well,
someone keeps relentlessly trying to break into my ssh with some bot, so google -> fail2ban
I dug around in the config and produced this:
/etc/fail2ban/jail.conf
# Fail2Ban configuration file.
#
# This file was composed for Debian systems from the original one
# provided now under /usr/share/doc/fail2ban/examples/jail.conf
# for additional examples.
#
# To avoid merges during upgrades DO NOT MODIFY THIS FILE
# and rather provide your changes in /etc/fail2ban/jail.local
#
# Author: Yaroslav O. Halchenko <debian@onerussian.com>
#
# $Revision: 281 $
#

# The DEFAULT allows a global definition of the options. They can be override
# in each jail afterwards.

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 195.114.177.150 192.168.1.0/24 192.168.0.0/24
bantime = 86400
maxretry = 10

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto".
# yoh: For some reason Debian shipped python-gamin didn't work as expected
#      This issue left ToDo, so polling is default backend for now
backend = polling

#
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = urbinek@wp.pl

#
# ACTIONS
#

# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define
# action_* variables. Can be overriden globally or per
# section within jail.local file
banaction = iptables-multiport

# email action. Since 0.8.1 upstream fail2ban uses sendmail
# MTA for the mailing. Change mta configuration parameter to mail
# if you want to revert to conventional 'mail'.
mta = sendmail

# Default protocol
protocol = tcp

#
# Action shortcuts. To be used to define action parameter

# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s]

# ban & send an e-mail with whois report to the destemail.
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s]
            %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s]

# ban & send an e-mail with whois report and relevant log lines
# to the destemail.
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s]
             %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s]

# Choose default action. To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
action = %(action_)s

#
# JAILS
#

# Next jails corresponds to the standard configuration in Fail2ban 0.6 which
# was shipped in Debian. Enable any defined here jail by including
#
# [SECTION_NAME]
# enabled = true
#
# in /etc/fail2ban/jail.local.
#
# Optionally you may override any other parameter (e.g. banaction,
# action, port, logpath, etc) in that section within jail.local

[ssh]

enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3

# Generic filter for pam. Has to be used with action which bans all ports
# such as iptables-allports, shorewall
[pam-generic]

enabled = false
# pam-generic filter can be customized to monitor specific subset of 'tty's
filter = pam-generic
# port actually must be irrelevant but lets leave it all for some possible uses
port = all
banaction = iptables-allports
port = anyport
logpath = /var/log/auth.log
maxretry = 6

[xinetd-fail]

enabled = false
filter = xinetd-fail
port = all
banaction = iptables-multiport-log
logpath = /var/log/daemon.log
maxretry = 2

[ssh-ddos]

enabled = true
port = ssh
filter = sshd-ddos
logpath = /var/log/auth.log
maxretry = 3

#
# HTTP servers
#

[apache]

enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 6

# default action is now multiport, so apache-multiport jail was left
# for compatibility with previous (<0.7.6-2) releases
[apache-multiport]

enabled = false
port = http,https
filter = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 6

[apache-noscript]

enabled = true
port = http,https
filter = apache-noscript
logpath = /var/log/apache*/*error.log
maxretry = 6

[apache-overflows]

enabled = true
port = http,https
filter = apache-overflows
logpath = /var/log/apache*/*error.log
maxretry = 2

#
# FTP servers
#

[vsftpd]

enabled = false
port = ftp,ftp-data,ftps,ftps-data
filter = vsftpd
logpath = /var/log/vsftpd.log
# or overwrite it in jails.local to be
# logpath = /var/log/auth.log
# if you want to rely on PAM failed login attempts
# vsftpd's failregex should match both of those formats
maxretry = 6

[proftpd]

enabled = true
port = ftp,ftp-data,ftps,ftps-data
filter = proftpd
logpath = /var/log/proftpd/proftpd.log
maxretry = 6

[wuftpd]

enabled = false
port = ftp,ftp-data,ftps,ftps-data
filter = wuftpd
logpath = /var/log/auth.log
maxretry = 6

#
# Mail servers
#

[postfix]

enabled = false
port = smtp,ssmtp
filter = postfix
logpath = /var/log/mail.log

[couriersmtp]

enabled = false
port = smtp,ssmtp
filter = couriersmtp
logpath = /var/log/mail.log

#
# Mail servers authenticators: might be used for smtp,ftp,imap servers, so
# all relevant ports get banned
#

[courierauth]

enabled = false
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter = courierlogin
logpath = /var/log/mail.log

[sasl]

enabled = false
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter = sasl
logpath = /var/log/mail.log

# DNS Servers

# These jails block attacks against named (bind9). By default, logging is off
# with bind9 installation. You will need something like this:
#
# logging {
#     channel security_file {
#         file "/var/log/named/security.log" versions 3 size 30m;
#         severity dynamic;
#         print-time yes;
#     };
#     category security {
#         security_file;
#     };
# }
#
# in your named.conf to provide proper logging

# Word of Caution:
# Given filter can lead to DoS attack against your DNS server
# since there is no way to assure that UDP packets come from the
# real source IP

[named-refused-udp]

enabled = false
port = domain,953
protocol = udp
filter = named-refused
logpath = /var/log/named/security.log

[named-refused-tcp]

enabled = false
port = domain,953
protocol = tcp
filter = named-refused
logpath = /var/log/named/security.log
it starts without a problem (I removed the entry from init.d and appended it at the end of the file with my firewall rules so the two don't conflict)
but in the logs I have this:
2010-02-21 11:01:31,111 fail2ban.actions.action: ERROR iptables -D INPUT -p tcp -m multiport --dports ssh -j fail2ban-ssh
2010-02-21 11:01:31,112 fail2ban.jail : INFO Jail 'ssh' stopped
2010-02-21 11:01:31,799 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.3
2010-02-21 11:01:31,801 fail2ban.jail : INFO Creating new jail 'ssh'
2010-02-21 11:01:31,802 fail2ban.jail : INFO Jail 'ssh' uses poller
2010-02-21 11:01:31,852 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2010-02-21 11:01:31,854 fail2ban.filter : INFO Set maxRetry = 6
2010-02-21 11:01:31,859 fail2ban.filter : INFO Set findtime = 600
2010-02-21 11:01:31,861 fail2ban.actions: INFO Set banTime = 600
2010-02-21 11:01:32,012 fail2ban.jail : INFO Jail 'ssh' started
2010-02-21 11:03:18,042 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.3
2010-02-21 11:03:18,053 fail2ban.jail : INFO Creating new jail 'ssh'
2010-02-21 11:03:18,054 fail2ban.jail : INFO Jail 'ssh' uses poller
2010-02-21 11:03:18,109 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2010-02-21 11:03:18,111 fail2ban.filter : INFO Set maxRetry = 6
2010-02-21 11:03:18,116 fail2ban.filter : INFO Set findtime = 600
2010-02-21 11:03:18,118 fail2ban.actions: INFO Set banTime = 600
2010-02-21 11:03:18,271 fail2ban.jail : INFO Jail 'ssh' started
2010-02-21 11:54:29,070 fail2ban.actions.action: ERROR iptables -D INPUT -p tcp -m multiport --dports ssh -j fail2ban-ssh
2010-02-21 11:54:29,085 fail2ban.jail : INFO Jail 'ssh' stopped
2010-02-21 11:54:29,874 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.3
2010-02-21 11:54:29,876 fail2ban.jail : INFO Creating new jail 'apache-noscript'
2010-02-21 11:54:29,877 fail2ban.jail : INFO Jail 'apache-noscript' uses poller
2010-02-21 11:54:29,941 fail2ban.filter : INFO Added logfile = /var/log/apache2/error.log
2010-02-21 11:54:29,943 fail2ban.filter : INFO Set maxRetry = 6
2010-02-21 11:54:29,948 fail2ban.filter : INFO Set findtime = 600
2010-02-21 11:54:29,950 fail2ban.actions: INFO Set banTime = 86400
2010-02-21 11:54:29,971 fail2ban.jail : INFO Creating new jail 'ssh-ddos'
2010-02-21 11:54:29,972 fail2ban.jail : INFO Jail 'ssh-ddos' uses poller
2010-02-21 11:54:29,974 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2010-02-21 11:54:29,976 fail2ban.filter : INFO Set maxRetry = 3
2010-02-21 11:54:29,981 fail2ban.filter : INFO Set findtime = 600
2010-02-21 11:54:29,983 fail2ban.actions: INFO Set banTime = 86400
2010-02-21 11:54:29,999 fail2ban.jail : INFO Creating new jail 'apache-overflows'
2010-02-21 11:54:29,999 fail2ban.jail : INFO Jail 'apache-overflows' uses poller
2010-02-21 11:54:30,001 fail2ban.filter : INFO Added logfile = /var/log/apache2/error.log
2010-02-21 11:54:30,003 fail2ban.filter : INFO Set maxRetry = 2
2010-02-21 11:54:30,008 fail2ban.filter : INFO Set findtime = 600
2010-02-21 11:54:30,010 fail2ban.actions: INFO Set banTime = 86400
2010-02-21 11:54:30,027 fail2ban.jail : INFO Creating new jail 'ssh'
2010-02-21 11:54:30,027 fail2ban.jail : INFO Jail 'ssh' uses poller
2010-02-21 11:54:30,029 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2010-02-21 11:54:30,031 fail2ban.filter : INFO Set maxRetry = 3
2010-02-21 11:54:30,036 fail2ban.filter : INFO Set findtime = 600
2010-02-21 11:54:30,038 fail2ban.actions: INFO Set banTime = 86400
2010-02-21 11:54:30,198 fail2ban.jail : INFO Creating new jail 'apache'
2010-02-21 11:54:30,199 fail2ban.jail : INFO Jail 'apache' uses poller
2010-02-21 11:54:30,201 fail2ban.filter : INFO Added logfile = /var/log/apache2/error.log
2010-02-21 11:54:30,203 fail2ban.filter : INFO Set maxRetry = 6
2010-02-21 11:54:30,208 fail2ban.filter : INFO Set findtime = 600
2010-02-21 11:54:30,209 fail2ban.actions: INFO Set banTime = 86400
2010-02-21 11:54:30,230 fail2ban.jail : INFO Creating new jail 'proftpd'
2010-02-21 11:54:30,231 fail2ban.jail : INFO Jail 'proftpd' uses poller
2010-02-21 11:54:30,246 fail2ban.filter : INFO Added logfile = /var/log/proftpd/proftpd.log
2010-02-21 11:54:30,248 fail2ban.filter : INFO Set maxRetry = 6
2010-02-21 11:54:30,253 fail2ban.filter : INFO Set findtime = 600
2010-02-21 11:54:30,255 fail2ban.actions: INFO Set banTime = 86400
2010-02-21 11:54:30,285 fail2ban.jail : INFO Jail 'apache-noscript' started
2010-02-21 11:54:30,291 fail2ban.jail : INFO Jail 'ssh-ddos' started
2010-02-21 11:54:30,313 fail2ban.jail : INFO Jail 'apache-overflows' started
2010-02-21 11:54:30,327 fail2ban.jail : INFO Jail 'ssh' started
2010-02-21 11:54:30,368 fail2ban.jail : INFO Jail 'apache' started
2010-02-21 11:54:30,461 fail2ban.jail : INFO Jail 'proftpd' started
iptables -L
Chain INPUT (policy ACCEPT)
target                     prot opt source               destination
fail2ban-proftpd           tcp  --  anywhere             anywhere            multiport dports ftp,ftp-data,ftps,ftps-data
fail2ban-apache            tcp  --  anywhere             anywhere            multiport dports www,https
fail2ban-apache-overflows  tcp  --  anywhere             anywhere            multiport dports www,https
fail2ban-ssh               tcp  --  anywhere             anywhere            multiport dports ssh
fail2ban-ssh-ddos          tcp  --  anywhere             anywhere            multiport dports ssh
fail2ban-apache-noscript   tcp  --  anywhere             anywhere            multiport dports www,https
ACCEPT                     all  --  anywhere             anywhere            state RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             chello089074036205.chello.pl  udp dpt:29910
ACCEPT     udp  --  anywhere             chello089074036205.chello.pl  udp dpt:27901
ACCEPT     udp  --  anywhere             chello089074036205.chello.pl  udp dpt:27900
ACCEPT     udp  --  anywhere             chello089074036205.chello.pl  udp dpt:6500
ACCEPT     udp  --  anywhere             chello089074036205.chello.pl  udp dpt:6112
ACCEPT     tcp  --  anywhere             chello089074036205.chello.pl  tcp dpt:29920
ACCEPT     tcp  --  anywhere             chello089074036205.chello.pl  tcp dpt:29901
ACCEPT     tcp  --  anywhere             chello089074036205.chello.pl  tcp dpt:29900
ACCEPT     tcp  --  anywhere             chello089074036205.chello.pl  tcp dpt:28910
ACCEPT     tcp  --  anywhere             chello089074036205.chello.pl  tcp dpt:ircd
ACCEPT     tcp  --  anywhere             chello089074036205.chello.pl  tcp dpt:5900
ACCEPT     udp  --  anywhere             chello089074036205.chello.pl  udp dpt:4445
ACCEPT     udp  --  anywhere             chello089074036205.chello.pl  udp dpt:6882
ACCEPT     tcp  --  anywhere             chello089074036205.chello.pl  tcp dpt:6882
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED

Chain fail2ban-apache (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-apache-noscript (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-apache-overflows (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-proftpd (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-ssh (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-ssh-ddos (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
now then, does it work?
what is this error
2010-02-21 11:01:31,111 fail2ban.actions.action: ERROR iptables -D INPUT -p tcp -m multiport --dports ssh -j fail2ban-ssh
and how do I get rid of it
or alternatively, what could be changed?
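A reader-side check on the log quoted above (added here; it is not part of the original post). `iptables -D` exits non-zero when the rule it is asked to delete is not present in the chain, and fail2ban 0.8 logs the failed command as an ERROR. Both ERROR lines in the log sit one millisecond before `Jail 'ssh' stopped`, so they come from the jail's stop action (the `-D INPUT ... -j fail2ban-ssh` teardown), not from a ban. The function below reads fail2ban log lines and sorts every action ERROR by the iptables verb that failed: teardown (`-D INPUT`, `-F`, `-X`: the rule was already gone, which is harmless), setup (`-I INPUT`, `-N`: the ban chain never got hooked in, so bans silently do nothing) and ban-action (`-I fail2ban-<jail>` / `-D fail2ban-<jail>`). The sample log is constructed from lines in the post plus one made-up setup failure at 12:10:00 so that branch is exercised.

```shell
#!/bin/sh
# Added example, not from the thread: classify fail2ban action ERRORs.
# Sample log: lines taken from the post, plus a constructed setup failure
# (the 12:10:00 line) that never appeared in the real log.
sample_log() {
cat <<'EOF'
2010-02-21 11:01:31,111 fail2ban.actions.action: ERROR iptables -D INPUT -p tcp -m multiport --dports ssh -j fail2ban-ssh
2010-02-21 11:01:31,112 fail2ban.jail : INFO Jail 'ssh' stopped
2010-02-21 11:01:31,799 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.3
2010-02-21 11:01:31,801 fail2ban.jail : INFO Creating new jail 'ssh'
2010-02-21 11:01:32,012 fail2ban.jail : INFO Jail 'ssh' started
2010-02-21 11:54:29,070 fail2ban.actions.action: ERROR  iptables -D INPUT -p tcp -m multiport --dports ssh -j fail2ban-ssh
2010-02-21 11:54:29,085 fail2ban.jail : INFO Jail 'ssh' stopped
2010-02-21 11:54:30,027 fail2ban.jail : INFO Creating new jail 'ssh'
2010-02-21 11:54:30,327 fail2ban.jail : INFO Jail 'ssh' started
2010-02-21 12:10:00,000 fail2ban.actions.action: ERROR  iptables -I INPUT -p tcp -m multiport --dports ssh -j fail2ban-ssh
EOF
}

# Reads fail2ban log lines on stdin, prints "<kind> <jail> <date> <time>"
# for every failed action command.
classify_errors() {
    awk '
    /fail2ban\.actions\.action: *ERROR/ {
        verb = ""; target = ""; jail = ""
        for (i = 1; i <= NF; i++) {
            # token after "iptables" is the verb, the one after that its chain
            if ($i == "iptables" && i + 1 <= NF) { verb = $(i + 1); target = $(i + 2) }
            # a jump into fail2ban-<jail> names the jail for INPUT-level rules
            if ($i == "-j" && $(i + 1) ~ /^fail2ban-/) jail = $(i + 1)
        }
        # for ban/unban commands the jail chain is the verb argument itself
        if (target ~ /^fail2ban-/) jail = target
        sub(/^fail2ban-/, "", jail)
        if (jail == "") jail = "?"
        if (verb == "-D" && target == "INPUT") kind = "teardown"
        else if (verb == "-F" || verb == "-X") kind = "teardown"
        else if ((verb == "-I" || verb == "-A") && target == "INPUT") kind = "setup"
        else if (verb == "-N") kind = "setup"
        else if ((verb == "-I" || verb == "-D") && target ~ /^fail2ban-/) kind = "ban-action"
        else kind = "unknown"
        print kind, jail, $1, $2
    }'
}

# Count of failed actions per kind; "setup" or "ban-action" counts above zero
# mean the firewall is not actually banning anybody.
error_summary() {
    classify_errors | awk '{ n[$1]++ } END { for (k in n) print k, n[k] }' | sort
}

sample_log | classify_errors
sample_log | error_summary
```

Run it against the real file with `classify_errors < /var/log/fail2ban.log`; a teardown-only result, as in this thread, means the only thing lost is the cleanup of a rule that had already been flushed.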
If I were you I'd go with denyhosts, plus the ipt_recent trick (it's in the howto)
http://forum.ubuntu.pl/showthread.php?p=281050
http://stary.dug.net.pl/faq/faq-3-140-Blokowanie_ss … logowania.php
That's all
;)
Last edited by Jacekalex (2010-03-02 00:52:30)
iptables as installed by default with Debian
I don't type in any rules, I have a script for forwarding
root@haruko:/home/urbinek# cat /etc/init.d/firewall
#!/bin/sh

# enabling iptables
echo 1 > /proc/sys/net/ipv4/ip_forward

# flushing the rules
iptables -F
iptables -X
iptables -t nat -X
iptables -t nat -F
iptables -t mangle -F
iptables -t mangle -X

iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED
iptables -A FORWARD -j ACCEPT -m state --state ESTABLISHED,RELATED
iptables -A OUTPUT -j ACCEPT -m state --state ESTABLISHED,RELATED

iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -j MASQUERADE

#
#
#
# activating the fail2ban firewall protection
/etc/init.d/fail2ban restart
and as for fail2ban, I checked, it works fine :)
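The firewall script above flushes and deletes every chain (`iptables -F`, `iptables -X`) before restarting fail2ban, so the `fail2ban-<jail>` chains exist only if that restart was the last thing to touch the filter table. Added check, not from the thread: a function that reads `iptables -L` output and, for each jail expected to be enabled, reports whether its chain exists and whether INPUT still jumps to it. The three sample rulesets are constructed: one trimmed from the `iptables -L` output posted earlier, one as the table looks after `iptables -F` alone (chains still defined but empty and unhooked), and one after `iptables -F; iptables -X` (chains gone).

```shell
#!/bin/sh
# Added example, not from the thread: verify fail2ban chains survived a firewall reload.

# Constructed sample: INPUT and three jail chains, trimmed from the posted `iptables -L`.
ruleset_after_fail2ban() {
cat <<'EOF'
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-proftpd  tcp  --  anywhere             anywhere            multiport dports ftp,ftp-data,ftps,ftps-data
fail2ban-ssh  tcp  --  anywhere             anywhere            multiport dports ssh
fail2ban-ssh-ddos  tcp  --  anywhere             anywhere            multiport dports ssh
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED

Chain fail2ban-proftpd (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-ssh (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-ssh-ddos (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
EOF
}

# Constructed sample: after `iptables -F` only, the chain is still defined but
# INPUT no longer jumps into it, so bans go nowhere.
ruleset_after_flush_only() {
cat <<'EOF'
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-ssh (0 references)
target     prot opt source               destination
EOF
}

# Constructed sample: after `iptables -F; iptables -X`, the jail chains are gone.
ruleset_after_flush() {
cat <<'EOF'
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
EOF
}

# Usage: iptables -L | verify_jail_chains ssh ssh-ddos proftpd
# Prints one line per expected jail: ok / NOT-IN-INPUT / MISSING-CHAIN.
verify_jail_chains() {
    awk -v expected="$*" '
    /^Chain / {
        chain = $2
        # "fail2ban-" is 9 characters; the rest is the jail name
        if (chain ~ /^fail2ban-/) defined[substr(chain, 10)] = 1
        next
    }
    # a rule inside INPUT whose target is fail2ban-<jail> hooks that jail in
    chain == "INPUT" && $1 ~ /^fail2ban-/ { hooked[substr($1, 10)] = 1 }
    END {
        n = split(expected, jails, " ")
        for (i = 1; i <= n; i++) {
            j = jails[i]
            if (!(j in defined)) print "MISSING-CHAIN", j
            else if (!(j in hooked)) print "NOT-IN-INPUT", j
            else print "ok", j
        }
    }'
}

echo "after fail2ban restart:"; ruleset_after_fail2ban | verify_jail_chains ssh ssh-ddos proftpd
echo "after iptables -F:";      ruleset_after_flush_only | verify_jail_chains ssh
echo "after iptables -F -X:";   ruleset_after_flush | verify_jail_chains ssh proftpd
```

The jail list to pass is whatever has `enabled = true` in jail.conf/jail.local; in this thread that is ssh, ssh-ddos, apache, apache-noscript, apache-overflows and proftpd.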
Jacekalex wrote:
If I were you I'd go with denyhosts, plus the ipt_recent trick (it's in the howto)
what's the trick for? Can't denyhosts lift the blocks itself after a given time?
The firewall trick, cutting an IP off on all ports for 10 to 30 seconds after one or two SYN packets, is ideal for hiding services on a server.
You just shouldn't apply it to the web server's ports (browsers usually open several connections at once), but it's perfect for hiding mysql, webmin and other services on the server.
With such a setup, and with ssh moved to e.g. port 1914, no scanner, even one scanning all ports (like nmap with the --all option), will ever find the ssh server.
denyhosts, on the other hand, by adding addresses to hosts.deny with the ALL option, blocks access to the whole server, all services, and can also add them to blacklists on other servers, so the client gets banned on a considerable number of machines running denyhosts.
Whether (or why) it's worth it depends on the configuration; the devil is in the details.
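The trick Jacekalex describes, written out as an iptables rule generator (added example; it is not code from the thread or from the linked howto). A source gets a small allowance of SYNs inside a window; once it exceeds it, the `recent` module drops every packet from that address on every port until the window expires, and `--update` keeps pushing the expiry while the source keeps knocking. The web ports are exempted, as the post advises, and the LAN from the OP's `ignoreip` line is whitelisted so an admin cannot lock themselves out. The 30-second window, the 2-SYN allowance, ports 80/443, the `synwatch` list name and the `APPLY_RULES` switch are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: the ipt_recent "hide the services" trick
# as a rule generator. $1 is the command to run each rule with; the default is
# iptables, and the dry run below uses show_rule so nothing is applied.
# Assumed values: 30 s window, 2 free SYNs, web ports 80/443. 192.168.1.0/24
# is the LAN that appears in the OP's ignoreip line.

show_rule() { printf '%s\n' "$*"; }

syn_throttle_rules() {
    ipt=${1:-iptables}
    admin_net=${ADMIN_NET:-192.168.1.0/24}   # never throttle the local network
    open_ports=${OPEN_PORTS:-80,443}         # browsers open several connections at once
    window=${WINDOW:-30}                     # seconds a noisy source stays blocked
    hits=${HITS:-2}                          # SYNs a source may send inside the window

    # whitelist first, so an admin on the LAN cannot lock themselves out
    $ipt -A INPUT -s "$admin_net" -j ACCEPT
    # replies to connections already accepted are never throttled
    $ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # web ports bypass the throttle and are not recorded either
    $ipt -A INPUT -p tcp --syn -m multiport --dports "$open_ports" -j ACCEPT
    # a source already recorded $hits times inside the window is dropped on every
    # port and protocol; --update refreshes its timestamp, so a scan in progress
    # keeps the source blocked. The hitcount counts SYNs recorded before this
    # packet, so confirm the exact cutoff on your kernel before relying on it.
    $ipt -A INPUT -m recent --name synwatch --update --seconds "$window" --hitcount "$hits" -j DROP
    # record this SYN; the first few SYNs in the window reach the service normally
    $ipt -A INPUT -p tcp --syn -m recent --name synwatch --set
}

# Dry run by default; APPLY_RULES=1 runs the real iptables (needs root and an
# otherwise empty INPUT chain, or insert these ahead of your service rules).
if [ "${APPLY_RULES:-0}" = 1 ]; then
    syn_throttle_rules iptables
else
    syn_throttle_rules show_rule
fi
```

Order matters: the DROP rule must sit before the `--set` rule (otherwise the dropping SYN would be recorded twice) and before the rules that accept your hidden services. The `recent` table keeps 100 addresses by default (the xt_recent `ip_list_tot` module parameter), and `cat /proc/net/xt_recent/synwatch` shows who is currently listed, which is the place to look when a legitimate client reports being shut out.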