fail2ban: overlapping rules?

Hello,
I installed fail2ban a while ago and it worked fine until now.

I added a few rules, adapting them to what I was finding in the logs, and since then the ssh rule no longer bans anything, without any particular configuration error.
I suspect that each rule is valid on its own but that combining them causes a problem. Is that possible?

fail2ban-client status

[code]Status
|- Number of jail:      8
`- Jail list:           apache-w00tw00t, shrunk-windows, courierauth, pam-generic, ssh-ddos, ssh, ispconfig, fail2ban
[/code]

cat /etc/fail2ban/jail.conf

[code]# Fail2Ban configuration file.

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1 109.190.XX.XX
bantime = 900
maxretry = 3

backend = polling

destemail = root@localhost

# ACTIONS

banaction = iptables-multiport

mta = sendmail

protocol = tcp

action_ = %(banaction)s[name=%(name)s, port="%(port)s", protocol="%(protocol)s"]

action_mw = %(banaction)s[name=%(name)s, port="%(port)s", protocol="%(protocol)s"]
            %(mta)s-whois[name=%(name)s, dest="%(destemail)s", protocol="%(protocol)s"]

action_mwl = %(banaction)s[name=%(name)s, port="%(port)s", protocol="%(protocol)s"]
             %(mta)s-whois-lines[name=%(name)s, dest="%(destemail)s", logpath=%(logpath)s]

action = %(action_)s

# JAILS

[shrunk-windows]

enabled = true
filter = shrunk-windows
logpath = /var/log/kern.log
port = all
banaction = iptables-allports
#port = anyport
maxretry = 1

[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3

[pam-generic]
enabled = true
filter = pam-generic
port = all
banaction = iptables-allports
port = anyport
logpath = /var/log/auth.log
maxretry = 6

[ispconfig]
enabled = true
filter = ispconfig
port = http,https,8080
logpath = /var/log/ispconfig/auth.log
maxretry = 3

[ssh-ddos]
enabled = true
port = ssh
filter = sshd-ddos
logpath = /var/log/auth.log
maxretry = 6

# HTTP servers

[apache-w00tw00t]
enabled = true
filter = apache-w00tw00t
action = iptables[name=Apache-w00tw00t,port=80,protocol=tcp]
logpath = /var/log/apache2/access.log
          /var/log/ispconfig/httpd/domain1.com/access.log
          /var/log/ispconfig/httpd/domain2.com/access.log
maxretry = 1

# Mail servers

[courierauth]
enabled = true
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter = courierlogin
logpath = /var/log/mail.log

[fail2ban]
enabled = true
filter = fail2ban
action = iptables-allports[name=fail2ban]
         #sendmail-whois[name=fail2ban]
logpath = /var/log/fail2ban.log

# findtime: 1 month
findtime = 86400

# bantime: 1 month
bantime = 86400
maxretry = 2

[/code]

cat /etc/fail2ban/filter.d/sshd.conf

[code]# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 728 $
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

_daemon = sshd

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$
            ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
            ^%(__prefix_line)sFailed (?:password|publickey) for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$
            ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
            ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers$
            ^%(__prefix_line)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
            ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
            ^%(__prefix_line)sAddress <HOST> .* POSSIBLE BREAK-IN ATTEMPT!\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
[/code]

cat /etc/fail2ban/filter.d/sshd-ddos.conf

[code]# Fail2Ban configuration file
#
# Author: Yaroslav Halchenko
#
# $Revision: 728 $
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
failregex = sshd(?:\[\d+\])?: Did not receive identification string from <HOST>$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
[/code]

Previously, SSH login attempts were indeed being banned.
Not any more:

[code]sshd:
Authentication Failures:
root (192.237.216.180): 219 Time(s)
unknown (192.237.216.180): 44 Time(s)
[/code]

I haven't touched sshd.conf or ssh-ddos.conf; what I did do was add the ispconfig filters and change the path to the apache logs so that the hosted domains are monitored.

And here:
fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf

Success, the total number of match is 4375

cat /var/log/fail2ban.log

[code]2013-10-13 12:26:15,231 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.4-SVN
2013-10-13 12:26:15,800 fail2ban.filter : INFO Log rotation detected for /var/log/fail2ban.log
2013-10-13 12:26:17,685 fail2ban.filter : INFO Log rotation detected for /var/log/kern.log
2013-10-13 12:26:17,686 fail2ban.filter : INFO Log rotation detected for /var/log/auth.log
2013-10-13 12:26:17,688 fail2ban.filter : INFO Log rotation detected for /var/log/mail.log
2013-10-13 12:26:17,804 fail2ban.filter : INFO Log rotation detected for /var/log/auth.log
2013-10-13 12:26:17,846 fail2ban.filter : INFO Log rotation detected for /var/log/auth.log
2013-10-13 12:26:20,809 fail2ban.filter : INFO Log rotation detected for /var/log/auth.log
2013-10-13 12:26:20,850 fail2ban.filter : INFO Log rotation detected for /var/log/auth.log
2013-10-13 12:26:21,690 fail2ban.filter : INFO Log rotation detected for /var/log/auth.log
2013-10-13 12:30:02,821 fail2ban.filter : INFO Log rotation detected for /var/log/apache2/access.log
2013-10-13 12:30:02,927 fail2ban.filter : INFO Log rotation detected for /var/log/mail.log
2013-10-13 14:52:29,686 fail2ban.jail : INFO Jail 'apache-w00tw00t' stopped
2013-10-13 14:52:30,534 fail2ban.jail : INFO Jail 'shrunk-windows' stopped
2013-10-13 14:52:31,011 fail2ban.jail : INFO Jail 'courierauth' stopped
2013-10-13 14:52:31,931 fail2ban.jail : INFO Jail 'pam-generic' stopped
2013-10-13 14:52:32,909 fail2ban.jail : INFO Jail 'ssh-ddos' stopped
2013-10-13 14:52:33,850 fail2ban.jail : INFO Jail 'ssh' stopped
2013-10-13 14:52:34,857 fail2ban.jail : INFO Jail 'ispconfig' stopped
2013-10-13 14:52:35,676 fail2ban.jail : INFO Jail 'fail2ban' stopped
2013-10-13 14:52:35,678 fail2ban.server : INFO Exiting Fail2ban
2013-10-13 14:52:36,681 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.4-SVN
2013-10-13 14:52:36,683 fail2ban.jail : INFO Creating new jail 'apache-w00tw00t'
2013-10-13 14:52:36,683 fail2ban.jail : INFO Jail 'apache-w00tw00t' uses poller
2013-10-13 14:52:36,759 fail2ban.filter : INFO Added logfile = /var/log/apache2/access.log
2013-10-13 14:52:36,761 fail2ban.filter : INFO Added logfile = /var/log/ispconfig/httpd/domain1.com/access.log
2013-10-13 14:52:36,763 fail2ban.filter : INFO Added logfile = /var/log/ispconfig/httpd/domain2.com/access.log
2013-10-13 14:52:36,765 fail2ban.filter : INFO Set maxRetry = 1
2013-10-13 14:52:36,770 fail2ban.filter : INFO Set findtime = 600
2013-10-13 14:52:36,772 fail2ban.actions: INFO Set banTime = 900
2013-10-13 14:52:36,794 fail2ban.jail : INFO Creating new jail 'shrunk-windows'
2013-10-13 14:52:36,794 fail2ban.jail : INFO Jail 'shrunk-windows' uses poller
2013-10-13 14:52:36,797 fail2ban.filter : INFO Added logfile = /var/log/kern.log
2013-10-13 14:52:36,799 fail2ban.filter : INFO Set maxRetry = 1
2013-10-13 14:52:36,803 fail2ban.filter : INFO Set findtime = 600
2013-10-13 14:52:36,805 fail2ban.actions: INFO Set banTime = 900
2013-10-13 14:52:36,825 fail2ban.jail : INFO Creating new jail 'pam-generic'
2013-10-13 14:52:36,825 fail2ban.jail : INFO Jail 'pam-generic' uses poller
2013-10-13 14:52:36,828 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2013-10-13 14:52:36,830 fail2ban.filter : INFO Set maxRetry = 6
2013-10-13 14:52:36,834 fail2ban.filter : INFO Set findtime = 600
2013-10-13 14:52:36,836 fail2ban.actions: INFO Set banTime = 900
2013-10-13 14:52:36,863 fail2ban.jail : INFO Creating new jail 'fail2ban'
2013-10-13 14:52:36,863 fail2ban.jail : INFO Jail 'fail2ban' uses poller
2013-10-13 14:52:36,867 fail2ban.filter : INFO Added logfile = /var/log/fail2ban.log
2013-10-13 14:52:36,869 fail2ban.filter : INFO Set maxRetry = 2
2013-10-13 14:52:36,873 fail2ban.filter : INFO Set findtime = 86400
2013-10-13 14:52:36,875 fail2ban.actions: INFO Set banTime = 86400
2013-10-13 14:52:36,894 fail2ban.jail : INFO Creating new jail 'ssh-ddos'
2013-10-13 14:52:36,895 fail2ban.jail : INFO Jail 'ssh-ddos' uses poller
2013-10-13 14:52:36,897 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2013-10-13 14:52:36,900 fail2ban.filter : INFO Set maxRetry = 6
2013-10-13 14:52:36,904 fail2ban.filter : INFO Set findtime = 600
2013-10-13 14:52:36,906 fail2ban.actions: INFO Set banTime = 900
2013-10-13 14:52:36,924 fail2ban.jail : INFO Creating new jail 'ssh'
2013-10-13 14:52:36,924 fail2ban.jail : INFO Jail 'ssh' uses poller
2013-10-13 14:52:36,928 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2013-10-13 14:52:36,929 fail2ban.filter : INFO Set maxRetry = 3
2013-10-13 14:52:36,934 fail2ban.filter : INFO Set findtime = 600
2013-10-13 14:52:36,939 fail2ban.actions: INFO Set banTime = 900
2013-10-13 14:52:37,115 fail2ban.jail : INFO Creating new jail 'courierauth'
2013-10-13 14:52:37,116 fail2ban.jail : INFO Jail 'courierauth' uses poller
2013-10-13 14:52:37,119 fail2ban.filter : INFO Added logfile = /var/log/mail.log
2013-10-13 14:52:37,120 fail2ban.filter : INFO Set maxRetry = 3
2013-10-13 14:52:37,125 fail2ban.filter : INFO Set findtime = 600
2013-10-13 14:52:37,127 fail2ban.actions: INFO Set banTime = 900
2013-10-13 14:52:37,144 fail2ban.jail : INFO Creating new jail 'ispconfig'
2013-10-13 14:52:37,144 fail2ban.jail : INFO Jail 'ispconfig' uses poller
2013-10-13 14:52:37,148 fail2ban.filter : INFO Added logfile = /var/log/ispconfig/auth.log
2013-10-13 14:52:37,150 fail2ban.filter : INFO Set maxRetry = 3
2013-10-13 14:52:37,155 fail2ban.filter : INFO Set findtime = 600
2013-10-13 14:52:37,157 fail2ban.actions: INFO Set banTime = 900
2013-10-13 14:52:37,175 fail2ban.jail : INFO Jail 'apache-w00tw00t' started
2013-10-13 14:52:37,184 fail2ban.jail : INFO Jail 'shrunk-windows' started
2013-10-13 14:52:37,188 fail2ban.jail : INFO Jail 'pam-generic' started
2013-10-13 14:52:37,203 fail2ban.jail : INFO Jail 'fail2ban' started
2013-10-13 14:52:37,214 fail2ban.jail : INFO Jail 'ssh-ddos' started
2013-10-13 14:52:37,219 fail2ban.jail : INFO Jail 'ssh' started
2013-10-13 14:52:37,223 fail2ban.jail : INFO Jail 'courierauth' started
2013-10-13 14:52:37,232 fail2ban.jail : INFO Jail 'ispconfig' started
[/code]

fail2ban-client status ssh

[code]Status for the jail: ssh
|- filter
|  |- File list:        /var/log/auth.log
|  |- Currently failed: 0
|  `- Total failed:     0
`- action
   |- Currently banned: 0
   |  `- IP list:
   `- Total banned:     0
[/code]

So if you have any lead, I'm of course all ears :slightly_smiling:
Thanks in advance
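Added example (not part of the original post, and not fail2ban's own code): the post shows two different numbers for the same log, 4375 filter matches from fail2ban-regex and 0 failures in the ssh jail, and asks whether several jails reading the same file can interfere. The script below separates the two things a jail does, so each can be checked offline on a log excerpt: it expands failregex templates the way fail2ban does (`<HOST>` alias, `%(__prefix_line)s` prefix), counts raw matches, and then applies the findtime/maxretry window that decides an actual ban. A second function reads a jail.conf and lists the jails that share a logpath, which is the overlap the post suspects. Assumptions: `PREFIX_LINE` is a simplified stand-in for common.conf's `__prefix_line`, the log lines and jail.conf excerpt are constructed (documentation IPs), and the year 2013 is taken from the post's dates since syslog lines carry none.

```python
import configparser
import re
from collections import defaultdict
from datetime import datetime

# fail2ban's <HOST> alias, as documented in the sshd.conf comment in the post.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# Simplified stand-in for common.conf's %(__prefix_line)s (syslog timestamp,
# hostname, "sshd[pid]: "). Assumption of this example, not fail2ban's definition.
PREFIX_LINE = r"^\w{3}\s+\d+\s+\d\d:\d\d:\d\d\s+\S+\s+sshd\[\d+\]:\s+"

# Three of the failregex lines from the sshd.conf filter shown in the post.
FAILREGEX = [
    r"%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$",
    r"%(__prefix_line)sFailed (?:password|publickey) for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$",
    r"%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$",
]

# Constructed auth.log excerpt (documentation IPs), not the poster's real log.
SAMPLE_AUTH_LOG = [
    "Oct 13 12:26:15 srv sshd[2001]: Failed password for root from 192.0.2.10 port 51122 ssh2",
    "Oct 13 12:26:18 srv sshd[2003]: Failed password for invalid user admin from 192.0.2.10 port 51130 ssh2",
    "Oct 13 12:26:21 srv sshd[2005]: Invalid user admin from 192.0.2.10",
    "Oct 13 12:30:00 srv sshd[2007]: Accepted publickey for deploy from 198.51.100.7 port 40000 ssh2",
    "Oct 13 12:40:00 srv sshd[2009]: Failed password for root from 198.51.100.7 port 40010 ssh2",
    "Oct 13 12:55:00 srv sshd[2011]: Failed password for root from 198.51.100.7 port 40011 ssh2",
    "Oct 13 13:10:00 srv sshd[2013]: Failed password for root from 198.51.100.7 port 40012 ssh2",
]

# Constructed jail.conf excerpt mirroring the post's jails that read auth.log.
SAMPLE_JAIL_CONF = """
[DEFAULT]
bantime = 900
maxretry = 3

[ssh]
enabled = true
filter = sshd
logpath = /var/log/auth.log

[ssh-ddos]
enabled = true
filter = sshd-ddos
logpath = /var/log/auth.log
maxretry = 6

[pam-generic]
enabled = true
filter = pam-generic
port = all
port = anyport
logpath = /var/log/auth.log

[courierauth]
enabled = true
filter = courierlogin
logpath = /var/log/mail.log
"""


def compile_failregex(templates):
    """Expand %(__prefix_line)s and <HOST> the way fail2ban does, then compile."""
    return [re.compile(t.replace("%(__prefix_line)s", PREFIX_LINE).replace("<HOST>", HOST_RE))
            for t in templates]


def syslog_time(line, year=2013):
    """Syslog lines carry no year; 2013 is assumed to match the post's dates."""
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")


def scan(lines, regexes, maxretry, findtime):
    """Replay what a jail does: count raw filter matches (what fail2ban-regex reports)
    and, separately, the hosts whose failures reach maxretry inside a sliding
    findtime window in seconds (what the jail would actually ban)."""
    matches, recent, banned = 0, defaultdict(list), []
    for line in lines:
        for rx in regexes:
            m = rx.search(line)
            if not m:
                continue
            matches += 1
            host, ts = m.group("host"), syslog_time(line)
            recent[host] = [t for t in recent[host] if (ts - t).total_seconds() <= findtime] + [ts]
            if len(recent[host]) >= maxretry and host not in banned:
                banned.append(host)
            break  # fail2ban stops at the first failregex that matches a line
    return matches, banned


def shared_logpaths(jail_conf_text):
    """Map each logpath watched by more than one enabled jail to those jails."""
    # strict=False tolerates a repeated key (the post's [pam-generic] sets port twice);
    # interpolation=None leaves %(...)s action templates untouched.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(jail_conf_text)
    by_path = defaultdict(list)
    for jail in cp.sections():
        if cp.get(jail, "enabled", fallback="false").lower() != "true":
            continue
        for path in cp.get(jail, "logpath", fallback="").split():
            by_path[path].append(jail)
    return {p: j for p, j in by_path.items() if len(j) > 1}


if __name__ == "__main__":
    rx = compile_failregex(FAILREGEX)
    print("findtime=600 :", scan(SAMPLE_AUTH_LOG, rx, maxretry=3, findtime=600))
    print("findtime=3600:", scan(SAMPLE_AUTH_LOG, rx, maxretry=3, findtime=3600))
    print("shared logs  :", shared_logpaths(SAMPLE_JAIL_CONF))
```

On the constructed excerpt the filter matches six lines either way, but with the default findtime of 600 seconds that the post's fail2ban.log shows for the ssh jail only the host that fails three times within a few seconds is banned; the host spacing its attempts 15 minutes apart never accumulates three failures in one window. That is the distinction between the fail2ban-regex count and the jail's "Total failed" counter, and it is worth keeping in mind when comparing the two numbers. The overlap check simply reports which enabled jails read the same file, which is the first thing to enumerate when jails are suspected of interfering with one another.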