fail2ban is not working

2

I have several services running on my Ubuntu 12.04 server and I set up fail2ban, but it does not block the attacking IPs. SSH is running on port 22.

jail.conf

[DEFAULT]

bantime  = 600
maxretry = 3
banaction = iptables-multiport
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
              %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
               %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
action = %(action_)s


[ssh]

enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 6

regex check

fail2ban-regex /var/log/auth.log.1 /etc/fail2ban/filter.d/sshd.conf

Failregex
|- Regular expressions:
|  [1] ^\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$
|  [2] ^\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
|  [3] ^\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*Failed (?:password|publickey) for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$
|  [4] ^\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*ROOT LOGIN REFUSED.* FROM <HOST>\s*$
|  [5] ^\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*[iI](?:llegal|nvalid) user .* from <HOST>\s*$
|  [6] ^\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*User .+ from <HOST> not allowed because not listed in AllowUsers$
|  [7] ^\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*authentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
|  [8] ^\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*refused connect from \S+ \(<HOST>\)\s*$
|  [9] ^\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*Address <HOST> .* POSSIBLE BREAK-IN ATTEMPT!*\s*$
|  [10] ^\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*User .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$
|
'- Number of matches:
   [1] 0 match(es)
   [2] 0 match(es)
   [3] 2810 match(es)
   [4] 0 match(es)
   [5] 2378 match(es)
   [6] 0 match(es)
   [7] 0 match(es)
   [8] 0 match(es)
   [9] 0 match(es)
   [10] 0 match(es)

[...]

Date template hits:
380718 hit(s): MONTH Day Hour:Minute:Second
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
0 hit(s): Year/Month/Day Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/MONTH/Year:Hour:Minute:Second
0 hit(s): Month/Day/Year:Hour:Minute:Second
0 hit(s): Year-Month-Day Hour:Minute:Second
0 hit(s): Year.Month.Day Hour:Minute:Second
0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
0 hit(s): Day-Month-Year Hour:Minute:Second
0 hit(s): TAI64N
0 hit(s): Epoch
0 hit(s): ISO 8601
0 hit(s): Hour:Minute:Second
0 hit(s): <Month/Day/Year@Hour:Minute:Second>

Success, the total number of match is 5188

auth.log

Jul 26 14:17:49 servername sshd[12930]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=91.117.124.14  user=root
Jul 26 14:17:51 servername sshd[12930]: Failed password for root from 91.117.124.14 port 37340 ssh2
Jul 26 14:17:51 servername sshd[12930]: Received disconnect from 91.117.124.14: 11: Normal Shutdown, Thank you for playing [preauth]
Jul 26 14:17:51 servername sshd[12932]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=91.117.124.14  user=root
Jul 26 14:17:53 servername sshd[12932]: Failed password for root from 91.117.124.14 port 38980 ssh2
Jul 26 14:17:54 servername sshd[12932]: Received disconnect from 91.117.124.14: 11: Normal Shutdown, Thank you for playing [preauth]
Jul 26 14:17:54 servername sshd[12934]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=91.117.124.14  user=root
Jul 26 14:17:56 servername sshd[12934]: Failed password for root from 91.117.124.14 port 40576 ssh2
Jul 26 14:17:56 servername sshd[12934]: Received disconnect from 91.117.124.14: 11: Normal Shutdown, Thank you for playing [preauth]
Jul 26 14:17:57 servername sshd[12936]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=91.117.124.14  user=root
Jul 26 14:17:58 servername sshd[12936]: Failed password for root from 91.117.124.14 port 42148 ssh2
Jul 26 14:17:58 servername sshd[12936]: Received disconnect from 91.117.124.14: 11: Normal Shutdown, Thank you for playing [preauth]
Jul 26 14:17:59 servername sshd[12938]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=91.117.124.14  user=root
Jul 26 14:18:01 servername CRON[12940]: pam_unix(cron:session): session opened for user root by (uid=0)
Jul 26 14:18:01 servername sshd[12938]: Failed password for root from 91.117.124.14 port 43589 ssh2
Jul 26 14:18:01 servername sshd[12938]: Received disconnect from 91.117.124.14: 11: Normal Shutdown, Thank you for playing [preauth]
Jul 26 14:18:01 servername CRON[12940]: pam_unix(cron:session): session closed for user root
Jul 26 14:18:01 servername sshd[12982]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=91.117.124.14  user=root
Jul 26 14:18:03 servername sshd[12982]: Failed password for root from 91.117.124.14 port 44989 ssh2
Jul 26 14:18:03 servername sshd[12982]: Received disconnect from 91.117.124.14: 11: Normal Shutdown, Thank you for playing [preauth]
Jul 26 14:18:04 servername sshd[12985]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=91.117.124.14  user=root
Jul 26 14:18:06 servername sshd[12985]: Failed password for root from 91.117.124.14 port 46546 ssh2
Jul 26 14:18:06 servername sshd[12985]: Received disconnect from 91.117.124.14: 11: Normal Shutdown, Thank you for playing [preauth]
Jul 26 14:18:06 servername sshd[12987]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=91.117.124.14  user=root
Jul 26 14:18:09 servername sshd[12987]: Failed password for root from 91.117.124.14 port 48192 ssh2
Jul 26 14:18:09 servername sshd[12987]: Received disconnect from 91.117.124.14: 11: Normal Shutdown, Thank you for playing [preauth]
Jul 26 14:18:09 servername sshd[12989]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=91.117.124.14  user=root
Jul 26 14:18:11 servername sshd[12989]: Failed password for root from 91.117.124.14 port 49739 ssh2
Jul 26 14:18:11 servername sshd[12989]: Received disconnect from 91.117.124.14: 11: Normal Shutdown, Thank you for playing [preauth]
Jul 26 14:18:11 servername sshd[12991]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=91.117.124.14  user=root
Jul 26 14:18:13 servername sshd[12991]: Failed password for root from 91.117.124.14 port 51193 ssh2

The login attempts go on for 20 minutes or more and fail2ban does nothing.

by gNQyyNbhhTWo7L2j 28.07.2014 / 12:07

1 answer

1

Increase debugging to help find out why fail2ban is not blocking anything when your regexes work against the configured log file.

fail2ban-client set loglevel DEBUG

In my case, I had a problem similar to yours. The config checked out fine, the jail was running, the log file was correct, and the regexes were all getting high counts when checked with fail2ban-regex. After turning up debugging, the vital clue appeared:

2016-02-17 11:27:57,450 fail2ban.datedetector   [30443]: DEBUG   Got time 1455722877.000000 for "u'Feb 17 10:27:57'" using template (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
2016-02-17 11:27:57,450 fail2ban.filter         [30443]: DEBUG   Processing line with time:1455722877.0 and ip:8.8.8.8
2016-02-17 11:27:57,450 fail2ban.filter         [30443]: DEBUG   Ignore line since time 1455722877.0 < 1455726477.45 - 600

Note that the time difference is outside findtime (600) and is in fact 3600 seconds, or one hour. Earlier the system time zone had been changed and the system was not rebooted. The times in syslog were all off by one hour from the system time. Restarting rsyslogd caused new log entries to be written with the correct time, and fail2ban no longer ignored those log entries.

by 17.02.2016 / 18:06
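As an added example (not code from the question or the answer, and not fail2ban's own implementation), here is a small Python replay of what fail2ban does with the auth.log lines in the question and of the "Ignore line since time ... < now - findtime" check that the answer's DEBUG output reveals. It uses a simplified form of sshd failregex [3] from the fail2ban-regex output, constructed sample lines modelled on the question's auth.log excerpt (the IP 198.51.100.7 is a placeholder from a documentation range), and an explicit `now` so the effect of a one-hour clock skew can be shown: with the clock correct, seven failures inside findtime exceed maxretry=6 and the host is flagged for banning; with the log one hour behind the system clock, every line is ignored, which is exactly the symptom in the question.

```python
import re
from datetime import datetime

# Constructed sample lines modelled on the auth.log excerpt in the question
# (same syslog format; the IP is a placeholder, not real data).
SAMPLE_AUTH_LOG = """\
Jul 26 14:17:51 servername sshd[12930]: Failed password for root from 198.51.100.7 port 37340 ssh2
Jul 26 14:17:53 servername sshd[12932]: Failed password for root from 198.51.100.7 port 38980 ssh2
Jul 26 14:17:56 servername sshd[12934]: Failed password for root from 198.51.100.7 port 40576 ssh2
Jul 26 14:17:58 servername sshd[12936]: Failed password for root from 198.51.100.7 port 42148 ssh2
Jul 26 14:18:01 servername CRON[12940]: pam_unix(cron:session): session opened for user root by (uid=0)
Jul 26 14:18:01 servername sshd[12938]: Failed password for root from 198.51.100.7 port 43589 ssh2
Jul 26 14:18:03 servername sshd[12982]: Failed password for root from 198.51.100.7 port 44989 ssh2
Jul 26 14:18:06 servername sshd[12985]: Failed password for root from 198.51.100.7 port 46546 ssh2
"""

# Simplified version of sshd failregex [3] from the fail2ban-regex output:
# the syslog prefix is matched loosely and <HOST> becomes a named group.
FAILREGEX = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed (?:password|publickey) for .* from (?P<host>\S+)(?: port \d*)?(?: ssh\d*)?$"
)


def parse_syslog_time(ts, year):
    """Syslog timestamps carry no year ("MONTH Day Hour:Minute:Second", the
    date template that got all the hits in the question); supply one explicitly.
    Returns a local-time epoch value, like fail2ban's "Got time ..." line."""
    return datetime.strptime(f"{ts} {year}", "%b %d %H:%M:%S %Y").timestamp()


def scan(log_text, now, findtime=600, maxretry=6, year=2014):
    """Replay the jail's filter logic (hypothetical simplification of fail2ban):
    a matching line whose timestamp is older than now - findtime is ignored,
    exactly the "Ignore line since time t < now - findtime" DEBUG message in
    the answer; otherwise it counts towards maxretry for that host.
    Returns (sorted list of hosts that would be banned, number of ignored lines)."""
    failures = {}
    ignored = 0
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if not m:
            continue  # CRON and other non-sshd lines never match
        t = parse_syslog_time(m.group("ts"), year)
        if t < now - findtime:
            ignored += 1  # too old for the findtime window: dropped silently
            continue
        failures.setdefault(m.group("host"), []).append(t)
    banned = sorted(h for h, ts in failures.items() if len(ts) >= maxretry)
    return banned, ignored


def clock_skew(log_line, now, year=2014):
    """Seconds between the system clock and a log line's timestamp. A value of
    about 3600 on the newest line is the one-hour offset the answer describes."""
    m = FAILREGEX.match(log_line)
    return now - parse_syslog_time(m.group("ts"), year)


def demo():
    """Run the same log once with a correct clock and once with a one-hour skew."""
    last = parse_syslog_time("Jul 26 14:18:06", 2014)
    correct_clock = last + 1          # system time just after the last line
    skewed_clock = last + 1 + 3600    # log written one hour behind system time
    return scan(SAMPLE_AUTH_LOG, correct_clock), scan(SAMPLE_AUTH_LOG, skewed_clock)


if __name__ == "__main__":
    correct, skewed = demo()
    print("correct clock:", correct)   # (['198.51.100.7'], 0): banned after 7 failures
    print("skewed clock: ", skewed)    # ([], 7): every failure ignored, nothing banned
```

The `clock_skew` helper is the check a practitioner would run first when fail2ban-regex reports thousands of matches but no bans ever happen: compare the newest line of the jail's logpath with `date +%s`; anything larger than findtime means the filter will discard every line before it can count it.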