failtoban
Bonjour,
Je suis nouveau sur cette liste aussi 2 mots de présentation. Je tourne
sous testing (etch puis lenny) depuis bientôt 1 an, venant initialement
du monde Mandriva puis Gentoo. Par ailleurs je gère un petite vingtaine
de PC de relations (enfants, frères et soeur, amis...) via ssh.
Mon PC est connecté via une freebox en mode routeur sur lequel j'ai
redirigé les ports qui vont bien (dont naturellement le port 22). Je
n'ai pas (pour l'instant) jugé utile de mettre un autre firewall.
Aussi j'ai été très intéressé de la référence à fail2ban dans la
discussion sur "Blacklistage d'ip par ssh".
Donc installation (sans problème) de fail2ban, juste un coup d'oeil à
/etc/fail2ban/jail.conf pour accepter les règles par défaut (voir
ci-dessous), et... ça ne marche pas. C'est-à-dire qu'après 3 échecs
(volontaires) je ne suis pas banni et peux me reconnecter immédiatement,
pourtant :
# /etc/init.d/fail2ban status
* Status of authentication failure
monitor
* fail2ban is running
et
# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
fail2ban-ssh tcp -- anywhere anywhere
multiport dports ssh,sftp
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain fail2ban-ssh (1 references)
target prot opt source destination
RETURN 0 -- anywhere anywhere
Aurais-je manqué quelque chose ?
Ci-joints mon /etc/fail2ban/jail.conf et mon /var/log/fail2ban.log
Merci
--
Vincent Gay - mailto:vgay@salug-fr.org
"Étant donné l'état actuel de l'agriculture dans le monde, on sait
qu'elle pourrait nourrir 12 milliards d'individus sans difficultés. Pour
le dire autrement : tout enfant qui meurt actuellement de faim est, en
réalité, assassiné."
Jean Ziegler, rapporteur auprès de l'O.N.U. sur le droit à l'alimentation.
(N.B. un enfant de moins de 10 ans meurt de faim toutes les 5 secondes)
# Fail2Ban configuration file.
#
# This file was composed for Debian systems from the original one
# provided now under /usr/share/doc/fail2ban/examples/jail.conf
# for additional examples.
#
# To avoid merges during upgrades DO NOT MODIFY THIS FILE
# and rather provide your changes in /etc/fail2ban/jail.local
#
# Author: Yaroslav O. Halchenko <debian@onerussian.com>
#
# $Revision: 281 $
#
# The DEFAULT section allows a global definition of the options. They can be overridden
# in each jail afterwards.
[DEFAULT]
# Every key set here is inherited by each jail below unless the jail sets the
# same key itself; a per-jail value always wins over the DEFAULT value.
# "ignoreip" can be an IP address, a CIDR mask or a DNS host
# Hosts listed here are never banned, so keep it to loopback and trusted
# administrative addresses only.
ignoreip = 127.0.0.1
# Length of a ban, in seconds.
bantime = 600
# Number of failures before a ban. Note that [ssh] below overrides this with
# maxretry = 6, so 3 is NOT what the only enabled jail actually uses.
maxretry = 3
# "findtime" (the window inside which "maxretry" failures must occur) is not
# set in this file; fail2ban's own log reports "Set findtime = 600" for the
# ssh jail, i.e. the built-in default is in effect.
# "backend" specifies the backend used to get file modifications. Available
# options are "gamin", "polling" and "auto".
# yoh: For some reason Debian shipped python-gamin didn't work as expected
# This issue left ToDo, so polling is default backend for now
backend = polling
#
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
# Site-specific value edited directly into jail.conf; the file header asks for
# such changes to go into jail.local so they survive package upgrades.
destemail = vgay@salug-fr.org
#
# ACTIONS
#
# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define
# action_* variables. Can be overridden globally or per
# section within jail.local file
# With iptables-multiport the ban is a DROP rule inserted into the
# fail2ban-<name> chain hooked from INPUT (see actionStart/actionBan in the
# fail2ban log); an empty chain holding only RETURN means no ban has fired.
banaction = iptables-multiport
#
# Action shortcuts. To be used to define action parameter
# The %(...)s references are configparser interpolation: __name__ resolves to
# the jail's section name, port/logpath/destemail to the jail or DEFAULT value.
# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s"]
# ban & send an e-mail with whois report to the destemail.
# NOTE(review): the second line of this value must be indented so configparser
# treats it as a continuation of "action_mw"; it appears at column 0 in this
# copy -- confirm the indentation survived in the real file.
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s"]
mail-whois[name=%(__name__)s, dest="%(destemail)s"]
# ban & send an e-mail with whois report and relevant log lines
# to the destemail.
# NOTE(review): same continuation-line indentation caveat as for action_mw.
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s"]
mail-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s]
# Choose default action. To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
# Ban only: no e-mail notification is sent with this default.
action = %(action_)s
#
# JAILS
#
# The jails below correspond to the standard configuration in Fail2ban 0.6 which
# was shipped in Debian. Please enable any jail defined here by including
#
# [SECTION_NAME]
# enabled = true
#
# in /etc/fail2ban/jail.local.
#
# Optionally you may override any other parameter (e.g. banaction,
# action, port, logpath, etc) in that section within jail.local
[ssh]
# The only jail enabled in this file. "enabled = true" was set directly in
# jail.conf; the file header asks for such overrides to live in jail.local.
enabled = true
# Service names handed to the banaction's "multiport --dports" rule.
port = ssh,sftp
filter = sshd
# The sshd filter's regexes must match the lines sshd writes to this file;
# the fail2ban log confirms it was picked up ("Added logfile = /var/log/auth.log").
logpath = /var/log/auth.log
# Overrides "maxretry = 3" from [DEFAULT]: six failures within findtime
# (600 s, per the fail2ban log) are needed before a ban, so three failed
# logins are expected to go unbanned with this setting. To ban after three,
# set maxretry = 3 in the [ssh] section of jail.local rather than here.
maxretry = 6
[ssh-ddos]
# Disabled. Companion to [ssh]: same ports and log, different filter.
enabled = false
port = ssh,sftp
filter = sshd-ddos
logpath = /var/log/auth.log
# Overrides the [DEFAULT] maxretry of 3.
maxretry = 6
#
# HTTP servers
#
[apache]
# Disabled. Authentication failures logged by Apache.
enabled = false
port = http,https
filter = apache-auth
# Glob pattern: every matching access log is monitored.
logpath = /var/log/apache*/*access.log
# Overrides the [DEFAULT] maxretry of 3.
maxretry = 6
# default action is now multiport, so apache-multiport jail was left
# for compatibility with previous (<0.7.6-2) releases
[apache-multiport]
# Disabled. Identical to [apache]; kept only for compatibility (see above).
enabled = false
port = http,https
filter = apache-auth
logpath = /var/log/apache*/*access.log
# Overrides the [DEFAULT] maxretry of 3.
maxretry = 6
[apache-noscript]
# Disabled. Watches the Apache error logs with the apache-noscript filter.
enabled = false
port = http,https
filter = apache-noscript
# Glob pattern: every matching error log is monitored.
logpath = /var/log/apache*/*error.log
# Overrides the [DEFAULT] maxretry of 3.
maxretry = 6
#
# FTP servers
#
[vsftpd]
# Disabled. vsftpd logins; bans cover the control and data ports.
enabled = false
port = ftp,ftp-data,ftps,ftps-data
filter = vsftpd
logpath = /var/log/vsftpd.log
# or overwrite it in jails.local to be
# logpath = /var/log/auth.log
# if you want to rely on PAM failed login attempts
# vsftpd's failregex should match both of those formats
# Overrides the [DEFAULT] maxretry of 3.
maxretry = 6
[proftpd]
# Disabled. proftpd logins; bans cover the control and data ports.
enabled = false
port = ftp,ftp-data,ftps,ftps-data
filter = proftpd
logpath = /var/log/proftpd/proftpd.log
# Overrides the [DEFAULT] maxretry of 3.
maxretry = 6
[wuftpd]
# Disabled. wu-ftpd logins, read from auth.log like the ssh jails.
enabled = false
port = ftp,ftp-data,ftps,ftps-data
filter = wuftpd
logpath = /var/log/auth.log
# Overrides the [DEFAULT] maxretry of 3.
maxretry = 6
#
# Mail servers
#
[postfix]
# Disabled. No maxretry here, so the [DEFAULT] value (3) applies.
enabled = false
port = smtp,ssmtp
filter = postfix
logpath = /var/log/mail.log
[couriersmtp]
# Disabled. No maxretry here, so the [DEFAULT] value (3) applies.
enabled = false
port = smtp,ssmtp
filter = couriersmtp
logpath = /var/log/mail.log
#
# Mail servers authenticators: might be used for smtp,ftp,imap servers, so
# all relevant ports get banned
#
[courierauth]
# Disabled. No maxretry here, so the [DEFAULT] value (3) applies.
enabled = false
# All mail-related ports are banned together, since the same credentials
# are accepted on each of them.
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter = courierlogin
logpath = /var/log/mail.log
[sasl]
# Disabled. No maxretry here, so the [DEFAULT] value (3) applies.
enabled = false
# Same port set as [courierauth]: one SASL failure bans every mail service.
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter = sasl
logpath = /var/log/mail.log
2007-06-06 07:20:21,440 fail2ban.jail : INFO Using poller
2007-06-06 07:20:21,460 fail2ban.filter : INFO Created Filter
2007-06-06 07:20:21,461 fail2ban.filter : INFO Created FilterPoll
2007-06-06 07:20:21,463 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2007-06-06 07:20:21,465 fail2ban.filter : INFO Set maxRetry = 6
2007-06-06 07:20:21,469 fail2ban.filter : INFO Set findtime = 600
2007-06-06 07:20:21,470 fail2ban.actions: INFO Set banTime = 600
2007-06-06 07:20:21,491 fail2ban.actions.action: INFO Set actionBan = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
2007-06-06 07:20:21,493 fail2ban.actions.action: INFO Set actionStop = iptables -D INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
iptables -F fail2ban-<name>
iptables -X fail2ban-<name>
2007-06-06 07:20:21,496 fail2ban.actions.action: INFO Set actionStart = iptables -N fail2ban-<name>
iptables -A fail2ban-<name> -j RETURN
iptables -I INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
2007-06-06 07:20:21,498 fail2ban.actions.action: INFO Set actionUnban = iptables -D fail2ban-<name> -s <ip> -j DROP
2007-06-06 07:20:21,500 fail2ban.actions.action: INFO Set actionCheck = iptables -n -L INPUT | grep -q fail2ban-<name>
2007-06-06 07:24:49,093 fail2ban.server : INFO Exiting Fail2ban
2007-06-06 07:24:50,696 fail2ban.jail : INFO Using poller
2007-06-06 07:24:50,715 fail2ban.filter : INFO Created Filter
2007-06-06 07:24:50,715 fail2ban.filter : INFO Created FilterPoll
2007-06-06 07:24:50,717 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2007-06-06 07:24:50,719 fail2ban.filter : INFO Set maxRetry = 6
2007-06-06 07:24:50,723 fail2ban.filter : INFO Set findtime = 600
2007-06-06 07:24:50,725 fail2ban.actions: INFO Set banTime = 600
2007-06-06 07:24:50,744 fail2ban.actions.action: INFO Set actionBan = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
2007-06-06 07:24:50,746 fail2ban.actions.action: INFO Set actionStop = iptables -D INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
iptables -F fail2ban-<name>
iptables -X fail2ban-<name>
2007-06-06 07:24:50,749 fail2ban.actions.action: INFO Set actionStart = iptables -N fail2ban-<name>
iptables -A fail2ban-<name> -j RETURN
iptables -I INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
2007-06-06 07:24:50,751 fail2ban.actions.action: INFO Set actionUnban = iptables -D fail2ban-<name> -s <ip> -j DROP
2007-06-06 07:24:50,753 fail2ban.actions.action: INFO Set actionCheck = iptables -n -L INPUT | grep -q fail2ban-<name>