Hallo Gurus
sollte es hier falsch sein bitte um verschieben es war schwierig es ist Netzwerk und doch Sicherheit 😕
Ich hätt da mal ein Problem, seit Anfang September versuchen verschiedene Chinesische IP's auf mein Rechner zuzugreifen.
Ich habe den Artikel Baustelle/Verlassen/fail2ban nur halb verstanden ich möchte das die IP's gesperrt bleiben oder geht das nicht ? könntet Ihr so freundlich sein und mal über meine .log und .conf schauen und mir sagen was ich verbessern kann
jail.local
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 594 595 596 597 598 599 600 601 602 603 604 605 606 607 608 609 610 611 612 613 614 615 616 617 618 619 620 621 622 623 624 625 626 627 628 629 630 631 632 633 634 635 636 637 638 639 640 641 642 643 644 645 646 647 648 649 650 651 652 653 654 655 656 657 658 659 660 661 662 663 664 665 666 667 668 669 670 671 672 673 674 675 676 677 678 679 680 681 682 683 684 685 686 687 688 689 690 691 692 693 694 695 696 697 698 699 700 701 702 703 704 705 706 707 708 709 710 711 712 713 714 715 716 717 718 719 720 721 722 723 724 725 726 727 728 729 730 731 732 733 734 735 736 737 738 739 740 741 742 743 744 745 746 747 748 749 750 751 752 753 754 755 756 757 758 759 760 761 762 763 764 765 766 767 768 769 770 771 772 773 774 775 776 777 778 779 780 781 782 | # # WARNING: heavily refactored in 0.9.0 release. Please review and # customize settings for your setup. # # Changes: in most of the cases you should not modify this # file, but provide customizations in jail.local file, # or separate .conf files under jail.d/ directory, e.g.: # # HOW TO ACTIVATE JAILS: # # YOU SHOULD NOT MODIFY THIS FILE. # # It will probably be overwritten or improved in a distribution update. # # Provide customizations in a jail.local file or a jail.d/customisation.local. # For example to change the default bantime for all jails and to enable the # ssh-iptables jail the following (uncommented) would appear in the .local file. # See man 5 jail.conf for details. # # [DEFAULT] # bantime = -1 # # [sshd] # enabled = true # # See jail.conf(5) man page for more information # Comments: use '#' for comment lines and ';' (following a space) for inline comments [INCLUDES] #before = paths-distro.conf before = paths-debian.conf # The DEFAULT allows a global definition of the options. They can be overridden # in each jail afterwards. [DEFAULT] # # MISCELLANEOUS OPTIONS # # "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not # ban a host which matches an address in this list. Several addresses can be # defined using space separator. ignoreip = 127.0.0.1/8 # External command that will take an tagged arguments to ignore, e.g. <ip>, # and return true if the IP is to be ignored. False otherwise. # # ignorecommand = /path/to/command <ip> ignorecommand = # "bantime" is the number of seconds that a host is banned. bantime = -1 # A host is banned if it has generated "maxretry" during the last "findtime" # seconds. findtime = 600 # "maxretry" is the number of failures before a host get banned. maxretry = 5 # "backend" specifies the backend used to get files modification. # Available options are "pyinotify", "gamin", "polling", "systemd" and "auto". # This option can be overridden in each jail as well. # # pyinotify: requires pyinotify (a file alteration monitor) to be installed. # If pyinotify is not installed, Fail2ban will use auto. # gamin: requires Gamin (a file alteration monitor) to be installed. # If Gamin is not installed, Fail2ban will use auto. # polling: uses a polling algorithm which does not require external libraries. # systemd: uses systemd python library to access the systemd journal. # Specifying "logpath" is not valid for this backend. # See "journalmatch" in the jails associated filter config # auto: will try to use the following backends, in order: # pyinotify, gamin, polling. # # Note: if systemd backend is choses as the default but you enable a jail # for which logs are present only in its own log files, specify some other # backend for that jail (e.g. polling) and provide empty value for # journalmatch. See https://github.com/fail2ban/fail2ban/issues/959#issuecomment-74901200 backend = auto # "usedns" specifies if jails should trust hostnames in logs, # warn when DNS lookups are performed, or ignore all hostnames in logs # # yes: if a hostname is encountered, a DNS lookup will be performed. # warn: if a hostname is encountered, a DNS lookup will be performed, # but it will be logged as a warning. # no: if a hostname is encountered, will not be used for banning, # but it will be logged as info. usedns = warn # "logencoding" specifies the encoding of the log files handled by the jail # This is used to decode the lines from the log file. # Typical examples: "ascii", "utf-8" # # auto: will use the system locale setting logencoding = auto # "enabled" enables the jails. # By default all jails are disabled, and it should stay this way. # Enable only relevant to your setup jails in your .local or jail.d/*.conf # # true: jail will be enabled and log files will get monitored for changes # false: jail is not enabled enabled = false # "filter" defines the filter to use by the jail. # By default jails have names matching their filter name # filter = %(__name__)s # # ACTIONS # # Some options used for actions # Destination email address used solely for the interpolations in # jail.{conf,local,d/*} configuration files. destemail = root@localhost # Sender email address used solely for some actions sender = root@localhost # E-mail action. Since 0.8.1 Fail2Ban uses sendmail MTA for the # mailing. Change mta configuration parameter to mail if you want to # revert to conventional 'mail'. mta = sendmail # Default protocol protocol = tcp # Specify chain where jumps would need to be added in iptables-* actions chain = INPUT # Ports to be banned # Usually should be overridden in a particular jail port = 0:65535 # # Action shortcuts. To be used to define action parameter # Default banning action (e.g. iptables, iptables-new, # iptables-multiport, shorewall, etc) It is used to define # action_* variables. Can be overridden globally or per # section within jail.local file banaction = iptables-multiport # The simplest action to take: ban only action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] # ban & send an e-mail with whois report to the destemail. action_mw = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"] # ban & send an e-mail with whois report and relevant log lines # to the destemail. action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"] # See the IMPORTANT note in action.d/xarf-login-attack for when to use this action # # ban & send a xarf e-mail to abuse contact of IP address and include relevant log lines # to the destemail. action_xarf = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"] # ban IP on CloudFlare & send an e-mail with whois report and relevant log lines # to the destemail. action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"] %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"] # Report block via blocklist.de fail2ban reporting service API # # See the IMPORTANT note in action.d/blocklist_de.conf for when to # use this action. Create a file jail.d/blocklist_de.local containing # [Init] # blocklist_de_apikey = {api key from registration] # action_blocklist_de = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s"] # Report ban via badips.com, and use as blacklist # # See BadIPsAction docstring in config/action.d/badips.py for # documentation for this action. # # NOTE: This action relies on banaction being present on start and therefore # should be last action defined for a jail. # action_badips = badips.py[category="%(name)s", banaction="%(banaction)s"] # Choose default action. To change, just override value of 'action' with the # interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local # globally (section [DEFAULT]) or per specific section action = %(action_)s # # JAILS # # # SSH servers # [sshd] port = ssh logpath = %(sshd_log)s [sshd-ddos] # This jail corresponds to the standard configuration in Fail2ban. # The mail-whois action send a notification e-mail with a whois request # in the body. port = ssh logpath = %(sshd_log)s [dropbear] port = ssh logpath = %(dropbear_log)s [selinux-ssh] port = ssh logpath = %(auditd_log)s maxretry = 5 # # HTTP servers # [apache-auth] port = http,https logpath = %(apache_error_log)s [apache-badbots] # Ban hosts which agent identifies spammer robots crawling the web # for email addresses. The mail outputs are buffered. port = http,https logpath = %(apache_access_log)s bantime = -1 maxretry = 5 [apache-noscript] port = http,https logpath = %(apache_error_log)s maxretry = 5 [apache-overflows] port = http,https logpath = %(apache_error_log)s maxretry = 5 [apache-nohome] port = http,https logpath = %(apache_error_log)s maxretry = 5 [apache-botsearch] port = http,https logpath = %(apache_error_log)s maxretry = 5 [apache-fakegooglebot] port = http,https logpath = %(apache_access_log)s maxretry = 5 ignorecommand = %(ignorecommands_dir)s/apache-fakegooglebot <ip> [apache-modsecurity] port = http,https logpath = %(apache_error_log)s maxretry = 5 [apache-shellshock] port = http,https logpath = %(apache_error_log)s maxretry = 5 [nginx-http-auth] port = http,https logpath = %(nginx_error_log)s [nginx-botsearch] port = http,https logpath = %(nginx_error_log)s maxretry = 5 # Ban attackers that try to use PHP's URL-fopen() functionality # through GET/POST variables. - Experimental, with more than a year # of usage in production environments. [php-url-fopen] port = http,https logpath = %(nginx_access_log)s %(apache_access_log)s [suhosin] port = http,https logpath = %(suhosin_log)s [lighttpd-auth] # Same as above for Apache's mod_auth # It catches wrong authentifications port = http,https logpath = %(lighttpd_error_log)s # # Webmail and groupware servers # [roundcube-auth] port = http,https logpath = logpath = %(roundcube_errors_log)s [openwebmail] port = http,https logpath = /var/log/openwebmail.log [horde] port = http,https logpath = /var/log/horde/horde.log [groupoffice] port = http,https logpath = /home/groupoffice/log/info.log [sogo-auth] # Monitor SOGo groupware server # without proxy this would be: # port = 20000 port = http,https logpath = /var/log/sogo/sogo.log [tine20] logpath = /var/log/tine20/tine20.log port = http,https maxretry = 5 # # Web Applications # # [drupal-auth] port = http,https logpath = %(syslog_daemon)s [guacamole] port = http,https logpath = /var/log/tomcat*/catalina.out [monit] #Ban clients brute-forcing the monit gui login filter = monit port = 2812 logpath = /var/log/monit [webmin-auth] port = 10000 logpath = %(syslog_authpriv)s [froxlor-auth] port = http,https logpath = %(syslog_authpriv)s # # HTTP Proxy servers # # [squid] port = 80,443,3128,8080 logpath = /var/log/squid/access.log [3proxy] port = 3128 logpath = /var/log/3proxy.log # # FTP servers # [proftpd] port = ftp,ftp-data,ftps,ftps-data logpath = %(proftpd_log)s [pure-ftpd] port = ftp,ftp-data,ftps,ftps-data logpath = %(pureftpd_log)s maxretry = 5 [gssftpd] port = ftp,ftp-data,ftps,ftps-data logpath = %(syslog_daemon)s maxretry = 5 [wuftpd] port = ftp,ftp-data,ftps,ftps-data logpath = %(wuftpd_log)s maxretry = 5 [vsftpd] # or overwrite it in jails.local to be # logpath = %(syslog_authpriv)s # if you want to rely on PAM failed login attempts # vsftpd's failregex should match both of those formats port = ftp,ftp-data,ftps,ftps-data logpath = %(vsftpd_log)s # # Mail servers # # ASSP SMTP Proxy Jail [assp] port = smtp,465,submission logpath = /root/path/to/assp/logs/maillog.txt [courier-smtp] port = smtp,465,submission logpath = %(syslog_mail)s [postfix] port = smtp,465,submission logpath = %(postfix_log)s [postfix-rbl] port = smtp,465,submission logpath = %(syslog_mail)s maxretry = 5 [sendmail-auth] port = submission,465,smtp logpath = %(syslog_mail)s [sendmail-reject] port = smtp,465,submission logpath = %(syslog_mail)s [qmail-rbl] filter = qmail port = smtp,465,submission logpath = /service/qmail/log/main/current # dovecot defaults to logging to the mail syslog facility # but can be set by syslog_facility in the dovecot configuration. [dovecot] port = pop3,pop3s,imap,imaps,submission,465,sieve logpath = %(dovecot_log)s [sieve] port = smtp,465,submission logpath = %(dovecot_log)s [solid-pop3d] port = pop3,pop3s logpath = %(solidpop3d_log)s [exim] port = smtp,465,submission logpath = %(exim_main_log)s [exim-spam] port = smtp,465,submission logpath = %(exim_main_log)s [kerio] port = imap,smtp,imaps,465 logpath = /opt/kerio/mailserver/store/logs/security.log # # Mail servers authenticators: might be used for smtp,ftp,imap servers, so # all relevant ports get banned # [courier-auth] port = smtp,465,submission,imap3,imaps,pop3,pop3s logpath = %(syslog_mail)s [postfix-sasl] port = smtp,465,submission,imap3,imaps,pop3,pop3s # You might consider monitoring /var/log/mail.warn instead if you are # running postfix since it would provide the same log lines at the # "warn" level but overall at the smaller filesize. logpath = %(postfix_log)s [perdition] port = imap3,imaps,pop3,pop3s logpath = %(syslog_mail)s [squirrelmail] port = smtp,465,submission,imap2,imap3,imaps,pop3,pop3s,http,https,socks logpath = /var/lib/squirrelmail/prefs/squirrelmail_access_log [cyrus-imap] port = imap3,imaps logpath = %(syslog_mail)s [uwimap-auth] port = imap3,imaps logpath = %(syslog_mail)s # # # DNS servers # # !!! WARNING !!! # Since UDP is connection-less protocol, spoofing of IP and imitation # of illegal actions is way too simple. Thus enabling of this filter # might provide an easy way for implementing a DoS against a chosen # victim. See # http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html # Please DO NOT USE this jail unless you know what you are doing. # # IMPORTANT: see filter.d/named-refused for instructions to enable logging # This jail blocks UDP traffic for DNS requests. # [named-refused-udp] # # filter = named-refused # port = domain,953 # protocol = udp # logpath = /var/log/named/security.log # IMPORTANT: see filter.d/named-refused for instructions to enable logging # This jail blocks TCP traffic for DNS requests. [named-refused] port = domain,953 logpath = /var/log/named/security.log [nsd] port = 53 action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] logpath = /var/log/nsd.log # # Miscellaneous # [asterisk] port = 5060,5061 action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"] logpath = /var/log/asterisk/messages maxretry = 5 [freeswitch] port = 5060,5061 action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"] logpath = /var/log/freeswitch.log maxretry = 5 # To log wrong MySQL access attempts add to /etc/my.cnf in [mysqld] or # equivalent section: # log-warning = 2 # # for syslog (daemon facility) # [mysqld_safe] # syslog # # for own logfile # [mysqld] # log-error=/var/log/mysqld.log [mysqld-auth] port = 3306 logpath = %(mysql_log)s maxretry = 5 # Jail for more extended banning of persistent abusers # !!! WARNINGS !!! # 1. Make sure that your loglevel specified in fail2ban.conf/.local # is not at DEBUG level -- which might then cause fail2ban to fall into # an infinite loop constantly feeding itself with non-informative lines # 2. Increase dbpurgeage defined in fail2ban.conf to e.g. 648000 (7.5 days) # to maintain entries for failed logins for sufficient amount of time [recidive] logpath = /var/log/fail2ban.log banaction = iptables-allports bantime = -1 ; ever findtime = 86400 ; 1 day maxretry = 5 # Generic filter for PAM. Has to be used with action which bans all # ports such as iptables-allports, shorewall [pam-generic] # pam-generic filter can be customized to monitor specific subset of 'tty's banaction = iptables-allports logpath = %(syslog_authpriv)s [xinetd-fail] banaction = iptables-multiport-log logpath = %(syslog_daemon)s maxretry = 5 # stunnel - need to set port for this [stunnel] logpath = /var/log/stunnel4/stunnel.log [ejabberd-auth] port = 5222 logpath = /var/log/ejabberd/ejabberd.log [counter-strike] logpath = /opt/cstrike/logs/L[0-9]*.log # Firewall: http://www.cstrike-planet.com/faq/6 tcpport = 27030,27031,27032,27033,27034,27035,27036,27037,27038,27039 udpport = 1200,27000,27001,27002,27003,27004,27005,27006,27007,27008,27009,27010,27011,27012,27013,27014,27015 action = %(banaction)s[name=%(__name__)s-tcp, port="%(tcpport)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] %(banaction)s[name=%(__name__)s-udp, port="%(udpport)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] # consider low maxretry and a long bantime # nobody except your own Nagios server should ever probe nrpe [nagios] enabled = false logpath = %(syslog_daemon)s ; nrpe.cfg may define a different log_facility maxretry = 5 [oracleims] # see "oracleims" filter file for configuration requirement for Oracle IMS v6 and above enabled = false logpath = /opt/sun/comms/messaging64/log/mail.log_current maxretry = 6 banaction = iptables-allports [directadmin] enabled = false logpath = /var/log/directadmin/login.log port = 2222 [portsentry] enabled = false logpath = /var/lib/portsentry/portsentry.history maxretry = 5 [pass2allow-ftp] # this pass2allow example allows FTP traffic after successful HTTP authentication port = ftp,ftp-data,ftps,ftps-data # knocking_url variable must be overridden to some secret value in filter.d/apache-pass.local filter = apache-pass # access log of the website with HTTP auth logpath = %(apache_access_log)s blocktype = RETURN returntype = DROP bantime = -1 maxretry = 5 findtime = 1 |
iptables -nL
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 | Chain INPUT (policy ACCEPT) target prot opt source destination f2b-sshd tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 22 Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination Chain f2b-sshd (1 references) target prot opt source destination REJECT all -- 91.224.161.69 0.0.0.0/0 reject-with icmp-port-unreachable REJECT all -- 91.224.160.131 0.0.0.0/0 reject-with icmp-port-unreachable REJECT all -- 91.224.160.108 0.0.0.0/0 reject-with icmp-port-unreachable REJECT all -- 91.224.160.106 0.0.0.0/0 reject-with icmp-port-unreachable REJECT all -- 90.34.136.241 0.0.0.0/0 reject-with icmp-port-unreachable REJECT all -- 54.70.50.120 0.0.0.0/0 reject-with icmp-port-unreachable REJECT all -- 46.165.210.13 0.0.0.0/0 reject-with icmp-port-unreachable REJECT all -- 43.252.189.102 0.0.0.0/0 reject-with icmp-port-unreachable REJECT all -- 221.194.47.249 0.0.0.0/0 reject-with icmp-port-unreachable REJECT all -- 221.194.47.229 0.0.0.0/0 reject-with icmp-port-unreachable REJECT all -- 221.194.47.224 0.0.0.0/0 reject-with icmp-port-unreachable REJECT all -- 221.194.47.208 0.0.0.0/0 reject-with icmp-port-unreachable REJECT all -- 212.83.173.88 0.0.0.0/0 reject-with icmp-port-unreachable REJECT all -- 185.110.132.201 0.0.0.0/0 reject-with icmp-port-unreachable REJECT all -- 172.12.82.211 0.0.0.0/0 reject-with icmp-port-unreachable REJECT all -- 138.186.113.56 0.0.0.0/0 reject-with icmp-port-unreachable REJECT all -- 121.18.238.98 0.0.0.0/0 reject-with icmp-port-unreachable REJECT all -- 121.18.238.114 0.0.0.0/0 reject-with icmp-port-unreachable REJECT all -- 121.18.238.109 0.0.0.0/0 reject-with icmp-port-unreachable REJECT all -- 121.18.238.104 0.0.0.0/0 reject-with icmp-port-unreachable REJECT all -- 119.249.54.88 0.0.0.0/0 reject-with icmp-port-unreachable REJECT all -- 119.249.54.75 0.0.0.0/0 reject-with icmp-port-unreachable REJECT all -- 119.249.54.68 0.0.0.0/0 reject-with icmp-port-unreachable REJECT all -- 119.249.54.66 0.0.0.0/0 reject-with icmp-port-unreachable REJECT all -- 103.207.36.121 0.0.0.0/0 reject-with icmp-port-unreachable RETURN all -- 0.0.0.0/0 0.0.0.0/0 |
auth.log
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 | Sep 23 18:36:26 Phanom smbd: pam_unix(samba:session): session closed for user nobody Sep 23 18:50:04 Phanom systemd-logind[1120]: New seat seat0. Sep 23 18:50:04 Phanom systemd-logind[1120]: Watching system buttons on /dev/input/event1 (Power Button) Sep 23 18:50:04 Phanom systemd-logind[1120]: Watching system buttons on /dev/input/event0 (Power Button) Sep 23 18:50:04 Phanom sshd[1502]: Server listening on 0.0.0.0 port 22. Sep 23 18:50:04 Phanom sshd[1502]: Server listening on :: port 22. Sep 23 18:50:05 Phanom lightdm: pam_unix(lightdm-autologin:session): session opened for user quattro by (uid=0) Sep 23 18:50:05 Phanom systemd-logind[1120]: New session c1 of user quattro. Sep 23 18:50:05 Phanom systemd: pam_unix(systemd-user:session): session opened for user quattro by (uid=0) Sep 23 18:50:06 Phanom gnome-keyring-daemon[1774]: couldn't access control socket: /run/user/1000/keyring/control: Datei oder Verzeichnis nicht gefunden Sep 23 18:50:06 Phanom gnome-keyring-daemon[1775]: couldn't access control socket: /run/user/1000/keyring/control: Datei oder Verzeichnis nicht gefunden Sep 23 18:50:12 Phanom sshd[1502]: Received SIGHUP; restarting. Sep 23 18:50:12 Phanom sshd[1502]: Server listening on 0.0.0.0 port 22. Sep 23 18:50:12 Phanom sshd[1502]: Server listening on :: port 22. Sep 23 18:50:13 Phanom gnome-keyring-daemon[1775]: The SSH agent was already initialized Sep 23 18:50:13 Phanom gnome-keyring-daemon[1775]: The PKCS#11 component was already initialized Sep 23 18:50:13 Phanom gnome-keyring-daemon[1775]: The Secret Service was already initialized Sep 23 18:50:13 Phanom sshd[1502]: Received SIGHUP; restarting. Sep 23 18:50:13 Phanom sshd[1502]: Server listening on 0.0.0.0 port 22. Sep 23 18:50:13 Phanom sshd[1502]: Server listening on :: port 22. Sep 23 18:50:14 Phanom polkitd(authority=local): Registered Authentication Agent for unix-session:c1 (system bus name :1.60 [/usr/lib/policykit-1-gnome/polkit-gnome-authentication-agent-1], object path /org/gnome/PolicyKit1/AuthenticationAgent, locale de_DE.UTF-8) Sep 23 18:50:23 Phanom smbd: pam_unix(samba:session): session closed for user nobody Sep 23 18:53:54 Phanom sudo: quattro : TTY=pts/1 ; PWD=/home/quattro ; USER=root ; COMMAND=/bin/bash Sep 23 18:53:54 Phanom sudo: pam_unix(sudo:session): session opened for user root by (uid=0) Sep 23 19:06:43 Phanom smbd: pam_unix(samba:session): session closed for user nobody Sep 23 19:17:01 Phanom CRON[8352]: pam_unix(cron:session): session opened for user root by (uid=0) Sep 23 19:17:01 Phanom CRON[8352]: pam_unix(cron:session): session closed for user root Sep 23 19:19:57 Phanom polkitd(authority=local): Operator of unix-session:c1 successfully authenticated as unix-user:quattro to gain ONE-SHOT authorization for action com.ubuntu.pkexec.synaptic for unix-process:8823:180294 [/bin/sh /usr/bin/synaptic-pkexec] (owned by unix-user:quattro) Sep 23 19:19:57 Phanom pkexec: pam_unix(polkit-1:session): session opened for user root by (uid=1000) Sep 23 19:19:57 Phanom pkexec: pam_systemd(polkit-1:session): Cannot create session: Already running in a session Sep 23 19:19:57 Phanom pkexec[8826]: quattro: Executing command [USER=root] [TTY=unknown] [CWD=/home/quattro] [COMMAND=/usr/sbin/synaptic] Sep 23 19:44:28 Phanom polkitd(authority=local): Operator of unix-session:c1 successfully authenticated as unix-user:quattro to gain ONE-SHOT authorization for action com.ubuntu.pkexec.synaptic for unix-process:18571:327320 [/bin/sh /usr/bin/synaptic-pkexec] (owned by unix-user:quattro) Sep 23 19:44:28 Phanom pkexec: pam_unix(polkit-1:session): session opened for user root by (uid=1000) Sep 23 19:44:28 Phanom pkexec: pam_systemd(polkit-1:session): Cannot create session: Already running in a session Sep 23 19:44:28 Phanom pkexec[18573]: quattro: Executing command [USER=root] [TTY=unknown] [CWD=/home/quattro] [COMMAND=/usr/sbin/synaptic] Sep 23 19:53:09 Phanom sudo: root : TTY=pts/1 ; PWD=/home/quattro ; USER=root ; COMMAND=/usr/bin/apt-get install cups cups-client cups-bsd Sep 23 19:53:09 Phanom sudo: pam_unix(sudo:session): session opened for user root by (uid=0) Sep 23 19:53:54 Phanom sudo: pam_unix(sudo:session): session closed for user root Sep 23 19:57:46 Phanom polkitd(authority=local): Operator of unix-session:c1 successfully authenticated as unix-user:quattro to gain ONE-SHOT authorization for action com.ubuntu.pkexec.synaptic for unix-process:23808:407116 [/bin/sh /usr/bin/synaptic-pkexec] (owned by unix-user:quattro) Sep 23 19:57:46 Phanom pkexec: pam_unix(polkit-1:session): session opened for user root by (uid=1000) Sep 23 19:57:46 Phanom pkexec: pam_systemd(polkit-1:session): Cannot create session: Already running in a session Sep 23 19:57:46 Phanom pkexec[23809]: quattro: Executing command [USER=root] [TTY=unknown] [CWD=/home/quattro] [COMMAND=/usr/sbin/synaptic] Sep 23 19:59:21 Phanom systemd-logind[1120]: Delay lock is active (UID 1000/quattro, PID 2055/gnome-session-b) but inhibitor timeout is reached. Sep 23 19:59:21 Phanom systemd-logind[1120]: System is rebooting. Sep 23 20:00:21 Phanom systemd-logind[1102]: New seat seat0. Sep 23 20:00:21 Phanom systemd-logind[1102]: Watching system buttons on /dev/input/event1 (Power Button) Sep 23 20:00:21 Phanom systemd-logind[1102]: Watching system buttons on /dev/input/event0 (Power Button) Sep 23 20:00:21 Phanom sshd[1468]: Server listening on 0.0.0.0 port 22. Sep 23 20:00:21 Phanom sshd[1468]: Server listening on :: port 22. Sep 23 20:00:22 Phanom lightdm: pam_unix(lightdm-autologin:session): session opened for user quattro by (uid=0) Sep 23 20:00:22 Phanom systemd-logind[1102]: New session c1 of user quattro. Sep 23 20:00:22 Phanom systemd: pam_unix(systemd-user:session): session opened for user quattro by (uid=0) Sep 23 20:00:23 Phanom gnome-keyring-daemon[1733]: couldn't access control socket: /run/user/1000/keyring/control: Datei oder Verzeichnis nicht gefunden Sep 23 20:00:23 Phanom gnome-keyring-daemon[1734]: couldn't access control socket: /run/user/1000/keyring/control: Datei oder Verzeichnis nicht gefunden Sep 23 20:00:28 Phanom gnome-keyring-daemon[1733]: The SSH agent was already initialized Sep 23 20:00:28 Phanom gnome-keyring-daemon[1733]: The Secret Service was already initialized Sep 23 20:00:28 Phanom gnome-keyring-daemon[1733]: The PKCS#11 component was already initialized Sep 23 20:00:29 Phanom sshd[1468]: Received SIGHUP; restarting. Sep 23 20:00:29 Phanom sshd[1468]: Server listening on 0.0.0.0 port 22. Sep 23 20:00:29 Phanom sshd[1468]: Server listening on :: port 22. Sep 23 20:00:29 Phanom sshd[1468]: Received SIGHUP; restarting. Sep 23 20:00:29 Phanom sshd[1468]: Server listening on 0.0.0.0 port 22. Sep 23 20:00:29 Phanom sshd[1468]: Server listening on :: port 22. Sep 23 20:00:30 Phanom polkitd(authority=local): Registered Authentication Agent for unix-session:c1 (system bus name :1.64 [/usr/lib/policykit-1-gnome/polkit-gnome-authentication-agent-1], object path /org/gnome/PolicyKit1/AuthenticationAgent, locale de_DE.UTF-8) Sep 23 20:05:21 Phanom smbd: pam_unix(samba:session): session closed for user nobody Sep 23 20:17:01 Phanom CRON[7242]: pam_unix(cron:session): session opened for user root by (uid=0) Sep 23 20:17:01 Phanom CRON[7242]: pam_unix(cron:session): session closed for user root Sep 23 20:21:20 Phanom smbd: pam_unix(samba:session): session closed for user nobody Sep 23 20:24:34 Phanom sudo: quattro : TTY=unknown ; PWD=/home/quattro ; USER=root ; COMMAND=/usr/bin/gedit /etc/fail2ban/action.d/hostsdeny.conf Sep 23 20:24:34 Phanom sudo: pam_unix(sudo:session): session opened for user root by (uid=0) Sep 23 20:25:57 Phanom sudo: pam_unix(sudo:session): session closed for user root Sep 23 20:26:06 Phanom smbd: pam_unix(samba:session): session closed for user nobody Sep 23 20:42:27 Phanom sudo: quattro : TTY=pts/0 ; PWD=/home/quattro ; USER=root ; COMMAND=/bin/bash Sep 23 20:42:27 Phanom sudo: pam_unix(sudo:session): session opened for user root by (uid=0) Sep 23 20:46:20 Phanom sudo: pam_unix(sudo:session): session closed for user root |
fail2ban.log
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 | 2016-09-23 17:49:12,990 fail2ban.database [2487]: INFO Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3' 2016-09-23 17:49:12,999 fail2ban.jail [2487]: INFO Creating new jail 'sshd' 2016-09-23 17:49:13,025 fail2ban.jail [2487]: INFO Jail 'sshd' uses pyinotify 2016-09-23 17:49:13,043 fail2ban.filter [2487]: INFO Set jail log file encoding to UTF-8 2016-09-23 17:49:13,053 fail2ban.jail [2487]: INFO Initiated 'pyinotify' backend 2016-09-23 17:49:13,057 fail2ban.actions [2487]: INFO Set banTime = -1 2016-09-23 17:49:13,058 fail2ban.filter [2487]: INFO Set maxRetry = 5 2016-09-23 17:49:13,061 fail2ban.filter [2487]: INFO Added logfile = /var/log/auth.log 2016-09-23 17:49:13,066 fail2ban.filter [2487]: INFO Set findtime = 600 2016-09-23 17:49:13,066 fail2ban.filter [2487]: INFO Set jail log file encoding to UTF-8 2016-09-23 17:49:13,066 fail2ban.filter [2487]: INFO Set maxlines = 10 2016-09-23 17:49:13,146 fail2ban.server [2487]: INFO Jail sshd is not a JournalFilter instance 2016-09-23 17:49:13,169 fail2ban.jail [2487]: INFO Jail 'sshd' started 2016-09-23 17:49:13,285 fail2ban.actions [2487]: NOTICE [sshd] Ban 103.207.36.121 2016-09-23 17:49:13,458 fail2ban.actions [2487]: NOTICE [sshd] Ban 119.249.54.66 2016-09-23 17:49:13,706 fail2ban.actions [2487]: NOTICE [sshd] Ban 119.249.54.68 2016-09-23 17:49:14,054 fail2ban.actions [2487]: NOTICE [sshd] Ban 119.249.54.75 2016-09-23 17:49:14,470 fail2ban.actions [2487]: NOTICE [sshd] Ban 119.249.54.88 2016-09-23 17:49:14,854 fail2ban.actions [2487]: NOTICE [sshd] Ban 121.18.238.104 2016-09-23 17:49:15,240 fail2ban.actions [2487]: NOTICE [sshd] Ban 121.18.238.109 2016-09-23 17:49:15,546 fail2ban.actions [2487]: NOTICE [sshd] Ban 121.18.238.114 2016-09-23 17:49:15,852 fail2ban.actions [2487]: NOTICE [sshd] Ban 121.18.238.98 2016-09-23 17:49:16,189 fail2ban.actions [2487]: NOTICE [sshd] Ban 138.186.113.56 2016-09-23 17:49:16,338 fail2ban.actions [2487]: NOTICE [sshd] Ban 172.12.82.211 2016-09-23 17:49:16,508 fail2ban.actions [2487]: NOTICE [sshd] Ban 185.110.132.201 2016-09-23 17:49:16,702 fail2ban.actions [2487]: NOTICE [sshd] Ban 212.83.173.88 2016-09-23 17:49:16,872 fail2ban.actions [2487]: NOTICE [sshd] Ban 221.194.47.208 2016-09-23 17:49:17,176 fail2ban.actions [2487]: NOTICE [sshd] Ban 221.194.47.224 2016-09-23 17:49:17,585 fail2ban.actions [2487]: NOTICE [sshd] Ban 221.194.47.229 2016-09-23 17:49:17,865 fail2ban.actions [2487]: NOTICE [sshd] Ban 221.194.47.249 2016-09-23 17:49:18,232 fail2ban.actions [2487]: NOTICE [sshd] Ban 43.252.189.102 2016-09-23 17:49:18,388 fail2ban.actions [2487]: NOTICE [sshd] Ban 46.165.210.13 2016-09-23 17:49:18,555 fail2ban.actions [2487]: NOTICE [sshd] Ban 54.70.50.120 2016-09-23 17:49:18,728 fail2ban.actions [2487]: NOTICE [sshd] Ban 90.34.136.241 2016-09-23 17:49:18,988 fail2ban.actions [2487]: NOTICE [sshd] Ban 91.224.160.106 2016-09-23 17:49:19,135 fail2ban.actions [2487]: NOTICE [sshd] Ban 91.224.160.108 2016-09-23 17:49:19,276 fail2ban.actions [2487]: NOTICE [sshd] Ban 91.224.160.131 2016-09-23 17:49:19,460 fail2ban.actions [2487]: NOTICE [sshd] Ban 91.224.161.69 2016-09-23 17:49:25,997 fail2ban.filter [2487]: WARNING Unable to find a corresponding IP address for 12Sep: [Errno -2] Name or service not known 2016-09-23 18:49:13,111 fail2ban.server [2487]: INFO Exiting Fail2ban 2016-09-23 18:50:05,429 fail2ban.server [1593]: INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.9.3 2016-09-23 18:50:05,431 fail2ban.database [1593]: INFO Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3' 2016-09-23 18:50:05,439 fail2ban.jail [1593]: INFO Creating new jail 'sshd' 2016-09-23 18:50:05,472 fail2ban.jail [1593]: INFO Jail 'sshd' uses pyinotify 2016-09-23 18:50:05,489 fail2ban.filter [1593]: INFO Set jail log file encoding to UTF-8 2016-09-23 18:50:05,497 fail2ban.jail [1593]: INFO Initiated 'pyinotify' backend 2016-09-23 18:50:05,502 fail2ban.filter [1593]: INFO Added logfile = /var/log/auth.log 2016-09-23 18:50:05,504 fail2ban.filter [1593]: INFO Set findtime = 600 2016-09-23 18:50:05,505 fail2ban.actions [1593]: INFO Set banTime = -1 2016-09-23 18:50:05,505 fail2ban.filter [1593]: INFO Set jail log file encoding to UTF-8 2016-09-23 18:50:05,506 fail2ban.filter [1593]: INFO Set maxRetry = 5 2016-09-23 18:50:05,506 fail2ban.filter [1593]: INFO Set maxlines = 10 2016-09-23 18:50:05,577 fail2ban.server [1593]: INFO Jail sshd is not a JournalFilter instance 2016-09-23 18:50:05,594 fail2ban.jail [1593]: INFO Jail 'sshd' started 2016-09-23 18:50:05,688 fail2ban.actions [1593]: NOTICE [sshd] Ban 103.207.36.121 2016-09-23 18:50:05,898 fail2ban.actions [1593]: NOTICE [sshd] Ban 119.249.54.66 2016-09-23 18:50:06,109 fail2ban.actions [1593]: NOTICE [sshd] Ban 119.249.54.68 2016-09-23 18:50:06,320 fail2ban.actions [1593]: NOTICE [sshd] Ban 119.249.54.75 2016-09-23 18:50:06,436 fail2ban.actions [1593]: NOTICE [sshd] Ban 119.249.54.88 2016-09-23 18:50:06,648 fail2ban.actions [1593]: NOTICE [sshd] Ban 121.18.238.104 2016-09-23 18:50:06,861 fail2ban.actions [1593]: NOTICE [sshd] Ban 121.18.238.109 2016-09-23 18:50:07,074 fail2ban.actions [1593]: NOTICE [sshd] Ban 121.18.238.114 2016-09-23 18:50:07,286 fail2ban.actions [1593]: NOTICE [sshd] Ban 121.18.238.98 2016-09-23 18:50:07,499 fail2ban.actions [1593]: NOTICE [sshd] Ban 138.186.113.56 2016-09-23 18:50:07,709 fail2ban.actions [1593]: NOTICE [sshd] Ban 172.12.82.211 2016-09-23 18:50:07,919 fail2ban.actions [1593]: NOTICE [sshd] Ban 185.110.132.201 2016-09-23 18:50:08,130 fail2ban.actions [1593]: NOTICE [sshd] Ban 212.83.173.88 2016-09-23 18:50:08,340 fail2ban.actions [1593]: NOTICE [sshd] Ban 221.194.47.208 2016-09-23 18:50:08,551 fail2ban.actions [1593]: NOTICE [sshd] Ban 221.194.47.224 2016-09-23 18:50:08,767 fail2ban.actions [1593]: NOTICE [sshd] Ban 221.194.47.229 2016-09-23 18:50:08,977 fail2ban.actions [1593]: NOTICE [sshd] Ban 221.194.47.249 2016-09-23 18:50:09,188 fail2ban.actions [1593]: NOTICE [sshd] Ban 43.252.189.102 2016-09-23 18:50:09,398 fail2ban.actions [1593]: NOTICE [sshd] Ban 46.165.210.13 2016-09-23 18:50:09,608 fail2ban.actions [1593]: NOTICE [sshd] Ban 54.70.50.120 2016-09-23 18:50:09,818 fail2ban.actions [1593]: NOTICE [sshd] Ban 90.34.136.241 2016-09-23 18:50:10,028 fail2ban.actions [1593]: NOTICE [sshd] Ban 91.224.160.106 2016-09-23 18:50:10,238 fail2ban.actions [1593]: NOTICE [sshd] Ban 91.224.160.108 2016-09-23 18:50:10,448 fail2ban.actions [1593]: NOTICE [sshd] Ban 91.224.160.131 2016-09-23 18:50:10,658 fail2ban.actions [1593]: NOTICE [sshd] Ban 91.224.161.69 2016-09-23 19:59:21,991 fail2ban.server [1593]: INFO Stopping all jails 2016-09-23 19:59:22,926 fail2ban.actions [1593]: NOTICE [sshd] Unban 103.207.36.121 2016-09-23 19:59:23,187 fail2ban.actions [1593]: NOTICE [sshd] Unban 119.249.54.66 2016-09-23 19:59:23,406 fail2ban.actions [1593]: NOTICE [sshd] Unban 119.249.54.68 2016-09-23 19:59:23,625 fail2ban.actions [1593]: NOTICE [sshd] Unban 119.249.54.75 2016-09-23 19:59:23,844 fail2ban.actions [1593]: NOTICE [sshd] Unban 119.249.54.88 2016-09-23 19:59:24,063 fail2ban.actions [1593]: NOTICE [sshd] Unban 121.18.238.104 2016-09-23 19:59:24,282 fail2ban.actions [1593]: NOTICE [sshd] Unban 121.18.238.109 2016-09-23 19:59:24,499 fail2ban.actions [1593]: NOTICE [sshd] Unban 121.18.238.114 2016-09-23 19:59:24,718 fail2ban.actions [1593]: NOTICE [sshd] Unban 121.18.238.98 2016-09-23 19:59:24,935 fail2ban.actions [1593]: NOTICE [sshd] Unban 138.186.113.56 2016-09-23 19:59:25,152 fail2ban.actions [1593]: NOTICE [sshd] Unban 172.12.82.211 2016-09-23 19:59:25,370 fail2ban.actions [1593]: NOTICE [sshd] Unban 185.110.132.201 2016-09-23 19:59:25,587 fail2ban.actions [1593]: NOTICE [sshd] Unban 212.83.173.88 2016-09-23 19:59:25,806 fail2ban.actions [1593]: NOTICE [sshd] Unban 221.194.47.208 2016-09-23 19:59:26,024 fail2ban.actions [1593]: NOTICE [sshd] Unban 221.194.47.224 2016-09-23 19:59:26,244 fail2ban.actions [1593]: NOTICE [sshd] Unban 221.194.47.229 2016-09-23 19:59:26,465 fail2ban.actions [1593]: NOTICE [sshd] Unban 221.194.47.249 2016-09-23 19:59:26,684 fail2ban.actions [1593]: NOTICE [sshd] Unban 43.252.189.102 2016-09-23 19:59:26,901 fail2ban.actions [1593]: NOTICE [sshd] Unban 46.165.210.13 2016-09-23 19:59:27,118 fail2ban.actions [1593]: NOTICE [sshd] Unban 54.70.50.120 2016-09-23 19:59:27,336 fail2ban.actions [1593]: NOTICE [sshd] Unban 90.34.136.241 2016-09-23 19:59:27,554 fail2ban.actions [1593]: NOTICE [sshd] Unban 91.224.160.106 2016-09-23 19:59:27,771 fail2ban.actions [1593]: NOTICE [sshd] Unban 91.224.160.108 2016-09-23 19:59:27,989 fail2ban.actions [1593]: NOTICE [sshd] Unban 91.224.160.131 2016-09-23 19:59:28,207 fail2ban.actions [1593]: NOTICE [sshd] Unban 91.224.161.69 2016-09-23 19:59:28,534 fail2ban.jail [1593]: INFO Jail 'sshd' stopped 2016-09-23 19:59:28,548 fail2ban.server [1593]: INFO Exiting Fail2ban 2016-09-23 20:00:22,136 fail2ban.server [1555]: INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.9.3 2016-09-23 20:00:22,137 fail2ban.database [1555]: INFO Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3' 2016-09-23 20:00:22,141 fail2ban.jail [1555]: INFO Creating new jail 'sshd' 2016-09-23 20:00:22,173 fail2ban.jail [1555]: INFO Jail 'sshd' uses pyinotify 2016-09-23 20:00:22,190 fail2ban.filter [1555]: INFO Set jail log file encoding to UTF-8 2016-09-23 20:00:22,198 fail2ban.jail [1555]: INFO Initiated 'pyinotify' backend 2016-09-23 20:00:22,201 fail2ban.filter [1555]: INFO Set maxRetry = 5 2016-09-23 20:00:22,204 fail2ban.filter [1555]: INFO Added logfile = /var/log/auth.log 2016-09-23 20:00:22,207 fail2ban.actions [1555]: INFO Set banTime = -1 2016-09-23 20:00:22,208 fail2ban.filter [1555]: INFO Set jail log file encoding to UTF-8 2016-09-23 20:00:22,208 fail2ban.filter [1555]: INFO Set findtime = 600 2016-09-23 20:00:22,209 fail2ban.filter [1555]: INFO Set maxlines = 10 2016-09-23 20:00:22,279 fail2ban.server [1555]: INFO Jail sshd is not a JournalFilter instance 2016-09-23 20:00:22,298 fail2ban.jail [1555]: INFO Jail 'sshd' started 2016-09-23 20:00:22,390 fail2ban.actions [1555]: NOTICE [sshd] Ban 103.207.36.121 2016-09-23 20:00:22,600 fail2ban.actions [1555]: NOTICE [sshd] Ban 119.249.54.66 2016-09-23 20:00:22,811 fail2ban.actions [1555]: NOTICE [sshd] Ban 119.249.54.68 2016-09-23 20:00:23,023 fail2ban.actions [1555]: NOTICE [sshd] Ban 119.249.54.75 2016-09-23 20:00:23,140 fail2ban.actions [1555]: NOTICE [sshd] Ban 119.249.54.88 2016-09-23 20:00:23,356 fail2ban.actions [1555]: NOTICE [sshd] Ban 121.18.238.104 2016-09-23 20:00:23,568 fail2ban.actions [1555]: NOTICE [sshd] Ban 121.18.238.109 2016-09-23 20:00:23,780 fail2ban.actions [1555]: NOTICE [sshd] Ban 121.18.238.114 2016-09-23 20:00:23,992 fail2ban.actions [1555]: NOTICE [sshd] Ban 121.18.238.98 2016-09-23 20:00:24,206 fail2ban.actions [1555]: NOTICE [sshd] Ban 138.186.113.56 2016-09-23 20:00:24,419 fail2ban.actions [1555]: NOTICE [sshd] Ban 172.12.82.211 2016-09-23 20:00:24,535 fail2ban.actions [1555]: NOTICE [sshd] Ban 185.110.132.201 2016-09-23 20:00:24,649 fail2ban.actions [1555]: NOTICE [sshd] Ban 212.83.173.88 2016-09-23 20:00:24,862 fail2ban.actions [1555]: NOTICE [sshd] Ban 221.194.47.208 2016-09-23 20:00:25,075 fail2ban.actions [1555]: NOTICE [sshd] Ban 221.194.47.224 2016-09-23 20:00:25,188 fail2ban.actions [1555]: NOTICE [sshd] Ban 221.194.47.229 2016-09-23 20:00:25,428 fail2ban.actions [1555]: NOTICE [sshd] Ban 221.194.47.249 2016-09-23 20:00:25,642 fail2ban.actions [1555]: NOTICE [sshd] Ban 43.252.189.102 2016-09-23 20:00:25,852 fail2ban.actions [1555]: NOTICE [sshd] Ban 46.165.210.13 2016-09-23 20:00:26,062 fail2ban.actions [1555]: NOTICE [sshd] Ban 54.70.50.120 2016-09-23 20:00:26,272 fail2ban.actions [1555]: NOTICE [sshd] Ban 90.34.136.241 2016-09-23 20:00:26,481 fail2ban.actions [1555]: NOTICE [sshd] Ban 91.224.160.106 2016-09-23 20:00:26,691 fail2ban.actions [1555]: NOTICE [sshd] Ban 91.224.160.108 2016-09-23 20:00:26,900 fail2ban.actions [1555]: NOTICE [sshd] Ban 91.224.160.131 2016-09-23 20:00:27,109 fail2ban.actions [1555]: NOTICE [sshd] Ban 91.224.161.69 |
verstehe es nicht das er bei reboot die IP's erst Unban und dann wieder Ban
Danke Gruß Phanom
Bearbeitet von Cruiz:
Bitte verzichte in Zukunft auf überflüssige Hervorhebungen im Titel!