Kürzlich habe ich fail2ban auf einem CentOS 6-Server installiert. Ich habe zum Schutz von SSH-Einbruchversuchen konfiguriert. Aber fail2ban spürt keine Einbruchsversuche.
Ich habe den Filter von fail2ban-regex getestet und denke, dass etwas im Filter nicht stimmt.
Die Ausgabe von fail2ban-regex ist:
% fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/sshd.conf
Running tests
=============
Use failregex file : /etc/fail2ban/filter.d/sshd.conf
Use log file : /var/log/secure
Results
=======
Failregex: 13248 total
|- #) [# of hits] regular expression
| 3) [13059] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*Failed (?:password|publickey) for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$
| 5) [101] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*[iI](?:llegal|nvalid) user .* from <HOST>\s*$
| 9) [88] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*Address <HOST> .* POSSIBLE BREAK-IN ATTEMPT!*\s*$
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [45621] MONTH Day Hour:Minute:Second
`-
Lines: 45621 lines, 0 ignored, 13248 matched, 32373 missed
Missed line(s):: too many to print. Use --print-all-missed to print all 32373 lines
In meinem Setup werden SSHD-Protokolle unter / var / log / secure aufgezeichnet
Protokolle sehen folgendermaßen aus:
Feb 2 04:31:26 twmp sshd[31779]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=happy.unixbsd.info user=root
Feb 2 04:31:27 twmp sshd[31782]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=happy.unixbsd.info user=root
Feb 2 04:31:28 twmp sshd[31779]: Failed password for root from 199.71.214.66 port 50984 ssh2
Feb 2 04:31:28 twmp sshd[31780]: Received disconnect from 199.71.214.66: 11: Bye Bye
Feb 2 04:31:29 twmp sshd[31785]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=happy.unixbsd.info user=root
Feb 2 04:31:29 twmp sshd[31782]: Failed password for root from 199.71.214.66 port 53998 ssh2
Feb 2 04:31:29 twmp sshd[31783]: Received disconnect from 199.71.214.66: 11: Bye Bye
Feb 2 04:31:30 twmp sshd[31788]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=happy.unixbsd.info user=root
Feb 2 04:31:31 twmp sshd[31785]: Failed password for root from 199.71.214.66 port 52127 ssh2
Feb 2 04:31:32 twmp sshd[31786]: Received disconnect from 199.71.214.66: 11: Bye Bye
Feb 2 04:31:33 twmp sshd[31791]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=happy.unixbsd.info user=root
Feb 2 04:31:33 twmp sshd[31788]: Failed password for root from 199.71.214.66 port 55001 ssh2
Feb 2 04:31:33 twmp sshd[31789]: Received disconnect from 199.71.214.66: 11: Bye Bye
Feb 2 04:31:34 twmp sshd[31794]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=happy.unixbsd.info user=root
Feb 2 04:31:35 twmp sshd[31791]: Failed password for root from 199.71.214.66 port 53390 ssh2
Feb 2 04:31:35 twmp sshd[31794]: Failed password for root from 199.71.214.66 port 56186 ssh2
Feb 2 04:31:36 twmp sshd[31792]: Received disconnect from 199.71.214.66: 11: Bye Bye
Feb 2 04:31:36 twmp sshd[31795]: Received disconnect from 199.71.214.66: 11: Bye Bye
Feb 2 04:31:37 twmp sshd[31797]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=happy.unixbsd.info user=root
Feb 2 04:31:37 twmp sshd[31798]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=happy.unixbsd.info user=root
Feb 2 04:31:38 twmp sshd[31797]: Failed password for root from 199.71.214.66 port 57048 ssh2
Feb 2 04:31:38 twmp sshd[31799]: Received disconnect from 199.71.214.66: 11: Bye Bye
Feb 2 04:31:39 twmp sshd[31798]: Failed password for root from 199.71.214.66 port 54688 ssh2
Feb 2 04:31:39 twmp sshd[31800]: Received disconnect from 199.71.214.66: 11: Bye Bye
Feb 2 04:31:39 twmp sshd[31803]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=happy.unixbsd.info user=root
Feb 2 04:31:41 twmp sshd[31806]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=happy.unixbsd.info user=root
Feb 2 04:31:41 twmp sshd[31803]: Failed password for root from 199.71.214.66 port 57895 ssh2
Feb 2 04:31:41 twmp sshd[31804]: Received disconnect from 199.71.214.66: 11: Bye Bye
Meine jail.local-Datei sieht folgendermaßen aus:
#
Fail2Ban jail base specification file
#
# Comments: use '#' for comment lines and ';' (following a space) for inline comments
# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1/8
# "bantime" is the number of seconds that a host is banned.
bantime = 3600
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 60
# "maxretry" is the number of failures before a host get banned.
maxretry = 3
# "backend" specifies the backend used to get files modification.
# Available options are "pyinotify", "gamin", "polling" and "auto".
# This option can be overridden in each jail as well.
#
# pyinotify: requires pyinotify (a file alteration monitor) to be installed.
# If pyinotify is not installed, Fail2ban will use auto.
# gamin: requires Gamin (a file alteration monitor) to be installed.
# If Gamin is not installed, Fail2ban will use auto.
# polling: uses a polling algorithm which does not require external libraries.
# auto: will try to use the following backends, in order:
# pyinotify, gamin, polling.
backend = gamin
# "usedns" specifies if jails should trust hostnames in logs,
# warn when DNS lookups are performed, or ignore all hostnames in logs
#
# yes: if a hostname is encountered, a DNS lookup will be performed.
# warn: if a hostname is encountered, a DNS lookup will be performed,
# but it will be logged as a warning.
# no: if a hostname is encountered, will not be used for banning,
# but it will be logged as info.
usedns = warn
# This jail corresponds to the standard configuration in Fail2ban.
# The mail-whois action send a notification e-mail with a whois request
# in the body.
# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define
# action_* variables. Can be overridden globally or per
# section within jail.local file
banaction = iptables-multiport
# email action. Since 0.8.1 upstream fail2ban uses sendmail
# MTA for the mailing. Change mta configuration parameter to mail
# if you want to revert to conventional 'mail'.
mta = mail
destemail = "user@example.com"
# Default protocol
protocol = tcp
# Specify chain where jumps would need to be added in iptables-* actions
chain = INPUT
#
# Action shortcuts. To be used to define action parameter
# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
# ban & send an e-mail with whois report to the destemail.
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
%(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
# ban & send an e-mail with whois report and relevant log lines
# to the destemail.
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
%(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
# Choose default action. To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
action = %(action_mwl)s
[ssh-iptables]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/secure
maxretry = 3
action = iptables-multiport[name=SSH, port=ssh, protocol=tcp]
sendmail-whois[name=SSH, dest=user@example.com, sender=sender@example.com, sendername="Fail2Ban"]
...(other disabled configurations.)
Und sshd filter unter fail2ban / filters.d ist:
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision$
#
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf
[Definition]
_daemon = sshd
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$
^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
^%(__prefix_line)sFailed (?:password|publickey) for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$
^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers$
^%(__prefix_line)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
^%(__prefix_line)sAddress <HOST> .* POSSIBLE BREAK-IN ATTEMPT!*\s*$
^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
Die Datei common.conf, die durch Filter enthalten ist:
# Generic configuration items (to be used as interpolations) in other
# filters or actions configurations
#
[INCLUDES]
# Load customizations if any available
after = common.local
[DEFAULT]
# Daemon definition is to be specialized (if needed) in .conf file
_daemon = \S*
#
# Shortcuts for easier comprehension of the failregex
#
# PID.
# EXAMPLES: [123]
__pid_re = (?:\[\d+\])
# Daemon name (with optional source_file:line or whatever)
# EXAMPLES: pam_rhosts_auth, [sshd], pop(pam_unix)
__daemon_re = [\[\(]?%(_daemon)s(?:\(\S+\))?[\]\)]?:?
# extra daemon info
# EXAMPLE: [ID 800047 auth.info]
__daemon_extra_re = (?:\[ID \d+ \S+\])
# Combinations of daemon name and PID
# EXAMPLES: sshd[31607], pop(pam_unix)[4920]
__daemon_combs_re = (?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:?)
# Some messages have a kernel prefix with a timestamp
# EXAMPLES: kernel: [769570.846956]
__kernel_prefix = kernel: \[\d+\.\d+\]
__hostname = \S+
# A MD5 hex
# EXAMPLES: 07:06:27:55:b0:e3:0c:3c:5a:28:2d:7c:7e:4c:77:5f
__md5hex = (?:[\da-f]{2}:){15}[\da-f]{2}
# bsdverbose is where syslogd is started with -v or -vv and results in <4.3> or
# <auth.info> appearing before the host as per testcases/files/logs/bsd/*.
__bsd_syslog_verbose = (<[^.]+\.[^.]+>)
# Common line prefixes (beginnings) which could be used in filters
#
# [bsdverbose]? [hostname] [vserver tag] daemon_id spaces
#
# This can be optional (for instance if we match named native log files)
__prefix_line = \s*%(__bsd_syslog_verbose)s?\s*(?:%(__hostname)s )?(?:%(__kernel_prefix)s )?(?:@vserver_\S+ )?%(__daemon_combs_re)s?\s%(__daemon_extra_re)s?\s*
Ich habe verschiedene Konfigurationsdateien ausprobiert, aber es erkennt immer noch keine fehlgeschlagenen SSH-Verbindungen. Ich habe die fail2ban-Protokolldatei überprüft und es wird nichts protokolliert, außer das Stoppen und Starten von Zeilen.