Fail2ban unter CentOS 6.x
Ähnlich wie das nagios Plugin check_logfiles kann mit Hilfe von Fail2ban diverse Logdateien auf Auffälligkeiten hin überwacht werden. Die Ursache dieser Auffälligkeiten kann nun ein amoklaufender Host, eine Brute-Force-Attacke, oder anderweitigen nicht erwünschten IP-Traffic sein.
Im Gegensatz zum Eingangs angesprochenen nagios-plugins, haben wir nun mit Fail2ban ein Werkzeug an der Hand, mit dem wir der Ursache oder dem Verursacher entgegentreten können. Fail2ban kann je nach Konfiguration, eMails-verschicken oder Dienste wie www.blocklist.de informieren und darüber hinaus über das Paketfilter-regelwerk iptables vornehmen, so dass die Verursachen für eine gewisse Zeit, oder auch dauerhaft, geblockt werden.
Installation
Im folgendem Abschnitt werden wir nun die aktuelle Release-Version 0.9.0 installieren. 0.9.0 ist zwar eine sog. Entwickler-Version, bringt aber wesentliche Neuerungen mit, die wir gerne einsetzen wollen. Hinweise zum aktuellen Release-Stand findet man bei GitHub hier.
Das zugehörige, oder besser gesagt, die zugehörigen RPMs findet man im Repository nausch.org. Falls noch nicht geschehen, binden wir nun das entsprechende Repository ein. Wie das geht, steht hier. Eine ausführliche Dokumentation der aktuellen Entwicklerversion 0.9.0 findet sich hier.
Da wir neben der Überwachung der Logfiles auch Aktionen, wie z.B. verschicken von Status-eMails nutzen wollen installieren wir das Paket fail2ban aus zuvor erwähnten nausch.org-Repository.
Dank des eingebundenen nausch.org-Repository könne wir yum zum Installieren verwenden, somit werden auch gleich alle weiteren Pakete für eine Basisinstallation als Abhängigkeiten mit installiert!
Wir starten also den Installationsvorgang.
# yum install fail2ban -y
Neben dem Basispaket fail2ban werden noch die Pakete fail2ban-server, fail2ban-sendmail, jwois, gamin-python und python-inotify installiert.
Bei Bedraf können wir uns mit Hilfe des Aufrufes rpm -qil
jeweils ein Bild davon machen, welche Dateien und Verzeichnisse bei der jeweiligen Paketinstallation neu zum System hinzukamen.
# rpm -qil fail2ban
Name : fail2ban Relocations: (not relocatable) Version : 0.9.0 Vendor: django Release : 2.el6 Build Date: Fri 13 Jun 2014 11:07:17 PM CEST Install Date: Fri 13 Jun 2014 11:16:39 PM CEST Build Host: vml010039.intra.nausch.org Group : Unspecified Source RPM: fail2ban-0.9.0-2.el6.src.rpm Size : 0 License: GPLv2+ Signature : RSA/SHA1, Fri 13 Jun 2014 11:07:18 PM CEST, Key ID 31b4758f7c65ab27 Packager : Django <django@nausch.org> URL : http://fail2ban.sourceforge.net/ Summary : Daemon to ban hosts that cause multiple authentication errors Description : Fail2Ban scans log files and bans IP addresses that makes too many password failures. It updates firewall rules to reject the IP address. These rules can be defined by the user. Fail2Ban can read multiple log files such as sshd or Apache web server ones. Fail2Ban is able to reduce the rate of incorrect authentications attempts however it cannot eliminate the risk that weak authentication presents. Configure services to use only two factor or public/private authentication mechanisms if you really want to protect services. This is a meta-package that will install the default configuration. Other sub-packages are available to install support for other actions and configurations. (contains no files)
# rpm -qil fail2ban-server
Name : fail2ban-server Relocations: (not relocatable) Version : 0.9.0 Vendor: django Release : 2.el6 Build Date: Fri 13 Jun 2014 11:07:17 PM CEST Install Date: Fri 13 Jun 2014 11:16:33 PM CEST Build Host: vml010039.intra.nausch.org Group : Unspecified Source RPM: fail2ban-0.9.0-2.el6.src.rpm Size : 1240490 License: GPLv2+ Signature : RSA/SHA1, Fri 13 Jun 2014 11:07:19 PM CEST, Key ID 31b4758f7c65ab27 Packager : Django <django@nausch.org> URL : http://fail2ban.sourceforge.net/ Summary : Core server component for Fail2Ban Description : This package contains the core server components for Fail2Ban with minimal dependencies. You can install this directly if you want to have a small installation and know what you are doing. /etc/fail2ban /etc/fail2ban/action.d /etc/fail2ban/action.d/apf.conf /etc/fail2ban/action.d/badips.conf /etc/fail2ban/action.d/badips.py /etc/fail2ban/action.d/blocklist_de.conf /etc/fail2ban/action.d/dshield.conf /etc/fail2ban/action.d/dummy.conf /etc/fail2ban/action.d/firewallcmd-ipset.conf /etc/fail2ban/action.d/firewallcmd-new.conf /etc/fail2ban/action.d/iptables-allports.conf /etc/fail2ban/action.d/iptables-blocktype.conf /etc/fail2ban/action.d/iptables-ipset-proto4.conf /etc/fail2ban/action.d/iptables-ipset-proto6-allports.conf /etc/fail2ban/action.d/iptables-ipset-proto6.conf /etc/fail2ban/action.d/iptables-multiport-log.conf /etc/fail2ban/action.d/iptables-multiport.conf /etc/fail2ban/action.d/iptables-new.conf /etc/fail2ban/action.d/iptables-xt_recent-echo.conf /etc/fail2ban/action.d/iptables.conf /etc/fail2ban/action.d/mail.conf /etc/fail2ban/action.d/mynetwatchman.conf /etc/fail2ban/action.d/route.conf /etc/fail2ban/action.d/sendmail.conf /etc/fail2ban/action.d/smtp.py /etc/fail2ban/action.d/smtp.pyc /etc/fail2ban/action.d/smtp.pyo /etc/fail2ban/action.d/xarf-login-attack.conf /etc/fail2ban/fail2ban.conf /etc/fail2ban/fail2ban.d /etc/fail2ban/fail2ban.local /etc/fail2ban/filter.d /etc/fail2ban/filter.d/3proxy.conf /etc/fail2ban/filter.d/apache-auth.conf /etc/fail2ban/filter.d/apache-badbots.conf /etc/fail2ban/filter.d/apache-botsearch.conf /etc/fail2ban/filter.d/apache-common.conf /etc/fail2ban/filter.d/apache-modsecurity.conf /etc/fail2ban/filter.d/apache-nohome.conf /etc/fail2ban/filter.d/apache-noscript.conf /etc/fail2ban/filter.d/apache-overflows.conf /etc/fail2ban/filter.d/assp.conf /etc/fail2ban/filter.d/asterisk.conf /etc/fail2ban/filter.d/common.conf /etc/fail2ban/filter.d/counter-strike.conf /etc/fail2ban/filter.d/courier-auth.conf /etc/fail2ban/filter.d/courier-smtp.conf /etc/fail2ban/filter.d/cyrus-imap.conf /etc/fail2ban/filter.d/dovecot.conf /etc/fail2ban/filter.d/dropbear.conf /etc/fail2ban/filter.d/ejabberd-auth.conf /etc/fail2ban/filter.d/exim-common.conf /etc/fail2ban/filter.d/exim-spam.conf /etc/fail2ban/filter.d/exim.conf /etc/fail2ban/filter.d/freeswitch.conf /etc/fail2ban/filter.d/groupoffice.conf /etc/fail2ban/filter.d/gssftpd.conf /etc/fail2ban/filter.d/guacamole.conf /etc/fail2ban/filter.d/horde.conf /etc/fail2ban/filter.d/kerio.conf /etc/fail2ban/filter.d/lighttpd-auth.conf /etc/fail2ban/filter.d/mysqld-auth.conf /etc/fail2ban/filter.d/nagios.conf /etc/fail2ban/filter.d/named-refused.conf /etc/fail2ban/filter.d/nginx-http-auth.conf /etc/fail2ban/filter.d/nsd.conf /etc/fail2ban/filter.d/openwebmail.conf /etc/fail2ban/filter.d/pam-generic.conf /etc/fail2ban/filter.d/perdition.conf /etc/fail2ban/filter.d/php-url-fopen.conf /etc/fail2ban/filter.d/postfix-sasl.conf /etc/fail2ban/filter.d/postfix.conf /etc/fail2ban/filter.d/proftpd.conf /etc/fail2ban/filter.d/pure-ftpd.conf /etc/fail2ban/filter.d/qmail.conf /etc/fail2ban/filter.d/recidive.conf /etc/fail2ban/filter.d/roundcube-auth.conf /etc/fail2ban/filter.d/selinux-common.conf /etc/fail2ban/filter.d/selinux-ssh.conf /etc/fail2ban/filter.d/sendmail-auth.conf /etc/fail2ban/filter.d/sendmail-reject.conf /etc/fail2ban/filter.d/sieve.conf /etc/fail2ban/filter.d/sogo-auth.conf /etc/fail2ban/filter.d/solid-pop3d.conf /etc/fail2ban/filter.d/squid.conf /etc/fail2ban/filter.d/squirrelmail.conf /etc/fail2ban/filter.d/sshd-ddos.conf /etc/fail2ban/filter.d/sshd.conf /etc/fail2ban/filter.d/stunnel.conf /etc/fail2ban/filter.d/suhosin.conf /etc/fail2ban/filter.d/tine20.conf /etc/fail2ban/filter.d/uwimap-auth.conf /etc/fail2ban/filter.d/vsftpd.conf /etc/fail2ban/filter.d/webmin-auth.conf /etc/fail2ban/filter.d/wuftpd.conf /etc/fail2ban/filter.d/xinetd-fail.conf /etc/fail2ban/jail.conf /etc/fail2ban/jail.d /etc/fail2ban/jail.local /etc/fail2ban/paths-centos.conf /etc/fail2ban/paths-common.conf /etc/logrotate.d/fail2ban /etc/rc.d/init.d/fail2ban /etc/tmpfiles.d/fail2ban.conf /usr/bin/fail2ban-client /usr/bin/fail2ban-regex /usr/bin/fail2ban-server /usr/bin/fail2ban-testcases /usr/lib/python2.6/site-packages/fail2ban /usr/lib/python2.6/site-packages/fail2ban-0.9.0-py2.6.egg-info /usr/lib/python2.6/site-packages/fail2ban-0.9.0-py2.6.egg-info/PKG-INFO /usr/lib/python2.6/site-packages/fail2ban-0.9.0-py2.6.egg-info/SOURCES.txt /usr/lib/python2.6/site-packages/fail2ban-0.9.0-py2.6.egg-info/dependency_links.txt /usr/lib/python2.6/site-packages/fail2ban-0.9.0-py2.6.egg-info/top_level.txt /usr/lib/python2.6/site-packages/fail2ban/__init__.py /usr/lib/python2.6/site-packages/fail2ban/__init__.pyc /usr/lib/python2.6/site-packages/fail2ban/__init__.pyo /usr/lib/python2.6/site-packages/fail2ban/client /usr/lib/python2.6/site-packages/fail2ban/client/__init__.py /usr/lib/python2.6/site-packages/fail2ban/client/__init__.pyc /usr/lib/python2.6/site-packages/fail2ban/client/__init__.pyo /usr/lib/python2.6/site-packages/fail2ban/client/actionreader.py /usr/lib/python2.6/site-packages/fail2ban/client/actionreader.pyc /usr/lib/python2.6/site-packages/fail2ban/client/actionreader.pyo /usr/lib/python2.6/site-packages/fail2ban/client/beautifier.py /usr/lib/python2.6/site-packages/fail2ban/client/beautifier.pyc /usr/lib/python2.6/site-packages/fail2ban/client/beautifier.pyo /usr/lib/python2.6/site-packages/fail2ban/client/configparserinc.py /usr/lib/python2.6/site-packages/fail2ban/client/configparserinc.pyc /usr/lib/python2.6/site-packages/fail2ban/client/configparserinc.pyo /usr/lib/python2.6/site-packages/fail2ban/client/configreader.py /usr/lib/python2.6/site-packages/fail2ban/client/configreader.pyc /usr/lib/python2.6/site-packages/fail2ban/client/configreader.pyo /usr/lib/python2.6/site-packages/fail2ban/client/configurator.py /usr/lib/python2.6/site-packages/fail2ban/client/configurator.pyc /usr/lib/python2.6/site-packages/fail2ban/client/configurator.pyo /usr/lib/python2.6/site-packages/fail2ban/client/csocket.py /usr/lib/python2.6/site-packages/fail2ban/client/csocket.pyc /usr/lib/python2.6/site-packages/fail2ban/client/csocket.pyo /usr/lib/python2.6/site-packages/fail2ban/client/fail2banreader.py /usr/lib/python2.6/site-packages/fail2ban/client/fail2banreader.pyc /usr/lib/python2.6/site-packages/fail2ban/client/fail2banreader.pyo /usr/lib/python2.6/site-packages/fail2ban/client/filterreader.py /usr/lib/python2.6/site-packages/fail2ban/client/filterreader.pyc /usr/lib/python2.6/site-packages/fail2ban/client/filterreader.pyo /usr/lib/python2.6/site-packages/fail2ban/client/jailreader.py /usr/lib/python2.6/site-packages/fail2ban/client/jailreader.pyc /usr/lib/python2.6/site-packages/fail2ban/client/jailreader.pyo /usr/lib/python2.6/site-packages/fail2ban/client/jailsreader.py /usr/lib/python2.6/site-packages/fail2ban/client/jailsreader.pyc /usr/lib/python2.6/site-packages/fail2ban/client/jailsreader.pyo /usr/lib/python2.6/site-packages/fail2ban/exceptions.py /usr/lib/python2.6/site-packages/fail2ban/exceptions.pyc /usr/lib/python2.6/site-packages/fail2ban/exceptions.pyo /usr/lib/python2.6/site-packages/fail2ban/helpers.py /usr/lib/python2.6/site-packages/fail2ban/helpers.pyc /usr/lib/python2.6/site-packages/fail2ban/helpers.pyo /usr/lib/python2.6/site-packages/fail2ban/protocol.py /usr/lib/python2.6/site-packages/fail2ban/protocol.pyc /usr/lib/python2.6/site-packages/fail2ban/protocol.pyo /usr/lib/python2.6/site-packages/fail2ban/server /usr/lib/python2.6/site-packages/fail2ban/server/__init__.py /usr/lib/python2.6/site-packages/fail2ban/server/__init__.pyc /usr/lib/python2.6/site-packages/fail2ban/server/__init__.pyo /usr/lib/python2.6/site-packages/fail2ban/server/action.py /usr/lib/python2.6/site-packages/fail2ban/server/action.pyc /usr/lib/python2.6/site-packages/fail2ban/server/action.pyo /usr/lib/python2.6/site-packages/fail2ban/server/actions.py /usr/lib/python2.6/site-packages/fail2ban/server/actions.pyc /usr/lib/python2.6/site-packages/fail2ban/server/actions.pyo /usr/lib/python2.6/site-packages/fail2ban/server/asyncserver.py /usr/lib/python2.6/site-packages/fail2ban/server/asyncserver.pyc /usr/lib/python2.6/site-packages/fail2ban/server/asyncserver.pyo /usr/lib/python2.6/site-packages/fail2ban/server/banmanager.py /usr/lib/python2.6/site-packages/fail2ban/server/banmanager.pyc /usr/lib/python2.6/site-packages/fail2ban/server/banmanager.pyo /usr/lib/python2.6/site-packages/fail2ban/server/database.py /usr/lib/python2.6/site-packages/fail2ban/server/database.pyc /usr/lib/python2.6/site-packages/fail2ban/server/database.pyo /usr/lib/python2.6/site-packages/fail2ban/server/datedetector.py /usr/lib/python2.6/site-packages/fail2ban/server/datedetector.pyc /usr/lib/python2.6/site-packages/fail2ban/server/datedetector.pyo /usr/lib/python2.6/site-packages/fail2ban/server/datetemplate.py /usr/lib/python2.6/site-packages/fail2ban/server/datetemplate.pyc /usr/lib/python2.6/site-packages/fail2ban/server/datetemplate.pyo /usr/lib/python2.6/site-packages/fail2ban/server/faildata.py /usr/lib/python2.6/site-packages/fail2ban/server/faildata.pyc /usr/lib/python2.6/site-packages/fail2ban/server/faildata.pyo /usr/lib/python2.6/site-packages/fail2ban/server/failmanager.py /usr/lib/python2.6/site-packages/fail2ban/server/failmanager.pyc /usr/lib/python2.6/site-packages/fail2ban/server/failmanager.pyo /usr/lib/python2.6/site-packages/fail2ban/server/failregex.py /usr/lib/python2.6/site-packages/fail2ban/server/failregex.pyc /usr/lib/python2.6/site-packages/fail2ban/server/failregex.pyo /usr/lib/python2.6/site-packages/fail2ban/server/filter.py /usr/lib/python2.6/site-packages/fail2ban/server/filter.pyc /usr/lib/python2.6/site-packages/fail2ban/server/filter.pyo /usr/lib/python2.6/site-packages/fail2ban/server/filtergamin.py /usr/lib/python2.6/site-packages/fail2ban/server/filtergamin.pyc /usr/lib/python2.6/site-packages/fail2ban/server/filtergamin.pyo /usr/lib/python2.6/site-packages/fail2ban/server/filterpoll.py /usr/lib/python2.6/site-packages/fail2ban/server/filterpoll.pyc /usr/lib/python2.6/site-packages/fail2ban/server/filterpoll.pyo /usr/lib/python2.6/site-packages/fail2ban/server/filterpyinotify.py /usr/lib/python2.6/site-packages/fail2ban/server/filterpyinotify.pyc /usr/lib/python2.6/site-packages/fail2ban/server/filterpyinotify.pyo /usr/lib/python2.6/site-packages/fail2ban/server/filtersystemd.py /usr/lib/python2.6/site-packages/fail2ban/server/filtersystemd.pyc /usr/lib/python2.6/site-packages/fail2ban/server/filtersystemd.pyo /usr/lib/python2.6/site-packages/fail2ban/server/jail.py /usr/lib/python2.6/site-packages/fail2ban/server/jail.pyc /usr/lib/python2.6/site-packages/fail2ban/server/jail.pyo /usr/lib/python2.6/site-packages/fail2ban/server/jails.py /usr/lib/python2.6/site-packages/fail2ban/server/jails.pyc /usr/lib/python2.6/site-packages/fail2ban/server/jails.pyo /usr/lib/python2.6/site-packages/fail2ban/server/jailthread.py /usr/lib/python2.6/site-packages/fail2ban/server/jailthread.pyc /usr/lib/python2.6/site-packages/fail2ban/server/jailthread.pyo /usr/lib/python2.6/site-packages/fail2ban/server/mytime.py /usr/lib/python2.6/site-packages/fail2ban/server/mytime.pyc /usr/lib/python2.6/site-packages/fail2ban/server/mytime.pyo /usr/lib/python2.6/site-packages/fail2ban/server/server.py /usr/lib/python2.6/site-packages/fail2ban/server/server.pyc /usr/lib/python2.6/site-packages/fail2ban/server/server.pyo /usr/lib/python2.6/site-packages/fail2ban/server/strptime.py /usr/lib/python2.6/site-packages/fail2ban/server/strptime.pyc /usr/lib/python2.6/site-packages/fail2ban/server/strptime.pyo /usr/lib/python2.6/site-packages/fail2ban/server/ticket.py /usr/lib/python2.6/site-packages/fail2ban/server/ticket.pyc /usr/lib/python2.6/site-packages/fail2ban/server/ticket.pyo /usr/lib/python2.6/site-packages/fail2ban/server/transmitter.py /usr/lib/python2.6/site-packages/fail2ban/server/transmitter.pyc /usr/lib/python2.6/site-packages/fail2ban/server/transmitter.pyo /usr/lib/python2.6/site-packages/fail2ban/tests /usr/lib/python2.6/site-packages/fail2ban/tests/__init__.py /usr/lib/python2.6/site-packages/fail2ban/tests/__init__.pyc /usr/lib/python2.6/site-packages/fail2ban/tests/__init__.pyo /usr/lib/python2.6/site-packages/fail2ban/tests/action_d /usr/lib/python2.6/site-packages/fail2ban/tests/action_d/__init__.py /usr/lib/python2.6/site-packages/fail2ban/tests/action_d/__init__.pyc /usr/lib/python2.6/site-packages/fail2ban/tests/action_d/__init__.pyo /usr/lib/python2.6/site-packages/fail2ban/tests/action_d/test_badips.py /usr/lib/python2.6/site-packages/fail2ban/tests/action_d/test_badips.pyc /usr/lib/python2.6/site-packages/fail2ban/tests/action_d/test_badips.pyo /usr/lib/python2.6/site-packages/fail2ban/tests/action_d/test_smtp.py /usr/lib/python2.6/site-packages/fail2ban/tests/action_d/test_smtp.pyc /usr/lib/python2.6/site-packages/fail2ban/tests/action_d/test_smtp.pyo /usr/lib/python2.6/site-packages/fail2ban/tests/actionstestcase.py /usr/lib/python2.6/site-packages/fail2ban/tests/actionstestcase.pyc /usr/lib/python2.6/site-packages/fail2ban/tests/actionstestcase.pyo /usr/lib/python2.6/site-packages/fail2ban/tests/actiontestcase.py /usr/lib/python2.6/site-packages/fail2ban/tests/actiontestcase.pyc /usr/lib/python2.6/site-packages/fail2ban/tests/actiontestcase.pyo /usr/lib/python2.6/site-packages/fail2ban/tests/banmanagertestcase.py /usr/lib/python2.6/site-packages/fail2ban/tests/banmanagertestcase.pyc /usr/lib/python2.6/site-packages/fail2ban/tests/banmanagertestcase.pyo /usr/lib/python2.6/site-packages/fail2ban/tests/clientreadertestcase.py /usr/lib/python2.6/site-packages/fail2ban/tests/clientreadertestcase.pyc /usr/lib/python2.6/site-packages/fail2ban/tests/clientreadertestcase.pyo /usr/lib/python2.6/site-packages/fail2ban/tests/config /usr/lib/python2.6/site-packages/fail2ban/tests/config/action.d /usr/lib/python2.6/site-packages/fail2ban/tests/config/action.d/brokenaction.conf /usr/lib/python2.6/site-packages/fail2ban/tests/config/fail2ban.conf /usr/lib/python2.6/site-packages/fail2ban/tests/config/filter.d /usr/lib/python2.6/site-packages/fail2ban/tests/config/filter.d/simple.conf /usr/lib/python2.6/site-packages/fail2ban/tests/config/jail.conf /usr/lib/python2.6/site-packages/fail2ban/tests/databasetestcase.py /usr/lib/python2.6/site-packages/fail2ban/tests/databasetestcase.pyc /usr/lib/python2.6/site-packages/fail2ban/tests/databasetestcase.pyo /usr/lib/python2.6/site-packages/fail2ban/tests/datedetectortestcase.py /usr/lib/python2.6/site-packages/fail2ban/tests/datedetectortestcase.pyc /usr/lib/python2.6/site-packages/fail2ban/tests/datedetectortestcase.pyo /usr/lib/python2.6/site-packages/fail2ban/tests/dummyjail.py /usr/lib/python2.6/site-packages/fail2ban/tests/dummyjail.pyc /usr/lib/python2.6/site-packages/fail2ban/tests/dummyjail.pyo /usr/lib/python2.6/site-packages/fail2ban/tests/failmanagertestcase.py /usr/lib/python2.6/site-packages/fail2ban/tests/failmanagertestcase.pyc /usr/lib/python2.6/site-packages/fail2ban/tests/failmanagertestcase.pyo /usr/lib/python2.6/site-packages/fail2ban/tests/files /usr/lib/python2.6/site-packages/fail2ban/tests/files/action.d /usr/lib/python2.6/site-packages/fail2ban/tests/files/action.d/action.py /usr/lib/python2.6/site-packages/fail2ban/tests/files/action.d/action.pyc /usr/lib/python2.6/site-packages/fail2ban/tests/files/action.d/action.pyo /usr/lib/python2.6/site-packages/fail2ban/tests/files/action.d/action_errors.py /usr/lib/python2.6/site-packages/fail2ban/tests/files/action.d/action_errors.pyc /usr/lib/python2.6/site-packages/fail2ban/tests/files/action.d/action_errors.pyo /usr/lib/python2.6/site-packages/fail2ban/tests/files/action.d/action_noAction.py /usr/lib/python2.6/site-packages/fail2ban/tests/files/action.d/action_noAction.pyc /usr/lib/python2.6/site-packages/fail2ban/tests/files/action.d/action_noAction.pyo /usr/lib/python2.6/site-packages/fail2ban/tests/files/action.d/action_nomethod.py /usr/lib/python2.6/site-packages/fail2ban/tests/files/action.d/action_nomethod.pyc /usr/lib/python2.6/site-packages/fail2ban/tests/files/action.d/action_nomethod.pyo /usr/lib/python2.6/site-packages/fail2ban/tests/files/config /usr/lib/python2.6/site-packages/fail2ban/tests/files/config/apache-auth /usr/lib/python2.6/site-packages/fail2ban/tests/files/config/apache-auth/README /usr/lib/python2.6/site-packages/fail2ban/tests/files/config/apache-auth/basic /usr/lib/python2.6/site-packages/fail2ban/tests/files/config/apache-auth/basic/authz_owner /usr/lib/python2.6/site-packages/fail2ban/tests/files/config/apache-auth/basic/authz_owner/.htaccess /usr/lib/python2.6/site-packages/fail2ban/tests/files/config/apache-auth/basic/authz_owner/.htpasswd /usr/lib/python2.6/site-packages/fail2ban/tests/files/config/apache-auth/basic/authz_owner/cant_get_me.html /usr/lib/python2.6/site-packages/fail2ban/tests/files/config/apache-auth/basic/file /usr/lib/python2.6/site-packages/fail2ban/tests/files/config/apache-auth/basic/file/.htaccess /usr/lib/python2.6/site-packages/fail2ban/tests/files/config/apache-auth/basic/file/.htpasswd /usr/lib/python2.6/site-packages/fail2ban/tests/files/config/apache-auth/digest /usr/lib/python2.6/site-packages/fail2ban/tests/files/config/apache-auth/digest.py /usr/lib/python2.6/site-packages/fail2ban/tests/files/config/apache-auth/digest.pyc /usr/lib/python2.6/site-packages/fail2ban/tests/files/config/apache-auth/digest.pyo /usr/lib/python2.6/site-packages/fail2ban/tests/files/config/apache-auth/digest/.htaccess /usr/lib/python2.6/site-packages/fail2ban/tests/files/config/apache-auth/digest/.htpasswd /usr/lib/python2.6/site-packages/fail2ban/tests/files/config/apache-auth/digest_anon /usr/lib/python2.6/site-packages/fail2ban/tests/files/config/apache-auth/digest_anon/.htaccess /usr/lib/python2.6/site-packages/fail2ban/tests/files/config/apache-auth/digest_anon/.htpasswd /usr/lib/python2.6/site-packages/fail2ban/tests/files/config/apache-auth/digest_time /usr/lib/python2.6/site-packages/fail2ban/tests/files/config/apache-auth/digest_time/.htaccess /usr/lib/python2.6/site-packages/fail2ban/tests/files/config/apache-auth/digest_time/.htpasswd /usr/lib/python2.6/site-packages/fail2ban/tests/files/config/apache-auth/digest_wrongrelm /usr/lib/python2.6/site-packages/fail2ban/tests/files/config/apache-auth/digest_wrongrelm/.htaccess /usr/lib/python2.6/site-packages/fail2ban/tests/files/config/apache-auth/digest_wrongrelm/.htpasswd /usr/lib/python2.6/site-packages/fail2ban/tests/files/config/apache-auth/noentry /usr/lib/python2.6/site-packages/fail2ban/tests/files/config/apache-auth/noentry/.htaccess /usr/lib/python2.6/site-packages/fail2ban/tests/files/database_v1.db /usr/lib/python2.6/site-packages/fail2ban/tests/files/filter.d /usr/lib/python2.6/site-packages/fail2ban/tests/files/filter.d/substition.conf /usr/lib/python2.6/site-packages/fail2ban/tests/files/filter.d/testcase-common.conf /usr/lib/python2.6/site-packages/fail2ban/tests/files/filter.d/testcase01.conf /usr/lib/python2.6/site-packages/fail2ban/tests/files/ignorecommand.py /usr/lib/python2.6/site-packages/fail2ban/tests/files/ignorecommand.pyc /usr/lib/python2.6/site-packages/fail2ban/tests/files/ignorecommand.pyo /usr/lib/python2.6/site-packages/fail2ban/tests/files/logs /usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/3proxy /usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/apache-auth /usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/apache-badbots /usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/apache-botsearch /usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/apache-modsecurity /usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/apache-nohome /usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/apache-noscript /usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/apache-overflows /usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/assp /usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/asterisk /usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/bsd /usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/bsd/syslog-plain.txt /usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/bsd/syslog-v.txt /usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/bsd/syslog-vv.txt /usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/counter-strike /usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/courier-auth /usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/courier-smtp /usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/cyrus-imap /usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/dovecot /usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/dropbear /usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/ejabberd-auth /usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/exim /usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/exim-spam /usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/freeswitch /usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/groupoffice /usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/gssftpd /usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/guacamole /usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/horde /usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/kerio /usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/lighttpd-auth /usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/mysqld-auth /usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/nagios /usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/named-refused /usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/nginx-http-auth /usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/nsd /usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/openwebmail /usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/pam-generic /usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/perdition /usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/php-url-fopen /usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/postfix /usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/postfix-sasl /usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/proftpd /usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/pure-ftpd /usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/qmail /usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/recidive /usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/roundcube-auth /usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/selinux-ssh /usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/sendmail-auth /usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/sendmail-reject /usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/sieve /usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/sogo-auth /usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/solid-pop3d /usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/squid /usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/squirrelmail /usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/sshd /usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/sshd-ddos /usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/stunnel /usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/suhosin /usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/tine20 /usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/uwimap-auth /usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/vsftpd /usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/webmin-auth /usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/wuftpd /usr/lib/python2.6/site-packages/fail2ban/tests/files/logs/xinetd-fail /usr/lib/python2.6/site-packages/fail2ban/tests/files/testcase-journal.log /usr/lib/python2.6/site-packages/fail2ban/tests/files/testcase-multiline.log /usr/lib/python2.6/site-packages/fail2ban/tests/files/testcase-usedns.log /usr/lib/python2.6/site-packages/fail2ban/tests/files/testcase01.log /usr/lib/python2.6/site-packages/fail2ban/tests/files/testcase02.log /usr/lib/python2.6/site-packages/fail2ban/tests/files/testcase03.log /usr/lib/python2.6/site-packages/fail2ban/tests/files/testcase04.log /usr/lib/python2.6/site-packages/fail2ban/tests/filtertestcase.py /usr/lib/python2.6/site-packages/fail2ban/tests/filtertestcase.pyc /usr/lib/python2.6/site-packages/fail2ban/tests/filtertestcase.pyo /usr/lib/python2.6/site-packages/fail2ban/tests/misctestcase.py /usr/lib/python2.6/site-packages/fail2ban/tests/misctestcase.pyc /usr/lib/python2.6/site-packages/fail2ban/tests/misctestcase.pyo /usr/lib/python2.6/site-packages/fail2ban/tests/samplestestcase.py /usr/lib/python2.6/site-packages/fail2ban/tests/samplestestcase.pyc /usr/lib/python2.6/site-packages/fail2ban/tests/samplestestcase.pyo /usr/lib/python2.6/site-packages/fail2ban/tests/servertestcase.py /usr/lib/python2.6/site-packages/fail2ban/tests/servertestcase.pyc /usr/lib/python2.6/site-packages/fail2ban/tests/servertestcase.pyo /usr/lib/python2.6/site-packages/fail2ban/tests/sockettestcase.py /usr/lib/python2.6/site-packages/fail2ban/tests/sockettestcase.pyc /usr/lib/python2.6/site-packages/fail2ban/tests/sockettestcase.pyo /usr/lib/python2.6/site-packages/fail2ban/tests/utils.py /usr/lib/python2.6/site-packages/fail2ban/tests/utils.pyc /usr/lib/python2.6/site-packages/fail2ban/tests/utils.pyo /usr/lib/python2.6/site-packages/fail2ban/version.py /usr/lib/python2.6/site-packages/fail2ban/version.pyc /usr/lib/python2.6/site-packages/fail2ban/version.pyo /usr/share/doc/fail2ban-server-0.9.0 /usr/share/doc/fail2ban-server-0.9.0/COPYING /usr/share/doc/fail2ban-server-0.9.0/ChangeLog /usr/share/doc/fail2ban-server-0.9.0/README.md /usr/share/doc/fail2ban-server-0.9.0/TODO /usr/share/doc/fail2ban-server-0.9.0/run-rootless.txt /usr/share/man/man1/fail2ban-client.1.gz /usr/share/man/man1/fail2ban-regex.1.gz /usr/share/man/man1/fail2ban-server.1.gz /usr/share/man/man1/fail2ban.1.gz /usr/share/man/man5/jail.conf.5.gz /var/lib/fail2ban /var/run/fail2ban
# rpm -qil fail2ban-sendmail
Name : fail2ban-sendmail Relocations: (not relocatable) Version : 0.9.0 Vendor: django Release : 2.el6 Build Date: Fri 13 Jun 2014 11:07:17 PM CEST Install Date: Fri 13 Jun 2014 11:16:38 PM CEST Build Host: vml010039.intra.nausch.org Group : Unspecified Source RPM: fail2ban-0.9.0-2.el6.src.rpm Size : 9564 License: GPLv2+ Signature : RSA/SHA1, Fri 13 Jun 2014 11:07:21 PM CEST, Key ID 31b4758f7c65ab27 Packager : Django <django@nausch.org> URL : http://fail2ban.sourceforge.net/ Summary : Sendmail actions for Fail2Ban Description : This package installs Fail2Ban's sendmail actions. This is the default mail actions for Fail2Ban. /etc/fail2ban/action.d/sendmail-buffered.conf /etc/fail2ban/action.d/sendmail-common.conf /etc/fail2ban/action.d/sendmail-whois-ipjailmatches.conf /etc/fail2ban/action.d/sendmail-whois-ipmatches.conf /etc/fail2ban/action.d/sendmail-whois-lines.conf /etc/fail2ban/action.d/sendmail-whois-matches.conf /etc/fail2ban/action.d/sendmail-whois.conf
rpm -qil gamin-python
Name : gamin-python Relocations: (not relocatable) Version : 0.1.10 Vendor: CentOS Release : 9.el6 Build Date: Thu 11 Nov 2010 09:03:58 AM CET Install Date: Fri 13 Jun 2014 11:16:30 PM CEST Build Host: c6b5.bsys.dev.centos.org Group : Development/Libraries Source RPM: gamin-0.1.10-9.el6.src.rpm Size : 89039 License: LGPLv2 Signature : RSA/8, Sun 03 Jul 2011 06:15:40 AM CEST, Key ID 0946fca2c105b9de Packager : CentOS BuildSystem <http://bugs.centos.org> URL : http://www.gnome.org/~veillard/gamin/ Summary : Python bindings for the gamin library Description : The gamin-python package contains a module that allow monitoring of files and directories from the Python language based on the support of the gamin package. /usr/lib64/python2.6/site-packages/_gamin.so /usr/lib64/python2.6/site-packages/gamin.py /usr/lib64/python2.6/site-packages/gamin.pyc /usr/lib64/python2.6/site-packages/gamin.pyo /usr/share/doc/gamin-python-0.1.10 /usr/share/doc/gamin-python-0.1.10/basic.py /usr/share/doc/gamin-python-0.1.10/basic2.py /usr/share/doc/gamin-python-0.1.10/basic3.py /usr/share/doc/gamin-python-0.1.10/basic4.py /usr/share/doc/gamin-python-0.1.10/basic5.py /usr/share/doc/gamin-python-0.1.10/basic6.py /usr/share/doc/gamin-python-0.1.10/bigfile.py /usr/share/doc/gamin-python-0.1.10/dnotify.py /usr/share/doc/gamin-python-0.1.10/dnotify10.py /usr/share/doc/gamin-python-0.1.10/dnotify11.py /usr/share/doc/gamin-python-0.1.10/dnotify12.py /usr/share/doc/gamin-python-0.1.10/dnotify13.py /usr/share/doc/gamin-python-0.1.10/dnotify15.py /usr/share/doc/gamin-python-0.1.10/dnotify2.py /usr/share/doc/gamin-python-0.1.10/dnotify3.py /usr/share/doc/gamin-python-0.1.10/dnotify4.py /usr/share/doc/gamin-python-0.1.10/dnotify5.py /usr/share/doc/gamin-python-0.1.10/dnotify6.py /usr/share/doc/gamin-python-0.1.10/dnotify7.py /usr/share/doc/gamin-python-0.1.10/dnotify8.py /usr/share/doc/gamin-python-0.1.10/dnotify9.py /usr/share/doc/gamin-python-0.1.10/flood.py /usr/share/doc/gamin-python-0.1.10/flood2.py /usr/share/doc/gamin-python-0.1.10/flood3.py /usr/share/doc/gamin-python-0.1.10/flood4.py /usr/share/doc/gamin-python-0.1.10/level.py /usr/share/doc/gamin-python-0.1.10/multiple.py /usr/share/doc/gamin-python-0.1.10/multiple2.py /usr/share/doc/gamin-python-0.1.10/multiple3.py /usr/share/doc/gamin-python-0.1.10/noexists.py /usr/share/doc/gamin-python-0.1.10/nokernel.py /usr/share/doc/gamin-python-0.1.10/python.html /usr/share/doc/gamin-python-0.1.10/readonly.py
# rpm -qil python-inotify
Name : python-inotify Relocations: (not relocatable) Version : 0.9.1 Vendor: ATrpms.net Release : 1.1.el6 Build Date: Sat 09 Apr 2011 09:15:37 PM CEST Install Date: Fri 13 Jun 2014 11:16:31 PM CEST Build Host: flocki.atrpms.net Group : Development/Libraries Source RPM: python-inotify-0.9.1-1.1.el6.src.rpm Size : 264165 License: MIT Signature : DSA/SHA1, Sat 09 Apr 2011 09:15:38 PM CEST, Key ID 508ce5e666534c2b Packager : ATrpms <http://ATrpms.net/> URL : https://github.com/seb-m/pyinotify Summary : Monitor filesystem events with Python under Linux Description : This is a Python module for watching filesystems changes. pyinotify can be used for various kind of fs monitoring. pyinotify relies on a recent Linux Kernel feature (merged in kernel 2.6.13) called inotify. inotify is an event-driven notifier, its notifications are exported from kernel space to user space. /usr/bin/pyinotify /usr/lib/python2.6/site-packages/pyinotify-0.9.1-py2.6.egg-info /usr/lib/python2.6/site-packages/pyinotify.py /usr/lib/python2.6/site-packages/pyinotify.pyc /usr/lib/python2.6/site-packages/pyinotify.pyo /usr/share/doc/python-inotify-0.9.1 /usr/share/doc/python-inotify-0.9.1/ACKS /usr/share/doc/python-inotify-0.9.1/COPYING /usr/share/doc/python-inotify-0.9.1/ChangeLog_old /usr/share/doc/python-inotify-0.9.1/NEWS_old
Dokumentation und Beschreibungen
Die Beschreibung der einzelnen Bestandteile von fail2ban, stammt in wesentlichen Teilen aus der originalen englischen Beschreibung vom Release-Version 0.8 und wurde sinngemäß ins Deutsche übertragen!
Definitionen
Folgende Berifflichkeiten in der nachfolgenden Beschreibung werden verwandt.
- filter : Ein Filter definiert einen regulären Ausdruck, mit Hilfe dessen eine bestimmte Zeichenfolge (Muster) in einer Log-Datei erkannt werden kann.
- action : Eine Aktion definiert einen oder auch mehrere Befehle, die getriggert von einem filter zu einem definiertem Zeitpunkt ausgeführt werden.
- jail : Ein jail ist eine Kombination aus einem Filter und einem oder mehreren actions, die fail2ban kann dabei meherer jails gleichzeitig verarbeiten.
- client : Bezeichnet bzw. verweist aus das Skript - fail2ban-client.
- server : Bezeichnet bzw. verweist aus das Skript - fail2ban-server.
fail2ban-Server
Fail2ban besteht aus zwei Teilen, dem server und dem client. Der server kann aus einem oder auch mehreren Prozessen bestehen und lauscht auf einem unix-socket auf eingehende Befehle. Beim Starten des server befindet sich dieser in einer Art Standard-Modus. Hierbei verfügt der server über keine Definitionen der einzelnen jails. Nachfolgende Optionen sind für fail2ban-server verfügbar:
# fail2ban-server --help
Usage: /usr/bin/fail2ban-server [OPTIONS] Fail2Ban v0.9.0 reads log file that contains password failure report and bans the corresponding IP addresses using firewall rules. Only use this command for debugging purpose. Start the server with fail2ban-client instead. The default behaviour is to start the server in background. Options: -b start in background -f start in foreground -s <FILE> socket path -p <FILE> pidfile path -x force execution of the server (remove socket file) -h, --help display this help message -V, --version print the version Report bugs to https://github.com/fail2ban/fail2ban/issues
Vom Anwender selbst sollte der fail2ban-server, außer im debugModus, nicht angesprochen werden! Die Option -s ist dabei wohl die interessanteste Option, da damit der Unix-Socket-Pfad definiert werden kann. Somit könenn meherer Fail2ban-Instanzen mit je einem eigenen Socket betrieben werden. Aber auch dieser theoretische Anwendungsfall wird i.d.R. nicht benötigt, da Fail2ban mehrere jails parallel abarbeiten kann.Gefängnisse gleichzeitig ausgeführt werden.
Sollte widererwarten der fail2ban-server einmal tatsächlich abstürzen und den UNIX-Socket dabei nicht gelöscht werden konnte, kann man mit der Option -x Fail2ban anweisen, beim Starten einen etwaigen toten Socket zu löschen. Es wird dringend geraten diesen Socket im Betrieb niemals manuell zu löschen, da dann keine Kommunikation des fail2ban-client mit dem fail2ban-server mehr möglich ist.
Der Server verarbeitet die Signale SIGTERM und SIGINT. Beim Empfang eines dieser Signale wird fail2ban-server sauber beendet.
Weitere nützliche informationen findet man auf der man-page von fail2ban-server.
FAIL2BAN-SERVER(1) User Commands FAIL2BAN-SERVER(1) NAME fail2ban-server - start the server SYNOPSIS fail2ban-server [OPTIONS] DESCRIPTION Fail2Ban v0.9.0 reads log file that contains password failure report and bans the corresponding IP addresses using firewall rules. Only use this command for debugging purpose. Start the server with fail2ban-client instead. The default behaviour is to start the server in background. OPTIONS -b start in background -f start in foreground -s <FILE> socket path -p <FILE> pidfile path -x force execution of the server (remove socket file) -h, --help display this help message -V, --version print the version AUTHOR Written by Cyril Jaquier <cyril.jaquier@fail2ban.org>. Many contributions by Yaroslav O. Halchenko <debian@onerussian.com>. REPORTING BUGS Report bugs to https://github.com/fail2ban/fail2ban/issues COPYRIGHT Copyright © 2004-2008 Cyril Jaquier, 2008- Fail2Ban Contributors Copyright of modifications held by their respective authors. Licensed under the GNU General Public License v2 (GPL). SEE ALSO fail2ban-client(1) fail2ban-server v0.9.0 March 2014 FAIL2BAN-SERVER(1)
fail2ban-Client
fail2ban-client ist das Frontend von Fail2ban. Dieser verbindet sich mit dem Socket des fail2ban-server und sendet entsprechende Befehle zur Konfiguration und Steuerung des Servers. Neben dem Einlesen der Konfigurationsdateien wird der fail2ban-server zur Steuerung des Servers verwendet. Dieser kann z.B. den fail2ban-server starten oder auch beenden. Folgenden Optionen stehen für fail2ban-Client zur Verfügung.
# fail2ban-client --help
Usage: /usr/bin/fail2ban-client [OPTIONS] <COMMAND> Fail2Ban v0.9.0 reads log file that contains password failure report and bans the corresponding IP addresses using firewall rules. Options: -c <DIR> configuration directory -s <FILE> socket path -p <FILE> pidfile path -d dump configuration. For debugging -i interactive mode -v increase verbosity -q decrease verbosity -x force execution of the server (remove socket file) -h, --help display this help message -V, --version print the version
Wie auch schon beim fail2ban-server wird auch beim fail2ban-client die Option -s <FILE> für die festlegung des Unix-Datei_Socketnamens verwendet. Setzt man diesen auf der Kommandozeile, wird dadurch die Definition des Konfigurationsdatei fail2ban.conf überschrieben. Möchte man das Standardkonfigurationsverzeichnis /etc/fail2ban anders setzen, verwendet man die Option -c <DIR>. Zum starten des Servers wir die Option -x einfach an den fail2ban-server über den UNIX-Socket weitergeleitet.
Eine sehr hilfreiche Option zu Debugzwecken ist die Option -d. Beim Aufruf von fail2ban-client -d
leist z.B. die komplette Konfiguration ein, parst diese und gibt die Informationen,
die der fail2ban-client an den fail2ban-server sendet, auf der Konsole aus.
Beispiel:
# fail2ban-client -d
['set', 'logtarget', '/var/log/fail2ban.log'] ['set', 'loglevel', 'INFO'] ['set', 'dbpurgeage', 86400] ['set', 'dbfile', '/var/lib/fail2ban/fail2ban.sqlite3'] ['add', 'sshd-ddos', 'auto'] ['set', 'sshd-ddos', 'usedns', 'warn'] ['set', 'sshd-ddos', 'addlogpath', '/var/log/secure', 'head'] ['set', 'sshd-ddos', 'maxretry', 5] ['set', 'sshd-ddos', 'addignoreip', '127.0.0.1/8'] ['set', 'sshd-ddos', 'logencoding', 'auto'] ['set', 'sshd-ddos', 'bantime', 600] ['set', 'sshd-ddos', 'ignorecommand', ''] ['set', 'sshd-ddos', 'findtime', 600] ['set', 'sshd-ddos', 'maxlines', '10'] ['set', 'sshd-ddos', 'addfailregex', '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[ *\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*(?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from <HOST>( via \\S+)?\\s*$'] ['set', 'sshd-ddos', 'addfailregex', '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[ *\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\\s*$'] ['set', 'sshd-ddos', 'addfailregex', '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[ *\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*Failed \\S+ for .*? from <HOST>(?: port \\d*)?(?: ssh\\d*)?(: (ruser .*|(\\S+ ID \\S+ \\(serial \\d+\\) CA )?\\S+ (?:[\\da-f]{2}:){15}[\\da-f]{2}(, client user ".*", client host ".*")?))?\\s*$'] ['set', 'sshd-ddos', 'addfailregex', '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[ *\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*ROOT LOGIN REFUSED.* FROM <HOST>\\s*$'] ['set', 'sshd-ddos', 'addfailregex', '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[ *\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*[iI](?:llegal|nvalid) user .* from <HOST>\\s*$'] ['set', 'sshd-ddos', 'addfailregex', '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[ *\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*User .+ from <HOST> not allowed because not listed in AllowUsers\\s*$'] ['set', 'sshd-ddos', 'addfailregex', '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[ *\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*User .+ from <HOST> not allowed because listed in DenyUsers\\s*$'] ['set', 'sshd-ddos', 'addfailregex', '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[ *\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*User .+ from <HOST> not allowed because not in any group\\s*$'] ['set', 'sshd-ddos', 'addfailregex', '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[ *\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*refused connect from \\S+ \\(<HOST>\\)\\s*$'] ['set', 'sshd-ddos', 'addfailregex', '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[ *\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*Received disconnect from <HOST>: 3: \\S+: Auth fail$'] ['set', 'sshd-ddos', 'addfailregex', '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[ *\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*User .+ from <HOST> not allowed because a group is listed in DenyGroups\\s*$'] ['set', 'sshd-ddos', 'addfailregex', "^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[ *\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*User .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\\s*$"] ['set', 'sshd-ddos', 'addfailregex', '^(?P<__prefix>\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[ *\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*)User .+ not allowed because account is locked<SKIPLINES>(?P=__prefix)(?:error: )?Received disconnect from <HOST>: 11: Bye Bye \\[preauth\\]$'] ['set', 'sshd-ddos', 'addfailregex', '^(?P<__prefix>\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[ *\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*)Disconnecting: Too many authentication failures for .+? \\[preauth\\]<SKIPLINES>(?P=__prefix)(?:error: )?Connection closed by <HOST> \\[preauth\\]$'] ['set', 'sshd-ddos', 'addfailregex', '^(?P<__prefix>\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[ *\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*)Connection from <HOST> port \\d+<SKIPLINES>(?P=__prefix)Disconnecting: Too many authentication failures for .+? \\[preauth\\]$'] ['set', 'sshd-ddos', 'addjournalmatch', '_SYSTEMD_UNIT=sshd.service', '+', '_COMM=sshd'] ['set', 'sshd-ddos', 'addaction', 'iptables-multiport'] ['set', 'sshd-ddos', 'action', 'iptables-multiport', 'actionban', 'iptables -I f2b-<name> 1 -s <ip> -j <blocktype>'] ['set', 'sshd-ddos', 'action', 'iptables-multiport', 'actionstop', 'iptables -D <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>\niptables -F f2b-<name>\niptables -X f2b-<name>'] ['set', 'sshd-ddos', 'action', 'iptables-multiport', 'actionstart', 'iptables -N f2b-<name>\niptables -A f2b-<name> -j RETURN\niptables -I <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>'] ['set', 'sshd-ddos', 'action', 'iptables-multiport', 'actionunban', 'iptables -D f2b-<name> -s <ip> -j <blocktype>'] ['set', 'sshd-ddos', 'action', 'iptables-multiport', 'actioncheck', "iptables -n -L <chain> | grep -q 'f2b-<name>[ \\t]'"] ['set', 'sshd-ddos', 'action', 'iptables-multiport', 'blocktype', 'REJECT --reject-with icmp-port-unreachable'] ['set', 'sshd-ddos', 'action', 'iptables-multiport', 'protocol', 'tcp'] ['set', 'sshd-ddos', 'action', 'iptables-multiport', 'name', 'sshd-ddos'] ['set', 'sshd-ddos', 'action', 'iptables-multiport', 'chain', 'INPUT'] ['set', 'sshd-ddos', 'action', 'iptables-multiport', 'port', '9999'] ['set', 'sshd-ddos', 'addaction', 'sendmail-whois-lines'] ['set', 'sshd-ddos', 'action', 'sendmail-whois-lines', 'actionban', 'printf %b "Subject: [Fail2Ban] <name>: banned <ip> from `uname -n`\nDate: `LC_TIME=C date -u +"%a, %d %h %Y %T +0000"`\nFrom: <sendername> <<sender>>\nTo: <dest>\\n\nHi,\\n\nThe IP <ip> has just been banned by Fail2Ban after\n<failures> attempts against <name>.\\n\\n\nHere is more information about <ip>:\\n\n`/usr/bin/whois <ip> || echo missing whois program`\\n\\n\nLines containing IP:<ip> in <logpath>\\n\n`grep \'[^0-9]<ip>[^0-9]\' <logpath>`\\n\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f <sender> <dest>'] ['set', 'sshd-ddos', 'action', 'sendmail-whois-lines', 'actionstop', 'printf %b "Subject: [Fail2Ban] <name>: stopped on `uname -n`\nDate: `LC_TIME=C date -u +"%a, %d %h %Y %T +0000"`\nFrom: <sendername> <<sender>>\nTo: <dest>\\n\nHi,\\n\nThe jail <name> has been stopped.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f <sender> <dest>'] ['set', 'sshd-ddos', 'action', 'sendmail-whois-lines', 'actionstart', 'printf %b "Subject: [Fail2Ban] <name>: started on `uname -n`\nDate: `LC_TIME=C date -u +"%a, %d %h %Y %T +0000"`\nFrom: <sendername> <<sender>>\nTo: <dest>\\n\nHi,\\n\nThe jail <name> has been started successfully.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f <sender> <dest>'] ['set', 'sshd-ddos', 'action', 'sendmail-whois-lines', 'actionunban', ''] ['set', 'sshd-ddos', 'action', 'sendmail-whois-lines', 'actioncheck', ''] ['set', 'sshd-ddos', 'action', 'sendmail-whois-lines', 'name', 'sshd-ddos'] ['set', 'sshd-ddos', 'action', 'sendmail-whois-lines', 'chain', 'INPUT'] ['set', 'sshd-ddos', 'action', 'sendmail-whois-lines', 'dest', 'django@nausch.org'] ['set', 'sshd-ddos', 'action', 'sendmail-whois-lines', 'logpath', '/var/log/secure'] ['set', 'sshd-ddos', 'action', 'sendmail-whois-lines', 'sendername', 'Fail2Ban'] ['set', 'sshd-ddos', 'action', 'sendmail-whois-lines', 'sender', 'fail2ban'] ['start', 'sshd-ddos']
Weiteres Beispiel: Mit dem Aufruf folgender Zeile, kann man einfach den Loglevel verändern:
$ fail2ban-client set loglevel DEBUG
Current logging level is 'DEBUG'
So kann jede einzelne Definition aus den Konfigurationsdateien überschrieben werden. Ein erneuter aufruf von fail2ban -d
liest dann wieder Konfigurationsdateien ein!
Auf zwei Kommandos von fail2ban wollen wir noch kurz ausführlicher eingehen.
fail2ban-client start
Als erstes wird der fail2ban-server gestartet; der fail2ban-client wartet dann bis die Kommunikation mit dem Server über den UNIX-SOCKET steht. Sobald dieser Kommunikationskanal steht, liest fail2ban-client die Konfigurationsdateien ein, parst diese und schockt das Ergebnis als Steuerbefehle zum fail2ban-server.fail2ban-client reload
Der fail2ban-client weist als erstes dden fail2ban-server an, alle jails zu stoppen. Anschließend werden die Konfigurationsdateien eingelesen, verarbeitet und das Ergebnis als Steuerbefehle zum fail2ban-server gesendet. Somit kann sehr leicht und einfach die Konfiguration neu geladen werden, ohne den Daemon neu durchstarten zu müssen!
Dies ist auch sehr nützlich beim Debuggen des Servers. So ist es möglich, den Server mitfail2ban-server -f
in einem Terminal zu starten und in einem weiteren Terminal die Konfiguration mitfail2ban-client reload
einzulesen. Somit hat man auf dem ersten terminal, die Ausgaben des fail2ban-server und auf dem zweiten die des fail2ban-client.
Ruf man fail2ban-client status [jail]
auf, wird der Status des betrffenden jail ausgegeben.
# fail2ban-client status postfix-sasl
Status for the jail: postfix-sasl |- Filter | |- Currently failed: 2 | |- Total failed: 41 | `- File list: /var/log/maillog `- Actions |- Currently banned: 1 |- Total banned: 3 `- Banned IP list: 203.195.219.103
Auf Seiten des Paketfilters iptables kann man dann die erfogreiche Sperrung der gelisteten IP-Adresse einsehen:
# iptables -nvL
Chain f2b-postfix-sasl (1 references) pkts bytes target prot opt in out source destination 39 1972 REJECT all -- * * 203.195.219.103 0.0.0.0/0 reject-with icmp-port-unreachable 50498 15M RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Ohne Angabe eines einzelnen jail wird der globale Status des Server ausgegeben.
# fail2ban-client status
Status |- Number of jail: 2 `- Jail list: postfix-sasl, sshd-ddos
Nachfolgend sind alle Befehle des fail2ban-client aufgelistet.
# fail2ban-client --help
Command: BASIC start starts the server and the jails reload reloads the configuration reload <JAIL> reloads the jail <JAIL> stop stops all jails and terminate the server status gets the current status of the server ping tests if the server is alive help return this output LOGGING set loglevel <LEVEL> sets logging level to <LEVEL>. Levels: CRITICAL, ERROR, WARNING, NOTICE, INFO, DEBUG get loglevel gets the logging level set logtarget <TARGET> sets logging target to <TARGET>. Can be STDOUT, STDERR, SYSLOG or a file get logtarget gets logging target flushlogs flushes the logtarget if a file and reopens it. For log rotation. DATABASE set dbfile <FILE> set the location of fail2ban persistent datastore. Set to "None" to disable get dbfile get the location of fail2ban persistent datastore set dbpurgeage <SECONDS> sets the max age in <SECONDS> that history of bans will be kept get dbpurgeage gets the max age in seconds that history of bans will be kept JAIL CONTROL add <JAIL> <BACKEND> creates <JAIL> using <BACKEND> start <JAIL> starts the jail <JAIL> stop <JAIL> stops the jail <JAIL>. The jail is removed status <JAIL> gets the current status of <JAIL> JAIL CONFIGURATION set <JAIL> idle on|off sets the idle state of <JAIL> set <JAIL> addignoreip <IP> adds <IP> to the ignore list of <JAIL> set <JAIL> delignoreip <IP> removes <IP> from the ignore list of <JAIL> set <JAIL> addlogpath <FILE> ['tail'] adds <FILE> to the monitoring list of <JAIL>, optionally starting at the 'tail' of the file (default 'head'). set <JAIL> dellogpath <FILE> removes <FILE> from the monitoring list of <JAIL> set <JAIL> logencoding <ENCODING> sets the <ENCODING> of the log files for <JAIL> set <JAIL> addjournalmatch <MATCH> adds <MATCH> to the journal filter of <JAIL> set <JAIL> deljournalmatch <MATCH> removes <MATCH> from the journal filter of <JAIL> set <JAIL> addfailregex <REGEX> adds the regular expression <REGEX> which must match failures for <JAIL> set <JAIL> delfailregex <INDEX> removes the regular expression at <INDEX> for failregex set <JAIL> ignorecommand <VALUE> sets ignorecommand of <JAIL> set <JAIL> addignoreregex <REGEX> adds the regular expression <REGEX> which should match pattern to exclude for <JAIL> set <JAIL> delignoreregex <INDEX> removes the regular expression at <INDEX> for ignoreregex set <JAIL> findtime <TIME> sets the number of seconds <TIME> for which the filter will look back for <JAIL> set <JAIL> bantime <TIME> sets the number of seconds <TIME> a host will be banned for <JAIL> set <JAIL> datepattern <PATTERN> sets the <PATTERN> used to match date/times for <JAIL> set <JAIL> usedns <VALUE> sets the usedns mode for <JAIL> set <JAIL> banip <IP> manually Ban <IP> for <JAIL> set <JAIL> unbanip <IP> manually Unban <IP> in <JAIL> set <JAIL> maxretry <RETRY> sets the number of failures <RETRY> before banning the host for <JAIL> set <JAIL> maxlines <LINES> sets the number of <LINES> to buffer for regex search for <JAIL> set <JAIL> addaction <ACT>[ <PYTHONFILE> <JSONKWARGS>] adds a new action named <NAME> for <JAIL>. Optionally for a Python based action, a <PYTHONFILE> and <JSONKWARGS> can be specified, else will be a Command Action set <JAIL> delaction <ACT> removes the action <ACT> from <JAIL> COMMAND ACTION CONFIGURATION set <JAIL> action <ACT> actionstart <CMD> sets the start command <CMD> of the action <ACT> for <JAIL> set <JAIL> action <ACT> actionstop <CMD> sets the stop command <CMD> of the action <ACT> for <JAIL> set <JAIL> action <ACT> actioncheck <CMD> sets the check command <CMD> of the action <ACT> for <JAIL> set <JAIL> action <ACT> actionban <CMD> sets the ban command <CMD> of the action <ACT> for <JAIL> set <JAIL> action <ACT> actionunban <CMD> sets the unban command <CMD> of the action <ACT> for <JAIL> set <JAIL> action <ACT> timeout <TIMEOUT> sets <TIMEOUT> as the command timeout in seconds for the action <ACT> for <JAIL> GENERAL ACTION CONFIGURATION set <JAIL> action <ACT> <PROPERTY> <VALUE> sets the <VALUE> of <PROPERTY> for the action <ACT> for <JAIL> set <JAIL> action <ACT> <METHOD>[ <JSONKWARGS>] calls the <METHOD> with <JSONKWARGS> for the action <ACT> for <JAIL> JAIL INFORMATION get <JAIL> logpath gets the list of the monitored files for <JAIL> get <JAIL> logencoding gets the encoding of the log files for <JAIL> get <JAIL> journalmatch gets the journal filter match for <JAIL> get <JAIL> ignoreip gets the list of ignored IP addresses for <JAIL> get <JAIL> ignorecommand gets ignorecommand of <JAIL> get <JAIL> failregex gets the list of regular expressions which matches the failures for <JAIL> get <JAIL> ignoreregex gets the list of regular expressions which matches patterns to ignore for <JAIL> get <JAIL> findtime gets the time for which the filter will look back for failures for <JAIL> get <JAIL> bantime gets the time a host is banned for <JAIL> get <JAIL> datepattern gets the patern used to match date/times for <JAIL> get <JAIL> usedns gets the usedns setting for <JAIL> get <JAIL> maxretry gets the number of failures allowed for <JAIL> get <JAIL> maxlines gets the number of lines to buffer for <JAIL> get <JAIL> actions gets a list of actions for <JAIL> COMMAND ACTION INFORMATION get <JAIL> action <ACT> actionstart gets the start command for the action <ACT> for <JAIL> get <JAIL> action <ACT> actionstop gets the stop command for the action <ACT> for <JAIL> get <JAIL> action <ACT> actioncheck gets the check command for the action <ACT> for <JAIL> get <JAIL> action <ACT> actionban gets the ban command for the action <ACT> for <JAIL> get <JAIL> action <ACT> actionunban gets the unban command for the action <ACT> for <JAIL> get <JAIL> action <ACT> timeout gets the command timeout in seconds for the action <ACT> for <JAIL> GENERAL ACTION INFORMATION get <JAIL> actionproperties <ACT> gets a list of properties for the action <ACT> for <JAIL> get <JAIL> actionmethods <ACT> gets a list of methods for the action <ACT> for <JAIL> get <JAIL> action <ACT> <PROPERTY> gets the value of <PROPERTY> for the action <ACT> for <JAIL> Report bugs to https://github.com/fail2ban/fail2ban/issues
Weitere nützliche Informationen findet man auf der manpage von fail2ban-client.
FAIL2BAN-CLIENT(1) User Commands FAIL2BAN-CLIENT(1) NAME fail2ban-client - configure and control the server SYNOPSIS fail2ban-client [OPTIONS] <COMMAND> DESCRIPTION Fail2Ban v0.9.0 reads log file that contains password failure report and bans the corresponding IP addresses using firewall rules. OPTIONS -c <DIR> configuration directory -s <FILE> socket path -p <FILE> pidfile path -d dump configuration. For debugging -i interactive mode -v increase verbosity -q decrease verbosity -x force execution of the server (remove socket file) -h, --help display this help message -V, --version print the version COMMAND BASIC start starts the server and the jails reload reloads the configuration reload <JAIL> reloads the jail <JAIL> stop stops all jails and terminate the server status gets the current status of the server ping tests if the server is alive help return this output LOGGING set loglevel <LEVEL> sets logging level to <LEVEL>. Levels: CRITICAL, ERROR, WARNING, NOTICE, INFO, DEBUG get loglevel gets the logging level set logtarget <TARGET> sets logging target to <TARGET>. Can be STDOUT, STDERR, SYSLOG or a file get logtarget gets logging target flushlogs flushes the logtarget if a file and reopens it. For log rotation. DATABASE set dbfile <FILE> set the location of fail2ban persistent datastore. Set to "None" to disable get dbfile get the location of fail2ban persistent datastore set dbpurgeage <SECONDS> sets the max age in <SECONDS> that history of bans will be kept get dbpurgeage gets the max age in seconds that history of bans will be kept JAIL CONTROL add <JAIL> <BACKEND> creates <JAIL> using <BACKEND> start <JAIL> starts the jail <JAIL> stop <JAIL> stops the jail <JAIL>. The jail is removed status <JAIL> gets the current status of <JAIL> JAIL CONFIGURATION set <JAIL> idle on|off sets the idle state of <JAIL> set <JAIL> addignoreip <IP> adds <IP> to the ignore list of <JAIL> set <JAIL> delignoreip <IP> removes <IP> from the ignore list of <JAIL> set <JAIL> addlogpath <FILE> [’tail’] adds <FILE> to the monitoring list of <JAIL>, optionally starting at the ’tail’ of the file (default ’head’). set <JAIL> dellogpath <FILE> removes <FILE> from the monitoring list of <JAIL> set <JAIL> logencoding <ENCODING> sets the <ENCODING> of the log files for <JAIL> set <JAIL> addjournalmatch <MATCH> adds <MATCH> to the journal filter of <JAIL> set <JAIL> deljournalmatch <MATCH> removes <MATCH> from the journal filter of <JAIL> set <JAIL> addfailregex <REGEX> adds the regular expression <REGEX> which must match failures for <JAIL> set <JAIL> delfailregex <INDEX> removes the regular expression at <INDEX> for failregex set <JAIL> ignorecommand <VALUE> sets ignorecommand of <JAIL> set <JAIL> addignoreregex <REGEX> adds the regular expression <REGEX> which should match pattern to exclude for <JAIL> set <JAIL> delignoreregex <INDEX> removes the regular expression at <INDEX> for ignoreregex set <JAIL> findtime <TIME> sets the number of seconds <TIME> for which the filter will look back for <JAIL> set <JAIL> bantime <TIME> sets the number of seconds <TIME> a host will be banned for <JAIL> set <JAIL> datepattern <PATTERN> sets the <PATTERN> used to match date/times for <JAIL> set <JAIL> usedns <VALUE> sets the usedns mode for <JAIL> set <JAIL> banip <IP> manually Ban <IP> for <JAIL> set <JAIL> unbanip <IP> manually Unban <IP> in <JAIL> set <JAIL> maxretry <RETRY> sets the number of failures <RETRY> before banning the host for <JAIL> set <JAIL> maxlines <LINES> sets the number of <LINES> to buffer for regex search for <JAIL> set <JAIL> addaction <ACT>[ <PYTHONFILE> <JSONKWARGS>] adds a new action named <NAME> for <JAIL>. Optionally for a Python based action, a <PYTHONFILE> and <JSONKWARGS> can be specified, else will be a Command Action set <JAIL> delaction <ACT> removes the action <ACT> from <JAIL> COMMAND ACTION CONFIGURATION set <JAIL> action <ACT> actionstart <CMD> sets the start command <CMD> of the action <ACT> for <JAIL> set <JAIL> action <ACT> actionstop <CMD> sets the stop command <CMD> of the action <ACT> for <JAIL> set <JAIL> action <ACT> actioncheck <CMD> sets the check command <CMD> of the action <ACT> for <JAIL> set <JAIL> action <ACT> actionban <CMD> sets the ban command <CMD> of the action <ACT> for <JAIL> set <JAIL> action <ACT> actionunban <CMD> sets the unban command <CMD> of the action <ACT> for <JAIL> set <JAIL> action <ACT> timeout <TIMEOUT> sets <TIMEOUT> as the command timeout in seconds for the action <ACT> for <JAIL> GENERAL ACTION CONFIGURATION set <JAIL> action <ACT> <PROPERTY> <VALUE> sets the <VALUE> of <PROPERTY> for the action <ACT> for <JAIL> set <JAIL> action <ACT> <METHOD>[ <JSONKWARGS>] calls the <METHOD> with <JSONKWARGS> for the action <ACT> for <JAIL> JAIL INFORMATION get <JAIL> logpath gets the list of the monitored files for <JAIL> get <JAIL> logencoding gets the encoding of the log files for <JAIL> get <JAIL> journalmatch gets the journal filter match for <JAIL> get <JAIL> ignoreip gets the list of ignored IP addresses for <JAIL> get <JAIL> ignorecommand gets ignorecommand of <JAIL> get <JAIL> failregex gets the list of regular expressions which matches the failures for <JAIL> get <JAIL> ignoreregex gets the list of regular expressions which matches patterns to ignore for <JAIL> get <JAIL> findtime gets the time for which the filter will look back for failures for <JAIL> get <JAIL> bantime gets the time a host is banned for <JAIL> get <JAIL> datepattern gets the patern used to match date/times for <JAIL> get <JAIL> usedns gets the usedns setting for <JAIL> get <JAIL> maxretry gets the number of failures allowed for <JAIL> get <JAIL> maxlines gets the number of lines to buffer for <JAIL> get <JAIL> actions gets a list of actions for <JAIL> COMMAND ACTION INFORMATION get <JAIL> action <ACT> actionstart gets the start command for the action <ACT> for <JAIL> get <JAIL> action <ACT> actionstop gets the stop command for the action <ACT> for <JAIL> get <JAIL> action <ACT> actioncheck gets the check command for the action <ACT> for <JAIL> get <JAIL> action <ACT> actionban gets the unban command for the action <ACT> for <JAIL> get <JAIL> action <ACT> timeout gets the command timeout in seconds for the action <ACT> for <JAIL> GENERAL ACTION INFORMATION get <JAIL> actionproperties <ACT> gets a list of properties for the action <ACT> for <JAIL> get <JAIL> actionmethods <ACT> gets a list of methods for the action <ACT> for <JAIL> get <JAIL> action <ACT> <PROPERTY> gets the value of <PROPERTY> for the action <ACT> for <JAIL> FILES /etc/fail2ban/* AUTHOR Written by Cyril Jaquier <cyril.jaquier@fail2ban.org>. Many contributions by Yaroslav O. Halchenko <debian@onerussian.com>. REPORTING BUGS Report bugs to https://github.com/fail2ban/fail2ban/issues COPYRIGHT Copyright © 2004-2008 Cyril Jaquier, 2008- Fail2Ban Contributors Copyright of modifications held by their respective authors. Licensed under the GNU General Public License v2 (GPL). SEE ALSO fail2ban-server(1) jail.conf(5) fail2ban-client v0.9.0 March 2014 FAIL2BAN-CLIENT(1)
fail2ban-regex
Mit will fail2ban-regex hat man ein Werkzeug in der Hand um einzelne regex-Ausdrücke in Verbindung mit (s)einen Logdateien testen kann.
Beispiel:
- einzelne Logzeile:
Zum Bewerten der folgenden LogzeileJun 16 12:45:22 vml000080 postfix/smtpd[21888]: warning: unknown[203.195.219.103]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
ist diese in Anführungszeichen zu setzen!
# fail2ban-regex "Jun 16 12:45:22 vml000080 postfix/smtpd[21888]: warning: unknown[203.195.219.103]: SASL LOGIN authentication failed: UGFzc3dvcmQ6" /etc/fail2ban/filter.d/postfix-sasl.conf
Running tests ============= Use failregex file : /etc/fail2ban/filter.d/postfix-sasl.conf Use single line : Jun 16 12:45:22 vml000080 postfix/smtpd[21888]: wa... Results ======= Failregex: 1 total |- #) [# of hits] regular expression | 1) [1] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?postfix/smtpd(?:\(\S+\))?[\]\)]?:?|[\[\(]?postfix/smtpd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$ `- Ignoreregex: 0 total Date template hits: |- [# of hits] date format | [1] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)? `- Lines: 1 lines, 0 ignored, 1 matched, 0 missed Running tests ============= Use failregex file : /etc/fail2ban/filter.d/postfix-sasl.conf Use single line : Jun 16 12:45:22 vml000080 postfix/smtpd[21888]: wa... Results ======= Failregex: 1 total |- #) [# of hits] regular expression | 1) [1] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?postfix/smtpd(?:\(\S+\))?[\]\)]?:?|[\[\(]?postfix/smtpd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$ `- Ignoreregex: 0 total Date template hits: |- [# of hits] date format | [1] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)? `- Lines: 1 lines, 0 ignored, 1 matched, 0 missed
- ganze Logdatei:
Zum Bewerten einer ganzen Logdatei, wie z.B. /var/log/maillog verwendet man folgenden Aufruf.# fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/postfix-sasl.conf
Running tests ============= Use failregex file : /etc/fail2ban/filter.d/postfix-sasl.conf Use log file : /var/log/maillog Use encoding : UTF-8 Results ======= Failregex: 43 total |- #) [# of hits] regular expression | 1) [43] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?postfix/smtpd(?:\(\S+\))?[\]\)]?:?|[\[\(]?postfix/smtpd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$ `- Ignoreregex: 0 total Date template hits: |- [# of hits] date format | [29628] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)? `- Lines: 29628 lines, 0 ignored, 43 matched, 29585 missed Missed line(s): too many to print. Use --print-all-missed to print all 29585 lines
Weiterführende Informationen findet man in der man-üage von fail2ban-regex.
FAIL2BAN-REGEX(1) User Commands FAIL2BAN-REGEX(1) NAME fail2ban-regex - test Fail2ban "failregex" option SYNOPSIS fail2ban-regex [OPTIONS] <LOG> <REGEX> [IGNOREREGEX] DESCRIPTION Fail2Ban reads log file that contains password failure report and bans the corresponding IP addresses using firewall rules. This tools can test regular expressions for "fail2ban". LOG: string a string representing a log line filename path to a log file (/var/log/auth.log) "systemd-journal" search systemd journal (systemd-python required) REGEX: string a string representing a ’failregex’ filename path to a filter file (filter.d/sshd.conf) IGNOREREGEX: string a string representing an ’ignoreregex’ filename path to a filter file (filter.d/sshd.conf) OPTIONS --version show program’s version number and exit -h, --help show this help message and exit -d DATEPATTERN, --datepattern=DATEPATTERN set custom pattern used to match date/times -e ENCODING, --encoding=ENCODING File encoding. Default: system locale -L MAXLINES, --maxlines=MAXLINES maxlines for multi-line regex -m JOURNALMATCH, --journalmatch=JOURNALMATCH journalctl style matches overriding filter file. "systemd-journal" only -l LOG_LEVEL, --log-level=LOG_LEVEL Log level for the Fail2Ban logger to use -v, --verbose Be verbose in output -D, --debuggex Produce debuggex.com urls for debugging there --print-no-missed Do not print any missed lines --print-no-ignored Do not print any ignored lines --print-all-missed Print all missed lines, no matter how many --print-all-ignored Print all ignored lines, no matter how many -t, --log-traceback Enrich log-messages with compressed tracebacks --full-traceback Either to make the tracebacks full, not compressed (as by default) AUTHOR Written by Cyril Jaquier <cyril.jaquier@fail2ban.org>. Many contributions by Yaroslav O. Halchenko and Steven Hiscocks. REPORTING BUGS Report bugs to https://github.com/fail2ban/fail2ban/issues COPYRIGHT Copyright © 2004-2008 Cyril Jaquier, 2008- Fail2Ban Contributors Copyright of modifications held by their respective authors. Licensed under the GNU General Public License v2 (GPL). SEE ALSO fail2ban-client(1) fail2ban-server(1) fail2ban-regex 0.9.0 March 2014 FAIL2BAN-REGEX(1)
fail2ban-testcases
Der Form halber gehen wir noch kurz auf die Möglichkeit ein, den Programmcode mit Hilfe von fail2ban-testcases zu testen. Im normalen Betrieb wird diese Option i.d.R. nicht verwendet und wird z.B. beim Bau des RPM-Paketes aufgerufen. Einen sehr ausführlichen Bericht bekommt ein entwickler z.B. bei folgendem Aufruf.
# fail2ban-testcases --no-network --log-level=heavydebug
Dem Normalsterblichen wird sich sicherlich keine tiefergehnde information offenbaren.
Die einzelnen Optionen von fail2ban-testcases kann man mit Aufruf der Option --help abrufen.
# fail2ban-testcases --help
Usage: /usr/bin/fail2ban-testcases [OPTIONS] [regexps] Script to run Fail2Ban tests battery Options: --version show program's version number and exit -h, --help show this help message and exit -l LOG_LEVEL, --log-level=LOG_LEVEL Log level for the logger to use during running tests -n, --no-network Do not run tests that require the network -t, --log-traceback Enrich log-messages with compressed tracebacks --full-traceback Either to make the tracebacks full, not compressed (as by default)
$ fail2ban-testcases
Fail2ban 0.9.0 test suite. Python 2.7.5 (default, Jun 17 2014, 18:11:42) [GCC 4.8.2 20140120 (Red Hat 4.8.2-16)]. Please wait... .....................................................................................s..................................................................................................................................................... ---------------------------------------------------------------------- Ran 235 tests in 91.004s OK (skipped=1)
Grund-Konfiguration
Bei der Konfiguration von fail2ban wird von Seiten der Entwickler empfohlen, nicht die defaultconfig-Dateien zu bearbeiten, sondern sich lokale Kopieen zu erzeugen. Der Maintainer des RPMs hat dies schon berücksichtigt und sowohl von der fail2ban.conf eine fail2ban.local und von der jail.conf eine jail.local angelegt.
allg. Einstellungen
Der Standardpfad für die Konfiguration von fail2ban ist /etc/fail2ban. Mit der Option -c beim straten des fail2ban-client kann dieser Pfad gesetzt werde. Bei einer typischen Konfiguration sieht so aus:
/etc/fail2ban/ ├── action.d │ ├── apf.conf │ ├── badips.conf │ ├── badips.py │ ├── blocklist_de.conf │ ├── dshield.conf │ ├── dummy.conf │ ├── firewallcmd-ipset.conf │ ├── firewallcmd-new.conf │ ├── iptables-allports.conf │ ├── iptables-blocktype.conf │ ├── iptables.conf │ ├── iptables-ipset-proto4.conf │ ├── iptables-ipset-proto6-allports.conf │ ├── iptables-ipset-proto6.conf │ ├── iptables-multiport.conf │ ├── iptables-multiport-log.conf │ ├── iptables-new.conf │ ├── iptables-xt_recent-echo.conf │ ├── mail.conf │ ├── mynetwatchman.conf │ ├── route.conf │ ├── sendmail-buffered.conf │ ├── sendmail-common.conf │ ├── sendmail.conf │ ├── sendmail-whois.conf │ ├── sendmail-whois-ipjailmatches.conf │ ├── sendmail-whois-ipmatches.conf │ ├── sendmail-whois-lines.conf │ ├── sendmail-whois-matches.conf │ ├── smtp.py │ ├── smtp.pyc │ ├── smtp.pyo │ └── xarf-login-attack.conf ├── fail2ban.conf ├── fail2ban.d ├── fail2ban.local ├── filter.d │ ├── 3proxy.conf │ ├── apache-auth.conf │ ├── apache-badbots.conf │ ├── apache-botsearch.conf │ ├── apache-common.conf │ ├── apache-modsecurity.conf │ ├── apache-nohome.conf │ ├── apache-noscript.conf │ ├── apache-overflows.conf │ ├── assp.conf │ ├── asterisk.conf │ ├── common.conf │ ├── counter-strike.conf │ ├── courier-auth.conf │ ├── courier-smtp.conf │ ├── cyrus-imap.conf │ ├── dovecot.conf │ ├── dropbear.conf │ ├── ejabberd-auth.conf │ ├── exim-common.conf │ ├── exim.conf │ ├── exim-spam.conf │ ├── freeswitch.conf │ ├── groupoffice.conf │ ├── gssftpd.conf │ ├── guacamole.conf │ ├── horde.conf │ ├── kerio.conf │ ├── lighttpd-auth.conf │ ├── mysqld-auth.conf │ ├── nagios.conf │ ├── named-refused.conf │ ├── nginx-http-auth.conf │ ├── nsd.conf │ ├── openwebmail.conf │ ├── pam-generic.conf │ ├── perdition.conf │ ├── php-url-fopen.conf │ ├── postfix.conf │ ├── postfix-sasl.conf │ ├── proftpd.conf │ ├── pure-ftpd.conf │ ├── qmail.conf │ ├── recidive.conf │ ├── roundcube-auth.conf │ ├── selinux-common.conf │ ├── selinux-ssh.conf │ ├── sendmail-auth.conf │ ├── sendmail-reject.conf │ ├── sieve.conf │ ├── sogo-auth.conf │ ├── solid-pop3d.conf │ ├── squid.conf │ ├── squirrelmail.conf │ ├── sshd.conf │ ├── sshd-ddos.conf │ ├── stunnel.conf │ ├── suhosin.conf │ ├── tine20.conf │ ├── uwimap-auth.conf │ ├── vsftpd.conf │ ├── webmin-auth.conf │ ├── wuftpd.conf │ └── xinetd-fail.conf ├── jail.conf ├── jail.d ├── jail.local ├── jail.local.rpmnew ├── paths-centos.conf └── paths-common.conf 4 directories, 104 files
In der Konfigurationsdatei fail2ban.local werden folgende Parameter definiert:
Option | Beschreibung |
---|---|
loglevel | Definition des loglevels bei der Ausgabe. |
logtarget | Definition des Logziels, also z.B. STDERR (Konsole), SYSLOG oder /Pfad/Datei zum Schreiben in ein eigenes Logfile. |
socket | Definition des UNIX-Sockets über den fail2ban-client mit dem fail2ban-server kommuniziert. |
pidfile | Definition des PID-Files, in dem die Prozess ID des fail2ban-servers gespeichert wird. |
dbfile | Definition des Sqlite3-Datenbankfiles, in dem fail2ban die persistente Daten speichern soll. |
dbpurgeage | Definition der Zeitspanne nach dem alte Daten aus der Datenbank gelöscht werden sollen. (default 86.400 Sekunden = 24 Stunden) |
# cat /etc/fail2ban/fail2ban.local
- /etc/fail2ban/fail2ban.local
# Fail2Ban main configuration file # # Comments: use '#' for comment lines and ';' (following a space) for inline comments # # Changes: in most of the cases you should not modify this # file, but provide customizations in fail2ban.local file, e.g.: # # [Definition] # loglevel = DEBUG # [Definition] # Option: loglevel # Notes.: Set the log level output. # CRITICAL # ERROR # WARNING # NOTICE # INFO # DEBUG # Values: [ LEVEL ] Default: ERROR # loglevel = INFO # Option: logtarget # Notes.: Set the log target. This could be a file, SYSLOG, STDERR or STDOUT. # Only one log target can be specified. # If you change logtarget from the default value and you are # using logrotate -- also adjust or disable rotation in the # corresponding configuration file # (e.g. /etc/logrotate.d/fail2ban on Debian systems) # Values: [ STDOUT | STDERR | SYSLOG | FILE ] Default: STDERR # logtarget = /var/log/fail2ban.log # Option: socket # Notes.: Set the socket file. This is used to communicate with the daemon. Do # not remove this file when Fail2ban runs. It will not be possible to # communicate with the server afterwards. # Values: [ FILE ] Default: /var/run/fail2ban/fail2ban.sock # socket = /var/run/fail2ban/fail2ban.sock # Option: pidfile # Notes.: Set the PID file. This is used to store the process ID of the # fail2ban server. # Values: [ FILE ] Default: /var/run/fail2ban/fail2ban.pid # pidfile = /var/run/fail2ban/fail2ban.pid # Options: dbfile # Notes.: Set the file for the fail2ban persistent data to be stored. # A value of ":memory:" means database is only stored in memory # and data is lost once fail2ban is stops. # A value of "None" disables the database. # Values: [ None :memory: FILE ] Default: /var/lib/fail2ban/fail2ban.sqlite3 dbfile = /var/lib/fail2ban/fail2ban.sqlite3 # Options: dbpurgeage # Notes.: Sets age at which bans should be purged from the database # Values: [ SECONDS ] Default: 86400 (24hours) dbpurgeage = 86400
Jails
Die wichtigste Konfigurationsdatei ist vermutlich jail.conf bzw. jail.local, in der die einzelnen jails definiert werden. In der Datei enthält bereits einige Musterbeispiele vorhanden, die man bei Bedarf einfach aktivieren kann.
Am Anfang der jail.local wird in der Section [INCLUDES] die Datei paths-centos.conf eingebunden, die die wichtigsten CentOS spezifischen Definitionen (Logdateipfade) enthält.
# vim /etc/fail2ban/paths-centos.conf
- etc/fail2ban/paths-centos.conf
# CentOS [INCLUDES] before = paths-common.conf after = paths-overrides.local [DEFAULT] syslog_mail = /var/log/maillog syslog_mail_warn = /var/log/maillog syslog_authpriv = /var/log/secure syslog_user = /var/log/messages syslog_ftp = /var/log/messages syslog_daemon = /var/log/messages syslog_local0 = /var/log/messages apache_error_log = /var/log/httpd/*error_log apache_access_log = /var/log/httpd/*access_log # /etc/proftpd/proftpd.conf (ExtendedLog for Anonymous) # proftpd_log = /var/log/proftpd/auth.log # Tested and it worked out in /var/log/messages so assuming syslog_ftp for now. mysql_log = /var/lib/mysql/mysqld.log
Als nächstes finden wir die Definition der Defaultwerte in der Section [DEFAULT] in der Konfigurationsdatei jail.local.
# vim /etc/fail2ban/jail.local
... # The DEFAULT allows a global definition of the options. They can be overridden # in each jail afterwards. [DEFAULT] # # MISCELLANEOUS OPTIONS # # "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not # ban a host which matches an address in this list. Several addresses can be # defined using space separator. ignoreip = 127.0.0.1/8 # External command that will take an tagged arguments to ignore, e.g. <ip>, # and return true if the IP is to be ignored. False otherwise. # # ignorecommand = /path/to/command <ip> ignorecommand = # "bantime" is the number of seconds that a host is banned. bantime = 600 # A host is banned if it has generated "maxretry" during the last "findtime" # seconds. findtime = 600 # "maxretry" is the number of failures before a host get banned. maxretry = 5 # "backend" specifies the backend used to get files modification. # Available options are "pyinotify", "gamin", "polling", "systemd" and "auto". # This option can be overridden in each jail as well. # # pyinotify: requires pyinotify (a file alteration monitor) to be installed. # If pyinotify is not installed, Fail2ban will use auto. # gamin: requires Gamin (a file alteration monitor) to be installed. # If Gamin is not installed, Fail2ban will use auto. # polling: uses a polling algorithm which does not require external libraries. # systemd: uses systemd python library to access the systemd journal. # Specifying "logpath" is not valid for this backend. # See "journalmatch" in the jails associated filter config # auto: will try to use the following backends, in order: # pyinotify, gamin, polling. backend = auto # "usedns" specifies if jails should trust hostnames in logs, # warn when DNS lookups are performed, or ignore all hostnames in logs # # yes: if a hostname is encountered, a DNS lookup will be performed. # warn: if a hostname is encountered, a DNS lookup will be performed, # but it will be logged as a warning. # no: if a hostname is encountered, will not be used for banning, # but it will be logged as info. usedns = warn # "logencoding" specifies the encoding of the log files handled by the jail # This is used to decode the lines from the log file. # Typical examples: "ascii", "utf-8" # # auto: will use the system locale setting logencoding = auto # "enabled" enables the jails. # By default all jails are disabled, and it should stay this way. # Enable only relevant to your setup jails in your .local or jail.d/*.conf # # true: jail will be enabled and log files will get monitored for changes # false: jail is not enabled enabled = false # "filter" defines the filter to use by the jail. # By default jails have names matching their filter name # filter = %(__name__)s ...
Nachfolgende Werte werden vorgegeben und können entweder als neuen Standardwert gesetzt, oder in den einzelnen jails überschrieben werden.
Option | Standardwert | Beschreibung |
---|---|---|
ignoreip | 127.0.0.1/8 | Liste von IP-Adressen oder Netzwerken (mit Kommatas getrennt), die von einem ban, also vom Sperren ausgenommen werden sollen. |
ignorecommand | Externer Befehl der bei der Bewertung negativ besetzt werden soll | |
bantime | 600 | Zeitspanne in Sekunden, die ein Host gesperrt werden soll |
findtime | 600 | Zeitspanne in Sekunden, in denen das erneute Auffinden einer IP-Adresse überwacht bzw. gewertet wird |
maxretry | 5 | Maximale Anzahl, die definiert, wie oft eine IP-Adresse aufgefunden werden muss, damit die action ausgeführt, also. z.B. ein Host gesperrt, werden soll. |
backend | auto | Definition des backends dass zur Überwachung der Logdatei in einem jail verwendet werden soll. |
usedns | warn | Festlegung, ob Hostnamen in Logdateien vertraut oder ein NDS-Lokkup gemacht werden soll, oder ob Hostnamen in Logfiles ignoriert werden sollen. |
logencoding | auto | Definition des Zeichensatzes/Code-Tabelle, die beim Überwachen des Logfiles verwendet werden soll. |
enabled | false | Festlegung, ob per se, alle jails in der Konfigurationsdatei aktiviert werden sollen. |
filter | %(name)s | Festlegung der filter-Namen, die bei der jail-Konfiguration verwendet werden sollen. Als Standard wird der der Name des jail beim zugehörigen filter verwendet. |
Nachdem wir uns die grundlegenden Konfigurationsparameter angesehen haben, betrachten wir nun an Hand des nachfolgenden Beispiels, wie eine jail-Definition genauer ansehen kann.
[ssh-iptables] #enabled = false enabled = true filter = sshd action = iptables[name=SSH, port=ssh, protocol=tcp] # mail-whois[name=SSH, dest=yourmail@mail.com] #logpath = /var/log/sshd.log logpath = /var/log/secure maxretry = 5
Mit diesen Einstellungen wird folgendes festgelegt:
- Der Definitionsbereich [ssh-iptables] wird aktiviert.
- Der Filter sshd.conf im Unterverzeichnis filter.d wird verwendet.
- Die Aktion iptables.conf aus dem Unterverzeichnis action.d wird ausgeführt, sobald der Filter oft genug anschlägt. Die zweite Aktion mail-whois wird nicht ausgeführt, da diese auskommentiert ist.
- Die Logdatei /var/log/secure wird überwacht.
- Wird 5x der betreffende logeintrag gefunden, werden die definierten action ausgeführt.
In einem jail werden gewöhnlich filter und action kombiniert. Je jail ist nur ein filter erlaubt; jedoch können mehrere action je jail definiert werden. So kann man z.B. bei einem SSH-Einbruchsversuch, erst mit Hilfe des iptables-Paketfilters die Quell-IP sperren und dann z.B. via whois Informationen des beanstandeten Hosts erfragen und die Daten dann per eMail an den verantwortlichen Admin senden. Genauso könnte man „nur“ eine eMail versenden, sobald die Seite noaccess.html auf dem Webserver angesprochen wird.
Fail2ban ist nicht nur auf SSH beschränkt. Fail2ban liefert viele Beispiele an filter undaction, die man als Vorlage verwenden kann, bzw. die man aktivieren und erweitern kann. Im Unterverzeichnis filter.d sind viele Filter vordefiniert, die man dann einfach in der Konfigurationsdatei jail.local aktivieren kann.
Der Abschnitt [ssh-ddos] kann hier als Beispiel dienen, wie man einen filter, einfach und schnell aktivieren kann. Die Variable logpath ist in jedem Fall, der eigenen Umgebung anzupassen:
[ssh-ddos] enabled = true port = ssh,sftp filter = sshd-ddos logpath = /var/log/messages maxretry = 2
Actions
Im Konfigurationsbereich ACTIONS erfolt die Festlegung systemweiter Parameter, die später bei der Definition der einzelnen jails als Variablen verwendet werden, bzw. auch dort überschrieben werden, können.
Werfen wir also einen Blick in diesen Bereich der Konfigurationsdatei jail.local*.
# vim /etc/fail2ban/jail.local
... # # ACTIONS # # Some options used for actions # Destination email address used solely for the interpolations in # jail.{conf,local,d/*} configuration files. # Django : 2014-06-12 # default: destemail = root@localhost destemail = django@nausch.org # Sender email address used solely for some actions # Django : 2014-06-12 # default: sender = root@localhost sender = fail2ban@vml000010.dmz.nausch.org # E-mail action. Since 0.8.1 Fail2Ban uses sendmail MTA for the # mailing. Change mta configuration parameter to mail if you want to # revert to conventional 'mail'. mta = sendmail # Default protocol protocol = tcp # Specify chain where jumps would need to be added in iptables-* actions chain = INPUT # Ports to be banned # Usually should be overridden in a particular jail port = 0:65535 # # Action shortcuts. To be used to define action parameter # Default banning action (e.g. iptables, iptables-new, # iptables-multiport, shorewall, etc) It is used to define # action_* variables. Can be overridden globally or per # section within jail.local file banaction = iptables-multiport # The simplest action to take: ban only action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] # ban & send an e-mail with whois report to the destemail. action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"] # ban & send an e-mail with whois report and relevant log lines # to the destemail. action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"] # See the IMPORTANT note in action.d/xarf-login-attack for when to use this action # # ban & send a xarf e-mail to abuse contact of IP address and include relevant log lines # to the destemail. action_xarf = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"] # Report block via blocklist.de fail2ban reporting service API # # See the IMPORTANT note in action.d/blocklist_de.conf for when to # use this action. Create a file jail.d/blocklist_de.local containing # [Init] # blocklist_de_apikey = {api key from registration] # action_blocklist_de = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s"] # Report ban via badips.com, and use as blacklist # # See BadIPsAction docstring in config/action.d/badips.py for # documentation for this action. # # NOTE: This action relies on banaction being present on start and therefore # should be last action defined for a jail. # action_badips = badips.py[category="%(name)s", banaction="%(banaction)s"] # Choose default action. To change, just override value of 'action' with the # interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local # globally (section [DEFAULT]) or per specific section action = %(action_)s ...
Folgende Variablen und Festlegungen werden in dem vorgenannten Abschnitt definiert.
Option | Wert | Beschreibung |
---|---|---|
destemail | django@nausch.org | Empfänger-Adresse an die etwaige Meldungen gesendet werden soll, in unserem Beispiel erhält django@nausch.org diese Nachrichten. |
sender | fail2ban@vml000010.dmz.nausch.org | Absenderadresse der Status-eMails (mail from) |
mta | sendmail | Binary, welches zum Verschicken der Statusnachrichten verwendet werden soll. Nicht verwechseln mit dem Mailserver „sendmail“! |
protocol | tcp | Default Protokoll |
chain | INPUT | Name der iptables-chain in die benötigte Portblockingdefinitionen eingefügt werden sollen |
port | 0:65535 | Portbereich, der ggf. gesperrt werden soll. |
Neben der Definition der Standardparameter werden noch ein paar wichtige action definiert, die wir später so bei den einzelnen jails leicht integrieren können.
- banaction :
Default banning action, also der Paketfilter, der zum Sperren von Hosts und Services verwendet wird.banaction = iptables-multiport
- action_ :
Dies ist die einfachste Variante bei den actions, denn es wir nur der verursachende Host gesperrt.action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
- action_mw :
Bei dieser action wird der Verursacher gesperrt und dem bei destemail definiertem Empfänger eine Nachricht mit den whois-Daten des Verursachers geschickt.action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
- action_mwl :
Bei dieser action wird der Verursacher gesperrt und dem bei destemail definiertem Empfänger eine Nachricht mit den whois-Daten des Verursachers und den fraglichen Logzeilen, bei dem der Filter angeschlagen hatte, geschickt.action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
- action_xarf :
Bei dieser action wird der Verursacher gesperrt, sowie der Abuse-Adresxse aus dem whois-Daten des Verursachenden Host eine xarf eMail geschickt.
Bei Verwendung dieser action wird auf die Anmerkungen in der action Definition xarf-login_attack verwiesen.
# less /etc/fail2ban/action.d/xarf-login-attack.conf
# Fail2Ban action for sending xarf Login-Attack messages to IP owner # # IMPORTANT: # # Emailing a IP owner of abuse is a serious complain. Make sure that it is # serious. Fail2ban developers and network owners recommend you only use this # action for: # * The recidive where the IP has been banned multiple times # * Where maxretry has been set quite high, beyond the normal user typing # password incorrectly. # * For filters that have a low likelyhood of receiving human errors # # DEPENDANCIES: # # This requires the dig command from bind-utils # # This uses the https://abusix.com/contactdb.html to lookup abuse contacts. # # XARF is a specification for sending a formatted response # for non-messaging based abuse including: # # Login-Attack, Malware-Attack, Fraud (Phishing, etc.), Info DNSBL # See the IMPORTANT note in action.d/xarf-login-attack for when to use this action # # ban & send a xarf e-mail to abuse contact of IP address and include relevant log lines # to the destemail.
Also keinenfalls leichtfertig und unüberlegt diese action einsetzen!
action_xarf = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"]
- action_blocklist_de :
Melden des blockierten Hosts an via blocklist.de über deren Fail2ban-Reporting-Service-API.action_blocklist_de = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s"]
- action_badips :
Bei dieser action wird der blockierte Host an badips.com gemeldet und als blacklist verwendet.action_badips = badips.py[category="%(name)s", banaction="%(banaction)s"]
- action :
Definition der Default action. Dieser wert kann systemweit oder auch je einzelnem jail gesetzt werden.action = %(action_)s
Filters
Im Verzeichnis /etc/fail2ban/filter.d finden sich bereits vorgefertigte, für wirklich fast alle Anwendungsfälle praxistaugliche, Filterdefinitionen mit regular Expressions.
# ll -alF /etc/fail2ban/filter.d/
total 264
drwxr-xr-x 2 root root 4096 Jun 17 17:47 ./
drwxr-xr-x 6 root root 4096 Jun 17 15:11 ../
-rw-r--r-- 1 root root 442 Mar 15 01:18 3proxy.conf
-rw-r--r-- 1 root root 3233 Mar 15 01:18 apache-auth.conf
-rw-r--r-- 1 root root 2736 Mar 15 01:18 apache-badbots.conf
-rw-r--r-- 1 root root 1537 Mar 15 01:18 apache-botsearch.conf
-rw-r--r-- 1 root root 813 Mar 15 01:18 apache-common.conf
-rw-r--r-- 1 root root 402 Mar 15 01:18 apache-modsecurity.conf
-rw-r--r-- 1 root root 596 Mar 15 01:18 apache-nohome.conf
-rw-r--r-- 1 root root 1187 Mar 15 01:18 apache-noscript.conf
-rw-r--r-- 1 root root 2000 Mar 15 01:18 apache-overflows.conf
-rw-r--r-- 1 root root 1156 Mar 15 01:18 assp.conf
-rw-r--r-- 1 root root 2270 Mar 15 01:18 asterisk.conf
-rw-r--r-- 1 root root 1671 Mar 15 01:18 common.conf
-rw-r--r-- 1 root root 238 Mar 15 01:18 counter-strike.conf
-rw-r--r-- 1 root root 393 Mar 15 01:18 courier-auth.conf
-rw-r--r-- 1 root root 352 Mar 15 01:18 courier-smtp.conf
-rw-r--r-- 1 root root 418 Mar 15 01:18 cyrus-imap.conf
-rw-r--r-- 1 root root 1440 Mar 15 01:18 dovecot.conf
-rw-r--r-- 1 root root 1696 Mar 15 01:18 dropbear.conf
-rw-r--r-- 1 root root 1282 Mar 15 01:18 ejabberd-auth.conf
-rw-r--r-- 1 root root 403 Mar 15 01:18 exim-common.conf
-rw-r--r-- 1 root root 1349 Mar 15 01:18 exim.conf
-rw-r--r-- 1 root root 2158 Mar 15 01:18 exim-spam.conf
-rw-r--r-- 1 root root 942 Mar 15 01:18 freeswitch.conf
-rw-r--r-- 1 root root 223 Mar 15 01:18 groupoffice.conf
-rw-r--r-- 1 root root 322 Mar 15 01:18 gssftpd.conf
-rw-r--r-- 1 root root 512 Mar 15 01:18 guacamole.conf
-rw-r--r-- 1 root root 404 Mar 15 01:18 horde.conf
-rw-r--r-- 1 root root 466 Mar 15 01:18 kerio.conf
-rw-r--r-- 1 root root 323 Mar 15 01:18 lighttpd-auth.conf
-rw-r--r-- 1 root root 886 Mar 15 01:18 mysqld-auth.conf
-rw-r--r-- 1 root root 400 Mar 15 01:18 nagios.conf
-rw-r--r-- 1 root root 1579 Mar 15 01:18 named-refused.conf
-rw-r--r-- 1 root root 422 Mar 15 01:18 nginx-http-auth.conf
-rw-r--r-- 1 root root 701 Mar 15 01:18 nsd.conf
-rw-r--r-- 1 root root 495 Mar 15 01:18 openwebmail.conf
-rw-r--r-- 1 root root 808 Mar 15 01:18 pam-generic.conf
-rw-r--r-- 1 root root 568 Mar 15 01:18 perdition.conf
-rw-r--r-- 1 root root 834 Mar 15 01:18 php-url-fopen.conf
-rw-r--r-- 1 root root 745 Mar 15 01:18 postfix.conf
-rw-r--r-- 1 root root 312 Mar 15 01:18 postfix-sasl.conf
-rw-r--r-- 1 root root 1054 Mar 15 01:18 proftpd.conf
-rw-r--r-- 1 root root 1725 Mar 15 01:18 pure-ftpd.conf
-rw-r--r-- 1 root root 795 Mar 15 01:18 qmail.conf
-rw-r--r-- 1 root root 1276 Mar 15 01:18 recidive.conf
-rw-r--r-- 1 root root 890 Mar 15 01:18 roundcube-auth.conf
-rw-r--r-- 1 root root 517 Mar 15 01:18 selinux-common.conf
-rw-r--r-- 1 root root 570 Mar 15 01:18 selinux-ssh.conf
-rw-r--r-- 1 root root 330 Mar 15 01:18 sendmail-auth.conf
-rw-r--r-- 1 root root 2424 Mar 15 01:18 sendmail-reject.conf
-rw-r--r-- 1 root root 371 Mar 15 01:18 sieve.conf
-rw-r--r-- 1 root root 472 Mar 15 01:18 sogo-auth.conf
-rw-r--r-- 1 root root 1093 Mar 15 01:18 solid-pop3d.conf
-rw-r--r-- 1 root root 193 Mar 15 01:18 squid.conf
-rw-r--r-- 1 root root 185 Mar 15 01:18 squirrelmail.conf
-rw-r--r-- 1 root root 2779 Mar 15 01:18 sshd.conf
-rw-r--r-- 1 root root 761 Mar 15 01:18 sshd-ddos.conf
-rw-r--r-- 1 root root 348 Mar 15 01:18 stunnel.conf
-rw-r--r-- 1 root root 645 Mar 15 01:18 suhosin.conf
-rw-r--r-- 1 root root 821 Mar 15 01:18 tine20.conf
-rw-r--r-- 1 root root 374 Mar 15 01:18 uwimap-auth.conf
-rw-r--r-- 1 root root 621 Mar 15 01:18 vsftpd.conf
-rw-r--r-- 1 root root 444 Mar 15 01:18 webmin-auth.conf
-rw-r--r-- 1 root root 514 Mar 15 01:18 wuftpd.conf
-rw-r--r-- 1 root root 503 Mar 15 01:18 xinetd-fail.conf
Will oder muß man einen eigenen speziellen failregex Filter bauen, dann muss man dringend nachfolgende Regeln beachten. Man kann sich auch sehr schön an den vielen Beispielen orientieren, die dort aufgeführt sind.
- Ein failregex kann aus mehreren Zeilen bestehen, von denen dann jede eine einzelne Zeile der Protokolldatei als Übereinstimmung finden kann.
- In jeder Zeile einer failregex muss die Ip-Adresse bzw. der Hostname als (?P<host> … ) eingebunden werden (siehe Beispiel in der /etc/fail2ban/filter.d/common.conf). . Die sit eine Python spezifische Erweiterung, die, in diesem aufgezeigten Beispiel, der Variable <host> den Hostname bzw. die IP-Adresse des Angreifers zuweist. Somit ist die IP-Adresse des Angreifers bei jeder regex-Überprüfung bekannt. Andernfalls bricht fail2ban mit der Fehlermeldung „No 'host' group“ ab.
- Der Einfachheit halber kann man den vordefinierten tag <HOST> in den eigenen failregex-Definitionen verwenden. <HOST> ist ein alias für
(?:::f{4,6}:)?(?P<host>\S+)
, was entweder einem Hostnamen oder einer IPv4-Adresse (ggf. in einer IPv6-Adresse eingebettet), repräsentiert. - Im action script wird der tag <ip> mit der IP-Adresse des Hosts besetzt, die im tag<host> ermittelt wurde.
- Damit eine Log-Zeile von der eigen definierten failregex erfasst werden kann, müssen zwei Teile übereinstimmen. Dies ist am Anfang der Logzeile ein auswertbarer Zeitstempel bze. eine regex und der Rest der Zeile mit der eigentlichen failregex. Beginnt der failregex mit einem ^-Zeichen als Anker, dann markiert dieser Anker mitt ggf. folgenden Leerzeichgen der Rest der Zeile.
- Wird der Zeitstempel der Logzeile nicht erkannt, wird auch ein Treffer der failregex fehlschlagen! Daher wird empfohlen, jede eigene failregex-Definition ausführlich zu testen, ob der betreffende Zeotstempel auch erkannt wird. Im Fehlerfall hat man aktuell nur zwei Möglichkeiten. Entweder passt man die Zeitstempel im Logfile des betreffenden Daemon an, damit dieser von fail2ban erkannt wird. Im anderen Fall kann man einen Bugreport aufmachen und bitten, dieses besondere Zeitstempel in den nächsten Release von fail2ban aufzunehmen.
Baustelle
# service fail2ban start Starting fail2ban: [ OK ]
# cat /var/log/fail2ban.log 2014-06-11 12:03:36,460 fail2ban.server.server[21260]: INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.9.0 2014-06-11 12:03:36,462 fail2ban.server.database[21260]: INFO Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3' 2014-06-11 12:03:37,566 fail2ban.server.database[21260]: WARNING New database created. Version '2'
# cat /var/log/fail2ban.log
2014-06-11 12:37:51,938 fail2ban.server.server[23574]: INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.9.0 2014-06-11 12:37:51,940 fail2ban.server.database[23574]: INFO Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3' 2014-06-11 12:37:51,944 fail2ban.server.jail[23574]: INFO Creating new jail 'sshd-ddos' 2014-06-11 12:37:51,944 fail2ban.server.jail[23574]: INFO Jail 'sshd-ddos' uses poller 2014-06-11 12:37:52,006 fail2ban.server.filter[23574]: INFO Set jail log file encoding to UTF-8 2014-06-11 12:37:52,006 fail2ban.server.jail[23574]: INFO Initiated 'polling' backend 2014-06-11 12:37:52,200 fail2ban.server.filter[23574]: INFO Added logfile = /var/log/secure 2014-06-11 12:37:52,201 fail2ban.server.filter[23574]: INFO Set maxRetry = 5 2014-06-11 12:37:52,202 fail2ban.server.filter[23574]: INFO Set jail log file encoding to UTF-8 2014-06-11 12:37:52,203 fail2ban.server.actions[23574]: INFO Set banTime = 600 2014-06-11 12:37:52,208 fail2ban.server.filter[23574]: INFO Set findtime = 600 2014-06-11 12:37:52,208 fail2ban.server.filter[23574]: INFO Set maxlines = 10 2014-06-11 12:37:52,573 fail2ban.server.server[23574]: INFO Jail sshd-ddos is not a JournalFilter instance 2014-06-11 12:37:52,592 fail2ban.server.jail[23574]: INFO Creating new jail 'postfix-sasl' 2014-06-11 12:37:52,592 fail2ban.server.jail[23574]: INFO Jail 'postfix-sasl' uses poller 2014-06-11 12:37:52,593 fail2ban.server.filter[23574]: INFO Set jail log file encoding to UTF-8 2014-06-11 12:37:52,594 fail2ban.server.jail[23574]: INFO Initiated 'polling' backend 2014-06-11 12:37:52,750 fail2ban.server.filter[23574]: INFO Added logfile = /var/log/maillog 2014-06-11 12:37:52,751 fail2ban.server.filter[23574]: INFO Set maxRetry = 5 2014-06-11 12:37:52,752 fail2ban.server.filter[23574]: INFO Set jail log file encoding to UTF-8 2014-06-11 12:37:52,753 fail2ban.server.actions[23574]: INFO Set banTime = 600 2014-06-11 12:37:52,757 fail2ban.server.filter[23574]: INFO Set findtime = 600 2014-06-11 12:37:52,818 fail2ban.server.jail[23574]: INFO Jail 'sshd-ddos' started 2014-06-11 12:37:52,848 fail2ban.server.jail[23574]: INFO Jail 'postfix-sasl' started
# service fail2ban status
fail2ban-server (pid 23574) is running... Status |- Number of jail: 2 `- Jail list: postfix-sasl, sshd-ddos
# iptables -nvL f2b-sasl
Chain f2b-sasl (1 references) pkts bytes target prot opt in out source destination 13 556 REJECT all -- * * 202.191.206.242 0.0.0.0/0 reject-with icmp-port-unreachable 1265 194K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Programmstart
erster manueller Start
In RPM wird uns ein Startupscript mitgeliefert - über dieses starten wir unseren SMTP-Server.
# service fail2ban start
Starting fail2ban: [ OK ]
Im eigenen Logfile von fail2ban wird auch der Start entsprechend dokumentiert.
# less /var/log/fail2ban.log
2014-06-14 00:12:19,028 fail2ban.server.server[11950]: INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.9.0 2014-06-14 00:12:19,029 fail2ban.server.database[11950]: INFO Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3' 2014-06-14 00:12:19,260 fail2ban.server.jail[11950]: INFO Creating new jail 'dovecot' 2014-06-14 00:12:19,261 fail2ban.server.jail[11950]: INFO Jail 'dovecot' uses poller 2014-06-14 00:12:19,291 fail2ban.server.filter[11950]: INFO Set jail log file encoding to UTF-8 2014-06-14 00:12:19,292 fail2ban.server.jail[11950]: INFO Initiated 'polling' backend 2014-06-14 00:12:19,612 fail2ban.server.filter[11950]: INFO Added logfile = /var/log/maillog 2014-06-14 00:12:19,613 fail2ban.server.filter[11950]: INFO Set maxRetry = 5 2014-06-14 00:12:19,616 fail2ban.server.filter[11950]: INFO Set jail log file encoding to UTF-8 2014-06-14 00:12:19,616 fail2ban.server.actions[11950]: INFO Set banTime = 600 2014-06-14 00:12:19,618 fail2ban.server.filter[11950]: INFO Set findtime = 600 2014-06-14 00:12:19,643 fail2ban.server.server[11950]: INFO Jail dovecot is not a JournalFilter instance 2014-06-14 00:12:19,657 fail2ban.server.jail[11950]: INFO Creating new jail 'sshd-ddos' 2014-06-14 00:12:19,657 fail2ban.server.jail[11950]: INFO Jail 'sshd-ddos' uses poller 2014-06-14 00:12:19,658 fail2ban.server.filter[11950]: INFO Set jail log file encoding to UTF-8 2014-06-14 00:12:19,659 fail2ban.server.jail[11950]: INFO Initiated 'polling' backend 2014-06-14 00:12:20,001 fail2ban.server.filter[11950]: INFO Added logfile = /var/log/secure 2014-06-14 00:12:20,003 fail2ban.server.filter[11950]: INFO Set maxRetry = 5 2014-06-14 00:12:20,004 fail2ban.server.filter[11950]: INFO Set jail log file encoding to UTF-8 2014-06-14 00:12:20,005 fail2ban.server.actions[11950]: INFO Set banTime = 600 2014-06-14 00:12:20,006 fail2ban.server.filter[11950]: INFO Set findtime = 600 2014-06-14 00:12:20,007 fail2ban.server.filter[11950]: INFO Set maxlines = 10 2014-06-14 00:12:20,221 fail2ban.server.server[11950]: INFO Jail sshd-ddos is not a JournalFilter instance 2014-06-14 00:12:20,235 fail2ban.server.jail[11950]: INFO Creating new jail 'sieve' 2014-06-14 00:12:20,235 fail2ban.server.jail[11950]: INFO Jail 'sieve' uses poller 2014-06-14 00:12:20,237 fail2ban.server.filter[11950]: INFO Set jail log file encoding to UTF-8 2014-06-14 00:12:20,237 fail2ban.server.jail[11950]: INFO Initiated 'polling' backend 2014-06-14 00:12:20,485 fail2ban.server.filter[11950]: INFO Added logfile = /var/log/maillog 2014-06-14 00:12:20,486 fail2ban.server.filter[11950]: INFO Set maxRetry = 5 2014-06-14 00:12:20,487 fail2ban.server.filter[11950]: INFO Set jail log file encoding to UTF-8 2014-06-14 00:12:20,488 fail2ban.server.actions[11950]: INFO Set banTime = 600 2014-06-14 00:12:20,489 fail2ban.server.filter[11950]: INFO Set findtime = 600 2014-06-14 00:12:20,507 fail2ban.server.jail[11950]: INFO Creating new jail 'postfix-sasl' 2014-06-14 00:12:20,507 fail2ban.server.jail[11950]: INFO Jail 'postfix-sasl' uses poller 2014-06-14 00:12:20,508 fail2ban.server.filter[11950]: INFO Set jail log file encoding to UTF-8 2014-06-14 00:12:20,509 fail2ban.server.jail[11950]: INFO Initiated 'polling' backend 2014-06-14 00:12:20,660 fail2ban.server.filter[11950]: INFO Added logfile = /var/log/maillog 2014-06-14 00:12:20,661 fail2ban.server.filter[11950]: INFO Set maxRetry = 5 2014-06-14 00:12:20,662 fail2ban.server.filter[11950]: INFO Set jail log file encoding to UTF-8 2014-06-14 00:12:20,663 fail2ban.server.actions[11950]: INFO Set banTime = 600 2014-06-14 00:12:20,664 fail2ban.server.filter[11950]: INFO Set findtime = 600 2014-06-14 00:12:20,695 fail2ban.server.jail[11950]: INFO Jail 'dovecot' started 2014-06-14 00:12:20,752 fail2ban.server.jail[11950]: INFO Jail 'sshd-ddos' started 2014-06-14 00:12:20,775 fail2ban.server.jail[11950]: INFO Jail 'sieve' started 2014-06-14 00:12:20,864 fail2ban.server.jail[11950]: INFO Jail 'postfix-sasl' started
automatisches Starten des Dienste beim Systemstart
Damit nun unser SMTP-Mailserver beim Booten automatisch gestartet wird, nehmen wir noch folgende Konfigurationsschritte vor.
# chkconfig fail2ban on
Anschließend überprüfen wir noch unsere Änderung:
# chkconfig --list | grep fail2ban
fail2ban 0:off 1:off 2:on 3:on 4:on 5:on 6:off
Problembehandlung
Wichtig Damit beim Starten des Daemon keine Warnmeldung, wie z.B.
Starting fail2ban: WARNING 'ignoreregex' not defined in 'Definition'. Using default one: ''
ist bei allen aktivierten Filtern zu prüfen, ob dort ein
ignoreregex =
enthalten ist. Bei Bedarf, also einfach nachtragen!
erweiterte Konfiguration
Konfigurationsbeispiel
Zur Zeit scheint es von irgendwelchen Spielkindern sehr beliebt zu sein, wahllos igendwelche Dateien bei (m)einer Dokuwiki-Installation anzufordern.
Diesen Scriptkiddies wollen wir doch gleich mal mit Hilfe von fail2ban ein wenig auf die Sprünge helfen.
Als Praxisbeispiel werden wir nun die gerade angesprochenen Spielkindern eine besondere Behandlung angedeihen lassen.
- Log-Einträge
Als erstes schauen wir uns mal an, wie diese abnormen Anfragen Negativ aufgefallen sind. Dazu werfen wir einen Blick in das betreffende Error-Logfile unseres Webservers.# less /var/log/httpd/kunde_1408/web_error.log> <code>[Wed Jun 18 09:17:24 2014] [error] [client 80.72.40.41] File does not exist: /var/www/dokuwiki/nyet.gif [Wed Jun 18 09:17:24 2014] [error] [client 80.72.40.41] File does not exist: /var/www/dokuwiki/components [Wed Jun 18 09:17:24 2014] [error] [client 80.72.40.41] File does not exist: /var/www/dokuwiki/administrator [Wed Jun 18 09:17:24 2014] [error] [client 80.72.40.41] File does not exist: /var/www/dokuwiki/components [Wed Jun 18 09:17:24 2014] [error] [client 80.72.40.41] File does not exist: /var/www/dokuwiki/components [Wed Jun 18 09:17:25 2014] [error] [client 80.72.40.41] File does not exist: /var/www/dokuwiki/components [Wed Jun 18 09:17:25 2014] [error] [client 80.72.40.41] File does not exist: /var/www/dokuwiki/cs-CZ [Wed Jun 18 09:17:25 2014] [error] [client 80.72.40.41] File does not exist: /var/www/dokuwiki/cs-CZ
Wir haben also in dem Logfile folgende drei Werte:
- Datum
- Verursacher Quell-Host-IP
-File does not exist: /var/www/dokuwiki/
- failregex ermitteln
Aus den wiederkehrenden Meldungen im Logfile können wir nun eine failregex ableiten, die wie folgt aussehen kann:'\[error\].\[client.<HOST>\].*File.does.not.exist'
- failregex testen
Nachdem wir die failregex definiert haben, können wir diese schon mal testen.# fail2ban-regex "[Tue Jun 17 08:11:01 2014] [error] [client 195.191.24.12] File does not exist: /var/www/dokuwiki/components" '\[error\].\[client.<HOST>\].*File.does.not.exist:'
Running tests ============= Use failregex line : \[error\].\[client.<HOST>\].*File.does.not.exist: Use single line : [Tue Jun 17 08:11:01 2014] [error] [client 195.191... Results ======= Failregex: 1 total |- #) [# of hits] regular expression | 1) [1] \[error\].\[client.<HOST>\].*File.does.not.exist: `- Ignoreregex: 0 total Date template hits: |- [# of hits] date format | [1] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)? `- Lines: 1 lines, 0 ignored, 1 matched, 0 missed
Nachdem der Test positiv ausfiel, können wir noch einen zweiten Test, gegen die Logdatei selbst vornehmen.
# fail2ban-regex /var/log/httpd/kunde_1408/web_error.log '\[error\].\[client.<HOST>\].*File.does.not.exist:'
Running tests ============= Use failregex line : \[error\].\[client.<HOST>\].*File.does.not.exist: Use log file : /var/log/httpd/kunde_1408/web_error.log Use encoding : UTF-8 Results ======= Failregex: 961 total |- #) [# of hits] regular expression | 1) [961] \[error\].\[client.<HOST>\].*File.does.not.exist: `- Ignoreregex: 0 total Date template hits: |- [# of hits] date format | [2043] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)? `- Lines: 2043 lines, 0 ignored, 961 matched, 1082 missed Missed line(s): too many to print. Use --print-all-missed to print all 1082 lines
- Filter definieren
Als nächstes definieren wir uns unseren Filter.# vim /etc/fail2ban/filter.d/apache-dw-nofile.conf
# Django : 2014-06-18 # Fail2Ban Filter zum Ermitteln von Web-Anfragen auf viele unbekannte Dateien bei # unserem Apache Webserver. # # Zur Zeit scheint es von irgendwelchen Spielkindern sehr beliebt zu sein, wahllos # igendwelche Dateien bei (m)einer Dokuwiki-Installation anzufordern. Diesen # Scriptkiddies wollen wir mit Hilfe von **fail2ban** ein wenig auf die Sprünge # helfen. [INCLUDES] before = common.conf [Definition] failregex = \[error\].\[client.<HOST>\].*File.does.not.exist: ignoreregex = \[error\].\[client.<HOST>\].*File.does.not.exist:.robots.txt # Author: Django <django@nausch.org>
- Filter testen
Um sicherzustellen, dass der gerade angelegte Filter auch zuschlägt wiederholen wir den Test mit fail2ban-regex.# fail2ban-regex /var/log/httpd/kunde_1408/web_error.log /etc/fail2ban/filter.d/apache-dw-nofile.conf
<code>Running tests ============= Use failregex line : \[error\].\[client.<HOST>\].*File.does.not.exist: Use log file : /var/log/httpd/kunde_1408/web_error.log Use encoding : UTF-8 Results ======= Failregex: 961 total |- #) [# of hits] regular expression | 1) [961] \[error\].\[client.<HOST>\].*File.does.not.exist: `- Ignoreregex: 0 total Date template hits: |- [# of hits] date format | [2043] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)? `- Lines: 2043 lines, 0 ignored, 961 matched, 1082 missed Missed line(s): too many to print. Use --print-all-missed to print all 1082 lines
Auch dieser Test hat funktioniert, wir können also daran schon mal einen machen.
- Jail definieren
Passend zu unserem Filter benötigen wir nun noch ein jail in dem wir dann festlegen, was passieren soll, wenn dieser Filter zugeschlagen hat.# vim /etc/fail2ban/jail.local
... [apache-dw-nofile] enabled = true port = http,https action = %(action_mwl)s logpath = /var/log/httpd/kunde_1408/web_error.log findtime = 60 maxretry = 3 bantime = 3600 ...
Mit dieser jail Definition haben wir festgelegt, dass die action action_mwl ausgeführt werden soll, wenn der filer apache-dw-nofile innerhalb von 1 Minute 3x anschlägt. In diesem Fall wird der Host für 1 Stunde ausgesperrt.
- Konfiguration testen
Bevor wir den neuen Filter scharf schalten, testen wir noch kurz unsere Konfigurationsänderungen.# fail2ban-client -d
['set', 'logtarget', '/var/log/fail2ban.log'] ['set', 'loglevel', 'INFO'] ['set', 'dbpurgeage', 86400] ['set', 'dbfile', '/var/lib/fail2ban/fail2ban.sqlite3'] ['add', 'apache-dw-nofile', 'auto'] ['set', 'apache-dw-nofile', 'usedns', 'warn'] ['set', 'apache-dw-nofile', 'addlogpath', '/var/log/httpd/kunde_1408/web_error.log', 'head'] ['set', 'apache-dw-nofile', 'maxretry', 3] ['set', 'apache-dw-nofile', 'addignoreip', '127.0.0.1/8'] ['set', 'apache-dw-nofile', 'logencoding', 'auto'] ['set', 'apache-dw-nofile', 'bantime', 3600] ['set', 'apache-dw-nofile', 'ignorecommand', ''] ['set', 'apache-dw-nofile', 'findtime', 60] ['set', 'apache-dw-nofile', 'addfailregex', '\\[error\\].\\[client.<HOST>\\].*File.does.not.exist:'] ['set', 'apache-dw-nofile', 'addignoreregex', '\\[error\\].\\[client.<HOST>\\].*File.does.not.exist:.robots.txt'] ['set', 'apache-dw-nofile', 'addaction', 'iptables-multiport'] ['set', 'apache-dw-nofile', 'action', 'iptables-multiport', 'actionban', 'iptables -I f2b-<name> 1 -s <ip> -j <blocktype>\n# Django : 2014-04-16\n# reporting only 4 badips.com\nwget -q -0 /dev/null www.badips.com/add/<name>/<ip>'] ['set', 'apache-dw-nofile', 'action', 'iptables-multiport', 'actionstop', 'iptables -D <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>\niptables -F f2b-<name>\niptables -X f2b-<name>'] ['set', 'apache-dw-nofile', 'action', 'iptables-multiport', 'actionstart', 'iptables -N f2b-<name>\niptables -A f2b-<name> -j RETURN\niptables -I <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>'] ['set', 'apache-dw-nofile', 'action', 'iptables-multiport', 'actionunban', 'iptables -D f2b-<name> -s <ip> -j <blocktype>'] ['set', 'apache-dw-nofile', 'action', 'iptables-multiport', 'actioncheck', "iptables -n -L <chain> | grep -q 'f2b-<name>[ \\t]'"] ['set', 'apache-dw-nofile', 'action', 'iptables-multiport', 'blocktype', 'REJECT --reject-with icmp-port-unreachable'] ['set', 'apache-dw-nofile', 'action', 'iptables-multiport', 'protocol', 'tcp'] ['set', 'apache-dw-nofile', 'action', 'iptables-multiport', 'name', 'apache-dw-nofile'] ['set', 'apache-dw-nofile', 'action', 'iptables-multiport', 'chain', 'INPUT'] ['set', 'apache-dw-nofile', 'action', 'iptables-multiport', 'port', 'http,https'] ['set', 'apache-dw-nofile', 'addaction', 'sendmail-whois-lines'] ['set', 'apache-dw-nofile', 'action', 'sendmail-whois-lines', 'actionban', 'printf %b "Subject: [Fail2Ban] <name>: banned <ip> from `uname -n`\nDate: `LC_TIME=C date -u +"%a, %d %h %Y %T +0000"`\nFrom: <sendername> <<sender>>\nTo: <dest>\\n\nHi,\\n\nThe IP <ip> has just been banned by Fail2Ban after\n<failures> attempts against <name>.\\n\\n\nHere is more information about <ip>:\\n\n`/usr/bin/whois <ip> || echo missing whois program`\\n\\n\nLines containing IP:<ip> in <logpath>\\n\n`grep \'[^0-9]<ip>[^0-9]\' <logpath>`\\n\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f <sender> <dest>'] ['set', 'apache-dw-nofile', 'action', 'sendmail-whois-lines', 'actionstop', 'printf %b "Subject: [Fail2Ban] <name>: stopped on `uname -n`\nDate: `LC_TIME=C date -u +"%a, %d %h %Y %T +0000"`\nFrom: <sendername> <<sender>>\nTo: <dest>\\n\nHi,\\n\nThe jail <name> has been stopped.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f <sender> <dest>'] ['set', 'apache-dw-nofile', 'action', 'sendmail-whois-lines', 'actionstart', 'printf %b "Subject: [Fail2Ban] <name>: started on `uname -n`\nDate: `LC_TIME=C date -u +"%a, %d %h %Y %T +0000"`\nFrom: <sendername> <<sender>>\nTo: <dest>\\n\nHi,\\n\nThe jail <name> has been started successfully.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f <sender> <dest>'] ['set', 'apache-dw-nofile', 'action', 'sendmail-whois-lines', 'actionunban', ''] ['set', 'apache-dw-nofile', 'action', 'sendmail-whois-lines', 'actioncheck', ''] ['set', 'apache-dw-nofile', 'action', 'sendmail-whois-lines', 'name', 'apache-dw-nofile'] ['set', 'apache-dw-nofile', 'action', 'sendmail-whois-lines', 'chain', 'INPUT'] ['set', 'apache-dw-nofile', 'action', 'sendmail-whois-lines', 'dest', 'f2b-reports@nausch.org'] ['set', 'apache-dw-nofile', 'action', 'sendmail-whois-lines', 'logpath', '/var/log/httpd/kunde_1408/web_error.log'] ['set', 'apache-dw-nofile', 'action', 'sendmail-whois-lines', 'sendername', 'Fail2Ban'] ['set', 'apache-dw-nofile', 'action', 'sendmail-whois-lines', 'sender', 'fail2ban'] ['start', 'apache-dw-nofile']
Nun steht nichts mehr im Weg und wir können unsere Konfiguration aktivieren.
# service fail2ban restart
Stopping fail2ban: [ OK ] Starting fail2ban: [ OK ]
Schon nach kurzer Zeit werden wir nun nichtr mehr so belästigt, wie früher.
# iptables -nvL
...
Chain f2b-apache-dw-nofile (1 references)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 31.186.170.148 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 46.32.252.31 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 91.206.200.218 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 184.107.58.119 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 37.58.149.98 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 70.38.11.12 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 91.185.212.8 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 80.172.225.139 0.0.0.0/0 reject-with icmp-port-unreachable