Hello,
I set up fail2ban on a server about two months ago.
When I tried it then, it worked.
For about a week now, though, there have been a lot of attempts.
I checked: the conf hasn't changed, fail2ban is running, and there has been a restart + reinstall too.
The regex finds the attempts, the iptables chains are there.
What I found:
# fail2ban-client get ssh-iptables logpath
WARNING Beautifier error. Please report the error
ERROR Beautify [] with ['get', 'ssh-iptables', 'logpath'] failed
Current monitored log file(s):
[]
settings:
['set', 'loglevel', 3]
['set', 'logtarget', '/var/log/fail2ban.log']
['add', 'Dovecot-iptables', 'auto']
['set', 'Dovecot-iptables', 'addlogpath', '/var/log/dovecot/info.log']
['set', 'Dovecot-iptables', 'maxretry', 3]
['set', 'Dovecot-iptables', 'addignoreip', '127.0.0.1']
['set', 'Dovecot-iptables', 'findtime', 7200]
['set', 'Dovecot-iptables', 'bantime', 7200]
['set', 'Dovecot-iptables', 'addfailregex', 'Info.*(?:Aborted login).*rip=(?:::f{4,6}:)?(?P\\S*)']
['set', 'Dovecot-iptables', 'addaction', 'iptables-multiport']
['set', 'Dovecot-iptables', 'actionban', 'iptables-multiport', 'iptables -I fail2ban- 1 -s -j DROP']
['set', 'Dovecot-iptables', 'actionstop', 'iptables-multiport', 'iptables -D INPUT -p
-m multiport --dports
-j fail2ban-\niptables -F fail2ban-\niptables -X fail2ban-']
['set', 'Dovecot-iptables', 'actionstart', 'iptables-multiport', 'iptables -N fail2ban-\niptables -A fail2ban- -j RETURN\niptables -I INPUT -p
-m multiport --dports
-j fail2ban-']
['set', 'Dovecot-iptables', 'actionunban', 'iptables-multiport', 'iptables -D fail2ban- -s -j DROP']
['set', 'Dovecot-iptables', 'actioncheck', 'iptables-multiport', 'iptables -n -L INPUT | grep -q fail2ban-']
['set', 'Dovecot-iptables', 'setcinfo', 'iptables-multiport', 'protocol', 'tcp']
['set', 'Dovecot-iptables', 'setcinfo', 'iptables-multiport', 'name', 'DOVECOT']
['set', 'Dovecot-iptables', 'setcinfo', 'iptables-multiport', 'port', 'pop3,imap,pop3s,imaps']
['set', 'Dovecot-iptables', 'addaction', 'sendmail-whois']
['set', 'Dovecot-iptables', 'actionban', 'sendmail-whois', 'printf %b "Subject: [Fail2Ban] : banned \nFrom: Fail2Ban <>\nTo: \\n\nHi,\\n\nThe IP has just been banned by Fail2Ban after\n attempts against .\\n\\n\nHere are more information about :\\n\n`/usr/bin/whois `\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f ']
['set', 'Dovecot-iptables', 'actionstop', 'sendmail-whois', 'printf %b "Subject: [Fail2Ban] : stopped\nFrom: Fail2Ban <>\nTo: \\n\nHi,\\n\nThe jail has been stopped.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f ']
['set', 'Dovecot-iptables', 'actionstart', 'sendmail-whois', 'printf %b "Subject: [Fail2Ban] : started\nFrom: Fail2Ban <>\nTo: \\n\nHi,\\n\nThe jail has been started successfully.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f ']
['set', 'Dovecot-iptables', 'actionunban', 'sendmail-whois', '']
['set', 'Dovecot-iptables', 'actioncheck', 'sendmail-whois', '']
['set', 'Dovecot-iptables', 'setcinfo', 'sendmail-whois', 'dest', 'root@enyim.hu']
['set', 'Dovecot-iptables', 'setcinfo', 'sendmail-whois', 'name', 'DOVECOT']
['set', 'Dovecot-iptables', 'setcinfo', 'sendmail-whois', 'sender', 'fail2ban@enyim.hu']
['add', 'ssh-iptables', 'auto']
['set', 'ssh-iptables', 'addlogpath', '/var/log/secure']
['set', 'ssh-iptables', 'maxretry', 3]
['set', 'ssh-iptables', 'addignoreip', '127.0.0.1']
['set', 'ssh-iptables', 'findtime', 7200]
['set', 'ssh-iptables', 'bantime', 7200]
['set', 'ssh-iptables', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*(?:error: PAM: )?Authentication failure for .* from \\s*$']
['set', 'ssh-iptables', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*Failed [-/\\w]+ for .* from (?: port \\d*)?(?: ssh\\d*)?$']
['set', 'ssh-iptables', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*ROOT LOGIN REFUSED.* FROM \\s*$']
['set', 'ssh-iptables', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*[iI](?:llegal|nvalid) user .* from \\s*$']
['set', 'ssh-iptables', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*User \\S+ from not allowed because not listed in AllowUsers$']
['set', 'ssh-iptables', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*authentication failure; logname=\\S* uid=\\S* euid=\\S* tty=\\S* ruser=\\S* rhost=(?:\\s+user=.*)?\\s*$']
['set', 'ssh-iptables', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*refused connect from \\S+ \\(\\)\\s*$']
['set', 'ssh-iptables', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*Address .* POSSIBLE BREAK-IN ATTEMPT\\s*$']
['set', 'ssh-iptables', 'addaction', 'iptables']
['set', 'ssh-iptables', 'actionban', 'iptables', 'iptables -I fail2ban- 1 -s -j DROP']
['set', 'ssh-iptables', 'actionstop', 'iptables', 'iptables -D INPUT -p
--dport
-j fail2ban-\niptables -F fail2ban-\niptables -X fail2ban-']
['set', 'ssh-iptables', 'actionstart', 'iptables', 'iptables -N fail2ban-\niptables -A fail2ban- -j RETURN\niptables -I INPUT -p
--dport
-j fail2ban-']
['set', 'ssh-iptables', 'actionunban', 'iptables', 'iptables -D fail2ban- -s -j DROP']
['set', 'ssh-iptables', 'actioncheck', 'iptables', 'iptables -n -L INPUT | grep -q fail2ban-']
['set', 'ssh-iptables', 'setcinfo', 'iptables', 'protocol', 'tcp']
['set', 'ssh-iptables', 'setcinfo', 'iptables', 'name', 'SSH']
['set', 'ssh-iptables', 'setcinfo', 'iptables', 'port', 'ssh']
['set', 'ssh-iptables', 'addaction', 'sendmail-whois']
['set', 'ssh-iptables', 'actionban', 'sendmail-whois', 'printf %b "Subject: [Fail2Ban] : banned \nFrom: Fail2Ban <>\nTo: \\n\nHi,\\n\nThe IP has just been banned by Fail2Ban after\n attempts against .\\n\\n\nHere are more information about :\\n\n`/usr/bin/whois `\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f ']
['set', 'ssh-iptables', 'actionstop', 'sendmail-whois', 'printf %b "Subject: [Fail2Ban] : stopped\nFrom: Fail2Ban <>\nTo: \\n\nHi,\\n\nThe jail has been stopped.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f ']
['set', 'ssh-iptables', 'actionstart', 'sendmail-whois', 'printf %b "Subject: [Fail2Ban] : started\nFrom: Fail2Ban <>\nTo: \\n\nHi,\\n\nThe jail has been started successfully.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f ']
['set', 'ssh-iptables', 'actionunban', 'sendmail-whois', '']
['set', 'ssh-iptables', 'actioncheck', 'sendmail-whois', '']
['set', 'ssh-iptables', 'setcinfo', 'sendmail-whois', 'dest', 'root@enyim.hu']
['set', 'ssh-iptables', 'setcinfo', 'sendmail-whois', 'name', 'SSH']
['set', 'ssh-iptables', 'setcinfo', 'sendmail-whois', 'sender', 'fail2ban@enyim.hu']
['add', 'sasl-iptables', 'auto']
['set', 'sasl-iptables', 'addlogpath', '/var/log/maillog']
['set', 'sasl-iptables', 'maxretry', 3]
['set', 'sasl-iptables', 'addignoreip', '127.0.0.1']
['set', 'sasl-iptables', 'findtime', 7200]
['set', 'sasl-iptables', 'bantime', 7200]
['set', 'sasl-iptables', 'addfailregex', ': warning: [-._\\w]+\\[\\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed']
['set', 'sasl-iptables', 'addaction', 'iptables']
['set', 'sasl-iptables', 'actionban', 'iptables', 'iptables -I fail2ban- 1 -s -j DROP']
['set', 'sasl-iptables', 'actionstop', 'iptables', 'iptables -D INPUT -p
--dport
-j fail2ban-\niptables -F fail2ban-\niptables -X fail2ban-']
['set', 'sasl-iptables', 'actionstart', 'iptables', 'iptables -N fail2ban-\niptables -A fail2ban- -j RETURN\niptables -I INPUT -p
--dport
-j fail2ban-']
['set', 'sasl-iptables', 'actionunban', 'iptables', 'iptables -D fail2ban- -s -j DROP']
['set', 'sasl-iptables', 'actioncheck', 'iptables', 'iptables -n -L INPUT | grep -q fail2ban-']
['set', 'sasl-iptables', 'setcinfo', 'iptables', 'protocol', 'tcp']
['set', 'sasl-iptables', 'setcinfo', 'iptables', 'name', 'sasl']
['set', 'sasl-iptables', 'setcinfo', 'iptables', 'port', 'smtp']
['set', 'sasl-iptables', 'addaction', 'sendmail-whois']
['set', 'sasl-iptables', 'actionban', 'sendmail-whois', 'printf %b "Subject: [Fail2Ban] : banned \nFrom: Fail2Ban <>\nTo: \\n\nHi,\\n\nThe IP has just been banned by Fail2Ban after\n attempts against .\\n\\n\nHere are more information about :\\n\n`/usr/bin/whois `\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f ']
['set', 'sasl-iptables', 'actionstop', 'sendmail-whois', 'printf %b "Subject: [Fail2Ban] : stopped\nFrom: Fail2Ban <>\nTo: \\n\nHi,\\n\nThe jail has been stopped.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f ']
['set', 'sasl-iptables', 'actionstart', 'sendmail-whois', 'printf %b "Subject: [Fail2Ban] : started\nFrom: Fail2Ban <>\nTo: \\n\nHi,\\n\nThe jail has been started successfully.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f ']
['set', 'sasl-iptables', 'actionunban', 'sendmail-whois', '']
['set', 'sasl-iptables', 'actioncheck', 'sendmail-whois', '']
['set', 'sasl-iptables', 'setcinfo', 'sendmail-whois', 'dest', 'root@enyim.hu']
['set', 'sasl-iptables', 'setcinfo', 'sendmail-whois', 'name', 'sasl']
['set', 'sasl-iptables', 'setcinfo', 'sendmail-whois', 'sender', 'fail2ban@enyim.hu']
['start', 'Dovecot-iptables']
['start', 'ssh-iptables']
['start', 'sasl-iptables']
Comments
up.
What do you think I'm doing wrong?
Upgrading to CentOS 5.2 solved the problem.
Regards,
Gabriel
P.S. Why do I have to deviate from Debian?!
I don't want to open a new topic for this.
This is what keeps piling up:
That's it. The attempts keep going, and the attacker doesn't end up in iptables. WTF?
It only tries 3 times within 1 second, then waits.
Very sneaky.
This doesn't cause a problem for me. 3 failed attempts, even minutes apart -> 24-hour ban.
Default configuration, plus a few custom jails in jail.local.
I just read off what I saw.
Furthermore:
2011-05-31 13:47:40,210 fail2ban.filter : INFO Set maxRetry = 5
The asker should set this back to 3.
All of this without restarting the server which is carefully watching your log files during the operation. Mmmmhhh... Three retries are a bit too aggressive? Change the setting with:
# ./fail2ban-client set ssh maxretry 5
I guess that's where it came from :)
The 5 attempts did happen, so this makes no difference.
Back in the day I only found one way to cripple the program: if I deleted its iptables chains, so it had nothing to attach the new rules to.
But after a program restart it recreates them and carries on. The real trouble is when an automatic script overwrites the rules.
But if findtime is set to 1200 and maxretry to 5, then my config is _in theory_ fine. :) That it doesn't work in practice is another matter, and that's what I'm looking for a solution to.
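To make the findtime/maxretry discussion concrete, here is an added example (not from the thread or from fail2ban itself) that replays fail2ban's per-host sliding window over constructed Dovecot log lines using the Dovecot failregex from the config dump above; the `(?P<host>...)` group name is restored as an assumption (the pasted dump lost the `<host>` part), and the sample log lines and addresses are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Dovecot failregex from the config dump, with the capture group restored as
# fail2ban's conventional (?P<host>...); the group name is an assumption here.
DOVECOT_FAILREGEX = re.compile(r"Info.*(?:Aborted login).*rip=(?:::f{4,6}:)?(?P<host>\S*)")
SYSLOG_TS = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) ")

# Constructed sample lines (not real traffic): three failures inside one second
# from 203.0.113.7, a successful login from another host, then two more
# failures from 203.0.113.7 about four and a half minutes later.
SAMPLE_LOG = """\
May 31 13:47:40 mail dovecot: pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<a>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.2
May 31 13:47:40 mail dovecot: pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<b>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.2
May 31 13:47:40 mail dovecot: pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<c>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.2
May 31 13:47:41 mail dovecot: imap-login: Info: Login: user=<alice>, method=PLAIN, rip=203.0.113.9, lip=198.51.100.2
May 31 13:52:10 mail dovecot: pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<d>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.2
May 31 13:52:10 mail dovecot: pop3-login: Info: Aborted login (auth failed, 1 attempts): user=<e>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.2
"""

def log_seconds(line):
    """Syslog timestamps carry no year; measure seconds from a fixed origin."""
    m = SYSLOG_TS.match(line)
    if not m:
        return None
    dt = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
    return (dt - datetime(1900, 1, 1)).total_seconds()

def simulate_jail(log, failregex, maxretry, findtime):
    """Ban a host once it has maxretry matching failures within the last
    findtime seconds. Returns (number of failregex matches, list of banned hosts)."""
    recent = defaultdict(deque)
    bans, matches = [], 0
    for line in log.splitlines():
        ts, m = log_seconds(line), failregex.search(line)
        if ts is None or not m:
            continue
        matches += 1
        # The regex ends in \S*, so with Dovecot's "rip=1.2.3.4," format the
        # captured host keeps the trailing comma; strip it before banning.
        host = m.group("host").rstrip(",")
        window = recent[host]
        window.append(ts)
        while window and ts - window[0] > findtime:  # expire old failures
            window.popleft()
        if len(window) >= maxretry:
            bans.append(host)
            window.clear()  # fail2ban starts counting afresh after a ban
    return matches, bans
```

With the thread's Dovecot settings (maxretry 3, findtime 7200) the burst of three alone triggers the ban; with maxretry 5 and findtime 1200 the two later failures still fall inside the window and the host is banned on the fifth failure, but with a findtime shorter than the gap between bursts it never is.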
In Jail.conf there is a "backend" option, this can be set to "gamin", "polling" or "auto" which chooses whatever method is available.
If I set this to "polling" Fail2Ban started working but "auto" or "gamin"! it didn't.
Eh?
In my jail.conf there is backend = polling.
fail2ban-regex /var/log/messages /etc/fail2ban/filter.d/dovecot.conf
fail2ban isn't working? So fail2ban fail 2 ban?