Prevention with fail2ban
------------------------

In the following, the intrusion prevention system *fail2ban* is installed and configured. All of this happens on our 'alp-router':

Installation
^^^^^^^^^^^^

At this point:

.. highlight:: shell-session

::

    my@bash $ h
ostname -f
    alp-router.haus1.tld
    my@bash $
    my@bash $
    my@bash $ apk -dv search fail2ban
    fail2ban-openrc-0.10.3.1-r2 - Scans log files for login failures then updates iptables to reject originating ip address (OpenRC init scripts)
    fail2ban-doc-0.10.3.1-r2 - Scans log files for login failures then updates iptables to reject originating ip address (documentation)
    fail2ban-0.10.3.1-r2 - Scans log files for login failures then updates iptables to reject originating ip address
    my@bash $
    my@bash $ ## LPI-relevant description: "Scans log files for login failures then updates iptables to reject originating ip address"!
    my@bash $
    my@bash $
    my@bash $ apk add fail2ban-openrc
    (1/7) Installing expat (2.2.8-r0)
    (2/7) Installing xz-libs (5.2.4-r0)
    (3/7) Installing python3 (3.6.9-r3)
    (4/7) Installing popt (1.16-r7)
    (5/7) Installing logrotate (3.15.0-r0)
    (6/7) Installing logrotate-openrc (3.15.0-r0)
    (7/7) Installing fail2ban-openrc (0.10.3.1-r2)
    Executing busybox-1.29.3-r10.trigger
    OK: 111 MiB in 88 packages
    my@bash $
    my@bash $
    my@bash $ apk add fail2ban
    (1/1) Installing fail2ban (0.10.3.1-r2)
    Executing busybox-1.29.3-r10.trigger
    OK: 114 MiB in 89 packages
    my@bash $

Basic configuration, first start
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

On most Linux distributions the jail for sshd is preconfigured, so there is little to do. Otherwise things continue much as described at https://pemmann.de/cc/Doc/Abuild/_build/html/handouts/202.html#fail2ban-ein-intrusion-prevention-system-ips.

.. highlight:: shell-session

::

    my@bash $ ## Check how far Alpine Linux has preconfigured the package:
    my@bash $ pgrep -alf log
    224 /sbin/syslogd -Z
    my@bash $
    my@bash $ find /var/log -mmin -2
    /var/log/messages
    my@bash $
    my@bash $ ## >> The successful ssh login that just took place has been recorded:
    my@bash $ tail /var/log/messages
    Jan  4 09:29:32 alp-router local7.info dhcpd: DHCPREQUEST for 10.1.1.3 from 00:16:3e:ff:b2:c9 via eth1
    Jan  4 09:29:32 alp-router local7.info dhcpd: DHCPACK on 10.1.1.3 to 00:16:3e:ff:b2:c9 via eth1
    Jan  4 09:30:00 alp-router cron.info crond[251]: USER root pid 528 cmd run-parts /etc/periodic/15min
    Jan  4 09:34:31 alp-router local7.err dhcpd: uid lease 10.1.1.100 for client 00:16:3e:ff:b2:c9 is duplicate on 10.1.1.0/24
    Jan  4 09:34:31 alp-router local7.info dhcpd: DHCPREQUEST for 10.1.1.3 from 00:16:3e:ff:b2:c9 via eth1
    Jan  4 09:34:31 alp-router local7.info dhcpd: DHCPACK on 10.1.1.3 to 00:16:3e:ff:b2:c9 via eth1
    Jan  4 09:38:41 alp-router auth.info sshd[540]: Accepted publickey for tux from 192.168.2.202 port 36822 ssh2: RSA SHA256:4Ngaq8yf5AMASDqg2SQrh8CXYy/g5GtrntDou4Yc8cw
    Jan  4 09:39:19 alp-router local7.err dhcpd: uid lease 10.1.1.100 for client 00:16:3e:ff:b2:c9 is duplicate on 10.1.1.0/24
    Jan  4 09:39:19 alp-router local7.info dhcpd: DHCPREQUEST for 10.1.1.3 from 00:16:3e:ff:b2:c9 via eth1
    Jan  4 09:39:19 alp-router local7.info dhcpd: DHCPACK on 10.1.1.3 to 00:16:3e:ff:b2:c9 via eth1
    my@bash $
    my@bash $ ### A failed attempt in /var/log/messages:
    Jan  4 09:41:32 alp-router auth.info sshd[548]: Invalid user fritzzz from 192.168.2.202 port 36824
    Jan  4 09:41:35 alp-router auth.err sshd[548]: error: Could not get shadow information for NOUSER
    Jan  4 09:41:35 alp-router auth.info sshd[548]: Failed password for invalid user fritzzz from 192.168.2.202 port 36824 ssh2
    Jan  4 09:41:37 alp-router auth.info sshd[548]: Failed password for invalid user fritzzz from 192.168.2.202 port 36824 ssh2
    Jan  4 09:41:39 alp-router auth.info sshd[548]: Failed password for invalid user fritzzz from 192.168.2.202 port 36824 ssh2
    Jan  4 09:41:39 alp-router auth.info sshd[548]: Connection closed by invalid user fritzzz 192.168.2.202 port 36824 [preauth]

And this is the login attempt that triggered it, started from the SuSE host:

::

    my@bash $
    my@bash $ ssh fritzzz@192.168.2.103
    fritzzz@192.168.2.103's password:
    Permission denied, please try again.
    fritzzz@192.168.2.103's password:
    Permission denied, please try again.
    fritzzz@192.168.2.103's password:
    fritzzz@192.168.2.103: Permission denied (publickey,password,keyboard-interactive).
    my@bash $
    my@bash $ grep -ri '/var/log/messages' /etc/fail2ban/
    /etc/fail2ban/filter.d/nagios.conf:# typically logged in /var/log/messages syslog
    /etc/fail2ban/jail.d/alpine-ssh.conf:logpath = /var/log/messages
    /etc/fail2ban/jail.d/alpine-ssh.conf:logpath = /var/log/messages
    /etc/fail2ban/paths-fedora.conf:# Tested and it worked out in /var/log/messages so assuming syslog_ftp for now.
    /etc/fail2ban/paths-freebsd.conf:# note - is only ftp.info - if notice /var/log/messages may be needed
    /etc/fail2ban/paths-common.conf:syslog_local0 = /var/log/messages
    my@bash $
    my@bash $ ## >> All good - the logfile has already been hooked in, exactly as on Debian.
::

    my@bash $
    my@bash $
    my@bash $ ## We change into the ServerRoot directory:
    my@bash $ cd /etc/fail2ban/
    my@bash $
    my@bash $ ls -lhS
    total 56
    -rw-r--r--    1 root     root       22.4K Apr  4  2018 jail.conf
    -rw-r--r--    1 root     root        2.8K Apr  4  2018 paths-common.conf
    drwxr-xr-x    1 root     root        2.6K Jan  4 09:33 filter.d
    drwxr-xr-x    1 root     root        2.3K Jan  4 09:33 action.d
    -rw-r--r--    1 root     root        2.3K Apr  4  2018 fail2ban.conf
    -rw-r--r--    1 root     root         982 Apr  4  2018 paths-freebsd.conf
    -rw-r--r--    1 root     root         930 Apr  4  2018 paths-fedora.conf
    -rw-r--r--    1 root     root         738 Apr  4  2018 paths-opensuse.conf
    -rw-r--r--    1 root     root         645 Apr  4  2018 paths-arch.conf
    -rw-r--r--    1 root     root         573 Apr  4  2018 paths-debian.conf
    -rw-r--r--    1 root     root         286 Apr  4  2018 paths-osx.conf
    drwxr-xr-x    1 root     root          30 Jan  4 09:33 jail.d
    drwxr-xr-x    1 root     root           0 Jan  4 09:33 fail2ban.d
    my@bash $
    my@bash $ ## >> And we see that jail.conf is huge! Better to use the matching files in 'jail.d':
    my@bash $
    my@bash $ ## Look at the configuration:
    my@bash $ ls -lhS jail.d/
    total 4
    -rw-r--r--    1 root     root         219 Dec 20  2018 alpine-ssh.conf
    my@bash $
    my@bash $ cat jail.d/alpine-ssh.conf
    [sshd]
    enabled = true
    filter = alpine-sshd
    port = ssh
    logpath = /var/log/messages
    maxretry = 10

    [sshd-ddos]
    enabled = true
    filter = alpine-sshd-ddos
    port = ssh
    logpath = /var/log/messages
    maxretry = 10
    my@bash $
    my@bash $
    my@bash $ ## >> Both jails are active (LPI-relevant: "enabled = true").

With that we can venture a function test:

.. highlight:: shell-session

::

    my@bash $ pgrep -alf fail
    my@bash $
    my@bash $ rc-service fail2ban start
     * Caching service dependencies ...                               [ ok ]
     * Starting fail2ban ...
    Server ready                                                      [ ok ]
    my@bash $
    my@bash $ pgrep -alf fail
    699 /usr/bin/python3 /usr/bin/fail2ban-server --async -b -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid --loglevel INFO --logtarget /var/log/fail2ban.log --syslogsocket auto
    my@bash $
    my@bash $ rc-update add fail2ban
     * service fail2ban added to runlevel default
    my@bash $
    my@bash $
    my@bash $ ## The frontend 'fail2ban-client' is particularly important:
    my@bash $ fail2ban-client status
    Status
    |- Number of jail:      2
    `- Jail list:   sshd, sshd-ddos
    my@bash $
    my@bash $
    my@bash $ fail2ban-client -v status sshd
    2021-01-04 09:55:49,698 fail2ban.configreader [713]: INFO Loading configs for fail2ban under /etc/fail2ban
    2021-01-04 09:55:49,704 fail2ban.configparserin [713]: INFO Loading files: ['/etc/fail2ban/fail2ban.conf']
    2021-01-04 09:55:49,708 fail2ban.configparserin [713]: INFO Loading files: ['/etc/fail2ban/fail2ban.conf']
    2021-01-04 09:55:49,708 fail2ban [713]: INFO Using socket file /var/run/fail2ban/fail2ban.sock
    2021-01-04 09:55:49,709 fail2ban [713]: INFO Using pid file /var/run/fail2ban/fail2ban.pid, [INFO] logging to /var/log/fail2ban.log
    Status for the jail: sshd
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     0
    |  `- File list:        /var/log/messages
    `- Actions
       |- Currently banned: 0
       |- Total banned:     0
       `- Banned IP list:
    my@bash $
    my@bash $
    my@bash $ ## Change to a maximum of 3 permitted failed attempts:
    my@bash $ vi jail.d/alpine-ssh.conf
    my@bash $
    my@bash $ grep maxretry jail.d/alpine-ssh.conf
    maxretry = 3
    maxretry = 3
    my@bash $
    my@bash $ rc-service fail2ban restart
     * Stopping fail2ban ...                                           [ ok ]
     * Starting fail2ban ...
    Server ready                                                      [ ok ]
    my@bash $
    my@bash $ ## Testing:
    my@bash $ tail -f /var/log/fail2ban.log
    2021-01-04 10:00:28,505 fail2ban.jail [762]: INFO Creating new jail 'sshd-ddos'
    2021-01-04 10:00:28,506 fail2ban.jail [762]: INFO Jail 'sshd-ddos' uses poller {}
    2021-01-04 10:00:28,506 fail2ban.jail [762]: INFO Initiated 'polling' backend
    2021-01-04 10:00:28,509 fail2ban.filter [762]: INFO Added logfile: '/var/log/messages' (pos = 50755, hash = 8271a07d126f4f38550a77627100fd020839c55c)
    2021-01-04 10:00:28,509 fail2ban.filter [762]: INFO encoding: UTF-8
    2021-01-04 10:00:28,510 fail2ban.filter [762]: INFO maxRetry: 3
    2021-01-04 10:00:28,510 fail2ban.filter [762]: INFO findtime: 600
    2021-01-04 10:00:28,511 fail2ban.actions [762]: INFO banTime: 600
    2021-01-04 10:00:28,513 fail2ban.jail [762]: INFO Jail 'sshd' started
    2021-01-04 10:00:28,515 fail2ban.jail [762]: INFO Jail 'sshd-ddos' started

    my@bash $ ssh 192.168.2.103
    Enter passphrase for key '/home/tux/.ssh/id_rsa':
    tux@192.168.2.103's password:
    Permission denied, please try again.
    tux@192.168.2.103's password:
    Permission denied, please try again.
    tux@192.168.2.103's password:
    tux@192.168.2.103: Permission denied (publickey,password,keyboard-interactive).
    my@bash $

From the log (/var/log/fail2ban.log):

::

    2021-01-04 10:01:27,878 fail2ban.filter [762]: INFO [sshd] Found 192.168.2.202 - 2021-01-04 10:01:27
    2021-01-04 10:01:28,080 fail2ban.filter [762]: INFO [sshd] Found 192.168.2.202 - 2021-01-04 10:01:28

    my@bash $ ssh 192.168.2.103
    Enter passphrase for key '/home/tux/.ssh/id_rsa':
    Enter passphrase for key '/home/tux/.ssh/id_rsa':
    Enter passphrase for key '/home/tux/.ssh/id_rsa':
    tux@192.168.2.103's password:
    Permission denied, please try again.
    tux@192.168.2.103's password:
    Permission denied, please try again.
    tux@192.168.2.103's password:
    tux@192.168.2.103: Permission denied (publickey,password,keyboard-interactive).
    my@bash $
    my@bash $

    2021-01-04 10:01:51,331 fail2ban.filter [762]: INFO [sshd] Found 192.168.2.202 - 2021-01-04 10:01:51
    2021-01-04 10:01:51,919 fail2ban.actions [762]: NOTICE [sshd] Ban 192.168.2.202
    2021-01-04 10:01:52,538 fail2ban.filter [762]: INFO [sshd] Found 192.168.2.202 - 2021-01-04 10:01:51

    my@bash $ ## And behold, access really is no longer possible:
    my@bash $ ssh 192.168.2.103
    ssh: connect to host 192.168.2.103 port 22: Connection refused
    my@bash $

We can now see the ban in three places: a) the logfiles, b) fail2ban-client and c) iptables:

.. highlight:: shell-session

::

    my@bash $ ## a) In the fail2ban log:
    my@bash $ grep Ban /var/log/fail2ban.log
    2021-01-04 10:01:51,919 fail2ban.actions [762]: NOTICE [sshd] Ban 192.168.2.202
    my@bash $
    my@bash $
    my@bash $ ## b) With fail2ban-client:
    my@bash $ fail2ban-client -v status sshd
    2021-01-04 10:04:43,995 fail2ban.configreader [787]: INFO Loading configs for fail2ban under /etc/fail2ban
    2021-01-04 10:04:43,997 fail2ban.configparserin [787]: INFO Loading files: ['/etc/fail2ban/fail2ban.conf']
    2021-01-04 10:04:44,000 fail2ban.configparserin [787]: INFO Loading files: ['/etc/fail2ban/fail2ban.conf']
    2021-01-04 10:04:44,002 fail2ban [787]: INFO Using socket file /var/run/fail2ban/fail2ban.sock
    2021-01-04 10:04:44,003 fail2ban [787]: INFO Using pid file /var/run/fail2ban/fail2ban.pid, [INFO] logging to /var/log/fail2ban.log
    Status for the jail: sshd
    |- Filter
    |  |- Currently failed: 1
    |  |- Total failed:     4
    |  `- File list:        /var/log/messages
    `- Actions
       |- Currently banned: 1
       |- Total banned:     1
       `- Banned IP list:   192.168.2.202
    my@bash $
    my@bash $
    my@bash $ ## c) With our packet filter:
    my@bash $ iptables -vnL
    Chain INPUT (policy ACCEPT 5 packets, 180 bytes)
     pkts bytes target     prot opt in     out     source               destination
        2   120 f2b-sshd   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22

    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain OUTPUT (policy ACCEPT 2 packets, 176 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain f2b-sshd (1 references)
     pkts bytes target     prot opt in     out     source               destination
        2   120 REJECT     all  --  *      *       192.168.2.202        0.0.0.0/0            reject-with icmp-port-unreachable
        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    my@bash $
    my@bash $ ## >> Works wonderfully. Manually lift the block:

.. highlight:: shell-session

::

    my@bash $ fail2ban-client set sshd unbanip 192.168.2.202
    192.168.2.202
    my@bash $
    my@bash $ fail2ban-client status sshd
    Status for the jail: sshd
    |- Filter
    |  |- Currently failed: 1
    |  |- Total failed:     4
    |  `- File list:        /var/log/messages
    `- Actions
       |- Currently banned: 0
       |- Total banned:     1
       `- Banned IP list:
    my@bash $
    my@bash $ ## >> And right away 'ssh 192.168.2.103' from SuSE runs successfully again.

Fail2ban as a log parser:

- https://help.univention.com/t/portal-deaktivieren-oder-fail2ban/3007
- http://durchgeblickt.de/faq/index.php?action=artikel&cat=8&id=34&artlang=de

Settings for bantime and ignoreip
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

First we look at how to configure the time span for which an attacker stays blocked:

.. highlight:: shell-session

::

    my@bash $ pwd
    /etc/fail2ban
    my@bash $
    my@bash $
    my@bash $ grep -ri '^bantime' .
    ./action.d/shorewall-ipset-proto6.conf:bantime = 600
    ./action.d/iptables-ipset-proto6-allports.conf:bantime = 600
    ./action.d/iptables-ipset-proto6.conf:bantime = 600
    ./action.d/firewallcmd-ipset.conf:bantime = 600
    ./action.d/osx-afctl.conf:bantime = 2880
    ./jail.conf:bantime = 10m
    ./jail.conf:bantime = 48h
    ./jail.conf:bantime = 1w
    ./jail.conf:bantime = 1h
    my@bash $
    my@bash $
    my@bash $ grep -ri -B5 '^bantime' jail.conf | head
    #
    # ignorecommand = /path/to/command
    ignorecommand =

    # "bantime" is the number of seconds that a host is banned.
    bantime = 10m
    --
    [apache-badbots]
    # Ban hosts which agent identifies spammer robots crawling the web
    # for email addresses. The mail outputs are buffered.
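The two files seen above (jail.conf with its global defaults, jail.d/alpine-ssh.conf with the sshd overrides) are merged by fail2ban in the order documented in man 5 jail.conf: jail.conf, jail.d/*.conf, jail.local, jail.d/*.local, with every jail inheriting from [DEFAULT]. The following Python script is an added example, not fail2ban's own config reader: it replays that merge with configparser on constructed, heavily shortened stand-ins for the files, including a full jail.local copy of the kind the next section tries and a small jail.d/apache-auth.conf as created in the Debian session further down.

```python
import configparser
import glob
import os
import tempfile

# Read order from man 5 jail.conf; later files override earlier ones, so a full
# jail.local copy wins over what the distribution put into jail.d/*.conf.
READ_ORDER = ("jail.conf", "jail.d/*.conf", "jail.local", "jail.d/*.local")

# Constructed, heavily shortened stand-in for jail.conf. The sshd_log indirection
# mirrors paths-common.conf (sshd_log -> syslog_authpriv -> /var/log/auth.log).
JAIL_CONF = """\
[DEFAULT]
syslog_authpriv = /var/log/auth.log
sshd_log = %(syslog_authpriv)s
apache_error_log = /var/log/apache2/*error.log
ignoreip = 127.0.0.1/8 ::1
bantime = 10m
findtime = 10m
maxretry = 3
enabled = false

[sshd]
port = ssh
logpath = %(sshd_log)s

[apache-auth]
port = http,https
logpath = %(apache_error_log)s
"""

# Alpine's jail.d/alpine-ssh.conf as shown on this page (sshd part, filter line omitted).
ALPINE_SSH_CONF = """\
[sshd]
enabled = true
port = ssh
logpath = /var/log/messages
maxretry = 10
"""

# What 'grep -A4 apache-auth jail.conf > jail.d/apache-auth.conf' followed by
# "echo 'enabled = true' >> ..." yields from the shortened jail.conf above.
APACHE_AUTH_CONF = """\
[apache-auth]
port = http,https
logpath = %(apache_error_log)s
enabled = true
"""


def write(confdir, relpath, text):
    path = os.path.join(confdir, relpath)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)


def load_jails(confdir):
    """Merge the jail files under confdir in fail2ban's read order."""
    cp = configparser.ConfigParser()  # %(name)s interpolation + [DEFAULT] inheritance, as in fail2ban
    files = []
    for pattern in READ_ORDER:
        files.extend(sorted(glob.glob(os.path.join(confdir, pattern))))
    cp.read(files)
    return cp


def enabled_jails(cp):
    """Effective settings of every enabled jail after inheritance and overrides."""
    keys = ("logpath", "maxretry", "bantime", "ignoreip")
    return {name: {key: cp.get(name, key) for key in keys}
            for name in cp.sections() if cp.getboolean(name, "enabled")}


def demo():
    """Replay the situations from this page inside a temporary config directory."""
    with tempfile.TemporaryDirectory() as confdir:
        write(confdir, "jail.conf", JAIL_CONF)
        write(confdir, "jail.d/alpine-ssh.conf", ALPINE_SSH_CONF)
        alpine = enabled_jails(load_jails(confdir))
        # Alpine experiment: full copy of jail.conf as jail.local with ignoreip extended.
        # Read after jail.d/alpine-ssh.conf, it drags the sshd logpath back to auth.log.
        write(confdir, "jail.local", JAIL_CONF.replace(
            "ignoreip = 127.0.0.1/8 ::1", "ignoreip = 127.0.0.1/8 ::1 192.168.2.202"))
        with_local = enabled_jails(load_jails(confdir))
        os.remove(os.path.join(confdir, "jail.local"))
        # Debian way: one small jail.d file that only enables one more jail.
        write(confdir, "jail.d/apache-auth.conf", APACHE_AUTH_CONF)
        with_apache = enabled_jails(load_jails(confdir))
    return alpine, with_local, with_apache


if __name__ == "__main__":
    for label, jails in zip(("jail.d only", "plus jail.local", "plus apache-auth"), demo()):
        print(label, jails)
```

The second result shows why the jail.local copy in the next section makes fail2ban look for /var/log/auth.log: the copy's ``logpath = %(sshd_log)s`` for [sshd] is read after the Alpine jail.d file and replaces its /var/log/messages.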
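As an added example (not code from this page or from fail2ban), the following Python script models what the sshd jail did in the test above: a failregex is applied to /var/log/messages lines, failures are counted per source address within findtime, the address is banned once maxretry is reached and released again after bantime, and an ignoreip list, as the page sets up in the next section, is honoured as well. The log lines are constructed in the busybox syslog format shown above (the fritzzz attempt from 192.168.2.202 is taken from it, the 10.1.1.100 lines and the year 2021 are assumptions), and the regex is a simplified stand-in for the real alpine-sshd filter.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of /var/log/messages in the busybox syslog format seen on
# alp-router. The fritzzz lines are the ones from the session above; the
# 10.1.1.100 lines are made up to show a source that stays below maxretry
# inside findtime. Busybox syslog writes no year; 2021 is assumed (as in fail2ban.log).
SAMPLE_LOG = """\
Jan  4 09:38:41 alp-router auth.info sshd[540]: Accepted publickey for tux from 192.168.2.202 port 36822 ssh2
Jan  4 09:41:32 alp-router auth.info sshd[548]: Invalid user fritzzz from 192.168.2.202 port 36824
Jan  4 09:41:35 alp-router auth.info sshd[548]: Failed password for invalid user fritzzz from 192.168.2.202 port 36824 ssh2
Jan  4 09:41:37 alp-router auth.info sshd[548]: Failed password for invalid user fritzzz from 192.168.2.202 port 36824 ssh2
Jan  4 09:41:39 alp-router auth.info sshd[548]: Failed password for invalid user fritzzz from 192.168.2.202 port 36824 ssh2
Jan  4 09:41:39 alp-router auth.info sshd[548]: Connection closed by invalid user fritzzz 192.168.2.202 port 36824 [preauth]
Jan  4 09:55:10 alp-router auth.info sshd[601]: Failed password for root from 10.1.1.100 port 50000 ssh2
Jan  4 10:30:02 alp-router auth.info sshd[640]: Failed password for root from 10.1.1.100 port 50001 ssh2
Jan  4 10:30:05 alp-router auth.info sshd[640]: Failed password for root from 10.1.1.100 port 50001 ssh2
"""
LOG_YEAR = 2021

# Simplified stand-in for the alpine-sshd failregex: syslog prefix, then the
# "Failed password ... from <ip>" message. The real filter covers more variants.
FAILREGEX = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failure(line, year=LOG_YEAR):
    """Return (timestamp, source ip) for a failed-login line, else None."""
    m = FAILREGEX.search(line)
    if not m:
        return None
    return datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["ip"]


class Jail:
    """Per-source failure counting like a fail2ban jail. The defaults are the
    values fail2ban.log above reports: maxRetry 3, findtime 600, banTime 600."""

    def __init__(self, maxretry=3, findtime=600, bantime=600, ignoreip=("127.0.0.1/8", "::1")):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.ignore = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
        self.failures = defaultdict(deque)  # ip -> timestamps still inside findtime
        self.bans = {}                      # ip -> time the ban expires
        self.events = []                    # (action, ip, timestamp), like fail2ban.log

    def is_ignored(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.ignore)

    def expire_bans(self, now):
        """Lift bans whose bantime has run out (fail2ban's automatic unban)."""
        for ip, until in list(self.bans.items()):
            if now >= until:
                del self.bans[ip]
                self.events.append(("Unban", ip, now))

    def feed(self, ts, ip):
        self.expire_bans(ts)
        if self.is_ignored(ip):             # ignoreip: noted in the log, never counted
            self.events.append(("Ignore", ip, ts))
            return
        if ip in self.bans:                 # already banned, nothing more to do
            return
        window = self.failures[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > self.findtime:
            window.popleft()                # only failures inside findtime count
        if len(window) >= self.maxretry:
            self.bans[ip] = ts + timedelta(seconds=self.bantime)
            self.events.append(("Ban", ip, ts))
            window.clear()


def run_jail(log_text, **settings):
    """Feed every matching line of log_text through one Jail and return its events."""
    jail = Jail(**settings)
    for line in log_text.splitlines():
        parsed = parse_failure(line)
        if parsed:
            jail.feed(*parsed)
    return jail.events


def actions(events):
    """Compact view of the events: 'Ban 192.168.2.202', 'Unban ...', 'Ignore ...'."""
    return [f"{action} {ip}" for action, ip, _ in events]


if __name__ == "__main__":
    for action, ip, ts in run_jail(SAMPLE_LOG):
        print(f"{ts:%Y-%m-%d %H:%M:%S} [sshd] {action} {ip}")
```

With the page's values the script bans 192.168.2.202 on the third failure and lifts the ban when the next event arrives more than 600 seconds later, while the three 10.1.1.100 failures spread over 35 minutes never reach maxretry inside one findtime window.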
::

    my@bash $
    my@bash $ ## >> The global 'bantime', after which the block is lifted automatically, is 10 minutes.

And now we also want to define the SuSE host as an exception, in case someone starts failed attempts from there. For that there is ``ignoreip``:

::

    my@bash $ ## To ignore login failures from trusted hosts:
    my@bash $ grep -ri -B5 'ignoreip' .
    ./filter.d/freeswitch.conf-#
    ./filter.d/freeswitch.conf-# Enable "log-auth-failures" on each Sofia profile to monitor
    ./filter.d/freeswitch.conf-#
    ./filter.d/freeswitch.conf-# -- this requires a high enough loglevel on your logs to save these messages.
    ./filter.d/freeswitch.conf-#
    ./filter.d/freeswitch.conf:# In the fail2ban jail.local file for this filter set ignoreip to the internal
    --
    ./jail.conf-
    ./jail.conf-# "ignorself" specifies whether the local resp. own IP addresses should be ignored
    ./jail.conf-# (default is true). Fail2ban will not ban a host which matches such addresses.
    ./jail.conf-#ignorself = true
    ./jail.conf-
    ./jail.conf:# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
    ./jail.conf-# will not ban a host which matches an address in this list. Several addresses
    ./jail.conf-# can be defined using space (and/or comma) separator.
    ./jail.conf:#ignoreip = 127.0.0.1/8 ::1
    my@bash $
    my@bash $ grep -ri -B5 'ignoreip' jail.conf | head
    # "ignorself" specifies whether the local resp. own IP addresses should be ignored
    # (default is true). Fail2ban will not ban a host which matches such addresses.
    #ignorself = true

    # "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
    # will not ban a host which matches an address in this list. Several addresses
    # can be defined using space (and/or comma) separator.
    #ignoreip = 127.0.0.1/8 ::1
    my@bash $
    my@bash $
    my@bash $
    my@bash $ ## As is customary on Debian, people like to work with a copy named jail.local:
    my@bash $ cp jail.conf jail.local
    my@bash $
    my@bash $ vi jail.local
    my@bash $ grep ^ignore jail.local
    ignoreip = 127.0.0.1/8 ::1 192.168.2.202
    ignorecommand =
    ignorecommand = %(ignorecommands_dir)s/apache-fakegooglebot
    my@bash $
    my@bash $
    my@bash $
    my@bash $ rc-service fail2ban restart
     * Stopping fail2ban ...                                           [ ok ]
     * Starting fail2ban ...
    2021-01-04 10:47:31,185 fail2ban.jailreader [864]: ERROR No file(s) found for glob /var/log/auth.log
    2021-01-04 10:47:31,186 fail2ban [864]: ERROR Failed during configuration: Have not found any log file for sshd jail
     * start-stop-daemon: failed to start `/usr/bin/fail2ban-client'
     * Failed to start fail2ban                                        [ !! ]
     * ERROR: fail2ban failed to start
    my@bash $
    my@bash $
    my@bash $ grep /var/log/auth.log jail.local
    my@bash $
    my@bash $ grep -r /var/log/auth.log .
    ./paths-common.conf:syslog_authpriv = /var/log/auth.log
    my@bash $
    my@bash $
    my@bash $ rc-service fail2ban restart
     * Starting fail2ban ...
    2021-01-04 10:48:41,397 fail2ban.jailreader [888]: ERROR No file(s) found for glob /var/log/auth.log
    2021-01-04 10:48:41,398 fail2ban [888]: ERROR Failed during configuration: Have not found any log file for sshd jail
     * start-stop-daemon: failed to start `/usr/bin/fail2ban-client'
     * Failed to start fail2ban                                        [ !! ]
     * ERROR: fail2ban failed to start
    my@bash $
    my@bash $
    my@bash $ mv jail.local ~
    my@bash $
    my@bash $ rc-service fail2ban restart
     * Starting fail2ban ...
    Server ready                                                      [ ok ]
    my@bash $
    my@bash $ ## >> Something is not quite right here (-> Debian-style, a /var/log/auth.log is looked for).
    my@bash $
    my@bash $ grep ignoreip jail.conf
    # "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
    #ignoreip = 127.0.0.1/8 ::1
    my@bash $
    my@bash $
    my@bash $ ## As an experiment, change it directly in jail.conf:
    my@bash $ vi jail.conf
    my@bash $
    my@bash $ rc-service fail2ban restart
     * Stopping fail2ban ...                                           [ ok ]
     * Starting fail2ban ...
    Server ready                                                      [ ok ]
    my@bash $
    my@bash $ ## >> The change in this default jail config file was accepted.
    my@bash $
    my@bash $
    my@bash $ grep ^ignoreip jail.conf
    ignoreip = 127.0.0.1/8 ::1 192.168.2.202
    my@bash $
    my@bash $
    my@bash $ tail -f /var/log/fail2ban.log
    2021-01-04 10:52:17,982 fail2ban.jail [971]: INFO Creating new jail 'sshd-ddos'
    2021-01-04 10:52:17,983 fail2ban.jail [971]: INFO Jail 'sshd-ddos' uses poller {}
    2021-01-04 10:52:17,984 fail2ban.jail [971]: INFO Initiated 'polling' backend
    2021-01-04 10:52:17,986 fail2ban.filter [971]: INFO Added logfile: '/var/log/messages' (pos = 56220, hash = 8271a07d126f4f38550a77627100fd020839c55c)
    2021-01-04 10:52:17,986 fail2ban.filter [971]: INFO encoding: UTF-8
    2021-01-04 10:52:17,987 fail2ban.filter [971]: INFO maxRetry: 3
    2021-01-04 10:52:17,987 fail2ban.filter [971]: INFO findtime: 600
    2021-01-04 10:52:17,987 fail2ban.actions [971]: INFO banTime: 600
    2021-01-04 10:52:17,990 fail2ban.jail [971]: INFO Jail 'sshd' started
    2021-01-04 10:52:17,991 fail2ban.jail [971]: INFO Jail 'sshd-ddos' started
    2021-01-04 10:55:14,657 fail2ban.filter [971]: INFO [sshd] Ignore 192.168.2.202 by ip
    2021-01-04 10:55:14,859 fail2ban.filter [971]: INFO [sshd] Ignore 192.168.2.202 by ip
    2021-01-04 10:55:22,880 fail2ban.filter [971]: INFO [sshd] Ignore 192.168.2.202 by ip
    2021-01-04 10:55:22,880 fail2ban.filter [971]: INFO [sshd] Ignore 192.168.2.202 by ip
    2021-01-04 10:55:24,886 fail2ban.filter [971]: INFO [sshd] Ignore 192.168.2.202 by ip
    2021-01-04 10:55:25,087 fail2ban.filter [971]: INFO [sshd] Ignore 192.168.2.202 by ip
    2021-01-04 10:55:27,092 fail2ban.filter [971]: INFO [sshd] Ignore 192.168.2.202 by ip
    2021-01-04 10:55:27,092 fail2ban.filter [971]: INFO [sshd] Ignore 192.168.2.202 by ip
    2021-01-04 10:55:29,097 fail2ban.filter [971]: INFO [sshd] Ignore 192.168.2.202 by ip
    2021-01-04 10:55:29,097 fail2ban.filter [971]: INFO [sshd] Ignore 192.168.2.202 by ip
    2021-01-04 10:55:35,111 fail2ban.filter [971]: INFO [sshd] Ignore 192.168.2.202 by ip
    2021-01-04 10:55:35,714 fail2ban.filter [971]: INFO [sshd] Ignore 192.168.2.202 by ip
    2021-01-04 10:55:36,318 fail2ban.filter [971]: INFO [sshd] Ignore 192.168.2.202 by ip
    2021-01-04 10:55:36,520 fail2ban.filter [971]: INFO [sshd] Ignore 192.168.2.202 by ip
    ^C
    my@bash $
    my@bash $ # >> Failed attempts really are ignored.

Let us note:

- Alpine ships a good default configuration (even an ssh jail against DDoS)
- The distribution config lives in /etc/fail2ban/jail.d/alpine-ssh.conf
- Copying jail.conf to jail.local is NOT advisable here -> Debian world -> auth.log (package maintainer?). The reason is the read order documented in man 5 jail.conf: jail.conf, then jail.d/*.conf, then jail.local, then jail.d/*.local. A full copy in jail.local is therefore read after jail.d/alpine-ssh.conf and overrides its ``logpath`` with the ``%(sshd_log)s`` default from jail.conf, which resolves to /var/log/auth.log.

Firewall configuration
^^^^^^^^^^^^^^^^^^^^^^

The question arises how the dynamic rules generated by fail2ban are integrated into the existing distribution rule set. For this, the directive ``banaction`` sets the firewall framework to use. If the value *iptables-multiport* is set, plain *iptables* is meant. That is the case on Alpine Linux 3.9:

::

    my@bash $ grep -ir ^banaction /etc/fail2ban/jail.conf
    banaction = iptables-multiport
    banaction_allports = iptables-allports
    banaction = %(banaction_allports)s
    banaction = %(banaction_allports)s
    banaction = iptables-multiport-log
    banaction = %(banaction_allports)s
    my@bash $

On CentOS 7, however, there are problems in VPS/VPC environments such as OpenVZ, because the firewall daemon is active there. Therefore we first change the file ``/etc/fail2ban/jail.d/00-firewalld.conf`` to the following values:

.. highlight:: bash
::

    [DEFAULT]
    # Because of the OpenVZ environment, which does not support 'ipset':
    #banaction = firewallcmd-ipset
    banaction = iptables-multiport
    banaction_allports = iptables-allports

Next comes the installation of the required software package and the de-/activation of the services:

::

    yum install iptables-services
    systemctl stop firewalld
    systemctl start iptables
    systemctl restart fail2ban

The static iptables rules are stored in the files */etc/sysconfig/iptables* and */etc/sysconfig/ip6tables*. See:

- https://foe.flourishes1966.space/firewalld-ipset.html ("The ipset command doesn't work under OpenVZ")
- https://osric.com/chris/accidental-developer/2017/08/using-fail2ban-with-iptables-instead-of-firewalld/
- https://unix.stackexchange.com/questions/372396/fail2ban-fails-to-start-on-centos-7
- https://fedoraproject.org/wiki/How_to_edit_iptables_rules

Further binaries
^^^^^^^^^^^^^^^^

.. highlight:: shell-session

::

    my@bash $ apk info -L fail2ban | grep bin
    usr/bin/fail2ban-server
    usr/bin/fail2ban-client
    usr/bin/fail2ban-python
    usr/bin/fail2ban-regex
    usr/bin/fail2ban-testcases
    my@bash $
    my@bash $
    my@bash $ /usr/bin/fail2ban-server --help
    Usage: fail2ban-server [OPTIONS]

    Fail2Ban v0.10.3.fix1 reads log file that contains password failure report
    and bans the corresponding IP addresses using firewall rules.

    Options:
        -c                      configuration directory
        -s                      socket path
        -p                      pidfile path
        --loglevel              logging level
        --logtarget             logging target, use file-name or stdout, stderr, syslog or sysout.
        --syslogsocket auto|
        -d                      dump configuration. For debugging
        --dp, --dump-pretty     dump the configuration using more human readable representation
        -t, --test              test configuration (can be also specified with start parameters)
        -i                      interactive mode
        -v                      increase verbosity
        -q                      decrease verbosity
        -x                      force execution of the server (remove socket file)
        -b                      start server in background (default)
        -f                      start server in foreground
        --async                 start server in async mode (for internal usage only, don't read configuration)
        --timeout               timeout to wait for the server (for internal usage only, don't read configuration)
        --str2sec               convert time abbreviation format to seconds
        -h, --help              display this help message
        -V, --version           print the version

    Report bugs to https://github.com/fail2ban/fail2ban/issues
    my@bash $
    my@bash $
    my@bash $ /usr/bin/fail2ban-server -t
    OK: configuration test is successful
    my@bash $
    my@bash $ /usr/bin/fail2ban-client --help 2>/dev/null | head -15
    Usage: fail2ban-client [OPTIONS]

    Fail2Ban v0.10.3.fix1 reads log file that contains password failure report
    and bans the corresponding IP addresses using firewall rules.

    Options:
        -c                      configuration directory
        -s                      socket path
        -p                      pidfile path
        --loglevel              logging level
        --logtarget             logging target, use file-name or stdout, stderr, syslog or sysout.
        --syslogsocket auto|
        -d                      dump configuration. For debugging
        --dp, --dump-pretty     dump the configuration using more human readable representation
        -t, --test              test configuration (can be also specified with start parameters)
    my@bash $
    my@bash $
    my@bash $ /usr/bin/fail2ban-client -t
    OK: configuration test is successful
    my@bash $
    my@bash $
    my@bash $ /usr/bin/fail2ban-regex --help 2>/dev/null | head -15
    Usage: /usr/bin/fail2ban-regex [OPTIONS] [IGNOREREGEX]

    Fail2Ban reads log file that contains password failure report
    and bans the corresponding IP addresses using firewall rules.

    This tools can test regular expressions for "fail2ban".

    LOG:
        string                  a string representing a log line
        filename                path to a log file (/var/log/auth.log)
        "systemd-journal"       search systemd journal (systemd-python required)

    REGEX:
        string                  a string representing a 'failregex'
    my@bash $

On fail2ban-regex see also:

- https://stackoverflow.com/questions/22516576/fail2ban-regex-pattern-for-apache-logs
- http://shopnix.de/tipps-fail2ban-vulnerability-scanner.html

Another tool from the package:

.. highlight:: shell-session

::

    my@bash $ /usr/bin/fail2ban-testcases --help 2>/dev/null | head -15
    Usage: /usr/bin/fail2ban-testcases [OPTIONS] [regexps]

    Script to run Fail2Ban tests battery

    Options:
      --version             show program's version number and exit
      -h, --help            show this help message and exit
      -l LOG_LEVEL, --log-level=LOG_LEVEL
                            Log level for the logger to use during running tests
      -v                    Increase verbosity
      --verbosity=VERBOSITY
                            Set numerical level of verbosity (0..4)
      --log-direct          Prevent lazy logging inside tests
      -n, --no-network      Do not run tests that require the network
      -g, --no-gamin        Do not run tests that require the gamin
    my@bash $

An interesting tool that counters port scans: https://www.linux-magazin.de/ausgaben/2012/02/einfuehrung2/

.. highlight:: shell-session

::

    my@bash $ apk -dv search portsentry
    my@bash $
    my@bash $ cat /etc/apk/repositories
    http://dl-cdn.alpinelinux.org/alpine/v3.9/main
    http://dl-cdn.alpinelinux.org/alpine/v3.9/community
    my@bash $

    tux@deb-int1:~$ ## Debian has the package in its repo:
    tux@deb-int1:~$ apt-cache show portsentry
    Package: portsentry
    Source: portsentry (1.2-14)
    Version: 1.2-14+b1
    Installed-Size: 175
    Maintainer: Dario Minnucci
    Architecture: amd64
    Depends: libc6 (>= 2.15), debconf (>= 1.2.9) | debconf-2.0, net-tools, procps, libfile-temp-perl
    Recommends: tcpd
    Suggests: logcheck
    Description-en: Portscan detection daemon
     PortSentry has the ability to detect portscans(including stealth scans) on
     the network interfaces of your machine.
     Upon alarm it can block the attacker via hosts.deny, dropped route or
     firewall rule. It is part of the Abacus program suite.
     .
     Note: If you have no idea what a port/stealth scan is, It's recommended to
     have a look at http://sf.net/projects/sentrytools/ before installing this
     package. Otherwise you might easily block hosts you'd better not (e.g. your
     NFS-server, name-server, etc.).
    Description-md5: ff8ecc87ed516a7095261180d5556efa
    Homepage: http://sentrytools.sourceforge.net/
    Tag: implemented-in::c, interface::daemon, network::server, network::service, role::program, security::ids, use::monitor
    Section: net
    Priority: optional
    Filename: pool/main/p/portsentry/portsentry_1.2-14+b1_amd64.deb
    Size: 70976
    MD5sum: cddab7d92dda7d81ab8f243ed71b591c
    SHA256: b99f3709a4894d8f3340ef03dfddcf3946cebcf1a931219e6bf2ef32c9d27b7a
    tux@deb-int1:~$ exit
    my@bash $

DEBIAN 10
=========

::

    root@deb10srv:~# ## Continue with 212.4 Security tasks
    root@deb10srv:~# ## ==============================
    root@deb10srv:~#
    root@deb10srv:~# ## => p. 491 ff. as well as https://pemmann.de/cc/Doc/Abuild/_build/html/handouts/202.html#fail2ban-ein-intrusion-prevention-system-ips
    root@deb10srv:~#
    root@deb10srv:~#
    root@deb10srv:~# ## How it works:
    root@deb10srv:~#
    root@deb10srv:~# # - Monitoring of log files (login attempts, Debian: /var/log/auth.log)
    root@deb10srv:~# # - Blocking attackers by means of iptables packet filter rules
    root@deb10srv:~#
    root@deb10srv:~#
    root@deb10srv:~# ## Installation
    root@deb10srv:~# ## ------------
    root@deb10srv:~#
    root@deb10srv:~# apt-get update
    Holen:1 http://security.debian.org/debian-security buster/updates InRelease [65,4 kB]
    OK:2 http://ftp.tu-chemnitz.de/debian buster InRelease
    Holen:3 http://ftp.tu-chemnitz.de/debian buster-updates InRelease [51,9 kB]
    Holen:4 http://security.debian.org/debian-security buster/updates/main Sources [185 kB]
    Holen:5 http://security.debian.org/debian-security buster/updates/main amd64 Packages [289 kB]
    Holen:6 http://security.debian.org/debian-security buster/updates/main Translation-en [150 kB]
    Es wurden 740 kB in 1 s geholt (654 kB/s).
    Paketlisten werden gelesen... Fertig
    root@deb10srv:~#
    root@deb10srv:~#
    root@deb10srv:~# apt-get install fail2ban
    Paketlisten werden gelesen... Fertig
    Abhängigkeitsbaum wird aufgebaut.
    Statusinformationen werden eingelesen.... Fertig
    Die folgenden zusätzlichen Pakete werden installiert:
      python3-pyinotify python3-systemd whois
    Vorgeschlagene Pakete:
      mailx monit sqlite3 python-pyinotify-doc
    Die folgenden NEUEN Pakete werden installiert:
      fail2ban python3-pyinotify python3-systemd whois
    0 aktualisiert, 4 neu installiert, 0 zu entfernen und 1 nicht aktualisiert.
    Es müssen 527 kB an Archiven heruntergeladen werden.
    Nach dieser Operation werden 2.560 kB Plattenplatz zusätzlich benutzt.
    Möchten Sie fortfahren? [J/n]
    Vorbereitung zum Entpacken von .../archives/whois_5.4.3_amd64.deb ...
    Entpacken von whois (5.4.3) ...
    whois (5.4.3) wird eingerichtet ...
    fail2ban (0.10.2-2.1) wird eingerichtet ...
    Created symlink /etc/systemd/system/multi-user.target.wants/fail2ban.service → /lib/systemd/system/fail2ban.service.
    [fail2ban-tmpfiles.conf:1] Line references path below legacy directory /var/run/, updating /var/run/fail2ban → /run/fail2ban; please update the tmpfiles.d/ drop-in file accordingly.
    python3-pyinotify (0.9.6-1) wird eingerichtet ...
    python3-systemd (234-2+b1) wird eingerichtet ...
    Trigger für man-db (2.8.5-2) werden verarbeitet ...
    Trigger für systemd (241-7~deb10u7) werden verarbeitet ...
    root@deb10srv:~#
    root@deb10srv:~#
    root@deb10srv:~#
    root@deb10srv:~# ## Configuration
    root@deb10srv:~# ## -------------
    root@deb10srv:~#
    root@deb10srv:~# cd /etc/fail2ban/
    root@deb10srv:/etc/fail2ban#
    root@deb10srv:/etc/fail2ban# ls -l
    insgesamt 60
    drwxr-xr-x 2 root root  4096 Mai 20 08:13 action.d
    -rw-r--r-- 1 root root  2334 Jan 18  2018 fail2ban.conf
    drwxr-xr-x 2 root root  4096 Sep 23  2018 fail2ban.d
    drwxr-xr-x 3 root root  4096 Mai 20 08:13 filter.d
    -rw-r--r-- 1 root root 22897 Jan 18  2018 jail.conf
    drwxr-xr-x 2 root root  4096 Mai 20 08:13 jail.d
    -rw-r--r-- 1 root root   645 Jan 18  2018 paths-arch.conf
    -rw-r--r-- 1 root root  2827 Jan 18  2018 paths-common.conf
    -rw-r--r-- 1 root root   573 Jan 18  2018 paths-debian.conf
    -rw-r--r-- 1 root root   738 Jan 18  2018 paths-opensuse.conf
    root@deb10srv:/etc/fail2ban#
    root@deb10srv:/etc/fail2ban#
    root@deb10srv:/etc/fail2ban# ## Search for jails that are 'enabled':
    root@deb10srv:/etc/fail2ban# grep -r enabled
    jail.d/defaults-debian.conf:enabled = true
    action.d/npf.conf:# we don't enable NPF automatically, as it will be enabled elsewhere
    action.d/ipfilter.conf:# enable IPF if not already enabled
    jail.conf:# enabled = true
    jail.conf:# "enabled" enables the jails.
    jail.conf:#  true:  jail will be enabled and log files will get monitored for changes
    jail.conf:#  false: jail is not enabled
    jail.conf:enabled = false
    filter.d/domino-smtp.conf:# console_log_enabled=1
    filter.d/roundcube-auth.conf:# The userlogins log file can be enabled by setting $config['log_logins'] = true; in config.inc.php
    root@deb10srv:/etc/fail2ban#
    root@deb10srv:/etc/fail2ban#
    root@deb10srv:/etc/fail2ban# ls -l jail.d/
    insgesamt 4
    -rw-r--r-- 1 root root 22 Sep 23  2018 defaults-debian.conf
    root@deb10srv:/etc/fail2ban#
    root@deb10srv:/etc/fail2ban# cat jail.d/defaults-debian.conf
    [sshd]
    enabled = true
    root@deb10srv:/etc/fail2ban#
    root@deb10srv:/etc/fail2ban# # >> sshd is the first service for which there is an activated jail.
    root@deb10srv:/etc/fail2ban#
    root@deb10srv:/etc/fail2ban#
    root@deb10srv:/etc/fail2ban# # Settings for bantime and ignoreip
    root@deb10srv:/etc/fail2ban# # ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    root@deb10srv:/etc/fail2ban#
    root@deb10srv:/etc/fail2ban# # => p. 492
    root@deb10srv:/etc/fail2ban#
    root@deb10srv:/etc/fail2ban# vi jail.conf
     62 # "bantime" is the number of seconds that a host is banned.
     63 bantime = 10m
     64
     51 # "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
     52 # will not ban a host which matches an address in this list. Several addresses
     53 # can be defined using space (and/or comma) separator.
     54 ignoreip = 127.0.0.1/8 ::1 192.168.2.201/24
     55
     69 # "maxretry" is the number of failures before a host get banned.
     70 maxretry = 3
     71
     72 # "backend" specifies the backend used to get files modification.
     73 # Available options are "pyinotify", "gamin", "polling", "systemd" and "auto".
     74 # This option can be overridden in each jail as well.
    "jail.conf" 890L, 22913C geschrieben
    root@deb10srv:/etc/fail2ban# ## The settings were:
    root@deb10srv:/etc/fail2ban#
    root@deb10srv:/etc/fail2ban# grep ^bantime jail.conf
    bantime = 10m
    bantime = 48h
    bantime = 1w
    bantime = 1h
    root@deb10srv:/etc/fail2ban#
    root@deb10srv:/etc/fail2ban# grep ^ignoreip jail.conf
    ignoreip = 127.0.0.1/8 ::1 192.168.2.201/24
    root@deb10srv:/etc/fail2ban#
    root@deb10srv:/etc/fail2ban# grep ^maxretry jail.conf
    maxretry = 3
    maxretry = 1
    maxretry = 2
    maxretry = 2
    maxretry = 2
    maxretry = 1
    maxretry = 2
    maxretry = 1
    maxretry = 2
    maxretry = 1
    maxretry = 10
    maxretry = 10
    maxretry = 2
    maxretry = 1
    maxretry = 1
    maxretry = 1
    root@deb10srv:/etc/fail2ban#
    root@deb10srv:/etc/fail2ban# # >> the first value in each case (the one in [DEFAULT]) applies as the global default
    root@deb10srv:/etc/fail2ban#
    root@deb10srv:/etc/fail2ban# ## No jails are active for other daemons:
    root@deb10srv:/etc/fail2ban# grep "enabled = true" jail.conf
    # enabled = true
    root@deb10srv:/etc/fail2ban# grep "enabled = false" jail.conf
    enabled = false
    root@deb10srv:/etc/fail2ban#
    root@deb10srv:/etc/fail2ban# # >> Nothing is defined here!
root@deb10srv:/etc/fail2ban# root@deb10srv:/etc/fail2ban# ## Man nehme sich für andere Daemons, die man schützen will, den betreffenden root@deb10srv:/etc/fail2ban# ## Abschnitt und schreibe ihn in eine kleine Datei unter 'jail.d/': root@deb10srv:/etc/fail2ban# grep -A4 apache-auth jail.conf > jail.d/apache-auth.conf root@deb10srv:/etc/fail2ban# echo 'enabled = true' >> jail.d/apache-auth.conf root@deb10srv:/etc/fail2ban# root@deb10srv:/etc/fail2ban# cd root@deb10srv:~# root@deb10srv:~# ## Daemon neu starten und testen root@deb10srv:~# ## ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ root@deb10srv:~# root@deb10srv:~# systemctl restart fail2ban root@deb10srv:~# root@deb10srv:~# iptables -vnL Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination # Warning: iptables-legacy tables present, use iptables-legacy to see them root@deb10srv:~# root@deb10srv:~# root@deb10srv:~# iptables-legacy -vnL Chain INPUT (policy ACCEPT 63730 packets, 13M bytes) pkts bytes target prot opt in out source destination 0 0 ACCEPT tcp -- lxdbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 /* generated for LXD network lxdbr0 */ 0 0 ACCEPT udp -- lxdbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 /* generated for LXD network lxdbr0 */ 0 0 ACCEPT udp -- lxdbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67 /* generated for LXD network lxdbr0 */ Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 ACCEPT all -- * lxdbr0 0.0.0.0/0 0.0.0.0/0 /* generated for LXD network lxdbr0 */ 0 0 ACCEPT all -- lxdbr0 * 0.0.0.0/0 0.0.0.0/0 /* generated for LXD network lxdbr0 */ Chain OUTPUT (policy ACCEPT 36513 packets, 3979K bytes) pkts bytes target prot opt in out source destination 0 0 ACCEPT tcp -- * lxdbr0 0.0.0.0/0 0.0.0.0/0 tcp spt:53 /* generated for LXD 
network lxdbr0 */ 0 0 ACCEPT udp -- * lxdbr0 0.0.0.0/0 0.0.0.0/0 udp spt:53 /* generated for LXD network lxdbr0 */ 0 0 ACCEPT udp -- * lxdbr0 0.0.0.0/0 0.0.0.0/0 udp spt:67 /* generated for LXD network lxdbr0 */ root@deb10srv:~# root@deb10srv:~# root@deb10srv:~# history 7 2049 iptables -vnL 2050 iptables-legacy -vnL 2051 iptables -t nat -vnL 2052 iptables-legacy -t nat -vnL 2053 iptables-legacy -t mangle -vnL 2054 iptables -t mangle -vnL 2055 history 7 root@deb10srv:~# root@deb10srv:~# # >> Momentan sind noch keine Regeln von fail2ban zu sehen. root@deb10srv:~# root@deb10srv:~# root@deb10srv:~# fail2ban-client status Status |- Number of jail: 2 `- Jail list: apache-auth, sshd root@deb10srv:~# root@deb10srv:~# root@deb10srv:~# fail2ban-client status sshd Status for the jail: sshd |- Filter | |- Currently failed: 0 | |- Total failed: 0 | `- File list: /var/log/auth.log `- Actions |- Currently banned: 0 |- Total banned: 0 `- Banned IP list: root@deb10srv:~# root@deb10srv:~# tux@alp ~$ ssh 192.168.2.202 tux@192.168.2.202's password: Linux deb10srv 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64 Willommen auf dem Containerhost! Last login: Tue May 18 19:42:47 2021 from 192.168.2.201 tux@deb10srv:~$ tux@deb10srv:~$ lxc exec deb-srv bash root@deb-srv:~# root@deb-srv:~# ssh -l root -o HostKeyAlgorithms=ssh-ed25519 192.168.2.202 Enter passphrase for key '/root/.ssh/id_rsa': Enter passphrase for key '/root/.ssh/id_rsa': Enter passphrase for key '/root/.ssh/id_rsa': root@192.168.2.202's password: Permission denied, please try again. root@192.168.2.202's password: Permission denied, please try again. root@192.168.2.202's password: root@192.168.2.202: Permission denied (publickey,password). 
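The configuration layering used above (the global values in jail.conf, the per-jail overrides behind the later grep hits, and the two-line drop-in under jail.d/ that switches a jail on) can be replayed offline. The following Python is an added example for this handout, not part of fail2ban or of the Debian package; the three config texts are constructed stand-ins for jail.conf, jail.d/defaults-debian.conf and the apache-auth drop-in created with grep and echo, and fail2ban's own ``%(...)s`` interpolation is deliberately switched off.

```python
import configparser
import re
from typing import Dict, List, Tuple

# Constructed stand-ins for the files handled above (not the real Debian files):
# a trimmed jail.conf with its [DEFAULT] section, Debian's jail.d drop-in that
# enables sshd, and the apache-auth drop-in built with 'grep -A4 ... ; echo ...'.
JAIL_CONF = """
[DEFAULT]
bantime  = 10m
findtime = 10m
maxretry = 3
ignoreip = 127.0.0.1/8 ::1 192.168.2.201/24
enabled  = false

[sshd]
port    = ssh
logpath = /var/log/auth.log

[apache-auth]
port     = http,https
logpath  = /var/log/apache2/error.log

[recidive]
logpath  = /var/log/fail2ban.log
bantime  = 1w
findtime = 1d
maxretry = 5
"""

JAIL_D_DEFAULTS_DEBIAN = """
[sshd]
enabled = true
"""

JAIL_D_APACHE_AUTH = """
[apache-auth]
port     = http,https
logpath  = /var/log/apache2/error.log
enabled = true
"""

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def to_seconds(value: str) -> int:
    """Convert fail2ban time notation ('10m', '48h', '1w', '600') to seconds.

    This is what turns 'bantime = 10m' into the 'banTime: 600' that
    fail2ban.log reports when the jail starts.
    """
    m = re.fullmatch(r"(\d+)\s*([smhdw]?)", value.strip())
    if not m:
        raise ValueError(f"unsupported time value: {value!r}")
    return int(m.group(1)) * _UNITS[m.group(2) or "s"]


def load_layers(layers: List[Tuple[str, str]]) -> configparser.ConfigParser:
    """Read config texts in the order fail2ban applies them.

    fail2ban reads jail.conf, then jail.d/*.conf (sorted), then jail.local,
    then jail.d/*.local; a later file overrides keys of an earlier one, so a
    two-line drop-in is enough to enable a jail. [DEFAULT] supplies the
    global value and a key inside a jail section overrides it, which is why
    the first 'bantime' grep hit above is the default and the later ones
    (48h, 1w, 1h) belong to individual jails.
    """
    cp = configparser.ConfigParser(interpolation=None)  # fail2ban does its own %(...)s handling
    for name, text in layers:
        cp.read_string(text, source=name)
    return cp


def effective_jails(cp: configparser.ConfigParser) -> Dict[str, dict]:
    """Per jail: whether it is enabled and the ban parameters that actually apply."""
    result = {}
    for jail in cp.sections():  # sections() never includes [DEFAULT]
        result[jail] = {
            "enabled": cp.getboolean(jail, "enabled"),
            "bantime": to_seconds(cp.get(jail, "bantime")),
            "findtime": to_seconds(cp.get(jail, "findtime")),
            "maxretry": cp.getint(jail, "maxretry"),
        }
    return result


def enabled_jails(cp: configparser.ConfigParser) -> List[str]:
    """Names of the jails that would show up in 'fail2ban-client status'."""
    return sorted(j for j, v in effective_jails(cp).items() if v["enabled"])


if __name__ == "__main__":
    cfg = load_layers([
        ("jail.conf", JAIL_CONF),
        ("jail.d/apache-auth.conf", JAIL_D_APACHE_AUTH),      # jail.d/ is read in sorted order
        ("jail.d/defaults-debian.conf", JAIL_D_DEFAULTS_DEBIAN),
    ])
    for jail, values in effective_jails(cfg).items():
        print(jail, values)
```

With these inputs the enabled jails are exactly the two listed by ``fail2ban-client status`` above (apache-auth, sshd); recidive stays off and keeps its own one-week bantime while sshd inherits the 600-second default.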
::

    root@deb-srv:~#

    root@deb10srv:/etc/fail2ban#
    root@deb10srv:/etc/fail2ban# fail2ban-client status sshd
    Status for the jail: sshd
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     0
    |  `- File list:        /var/log/auth.log
    `- Actions
       |- Currently banned: 0
       |- Total banned:     0
       `- Banned IP list:
    root@deb10srv:/etc/fail2ban#
    root@deb10srv:/etc/fail2ban#
    root@deb10srv:/etc/fail2ban# iptables -vnL
    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
    # Warning: iptables-legacy tables present, use iptables-legacy to see them
    root@deb10srv:/etc/fail2ban#
    root@deb10srv:/etc/fail2ban# iptables -vnL | grep fail
    # Warning: iptables-legacy tables present, use iptables-legacy to see them
    root@deb10srv:/etc/fail2ban#
    root@deb10srv:/etc/fail2ban# iptables-legacy -vnL | grep fail
    root@deb10srv:/etc/fail2ban#
    root@deb10srv:/etc/fail2ban# iptables -t mangle -vnL | grep fail
    # Warning: iptables-legacy tables present, use iptables-legacy to see them
    root@deb10srv:/etc/fail2ban#
    root@deb10srv:/etc/fail2ban# iptables-legacy -t mangle -vnL | grep fail
    root@deb10srv:/etc/fail2ban#
    root@deb10srv:/etc/fail2ban# ## >> Despite many failed attempts it does not kick in; the iptables rules are missing as well!
    root@deb10srv:/etc/fail2ban#
    root@deb10srv:/etc/fail2ban#
    root@deb10srv:/etc/fail2ban#
    root@deb10srv:/etc/fail2ban# # https://pemmann.de/cc/Kurse/Archiv/2021-01-lpic2-124-web/htmldoc/_build/html/lpi201-2021-01-04.html#firewall-konfiguration
    root@deb10srv:/etc/fail2ban#
    root@deb10srv:/etc/fail2ban# grep -ri ^banaction
    jail.conf:banaction = iptables-multiport
    jail.conf:banaction_allports = iptables-allports
    jail.conf:banaction = %(banaction_allports)s
    jail.conf:banaction = %(banaction_allports)s
    jail.conf:banaction = iptables-multiport-log
    jail.conf:banaction = %(banaction_allports)s
    root@deb10srv:/etc/fail2ban#
    root@deb10srv:/etc/fail2ban#
    root@deb10srv:/etc/fail2ban# # >> "banaction = iptables-multiport" means that classic iptables is used, not
    root@deb10srv:/etc/fail2ban# #    firewalld.
    root@deb10srv:/etc/fail2ban#
    root@deb10srv:/etc/fail2ban# pgrep -alfi fire
    root@deb10srv:/etc/fail2ban#
    root@deb10srv:/etc/fail2ban#
    root@deb10srv:/etc/fail2ban# systemctl status fail2ban
    ● fail2ban.service - Fail2Ban Service
       Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor preset: enabled)
       Active: active (running) since Thu 2021-05-20 08:41:27 CEST; 18min ago
         Docs: man:fail2ban(1)
      Process: 19500 ExecStartPre=/bin/mkdir -p /var/run/fail2ban (code=exited, status=0/SUCCESS)
     Main PID: 19501 (fail2ban-server)
        Tasks: 5 (limit: 1356)
       Memory: 14.8M
       CGroup: /system.slice/fail2ban.service
               └─19501 /usr/bin/python3 /usr/bin/fail2ban-server -xf start

    Mai 20 08:41:27 deb10srv systemd[1]: fail2ban.service: Main process exited, code=killed, status=15/TERM
    Mai 20 08:41:27 deb10srv systemd[1]: fail2ban.service: Succeeded.
    Mai 20 08:41:27 deb10srv systemd[1]: Stopped Fail2Ban Service.
    Mai 20 08:41:27 deb10srv systemd[1]: Starting Fail2Ban Service...
    Mai 20 08:41:27 deb10srv systemd[1]: Started Fail2Ban Service.
    Mai 20 08:41:28 deb10srv fail2ban-server[19501]: Server ready
    root@deb10srv:/etc/fail2ban#
    root@deb10srv:/etc/fail2ban#
    root@deb10srv:/etc/fail2ban#
    root@deb10srv:/etc/fail2ban# pam_tally --user tux
    User tux        (1000)  has 17
    root@deb10srv:/etc/fail2ban#
    root@deb10srv:/etc/fail2ban# pam_tally --user tux --reset=0
    User tux        (1000)  had 17
    root@deb10srv:/etc/fail2ban#
    root@deb10srv:/etc/fail2ban# pam_tally --user tux
    User tux        (1000)  has 0
    root@deb10srv:/etc/fail2ban#
    root@deb10srv:/etc/fail2ban# vi /etc/pam.d/common-session
    root@deb10srv:/etc/fail2ban#
    root@deb10srv:/etc/fail2ban# vi /etc/pam.d/common-auth
    root@deb10srv:/etc/fail2ban#
    root@deb10srv:/etc/fail2ban# grep -A1 AXPE /etc/pam.d/common-auth
    # AXPE:
    #auth required pam_tally.so deny=3
    root@deb10srv:/etc/fail2ban#
    root@deb10srv:/etc/fail2ban#
    root@deb10srv:/etc/fail2ban#
    root@deb10srv:/etc/fail2ban# journalctl -f
    -- Logs begin at Mon 2021-05-17 07:57:45 CEST. --
    Mai 20 09:01:46 deb10srv sshd[16660]: pam_unix(sshd:session): session closed for user tux
    Mai 20 09:01:46 deb10srv systemd-logind[349]: Session 217 logged out. Waiting for processes to exit.
    Mai 20 09:01:46 deb10srv systemd[1]: session-217.scope: Succeeded.
    Mai 20 09:01:46 deb10srv systemd-logind[349]: Removed session 217.
    Mai 20 09:02:25 deb10srv sshd[19761]: pam_tally(sshd:auth): user tux (1000) tally 16, deny 3
    Mai 20 09:02:27 deb10srv sshd[19761]: Failed password for tux from 192.168.2.211 port 58254 ssh2
    Mai 20 09:02:32 deb10srv sshd[19761]: pam_tally(sshd:auth): user tux (1000) tally 17, deny 3
    Mai 20 09:02:34 deb10srv sshd[19761]: Failed password for tux from 192.168.2.211 port 58254 ssh2
    Mai 20 09:02:37 deb10srv sshd[19761]: Failed password for tux from 192.168.2.211 port 58254 ssh2
    Mai 20 09:02:37 deb10srv sshd[19761]: Connection closed by authenticating user tux 192.168.2.211 port 58254 [preauth]
    Mai 20 09:05:01 deb10srv CRON[19848]: pam_unix(cron:session): session opened for user root by (uid=0)
    Mai 20 09:05:01 deb10srv CRON[19849]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
    Mai 20 09:05:01 deb10srv CRON[19848]: pam_unix(cron:session): session closed for user root
    Mai 20 09:05:06 deb10srv sshd[19851]: Accepted password for tux from 192.168.2.211 port 58256 ssh2
    Mai 20 09:05:06 deb10srv sshd[19851]: pam_unix(sshd:session): session opened for user tux by (uid=0)
    Mai 20 09:05:06 deb10srv systemd[1]: Started Session 250 of user tux.
    Mai 20 09:05:06 deb10srv systemd-logind[349]: New session 250 of user tux.
    Mai 20 09:05:11 deb10srv sshd[19857]: Received disconnect from 192.168.2.211 port 58256:11: disconnected by user
    Mai 20 09:05:11 deb10srv sshd[19857]: Disconnected from user tux 192.168.2.211 port 58256
    Mai 20 09:05:11 deb10srv sshd[19851]: pam_unix(sshd:session): session closed for user tux
    Mai 20 09:05:11 deb10srv systemd[1]: session-250.scope: Succeeded.
    Mai 20 09:05:11 deb10srv systemd-logind[349]: Session 250 logged out. Waiting for processes to exit.
    Mai 20 09:05:11 deb10srv systemd-logind[349]: Removed session 250.
    Mai 20 09:05:27 deb10srv sshd[19862]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.211  user=tux
    Mai 20 09:05:29 deb10srv sshd[19862]: Failed password for tux from 192.168.2.211 port 58258 ssh2
    Mai 20 09:05:33 deb10srv sshd[19862]: Failed password for tux from 192.168.2.211 port 58258 ssh2
    Mai 20 09:05:35 deb10srv sshd[19862]: Connection closed by authenticating user tux 192.168.2.211 port 58258 [preauth]
    Mai 20 09:05:35 deb10srv sshd[19862]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.211  user=tux
    Mai 20 09:05:50 deb10srv sshd[19864]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.211  user=tux
    Mai 20 09:05:53 deb10srv sshd[19864]: Failed password for tux from 192.168.2.211 port 58260 ssh2
    Mai 20 09:06:00 deb10srv sshd[19864]: Failed password for tux from 192.168.2.211 port 58260 ssh2
    Mai 20 09:06:06 deb10srv sshd[19864]: Failed password for tux from 192.168.2.211 port 58260 ssh2
    Mai 20 09:06:06 deb10srv sshd[19864]: Connection closed by authenticating user tux 192.168.2.211 port 58260 [preauth]
    Mai 20 09:06:06 deb10srv sshd[19864]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.211  user=tux
    Mai 20 09:06:14 deb10srv sshd[19866]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.211  user=tux
    Mai 20 09:06:16 deb10srv sshd[19866]: Failed password for tux from 192.168.2.211 port 58262 ssh2
    Mai 20 09:06:19 deb10srv sshd[19866]: Failed password for tux from 192.168.2.211 port 58262 ssh2
    Mai 20 09:06:23 deb10srv sshd[19866]: Failed password for tux from 192.168.2.211 port 58262 ssh2
    Mai 20 09:06:23 deb10srv sshd[19866]: Connection closed by authenticating user tux 192.168.2.211 port 58262 [preauth]
    Mai 20 09:06:23 deb10srv sshd[19866]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.211  user=tux
    ^C
    root@deb10srv:/etc/fail2ban#
    root@deb10srv:/etc/fail2ban#
    root@deb10srv:/etc/fail2ban# pam_tally --user tux
    User tux        (1000)  has 0
    root@deb10srv:/etc/fail2ban#
    root@deb10srv:/etc/fail2ban#
    root@deb10srv:/etc/fail2ban# date
    Do 20. Mai 09:07:09 CEST 2021
    root@deb10srv:/etc/fail2ban#
    root@deb10srv:/etc/fail2ban# fail2ban-client status sshd
    Status for the jail: sshd
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     0
    |  `- File list:        /var/log/auth.log
    `- Actions
       |- Currently banned: 0
       |- Total banned:     0
       `- Banned IP list:
    root@deb10srv:/etc/fail2ban#
    root@deb10srv:/etc/fail2ban# ls -l /var/log/fail2ban.log
    -rw-r----- 1 root adm 8160 Mai 20 09:06 /var/log/fail2ban.log
    root@deb10srv:/etc/fail2ban#
    root@deb10srv:/etc/fail2ban# less /var/log/fail2ban.log
    2021-05-20 08:49:54,072 fail2ban.filter         [19501]: INFO    [sshd] Ignore 192.168.2.233 by ip
    2021-05-20 08:49:59,617 fail2ban.filter         [19501]: INFO    [sshd] Ignore 192.168.2.233 by ip
    2021-05-20 08:50:04,441 fail2ban.filter         [19501]: INFO    [sshd] Ignore 192.168.2.233 by ip
    2021-05-20 09:02:28,217 fail2ban.filter         [19501]: INFO    [sshd] Ignore 192.168.2.211 by ip
    2021-05-20 09:02:34,360 fail2ban.filter         [19501]: INFO    [sshd] Ignore 192.168.2.211 by ip
    2021-05-20 09:02:37,909 fail2ban.filter         [19501]: INFO    [sshd] Ignore 192.168.2.211 by ip
    2021-05-20 09:05:27,829 fail2ban.filter         [19501]: INFO    [sshd] Ignore 192.168.2.211 by ip
    root@deb10srv:/etc/fail2ban# # >> We can see that SEVERAL addresses are being ignored!
    root@deb10srv:/etc/fail2ban#
    root@deb10srv:/etc/fail2ban# grep ^ignoreip jail.conf
    ignoreip = 127.0.0.1/8 ::1 192.168.2.201/24
    root@deb10srv:/etc/fail2ban#
    root@deb10srv:/etc/fail2ban# # >> It could be that with /24 the whole 192.168.2.0 network is ignored!
    root@deb10srv:/etc/fail2ban#
    root@deb10srv:/etc/fail2ban#
    root@deb10srv:/etc/fail2ban# sed -i 's;192.168.2.201/24;192.168.2.201;' jail.conf
    root@deb10srv:/etc/fail2ban#
    root@deb10srv:/etc/fail2ban# grep ^ignoreip jail.conf
    ignoreip = 127.0.0.1/8 ::1 192.168.2.201
    root@deb10srv:/etc/fail2ban#
    root@deb10srv:/etc/fail2ban# systemctl restart fail2ban
    root@deb10srv:/etc/fail2ban#
    root@deb10srv:/etc/fail2ban# tail -f /var/log/fail2ban.log
    2021-05-20 09:12:31,355 fail2ban.jail           [19997]: INFO    Creating new jail 'apache-auth'
    2021-05-20 09:12:31,356 fail2ban.jail           [19997]: INFO    Jail 'apache-auth' uses pyinotify {}
    2021-05-20 09:12:31,358 fail2ban.jail           [19997]: INFO    Initiated 'pyinotify' backend
    2021-05-20 09:12:31,363 fail2ban.filter         [19997]: INFO    Added logfile: '/var/log/apache2/error.log' (pos = 416, hash = 0a3f94a9dbb8953451e4e7ccd97ab3ea171f601d)
    2021-05-20 09:12:31,364 fail2ban.filter         [19997]: INFO      encoding: UTF-8
    2021-05-20 09:12:31,364 fail2ban.filter         [19997]: INFO      maxRetry: 3
    2021-05-20 09:12:31,364 fail2ban.filter         [19997]: INFO      findtime: 600
    2021-05-20 09:12:31,364 fail2ban.actions        [19997]: INFO      banTime: 600
    2021-05-20 09:12:31,366 fail2ban.jail           [19997]: INFO    Jail 'sshd' started
    2021-05-20 09:12:31,367 fail2ban.jail           [19997]: INFO    Jail 'apache-auth' started
    2021-05-20 09:13:14,637 fail2ban.filter         [19997]: INFO    [sshd] Found 192.168.2.233 - 2021-05-20 09:13:14
    2021-05-20 09:13:16,242 fail2ban.filter         [19997]: INFO    [sshd] Found 192.168.2.233 - 2021-05-20 09:13:16
    2021-05-20 09:13:23,722 fail2ban.filter         [19997]: INFO    [sshd] Found 192.168.2.233 - 2021-05-20 09:13:23
    2021-05-20 09:13:24,038 fail2ban.actions        [19997]: NOTICE  [sshd] Ban 192.168.2.233

    root@deb-srv:~#
    root@deb-srv:~# ssh -l tux -o HostKeyAlgorithms=ssh-ed25519 192.168.2.202
    tux@192.168.2.202's password:
    Permission denied, please try again.
    tux@192.168.2.202's password:
    Permission denied, please try again.
    tux@192.168.2.202's password:
    ### ... it takes a while, and a while ...
    ### Connection closed by 192.168.2.202 port 22
    root@deb-srv:~#

    root@deb10srv:/etc/fail2ban#
    root@deb10srv:/etc/fail2ban# ## After quitting 'tail -f /var/log/fail2ban.log' we see the following:
    root@deb10srv:/etc/fail2ban# fail2ban-client status sshd
    Status for the jail: sshd
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     3
    |  `- File list:        /var/log/auth.log
    `- Actions
       |- Currently banned: 1
       |- Total banned:     1
       `- Banned IP list:   192.168.2.233
    root@deb10srv:/etc/fail2ban#
    root@deb10srv:/etc/fail2ban#
    root@deb10srv:/etc/fail2ban# iptables -vnL
    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
      861 60932 f2b-sshd   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22

    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain f2b-sshd (1 references)
     pkts bytes target     prot opt in     out     source               destination
       21  2040 REJECT     all  --  *      *       192.168.2.233        0.0.0.0/0            reject-with icmp-port-unreachable
      840 58892 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    # Warning: iptables-legacy tables present, use iptables-legacy to see them
    root@deb10srv:/etc/fail2ban#
    root@deb10srv:/etc/fail2ban#
    root@deb10srv:/etc/fail2ban# # >> On Debian the chain is called 'f2b-sshd' and lives in the new nftables framework (iptables-nft), not in iptables-legacy.
    root@deb10srv:/etc/fail2ban#
    root@deb10srv:/etc/fail2ban#
    root@deb10srv:/etc/fail2ban# ## Unban the client with iptables instead of with 'fail2ban-client set sshd unbanip 192.168.2.233':
    root@deb10srv:/etc/fail2ban# iptables -vnL f2b-sshd --line-numbers
    Chain f2b-sshd (1 references)
    num   pkts bytes target     prot opt in     out     source               destination
    1       25  2280 REJECT     all  --  *      *       192.168.2.233        0.0.0.0/0            reject-with icmp-port-unreachable
    2     1416 99780 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    # Warning: iptables-legacy tables present, use iptables-legacy to see them
    root@deb10srv:/etc/fail2ban#
    root@deb10srv:/etc/fail2ban#
    root@deb10srv:/etc/fail2ban# iptables -D f2b-sshd 1
    root@deb10srv:/etc/fail2ban#
    root@deb10srv:/etc/fail2ban# iptables -vnL f2b-sshd --line-numbers
    Chain f2b-sshd (1 references)
    num   pkts bytes target     prot opt in     out     source               destination
    1     1535  110K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    # Warning: iptables-legacy tables present, use iptables-legacy to see them
    root@deb10srv:/etc/fail2ban#
    root@deb10srv:/etc/fail2ban#
    root@deb10srv:/etc/fail2ban#
    root@deb10srv:/etc/fail2ban# # About the line 'iptables -D f2b-sshd 1' ...
    root@deb10srv:/etc/fail2ban# #
    root@deb10srv:/etc/fail2ban# #   iptables -D f2b-sshd 1
    root@deb10srv:/etc/fail2ban# #   ======>> --------     --->
    root@deb10srv:/etc/fail2ban# #            instead of   rule
    root@deb10srv:/etc/fail2ban# #            -F, which    number
    root@deb10srv:/etc/fail2ban# #            would remove
    root@deb10srv:/etc/fail2ban# #            all rules
    root@deb10srv:/etc/fail2ban#
    root@deb10srv:/etc/fail2ban#
    root@deb10srv:/etc/fail2ban#
    root@deb10srv:/etc/fail2ban#
    root@deb10srv:/etc/fail2ban# ## CAUTION: after removing the rule with iptables behind fail2ban's back, fail2ban still considers the address banned
    root@deb10srv:/etc/fail2ban# ## and must be restarted:
    root@deb10srv:/etc/fail2ban# systemctl restart fail2ban
    root@deb10srv:/etc/fail2ban#
    root@deb10srv:/etc/fail2ban#
    root@deb10srv:/etc/fail2ban# iptables -vnL f2b-sshd --line-numbers
    Chain f2b-sshd (1 references)
    num   pkts bytes target     prot opt in     out     source               destination
    1        0     0 REJECT     all  --  *      *       192.168.2.233        0.0.0.0/0            reject-with icmp-port-unreachable
    2       10   716 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    # Warning: iptables-legacy tables present, use iptables-legacy to see them
    root@deb10srv:/etc/fail2ban#
    root@deb10srv:/etc/fail2ban#
    root@deb10srv:/etc/fail2ban#
    root@deb10srv:/etc/fail2ban# fail2ban-client status sshd
    Status for the jail: sshd
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     0
    |  `- File list:        /var/log/auth.log
    `- Actions
       |- Currently banned: 1
       |- Total banned:     1
       `- Banned IP list:   192.168.2.233
    root@deb10srv:/etc/fail2ban#
    root@deb10srv:/etc/fail2ban# fail2ban-client set sshd unbanip 192.168.2.233
    192.168.2.233
    root@deb10srv:/etc/fail2ban#
    root@deb10srv:/etc/fail2ban#
    root@deb10srv:~#
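Two things from the session above are worth being able to check without a live host: why ``ignoreip = ... 192.168.2.201/24`` silently whitelisted the whole lab network (every attempt showed up as "Ignore ... by ip" and the jail reported "Total failed: 0"), and how the corrected jail turned three failures at 09:13:14, 09:13:16 and 09:13:23 into a ban one second later. The following Python is an added example for this handout, not fail2ban code; it replays fail2ban's counting (maxretry failures within findtime lead to a ban for bantime, ignored sources are never counted) over a constructed auth.log excerpt whose timestamps, ports and PIDs are made up and use English month names so that ``strptime`` parses them.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_ignoreip(value: str) -> Tuple[List[Network], List[str]]:
    """Split an 'ignoreip' value into networks and (unresolved) DNS names.

    Entries are space- and/or comma-separated. A CIDR entry with host bits
    set, such as 192.168.2.201/24, is masked to its network: that is the
    trap seen above, the whole 192.168.2.0/24 is whitelisted, not one host.
    """
    networks, dns_names = [], []
    for token in value.replace(",", " ").split():
        try:
            networks.append(ipaddress.ip_network(token, strict=False))
        except ValueError:
            dns_names.append(token)  # fail2ban resolves these at runtime; not done here
    return networks, dns_names


def is_ignored(ip: str, networks: List[Network]) -> bool:
    """True if fail2ban would log 'Ignore <ip> by ip' instead of counting it."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)  # v4 addresses never match v6 nets


# Shape of the sshd lines that produced the 'Found 192.168.2.233' entries above.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+"
)


def parse_failures(lines: List[str], year: int = 2021) -> List[Tuple[datetime, str]]:
    """Return (timestamp, source ip) per failure line; syslog has no year, so one is assumed."""
    found = []
    for line in lines:
        m = FAILED.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            found.append((ts, m["ip"]))
    return found


def simulate(lines: List[str], ignoreip: str = "", maxretry: int = 3,
             findtime: int = 600, bantime: int = 600):
    """Replay the jail: per source, maxretry failures inside findtime -> ban for bantime.

    Returns the bans as (time, ip) and counters comparable to 'fail2ban-client status sshd'.
    """
    networks, _ = parse_ignoreip(ignoreip)
    window: Dict[str, deque] = defaultdict(deque)
    banned_until: Dict[str, datetime] = {}
    bans: List[Tuple[datetime, str]] = []
    stats = {"ignored": 0, "total_failed": 0, "total_banned": 0}
    for ts, ip in parse_failures(lines):
        if is_ignored(ip, networks):
            stats["ignored"] += 1          # never counted, whatever it does
            continue
        if ip in banned_until and ts < banned_until[ip]:
            continue                       # the REJECT rule would have blocked this connection
        stats["total_failed"] += 1
        q = window[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:   # slide the findtime window
            q.popleft()
        if len(q) >= maxretry:
            banned_until[ip] = ts + timedelta(seconds=bantime)
            bans.append((ts, ip))
            stats["total_banned"] += 1
            q.clear()
    return bans, stats


# Constructed auth.log excerpt (not from the page): three quick failures from .233,
# one from the admin host .201, a late fourth from .233, and two from .211 that are
# more than findtime apart.
SAMPLE_LOG = [
    "May 20 09:13:14 deb10srv sshd[20011]: Failed password for tux from 192.168.2.233 port 40000 ssh2",
    "May 20 09:13:16 deb10srv sshd[20011]: Failed password for tux from 192.168.2.233 port 40000 ssh2",
    "May 20 09:13:20 deb10srv sshd[20013]: Failed password for tux from 192.168.2.201 port 40002 ssh2",
    "May 20 09:13:23 deb10srv sshd[20011]: Failed password for tux from 192.168.2.233 port 40000 ssh2",
    "May 20 09:13:30 deb10srv sshd[20015]: Failed password for invalid user fritzzz from 192.168.2.233 port 40004 ssh2",
    "May 20 09:14:00 deb10srv sshd[20017]: Failed password for tux from 192.168.2.211 port 40006 ssh2",
    "May 20 09:30:00 deb10srv sshd[20020]: Failed password for tux from 192.168.2.211 port 40008 ssh2",
]

if __name__ == "__main__":
    for setting in ("127.0.0.1/8 ::1 192.168.2.201/24", "127.0.0.1/8 ::1 192.168.2.201"):
        nets, _ = parse_ignoreip(setting)
        print("ignoreip =", setting, "->", [str(n) for n in nets])
        print("  ", simulate(SAMPLE_LOG, ignoreip=setting))
```

With the original ``/24`` setting every source is ignored and nothing is ever counted, which is exactly the "Total failed: 0" that puzzled the session above; with the corrected single-host entry only 192.168.2.233 is banned, at its third failure, while 192.168.2.211 stays unbanned because its two failures fall outside one findtime window.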