Fail2Ban não está pegando falhas de autenticação dropbear

0

raspbian Linux [hostname] 4.9.36+ # 1015 Qui Jul 6 16:07:57 BST 2017 armv6l GNU / Linux

O fail2ban não está atendendo as falhas de autenticação do dropbear. Isso estava funcionando para o openssh sem problemas. Eu fui dropbear para reduzir o uso de memória.

Aqui está o meu auth.log para mostrar que o log está funcionando

dropbear[2640]: Bad password attempt for 'username' from 192.168.1.151:50780

Minha jail.local

#dropbear shh config password

[dropbear]

enabled  = true
port     = ssh
filter   = dropbear
logpath  = /var/log/auth.log
bantime = 900
banaction = iptables-allports
findtime = 900
maxretry = 3

Meu filtro dropbear.conf fail2ban

[Definition]

_daemon = dropbear

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT

# These match the unmodified dropbear messages. It isn't possible to
# match the source of the 'exit before auth' messages from dropbear.
#
failregex = ^%(__prefix_line)slogin attempt for nonexistent user ('.*' )?from <HOST>:.*\s*$
            ^%(__prefix_line)sbad password attempt for .+ from <HOST>:.*\s*$

# The only line we need to match with the modified dropbear.

# NOTE: The failregex below is ONLY intended to work with a patched
# version of Dropbear as described here:
# http://www.unchartedbackwaters.co.uk/pyblosxom/static/patches

E o jail.config padrão (essas opções devem ser sobrescritas com a cadeia local.)

# in /etc/fail2ban/jail.local.
#
# Optionally you may override any other parameter (e.g. banaction,
# action, port, logpath, etc) in that section within jail.local

[ssh]

enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 6

[dropbear]

enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/dropbear
maxretry = 6
    
por PInoob 12.07.2017 / 19:26

1 resposta

1

A dropbear.conf regex não corresponde às entradas em auth.log :

Bad password attempt for...  /* auth.log */
bad password attempt for...  /* dropbear.conf */

Se você editar dropbear.conf para respeitar maiúsculas e minúsculas, o fail2ban deve detectar as falhas de autenticação registradas.

    
por 12.07.2017 / 20:08