Hello,
I installed fail2ban a while ago, and it worked fine until now.
I added a few rules, adapting them to what I was finding in the logs, and since then the ssh rule no longer bans anything, without any particular configuration error.
I suspect that each rule is valid on its own, but that combining them causes a problem. Is that possible?
fail2ban-client status
[code]Status
|- Number of jail:      8
`- Jail list:           apache-w00tw00t, shrunk-windows, courierauth, pam-generic, ssh-ddos, ssh, ispconfig, fail2ban
[/code]
cat /etc/fail2ban/jail.conf
[code]# Fail2Ban configuration file.

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1 109.190.XX.XX
bantime = 900
maxretry = 3
backend = polling
destemail = root@localhost

# ACTIONS
banaction = iptables-multiport
mta = sendmail
protocol = tcp
action_ = %(banaction)s[name=%(name)s, port="%(port)s", protocol="%(protocol)s"]
action_mw = %(banaction)s[name=%(name)s, port="%(port)s", protocol="%(protocol)s"]
            %(mta)s-whois[name=%(name)s, dest="%(destemail)s", protocol="%(protocol)s"]
action_mwl = %(banaction)s[name=%(name)s, port="%(port)s", protocol="%(protocol)s"]
             %(mta)s-whois-lines[name=%(name)s, dest="%(destemail)s", logpath=%(logpath)s]
action = %(action_)s

# JAILS

[shrunk-windows]
enabled = true
filter = shrunk-windows
logpath = /var/log/kern.log
port = all
banaction = iptables-allports
#port = anyport
maxretry = 1

[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3

[pam-generic]
enabled = true
filter = pam-generic
port = all
banaction = iptables-allports
port = anyport
logpath = /var/log/auth.log
maxretry = 6

[ispconfig]
enabled = true
filter = ispconfig
port = http,https,8080
logpath = /var/log/ispconfig/auth.log
maxretry = 3

[ssh-ddos]
enabled = true
port = ssh
filter = sshd-ddos
logpath = /var/log/auth.log
maxretry = 6

# HTTP servers

[apache-w00tw00t]
enabled = true
filter = apache-w00tw00t
action = iptables[name=Apache-w00tw00t,port=80,protocol=tcp]
logpath = /var/log/apache2/access.log
          /var/log/ispconfig/httpd/domain1.com/access.log
          /var/log/ispconfig/httpd/domain2.com/access.log
maxretry = 1

# Mail servers

[courierauth]
enabled = true
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter = courierlogin
logpath = /var/log/mail.log

[fail2ban]
enabled = true
filter = fail2ban
action = iptables-allports[name=fail2ban]
#        sendmail-whois[name=fail2ban]
logpath = /var/log/fail2ban.log
# findtime: 1 month
findtime = 86400
# bantime: 1 month
bantime = 86400
maxretry = 2
[/code]
cat /etc/fail2ban/filter.d/sshd.conf
[code]# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 728 $
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

_daemon = sshd

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$
            ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
            ^%(__prefix_line)sFailed (?:password|publickey) for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$
            ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
            ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers$
            ^%(__prefix_line)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
            ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
            ^%(__prefix_line)sAddress <HOST> .* POSSIBLE BREAK-IN ATTEMPT!\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
[/code]
cat /etc/fail2ban/filter.d/sshd-ddos.conf
[code]# Fail2Ban configuration file
#
# Author: Yaroslav Halchenko
#
# $Revision: 728 $
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
failregex = sshd(?:\[\d+\])?: Did not receive identification string from <HOST>$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
[/code]
Previously, ssh login attempts were banned as expected.
Not anymore:
[code]sshd:
   Authentication Failures:
      root (192.237.216.180): 219 Time(s)
      unknown (192.237.216.180): 44 Time(s)
[/code]
I haven't touched sshd.conf or ssh-ddos.conf; what I did was add the ispconfig filters and change the path to the apache logs so that the hosted domains are monitored.
And here:
[code]fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf
Success, the total number of match is 4375
[/code]
cat /var/log/fail2ban.log
2013-10-13 12:26:15,231 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.4-SVN
2013-10-13 12:26:15,800 fail2ban.filter : INFO Log rotation detected for /var/log/fail2ban.log
2013-10-13 12:26:17,685 fail2ban.filter : INFO Log rotation detected for /var/log/kern.log
2013-10-13 12:26:17,686 fail2ban.filter : INFO Log rotation detected for /var/log/auth.log
2013-10-13 12:26:17,688 fail2ban.filter : INFO Log rotation detected for /var/log/mail.log
2013-10-13 12:26:17,804 fail2ban.filter : INFO Log rotation detected for /var/log/auth.log
2013-10-13 12:26:17,846 fail2ban.filter : INFO Log rotation detected for /var/log/auth.log
2013-10-13 12:26:20,809 fail2ban.filter : INFO Log rotation detected for /var/log/auth.log
2013-10-13 12:26:20,850 fail2ban.filter : INFO Log rotation detected for /var/log/auth.log
2013-10-13 12:26:21,690 fail2ban.filter : INFO Log rotation detected for /var/log/auth.log
2013-10-13 12:30:02,821 fail2ban.filter : INFO Log rotation detected for /var/log/apache2/access.log
2013-10-13 12:30:02,927 fail2ban.filter : INFO Log rotation detected for /var/log/mail.log
2013-10-13 14:52:29,686 fail2ban.jail : INFO Jail 'apache-w00tw00t' stopped
2013-10-13 14:52:30,534 fail2ban.jail : INFO Jail 'shrunk-windows' stopped
2013-10-13 14:52:31,011 fail2ban.jail : INFO Jail 'courierauth' stopped
2013-10-13 14:52:31,931 fail2ban.jail : INFO Jail 'pam-generic' stopped
2013-10-13 14:52:32,909 fail2ban.jail : INFO Jail 'ssh-ddos' stopped
2013-10-13 14:52:33,850 fail2ban.jail : INFO Jail 'ssh' stopped
2013-10-13 14:52:34,857 fail2ban.jail : INFO Jail 'ispconfig' stopped
2013-10-13 14:52:35,676 fail2ban.jail : INFO Jail 'fail2ban' stopped
2013-10-13 14:52:35,678 fail2ban.server : INFO Exiting Fail2ban
2013-10-13 14:52:36,681 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.4-SVN
2013-10-13 14:52:36,683 fail2ban.jail : INFO Creating new jail 'apache-w00tw00t'
2013-10-13 14:52:36,683 fail2ban.jail : INFO Jail 'apache-w00tw00t' uses poller
2013-10-13 14:52:36,759 fail2ban.filter : INFO Added logfile = /var/log/apache2/access.log
2013-10-13 14:52:36,761 fail2ban.filter : INFO Added logfile = /var/log/ispconfig/httpd/domain1.com/access.log
2013-10-13 14:52:36,763 fail2ban.filter : INFO Added logfile = /var/log/ispconfig/httpd/domain2.com/access.log
2013-10-13 14:52:36,765 fail2ban.filter : INFO Set maxRetry = 1
2013-10-13 14:52:36,770 fail2ban.filter : INFO Set findtime = 600
2013-10-13 14:52:36,772 fail2ban.actions: INFO Set banTime = 900
2013-10-13 14:52:36,794 fail2ban.jail : INFO Creating new jail 'shrunk-windows'
2013-10-13 14:52:36,794 fail2ban.jail : INFO Jail 'shrunk-windows' uses poller
2013-10-13 14:52:36,797 fail2ban.filter : INFO Added logfile = /var/log/kern.log
2013-10-13 14:52:36,799 fail2ban.filter : INFO Set maxRetry = 1
2013-10-13 14:52:36,803 fail2ban.filter : INFO Set findtime = 600
2013-10-13 14:52:36,805 fail2ban.actions: INFO Set banTime = 900
2013-10-13 14:52:36,825 fail2ban.jail : INFO Creating new jail 'pam-generic'
2013-10-13 14:52:36,825 fail2ban.jail : INFO Jail 'pam-generic' uses poller
2013-10-13 14:52:36,828 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2013-10-13 14:52:36,830 fail2ban.filter : INFO Set maxRetry = 6
2013-10-13 14:52:36,834 fail2ban.filter : INFO Set findtime = 600
2013-10-13 14:52:36,836 fail2ban.actions: INFO Set banTime = 900
2013-10-13 14:52:36,863 fail2ban.jail : INFO Creating new jail 'fail2ban'
2013-10-13 14:52:36,863 fail2ban.jail : INFO Jail 'fail2ban' uses poller
2013-10-13 14:52:36,867 fail2ban.filter : INFO Added logfile = /var/log/fail2ban.log
2013-10-13 14:52:36,869 fail2ban.filter : INFO Set maxRetry = 2
2013-10-13 14:52:36,873 fail2ban.filter : INFO Set findtime = 86400
2013-10-13 14:52:36,875 fail2ban.actions: INFO Set banTime = 86400
2013-10-13 14:52:36,894 fail2ban.jail : INFO Creating new jail 'ssh-ddos'
2013-10-13 14:52:36,895 fail2ban.jail : INFO Jail 'ssh-ddos' uses poller
2013-10-13 14:52:36,897 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2013-10-13 14:52:36,900 fail2ban.filter : INFO Set maxRetry = 6
2013-10-13 14:52:36,904 fail2ban.filter : INFO Set findtime = 600
2013-10-13 14:52:36,906 fail2ban.actions: INFO Set banTime = 900
2013-10-13 14:52:36,924 fail2ban.jail : INFO Creating new jail 'ssh'
2013-10-13 14:52:36,924 fail2ban.jail : INFO Jail 'ssh' uses poller
2013-10-13 14:52:36,928 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2013-10-13 14:52:36,929 fail2ban.filter : INFO Set maxRetry = 3
2013-10-13 14:52:36,934 fail2ban.filter : INFO Set findtime = 600
2013-10-13 14:52:36,939 fail2ban.actions: INFO Set banTime = 900
2013-10-13 14:52:37,115 fail2ban.jail : INFO Creating new jail 'courierauth'
2013-10-13 14:52:37,116 fail2ban.jail : INFO Jail 'courierauth' uses poller
2013-10-13 14:52:37,119 fail2ban.filter : INFO Added logfile = /var/log/mail.log
2013-10-13 14:52:37,120 fail2ban.filter : INFO Set maxRetry = 3
2013-10-13 14:52:37,125 fail2ban.filter : INFO Set findtime = 600
2013-10-13 14:52:37,127 fail2ban.actions: INFO Set banTime = 900
2013-10-13 14:52:37,144 fail2ban.jail : INFO Creating new jail 'ispconfig'
2013-10-13 14:52:37,144 fail2ban.jail : INFO Jail 'ispconfig' uses poller
2013-10-13 14:52:37,148 fail2ban.filter : INFO Added logfile = /var/log/ispconfig/auth.log
2013-10-13 14:52:37,150 fail2ban.filter : INFO Set maxRetry = 3
2013-10-13 14:52:37,155 fail2ban.filter : INFO Set findtime = 600
2013-10-13 14:52:37,157 fail2ban.actions: INFO Set banTime = 900
2013-10-13 14:52:37,175 fail2ban.jail : INFO Jail 'apache-w00tw00t' started
2013-10-13 14:52:37,184 fail2ban.jail : INFO Jail 'shrunk-windows' started
2013-10-13 14:52:37,188 fail2ban.jail : INFO Jail 'pam-generic' started
2013-10-13 14:52:37,203 fail2ban.jail : INFO Jail 'fail2ban' started
2013-10-13 14:52:37,214 fail2ban.jail : INFO Jail 'ssh-ddos' started
2013-10-13 14:52:37,219 fail2ban.jail : INFO Jail 'ssh' started
2013-10-13 14:52:37,223 fail2ban.jail : INFO Jail 'courierauth' started
2013-10-13 14:52:37,232 fail2ban.jail : INFO Jail 'ispconfig' started
fail2ban-client status ssh
[code]Status for the jail: ssh
|- filter
|  |- File list:        /var/log/auth.log
|  |- Currently failed: 0
|  `- Total failed:     0
`- action
   |- Currently banned: 0
   |  `- IP list:
   `- Total banned:     0
[/code]
So if you have any leads, I would of course be glad to hear them.
Thanks in advance.
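As an added example, not part of the post above: a small Python model of how the [ssh] jail counts failures (maxretry = 3 and findtime = 600, as logged), run over constructed auth.log lines. It separates what fail2ban-regex reports (every line a failregex matches anywhere in the file) from what the modelled jail retains (only matches timestamped within findtime of the scan time), which is one reason those two numbers can disagree; the syslog prefix, hostname and addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Settings logged for the [ssh] jail: "Set maxRetry = 3", "Set findtime = 600".
MAXRETRY = 3
FINDTIME = 600  # seconds
# Two of the posted sshd.conf failregex entries, <HOST> expanded to the alias that
# file documents; __prefix_line is approximated (assumption) as a syslog prefix.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"
PREFIX = r"^(?P<ts>\w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
FAILREGEX = [
    re.compile(PREFIX + r"Failed (?:password|publickey) for .* from " + HOST
               + r"(?: port \d*)?(?: ssh\d*)?$"),
    re.compile(PREFIX + r"[iI](?:llegal|nvalid) user .* from " + HOST + r"\s*$"),
]

def parse_ts(ts, year):
    # Syslog timestamps carry no year; fail2ban assumes the current one.
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S").timestamp()
def scan(lines, now, year=2013):
    # matched: all failregex hits (fail2ban-regex's count). counted: hits within
    # findtime of `now`, i.e. "Total failed". banned: maxretry hits in one window.
    matched = counted = 0
    hits = defaultdict(list)  # host -> epoch seconds of its recent failures
    banned = []
    for line in lines:
        m = next(filter(None, (rx.search(line) for rx in FAILREGEX)), None)
        if not m:
            continue
        matched += 1
        t = parse_ts(m.group("ts"), year)
        if t < now - FINDTIME:
            continue  # too old: counted by fail2ban-regex, ignored by the jail
        counted += 1
        host = m.group("host")
        hits[host] = [x for x in hits[host] if x >= t - FINDTIME] + [t]
        if len(hits[host]) >= MAXRETRY and host not in banned:
            banned.append(host)
    return matched, counted, banned
# Constructed auth.log lines (documentation IPs, not the post's real addresses).
LOG = """\
Oct 13 12:10:01 srv sshd[2201]: Failed password for root from 198.51.100.7 port 51234 ssh2
Oct 13 12:10:05 srv sshd[2201]: Failed password for root from 198.51.100.7 port 51234 ssh2
Oct 13 14:55:01 srv sshd[3310]: Invalid user admin from 203.0.113.9
Oct 13 14:55:04 srv sshd[3310]: Failed password for invalid user admin from 203.0.113.9 port 40022 ssh2
Oct 13 14:55:08 srv sshd[3311]: Failed password for root from 203.0.113.9 port 40023 ssh2
Oct 13 14:58:00 srv sshd[3320]: Accepted publickey for deploy from 192.0.2.5 port 22 ssh2
""".splitlines()
NOW = parse_ts("Oct 13 15:00:00", 2013)  # scan time, shortly after the 14:52 restart
```

Running `scan(LOG, NOW)` gives 5 matches but only 3 counted failures and one banned host; move `now` an hour later and the same file yields 5 matches and nothing counted, the same shape as a large fail2ban-regex count beside a jail reporting zero.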