Hello,
As announced, here is my second problem: I installed fail2ban, but not all of my jails seem to be working.
In particular I enabled the protection against the w00t-w00t scripts targeting Apache, and the fail2ban logs show that it is active:
2013-08-23 15:22:41,000 fail2ban.actions: WARNING [apache-w00tw00t] Ban 184.22.58.49
2013-08-23 15:32:41,789 fail2ban.actions: WARNING [apache-w00tw00t] Unban 184.22.58.49
...
On the other hand, I also tried to filter brute-force attacks against SquirrelMail and Roundcube, but this time without success…
Here is an excerpt from /etc/jail.local: [code][roundcube]
enabled = true
port = http,https
filter = roundcube
action = iptables-multiport[name=roundcube, port="http,https"]
logpath = /var/www/roundcubemail/logs/userlogins
[squirrelmail]
enabled = true
port = http,https
filter = squirrelmail
action = iptables-multiport[name=squirrelmail, port="http,https"]
logpath = /var/log/squirrelmail.log
maxretry = 4[/code]
And now my filters:
squirrelmail.conf: [Definition]
failregex = [[]LOGIN_ERROR[]] .*. from <HOST>: Unknown user or password incorrect.
ignoreregex =
roundcube.conf: [Definition]
failregex = FAILED login for .*. from <HOST>
ignoreregex =
When I try to log in several times with a wrong password, I do get lines in the respective logs:
squirrelmail:
Aug 22 17:34:45 [LOGIN_ERROR] sdfg (caladan.siberien.tf) from 95.136.128.5: Unknown user or password incorrect.
Aug 22 17:34:53 [LOGIN_ERROR] N/A (caladan.siberien.tf) from 95.136.128.5: Unknown user or password incorrect.
Aug 22 17:35:05 [LOGIN_ERROR] N/A (caladan.siberien.tf) from 95.136.128.5: Unknown user or password incorrect.
Aug 22 17:35:25 [LOGIN_ERROR] N/A (caladan.siberien.tf) from 95.136.128.5: Unknown user or password incorrect.
Aug 22 17:35:44 [LOGIN_ERROR] N/A (caladan.siberien.tf) from 95.136.128.5: Unknown user or password incorrect.
Aug 22 17:36:01 [LOGIN_ERROR] N/A (caladan.siberien.tf) from 95.136.128.5: Unknown user or password incorrect.
And testing the expressions does return IPs: [code]# fail2ban-regex /var/log/squirrelmail.log /etc/fail2ban/filter.d/squirrelmail.conf
Running tests
Use regex file : /etc/fail2ban/filter.d/squirrelmail.conf
Use log file : /var/log/squirrelmail.log
Matched time template Year-Month-Day Hour:Minute:Second
Got time using template Year-Month-Day Hour:Minute:Second
…
Results
Failregex: 33 total
|- #) [# of hits] regular expression
| 1) [33] [[]LOGIN_ERROR[]] .*. from <HOST>: Unknown user or password incorrect.
`-
Ignoreregex: 0 total
Summary
Addresses found:
[1]
95.136.128.5 (Mon Aug 19 19:53:05 2013)
95.136.128.5 (Mon Aug 19 19:53:14 2013)
95.136.128.5 (Mon Aug 19 19:53:26 2013)
…
Date template hits:
16 hit(s): MONTH Day Hour:Minute:Second
60 hit(s): Year-Month-Day Hour:Minute:Second
Success, the total number of match is 33
However, look at the above section ‘Running tests’ which could contain important
information.[/code]
And the same for roundcube:
[22-Aug-2013 17:46:01 +0000]: FAILED login for namour from 95.136.128.5
[22-Aug-2013 17:46:09 +0000]: FAILED login for namour from 95.136.128.5
[22-Aug-2013 17:46:21 +0000]: FAILED login for namour from 95.136.128.5
[22-Aug-2013 17:46:41 +0000]: FAILED login for namour from 95.136.128.5
[22-Aug-2013 17:47:02 +0000]: FAILED login for namour from 95.136.128.5
[22-Aug-2013 17:47:22 +0000]: FAILED login for namour from 95.136.128.5
[code]# fail2ban-regex /var/www/roundcubemail/logs/userlogins /etc/fail2ban/filter.d/roundcube.conf
Running tests
Use regex file : /etc/fail2ban/filter.d/roundcube.conf
Use log file : /var/www/roundcubemail/logs/userlogins
Matched time template Day-MONTH-Year Hour:Minute:Second[.Millisecond]
Got time using template Day-MONTH-Year Hour:Minute:Second[.Millisecond]
…
Results
Failregex: 16 total
|- #) [# of hits] regular expression
| 1) [16] FAILED login for .*. from <HOST>
`-
Ignoreregex: 0 total
Summary
Addresses found:
[1]
95.136.128.5 (Mon Aug 19 20:09:37 2013)
95.136.128.5 (Mon Aug 19 20:42:59 2013)
…
Date template hits:
46 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
Success, the total number of match is 16
However, look at the above section ‘Running tests’ which could contain important
information.[/code]
And yet no ban. Any ideas?
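The two filters above match in `fail2ban-regex`, but a match alone is not a ban: fail2ban also needs `maxretry` matching lines whose timestamps fall inside `findtime`, and it discards failures older than `findtime`. The script below is an added example, not the poster's code or fail2ban's, that applies the post's two `failregex` lines to constructed SquirrelMail- and Roundcube-style log lines (documentation IP 203.0.113.5 and the hostname mail.example.test are made up), parses each log's timestamp format explicitly, and then models the ban decision. The `<HOST>` substitution is a simplified version of what fail2ban does (an assumption; the real pattern also accepts IPv6 forms), and the SquirrelMail lines carry no year, so the caller has to supply one, which is the kind of detail a date-template mismatch hides.

```python
import re
from datetime import datetime, timedelta

# Simplified stand-in for the pattern fail2ban substitutes for <HOST>
# (assumption: enough for IPv4 addresses and hostnames, not IPv6).
HOST_RE = r"(?P<host>[\w.\-]+)"

def compile_failregex(failregex):
    """Turn a filter.d-style failregex into a compiled Python regex."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))

# The two failregex lines from the post.
SQUIRRELMAIL_FAILREGEX = r"[[]LOGIN_ERROR[]] .*. from <HOST>: Unknown user or password incorrect."
ROUNDCUBE_FAILREGEX = r"FAILED login for .*. from <HOST>"

# Timestamp layouts of the two logs. SquirrelMail lines have no year.
SQUIRRELMAIL_DATE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} \d{1,2} \d\d:\d\d:\d\d) ")
ROUNDCUBE_DATE = re.compile(r"^\[(?P<ts>\d\d-[A-Z][a-z]{2}-\d{4} \d\d:\d\d:\d\d) [+-]\d{4}\]:")

def parse_squirrelmail_ts(line, year):
    """Parse 'Aug 22 17:34:45'; the year is not in the log, so it is supplied."""
    m = SQUIRRELMAIL_DATE.match(line)
    return datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S") if m else None

def parse_roundcube_ts(line):
    """Parse '[22-Aug-2013 17:46:01 +0000]:' (offset ignored; sample is UTC)."""
    m = ROUNDCUBE_DATE.match(line)
    return datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S") if m else None

def collect_failures(lines, failregex, parse_ts):
    """Return {host: [timestamps]} for every line the failregex matches."""
    rx = compile_failregex(failregex)
    failures = {}
    for line in lines:
        m = rx.search(line)
        ts = parse_ts(line)
        if m and ts is not None:
            failures.setdefault(m["host"], []).append(ts)
    return failures

def would_ban(timestamps, maxretry, findtime, now=None):
    """Model of fail2ban's decision: ban once `maxretry` failures lie within a
    `findtime` window. When `now` is given, failures older than `findtime`
    are dropped first, which is why old matches never produce a ban."""
    ts = sorted(timestamps)
    if now is not None:
        ts = [t for t in ts if now - t <= findtime]
    for i in range(maxretry - 1, len(ts)):
        if ts[i] - ts[i - maxretry + 1] <= findtime:
            return True
    return False

# Constructed sample lines in the two formats shown in the post, plus one
# successful Roundcube login that must not match.
SQUIRRELMAIL_SAMPLE = """\
Aug 22 17:34:45 [LOGIN_ERROR] sdfg (mail.example.test) from 203.0.113.5: Unknown user or password incorrect.
Aug 22 17:34:53 [LOGIN_ERROR] N/A (mail.example.test) from 203.0.113.5: Unknown user or password incorrect.
Aug 22 17:35:05 [LOGIN_ERROR] N/A (mail.example.test) from 203.0.113.5: Unknown user or password incorrect.
Aug 22 17:35:25 [LOGIN_ERROR] N/A (mail.example.test) from 203.0.113.5: Unknown user or password incorrect.
Aug 22 17:35:44 [LOGIN_ERROR] N/A (mail.example.test) from 203.0.113.5: Unknown user or password incorrect.
Aug 22 17:36:01 [LOGIN_ERROR] N/A (mail.example.test) from 203.0.113.5: Unknown user or password incorrect.
"""
ROUNDCUBE_SAMPLE = """\
[22-Aug-2013 17:46:01 +0000]: FAILED login for namour from 203.0.113.5
[22-Aug-2013 17:46:09 +0000]: FAILED login for namour from 203.0.113.5
[22-Aug-2013 17:46:21 +0000]: FAILED login for namour from 203.0.113.5
[22-Aug-2013 17:46:41 +0000]: FAILED login for namour from 203.0.113.5
[22-Aug-2013 17:47:02 +0000]: FAILED login for namour from 203.0.113.5
[22-Aug-2013 17:47:22 +0000]: FAILED login for namour from 203.0.113.5
[22-Aug-2013 17:48:00 +0000]: Successful login for namour (ID: 1) from 203.0.113.5
"""

def squirrelmail_failures():
    return collect_failures(SQUIRRELMAIL_SAMPLE.splitlines(), SQUIRRELMAIL_FAILREGEX,
                            lambda l: parse_squirrelmail_ts(l, 2013))

def roundcube_failures():
    return collect_failures(ROUNDCUBE_SAMPLE.splitlines(), ROUNDCUBE_FAILREGEX, parse_roundcube_ts)

if __name__ == "__main__":
    ten_min = timedelta(seconds=600)           # fail2ban's default findtime
    for name, fails, maxretry in (("squirrelmail", squirrelmail_failures(), 4),
                                  ("roundcube", roundcube_failures(), 3)):
        for host, times in fails.items():
            print(name, host, len(times), "failures;",
                  "ban (log time):", would_ban(times, maxretry, ten_min),
                  "ban (a day later):", would_ban(times, maxretry, ten_min,
                                                  now=datetime(2013, 8, 23, 17, 0, 0)))
```

Run against a real log, the same `collect_failures` call on `open(path)` shows which lines the regex actually picks up and with what timestamps; comparing those timestamps with the `Addresses found` block of `fail2ban-regex` is a quick way to check that the date template fail2ban chose agrees with the log's own dates.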