Background
The sshd log on the server contained the following message.
Exceeded MaxStartups
journalctl -u sshd -f
Running the command above shows a large number of attempted SSH logins.
Installation
apt install fail2ban
- Copy jail.conf to /etc/fail2ban/jail.local and edit the copy
cd /etc/fail2ban/
cp jail.conf jail.local
- Disable IPv6
/etc/fail2ban/fail2ban.conf
- #allowipv6 = auto
+ allowipv6 = false
Check the log
journalctl -u ssh.service -f
Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  `- Total failed: 12
`- Actions
   |- Currently banned: 1
   |- Total banned: 3
   `- Banned IP list: xxx.xxx.xxx.xxx
Adjust the configuration
- If you have changed the SSH port number, update the port setting
- To detect failures from the systemd journal, set backend to systemd
jail.conf
[sshd]
enabled = true
port = 2222
backend = systemd
maxretry = 5
findtime = 600
bantime = 3600
Alternatively, if you use auth.log and the port is still 22, use the following
jail.conf
[sshd]
enabled = true
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
maxretry = 5
findtime = 600
bantime = 3600
systemctl restart fail2ban
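As an added example (not part of the original notes and not fail2ban's own code), this simplified Python model shows how maxretry, findtime and bantime from the [sshd] jail above interact when applied to sshd failure lines. The log line layout, the sample addresses and the function names are assumptions made for illustration; fail2ban's real filter and failure counting differ in detail.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Values from the [sshd] jail on this page.
MAXRETRY, FINDTIME, BANTIME = 5, 600, 3600

# Simplified matcher for one OpenSSH failure message; fail2ban's own sshd
# filter recognises many more variants.
FAIL_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?\S+ from (?P<ip>\S+) port \d+")

def simulate(lines, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """Return [(ip, ban_start, ban_end)] with times as epoch seconds."""
    recent = defaultdict(deque)  # ip -> failure times still inside findtime
    banned_until, bans = {}, []
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue
        ts, ip = datetime.fromisoformat(m["ts"]).timestamp(), m["ip"]
        if banned_until.get(ip, 0) > ts:
            continue  # traffic from a banned address is already dropped
        q = recent[ip]
        q.append(ts)
        while q[0] <= ts - findtime:  # forget failures older than findtime
            q.popleft()
        if len(q) >= maxretry:
            banned_until[ip] = ts + bantime
            bans.append((ip, ts, ts + bantime))
            q.clear()
    return bans

def sample_log():
    """Constructed sample lines (documentation IP ranges, not real data)."""
    fmt = "2025-10-02T15:{:02d}:{:02d}+09:00 host sshd[1000]: {}"
    fail = "Failed password for invalid user admin from {} port 40000 ssh2"
    lines = [fmt.format(0, s, fail.format("203.0.113.7")) for s in range(0, 50, 10)]
    # Five failures, but five minutes apart: never five inside one findtime.
    lines += [fmt.format(m, 0, fail.format("198.51.100.9")) for m in range(5, 30, 5)]
    lines.append(fmt.format(30, 0, "Accepted publickey for root from 192.0.2.1 port 40001 ssh2"))
    return sorted(lines)

if __name__ == "__main__":
    for ip, start, end in simulate(sample_log()):
        print(f"{ip} banned at {datetime.fromtimestamp(start)} for {int(end - start)}s")
```

With the page's values only 203.0.113.7 is banned; calling simulate(sample_log(), findtime=1800) also bans 198.51.100.9, which is the effect to keep in mind when tuning findtime against maxretry.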
Check the status
systemctl status fail2ban
Log
grep ipv fail2ban.conf
# Option: allowipv6
allowipv6 = false
root@proxmox:/etc/fail2ban# /etc/init.d/fail2ban status
● fail2ban.service - Fail2Ban Service
Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; preset: enabled)
Active: active (running) since Thu 2025-10-02 15:23:03 JST; 13min ago
Docs: man:fail2ban(1)
Main PID: 2739684 (fail2ban-server)
Tasks: 5 (limit: 9349)
Memory: 28.7M
CPU: 929ms
CGroup: /system.slice/fail2ban.service
└─2739684 /usr/bin/python3 /usr/bin/fail2ban-server -xf start
Oct 02 15:23:03 proxmox systemd[1]: Started fail2ban.service - Fail2Ban Service.
Oct 02 15:23:04 proxmox fail2ban-server[2739684]: Server ready
Check the ban log
$ fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 5
|  |- Total failed: 6
|  `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 1
   |- Total banned: 1
   `- Banned IP list: xxx.xxx.xxx.xxx
To ban an IP address manually
fail2ban-client set sshd banip xxx.xxx.xxx.xxx
To remove a ban manually
fail2ban-client set sshd unbanip xxx.xxx.xxx.xxx