Hello

I am testing fail2ban from the internal network on my server. It does see the errors:

Code:
[root@089156242052][~]# grep Failed /var/log/auth.log | grep 192.168.Y.XXX
Jan 23 15:13:22 netjuke sshd[15001]: Failed password for troumad from 192.168.Y.XXX port 62771 ssh2
Jan 23 15:13:36 netjuke sshd[15004]: Failed password for troumad from 192.168.Y.XXX port 62772 ssh2
Jan 23 15:14:46 netjuke sshd[15011]: Failed password for troumad from 192.168.Y.XXX port 62779 ssh2
Jan 23 15:14:56 netjuke sshd[15013]: Failed password for troumad from 192.168.Y.XXX port 62780 ssh2
Jan 23 16:03:06 netjuke sshd[15711]: Failed password for troumad from 192.168.Y.XXX port 60776 ssh2
Jan 23 16:03:32 netjuke sshd[15714]: Failed password for troumad from 192.168.Y.XXX port 60777 ssh2
Jan 23 16:03:41 netjuke sshd[15717]: Failed password for troumad from 192.168.Y.XXX port 60778 ssh2
Jan 23 16:03:52 netjuke sshd[15720]: Failed password for troumad from 192.168.Y.XXX port 60779 ssh2
Jan 23 16:51:32 netjuke sshd[16038]: Failed password for troumad from 192.168.Y.XXX port 60977 ssh2
Jan 23 16:51:40 netjuke sshd[16040]: Failed password for troumad from 192.168.Y.XXX port 60978 ssh2
Jan 23 16:51:47 netjuke sshd[16042]: Failed password for troumad from 192.168.Y.XXX port 60979 ssh2
Jan 23 16:51:56 netjuke sshd[16045]: Failed password for troumad from 192.168.Y.XXX port 60980 ssh2
Jan 23 16:52:09 netjuke sshd[16047]: Failed password for troumad from 192.168.Y.XXX port 60981 ssh2
Jan 23 16:53:20 netjuke sshd[16156]: Failed password for troumad from 192.168.Y.XXX port 60984 ssh2
Jan 23 16:53:32 netjuke sshd[16159]: Failed password for troumad from 192.168.Y.XXX port 60985 ssh2

It seems to me that I have configured /etc/fail2ban/jail.conf normally for ssh:

Code:
[DEFAULT]
ignoreip = 127.0.0.1
# Ban for bantime seconds an IP that makes maxretry errors within findtime seconds
bantime = 600
findtime = 600
maxretry = 3
backend = auto

[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=2244, protocol=tcp]
         mail-whois[name=SSH, dest=bernard@troumad.org]
#logpath = /var/log/sshd.log
logpath = /var/log/auth.log
maxretry = 5

And nothing happens... No blocking at all... The fail2ban log file gives:

Code:
2008-01-23 15:22:13,384 fail2ban.actions.action: INFO Set actionUnban =
2008-01-23 15:22:13,386 fail2ban.actions.action: INFO Set actionCheck =
2008-01-23 15:25:00,431 fail2ban.server : INFO Exiting Fail2ban
2008-01-23 15:25:03,049 fail2ban.jail : INFO Using poller
2008-01-23 15:25:03,059 fail2ban.filter : INFO Created Filter
2008-01-23 15:25:03,059 fail2ban.filter : INFO Created FilterPoll
2008-01-23 15:25:03,061 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2008-01-23 15:25:03,063 fail2ban.filter : INFO Set maxRetry = 5
2008-01-23 15:25:03,065 fail2ban.filter : INFO Set findtime = 600
2008-01-23 15:25:03,067 fail2ban.actions: INFO Set banTime = 600
2008-01-23 15:25:03,080 fail2ban.actions.action: INFO Set actionBan = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
2008-01-23 15:25:03,082 fail2ban.actions.action: INFO Set actionStop = iptables -D INPUT -p <protocol> --dport <port> -j fail2ban-<name>
iptables -F fail2ban-<name>
iptables -X fail2ban-<name>
2008-01-23 15:25:03,083 fail2ban.actions.action: INFO Set actionStart = iptables -N fail2ban-<name>
iptables -A fail2ban-<name> -j RETURN
iptables -I INPUT -p <protocol> --dport <port> -j fail2ban-<name>
2008-01-23 15:25:03,085 fail2ban.actions.action: INFO Set actionUnban = iptables -D fail2ban-<name> -s <ip> -j DROP
2008-01-23 15:25:03,087 fail2ban.actions.action: INFO Set actionCheck = iptables -n -L INPUT | grep -q fail2ban-<name>
2008-01-23 15:25:03,093 fail2ban.actions.action: INFO Set actionBan = echo -en "Hi,\n The IP <ip> has just been banned by Fail2Ban after <failures> attempts against <name>.\n\n Here are more information about <ip>:\n `whois <ip>`\n Regards,\n Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip>" <dest>
2008-01-23 15:25:03,095 fail2ban.actions.action: INFO Set actionStop = echo -en "Hi,\n The jail <name> has been stopped.\n Regards,\n Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped" <dest>
2008-01-23 15:25:03,096 fail2ban.actions.action: INFO Set actionStart = echo -en "Hi,\n The jail <name> has been started successfuly.\n Regards,\n Fail2Ban"|mail -s "[Fail2Ban] <name>: started" <dest>
2008-01-23 15:25:03,098 fail2ban.actions.action: INFO Set actionUnban =
2008-01-23 15:25:03,099 fail2ban.actions.action: INFO Set actionCheck =
2008-01-23 16:06:35,557 fail2ban.server : INFO Exiting Fail2ban

I am surprised by the tags between <>. I would have expected to find the exact values there!
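As an added illustration (not part of the post, and not fail2ban's own code), the script below replays the failure timestamps from the auth.log above through fail2ban's counting rule, so you can see which bursts would reach the jail's threshold: the fail2ban log confirms the jail runs with maxRetry = 5 (the [ssh-iptables] value overrides the [DEFAULT] value of 3), and with findtime = 600 only a burst of at least five failures within ten minutes bans. The log lines are constructed from the post's timestamps with a placeholder client address (192.0.2.10); the regex is an assumption modelled on the "Failed password" lines shown, not fail2ban's actual sshd filter.

```python
import re
from datetime import datetime, timedelta

# Assumed pattern for the "Failed password" lines seen in auth.log (same shape as fail2ban's sshd filter).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+ ssh2$"
)

# Constructed sample: the 15 failure times from the post, with a placeholder client address.
TIMES = ["15:13:22", "15:13:36", "15:14:46", "15:14:56",
         "16:03:06", "16:03:32", "16:03:41", "16:03:52",
         "16:51:32", "16:51:40", "16:51:47", "16:51:56", "16:52:09", "16:53:20", "16:53:32"]
AUTH_LOG = "\n".join(
    f"Jan 23 {t} netjuke sshd[{15000 + i}]: Failed password for troumad from 192.0.2.10 port {60000 + i} ssh2"
    for i, t in enumerate(TIMES))


def parse_failures(text, year=2008):
    """Return (timestamp, ip) for each matching line; syslog carries no year, so one is supplied."""
    found = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            found.append((datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["ip"]))
    return found


def simulate_bans(failures, maxretry, findtime=600, bantime=600):
    """fail2ban's rule: ban an IP once it has maxretry failures within findtime seconds.
    Returns [(ban_time, ip)]. Failures from an IP that is still banned are not counted,
    since the firewall would be dropping its packets at that point."""
    recent, banned_until, bans = {}, {}, []
    for ts, ip in sorted(failures):
        if ts < banned_until.get(ip, datetime.min):
            continue
        hist = [t for t in recent.get(ip, []) if ts - t <= timedelta(seconds=findtime)]
        hist.append(ts)
        recent[ip] = hist
        if len(hist) >= maxretry:
            bans.append((ts, ip))
            banned_until[ip] = ts + timedelta(seconds=bantime)
            recent[ip] = []
    return bans


if __name__ == "__main__":
    events = parse_failures(AUTH_LOG)
    for maxretry in (3, 5):  # 3 is the [DEFAULT] value, 5 is what the ssh jail overrides it with
        print(f"maxretry={maxretry}:", [t.strftime("%H:%M:%S") for t, _ in simulate_bans(events, maxretry)])
```

With maxretry = 5 only the 16:51 burst trips the jail (at 16:52:09); the 15:13 and 16:03 bursts are four failures each and never reach the threshold, and the fail2ban log shows the server exiting at 16:06:35, before the one burst that would have banned.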