Hi,
Large, repetitive logs led me to write a new regex for the sshd.conf filter.
Out of the box, Fail2ban didn't bat an eye!
[quote]Oct 3 21:37:04 yunohost sshd[20004]: warning: /etc/hosts.allow, line 14: can’t verify hostname: getaddrinfo(adsl186-29130105.din.etb.net.co, AF_INET) failed
Oct 3 21:37:05 yunohost sshd[20004]: reverse mapping checking getaddrinfo for adsl186-29130105.din.etb.net.co [186.29.130.105] failed - POSSIBLE BREAK-IN ATTEMPT!
…
…
…
Oct 5 00:27:03 yunohost sshd[13256]: reverse mapping checking getaddrinfo for adsl186-28235088.sta.etb.net.co [186.28.235.88] failed - POSSIBLE BREAK-IN ATTEMPT!
Oct 5 00:27:03 yunohost sshd[13257]: Received disconnect from 186.28.235.88: 11: Goodbye
Oct 5 00:27:08 yunohost sshd[13302]: warning: /etc/hosts.allow, line 14: can't verify hostname: getaddrinfo(adsl186-28235088.sta.etb.net.co, AF_INET) failed
Oct 5 00:27:12 yunohost sshd[13302]: reverse mapping checking getaddrinfo for adsl186-28235088.sta.etb.net.co [186.28.235.88] failed - POSSIBLE BREAK-IN ATTEMPT!
Oct 5 00:27:12 yunohost sshd[13303]: Received disconnect from 186.28.235.88: 11: Goodbye
[/quote]
* edit *
Notes:
fail2ban installed: 0.8.6-3 0
Requires: python-gamin
[quote="/etc/fail2ban/jail.conf"]# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto".
# yoh: For some reason Debian shipped python-gamin didn't work as expected
#      This issue left ToDo, so polling is default backend for now
backend = auto
[/quote]
To do this, just add this new regex.
[quote] ~ # cat /etc/fail2ban/filter.d/sshd.conf
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision$
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

_daemon = sshd

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$
            ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
            ^%(__prefix_line)sFailed (?:password|publickey) for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$
            ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
            ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers$
            ^%(__prefix_line)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
            ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
            ^%(__prefix_line)sAddress <HOST> .* POSSIBLE BREAK-IN ATTEMPT!\s*$
            ^%(__prefix_line)sreverse mapping checking getaddrinfo for .* \[<HOST>\] failed - POSSIBLE BREAK-IN ATTEMPT!\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
[/quote]
Test it to convince yourself.
[quote]~ # fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf
Running tests
Use regex file : /etc/fail2ban/filter.d/sshd.conf
Use log file : /var/log/auth.log
Results
Failregex
|- Regular expressions:
…
| [10] ^\s*(?:\S+ )?(?:kernel: [\d+.\d+] )?(?:@vserver_\S+ )?(?:(?:[\d+])?:\s+[[(]?sshd(?:(\S+))?[])]?:?|[[(]?sshd(?:(\S+))?[])]?:?(?:[\d+])?:)?\sreverse mapping checking getaddrinfo for . [] failed - POSSIBLE BREAK-IN ATTEMPT!\s*$
`- Number of matches:
[1] 0 match(es)
[2] 0 match(es)
[3] 0 match(es)
[4] 0 match(es)
[5] 2 match(es)
[6] 0 match(es)
[7] 0 match(es)
[8] 0 match(es)
[9] 0 match(es)
[10] 417 match(es)
[11] 0 match(es)
Ignoreregex
|- Regular expressions:
|
`- Number of matches:
Summary
Addresses found:
[1]
[2]
[3]
[4]
[5]
114.141.180.109 (Thu Oct 04 20:17:50 2012)
199.115.230.96 (Fri Oct 05 00:10:38 2012)
[6]
[7]
[8]
[9]
[10]
186.29.130.105 (Wed Oct 03 21:35:16 2012)
186.29.130.105 (Wed Oct 03 21:37:05 2012)
184.22.105.30 (Thu Oct 04 17:11:51 2012)
184.22.105.30 (Thu Oct 04 17:11:52 2012)
184.22.105.30 (Thu Oct 04 17:11:53 2012)
184.22.105.30 (Thu Oct 04 17:11:54 2012)
184.22.105.30 (Thu Oct 04 17:11:55 2012)
184.22.105.30 (Thu Oct 04 17:11:56 2012)
…
190.221.26.51 (Thu Oct 04 21:36:40 2012)
190.221.26.51 (Thu Oct 04 21:36:57 2012)
190.221.26.51 (Thu Oct 04 21:37:31 2012)
190.221.26.51 (Thu Oct 04 21:37:54 2012)
190.221.26.51 (Thu Oct 04 21:38:08 2012)
190.221.26.51 (Thu Oct 04 21:38:22 2012)
190.221.26.51 (Thu Oct 04 21:38:33 2012)
190.221.26.51 (Thu Oct 04 21:38:45 2012)
190.221.26.51 (Thu Oct 04 21:38:58 2012)
190.221.26.51 (Thu Oct 04 21:39:10 2012)
190.221.26.51 (Thu Oct 04 21:39:22 2012)
190.221.26.51 (Thu Oct 04 21:39:33 2012)
190.221.26.51 (Thu Oct 04 21:39:45 2012)
190.221.26.51 (Thu Oct 04 21:39:59 2012)
190.221.26.51 (Thu Oct 04 21:40:13 2012)
190.221.26.51 (Thu Oct 04 21:40:26 2012)
190.221.26.51 (Thu Oct 04 21:40:41 2012)
190.221.26.51 (Thu Oct 04 21:40:55 2012)
190.221.26.51 (Thu Oct 04 21:41:11 2012)
190.221.26.51 (Thu Oct 04 21:41:26 2012)
190.221.26.51 (Thu Oct 04 21:41:40 2012)
190.221.26.51 (Thu Oct 04 21:41:56 2012)
190.221.26.51 (Thu Oct 04 21:42:08 2012)
190.221.26.51 (Thu Oct 04 21:42:17 2012) …
190.221.26.51 (Thu Oct 04 21:47:43 2012)
190.221.26.51 (Thu Oct 04 21:47:55 2012)
186.28.235.88 (Fri Oct 05 00:27:03 2012)
186.28.235.88 (Fri Oct 05 00:27:12 2012)
186.28.235.88 (Fri Oct 05 00:29:45 2012)
186.28.235.88 (Fri Oct 05 00:30:09 2012)
186.28.235.88 (Fri Oct 05 00:30:46 2012)
186.28.235.88 (Fri Oct 05 00:31:30 2012)
[11]
Date template hits:
94964 hit(s): MONTH Day Hour:Minute:Second
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
0 hit(s): Year/Month/Day Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/MONTH/Year:Hour:Minute:Second
0 hit(s): Month/Day/Year:Hour:Minute:Second
0 hit(s): Year-Month-Day Hour:Minute:Second
0 hit(s): Year.Month.Day Hour:Minute:Second
0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
0 hit(s): Day-Month-Year Hour:Minute:Second
0 hit(s): TAI64N
0 hit(s): Epoch
0 hit(s): ISO 8601
0 hit(s): Hour:Minute:Second
0 hit(s): <Month/Day/Year@Hour:Minute:Second>
Success, the total number of match is 419
However, look at the above section ‘Running tests’ which could contain important
information.
~ # [/quote]
.-.
/v\
// \\
/( )\
^^-^^ . ^¿^ .
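A way to check what the new regex actually catches before relying on fail2ban-regex, added here as an example and not part of the post above: a small Python script that expands `<HOST>` into the alias the sshd.conf comment documents, runs both the stock `Address <HOST> .* POSSIBLE BREAK-IN ATTEMPT!` regex and the new `reverse mapping checking getaddrinfo` regex over the log lines quoted in the post, and returns the matched hosts and their per-host counts. The `PREFIX_LINE` used here is a simplified stand-in for fail2ban's `__prefix_line` (an assumption, not the definition from common.conf), and the function names are mine.

```python
import re
from collections import Counter

# Simplified stand-in for fail2ban's __prefix_line (an assumption: NOT the
# definition from common.conf, only enough to consume "Mon DD HH:MM:SS host sshd[pid]: ").
PREFIX_LINE = r"\s*\S+\s+\d+\s+\d+:\d+:\d+\s+\S+\s+sshd(?:\[\d+\])?:\s*"

# What the sshd.conf comment says the <HOST> tag is an alias for.
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# The closest stock pattern, and the new pattern added to sshd.conf in the post.
STOCK_ADDRESS_REGEX = r"^%(__prefix_line)sAddress <HOST> .* POSSIBLE BREAK-IN ATTEMPT!\s*$"
NEW_REVERSE_MAPPING_REGEX = (
    r"^%(__prefix_line)sreverse mapping checking getaddrinfo for .* \[<HOST>\] failed"
    r" - POSSIBLE BREAK-IN ATTEMPT!\s*$"
)

# Constructed sample: the auth.log lines quoted in the post, with syslog's two-space day padding.
SAMPLE_LINES = [
    "Oct  3 21:37:04 yunohost sshd[20004]: warning: /etc/hosts.allow, line 14: can't verify hostname: getaddrinfo(adsl186-29130105.din.etb.net.co, AF_INET) failed",
    "Oct  3 21:37:05 yunohost sshd[20004]: reverse mapping checking getaddrinfo for adsl186-29130105.din.etb.net.co [186.29.130.105] failed - POSSIBLE BREAK-IN ATTEMPT!",
    "Oct  5 00:27:03 yunohost sshd[13256]: reverse mapping checking getaddrinfo for adsl186-28235088.sta.etb.net.co [186.28.235.88] failed - POSSIBLE BREAK-IN ATTEMPT!",
    "Oct  5 00:27:03 yunohost sshd[13257]: Received disconnect from 186.28.235.88: 11: Goodbye",
    "Oct  5 00:27:08 yunohost sshd[13302]: warning: /etc/hosts.allow, line 14: can't verify hostname: getaddrinfo(adsl186-28235088.sta.etb.net.co, AF_INET) failed",
    "Oct  5 00:27:12 yunohost sshd[13302]: reverse mapping checking getaddrinfo for adsl186-28235088.sta.etb.net.co [186.28.235.88] failed - POSSIBLE BREAK-IN ATTEMPT!",
    "Oct  5 00:27:12 yunohost sshd[13303]: Received disconnect from 186.28.235.88: 11: Goodbye",
]


def compile_failregex(failregex):
    """Expand %(__prefix_line)s and <HOST> the way fail2ban does, then compile."""
    expanded = failregex % {"__prefix_line": PREFIX_LINE}
    return re.compile(expanded.replace("<HOST>", HOST_ALIAS))


def find_hosts(failregex, lines):
    """Return the <host> group of every line the failregex matches, in log order."""
    pattern = compile_failregex(failregex)
    return [m.group("host") for m in map(pattern.match, lines) if m]


def failures_per_host(failregex, lines):
    """Per-host failure counts: the number a jail compares against maxretry."""
    return Counter(find_hosts(failregex, lines))


if __name__ == "__main__":
    for name, regex in (("stock Address", STOCK_ADDRESS_REGEX),
                        ("new reverse mapping", NEW_REVERSE_MAPPING_REGEX)):
        print(f"{name}: {dict(failures_per_host(regex, SAMPLE_LINES))}")
```

The stock regex returns nothing on these lines, which is the silence the post describes; the new one returns one host per "reverse mapping" line and ignores the "warning:" and "Received disconnect" lines around them. sshd emits this message for any client whose reverse DNS does not resolve back to its address, so whether a host actually gets banned depends on the jail's `maxretry` and `findtime`: the per-host count is what the jail compares, not the single line.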