[Linux-bruxelles] fail2ban and recidive question

Ald0 info at brlspeak.net
Sun 7 Feb 05:34:47 CET 2021


Hello.

I need your advice, and would particularly like to know whether, in your
opinion, my [recidive] jail is running as it should.
See below my customised fail2ban config plus the output of my test script.
I get the impression that something isn't right, and that it doesn't ban
despite the repeat offence. Thanks in advance for your insights!

# Extract from my /etc/fail2ban/jail.d/custom.conf (Source: /etc/fail2ban/jail.conf)

   [DEFAULT]
   ignoreip = 127.0.0.1/8 adr.ip.int.pc
#   destemail = moi at localhost
#   sender = root at localhost
#(not yet enabled)
#   maxretry = 5
   maxretry = 3
   findtime = 3600
#   bantime = 1209600
   bantime = 172800

   [sshd]
   enabled = true
   port = 3022 #(e.g.)
   logpath = /var/log/auth.log
#   logpath = %(sshd_log)s #(this does not work)
#   backend = %(ssh_backend)s #(same, even though read at doc.ubuntu-fr.org/fail2ban)
#   maxretry = 5
   maxretry = 3
   bantime = 7200 

   [recidive]
   enabled = true
   logpath = /var/log/fail2ban.log
#   banaction = %(banaction_allports)s #(does not work)
   banaction = iptables-allports
   bantime = 604800  ; 1 week
   findtime = 14400  ; 4 hours
   maxretry = 3

# End of extract from my /etc/fail2ban/jail.d/custom.conf

# Screenshot @ 07 feb 2021 04:05:04 CET

root at MonOrdiLinux:~# cf2bs.sh 
#(Check Fail2Ban (.sh) Script)

CF2BS / Check Fail2Ban Status (& co.) .sh script !
  
ii  fail2ban                                              0.9.3-1                                                  all          ban hosts that cause multiple authentication errors 
 
fail2ban: /etc/fail2ban /usr/share/man/man1/fail2ban.1.gz 
/usr/bin/fail2ban-client 
/usr/bin/fail2ban-regex 
/usr/bin/fail2ban-server 
/usr/bin/fail2ban-testcases 
 
ps -A |grep sshd: 
 
 1041 ?        00:00:00 sshd
 3121 ?        00:00:00 sshd
 3122 ?        00:00:00 sshd

  <q> (why already 3x sshd? Is it because, barely switched on, my computer
  is *already* under 3 attacks?) </q>

systemctl status fail2ban: 
fail2ban.service - Fail2Ban Service
   Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor preset: enabled) 
   Active: active (running) since zo 2021-02-07 04:04:20 CET; 53s ago
     Docs: man:fail2ban(1)
  Process: 1015 ExecStart=/usr/bin/fail2ban-client -x start (code=exited, status=0/SUCCESS)
 Main PID: 1118 (fail2ban-server)
   CGroup: /system.slice/fail2ban.service
           └─1118 /usr/bin/python3 /usr/bin/fail2ban-server -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid -x -b 
 
feb 07 04:04:19 MonOrdiLinux systemd[1]: Starting Fail2Ban Service... 
feb 07 04:04:19 MonOrdiLinux fail2ban-client[1015]: 2021-02-07 04:04:19,900 fail2ban.server         [1091]: INFO    Starting Fail2ban v0.9.3 
feb 07 04:04:19 MonOrdiLinux fail2ban-client[1015]: 2021-02-07 04:04:19,900 fail2ban.server         [1091]: INFO    Starting in daemon mode 
feb 07 04:04:20 MonOrdiLinux systemd[1]: Started Fail2Ban Service. 

fail2ban-client status: 
Status
|- Number of jail:	2
`- Jail list:	recidive, sshd

fail2ban-client status sshd: 
Status for the jail: sshd
|- Filter
|  |- Currently failed:	1
|  |- Total failed:	4
|  `- File list:	/var/log/auth.log
`- Actions
   |- Currently banned:	1
   |- Total banned:	1
   `- Banned IP list:	221.131.165.124 

fail2ban-client status recidive: 
Status for the jail: recidive 
|- Filter 
|  |- Currently failed:	1
|  |- Total failed:	1 
|  `- File list:	/var/log/fail2ban.log 
`- Actions 
   |- Currently banned:	0 
   |- Total banned:	0 
   `- Banned IP list:	

  <q> (why are Currently banned and Total banned = 0: if there was a repeat
  offence, well, in my config it is supposed to be enabled for a long ban?
  Is it even banning at all there?) </q>

Fail2Ban.log ... 
2021-02-07 04:04:19,965 fail2ban.filter         [1118]: INFO    Set jail log file encoding to UTF-8
2021-02-07 04:04:19,970 fail2ban.filter         [1118]: INFO    Added logfile = /var/log/auth.log
2021-02-07 04:04:19,983 fail2ban.filter         [1118]: INFO    Set maxlines = 10
2021-02-07 04:04:20,019 fail2ban.server         [1118]: INFO    Jail sshd is not a JournalFilter instance
2021-02-07 04:04:20,022 fail2ban.jail           [1118]: INFO    Creating new jail 'recidive'
2021-02-07 04:04:20,023 fail2ban.jail           [1118]: INFO    Jail 'recidive' uses pyinotify
2021-02-07 04:04:20,023 fail2ban.filter         [1118]: INFO    Set jail log file encoding to UTF-8
2021-02-07 04:04:20,027 fail2ban.jail           [1118]: INFO    Initiated 'pyinotify' backend
2021-02-07 04:04:20,040 fail2ban.filter         [1118]: INFO    Set maxRetry = 3
2021-02-07 04:04:20,040 fail2ban.actions        [1118]: INFO    Set banTime = 604800
2021-02-07 04:04:20,041 fail2ban.filter         [1118]: INFO    Set findtime = 14400
2021-02-07 04:04:20,041 fail2ban.filter         [1118]: INFO    Set jail log file encoding to UTF-8
2021-02-07 04:04:20,053 fail2ban.filter         [1118]: INFO    Added logfile = /var/log/fail2ban.log
2021-02-07 04:04:20,070 fail2ban.server         [1118]: INFO    Jail recidive is not a JournalFilter instance
2021-02-07 04:04:20,074 fail2ban.jail           [1118]: INFO    Jail 'sshd' started
2021-02-07 04:04:20,077 fail2ban.jail           [1118]: INFO    Jail 'recidive' started
2021-02-07 04:05:11,080 fail2ban.filter         [1118]: INFO    [sshd] Found 221.131.165.124
2021-02-07 04:05:12,461 fail2ban.filter         [1118]: INFO    [sshd] Found 221.131.165.124
2021-02-07 04:05:19,988 fail2ban.filter         [1118]: INFO    [sshd] Found 221.131.165.124
2021-02-07 04:05:20,739 fail2ban.actions        [1118]: NOTICE  [sshd] Ban 221.131.165.124
2021-02-07 04:05:20,740 fail2ban.filter         [1118]: INFO    [recidive] Found 221.131.165.124
2021-02-07 04:05:21,467 fail2ban.filter         [1118]: INFO    [sshd] Found 221.131.165.124

  <q>(why do we sometimes see  unban  in the logs when I don't plan any
  unban for attackers, and especially not for repeat offenders?)</q>

Auth.log ...
Feb  7 04:04:24 MonOrdiLinux sshd[1041]: Received SIGHUP; restarting.
Feb  7 04:04:24 MonOrdiLinux sshd[1041]: Server listening on 0.0.0.0 port 3022.
Feb  7 04:04:24 MonOrdiLinux sshd[1041]: Server listening on :: port 3022.
Feb  7 04:04:24 MonOrdiLinux sshd[1041]: Received SIGHUP; restarting.
Feb  7 04:04:24 MonOrdiLinux sshd[1041]: Server listening on 0.0.0.0 port 3022.
Feb  7 04:04:24 MonOrdiLinux sshd[1041]: Server listening on :: port 3022.
Feb  7 04:04:51 MonOrdiLinux login[2155]: pam_unix(login:session): session opened for user moi by LOGIN(uid=0)
Feb  7 04:04:51 MonOrdiLinux systemd-logind[788]: New session 1 of user moi.
Feb  7 04:04:58 MonOrdiLinux sudo:     moi : TTY=tty1 ; PWD=/home/moi ; USER=root ; COMMAND=/bin/su
Feb  7 04:04:58 MonOrdiLinux sudo: pam_unix(sudo:session): session opened for user root by moi(uid=0)
Feb  7 04:04:58 MonOrdiLinux su[3095]: Successful su for root by root
Feb  7 04:04:58 MonOrdiLinux su[3095]: + /dev/tty1 root:root
Feb  7 04:04:58 MonOrdiLinux su[3095]: pam_unix(su:session): session opened for user root by moi(uid=0)
Feb  7 04:04:58 MonOrdiLinux su[3095]: pam_systemd(su:session): Cannot create session: Already running in a session
Feb  7 04:05:11 MonOrdiLinux sshd[3121]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.131.165.124  user=root
Feb  7 04:05:12 MonOrdiLinux sshd[3121]: Failed password for root from 221.131.165.124 port 58204 ssh2
Feb  7 04:05:16 MonOrdiLinux sshd[3121]: message repeated 2 times: [ Failed password for root from 221.131.165.124 port 58204 ssh2]
Feb  7 04:05:16 MonOrdiLinux sshd[3121]: Received disconnect from 221.131.165.124 port 58204:11:  [preauth]
Feb  7 04:05:16 MonOrdiLinux sshd[3121]: Disconnected from 221.131.165.124 port 58204 [preauth]
Feb  7 04:05:16 MonOrdiLinux sshd[3121]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.131.165.124  user=root
Feb  7 04:05:19 MonOrdiLinux sshd[3140]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.131.165.124  user=root
Feb  7 04:05:21 MonOrdiLinux sshd[3140]: Failed password for root from 221.131.165.124 port 16514 ssh2

  <nb> (I replaced my username here with  moi  but you had already figured
   that out!)</nb>

root at MonOrdiLinux:~# 

# Stopped @ 07 feb 2021 04:05:55 CET 

@+
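To make the recidive status figures above concrete (Currently failed: 1, Currently banned: 0): the recidive jail counts the "Ban" lines that other jails write to /var/log/fail2ban.log, and only bans a host once maxretry of those lines fall within findtime. The script below is an added example, not part of the original message nor fail2ban's own code; its regex is a hand-written approximation of fail2ban's filter.d/recidive.conf, and every log line after the first one is constructed for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Approximation (assumption, not fail2ban's own pattern) of the recidive
# failregex: a NOTICE "Ban <ip>" from fail2ban.actions for any jail except
# recidive itself, so the jail never feeds on its own bans. "Unban" lines
# do not match because the regex requires "] Ban".
BAN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ fail2ban\.actions\s+\[\d+\]:\s+"
    r"NOTICE\s+\[(?!recidive\])[^\]]+\]\s+Ban\s+(?P<ip>\S+)\s*$"
)

def recidive_scan(lines, maxretry=3, findtime=14400):
    """Replay fail2ban.log lines through the recidive jail's counting rule.

    Returns (failed, banned): 'failed' maps each IP to the number of Ban
    events still inside its findtime window (the 'Currently failed' figure);
    'banned' lists IPs that reached maxretry Ban events within findtime.
    """
    events = defaultdict(list)
    banned = []
    for line in lines:
        m = BAN_RE.match(line)
        if not m or m.group("ip") in banned:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        ip = m.group("ip")
        events[ip].append(ts)
        # Drop events older than findtime, as fail2ban's failure manager does.
        events[ip] = [t for t in events[ip] if ts - t <= timedelta(seconds=findtime)]
        if len(events[ip]) >= maxretry:
            banned.append(ip)
    return {ip: len(ts_list) for ip, ts_list in events.items()}, banned

# Constructed sample: line 1 is the Ban from the post's log; the rest are
# invented later entries for the same host (sshd bantime is 2 hours there).
SAMPLE = [
    "2021-02-07 04:05:20,739 fail2ban.actions        [1118]: NOTICE  [sshd] Ban 221.131.165.124",
    "2021-02-07 04:05:20,740 fail2ban.filter         [1118]: INFO    [recidive] Found 221.131.165.124",
    "2021-02-07 06:05:21,000 fail2ban.actions        [1118]: NOTICE  [sshd] Unban 221.131.165.124",
    "2021-02-07 06:10:00,000 fail2ban.actions        [1118]: NOTICE  [sshd] Ban 221.131.165.124",
    "2021-02-07 07:30:00,000 fail2ban.actions        [1118]: NOTICE  [sshd] Ban 221.131.165.124",
    "2021-02-07 07:30:01,000 fail2ban.actions        [1118]: NOTICE  [recidive] Ban 221.131.165.124",
]

if __name__ == "__main__":
    print("after the post's log only:", recidive_scan(SAMPLE[:2]))   # 1 failed, no ban
    print("after three sshd bans in 4h:", recidive_scan(SAMPLE))      # recidive bans
    print("same lines, findtime=3600:", recidive_scan(SAMPLE, findtime=3600))
```

With only the post's own log, the host has one counted Ban and no recidive ban, which matches the status output; shrinking findtime shows how bans spaced further apart than the window never add up to maxretry.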



More information about the Linux-bruxelles mailing list