[Bug] After manually banning an IP, the SSH login log shows a successful login, and I thought I had been successfully intruded. #7335

Open
uinpc opened this issue Dec 11, 2024 · 9 comments

@uinpc

uinpc commented Dec 11, 2024

Contact Information

No response

1Panel Version

1.10.21-lts

Problem Description

After manually banning an IP, the SSH login log shows a successful login; I thought my key had been stolen.
A semicolon can also show up as a successful login, which is really strange.

Steps to Reproduce

fail2ban-client set sshd banip 106.55.203.129 (manual banip)

The expected correct result

No response

Related log output

root@VM-0-15-ubuntu:/data/banip# sudo grep "81.69.102.153" /var/log/auth.log
Dec 10 21:39:26 localhost sudo:     root : TTY=pts/1 ; PWD=/data ; USER=root ; COMMAND=/usr/sbin/ufw deny from 81.69.102.153
Dec 10 21:39:26 localhost sudo:     root : TTY=pts/1 ; PWD=/data ; USER=root ; COMMAND=/usr/local/bin/fail2ban-client set sshd banip 81.69.102.153
Dec 11 02:56:34 localhost sudo:     root : TTY=pts/1 ; PWD=/data ; USER=root ; COMMAND=/usr/local/bin/fail2ban-client set sshd banip 81.69.102.153
Dec 11 21:50:47 localhost sudo:     root : TTY=pts/1 ; PWD=/data/banip ; USER=root ; COMMAND=/usr/bin/grep 81.69.102.153 /var/log/auth.log
root@VM-0-15-ubuntu:/data/banip# sudo grep "106.55.203.129" /var/log/auth.log
Dec 10 21:38:58 localhost sudo:     root : TTY=pts/1 ; PWD=/data ; USER=root ; COMMAND=/usr/sbin/ufw deny from 106.55.203.129
Dec 10 21:38:59 localhost sudo:     root : TTY=pts/1 ; PWD=/data ; USER=root ; COMMAND=/usr/local/bin/fail2ban-client set sshd banip 106.55.203.129
Dec 11 02:56:22 localhost sudo:     root : TTY=pts/1 ; PWD=/data ; USER=root ; COMMAND=/usr/local/bin/fail2ban-client set sshd banip 106.55.203.129
Dec 11 21:51:17 localhost sudo:     root : TTY=pts/1 ; PWD=/data/banip ; USER=root ; COMMAND=/usr/bin/grep 106.55.203.129 /var/log/auth.log

Additional Information

No response

@wanghe-fit2cloud wanghe-fit2cloud changed the title [Bug] 手动banip,在SSH登录日志里显示成功登录,还以为被成功入侵了 [Bug] Manually banip, the SSH login log shows successful login, and I thought I was successfully invaded. Dec 11, 2024
@ssongliu
Member

Thanks for the feedback. Please send a screenshot of the output of cat /var/log/auth.log | grep -a Accepted

@uinpc
Author

uinpc commented Dec 12, 2024

Looking at the log via the command, the only successful login is from my IP, and the "semicolon" successful login was also caused by a single command.


@ssongliu
Member

ssongliu commented Dec 12, 2024

Please add me so I can take a remote look at this problem; the login log is a bit strange.
Did you create a scheduled task that adds to fail2ban? Please describe the exact steps you took.

@uinpc
Author

uinpc commented Dec 12, 2024

I only managed to reproduce the "semicolon successful login" log entry:
sudo grep 'Accepted publickey' /var/log/auth.log
The panel's SSH login log probably extracts successful logins by the keyword 'Accepted publickey'.
The 6 scheduled-task records that appear in the log are because I forgot to change the blacklist output path in the script.
As for the script the scheduled task runs, it also extracts the IPs from Accepted publickey lines.
My idea is to blacklist every IP in auth.log that shows attack behaviour,
so I need to exclude the Accepted publickey IPs.
Some IPs attack only once and fail2ban won't blacklist them on its own, so I wrote a script.

I could not reproduce the successful-login log from the manual banip.
From the logs, those two IPs have no attack records.
The command at the time was this:
sudo ufw deny from 81.69.102.153 sudo ufw deny from 106.55.203.129 sudo fail2ban-client set sshd banip 81.69.102.153 sudo fail2ban-client set sshd banip 106.55.203.129


@ssongliu
Member

I only managed to reproduce the "semicolon successful login" log entry: sudo grep 'Accepted publickey' /var/log/auth.log The panel's SSH login log probably extracts successful logins by the keyword 'Accepted publickey'. The 6 scheduled-task records that appear in the log are because I forgot to change the blacklist output path in the script. As for the script the scheduled task runs, it also extracts the IPs from Accepted publickey lines. My idea is to blacklist every IP in auth.log that shows attack behaviour, so I need to exclude the Accepted publickey IPs. Some IPs attack only once and fail2ban won't blacklist them on its own, so I wrote a script.

I could not reproduce the successful-login log from the manual banip. From the logs, those two IPs have no attack records. The command at the time was this: sudo ufw deny from 81.69.102.153 sudo ufw deny from 106.55.203.129 sudo fail2ban-client set sshd banip 81.69.102.153 sudo fail2ban-client set sshd banip 106.55.203.129

In a later version, when filtering normal requests directly, we will consider adding 'Accepted password' or 'Accepted publickey'.
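As an added example (not 1Panel's code), this contrasts the bare keyword match the thread describes with a match anchored on the sshd process tag and message format; the log lines are constructed, with the sudo entry modelled on the ones in this issue:

```python
import re

# Constructed sample of /var/log/auth.log lines (documentation-range IPs, not a real host).
# Line 3 has the shape of the sudo entries in this issue: running
# `sudo grep 'Accepted publickey' /var/log/auth.log` is itself logged by sudo,
# with the search phrase inside COMMAND=, so a plain keyword search finds it later.
SAMPLE_AUTH_LOG = """\
Dec 12 11:20:01 localhost sshd[1234]: Accepted publickey for ubuntu from 203.0.113.10 port 51522 ssh2: ED25519 SHA256:constructedfingerprint
Dec 12 11:20:05 localhost sshd[1240]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2
Dec 12 11:21:00 localhost sudo:     root : TTY=pts/1 ; PWD=/data ; USER=root ; COMMAND=/usr/bin/grep Accepted publickey /var/log/auth.log
Dec 12 11:21:30 localhost sudo:     root : TTY=pts/1 ; PWD=/data ; USER=root ; COMMAND=/usr/local/bin/fail2ban-client set sshd banip 106.55.203.129
Dec 12 11:22:10 localhost sshd[1300]: Accepted password for deploy from 203.0.113.11 port 51600 ssh2
"""


def naive_success_lines(log_text: str) -> list[str]:
    """Substring match, as the issue suggests the panel does: any line that
    contains the phrase counts, including sudo's record of the grep command."""
    return [ln for ln in log_text.splitlines()
            if "Accepted publickey" in ln or "Accepted password" in ln]


# Anchored on the sshd process tag and the full sshd message layout, so a
# sudo line (whose fields are separated by " ; ") can never match, whatever
# its COMMAND= contains.
SSHD_ACCEPTED = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>publickey|password|keyboard-interactive/pam) "
    r"for (?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port (?P<port>\d+) ssh2"
)


def sshd_successful_logins(log_text: str) -> list[dict]:
    """Return one record per genuine sshd 'Accepted ...' line."""
    found = []
    for ln in log_text.splitlines():
        m = SSHD_ACCEPTED.match(ln)
        if m:
            found.append({k: m.group(k) for k in ("ts", "method", "user", "ip", "port")})
    return found


if __name__ == "__main__":
    print("naive keyword hits:", len(naive_success_lines(SAMPLE_AUTH_LOG)))  # 3
    for rec in sshd_successful_logins(SAMPLE_AUTH_LOG):                      # 2 records
        print(rec)
```

The naive search reports three "successful logins", one of which is the operator's own grep; the anchored parser reports only the two sshd entries.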

