fail2ban isn't working

Hello,

About two months ago I set up fail2ban on a server.
I tested it back then and it worked.
For about a week now, though, there have been a lot of attempts.

I checked the conf, it hasn't changed; fail2ban is running, and I have also done a restart and a reinstall.
The regex finds the attempts, and the iptables chains are there.

What I found:
# fail2ban-client get ssh-iptables logpath
WARNING Beautifier error. Please report the error
ERROR Beautify [] with ['get', 'ssh-iptables', 'logpath'] failed
Current monitored log file(s):
[]

settings:
['set', 'loglevel', 3]
['set', 'logtarget', '/var/log/fail2ban.log']
['add', 'Dovecot-iptables', 'auto']
['set', 'Dovecot-iptables', 'addlogpath', '/var/log/dovecot/info.log']
['set', 'Dovecot-iptables', 'maxretry', 3]
['set', 'Dovecot-iptables', 'addignoreip', '127.0.0.1']
['set', 'Dovecot-iptables', 'findtime', 7200]
['set', 'Dovecot-iptables', 'bantime', 7200]
['set', 'Dovecot-iptables', 'addfailregex', 'Info.*(?:Aborted login).*rip=(?:::f{4,6}:)?(?P\\S*)']
['set', 'Dovecot-iptables', 'addaction', 'iptables-multiport']
['set', 'Dovecot-iptables', 'actionban', 'iptables-multiport', 'iptables -I fail2ban- 1 -s -j DROP']
['set', 'Dovecot-iptables', 'actionstop', 'iptables-multiport', 'iptables -D INPUT -p
-m multiport --dports
-j fail2ban-\niptables -F fail2ban-\niptables -X fail2ban-']
['set', 'Dovecot-iptables', 'actionstart', 'iptables-multiport', 'iptables -N fail2ban-\niptables -A fail2ban- -j RETURN\niptables -I INPUT -p
-m multiport --dports
-j fail2ban-']
['set', 'Dovecot-iptables', 'actionunban', 'iptables-multiport', 'iptables -D fail2ban- -s -j DROP']
['set', 'Dovecot-iptables', 'actioncheck', 'iptables-multiport', 'iptables -n -L INPUT | grep -q fail2ban-']
['set', 'Dovecot-iptables', 'setcinfo', 'iptables-multiport', 'protocol', 'tcp']
['set', 'Dovecot-iptables', 'setcinfo', 'iptables-multiport', 'name', 'DOVECOT']
['set', 'Dovecot-iptables', 'setcinfo', 'iptables-multiport', 'port', 'pop3,imap,pop3s,imaps']
['set', 'Dovecot-iptables', 'addaction', 'sendmail-whois']
['set', 'Dovecot-iptables', 'actionban', 'sendmail-whois', 'printf %b "Subject: [Fail2Ban] : banned \nFrom: Fail2Ban <>\nTo: \\n\nHi,\\n\nThe IP has just been banned by Fail2Ban after\n attempts against .\\n\\n\nHere are more information about :\\n\n`/usr/bin/whois `\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f ']
['set', 'Dovecot-iptables', 'actionstop', 'sendmail-whois', 'printf %b "Subject: [Fail2Ban] : stopped\nFrom: Fail2Ban <>\nTo: \\n\nHi,\\n\nThe jail has been stopped.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f ']
['set', 'Dovecot-iptables', 'actionstart', 'sendmail-whois', 'printf %b "Subject: [Fail2Ban] : started\nFrom: Fail2Ban <>\nTo: \\n\nHi,\\n\nThe jail has been started successfully.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f ']
['set', 'Dovecot-iptables', 'actionunban', 'sendmail-whois', '']
['set', 'Dovecot-iptables', 'actioncheck', 'sendmail-whois', '']
['set', 'Dovecot-iptables', 'setcinfo', 'sendmail-whois', 'dest', 'root@enyim.hu']
['set', 'Dovecot-iptables', 'setcinfo', 'sendmail-whois', 'name', 'DOVECOT']
['set', 'Dovecot-iptables', 'setcinfo', 'sendmail-whois', 'sender', 'fail2ban@enyim.hu']
['add', 'ssh-iptables', 'auto']
['set', 'ssh-iptables', 'addlogpath', '/var/log/secure']
['set', 'ssh-iptables', 'maxretry', 3]
['set', 'ssh-iptables', 'addignoreip', '127.0.0.1']
['set', 'ssh-iptables', 'findtime', 7200]
['set', 'ssh-iptables', 'bantime', 7200]
['set', 'ssh-iptables', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*(?:error: PAM: )?Authentication failure for .* from \\s*$']
['set', 'ssh-iptables', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*Failed [-/\\w]+ for .* from (?: port \\d*)?(?: ssh\\d*)?$']
['set', 'ssh-iptables', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*ROOT LOGIN REFUSED.* FROM \\s*$']
['set', 'ssh-iptables', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*[iI](?:llegal|nvalid) user .* from \\s*$']
['set', 'ssh-iptables', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*User \\S+ from not allowed because not listed in AllowUsers$']
['set', 'ssh-iptables', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*authentication failure; logname=\\S* uid=\\S* euid=\\S* tty=\\S* ruser=\\S* rhost=(?:\\s+user=.*)?\\s*$']
['set', 'ssh-iptables', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*refused connect from \\S+ \\(\\)\\s*$']
['set', 'ssh-iptables', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*Address .* POSSIBLE BREAK-IN ATTEMPT\\s*$']
['set', 'ssh-iptables', 'addaction', 'iptables']
['set', 'ssh-iptables', 'actionban', 'iptables', 'iptables -I fail2ban- 1 -s -j DROP']
['set', 'ssh-iptables', 'actionstop', 'iptables', 'iptables -D INPUT -p
--dport
-j fail2ban-\niptables -F fail2ban-\niptables -X fail2ban-']
['set', 'ssh-iptables', 'actionstart', 'iptables', 'iptables -N fail2ban-\niptables -A fail2ban- -j RETURN\niptables -I INPUT -p
--dport
-j fail2ban-']
['set', 'ssh-iptables', 'actionunban', 'iptables', 'iptables -D fail2ban- -s -j DROP']
['set', 'ssh-iptables', 'actioncheck', 'iptables', 'iptables -n -L INPUT | grep -q fail2ban-']
['set', 'ssh-iptables', 'setcinfo', 'iptables', 'protocol', 'tcp']
['set', 'ssh-iptables', 'setcinfo', 'iptables', 'name', 'SSH']
['set', 'ssh-iptables', 'setcinfo', 'iptables', 'port', 'ssh']
['set', 'ssh-iptables', 'addaction', 'sendmail-whois']
['set', 'ssh-iptables', 'actionban', 'sendmail-whois', 'printf %b "Subject: [Fail2Ban] : banned \nFrom: Fail2Ban <>\nTo: \\n\nHi,\\n\nThe IP has just been banned by Fail2Ban after\n attempts against .\\n\\n\nHere are more information about :\\n\n`/usr/bin/whois `\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f ']
['set', 'ssh-iptables', 'actionstop', 'sendmail-whois', 'printf %b "Subject: [Fail2Ban] : stopped\nFrom: Fail2Ban <>\nTo: \\n\nHi,\\n\nThe jail has been stopped.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f ']
['set', 'ssh-iptables', 'actionstart', 'sendmail-whois', 'printf %b "Subject: [Fail2Ban] : started\nFrom: Fail2Ban <>\nTo: \\n\nHi,\\n\nThe jail has been started successfully.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f ']
['set', 'ssh-iptables', 'actionunban', 'sendmail-whois', '']
['set', 'ssh-iptables', 'actioncheck', 'sendmail-whois', '']
['set', 'ssh-iptables', 'setcinfo', 'sendmail-whois', 'dest', 'root@enyim.hu']
['set', 'ssh-iptables', 'setcinfo', 'sendmail-whois', 'name', 'SSH']
['set', 'ssh-iptables', 'setcinfo', 'sendmail-whois', 'sender', 'fail2ban@enyim.hu']
['add', 'sasl-iptables', 'auto']
['set', 'sasl-iptables', 'addlogpath', '/var/log/maillog']
['set', 'sasl-iptables', 'maxretry', 3]
['set', 'sasl-iptables', 'addignoreip', '127.0.0.1']
['set', 'sasl-iptables', 'findtime', 7200]
['set', 'sasl-iptables', 'bantime', 7200]
['set', 'sasl-iptables', 'addfailregex', ': warning: [-._\\w]+\\[\\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed']
['set', 'sasl-iptables', 'addaction', 'iptables']
['set', 'sasl-iptables', 'actionban', 'iptables', 'iptables -I fail2ban- 1 -s -j DROP']
['set', 'sasl-iptables', 'actionstop', 'iptables', 'iptables -D INPUT -p
--dport
-j fail2ban-\niptables -F fail2ban-\niptables -X fail2ban-']
['set', 'sasl-iptables', 'actionstart', 'iptables', 'iptables -N fail2ban-\niptables -A fail2ban- -j RETURN\niptables -I INPUT -p
--dport
-j fail2ban-']
['set', 'sasl-iptables', 'actionunban', 'iptables', 'iptables -D fail2ban- -s -j DROP']
['set', 'sasl-iptables', 'actioncheck', 'iptables', 'iptables -n -L INPUT | grep -q fail2ban-']
['set', 'sasl-iptables', 'setcinfo', 'iptables', 'protocol', 'tcp']
['set', 'sasl-iptables', 'setcinfo', 'iptables', 'name', 'sasl']
['set', 'sasl-iptables', 'setcinfo', 'iptables', 'port', 'smtp']
['set', 'sasl-iptables', 'addaction', 'sendmail-whois']
['set', 'sasl-iptables', 'actionban', 'sendmail-whois', 'printf %b "Subject: [Fail2Ban] : banned \nFrom: Fail2Ban <>\nTo: \\n\nHi,\\n\nThe IP has just been banned by Fail2Ban after\n attempts against .\\n\\n\nHere are more information about :\\n\n`/usr/bin/whois `\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f ']
['set', 'sasl-iptables', 'actionstop', 'sendmail-whois', 'printf %b "Subject: [Fail2Ban] : stopped\nFrom: Fail2Ban <>\nTo: \\n\nHi,\\n\nThe jail has been stopped.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f ']
['set', 'sasl-iptables', 'actionstart', 'sendmail-whois', 'printf %b "Subject: [Fail2Ban] : started\nFrom: Fail2Ban <>\nTo: \\n\nHi,\\n\nThe jail has been started successfully.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f ']
['set', 'sasl-iptables', 'actionunban', 'sendmail-whois', '']
['set', 'sasl-iptables', 'actioncheck', 'sendmail-whois', '']
['set', 'sasl-iptables', 'setcinfo', 'sendmail-whois', 'dest', 'root@enyim.hu']
['set', 'sasl-iptables', 'setcinfo', 'sendmail-whois', 'name', 'sasl']
['set', 'sasl-iptables', 'setcinfo', 'sendmail-whois', 'sender', 'fail2ban@enyim.hu']
['start', 'Dovecot-iptables']
['start', 'ssh-iptables']
['start', 'sasl-iptables']

Comments

Upgrading to CentOS 5.2 solved the problem.

Regards,
Gabriel

P.S. Why do I have to stray from Debian?!

I don't want to open a new topic for this.

This is what keeps piling up:

2011.05.31 13:43:16 dovecot: pop3-login: Aborted login (1 authentication attempts): user=, method=PLAIN, rip=46.166.137.231, lip=95.140.32.20
2011.05.31 13:43:16 dovecot: pop3-login: Aborted login (1 authentication attempts): user=, method=PLAIN, rip=46.166.137.231, lip=95.140.32.21
2011.05.31 13:43:16 dovecot: pop3-login: Aborted login (1 authentication attempts): user=, method=PLAIN, rip=46.166.137.231, lip=95.140.32.21
2011.05.31 13:43:19 dovecot: pop3-login: Aborted login (1 authentication attempts): user=, method=PLAIN, rip=46.166.137.231, lip=95.140.32.21
2011.05.31 13:43:19 dovecot: pop3-login: Aborted login (1 authentication attempts): user=, method=PLAIN, rip=46.166.137.231, lip=95.140.32.20
2011.05.31 13:43:19 dovecot: pop3-login: Aborted login (1 authentication attempts): user=, method=PLAIN, rip=46.166.137.231, lip=95.140.32.21
2011.05.31 13:43:20 dovecot: pop3-login: Aborted login (1 authentication attempts): user=, method=PLAIN, rip=46.166.137.231, lip=95.140.32.21
2011.05.31 13:43:20 dovecot: pop3-login: Aborted login (1 authentication attempts): user=, method=PLAIN, rip=46.166.137.231, lip=95.140.32.21
2011.05.31 13:43:20 dovecot: pop3-login: Aborted login (1 authentication attempts): user=, method=PLAIN, rip=46.166.137.231, lip=95.140.32.20
2011.05.31 13:43:22 dovecot: pop3-login: Aborted login (1 authentication attempts): user=, method=PLAIN, rip=46.166.137.231, lip=95.140.32.21
2011.05.31 13:43:22 dovecot: pop3-login: Aborted login (1 authentication attempts): user=, method=PLAIN, rip=46.166.137.231, lip=95.140.32.21
2011.05.31 13:43:22 dovecot: pop3-login: Aborted login (1 authentication attempts): user=, method=PLAIN, rip=46.166.137.231, lip=95.140.32.20
2011.05.31 13:43:24 dovecot: pop3-login: Aborted login (1 authentication attempts): user=, method=PLAIN, rip=46.166.137.231, lip=95.140.32.21
2011.05.31 13:43:24 dovecot: pop3-login: Aborted login (1 authentication attempts): user=, method=PLAIN, rip=46.166.137.231, lip=95.140.32.21
2011.05.31 13:43:24 dovecot: pop3-login: Aborted login (1 authentication attempts): user=, method=PLAIN, rip=46.166.137.231, lip=95.140.32.20

# ############# jail.conf:
[dovecot]
enabled = true
filter = dovecot
action = iptables-multiport[name=dovecot, port="pop3,pop3s,imap,imaps", protocol=tcp]
logpath = /var/log/messages
maxretry = 5
findtime = 1200
bantime = 120

# ############# dovecot.conf
[Definition]
failregex = (?: pop3-login: Authentication failure).*rip=(?P\S*),.*
(?: pop3-login: Aborted login).*rip=(?P\S*),.*
(?: pop3-login: Disconnected).*rip=(?P\S*),.*
(?: imap-login: Authentication failure).*rip=(?P\S*),.*
(?: imap-login: Aborted login).*rip=(?P\S*),.*
(?: imap-login: Disconnected).*rip=(?P\S*),.*
ignoreregex =

# ################# /var/log/fail2ban.log
2011-05-31 13:47:40,193 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.3
2011-05-31 13:47:40,193 fail2ban.jail : INFO Creating new jail 'dovecot-pop3imap'
2011-05-31 13:47:40,194 fail2ban.jail : INFO Jail 'dovecot-pop3imap' uses poller
2011-05-31 13:47:40,209 fail2ban.filter : INFO Added logfile = /var/log/messages
2011-05-31 13:47:40,210 fail2ban.filter : INFO Set maxRetry = 5
2011-05-31 13:47:40,211 fail2ban.filter : INFO Set findtime = 1200
2011-05-31 13:47:40,212 fail2ban.actions: INFO Set banTime = 120
2011-05-31 13:47:40,229 fail2ban.jail : INFO Jail 'dovecot-pop3imap' started

That's all. The attempts keep going, and the attacker never ends up in iptables. WTF?
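An added example, not code from the thread: a small Python replay of the posted filter.d/dovecot.conf and the jail.conf thresholds (maxretry = 5, findtime = 1200) against the dovecot lines quoted above, doing by hand what fail2ban-regex and the jail's findtime/maxretry bookkeeping do. The sample input is constructed: the first six quoted lines, one added attempt from a second address (192.0.2.10), and one added successful login that must not match. It assumes the group name the page lost to HTML stripping was `(?P<host>\S*)`, which is what fail2ban needs to extract the offending address.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The six failregex lines from the posted filter.d/dovecot.conf. The page shows
# "(?P\S*)" because the HTML stripped the group name; "(?P<host>\S*)" is assumed
# here, which is what fail2ban needs to extract the offending IP.
FAILREGEX = [
    r"(?: pop3-login: Authentication failure).*rip=(?P<host>\S*),.*",
    r"(?: pop3-login: Aborted login).*rip=(?P<host>\S*),.*",
    r"(?: pop3-login: Disconnected).*rip=(?P<host>\S*),.*",
    r"(?: imap-login: Authentication failure).*rip=(?P<host>\S*),.*",
    r"(?: imap-login: Aborted login).*rip=(?P<host>\S*),.*",
    r"(?: imap-login: Disconnected).*rip=(?P<host>\S*),.*",
]
COMPILED = [re.compile(rx) for rx in FAILREGEX]

# Constructed sample: the first six lines quoted in the post, one constructed
# attempt from a second address (192.0.2.10, a documentation range), and one
# constructed successful login that must not match any failregex.
SAMPLE_LINES = [
    "2011.05.31 13:43:16 dovecot: pop3-login: Aborted login (1 authentication attempts): user=, method=PLAIN, rip=46.166.137.231, lip=95.140.32.20",
    "2011.05.31 13:43:16 dovecot: pop3-login: Aborted login (1 authentication attempts): user=, method=PLAIN, rip=46.166.137.231, lip=95.140.32.21",
    "2011.05.31 13:43:16 dovecot: pop3-login: Aborted login (1 authentication attempts): user=, method=PLAIN, rip=46.166.137.231, lip=95.140.32.21",
    "2011.05.31 13:43:19 dovecot: pop3-login: Aborted login (1 authentication attempts): user=, method=PLAIN, rip=46.166.137.231, lip=95.140.32.21",
    "2011.05.31 13:43:19 dovecot: pop3-login: Aborted login (1 authentication attempts): user=, method=PLAIN, rip=46.166.137.231, lip=95.140.32.20",
    "2011.05.31 13:43:19 dovecot: pop3-login: Aborted login (1 authentication attempts): user=, method=PLAIN, rip=46.166.137.231, lip=95.140.32.21",
    "2011.05.31 13:43:40 dovecot: imap-login: Aborted login (1 authentication attempts): user=, method=PLAIN, rip=192.0.2.10, lip=95.140.32.20",
    "2011.05.31 13:44:01 dovecot: pop3-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.10, lip=95.140.32.20",
]

TIMESTAMP_LEN = len("2011.05.31 13:43:16")


def match_line(line):
    """Return (timestamp, host) if any failregex matches the line, else None.

    fail2ban applies re.search, so the pattern need not start at column 0;
    the timestamp is read from the fixed-width prefix of this log format.
    """
    for rx in COMPILED:
        m = rx.search(line)
        if m:
            ts = datetime.strptime(line[:TIMESTAMP_LEN], "%Y.%m.%d %H:%M:%S")
            return ts, m.group("host")
    return None


def match_lines(lines):
    """All (timestamp, host) hits in log order; non-matching lines are dropped."""
    hits = [match_line(line) for line in lines]
    return [h for h in hits if h is not None]


def simulate_jail(lines, maxretry=5, findtime=1200):
    """Replay the jail's ban decision with the jail.conf values from the post.

    A host is banned as soon as it has at least maxretry matches whose
    timestamps lie within findtime seconds of the newest one. Returns the
    banned hosts in the order they would have been banned.
    """
    recent = defaultdict(list)
    banned = []
    window = timedelta(seconds=findtime)
    for ts, host in match_lines(lines):
        # keep only the hits still inside the findtime window, then add this one
        recent[host] = [t for t in recent[host] if ts - t <= window] + [ts]
        if len(recent[host]) >= maxretry and host not in banned:
            banned.append(host)
    return banned


if __name__ == "__main__":
    for ts, host in match_lines(SAMPLE_LINES):
        print(f"{ts}  matched  {host}")
    print("would be banned:", simulate_jail(SAMPLE_LINES))
```

Run as-is it reports seven matches and lists 46.166.137.231 as banned on its fifth attempt at 13:43:19, so with the thresholds in the posted jail.conf these lines are enough to trigger a ban; that agrees with the later reply that the five attempts were there. The real tool's equivalent check is `fail2ban-regex /var/log/messages /etc/fail2ban/filter.d/dovecot.conf`. Note that this script takes the lines as input, while the jail only reads the file named in logpath, so the lines must actually be present in /var/log/messages for the jail to count them.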

I just read off what I saw.

Furthermore:

2011-05-31 13:47:40,210 fail2ban.filter : INFO Set maxRetry = 5

the asker should set this back to 3

All of this without restarting the server which is carefully watching your log files during the operation. Mmmmhhh... Three retries are a bit too aggressive? Change the setting with:

# ./fail2ban-client set ssh maxretry 5

I guess that's where it came from :)

There were 5 attempts, so that makes no difference.
Back in the day I only ever managed to cripple the program one way: by deleting its iptables chains, so it had nothing to insert the new rules into.
But after a restart it recreates them and carries on. The trouble is when an automatic script overwrites the rules.

fail2ban isn't working? So fail2ban fail 2 ban?