Hello,
I have already read quite a bit (tutorials etc.) about Fail2Ban and iptables, but there are a few questions I have to ask.
Most tutorials say you should use action = %(action_mwl)s, but I have to say that the attacks still continue.
Another tutorial (http://www.looke.ch/wp/list-based-permanent-bans-with-fail2ban) blocks the attacks with iptables, but when I look at an excerpt of the iptables rules the IPs are not listed.
My jail.conf
```ini
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1/8 xx.xxx.xxx.xx
findtime = 10800
bantime = 21600
maxretry = 3
action = %(action_mwl)s
backend = auto
destemail = fail2ban@blocklist.de
sendermail = admin@localhost
banaction = iptables-multiport

[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 4
action = %(action_mwl)s
```
Following the tutorial, I also adapted the file /etc/fail2ban/action.d/iptables-multiport.conf
```ini
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Modified by Yaroslav Halchenko for multiport banning and Lukas Camenzind for persistent banning
#
#

[Definition]

# Option: actionstart
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
actionstart = iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
              iptables -I INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
              # Load local list of offenders
              if [ -f /etc/fail2ban/ip.blacklist ]; then cat /etc/fail2ban/ip.blacklist | grep -e <name>$ | cut -d "," -s -f 1 | while read IP; do iptables -I fail2ban-<name> 1 -s $IP -j DROP; done; fi

# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
actionstop = iptables -D INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
             iptables -F fail2ban-<name>
             iptables -X fail2ban-<name>

# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck = iptables -n -L INPUT | grep -q fail2ban-<name>

# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: <ip> IP address
# <failures> number of failures
# <time> unix timestamp of the ban time
# Values: CMD
#
actionban = if ! iptables -C fail2ban-<name> -s <ip> -j DROP; then iptables -I fail2ban-<name> 1 -s <ip> -j DROP; fi
            # Add offenders to local blacklist, if not already there
            if ! grep -Fxq '<ip>,<name>' /etc/fail2ban/ip.blacklist; then echo '<ip>,<name>' >> /etc/fail2ban/ip.blacklist; fi
            # Report offenders to badips.com
            wget -q -O /dev/null www.badips.com/add/<name>/<ip>

# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: <ip> IP address
# <failures> number of failures
# <time> unix timestamp of the ban time
# Values: CMD
#
actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
              # Disabled clearing out entry from ip.blacklist (somehow happens after each stop of fail2ban)
              # sed --in-place '/<ip>,<name>/d' /etc/fail2ban/ip.blacklist

[Init]

# Default name of the chain
#
name = default

# Option: port
# Notes.: specifies port to monitor
# Values: [ NUM | STRING ] Default:
#
port = ssh

# Option: protocol
# Notes.: internally used by config reader for interpolations.
# Values: [ tcp | udp | icmp | all ] Default: tcp
#
```
There are already entries in /etc/fail2ban/ip.blocklist
```
194.63.142.101,sasl
78.37.215.18,postfix
95.70.120.147,postfix
78.37.215.18,sasl
95.70.120.147,sasl
```
iptables excerpt from iptables -L INPUT -v -n
```
Chain INPUT (policy DROP 73 packets, 4794 bytes)
 pkts bytes target                     prot opt in     out     source               destination
 1176  124K fail2ban-sasl-blocklist    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 25,465,143,220,993,110,995
    0     0 fail2ban-proftpd           tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 21,20,990,989
16217 1140K fail2ban-apache            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
    0     0 fail2ban-ssh-blocklist     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22
 1176  124K fail2ban-sasl              tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 25,465,143,220,993,110,995
    9  2418 fail2ban-postfix           tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 25,465
16362 1153K fail2ban-apache-overflows  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
    0     0 fail2ban-ssh-ddos          tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22
    0     0 fail2ban-ssh               tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22
1596K  236M ufw-before-logging-input   all  --  *      *       0.0.0.0/0            0.0.0.0/0
1596K  236M ufw-before-input           all  --  *      *       0.0.0.0/0            0.0.0.0/0
10944  748K ufw-after-input            all  --  *      *       0.0.0.0/0            0.0.0.0/0
10928  747K ufw-after-logging-input    all  --  *      *       0.0.0.0/0            0.0.0.0/0
10928  747K ufw-reject-input           all  --  *      *       0.0.0.0/0            0.0.0.0/0
10928  747K ufw-track-input            all  --  *      *       0.0.0.0/0            0.0.0.0/0
10832  740K LOG                        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4
 7326  478K LOG                        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4
```
I also cannot find any reports on blocklist.de. I can't find my mistake ☹ and would really appreciate some help.
Regards, karadayi
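A diagnostic check, added here and not part of the original post, that reads a blacklist in the post's `ip,jailname` format together with the output of `iptables -L fail2ban-<name> -n` and lists the blacklisted IPs that have no DROP rule in that chain, i.e. exactly the gap described above. The blacklist and chain dump in the block are constructed samples written to temp files, and the function name `blacklist_missing` is my own.

```shell
#!/bin/sh
# Checks whether the entries of a fail2ban persistent blacklist (one "ip,jailname"
# per line, the format the posted action file writes) are really present as DROP
# rules in the matching fail2ban-<name> chain, and prints the ones that are not.
# Sample data below is constructed; on a real host pass the real blacklist file
# and a dump produced with `iptables -L fail2ban-<name> -n` (run as root).

# blacklist_missing BLACKLIST_FILE CHAIN_DUMP_FILE JAILNAME
# Prints, one per line, the IPs listed for JAILNAME that have no DROP rule in the dump.
blacklist_missing() {
    bl="$1"; dump="$2"; jail="$3"
    # Same selection the action file's actionstart performs: lines ending in ",<name>"
    grep -e ",${jail}\$" "$bl" | cut -d "," -s -f 1 | while read -r ip; do
        ip_re=$(printf '%s' "$ip" | sed 's/\./\\./g')   # make the dots literal
        # iptables -n prints "DROP  all  --  <source>  <destination>" per banned host
        if ! grep -Eq "^DROP[[:space:]].*[[:space:]]${ip_re}[[:space:]]" "$dump"; then
            echo "$ip"
        fi
    done
}

# Constructed sample blacklist (same format and jail names as in the post)
BLACKLIST=$(mktemp); CHAIN=$(mktemp)
trap 'rm -f "$BLACKLIST" "$CHAIN"' EXIT
cat > "$BLACKLIST" <<'EOF'
194.63.142.101,sasl
78.37.215.18,postfix
95.70.120.147,postfix
78.37.215.18,sasl
95.70.120.147,sasl
EOF

# Constructed chain dump: only one of the three sasl entries was actually loaded
cat > "$CHAIN" <<'EOF'
Chain fail2ban-sasl (1 references)
target     prot opt source               destination
DROP       all  --  194.63.142.101       0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
EOF

MISSING=$(blacklist_missing "$BLACKLIST" "$CHAIN" sasl)
echo "Blacklisted for jail 'sasl' but not in chain fail2ban-sasl:"
echo "$MISSING"
```

Note that the action file posted above reads /etc/fail2ban/ip.blacklist while the entries shown are in /etc/fail2ban/ip.blocklist; pass the file the action actually reads, and an empty result for a jail means its persistent entries were loaded.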