fail2ban and [recidive] jail problem under Ubuntu
Y P
yellowpenguin at telenet.be
Sun Feb 7 05:33:15 UTC 2021
Hi,
I'm trying to configure fail2ban on my Ubuntu computer so that I can log in remotely safely and securely.
Yet there is something that doesn't seem to work, namely banning repeat offenders permanently or for a long time.
This is my custom.conf plus the feedback from a script's output:
# My /etc/fail2ban/jail.d/custom.conf (Src: /etc/fail2ban/jail.conf)
[DEFAULT]
ignoreip = 127.0.0.1/8 myn.ip.int.pc
# destemail = ik@localhost
# sender = root@localhost
#(not activated yet)
# maxretry = 5
maxretry = 3
findtime = 3600
# bantime = 1209600
bantime = 172800
[sshd]
enabled = true
port = 3022 #(for example)
logpath = /var/log/auth.log
# logpath = %(sshd_log)s #(this doesn't work)
# backend = %(ssh_backend)s #(same, doesn't work)
# maxretry = 5
maxretry = 3
bantime = 7200
[recidive]
enabled = true
logpath = /var/log/fail2ban.log
# banaction = %(banaction_allports)s #(doesn't work)
banaction = iptables-allports
bantime = 604800 ; 1 week
findtime = 14400 ; 4 hours
maxretry = 3
# End of /etc/fail2ban/jail.d/custom.conf
# Screenshot @ 07 Feb 2021 04:05:04 CET
root@MijnLinuxPC:~# cf2bs.sh
#(Check Fail2Ban (.sh) Script)
CF2BS / Check Fail2Ban Status (& co.) .sh script !
ii fail2ban 0.9.3-1 all ban hosts that cause multiple authentication errors
fail2ban: /etc/fail2ban /usr/share/man/man1/fail2ban.1.gz
/usr/bin/fail2ban-client
/usr/bin/fail2ban-regex
/usr/bin/fail2ban-server
/usr/bin/fail2ban-testcases
ps -A |grep sshd:
1041 ? 00:00:00 sshd
3121 ? 00:00:00 sshd
3122 ? 00:00:00 sshd
<q> (why 3x sshd right away?
are these already 3 attempts/attacks? ) </q>
systemctl status fail2ban:
fail2ban.service - Fail2Ban Service
Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor preset: enabled)
Active: active (running) since zo 2021-02-07 04:04:20 CET; 53s ago
Docs: man:fail2ban(1)
Process: 1015 ExecStart=/usr/bin/fail2ban-client -x start (code=exited, status=0/SUCCESS)
Main PID: 1118 (fail2ban-server)
CGroup: /system.slice/fail2ban.service
└─1118 /usr/bin/python3 /usr/bin/fail2ban-server -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid -x -b
feb 07 04:04:19 MijnLinuxPC systemd[1]: Starting Fail2Ban Service...
feb 07 04:04:19 MijnLinuxPC fail2ban-client[1015]: 2021-02-07 04:04:19,900 fail2ban.server [1091]: INFO Starting Fail2ban v0.9.3
feb 07 04:04:19 MijnLinuxPC fail2ban-client[1015]: 2021-02-07 04:04:19,900 fail2ban.server [1091]: INFO Starting in daemon mode
feb 07 04:04:20 MijnLinuxPC systemd[1]: Started Fail2Ban Service.
fail2ban-client status:
Status
|- Number of jail: 2
`- Jail list: recidive, sshd
fail2ban-client status sshd:
Status for the jail: sshd
|- Filter
| |- Currently failed: 1
| |- Total failed: 4
| `- File list: /var/log/auth.log
`- Actions
|- Currently banned: 1
|- Total banned: 1
`- Banned IP list: 221.131.165.124
fail2ban-client status recidive:
Status for the jail: recidive
|- Filter
| |- Currently failed: 1
| |- Total failed: 1
| `- File list: /var/log/fail2ban.log
`- Actions
|- Currently banned: 0
|- Total banned: 0
`- Banned IP list:
<q> (why are Currently banned and Total banned = 0 ? ) </q>
Fail2Ban.log ...
2021-02-07 04:04:19,965 fail2ban.filter [1118]: INFO Set jail log file encoding to UTF-8
2021-02-07 04:04:19,970 fail2ban.filter [1118]: INFO Added logfile = /var/log/auth.log
2021-02-07 04:04:19,983 fail2ban.filter [1118]: INFO Set maxlines = 10
2021-02-07 04:04:20,019 fail2ban.server [1118]: INFO Jail sshd is not a JournalFilter instance
2021-02-07 04:04:20,022 fail2ban.jail [1118]: INFO Creating new jail 'recidive'
2021-02-07 04:04:20,023 fail2ban.jail [1118]: INFO Jail 'recidive' uses pyinotify
2021-02-07 04:04:20,023 fail2ban.filter [1118]: INFO Set jail log file encoding to UTF-8
2021-02-07 04:04:20,027 fail2ban.jail [1118]: INFO Initiated 'pyinotify' backend
2021-02-07 04:04:20,040 fail2ban.filter [1118]: INFO Set maxRetry = 3
2021-02-07 04:04:20,040 fail2ban.actions [1118]: INFO Set banTime = 604800
2021-02-07 04:04:20,041 fail2ban.filter [1118]: INFO Set findtime = 14400
2021-02-07 04:04:20,041 fail2ban.filter [1118]: INFO Set jail log file encoding to UTF-8
2021-02-07 04:04:20,053 fail2ban.filter [1118]: INFO Added logfile = /var/log/fail2ban.log
2021-02-07 04:04:20,070 fail2ban.server [1118]: INFO Jail recidive is not a JournalFilter instance
2021-02-07 04:04:20,074 fail2ban.jail [1118]: INFO Jail 'sshd' started
2021-02-07 04:04:20,077 fail2ban.jail [1118]: INFO Jail 'recidive' started
2021-02-07 04:05:11,080 fail2ban.filter [1118]: INFO [sshd] Found 221.131.165.124
2021-02-07 04:05:12,461 fail2ban.filter [1118]: INFO [sshd] Found 221.131.165.124
2021-02-07 04:05:19,988 fail2ban.filter [1118]: INFO [sshd] Found 221.131.165.124
2021-02-07 04:05:20,739 fail2ban.actions [1118]: NOTICE [sshd] Ban 221.131.165.124
2021-02-07 04:05:20,740 fail2ban.filter [1118]: INFO [recidive] Found 221.131.165.124
2021-02-07 04:05:21,467 fail2ban.filter [1118]: INFO [sshd] Found 221.131.165.124
<q>(why do you sometimes see unban in the logs, when I *certainly do
not* want to unban recidivists and am not going to? ) </q>
Auth.log ...
Feb 7 04:04:24 MijnLinuxPC sshd[1041]: Received SIGHUP; restarting.
Feb 7 04:04:24 MijnLinuxPC sshd[1041]: Server listening on 0.0.0.0 port 3022.
Feb 7 04:04:24 MijnLinuxPC sshd[1041]: Server listening on :: port 3022.
Feb 7 04:04:24 MijnLinuxPC sshd[1041]: Received SIGHUP; restarting.
Feb 7 04:04:24 MijnLinuxPC sshd[1041]: Server listening on 0.0.0.0 port 3022.
Feb 7 04:04:24 MijnLinuxPC sshd[1041]: Server listening on :: port 3022.
Feb 7 04:04:51 MijnLinuxPC login[2155]: pam_unix(login:session): session opened for user ik by LOGIN(uid=0)
Feb 7 04:04:51 MijnLinuxPC systemd-logind[788]: New session 1 of user ik.
Feb 7 04:04:58 MijnLinuxPC sudo: ik : TTY=tty1 ; PWD=/home/ik ; USER=root ; COMMAND=/bin/su
Feb 7 04:04:58 MijnLinuxPC sudo: pam_unix(sudo:session): session opened for user root by ik(uid=0)
Feb 7 04:04:58 MijnLinuxPC su[3095]: Successful su for root by root
Feb 7 04:04:58 MijnLinuxPC su[3095]: + /dev/tty1 root:root
Feb 7 04:04:58 MijnLinuxPC su[3095]: pam_unix(su:session): session opened for user root by ik(uid=0)
Feb 7 04:04:58 MijnLinuxPC su[3095]: pam_systemd(su:session): Cannot create session: Already running in a session
Feb 7 04:05:11 MijnLinuxPC sshd[3121]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.131.165.124 user=root
Feb 7 04:05:12 MijnLinuxPC sshd[3121]: Failed password for root from 221.131.165.124 port 58204 ssh2
Feb 7 04:05:16 MijnLinuxPC sshd[3121]: message repeated 2 times: [ Failed password for root from 221.131.165.124 port 58204 ssh2]
Feb 7 04:05:16 MijnLinuxPC sshd[3121]: Received disconnect from 221.131.165.124 port 58204:11: [preauth]
Feb 7 04:05:16 MijnLinuxPC sshd[3121]: Disconnected from 221.131.165.124 port 58204 [preauth]
Feb 7 04:05:16 MijnLinuxPC sshd[3121]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.131.165.124 user=root
Feb 7 04:05:19 MijnLinuxPC sshd[3140]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.131.165.124 user=root
Feb 7 04:05:21 MijnLinuxPC sshd[3140]: Failed password for root from 221.131.165.124 port 16514 ssh2
root@MijnLinuxPC:~#
# Stopped @ 07 Feb 2021 04:05:55 CET
Thanks in advance for more info/help.
@+
Y P
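As an added illustration (not part of the post, and not fail2ban's own code): a small Python replay of how the [recidive] jail counts Ban lines in fail2ban.log, using the post's settings (maxretry 3, findtime 14400). It assumes a simplified stand-in for the recidive filter regex and a sliding-window approximation of fail2ban's counter, and shows that with sshd's bantime of 7200 s a host's third ban can never land inside recidive's 14400 s window, while the jail.conf default sshd bantime of 600 s lets recidive trigger.

```python
import re
from datetime import datetime, timedelta

# Simplified stand-in for filter.d/recidive.conf (an assumption, not
# fail2ban's own regex): a NOTICE "Ban" line from any jail except
# recidive itself. Unban lines therefore never match.
BAN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ fail2ban\.actions\s+\[\d+\]:\s+"
    r"NOTICE\s+\[(?!recidive\])[^\]]+\]\s+Ban\s+(?P<host>\S+)\s*$"
)

def recidive_bans(lines, maxretry=3, findtime=14400):
    """Return {host: time of recidive ban} for the given fail2ban.log lines.

    Defaults mirror the post's [recidive] section (maxretry=3, findtime=4 h).
    Approximates fail2ban's failure counter: a host is banned once `maxretry`
    Ban events fall inside a sliding `findtime` window.
    """
    window = timedelta(seconds=findtime)
    seen, banned = {}, {}
    for line in lines:
        m = BAN_RE.match(line)
        if not m or m["host"] in banned:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        hits = [t for t in seen.get(m["host"], []) if ts - t <= window] + [ts]
        seen[m["host"]] = hits
        if len(hits) >= maxretry:
            banned[m["host"]] = ts
    return banned

def simulate_sshd_log(sshd_bantime, cycles=3, regap=60,
                      first="2021-02-07 04:05:20", host="221.131.165.124"):
    """Constructed fail2ban.log for a host that [sshd] re-bans as soon as it
    can: each new Ban lands `sshd_bantime` (the unban) + `regap` seconds (a
    few fresh failures) after the previous one."""
    t = datetime.strptime(first, "%Y-%m-%d %H:%M:%S")
    lines = []
    for i in range(cycles):
        if i:
            t += timedelta(seconds=sshd_bantime)
            lines.append(f"{t:%Y-%m-%d %H:%M:%S},000 fail2ban.actions [1118]: NOTICE [sshd] Unban {host}")
            t += timedelta(seconds=regap)
        lines.append(f"{t:%Y-%m-%d %H:%M:%S},000 fail2ban.actions [1118]: NOTICE [sshd] Ban {host}")
    return lines

# The post's log so far holds a single Ban line: "Currently banned: 0" is expected.
POST_LOG = ["2021-02-07 04:05:20,739 fail2ban.actions [1118]: NOTICE [sshd] Ban 221.131.165.124"]
```

Running `recidive_bans(simulate_sshd_log(7200))` with the post's values returns an empty dict, while `simulate_sshd_log(600)` yields a recidive ban on the third sshd ban.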