Beiträge von Zlypher

Zlypher · 24. August 2011

hallo,

ja die sync.sh ist ausführbar und nur ausführbar r und w habe ich nicht vergeben.

In der fail2ban.log steht nichts derartiges drin.

Code

2011-08-24 11:19:59,470 fail2ban.server : INFO   Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.4-SVN
2011-08-24 11:19:59,471 fail2ban.jail   : INFO   Creating new jail 'ssh'
2011-08-24 11:19:59,471 fail2ban.jail   : INFO   Jail 'ssh' uses poller
2011-08-24 11:19:59,481 fail2ban.filter : INFO   Added logfile = /var/log/auth.log
2011-08-24 11:19:59,481 fail2ban.filter : INFO   Set maxRetry = 3
2011-08-24 11:19:59,482 fail2ban.filter : INFO   Set findtime = 600
2011-08-24 11:19:59,483 fail2ban.actions: INFO   Set banTime = 7200
2011-08-24 11:19:59,508 fail2ban.jail   : INFO   Creating new jail 'ssh-ddos'
2011-08-24 11:19:59,508 fail2ban.jail   : INFO   Jail 'ssh-ddos' uses poller
2011-08-24 11:19:59,508 fail2ban.filter : INFO   Added logfile = /var/log/auth.log
2011-08-24 11:19:59,509 fail2ban.filter : INFO   Set maxRetry = 3
2011-08-24 11:19:59,509 fail2ban.filter : INFO   Set findtime = 600
2011-08-24 11:19:59,510 fail2ban.actions: INFO   Set banTime = 7200
2011-08-24 11:19:59,513 fail2ban.jail   : INFO   Creating new jail 'apache'
2011-08-24 11:19:59,513 fail2ban.jail   : INFO   Jail 'apache' uses poller
2011-08-24 11:19:59,514 fail2ban.filter : INFO   Added logfile = /var/log/apache2/error.log
2011-08-24 11:19:59,514 fail2ban.filter : INFO   Set maxRetry = 3
2011-08-24 11:19:59,515 fail2ban.filter : INFO   Set findtime = 600
2011-08-24 11:19:59,515 fail2ban.actions: INFO   Set banTime = 7200
2011-08-24 11:19:59,519 fail2ban.jail   : INFO   Creating new jail 'apache-multiport'
2011-08-24 11:19:59,519 fail2ban.jail   : INFO   Jail 'apache-multiport' uses poller
2011-08-24 11:19:59,519 fail2ban.filter : INFO   Added logfile = /var/log/apache2/error.log
2011-08-24 11:19:59,520 fail2ban.filter : INFO   Set maxRetry = 3
2011-08-24 11:19:59,520 fail2ban.filter : INFO   Set findtime = 600
2011-08-24 11:19:59,520 fail2ban.actions: INFO   Set banTime = 7200
2011-08-24 11:19:59,524 fail2ban.jail   : INFO   Jail 'ssh' started
2011-08-24 11:19:59,527 fail2ban.jail   : INFO   Jail 'ssh-ddos' started
2011-08-24 11:19:59,529 fail2ban.jail   : INFO   Jail 'apache' started
2011-08-24 11:19:59,532 fail2ban.jail   : INFO   Jail 'apache-multiport' started

Alles anzeigen

jedoch im Log (jeweils ip durch [ip], port durch [port] und username durch [username] ersetzt )

Code

Aug 24 11:57:27 your-path sshd[20734]: Failed password for [username] from [ip] port [port] ssh2
Aug 24 11:58:05 your-path sshd[20734]: last message repeated 4 times
Aug 24 11:58:23 your-path sshd[20734]: Failed password for [username] from [ip] port [port] ssh2
Aug 24 11:58:23 your-path sshd[20734]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=[ip]  user=[username]
Aug 24 11:58:23 your-path sshd[20734]: PAM service(sshd) ignoring max retries; 6 > 3
Aug 24 12:00:57 your-path sshd[28625]: pam_unix(sshd:session): session closed for user [username]

also scheinen wirklich die Filter nicht zu greifen denn es würden einige Einträge aus dem Logfile zutreffen!
sollte man weiteren quellcode benötigen, so schreibe ich den hier gerne ein.

[edit]
bin gerade auf etwas gestoßen!
im Filter steht:

Code

^%(__prefix_line)sFailed (?:password|publickey) for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$

somit kann der das ja nicht finden oder?
Weil die Zeile im meinem Log endet ja mit ssh2 und laut der regex (so wie ich es verstehe) ssh bzw. sshd.
Falls dies so, wie ich vermute der Fall ist, hätte dann jemand eine Idee, wie ich die regex so anpassen könnte, dass ssh, sshd und ssh2 am ende möglich sind?
kann natürlich auch sein, dass \d Platzhalter für eine beliebige Zahl ist <-- da muss ich mich einmal reinarbeiten

Zlypher · 24. August 2011

Hallo,

ersteinmal vielen Lieben dank für das script.
Ich habe es direkt auf meinem vServer uranus eingerichtet.
Manuell kann ich die Adressen hinzufügen und auch löschen das klappt alles super.

Jedoch geschieht bei mir automatisiert nichts.
die Filter habe ich beim Standard belassen und nichts daran geändert.

Wenn ich nun via ssh auf meinen Server verbinde und mehrmals das Kennwort von der Passphrase meines keys falsch eingebe,
dann werde ich dennoch nicht gesperrt. Irgendwann muss doch die Regel greifen?
Kann mir da vielleicht jemand freundlicher Weise helfen?

sync.conf

Code

[Definition]
# Option: actionstart
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
actionstart = 
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
actionstop = 
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck = 
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: <ip> IP address
# <failures> number of failures
# <time> unix timestamp of the ban time
# Values: CMD
#
actionban = /etc/fail2ban/action.d/sync.sh <ip> add
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: <ip> IP address
# <failures> number of failures
# <time> unix timestamp of the ban time
# Values: CMD
#
actionunban = /etc/fail2ban/action.d/sync.sh <ip> del

Alles anzeigen

jail.conf

Code

# Fail2Ban configuration file.
#
# This file was composed for Debian systems from the original one
#  provided now under /usr/share/doc/fail2ban/examples/jail.conf
#  for additional examples.
#
# To avoid merges during upgrades DO NOT MODIFY THIS FILE
# and rather provide your changes in /etc/fail2ban/jail.local
#
# Author: Yaroslav O. Halchenko <debian@onerussian.com>
#
# $Revision: 281 $
#




# The DEFAULT allows a global definition of the options. They can be override
# in each jail afterwards.




[DEFAULT]




# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1
bantime  = 7200
findtime = 600
maxretry = 3




# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto".
# yoh: For some reason Debian shipped python-gamin didn't work as expected
#  	This issue left ToDo, so polling is default backend for now
backend = polling




#
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = steffen.sandow@googlemail.com




#
# ACTIONS
#




# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define
# action_* variables. Can be overriden globally or per
# section within jail.local file
banaction = iptables-multiport




# email action. Since 0.8.1 upstream fail2ban uses sendmail
# MTA for the mailing. Change mta configuration parameter to mail
# if you want to revert to conventional 'mail'.
mta = sendmail




# Default protocol
protocol = tcp




#
# Action shortcuts. To be used to define action parameter




# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s]




# ban & send an e-mail with whois report to the destemail.
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s]
          	%(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s]




# ban & send an e-mail with whois report and relevant log lines
# to the destemail.
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s]
           	%(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s]




# Choose default action.  To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g.  action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
action = sync




#
# JAILS
#




# Next jails corresponds to the standard configuration in Fail2ban 0.6 which
# was shipped in Debian. Enable any defined here jail by including
#
# [SECTION_NAME]
# enabled = true




#
# in /etc/fail2ban/jail.local.
#
# Optionally you may override any other parameter (e.g. banaction,
# action, port, logpath, etc) in that section within jail.local




[ssh]




enabled = true
port	= ssh
filter	= sshd
logpath  = /var/log/auth.log
maxretry = 3




# Generic filter for pam. Has to be used with action which bans all ports
# such as iptables-allports, shorewall
[pam-generic]




enabled = false
# pam-generic filter can be customized to monitor specific subset of 'tty's
filter	= pam-generic
# port actually must be irrelevant but lets leave it all for some possible uses
port = all
banaction = iptables-allports
port 	= anyport
logpath  = /var/log/auth.log
maxretry = 3




[xinetd-fail]




enabled   = false
filter	= xinetd-fail
port  	= all
banaction = iptables-multiport-log
logpath   = /var/log/daemon.log
maxretry  = 2







[ssh-ddos]




enabled = true
port	= ssh
filter  = sshd-ddos
logpath  = /var/log/auth.log
maxretry = 3




#
# HTTP servers
#




[apache]




enabled = false
port	= http,https
filter	= apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 3




# default action is now multiport, so apache-multiport jail was left
# for compatibility with previous (<0.7.6-2) releases
[apache-multiport]




enabled   = false
port	  = http,https
filter	  = apache-auth
logpath   = /var/log/apache*/*error.log
maxretry = 3




[apache-noscript]




enabled = false
port	= http,https
filter  = apache-noscript
logpath = /var/log/apache*/*error.log
maxretry = 3




[apache-overflows]




enabled = false
port	= http,https
filter  = apache-overflows
logpath = /var/log/apache*/*error.log
maxretry = 2




#
# FTP servers
#




[vsftpd]




enabled  = false
port	 = ftp,ftp-data,ftps,ftps-data
filter   = vsftpd
logpath  = /var/log/vsftpd.log
# or overwrite it in jails.local to be
# logpath = /var/log/auth.log
# if you want to rely on PAM failed login attempts
# vsftpd's failregex should match both of those formats
maxretry = 3







[proftpd]




enabled  = false
port	 = ftp,ftp-data,ftps,ftps-data
filter   = proftpd
logpath  = /var/log/proftpd/proftpd.log
maxretry = 3







[wuftpd]




enabled  = false
port	 = ftp,ftp-data,ftps,ftps-data
filter   = wuftpd
logpath  = /var/log/auth.log
maxretry = 3







#
# Mail servers
#




[postfix]




enabled  = false
port	 = smtp,ssmtp
filter   = postfix
logpath  = /var/log/mail.log







[couriersmtp]




enabled  = false
port	 = smtp,ssmtp
filter   = couriersmtp
logpath  = /var/log/mail.log







#
# Mail servers authenticators: might be used for smtp,ftp,imap servers, so
# all relevant ports get banned
#




[courierauth]




enabled  = false
port	 = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter   = courierlogin
logpath  = /var/log/mail.log







[sasl]




enabled  = false
port	 = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter   = sasl
# You might consider monitoring /var/log/warn.log instead
# if you are running postfix. See http://bugs.debian.org/507990
logpath  = /var/log/mail.log







# DNS Servers







# These jails block attacks against named (bind9). By default, logging is off
# with bind9 installation. You will need something like this:
#
# logging {
# 	channel security_file {
#     	file "/var/log/named/security.log" versions 3 size 30m;
#     	severity dynamic;
#     	print-time yes;
# 	};
# 	category security {
#     	security_file;
# 	};
# };
#
# in your named.conf to provide proper logging




# !!! WARNING !!!
#   Since UDP is connectionless protocol, spoofing of IP and immitation
#   of illegal actions is way too simple.  Thus enabling of this filter
#   might provide an easy way for implementing a DoS against a chosen
#   victim. See
#	http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
#   Please DO NOT USE this jail unless you know what you are doing.
#[named-refused-udp]
#
#enabled  = false
#port 	= domain,953
#protocol = udp
#filter   = named-refused
#logpath  = /var/log/named/security.log




[named-refused-tcp]




enabled  = false
port 	= domain,953
protocol = tcp
filter   = named-refused
logpath  = /var/log/named/security.log

Alles anzeigen

fail2ban.conf

Code

# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 629 $
#




[Definition]




# Option:  loglevel
# Notes.:  Set the log level output.
#      	1 = ERROR
#      	2 = WARN
#      	3 = INFO
#      	4 = DEBUG
# Values:  NUM  Default:  3
#
loglevel = 3




# Option:  logtarget
# Notes.:  Set the log target. This could be a file, SYSLOG, STDERR or STDOUT.
#      	Only one log target can be specified.
# Values:  STDOUT STDERR SYSLOG file  Default:  /var/log/fail2ban.log
#
logtarget = /var/log/fail2ban.log




# Option: socket
# Notes.: Set the socket file. This is used to communicate with the daemon. Do
#     	not remove this file when Fail2ban runs. It will not be possible to
#     	communicate with the server afterwards.
# Values: FILE  Default:  /var/run/fail2ban/fail2ban.sock
#
socket = /var/run/fail2ban/fail2ban.sock

Alles anzeigen

Um folgendes auszuschließen:
Die benötigten Daten im init-bereich der sync.sh sind korrekt
die sync.sh ist unverändert (bis auf die Logindaten)
manuelle eintragungen über die Console in die FW des VCP sind problemlos möglich

[edit] fast vergessen:
ich verwende ubuntu 11.4 (beta)
hatte das gleiche problem aber auch bereits auf ubuntu 10.4 LTS

Danke im Voraus an alle, welche sich den Kopf für mich zerbrechen.

Beiträge von Zlypher

vServer fail2ban Alternative

vServer fail2ban Alternative