
Fail2ban: no access blocking and no logs



Hello,

I have Debian 6.0.5 "squeeze" on a Seagate Freeagent Dockstar.
fail2ban is installed and starts normally, but writes nothing to /var/log/fail2ban.log.

_______________________________________________
An SSH jail is enabled:

root@debian:~# fail2ban-client -d

WARNING 'findtime' not defined in 'ssh'. Using default value
['set', 'loglevel', 3]
['set', 'logtarget', '/var/log/fail2ban.log']
['add', 'ssh', 'polling']
['set', 'ssh', 'addlogpath', '/var/log/auth.log']
...
['set', 'ssh', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*Failed (?:password|publickey) for .* from <HOST>(?: port \\d*)?(?: ssh\\d*)?$']
...
['set', 'ssh', 'addaction', 'iptables-multiport']
['set', 'ssh', 'actionban', 'iptables-multiport', 'iptables -I fail2ban-<name> 1 -s <ip> -j DROP']
...
['set', 'ssh', 'setcinfo', 'iptables-multiport', 'name', 'ssh']
['set', 'ssh', 'setcinfo', 'iptables-multiport', 'port', 'ssh']
['start', 'ssh']

________________________________________________

The log entries read from /var/log/auth.log are parsed correctly:

root@debian:~# fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf

/usr/share/fail2ban/server/filter.py:442: DeprecationWarning: the md5 module is deprecated; use hashlib instead
  import md5
...2013-02-19 11:03:31,253 fail2ban.server : INFO   Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.4-SVN
2013-02-19 11:03:31,274 fail2ban.jail   : INFO   Creating new jail 'ssh'
2013-02-19 11:03:31,275 fail2ban.jail   : INFO   Jail 'ssh' uses poller
2013-02-19 11:03:31,303 fail2ban.filter : INFO   Added logfile = /var/log/auth.log
2013-02-19 11:03:31,309 fail2ban.filter : INFO   Set maxRetry = 6
2013-02-19 11:03:31,320 fail2ban.filter : INFO   Set findtime = 600
2013-02-19 11:03:31,325 fail2ban.actions: INFO   Set banTime = 600
2013-02-19 11:03:31,655 fail2ban.jail   : INFO   Jail 'ssh' started

Running tests
Use regex file : /etc/fail2ban/filter.d/sshd.conf
Use log file   : /var/log/auth.log
...
    118.192.2.50 (Tue Feb 19 05:28:49 2013)
    118.192.2.50 (Tue Feb 19 05:28:53 2013)
    118.192.2.50 (Tue Feb 19 05:28:58 2013)
...
Success, the total number of match is 691

_______________________________________________

Here is the content of /var/log/fail2ban.log when I restart:

2013-02-19 12:41:22,203 fail2ban.jail   : INFO   Jail 'ssh' stopped
2013-02-19 12:41:22,274 fail2ban.server : INFO   Exiting Fail2ban
2013-02-19 12:41:24,634 fail2ban.server : INFO   Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.4-SVN
2013-02-19 12:41:24,640 fail2ban.jail   : INFO   Creating new jail 'ssh'
2013-02-19 12:41:24,641 fail2ban.jail   : INFO   Jail 'ssh' uses poller
2013-02-19 12:41:24,809 fail2ban.filter : INFO   Added logfile = /var/log/auth.log
2013-02-19 12:41:24,816 fail2ban.filter : INFO   Set maxRetry = 6
2013-02-19 12:41:24,826 fail2ban.filter : INFO   Set findtime = 600
2013-02-19 12:41:24,831 fail2ban.actions: INFO   Set banTime = 600
2013-02-19 12:41:25,456 fail2ban.jail   : INFO   Jail 'ssh' started

________________________________________________

And yet the root login attempts over ssh are not recorded in it, and are not blocked by fail2ban?
Where should I look? Thanks!
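
Added example (not part of the original post, and not fail2ban's own code): a simplified model of the maxRetry/findtime window, using the values 6 and 600 from the log output above, to check offline whether the failures in an auth.log excerpt are dense enough to reach the ban threshold. The simplified regex, the function name `would_ban`, the year parameter and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

MAX_RETRY = 6    # "Set maxRetry = 6" in the fail2ban.log output above
FIND_TIME = 600  # "Set findtime = 600", in seconds

# Simplified stand-in for the sshd failregex shown above (assumption: IPv4 only).
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed (?:password|publickey) for .* from (?P<ip>\d+\.\d+\.\d+\.\d+)")

def would_ban(lines, year=2013):
    """Return {ip: time of the failure that reaches MAX_RETRY within FIND_TIME}."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    bans = {}
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year, so it is supplied by the caller.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        window = recent[m["ip"]]
        window.append(ts)
        # Drop failures that have fallen out of the findtime window.
        while (ts - window[0]).total_seconds() > FIND_TIME:
            window.popleft()
        # Assumption: the threshold is met once the count reaches MAX_RETRY.
        if len(window) >= MAX_RETRY and m["ip"] not in bans:
            bans[m["ip"]] = ts
    return bans

def _line(hms, ip):
    # Constructed auth.log line using documentation addresses, not real log data.
    return (f"Feb 19 {hms} debian sshd[1234]: "
            f"Failed password for root from {ip} port 4242 ssh2")

# Constructed sample: one host failing every few seconds, one every 3 minutes.
SAMPLE = (
    [_line(f"05:28:{s:02d}", "192.0.2.10") for s in (10, 14, 19, 23, 28, 32)]
    + [_line(f"06:{m:02d}:00", "203.0.113.7") for m in (0, 3, 6, 9, 12, 15)]
)

if __name__ == "__main__":
    for ip, when in would_ban(SAMPLE).items():
        print(f"{ip} reaches maxRetry at {when}")
```

Comparing the timestamps this reports with the server's own clock shows whether the matched failures are recent enough to fall inside the 600-second window at all.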
