Fail2ban not working on Raspbian (ssh)

2

I just did a fresh install on my Raspberry Pi (Raspbian) and I can't get fail2ban to do anything; it doesn't block any failed ssh log-ins. I checked that it is pointing to the correct log file (/var/log/auth.log), confirmed that iptables is active and fail2ban has been started, the sshd jail is enabled and the service is running on port 22. I really don't know what to do at this point; I have never had this much trouble getting this working with ssh before. It usually works right out of the box. Here is my log filter and auth log:

Log:

Jan 22 21:11:25 PI2 sshd[22700]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.4.56.163 user=pi
Jan 22 21:11:27 PI2 sshd[22700]: Failed password for pi from 216.4.56.163 port 16290 ssh2
Jan 22 21:11:27 PI2 sshd[22700]: error: Received disconnect from 216.4.56.163: 3: com.jcraft.jsch.JSchException: Auth cancel [preauth]
Jan 22 21:17:01 PI2 CRON[22783]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 22 21:17:01 PI2 CRON[22783]: pam_unix(cron:session): session closed for user root
Jan 22 21:17:30 PI2 sshd[22809]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=183.3.202.106 user=root
Jan 22 21:17:33 PI2 sshd[22809]: Failed password for root from 183.3.202.106 port 16766 ssh2
Jan 22 21:17:36 PI2 sshd[22809]: Failed password for root from 183.3.202.106 port 16766 ssh2
Jan 22 21:17:38 PI2 sshd[22809]: Failed password for root from 183.3.202.106 port 16766 ssh2
Jan 22 21:17:39 PI2 sshd[22809]: Received disconnect from 183.3.202.106: 11: [preauth]
Jan 22 21:17:39 PI2 sshd[22809]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=183.3.202.106 user=root

Filter:

    ^%(__prefix_line)sFailed \S+ for .*? from <HOST>(?: port \d*)?(?: ssh\d*
    ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
    ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
    ^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in
    ^%(__prefix_line)sUser .+ from <HOST> not allowed because listed in Deny
    ^%(__prefix_line)sUser .+ from <HOST> not allowed because not in any gro
    ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
    ^%(__prefix_line)sReceived disconnect from <HOST>: 3: \S+: Auth fail$
    ^%(__prefix_line)sUser .+ from <HOST> not allowed because a group is lis
    ^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's
ignoreregex =.

I'm fairly sure it's the log filter, but I'm not sure how to fix it.

    
by TheStarvingGeek 23.01.2016 / 18:52
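When the filter is the suspect, the direct check is to run the filter's regexes over the captured lines, which is what `fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf` does on the box. The script below is an added example, not code from the question or from fail2ban, that approximates that check offline. Its `PREFIX_LINE` and `HOST` patterns are simplified stand-ins for fail2ban's `__prefix_line` and `<HOST>` (fail2ban's are broader, and it strips the timestamp before matching), the sample lines are constructed from the excerpt above, and `maxretry=3` is an assumed jail setting.

```python
import re
from collections import Counter

# Constructed sample lines, modelled on the auth.log excerpt in the question.
SAMPLE_LOG = """\
Jan 22 21:11:25 PI2 sshd[22700]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.4.56.163 user=pi
Jan 22 21:11:27 PI2 sshd[22700]: Failed password for pi from 216.4.56.163 port 16290 ssh2
Jan 22 21:11:27 PI2 sshd[22700]: error: Received disconnect from 216.4.56.163: 3: com.jcraft.jsch.JSchException: Auth cancel [preauth]
Jan 22 21:17:01 PI2 CRON[22783]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 22 21:17:33 PI2 sshd[22809]: Failed password for root from 183.3.202.106 port 16766 ssh2
Jan 22 21:17:36 PI2 sshd[22809]: Failed password for root from 183.3.202.106 port 16766 ssh2
Jan 22 21:17:38 PI2 sshd[22809]: Failed password for root from 183.3.202.106 port 16766 ssh2
Jan 22 21:17:39 PI2 sshd[22809]: Received disconnect from 183.3.202.106: 11: [preauth]
"""

# Simplified stand-in for fail2ban's __prefix_line: syslog timestamp, hostname,
# then "sshd[pid]: ". fail2ban's real pattern is broader (assumption for this example).
PREFIX_LINE = r"\w{3} +\d{1,2} \d\d:\d\d:\d\d \S+ sshd\[\d+\]: "
# Simplified stand-in for fail2ban's <HOST> tag (assumption: any non-space token).
HOST = r"(?P<host>\S+)"

# failregex templates in the sshd.conf style shown in the question. The first is the
# untruncated form of the filter's first line; the other two are copied as shown.
FAILREGEX = [
    r"^%(__prefix_line)sFailed \S+ for .*? from <HOST>(?: port \d*)?(?: ssh\d*)?$",
    r"^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$",
    r"^%(__prefix_line)sReceived disconnect from <HOST>: 3: \S+: Auth fail$",
]


def compile_failregex(templates):
    """Expand the %(__prefix_line)s and <HOST> placeholders and compile each regex."""
    compiled = []
    for tpl in templates:
        pattern = (tpl % {"__prefix_line": PREFIX_LINE}).replace("<HOST>", HOST)
        compiled.append(re.compile(pattern))
    return compiled


def failures_per_host(log_text, regexes):
    """Count lines matched by any failregex, keyed by the captured host."""
    counts = Counter()
    for line in log_text.splitlines():
        for rx in regexes:
            m = rx.search(line)
            if m:
                counts[m.group("host")] += 1
                break  # one failure per line, as fail2ban counts it
    return counts


def hosts_to_ban(counts, maxretry=3):
    """Hosts whose failure count reaches maxretry (the findtime window is ignored here)."""
    return sorted(host for host, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    regexes = compile_failregex(FAILREGEX)
    counts = failures_per_host(SAMPLE_LOG, regexes)
    for host, n in counts.most_common():
        print(f"{host}: {n} failure(s)")
    print("would be banned:", hosts_to_ban(counts))
```

Against these lines the `Failed password` regex matches three times for 183.3.202.106 and once for 216.4.56.163, while the `Auth cancel` disconnect and the `pam_unix` lines match nothing; so the filter as shown does count the failures, and if `fail2ban-regex` reports the same on the real file, the cause lies elsewhere.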

1 answer

0

I figured it out.

The problem was that I had a custom jail configured for a different service, and it was not configured correctly, which was preventing fail2ban from starting properly.

So when I ran "service fail2ban status", I was getting this before fixing the other jail:

 ● fail2ban.service - LSB: Start/stop fail2ban
   Loaded: loaded (/etc/init.d/fail2ban)
   Active: active (exited) since Mon 2016-01-25 18:41:50 EST; 3s ago
  Process: 11673 ExecStop=/etc/init.d/fail2ban stop (code=exited, status=0/SUCCESS)
  Process: 11683 ExecStart=/etc/init.d/fail2ban start (code=exited, status=0/SUCCESS)

Jan 25 18:41:50 PI2 fail2ban[11683]: Starting authentication failure monitor: fail2banERROR  No file(s) found for glob /wrong/way/service.log #edit to your needs
Jan 25 18:41:50 PI2 fail2ban[11683]: ERROR  Failed during configuration: Have not found any log file for service jail
Jan 25 18:41:50 PI2 fail2ban[11683]: failed!
Jan 25 18:41:50 PI2 systemd[1]: Started LSB: Start/stop fail2ban.

After fixing it:

 ● fail2ban.service - LSB: Start/stop fail2ban
   Loaded: loaded (/etc/init.d/fail2ban)
   Active: active (running) since Mon 2016-01-25 18:43:03 EST; 3s ago
  Process: 11774 ExecStop=/etc/init.d/fail2ban stop (code=exited, status=0/SUCCESS)
  Process: 11784 ExecStart=/etc/init.d/fail2ban start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/fail2ban.service
           └─11795 /usr/bin/python /usr/bin/fail2ban-server -b -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid

Jan 25 18:43:03 PI2 fail2ban[11784]: Starting authentication failure monitor: fail2ban.
Jan 25 18:43:03 PI2 systemd[1]: Started LSB: Start/stop fail2ban.
    
by 26.01.2016 / 00:55
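The `No file(s) found for glob` / `Have not found any log file` lines in the first status output come from a check fail2ban runs for every enabled jail before it starts: a single jail whose `logpath` matches no file stops the whole service, so the otherwise correct ssh jail never bans anything. The script below is an added example, not from the answer or from fail2ban, that performs the same check on a constructed jail configuration. The `[service]` jail and its `/wrong/way/service.log` path are made up to mirror the answer's error, and the `enabled`/`logpath` handling is a simplification of how fail2ban reads its configuration.

```python
import configparser
import glob
import os
import tempfile

# Constructed jail configuration (not the poster's file) reproducing the situation
# in the answer: the ssh jail is fine, the custom "service" jail points at a log
# that does not exist. {logdir} is filled in at run time.
JAIL_TEMPLATE = """\
[DEFAULT]
bantime = 600
maxretry = 3

[ssh]
enabled = true
port = ssh
filter = sshd
logpath = {logdir}/auth.log

[service]
enabled = true
filter = service
logpath = {logdir}/wrong/way/service.log

[disabled-jail]
enabled = false
filter = other
logpath = {logdir}/does/not/matter.log
"""


def unresolved_logpaths(config_text):
    """Return (jail, pattern) pairs whose logpath glob matches no file.

    fail2ban refuses to start when any enabled jail has such a logpath, which
    is the "Have not found any log file" error quoted in the answer.
    """
    cp = configparser.ConfigParser(interpolation=None)  # keep %(...)s literal
    cp.read_string(config_text)
    problems = []
    for jail in cp.sections():
        if not cp.getboolean(jail, "enabled", fallback=False):
            continue  # disabled jails are never started, so never checked
        logpath = cp.get(jail, "logpath", fallback="")
        for pattern in logpath.split():  # logpath may list several globs
            if not glob.glob(pattern):
                problems.append((jail, pattern))
    return problems


def demo():
    """Create a scratch auth.log, check the constructed config, return the offenders."""
    with tempfile.TemporaryDirectory() as logdir:
        open(os.path.join(logdir, "auth.log"), "w").close()
        return unresolved_logpaths(JAIL_TEMPLATE.format(logdir=logdir))


if __name__ == "__main__":
    for jail, pattern in demo():
        print(f"jail '{jail}': no file matches logpath {pattern}")
```

Run against `/etc/fail2ban/jail.local` (with `jail.conf` read first, since local settings override it), this reports exactly the jails that would produce the `failed!` line above, without restarting the service.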