Fail2ban erstellt keine Firewall-Regeln

Jiny · 17. September 2012

Hallo,
auch ich habe Probleme das ständig mein vServer über postfix attackiert wird. Ich habe dagegen schon fail2ban installiert und das Script auch so eingestellt wie es hier im Forum steht damit es mit der VCP Firewall zusammen arbeitet. Leider werden aber keine neue Regeln durch fail2ban erstellt, wenn ich es manuell teste, direkt über das PHP Script, klappt das eintragen und löschen ohne Probleme.

Dies sind mal ein paar Beispieleinträge aus meiner mail.log:

Code

Sep 17 16:54:36 v220100556153214 postfix/smtpd[14841]: warning: unknown[187.75.218.117]: SASL CRAM-MD5 authentication failed: authentication failure
Sep 17 16:54:41 v220100556153214 postfix/smtpd[14841]: warning: SASL authentication failure: no secret in database
Sep 17 16:54:41 v220100556153214 postfix/smtpd[14841]: warning: unknown[187.75.218.117]: SASL CRAM-MD5 authentication failed: authentication failure
Sep 17 16:54:43 v220100556153214 postfix/smtpd[14841]: too many errors after AUTH from unknown[187.75.218.117]
Sep 17 16:54:43 v220100556153214 postfix/smtpd[14841]: disconnect from unknown[187.75.218.117]
Sep 17 16:54:45 v220100556153214 postfix/smtpd[14841]: warning: 187.75.218.117: hostname 187-75-218-117.dsl.telesp.net.br verification failed: Name or service not known
Sep 17 16:54:45 v220100556153214 postfix/smtpd[14841]: connect from unknown[187.75.218.117]
Sep 17 16:54:46 v220100556153214 postfix/smtpd[14841]: warning: SASL authentication failure: no secret in database
Sep 17 16:54:46 v220100556153214 postfix/smtpd[14841]: warning: unknown[187.75.218.117]: SASL CRAM-MD5 authentication failed: authentication failure
Sep 17 16:54:47 v220100556153214 postfix/smtpd[14841]: warning: SASL authentication failure: no secret in database

Code

Sep 17 08:20:23 v220100556153214 postfix/smtpd[18320]: warning: unknown[187.75.218.117]: SASL CRAM-MD5 authentication failed: bad protocol / cancel
Sep 17 08:20:28 v220100556153214 postfix/smtpd[18320]: warning: SASL authentication failure: need authentication name
Sep 17 08:20:28 v220100556153214 postfix/smtpd[18320]: warning: unknown[187.75.218.117]: SASL CRAM-MD5 authentication failed: bad protocol / cancel
Sep 17 08:20:33 v220100556153214 postfix/smtpd[18320]: warning: SASL authentication failure: need authentication name
Sep 17 08:20:33 v220100556153214 postfix/smtpd[18320]: warning: unknown[187.75.218.117]: SASL CRAM-MD5 authentication failed: bad protocol / cancel
Sep 17 08:20:37 v220100556153214 postfix/smtpd[18320]: warning: SASL authentication failure: need authentication name
Sep 17 08:20:37 v220100556153214 postfix/smtpd[18320]: warning: unknown[187.75.218.117]: SASL CRAM-MD5 authentication failed: bad protocol / cancel
Sep 17 08:20:42 v220100556153214 postfix/smtpd[18320]: warning: SASL authentication failure: need authentication name
Sep 17 08:20:42 v220100556153214 postfix/smtpd[18320]: warning: unknown[187.75.218.117]: SASL CRAM-MD5 authentication failed: bad protocol / cancel

Code

Sep 16 20:59:33 v220100556153214 postfix/smtpd[27006]: warning: 213.227.39.134.static.user.ono.com[213.227.39.134]: SASL LOGIN authentication failed: authentication failure
Sep 16 20:59:34 v220100556153214 postfix/smtpd[31357]: warning: 213.227.39.134.static.user.ono.com[213.227.39.134]: SASL LOGIN authentication failed: authentication failure
Sep 16 20:59:35 v220100556153214 postfix/smtpd[27006]: disconnect from 213.227.39.134.static.user.ono.com[213.227.39.134]
Sep 16 20:59:35 v220100556153214 postfix/smtpd[31357]: disconnect from 213.227.39.134.static.user.ono.com[213.227.39.134]
Sep 16 20:59:36 v220100556153214 postfix/smtpd[16533]: warning: 213.227.39.134.static.user.ono.com[213.227.39.134]: SASL LOGIN authentication failed: authentication failure
Sep 16 20:59:36 v220100556153214 postfix/smtpd[25721]: connect from 213.227.39.134.static.user.ono.com[213.227.39.134]
Sep 16 20:59:36 v220100556153214 postfix/smtpd[14870]: warning: 213.227.39.134.static.user.ono.com[213.227.39.134]: SASL LOGIN authentication failed: authentication failure
Sep 16 20:59:36 v220100556153214 postfix/smtpd[29115]: warning: 213.227.39.134.static.user.ono.com[213.227.39.134]: SASL LOGIN authentication failed: authentication failure

Der sasl Filter ist in fail2ban aktiviert.

Schon mal vielen Dank im Vorraus für eure Hilfe!

MfG
Jiny

Dragon · 17. September 2012

Die Logs von fail2ban wären interessanter...

perryflynn · 17. September 2012

Hast Du mein Script denn in das action.d Script für iptables-multiport eingebaut?
Wird iptables-multiport denn auch als action verwendet?

Jiny · 17. September 2012

Die original iptables-multiport.conf hab ich ersetzt durch deine und in meiner jail.local steht:
banaction = iptables-multiport

Die Logs von fail2ban sind nicht sehr aussagekräftig, dort steht nur das die Dieste gestartet wurden bzw. mal ein Hinweis wenn eine Logdatei archiviert wurde.

perryflynn · 17. September 2012

Was schreibt denn Fail2Ban in sein Log?
Erkennt er überhaupt die "Hackversuche" und versucht einen Ban?

Jiny · 17. September 2012

Ja wo du es gerade sagst, nein tut er nicht. Also hat fail2ban ein Problem und nicht dein Script. Tut mir leid, da hab ich ja gar nicht dran gedacht.

perryflynn · 17. September 2012

Kein Problem.
Dann schau mal in den Logs ob die Jails überhaupt aktiviert werden.

Jiny · 17. September 2012

Hier ist mal ein Auszug aus dem fail2ban log:

Code

2012-09-13 16:17:10,768 fail2ban.server : INFO   Exiting Fail2ban
2012-09-13 16:17:11,115 fail2ban.server : INFO   Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.4-SVN
2012-09-13 16:17:11,117 fail2ban.jail   : INFO   Creating new jail 'vsftpd'
2012-09-13 16:17:11,117 fail2ban.jail   : INFO   Jail 'vsftpd' uses poller
2012-09-13 16:17:11,132 fail2ban.filter : INFO   Set maxRetry = 6
2012-09-13 16:17:11,133 fail2ban.filter : INFO   Set findtime = 600
2012-09-13 16:17:11,134 fail2ban.actions: INFO   Set banTime = 86400
2012-09-13 16:17:11,148 fail2ban.jail   : INFO   Creating new jail 'ssh-ddos'
2012-09-13 16:17:11,148 fail2ban.jail   : INFO   Jail 'ssh-ddos' uses poller
2012-09-13 16:17:11,149 fail2ban.filter : INFO   Added logfile = /var/log/auth.log
2012-09-13 16:17:11,150 fail2ban.filter : INFO   Set maxRetry = 6
2012-09-13 16:17:11,151 fail2ban.filter : INFO   Set findtime = 600
2012-09-13 16:17:11,151 fail2ban.actions: INFO   Set banTime = 86400
2012-09-13 16:17:11,164 fail2ban.jail   : INFO   Creating new jail 'couriersmtp'
2012-09-13 16:17:11,164 fail2ban.jail   : INFO   Jail 'couriersmtp' uses poller
2012-09-13 16:17:11,165 fail2ban.filter : INFO   Added logfile = /var/log/mail.log
2012-09-13 16:17:11,165 fail2ban.filter : INFO   Set maxRetry = 3
2012-09-13 16:17:11,167 fail2ban.filter : INFO   Set findtime = 600
2012-09-13 16:17:11,169 fail2ban.actions: INFO   Set banTime = 86400
2012-09-13 16:17:11,181 fail2ban.jail   : INFO   Creating new jail 'wuftpd'
2012-09-13 16:17:11,181 fail2ban.jail   : INFO   Jail 'wuftpd' uses poller
2012-09-13 16:17:11,182 fail2ban.filter : INFO   Added logfile = /var/log/auth.log
2012-09-13 16:17:11,185 fail2ban.filter : INFO   Set maxRetry = 6
2012-09-13 16:17:11,187 fail2ban.filter : INFO   Set findtime = 600
2012-09-13 16:17:11,188 fail2ban.actions: INFO   Set banTime = 86400
2012-09-13 16:17:11,206 fail2ban.jail   : INFO   Creating new jail 'ssh'
2012-09-13 16:17:11,207 fail2ban.jail   : INFO   Jail 'ssh' uses poller
2012-09-13 16:17:11,208 fail2ban.filter : INFO   Added logfile = /var/log/auth.log
2012-09-13 16:17:11,210 fail2ban.filter : INFO   Set maxRetry = 6
2012-09-13 16:17:11,212 fail2ban.filter : INFO   Set findtime = 600
2012-09-13 16:17:11,213 fail2ban.actions: INFO   Set banTime = 86400
2012-09-13 16:17:11,316 fail2ban.jail   : INFO   Creating new jail 'postfix'
2012-09-13 16:17:11,316 fail2ban.jail   : INFO   Jail 'postfix' uses poller
2012-09-13 16:17:11,316 fail2ban.filter : INFO   Added logfile = /var/log/mail.log
2012-09-13 16:17:11,317 fail2ban.filter : INFO   Set maxRetry = 3
2012-09-13 16:17:11,318 fail2ban.filter : INFO   Set findtime = 600
2012-09-13 16:17:11,318 fail2ban.actions: INFO   Set banTime = 86400
2012-09-13 16:17:11,333 fail2ban.jail   : INFO   Creating new jail 'sasl'
2012-09-13 16:17:11,333 fail2ban.jail   : INFO   Jail 'sasl' uses poller
2012-09-13 16:17:11,334 fail2ban.filter : INFO   Added logfile = /var/log/mail.log
2012-09-13 16:17:11,334 fail2ban.filter : INFO   Set maxRetry = 3
2012-09-13 16:17:11,335 fail2ban.filter : INFO   Set findtime = 600
2012-09-13 16:17:11,335 fail2ban.actions: INFO   Set banTime = 86400
2012-09-13 16:17:11,346 fail2ban.jail   : INFO   Creating new jail 'apache'
2012-09-13 16:17:11,346 fail2ban.jail   : INFO   Jail 'apache' uses poller
2012-09-13 16:17:11,347 fail2ban.filter : INFO   Added logfile = /var/log/apache2/error.log
2012-09-13 16:17:11,347 fail2ban.filter : INFO   Set maxRetry = 6
2012-09-13 16:17:11,348 fail2ban.filter : INFO   Set findtime = 600
2012-09-13 16:17:11,348 fail2ban.actions: INFO   Set banTime = 86400
2012-09-13 16:17:11,358 fail2ban.jail   : INFO   Creating new jail 'courierauth'
2012-09-13 16:17:11,358 fail2ban.jail   : INFO   Jail 'courierauth' uses poller
2012-09-13 16:17:11,359 fail2ban.filter : INFO   Added logfile = /var/log/mail.log
2012-09-13 16:17:11,360 fail2ban.filter : INFO   Set maxRetry = 3
2012-09-13 16:17:11,361 fail2ban.filter : INFO   Set findtime = 600
2012-09-13 16:17:11,361 fail2ban.actions: INFO   Set banTime = 86400
2012-09-13 16:17:11,370 fail2ban.jail   : INFO   Creating new jail 'proftpd'
2012-09-13 16:17:11,370 fail2ban.jail   : INFO   Jail 'proftpd' uses poller
2012-09-13 16:17:11,370 fail2ban.filter : INFO   Added logfile = /var/log/proftpd/proftpd.log
2012-09-13 16:17:11,371 fail2ban.filter : INFO   Set maxRetry = 6
2012-09-13 16:17:11,372 fail2ban.filter : INFO   Set findtime = 600
2012-09-13 16:17:11,372 fail2ban.actions: INFO   Set banTime = 86400
2012-09-13 16:17:11,385 fail2ban.jail   : INFO   Jail 'vsftpd' started
2012-09-13 16:17:11,388 fail2ban.jail   : INFO   Jail 'ssh-ddos' started
2012-09-13 16:17:11,390 fail2ban.jail   : INFO   Jail 'couriersmtp' started
2012-09-13 16:17:11,391 fail2ban.jail   : INFO   Jail 'wuftpd' started
2012-09-13 16:17:11,392 fail2ban.jail   : INFO   Jail 'ssh' started
2012-09-13 16:17:11,393 fail2ban.jail   : INFO   Jail 'postfix' started
2012-09-13 16:17:11,394 fail2ban.jail   : INFO   Jail 'sasl' started
2012-09-13 16:17:11,395 fail2ban.jail   : INFO   Jail 'apache' started
2012-09-13 16:17:11,396 fail2ban.jail   : INFO   Jail 'courierauth' started
2012-09-13 16:17:11,400 fail2ban.jail   : INFO   Jail 'proftpd' started
2012-09-16 06:25:11,541 fail2ban.filter : INFO   Log rotation detected for /var/log/apache2/error.log
2012-09-16 06:25:40,112 fail2ban.filter : INFO   Log rotation detected for /var/log/apache2/error.log

Alles anzeigen