Hello,
I set up fail2ban on a server about two months ago.
When I tested it back then, it worked.
For about a week now, though, there have been a lot of attempts.
I checked the conf, it hasn't changed; fail2ban is running; there has been a restart and a reinstall too.
The regex finds the attempts, the iptables chains are there.
What I found:
# fail2ban-client get ssh-iptables logpath
WARNING Beautifier error. Please report the error
ERROR Beautify [] with ['get', 'ssh-iptables', 'logpath'] failed
Current monitored log file(s):
[]
settings:
['set', 'loglevel', 3]
['set', 'logtarget', '/var/log/fail2ban.log']
['add', 'Dovecot-iptables', 'auto']
['set', 'Dovecot-iptables', 'addlogpath', '/var/log/dovecot/info.log']
['set', 'Dovecot-iptables', 'maxretry', 3]
['set', 'Dovecot-iptables', 'addignoreip', '127.0.0.1']
['set', 'Dovecot-iptables', 'findtime', 7200]
['set', 'Dovecot-iptables', 'bantime', 7200]
['set', 'Dovecot-iptables', 'addfailregex', 'Info.*(?:Aborted login).*rip=(?:::f{4,6}:)?(?P\\S*)']
['set', 'Dovecot-iptables', 'addaction', 'iptables-multiport']
['set', 'Dovecot-iptables', 'actionban', 'iptables-multiport', 'iptables -I fail2ban- 1 -s -j DROP']
['set', 'Dovecot-iptables', 'actionstop', 'iptables-multiport', 'iptables -D INPUT -p -m multiport --dports -j fail2ban-\niptables -F fail2ban-\niptables -X fail2ban-']
['set', 'Dovecot-iptables', 'actionstart', 'iptables-multiport', 'iptables -N fail2ban-\niptables -A fail2ban- -j RETURN\niptables -I INPUT -p -m multiport --dports -j fail2ban-']
['set', 'Dovecot-iptables', 'actionunban', 'iptables-multiport', 'iptables -D fail2ban- -s -j DROP']
['set', 'Dovecot-iptables', 'actioncheck', 'iptables-multiport', 'iptables -n -L INPUT | grep -q fail2ban-']
['set', 'Dovecot-iptables', 'setcinfo', 'iptables-multiport', 'protocol', 'tcp']
['set', 'Dovecot-iptables', 'setcinfo', 'iptables-multiport', 'name', 'DOVECOT']
['set', 'Dovecot-iptables', 'setcinfo', 'iptables-multiport', 'port', 'pop3,imap,pop3s,imaps']
['set', 'Dovecot-iptables', 'addaction', 'sendmail-whois']
['set', 'Dovecot-iptables', 'actionban', 'sendmail-whois', 'printf %b "Subject: [Fail2Ban] : banned \nFrom: Fail2Ban <>\nTo: \\n\nHi,\\n\nThe IP has just been banned by Fail2Ban after\n attempts against .\\n\\n\nHere are more information about :\\n\n`/usr/bin/whois `\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f ']
['set', 'Dovecot-iptables', 'actionstop', 'sendmail-whois', 'printf %b "Subject: [Fail2Ban] : stopped\nFrom: Fail2Ban <>\nTo: \\n\nHi,\\n\nThe jail has been stopped.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f ']
['set', 'Dovecot-iptables', 'actionstart', 'sendmail-whois', 'printf %b "Subject: [Fail2Ban] : started\nFrom: Fail2Ban <>\nTo: \\n\nHi,\\n\nThe jail has been started successfully.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f ']
['set', 'Dovecot-iptables', 'actionunban', 'sendmail-whois', '']
['set', 'Dovecot-iptables', 'actioncheck', 'sendmail-whois', '']
['set', 'Dovecot-iptables', 'setcinfo', 'sendmail-whois', 'dest', 'root@enyim.hu']
['set', 'Dovecot-iptables', 'setcinfo', 'sendmail-whois', 'name', 'DOVECOT']
['set', 'Dovecot-iptables', 'setcinfo', 'sendmail-whois', 'sender', 'fail2ban@enyim.hu']
['add', 'ssh-iptables', 'auto']
['set', 'ssh-iptables', 'addlogpath', '/var/log/secure']
['set', 'ssh-iptables', 'maxretry', 3]
['set', 'ssh-iptables', 'addignoreip', '127.0.0.1']
['set', 'ssh-iptables', 'findtime', 7200]
['set', 'ssh-iptables', 'bantime', 7200]
['set', 'ssh-iptables', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*(?:error: PAM: )?Authentication failure for .* from \\s*$']
['set', 'ssh-iptables', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*Failed [-/\\w]+ for .* from (?: port \\d*)?(?: ssh\\d*)?$']
['set', 'ssh-iptables', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*ROOT LOGIN REFUSED.* FROM \\s*$']
['set', 'ssh-iptables', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*[iI](?:llegal|nvalid) user .* from \\s*$']
['set', 'ssh-iptables', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*User \\S+ from not allowed because not listed in AllowUsers$']
['set', 'ssh-iptables', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*authentication failure; logname=\\S* uid=\\S* euid=\\S* tty=\\S* ruser=\\S* rhost=(?:\\s+user=.*)?\\s*$']
['set', 'ssh-iptables', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*refused connect from \\S+ \\(\\)\\s*$']
['set', 'ssh-iptables', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*Address .* POSSIBLE BREAK-IN ATTEMPT\\s*$']
['set', 'ssh-iptables', 'addaction', 'iptables']
['set', 'ssh-iptables', 'actionban', 'iptables', 'iptables -I fail2ban- 1 -s -j DROP']
['set', 'ssh-iptables', 'actionstop', 'iptables', 'iptables -D INPUT -p --dport -j fail2ban-\niptables -F fail2ban-\niptables -X fail2ban-']
['set', 'ssh-iptables', 'actionstart', 'iptables', 'iptables -N fail2ban-\niptables -A fail2ban- -j RETURN\niptables -I INPUT -p --dport -j fail2ban-']
['set', 'ssh-iptables', 'actionunban', 'iptables', 'iptables -D fail2ban- -s -j DROP']
['set', 'ssh-iptables', 'actioncheck', 'iptables', 'iptables -n -L INPUT | grep -q fail2ban-']
['set', 'ssh-iptables', 'setcinfo', 'iptables', 'protocol', 'tcp']
['set', 'ssh-iptables', 'setcinfo', 'iptables', 'name', 'SSH']
['set', 'ssh-iptables', 'setcinfo', 'iptables', 'port', 'ssh']
['set', 'ssh-iptables', 'addaction', 'sendmail-whois']
['set', 'ssh-iptables', 'actionban', 'sendmail-whois', 'printf %b "Subject: [Fail2Ban] : banned \nFrom: Fail2Ban <>\nTo: \\n\nHi,\\n\nThe IP has just been banned by Fail2Ban after\n attempts against .\\n\\n\nHere are more information about :\\n\n`/usr/bin/whois `\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f ']
['set', 'ssh-iptables', 'actionstop', 'sendmail-whois', 'printf %b "Subject: [Fail2Ban] : stopped\nFrom: Fail2Ban <>\nTo: \\n\nHi,\\n\nThe jail has been stopped.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f ']
['set', 'ssh-iptables', 'actionstart', 'sendmail-whois', 'printf %b "Subject: [Fail2Ban] : started\nFrom: Fail2Ban <>\nTo: \\n\nHi,\\n\nThe jail has been started successfully.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f ']
['set', 'ssh-iptables', 'actionunban', 'sendmail-whois', '']
['set', 'ssh-iptables', 'actioncheck', 'sendmail-whois', '']
['set', 'ssh-iptables', 'setcinfo', 'sendmail-whois', 'dest', 'root@enyim.hu']
['set', 'ssh-iptables', 'setcinfo', 'sendmail-whois', 'name', 'SSH']
['set', 'ssh-iptables', 'setcinfo', 'sendmail-whois', 'sender', 'fail2ban@enyim.hu']
['add', 'sasl-iptables', 'auto']
['set', 'sasl-iptables', 'addlogpath', '/var/log/maillog']
['set', 'sasl-iptables', 'maxretry', 3]
['set', 'sasl-iptables', 'addignoreip', '127.0.0.1']
['set', 'sasl-iptables', 'findtime', 7200]
['set', 'sasl-iptables', 'bantime', 7200]
['set', 'sasl-iptables', 'addfailregex', ': warning: [-._\\w]+\\[\\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed']
['set', 'sasl-iptables', 'addaction', 'iptables']
['set', 'sasl-iptables', 'actionban', 'iptables', 'iptables -I fail2ban- 1 -s -j DROP']
['set', 'sasl-iptables', 'actionstop', 'iptables', 'iptables -D INPUT -p --dport -j fail2ban-\niptables -F fail2ban-\niptables -X fail2ban-']
['set', 'sasl-iptables', 'actionstart', 'iptables', 'iptables -N fail2ban-\niptables -A fail2ban- -j RETURN\niptables -I INPUT -p --dport -j fail2ban-']
['set', 'sasl-iptables', 'actionunban', 'iptables', 'iptables -D fail2ban- -s -j DROP']
['set', 'sasl-iptables', 'actioncheck', 'iptables', 'iptables -n -L INPUT | grep -q fail2ban-']
['set', 'sasl-iptables', 'setcinfo', 'iptables', 'protocol', 'tcp']
['set', 'sasl-iptables', 'setcinfo', 'iptables', 'name', 'sasl']
['set', 'sasl-iptables', 'setcinfo', 'iptables', 'port', 'smtp']
['set', 'sasl-iptables', 'addaction', 'sendmail-whois']
['set', 'sasl-iptables', 'actionban', 'sendmail-whois', 'printf %b "Subject: [Fail2Ban] : banned \nFrom: Fail2Ban <>\nTo: \\n\nHi,\\n\nThe IP has just been banned by Fail2Ban after\n attempts against .\\n\\n\nHere are more information about :\\n\n`/usr/bin/whois `\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f ']
['set', 'sasl-iptables', 'actionstop', 'sendmail-whois', 'printf %b "Subject: [Fail2Ban] : stopped\nFrom: Fail2Ban <>\nTo: \\n\nHi,\\n\nThe jail has been stopped.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f ']
['set', 'sasl-iptables', 'actionstart', 'sendmail-whois', 'printf %b "Subject: [Fail2Ban] : started\nFrom: Fail2Ban <>\nTo: \\n\nHi,\\n\nThe jail has been started successfully.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f ']
['set', 'sasl-iptables', 'actionunban', 'sendmail-whois', '']
['set', 'sasl-iptables', 'actioncheck', 'sendmail-whois', '']
['set', 'sasl-iptables', 'setcinfo', 'sendmail-whois', 'dest', 'root@enyim.hu']
['set', 'sasl-iptables', 'setcinfo', 'sendmail-whois', 'name', 'sasl']
['set', 'sasl-iptables', 'setcinfo', 'sendmail-whois', 'sender', 'fail2ban@enyim.hu']
['start', 'Dovecot-iptables']
['start', 'ssh-iptables']
['start', 'sasl-iptables']
Comments
up.
What do you think I'm doing wrong?
Upgrading to CentOS 5.2 solved the problem.
Regards,
Gabriel
P.S. Why do I have to deviate from Debian?!
I don't want to open a new topic for this.
This is what is piling up:
2011.05.31 13:43:16 dovecot: pop3-login: Aborted login (1 authentication attempts): user=, method=PLAIN, rip=46.166.137.231, lip=95.140.32.20
2011.05.31 13:43:16 dovecot: pop3-login: Aborted login (1 authentication attempts): user=, method=PLAIN, rip=46.166.137.231, lip=95.140.32.21
2011.05.31 13:43:16 dovecot: pop3-login: Aborted login (1 authentication attempts): user=, method=PLAIN, rip=46.166.137.231, lip=95.140.32.21
2011.05.31 13:43:19 dovecot: pop3-login: Aborted login (1 authentication attempts): user=, method=PLAIN, rip=46.166.137.231, lip=95.140.32.21
2011.05.31 13:43:19 dovecot: pop3-login: Aborted login (1 authentication attempts): user=, method=PLAIN, rip=46.166.137.231, lip=95.140.32.20
2011.05.31 13:43:19 dovecot: pop3-login: Aborted login (1 authentication attempts): user=, method=PLAIN, rip=46.166.137.231, lip=95.140.32.21
2011.05.31 13:43:20 dovecot: pop3-login: Aborted login (1 authentication attempts): user=, method=PLAIN, rip=46.166.137.231, lip=95.140.32.21
2011.05.31 13:43:20 dovecot: pop3-login: Aborted login (1 authentication attempts): user=, method=PLAIN, rip=46.166.137.231, lip=95.140.32.21
2011.05.31 13:43:20 dovecot: pop3-login: Aborted login (1 authentication attempts): user=, method=PLAIN, rip=46.166.137.231, lip=95.140.32.20
2011.05.31 13:43:22 dovecot: pop3-login: Aborted login (1 authentication attempts): user=, method=PLAIN, rip=46.166.137.231, lip=95.140.32.21
2011.05.31 13:43:22 dovecot: pop3-login: Aborted login (1 authentication attempts): user=, method=PLAIN, rip=46.166.137.231, lip=95.140.32.21
2011.05.31 13:43:22 dovecot: pop3-login: Aborted login (1 authentication attempts): user=, method=PLAIN, rip=46.166.137.231, lip=95.140.32.20
2011.05.31 13:43:24 dovecot: pop3-login: Aborted login (1 authentication attempts): user=, method=PLAIN, rip=46.166.137.231, lip=95.140.32.21
2011.05.31 13:43:24 dovecot: pop3-login: Aborted login (1 authentication attempts): user=, method=PLAIN, rip=46.166.137.231, lip=95.140.32.21
2011.05.31 13:43:24 dovecot: pop3-login: Aborted login (1 authentication attempts): user=, method=PLAIN, rip=46.166.137.231, lip=95.140.32.20
# ############# jail.conf:
[dovecot]
enabled = true
filter = dovecot
action = iptables-multiport[name=dovecot, port="pop3,pop3s,imap,imaps", protocol=tcp]
logpath = /var/log/messages
maxretry = 5
findtime = 1200
bantime = 120
# ############# dovecot.conf
[Definition]
failregex = (?: pop3-login: Authentication failure).*rip=(?P\S*),.*
(?: pop3-login: Aborted login).*rip=(?P\S*),.*
(?: pop3-login: Disconnected).*rip=(?P\S*),.*
(?: imap-login: Authentication failure).*rip=(?P\S*),.*
(?: imap-login: Aborted login).*rip=(?P\S*),.*
(?: imap-login: Disconnected).*rip=(?P\S*),.*
ignoreregex =
# ################# /var/log/fail2ban.log
2011-05-31 13:47:40,193 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.3
2011-05-31 13:47:40,193 fail2ban.jail : INFO Creating new jail 'dovecot-pop3imap'
2011-05-31 13:47:40,194 fail2ban.jail : INFO Jail 'dovecot-pop3imap' uses poller
2011-05-31 13:47:40,209 fail2ban.filter : INFO Added logfile = /var/log/messages
2011-05-31 13:47:40,210 fail2ban.filter : INFO Set maxRetry = 5
2011-05-31 13:47:40,211 fail2ban.filter : INFO Set findtime = 1200
2011-05-31 13:47:40,212 fail2ban.actions: INFO Set banTime = 120
2011-05-31 13:47:40,229 fail2ban.jail : INFO Jail 'dovecot-pop3imap' started
That's it. The attempts keep going, and the attacker never ends up in iptables. WTF?
It only tries 3 times in 1 second, then it waits.
Very sneaky.
That doesn't cause any trouble for me. 3 failed attempts, even minutes apart -> 24 hour ban.
Default configuration, plus a few custom jails in jail.local.
I just read off what I saw.
Also:
2011-05-31 13:47:40,210 fail2ban.filter : INFO Set maxRetry = 5
The asker should set this back to 3.
All of this without restarting the server which is carefully watching your log files during the operation. Mmmmhhh... Three retries are a bit too agressive? Change the setting with:
# ./fail2ban-client set ssh maxretry 5
I guess that's where it came from :)
The 5 attempts were there, so that makes no difference.
Back in the day I only ever managed to cripple the program one way: by deleting its iptables chains, so it had nothing to attach the new rules to.
But after a restart of the program it recreates them and carries on. The real trouble is when an automatic script overwrites the rules.
But if findtime is set to 1200 and maxretry to 5, then my config is _in theory_ fine. :) That it doesn't work in practice is another matter, and that is what I'm looking for a solution to.
In Jail.conf there is a "backend" option, this can be set to "gamin", "polling" or "auto" which chooses whatever method is available.
If I set this to "polling" Fail2Ban started working but "auto" or "gamin"! it didn't.
Huh?
In my jail.conf it is backend = polling.
fail2ban-regex /var/log/messages /etc/fail2ban/filter.d/dovecot.conf
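The fail2ban-regex suggestion above checks whether the filter matches, but the thread's other open question is whether the matches would actually reach maxretry within findtime. The following is an added example, not code from the thread or from the fail2ban project: it replays constructed dovecot log lines (documentation IP addresses, same shape as the lines quoted earlier) through the six failregex patterns from the quoted dovecot.conf and applies fail2ban's counting rule (ban when maxretry matches for one host fall within findtime seconds). The `(?P<host>...)` group is an assumption: fail2ban's `<HOST>` tag expands to a named group called `host`, and the thread's copy of the filter lost that name to HTML stripping. The date parsing is a simplification of fail2ban's date detector; the point it demonstrates is that a match whose timestamp cannot be read does not count, which is what to look for in fail2ban-regex output.

```python
import re
from collections import defaultdict
from datetime import datetime

# The thread's dovecot.conf filter, with the named group that fail2ban's <HOST>
# tag expands to restored (assumption: the page's copy lost "<host>" to HTML
# stripping). fail2ban compiles each failregex line as a separate pattern.
FAILREGEX = [
    r"(?: pop3-login: Authentication failure).*rip=(?P<host>\S*),.*",
    r"(?: pop3-login: Aborted login).*rip=(?P<host>\S*),.*",
    r"(?: pop3-login: Disconnected).*rip=(?P<host>\S*),.*",
    r"(?: imap-login: Authentication failure).*rip=(?P<host>\S*),.*",
    r"(?: imap-login: Aborted login).*rip=(?P<host>\S*),.*",
    r"(?: imap-login: Disconnected).*rip=(?P<host>\S*),.*",
]
COMPILED = [re.compile(p) for p in FAILREGEX]

# Dovecot's own dotted timestamp, as in the lines quoted in the thread.
DATE_RE = re.compile(r"^(\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) ")
DATE_FMT = "%Y.%m.%d %H:%M:%S"

# Constructed sample log (RFC 5737 documentation addresses), not real data.
# Lines 1-6: six fast attempts from one host; 7-8: two attempts 26 minutes
# apart; 9: a matching line in syslog date format the parser above cannot
# read; 10: a successful login that matches no failregex.
SAMPLE_LOG = """\
2011.05.31 13:43:16 dovecot: pop3-login: Aborted login (1 authentication attempts): user=<>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.20
2011.05.31 13:43:16 dovecot: pop3-login: Aborted login (1 authentication attempts): user=<>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.21
2011.05.31 13:43:19 dovecot: pop3-login: Aborted login (1 authentication attempts): user=<>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.21
2011.05.31 13:43:19 dovecot: pop3-login: Aborted login (1 authentication attempts): user=<>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.20
2011.05.31 13:43:20 dovecot: pop3-login: Aborted login (1 authentication attempts): user=<>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.21
2011.05.31 13:43:22 dovecot: pop3-login: Aborted login (1 authentication attempts): user=<>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.20
2011.05.31 13:44:01 dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<bob>, method=PLAIN, rip=203.0.113.9, lip=192.0.2.21
2011.05.31 14:10:05 dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<bob>, method=PLAIN, rip=203.0.113.9, lip=192.0.2.21
May 31 13:43:30 mail dovecot: pop3-login: Aborted login (1 authentication attempts): user=<>, method=PLAIN, rip=203.0.113.9, lip=192.0.2.20
2011.05.31 13:43:31 dovecot: pop3-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.77, lip=192.0.2.20
"""


def parse_failure(line):
    """Return (timestamp, host) when a failregex matches and the timestamp
    parses, (None, host) when it matches but the date is unusable, and None
    when no failregex matches at all."""
    for rx in COMPILED:
        m = rx.search(line)
        if m:
            host = m.group("host")
            dm = DATE_RE.match(line)
            if not dm:
                return (None, host)
            return (datetime.strptime(dm.group(1), DATE_FMT), host)
    return None


def simulate_jail(lines, maxretry=5, findtime=1200):
    """Replay log lines through fail2ban's counting rule: a host is banned once
    it has maxretry matches whose timestamps lie within findtime seconds of
    the newest one. Returns (banned_hosts, per_host_counts, undated_matches)."""
    failures = defaultdict(list)
    banned = []
    undated = 0
    for line in lines:
        res = parse_failure(line)
        if res is None:
            continue
        ts, host = res
        if ts is None:
            undated += 1  # a match with no readable date never counts
            continue
        if host in banned:
            continue
        bucket = failures[host] + [ts]
        # keep only attempts within findtime of this newest attempt
        failures[host] = [t for t in bucket if (ts - t).total_seconds() <= findtime]
        if len(failures[host]) >= maxretry:
            banned.append(host)
    counts = {h: len(v) for h, v in failures.items()}
    return banned, counts, undated


if __name__ == "__main__":
    banned, counts, undated = simulate_jail(SAMPLE_LOG.splitlines())
    print("banned:", banned)
    print("attempts per host within findtime:", counts)
    print("matches skipped for unreadable date:", undated)
```

With the jail settings from the quoted jail.conf (maxretry 5, findtime 1200) the fast host is banned on its fifth line, the slow host never accumulates more than one attempt because its second try falls outside findtime, and the syslog-formatted line matches the regex but contributes nothing. Running `fail2ban-regex` against the real log file reports both numbers for the actual filter and date detector, which is the first thing to compare against the ban count in fail2ban.log.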
fail2ban isn't working? So fail2ban fail 2 ban?