
failtoban



Bonjour,

Je suis nouveau sur cette liste, aussi 2 mots de présentation. Je tourne sous testing (etch puis lenny) depuis bientôt 1 an, venant initialement du monde Mandriva puis Gentoo. Par ailleurs je gère une petite vingtaine de PC de relations (enfants, frères et soeur, amis...) via ssh.

Mon PC est connecté via une freebox en mode routeur sur laquelle j'ai redirigé les ports qui vont bien (dont naturellement le port 22). Je n'ai pas (pour l'instant) jugé utile de mettre un autre firewall.

Aussi j'ai été très intéressé par la référence à fail2ban dans la discussion sur "Blacklistage d'ip par ssh".

Donc installation (sans problème) de fail2ban, juste un coup d'oeil à /etc/fail2ban/jail.conf pour accepter les règles par défaut (voir ci-dessous), et... ça ne marche pas. C'est-à-dire qu'après 3 échecs (volontaires) je ne suis pas banni et peux me reconnecter immédiatement.

pourtant :

# /etc/init.d/fail2ban status
* Status of authentication failure monitor
*  fail2ban is running

et

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh,sftp

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-ssh (1 references)
target     prot opt source               destination
RETURN     0    --  anywhere             anywhere

Aurais-je manqué quelque chose ?

Ci-joints mon /etc/fail2ban/jail.conf et mon /var/log/fail2ban.log

Merci

--
Vincent Gay - mailto:vgay@salug-fr.org
"Étant donné l'état actuel de l'agriculture dans le monde, on sait qu'elle pourrait nourrir 12 milliards d'individus sans difficultés. Pour le dire autrement : tout enfant qui meurt actuellement de faim est, en réalité, assassiné."
Jean Ziegler, rapporteur auprès de l'O.N.U. sur le droit à l'alimentation.
(N.B. un enfant de moins de 10 ans meurt de faim toutes les 5 secondes)


# Fail2Ban configuration file.
#
# This file was composed for Debian systems from the original one
#  provided now under /usr/share/doc/fail2ban/examples/jail.conf
#  for additional examples.
#
# To avoid merges during upgrades DO NOT MODIFY THIS FILE
# and rather provide your changes in /etc/fail2ban/jail.local
#
# Author: Yaroslav O. Halchenko <debian@onerussian.com>
#
# $Revision: 281 $
#

# Global settings. Every key in [DEFAULT] can be overridden in an individual
# jail section further down (for example, [ssh] sets its own maxretry).
#
# NOTE(review): this copy has been edited in place (a personal destemail below,
# enabled = true under [ssh]) although the file header asks for such changes to
# go in /etc/fail2ban/jail.local, which avoids merges on package upgrades.

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Addresses
# matching it are excluded from banning. Only loopback is listed, so failures
# arriving from the LAN or from the Internet are counted; deliberate test
# logins made on this host itself (127.0.0.1) presumably are not.
ignoreip = 127.0.0.1
# Seconds an address stays banned.
bantime = 600
# Global failure threshold; a per-jail maxretry takes precedence over it.
maxretry = 3

# "backend" specifies the backend used to get file modifications. Available
# options are "gamin", "polling" and "auto".
# yoh: For some reason Debian shipped python-gamin didn't work as expected
#      This issue left ToDo, so polling is default backend for now
backend = polling

#
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = vgay@salug-fr.org

#
# ACTIONS
#

# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc). It is used to define the
# action_* variables and can be overridden globally or per
# section within the jail.local file.
banaction = iptables-multiport


#
# Action shortcuts, used to define the "action" parameter. Values spanning
# several lines keep their continuation lines indented (configparser syntax).

# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s"]

# ban & send an e-mail with whois report to the destemail.
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s"]
              mail-whois[name=%(__name__)s, dest="%(destemail)s"]

# ban & send an e-mail with whois report and relevant log lines
# to the destemail.
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s"]
               mail-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s]

# Choose the default action. To change it, override 'action' with the
# interpolation of the chosen shortcut (e.g. action_mw, action_mwl, etc.) in
# jail.local, either globally (section [DEFAULT]) or per specific section.
action = %(action_)s
#
# JAILS
#

# The following jails correspond to the standard configuration of Fail2ban 0.6
# as shipped in Debian. Please enable any jail defined here by including
#
# [SECTION_NAME] 
# enabled = true
#
# in /etc/fail2ban/jail.local.
#
# Optionally you may override any other parameter (e.g. banaction,
# action, port, logpath, etc) in that section within jail.local

[ssh]

# Enabled directly in jail.conf; the header of this file asks for that to be
# done in /etc/fail2ban/jail.local instead.
enabled = true
filter = sshd
port = ssh,sftp
logpath = /var/log/auth.log
# NOTE(review): this per-jail value overrides maxretry = 3 from [DEFAULT], so
# the ssh jail bans only after 6 matched failures; the attached fail2ban.log
# confirms "Set maxRetry = 6" and "Set findtime = 600", i.e. those failures
# must fall within the same 600 s window. Three deliberate failures are not
# expected to produce a ban here, which is consistent with the iptables output
# above (chain fail2ban-ssh holds only its RETURN rule) and with the log, which
# contains no Ban entry. To lower the threshold, set maxretry for [ssh] in
# jail.local rather than editing this file.
maxretry = 6


[ssh-ddos]

# Disabled; reads the same log and guards the same ports as [ssh], but with
# the sshd-ddos filter.
enabled = false
filter = sshd-ddos
port = ssh,sftp
logpath = /var/log/auth.log
# Overrides the [DEFAULT] maxretry of 3.
maxretry = 6

#
# HTTP servers
#

[apache]

# Disabled; apache-auth filter over the access logs (glob pattern).
enabled = false
filter = apache-auth
port = http,https
logpath = /var/log/apache*/*access.log
# Overrides the [DEFAULT] maxretry of 3.
maxretry = 6

# The default action is now multiport, so the apache-multiport jail is kept
# only for compatibility with releases before 0.7.6-2.
[apache-multiport]

# Disabled; identical to [apache] apart from the section name.
enabled = false
filter = apache-auth
port = http,https
logpath = /var/log/apache*/*access.log
maxretry = 6

[apache-noscript]

# Disabled; apache-noscript filter over the error logs (glob pattern).
enabled = false
filter = apache-noscript
port = http,https
logpath = /var/log/apache*/*error.log
# Overrides the [DEFAULT] maxretry of 3.
maxretry = 6

#
# FTP servers
#

[vsftpd]

# Disabled.
enabled = false
filter = vsftpd
port = ftp,ftp-data,ftps,ftps-data
# Alternatively override logpath in jail.local to /var/log/auth.log if you
# want to rely on PAM failed-login records; vsftpd's failregex should match
# both formats.
logpath = /var/log/vsftpd.log
# Overrides the [DEFAULT] maxretry of 3.
maxretry = 6


[proftpd]

# Disabled; proftpd filter over proftpd's own log.
enabled = false
filter = proftpd
port = ftp,ftp-data,ftps,ftps-data
logpath = /var/log/proftpd/proftpd.log
# Overrides the [DEFAULT] maxretry of 3.
maxretry = 6


[wuftpd]

# Disabled; wuftpd filter over auth.log.
enabled = false
filter = wuftpd
port = ftp,ftp-data,ftps,ftps-data
logpath = /var/log/auth.log
# Overrides the [DEFAULT] maxretry of 3.
maxretry = 6


#
# Mail servers
#

[postfix]

# Disabled. No maxretry is set here, so the [DEFAULT] value (3) applies.
enabled = false
filter = postfix
port = smtp,ssmtp
logpath = /var/log/mail.log


[couriersmtp]

# Disabled. No maxretry is set here, so the [DEFAULT] value (3) applies.
enabled = false
filter = couriersmtp
port = smtp,ssmtp
logpath = /var/log/mail.log


#
# Mail servers authenticators: might be used for smtp,ftp,imap servers, so
# all relevant ports get banned
#

[courierauth]

# Disabled. Covers the SMTP, IMAP and POP3 ports at once; no maxretry is set
# here, so the [DEFAULT] value (3) applies.
enabled = false
filter = courierlogin
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
logpath = /var/log/mail.log


[sasl]

# Disabled. Same port set as [courierauth]; no maxretry is set here, so the
# [DEFAULT] value (3) applies.
enabled = false
filter = sasl
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
logpath = /var/log/mail.log
2007-06-06 07:20:21,440 fail2ban.jail   : INFO   Using poller
2007-06-06 07:20:21,460 fail2ban.filter : INFO   Created Filter
2007-06-06 07:20:21,461 fail2ban.filter : INFO   Created FilterPoll
2007-06-06 07:20:21,463 fail2ban.filter : INFO   Added logfile = /var/log/auth.log
2007-06-06 07:20:21,465 fail2ban.filter : INFO   Set maxRetry = 6
2007-06-06 07:20:21,469 fail2ban.filter : INFO   Set findtime = 600
2007-06-06 07:20:21,470 fail2ban.actions: INFO   Set banTime = 600
2007-06-06 07:20:21,491 fail2ban.actions.action: INFO   Set actionBan = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
2007-06-06 07:20:21,493 fail2ban.actions.action: INFO   Set actionStop = iptables -D INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
iptables -F fail2ban-<name>
iptables -X fail2ban-<name>
2007-06-06 07:20:21,496 fail2ban.actions.action: INFO   Set actionStart = iptables -N fail2ban-<name>
iptables -A fail2ban-<name> -j RETURN
iptables -I INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
2007-06-06 07:20:21,498 fail2ban.actions.action: INFO   Set actionUnban = iptables -D fail2ban-<name> -s <ip> -j DROP
2007-06-06 07:20:21,500 fail2ban.actions.action: INFO   Set actionCheck = iptables -n -L INPUT | grep -q fail2ban-<name>
2007-06-06 07:24:49,093 fail2ban.server : INFO   Exiting Fail2ban
2007-06-06 07:24:50,696 fail2ban.jail   : INFO   Using poller
2007-06-06 07:24:50,715 fail2ban.filter : INFO   Created Filter
2007-06-06 07:24:50,715 fail2ban.filter : INFO   Created FilterPoll
2007-06-06 07:24:50,717 fail2ban.filter : INFO   Added logfile = /var/log/auth.log
2007-06-06 07:24:50,719 fail2ban.filter : INFO   Set maxRetry = 6
2007-06-06 07:24:50,723 fail2ban.filter : INFO   Set findtime = 600
2007-06-06 07:24:50,725 fail2ban.actions: INFO   Set banTime = 600
2007-06-06 07:24:50,744 fail2ban.actions.action: INFO   Set actionBan = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
2007-06-06 07:24:50,746 fail2ban.actions.action: INFO   Set actionStop = iptables -D INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
iptables -F fail2ban-<name>
iptables -X fail2ban-<name>
2007-06-06 07:24:50,749 fail2ban.actions.action: INFO   Set actionStart = iptables -N fail2ban-<name>
iptables -A fail2ban-<name> -j RETURN
iptables -I INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
2007-06-06 07:24:50,751 fail2ban.actions.action: INFO   Set actionUnban = iptables -D fail2ban-<name> -s <ip> -j DROP
2007-06-06 07:24:50,753 fail2ban.actions.action: INFO   Set actionCheck = iptables -n -L INPUT | grep -q fail2ban-<name>
