fail2ban not banning ssh bruteforce, but regex is valid

I just noticed an ssh bruteforce on my server that should actually have been banned by fail2ban, but for some reason it does not ban it. Most people who have problems with fail2ban seem to have problems with their regex, which seems fine here.

Part of jail.conf

[ssh]
enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 6
findtime = 6000
bantime = 86400
fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf

Running tests
=============

Use regex file : /etc/fail2ban/filter.d/sshd.conf
Use log file   : /var/log/auth.log


Results
=======

Failregex
|- Regular expressions:
|  [1] ^\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S
+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$
|  [2] ^\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S
+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
|  [3] ^\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S
+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*Failed (?:password|publickey) for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$
|  [4] ^\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S
+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*ROOT LOGIN REFUSED.* FROM <HOST>\s*$
|  [5] ^\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S
+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*[iI](?:llegal|nvalid) user .* from <HOST>\s*$
|  [6] ^\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S
+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*User .+ from <HOST> not allowed because not listed in AllowUsers$
|  [7] ^\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S
+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*authentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
|  [8] ^\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S
+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*refused connect from \S+ \(<HOST>\)\s*$
|  [9] ^\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S
+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*Address <HOST> .* POSSIBLE BREAK-IN ATTEMPT!*\s*$
|  [10] ^\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\
S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*User .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$
|
`- Number of matches:
   [1] 0 match(es)
   [2] 0 match(es)
   [3] 380 match(es)
   [4] 0 match(es)
   [5] 353 match(es)
   [6] 26 match(es)
   [7] 0 match(es)
   [8] 0 match(es)
   [9] 0 match(es)
   [10] 0 match(es)

Ignoreregex
|- Regular expressions:
|
`- Number of matches:

Summary
=======

Addresses found:
[1]
[2]
[3]
    198.245.50.151 (Sat Dec 21 15:18:12 2013)
    198.245.50.151 (Sat Dec 21 15:18:15 2013)
    198.245.50.151 (Sat Dec 21 15:18:18 2013)
    198.245.50.151 (Sat Dec 21 15:18:21 2013)
    198.245.50.151 (Sat Dec 21 15:18:24 2013)
..................
Date template hits:
23379 hit(s): MONTH Day Hour:Minute:Second
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
..................

Success, the total number of match is 759
fail2ban-client status ssh

Status for the jail: ssh
|- filter
|  |- File list:    /var/log/auth.log 
|  |- Currently failed: 0
|  `- Total failed: 0
`- action
   |- Currently banned: 0
   |  `- IP list:   
   `- Total banned: 0
Any ideas why fail2ban is not banning, even though I have lots of regex matches?

Regards,
fish

When I have run into this (on a Debian box), it was usually related to tzdata and a wrong time. If the regexp is valid (and it is), the only thing that can keep fail2ban from triggering is a wrong date/time. Try installing ntp and keeping the date in sync.
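To illustrate the tzdata answer above, here is an added example (written for this page, not code from the question or from fail2ban) that models how fail2ban 0.8 counts failures against findtime/maxretry, running the page's failregex [3] over constructed auth.log lines: a failure whose syslog timestamp looks older than findtime is silently dropped, so a clock or timezone mismatch between syslog and fail2ban gives exactly the symptom in the question. The `\S+` host pattern, the sample IPs and the three-hour skew are assumptions made for the demonstration.

```python
import re
from datetime import datetime, timedelta

# Failregex [3] from the sshd.conf output above, reduced to the plain
# "sshd[pid]:" syslog prefix; <HOST> is approximated as \S+ (assumption).
FAILED_PW = re.compile(
    r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed (?:password|publickey) for .* from (?P<host>\S+)"
    r"(?: port \d*)?(?: ssh\d*)?$"
)

# Constructed /var/log/auth.log sample (not the asker's real log).
SAMPLE_LOG = """\
Dec 21 15:18:12 srv sshd[2611]: Failed password for invalid user admin from 203.0.113.7 port 51200 ssh2
Dec 21 15:18:15 srv sshd[2613]: Failed password for invalid user admin from 203.0.113.7 port 51201 ssh2
Dec 21 15:18:18 srv sshd[2615]: Failed password for root from 203.0.113.7 port 51202 ssh2
Dec 21 15:18:21 srv sshd[2617]: Failed password for root from 203.0.113.7 port 51203 ssh2
Dec 21 15:18:24 srv sshd[2619]: Failed password for root from 203.0.113.7 port 51204 ssh2
Dec 21 15:18:27 srv sshd[2621]: Failed password for root from 203.0.113.7 port 51205 ssh2
Dec 21 15:19:00 srv sshd[2630]: Accepted publickey for ops from 198.51.100.9 port 40000 ssh2
"""

def parse_syslog_ts(ts, year):
    # "MONTH Day Hour:Minute:Second" carries no year; fail2ban assumes the current one.
    return datetime.strptime(f"{ts} {year}", "%b %d %H:%M:%S %Y")

def hosts_to_ban(log_text, now, findtime, maxretry, log_offset=timedelta(0)):
    """Simplified fail2ban 0.8 counting: a failure counts only if its timestamp
    lies within findtime seconds before now. log_offset models a syslog clock
    that disagrees with fail2ban's own clock (e.g. wrong tzdata)."""
    window = timedelta(seconds=findtime)
    failures = {}
    for line in log_text.splitlines():
        m = FAILED_PW.match(line)
        if not m:
            continue
        t = parse_syslog_ts(m["ts"], now.year) + log_offset
        if now - t > window:  # looks too old: dropped, never counted
            continue
        failures.setdefault(m["host"], []).append(t)
    return sorted(h for h, ts in failures.items() if len(ts) >= maxretry)

def demo(now=datetime(2013, 12, 21, 15, 20, 0)):
    # Same log and jail settings (maxretry = 6, findtime = 6000); only the clock differs.
    in_sync = hosts_to_ban(SAMPLE_LOG, now, 6000, 6)
    skewed = hosts_to_ban(SAMPLE_LOG, now, 6000, 6, log_offset=timedelta(hours=-3))
    return in_sync, skewed

if __name__ == "__main__":
    print(demo())  # (['203.0.113.7'], [])
```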

I had similar behaviour on an Ubuntu box (13.04). Fail2ban failed to notice changes in the /var/log/auth.log file. Changing the
backend
value in the jail.conf file did not change anything.


I ended up installing the latest version of Fail2ban using the backport version provided by NeuroDebian, as described on the Fail2ban website.

Fail2ban not banning while the regexp matches a lot? Most likely your jail is missing a ban action. You have two alternatives:

Alternative 1) In your jail [ssh] include

[ssh]
enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
action = %(action_mwl)s # <<== THIS IS FOR BANNING
maxretry = 6
findtime = 6000
bantime = 86400
By the way, at the top of jail.conf I can read the recommendation to use jail.local instead of jail.conf. Following their instructions may help:

# To avoid merges during upgrades DO NOT MODIFY THIS FILE
# and rather provide your changes in /etc/fail2ban/jail.local

OK, this is not a formal solution, but it does work:

It worked fine for 3 months, until fail2ban was upgraded and stopped banning. I can tell you how much effort I put into solving this; in the end this was the only thing that worked.

This should work

 sudo service fail2ban stop
 sudo service fail2ban start
This does not work

sudo service fail2ban restart
Important: test with another device (a 3G unit) and deliberately failed ssh logins to verify that fail2ban is working properly. If not, stop/start the service again. Sometimes some jails do not load correctly. Never trust

Additional notes:

  • Using jail.local
  • 4 jails enabled: ssh, dovecot, apache and wootwoot
  • All jails worked like a charm for months without any problems
  • Ubuntu Server 14.04
  • fail2ban 0.9

Sometimes this is because of a __bsd_syslog_verbose error. fail2ban expects /var/log/auth.log to start with YYYY.MM.DD (i.e. 2014.10.15), but the log reads MMM DD (i.e. Oct 15).

To fix this you need to do the following:

cp /etc/fail2ban/filter.d/common.conf /etc/fail2ban/filter.d/common.local

Edit common.local and set:

__bsd_syslog_verbose = (<[^.]+ [^.]+>)
      

I tried all the solutions here, then searched Google again and found the answer:

Running
sudo dpkg-reconfigure tzdata

sudo service rsyslog restart