Fail2Não é possível recuperar falhas de autenticação dropbear - novamente

Jessie raposa

Edit: Está trabalhando em alguns clientes

De outro Rasberry Pi, o log está funcionando e agora pegando a entrada correta no log

Jul 22 04:02:21 <HOSTNAME> dropbear[2462]: Bad password attempt for
'user' from 192.168.1.154:39594

Mas quando eu tento do meu mac eu recebo isso

Jul 22 04:29:27 <HOSTNAME> dropbear[3026]: Bad password attempt for 'user' from fe80::109b:c195:be5d:6e5e%eth0:63395

Está tentando usar um endereço IPV6 ... por algum motivo.

Eu tive um tópico semelhante que pode ser encontrado aqui Fail2Ban não escolhendo falhas de autenticação dropbear

Eu consegui fazer isso funcionar, mas tive que restaurar a partir de um backup (não relacionado), no entanto, esse backup não incluiu minha correção para isso. Após a restauração, eu tinha reinstalado o drop bear e reconfigurava o fail2ban, no entanto, parece que as expressões regulares mudaram novamente. A última vez que foi uma maiúscula vs minúscula B foi a culpada, mas não desta vez, como você pode ver abaixo, que parece ter sido abordado na versão do fail2ban que estou executando agora. Mas ainda não está pegando as falhas automáticas.

Erro no registro de autenticação

dropbear[740]: Bad password attempt for 'username' from 192.168.1.171:62556

Filtro atual

# Fail2Ban filter for dropbear
#
# NOTE: The regex below is ONLY intended to work with a patched
# version of Dropbear as described here:
# http://www.unchartedbackwaters.co.uk/pyblosxom/static/patches
#            ^%(__prefix_line)sexit before auth from <HOST>.*\s*$
#
# The standard Dropbear output doesn't provide enough information to
# ban all types of attack.  The Dropbear patch adds IP address
# information to the 'exit before auth' message which is always
# produced for any form of non-successful login. It is that message
# which this file matches.
#
# More information: http://bugs.debian.org/546913

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

_daemon = dropbear

failregex = ^%(__prefix_line)s[Ll]ogin attempt for nonexistent user ('.*' )?from <HOST>:\d+$
            ^%(__prefix_line)s[Bb]ad (PAM )?password attempt for .+ from <HOST>(:\d+)?$
            ^%(__prefix_line)s[Ee]xit before auth \(user '.+', \d+ fails\): Max auth tries reached - user '.+' from <HOST>:\d+\s*$

ignoreregex =

# DEV Notes:
#
# The first two regexs here match the unmodified dropbear messages. It isn't
# possible to match the source of the 'exit before auth' messages from dropbear
# as they don't include the "from <HOST>" bit.
#
# The second last failregex line we need to match with the modified dropbear.
#
# For the second regex the following apply:
#
# http://www.netmite.com/android/mydroid/external/dropbear/svr-authpam.c
# http://svn.dd-wrt.com/changeset/16642#file64

Fail2ban jail.conf

# [SECTION_NAME]
# enabled = true

#
# in /etc/fail2ban/jail.local.
#
# Optionally you may override any other parameter (e.g. banaction,
# action, port, logpath, etc) in that section within jail.local

[ssh]

enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 6

[dropbear]

enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 6

# Generic filter for pam. Has to be used with action which bans all ports
# such as iptables-allports, shorewall
[pam-generic]

Fail2Ban jail.local

#local ssh rule set

[ssh]

enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
bantime = 900
banaction = iptables-allports
findtime = 900
maxretry = 3

#dropbear ssh config

[dropbear]

enabled = true
port = ssh
filter = dropbear
logpath = /var/log/auth.log
bantime = 900
banaction = iptables-allports
findtime = 900
maxretry = 3

IPTABLEs -L output

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
fail2ban-dropbear  tcp  --  anywhere             anywhere            
fail2ban-ssh  tcp  --  anywhere             anywhere            

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain fail2ban-dropbear (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain fail2ban-ssh (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere      

Quando executo o regex

fail2ban-regex "Nov 15 09:09:16 gw dropbear[16806]: Bad password attempt for 'root' from 104.223.180.34:3703" config/filter.d/dropbear.conf

Running tests
=============

Use   failregex line : config/filter.d/dropbear.conf
Traceback (most recent call last):
  File "/usr/bin/fail2ban-regex", line 430, in <module>
    fail2banRegex.readRegex(cmd_regex, 'fail') or sys.exit(-1)
  File "/usr/bin/fail2ban-regex", line 227, in readRegex
    'add%sRegex' % regextype.title())(regex.getFailRegex())
  File "/usr/share/fail2ban/server/filter.py", line 95, in addFailRegex
    raise e
server.failregex.RegexException: No 'host' group in 'config/filter.d/dropbear.conf'