fail2ban não está funcionando na nova instalação do Ubuntu 14.04, por quê?

6

Após instalar e configurar o fail2ban, tentei fazer login no meu servidor através do ssh com uma senha incorreta. Depois de algumas tentativas, tentei com a senha correta com sucesso. Então, o fail2ban não baniu o ip do usuário permitindo que ele logasse. Independentemente das regras que eu defini, maxretry = 1, etc.

Minha saída iptables -L:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
fail2ban-SSH  tcp  --  anywhere             anywhere             tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain fail2ban-SSH (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere    

Aqui está o log de depuração, a versão não completa segue:

root@host:~# fail2ban-client -v -v -v start
DEBUG  Reading configs for /etc/fail2ban/fail2ban under /etc/fail2ban 
DEBUG  Reading config files: /etc/fail2ban/fail2ban.conf
DEBUG  Reading files: ['/etc/fail2ban/fail2ban.conf']
INFO   Using socket file /var/run/fail2ban/fail2ban.sock
DEBUG  Reading configs for /etc/fail2ban/fail2ban under /etc/fail2ban 
DEBUG  Reading config files: /etc/fail2ban/fail2ban.conf
DEBUG  Reading files: ['/etc/fail2ban/fail2ban.conf']
DEBUG  Reading configs for /etc/fail2ban/jail under /etc/fail2ban 
DEBUG  Reading config files: /etc/fail2ban/jail.conf, /etc/fail2ban/jail.local
DEBUG  Reading files: ['/etc/fail2ban/jail.conf', '/etc/fail2ban/jail.local']
DEBUG  Reading configs for /etc/fail2ban/jail under /etc/fail2ban 
DEBUG  Reading config files: /etc/fail2ban/jail.conf, /etc/fail2ban/jail.local
DEBUG  Reading files: ['/etc/fail2ban/jail.conf', '/etc/fail2ban/jail.local']
DEBUG  Reading configs for /etc/fail2ban/filter.d/sshd under /etc/fail2ban 
DEBUG  Reading config files: /etc/fail2ban/filter.d/sshd.conf
DEBUG  Reading files: ['/etc/fail2ban/filter.d/common.conf', '/etc/fail2ban/filter.d/common.local', '/etc/fail2ban/filter.d/sshd.conf']
DEBUG  Reading configs for /etc/fail2ban/action.d/iptables under /etc/fail2ban 
DEBUG  Reading config files: /etc/fail2ban/action.d/iptables.conf
DEBUG  Reading files: ['/etc/fail2ban/action.d/iptables-blocktype.conf', '/etc/fail2ban/action.d/iptables-blocktype.local', '/etc/fail2ban/action.d/iptables.conf']
DEBUG  Reading configs for /etc/fail2ban/jail under /etc/fail2ban 
DEBUG  Reading config files: /etc/fail2ban/jail.conf, /etc/fail2ban/jail.local
DEBUG  Reading files: ['/etc/fail2ban/jail.conf', '/etc/fail2ban/jail.local']
DEBUG  Reading configs for /etc/fail2ban/jail under /etc/fail2ban 
DEBUG  Reading config files: /etc/fail2ban/jail.conf, /etc/fail2ban/jail.local
DEBUG  Reading files: ['/etc/fail2ban/jail.conf', '/etc/fail2ban/jail.local']
DEBUG  Reading configs for /etc/fail2ban/jail under /etc/fail2ban 
DEBUG  Reading config files: /etc/fail2ban/jail.conf, /etc/fail2ban/jail.local
DEBUG  Reading files: ['/etc/fail2ban/jail.conf', '/etc/fail2ban/jail.local']
DEBUG  Reading configs for /etc/fail2ban/jail under /etc/fail2ban 
DEBUG  Reading config files: /etc/fail2ban/jail.conf, /etc/fail2ban/jail.local
DEBUG  Reading files: ['/etc/fail2ban/jail.conf', '/etc/fail2ban/jail.local']
DEBUG  Reading configs for /etc/fail2ban/jail under /etc/fail2ban 
DEBUG  Reading config files: /etc/fail2ban/jail.conf, /etc/fail2ban/jail.local

[...] SKIPPED SOME READING CONFIG FILES here

DEBUG  Reading files: ['/etc/fail2ban/jail.conf', '/etc/fail2ban/jail.local']
DEBUG  Reading configs for /etc/fail2ban/jail under /etc/fail2ban 
DEBUG  Reading config files: /etc/fail2ban/jail.conf, /etc/fail2ban/jail.local
DEBUG  Reading files: ['/etc/fail2ban/jail.conf', '/etc/fail2ban/jail.local']
INFO   [#         ] Waiting on the server...DEBUG  Starting '/usr/bin/fail2ban-server' with args ['fail2ban-server', '-b', '-s', '/var/run/fail2ban/fail2ban.sock', '-p', '/var/run/fail2ban/fail2ban.pid']
2014-05-22 15:29:14,376 fail2ban.server : INFO   Starting Fail2ban v0.8.11
2014-05-22 15:29:14,376 fail2ban.server : INFO   Starting in daemon mode
DEBUG  OK : 'pong'

DEBUG  OK : 3
DEBUG  OK : '/var/log/fail2ban.log'
DEBUG  OK : 'ssh'
DEBUG  OK : 'warn'
DEBUG  OK : ['/var/log/auth.log']
DEBUG  OK : 1
DEBUG  OK : ['127.0.0.1/8']
DEBUG  OK : 600
DEBUG  OK : 600
DEBUG  OK : ['^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*(?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from (?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)( via \S+)?\s*$']
DEBUG  OK : ['^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*(?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from (?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)( via \S+)?\s*$', '^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*(?:error: PAM: )?User not known to the underlying authentication module for .* from (?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)\s*$']

[...] SKIPPED SOME REGEX HERE

DEBUG  OK : 'iptables'
DEBUG  OK : 'iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype>'
DEBUG  OK : 'iptables -D <chain> -p <protocol> --dport <port> -j fail2ban-<name>\niptables -F fail2ban-<name>\niptables -X fail2ban-<name>'
DEBUG  OK : 'iptables -N fail2ban-<name>\niptables -A fail2ban-<name> -j RETURN\niptables -I <chain> -p <protocol> --dport <port> -j fail2ban-<name>'
DEBUG  OK : 'iptables -D fail2ban-<name> -s <ip> -j <blocktype>'
DEBUG  OK : "iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'"
DEBUG  OK : 'REJECT --reject-with icmp-port-unreachable'
DEBUG  OK : 'tcp'
DEBUG  OK : 'SSH'
DEBUG  OK : 'INPUT'
DEBUG  OK : 'ssh'
DEBUG  OK : None

Meu fail2ban.log, jail.local:

tail /var/log/fail2ban.log
2014-05-22 15:30:27,729 fail2ban.server : INFO   Exiting Fail2ban
2014-05-22 15:30:32,668 fail2ban.server : INFO   Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.11
2014-05-22 15:30:32,668 fail2ban.jail   : INFO   Creating new jail 'ssh'
2014-05-22 15:30:32,668 fail2ban.jail   : INFO   Jail 'ssh' uses poller
2014-05-22 15:30:32,679 fail2ban.jail   : INFO   Initiated 'polling' backend
2014-05-22 15:30:32,680 fail2ban.filter : INFO   Added logfile = /var/log/auth.log
2014-05-22 15:30:32,681 fail2ban.filter : INFO   Set maxRetry = 1
2014-05-22 15:30:32,681 fail2ban.filter : INFO   Set findtime = 600
2014-05-22 15:30:32,682 fail2ban.actions: INFO   Set banTime = 600
2014-05-22 15:30:32,716 fail2ban.jail   : INFO   Jail 'ssh' started

cauda /etc/fail2ban/jail.local

[ssh]
enabled = true
logpath = /var/log/auth.log
filter = sshd
maxretry = 1
action = iptables[name=SSH, port=ssh, protocol=tcp]
port = ssh


tail /var/log/auth.log

tail /var/log/auth.log está vazio!

root @ host: ~ # fail2ban-client -d

['set', 'loglevel', 3]
['set', 'logtarget', '/var/log/fail2ban.log']
['add', 'ssh', 'polling']
['set', 'ssh', 'usedns', 'warn']
['set', 'ssh', 'addlogpath', '/var/log/auth.log']
['set', 'ssh', 'maxretry', 1]
['set', 'ssh', 'addignoreip', '127.0.0.1/8']
['set', 'ssh', 'findtime', 600]
['set', 'ssh', 'bantime', 600]
['set', 'ssh', 'addfailregex', '^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*(?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from <HOST>( via \S+)?\s*$']
['set', 'ssh', 'addfailregex', '^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$']
['set', 'ssh', 'addfailregex', '^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*Failed \S+ for .*? from <HOST>(?: port \d*)?(?: ssh\d*)?(: (ruser .*|(\S+ ID \S+ \(serial \d+\) CA )?\S+ (?:[\da-f]{2}:){15}[\da-f]{2}(, client user ".*", client host ".*")?))?\s*$']
['set', 'ssh', 'addfailregex', '^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*ROOT LOGIN REFUSED.* FROM <HOST>\s*$']
['set', 'ssh', 'addfailregex', '^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*[iI](?:llegal|nvalid) user .* from <HOST>\s*$']
['set', 'ssh', 'addfailregex', '^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*User .+ from <HOST> not allowed because not listed in AllowUsers\s*$']
['set', 'ssh', 'addfailregex', '^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*User .+ from <HOST> not allowed because listed in DenyUsers\s*$']
['set', 'ssh', 'addfailregex', '^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*User .+ from <HOST> not allowed because not in any group\s*$']
['set', 'ssh', 'addfailregex', '^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*refused connect from \S+ \(<HOST>\)\s*$']
['set', 'ssh', 'addfailregex', '^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*User .+ from <HOST> not allowed because a group is listed in DenyGroups\s*$']
['set', 'ssh', 'addfailregex', "^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*User .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$"]
['set', 'ssh', 'addaction', 'iptables']
['set', 'ssh', 'actionban', 'iptables', 'iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype>']
['set', 'ssh', 'actionstop', 'iptables', 'iptables -D <chain> -p <protocol> --dport <port> -j fail2ban-<name>\niptables -F fail2ban-<name>\niptables -X fail2ban-<name>']
['set', 'ssh', 'actionstart', 'iptables', 'iptables -N fail2ban-<name>\niptables -A fail2ban-<name> -j RETURN\niptables -I <chain> -p <protocol> --dport <port> -j fail2ban-<name>']
['set', 'ssh', 'actionunban', 'iptables', 'iptables -D fail2ban-<name> -s <ip> -j <blocktype>']
['set', 'ssh', 'actioncheck', 'iptables', "iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'"]
['set', 'ssh', 'setcinfo', 'iptables', 'blocktype', 'REJECT --reject-with icmp-port-unreachable']
['set', 'ssh', 'setcinfo', 'iptables', 'protocol', 'tcp']
['set', 'ssh', 'setcinfo', 'iptables', 'name', 'SSH']
['set', 'ssh', 'setcinfo', 'iptables', 'chain', 'INPUT']
['set', 'ssh', 'setcinfo', 'iptables', 'port', 'ssh']
['start', 'ssh']

Outras informações:

dpkg -l |grep fail  
ii  fail2ban                         0.8.11-1                      all          ban hosts that cause multiple authentication errors


/etc/init.d/fail2ban status      
 * Status of authentication failure monitor                                                                             *  fail2ban is running

fail2ban-client status   
Status
|- Number of jail:  1
'- Jail list:       ssh

Alguma dica? Obrigado por procurar!

    
por punkbit 22.05.2014 / 16:40

4 respostas

12

not sure if related but I deleted and recreated /var/log/auth.log, because I needed to empty it, to debug the situation

Esse pode ser o problema. É provável que o daemon syslog ainda esteja escrevendo para o fd original. Você deve tentar reiniciar o daemon syslog para ver se ele inicia o log no arquivo correto.

service rsyslog restart

Depois de ter mensagens indo para o auth.log, ele deve começar a funcionar.

    
por 22.05.2014 / 17:36
6

Às vezes, isso ocorre porque o __bsd_syslog_verbose está errado. O fail2ban espera que o /var/log/auth.log comece com YYYY.MM.DD (ex .: 2014.10.15), mas os registros leem MMM DD (ex .: 15 de outubro)

Para corrigir isso, você precisará fazer o seguinte:

cp /etc/fail2ban/filter.d/common.conf /etc/fail2ban/filter.d/common.local

Edite common.local e defina:

__bsd_syslog_verbose = (<[^.]+ [^.]+>)

Reinicie o fail2ban:

Ubuntu (não use reiniciar):

sudo service fail2ban stop
sudo service fail2ban start
    
por 15.10.2014 / 14:07
3

Emite em pyinotify:

link

in /etc/fail2ban/jail.conf or /etc/fail2ban/jail.local

Alterei "backend = auto" para "backend = polling" e tudo funciona conforme esperado;)

service fail2ban stop
service fail2ban start
    
por 24.06.2015 / 02:19
0

O /var/log/auth.log ficou vazio por muito tempo, então após executar o comando: service rsyslog restart

Agora, após a tentativa errada de login do ssh, o ip é banido!

    
por 22.05.2014 / 17:36