
< OS: 4 Ubuntu VPSs under attack: nginx, part 3 > The process of recording, analysing and defending: configuring ufw and Fail2Ban to protect hosts on the network

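Preface:

This post continues the previous two:

< OS: 4 Ubuntu VPSs under attack: ssh > The process of recording, analysing and defending: configuring ufw, Fail2Ban and iptables to protect hosts on the network - CSDN blog

< OS: 4 Ubuntu VPSs under attack: nginx > The process of recording, analysing and defending: configuring ufw, Fail2Ban and iptables to protect hosts on the network

The previous two posts described defending ssh and NGINX with iptables. This post uses ufw instead of iptables and builds the defence from nginx + ufw.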

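Nginx is under attack (hands-on: BJN)

Network attacks can be spotted in the following ways:

  • Check the access log
  • Check the error log
  • Analyse abnormal access patterns

sudo tail -n 200 /var/log/nginx/access.log
sudo tail -n 200 /var/log/nginx/error.log
sudo grep "404\|403\|500" /var/log/nginx/access.log | tail -50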

The details are much the same as in https://blog.csdn.net/davenian/article/details/148951362 and are not repeated here.

The main changes are:

  • the nginx sites files
  • jail.local
  • adding filters to fail2ban/filter.d (same as in the previous post)
  • mv /etc/fail2ban/filter.d/nginx-bjt-scan.conf /etc/fail2ban/filter.d/nginx-bjn-scan.conf
  • change bjt->bjn in /etc/fail2ban/filter.d/nginx-bjn-scan.conf
  • 3 new detections for xfd.bestherbs.com
    • xfd-api-abuse.conf
    • xfd-scrape-abuse.conf
    • xfd-scan.conf

Newly added filters:

xfd-api-abuse.conf

[Definition]
# XFD API abuse detection - monitors excessive API usage
# This detects rapid API calls from the same IP that might indicate automated abuse
# In nginx's default "combined" log format the status code follows the quoted request directly.
failregex = ^<HOST> .* "(?:GET|POST) /api/[^"]*" (?:200|201|400|401|403|404|429|500) .*$

# Ignore legitimate health checks and normal API usage patterns
# (the logged request continues with " HTTP/1.1" after the path)
ignoreregex = ^<HOST> .* "(?:GET|POST) /api/health(?: |\?)[^"]*" .*$

xfd-scan.conf

[Definition]
# XFD specific scan detection - combines general and application-specific patterns
# Note: the /[a-zA-Z0-9]{4,8} pattern also matches ordinary short paths
# (for example /about or /static/...), so check it against the site's real URLs.
failregex = ^<HOST> .* "(GET|POST) [^"]*(?:phpinfo|\.env|\.git|admin|config|backup|uploads|\.aws|debug|status|system_info|diagnostics|test\.php|info\.php)[^"]*" .*$
            ^<HOST> .* "(GET|POST) [^"]*(?:partymgr|jasperserver|solr|owncloud|geoserver|WebInterface|aspera|zabbix)[^"]*" .*$
            ^<HOST> .* "(GET|POST) [^"]*(?:login\.html|login\.do|login\.jsp|authLogin\.cgi|AppsLocalLogin\.jsp)[^"]*" .*$
            ^<HOST> .* "(GET|POST) [^"]*(?:Telerik\.Web\.UI|sitecore\.version\.xml|cgi-bin|showLogin\.cc|xmldata)[^"]*" .*$
            ^<HOST> .* "(GET|POST) [^"]*(?:var/www|tmp|logs|data|node_modules|\.docker|\.github)[^"]*" .*$
            ^<HOST> .* "(GET|POST) /[a-zA-Z0-9]{4,8}(?:\s|/|$)[^"]*" .*$
            ^<HOST> .* "[^"]*(?:wget|chmod|/tmp/|Mozi\.m|mstshash)[^"]*".*$
            ^<HOST> .* "(?:GET|POST) [^"]*(?:wordpress|wp-admin|wp-login|drupal|joomla|phpmyadmin)" .*$
            ^<HOST> .* "(?:GET|POST) [^"]*(?:sugar_version\.json|cf_scripts|favicon-32x32\.png|identity)" .*$
            ^<HOST> .* "(?:GET|POST) [^"]*(?:helpdesk|internal_forms_authentication|PTZOptics)" .*$
            ^<HOST> .* "(GET|POST) [^"]*(?:eval-stdin\.php|vendor/phpunit|actuator|node_modules)[^"]*" .*$

ignoreregex =

xfd-scrape-abuse.conf

[Definition]
# XFD scraping endpoint abuse detection
# Monitors the specific scraping endpoints for excessive usage
# In nginx's default "combined" log format the status code follows the quoted request directly.
failregex = ^<HOST> .* "(?:GET|POST) /api/(?:scrape|batch_scrape|task_status)[^"]*" (?:200|201|400|401|403|404|429|500) .*$

ignoreregex =

Example: nginx: bjn.halaldeli.cn

server {
    listen 443 ssl http2;
    server_name bjn.halaldeli.cn;

    # Hide the Nginx version
    server_tokens off;

    # SSL Configuration
    ssl_certificate /etc/letsencrypt/cert/bjn.halaldeli.cn/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/cert/bjn.halaldeli.cn/privkey.pem;

    # SSL Settings
    ssl_session_cache shared:le_nginx_SSL:10m;
    ssl_session_timeout 1440m;
    ssl_session_tickets off;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";

    # Security headers - enhanced
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "no-referrer-when-downgrade" always;
    add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;

    # Connection limit (zone is defined in nginx.conf)
    limit_conn bjn_conn 20;

    # Client upload limits
    client_max_body_size 50M;
    client_body_timeout 10s;
    client_header_timeout 10s;

    # Timeouts
    proxy_connect_timeout 60s;
    proxy_send_timeout 60s;
    proxy_read_timeout 60s;

    # Logs
    access_log /var/log/nginx/bjn.halaldeli.cn.access.log;
    error_log /var/log/nginx/bjn.halaldeli.cn.error.log;

    # Block malicious User-Agents
    if ($http_user_agent ~* (wget|curl|python|scanner|bot|sqlmap|nikto|masscan|nmap|gobuster|dirbuster)) {
        return 403;
    }

    # Block unwanted request methods
    if ($request_method !~ ^(GET|HEAD|POST|PUT|DELETE|OPTIONS)$ ) {
        return 405;
    }

    # Block common attack paths - highest priority
    location ~ ^/(admin|phpinfo|phpmyadmin|wp-admin|wp-login|mysql|solr|geoserver|jasperserver|owncloud|partymgr|zabbix|aspera|telerik)(?:/.*)?$ {
        limit_req zone=bjn_strict burst=1 nodelay;
        deny all;
        return 404;
    }

    # Block sensitive files and directories
    location ~ /\.(env|git|docker|aws|svn|bzr|hg) {
        deny all;
        return 404;
    }

    location ~ \.(sql|log|ini|conf|bak|old|tmp|backup)$ {
        deny all;
        return 404;
    }

    # Block scans for specific extensions
    location ~ \.(jsp|do|cgi|exp|asp|aspx|cfm|pl)$ {
        deny all;
        return 404;
    }

    # Block random-string scans - FIXED LINE
    location ~ "^/[a-zA-Z0-9]{4,8}$" {
        deny all;
        return 404;
    }

    # Block directory traversal attempts
    location ~ \.\./.*$ {
        deny all;
        return 404;
    }

    # Static file caching - high priority
    location ~* \.(css|js|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
        root /var/www/bjn.halaldeli.cn/app;
        expires 30d;
        add_header Cache-Control "public, immutable";
        add_header Vary Accept-Encoding;
        access_log off;

        # Prevent script execution in the static file directory
        location ~* \.(php|pl|py|jsp|asp|sh|cgi)$ {
            deny all;
        }
    }

    # Static file directory
    location /static/ {
        alias /var/www/bjn.halaldeli.cn/app/static/;
        expires 30d;
        add_header Cache-Control "public";
        access_log off;
        try_files $uri =404;

        # Security: do not execute scripts
        location ~* \.(php|pl|py|jsp|asp|sh|cgi)$ {
            deny all;
        }
    }

    # Upload directory - strict security controls
    location /uploads/ {
        alias /var/www/bjn.halaldeli.cn/app/static/uploads/;
        expires 7d;
        add_header Cache-Control "public";
        access_log off;

        # Allow only specific file types
        location ~* \.(jpg|jpeg|png|gif|pdf|doc|docx|txt)$ {
            try_files $uri =404;
        }

        # Strictly forbid script execution
        location ~* \.(php|pl|py|jsp|asp|sh|cgi|exe|bat)$ {
            deny all;
            return 404;
        }

        # Deny all other file types by default
        location ~ .* {
            deny all;
            return 404;
        }
    }

    # Image directory
    location /images/ {
        alias /var/www/bjn.halaldeli.cn/images/;
        expires 7d;
        add_header Cache-Control "public";
        access_log off;
        autoindex off;

        # Allow only image files
        location ~* \.(jpg|jpeg|png|gif|svg|webp)$ {
            try_files $uri =404;
        }

        # Deny other file types
        location ~ .* {
            deny all;
            return 404;
        }
    }

    # API proxy - with rate limiting
    location /api/ {
        limit_req zone=bjn_api burst=50 nodelay;
        proxy_pass http://127.0.0.1:8882;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Port $server_port;

        # API timeouts
        proxy_connect_timeout 30s;
        proxy_send_timeout 30s;
        proxy_read_timeout 30s;

        # Hide backend headers
        proxy_hide_header X-Powered-By;
        proxy_hide_header Server;
    }

    # Health check endpoint
    # Note: regex locations are tried before this prefix location is used, and
    # "^/[a-zA-Z0-9]{4,8}$" above matches /health, so that block answers it with 404.
    location /health {
        limit_req zone=bjn_general burst=5 nodelay;
        proxy_pass http://127.0.0.1:8660/health;
        proxy_set_header Host $host;
        access_log off;
    }

    # Admin panel - strict access control
    # Note: the regex location for ^/(admin|...) above also matches /admin/...
    # and wins over this prefix location, so this block is not reached as written.
    location /admin/ {
        limit_req zone=bjn_admin burst=5 nodelay;

        # IP allow-list (uncomment and set your admin IP)
        # allow 192.168.1.0/24;
        # allow 10.0.0.0/8;
        # allow YOUR_ADMIN_IP;
        # deny all;

        # Extra security header
        add_header X-Admin-Access "restricted" always;

        proxy_pass http://127.0.0.1:8660;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Port $server_port;

        # Hide server information
        proxy_hide_header X-Powered-By;
        proxy_hide_header Server;
    }

    # Block common scan paths
    location ~ ^/(config|backup|logs|data|tmp|var|etc|proc|sys|root)/ {
        deny all;
        return 404;
    }

    # Deny access to hidden files
    location ~ /\. {
        deny all;
        access_log off;
        log_not_found off;
    }

    # Deny access to configuration files
    location ~ \.(env|log|ini|conf)$ {
        deny all;
        access_log off;
        log_not_found off;
    }

    # robots.txt and sitemap.xml (if present)
    location = /robots.txt {
        proxy_pass http://127.0.0.1:8660;
        access_log off;
    }

    location = /sitemap.xml {
        proxy_pass http://127.0.0.1:8660;
        access_log off;
    }

    # Main application proxy - handled last, with rate limiting
    location / {
        limit_req zone=bjn_general burst=20 nodelay;
        proxy_pass http://127.0.0.1:8660;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Port $server_port;

        # WebSocket support
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        # Buffering
        proxy_buffering on;
        proxy_buffer_size 128k;
        proxy_buffers 4 256k;
        proxy_busy_buffers_size 256k;

        # Hide backend server information
        proxy_hide_header X-Powered-By;
        proxy_hide_header Server;
    }
}

# Redirect HTTP to HTTPS
server {
    listen 80;
    server_name bjn.halaldeli.cn;

    # Hide the version
    server_tokens off;

    # Basic rate limit (zone is defined in nginx.conf)
    limit_req zone=bjn_http burst=10 nodelay;

    # For Let's Encrypt validation
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
        allow all;
    }

    # Block common attack paths
    location ~ ^/(admin|phpinfo|phpmyadmin|wp-admin|wp-login)/ {
        return 444;  # close the connection without a response
    }

    # Block sensitive files
    location ~ /\.(env|git|docker) {
        return 444;
    }

    # Redirect everything else to HTTPS
    location / {
        return 301 https://$host$request_uri;
    }
}

fail2ban + ufw configuration:

The sites to protect:

bjn.daven.us

bjn.halaldeli.cn

bjn.bestherbs.cn

[DEFAULT]
bantime = -1
findtime = 1800
maxretry = 3
backend = auto
banaction = ufw
banaction_allports = ufw
ignoreip = 127.0.0.1/8 ::1

[sshd]
enabled = true
port = 9922
filter = sshd
logpath = /var/log/auth.log
backend = auto
bantime = -1
findtime = 1800
maxretry = 3
action = ufw[name=SSH, port=9922, protocol=tcp]

[ssh-scanner]
enabled = true
port = 9922
filter = ssh-scanner
logpath = /var/log/auth.log
maxretry = 2
bantime = -1
findtime = 600
action = ufw[name=SSH-SCANNER, port=9922, protocol=tcp]

[nginx-scan]
enabled = true
port = http,https,7033
logpath = /var/log/nginx/access.log
          /var/log/nginx/error.log
          /var/log/nginx/*.access.log
filter = nginx-scan
maxretry = 2
bantime = -1
findtime = 300
action = ufw[name=nginx-scan, port="http,https,7033", protocol=tcp]

[nginx-404-scan]
enabled = true
port = http,https,7033
logpath = /var/log/nginx/error.log
          /var/log/nginx/*.error.log
filter = nginx-404-scan
maxretry = 10
bantime = -1
findtime = 600
action = ufw[name=nginx-404-scan, port="http,https,7033", protocol=tcp]

[nginx-bjn-scan]
enabled = true
port = http,https
logpath = /var/log/nginx/bjn.bestherbs.cn.access.log
filter = nginx-bjn-scan
maxretry = 3
bantime = -1
findtime = 600
action = ufw[name=nginx-bjn-scan, port="http,https", protocol=tcp]

[nginx-bjndavenus-scan]
enabled = false
port = 7033,http,https
logpath = /var/log/nginx/bjn.daven.us.access.log
filter = nginx-bjndavenus-scan
maxretry = 1
bantime = -1
findtime = 300
action = ufw[name=nginx-bjn-scan, port="7033,http,https", protocol=tcp]

[DDD-access-protection]
enabled = true
port = 7033
filter = v2ray-access
logpath = /var/log/DDD/access.log
maxretry = 3
bantime = -1
findtime = 600
action = ufw[name=DDD-access, port="7033", protocol=tcp]

[DDD-error-protection]
enabled = true
port = 7033
filter = DDD-error
logpath = /var/log/DDD/error.log
maxretry = 1
bantime = -1
findtime = 300
action = ufw[name=DDD-error, port="7033", protocol=tcp]

[v2ray-connection-limit]
enabled = true
port = 7033
filter = DDD-connection-limit
logpath = /var/log/DDD/access.log
maxretry = 20
bantime = -1
findtime = 300
action = ufw[name=DDD-limit, port="7033", protocol=tcp]

# NEW XFD PROTECTION SECTIONS
[xfd-scan-protection]
enabled = true
port = http,https
logpath = /var/log/nginx/xfd.bestherbs.cn.access.log
filter = xfd-scan
maxretry = 3
bantime = -1
findtime = 600
action = ufw[name=xfd-scan, port="http,https", protocol=tcp]

[xfd-404-scan]
enabled = true
port = http,https
logpath = /var/log/nginx/xfd.bestherbs.cn.error.log
filter = nginx-404-scan
maxretry = 8
bantime = -1
findtime = 600
action = ufw[name=xfd-404-scan, port="http,https", protocol=tcp]

[xfd-api-abuse]
enabled = true
port = http,https
logpath = /var/log/nginx/xfd.bestherbs.cn.access.log
filter = xfd-api-abuse
maxretry = 50
bantime = -1
findtime = 300
action = ufw[name=xfd-api-abuse, port="http,https", protocol=tcp]

[xfd-scrape-abuse]
enabled = true
port = http,https
logpath = /var/log/nginx/xfd.bestherbs.cn.access.log
filter = xfd-scrape-abuse
maxretry = 20
bantime = -1
findtime = 300
action = ufw[name=xfd-scrape-abuse, port="http,https", protocol=tcp]

Note: the keyword has been replaced with DEL
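An added example, not part of the original post: a small Python harness that replays constructed nginx log lines through the xfd-api-abuse and xfd-scan patterns and applies each jail's maxretry/findtime, to see which addresses the jails above would ban. It assumes nginx's default combined log format, handles IPv4 only and shortens the xfd-scan alternation; the helper names and sample addresses are made up for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# fail2ban expands <HOST> to a host-capturing group; IPv4 only in this sketch.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
STATUS = r"(?:200|201|400|401|403|404|429|500)"

# Patterns adapted from the page's filters. Assumption: default "combined"
# log format, where the status code directly follows the quoted request.
FILTERS = {
    "xfd-api-abuse": {
        "fail": [r'^<HOST> .* "(?:GET|POST) /api/[^"]*" ' + STATUS + r" .*$"],
        "ignore": [r'^<HOST> .* "(?:GET|POST) /api/health(?: |\?)[^"]*" .*$'],
    },
    "xfd-scan": {  # alternation shortened for the example
        "fail": [
            r'^<HOST> .* "(GET|POST) [^"]*(?:phpinfo|\.env|\.git|wp-login)[^"]*" .*$',
            r'^<HOST> .* "(GET|POST) /[a-zA-Z0-9]{4,8}(?:\s|/|$)[^"]*" .*$',
        ],
        "ignore": [],
    },
}
# Comparison variant with " .* " between the request and the status code.
LOOSE_API = r'^<HOST> .* "(?:GET|POST) /api/[^"]*" .* ' + STATUS + r" .*$"

TS = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]")


def compile_rx(pattern):
    return re.compile(pattern.replace("<HOST>", HOST))


def find_failures(name, lines):
    """Return (host, timestamp) for every line the filter counts as a failure."""
    fail = [compile_rx(p) for p in FILTERS[name]["fail"]]
    ignore = [compile_rx(p) for p in FILTERS[name]["ignore"]]
    hits = []
    for entry in lines:
        if any(rx.search(entry) for rx in ignore):
            continue
        for rx in fail:
            m = rx.search(entry)
            if m:
                stamp = TS.search(entry).group(1)
                hits.append((m.group("host"), datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S")))
                break  # one failure per line, whichever pattern matched
    return hits


def would_ban(name, lines, maxretry, findtime):
    """Hosts that reach maxretry failures within findtime seconds."""
    window, banned = defaultdict(deque), set()
    for host, ts in find_failures(name, lines):
        q = window[host]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()
        if len(q) >= maxretry:
            banned.add(host)
    return banned


def loose_matches(entry):
    return compile_rx(LOOSE_API).search(entry) is not None


def line(ip, t, request, status, size=512, ua="Mozilla/5.0"):
    """Build one constructed combined-format log line."""
    stamp = t.strftime("%d/%b/%Y:%H:%M:%S +0000")
    return f'{ip} - - [{stamp}] "{request} HTTP/1.1" {status} {size} "-" "{ua}"'


T0 = datetime(2025, 6, 29, 10, 0, 0)


def sample_log():
    """Constructed traffic; all addresses are documentation ranges."""
    log = [line("198.51.100.7", T0 + timedelta(seconds=2 * i), "POST /api/scrape", 200)
           for i in range(60)]                      # automated API client
    log += [line("192.0.2.44", T0 + timedelta(seconds=5 * i), "GET /api/health", 200)
            for i in range(60)]                     # health monitor
    for i, path in enumerate(["/about", "/static/app.css", "/login"]):
        log.append(line("203.0.113.9", T0 + timedelta(seconds=i), f"GET {path}", 200))
    for i, path in enumerate(["/.env", "/.git/config", "/wp-login.php"]):
        log.append(line("192.0.2.80", T0 + timedelta(seconds=i), f"GET {path}", 404))
    return log


if __name__ == "__main__":
    log = sample_log()
    print("xfd-api-abuse (50 / 300 s):", would_ban("xfd-api-abuse", log, 50, 300))
    print("xfd-scan      (3 / 600 s): ", would_ban("xfd-scan", log, 3, 600))
    print("loose variant matches a plain 200 line:", loose_matches(log[0]))
```

In this run the ordinary browser at 203.0.113.9 is banned by xfd-scan alongside the scanner, because the 4-8 character path pattern counts /about, /static/... and /login. On a real host, `fail2ban-regex <logfile> <filter.conf>` runs the same kind of check with fail2ban's own matcher.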

Attachment 1: fail2ban-status.sh for bjn

#!/bin/bash

# Enhanced Fail2ban Status Display Script
# Shows banned IPs, attack statistics, and security insights
# Version: 1.2 by Dave and Claude

# Color codes for better visibility
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
PURPLE='\033[0;35m'
CYAN='\033[0;36m'
WHITE='\033[1;37m'
NC='\033[0m' # No Color

# Configuration with better defaults
SHOW_GEOIP=true
MAX_RECENT_BANS=10
LOG_FILE="/var/log/fail2ban.log"
GEO_CACHE_FILE="/tmp/fail2ban_geo_cache"
GEO_CACHE_EXPIRE=86400  # 24 hours in seconds
MAX_PARALLEL_REQUESTS=3  # Reduced for better stability
GEO_TIMEOUT=3  # Increased for better success rate
SCRIPT_NAME=$(basename "$0")

# Trap to cleanup on exit
trap cleanup EXIT INT TERM

cleanup() {
    # Kill any background jobs
    jobs -p | xargs -r kill 2>/dev/null
    # Remove temporary files
    [[ -n "${temp_dir:-}" ]] && rm -rf "$temp_dir" 2>/dev/null
}

# Function to log errors
log_error() {
    echo "$(date '+%Y-%m-%d %H:%M:%S') ERROR: $1" >&2
}

# Enhanced command line handling
show_help() {
    cat << EOF
$SCRIPT_NAME - Enhanced Fail2ban Status Monitor

USAGE:
    $SCRIPT_NAME [OPTIONS]

OPTIONS:
    --help          Show this help message
    --fast          Fast mode (parallel geo lookups, shorter timeout)
    --no-geo        Disable geolocation lookup
    --save          Save report to timestamped file
    --clear-cache   Clear geolocation cache
    --json          Output in JSON format
    --quiet         Suppress non-essential output
    --debug         Enable debug mode

EXAMPLES:
    $SCRIPT_NAME                    # Standard report
    $SCRIPT_NAME --fast --save      # Fast report saved to file
    $SCRIPT_NAME --no-geo --quiet   # Quick status without geo data
EOF
}

# Parse command line arguments
SAVE_REPORT=false
JSON_OUTPUT=false
QUIET_MODE=false
DEBUG_MODE=false

while [[ $# -gt 0 ]]; do
    case $1 in
        --help|-h)
            show_help
            exit 0
            ;;
        --fast)
            SHOW_GEOIP=true
            GEO_TIMEOUT=1
            MAX_PARALLEL_REQUESTS=5
            ;;
        --no-geo)
            SHOW_GEOIP=false
            ;;
        --save)
            SAVE_REPORT=true
            ;;
        --json)
            JSON_OUTPUT=true
            SHOW_GEOIP=false  # Disable geo for JSON to keep it clean
            ;;
        --quiet)
            QUIET_MODE=true
            ;;
        --debug)
            DEBUG_MODE=true
            set -x
            ;;
        --clear-cache)
            if [[ -f "$GEO_CACHE_FILE" ]]; then
                rm "$GEO_CACHE_FILE" && echo "✅ Geolocation cache cleared" || echo "❌ Failed to clear cache"
            else
                echo "⚠️  No cache file found"
            fi
            exit 0
            ;;
        *)
            echo "Unknown option: $1"
            echo "Use --help for usage information"
            exit 1
            ;;
    esac
    shift
done

# Function to print colored output (respects quiet mode)
print_colored() {
    local color=$1
    local text=$2
    if [[ "$JSON_OUTPUT" == "false" ]]; then
        if [[ "$QUIET_MODE" == "false" || "$color" == "$RED" ]]; then
            echo -e "${color}${text}${NC}"
        fi
    fi
}

# Function to debug print
debug_print() {
    [[ "$DEBUG_MODE" == "true" ]] && echo "DEBUG: $1" >&2
}

# Enhanced geo cache functions with better error handling
init_geo_cache() {
    if [[ ! -f "$GEO_CACHE_FILE" ]]; then
        touch "$GEO_CACHE_FILE" 2>/dev/null || {
            log_error "Cannot create geo cache file: $GEO_CACHE_FILE"
            SHOW_GEOIP=false
            return 1
        }
    fi

    # Clean expired cache entries safely
    if [[ -f "$GEO_CACHE_FILE" && -w "$GEO_CACHE_FILE" ]]; then
        local current_time=$(date +%s)
        local temp_cache=$(mktemp) || return 1
        while IFS='|' read -r ip timestamp country org || [[ -n "$ip" ]]; do
            if [[ -n "$timestamp" && -n "$ip" ]] && (( current_time - timestamp < GEO_CACHE_EXPIRE )); then
                echo "$ip|$timestamp|$country|$org" >> "$temp_cache"
            fi
        done < "$GEO_CACHE_FILE"
        mv "$temp_cache" "$GEO_CACHE_FILE" 2>/dev/null || rm -f "$temp_cache"
    fi
}

# Enhanced geo lookup with better error handling and multiple providers
get_country_info() {
    local ip=$1
    local country=""
    local org=""
    # Declared separately so that $? below reflects curl, not `local`
    local info info2

    # Validate IP format
    if [[ ! "$ip" =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
        return 1
    fi

    if [[ "$SHOW_GEOIP" == "true" ]]; then
        # Check cache first
        local cached=$(grep "^$ip|" "$GEO_CACHE_FILE" 2>/dev/null | tail -1 | cut -d'|' -f3-)
        if [[ -n "$cached" ]]; then
            country=$(echo "$cached" | cut -d'|' -f1)
            org=$(echo "$cached" | cut -d'|' -f2)
        else
            # Try multiple geo services for better reliability
            debug_print "Looking up geo info for $ip"

            # Primary: ipinfo.io
            if command -v curl >/dev/null 2>&1; then
                info=$(curl -s --connect-timeout "$GEO_TIMEOUT" --max-time "$GEO_TIMEOUT" \
                    "http://ipinfo.io/${ip}/json" 2>/dev/null)
                if [[ $? -eq 0 && -n "$info" && "$info" != *"error"* ]]; then
                    country=$(echo "$info" | grep -o '"country":"[^"]*"' | cut -d'"' -f4)
                    org=$(echo "$info" | grep -o '"org":"[^"]*"' | cut -d'"' -f4 | cut -d' ' -f2- | head -c 30)
                fi
            fi

            # Fallback: ip-api.com (if first failed)
            if [[ -z "$country" ]] && command -v curl >/dev/null 2>&1; then
                info2=$(curl -s --connect-timeout "$GEO_TIMEOUT" --max-time "$GEO_TIMEOUT" \
                    "http://ip-api.com/json/${ip}?fields=country,org" 2>/dev/null)
                if [[ $? -eq 0 && -n "$info2" && "$info2" != *"fail"* ]]; then
                    country=$(echo "$info2" | grep -o '"country":"[^"]*"' | cut -d'"' -f4)
                    [[ -z "$org" ]] && org=$(echo "$info2" | grep -o '"org":"[^"]*"' | cut -d'"' -f4 | head -c 30)
                fi
            fi

            # Last resort: whois (slower but more reliable)
            if [[ -z "$country" ]] && command -v whois >/dev/null 2>&1; then
                country=$(timeout "$GEO_TIMEOUT" whois "$ip" 2>/dev/null | \
                    grep -i "country:" | head -1 | awk '{print $2}' | tr -d '\r\n')
            fi

            # Cache the result (even if empty)
            cache_geo_info "$ip" "$country" "$org"
        fi
    fi

    # Format output
    if [[ -n "$country" && -n "$org" ]]; then
        echo "($country - $org)"
    elif [[ -n "$country" ]]; then
        echo "($country)"
    else
        echo ""
    fi
}

# Enhanced cache function with error handling
cache_geo_info() {
    local ip=$1
    local country=$2
    local org=$3
    local timestamp=$(date +%s)
    if [[ -w "$GEO_CACHE_FILE" || ! -f "$GEO_CACHE_FILE" ]]; then
        echo "$ip|$timestamp|$country|$org" >> "$GEO_CACHE_FILE" 2>/dev/null
    fi
}

# Enhanced batch geo lookup with better parallel processing
batch_geo_lookup() {
    local ips=("$@")
    temp_dir=$(mktemp -d) || return 1
    local pids=()

    debug_print "Starting batch lookup for ${#ips[@]} IPs"

    # Process IPs in batches
    local count=0
    for ip in "${ips[@]}"; do
        # Check cache first
        local cached=$(grep "^$ip|" "$GEO_CACHE_FILE" 2>/dev/null | tail -1 | cut -d'|' -f3-)
        if [[ -n "$cached" ]]; then
            echo "$ip|$cached" > "$temp_dir/$ip.result"
            continue
        fi

        # Launch background lookup
        {
            local result=$(get_country_info "$ip")
            echo "$ip|$result" > "$temp_dir/$ip.result"
        } &
        pids+=($!)
        count=$((count + 1))

        # Limit concurrent processes
        if [[ $count -ge $MAX_PARALLEL_REQUESTS ]]; then
            debug_print "Waiting for batch of $count processes"
            wait "${pids[@]}"
            pids=()
            count=0
        fi
    done

    # Wait for remaining processes
    [[ ${#pids[@]} -gt 0 ]] && wait "${pids[@]}"

    # Collect and output results
    for ip in "${ips[@]}"; do
        if [[ -f "$temp_dir/$ip.result" ]]; then
            cat "$temp_dir/$ip.result"
        else
            echo "$ip||"  # Empty result
        fi
    done
}

# Enhanced format duration function
format_duration() {
    local seconds=$1
    if [[ ! "$seconds" =~ ^[0-9]+$ ]]; then
        echo "N/A"
        return
    fi
    if (( seconds < 60 )); then
        echo "${seconds}s"
    elif (( seconds < 3600 )); then
        echo "$((seconds/60))m $((seconds%60))s"
    elif (( seconds < 86400 )); then
        echo "$((seconds/3600))h $((seconds%3600/60))m"
    else
        echo "$((seconds/86400))d $((seconds%86400/3600))h"
    fi
}

# Enhanced security validation
is_private_ip() {
    local ip=$1
    [[ "$ip" =~ ^10\. ]] || \
    [[ "$ip" =~ ^192\.168\. ]] || \
    [[ "$ip" =~ ^172\.(1[6-9]|2[0-9]|3[0-1])\. ]] || \
    [[ "$ip" =~ ^127\. ]] || \
    [[ "$ip" =~ ^169\.254\. ]]
}

# JSON output functions
json_escape() {
    local string="$1"
    printf '%s' "$string" | sed 's/\\/\\\\/g; s/"/\\"/g; s/$/\\n/' | tr -d '\n'
}

output_json() {
    local jails_data="$1"
    local total_banned="$2"
    local total_failed="$3"
    local active_jails="$4"
    cat << EOF
{"timestamp": "$(date -Iseconds)","summary": {"active_jails": $active_jails,"total_banned": $total_banned,"total_failed": $total_failed,"fail2ban_status": "running"},"jails": [$jails_data]
}
EOF
}

# Enhanced attack pattern analysis
analyze_attack_patterns() {
    [[ ! -f "$LOG_FILE" || "$QUIET_MODE" == "true" ]] && return

    print_colored "$CYAN" "🔍 Attack Pattern Analysis:"
    echo "   ----------------------------------------"

    # Most targeted services with better parsing
    print_colored "$WHITE" "   Top Targeted Services:"
    if grep -q "Ban " "$LOG_FILE" 2>/dev/null; then
        grep "Ban " "$LOG_FILE" | tail -200 | \
            awk '{for(i=1;i<=NF;i++) if($i ~ /^\[.*\]$/) print $i}' | \
            sed 's/\[//g; s/\]//g' | sort | uniq -c | sort -nr | head -5 | \
            while read -r count service; do
                echo "      📊 $service: $count attacks"
            done
    else
        echo "      📊 No attack data found"
    fi
    echo ""
}

# Main execution starts here
main() {
    # Initial checks
    if [[ $EUID -ne 0 && "$QUIET_MODE" == "false" ]]; then
        print_colored "$YELLOW" "⚠️  Note: Running without root privileges. Some features may be limited."
        echo ""
    fi

    # Check dependencies
    if ! command -v fail2ban-client >/dev/null 2>&1; then
        if [[ "$JSON_OUTPUT" == "true" ]]; then
            echo '{"error": "fail2ban not installed"}'
        else
            print_colored "$RED" "❌ Fail2ban is not installed or not in PATH"
        fi
        exit 1
    fi

    # Check if fail2ban is running
    if ! systemctl is-active --quiet fail2ban 2>/dev/null && ! pgrep -f fail2ban-server >/dev/null; then
        if [[ "$JSON_OUTPUT" == "true" ]]; then
            echo '{"error": "fail2ban not running"}'
        else
            print_colored "$RED" "❌ Fail2ban service is not running"
            print_colored "$YELLOW" "   Try: sudo systemctl start fail2ban"
        fi
        exit 1
    fi

    # Initialize geo cache if needed
    if [[ "$SHOW_GEOIP" == "true" ]]; then
        init_geo_cache
    fi

    # Clear screen for better presentation (unless in quiet/json mode)
    [[ "$QUIET_MODE" == "false" && "$JSON_OUTPUT" == "false" ]] && clear

    # Show header (unless JSON mode)
    if [[ "$JSON_OUTPUT" == "false" ]]; then
        print_colored "$PURPLE" "================================================"
        print_colored "$PURPLE" "🛡️  ENHANCED FAIL2BAN SECURITY STATUS REPORT"
        print_colored "$PURPLE" "================================================"
        print_colored "$GREEN" "📅 Report Time: $(date '+%Y-%m-%d %H:%M:%S')"
        if command -v uptime >/dev/null 2>&1; then
            uptime_info=$(uptime -p 2>/dev/null || uptime | awk '{print $3,$4}' | sed 's/,//')
            print_colored "$GREEN" "⏰ System Uptime: $uptime_info"
        fi
        echo ""
    fi

    # Get jail information
    local jails
    jails=$(fail2ban-client status 2>/dev/null | grep "Jail list:" | cut -d: -f2 | tr ',' '\n' | sed 's/^[ \t]*//; s/[ \t]*$//' | grep -v '^$')
    if [[ -z "$jails" ]]; then
        if [[ "$JSON_OUTPUT" == "true" ]]; then
            output_json "" 0 0 0
        else
            print_colored "$YELLOW" "⚠️  No active jails found"
        fi
        exit 0
    fi

    # Process jails
    local total_banned=0
    local total_failed=0
    local active_jails=0
    local jails_json_data=""

    while IFS= read -r jail; do
        [[ -z "$jail" ]] && continue
        active_jails=$((active_jails + 1))
        debug_print "Processing jail: $jail"

        # Get jail status with error handling
        local status_output
        status_output=$(fail2ban-client status "$jail" 2>/dev/null)
        if [[ $? -ne 0 ]]; then
            log_error "Failed to get status for jail: $jail"
            continue
        fi

        # Extract data safely
        local currently_failed currently_banned total_failed_jail total_banned_jail banned_ips
        currently_failed=$(echo "$status_output" | grep "Currently failed:" | awk '{print $NF}' | grep -o '[0-9]*' || echo "0")
        total_failed_jail=$(echo "$status_output" | grep "Total failed:" | awk '{print $NF}' | grep -o '[0-9]*' || echo "0")
        currently_banned=$(echo "$status_output" | grep "Currently banned:" | awk '{print $NF}' | grep -o '[0-9]*' || echo "0")
        total_banned_jail=$(echo "$status_output" | grep "Total banned:" | awk '{print $NF}' | grep -o '[0-9]*' || echo "0")
        banned_ips=$(echo "$status_output" | grep "Banned IP list:" | cut -d: -f2- | xargs)

        if [[ "$JSON_OUTPUT" == "true" ]]; then
            # Build JSON data
            local banned_ips_json=""
            if [[ -n "$banned_ips" ]]; then
                banned_ips_json=$(echo "$banned_ips" | sed 's/ /","/g; s/^/"/; s/$/"/')
            fi
            [[ -n "$jails_json_data" ]] && jails_json_data+=","
            jails_json_data+="{\"name\":\"$jail\",\"currently_failed\":$currently_failed,\"total_failed\":$total_failed_jail,\"currently_banned\":$currently_banned,\"total_banned\":$total_banned_jail,\"banned_ips\":[$banned_ips_json]}"
        else
            # Display jail information
            print_colored "$BLUE" "🏢 Jail: $jail"
            echo "   ----------------------------------------"
            echo "   📈 Current Failed: $currently_failed"
            echo "   📊 Total Failed: $total_failed_jail"
            if [[ $currently_banned -gt 0 ]]; then
                print_colored "$RED" "   🚫 Currently Banned: $currently_banned"
            else
                print_colored "$GREEN" "   ✅ Currently Banned: $currently_banned"
            fi
            echo "   📋 Total Banned: $total_banned_jail"

            # Display banned IPs with geo info
            if [[ -n "$banned_ips" ]]; then
                print_colored "$RED" "   🔴 Banned IPs:"
                # Convert to array and process
                local ip_array=($banned_ips)
                if [[ "$SHOW_GEOIP" == "true" && ${#ip_array[@]} -gt 3 ]]; then
                    print_colored "$YELLOW" "      🔍 Looking up geolocation data..."
                    # Perform batch lookup
                    while IFS='|' read -r ip geo_data; do
                        [[ -z "$ip" ]] && continue
                        local geo_display=""
                        if [[ -n "$geo_data" && "$geo_data" != "|" ]]; then
                            geo_display=" $geo_data"
                        fi
                        if is_private_ip "$ip"; then
                            print_colored "$YELLOW" "      🏠 $ip (Private Network)$geo_display"
                        else
                            print_colored "$RED" "      🌍 $ip$geo_display"
                        fi
                    done < <(batch_geo_lookup "${ip_array[@]}")
                else
                    # Single IP processing
                    for ip in "${ip_array[@]}"; do
                        local geo_info=""
                        [[ "$SHOW_GEOIP" == "true" ]] && geo_info=$(get_country_info "$ip")
                        if is_private_ip "$ip"; then
                            print_colored "$YELLOW" "      🏠 $ip (Private Network) $geo_info"
                        else
                            print_colored "$RED" "      🌍 $ip $geo_info"
                        fi
                    done
                fi
            else
                print_colored "$GREEN" "   ✅ No banned IPs currently"
            fi
            echo ""
        fi

        # Accumulate statistics
        total_banned=$((total_banned + currently_banned))
        total_failed=$((total_failed + total_failed_jail))
    done <<< "$jails"

    # Output results
    if [[ "$JSON_OUTPUT" == "true" ]]; then
        output_json "$jails_json_data" "$total_banned" "$total_failed" "$active_jails"
    else
        # Display summary
        print_colored "$PURPLE" "================================================"
        print_colored "$WHITE" "📊 Overall Statistics:"
        print_colored "$CYAN" "   🏢 Active Jails: $active_jails"
        if [[ $total_banned -gt 0 ]]; then
            print_colored "$RED" "   🚫 Total Banned IPs: $total_banned"
        else
            print_colored "$GREEN" "   ✅ Total Banned IPs: $total_banned"
        fi
        print_colored "$YELLOW" "   📈 Total Attack Attempts: $total_failed"
        print_colored "$PURPLE" "================================================"

        # Additional analysis
        [[ "$QUIET_MODE" == "false" ]] && analyze_attack_patterns

        # Final status
        echo ""
        if [[ $total_banned -gt 0 ]]; then
            print_colored "$YELLOW" "⚠️  Server is under attack but protection is active"
        else
            print_colored "$GREEN" "🛡️  Server security protection is running normally"
        fi
        print_colored "$PURPLE" "================================================"
    fi

    # Save report if requested
    if [[ "$SAVE_REPORT" == "true" && "$JSON_OUTPUT" == "false" ]]; then
        local report_file="/var/log/fail2ban-report-$(date +%Y%m%d-%H%M%S).txt"
        if bash "$0" --no-geo --quiet > "$report_file" 2>&1; then
            print_colored "$GREEN" "📄 Report saved to: $report_file"
        else
            print_colored "$RED" "❌ Failed to save report"
        fi
    fi
}

# Run main function
main "$@"

Attachment 2: report produced by the monitoring script

================================================
🛡️  ENHANCED FAIL2BAN SECURITY STATUS REPORT
================================================
📅 Report Time: 2025-06-29 10:29:06
⏰ System Uptime: up 2 weeks, 3 hours, 22 minutes

🏢 Jail: nginx-404-scan
   ----------------------------------------
   📈 Current Failed: 0
   📊 Total Failed: 0
   ✅ Currently Banned: 0
   📋 Total Banned: 0
   ✅ No banned IPs currently

🏢 Jail: nginx-bjn-scan
   ----------------------------------------
   📈 Current Failed: 0
   📊 Total Failed: 0
   ✅ Currently Banned: 0
   📋 Total Banned: 0
   ✅ No banned IPs currently

🏢 Jail: nginx-scan
   ----------------------------------------
   📈 Current Failed: 0
   📊 Total Failed: 3
   🚫 Currently Banned: 1
   📋 Total Banned: 1
   🔴 Banned IPs:
      🌍 137.184.121.152 (US)

🏢 Jail: ssh-scanner
   ----------------------------------------
   📈 Current Failed: 1
   📊 Total Failed: 13
   🚫 Currently Banned: 94
   📋 Total Banned: 94
   🔴 Banned IPs:
      🔍 Looking up geolocation data...
      [94 banned IP entries omitted]

🏢 Jail: sshd
   ----------------------------------------
   📈 Current Failed: 0
   📊 Total Failed: 0
   🚫 Currently Banned: 3
   📋 Total Banned: 3
   🔴 Banned IPs:
      🌍 158.51.126.147 (US)
      🌍 206.123.145.237 (US)
      🌍 94.141.122.222 (FI)

🏢 Jail: v2ray-access-protection
   ----------------------------------------
   📈 Current Failed: 0
   📊 Total Failed: 0
   ✅ Currently Banned: 0
   📋 Total Banned: 0
   ✅ No banned IPs currently

🏢 Jail: v2ray-connection-limit
   ----------------------------------------
   📈 Current Failed: 0
   📊 Total Failed: 0
   ✅ Currently Banned: 0
   📋 Total Banned: 0
   ✅ No banned IPs currently

🏢 Jail: v2ray-error-protection
   ----------------------------------------
   📈 Current Failed: 0
   📊 Total Failed: 0
   ✅ Currently Banned: 0
   📋 Total Banned: 0
   ✅ No banned IPs currently

🏢 Jail: xfd-404-scan
   ----------------------------------------
   📈 Current Failed: 0
   📊 Total Failed: 0
   ✅ Currently Banned: 0
   📋 Total Banned: 0
   ✅ No banned IPs currently

🏢 Jail: xfd-api-abuse
   ----------------------------------------
   📈 Current Failed: 0
   📊 Total Failed: 0
   ✅ Currently Banned: 0
   📋 Total Banned: 0
   ✅ No banned IPs currently

🏢 Jail: xfd-scan-protection
   ----------------------------------------
   📈 Current Failed: 0
   📊 Total Failed: 0
   ✅ Currently Banned: 0
   📋 Total Banned: 0
   ✅ No banned IPs currently

🏢 Jail: xfd-scrape-abuse
   ----------------------------------------
   📈 Current Failed: 0
   📊 Total Failed: 0
   ✅ Currently Banned: 0
   📋 Total Banned: 0
   ✅ No banned IPs currently

================================================
📊 Overall Statistics:
   🏢 Active Jails: 12
   🚫 Total Banned IPs: 98
   📈 Total Attack Attempts: 16
================================================
🔍 Attack Pattern Analysis:
   ----------------------------------------
   Top Targeted Services:
      📊 ssh-scanner: 193 attacks
      📊 sshd: 6 attacks
      📊 nginx-scan: 1 attacks

⚠️  Server is under attack but protection is active
================================================

Attachment 3: ufw status output

root@bjn:~# ufw status
Status: active

To                         Action      From
--                         ------      ----
