Fail2ban does not analyze the logs, does not ban anyone.


Hi all,

I've been playing with Fail2ban all weekend, but I have the feeling that it isn't running properly; it never bans a single IP.

e.g.: # cat /var/log/mail.log | grep warning -> not the full output, only a fragment of it...

Mar 7 07:24:32 admin postfix/smtpd[28061]: warning: hostname host-92-44-114-112.reverse.superonline.net does not resolve to address 92.44.114.112: Name or
Mar 7 08:58:33 admin postfix/smtpd[2477]: warning: hostname no-reverse-dns-configured.com does not resolve to address 89.248.171.131
Mar 7 08:58:35 admin postfix/smtpd[2477]: warning: unknown[89.248.171.131]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 7 09:30:20 admin postfix/smtpd[5809]: warning: hostname 114.79.160.30.dvois.com does not resolve to address 114.79.160.30: Name or service not known
Mar 7 10:02:20 admin postfix/smtpd[8868]: warning: hostname no-reverse-dns-configured.com does not resolve to address 89.248.171.131
Mar 7 10:02:20 admin postfix/smtpd[8874]: warning: hostname no-reverse-dns-configured.com does not resolve to address 89.248.171.131
Mar 7 10:02:22 admin postfix/smtpd[8868]: warning: unknown[89.248.171.131]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 7 10:02:26 admin postfix/smtpd[8874]: warning: unknown[89.248.171.131]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 7 10:56:26 admin postfix/smtpd[11919]: warning: hostname ip248-156.ibw.com does not resolve to address 187.49.248.156: Name or service not known
Mar 7 10:59:21 admin postfix/smtpd[12056]: warning: hostname main.akare.com.tr does not resolve to address 176.58.88.17: Name or service not known
Mar 7 11:13:43 admin postfix/smtpd[14376]: warning: hostname mail.sintercom.co.in does not resolve to address 114.143.188.236
Mar 7 11:23:53 admin postfix/smtpd[15019]: warning: hostname we.love.servers.at.ioflood.com does not resolve to address 184.164.73.180
Mar 7 11:26:37 admin postfix/smtpd[15078]: warning: hostname abts-north-static-160.136.160.122.airtelbroadband.in does not resolve to address 122.160.136.ot known
Mar 7 11:56:48 admin postfix/smtpd[16783]: warning: hostname 78.187.215.246.static.ttnet.com.tr does not resolve to address 78.187.215.246: Name or servic
Mar 7 11:58:19 admin postfix/smtpd[16783]: warning: hostname no-reverse-dns-configured.com does not resolve to address 89.248.171.131
Mar 7 11:58:21 admin postfix/smtpd[16783]: warning: unknown[89.248.171.131]: SASL LOGIN authentication failed: UGFzc3dvcmQ6

The situation is similar in syslog; in my opinion there are attempts in it, but nothing happens.


# fail2ban-client status
Status
|- Number of jail: 31
`- Jail list: pure-ftpd, sendmail-auth, xinetd-fail, imscp, apache-multiport, apache-overflows, ssh, sasl, apache, apache-noscript, apache-modsecurity, pam-generic, ssh-iptables, postfix, ip-blacklist, apache-nohome, ssh-ddos, thp-ssh, ssh-blocklist, dropbear, mysqld-auth, sasl-iptables, rainloop, ssh-bsd-ipfw, roundcube, apache-tcpwrapper, dovecot, apache-badbots, nginx-http-auth, sendmail-reject, proftpd

Fail2ban runs without errors on my system!

In principle one of these filters should have caught something for fail2ban by now. Instead, the Fail2ban log is empty; it only contains my startup entries next to an Info log entry.

The fail2ban entries are present in my firewall as well.

#iptables -L -n | grep fail2ban
fail2ban-thp-ssh tcp -- 0.0.0.0/0 0.0.0.0/0
fail2ban-ip-blacklist tcp -- 0.0.0.0/0 0.0.0.0/0
fail2ban-imscp tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 8080,4443
fail2ban-mysqld-auth tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 3306
fail2ban-sasl tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 25,465,587,143,220,993,110,995
fail2ban-postfix tcp -- 0.0.0.0/0 0.0.0.0/0
fail2ban-proftpd tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 21,20,990,989
fail2ban-rainloop tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 8080,4443
fail2ban-roundcube tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 8080,4443
fail2ban-apache-noscript tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
fail2ban-apache-multiport tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
fail2ban-apache tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
fail2ban-ssh tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 3791
fail2ban-SSH tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
fail2ban-dovecot tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 110,995,143,993,587,465,4190
fail2ban-BadBots tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
fail2ban-nginx-http-auth tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
fail2ban-apache-nohome tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
fail2ban-apache-overflows tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
fail2ban-apache-modsecurity tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
fail2ban-sasl tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
fail2ban-sendmail-auth tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 587,465,25
fail2ban-sendmail-auth tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 587,465,25
fail2ban-pureftpd tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
fail2ban-dropbear tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 22
fail2ban-ssh-ddos tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 22
fail2ban-pam all -- 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-BadBots (1 references)
Chain fail2ban-SSH (1 references)
Chain fail2ban-apache (1 references)
Chain fail2ban-apache-modsecurity (1 references)
Chain fail2ban-apache-multiport (1 references)
Chain fail2ban-apache-nohome (1 references)
Chain fail2ban-apache-noscript (1 references)
Chain fail2ban-apache-overflows (1 references)
Chain fail2ban-dovecot (1 references)
Chain fail2ban-dropbear (1 references)
Chain fail2ban-imscp (1 references)
Chain fail2ban-ip-blacklist (1 references)
Chain fail2ban-mysqld-auth (1 references)
Chain fail2ban-nginx-http-auth (1 references)
Chain fail2ban-pam (1 references)
Chain fail2ban-postfix (1 references)
Chain fail2ban-proftpd (1 references)
Chain fail2ban-pureftpd (1 references)
Chain fail2ban-rainloop (1 references)
Chain fail2ban-roundcube (1 references)
Chain fail2ban-sasl (2 references)
Chain fail2ban-sendmail-auth (2 references)
Chain fail2ban-ssh (1 references)
Chain fail2ban-ssh-ddos (1 references)
Chain fail2ban-thp-ssh (1 references)
Chain fail2ban-xinetd-fail (0 references)
Chain fail2ban-xinetd-fail-log (0 references)
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 6/min burst 2 LOG flags 0 level 4 prefix "fail2ban-xinetd-fail:DROP "

I have already tried the stock package of Debian GNU/Linux 8.3 (jessie), the latest 0.9 version, and now Fail2Ban v0.8.14 is running, but none of them ever found anything. What I'm seeing is that the log analysis does not run for some reason; Fail2ban does not analyze the logs properly.

Thanks in advance for your help; I hope I can figure out the cause of the "bug", and I'd also be curious how things are for others, because it's not only on one server: it's also on Ubuntu 14.04 and the situation is the same there. So others may be living with a false sense of security too...

Kalmi

Comments

Hi,

I was in the same boat as you a week ago. First check whether the filter file is correct:

fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/postfix-sasl.conf

Yes, I tested these too, but I'm not sure about this either, whether the filter is OK. Importantly, I'm using the stock filters; I haven't touched any of them!


#fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/postfix-sasl.conf

Running tests
=============

Use failregex file : /etc/fail2ban/filter.d/postfix-sasl.conf
Use log file : /var/log/mail.log

Results
=======

Failregex: 32 total
|- #) [# of hits] regular expression
| 1) [32] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?postfix/smtpd(?:\(\S+\))?[\]\)]?:?|[\[\(]?postfix/smtpd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*warning: [-._\w]+\[\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
| [24450] MONTH Day Hour:Minute:Second
`-

Lines: 24450 lines, 0 ignored, 32 matched, 24418 missed
Missed line(s): too many to print. Use --print-all-missed to print all 24418 lines

Actually, I don't understand this either: "Missed line(s): too many to print. Use --print-all-missed to print all 24418 lines" So it doesn't examine the log???

If I run this on a filtered log:

# fail2ban-regex mail.log /etc/fail2ban/filter.d/postfix-sasl.conf

Running tests
=============

Use failregex file : /etc/fail2ban/filter.d/postfix-sasl.conf
Use log file : mail.log

Results
=======

Failregex: 12 total
|- #) [# of hits] regular expression
| 1) [12] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?postfix/smtpd(?:\(\S+\))?[\]\)]?:?|[\[\(]?postfix/smtpd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*warning: [-._\w]+\[\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
| [16] MONTH Day Hour:Minute:Second
`-

Lines: 16 lines, 0 ignored, 12 matched, 4 missed
|- Missed line(s):
| Mar 4 18:14:28 admin postfix/smtpd[27859]: warning: hostname 187-35-128-90.dsl.telesp.net.br does not resolve to address 187.35.128.90: Name or service not known
| Mar 4 18:14:44 admin postfix/smtpd[27746]: warning: hostname 187-35-128-90.dsl.telesp.net.br does not resolve to address 187.35.128.90: Name or service not known
| Mar 4 18:38:53 admin postfix/smtpd[28595]: warning: hostname cpe-69-80-121-105.futuretk.com does not resolve to address 69.80.121.105: Name or service not known
| Mar 4 18:40:10 admin postfix/smtpd[28595]: warning: hostname no-reverse-dns-configured.com does not resolve to address 89.248.171.131
`-

The contents of mail.log:

#cat mail.log
Mar 4 18:14:02 admin postfix/smtpd[27819]: warning: unknown[187.35.128.90]: SASL PLAIN authentication failed: Connection lost to authentication server
Mar 4 18:14:07 admin postfix/smtpd[27746]: warning: unknown[187.35.128.90]: SASL CRAM-MD5 authentication failed: Connection lost to authentication server
Mar 4 18:14:13 admin postfix/smtpd[27819]: warning: unknown[187.35.128.90]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 4 18:14:17 admin postfix/smtpd[27746]: warning: unknown[187.35.128.90]: SASL PLAIN authentication failed: Connection lost to authentication server
Mar 4 18:14:27 admin postfix/smtpd[27746]: warning: unknown[187.35.128.90]: SASL LOGIN authentication failed: Connection lost to authentication server
Mar 4 18:14:28 admin postfix/smtpd[27859]: warning: hostname 187-35-128-90.dsl.telesp.net.br does not resolve to address 187.35.128.90: Name or service not known
Mar 4 18:14:39 admin postfix/smtpd[27859]: warning: unknown[187.35.128.90]: SASL CRAM-MD5 authentication failed: Connection lost to authentication server
Mar 4 18:14:41 admin postfix/smtpd[27859]: warning: unknown[187.35.128.90]: SASL PLAIN authentication failed: Connection lost to authentication server
Mar 4 18:14:43 admin postfix/smtpd[27859]: warning: unknown[187.35.128.90]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 4 18:14:44 admin postfix/smtpd[27746]: warning: hostname 187-35-128-90.dsl.telesp.net.br does not resolve to address 187.35.128.90: Name or service not known
Mar 4 18:14:47 admin postfix/smtpd[27746]: warning: unknown[187.35.128.90]: SASL CRAM-MD5 authentication failed: PDUwMTQ4NzQ1NTc2ODYxNTMuMTQ1NzExMTY4NEBhZG1pbj4=
Mar 4 18:14:53 admin postfix/smtpd[27746]: warning: unknown[187.35.128.90]: SASL PLAIN authentication failed: PDUwMTQ4NzQ1NTc2ODYxNTMuMTQ1NzExMTY4NEBhZG1pbj4=
Mar 4 18:14:59 admin postfix/smtpd[27746]: warning: unknown[187.35.128.90]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 4 18:38:53 admin postfix/smtpd[28595]: warning: hostname cpe-69-80-121-105.futuretk.com does not resolve to address 69.80.121.105: Name or service not known
Mar 4 18:40:10 admin postfix/smtpd[28595]: warning: hostname no-reverse-dns-configured.com does not resolve to address 89.248.171.131
Mar 4 18:40:12 admin postfix/smtpd[28595]: warning: unknown[89.248.171.131]: SASL LOGIN authentication failed: UGFzc3dvcmQ6

It reports, but in my opinion it should only return the IPs here, shouldn't it?
Could it be that it's not getting some permission for the logs?

How are things on your end, how did you solve it?
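As an added example (not from this thread or from the Fail2ban project), here is a small Python script that mimics what the postfix-sasl filter and a jail do with lines like the ones posted above: only the "SASL ... authentication failed" lines match, the "hostname ... does not resolve" warnings are counted as missed, and a host is reported for banning only once it reaches maxretry matches within findtime. The regex is a simplified form of the stock failregex, the sample lines are constructed, and the year assumed for the timestamps is arbitrary.

```python
import re
from collections import defaultdict
from datetime import datetime

# Simplified version of the failregex from filter.d/postfix-sasl.conf:
# the jail only counts "SASL ... authentication failed" lines; the
# "hostname ... does not resolve" warnings never match and are listed
# by fail2ban-regex as "missed", which is expected, not a fault.
FAILREGEX = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"warning: [-._\w]+\[(?P<host>[\d.]+)\]: "
    r"SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed"
)

def parse_ts(ts, year=2016):
    # syslog timestamps carry no year; assume one so times are comparable
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def scan(lines, maxretry=3, findtime=600):
    """Return (banned_hosts, matched, missed): a host is banned when it has
    >= maxretry matching lines within findtime seconds, as a jail does."""
    hits = defaultdict(list)
    matched = missed = 0
    for line in lines:
        m = FAILREGEX.search(line)
        if not m:
            missed += 1
            continue
        matched += 1
        hits[m.group("host")].append(parse_ts(m.group("ts")))
    banned = set()
    for host, times in hits.items():
        times.sort()
        for i in range(len(times) - maxretry + 1):
            if (times[i + maxretry - 1] - times[i]).total_seconds() <= findtime:
                banned.add(host)
                break
    return banned, matched, missed

# Constructed sample lines in the format of the post (RFC 5737 test addresses).
SAMPLE = """\
Mar 4 18:14:02 admin postfix/smtpd[27819]: warning: unknown[192.0.2.10]: SASL PLAIN authentication failed: Connection lost to authentication server
Mar 4 18:14:13 admin postfix/smtpd[27819]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 4 18:14:28 admin postfix/smtpd[27859]: warning: hostname example.invalid does not resolve to address 192.0.2.10: Name or service not known
Mar 4 18:14:47 admin postfix/smtpd[27746]: warning: unknown[192.0.2.10]: SASL CRAM-MD5 authentication failed: PDUwMTQ4NzQ1NTc2ODYxNTMuMTQ1NzExMTY4NEBhZG1pbj4=
Mar 4 18:40:12 admin postfix/smtpd[28595]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 4 20:10:12 admin postfix/smtpd[29001]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 4 21:50:12 admin postfix/smtpd[29555]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
""".splitlines()
```

With the defaults, scan(SAMPLE) reports 6 matched and 1 missed line, and only 192.0.2.10 qualifies for a ban; 198.51.100.7 has three failures but spread over more than findtime, so a jail with these settings would leave it alone.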