Postfix fail2ban

Hello,

For a while now I've been getting this in the Postfix log:

Nov 13 05:55:40  postfix/smtpd[20574]: warning: 96.44.189.217: address not listed for hostname 96.44.189.217.static.quadranet.com
Nov 13 05:55:40  postfix/smtpd[20574]: connect from unknown[96.44.189.217]
Nov 13 05:55:40  postfix/smtpd[20577]: warning: 96.44.189.217: address not listed for hostname 96.44.189.217.static.quadranet.com
Nov 13 05:55:40  postfix/smtpd[20577]: connect from unknown[96.44.189.217]
Nov 13 05:55:40  postfix/smtpd[20578]: warning: 96.44.189.217: address not listed for hostname 96.44.189.217.static.quadranet.com
Nov 13 05:55:40  postfix/smtpd[20578]: connect from unknown[96.44.189.217]
Nov 13 05:55:43  postfix/smtpd[20579]: warning: 96.44.189.217: address not listed for hostname 96.44.189.217.static.quadranet.com
Nov 13 05:55:44  postfix/smtpd[20578]: warning: unknown[96.44.189.217]: SASL LOGIN authentication failed: encryption needed to use mechanism
Nov 13 05:55:44  postfix/smtpd[20574]: warning: unknown[96.44.189.217]: SASL LOGIN authentication failed: encryption needed to use mechanism
Nov 13 05:55:45  postfix/smtpd[20577]: warning: unknown[96.44.189.217]: SASL LOGIN authentication failed: encryption needed to use mechanism
Nov 13 05:55:45  postfix/smtpd[20587]: warning: 96.44.189.217: address not listed for hostname 96.44.189.217.static.quadranet.com
Nov 13 05:55:45  postfix/smtpd[20587]: connect from unknown[96.44.189.217]
Nov 13 05:55:45  postfix/smtpd[20588]: warning: 96.44.189.217: address not listed for hostname 96.44.189.217.static.quadranet.com
Nov 13 05:55:45  postfix/smtpd[20588]: connect from unknown[96.44.189.217]
Nov 13 05:55:45  postfix/smtpd[20589]: warning: 96.44.189.217: address not listed for hostname 96.44.189.217.static.quadranet.com
Nov 13 05:55:45  postfix/smtpd[20589]: connect from unknown[96.44.189.217]
Nov 13 05:55:46  postfix/smtpd[20578]: lost connection after AUTH from unknown[96.44.189.217]
Nov 13 05:55:46  postfix/smtpd[20578]: disconnect from unknown[96.44.189.217]
Nov 13 05:55:46  postfix/smtpd[20574]: lost connection after AUTH from unknown[96.44.189.217]
Nov 13 05:55:46  postfix/smtpd[20574]: disconnect from unknown[96.44.189.217]
Nov 13 05:55:46  postfix/smtpd[20577]: lost connection after AUTH from unknown[96.44.189.217]
Nov 13 05:55:46  postfix/smtpd[20577]: disconnect from unknown[96.44.189.217]
Nov 13 05:55:47  postfix/smtpd[20578]: warning: 96.44.189.217: address not listed for hostname 96.44.189.217.static.quadranet.com
Nov 13 05:55:47  postfix/smtpd[20578]: connect from unknown[96.44.189.217]
Nov 13 05:55:47  postfix/smtpd[20580]: warning: unknown[96.44.189.217]: SASL LOGIN authentication failed: encryption needed to use mechanism
Nov 13 05:55:48  postfix/smtpd[20581]: warning: unknown[96.44.189.217]: SASL LOGIN authentication failed: encryption needed to use mechanism
Nov 13 05:55:48  postfix/smtpd[20579]: warning: unknown[96.44.189.217]: SASL LOGIN authentication failed: encryption needed to use mechanism
Nov 13 05:55:48  postfix/smtpd[20583]: warning: unknown[96.44.189.217]: SASL LOGIN authentication failed: encryption needed to use mechanism
Nov 13 05:55:48  postfix/smtpd[20582]: warning: unknown[96.44.189.217]: SASL LOGIN authentication failed: encryption needed to use mechanism
Nov 13 05:55:48  postfix/smtpd[20586]: warning: unknown[96.44.189.217]: SASL LOGIN authentication failed: encryption needed to use mechanism
Nov 13 05:55:48  postfix/smtpd[20585]: warning: unknown[96.44.189.217]: SASL LOGIN authentication failed: encryption needed to use mechanism
Nov 13 05:55:48  postfix/smtpd[20584]: warning: unknown[96.44.189.217]: SASL LOGIN authentication failed: encryption needed to use mechanism
Nov 13 05:55:48  postfix/smtpd[20577]: warning: 96.44.189.217: address not listed for hostname 96.44.189.217.static.quadranet.com
Nov 13 05:55:48  postfix/smtpd[20577]: connect from unknown[96.44.189.217]
Nov 13 05:55:49  postfix/smtpd[20580]: lost connection after AUTH from unknown[96.44.189.217]
Nov 13 05:55:49  postfix/smtpd[20580]: disconnect from unknown[96.44.189.217]
Nov 13 05:55:49  postfix/smtpd[20579]: lost connection after AUTH from unknown[96.44.189.217]
Nov 13 05:55:49  postfix/smtpd[20579]: disconnect from unknown[96.44.189.217]
Nov 13 05:55:49  postfix/smtpd[20581]: lost connection after AUTH from unknown[96.44.189.217]

I do have fail2ban enabled, but clearly it isn't doing anything...
In the fail2ban log:

2012-11-11 12:41:20,470 fail2ban.jail   : INFO   Jail 'courierauth' stopped
2012-11-11 12:41:20,470 fail2ban.server : INFO   Exiting Fail2ban
2012-11-11 12:42:07,615 fail2ban.server : INFO   Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.4-SVN
2012-11-11 12:42:07,615 fail2ban.jail   : INFO   Creating new jail 'couriersmtp'
2012-11-11 12:42:07,616 fail2ban.jail   : INFO   Jail 'couriersmtp' uses poller
2012-11-11 12:42:07,627 fail2ban.filter : INFO   Added logfile = /var/log/mail.log
2012-11-11 12:42:07,628 fail2ban.filter : INFO   Set maxRetry = 5
2012-11-11 12:42:07,628 fail2ban.filter : INFO   Set findtime = 600
2012-11-11 12:42:07,629 fail2ban.actions: INFO   Set banTime = 3600
2012-11-11 12:42:07,632 fail2ban.jail   : INFO   Creating new jail 'postfix'
2012-11-11 12:42:07,632 fail2ban.jail   : INFO   Jail 'postfix' uses poller
2012-11-11 12:42:07,633 fail2ban.filter : INFO   Added logfile = /var/log/mail.log
2012-11-11 12:42:07,633 fail2ban.filter : INFO   Set maxRetry = 5
2012-11-11 12:42:07,634 fail2ban.filter : INFO   Set findtime = 600
2012-11-11 12:42:07,634 fail2ban.actions: INFO   Set banTime = 3600
2012-11-11 12:42:07,637 fail2ban.jail   : INFO   Creating new jail 'sasl'
2012-11-11 12:42:07,637 fail2ban.jail   : INFO   Jail 'sasl' uses poller
2012-11-11 12:42:07,638 fail2ban.filter : INFO   Added logfile = /var/log/mail.log
2012-11-11 12:42:07,638 fail2ban.filter : INFO   Set maxRetry = 5
2012-11-11 12:42:07,639 fail2ban.filter : INFO   Set findtime = 600
2012-11-11 12:42:07,639 fail2ban.actions: INFO   Set banTime = 3600
2012-11-11 12:42:07,643 fail2ban.jail   : INFO   Creating new jail 'courierauth'
2012-11-11 12:42:07,643 fail2ban.jail   : INFO   Jail 'courierauth' uses poller
2012-11-11 12:42:07,644 fail2ban.filter : INFO   Added logfile = /var/log/mail.log
2012-11-11 12:42:07,644 fail2ban.filter : INFO   Set maxRetry = 5
2012-11-11 12:42:07,645 fail2ban.filter : INFO   Set findtime = 600
2012-11-11 12:42:07,645 fail2ban.actions: INFO   Set banTime = 3600
2012-11-11 12:42:07,649 fail2ban.jail   : INFO   Jail 'couriersmtp' started
2012-11-11 12:42:07,651 fail2ban.jail   : INFO   Jail 'postfix' started
2012-11-11 12:42:07,651 fail2ban.jail   : INFO   Jail 'sasl' started
2012-11-11 12:42:07,652 fail2ban.jail   : INFO   Jail 'courierauth' started

cat /etc/fail2ban/
action.d/      fail2ban.conf  filter.d/      jail.conf      jail.conf.org  
ks29075:~# cat /etc/fail2ban/jail.conf
# Fail2Ban configuration file.
#
# This file was composed for Debian systems from the original one
#  provided now under /usr/share/doc/fail2ban/examples/jail.conf
#  for additional examples.
#
# To avoid merges during upgrades DO NOT MODIFY THIS FILE
# and rather provide your changes in /etc/fail2ban/jail.local
#
# Author: Yaroslav O. Halchenko <debian@onerussian.com>
#
# $Revision: 281 $
#

# The DEFAULT allows a global definition of the options. They can be override
# in each jail afterwards.

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1
bantime  = 3600
maxretry = 5

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto".
# yoh: For some reason Debian shipped python-gamin didn't work as expected
#      This issue left ToDo, so polling is default backend for now
backend = polling

#
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = root@localhost

#
# ACTIONS
#

# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define 
# action_* variables. Can be overriden globally or per 
# section within jail.local file
banaction = iptables-multiport

# email action. Since 0.8.1 upstream fail2ban uses sendmail
# MTA for the mailing. Change mta configuration parameter to mail
# if you want to revert to conventional 'mail'.
mta = sendmail

# Default protocol
protocol = tcp

#
# Action shortcuts. To be used to define action parameter

# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s]

# ban & send an e-mail with whois report to the destemail.
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s]
              %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s]

# ban & send an e-mail with whois report and relevant log lines
# to the destemail.
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s]
               %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s]
 
# Choose default action.  To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g.  action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section 
action = %(action_)s

#
# JAILS
#

# Next jails corresponds to the standard configuration in Fail2ban 0.6 which
# was shipped in Debian. Enable any defined here jail by including
#
# [SECTION_NAME] 
# enabled = true

#
# in /etc/fail2ban/jail.local.
#
# Optionally you may override any other parameter (e.g. banaction,
# action, port, logpath, etc) in that section within jail.local

[ssh]

enabled = false
port    = ssh
filter  = sshd
logpath  = /var/log/auth.log
maxretry = 6

# Generic filter for pam. Has to be used with action which bans all ports
# such as iptables-allports, shorewall
[pam-generic]

enabled = false
# pam-generic filter can be customized to monitor specific subset of 'tty's
filter  = pam-generic
# port actually must be irrelevant but lets leave it all for some possible uses
port = all
banaction = iptables-allports
port     = anyport
logpath  = /var/log/auth.log
maxretry = 6

[xinetd-fail]

enabled   = false
filter    = xinetd-fail
port      = all
banaction = iptables-multiport-log
logpath   = /var/log/daemon.log
maxretry  = 2


[ssh-ddos]

enabled = false
port    = ssh
filter  = sshd-ddos
logpath  = /var/log/auth.log
maxretry = 6

#
# HTTP servers
#

[apache]

enabled = false
port    = http,https
filter  = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 6

# default action is now multiport, so apache-multiport jail was left
# for compatibility with previous (<0.7.6-2) releases
[apache-multiport]

enabled   = false
port      = http,https
filter    = apache-auth
logpath   = /var/log/apache*/*error.log
maxretry  = 6

[apache-noscript]

enabled = false
port    = http,https
filter  = apache-noscript
logpath = /var/log/apache*/*error.log
maxretry = 6

[apache-overflows]

enabled = false
port    = http,https
filter  = apache-overflows
logpath = /var/log/apache*/*error.log
maxretry = 2

#
# FTP servers
#

[vsftpd]

enabled  = false
port     = ftp,ftp-data,ftps,ftps-data
filter   = vsftpd
logpath  = /var/log/vsftpd.log
# or overwrite it in jails.local to be
# logpath = /var/log/auth.log
# if you want to rely on PAM failed login attempts
# vsftpd's failregex should match both of those formats
maxretry = 6


[proftpd]

enabled  = false
port     = ftp,ftp-data,ftps,ftps-data
filter   = proftpd
logpath  = /var/log/proftpd/proftpd.log
maxretry = 6


[wuftpd]

enabled  = false
port     = ftp,ftp-data,ftps,ftps-data
filter   = wuftpd
logpath  = /var/log/auth.log
maxretry = 6


#
# Mail servers
#

[postfix]

enabled  = true
port     = smtp,ssmtp
filter   = postfix
logpath  = /var/log/mail.log


[couriersmtp]

enabled  = true
port     = smtp,ssmtp
filter   = couriersmtp
logpath  = /var/log/mail.log


#
# Mail servers authenticators: might be used for smtp,ftp,imap servers, so
# all relevant ports get banned
#

[courierauth]

enabled  = true
port     = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter   = courierlogin
logpath  = /var/log/mail.log


[sasl]

enabled  = true
port     = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter   = sasl
# You might consider monitoring /var/log/warn.log instead
# if you are running postfix. See http://bugs.debian.org/507990
logpath  = /var/log/mail.log


# DNS Servers


# These jails block attacks against named (bind9). By default, logging is off
# with bind9 installation. You will need something like this:
#
# logging {
#     channel security_file {
#         file "/var/log/named/security.log" versions 3 size 30m;
#         severity dynamic;
#         print-time yes;
#     };
#     category security {
#         security_file;
#     };
# };
#
# in your named.conf to provide proper logging

# !!! WARNING !!!
#   Since UDP is connectionless protocol, spoofing of IP and immitation
#   of illegal actions is way too simple.  Thus enabling of this filter
#   might provide an easy way for implementing a DoS against a chosen
#   victim. See
#    http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
#   Please DO NOT USE this jail unless you know what you are doing.
#[named-refused-udp]
#
#enabled  = false
#port     = domain,953
#protocol = udp
#filter   = named-refused
#logpath  = /var/log/named/security.log

[named-refused-tcp]

enabled  = false
port     = domain,953
protocol = tcp
filter   = named-refused
logpath  = /var/log/named/security.log

I wonder whether fail2ban is enough...?
Maybe misconfigured, but where and what? :doh:

Thanks in advance

Test your filters against your logs to see (and adapt them if needed).

Example:

fail2ban-regex /var/log/mail.log.1 /etc/fail2ban/filter.d/sasl.conf

Hi,

Might Apache be at fault... Fail2ban unable to find a matching IP address :think:

A remark in passing: I find you very, very generous with the number of attempts you allow... :033

An average of...

maxretry = 6

Moreover, IMHO this contradicts fail2ban's default behaviour,
namely... a one-hour ban with 5 attempts allowed.

Yet by default (from memory), fail2ban (original config) bans for 10 minutes and allows 3 attempts.

bantime = 600
maxretry = 3

Here are your defaults:

bantime = 3600
maxretry = 5

And despite (the default config you impose), you have a different value for the allowed attempts on all your filters:

maxretry = X

IMHO, for those individual parameters to take effect, you would need to comment out the following lines at the top of the file,
without forgetting to add an appropriate (individual) bantime there. :033

[code]# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1

bantime = 3600

maxretry = 5[/code]

Thanks for your replies.

So here is the result of the test:

# fail2ban-regex /var/log/mail.log.1 /etc/fail2ban/filter.d/sasl.conf
/usr/share/fail2ban/server/filter.py:442: DeprecationWarning: the md5 module is deprecated; use hashlib instead
  import md5

Running tests
=============

Use regex file : /etc/fail2ban/filter.d/sasl.conf
Use log file   : /var/log/mail.log.1


Results
=======

Failregex
|- Regular expressions:
|  [1] (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+/]*={0,2})?$
|
`- Number of matches:
   [1] 0 match(es)

Ignoreregex
|- Regular expressions:
|
`- Number of matches:

Summary
=======

Sorry, no match

Look at the above section 'Running tests' which could contain important
information.

Does the problem seem to come from there?

[quote="loreleil"]A remark in passing: I find you very, very generous with the number of attempts you allow... :033[/quote]

Er? An average??
I don't want an average, I want the ban to last an hour after 5 attempts.
And in the logs it isn't 5 attempts but roughly 300+..., so 3 or 5 won't change much :think:
As for the 3600 duration, that's intentional, because 10 minutes isn't enough. :unamused:

I don't think the general parameters interfere with the individual ones. By that I mean the individual ones take precedence and the rest is ignored. Or am I wrong?

Another question: what happens if I comment out this line?

ignoreip = 127.0.0.1

Won't that ban the machine's local network? :confused:
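
An added example (not code from this thread or from fail2ban itself) showing how a jail.conf-style file resolves the question above, i.e. what a jail actually runs with when [DEFAULT] sets maxretry/bantime and the jail section sets its own. fail2ban 0.8 reads its configuration with Python's ConfigParser, where every option in [DEFAULT] is a fallback that a jail section overrides simply by setting the same key. The excerpt below is constructed to mirror the posted jail.conf, with a simplified action line (the real file's %(__name__)s relies on an old ConfigParser quirk that Python 3 no longer provides) and a constructed per-jail bantime for [sasl]; it assumes Python 3's configparser behaves like the SafeConfigParser of that era for DEFAULT fallback and %(name)s interpolation.

```python
import configparser

# Constructed excerpt mirroring the shape of the jail.conf posted in the thread.
# The action line is simplified: the real file's %(__name__)s relies on a
# ConfigParser quirk that Python 3 no longer provides. The [sasl] bantime
# override is constructed for the demonstration.
JAIL_CONF = """\
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip  = 127.0.0.1
bantime   = 3600
maxretry  = 5
banaction = iptables-multiport
protocol  = tcp
action_   = %(banaction)s[port="%(port)s", protocol="%(protocol)s"]
action    = %(action_)s

[ssh]
enabled  = false
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 6

[sasl]
enabled  = true
port     = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter   = sasl
logpath  = /var/log/mail.log
bantime  = 86400
"""

# Options a jail needs; each is looked up in the jail's own section first,
# then in [DEFAULT], exactly as ConfigParser does.
JAIL_KEYS = ("enabled", "port", "filter", "logpath", "maxretry", "bantime",
             "ignoreip", "action")


def load_jails(text):
    """Parse jail.conf-style text: [DEFAULT] supplies fallbacks and %(name)s
    references are expanded in the context of the section being read."""
    parser = configparser.ConfigParser(interpolation=configparser.BasicInterpolation())
    parser.read_string(text)
    return parser


def effective_settings(parser, jail):
    """The values a jail actually runs with (own value if set, else DEFAULT)."""
    return {key: parser.get(jail, key) for key in JAIL_KEYS}


def overridden_keys(parser, jail):
    """Keys whose raw value in the jail section differs from [DEFAULT]
    (a jail that repeats the default value verbatim is not reported)."""
    defaults = parser.defaults()
    return sorted(key for key, value in parser.items(jail, raw=True)
                  if defaults.get(key) != value)


def enabled_jails(parser):
    """Jails that would actually be started."""
    return [name for name in parser.sections() if parser.getboolean(name, "enabled")]


if __name__ == "__main__":
    cfg = load_jails(JAIL_CONF)
    for jail in cfg.sections():
        print(f"[{jail}] overrides {overridden_keys(cfg, jail)}")
        for key, value in effective_settings(cfg, jail).items():
            print(f"  {key:9s} = {value}")
    print("enabled:", enabled_jails(cfg))
```

Running it prints, per jail, the values in force: ssh keeps its own maxretry = 6 while inheriting bantime = 3600 and ignoreip from [DEFAULT], and sasl inherits maxretry = 5 but uses its own bantime. Nothing in [DEFAULT] has to be commented out for a per-jail value to win. Commenting out ignoreip only drops the exemption for 127.0.0.1; it does not ban anything by itself, but a local process that produces matching failures could then get the local address banned.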

Hi,

  • What I wanted you to grasp is that (for example) the maxretry for ssh could profitably be brought down to 1... for instance!

  • Which version do you have (fail2ban)? Wheezy? Squeeze?

  • As for bantime, it can also be increased... :whistle:

I have doubts about that!

  • ignoreip = the IPs that will be ignored... no?

[quote="loreleil"]Hi,

  • What I wanted you to grasp is that (for example) the maxretry for ssh could profitably be brought down to 1... for instance!
    [/quote]
    Ah well, ssh I've covered with a fixed IP, so it's not at risk, but the idea is good.

ii fail2ban 0.8.4-3+squeeze1 bans IPs that cause multiple authentication errors

Isn't 1 hour enough?

[quote="loreleil"]I have doubts about that!

  • ignoreip = the IPs that will be ignored... no?[/quote]
    So I'll keep the line; if I remove it and the local network gets banned, nothing works any more!
    Maybe you meant something other than deleting that line?

Otherwise, what do I do to solve the problem?
Because I don't really see what to do for now???

[quote="loreleil"]I have doubts about that![/quote]
+1
Might it be worth running the test with the general parameters lines commented out?

Well, removed or not, original file or not: no change.
To clear up any doubt, I do mean:

bantime  = 600
maxretry = 3

I also ran a test on the Postfix log.

# fail2ban-regex /var/log/postfix.log /etc/fail2ban/filter.d/sasl.conf
/usr/share/fail2ban/server/filter.py:442: DeprecationWarning: the md5 module is deprecated; use hashlib instead
  import md5

Running tests
=============

Use regex file : /etc/fail2ban/filter.d/sasl.conf
Use log file   : /var/log/postfix.log


Results
=======

Failregex
|- Regular expressions:
|  [1] (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+/]*={0,2})?$
|
`- Number of matches:
   [1] 0 match(es)

Ignoreregex
|- Regular expressions:
|
`- Number of matches:

Summary
=======

Sorry, no match

Look at the above section 'Running tests' which could contain important
information.

It's simply that fail2ban doesn't have an appropriate rule... :snooty:
Any idea?

Hi,

I can only advise you to install the Wheezy version! :wink:

[code]# acp fail2ban
fail2ban:
Installé : 0.8.6-3
Candidat : 0.8.6-3
Packages
*** 0.8.6-3 0
90 http://ftp.fr.debian.org/debian/ wheezy/main i386

[/code]

[code]# fail2ban-regex /var/log/postfix.log /etc/fail2ban/filter.d/sasl.conf

Running tests
=============

Use regex file : /etc/fail2ban/filter.d/sasl.conf
Use single line: /var/log/postfix.log


Results
=======

Failregex
|- Regular expressions:
|  [1] (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$
|
`- Number of matches:
   [1] 0 match(es)

Ignoreregex
|- Regular expressions:
|
`- Number of matches:

Summary
=======

Sorry, no match

Look at the above section 'Running tests' which could contain important
information.
#[/code]

Thanks for your reply.
Well, I removed fail2ban with a

but the config files were still there, so I deleted the config files in /etc/fail2ban by hand
and reinstalled.
So I haven't touched anything.
And ran a test: small surprise!

Cannot remove regular expression. Index 0 is not valid
No 'host' group in '/etc/fail2ban/filter.d/sasl.conf'
Cannot remove regular expression. Index 0 is not valid
No 'host' group in '/etc/fail2ban/filter.d/sasl.conf'
Cannot remove regular expression. Index 0 is not valid
No 'host' group in '/etc/fail2ban/filter.d/sasl.conf'
Cannot remove regular expression. Index 0 is not valid
No 'host' group in '/etc/fail2ban/filter.d/sasl.conf'
Cannot remove regular expression. Index 0 is not valid
No 'host' group in '/etc/fail2ban/filter.d/sasl.conf'
Cannot remove regular expression. Index 0 is not valid
No 'host' group in '/etc/fail2ban/filter.d/sasl.conf'
Cannot remove regular expression. Index 0 is not valid

Results
=======

Failregex
|- Regular expressions:
|  [1] /etc/fail2ban/filter.d/sasl.conf
|
`- Number of matches:
   [1] 0 match(es)

Ignoreregex
|- Regular expressions:
|
`- Number of matches:

Summary
=======

Sorry, no match

Look at the above section 'Running tests' which could contain important
information.

I cut out the identical lines...

I wanted to try the version from testing, but it needs sensitive packages updated, so not possible. ??

Thanks for your help,

To remove completely with aptitude, I've noticed several times that it's more thorough done in two steps:

aptitude remove paquet

aptitude purge paquet

:017

[quote="ricardo"]To remove completely with aptitude, I've noticed several times that it's more thorough done in two steps:

aptitude remove paquet

aptitude purge paquet

:017[/quote]
In principle that's identical, or else the man page lied to me?
Otherwise, no ideas?

Otherwise I'll get rid of it and code something myself, because this thing looks like an overengineered contraption. Oddly, it has a good reputation though??

Hello, it's the regular expression that's wrong:

Try:

fail2ban-regex /var/log/ton_fichier.log "(?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+]*)?"

[quote="panthere"]I removed fail2ban
[/quote]
No! You shouldn't have!!! :013

# aptitude install fail2ban
  • From there, make your own changes (followed by a restart)

  • And only afterwards, install the Wheezy version!!!

# aptitude -t wheezy install fail2ban

During this upgrade you will be asked (from memory) whether you accept the new configuration files the package author puts in place.

  • I accept!! A .hold file will systematically be created.

  • Once that's done, you just have to adapt (copy/paste) your old configs into your jail.conf

* edit *

[quote="ricardo"]To remove completely with aptitude, I've noticed several times that it's more thorough done in two steps:

aptitude remove paquet

aptitude purge paquet

:017[/quote]

# aptitude remove --purge <le_paquet>

Followed by...

  • Just to see...
# aptitude search ~c
  • Just to confirm...
# aptitude purge ~c

* edit_1 *

[quote="fluo"]Hello, it's the regular expression that's wrong:

Try:

fail2ban-regex /var/log/ton_fichier.log "(?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+]*)?" [/quote]

?

Pardon?... :033

Thanks for your replies.

loreleil: fail2ban from Wheezy!

# aptitude -t wheezy install  fail2ban
Les NOUVEAUX paquets suivants vont être installés : 
  gamin{a} libffi5{a} libgamin0{a} multiarch-support{a} python-gamin{a} 
Les paquets suivants seront mis à jour : 
  fail2ban libc-bin libc6 libglib2.0-0 libpcre3 locales 
6 paquets mis à jour, 5 nouvellement installés, 0 à enlever et 514 non mis à jour.
Il est nécessaire de télécharger 13.3 Mo d'archives. Après dépaquetage, 5'608 ko seront utilisés.
Les paquets suivants ont des dépendances non satisfaites :
  libglib2.0-dev: Dépend: libglib2.0-0 (= 2.24.2-1) mais 2.33.12+really2.32.4-3 doit être installé.
  libc-dev-bin: Dépend: libc6 (< 2.12) mais 2.13-35 doit être installé.
  libc6-i686: Pré-Dépend: libc6 (= 2.11.3-4) mais 2.13-35 doit être installé.
  libc6-amd64: Dépend: libc6 (= 2.11.3-4) mais 2.13-35 doit être installé.
  libc6-dev: Dépend: libc6 (= 2.11.3-4) mais 2.13-35 doit être installé.
Les actions suivantes permettront de résoudre ces dépendances :

      Supprimer les paquets suivants :                       
1)      build-essential                                      
2)      g++                                                  
3)      g++-4.4                                              
4)      gccxml                                               
5)      kernel-package                                       
6)      lib64gcc1                                            
7)      lib64gcc1-dbg                                        
8)      lib64stdc++6                                         
9)      lib64stdc++6-4.4-dbg                                 
10)     libaa1-dev                                           
11)     libartsc0-dev                                        
12)     libasound2-dev                                       
13)     libaudiofile-dev                                     
14)     libboost-date-time1.42-dev                           
15)     libboost-filesystem1.42-dev                          
16)     libboost-graph-parallel1.42-dev                      
17)     libboost-graph1.42-dev                               
18)     libboost-iostreams1.42-dev                           
19)     libboost-math1.42-dev                                
20)     libboost-mpi-python1.42-dev                          
21)     libboost-mpi1.42-dev                                 
22)     libboost-program-options1.42-dev                     
23)     libboost-python1.42-dev                              
24)     libboost-regex1.42-dev                               
25)     libboost-serialization1.42-dev                       
26)     libboost-signals1.42-dev                             
27)     libboost-system1.42-dev                              
28)     libboost-test1.42-dev                                
29)     libboost-thread1.42-dev                              
30)     libboost-wave1.42-dev                                
31)     libboost1.42-all-dev                                 
32)     libboost1.42-dev                                     
33)     libc-dev-bin                                         
34)     libc6-amd64                                          
35)     libc6-dev                                            
36)     libc6-i686                                           
37)     libcaca-dev                                          
38)     libdevil-dev                                         
39)     libdirectfb-dev                                      
40)     libesd0-dev                                          
41)     libfreetype6-dev                                     
42)     libgl1-mesa-dev                                      
43)     libglew1.5-dev                                       
44)     libglib2.0-dev                                       
45)     libglu1-mesa-dev                                     
46)     libicu-dev                                           
47)     libjpeg62-dev                                        
48)     libncurses5-dev                                      
49)     libpng12-dev                                         
50)     libpulse-dev                                         
51)     libsdl1.2-dev                                        
52)     libslang2-dev                                        
53)     libssl-dev                                           
54)     libstdc++6-4.4-dev                                   
55)     libtiff4-dev                                         
56)     python-dev                                           
57)     python2.6-dev                                        
58)     zlib1g-dev                                           

      Laisser les dépendances suivantes non satisfaites :    
59)     dpkg-dev recommande build-essential                  
60)     gcc-4.3 recommande libc6-dev (>= 2.5)                
61)     gcc-4.4 recommande libc6-dev (>= 2.5)                
62)     gcc recommande libc6-dev | libc-dev                  
63)     linux-image-2.6.32-5-686-bigmem recommande libc6-i686
64)     linux-source-2.6.32 recommande libc6-dev | libc-dev  
65)     python2.6-dev recommande libc6-dev | libc-dev        
66)     libc6 recommande libc6-i686  

No preferences file! Note that here you can clearly see it touches libc... not good and not possible! I'll stay with the stable version, unless there's a preferences file that fits well and doesn't touch libc!

fluo:

It looks like that's where it comes from.

# fail2ban-regex /var/log/postfix.log "(?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+]*)?"
/usr/share/fail2ban/server/filter.py:442: DeprecationWarning: the md5 module is deprecated; use hashlib instead
  import md5

Running tests
=============

Use regex line : (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|P...
Use log file   : /var/log/postfix.log


Results
=======

Failregex
|- Regular expressions:
|  [1] (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+]*)?
|
`- Number of matches:
   [1] 4165 match(es)

Ignoreregex
|- Regular expressions:
|
`- Number of matches:

Summary
=======

Addresses found:
[1]
[couper]
    96.44.189.217 (Tue Nov 13 06:39:51 2012)

Date template hits:
28554 hit(s): MONTH Day Hour:Minute:Second
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
0 hit(s): Year/Month/Day Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/MONTH/Year:Hour:Minute:Second
0 hit(s): Month/Day/Year:Hour:Minute:Second
0 hit(s): Year-Month-Day Hour:Minute:Second
0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
0 hit(s): Day-Month-Year Hour:Minute:Second
0 hit(s): TAI64N
0 hit(s): Epoch
0 hit(s): ISO 8601
0 hit(s): Hour:Minute:Second
0 hit(s): <Month/Day/Year@Hour:Minute:Second>

Success, the total number of match is 4165

However, look at the above section 'Running tests' which could contain important

So I need to put this rule somewhere?
Is there a specific place where I should do it, or is editing the config file the clean way?

/etc/fail2ban/filter.d/sasl.conf

Thanks for the help :slightly_smiling:

Hello panthere,

Before anything else, you need the Squeeze version of fail2ban to be installed!!!

And only afterwards install the higher version, i.e. Wheezy!!!

[quote="loreleil"]Hello panthere,

Before anything else, you need the Squeeze version of fail2ban to be installed!!!

And only afterwards install the higher version, i.e. Wheezy!!![/quote]

That's what I did:

# dpkg -l |grep fail2ban
ii  fail2ban                                 0.8.4-3+squeeze1               bans IPs that cause multiple authentication errors

After that, it's the same result as in the post quoted above.

Hi,

[quote="panthere"][quote="loreleil"]Hello panthere,

Before anything else, you need the Squeeze version of fail2ban to be installed!!!

And only afterwards install the higher version, i.e. Wheezy!!![/quote]

That's what I did:

# dpkg -l |grep fail2ban
ii  fail2ban                                 0.8.4-3+squeeze1               bans IPs that cause multiple authentication errors

After that, it's the same result as in the post quoted above.[/quote]

In that case, and in full knowledge of the facts, you know what's left for you to do... as per "preferences" :wink: and more if you get along... :laughing:

Tu ne dois pas toucher au fichier /etc/fail2ban/fail2ban.conf car fail2ban utilise les règles de banissements
du fichier /etc/fail2ban/jail.local.

Mais comme /etc/fail2ban/jail.local n’existe pas, tu dois te servir du modèle /etc/fail2ban/jail.conf, càd :

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Et dans ce fichier /etc/fail2ban/jail.local, il y a déjà des règles pour les logiciels populaires (apache,
postfix, vsftpd…) pour te faciliter la vie, et il y a même une section sasl :

enabled  = false
port     = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter   = sasl
# You might consider monitoring /var/log/warn.log instead
# if you are running postfix. See http://bugs.debian.org/507990
logpath  = /var/log/mail.log

And in your case you add the rule, which gives:

enabled  = false
port     = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter   = sasl
# You might consider monitoring /var/log/warn.log instead
# if you are running postfix. See http://bugs.debian.org/507990
logpath  = /var/log/mail.log
failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+/]*={0,2})?

Then you restart:

/etc/init.d/fail2ban restart

Source: /usr/share/doc/fail2ban/README.Debian.gz

Hello,

Well, I did everything fluo indicated,
except that the postfix path is not the same??
I replaced
logpath = /var/log/mail.log
with
logpath = /var/log/postfix.log

Here is the configuration file, cat /etc/fail2ban/jail.local

# Fail2Ban configuration file.
#
# This file was composed for Debian systems from the original one
#  provided now under /usr/share/doc/fail2ban/examples/jail.conf
#  for additional examples.
#
# To avoid merges during upgrades DO NOT MODIFY THIS FILE
# and rather provide your changes in /etc/fail2ban/jail.local
#
# Author: Yaroslav O. Halchenko <debian@onerussian.com>
#
# $Revision: 281 $
#

# The DEFAULT allows a global definition of the options. They can be override
# in each jail afterwards.

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1
bantime  = 600
maxretry = 3

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto".
# yoh: For some reason Debian shipped python-gamin didn't work as expected
#      This issue left ToDo, so polling is default backend for now
backend = polling

#
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = root@localhost

#
# ACTIONS
#

# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define 
# action_* variables. Can be overriden globally or per 
# section within jail.local file
banaction = iptables-multiport

# email action. Since 0.8.1 upstream fail2ban uses sendmail
# MTA for the mailing. Change mta configuration parameter to mail
# if you want to revert to conventional 'mail'.
mta = sendmail

# Default protocol
protocol = tcp

#
# Action shortcuts. To be used to define action parameter

# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s]

# ban & send an e-mail with whois report to the destemail.
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s]
              %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s]

# ban & send an e-mail with whois report and relevant log lines
# to the destemail.
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s]
               %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s]
 
# Choose default action.  To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g.  action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section 
action = %(action_)s

#
# JAILS
#

# Next jails corresponds to the standard configuration in Fail2ban 0.6 which
# was shipped in Debian. Enable any defined here jail by including
#
# [SECTION_NAME] 
# enabled = true

#
# in /etc/fail2ban/jail.local.
#
# Optionally you may override any other parameter (e.g. banaction,
# action, port, logpath, etc) in that section within jail.local

[ssh]

enabled = false
port    = ssh
filter  = sshd
logpath  = /var/log/auth.log
maxretry = 6

# Generic filter for pam. Has to be used with action which bans all ports
# such as iptables-allports, shorewall
[pam-generic]

enabled = false
# pam-generic filter can be customized to monitor specific subset of 'tty's
filter  = pam-generic
# port actually must be irrelevant but lets leave it all for some possible uses
port = all
banaction = iptables-allports
port     = anyport
logpath  = /var/log/auth.log
maxretry = 6

[xinetd-fail]

enabled   = false
filter    = xinetd-fail
port      = all
banaction = iptables-multiport-log
logpath   = /var/log/daemon.log
maxretry  = 2


[ssh-ddos]

enabled = false
port    = ssh
filter  = sshd-ddos
logpath  = /var/log/auth.log
maxretry = 6

#
# HTTP servers
#

[apache]

enabled = false
port    = http,https
filter  = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 6

# default action is now multiport, so apache-multiport jail was left
# for compatibility with previous (<0.7.6-2) releases
[apache-multiport]

enabled   = false
port      = http,https
filter    = apache-auth
logpath   = /var/log/apache*/*error.log
maxretry  = 6

[apache-noscript]

enabled = false
port    = http,https
filter  = apache-noscript
logpath = /var/log/apache*/*error.log
maxretry = 6

[apache-overflows]

enabled = false
port    = http,https
filter  = apache-overflows
logpath = /var/log/apache*/*error.log
maxretry = 2

#
# FTP servers
#

[vsftpd]

enabled  = false
port     = ftp,ftp-data,ftps,ftps-data
filter   = vsftpd
logpath  = /var/log/vsftpd.log
# or overwrite it in jails.local to be
# logpath = /var/log/auth.log
# if you want to rely on PAM failed login attempts
# vsftpd's failregex should match both of those formats
maxretry = 6


[proftpd]

enabled  = false
port     = ftp,ftp-data,ftps,ftps-data
filter   = proftpd
logpath  = /var/log/proftpd/proftpd.log
maxretry = 6


[wuftpd]

enabled  = false
port     = ftp,ftp-data,ftps,ftps-data
filter   = wuftpd
logpath  = /var/log/auth.log
maxretry = 6


#
# Mail servers
#

[postfix]

enabled  = false
port     = smtp,ssmtp
filter   = postfix
logpath  = /var/log/postfix.log


[couriersmtp]

enabled  = false
port     = smtp,ssmtp
filter   = couriersmtp
logpath  = /var/log/mail.log


#
# Mail servers authenticators: might be used for smtp,ftp,imap servers, so
# all relevant ports get banned
#

[courierauth]

enabled  = false
port     = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter   = courierlogin
logpath  = /var/log/mail.log


[sasl]

enabled  = false
port     = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter   = sasl
# You might consider monitoring /var/log/warn.log instead
# if you are running postfix. See http://bugs.debian.org/507990
logpath  = /var/log/postfix.log
failregex = "(?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+]*)?"


# DNS Servers


# These jails block attacks against named (bind9). By default, logging is off
# with bind9 installation. You will need something like this:
#
# logging {
#     channel security_file {
#         file "/var/log/named/security.log" versions 3 size 30m;
#         severity dynamic;
#         print-time yes;
#     };
#     category security {
#         security_file;
#     };
# };
#
# in your named.conf to provide proper logging

# !!! WARNING !!!
#   Since UDP is connectionless protocol, spoofing of IP and immitation
#   of illegal actions is way too simple.  Thus enabling of this filter
#   might provide an easy way for implementing a DoS against a chosen
#   victim. See
#    http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
#   Please DO NOT USE this jail unless you know what you are doing.
#[named-refused-udp]
#
#enabled  = false
#port     = domain,953
#protocol = udp
#filter   = named-refused
#logpath  = /var/log/named/security.log

[named-refused-tcp]

enabled  = false
port     = domain,953
protocol = tcp
filter   = named-refused
logpath  = /var/log/named/security.log

I don't know whether this matches what is needed? :confused:

loreleil:
I wonder whether there isn't a backport of fail2ban?
I no longer remember where to go to fetch the apt repositories :005

Is there somewhere a ban would get logged? Because after restarting fail2ban the IP is not banned :017
I suppose it is in cat /var/log/fail2ban.log
but no IP is banned

Thanks for your replies
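To make fluo's [sasl] section and the jail.local panthere posted concrete, here is an added example; it is not code from the thread or from the fail2ban project. It reads a [sasl] section the way fail2ban's ConfigParser-based jail reader does, runs the failregex over constructed log lines modelled on the excerpt at the top of the thread, and applies the ban decision of the thread's [DEFAULT] (maxretry = 3, with the 600 s findtime that 0.8.x uses when jail.local sets none). It shows two things a practitioner would check first: a failregex wrapped in double quotes never matches, because the quotes become literal characters of the regex (fail2ban is Python, and its failregex is a Python regular expression, so the matching semantics here are the same), and a jail left at enabled = false bans nothing no matter how many lines match, which is why /var/log/fail2ban.log stays empty. The hostname mx, the second client 203.0.113.5 and the year 2012 are assumptions made for the sample.

```python
import configparser
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample modelled on the excerpt at the top of the thread; the
# hostname "mx" and the second client 203.0.113.5 are made up.
SAMPLE_LOG = """\
Nov 13 05:55:40 mx postfix/smtpd[20574]: connect from unknown[96.44.189.217]
Nov 13 05:55:44 mx postfix/smtpd[20578]: warning: unknown[96.44.189.217]: SASL LOGIN authentication failed: encryption needed to use mechanism
Nov 13 05:55:44 mx postfix/smtpd[20574]: warning: unknown[96.44.189.217]: SASL LOGIN authentication failed: encryption needed to use mechanism
Nov 13 05:55:45 mx postfix/smtpd[20577]: warning: unknown[96.44.189.217]: SASL LOGIN authentication failed: encryption needed to use mechanism
Nov 13 05:55:46 mx postfix/smtpd[20578]: lost connection after AUTH from unknown[96.44.189.217]
Nov 13 06:10:01 mx postfix/smtpd[20600]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed: UGFzc3dvcmQ6
"""

# The [sasl] section as posted (jail disabled, regex wrapped in double quotes)
# and a corrected one; only the keys this example reads are kept.
JAIL_AS_POSTED = r"""
[sasl]
enabled  = false
filter   = sasl
logpath  = /var/log/postfix.log
failregex = "(?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+]*)?"
"""

JAIL_FIXED = r"""
[sasl]
enabled  = true
filter   = sasl
logpath  = /var/log/postfix.log
failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+/]*={0,2})?
"""

HOST_RE = r"(?:::f{4,6}:)?(?P<host>\S+)"   # fail2ban 0.8.x expansion of <HOST>
DATE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) ")
YEAR = 2012   # syslog timestamps carry no year; assumed from the thread's date


def load_jail(text, name="sasl"):
    """Read one jail section as fail2ban's ConfigParser-based reader does.
    The failregex is None when it does not compile (a quoted regex puts the
    (?i) flag behind a literal quote, which recent Pythons reject outright;
    older ones compile it and then never match the literal quote)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    try:
        failregex = re.compile(cp.get(name, "failregex").replace("<HOST>", HOST_RE))
    except re.error:
        failregex = None
    return {"enabled": cp.getboolean(name, "enabled"), "failregex": failregex}


def find_failures(log_text, failregex):
    """Return {host: [datetime, ...]} for every line the failregex matches.
    As in fail2ban 0.8, the timestamp is cut out and the regex is searched,
    unanchored, in what remains."""
    failures = defaultdict(list)
    if failregex is None:
        return {}
    for line in log_text.splitlines():
        m = DATE_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=YEAR)
        hit = failregex.search(line[m.end():])
        if hit:
            failures[hit.group("host")].append(when)
    return dict(failures)


def hosts_to_ban(failures, maxretry=3, findtime=600):
    """A host is banned once maxretry failures fall within findtime seconds:
    the thread's [DEFAULT] maxretry with 0.8.x's default findtime."""
    window = timedelta(seconds=findtime)
    banned = set()
    for host, times in failures.items():
        times = sorted(times)
        for i in range(maxretry - 1, len(times)):
            if times[i] - times[i - maxretry + 1] <= window:
                banned.add(host)
                break
    return banned


def evaluate(jail_text, log_text=SAMPLE_LOG):
    """What the jail would do with this log: match counts and the ban list."""
    jail = load_jail(jail_text)
    failures = find_failures(log_text, jail["failregex"])
    banned = hosts_to_ban(failures) if jail["enabled"] else set()
    return {
        "enabled": jail["enabled"],
        "matches": {host: len(times) for host, times in failures.items()},
        "banned": banned,
    }


if __name__ == "__main__":
    for label, text in (("as posted", JAIL_AS_POSTED), ("fixed", JAIL_FIXED)):
        print(f"{label}: {evaluate(text)}")
```

Run as is, the section as posted reports no matches and no ban, while the fixed one reports three matches for 96.44.189.217 (banned) and one for 203.0.113.5 (below maxretry, not banned). Against the real log, `fail2ban-regex /var/log/postfix.log /etc/fail2ban/filter.d/sasl.conf` does the same match count, and `fail2ban-client status sasl` tells you whether the jail is actually running after the restart.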