https://blog.jarao.work/categories/magic/ Recent content in 奇技淫巧 on Jarao's Blog Hugo -- gohugo.io zh-cn Wed, 11 Jun 2025 07:47:44 +0000 https://blog.jarao.work/articles/2025/06/v6-dns/ Wed, 11 Jun 2025 07:47:42 +0000 https://blog.jarao.work/articles/2025/06/v6-dns/ <img src="https://blog.jarao.work/articles/2025/06/v6-dns/cover.jpg" alt="Featured image of post 在OpenWrt上遇到的v6 DNS相关问题" /><p><em>封面PID=126010542</em></p> <p>由于OpenWrt的dhcp服务默认是下发IPv6的dns给客户端的，导致AdguardHome的日志中会出现很多IPv4混杂IPv6的客户端，对于排查问题不是很友好<img src="https://blog.jarao.work/alu/40.png" loading="lazy" >遂决定禁用IPv6的dns下发，让所有客户端只通过IPv4 dns来查询解析。</p> <h2 id="禁用v6-dns服务">禁用v6 DNS服务 </h2><p>根据<a class="link" href="https://openwrt.org/zh/docs/guide-user/base-system/dhcp_configuration#%E4%B8%BA_odhcpd_%E7%A6%81%E7%94%A8_ipv6_dns" target="_blank" rel="noopener" >官方文档</a>介绍，禁用调odhcpd的v6 dns：</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">uci <span class="nb">set</span> dhcp.lan.dns_service<span class="o">=</span><span class="s2">&#34;0&#34;</span> </span></span><span class="line"><span class="cl">uci <span class="nb">set</span> dhcp.lan.ra_dns<span class="o">=</span><span class="s2">&#34;0&#34;</span> </span></span><span class="line"><span class="cl">uci commit dhcp </span></span><span class="line"><span class="cl">service odhcpd restart </span></span></code></pre></td></tr></table> </div> </div><p>同时，修改dhcp下发的dns地址为自建的服务地址，我是直接在op上跑的，所以就是路由器本身：</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">uci -q delete dhcp.lan.dhcp_option </span></span><span class="line"><span class="cl">uci add_list dhcp.lan.dhcp_option<span class="o">=</span><span class="s2">&#34;6,192.168.1.1&#34;</span> </span></span><span class="line"><span class="cl">uci commit dhcp </span></span><span class="line"><span class="cl">service dnsmasq restart </span></span></code></pre></td></tr></table> </div> </div><p>这样重新连接网络，客户端就不会再拿到IPv6的dns啦。查询也都是走的v4，效果如图：</p> <p><img src="https://blog.jarao.work/articles/2025/06/v6-dns/image.png" width="1206" height="790" srcset="https://blog.jarao.work/articles/2025/06/v6-dns/image_hu_4ca16731e64fd8e6.png 480w, https://blog.jarao.work/articles/2025/06/v6-dns/image_hu_8db97dab5eba1f00.png 1024w" loading="lazy" alt="日志" class="gallery-image" data-flex-grow="152" data-flex-basis="366px" ></p> <h2 id="dns污染问题">DNS污染问题 </h2><p>去年手机换成了小米15，然后发现访问谷歌时不时会出现dns污染，通过查看服务日志发现v4的查询记录均是正常的，没发现返回了错误的ip。最后在v2ex的一贴讨论<sup id="fnref:1"><a href="#fn:1" class="footnote-ref" role="doc-noteref">1</a></sup>中找到了线索，貌似是小米在系统中预设了几个公共DNS，导致有部分场景下DNS泄漏了。</p> <p>解决方法也比较简单，手动设置下DNS重定向就行了，由于我已经使用了AdguardHome代替了dnsmasq监听53端口，因此需要手动配置下防火墙转发：</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl"><span class="c1"># V4 DNS Hijack</span> </span></span><span class="line"><span class="cl">uci add firewall redirect </span></span><span class="line"><span class="cl">uci <span class="nb">set</span> firewall.@redirect<span class="o">[</span>-1<span class="o">]</span>.target<span class="o">=</span><span class="s1">&#39;DNAT&#39;</span> </span></span><span class="line"><span class="cl">uci <span class="nb">set</span> firewall.@redirect<span class="o">[</span>-1<span class="o">]</span>.family<span class="o">=</span><span class="s1">&#39;ipv4&#39;</span> </span></span><span class="line"><span class="cl">uci <span class="nb">set</span> firewall.@redirect<span class="o">[</span>-1<span class="o">]</span>.src<span class="o">=</span><span class="s1">&#39;lan&#39;</span> </span></span><span class="line"><span class="cl">uci <span class="nb">set</span> firewall.@redirect<span class="o">[</span>-1<span class="o">]</span>.src_dport<span class="o">=</span><span class="s1">&#39;53&#39;</span> </span></span><span class="line"><span class="cl">uci <span class="nb">set</span> firewall.@redirect<span class="o">[</span>-1<span class="o">]</span>.name<span class="o">=</span><span class="s1">&#39;DNS&#39;</span> </span></span><span class="line"><span class="cl">uci commit firewall </span></span></code></pre></td></tr></table> </div> </div><p>当然也不能忘了我们亲爱的v6 DNS<img src="https://blog.jarao.work/alu/106.png" loading="lazy" >由于我们没有提供v6服务给客户端，因此针对客户端的v6查询直接禁用即可：</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl"><span class="c1"># V6 DNS Block</span> </span></span><span class="line"><span class="cl">uci add firewall rule </span></span><span class="line"><span class="cl">uci <span class="nb">set</span> firewall.@rule<span class="o">[</span>-1<span class="o">]</span>.src<span class="o">=</span><span class="s1">&#39;lan&#39;</span> </span></span><span class="line"><span class="cl">uci <span class="nb">set</span> firewall.@rule<span class="o">[</span>-1<span class="o">]</span>.dest<span class="o">=</span><span class="s1">&#39;*&#39;</span> </span></span><span class="line"><span class="cl">uci <span class="nb">set</span> firewall.@rule<span class="o">[</span>-1<span class="o">]</span>.family<span class="o">=</span><span class="s1">&#39;ipv6&#39;</span> </span></span><span class="line"><span class="cl">uci <span class="nb">set</span> firewall.@rule<span class="o">[</span>-1<span class="o">]</span>.dest_port<span class="o">=</span><span class="s1">&#39;53&#39;</span> </span></span><span class="line"><span class="cl">uci <span class="nb">set</span> firewall.@rule<span class="o">[</span>-1<span class="o">]</span>.target<span class="o">=</span><span class="s1">&#39;REJECT&#39;</span> </span></span><span class="line"><span class="cl">uci <span class="nb">set</span> firewall.@rule<span class="o">[</span>-1<span class="o">]</span>.name<span class="o">=</span><span class="s1">&#39;DNS6BLOCK&#39;</span> </span></span><span class="line"><span class="cl">uci commit firewall </span></span></code></pre></td></tr></table> </div> </div><h2 id="优先返回ipv4解析">优先返回IPv4解析 </h2><h3 id="问题">问题 </h3><p>我在本地有使用<code>jackett</code> + <code>flaresolverr</code> + <code>sonarr</code>进行pt资源的抓取，自动订阅番剧。<code>flaresolverr</code>可以简单理解为一个代理工具，负责帮我们处理jackett抓取pt资源时遇到的人机校验，主要是cloudflare的。然而flaresolverr要求自身访问的请求环境必须和客户端（<code>jackett</code>）一致，否则可能出现获取cookie无效的情况。</p> <p>在我的设备环境下有个比较尴尬的情况，就是这两服务的容器分别使用了IPv4和IPv6的解析去获取数据，导致没法绕过人机验证。</p> <p>那有什么办法可以解决吗？直接禁用容器IPv6？这会误伤我一些只支持v6的pt站点，比如北邮人。以我的场景，更希望实现的是如果一个域名同时拥有v4和v6地址时，所有客户端只使用v4的解析，但又不影响纯v6域名的访问。</p> <p>问为什么优先使用v4？因为现在国外一些域名的v6路由的异常的逆天抽象。不信？しょうがないなあ，让你看看拷贝漫画cdn域名的路由吧<img src="https://blog.jarao.work/alu/55.png" loading="lazy" >：</p> <p><img src="https://blog.jarao.work/articles/2025/06/v6-dns/image-1.png" width="2204" height="298" srcset="https://blog.jarao.work/articles/2025/06/v6-dns/image-1_hu_8b7a44ecd63f4e64.png 480w, https://blog.jarao.work/articles/2025/06/v6-dns/image-1_hu_f001b235c6354afd.png 1024w" loading="lazy" alt="拷贝漫画v6路由" class="gallery-image" data-flex-grow="739" data-flex-basis="1775px" ></p> <p><img src="https://blog.jarao.work/articles/2025/06/v6-dns/image-3.png" width="996" height="218" srcset="https://blog.jarao.work/articles/2025/06/v6-dns/image-3_hu_40a0eb0d1c23e812.png 480w, https://blog.jarao.work/articles/2025/06/v6-dns/image-3_hu_3d9da0c9c95d2f3e.png 1024w" loading="lazy" alt="拷贝漫画v4路由" class="gallery-image" data-flex-grow="456" data-flex-basis="1096px" ></p> <p>接下来介绍下DNS查询的逻辑。查询由客户端发起，并且由客户端指定查询的记录类型（比如A或AAAA），一般客户端会同时发起两个查询请求，分别查询v6和v4的解析记录，最后由客户端选择一个解析来访问服务（现代客户端一般会优先使用AAAA）。那目前就有两种解法，一是让客户端优先使用v4解析；二是尝试过滤查询结果。</p> <p>让客户端优先使用v4解析，大部分linux可以通过设置对应发行版的解析配置文件来解决，例如debain系的<code>/etc/gai.conf</code>文件<sup id="fnref:2"><a href="#fn:2" class="footnote-ref" role="doc-noteref">2</a></sup>，但是不巧的是这两容器使用的系统为alpine，并不支持配置<sup id="fnref:3"><a href="#fn:3" class="footnote-ref" role="doc-noteref">3</a></sup>，因此第一个方法可以排除。</p> <p>剩下一种方法便是过滤查询结果了，这里的简单思路是在客户端查询AAAA记录时，同时检查域名是否存在A记录，如果存在，则将AAAA的请求拦截并返回空给客户端，这样客户端拿不到AAAA记录，就只能使用A记录了。</p> <h3 id="代码实现">代码实现 </h3><p>这里用Go写了个简单的DNS服务器作过滤，实现这个效果：</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-go" data-lang="go"><span class="line"><span class="cl"><span class="kd">func</span> <span class="nf">HandleDNSRequest</span><span class="p">(</span><span class="nx">writer</span> <span class="nx">dns</span><span class="p">.</span><span class="nx">ResponseWriter</span><span class="p">,</span> <span class="nx">req</span> <span class="o">*</span><span class="nx">dns</span><span class="p">.</span><span class="nx">Msg</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nx">c</span> <span class="o">:=</span> <span class="nb">new</span><span class="p">(</span><span class="nx">dns</span><span class="p">.</span><span class="nx">Client</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nx">c</span><span class="p">.</span><span class="nx">Net</span> <span class="p">=</span> <span class="s">&#34;udp&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="kd">var</span> <span class="nx">upstreamDNS</span> <span class="p">=</span> <span class="o">*</span><span class="nx">UpstreamAddress</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nx">resp</span><span class="p">,</span> <span class="nx">_</span><span class="p">,</span> <span class="nx">err</span> <span class="o">:=</span> <span class="nx">c</span><span class="p">.</span><span class="nf">Exchange</span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">upstreamDNS</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="nx">err</span> <span class="o">!=</span> <span class="kc">nil</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nx">log</span><span class="p">.</span><span class="nf">Printf</span><span class="p">(</span><span class="s">&#34;Query upstream DNS error: %v\n&#34;</span><span class="p">,</span> <span class="nx">err</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">defer</span> <span class="nx">writer</span><span class="p">.</span><span class="nf">WriteMsg</span><span class="p">(</span><span class="nx">resp</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1">// 非标准DNS查询，或结果为空，直接返回</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="nb">len</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">Question</span><span class="p">)</span> <span class="o">!=</span> <span class="mi">1</span> <span class="o">||</span> <span class="nb">len</span><span class="p">(</span><span class="nx">resp</span><span class="p">.</span><span class="nx">Answer</span><span class="p">)</span> <span class="o">==</span> <span class="mi">0</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1">// 非AAAA查询，直接返回</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="nx">req</span><span class="p">.</span><span class="nx">Question</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">Qtype</span> <span class="o">!=</span> <span class="nx">dns</span><span class="p">.</span><span class="nx">TypeAAAA</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1">// 尝试获取域名A记录</span> </span></span><span class="line"><span class="cl"> <span class="nx">m</span> <span class="o">:=</span> <span class="nb">new</span><span class="p">(</span><span class="nx">dns</span><span class="p">.</span><span class="nx">Msg</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nx">m</span><span class="p">.</span><span class="nf">SetQuestion</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">Question</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">Name</span><span class="p">,</span> <span class="nx">dns</span><span class="p">.</span><span class="nx">TypeA</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nx">r</span><span class="p">,</span> <span class="nx">_</span><span class="p">,</span> <span class="nx">err</span> <span class="o">:=</span> <span class="nx">c</span><span class="p">.</span><span class="nf">Exchange</span><span class="p">(</span><span class="nx">m</span><span class="p">,</span> <span class="nx">upstreamDNS</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="nx">err</span> <span class="o">!=</span> <span class="kc">nil</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nx">log</span><span class="p">.</span><span class="nf">Printf</span><span class="p">(</span><span class="s">&#34;Query upstream DNS error: %v\n&#34;</span><span class="p">,</span> <span class="nx">err</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="nb">len</span><span class="p">(</span><span class="nx">r</span><span class="p">.</span><span class="nx">Answer</span><span class="p">)</span> <span class="o">==</span> <span class="mi">0</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="nx">_</span><span class="p">,</span> <span class="nx">rr</span> <span class="o">:=</span> <span class="k">range</span> <span class="nx">r</span><span class="p">.</span><span class="nx">Answer</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="nx">rr</span><span class="p">.</span><span class="nf">Header</span><span class="p">().</span><span class="nx">Rrtype</span> <span class="o">==</span> <span class="nx">dns</span><span class="p">.</span><span class="nx">TypeA</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="c1">// 存在A记录，则将AAAA响应清空</span> </span></span><span class="line"><span class="cl"> <span class="nx">resp</span><span class="p">.</span><span class="nx">Answer</span> <span class="p">=</span> <span class="nb">make</span><span class="p">([]</span><span class="nx">dns</span><span class="p">.</span><span class="nx">RR</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>测试下：</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">$ nslookup -port=5367 www.google.com 127.0.0.1 </span></span><span class="line"><span class="cl">Server: 127.0.0.1 </span></span><span class="line"><span class="cl">Address: 127.0.0.1#5367 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Non-authoritative answer: </span></span><span class="line"><span class="cl">Name: www.google.com </span></span><span class="line"><span class="cl">Address: 142.250.76.132 </span></span></code></pre></td></tr></table> </div> </div><p>嗯~看起来效果不错，接下来再加些缓存优化，减少多次DNS查询带来的耗时：</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-go" data-lang="go"><span class="line"><span class="cl"><span class="kd">func</span> <span class="nf">HandleDNSRequest</span><span class="p">(</span><span class="nx">writer</span> <span class="nx">dns</span><span class="p">.</span><span class="nx">ResponseWriter</span><span class="p">,</span> <span class="nx">req</span> <span class="o">*</span><span class="nx">dns</span><span class="p">.</span><span class="nx">Msg</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="o">...</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="nx">C</span> <span class="o">!=</span> <span class="kc">nil</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="c1">// 先查看缓存是否已有记录</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="nx">hasA</span><span class="p">,</span> <span class="nx">exist</span> <span class="o">:=</span> <span class="nx">C</span><span class="p">.</span><span class="nf">Get</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">Question</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">Name</span><span class="p">);</span> <span class="nx">exist</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="c1">// 是否存在A记录</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="nx">hasA</span><span class="p">.(</span><span class="kt">bool</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nx">resp</span><span class="p">.</span><span class="nx">Answer</span> <span class="p">=</span> <span class="nb">make</span><span class="p">([]</span><span class="nx">dns</span><span class="p">.</span><span class="nx">RR</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="o">...</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="nx">_</span><span class="p">,</span> <span class="nx">rr</span> <span class="o">:=</span> <span class="k">range</span> <span class="nx">r</span><span class="p">.</span><span class="nx">Answer</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="nx">rr</span><span class="p">.</span><span class="nf">Header</span><span class="p">().</span><span class="nx">Rrtype</span> <span class="o">==</span> <span class="nx">dns</span><span class="p">.</span><span class="nx">TypeA</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="c1">// 设置A缓存记录存在</span> </span></span><span class="line"><span class="cl"> <span class="nf">setARecordCache</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">Question</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">Name</span><span class="p">,</span> <span class="kc">true</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nx">resp</span><span class="p">.</span><span class="nx">Answer</span> <span class="p">=</span> <span class="nb">make</span><span class="p">([]</span><span class="nx">dns</span><span class="p">.</span><span class="nx">RR</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="c1">// 设置A缓存记录不存在</span> </span></span><span class="line"><span class="cl"> <span class="nf">setARecordCache</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">Question</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">Name</span><span class="p">,</span> <span class="kc">false</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>完美搞定<img src="https://blog.jarao.work/alu/43.png" loading="lazy" >完整代码可以去看我GitHub的仓库<a class="link" href="https://github.com/WROIATE/dns-filter" target="_blank" rel="noopener" >dns-filter</a>。</p> <div class="footnotes" role="doc-endnotes"> <hr> <ol> <li id="fn:1"> <p><a class="link" href="https://v2ex.com/t/838579" target="_blank" rel="noopener" >MIUI 通过硬编码内置了 DNS？</a>&#160;<a href="#fnref:1" class="footnote-backref" role="doc-backlink">&#x21a9;&#xfe0e;</a></p> </li> <li id="fn:2"> <p><a class="link" href="https://man7.org/linux/man-pages/man5/gai.conf.5.html" target="_blank" rel="noopener" >gai.conf(5) — Linux manual page</a>&#160;<a href="#fnref:2" class="footnote-backref" role="doc-backlink">&#x21a9;&#xfe0e;</a></p> </li> <li id="fn:3"> <p><a class="link" href="https://unix.stackexchange.com/questions/654660/how-to-resolve-ipv4-first-on-alpine-linux" target="_blank" rel="noopener" >How to resolve IPv4 first on Alpine Linux?</a>&#160;<a href="#fnref:3" class="footnote-backref" role="doc-backlink">&#x21a9;&#xfe0e;</a></p> </li> </ol> </div> https://blog.jarao.work/articles/2023/10/fail2ban/ Thu, 19 Oct 2023 08:07:00 +0000 https://blog.jarao.work/articles/2023/10/fail2ban/ <img src="https://blog.jarao.work/articles/2023/10/fail2ban/cover.png" alt="Featured image of post 在OpenWrt上配置Fail2Ban" /><p><em>封面PID=112536466</em></p> <p>前段时间为了排查路由器的一些服务问题，去翻系统日志，发现自己的路由器因为有在公网上被扫了几百次（好家伙，我都换端口了还能扫😅），整个系统日志全是各种ssh连接失败的报错。虽然禁用了密码登录，但是整个日志被刷的太乱，导致正常运维都成问题，属实是伤害不高侮辱性极强了。于是为了保证我的路由器不被这些脚本小子搭讪，开始研究如何使用Fail2Ban来自动拉黑这些扫描的脚本机。</p> <h2 id="安装">安装 </h2><p>这块没什么好说的，不管是官方源还是目前国内普及的lean lede源都有fail2ban的包，直接opkg就行</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">opkg install fail2ban </span></span></code></pre></td></tr></table> </div> </div><p>安装好后在终端中输入<code>which fail2ban-client</code>，验证下是否安装成功，正常的话会输出对应的执行文件路径。</p> <h2 id="配置">配置 </h2><p>默认配置文件目录在<code>/etc/fail2ban</code>。Fail2Ban需要配置两个地方，一个是过滤规则，或者说是正则匹配逻辑；一个是配置具体封禁策略，包含hit次数，日志位置等。</p> <h3 id="过滤规则">过滤规则 </h3><p><code>/etc/fail2ban/filter.d</code>下是项目自带的默认过滤规则，而官方本身OpenWrt的dropbaer规则不能直接使用，不知道是不是因为迭代没跟上还是怎么的，dropbear的日志匹配逻辑对不上，因此需要我们自己修改过滤规则。下面给出我自己配置的规则供参考，把官方的<code>dropbear.conf</code>改了即可：</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-toml" data-lang="toml"><span class="line"><span class="cl"><span class="c"># The standard Dropbear output doesn&#39;t provide enough information to</span> </span></span><span class="line"><span class="cl"><span class="c"># ban all types of attack. The Dropbear patch adds IP address</span> </span></span><span class="line"><span class="cl"><span class="c"># information to the &#39;exit before auth&#39; message which is always</span> </span></span><span class="line"><span class="cl"><span class="c"># produced for any form of non-successful login. It is that message</span> </span></span><span class="line"><span class="cl"><span class="c"># which this file matches.</span> </span></span><span class="line"><span class="cl"><span class="c">#</span> </span></span><span class="line"><span class="cl"><span class="c"># More information: http://bugs.debian.org/546913</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="p">[</span><span class="nx">INCLUDES</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c"># Read common prefixes. If any customizations available -- read them from</span> </span></span><span class="line"><span class="cl"><span class="c"># common.local</span> </span></span><span class="line"><span class="cl"><span class="nx">before</span> <span class="p">=</span> <span class="nx">common</span><span class="p">.</span><span class="nx">conf</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="p">[</span><span class="nx">Definition</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nx">_daemon</span> <span class="p">=</span> <span class="nx">dropbear</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nx">datepattern</span> <span class="p">=</span> <span class="err">^%%</span><span class="nx">a</span> <span class="err">%%</span><span class="nx">b</span> <span class="err">%%</span><span class="nx">d</span> <span class="err">%%</span><span class="nx">H</span><span class="err">:%%</span><span class="nx">M</span><span class="err">:%%</span><span class="nx">S</span> <span class="err">%%</span><span class="nx">Y</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nx">prefregex</span> <span class="p">=</span> <span class="err">^%(</span><span class="nx">__prefix_line</span><span class="err">)</span><span class="nx">s</span><span class="err">&lt;</span><span class="nx">F-CONTENT</span><span class="err">&gt;(?:</span><span class="p">[</span><span class="nx">Ll</span><span class="p">]</span><span class="nx">ogin</span><span class="err">|</span><span class="p">[</span><span class="nx">Bb</span><span class="p">]</span><span class="nx">ad</span><span class="err">|</span><span class="p">[</span><span class="nx">Ee</span><span class="p">]</span><span class="nx">xit</span><span class="err">)</span><span class="p">.</span><span class="err">+&lt;/</span><span class="nx">F-CONTENT</span><span class="err">&gt;$</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nx">failregex</span> <span class="p">=</span> <span class="err">^</span><span class="p">[</span><span class="nx">Ee</span><span class="p">]</span><span class="nx">xit</span> <span class="nx">before</span> <span class="nx">auth</span> <span class="nx">from</span> <span class="err">&lt;&lt;</span><span class="nx">HOST</span><span class="err">&gt;:\</span><span class="nx">d</span><span class="err">+&gt;:\</span><span class="nx">s</span><span class="p">.</span><span class="err">*$</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nx">ignoreregex</span> <span class="p">=</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c"># DEV Notes:</span> </span></span><span class="line"><span class="cl"><span class="c">#</span> </span></span><span class="line"><span class="cl"><span class="c"># The first two regexs here match the unmodified dropbear messages. It isn&#39;t</span> </span></span><span class="line"><span class="cl"><span class="c"># possible to match the source of the &#39;exit before auth&#39; messages from dropbear</span> </span></span><span class="line"><span class="cl"><span class="c"># as they don&#39;t include the &#34;from &lt;HOST&gt;&#34; bit.</span> </span></span><span class="line"><span class="cl"><span class="c">#</span> </span></span><span class="line"><span class="cl"><span class="c"># The second last failregex line we need to match with the modified dropbear.</span> </span></span><span class="line"><span class="cl"><span class="c">#</span> </span></span><span class="line"><span class="cl"><span class="c"># For the second regex the following apply:</span> </span></span><span class="line"><span class="cl"><span class="c">#</span> </span></span><span class="line"><span class="cl"><span class="c"># http://www.netmite.com/android/mydroid/external/dropbear/svr-authpam.c</span> </span></span><span class="line"><span class="cl"><span class="c"># http://svn.dd-wrt.com/changeset/16642#file64</span> </span></span><span class="line"><span class="cl"><span class="c">#</span> </span></span><span class="line"><span class="cl"><span class="c"># http://svn.dd-wrt.com/changeset/16642/src/router/dropbear/svr-authpasswd.c</span> </span></span><span class="line"><span class="cl"><span class="c">#</span> </span></span><span class="line"><span class="cl"><span class="c"># Author: Francis Russell</span> </span></span><span class="line"><span class="cl"><span class="c"># Zak B. Elep</span> </span></span></code></pre></td></tr></table> </div> </div><p>接下来，我们需要把系统日志重定向到系统文件中，使用以下命令操作：</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">mkdir -p /tmp/log </span></span><span class="line"><span class="cl">touch /tmp/log/system.log </span></span><span class="line"><span class="cl">uci <span class="nb">set</span> system.@system<span class="o">[</span>0<span class="o">]</span>.log_file<span class="o">=</span><span class="s1">&#39;/tmp/log/system.log&#39;</span> </span></span><span class="line"><span class="cl">uci commit </span></span></code></pre></td></tr></table> </div> </div><p>这套过滤规则可以过滤出登录失败的主机ip。fail2ban也有专门的命令可以测试配置有效性，可以使用<code>fail2ban-regex /tmp/log/system.log /etc/fail2ban/filter.d/dropbear.conf</code>命令测试过滤匹配是否正确。</p> <p><img src="https://blog.jarao.work/articles/2023/10/fail2ban/image.png" width="1618" height="1220" srcset="https://blog.jarao.work/articles/2023/10/fail2ban/image_hu_79b8d9bc8eae7cd4.png 480w, https://blog.jarao.work/articles/2023/10/fail2ban/image_hu_c86847002c1cc521.png 1024w" loading="lazy" alt="验证规则" class="gallery-image" data-flex-grow="132" data-flex-basis="318px" ></p> <h3 id="封禁策略">封禁策略 </h3><p>随后我们还需要配置封禁策略，这个策略一般是放在<code>/etc/fail2ban/jail.d</code>目录下，我们可以在这个目录下面新建一个策略名为<code>dropbear.local</code>的文件，在其中配置命中策略：</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-toml" data-lang="toml"><span class="line"><span class="cl"><span class="p">[</span><span class="nx">dropbear</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nx">enabled</span> <span class="p">=</span> <span class="kc">true</span> </span></span><span class="line"><span class="cl"><span class="nx">filter</span> <span class="p">=</span> <span class="nx">dropbear</span> </span></span><span class="line"><span class="cl"><span class="c"># port为你对应的ssh端口</span> </span></span><span class="line"><span class="cl"><span class="nx">action</span> <span class="p">=</span> <span class="nx">iptables</span><span class="p">[</span><span class="nx">port</span><span class="p">=</span><span class="mi">22</span><span class="p">,</span> <span class="nx">protocol</span><span class="p">=</span><span class="nx">tcp</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="c"># 上一步创建的日志文件路径</span> </span></span><span class="line"><span class="cl"><span class="nx">logpath</span> <span class="p">=</span> <span class="err">/</span><span class="nx">tmp</span><span class="err">/</span><span class="nx">log</span><span class="err">/</span><span class="nx">system</span><span class="p">.</span><span class="nx">log</span> </span></span><span class="line"><span class="cl"><span class="nx">maxretry</span> <span class="p">=</span> <span class="mi">3</span> </span></span><span class="line"><span class="cl"><span class="nx">bantime</span> <span class="p">=</span> <span class="mi">604800</span> </span></span><span class="line"><span class="cl"><span class="nx">findtime</span> <span class="p">=</span> <span class="mi">86400</span> </span></span></code></pre></td></tr></table> </div> </div><p>这个封禁策略会将在一天内ssh登录失败3次的ip封禁一个星期。</p> <p>最后，我们使用命令<code>fail2ban-client start</code>启动Fail2Ban。</p> <h2 id="效果">效果 </h2><p>使用命令<code>fail2ban-client status dropbear</code>，查看当前dropbear规则的封禁情况</p> <p><img src="https://blog.jarao.work/articles/2023/10/fail2ban/image-1.png" width="2436" height="556" srcset="https://blog.jarao.work/articles/2023/10/fail2ban/image-1_hu_2b00affdf066a071.png 480w, https://blog.jarao.work/articles/2023/10/fail2ban/image-1_hu_466dc6e28791c2b8.png 1024w" loading="lazy" alt="规则状态" class="gallery-image" data-flex-grow="438" data-flex-basis="1051px" ></p> <p>可以看到，这封禁ip的数量还真不少，用ipip查了下，国内国外的都有。</p> <h2 id="进阶">进阶 </h2><h3 id="luci登录封禁">luci登录封禁 </h3><p>既然我们都把dropbear配了登录封禁，那么就顺道给web登录页面也配一个吧😉</p> <p>具体步骤和dropbear一样，由于我用的是nginx作为luci的服务器，而且修改了日志格式，因此以下配置仅供参考。</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-toml" data-lang="toml"><span class="line"><span class="cl"><span class="p">[</span><span class="nx">INCLUDES</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c"># Read common prefixes.If any customizations available -- read them from</span> </span></span><span class="line"><span class="cl"><span class="c"># common.local</span> </span></span><span class="line"><span class="cl"><span class="nx">before</span> <span class="p">=</span> <span class="nx">common</span><span class="p">.</span><span class="nx">conf</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="p">[</span><span class="nx">Definition</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nx">_daemon</span> <span class="p">=</span> <span class="nx">luci</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nx">datepattern</span> <span class="p">=</span> <span class="err">^\</span><span class="p">[</span><span class="err">%%</span><span class="nx">d</span><span class="err">/%%</span><span class="nx">b</span><span class="err">/%%</span><span class="nx">Y</span><span class="err">:%%</span><span class="nx">H</span><span class="err">:%%</span><span class="nx">M</span><span class="err">:%%</span><span class="nx">S</span> <span class="err">\</span><span class="mi">+0800</span><span class="err">\</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nx">prefregex</span> <span class="p">=</span> <span class="err">^</span><span class="p">.</span><span class="err">*</span><span class="nx">POST</span><span class="p">.</span><span class="err">*&lt;</span><span class="nx">F-CONTENT</span><span class="err">&gt;(?:</span><span class="mi">403</span><span class="err">)</span><span class="p">.</span><span class="err">+&lt;/</span><span class="nx">F-CONTENT</span><span class="err">&gt;$</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nx">failregex</span> <span class="p">=</span> <span class="err">^</span><span class="mi">403</span><span class="p">.</span><span class="err">*</span><span class="nx">from</span> <span class="err">&lt;</span><span class="nx">HOST</span><span class="err">&gt;$</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nx">ignoreregex</span> <span class="p">=</span> <span class="err">^</span><span class="mi">403</span><span class="p">.</span><span class="err">*</span><span class="nx">from</span> <span class="mf">127.0</span><span class="p">.</span><span class="mf">0.1</span><span class="err">$</span> </span></span></code></pre></td></tr></table> </div> </div><p>其中过滤规则的ignore是因为luci在第一次进入主页时会触发本地反代403，因此需要忽略。日期格式匹配可能需要自行根据自己的nginx日志进行调整。</p> <p>最后加上封禁策略：</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-toml" data-lang="toml"><span class="line"><span class="cl"><span class="c"># luci web</span> </span></span><span class="line"><span class="cl"><span class="p">[</span><span class="nx">luci</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nx">enabled</span> <span class="p">=</span> <span class="kc">true</span> </span></span><span class="line"><span class="cl"><span class="nx">filter</span> <span class="p">=</span> <span class="nx">luci</span> </span></span><span class="line"><span class="cl"><span class="nx">action</span> <span class="p">=</span> <span class="nx">iptables</span><span class="p">[</span><span class="nx">port</span><span class="p">=</span><span class="nx">https</span><span class="p">,</span> <span class="nx">protocol</span><span class="p">=</span><span class="nx">tcp</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="nx">logpath</span> <span class="p">=</span> <span class="err">/</span><span class="nx">tmp</span><span class="err">/</span><span class="nx">log</span><span class="err">/</span><span class="nx">nginx</span><span class="err">/</span><span class="nx">access</span><span class="p">.</span><span class="nx">log</span> </span></span><span class="line"><span class="cl"><span class="nx">maxretry</span> <span class="p">=</span> <span class="mi">5</span> </span></span><span class="line"><span class="cl"><span class="nx">bantime</span> <span class="p">=</span> <span class="mi">604800</span> </span></span><span class="line"><span class="cl"><span class="nx">findtime</span> <span class="p">=</span> <span class="mi">1800</span> </span></span></code></pre></td></tr></table> </div> </div><p>重启Fail2Ban，收工！</p> https://blog.jarao.work/articles/2022/04/centos-8-eol/ Wed, 06 Apr 2022 02:02:27 +0800 https://blog.jarao.work/articles/2022/04/centos-8-eol/ <img src="https://blog.jarao.work/articles/2022/04/centos-8-eol/cover.jpg" alt="Featured image of post CentOS 8 EOL导致更新源失败" /><p><em>封面PID=97289746</em></p> <h2 id="问题">问题 </h2><p>这两天在自己服务器上安东西的时候突然发现CentOS 8的源更新报错了。</p> <p><img src="https://blog.jarao.work/articles/2022/04/centos-8-eol/img1.png" width="975" height="558" srcset="https://blog.jarao.work/articles/2022/04/centos-8-eol/img1_hu_b277d1e4112d5a6d.png 480w, https://blog.jarao.work/articles/2022/04/centos-8-eol/img1_hu_68e7815b7f205eb5.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="174" data-flex-basis="419px" ></p> <p>一下给我整懵了，记得上次update还是上次，没遇到这问题啊。第一反应是去看看源文件是不是出了什么岔子。</p> <p><img src="https://blog.jarao.work/articles/2022/04/centos-8-eol/img2.png" width="993" height="606" srcset="https://blog.jarao.work/articles/2022/04/centos-8-eol/img2_hu_21223b784161b67b.png 480w, https://blog.jarao.work/articles/2022/04/centos-8-eol/img2_hu_3582311b87d300e4.png 1024w" loading="lazy" class="gallery-image" data-flex-grow="163" data-flex-basis="393px" ></p> <p>然而实际上源文件的源url也是正常的，这就奇怪了，同时也检查了下域名解析的dns，一切正常。这个时候基本可以排除本地问题的可能性了，那还有可能就是官方的源出了什么问题了。</p> <h2 id="原因">原因 </h2><p>之后去官网一看才想起来，CentOS 8之前已经宣布在2021年年底放弃维护了，因此他的官方源也已经失效了&hellip;</p> <p><a class="link" href="https://www.centos.org/centos-linux-eol/" target="_blank" rel="noopener" >原文链接</a></p> <blockquote> <p>CentOS Linux 8 will reach End Of Life (EOL) on December 31st, 2021.<br> This content will be removed from our mirrors, and moved to vault.centos.org where it will be archived permanently, since we will not be able to provide updates to the content after the EOL date.</p></blockquote> <h2 id="解决方法">解决方法 </h2><p>根据通知原文描述，我们可以使用官方的归档源，官方归档域名是<a class="link" href="https://vault.centos.org" target="_blank" rel="noopener" ><em>vault.centos.org</em></a>，只需要把源文件的域名换成归档域名就行了。</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl"><span class="c1"># 在shell中使用sed直接修改所有源的域名</span> </span></span><span class="line"><span class="cl">sed -i <span class="s1">&#39;s/mirrorlist/#mirrorlist/g&#39;</span> /etc/yum.repos.d/CentOS-* </span></span><span class="line"><span class="cl">sed -i <span class="s1">&#39;s|#baseurl=http://mirror.centos.org|baseurl=http://vault.centos.org|g&#39;</span> /etc/yum.repos.d/CentOS-* </span></span></code></pre></td></tr></table> </div> </div><p><img src="https://blog.jarao.work/articles/2022/04/centos-8-eol/img3.png" width="899" height="315" srcset="https://blog.jarao.work/articles/2022/04/centos-8-eol/img3_hu_c5403841d178bb3a.png 480w, https://blog.jarao.work/articles/2022/04/centos-8-eol/img3_hu_6a0d5a53c2eea9a0.png 1024w" loading="lazy" alt="搞定" class="gallery-image" data-flex-grow="285" data-flex-basis="684px" ></p> <p>但是官方论坛的版主还是建议尽快更换系统分支，因为更换归档源并不能解决根本问题，CentOS8后续不再维护才是真正的问题。</p> <blockquote> <p>No. Problem NOT solved. That just switches the repos to vault.centos.org but CentOS 8 is dead and will not receive any more updates. Your solution does not handle that.<br> You need to switch to a different distro, not just point to vault which is already stale and out of date.</p></blockquote> <p>顺带一提，CentOS 7将在2024年结束维护，以后再也没有免费的CentOS给我们用了，CentOS也要成时泪了。</p>