filtering normal requests directly, adding 'Accepted password' or 'Accepted publickey'.

ssongliu avatar Dec 12 '24 08:12 ssongliu

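The false positive discussed in this thread comes from matching the bare keyword 'Accepted publickey' anywhere in auth.log: a sudo audit line whose COMMAND field quotes that string (the grep the reporter ran, or a cron job that greps for it) is then reported as an SSH login. The example below is added here to illustrate the fix ssongliu describes; it is not 1Panel's code and not the reporter's script. It assumes the traditional syslog layout shown in the issue's log output ("Mon DD HH:MM:SS host prog[pid]: message"; rsyslog configured for RFC 3339 timestamps would need a different timestamp pattern) and uses constructed sample lines with documentation-range IPs. It only counts an "Accepted ..." message when the logging program is sshd, then applies the same rule to the reporter's second goal, building a ban candidate list from failed attempts while excluding IPs that have a genuine successful login.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable

# Constructed sample of a traditional-format auth.log (assumption: this layout, not RFC 3339).
# Line 1 is a real sshd login; lines 2 and 3 merely quote the keyword inside a sudo COMMAND
# field and a cron job, which is exactly what a keyword-only grep mistakes for a login.
SAMPLE_LOG = [
    "Dec 12 11:20:08 localhost sshd[2141]: Accepted publickey for root from 203.0.113.10 port 50122 ssh2: ED25519 SHA256:AAAA",
    "Dec 12 11:29:33 localhost sudo:     root : TTY=pts/1 ; PWD=/data/banip ; USER=root ; COMMAND=/usr/bin/grep Accepted publickey /var/log/auth.log",
    "Dec 12 11:30:01 localhost CRON[2200]: (root) CMD (/data/banip/extract.sh 'Accepted publickey')",
    "Dec 12 11:31:05 localhost sshd[2210]: Failed password for invalid user admin from 198.51.100.7 port 41000 ssh2",
    "Dec 12 11:31:09 localhost sshd[2212]: Invalid user oracle from 198.51.100.8 port 41002",
    "Dec 12 11:32:00 localhost sshd[2220]: Failed password for root from 203.0.113.10 port 50130 ssh2",
]

# Syslog envelope: timestamp, host, program with optional [pid], then the message.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<prog>[A-Za-z0-9_.\-/]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)
# sshd success message, anchored at the start of the message body.
ACCEPTED_RE = re.compile(
    r"^Accepted (?P<method>publickey|password|keyboard-interactive/pam) "
    r"for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)
# sshd failure messages that identify a remote address.
FAILED_RE = re.compile(
    r"^(?:Failed password for (?:invalid user )?\S+|Invalid user \S+) from (?P<ip>\S+) port \d+"
)


@dataclass(frozen=True)
class Login:
    ts: str
    user: str
    ip: str
    method: str


def naive_successful_logins(lines: Iterable[str]) -> list[str]:
    """Keyword-only approach the thread describes: any line containing the keyword counts.

    Returns the raw lines it would report, including the sudo and cron false positives.
    """
    return [l for l in lines if "Accepted publickey" in l or "Accepted password" in l]


def _sshd_messages(lines: Iterable[str]) -> Iterable[str]:
    """Yield message bodies of lines that were actually logged by sshd."""
    for line in lines:
        m = SYSLOG_RE.match(line)
        if m and m.group("prog") == "sshd":
            yield m.group("ts"), m.group("msg")


def successful_logins(lines: Iterable[str]) -> list[Login]:
    """Report only genuine sshd 'Accepted' events, ignoring other programs that quote the text."""
    out: list[Login] = []
    for ts, msg in _sshd_messages(lines):
        a = ACCEPTED_RE.match(msg)
        if a:
            out.append(Login(ts, a.group("user"), a.group("ip"), a.group("method")))
    return out


def candidate_ban_ips(lines: Iterable[str]) -> set[str]:
    """IPs with sshd failures, minus IPs that also have a genuine successful login.

    This mirrors the reporter's blacklist idea; see the caveat in the usage note.
    """
    lines = list(lines)
    failed = {f.group("ip") for _, msg in _sshd_messages(lines) if (f := FAILED_RE.match(msg))}
    accepted = {l.ip for l in successful_logins(lines)}
    return failed - accepted


if __name__ == "__main__":
    print("keyword-only matches:", len(naive_successful_logins(SAMPLE_LOG)))
    for login in successful_logins(SAMPLE_LOG):
        print("real login:", login)
    print("ban candidates:", sorted(candidate_ban_ips(SAMPLE_LOG)))
```

On the sample, the keyword-only scan reports three "logins" while the program-aware parser reports one, from 203.0.113.10. Two practitioner caveats: the exclusion in candidate_ban_ips means an attacker who eventually succeeds is never banned by this script, so it should be paired with alerting on every genuine Accepted line from an unexpected address; and anything that ends up in a sudo COMMAND field or a cron CMD is attacker-influenced text from the parser's point of view, so a log viewer must never treat a substring match as an event.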

The latest version, v2.0.11, has added filtering of abnormal SSH log entries.

ssongliu avatar Sep 25 '25 02:09 ssongliu