Setting up fail2ban

Hello,
I installed fail2ban to secure my server, but I see no trace of any attack, even though I am almost certain my Asterisk server is being hit.

# cat /var/log/messages|grep Ban|awk '{print $7" "$9}'|sort|uniq -c|sort -r
      7 NOTIFICATION: 1
      7 Attempting execute
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-apache-bloquescan  tcp  --  anywhere             anywhere            multiport dports www,https
fail2ban-apache-phpmyadmin  tcp  --  anywhere             anywhere            multiport dports www,https
fail2ban-fail2ban  tcp  --  anywhere             anywhere
fail2ban-postfix  tcp  --  anywhere             anywhere            multiport dports smtp,ssmtp
fail2ban-ssh  tcp  --  anywhere             anywhere            multiport dports ssh
fail2ban-ASTERISK  all  --  anywhere             anywhere
fail2ban-named-refused-tcp  tcp  --  anywhere             anywhere            multiport dports domain,953
fail2ban-apache  tcp  --  anywhere             anywhere            multiport dports www,https
fail2ban-recidivist  tcp  --  anywhere             anywhere
fail2ban-apache-multiport  tcp  --  anywhere             anywhere            multiport dports www,https
fail2ban-apache-w00tw00t  tcp  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-ASTERISK (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-apache (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-apache-bloquescan (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-apache-multiport (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-apache-phpmyadmin (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-apache-w00tw00t (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-fail2ban (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-named-refused-tcp (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-postfix (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-recidivist (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-ssh (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

I can't see what's wrong.
Thanks in advance.

Arnaud

Hi,

And what does fail2ban itself say?


hello,

# cat /var/log/fail2ban.log
2013-06-02 06:25:47,698 fail2ban.server : INFO   Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.4-SVN
2013-06-02 06:25:48,175 fail2ban.filter : INFO   Log rotation detected for /var/log/fail2ban.log
2013-06-02 06:25:54,942 fail2ban.filter : INFO   Log rotation detected for /var/log/apache2/error.log
2013-06-02 06:25:54,948 fail2ban.filter : INFO   Log rotation detected for /var/log/apache2/error.log
2013-06-02 06:25:54,950 fail2ban.filter : INFO   Log rotation detected for /var/log/apache2/error.log
2013-06-02 06:25:54,940 fail2ban.filter : INFO   Log rotation detected for /var/log/apache2/error.log
2013-06-02 06:25:55,185 fail2ban.filter : INFO   Log rotation detected for /var/log/mail.log
2013-06-02 06:25:55,191 fail2ban.filter : INFO   Log rotation detected for /var/log/auth.log
2013-06-02 06:25:56,944 fail2ban.filter : INFO   Log rotation detected for /var/log/apache2/access.log
2013-06-02 06:26:02,203 fail2ban.filter : INFO   Log rotation detected for /var/log/auth.log
2013-06-02 06:26:05,217 fail2ban.filter : INFO   Log rotation detected for /var/log/mail.log
2013-06-02 06:32:06,686 fail2ban.filter : INFO   Log rotation detected for /var/log/asterisk/messages
2013-06-02 07:00:03,317 fail2ban.filter : ERROR  Unable to get stat on /var/log/mail.log
2013-06-02 07:00:04,373 fail2ban.filter : ERROR  Unable to get stat on /var/log/mail.log
2013-06-02 07:00:05,377 fail2ban.filter : ERROR  Unable to get stat on /var/log/mail.log
2013-06-02 07:00:05,378 fail2ban.filter : WARNING Too much read error. Set the jail idle
2013-06-02 12:16:57,088 fail2ban.jail   : INFO   Jail 'apache-w00tw00t' stopped
2013-06-02 12:16:57,992 fail2ban.jail   : INFO   Jail 'postfix' stopped
2013-06-02 12:16:58,145 fail2ban.jail   : INFO   Jail 'asterisk-iptables' stopped
2013-06-02 12:16:59,103 fail2ban.jail   : INFO   Jail 'apache-bloquescan' stopped
2013-06-02 12:17:00,105 fail2ban.jail   : INFO   Jail 'apache-multiport' stopped
2013-06-02 12:17:01,100 fail2ban.jail   : INFO   Jail 'fail2ban' stopped
2013-06-02 12:17:02,176 fail2ban.jail   : INFO   Jail 'apache' stopped
2013-06-02 12:17:03,104 fail2ban.jail   : INFO   Jail 'named-refused-tcp' stopped
2013-06-02 12:17:04,112 fail2ban.jail   : INFO   Jail 'ssh' stopped
2013-06-02 12:17:05,110 fail2ban.jail   : INFO   Jail 'apache-phpmyadmin' stopped
2013-06-02 12:17:05,141 fail2ban.server : INFO   Exiting Fail2ban
2013-06-02 12:17:42,491 fail2ban.server : INFO   Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.4-SVN
2013-06-02 12:17:42,498 fail2ban.jail   : INFO   Creating new jail 'apache-w00tw00t'
2013-06-02 12:17:42,501 fail2ban.jail   : INFO   Jail 'apache-w00tw00t' uses poller
2013-06-02 12:17:42,723 fail2ban.filter : INFO   Added logfile = /var/log/apache2/access.log
2013-06-02 12:17:42,730 fail2ban.filter : INFO   Set maxRetry = 1
2013-06-02 12:17:42,752 fail2ban.filter : INFO   Set findtime = 600
2013-06-02 12:17:42,758 fail2ban.actions: INFO   Set banTime = 86400
2013-06-02 12:17:42,843 fail2ban.jail   : INFO   Creating new jail 'apache-multiport'
2013-06-02 12:17:42,845 fail2ban.jail   : INFO   Jail 'apache-multiport' uses poller
2013-06-02 12:17:42,880 fail2ban.filter : INFO   Added logfile = /var/log/apache2/error.log
2013-06-02 12:17:42,887 fail2ban.filter : INFO   Set maxRetry = 6
2013-06-02 12:17:42,909 fail2ban.filter : INFO   Set findtime = 600
2013-06-02 12:17:42,915 fail2ban.actions: INFO   Set banTime = 3600
2013-06-02 12:17:43,020 fail2ban.jail   : INFO   Creating new jail 'fail2ban-recidivist'
2013-06-02 12:17:43,022 fail2ban.jail   : INFO   Jail 'fail2ban-recidivist' uses poller
2013-06-02 12:17:43,034 fail2ban.filter : INFO   Added logfile = /var/log/messages
2013-06-02 12:17:43,042 fail2ban.filter : INFO   Set maxRetry = 5
2013-06-02 12:17:43,065 fail2ban.filter : INFO   Set findtime = 604800
2013-06-02 12:17:43,071 fail2ban.actions: INFO   Set banTime = 604800
2013-06-02 12:17:43,149 fail2ban.jail   : INFO   Creating new jail 'apache'
2013-06-02 12:17:43,151 fail2ban.jail   : INFO   Jail 'apache' uses poller
2013-06-02 12:17:43,162 fail2ban.filter : INFO   Added logfile = /var/log/apache2/error.log
2013-06-02 12:17:43,168 fail2ban.filter : INFO   Set maxRetry = 6
2013-06-02 12:17:43,190 fail2ban.filter : INFO   Set findtime = 600
2013-06-02 12:17:43,196 fail2ban.actions: INFO   Set banTime = 3600
2013-06-02 12:17:43,268 fail2ban.jail   : INFO   Creating new jail 'named-refused-tcp'
2013-06-02 12:17:43,271 fail2ban.jail   : INFO   Jail 'named-refused-tcp' uses poller
2013-06-02 12:17:43,281 fail2ban.filter : INFO   Set maxRetry = 3
2013-06-02 12:17:43,302 fail2ban.filter : INFO   Set findtime = 600
2013-06-02 12:17:43,308 fail2ban.actions: INFO   Set banTime = 3600
2013-06-02 12:17:43,399 fail2ban.jail   : INFO   Creating new jail 'asterisk-iptables'
2013-06-02 12:17:43,401 fail2ban.jail   : INFO   Jail 'asterisk-iptables' uses poller
2013-06-02 12:17:43,412 fail2ban.filter : INFO   Added logfile = /var/log/asterisk/messages
2013-06-02 12:17:43,418 fail2ban.filter : INFO   Set maxRetry = 3
2013-06-02 12:17:43,441 fail2ban.filter : INFO   Set findtime = 21600
2013-06-02 12:17:43,447 fail2ban.actions: INFO   Set banTime = 259200
2013-06-02 12:17:43,751 fail2ban.jail   : INFO   Creating new jail 'apache-bloquescan'
2013-06-02 12:17:43,753 fail2ban.jail   : INFO   Jail 'apache-bloquescan' uses poller
2013-06-02 12:17:43,764 fail2ban.filter : INFO   Added logfile = /var/log/apache2/error.log
2013-06-02 12:17:43,770 fail2ban.filter : INFO   Set maxRetry = 1
2013-06-02 12:17:43,792 fail2ban.filter : INFO   Set findtime = 600
2013-06-02 12:17:43,799 fail2ban.actions: INFO   Set banTime = 86400
2013-06-02 12:17:43,868 fail2ban.jail   : INFO   Creating new jail 'ssh'
2013-06-02 12:17:43,871 fail2ban.jail   : INFO   Jail 'ssh' uses poller
2013-06-02 12:17:43,881 fail2ban.filter : INFO   Added logfile = /var/log/auth.log
2013-06-02 12:17:43,888 fail2ban.filter : INFO   Set maxRetry = 6
2013-06-02 12:17:43,910 fail2ban.filter : INFO   Set findtime = 600
2013-06-02 12:17:43,916 fail2ban.actions: INFO   Set banTime = 3600
2013-06-02 12:17:44,609 fail2ban.jail   : INFO   Creating new jail 'postfix'
2013-06-02 12:17:44,613 fail2ban.jail   : INFO   Jail 'postfix' uses poller
2013-06-02 12:17:44,623 fail2ban.filter : INFO   Set maxRetry = 3
2013-06-02 12:17:44,645 fail2ban.filter : INFO   Set findtime = 600
2013-06-02 12:17:44,652 fail2ban.actions: INFO   Set banTime = 3600
2013-06-02 12:17:44,706 fail2ban.jail   : INFO   Creating new jail 'fail2ban'
2013-06-02 12:17:44,708 fail2ban.jail   : INFO   Jail 'fail2ban' uses poller
2013-06-02 12:17:44,718 fail2ban.filter : INFO   Added logfile = /var/log/fail2ban.log
2013-06-02 12:17:44,725 fail2ban.filter : INFO   Set maxRetry = 3
2013-06-02 12:17:44,747 fail2ban.filter : INFO   Set findtime = 604800
2013-06-02 12:17:44,753 fail2ban.actions: INFO   Set banTime = 604800
2013-06-02 12:17:44,840 fail2ban.jail   : INFO   Creating new jail 'apache-phpmyadmin'
2013-06-02 12:17:44,842 fail2ban.jail   : INFO   Jail 'apache-phpmyadmin' uses poller
2013-06-02 12:17:44,852 fail2ban.filter : INFO   Added logfile = /var/log/apache2/error.log
2013-06-02 12:17:44,859 fail2ban.filter : INFO   Set maxRetry = 3
2013-06-02 12:17:44,882 fail2ban.filter : INFO   Set findtime = 600
2013-06-02 12:17:44,888 fail2ban.actions: INFO   Set banTime = 3600
2013-06-02 12:17:44,994 fail2ban.jail   : INFO   Jail 'apache-w00tw00t' started
2013-06-02 12:17:45,026 fail2ban.jail   : INFO   Jail 'apache-multiport' started
2013-06-02 12:17:45,043 fail2ban.jail   : INFO   Jail 'fail2ban-recidivist' started
2013-06-02 12:17:45,059 fail2ban.jail   : INFO   Jail 'apache' started
2013-06-02 12:17:45,075 fail2ban.jail   : INFO   Jail 'named-refused-tcp' started
2013-06-02 12:17:45,097 fail2ban.jail   : INFO   Jail 'asterisk-iptables' started
2013-06-02 12:17:45,110 fail2ban.jail   : INFO   Jail 'apache-bloquescan' started
2013-06-02 12:17:45,132 fail2ban.jail   : INFO   Jail 'ssh' started
2013-06-02 12:17:45,150 fail2ban.jail   : INFO   Jail 'postfix' started
2013-06-02 12:17:45,179 fail2ban.jail   : INFO   Jail 'fail2ban' started
2013-06-02 12:17:45,226 fail2ban.jail   : INFO   Jail 'apache-phpmyadmin' started

and I do receive this kind of email

The IP 188.138.110.44 has just been banned by Fail2Ban after
144 attempts against ASTERISK.
Here are more information about 188.138.110.44:
Regards,

Thanks.
Arnaud
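An added example, not part of the thread: the first post grepped /var/log/messages with syslog field numbers, while the ban events the reply asks about live in /var/log/fail2ban.log, whose 0.8.x line layout is shown above. The sample lines are constructed in that format (the ban/unban lines are not from the poster's log); the functions summarise bans per jail, list addresses still banned, and surface the "Unable to get stat" / "Set the jail idle" lines that appear in the log above, since a jail set idle stops watching its file until it is re-enabled.

```shell
#!/bin/sh
# Constructed sample in the fail2ban 0.8 log format (not the poster's real log).
sample_log() {
cat <<'EOF'
2013-06-02 07:00:05,378 fail2ban.filter : WARNING Too much read error. Set the jail idle
2013-06-02 12:17:45,097 fail2ban.jail   : INFO   Jail 'asterisk-iptables' started
2013-06-02 12:30:01,512 fail2ban.actions: WARNING [asterisk-iptables] Ban 188.138.110.44
2013-06-02 12:41:09,004 fail2ban.actions: WARNING [ssh] Ban 203.0.113.7
2013-06-02 13:02:55,777 fail2ban.actions: WARNING [asterisk-iptables] Ban 198.51.100.23
2013-06-03 12:30:02,100 fail2ban.actions: WARNING [asterisk-iptables] Unban 188.138.110.44
EOF
}

# Ban count per jail. On an "actions" line $5 is "[jail]", $6 is Ban/Unban, $7 the IP.
count_bans() {
    awk '$6 == "Ban" { gsub(/\[|\]/, "", $5); n[$5]++ }
         END { for (j in n) printf "%d %s\n", n[j], j }' | sort -rn
}

# Addresses still banned: every Ban without a later Unban for the same jail/IP pair.
still_banned() {
    awk '$6 == "Ban"   { b[$5 " " $7] = 1 }
         $6 == "Unban" { delete b[$5 " " $7] }
         END { for (k in b) print k }' | sort
}

# Lines meaning a jail stopped reading its log file (rotated or missing file).
# Such a jail bans nothing until it is taken out of idle, however many attacks arrive.
log_health() {
    grep -E 'Unable to get stat|Set the jail idle'
}

# On a real system: count_bans < /var/log/fail2ban.log, and so on.
sample_log | count_bans
sample_log | still_banned
sample_log | log_health
```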

Right there, there is already something to do:
DROP instead of ACCEPT.
The principle is to deny everything by default and open only what you allow.
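An added example, not from the thread, of the default-deny stance in the reply: the poster's filter table has policy ACCEPT on every chain, so fail2ban can only subtract from an open host. The ruleset below is emitted in iptables-restore format (applied atomically, unlike a sequence of iptables commands that can lock you out halfway); the opened ports are assumed from the services visible in the poster's chains, UDP 5060 and the RTP range 10000-20000 are assumed Asterisk defaults, and port 953 (rndc) is deliberately left closed.

```shell
#!/bin/sh
# Emit a default-deny filter table. fail2ban later inserts its own fail2ban-* jump
# rules at the top of INPUT, so restart fail2ban after loading this (the load
# flushes the table and with it the chains fail2ban created).
gen_rules() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 25,465 -j ACCEPT
-A INPUT -p tcp --dport 53 -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p udp --dport 5060 -j ACCEPT
-A INPUT -p udp --dport 10000:20000 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: " --log-level 4
COMMIT
EOF
}

# Load with a lock-out guard: the previous rules come back after 60 s unless the
# operator kills the revert job from a fresh SSH login. Needs root; not run here.
apply_with_guard() {
    iptables-save > /tmp/iptables.before || return 1
    gen_rules | iptables-restore --test || return 1      # parse only, commit nothing
    gen_rules | iptables-restore || return 1
    ( sleep 60; iptables-restore < /tmp/iptables.before ) &
    echo "revert scheduled as PID $!; run 'kill $!' once a new SSH login works,"
    echo "then restart fail2ban so it re-creates its chains"
}

# Show the ruleset; a real run would be: apply_with_guard
gen_rules
```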