O que as entradas iptables do log de fail2ban “retornaram NNN”? (Fail2ban não está banindo)

Question

O que as entradas iptables do log de fail2ban “retornaram NNN”? (Fail2ban não está banindo)

#1 resposta do luri (3 votos)
#2 resposta do pepoluan (1 votos)

4

No meu fail2ban.log há algumas entradas cujo significado eu não entendo (e não encontrei procurando por aí) ... Eu tenho vários "jails", e eu criei um em particular que proíbe IP's quando eles tentam se conectar ao servidor web procurando por scripts, eu acho .... Estas são algumas entradas de um determinado IP (desculpe sobre o log longo) :

user@computer:/var/log$ cat apache2/access.log.1 |grep 58.218.199.147
58.218.199.147 - - [27/Mar/2011:09:03:37 +0200] "GET http://www.mtajp.com/proxyheader.php HTTP/1.1" 404 438 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [27/Mar/2011:11:32:16 +0200] "GET http://ppcfinder.net/judge.php HTTP/1.1" 404 432 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [27/Mar/2011:11:34:57 +0200] "GET http://98.126.15.13/proxyheader.php HTTP/1.1" 404 438 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [27/Mar/2011:14:04:08 +0200] "GET http://58.218.199.147:7182/judge.php HTTP/1.1" 404 432 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [27/Mar/2011:19:02:37 +0200] "GET http://www.shopsline.com/proxyheader.php HTTP/1.1" 404 438 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [27/Mar/2011:21:33:17 +0200] "GET http://98.126.64.106/judge123.php HTTP/1.1" 404 435 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [28/Mar/2011:14:59:49 +0200] "GET http://www.racross.com/proxyheader.php HTTP/1.1" 404 438 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [28/Mar/2011:17:28:32 +0200] "GET http://98.126.64.106/judge123.php HTTP/1.1" 404 435 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [29/Mar/2011:00:58:17 +0200] "GET http://www.racross.com/proxyheader.php HTTP/1.1" 404 438 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [29/Mar/2011:05:00:53 +0200] "GET http://www.mtajp.com/proxyheader.php HTTP/1.1" 404 438 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [29/Mar/2011:09:57:48 +0200] "GET http://www.shopsline.com/proxyheader.php HTTP/1.1" 404 438 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [29/Mar/2011:12:40:06 +0200] "GET http://www.mtajp.com/proxyheader.php HTTP/1.1" 404 438 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [29/Mar/2011:15:01:01 +0200] "GET http://www.infodownload.info/proxyheader.php HTTP/1.1" 404 438 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.204.110 - - [29/Mar/2011:15:28:42 +0200] "GET http://58.218.199.147:7182/judge.php HTTP/1.1" 404 432 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [29/Mar/2011:20:01:14 +0200] "GET http://www.cjpjp.com/proxyheader.php HTTP/1.1" 404 438 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [29/Mar/2011:22:31:50 +0200] "GET http://www.travelimgusa.com/ip.php HTTP/1.1" 404 429 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [30/Mar/2011:01:00:05 +0200] "GET http://98.126.15.13/proxyheader.php HTTP/1.1" 404 438 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [30/Mar/2011:03:31:05 +0200] "GET http://www.infodownload.info/proxyheader.php HTTP/1.1" 404 438 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [30/Mar/2011:11:02:43 +0200] "GET http://piceducation.com/proxyheader.php HTTP/1.1" 404 438 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [30/Mar/2011:13:33:24 +0200] "GET http://ppcfinder.net/judge.php HTTP/1.1" 404 432 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [30/Mar/2011:16:01:04 +0200] "GET http://www.shopsline.com/proxyheader.php HTTP/1.1" 404 438 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [30/Mar/2011:21:04:31 +0200] "GET http://www.racross.com/proxyheader.php HTTP/1.1" 404 438 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [31/Mar/2011:04:35:55 +0200] "GET http://www.racross.com/proxyheader.php HTTP/1.1" 404 438 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [31/Mar/2011:12:03:43 +0200] "GET http://www.mtajp.com/proxyheader.php HTTP/1.1" 404 438 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [31/Mar/2011:14:34:40 +0200] "GET http://www.eduju.com/proxyheader.php HTTP/1.1" 404 438 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [31/Mar/2011:19:36:04 +0200] "GET http://58.218.204.110:7182/judge.php HTTP/1.1" 404 432 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [31/Mar/2011:22:05:48 +0200] "GET http://ppcfinder.net/judge.php HTTP/1.1" 404 432 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [01/Apr/2011:03:11:14 +0200] "GET http://58.218.199.147:7182/judge.php HTTP/1.1" 404 432 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [01/Apr/2011:09:52:09 +0200] "GET http://www.travelimgusa.com/ip.php HTTP/1.1" 404 429 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [01/Apr/2011:12:15:59 +0200] "GET http://www.racross.com/proxyheader.php HTTP/1.1" 404 438 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [01/Apr/2011:14:39:47 +0200] "GET http://piceducation.com/proxyheader.php HTTP/1.1" 404 438 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [01/Apr/2011:17:06:09 +0200] "GET http://www.shopsline.com/proxyheader.php HTTP/1.1" 404 438 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [01/Apr/2011:20:45:50 +0200] "GET http://www.cjpjp.com/proxyheader.php HTTP/1.1" 404 438 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [01/Apr/2011:23:11:21 +0200] "GET http://www.seektwo.com/proxy-1.php HTTP/1.1" 404 434 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [02/Apr/2011:01:37:16 +0200] "GET http://www.infodownload.info/proxyheader.php HTTP/1.1" 404 438 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [02/Apr/2011:10:25:15 +0200] "GET http://98.126.64.106/judge123.php HTTP/1.1" 404 435 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [02/Apr/2011:12:51:45 +0200] "GET http://58.218.204.110:7182/judge.php HTTP/1.1" 404 432 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [02/Apr/2011:15:18:07 +0200] "GET http://www.racross.com/proxyheader.php HTTP/1.1" 404 438 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [02/Apr/2011:17:43:43 +0200] "GET http://www.travelimgusa.com/ip.php HTTP/1.1" 404 429 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [02/Apr/2011:22:35:49 +0200] "GET http://www.infodownload.info/proxyheader.php HTTP/1.1" 404 438 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

Para evitar isso, configurei uma cadeia personalizada em /etc/fail2ban/jail.local :

[apache-404-slowattackers]
enabled = true
port = http,https
filter = apache-404-slowattackers
logpath = /var/log/apache*/*access.log
bantime = 344000
findtime = 172800
maxretry = 12

E isso é / etc/fail2ban/filter.d/apache-404-slowattackers.conf

[Definition]
failregex = (?P<host>[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}) .+ 404 [0-9]+ "
ignoreregex =

(o mesmo que o filtro /etc/fail2ban/filter.d/apache-404.conf padrão)

O Fail2ban bane alguns IPs quando eles trabalham contra alguns filtros, mas não contra o meu personalizado. Algumas linhas de /var/log/fail2ban.log :

2011-03-31 20:46:29,982 fail2ban.jail   : INFO   Jail 'apache-404' started
[...]
2011-03-31 20:46:30,922 fail2ban.jail   : INFO   Jail 'courierauth' started
2011-03-31 20:46:31,026 fail2ban.jail   : INFO   Jail 'apache-404-slowattackers' started
2011-03-31 20:46:31,038 fail2ban.actions.action: ERROR  iptables -N fail2ban-apache-404-slowattackers
iptables -A fail2ban-apache-404-slowattackers -j RETURN
iptables -I INPUT -p tcp -m multiport --dports http,https -j fail2ban-apache-404-slowattackers returned 200
2011-04-01 21:39:16,558 fail2ban.actions: WARNING [apache-404] Ban 211.75.185.152
2011-04-01 22:09:17,245 fail2ban.actions: WARNING [apache-404] Unban 211.75.185.152
2011-04-02 15:18:08,544 fail2ban.actions: WARNING [apache-404-slowattackers] Ban 58.218.199.147
2011-04-02 15:18:08,684 fail2ban.actions.action: ERROR  iptables -n -L INPUT | grep -q fail2ban-apache-404-slowattackers returned 100
2011-04-02 15:18:08,685 fail2ban.actions.action: ERROR  Invariant check failed. Trying to restore a sane environment
2011-04-02 15:18:08,698 fail2ban.actions.action: ERROR  iptables -D INPUT -p tcp -m multiport --dports http,https -j fail2ban-apache-404-slowattackers
iptables -F fail2ban-apache-404-slowattackers
iptables -X fail2ban-apache-404-slowattackers returned 200
2011-04-02 15:18:08,712 fail2ban.actions.action: ERROR  iptables -N fail2ban-apache-404-slowattackers
iptables -A fail2ban-apache-404-slowattackers -j RETURN
iptables -I INPUT -p tcp -m multiport --dports http,https -j fail2ban-apache-404-slowattackers returned 200
2011-04-02 15:18:08,721 fail2ban.actions.action: ERROR  iptables -n -L INPUT | grep -q fail2ban-apache-404-slowattackers returned 100
2011-04-02 15:18:08,722 fail2ban.actions.action: CRITICAL Unable to restore environment
2011-04-02 23:20:50,480 fail2ban.actions: WARNING [courierauth] Ban 84.225.81.193
2011-04-02 23:50:50,777 fail2ban.actions: WARNING [courierauth] Unban 84.225.81.193
2011-04-03 03:23:58,876 fail2ban.actions: WARNING [courierauth] Ban 74.143.34.38
2011-04-03 03:53:59,155 fail2ban.actions: WARNING [courierauth] Unban 74.143.34.38

Como você pode ver, algo falha ao tentar banir um ataque contra meu filtro personalizado (para que esses ataques sejam detectados, mas não banidos corretamente, não sei por que)

Então minhas perguntas seriam:

Esses erros representam um problema fail2ban ou iptables um?
O que esses erros significam? ... e ... como eles podem ser evitados?
O que estou fazendo de errado ou como posso corrigir esse comportamento?

EDITAR:

Talvez isso seja útil para responder à pergunta (ou não), mas iptables -L não mostra nenhum traço de meu apache-404-slowattackers , enquanto outros jail estão presentes:

user@computer:~$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
fail2ban-courierauth  tcp  --  anywhere             anywhere            multiport dports smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s 
fail2ban-apache  tcp  --  anywhere             anywhere            multiport dports www,https 
fail2ban-sasl  tcp  --  anywhere             anywhere            multiport dports smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s 
fail2ban-postfix  tcp  --  anywhere             anywhere            multiport dports smtp,ssmtp 
fail2ban-ssh  tcp  --  anywhere             anywhere            multiport dports ssh 
fail2ban-couriersmtp  tcp  --  anywhere             anywhere            multiport dports smtp,ssmtp 
fail2ban-apache-overflows  tcp  --  anywhere             anywhere            multiport dports www,https 
fail2ban-apache-multiport  tcp  --  anywhere             anywhere            multiport dports www,https 
fail2ban-ssh-ddos  tcp  --  anywhere             anywhere            multiport dports ssh 
fail2ban-apache-404  tcp  --  anywhere             anywhere            multiport dports www,https 
fail2ban-pam-generic  tcp  --  anywhere             anywhere            
fail2ban-apache-noscript  tcp  --  anywhere             anywhere            multiport dports www,https 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain fail2ban-apache (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain fail2ban-apache-404 (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain fail2ban-apache-multiport (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain fail2ban-apache-noscript (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain fail2ban-apache-overflows (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain fail2ban-courierauth (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain fail2ban-couriersmtp (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain fail2ban-pam-generic (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain fail2ban-postfix (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain fail2ban-sasl (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain fail2ban-ssh (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain fail2ban-ssh-ddos (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere

Isso dá alguma pista adicional?

iptables fail2ban

por luri 22.02.2011 / 20:09

2 respostas

1

Eu nunca uso o fail2ban, mas talvez essa página ajude você:

link

por pepoluan 23.03.2011 / 14:54

Tags iptables fail2ban

Conecte-se ao NFS na disponibilidade Como executo um script toda vez que um DVD é inserido?

score 3 · Accepted Answer

Acho que descobri por que ele está falhando, mas, como uma recompensa foi definida, esperarei que ele termine antes de escrever a resposta, oferecendo a outros usuários para tentar responder a pergunta ... (@ Moderadores: Está tudo bem? O que devo fazer de outra maneira?)

Editar:

Como ninguém respondeu, vou anotar o que descobri. Duas coisas estavam erradas sobre minha configuração (na verdade, uma sobre minha configuração e uma sobre o próprio fail2ban):

1.- Se eu tentar

sudo iptables -N fail2ban-apache-404-slowattackers

que é o comando fail2ban, recebo a seguinte mensagem:

iptables v1.4.4: chain name 'fail2ban-apache-404-slowattackers' too long (must be under 30 chars)

Se isso tivesse sido registrado em fail2ban.log , eu teria sabido o que estava dando errado (mas não estava logado). Por isso, alterar o nome do meu filtro personalizado para algo mais curto (por exemplo, apache-404-slowatt ) resolveu o problema, pois o nome da cadeia de iptables ficou abaixo de 30 caracteres.

2.- Há um script fail2ban (aparentemente) defeituoso que aparentemente "roda muito rápido", então eu encontrei uma solução alternativa .

Citando: Eu tive vários fail2ban.action.action erro na inicialização / reinicialização. Parece que houve uma condição de "corrida" com o iptables. Eu resolvi o problema completamente no meu sistema editando /usr/bin/fail2ban-client e adicionando um time.sleep(0.1) :

def __processCmd(self, cmd, showRet = True):
    beautifier = Beautifier()
    for c in cmd:
        time.sleep(0.1)
        beautifier.setInputCmd(c)