Prevention with fail2ban
In the following, the intrusion prevention system fail2ban is installed and configured. All of this takes place on our 'alp-router':
Installation
At this point:
my@bash $ hostname -f
alp-router.haus1.tld
my@bash $
my@bash $
my@bash $ apk -dv search fail2ban
fail2ban-openrc-0.10.3.1-r2 - Scans log files for login failures then updates iptables to reject originating ip address (OpenRC init scripts)
fail2ban-doc-0.10.3.1-r2 - Scans log files for login failures then updates iptables to reject originating ip address (documentation)
fail2ban-0.10.3.1-r2 - Scans log files for login failures then updates iptables to reject originating ip address
my@bash $
my@bash $ ## LPI-relevant description: "Scans log files for login failures then updates iptables to reject originating ip address"!
my@bash $
my@bash $
my@bash $ apk add fail2ban-openrc
(1/7) Installing expat (2.2.8-r0)
(2/7) Installing xz-libs (5.2.4-r0)
(3/7) Installing python3 (3.6.9-r3)
(4/7) Installing popt (1.16-r7)
(5/7) Installing logrotate (3.15.0-r0)
(6/7) Installing logrotate-openrc (3.15.0-r0)
(7/7) Installing fail2ban-openrc (0.10.3.1-r2)
Executing busybox-1.29.3-r10.trigger
OK: 111 MiB in 88 packages
my@bash $
my@bash $
my@bash $ apk add fail2ban
(1/1) Installing fail2ban (0.10.3.1-r2)
Executing busybox-1.29.3-r10.trigger
OK: 114 MiB in 89 packages
my@bash $
Basic configuration and start-up
By default the jail for sshd is preconfigured on most Linux distributions, so there is little to do.
Otherwise things continue much as described at https://pemmann.de/cc/Doc/Abuild/_build/html/handouts/202.html#fail2ban-ein-intrusion-prevention-system-ips.
my@bash $ ## Check how far Alpine Linux has preconfigured the package:
my@bash $ pgrep -alf log
224 /sbin/syslogd -Z
my@bash $
my@bash $ find /var/log -mmin -2
/var/log/messages
my@bash $
my@bash $ ## >> The successful ssh login that just took place was recorded:
my@bash $ tail /var/log/messages
Jan 4 09:29:32 alp-router local7.info dhcpd: DHCPREQUEST for 10.1.1.3 from 00:16:3e:ff:b2:c9 via eth1
Jan 4 09:29:32 alp-router local7.info dhcpd: DHCPACK on 10.1.1.3 to 00:16:3e:ff:b2:c9 via eth1
Jan 4 09:30:00 alp-router cron.info crond[251]: USER root pid 528 cmd run-parts /etc/periodic/15min
Jan 4 09:34:31 alp-router local7.err dhcpd: uid lease 10.1.1.100 for client 00:16:3e:ff:b2:c9 is duplicate on 10.1.1.0/24
Jan 4 09:34:31 alp-router local7.info dhcpd: DHCPREQUEST for 10.1.1.3 from 00:16:3e:ff:b2:c9 via eth1
Jan 4 09:34:31 alp-router local7.info dhcpd: DHCPACK on 10.1.1.3 to 00:16:3e:ff:b2:c9 via eth1
Jan 4 09:38:41 alp-router auth.info sshd[540]: Accepted publickey for tux from 192.168.2.202 port 36822 ssh2: RSA SHA256:4Ngaq8yf5AMASDqg2SQrh8CXYy/g5GtrntDou4Yc8cw
Jan 4 09:39:19 alp-router local7.err dhcpd: uid lease 10.1.1.100 for client 00:16:3e:ff:b2:c9 is duplicate on 10.1.1.0/24
Jan 4 09:39:19 alp-router local7.info dhcpd: DHCPREQUEST for 10.1.1.3 from 00:16:3e:ff:b2:c9 via eth1
Jan 4 09:39:19 alp-router local7.info dhcpd: DHCPACK on 10.1.1.3 to 00:16:3e:ff:b2:c9 via eth1
my@bash $
my@bash $
### A failed attempt in /var/log/messages:
Jan 4 09:41:32 alp-router auth.info sshd[548]: Invalid user fritzzz from 192.168.2.202 port 36824
Jan 4 09:41:35 alp-router auth.err sshd[548]: error: Could not get shadow information for NOUSER
Jan 4 09:41:35 alp-router auth.info sshd[548]: Failed password for invalid user fritzzz from 192.168.2.202 port 36824 ssh2
Jan 4 09:41:37 alp-router auth.info sshd[548]: Failed password for invalid user fritzzz from 192.168.2.202 port 36824 ssh2
Jan 4 09:41:39 alp-router auth.info sshd[548]: Failed password for invalid user fritzzz from 192.168.2.202 port 36824 ssh2
Jan 4 09:41:39 alp-router auth.info sshd[548]: Connection closed by invalid user fritzzz 192.168.2.202 port 36824 [preauth]
And this is the login attempt that triggered it, started from the SuSE host:
my@bash $
my@bash $ ssh fritzzz@192.168.2.103
fritzzz@192.168.2.103's password:
Permission denied, please try again.
fritzzz@192.168.2.103's password:
Permission denied, please try again.
fritzzz@192.168.2.103's password:
fritzzz@192.168.2.103: Permission denied (publickey,password,keyboard-interactive).
my@bash $
my@bash $ grep -ri '/var/log/messages' /etc/fail2ban/
/etc/fail2ban/filter.d/nagios.conf:# typically logged in /var/log/messages syslog
/etc/fail2ban/jail.d/alpine-ssh.conf:logpath = /var/log/messages
/etc/fail2ban/jail.d/alpine-ssh.conf:logpath = /var/log/messages
/etc/fail2ban/paths-fedora.conf:# Tested and it worked out in /var/log/messages so assuming syslog_ftp for now.
/etc/fail2ban/paths-freebsd.conf:# note - is only ftp.info - if notice /var/log/messages may be needed
/etc/fail2ban/paths-common.conf:syslog_local0 = /var/log/messages
my@bash $
my@bash $ ## >> All good: the log file has already been wired in, exactly as on Debian.
my@bash $
my@bash $
my@bash $ ## Change into the configuration directory:
my@bash $ cd /etc/fail2ban/
my@bash $
my@bash $ ls -lhS
total 56
-rw-r--r-- 1 root root 22.4K Apr 4 2018 jail.conf
-rw-r--r-- 1 root root 2.8K Apr 4 2018 paths-common.conf
drwxr-xr-x 1 root root 2.6K Jan 4 09:33 filter.d
drwxr-xr-x 1 root root 2.3K Jan 4 09:33 action.d
-rw-r--r-- 1 root root 2.3K Apr 4 2018 fail2ban.conf
-rw-r--r-- 1 root root 982 Apr 4 2018 paths-freebsd.conf
-rw-r--r-- 1 root root 930 Apr 4 2018 paths-fedora.conf
-rw-r--r-- 1 root root 738 Apr 4 2018 paths-opensuse.conf
-rw-r--r-- 1 root root 645 Apr 4 2018 paths-arch.conf
-rw-r--r-- 1 root root 573 Apr 4 2018 paths-debian.conf
-rw-r--r-- 1 root root 286 Apr 4 2018 paths-osx.conf
drwxr-xr-x 1 root root 30 Jan 4 09:33 jail.d
drwxr-xr-x 1 root root 0 Jan 4 09:33 fail2ban.d
my@bash $
my@bash $ ## >> ... and see that jail.conf is huge! Better to use the small, specific files in 'jail.d':
my@bash $
my@bash $ ## Look at the configuration:
my@bash $ ls -lhS jail.d/
total 4
-rw-r--r-- 1 root root 219 Dec 20 2018 alpine-ssh.conf
my@bash $
my@bash $ cat jail.d/alpine-ssh.conf
[sshd]
enabled = true
filter = alpine-sshd
port = ssh
logpath = /var/log/messages
maxretry = 10
[sshd-ddos]
enabled = true
filter = alpine-sshd-ddos
port = ssh
logpath = /var/log/messages
maxretry = 10
my@bash $
my@bash $
my@bash $ ## >> Both jails are active (LPI-relevant: "enabled = true").
With that we can attempt a functional test:
my@bash $ pgrep -alf fail
my@bash $
my@bash $ rc-service fail2ban start
* Caching service dependencies ... [ ok ]
* Starting fail2ban ...
Server ready [ ok ]
my@bash $
my@bash $ pgrep -alf fail
699 /usr/bin/python3 /usr/bin/fail2ban-server --async -b -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid --loglevel INFO --logtarget /var/log/fail2ban.log --syslogsocket auto
my@bash $
my@bash $ rc-update add fail2ban
* service fail2ban added to runlevel default
my@bash $
my@bash $
my@bash $ ## The 'fail2ban-client' front end is particularly important:
my@bash $ fail2ban-client status
Status
|- Number of jail: 2
`- Jail list: sshd, sshd-ddos
my@bash $
my@bash $
my@bash $
my@bash $ fail2ban-client -v status sshd
2021-01-04 09:55:49,698 fail2ban.configreader [713]: INFO Loading configs for fail2ban under /etc/fail2ban
2021-01-04 09:55:49,704 fail2ban.configparserin [713]: INFO Loading files: ['/etc/fail2ban/fail2ban.conf']
2021-01-04 09:55:49,708 fail2ban.configparserin [713]: INFO Loading files: ['/etc/fail2ban/fail2ban.conf']
2021-01-04 09:55:49,708 fail2ban [713]: INFO Using socket file /var/run/fail2ban/fail2ban.sock
2021-01-04 09:55:49,709 fail2ban [713]: INFO Using pid file /var/run/fail2ban/fail2ban.pid, [INFO] logging to /var/log/fail2ban.log
Status for the jail: sshd
|- Filter
| |- Currently failed: 0
| |- Total failed: 0
| `- File list: /var/log/messages
`- Actions
|- Currently banned: 0
|- Total banned: 0
`- Banned IP list:
my@bash $
my@bash $
my@bash $ ## Change both jails to a maximum of 3 failed attempts:
my@bash $ vi jail.d/alpine-ssh.conf
my@bash $
my@bash $ grep maxretry jail.d/alpine-ssh.conf
maxretry = 3
maxretry = 3
my@bash $
my@bash $ rc-service fail2ban restart
* Stopping fail2ban ... [ ok ]
* Starting fail2ban ...
Server ready [ ok ]
my@bash $
my@bash $ ## Tests:
my@bash $ tail -f /var/log/fail2ban.log
2021-01-04 10:00:28,505 fail2ban.jail [762]: INFO Creating new jail 'sshd-ddos'
2021-01-04 10:00:28,506 fail2ban.jail [762]: INFO Jail 'sshd-ddos' uses poller {}
2021-01-04 10:00:28,506 fail2ban.jail [762]: INFO Initiated 'polling' backend
2021-01-04 10:00:28,509 fail2ban.filter [762]: INFO Added logfile: '/var/log/messages' (pos = 50755, hash = 8271a07d126f4f38550a77627100fd020839c55c)
2021-01-04 10:00:28,509 fail2ban.filter [762]: INFO encoding: UTF-8
2021-01-04 10:00:28,510 fail2ban.filter [762]: INFO maxRetry: 3
2021-01-04 10:00:28,510 fail2ban.filter [762]: INFO findtime: 600
2021-01-04 10:00:28,511 fail2ban.actions [762]: INFO banTime: 600
2021-01-04 10:00:28,513 fail2ban.jail [762]: INFO Jail 'sshd' started
2021-01-04 10:00:28,515 fail2ban.jail [762]: INFO Jail 'sshd-ddos' started
my@bash $ ssh 192.168.2.103
Enter passphrase for key '/home/tux/.ssh/id_rsa':
tux@192.168.2.103's password:
Permission denied, please try again.
tux@192.168.2.103's password:
Permission denied, please try again.
tux@192.168.2.103's password:
tux@192.168.2.103: Permission denied (publickey,password,keyboard-interactive).
my@bash $
From the log (/var/log/fail2ban.log):
2021-01-04 10:01:27,878 fail2ban.filter [762]: INFO [sshd] Found 192.168.2.202 - 2021-01-04 10:01:27
2021-01-04 10:01:28,080 fail2ban.filter [762]: INFO [sshd] Found 192.168.2.202 - 2021-01-04 10:01:28
my@bash $ ssh 192.168.2.103
Enter passphrase for key '/home/tux/.ssh/id_rsa':
Enter passphrase for key '/home/tux/.ssh/id_rsa':
Enter passphrase for key '/home/tux/.ssh/id_rsa':
tux@192.168.2.103's password:
Permission denied, please try again.
tux@192.168.2.103's password:
Permission denied, please try again.
tux@192.168.2.103's password:
tux@192.168.2.103: Permission denied (publickey,password,keyboard-interactive).
my@bash $
my@bash $
2021-01-04 10:01:51,331 fail2ban.filter [762]: INFO [sshd] Found 192.168.2.202 - 2021-01-04 10:01:51
2021-01-04 10:01:51,919 fail2ban.actions [762]: NOTICE [sshd] Ban 192.168.2.202
2021-01-04 10:01:52,538 fail2ban.filter [762]: INFO [sshd] Found 192.168.2.202 - 2021-01-04 10:01:51
my@bash $ ## And indeed, no access is possible any more (the REJECT rule answers with ICMP port-unreachable, which the client reports as 'Connection refused'):
my@bash $ ssh 192.168.2.103
ssh: connect to host 192.168.2.103 port 22: Connection refused
my@bash $
We can now see the ban in three places: a) the log files, b) fail2ban-client and c) iptables:
my@bash $ ## a) In the fail2ban log:
my@bash $ grep Ban /var/log/fail2ban.log
2021-01-04 10:01:51,919 fail2ban.actions [762]: NOTICE [sshd] Ban 192.168.2.202
my@bash $
my@bash $
my@bash $ ## b) With fail2ban-client:
my@bash $ fail2ban-client -v status sshd
2021-01-04 10:04:43,995 fail2ban.configreader [787]: INFO Loading configs for fail2ban under /etc/fail2ban
2021-01-04 10:04:43,997 fail2ban.configparserin [787]: INFO Loading files: ['/etc/fail2ban/fail2ban.conf']
2021-01-04 10:04:44,000 fail2ban.configparserin [787]: INFO Loading files: ['/etc/fail2ban/fail2ban.conf']
2021-01-04 10:04:44,002 fail2ban [787]: INFO Using socket file /var/run/fail2ban/fail2ban.sock
2021-01-04 10:04:44,003 fail2ban [787]: INFO Using pid file /var/run/fail2ban/fail2ban.pid, [INFO] logging to /var/log/fail2ban.log
Status for the jail: sshd
|- Filter
| |- Currently failed: 1
| |- Total failed: 4
| `- File list: /var/log/messages
`- Actions
|- Currently banned: 1
|- Total banned: 1
`- Banned IP list: 192.168.2.202
my@bash $
my@bash $
my@bash $ ## c) With our packet filter:
my@bash $ iptables -vnL
Chain INPUT (policy ACCEPT 5 packets, 180 bytes)
pkts bytes target prot opt in out source destination
2 120 f2b-sshd tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 22
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 2 packets, 176 bytes)
pkts bytes target prot opt in out source destination
Chain f2b-sshd (1 references)
pkts bytes target prot opt in out source destination
2 120 REJECT all -- * * 192.168.2.202 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
my@bash $
my@bash $ ## >> Works nicely.
Lifting the ban manually:
my@bash $ fail2ban-client set sshd unbanip 192.168.2.202
192.168.2.202
my@bash $
my@bash $ fail2ban-client status sshd
Status for the jail: sshd
|- Filter
| |- Currently failed: 1
| |- Total failed: 4
| `- File list: /var/log/messages
`- Actions
|- Currently banned: 0
|- Total banned: 1
`- Banned IP list:
my@bash $
my@bash $ ## >> And right away 'ssh 192.168.2.103' from the SuSE host works again.
Fail2ban as a log parser:
Settings for bantime and ignoreip
First we look at how to configure the time span for which an attacker stays blocked:
my@bash $ pwd
/etc/fail2ban
my@bash $
my@bash $
my@bash $ grep -ri '^bantime' .
./action.d/shorewall-ipset-proto6.conf:bantime = 600
./action.d/iptables-ipset-proto6-allports.conf:bantime = 600
./action.d/iptables-ipset-proto6.conf:bantime = 600
./action.d/firewallcmd-ipset.conf:bantime = 600
./action.d/osx-afctl.conf:bantime = 2880
./jail.conf:bantime = 10m
./jail.conf:bantime = 48h
./jail.conf:bantime = 1w
./jail.conf:bantime = 1h
my@bash $
my@bash $
my@bash $ grep -ri -B5 '^bantime' jail.conf | head
#
# ignorecommand = /path/to/command <ip>
ignorecommand =
# "bantime" is the number of seconds that a host is banned.
bantime = 10m
--
[apache-badbots]
# Ban hosts which agent identifies spammer robots crawling the web
# for email addresses. The mail outputs are buffered.
my@bash $
my@bash $ ## >> The global 'bantime', after which the block is lifted automatically, is 10 minutes.
And now we want to define the SuSE host as an exception, in case someone starts failed attempts from there. That is what ignoreip is for:
my@bash $ ## To ignore login failures from trusted hosts:
my@bash $ grep -ri -B5 'ignoreip' .
./filter.d/freeswitch.conf-#
./filter.d/freeswitch.conf-# Enable "log-auth-failures" on each Sofia profile to monitor
./filter.d/freeswitch.conf-# <param name="log-auth-failures" value="true"/>
./filter.d/freeswitch.conf-# -- this requires a high enough loglevel on your logs to save these messages.
./filter.d/freeswitch.conf-#
./filter.d/freeswitch.conf:# In the fail2ban jail.local file for this filter set ignoreip to the internal
--
./jail.conf-
./jail.conf-# "ignorself" specifies whether the local resp. own IP addresses should be ignored
./jail.conf-# (default is true). Fail2ban will not ban a host which matches such addresses.
./jail.conf-#ignorself = true
./jail.conf-
./jail.conf:# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
./jail.conf-# will not ban a host which matches an address in this list. Several addresses
./jail.conf-# can be defined using space (and/or comma) separator.
./jail.conf:#ignoreip = 127.0.0.1/8 ::1
my@bash $
my@bash $ grep -ri -B5 'ignoreip' jail.conf | head
# "ignorself" specifies whether the local resp. own IP addresses should be ignored
# (default is true). Fail2ban will not ban a host which matches such addresses.
#ignorself = true
# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
# will not ban a host which matches an address in this list. Several addresses
# can be defined using space (and/or comma) separator.
#ignoreip = 127.0.0.1/8 ::1
my@bash $
my@bash $
my@bash $
my@bash $ ## As is customary on Debian, people like to work with a copy named jail.local:
my@bash $ cp jail.conf jail.local
my@bash $
my@bash $ vi jail.local
my@bash $ grep ^ignore jail.local
ignoreip = 127.0.0.1/8 ::1 192.168.2.202
ignorecommand =
ignorecommand = %(ignorecommands_dir)s/apache-fakegooglebot <ip>
my@bash $
my@bash $
my@bash $
my@bash $ rc-service fail2ban restart
* Stopping fail2ban ... [ ok ]
* Starting fail2ban ...
2021-01-04 10:47:31,185 fail2ban.jailreader [864]: ERROR No file(s) found for glob /var/log/auth.log
2021-01-04 10:47:31,186 fail2ban [864]: ERROR Failed during configuration: Have not found any log file for sshd jail
* start-stop-daemon: failed to start `/usr/bin/fail2ban-client'
* Failed to start fail2ban [ !! ]
* ERROR: fail2ban failed to start
my@bash $
my@bash $
my@bash $ grep /var/log/auth.log jail.local
my@bash $
my@bash $ grep -r /var/log/auth.log .
./paths-common.conf:syslog_authpriv = /var/log/auth.log
my@bash $
my@bash $
my@bash $ rc-service fail2ban restart
* Starting fail2ban ...
2021-01-04 10:48:41,397 fail2ban.jailreader [888]: ERROR No file(s) found for glob /var/log/auth.log
2021-01-04 10:48:41,398 fail2ban [888]: ERROR Failed during configuration: Have not found any log file for sshd jail
* start-stop-daemon: failed to start `/usr/bin/fail2ban-client'
* Failed to start fail2ban [ !! ]
* ERROR: fail2ban failed to start
my@bash $
my@bash $
my@bash $ mv jail.local ~
my@bash $
my@bash $ rc-service fail2ban restart
* Starting fail2ban ...
Server ready [ ok ]
my@bash $
my@bash $ ## >> Something is off here: with jail.local present, /var/log/auth.log is searched for, Debian-style. The cause is the read order, not the package: fail2ban reads jail.conf, then jail.d/*.conf, then jail.local, then jail.d/*.local. A jail.local that is a full copy of jail.conf therefore re-applies the [sshd] section's 'logpath = %(sshd_log)s' after the Alpine drop-in and undoes its 'logpath = /var/log/messages'; sshd_log resolves via paths-common.conf to /var/log/auth.log, which busybox syslogd does not write.
my@bash $
my@bash $ grep ignoreip jail.conf
# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
#ignoreip = 127.0.0.1/8 ::1
my@bash $
my@bash $
my@bash $ ## Try changing it directly in jail.conf instead:
my@bash $ vi jail.conf
my@bash $
my@bash $ rc-service fail2ban restart
* Stopping fail2ban ... [ ok ]
* Starting fail2ban ...
Server ready [ ok ]
my@bash $
my@bash $ ## >> The change in this default jail configuration file was accepted. It will, however, be overwritten by the next package upgrade; the cleaner way is a minimal jail.local that contains only a [DEFAULT] section with the ignoreip line.
my@bash $
my@bash $
my@bash $ grep ^ignoreip jail.conf
ignoreip = 127.0.0.1/8 ::1 192.168.2.202
my@bash $
my@bash $
my@bash $ tail -f /var/log/fail2ban.log
2021-01-04 10:52:17,982 fail2ban.jail [971]: INFO Creating new jail 'sshd-ddos'
2021-01-04 10:52:17,983 fail2ban.jail [971]: INFO Jail 'sshd-ddos' uses poller {}
2021-01-04 10:52:17,984 fail2ban.jail [971]: INFO Initiated 'polling' backend
2021-01-04 10:52:17,986 fail2ban.filter [971]: INFO Added logfile: '/var/log/messages' (pos = 56220, hash = 8271a07d126f4f38550a77627100fd020839c55c)
2021-01-04 10:52:17,986 fail2ban.filter [971]: INFO encoding: UTF-8
2021-01-04 10:52:17,987 fail2ban.filter [971]: INFO maxRetry: 3
2021-01-04 10:52:17,987 fail2ban.filter [971]: INFO findtime: 600
2021-01-04 10:52:17,987 fail2ban.actions [971]: INFO banTime: 600
2021-01-04 10:52:17,990 fail2ban.jail [971]: INFO Jail 'sshd' started
2021-01-04 10:52:17,991 fail2ban.jail [971]: INFO Jail 'sshd-ddos' started
2021-01-04 10:55:14,657 fail2ban.filter [971]: INFO [sshd] Ignore 192.168.2.202 by ip
2021-01-04 10:55:14,859 fail2ban.filter [971]: INFO [sshd] Ignore 192.168.2.202 by ip
2021-01-04 10:55:22,880 fail2ban.filter [971]: INFO [sshd] Ignore 192.168.2.202 by ip
2021-01-04 10:55:22,880 fail2ban.filter [971]: INFO [sshd] Ignore 192.168.2.202 by ip
2021-01-04 10:55:24,886 fail2ban.filter [971]: INFO [sshd] Ignore 192.168.2.202 by ip
2021-01-04 10:55:25,087 fail2ban.filter [971]: INFO [sshd] Ignore 192.168.2.202 by ip
2021-01-04 10:55:27,092 fail2ban.filter [971]: INFO [sshd] Ignore 192.168.2.202 by ip
2021-01-04 10:55:27,092 fail2ban.filter [971]: INFO [sshd] Ignore 192.168.2.202 by ip
2021-01-04 10:55:29,097 fail2ban.filter [971]: INFO [sshd] Ignore 192.168.2.202 by ip
2021-01-04 10:55:29,097 fail2ban.filter [971]: INFO [sshd] Ignore 192.168.2.202 by ip
2021-01-04 10:55:35,111 fail2ban.filter [971]: INFO [sshd] Ignore 192.168.2.202 by ip
2021-01-04 10:55:35,714 fail2ban.filter [971]: INFO [sshd] Ignore 192.168.2.202 by ip
2021-01-04 10:55:36,318 fail2ban.filter [971]: INFO [sshd] Ignore 192.168.2.202 by ip
2021-01-04 10:55:36,520 fail2ban.filter [971]: INFO [sshd] Ignore 192.168.2.202 by ip
^C
my@bash $
my@bash $ # >> Failed attempts are indeed ignored.
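The logic the two tests above exercise, as an added example in Python (this is not fail2ban's own code): a simplified sshd filter regex, a per-host sliding window of findtime seconds, a ban after maxretry hits that expires after bantime, the manual unban, and the ignoreip exception. The log lines are constructed after the /var/log/messages excerpts on this page; LINE_RE and FAIL_RE are a stand-in for the packaged alpine-sshd filter, and DNS names in ignoreip are not modelled.

```python
"""Model of what the sshd jail above does with /var/log/messages lines.

Added example, not fail2ban's code.  LINE_RE/FAIL_RE are a simplified
stand-in for the packaged alpine-sshd filter; SAMPLE_LOG is constructed
after the log excerpts on this page.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# busybox syslogd format: "Jan  4 09:41:35 alp-router auth.info sshd[548]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ \S+ sshd\[\d+\]: (?P<msg>.*)$"
)
# Simplified failregex; the real filter also counts other sshd failure messages
FAIL_RE = re.compile(
    r"^Failed password for (?:invalid user )?\S+ from (?P<host>\S+) port \d+ ssh2$"
)


def _seconds(ts, year):
    """Syslog stamps carry no year; return seconds since Jan 1 of `year`."""
    dt = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
    return (dt - datetime(year, 1, 1)).total_seconds()


class Jail:
    def __init__(self, maxretry=3, findtime=600, bantime=600, ignoreip=()):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.ignore = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
        self.failures = defaultdict(deque)  # host -> failure times inside findtime
        self.bans = {}                      # host -> time at which the ban expires
        self.events = []                    # ("found" | "ignore" | "ban", host, time)

    def ignored(self, host):
        """ignoreip: addresses and CIDR networks that are never banned."""
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            return False
        return any(ip in net for net in self.ignore)

    def feed(self, line, year=2021):
        """Process one log line; returns the event type, or None if no failure."""
        m = LINE_RE.match(line)
        f = FAIL_RE.match(m["msg"]) if m else None
        if not f:
            return None
        now, host = _seconds(m["ts"], year), f["host"]
        if self.ignored(host):
            self.events.append(("ignore", host, now))
            return "ignore"
        self.events.append(("found", host, now))
        window = self.failures[host]
        window.append(now)
        while window[0] < now - self.findtime:  # forget failures older than findtime
            window.popleft()
        if len(window) >= self.maxretry and not self.is_banned(host, now):
            self.bans[host] = now + self.bantime
            self.events.append(("ban", host, now))
            return "ban"
        return "found"

    def is_banned(self, host, now):
        """True while a ban is active; an elapsed bantime lifts it automatically."""
        until = self.bans.get(host)
        if until is not None and now >= until:
            del self.bans[host]
            return False
        return until is not None

    def unban(self, host):
        """Equivalent of `fail2ban-client set sshd unbanip <host>`."""
        return self.bans.pop(host, None) is not None


# Constructed after the page's excerpts: 3 failures in 4 s from 192.168.2.202,
# then 3 failures 15 min apart from 10.1.1.3 (never 3 inside one findtime).
SAMPLE_LOG = """\
Jan  4 09:41:32 alp-router auth.info sshd[548]: Invalid user fritzzz from 192.168.2.202 port 36824
Jan  4 09:41:35 alp-router auth.info sshd[548]: Failed password for invalid user fritzzz from 192.168.2.202 port 36824 ssh2
Jan  4 09:41:37 alp-router auth.info sshd[548]: Failed password for invalid user fritzzz from 192.168.2.202 port 36824 ssh2
Jan  4 09:41:39 alp-router auth.info sshd[548]: Failed password for invalid user fritzzz from 192.168.2.202 port 36824 ssh2
Jan  4 09:41:39 alp-router auth.info sshd[548]: Connection closed by invalid user fritzzz 192.168.2.202 port 36824 [preauth]
Jan  4 09:50:01 alp-router auth.info sshd[560]: Failed password for tux from 10.1.1.3 port 40001 ssh2
Jan  4 10:05:02 alp-router auth.info sshd[561]: Failed password for tux from 10.1.1.3 port 40002 ssh2
Jan  4 10:20:03 alp-router auth.info sshd[562]: Failed password for tux from 10.1.1.3 port 40003 ssh2
"""


def run(log, **jail_options):
    jail = Jail(**jail_options)
    for line in log.splitlines():
        jail.feed(line)
    return jail


if __name__ == "__main__":
    for event in run(SAMPLE_LOG).events:
        print(event)
    print("banned with ignoreip:", run(SAMPLE_LOG, ignoreip=("192.168.2.202",)).bans)
```

With the page's settings (maxretry = 3, findtime = 600, bantime = 600) only 192.168.2.202 gets banned; 10.1.1.3 never accumulates three failures inside one findtime window, and with 192.168.2.202 in ignoreip its lines are logged as "ignore" and no ban is issued.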
Summing up:
Alpine ships a good default configuration (even a second jail, sshd-ddos, against connection floods)
The distribution config lives in /etc/fail2ban/jail.d/alpine-ssh.conf
Copying jail.conf to jail.local is NOT advisable here: jail.local is read after jail.d/*.conf, so the full copy reverts the drop-in's logpath to the Debian-style /var/log/auth.log. A jail.local should contain only the settings you actually change.
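Why the full copy of jail.conf broke the sshd jail, reproduced with Python's configparser (added example, not fail2ban's code). fail2ban reads jail.conf, then jail.d/*.conf, then jail.local, then jail.d/*.local, each later file overriding the earlier ones key by key. The three file bodies below are constructed stand-ins for the packaged jail.conf (with the paths-*.conf variable sshd_log collapsed into [DEFAULT]), Alpine's jail.d/alpine-ssh.conf, and a minimal jail.local; fail2ban's [INCLUDES] mechanism and its cross-section interpolation are not modelled.

```python
"""Emulate fail2ban's jail configuration merge order.

Added example, not fail2ban's code.  The file bodies are constructed
stand-ins; 'sshd_log' in [DEFAULT] replaces the paths-common.conf chain
(sshd_log -> syslog_authpriv -> /var/log/auth.log) seen on this page.
"""
import configparser
from fnmatch import fnmatch

JAIL_CONF = """\
[DEFAULT]
ignoreip = 127.0.0.1/8 ::1
bantime  = 10m
findtime = 10m
maxretry = 5
enabled  = false
sshd_log = /var/log/auth.log

[sshd]
port    = ssh
logpath = %(sshd_log)s
"""

ALPINE_DROPIN = """\
[sshd]
enabled  = true
filter   = alpine-sshd
port     = ssh
logpath  = /var/log/messages
maxretry = 10
"""

# A jail.local that overrides only what we want changed
MINIMAL_LOCAL = """\
[DEFAULT]
ignoreip = 127.0.0.1/8 ::1 192.168.2.202
"""


def read_order(names):
    """Sort file names the way fail2ban's ConfigReader reads them:
    jail.conf, jail.d/*.conf (sorted), jail.local, jail.d/*.local (sorted)."""
    def rank(name):
        if name == "jail.conf":
            return (0, name)
        if fnmatch(name, "jail.d/*.conf"):
            return (1, name)
        if name == "jail.local":
            return (2, name)
        if fnmatch(name, "jail.d/*.local"):
            return (3, name)
        raise ValueError(f"not a fail2ban jail config file: {name}")
    return sorted(names, key=rank)


def merge(files):
    """files: {name: contents}.  Later files override earlier ones key by key."""
    cp = configparser.ConfigParser()   # BasicInterpolation resolves %(sshd_log)s
    for name in read_order(files):
        cp.read_string(files[name], source=name)
    return cp


def sshd_logpath(files):
    return merge(files).get("sshd", "logpath")


def enabled_jails(files):
    cp = merge(files)
    return [s for s in cp.sections() if cp.getboolean(s, "enabled")]


if __name__ == "__main__":
    base = {"jail.conf": JAIL_CONF, "jail.d/alpine-ssh.conf": ALPINE_DROPIN}
    print("drop-in only:     ", sshd_logpath(base))
    print("full-copy local:  ", sshd_logpath({**base, "jail.local": JAIL_CONF}))
    print("minimal local:    ", sshd_logpath({**base, "jail.local": MINIMAL_LOCAL}))
```

A jail.local holding only the [DEFAULT] ignoreip line keeps the drop-in's logpath and maxretry, whereas the full copy re-applies 'logpath = %(sshd_log)s' after the drop-in and ends up at /var/log/auth.log, which is exactly the error fail2ban printed above.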
Firewall configuration
The question arises how the dynamic rules generated by fail2ban are integrated into the distribution's existing rule set. The banaction directive selects the firewall framework to use. The value iptables-multiport means plain iptables: a chain f2b-<jail> per jail, hooked into INPUT for the jail's ports, with one REJECT rule per banned host. That is the case on Alpine Linux 3.9:
my@bash $ grep -ir ^banaction /etc/fail2ban/jail.conf
banaction = iptables-multiport
banaction_allports = iptables-allports
banaction = %(banaction_allports)s
banaction = %(banaction_allports)s
banaction = iptables-multiport-log
banaction = %(banaction_allports)s
my@bash $
On CentOS 7, however, there are problems in VPS/VPC environments such as OpenVZ: firewalld is active there, and the packaged drop-in /etc/fail2ban/jail.d/00-firewalld.conf selects the banaction firewallcmd-ipset, which relies on ipset, a kernel feature OpenVZ containers do not provide. So we first change that file
to the following values:
[DEFAULT]
# Wegen der OpenVZ-Umgebung, die kein 'ipset' unterstützt:
#banaction = firewallcmd-ipset
banaction = iptables-multiport
banaction_allports = iptables-allports
Next comes the installation of the required package and the switch from one service to the other:
yum install iptables-services
systemctl stop firewalld
systemctl start iptables
systemctl restart fail2ban
The static iptables rules are then kept in /etc/sysconfig/iptables and /etc/sysconfig/ip6tables. Note that stop/start only changes the running state; for the switch to survive a reboot, disable firewalld and enable iptables with systemctl as well.
See also:
https://foe.flourishes1966.space/firewalld-ipset.html („The ipset command doesn’t work under OpenVZ“)
https://unix.stackexchange.com/questions/372396/fail2ban-fails-to-start-on-centos-7
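A check that the ban fail2ban reports is really present in the packet filter, as an added example in Python (not fail2ban's code). Whatever banaction is selected, fail2ban-client status only reflects the server's own state; if the f2b-<jail> chain was flushed or unhooked behind its back (a firewalld reload, an iptables -F, a container restart), the status still shows the ban while nothing is blocked. IPTABLES_OUTPUT is a constructed copy of the iptables -vnL listing shown under c) above, and the jail name is derived from the chain name f2b-sshd.

```python
"""Reconcile fail2ban's ban list with the f2b-* chains in the packet filter.

Added example, not fail2ban's code.  IPTABLES_OUTPUT is a constructed copy
of the `iptables -vnL` listing on this page; on a live system feed it the
real output of `iptables -vnL` and the IP list from
`fail2ban-client status <jail>`.
"""
import re

IPTABLES_OUTPUT = """\
Chain INPUT (policy ACCEPT 5 packets, 180 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2   120 f2b-sshd   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 2 packets, 176 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain f2b-sshd (1 references)
 pkts bytes target     prot opt in     out     source               destination
    2   120 REJECT     all  --  *      *       192.168.2.202        0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \((.*)\)$")


def parse_iptables(text):
    """Return {chain name: [rule dict, ...]} from `iptables -vnL` output."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        if current is None or not line.strip() or line.split()[0] == "pkts":
            continue
        f = line.split()  # pkts bytes target prot opt in out source destination [extra]
        chains[current].append({"target": f[2], "prot": f[3], "source": f[7],
                                "destination": f[8], "extra": " ".join(f[9:])})
    return chains


def firewall_banned(chains):
    """{jail: set of sources} blocked by REJECT/DROP rules in f2b-<jail> chains."""
    return {name[4:]: {r["source"] for r in rules if r["target"] in ("REJECT", "DROP")}
            for name, rules in chains.items() if name.startswith("f2b-")}


def chain_hooked(chains, jail):
    """A jail chain only bites if INPUT jumps to it (iptables-multiport inserts that rule)."""
    return any(r["target"] == f"f2b-{jail}" for r in chains.get("INPUT", []))


def reconcile(client_banned, chains):
    """client_banned: {jail: set of IPs} as printed by `fail2ban-client status <jail>`.
    Reports bans the firewall does not enforce and firewall entries fail2ban forgot."""
    fw = firewall_banned(chains)
    return {jail: {"hooked": chain_hooked(chains, jail),
                   "missing_in_firewall": ips - fw.get(jail, set()),
                   "stale_in_firewall": fw.get(jail, set()) - ips}
            for jail, ips in client_banned.items()}


if __name__ == "__main__":
    print(reconcile({"sshd": {"192.168.2.202"}}, parse_iptables(IPTABLES_OUTPUT)))
```

For the listing above the result is clean (hooked, nothing missing, nothing stale); with the REJECT rule flushed, 192.168.2.202 shows up under missing_in_firewall even though fail2ban-client would still list it as banned, which is the condition worth alerting on.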
Other binaries
my@bash $ apk info -L fail2ban | grep bin
usr/bin/fail2ban-server
usr/bin/fail2ban-client
usr/bin/fail2ban-python
usr/bin/fail2ban-regex
usr/bin/fail2ban-testcases
my@bash $
my@bash $
my@bash $ /usr/bin/fail2ban-server --help
Usage: fail2ban-server [OPTIONS]
Fail2Ban v0.10.3.fix1 reads log file that contains password failure report
and bans the corresponding IP addresses using firewall rules.
Options:
-c <DIR> configuration directory
-s <FILE> socket path
-p <FILE> pidfile path
--loglevel <LEVEL> logging level
--logtarget <TARGET> logging target, use file-name or stdout, stderr, syslog or sysout.
--syslogsocket auto|<FILE>
-d dump configuration. For debugging
--dp, --dump-pretty dump the configuration using more human readable representation
-t, --test test configuration (can be also specified with start parameters)
-i interactive mode
-v increase verbosity
-q decrease verbosity
-x force execution of the server (remove socket file)
-b start server in background (default)
-f start server in foreground
--async start server in async mode (for internal usage only, don't read configuration)
--timeout timeout to wait for the server (for internal usage only, don't read configuration)
--str2sec <STRING> convert time abbreviation format to seconds
-h, --help display this help message
-V, --version print the version
Report bugs to https://github.com/fail2ban/fail2ban/issues
my@bash $
my@bash $
my@bash $ /usr/bin/fail2ban-server -t
OK: configuration test is successful
my@bash $
my@bash $ /usr/bin/fail2ban-client --help 2>/dev/null | head -15
Usage: fail2ban-client [OPTIONS] <COMMAND>
Fail2Ban v0.10.3.fix1 reads log file that contains password failure report
and bans the corresponding IP addresses using firewall rules.
Options:
-c <DIR> configuration directory
-s <FILE> socket path
-p <FILE> pidfile path
--loglevel <LEVEL> logging level
--logtarget <TARGET> logging target, use file-name or stdout, stderr, syslog or sysout.
--syslogsocket auto|<FILE>
-d dump configuration. For debugging
--dp, --dump-pretty dump the configuration using more human readable representation
-t, --test test configuration (can be also specified with start parameters)
my@bash $
my@bash $
my@bash $ /usr/bin/fail2ban-client -t
OK: configuration test is successful
my@bash $
my@bash $
my@bash $ /usr/bin/fail2ban-regex --help 2>/dev/null | head -15
Usage: /usr/bin/fail2ban-regex [OPTIONS] <LOG> <REGEX> [IGNOREREGEX]
Fail2Ban reads log file that contains password failure report
and bans the corresponding IP addresses using firewall rules.
This tools can test regular expressions for "fail2ban".
LOG:
string a string representing a log line
filename path to a log file (/var/log/auth.log)
"systemd-journal" search systemd journal (systemd-python required)
REGEX:
string a string representing a 'failregex'
my@bash $
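What fail2ban-regex does with its LOG, REGEX and IGNOREREGEX arguments, reduced to a small Python function (added example, not fail2ban's code): expand the <HOST> tag used in filter.d/*.conf, try every failregex on each line, discard matches that also hit the ignoreregex, and report matched hosts, ignored lines and missed lines. The <HOST> expansion is a simplified IPv4/hostname form, the two failregex entries are cut down from the sshd filter, the ignoreregex and the 192.168.2.1 line are assumptions made for the demo, and the other SAMPLE lines are constructed after the excerpts on this page.

```python
"""Stand-in for `fail2ban-regex <LOG> <REGEX> [IGNOREREGEX]`.

Added example, not fail2ban's code.  HOST_TAG is a simplified <HOST>
expansion (IPv4 and host names only; fail2ban's real one also handles IPv6
and IPv4-mapped forms).  FAILREGEX is cut down from the sshd filter.
IGNOREREGEX and the 192.168.2.1 line are assumptions for the demo.
"""
import re

HOST_TAG = r"(?P<host>[\w\-.]+)"


def compile_failregex(patterns):
    """filter.d/*.conf writes <HOST> where the capturing host group belongs."""
    return [re.compile(p.replace("<HOST>", HOST_TAG)) for p in patterns]


def run_regex(log_lines, failregex, ignoreregex=None):
    """Classify each line as matched (with host), ignored or missed, like the
    fail2ban-regex summary; ignoreregex only discards lines a failregex hit."""
    fails = compile_failregex(failregex)
    ignore = re.compile(ignoreregex) if ignoreregex else None
    result = {"matched": [], "ignored": [], "missed": [], "hosts": {}}
    for line in log_lines:
        match = next((m for m in (rx.search(line) for rx in fails) if m), None)
        if match is None:
            result["missed"].append(line)
        elif ignore is not None and ignore.search(line):
            result["ignored"].append(line)
        else:
            host = match["host"]
            result["matched"].append((host, line))
            result["hosts"][host] = result["hosts"].get(host, 0) + 1
    return result


FAILREGEX = [
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from <HOST> port \d+ ssh2$",
    r"sshd\[\d+\]: Invalid user \S+ from <HOST> port \d+$",
]
IGNOREREGEX = r"from 192\.168\.2\.1 port"  # assumption: a monitoring host probing sshd

# Constructed after this page's /var/log/messages excerpts (last line assumed)
SAMPLE = [
    "Jan  4 09:38:41 alp-router auth.info sshd[540]: Accepted publickey for tux from 192.168.2.202 port 36822 ssh2",
    "Jan  4 09:41:32 alp-router auth.info sshd[548]: Invalid user fritzzz from 192.168.2.202 port 36824",
    "Jan  4 09:41:35 alp-router auth.info sshd[548]: Failed password for invalid user fritzzz from 192.168.2.202 port 36824 ssh2",
    "Jan  4 09:41:37 alp-router auth.info sshd[548]: Failed password for invalid user fritzzz from 192.168.2.202 port 36824 ssh2",
    "Jan  4 09:41:39 alp-router auth.info sshd[548]: Connection closed by invalid user fritzzz 192.168.2.202 port 36824 [preauth]",
    "Jan  4 09:45:10 alp-router auth.info sshd[552]: Failed password for tux from 192.168.2.1 port 50000 ssh2",
]


if __name__ == "__main__":
    r = run_regex(SAMPLE, FAILREGEX, IGNOREREGEX)
    print("hosts:", r["hosts"])
    print("ignored:", len(r["ignored"]), "missed:", len(r["missed"]))
    for line in r["missed"]:
        print("  missed:", line)
```

The missed list is the part worth reading when a jail does not fire: a failregex written as 'Failed password for \S+ from <HOST>' quietly skips every "invalid user" line because of the extra words, and this function shows that the same way fail2ban-regex's "Missed line(s)" output does.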
On fail2ban-regex see also:
Another tool from the package:
my@bash $ /usr/bin/fail2ban-testcases --help 2>/dev/null | head -15
Usage: /usr/bin/fail2ban-testcases [OPTIONS] [regexps]
Script to run Fail2Ban tests battery
Options:
--version show program's version number and exit
-h, --help show this help message and exit
-l LOG_LEVEL, --log-level=LOG_LEVEL
Log level for the logger to use during running tests
-v Increase verbosity
--verbosity=VERBOSITY
Set numerical level of verbosity (0..4)
--log-direct Prevent lazy logging inside tests
-n, --no-network Do not run tests that require the network
-g, --no-gamin Do not run tests that require the gamin
my@bash $
An interesting tool that counters port scans: https://www.linux-magazin.de/ausgaben/2012/02/einfuehrung2/
my@bash $ apk -dv search portsentry
my@bash $
my@bash $ cat /etc/apk/repositories
http://dl-cdn.alpinelinux.org/alpine/v3.9/main
http://dl-cdn.alpinelinux.org/alpine/v3.9/community
my@bash $
tux@deb-int1:~$ ## Debian has the package in its repo:
tux@deb-int1:~$ apt-cache show portsentry
Package: portsentry
Source: portsentry (1.2-14)
Version: 1.2-14+b1
Installed-Size: 175
Maintainer: Dario Minnucci <midget@debian.org>
Architecture: amd64
Depends: libc6 (>= 2.15), debconf (>= 1.2.9) | debconf-2.0, net-tools, procps, libfile-temp-perl
Recommends: tcpd
Suggests: logcheck
Description-en: Portscan detection daemon
PortSentry has the ability to detect portscans(including stealth scans) on
the network interfaces of your machine. Upon alarm it can block the
attacker via hosts.deny, dropped route or firewall rule. It is part of the
Abacus program suite.
.
Note: If you have no idea what a port/stealth scan is, It's recommended to
have a look at http://sf.net/projects/sentrytools/ before installing this
package. Otherwise you might easily block hosts you'd better not (e.g. your
NFS-server, name-server, etc.).
Description-md5: ff8ecc87ed516a7095261180d5556efa
Homepage: http://sentrytools.sourceforge.net/
Tag: implemented-in::c, interface::daemon, network::server, network::service,
role::program, security::ids, use::monitor
Section: net
Priority: optional
Filename: pool/main/p/portsentry/portsentry_1.2-14+b1_amd64.deb
Size: 70976
MD5sum: cddab7d92dda7d81ab8f243ed71b591c
SHA256: b99f3709a4894d8f3340ef03dfddcf3946cebcf1a931219e6bf2ef32c9d27b7a
tux@deb-int1:~$ exit
my@bash $
DEBIAN 10
root@deb10srv:~# ## On to 212.4 Security tasks
root@deb10srv:~# ## ==============================
root@deb10srv:~#
root@deb10srv:~# ## => p. 491 ff. and https://pemmann.de/cc/Doc/Abuild/_build/html/handouts/202.html#fail2ban-ein-intrusion-prevention-system-ips
root@deb10srv:~#
root@deb10srv:~#
root@deb10srv:~# ## How it works:
root@deb10srv:~#
root@deb10srv:~# # - monitoring of log files (login attempts; Debian: /var/log/auth.log)
root@deb10srv:~# # - blocking attackers by means of iptables packet-filter rules
root@deb10srv:~#
root@deb10srv:~#
root@deb10srv:~# ## Installation
root@deb10srv:~# ## ------------
root@deb10srv:~#
root@deb10srv:~# apt-get update
Get:1 http://security.debian.org/debian-security buster/updates InRelease [65.4 kB]
Hit:2 http://ftp.tu-chemnitz.de/debian buster InRelease
Get:3 http://ftp.tu-chemnitz.de/debian buster-updates InRelease [51.9 kB]
Get:4 http://security.debian.org/debian-security buster/updates/main Sources [185 kB]
Get:5 http://security.debian.org/debian-security buster/updates/main amd64 Packages [289 kB]
Get:6 http://security.debian.org/debian-security buster/updates/main Translation-en [150 kB]
Fetched 740 kB in 1s (654 kB/s)
Reading package lists... Done
root@deb10srv:~#
root@deb10srv:~#
root@deb10srv:~# apt-get install fail2ban
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
python3-pyinotify python3-systemd whois
Suggested packages:
mailx monit sqlite3 python-pyinotify-doc
The following NEW packages will be installed:
fail2ban python3-pyinotify python3-systemd whois
0 upgraded, 4 newly installed, 0 to remove and 1 not upgraded.
Need to get 527 kB of archives.
After this operation, 2,560 kB of additional disk space will be used.
Do you want to continue? [Y/n]
Preparing to unpack .../archives/whois_5.4.3_amd64.deb ...
Unpacking whois (5.4.3) ...
Setting up whois (5.4.3) ...
Setting up fail2ban (0.10.2-2.1) ...
Created symlink /etc/systemd/system/multi-user.target.wants/fail2ban.service → /lib/systemd/system/fail2ban.service.
[fail2ban-tmpfiles.conf:1] Line references path below legacy directory /var/run/, updating /var/run/fail2ban → /run/fail2ban; please update the tmpfiles.d/ drop-in file accordingly.
Setting up python3-pyinotify (0.9.6-1) ...
Setting up python3-systemd (234-2+b1) ...
Processing triggers for man-db (2.8.5-2) ...
Processing triggers for systemd (241-7~deb10u7) ...
root@deb10srv:~#
root@deb10srv:~#
root@deb10srv:~#
root@deb10srv:~# ## Configuration
root@deb10srv:~# ## -------------
root@deb10srv:~#
root@deb10srv:~# cd /etc/fail2ban/
root@deb10srv:/etc/fail2ban#
root@deb10srv:/etc/fail2ban# ls -l
total 60
drwxr-xr-x 2 root root 4096 Mai 20 08:13 action.d
-rw-r--r-- 1 root root 2334 Jan 18 2018 fail2ban.conf
drwxr-xr-x 2 root root 4096 Sep 23 2018 fail2ban.d
drwxr-xr-x 3 root root 4096 Mai 20 08:13 filter.d
-rw-r--r-- 1 root root 22897 Jan 18 2018 jail.conf
drwxr-xr-x 2 root root 4096 Mai 20 08:13 jail.d
-rw-r--r-- 1 root root 645 Jan 18 2018 paths-arch.conf
-rw-r--r-- 1 root root 2827 Jan 18 2018 paths-common.conf
-rw-r--r-- 1 root root 573 Jan 18 2018 paths-debian.conf
-rw-r--r-- 1 root root 738 Jan 18 2018 paths-opensuse.conf
root@deb10srv:/etc/fail2ban#
root@deb10srv:/etc/fail2ban#
root@deb10srv:/etc/fail2ban# ## Look for jails that are 'enabled':
root@deb10srv:/etc/fail2ban# grep -r enabled
jail.d/defaults-debian.conf:enabled = true
action.d/npf.conf:# we don't enable NPF automatically, as it will be enabled elsewhere
action.d/ipfilter.conf:# enable IPF if not already enabled
jail.conf:# enabled = true
jail.conf:# "enabled" enables the jails.
jail.conf:# true: jail will be enabled and log files will get monitored for changes
jail.conf:# false: jail is not enabled
jail.conf:enabled = false
filter.d/domino-smtp.conf:# console_log_enabled=1
filter.d/roundcube-auth.conf:# The userlogins log file can be enabled by setting $config['log_logins'] = true; in config.inc.php
root@deb10srv:/etc/fail2ban#
root@deb10srv:/etc/fail2ban#
root@deb10srv:/etc/fail2ban# ls -l jail.d/
total 4
-rw-r--r-- 1 root root 22 Sep 23 2018 defaults-debian.conf
root@deb10srv:/etc/fail2ban#
root@deb10srv:/etc/fail2ban# cat jail.d/defaults-debian.conf
[sshd]
enabled = true
root@deb10srv:/etc/fail2ban#
root@deb10srv:/etc/fail2ban# # >> sshd is the first service for which there is an enabled jail.
root@deb10srv:/etc/fail2ban#
root@deb10srv:/etc/fail2ban#
root@deb10srv:/etc/fail2ban# # Settings for bantime and ignoreip
root@deb10srv:/etc/fail2ban# # ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
root@deb10srv:/etc/fail2ban#
root@deb10srv:/etc/fail2ban# # => p. 492
root@deb10srv:/etc/fail2ban#
root@deb10srv:/etc/fail2ban# vi jail.conf
62 # "bantime" is the number of seconds that a host is banned.
63 bantime = 10m
64
51 # "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
52 # will not ban a host which matches an address in this list. Several addresses
53 # can be defined using space (and/or comma) separator.
54 ignoreip = 127.0.0.1/8 ::1 192.168.2.201/24
55
69 # "maxretry" is the number of failures before a host get banned.
70 maxretry = 3
71
72 # "backend" specifies the backend used to get files modification.
73 # Available options are "pyinotify", "gamin", "polling", "systemd" and "auto".
74 # This option can be overridden in each jail as well.
"jail.conf" 890L, 22913C geschrieben
root@deb10srv:/etc/fail2ban# ## The settings were:
root@deb10srv:/etc/fail2ban#
root@deb10srv:/etc/fail2ban# grep ^bantime jail.conf
bantime = 10m
bantime = 48h
bantime = 1w
bantime = 1h
root@deb10srv:/etc/fail2ban#
root@deb10srv:/etc/fail2ban# grep ^ignoreip jail.conf
ignoreip = 127.0.0.1/8 ::1 192.168.2.201/24
root@deb10srv:/etc/fail2ban#
root@deb10srv:/etc/fail2ban# grep ^maxretry jail.conf
maxretry = 3
maxretry = 1
maxretry = 2
maxretry = 2
maxretry = 2
maxretry = 1
maxretry = 2
maxretry = 1
maxretry = 2
maxretry = 1
maxretry = 10
maxretry = 10
maxretry = 2
maxretry = 1
maxretry = 1
maxretry = 1
root@deb10srv:/etc/fail2ban#
root@deb10srv:/etc/fail2ban# # >> the first value in each case is the global default
root@deb10srv:/etc/fail2ban#
root@deb10srv:/etc/fail2ban# ## No jails are active for other daemons:
root@deb10srv:/etc/fail2ban# grep "enabled = true" jail.conf
# enabled = true
root@deb10srv:/etc/fail2ban# grep "enabled = false" jail.conf
enabled = false
root@deb10srv:/etc/fail2ban#
root@deb10srv:/etc/fail2ban# # >> Nothing is defined here!
root@deb10srv:/etc/fail2ban#
root@deb10srv:/etc/fail2ban# ## For any other daemon you want to protect, take the relevant
root@deb10srv:/etc/fail2ban# ## section and write it into a small file under 'jail.d/':
root@deb10srv:/etc/fail2ban# grep -A4 apache-auth jail.conf > jail.d/apache-auth.conf
root@deb10srv:/etc/fail2ban# echo 'enabled = true' >> jail.d/apache-auth.conf
root@deb10srv:/etc/fail2ban#
root@deb10srv:/etc/fail2ban# cd
root@deb10srv:~#
root@deb10srv:~# ## Restart the daemon and test
root@deb10srv:~# ## ^^^^^^^^^^^^^^^^^^^^^^^^^^^
root@deb10srv:~#
root@deb10srv:~# systemctl restart fail2ban
root@deb10srv:~#
root@deb10srv:~# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
# Warning: iptables-legacy tables present, use iptables-legacy to see them
root@deb10srv:~#
root@deb10srv:~#
root@deb10srv:~# iptables-legacy -vnL
Chain INPUT (policy ACCEPT 63730 packets, 13M bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- lxdbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 /* generated for LXD network lxdbr0 */
0 0 ACCEPT udp -- lxdbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 /* generated for LXD network lxdbr0 */
0 0 ACCEPT udp -- lxdbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67 /* generated for LXD network lxdbr0 */
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * lxdbr0 0.0.0.0/0 0.0.0.0/0 /* generated for LXD network lxdbr0 */
0 0 ACCEPT all -- lxdbr0 * 0.0.0.0/0 0.0.0.0/0 /* generated for LXD network lxdbr0 */
Chain OUTPUT (policy ACCEPT 36513 packets, 3979K bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * lxdbr0 0.0.0.0/0 0.0.0.0/0 tcp spt:53 /* generated for LXD network lxdbr0 */
0 0 ACCEPT udp -- * lxdbr0 0.0.0.0/0 0.0.0.0/0 udp spt:53 /* generated for LXD network lxdbr0 */
0 0 ACCEPT udp -- * lxdbr0 0.0.0.0/0 0.0.0.0/0 udp spt:67 /* generated for LXD network lxdbr0 */
root@deb10srv:~#
root@deb10srv:~#
root@deb10srv:~# history 7
2049 iptables -vnL
2050 iptables-legacy -vnL
2051 iptables -t nat -vnL
2052 iptables-legacy -t nat -vnL
2053 iptables-legacy -t mangle -vnL
2054 iptables -t mangle -vnL
2055 history 7
root@deb10srv:~#
root@deb10srv:~# # >> No fail2ban rules are visible yet.
root@deb10srv:~#
root@deb10srv:~#
root@deb10srv:~# fail2ban-client status
Status
|- Number of jail: 2
`- Jail list: apache-auth, sshd
root@deb10srv:~#
root@deb10srv:~#
root@deb10srv:~# fail2ban-client status sshd
Status for the jail: sshd
|- Filter
| |- Currently failed: 0
| |- Total failed: 0
| `- File list: /var/log/auth.log
`- Actions
|- Currently banned: 0
|- Total banned: 0
`- Banned IP list:
root@deb10srv:~#
root@deb10srv:~#
tux@alp ~$ ssh 192.168.2.202
tux@192.168.2.202's password:
Linux deb10srv 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64
Willommen auf dem Containerhost!
Last login: Tue May 18 19:42:47 2021 from 192.168.2.201
tux@deb10srv:~$
tux@deb10srv:~$ lxc exec deb-srv bash
root@deb-srv:~#
root@deb-srv:~# ssh -l root -o HostKeyAlgorithms=ssh-ed25519 192.168.2.202
Enter passphrase for key '/root/.ssh/id_rsa':
Enter passphrase for key '/root/.ssh/id_rsa':
Enter passphrase for key '/root/.ssh/id_rsa':
root@192.168.2.202's password:
Permission denied, please try again.
root@192.168.2.202's password:
Permission denied, please try again.
root@192.168.2.202's password:
root@192.168.2.202: Permission denied (publickey,password).
root@deb-srv:~#
root@deb10srv:/etc/fail2ban#
root@deb10srv:/etc/fail2ban# fail2ban-client status sshd
Status for the jail: sshd
|- Filter
| |- Currently failed: 0
| |- Total failed: 0
| `- File list: /var/log/auth.log
`- Actions
|- Currently banned: 0
|- Total banned: 0
`- Banned IP list:
root@deb10srv:/etc/fail2ban#
root@deb10srv:/etc/fail2ban#
root@deb10srv:/etc/fail2ban# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
# Warning: iptables-legacy tables present, use iptables-legacy to see them
root@deb10srv:/etc/fail2ban#
root@deb10srv:/etc/fail2ban# iptables -vnL | grep fail
# Warning: iptables-legacy tables present, use iptables-legacy to see them
root@deb10srv:/etc/fail2ban#
root@deb10srv:/etc/fail2ban# iptables-legacy -vnL | grep fail
root@deb10srv:/etc/fail2ban#
root@deb10srv:/etc/fail2ban# iptables -t mangle -vnL | grep fail
# Warning: iptables-legacy tables present, use iptables-legacy to see them
root@deb10srv:/etc/fail2ban#
root@deb10srv:/etc/fail2ban# iptables-legacy -t mangle -vnL | grep fail
root@deb10srv:/etc/fail2ban#
root@deb10srv:/etc/fail2ban# ## >> Despite many failed attempts nothing happens; the iptables rules are missing too!
root@deb10srv:/etc/fail2ban#
root@deb10srv:/etc/fail2ban#
root@deb10srv:/etc/fail2ban#
root@deb10srv:/etc/fail2ban# # https://pemmann.de/cc/Kurse/Archiv/2021-01-lpic2-124-web/htmldoc/_build/html/lpi201-2021-01-04.html#firewall-konfiguration
root@deb10srv:/etc/fail2ban#
root@deb10srv:/etc/fail2ban# grep -ri ^banaction
jail.conf:banaction = iptables-multiport
jail.conf:banaction_allports = iptables-allports
jail.conf:banaction = %(banaction_allports)s
jail.conf:banaction = %(banaction_allports)s
jail.conf:banaction = iptables-multiport-log
jail.conf:banaction = %(banaction_allports)s
root@deb10srv:/etc/fail2ban#
root@deb10srv:/etc/fail2ban#
root@deb10srv:/etc/fail2ban# # >> "banaction = iptables-multiport" means that classic iptables is used, not
root@deb10srv:/etc/fail2ban# # firewalld.
root@deb10srv:/etc/fail2ban#
root@deb10srv:/etc/fail2ban# pgrep -alfi fire
root@deb10srv:/etc/fail2ban#
root@deb10srv:/etc/fail2ban#
root@deb10srv:/etc/fail2ban# systemctl status fail2ban
● fail2ban.service - Fail2Ban Service
Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2021-05-20 08:41:27 CEST; 18min ago
Docs: man:fail2ban(1)
Process: 19500 ExecStartPre=/bin/mkdir -p /var/run/fail2ban (code=exited, status=0/SUCCESS)
Main PID: 19501 (fail2ban-server)
Tasks: 5 (limit: 1356)
Memory: 14.8M
CGroup: /system.slice/fail2ban.service
└─19501 /usr/bin/python3 /usr/bin/fail2ban-server -xf start
Mai 20 08:41:27 deb10srv systemd[1]: fail2ban.service: Main process exited, code=killed, status=15/TERM
Mai 20 08:41:27 deb10srv systemd[1]: fail2ban.service: Succeeded.
Mai 20 08:41:27 deb10srv systemd[1]: Stopped Fail2Ban Service.
Mai 20 08:41:27 deb10srv systemd[1]: Starting Fail2Ban Service...
Mai 20 08:41:27 deb10srv systemd[1]: Started Fail2Ban Service.
Mai 20 08:41:28 deb10srv fail2ban-server[19501]: Server ready
root@deb10srv:/etc/fail2ban#
root@deb10srv:/etc/fail2ban#
root@deb10srv:/etc/fail2ban#
root@deb10srv:/etc/fail2ban# pam_tally --user tux
User tux (1000) has 17
root@deb10srv:/etc/fail2ban#
root@deb10srv:/etc/fail2ban# pam_tally --user tux --reset=0
User tux (1000) had 17
root@deb10srv:/etc/fail2ban#
root@deb10srv:/etc/fail2ban# pam_tally --user tux
User tux (1000) has 0
root@deb10srv:/etc/fail2ban#
root@deb10srv:/etc/fail2ban# vi /etc/pam.d/common-session
root@deb10srv:/etc/fail2ban#
root@deb10srv:/etc/fail2ban# vi /etc/pam.d/common-auth
root@deb10srv:/etc/fail2ban#
root@deb10srv:/etc/fail2ban# grep -A1 AXPE /etc/pam.d/common-auth
# AXPE:
#auth required pam_tally.so deny=3
root@deb10srv:/etc/fail2ban#
root@deb10srv:/etc/fail2ban#
root@deb10srv:/etc/fail2ban#
root@deb10srv:/etc/fail2ban# journalctl -f
-- Logs begin at Mon 2021-05-17 07:57:45 CEST. --
Mai 20 09:01:46 deb10srv sshd[16660]: pam_unix(sshd:session): session closed for user tux
Mai 20 09:01:46 deb10srv systemd-logind[349]: Session 217 logged out. Waiting for processes to exit.
Mai 20 09:01:46 deb10srv systemd[1]: session-217.scope: Succeeded.
Mai 20 09:01:46 deb10srv systemd-logind[349]: Removed session 217.
Mai 20 09:02:25 deb10srv sshd[19761]: pam_tally(sshd:auth): user tux (1000) tally 16, deny 3
Mai 20 09:02:27 deb10srv sshd[19761]: Failed password for tux from 192.168.2.211 port 58254 ssh2
Mai 20 09:02:32 deb10srv sshd[19761]: pam_tally(sshd:auth): user tux (1000) tally 17, deny 3
Mai 20 09:02:34 deb10srv sshd[19761]: Failed password for tux from 192.168.2.211 port 58254 ssh2
Mai 20 09:02:37 deb10srv sshd[19761]: Failed password for tux from 192.168.2.211 port 58254 ssh2
Mai 20 09:02:37 deb10srv sshd[19761]: Connection closed by authenticating user tux 192.168.2.211 port 58254 [preauth]
Mai 20 09:05:01 deb10srv CRON[19848]: pam_unix(cron:session): session opened for user root by (uid=0)
Mai 20 09:05:01 deb10srv CRON[19849]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
Mai 20 09:05:01 deb10srv CRON[19848]: pam_unix(cron:session): session closed for user root
Mai 20 09:05:06 deb10srv sshd[19851]: Accepted password for tux from 192.168.2.211 port 58256 ssh2
Mai 20 09:05:06 deb10srv sshd[19851]: pam_unix(sshd:session): session opened for user tux by (uid=0)
Mai 20 09:05:06 deb10srv systemd[1]: Started Session 250 of user tux.
Mai 20 09:05:06 deb10srv systemd-logind[349]: New session 250 of user tux.
Mai 20 09:05:11 deb10srv sshd[19857]: Received disconnect from 192.168.2.211 port 58256:11: disconnected by user
Mai 20 09:05:11 deb10srv sshd[19857]: Disconnected from user tux 192.168.2.211 port 58256
Mai 20 09:05:11 deb10srv sshd[19851]: pam_unix(sshd:session): session closed for user tux
Mai 20 09:05:11 deb10srv systemd[1]: session-250.scope: Succeeded.
Mai 20 09:05:11 deb10srv systemd-logind[349]: Session 250 logged out. Waiting for processes to exit.
Mai 20 09:05:11 deb10srv systemd-logind[349]: Removed session 250.
Mai 20 09:05:27 deb10srv sshd[19862]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.211 user=tux
Mai 20 09:05:29 deb10srv sshd[19862]: Failed password for tux from 192.168.2.211 port 58258 ssh2
Mai 20 09:05:33 deb10srv sshd[19862]: Failed password for tux from 192.168.2.211 port 58258 ssh2
Mai 20 09:05:35 deb10srv sshd[19862]: Connection closed by authenticating user tux 192.168.2.211 port 58258 [preauth]
Mai 20 09:05:35 deb10srv sshd[19862]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.211 user=tux
Mai 20 09:05:50 deb10srv sshd[19864]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.211 user=tux
Mai 20 09:05:53 deb10srv sshd[19864]: Failed password for tux from 192.168.2.211 port 58260 ssh2
Mai 20 09:06:00 deb10srv sshd[19864]: Failed password for tux from 192.168.2.211 port 58260 ssh2
Mai 20 09:06:06 deb10srv sshd[19864]: Failed password for tux from 192.168.2.211 port 58260 ssh2
Mai 20 09:06:06 deb10srv sshd[19864]: Connection closed by authenticating user tux 192.168.2.211 port 58260 [preauth]
Mai 20 09:06:06 deb10srv sshd[19864]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.211 user=tux
Mai 20 09:06:14 deb10srv sshd[19866]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.211 user=tux
Mai 20 09:06:16 deb10srv sshd[19866]: Failed password for tux from 192.168.2.211 port 58262 ssh2
Mai 20 09:06:19 deb10srv sshd[19866]: Failed password for tux from 192.168.2.211 port 58262 ssh2
Mai 20 09:06:23 deb10srv sshd[19866]: Failed password for tux from 192.168.2.211 port 58262 ssh2
Mai 20 09:06:23 deb10srv sshd[19866]: Connection closed by authenticating user tux 192.168.2.211 port 58262 [preauth]
Mai 20 09:06:23 deb10srv sshd[19866]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.211 user=tux
^C
root@deb10srv:/etc/fail2ban#
root@deb10srv:/etc/fail2ban#
root@deb10srv:/etc/fail2ban# pam_tally --user tux
User tux (1000) has 0
root@deb10srv:/etc/fail2ban#
root@deb10srv:/etc/fail2ban#
root@deb10srv:/etc/fail2ban# date
Do 20. Mai 09:07:09 CEST 2021
root@deb10srv:/etc/fail2ban#
root@deb10srv:/etc/fail2ban# fail2ban-client status sshd
Status for the jail: sshd
|- Filter
| |- Currently failed: 0
| |- Total failed: 0
| `- File list: /var/log/auth.log
`- Actions
|- Currently banned: 0
|- Total banned: 0
`- Banned IP list:
root@deb10srv:/etc/fail2ban#
root@deb10srv:/etc/fail2ban# ls -l /var/log/fail2ban.log
-rw-r----- 1 root adm 8160 Mai 20 09:06 /var/log/fail2ban.log
root@deb10srv:/etc/fail2ban#
root@deb10srv:/etc/fail2ban# less /var/log/fail2ban.log
2021-05-20 08:49:54,072 fail2ban.filter [19501]: INFO [sshd] Ignore 192.168.2.233 by ip
2021-05-20 08:49:59,617 fail2ban.filter [19501]: INFO [sshd] Ignore 192.168.2.233 by ip
2021-05-20 08:50:04,441 fail2ban.filter [19501]: INFO [sshd] Ignore 192.168.2.233 by ip
2021-05-20 09:02:28,217 fail2ban.filter [19501]: INFO [sshd] Ignore 192.168.2.211 by ip
2021-05-20 09:02:34,360 fail2ban.filter [19501]: INFO [sshd] Ignore 192.168.2.211 by ip
2021-05-20 09:02:37,909 fail2ban.filter [19501]: INFO [sshd] Ignore 192.168.2.211 by ip
2021-05-20 09:05:27,829 fail2ban.filter [19501]: INFO [sshd] Ignore 192.168.2.211 by ip
root@deb10srv:/etc/fail2ban# # >> We can see that SEVERAL addresses are being ignored!
root@deb10srv:/etc/fail2ban#
root@deb10srv:/etc/fail2ban# grep ^ignoreip jail.conf
ignoreip = 127.0.0.1/8 ::1 192.168.2.201/24
root@deb10srv:/etc/fail2ban#
root@deb10srv:/etc/fail2ban# # >> It may be that /24 causes the whole 192.168.2.0 network to be ignored!
root@deb10srv:/etc/fail2ban#
root@deb10srv:/etc/fail2ban#
root@deb10srv:/etc/fail2ban# sed -i 's;192.168.2.201/24;192.168.2.201;' jail.conf
root@deb10srv:/etc/fail2ban#
root@deb10srv:/etc/fail2ban# grep ^ignoreip jail.conf
ignoreip = 127.0.0.1/8 ::1 192.168.2.201
root@deb10srv:/etc/fail2ban#
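As an added example (not part of the handout), the following Python script replays constructed auth.log lines through the sshd-jail logic the transcript shows (ignoreip, maxretry 3, findtime 600) and demonstrates why the original '192.168.2.201/24' entry whitelisted the whole 192.168.2.0/24 net while the corrected entry only exempts the one host. The log lines, PIDs and ports are constructed (modelled on the journalctl output above), and the 192.168.3.9 source is invented to show the findtime window.

```python
import ipaddress
import re
from datetime import datetime

# Pattern for the sshd failure lines seen in auth.log / journalctl above.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+ ssh2"
)
LOG_YEAR = 2021  # syslog timestamps carry no year; assumed for the sample

def parse_ignoreip(value):
    """Split a jail.conf 'ignoreip' value into networks. strict=False masks
    the host bits the way fail2ban does: '192.168.2.201/24' -> 192.168.2.0/24."""
    return [ipaddress.ip_network(tok, strict=False)
            for tok in value.replace(",", " ").split()]

def is_ignored(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)

def simulate(lines, ignoreip, maxretry=3, findtime=600):
    """Replay failure lines the way the sshd jail would evaluate them.
    Returns (set of ignored IPs, {banned IP: timestamp of the ban})."""
    networks = parse_ignoreip(ignoreip)
    ignored, banned, recent = set(), {}, {}
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        ip = m.group("ip")
        ts = datetime.strptime(f"{LOG_YEAR} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        if is_ignored(ip, networks):
            ignored.add(ip)      # logged as 'Ignore <ip> by ip'
            continue
        if ip in banned:         # already banned; nothing more to do
            continue
        # keep only failures inside the findtime window, then add this one
        window = [t for t in recent.get(ip, []) if (ts - t).total_seconds() <= findtime]
        window.append(ts)
        recent[ip] = window
        if len(window) >= maxretry:   # maxretry 'Found' hits -> 'Ban'
            banned[ip] = ts
    return ignored, banned

# Constructed sample, modelled on the journalctl output above (pids/ports invented).
SAMPLE_AUTH_LOG = [
    "May 20 09:02:27 deb10srv sshd[19761]: Failed password for tux from 192.168.2.211 port 58254 ssh2",
    "May 20 09:02:34 deb10srv sshd[19761]: Failed password for tux from 192.168.2.211 port 58254 ssh2",
    "May 20 09:02:37 deb10srv sshd[19761]: Failed password for tux from 192.168.2.211 port 58254 ssh2",
    "May 20 09:13:14 deb10srv sshd[19990]: Failed password for tux from 192.168.2.233 port 40112 ssh2",
    "May 20 09:13:16 deb10srv sshd[19990]: Failed password for tux from 192.168.2.233 port 40112 ssh2",
    "May 20 09:13:23 deb10srv sshd[19990]: Failed password for tux from 192.168.2.233 port 40112 ssh2",
    "May 20 09:20:01 deb10srv sshd[20010]: Failed password for tux from 192.168.2.201 port 50001 ssh2",
    "May 20 09:20:05 deb10srv sshd[20010]: Failed password for tux from 192.168.2.201 port 50001 ssh2",
    "May 20 09:20:09 deb10srv sshd[20010]: Failed password for tux from 192.168.2.201 port 50001 ssh2",
    # three failures spread over more than findtime (600 s): never reaches maxretry
    "May 20 09:30:00 deb10srv sshd[20020]: Failed password for root from 192.168.3.9 port 6000 ssh2",
    "May 20 09:36:00 deb10srv sshd[20021]: Failed password for root from 192.168.3.9 port 6001 ssh2",
    "May 20 09:41:00 deb10srv sshd[20022]: Failed password for root from 192.168.3.9 port 6002 ssh2",
]
ORIGINAL_IGNOREIP = "127.0.0.1/8 ::1 192.168.2.201/24"   # value first found in jail.conf
FIXED_IGNOREIP = "127.0.0.1/8 ::1 192.168.2.201"        # value after the sed fix

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_IGNOREIP), ("fixed", FIXED_IGNOREIP)):
        ignored, banned = simulate(SAMPLE_AUTH_LOG, cfg)
        print(f"{label:8} ignored={sorted(ignored)} banned={sorted(banned)}")
```

With the original value every 192.168.2.x source is ignored and nothing is ever banned; with the fixed value only 192.168.2.201 is exempt and 192.168.2.211 and 192.168.2.233 are banned on their third failure.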
root@deb10srv:/etc/fail2ban# systemctl restart fail2ban
root@deb10srv:/etc/fail2ban#
root@deb10srv:/etc/fail2ban# tail -f /var/log/fail2ban.log
2021-05-20 09:12:31,355 fail2ban.jail [19997]: INFO Creating new jail 'apache-auth'
2021-05-20 09:12:31,356 fail2ban.jail [19997]: INFO Jail 'apache-auth' uses pyinotify {}
2021-05-20 09:12:31,358 fail2ban.jail [19997]: INFO Initiated 'pyinotify' backend
2021-05-20 09:12:31,363 fail2ban.filter [19997]: INFO Added logfile: '/var/log/apache2/error.log' (pos = 416, hash = 0a3f94a9dbb8953451e4e7ccd97ab3ea171f601d)
2021-05-20 09:12:31,364 fail2ban.filter [19997]: INFO encoding: UTF-8
2021-05-20 09:12:31,364 fail2ban.filter [19997]: INFO maxRetry: 3
2021-05-20 09:12:31,364 fail2ban.filter [19997]: INFO findtime: 600
2021-05-20 09:12:31,364 fail2ban.actions [19997]: INFO banTime: 600
2021-05-20 09:12:31,366 fail2ban.jail [19997]: INFO Jail 'sshd' started
2021-05-20 09:12:31,367 fail2ban.jail [19997]: INFO Jail 'apache-auth' started
2021-05-20 09:13:14,637 fail2ban.filter [19997]: INFO [sshd] Found 192.168.2.233 - 2021-05-20 09:13:14
2021-05-20 09:13:16,242 fail2ban.filter [19997]: INFO [sshd] Found 192.168.2.233 - 2021-05-20 09:13:16
2021-05-20 09:13:23,722 fail2ban.filter [19997]: INFO [sshd] Found 192.168.2.233 - 2021-05-20 09:13:23
2021-05-20 09:13:24,038 fail2ban.actions [19997]: NOTICE [sshd] Ban 192.168.2.233
root@deb-srv:~#
root@deb-srv:~# ssh -l tux -o HostKeyAlgorithms=ssh-ed25519 192.168.2.202
tux@192.168.2.202's password:
Permission denied, please try again.
tux@192.168.2.202's password:
Permission denied, please try again.
tux@192.168.2.202's password:
### ... it takes a long, long time ... ###
Connection closed by 192.168.2.202 port 22
root@deb-srv:~#
root@deb10srv:/etc/fail2ban#
root@deb10srv:/etc/fail2ban# ## After ending 'tail -f /var/log/fail2ban.log' we see the following:
root@deb10srv:/etc/fail2ban# fail2ban-client status sshd
Status for the jail: sshd
|- Filter
| |- Currently failed: 0
| |- Total failed: 3
| `- File list: /var/log/auth.log
`- Actions
|- Currently banned: 1
|- Total banned: 1
`- Banned IP list: 192.168.2.233
root@deb10srv:/etc/fail2ban#
root@deb10srv:/etc/fail2ban#
root@deb10srv:/etc/fail2ban# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
861 60932 f2b-sshd tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 22
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain f2b-sshd (1 references)
pkts bytes target prot opt in out source destination
21 2040 REJECT all -- * * 192.168.2.233 0.0.0.0/0 reject-with icmp-port-unreachable
840 58892 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
# Warning: iptables-legacy tables present, use iptables-legacy to see them
root@deb10srv:/etc/fail2ban#
root@deb10srv:/etc/fail2ban#
root@deb10srv:/etc/fail2ban# # >> On Debian the chain is called 'f2b-sshd' and lives in the new nftables framework.
root@deb10srv:/etc/fail2ban#
root@deb10srv:/etc/fail2ban#
root@deb10srv:/etc/fail2ban# ## Unban the client with iptables instead of with 'fail2ban-client set sshd unbanip 192.168.2.233':
root@deb10srv:/etc/fail2ban# iptables -vnL f2b-sshd --line-numbers
Chain f2b-sshd (1 references)
num pkts bytes target prot opt in out source destination
1 25 2280 REJECT all -- * * 192.168.2.233 0.0.0.0/0 reject-with icmp-port-unreachable
2 1416 99780 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
# Warning: iptables-legacy tables present, use iptables-legacy to see them
root@deb10srv:/etc/fail2ban#
root@deb10srv:/etc/fail2ban#
root@deb10srv:/etc/fail2ban# iptables -D f2b-sshd 1
root@deb10srv:/etc/fail2ban#
root@deb10srv:/etc/fail2ban# iptables -vnL f2b-sshd --line-numbers
Chain f2b-sshd (1 references)
num pkts bytes target prot opt in out source destination
1 1535 110K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
# Warning: iptables-legacy tables present, use iptables-legacy to see them
root@deb10srv:/etc/fail2ban#
root@deb10srv:/etc/fail2ban#
root@deb10srv:/etc/fail2ban#
root@deb10srv:/etc/fail2ban# # Regarding the line 'iptables -D f2b-sshd 1' ...
root@deb10srv:/etc/fail2ban# #
root@deb10srv:/etc/fail2ban# #   iptables -D f2b-sshd 1
root@deb10srv:/etc/fail2ban# #            ^^          ^
root@deb10srv:/etc/fail2ban# #            |           `-- rule number within the chain
root@deb10srv:/etc/fail2ban# #            `-- -D instead of -F, which would remove all rules
root@deb10srv:/etc/fail2ban#
root@deb10srv:/etc/fail2ban#
root@deb10srv:/etc/fail2ban#
root@deb10srv:/etc/fail2ban#
root@deb10srv:/etc/fail2ban# ## CAUTION: after this unorthodox removal of the rule with iptables, fail2ban must be restarted:
root@deb10srv:/etc/fail2ban# systemctl restart fail2ban
root@deb10srv:/etc/fail2ban#
root@deb10srv:/etc/fail2ban#
root@deb10srv:/etc/fail2ban# iptables -vnL f2b-sshd --line-numbers
Chain f2b-sshd (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 REJECT all -- * * 192.168.2.233 0.0.0.0/0 reject-with icmp-port-unreachable
2 10 716 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
# Warning: iptables-legacy tables present, use iptables-legacy to see them
root@deb10srv:/etc/fail2ban#
root@deb10srv:/etc/fail2ban#
root@deb10srv:/etc/fail2ban#
root@deb10srv:/etc/fail2ban# fail2ban-client status sshd
Status for the jail: sshd
|- Filter
| |- Currently failed: 0
| |- Total failed: 0
| `- File list: /var/log/auth.log
`- Actions
|- Currently banned: 1
|- Total banned: 1
`- Banned IP list: 192.168.2.233
root@deb10srv:/etc/fail2ban#
root@deb10srv:/etc/fail2ban# fail2ban-client set sshd unbanip 192.168.2.233
192.168.2.233
root@deb10srv:/etc/fail2ban#
root@deb10srv:/etc/fail2ban#
root@deb10srv:~#