ubuntuusers.de

Fail2ban mit Postfix und SASL funktioniert nicht

Status: Ungelöst | Ubuntu-Version: Server 22.04 (Jammy Jellyfish)
Antworten |

gnude

Avatar von gnude

Anmeldungsdatum:
11. Juli 2014

Beiträge: 843

Hallo, ich habe mal eine Frage zum Thema Mailserver / Fail2ban. Die Situation ist aktuell wie folgt.... installierte Software: Postfix, Dovecot, Fetchmail. Der Mailserver an sich tut was er soll. (Versand und Empfang)

In den Log Dateien habe ich nun viele Loginversuche auf smtp:

Beispiel in der /var/log/auth.log

May 17 05:11:21 server2204 saslauthd[1876009]:                 : auth failure: [user=testing] [service=smtp] [realm=test_domain.de] [mech=shadow] [reason=Invalid username]
May 17 05:11:27 server2204 saslauthd[1875996]:                 : auth failure: [user=testing] [service=smtp] [realm=test_domain.de] [mech=shadow] [reason=Invalid username]
May 17 05:11:33 server2204 saslauthd[1876013]:                 : auth failure: [user=postgresql] [service=smtp] [realm=test_domain.de] [mech=shadow] [reason=Invalid username]
May 17 05:11:36 server2204 saslauthd[1876014]:                 : auth failure: [user=testing] [service=smtp] [realm=test_domain.de] [mech=shadow] [reason=Invalid username]
May 17 05:11:48 server2204 saslauthd[1876008]:                 : auth failure: [user=postgresql] [service=smtp] [realm=test_domain.de] [mech=shadow] [reason=Invalid username]
May 17 05:11:48 server2204 saslauthd[1876009]:                 : auth failure: [user=testing] [service=smtp] [realm=test_domain.de] [mech=shadow] [reason=Invalid username]
May 17 05:11:58 server2204 saslauthd[1875996]:                 : auth failure: [user=postgresql] [service=smtp] [realm=test_domain.de] [mech=shadow] [reason=Invalid username]
May 17 05:12:05 server2204 saslauthd[1876013]:                 : auth failure: [user=postgresql] [service=smtp] [realm=test_domain.de] [mech=shadow] [reason=Invalid username]
May 17 05:12:10 server2204 saslauthd[1876014]:                 : auth failure: [user=postgresql] [service=smtp] [realm=test_domain.de] [mech=shadow] [reason=Invalid username]
May 17 05:12:17 server2204 saslauthd[1876008]:                 : auth failure: [user=postgresql] [service=smtp] [realm=test_domain.de] [mech=shadow] [reason=Invalid username]
May 17 05:12:24 server2204 saslauthd[1876009]:                 : auth failure: [user=postgresql] [service=smtp] [realm=test_domain.de] [mech=shadow] [reason=Invalid username]
May 17 05:12:30 server2204 saslauthd[1875996]:                 : auth failure: [user=postgresql] [service=smtp] [realm=test_domain.de] [mech=shadow] [reason=Invalid username]
May 17 05:12:38 server2204 saslauthd[1876013]:                 : auth failure: [user=postgresql] [service=smtp] [realm=test_domain.de] [mech=shadow] [reason=Invalid username]
May 17 05:12:46 server2204 saslauthd[1876014]:                 : auth failure: [user=postgresql] [service=smtp] [realm=test_domain.de] [mech=shadow] [reason=Invalid username]

und in der /var/log/mail.log

May 17 05:11:58 server2204 postfix/smtpd[1890931]: warning: unknown[109.xxx.yyy.zz]: SASL LOGIN authentication failed: authentication failure
May 17 05:12:05 server2204 postfix/smtpd[1890931]: warning: unknown[109.xxx.yyy.zz]: SASL LOGIN authentication failed: authentication failure
May 17 05:12:10 server2204 postfix/smtpd[1890931]: warning: unknown[109.xxx.yyy.zz]: SASL LOGIN authentication failed: authentication failure
May 17 05:12:17 server2204 postfix/smtpd[1890931]: warning: unknown[109.xxx.yyy.zz]: SASL LOGIN authentication failed: authentication failure
May 17 05:12:24 server2204 postfix/smtpd[1890931]: warning: unknown[109.xxx.yyy.zz]: SASL LOGIN authentication failed: authentication failure
May 17 05:12:30 server2204 postfix/smtpd[1890931]: warning: unknown[109.xxx.yyy.zz]: SASL LOGIN authentication failed: authentication failure
May 17 05:12:38 server2204 postfix/smtpd[1890931]: warning: unknown[109.xxx.yyy.zz]: SASL LOGIN authentication failed: authentication failure
May 17 05:12:46 server2204 postfix/smtpd[1890931]: warning: unknown[109.xxx.yyy.zz]: SASL LOGIN authentication failed: authentication failure

Für mich sieht es jetzt so aus als wenn permanent versucht wird per SMTP auf dem Server zuzugreifen bzw. Nachrichten zu verschicken. Auf jeden Fall würde ich gern diese Versuche auszusperren.

Ich habe nun Fail2ban installiert und habe versucht das so anzupassen das die Logins gesperrt werden. Leider ohne Erfolg.

Die ausgabe von Fail2ban :

root@server2204:/# fail2ban-client status
Status
|- Number of jail:	4
`- Jail list:	postfix, postfix-sasl, sasl, sshd
root@server2204:/# 

Und keine der "aktiven" Jails hat bisher etwas gesperrt. Beispiel:

root@server2204:/# fail2ban-client status sasl
Status for the jail: sasl
|- Filter
|  |- Currently failed:	0
|  |- Total failed:	0
|  `- File list:	
`- Actions
   |- Currently banned:	0
   |- Total banned:	0
   `- Banned IP list:	
root@server2204:/# fail2ban-client status postfix-sasl
Status for the jail: postfix-sasl
|- Filter
|  |- Currently failed:	0
|  |- Total failed:	0
|  `- File list:	/var/log/mail.log
`- Actions
   |- Currently banned:	0
   |- Total banned:	0
   `- Banned IP list:	

root@server2204:/# 

Jetzt ist die Frage.... an welchen Stellen muss ich die Einstellungs-Datei bearbeiten, oder welche Daten muss ich hier posten um da weiter zu kommen?

Bearbeitet von Thomas_Do:

URLs und IP-Adressen unkenntlich gemacht, da es sich im personenbezogene Daten handeln kann.

DJKUhpisse Team-Icon

Supporter, Wikiteam
Avatar von DJKUhpisse

Anmeldungsdatum:
18. Oktober 2016

Beiträge: 18211

Wohnort: in deinem Browser, hier auf dem Bildschirm

Was sagt denn

fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/postfixgeraffel --print-all-matched

Pfade halt noch anpassen.

gnude

(Themenstarter)
Avatar von gnude

Anmeldungsdatum:
11. Juli 2014

Beiträge: 843

DJKUhpisse schrieb:

Was sagt denn

fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/postfixgeraffel --print-all-matched

Pfade halt noch anpassen.

root@server2204:/etc/fail2ban/filter.d# fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/postfix.conf --print-all-matched

Running tests
=============

Use   failregex filter file : postfix, basedir: /etc/fail2ban
Use      datepattern : {^LN-BEG} : Default Detectors
Use         log file : /var/log/mail.log
Use         encoding : UTF-8


Results
=======

Prefregex: 115 total
|  ^(?:\[\])?\s*(?:<[^.]+\.[^.]+>\s+)?(?:\S+\s+)?(?:kernel:\s?\[ *\d+\.\d+\]:?\s+)?(?:@vserver_\S+\s+)?(?:(?:(?:\[\d+\])?:\s+[\[\(]?postfix(-\w+)?/\w+(?:/smtp[ds])?(?:\(\S+\))?[\]\)]?:?|[\[\(]?postfix(-\w+)?/\w+(?:/smtp[ds])?(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)\s+)?(?:\[ID \d+ \S+\]\s+)?(?:\w+: reject:|(?:improper command pipelining|too many errors) after \S+) (?P<content>.+)$
`-

Failregex: 114 total
|-  #) [# of hits] regular expression
|   1) [8] ^RCPT from [^[]*\[<HOST>\](?::\d+)?: 55[04] 5\.7\.1\s
|   7) [106] ^from [^[]*\[<HOST>\](?::\d+)?:?
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [31392] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
`-

Lines: 31392 lines, 0 ignored, 114 matched, 31278 missed
[processed in 2.53 sec]

|- Matched line(s):
|  May 12 01:48:45 server2204 postfix/smtpd[1756820]: NOQUEUE: reject: RCPT from unknown[79.110.49.173]: 554 5.7.1 <spameri@tiscali.it>: Relay access denied; from=<spameri@tiscali.it> to=<spameri@tiscali.it> proto=ESMTP helo=<WIN-4TTI4DH7SGH>
|  May 12 15:44:51 server2204 postfix/smtpd[1770265]: NOQUEUE: reject: RCPT from unknown[79.110.49.173]: 554 5.7.1 <spameri@tiscali.it>: Relay access denied; from=<spameri@tiscali.it> to=<spameri@tiscali.it> proto=ESMTP helo=<WIN-4TTI4DH7SGH>
|  May 12 23:44:52 server2204 postfix/smtpd[1777618]: NOQUEUE: reject: RCPT from unknown[109.206.237.16]: 554 5.7.1 <spameri@tiscali.it>: Relay access denied; from=<spameri@tiscali.it> to=<spameri@tiscali.it> proto=ESMTP helo=<WIN-CLJ1B0GQ6JP>
|  May 13 04:46:18 server2204 postfix/smtpd[1782323]: NOQUEUE: reject: RCPT from unknown[109.206.237.26]: 554 5.7.1 <spameri@tiscali.it>: Relay access denied; from=<spameri@tiscali.it> to=<spameri@tiscali.it> proto=ESMTP helo=<WIN-CLJ1B0GQ6JP>
|  May 14 07:42:52 server2204 postfix/smtpd[1807993]: NOQUEUE: reject: RCPT from keeper-us-east-1d.mxtoolbox.com[18.209.86.113]: 554 5.7.1 <test@mxtoolboxsmtpdiag.com>: Relay access denied; from=<supertool@mxtoolboxsmtpdiag.com> to=<test@mxtoolboxsmtpdiag.com> proto=ESMTP helo=<keeper-us-east-1d.mxtoolbox.com>
|  May 14 08:29:39 server2204 postfix/smtpd[1809136]: NOQUEUE: reject: RCPT from scanners.hostedscan.com[173.255.236.224]: 554 5.7.1 <openvasvt@example.com>: Relay access denied; from=<openvasvt@hostedscan-worker-openvas-pod> to=<openvasvt@example.com> proto=SMTP helo=<example.com>
|  May 14 08:48:54 server2204 postfix/smtpd[1809660]: improper command pipelining after STARTTLS from scanners.hostedscan.com[173.255.236.224]: NOOP\r\n
|  May 14 08:49:05 server2204 postfix/smtpd[1809661]: NOQUEUE: reject: RCPT from scanners.hostedscan.com[173.255.236.224]: 554 5.7.1 <root+:; sleep 16 ;>: Relay access denied; from=<openvasvt@hostedscan-worker-openvas-pod> to=<"root+:; sleep 16 ;"> proto=SMTP helo=<hostedscan-worker-openvas-pod>
|  May 14 08:49:34 server2204 postfix/smtpd[1809665]: improper command pipelining after STARTTLS from scanners.hostedscan.com[173.255.236.224]: NOOP\r\n
|  May 14 09:18:21 server2204 postfix/smtpd[1810218]: too many errors after AUTH from unknown[109.206.237.38]
|  May 14 09:18:32 server2204 postfix/smtpd[1810233]: too many errors after AUTH from unknown[109.206.237.38]
|  May 14 09:19:18 server2204 postfix/smtpd[1810235]: too many errors after AUTH from unknown[109.206.237.38]
|  May 14 09:19:24 server2204 postfix/smtpd[1810236]: too many errors after AUTH from unknown[109.206.237.38]
|  May 14 10:33:47 server2204 postfix/smtpd[1811504]: too many errors after AUTH from unknown[109.206.237.38]
|  May 14 10:33:48 server2204 postfix/smtpd[1811512]: too many errors after AUTH from unknown[109.206.237.38]
|  May 14 11:58:51 server2204 postfix/smtpd[1812751]: too many errors after AUTH from unknown[109.206.237.38]
|  May 14 12:00:08 server2204 postfix/smtpd[1812751]: too many errors after AUTH from unknown[109.206.237.38]
|  May 14 12:01:41 server2204 postfix/smtpd[1812751]: too many errors after AUTH from unknown[109.206.237.38]
|  May 14 12:03:01 server2204 postfix/smtpd[1812751]: too many errors after AUTH from unknown[109.206.237.38]
|  May 14 14:31:16 server2204 postfix/smtpd[1815520]: too many errors after AUTH from unknown[109.206.237.38]
|  May 14 14:55:13 server2204 postfix/smtpd[1815913]: too many errors after AUTH from unknown[109.206.237.38]
|  May 14 15:58:24 server2204 postfix/smtpd[1816841]: too many errors after AUTH from unknown[109.206.237.38]
|  May 14 15:59:44 server2204 postfix/smtpd[1816841]: too many errors after AUTH from unknown[109.206.237.38]
|  May 14 16:15:39 server2204 postfix/smtpd[1817166]: too many errors after AUTH from unknown[109.206.237.38]
|  May 14 16:16:47 server2204 postfix/smtpd[1817166]: too many errors after AUTH from unknown[109.206.237.38]
|  May 14 17:38:00 server2204 postfix/smtpd[1818286]: too many errors after AUTH from unknown[109.206.237.38]
|  May 14 17:55:49 server2204 postfix/smtpd[1818649]: too many errors after AUTH from unknown[109.206.237.38]
|  May 14 18:52:21 server2204 postfix/smtpd[1819653]: too many errors after AUTH from unknown[109.206.237.38]
|  May 14 18:53:25 server2204 postfix/smtpd[1819653]: too many errors after AUTH from unknown[109.206.237.38]
|  May 14 19:09:49 server2204 postfix/smtpd[1819850]: too many errors after AUTH from unknown[109.206.237.38]
|  May 14 19:10:53 server2204 postfix/smtpd[1819850]: too many errors after AUTH from unknown[109.206.237.38]
|  May 14 20:06:28 server2204 postfix/smtpd[1820788]: too many errors after AUTH from unknown[109.206.237.38]
|  May 14 20:32:02 server2204 postfix/smtpd[1821106]: too many errors after AUTH from unknown[109.206.237.38]
|  May 14 21:39:58 server2204 postfix/smtpd[1822205]: too many errors after AUTH from unknown[109.206.237.38]
|  May 14 21:41:14 server2204 postfix/smtpd[1822205]: too many errors after AUTH from unknown[109.206.237.38]
|  May 14 22:05:08 server2204 postfix/smtpd[1822587]: too many errors after AUTH from unknown[109.206.237.38]
|  May 14 22:06:15 server2204 postfix/smtpd[1822587]: too many errors after AUTH from unknown[109.206.237.38]
|  May 14 23:06:32 server2204 postfix/smtpd[1823499]: too many errors after AUTH from unknown[109.206.237.38]
|  May 14 23:33:45 server2204 postfix/smtpd[1823899]: too many errors after AUTH from unknown[109.206.237.38]
|  May 15 00:23:55 server2204 postfix/smtpd[1824795]: too many errors after AUTH from unknown[109.206.237.38]
|  May 15 00:25:03 server2204 postfix/smtpd[1824795]: too many errors after AUTH from unknown[109.206.237.38]
|  May 15 00:52:01 server2204 postfix/smtpd[1825619]: too many errors after AUTH from unknown[109.206.237.38]
|  May 15 00:53:05 server2204 postfix/smtpd[1825619]: too many errors after AUTH from unknown[109.206.237.38]
|  May 15 01:43:18 server2204 postfix/smtpd[1826402]: too many errors after AUTH from unknown[109.206.237.38]
|  May 15 02:17:27 server2204 postfix/smtpd[1826906]: too many errors after AUTH from unknown[109.206.237.38]
|  May 15 03:02:25 server2204 postfix/smtpd[1827555]: too many errors after AUTH from unknown[109.206.237.38]
|  May 15 03:03:33 server2204 postfix/smtpd[1827555]: too many errors after AUTH from unknown[109.206.237.38]
|  May 15 03:36:42 server2204 postfix/smtpd[1828025]: too many errors after AUTH from unknown[109.206.237.38]
|  May 15 03:38:20 server2204 postfix/smtpd[1828025]: too many errors after AUTH from unknown[109.206.237.38]
|  May 15 04:28:20 server2204 postfix/smtpd[1828821]: too many errors after AUTH from unknown[109.206.237.38]
|  May 15 05:08:46 server2204 postfix/smtpd[1829399]: too many errors after AUTH from unknown[109.206.237.38]
|  May 15 05:52:01 server2204 postfix/smtpd[1830069]: too many errors after AUTH from unknown[109.206.237.38]
|  May 15 05:53:09 server2204 postfix/smtpd[1830069]: too many errors after AUTH from unknown[109.206.237.38]
|  May 15 06:27:52 server2204 postfix/smtpd[1843305]: too many errors after AUTH from unknown[109.206.237.38]
|  May 15 06:28:56 server2204 postfix/smtpd[1843305]: too many errors after AUTH from unknown[109.206.237.38]
|  May 15 09:00:10 server2204 postfix/smtpd[1845943]: too many errors after AUTH from unknown[109.206.237.38]
|  May 15 09:00:23 server2204 postfix/smtpd[1845916]: too many errors after AUTH from unknown[109.206.237.38]
|  May 15 09:02:26 server2204 postfix/smtpd[1846002]: too many errors after AUTH from unknown[109.206.237.38]
|  May 15 09:02:31 server2204 postfix/smtpd[1845943]: too many errors after AUTH from unknown[109.206.237.38]
|  May 15 11:05:33 server2204 postfix/smtpd[1848617]: too many errors after AUTH from unknown[109.206.237.38]
|  May 15 11:06:39 server2204 postfix/smtpd[1848642]: too many errors after AUTH from unknown[109.206.237.38]
|  May 15 12:19:28 server2204 postfix/smtpd[1849932]: NOQUEUE: reject: RCPT from unknown[194.169.175.117]: 554 5.7.1 <spameri@tiscali.it>: Relay access denied; from=<spameri@tiscali.it> to=<spameri@tiscali.it> proto=ESMTP helo=<WIN-HHIJ7MIVESP>
|  May 15 13:03:57 server2204 postfix/smtpd[1850567]: too many errors after AUTH from unknown[109.206.237.38]
|  May 15 13:04:13 server2204 postfix/smtpd[1850588]: too many errors after AUTH from unknown[109.206.237.38]
|  May 15 13:05:34 server2204 postfix/smtpd[1850588]: too many errors after AUTH from unknown[109.206.237.38]
|  May 15 13:05:51 server2204 postfix/smtpd[1850567]: too many errors after AUTH from unknown[109.206.237.38]
|  May 15 15:00:59 server2204 postfix/smtpd[1852354]: too many errors after AUTH from unknown[109.206.237.38]
|  May 15 15:03:27 server2204 postfix/smtpd[1852354]: too many errors after AUTH from unknown[109.206.237.38]
|  May 15 17:31:45 server2204 postfix/smtpd[1854581]: too many errors after AUTH from unknown[109.206.237.38]
|  May 15 17:33:15 server2204 postfix/smtpd[1854581]: too many errors after AUTH from unknown[109.206.237.38]
|  May 15 17:38:16 server2204 postfix/smtpd[1854657]: too many errors after AUTH from unknown[109.206.237.38]
|  May 15 17:40:04 server2204 postfix/smtpd[1854657]: too many errors after AUTH from unknown[109.206.237.38]
|  May 15 19:35:13 server2204 postfix/smtpd[1856445]: too many errors after AUTH from unknown[109.206.237.38]
|  May 15 19:45:47 server2204 postfix/smtpd[1856646]: too many errors after AUTH from unknown[109.206.237.38]
|  May 15 21:37:06 server2204 postfix/smtpd[1858244]: too many errors after AUTH from unknown[109.206.237.38]
|  May 15 21:38:49 server2204 postfix/smtpd[1858244]: too many errors after AUTH from unknown[109.206.237.38]
|  May 15 21:44:49 server2204 postfix/smtpd[1858444]: too many errors after AUTH from unknown[109.206.237.38]
|  May 15 21:46:19 server2204 postfix/smtpd[1858444]: too many errors after AUTH from unknown[109.206.237.38]
|  May 15 23:41:22 server2204 postfix/smtpd[1860202]: too many errors after AUTH from unknown[109.206.237.38]
|  May 15 23:41:42 server2204 postfix/smtpd[1860205]: too many errors after AUTH from unknown[109.206.237.38]
|  May 16 01:36:59 server2204 postfix/smtpd[1862098]: too many errors after AUTH from unknown[109.206.237.38]
|  May 16 01:37:14 server2204 postfix/smtpd[1862101]: too many errors after AUTH from unknown[109.206.237.38]
|  May 16 01:38:20 server2204 postfix/smtpd[1862098]: too many errors after AUTH from unknown[109.206.237.38]
|  May 16 01:38:48 server2204 postfix/smtpd[1862101]: too many errors after AUTH from unknown[109.206.237.38]
|  May 16 03:51:23 server2204 postfix/smtpd[1864111]: too many errors after AUTH from unknown[109.206.237.38]
|  May 16 03:51:46 server2204 postfix/smtpd[1864115]: too many errors after AUTH from unknown[109.206.237.38]
|  May 16 06:45:57 server2204 postfix/smtpd[1867342]: too many errors after AUTH from unknown[109.206.237.38]
|  May 16 06:46:00 server2204 postfix/smtpd[1867345]: too many errors after AUTH from unknown[109.206.237.38]
|  May 16 06:49:26 server2204 postfix/smtpd[1867342]: too many errors after AUTH from unknown[109.206.237.38]
|  May 16 06:49:28 server2204 postfix/smtpd[1867345]: too many errors after AUTH from unknown[109.206.237.38]
|  May 16 10:20:37 server2204 postfix/smtpd[1871316]: too many errors after AUTH from unknown[109.206.237.38]
|  May 16 10:20:40 server2204 postfix/smtpd[1871313]: too many errors after AUTH from unknown[109.206.237.38]
|  May 16 12:27:24 server2204 postfix/smtpd[1873464]: too many errors after AUTH from unknown[109.206.237.38]
|  May 16 12:29:09 server2204 postfix/smtpd[1873462]: too many errors after AUTH from unknown[109.206.237.38]
|  May 16 12:59:21 server2204 postfix/smtpd[1874120]: too many errors after AUTH from unknown[109.206.237.38]
|  May 16 13:00:13 server2204 postfix/smtpd[1874117]: too many errors after AUTH from unknown[109.206.237.38]
|  May 16 15:18:14 server2204 postfix/smtpd[1877756]: too many errors after AUTH from unknown[109.206.237.38]
|  May 16 15:18:33 server2204 postfix/smtpd[1877753]: too many errors after AUTH from unknown[109.206.237.38]
|  May 16 17:16:19 server2204 postfix/smtpd[1879530]: too many errors after AUTH from unknown[109.206.237.38]
|  May 16 17:16:30 server2204 postfix/smtpd[1879533]: too many errors after AUTH from unknown[109.206.237.38]
|  May 16 17:18:13 server2204 postfix/smtpd[1879530]: too many errors after AUTH from unknown[109.206.237.38]
|  May 16 17:18:24 server2204 postfix/smtpd[1879533]: too many errors after AUTH from unknown[109.206.237.38]
|  May 16 20:29:36 server2204 postfix/smtpd[1882795]: too many errors after AUTH from unknown[109.206.237.38]
|  May 16 20:30:09 server2204 postfix/smtpd[1882792]: too many errors after AUTH from unknown[109.206.237.38]
|  May 16 23:32:01 server2204 postfix/smtpd[1885669]: too many errors after AUTH from unknown[109.206.237.38]
|  May 16 23:33:28 server2204 postfix/smtpd[1885672]: too many errors after AUTH from unknown[109.206.237.38]
|  May 16 23:34:46 server2204 postfix/smtpd[1885669]: too many errors after AUTH from unknown[109.206.237.38]
|  May 16 23:35:40 server2204 postfix/smtpd[1885672]: too many errors after AUTH from unknown[109.206.237.38]
|  May 17 02:26:33 server2204 postfix/smtpd[1888529]: too many errors after AUTH from unknown[109.206.237.38]
|  May 17 02:27:43 server2204 postfix/smtpd[1888532]: too many errors after AUTH from unknown[109.206.237.38]
|  May 17 05:09:33 server2204 postfix/smtpd[1890934]: too many errors after AUTH from unknown[109.206.237.38]
|  May 17 05:09:41 server2204 postfix/smtpd[1890931]: too many errors after AUTH from unknown[109.206.237.38]
|  May 17 05:11:51 server2204 postfix/smtpd[1890934]: too many errors after AUTH from unknown[109.206.237.38]
|  May 17 05:12:48 server2204 postfix/smtpd[1890931]: too many errors after AUTH from unknown[109.206.237.38]
`-
Missed line(s): too many to print.  Use --print-all-missed to print all 31278 lines
root@server2204:/etc/fail2ban/filter.d# 
root@server2204:/etc/fail2ban/filter.d# fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/postfix-sasl.conf --print-all-matched

Running tests
=============

Use   failregex filter file : postfix-sasl, basedir: /etc/fail2ban
Use      datepattern : {^LN-BEG} : Default Detectors
ERROR: No failure-id group in '^(?:\[\])?\s*(?:<[^.]+\.[^.]+>\s+)?(?:\S+\s+)?(?:kernel:\s?\[ *\d+\.\d+\]:?\s+)?(?:@vserver_\S+\s+)?(?:(?:(?:\[\d+\])?:\s+[\[\(]?postfix/smtpd(?:\(\S+\))?[\]\)]?:?|[\[\(]?postfix/smtpd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)\s+)?(?:\[ID \d+ \S+\]\s+)?warning: [-._\w]+\[\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$'
root@server2204:/etc/fail2ban/filter.d# 

DJKUhpisse Team-Icon

Supporter, Wikiteam
Avatar von DJKUhpisse

Anmeldungsdatum:
18. Oktober 2016

Beiträge: 18211

Wohnort: in deinem Browser, hier auf dem Bildschirm

/etc/fail2ban/filter.d/postfix.conf scheint hier zu passen. Spricht aus deiner Sicht was dagegen, das zu verwenden?

gnude

(Themenstarter)
Avatar von gnude

Anmeldungsdatum:
11. Juli 2014

Beiträge: 843

DJKUhpisse schrieb:

/etc/fail2ban/filter.d/postfix.conf scheint hier zu passen. Spricht aus deiner Sicht was dagegen, das zu verwenden?

Nein spricht nichts dagegen. Aber ... wie binde ich das korrekt ein? Welche Dateien muss ich korrekt bearbeiten???

DJKUhpisse Team-Icon

Supporter, Wikiteam
Avatar von DJKUhpisse

Anmeldungsdatum:
18. Oktober 2016

Beiträge: 18211

Wohnort: in deinem Browser, hier auf dem Bildschirm

Im jail musst du den Filter eintragen und als Aktion dann was wählen. Schau in actions.d nach, was dir gefällt.

gnude

(Themenstarter)
Avatar von gnude

Anmeldungsdatum:
11. Juli 2014

Beiträge: 843

Ich komm da grade nicht weiter.

Die Frage ist ob Fail2ban überhaupt läuft. Ich habe auch einen ssh den er absichern soll. Habe grade eine Reihe von fehlerhaten Logins selbst erzeugt die auch in der /var/log/auth.log korrekt erfasst werden. Aber fail2ban zeigt das nicht an.

root@server2204:/etc/fail2ban# fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed:	0
|  |- Total failed:	0
|  `- File list:	/var/log/auth.log
`- Actions
   |- Currently banned:	0
   |- Total banned:	0
   `- Banned IP list:	
root@server2204:/etc/fail2ban# 
May 17 08:24:03 server2204 sshd[1895104]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=62.xxx.yyy.zz  user=root
May 17 08:24:06 server2204 sshd[1895104]: Failed password for root from 62.xxx.yyy.zz port 48444 ssh2
May 17 08:24:09 server2204 sshd[1895104]: Failed password for root from 62.xxx.yyy.zz port 48444 ssh2
May 17 08:24:13 server2204 sshd[1895104]: Failed password for root from 62.xxx.yyy.zz port 48444 ssh2
May 17 08:24:14 server2204 sshd[1895104]: Connection closed by authenticating user root 62.xxx.yyy.zz port 48444 [preauth]
May 17 08:24:14 server2204 sshd[1895104]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=62.xxx.yyy.zz  user=root
May 17 08:24:16 server2204 sshd[1895106]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=62.xxx.yyy.zz  user=root
May 17 08:24:18 server2204 sshd[1895106]: Failed password for root from 62.xxx.yyy.zz port 38692 ssh2
May 17 08:24:23 server2204 sshd[1895106]: Failed password for root from 62.xxx.yyy.zz port 38692 ssh2
May 17 08:24:39 server2204 sshd[1895106]: Failed password for root from 62.xxx.yyy.zz port 38692 ssh2

Bearbeitet von Thomas_Do:

IP-Adressen unkenntlich gemacht.

gnude

(Themenstarter)
Avatar von gnude

Anmeldungsdatum:
11. Juli 2014

Beiträge: 843

Vielleicht ... sollte erstmal der ssh Filter laufen. Welche Dateien zur Fehlersuche kann ich hier posten ?

DJKUhpisse Team-Icon

Supporter, Wikiteam
Avatar von DJKUhpisse

Anmeldungsdatum:
18. Oktober 2016

Beiträge: 18211

Wohnort: in deinem Browser, hier auf dem Bildschirm

Zeige mal diene Jail-Dateien.

gnude

(Themenstarter)
Avatar von gnude

Anmeldungsdatum:
11. Juli 2014

Beiträge: 843

DJKUhpisse schrieb:

Zeige mal diene Jail-Dateien.

Hier sind die Dateien.... ich habe aber einen anderen SSH Port, wo müsste der korrekt angepasst werden?

/etc/fail2ban/jail.conf

#
# WARNING: heavily refactored in 0.9.0 release.  Please review and
#          customize settings for your setup.
#
# Changes:  in most of the cases you should not modify this
#           file, but provide customizations in jail.local file,
#           or separate .conf files under jail.d/ directory, e.g.:
#
# HOW TO ACTIVATE JAILS:
#
# YOU SHOULD NOT MODIFY THIS FILE.
#
# It will probably be overwritten or improved in a distribution update.
#
# Provide customizations in a jail.local file or a jail.d/customisation.local.
# For example to change the default bantime for all jails and to enable the
# ssh-iptables jail the following (uncommented) would appear in the .local file.
# See man 5 jail.conf for details.
#
# [DEFAULT]
# bantime = 1h
#
# [sshd]
# enabled = true
#
# See jail.conf(5) man page for more information



# Comments: use '#' for comment lines and ';' (following a space) for inline comments


[INCLUDES]

#before = paths-distro.conf
before = paths-debian.conf

# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.

[DEFAULT]

#
# MISCELLANEOUS OPTIONS
#

# "bantime.increment" allows to use database for searching of previously banned ip's to increase a 
# default ban time using special formula, default it is banTime * 1, 2, 4, 8, 16, 32...
#bantime.increment = true

# "bantime.rndtime" is the max number of seconds using for mixing with random time 
# to prevent "clever" botnets calculate exact time IP can be unbanned again:
#bantime.rndtime = 

# "bantime.maxtime" is the max number of seconds using the ban time can reach (doesn't grow further)
#bantime.maxtime = 

# "bantime.factor" is a coefficient to calculate exponent growing of the formula or common multiplier,
# default value of factor is 1 and with default value of formula, the ban time 
# grows by 1, 2, 4, 8, 16 ...
#bantime.factor = 1

# "bantime.formula" used by default to calculate next value of ban time, default value below,
# the same ban time growing will be reached by multipliers 1, 2, 4, 8, 16, 32...
#bantime.formula = ban.Time * (1<<(ban.Count if ban.Count<20 else 20)) * banFactor
#
# more aggressive example of formula has the same values only for factor "2.0 / 2.885385" :
#bantime.formula = ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)

# "bantime.multipliers" used to calculate next value of ban time instead of formula, coresponding 
# previously ban count and given "bantime.factor" (for multipliers default is 1);
# following example grows ban time by 1, 2, 4, 8, 16 ... and if last ban count greater as multipliers count, 
# always used last multiplier (64 in example), for factor '1' and original ban time 600 - 10.6 hours
#bantime.multipliers = 1 2 4 8 16 32 64
# following example can be used for small initial ban time (bantime=60) - it grows more aggressive at begin,
# for bantime=60 the multipliers are minutes and equal: 1 min, 5 min, 30 min, 1 hour, 5 hour, 12 hour, 1 day, 2 day
#bantime.multipliers = 1 5 30 60 300 720 1440 2880

# "bantime.overalljails" (if true) specifies the search of IP in the database will be executed 
# cross over all jails, if false (dafault), only current jail of the ban IP will be searched
#bantime.overalljails = false

# --------------------

# "ignoreself" specifies whether the local resp. own IP addresses should be ignored
# (default is true). Fail2ban will not ban a host which matches such addresses.
#ignoreself = true

# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
# will not ban a host which matches an address in this list. Several addresses
# can be defined using space (and/or comma) separator.
#ignoreip = 127.0.0.1/8 ::1

# External command that will take an tagged arguments to ignore, e.g. <ip>,
# and return true if the IP is to be ignored. False otherwise.
#
# ignorecommand = /path/to/command <ip>
ignorecommand =

# "bantime" is the number of seconds that a host is banned.
bantime  = 10m

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 10m

# "maxretry" is the number of failures before a host get banned.
maxretry = 5

# "maxmatches" is the number of matches stored in ticket (resolvable via tag <matches> in actions).
maxmatches = %(maxretry)s

# "backend" specifies the backend used to get files modification.
# Available options are "pyinotify", "gamin", "polling", "systemd" and "auto".
# This option can be overridden in each jail as well.
#
# pyinotify: requires pyinotify (a file alteration monitor) to be installed.
#              If pyinotify is not installed, Fail2ban will use auto.
# gamin:     requires Gamin (a file alteration monitor) to be installed.
#              If Gamin is not installed, Fail2ban will use auto.
# polling:   uses a polling algorithm which does not require external libraries.
# systemd:   uses systemd python library to access the systemd journal.
#              Specifying "logpath" is not valid for this backend.
#              See "journalmatch" in the jails associated filter config
# auto:      will try to use the following backends, in order:
#              pyinotify, gamin, polling.
#
# Note: if systemd backend is chosen as the default but you enable a jail
#       for which logs are present only in its own log files, specify some other
#       backend for that jail (e.g. polling) and provide empty value for
#       journalmatch. See https://github.com/fail2ban/fail2ban/issues/959#issuecomment-74901200
backend = auto

# "usedns" specifies if jails should trust hostnames in logs,
#   warn when DNS lookups are performed, or ignore all hostnames in logs
#
# yes:   if a hostname is encountered, a DNS lookup will be performed.
# warn:  if a hostname is encountered, a DNS lookup will be performed,
#        but it will be logged as a warning.
# no:    if a hostname is encountered, will not be used for banning,
#        but it will be logged as info.
# raw:   use raw value (no hostname), allow use it for no-host filters/actions (example user)
usedns = warn

# "logencoding" specifies the encoding of the log files handled by the jail
#   This is used to decode the lines from the log file.
#   Typical examples:  "ascii", "utf-8"
#
#   auto:   will use the system locale setting
logencoding = auto

# "enabled" enables the jails.
#  By default all jails are disabled, and it should stay this way.
#  Enable only relevant to your setup jails in your .local or jail.d/*.conf
#
# true:  jail will be enabled and log files will get monitored for changes
# false: jail is not enabled
enabled = false


# "mode" defines the mode of the filter (see corresponding filter implementation for more info).
mode = normal

# "filter" defines the filter to use by the jail.
#  By default jails have names matching their filter name
#
filter = %(__name__)s[mode=%(mode)s]


#
# ACTIONS
#

# Some options used for actions

# Destination email address used solely for the interpolations in
# jail.{conf,local,d/*} configuration files.
destemail = root@localhost

# Sender email address used solely for some actions
sender = root@<fq-hostname>

# E-mail action. Since 0.8.1 Fail2Ban uses sendmail MTA for the
# mailing. Change mta configuration parameter to mail if you want to
# revert to conventional 'mail'.
mta = sendmail

# Default protocol
protocol = tcp

# Specify chain where jumps would need to be added in ban-actions expecting parameter chain
chain = <known/chain>

# Ports to be banned
# Usually should be overridden in a particular jail
port = 0:65535

# Format of user-agent https://tools.ietf.org/html/rfc7231#section-5.5.3
fail2ban_agent = Fail2Ban/%(fail2ban_version)s

#
# Action shortcuts. To be used to define action parameter

# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define
# action_* variables. Can be overridden globally or per
# section within jail.local file
banaction = iptables-multiport
banaction_allports = iptables-allports

# The simplest action to take: ban only
action_ = %(banaction)s[port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]

# ban & send an e-mail with whois report to the destemail.
action_mw = %(action_)s
            %(mta)s-whois[sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]

# ban & send an e-mail with whois report and relevant log lines
# to the destemail.
action_mwl = %(action_)s
             %(mta)s-whois-lines[sender="%(sender)s", dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"]

# See the IMPORTANT note in action.d/xarf-login-attack for when to use this action
#
# ban & send a xarf e-mail to abuse contact of IP address and include relevant log lines
# to the destemail.
action_xarf = %(action_)s
             xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath="%(logpath)s", port="%(port)s"]

# ban IP on CloudFlare & send an e-mail with whois report and relevant log lines
# to the destemail.
action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
                %(mta)s-whois-lines[sender="%(sender)s", dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"]

# Report block via blocklist.de fail2ban reporting service API
# 
# See the IMPORTANT note in action.d/blocklist_de.conf for when to use this action.
# Specify expected parameters in file action.d/blocklist_de.local or if the interpolation
# `action_blocklist_de` used for the action, set value of `blocklist_de_apikey`
# in your `jail.local` globally (section [DEFAULT]) or per specific jail section (resp. in 
# corresponding jail.d/my-jail.local file).
#
action_blocklist_de  = blocklist_de[email="%(sender)s", service="%(__name__)s", apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"]

# Report ban via badips.com, and use as blacklist
#
# See BadIPsAction docstring in config/action.d/badips.py for
# documentation for this action.
#
# NOTE: This action relies on banaction being present on start and therefore
# should be last action defined for a jail.
#
action_badips = badips.py[category="%(__name__)s", banaction="%(banaction)s", agent="%(fail2ban_agent)s"]
#
# Report ban via badips.com (uses action.d/badips.conf for reporting only)
#
action_badips_report = badips[category="%(__name__)s", agent="%(fail2ban_agent)s"]

# Report ban via abuseipdb.com.
#
# See action.d/abuseipdb.conf for usage example and details.
#
action_abuseipdb = abuseipdb

# Choose default action.  To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g.  action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
action = %(action_)s


#
# JAILS
#

#
# SSH servers
#

[sshd]

# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
mode   = normal
port    = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
maxretry = 2
findtime = 60
bantime = 3600


[dropbear]

port     = ssh
logpath  = %(dropbear_log)s
backend  = %(dropbear_backend)s


[selinux-ssh]

port     = ssh
logpath  = %(auditd_log)s


#
# HTTP servers
#

[apache-auth]

port     = http,https
logpath  = %(apache_error_log)s


[apache-badbots]
# Ban hosts which agent identifies spammer robots crawling the web
# for email addresses. The mail outputs are buffered.
port     = http,https
logpath  = %(apache_access_log)s
bantime  = 48h
maxretry = 1


[apache-noscript]

port     = http,https
logpath  = %(apache_error_log)s


[apache-overflows]

port     = http,https
logpath  = %(apache_error_log)s
maxretry = 2


[apache-nohome]

port     = http,https
logpath  = %(apache_error_log)s
maxretry = 2


[apache-botsearch]

port     = http,https
logpath  = %(apache_error_log)s
maxretry = 2


[apache-fakegooglebot]

port     = http,https
logpath  = %(apache_access_log)s
maxretry = 1
ignorecommand = %(ignorecommands_dir)s/apache-fakegooglebot <ip>


[apache-modsecurity]

port     = http,https
logpath  = %(apache_error_log)s
maxretry = 2


[apache-shellshock]

port    = http,https
logpath = %(apache_error_log)s
maxretry = 1


[openhab-auth]

filter = openhab
banaction = %(banaction_allports)s
logpath = /opt/openhab/logs/request.log


[nginx-http-auth]

port    = http,https
logpath = %(nginx_error_log)s

# To use 'nginx-limit-req' jail you should have `ngx_http_limit_req_module` 
# and define `limit_req` and `limit_req_zone` as described in nginx documentation
# http://nginx.org/en/docs/http/ngx_http_limit_req_module.html
# or for example see in 'config/filter.d/nginx-limit-req.conf'
[nginx-limit-req]
port    = http,https
logpath = %(nginx_error_log)s

[nginx-botsearch]

port     = http,https
logpath  = %(nginx_error_log)s
maxretry = 2


# Ban attackers that try to use PHP's URL-fopen() functionality
# through GET/POST variables. - Experimental, with more than a year
# of usage in production environments.

[php-url-fopen]

port    = http,https
logpath = %(nginx_access_log)s
          %(apache_access_log)s


[suhosin]

port    = http,https
logpath = %(suhosin_log)s


[lighttpd-auth]
# Same as above for Apache's mod_auth
# It catches wrong authentifications
port    = http,https
logpath = %(lighttpd_error_log)s


#
# Webmail and groupware servers
#

[roundcube-auth]

port     = http,https
logpath  = %(roundcube_errors_log)s
# Use following line in your jail.local if roundcube logs to journal.
#backend = %(syslog_backend)s


[openwebmail]

port     = http,https
logpath  = /var/log/openwebmail.log


[horde]

port     = http,https
logpath  = /var/log/horde/horde.log


[groupoffice]

port     = http,https
logpath  = /home/groupoffice/log/info.log


[sogo-auth]
# Monitor SOGo groupware server
# without proxy this would be:
# port    = 20000
port     = http,https
logpath  = /var/log/sogo/sogo.log


[tine20]

logpath  = /var/log/tine20/tine20.log
port     = http,https


#
# Web Applications
#
#

[drupal-auth]

port     = http,https
logpath  = %(syslog_daemon)s
backend  = %(syslog_backend)s

[guacamole]

port     = http,https
logpath  = /var/log/tomcat*/catalina.out
#logpath  = /var/log/guacamole.log

[monit]
#Ban clients brute-forcing the monit gui login
port = 2812
logpath  = /var/log/monit
           /var/log/monit.log


[webmin-auth]

port    = 10000
logpath = %(syslog_authpriv)s
backend = %(syslog_backend)s


[froxlor-auth]

port    = http,https
logpath  = %(syslog_authpriv)s
backend  = %(syslog_backend)s


#
# HTTP Proxy servers
#
#

[squid]

port     =  80,443,3128,8080
logpath = /var/log/squid/access.log


[3proxy]

port    = 3128
logpath = /var/log/3proxy.log


#
# FTP servers
#


[proftpd]

port     = ftp,ftp-data,ftps,ftps-data
logpath  = %(proftpd_log)s
backend  = %(proftpd_backend)s


[pure-ftpd]

port     = ftp,ftp-data,ftps,ftps-data
logpath  = %(pureftpd_log)s
backend  = %(pureftpd_backend)s


[gssftpd]

port     = ftp,ftp-data,ftps,ftps-data
logpath  = %(syslog_daemon)s
backend  = %(syslog_backend)s


[wuftpd]

port     = ftp,ftp-data,ftps,ftps-data
logpath  = %(wuftpd_log)s
backend  = %(wuftpd_backend)s


[vsftpd]
# or overwrite it in jails.local to be
# logpath = %(syslog_authpriv)s
# if you want to rely on PAM failed login attempts
# vsftpd's failregex should match both of those formats
port     = ftp,ftp-data,ftps,ftps-data
logpath  = %(vsftpd_log)s


#
# Mail servers
#

# ASSP SMTP Proxy Jail
[assp]

port     = smtp,465,submission
logpath  = /root/path/to/assp/logs/maillog.txt


[courier-smtp]

port     = smtp,465,submission
logpath  = %(syslog_mail)s
backend  = %(syslog_backend)s


[postfix]
# To use another modes set filter parameter "mode" in jail.local:
mode    = more
port    = smtp,465,submission
logpath = %(postfix_log)s
backend = %(postfix_backend)s


[postfix-rbl]

filter   = postfix[mode=rbl]
port     = smtp,465,submission
logpath  = %(postfix_log)s
backend  = %(postfix_backend)s
maxretry = 1


[sendmail-auth]

port    = submission,465,smtp
logpath = %(syslog_mail)s
backend = %(syslog_backend)s


[sendmail-reject]
# To use more aggressive modes set filter parameter "mode" in jail.local:
# normal (default), extra or aggressive
# See "tests/files/logs/sendmail-reject" or "filter.d/sendmail-reject.conf" for usage example and details.
#mode    = normal
port     = smtp,465,submission
logpath  = %(syslog_mail)s
backend  = %(syslog_backend)s


[qmail-rbl]

filter  = qmail
port    = smtp,465,submission
logpath = /service/qmail/log/main/current


# dovecot defaults to logging to the mail syslog facility
# but can be set by syslog_facility in the dovecot configuration.
#[dovecot]

#port    = pop3,pop3s,imap,imaps,submission,465,sieve
#logpath = %(dovecot_log)s
#backend = %(dovecot_backend)s


[sieve]

port   = smtp,465,submission
logpath = %(dovecot_log)s
backend = %(dovecot_backend)s


[solid-pop3d]

port    = pop3,pop3s
logpath = %(solidpop3d_log)s


[exim]
# see filter.d/exim.conf for further modes supported from filter:
#mode = normal
port   = smtp,465,submission
logpath = %(exim_main_log)s


[exim-spam]

port   = smtp,465,submission
logpath = %(exim_main_log)s


[kerio]

port    = imap,smtp,imaps,465
logpath = /opt/kerio/mailserver/store/logs/security.log


#
# Mail servers authenticators: might be used for smtp,ftp,imap servers, so
# all relevant ports get banned
#

[courier-auth]

port     = smtp,465,submission,imap,imaps,pop3,pop3s
logpath  = %(syslog_mail)s
backend  = %(syslog_backend)s


[postfix-sasl]

filter   = postfix[mode=auth]
port     = smtp,465,submission,imap,imaps,pop3,pop3s
# You might consider monitoring /var/log/mail.warn instead if you are
# running postfix since it would provide the same log lines at the
# "warn" level but overall at the smaller filesize.
logpath  = %(postfix_log)s
backend  = %(postfix_backend)s


[perdition]

port   = imap,imaps,pop3,pop3s
logpath = %(syslog_mail)s
backend = %(syslog_backend)s


[squirrelmail]

port = smtp,465,submission,imap,imap2,imaps,pop3,pop3s,http,https,socks
logpath = /var/lib/squirrelmail/prefs/squirrelmail_access_log


[cyrus-imap]

port   = imap,imaps
logpath = %(syslog_mail)s
backend = %(syslog_backend)s


[uwimap-auth]

port   = imap,imaps
logpath = %(syslog_mail)s
backend = %(syslog_backend)s


#
#
# DNS servers
#


# !!! WARNING !!!
#   Since UDP is connection-less protocol, spoofing of IP and imitation
#   of illegal actions is way too simple.  Thus enabling of this filter
#   might provide an easy way for implementing a DoS against a chosen
#   victim. See
#    http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
#   Please DO NOT USE this jail unless you know what you are doing.
#
# IMPORTANT: see filter.d/named-refused for instructions to enable logging
# This jail blocks UDP traffic for DNS requests.
# [named-refused-udp]
#
# filter   = named-refused
# port     = domain,953
# protocol = udp
# logpath  = /var/log/named/security.log

# IMPORTANT: see filter.d/named-refused for instructions to enable logging
# This jail blocks TCP traffic for DNS requests.

[named-refused]

port     = domain,953
logpath  = /var/log/named/security.log


[nsd]

port     = 53
action_  = %(default/action_)s[name=%(__name__)s-tcp, protocol="tcp"]
           %(default/action_)s[name=%(__name__)s-udp, protocol="udp"]
logpath = /var/log/nsd.log


#
# Miscellaneous
#

[asterisk]

port     = 5060,5061
action_  = %(default/action_)s[name=%(__name__)s-tcp, protocol="tcp"]
           %(default/action_)s[name=%(__name__)s-udp, protocol="udp"]
logpath  = /var/log/asterisk/messages
maxretry = 10


[freeswitch]

port     = 5060,5061
action_  = %(default/action_)s[name=%(__name__)s-tcp, protocol="tcp"]
           %(default/action_)s[name=%(__name__)s-udp, protocol="udp"]
logpath  = /var/log/freeswitch.log
maxretry = 10


# enable adminlog; it will log to a file inside znc's directory by default.
[znc-adminlog]

port     = 6667
logpath  = /var/lib/znc/moddata/adminlog/znc.log


# To log wrong MySQL access attempts add to /etc/my.cnf in [mysqld] or
# equivalent section:
# log-warnings = 2
#
# for syslog (daemon facility)
# [mysqld_safe]
# syslog
#
# for own logfile
# [mysqld]
# log-error=/var/log/mysqld.log
[mysqld-auth]

port     = 3306
logpath  = %(mysql_log)s
backend  = %(mysql_backend)s


# Log wrong MongoDB auth (for details see filter 'filter.d/mongodb-auth.conf')
[mongodb-auth]
# change port when running with "--shardsvr" or "--configsvr" runtime operation
port     = 27017
logpath  = /var/log/mongodb/mongodb.log


# Jail for more extended banning of persistent abusers
# !!! WARNINGS !!!
# 1. Make sure that your loglevel specified in fail2ban.conf/.local
#    is not at DEBUG level -- which might then cause fail2ban to fall into
#    an infinite loop constantly feeding itself with non-informative lines
# 2. Increase dbpurgeage defined in fail2ban.conf to e.g. 648000 (7.5 days)
#    to maintain entries for failed logins for sufficient amount of time
[recidive]

logpath  = /var/log/fail2ban.log
banaction = %(banaction_allports)s
bantime  = 1w
findtime = 1d


# Generic filter for PAM. Has to be used with action which bans all
# ports such as iptables-allports, shorewall

[pam-generic]
# pam-generic filter can be customized to monitor specific subset of 'tty's
banaction = %(banaction_allports)s
logpath  = %(syslog_authpriv)s
backend  = %(syslog_backend)s


[xinetd-fail]

banaction = iptables-multiport-log
logpath   = %(syslog_daemon)s
backend   = %(syslog_backend)s
maxretry  = 2


# stunnel - need to set port for this
[stunnel]

logpath = /var/log/stunnel4/stunnel.log


[ejabberd-auth]

port    = 5222
logpath = /var/log/ejabberd/ejabberd.log


[counter-strike]

logpath = /opt/cstrike/logs/L[0-9]*.log
tcpport = 27030,27031,27032,27033,27034,27035,27036,27037,27038,27039
udpport = 1200,27000,27001,27002,27003,27004,27005,27006,27007,27008,27009,27010,27011,27012,27013,27014,27015
action_  = %(default/action_)s[name=%(__name__)s-tcp, port="%(tcpport)s", protocol="tcp"]
           %(default/action_)s[name=%(__name__)s-udp, port="%(udpport)s", protocol="udp"]

[softethervpn]
port     = 500,4500
protocol = udp
logpath  = /usr/local/vpnserver/security_log/*/sec.log

[gitlab]
port    = http,https
logpath = /var/log/gitlab/gitlab-rails/application.log

[grafana]
port    = http,https
logpath = /var/log/grafana/grafana.log

[bitwarden]
port    = http,https
logpath = /home/*/bwdata/logs/identity/Identity/log.txt

[centreon]
port    = http,https
logpath = /var/log/centreon/login.log

# consider low maxretry and a long bantime
# nobody except your own Nagios server should ever probe nrpe
[nagios]

logpath  = %(syslog_daemon)s     ; nrpe.cfg may define a different log_facility
backend  = %(syslog_backend)s
maxretry = 1


[oracleims]
# see "oracleims" filter file for configuration requirement for Oracle IMS v6 and above
logpath = /opt/sun/comms/messaging64/log/mail.log_current
banaction = %(banaction_allports)s

[directadmin]
logpath = /var/log/directadmin/login.log
port = 2222

[portsentry]
logpath  = /var/lib/portsentry/portsentry.history
maxretry = 1

[pass2allow-ftp]
# this pass2allow example allows FTP traffic after successful HTTP authentication
port         = ftp,ftp-data,ftps,ftps-data
# knocking_url variable must be overridden to some secret value in jail.local
knocking_url = /knocking/
filter       = apache-pass[knocking_url="%(knocking_url)s"]
# access log of the website with HTTP auth
logpath      = %(apache_access_log)s
blocktype    = RETURN
returntype   = DROP
action       = %(action_)s[blocktype=%(blocktype)s, returntype=%(returntype)s,
                        actionstart_on_demand=false, actionrepair_on_unban=true]
bantime      = 1h
maxretry     = 1
findtime     = 1


[murmur]
# AKA mumble-server
port     = 64738
action_  = %(default/action_)s[name=%(__name__)s-tcp, protocol="tcp"]
           %(default/action_)s[name=%(__name__)s-udp, protocol="udp"]
logpath  = /var/log/mumble-server/mumble-server.log


[screensharingd]
# For Mac OS Screen Sharing Service (VNC)
logpath  = /var/log/system.log
logencoding = utf-8

[haproxy-http-auth]
# HAProxy by default doesn't log to file you'll need to set it up to forward
# logs to a syslog server which would then write them to disk.
# See "haproxy-http-auth" filter for a brief cautionary note when setting
# maxretry and findtime.
logpath  = /var/log/haproxy.log

[slapd] port    = ldap,ldaps
logpath = /var/log/slapd.log

[domino-smtp]
port    = smtp,ssmtp
logpath = /home/domino01/data/IBM_TECHNICAL_SUPPORT/console.log

[phpmyadmin-syslog]
port    = http,https
logpath = %(syslog_authpriv)s
backend = %(syslog_backend)s


[zoneminder]
# Zoneminder HTTP/HTTPS web interface auth
# Logs auth failures to apache2 error log
port    = http,https
logpath = %(apache_error_log)s

[traefik-auth]
# to use 'traefik-auth' filter you have to configure your Traefik instance,
# see `filter.d/traefik-auth.conf` for details and service example.
port    = http,https
logpath = /var/log/traefik/access.log

[scanlogd]
logpath = %(syslog_local0)s
banaction = %(banaction_allports)s

#[dovecot-pop3imap]
#enabled = true
#filter = dovecot-pop3imap
#action = iptables-multiport[name=dovecot-pop3imap, port="pop3,imap", protocol=tcp]
#logpath = /var/log/mail.log
#maxretry = 1
#findtime = 1200
#bantime = 1200

[sasl]
enabled  = true
port     = smtp
filter   = postfix-sasl
logpath  = /var/log/mail.log
maxretry = 1

#[dovecot-test]
#enabled = true
#port = pop3,pop3s,imap,imaps
#filter = dovecot
#logpath = /var/log/mail.log
#maxretry = 1

[dovecot]
enabled  = true
action   = iptables-ipset-proto6[protocol=tcp,name=sshd,bantime=86400]
port     = 25,465,587
filter   = dovecot
logpath  = /var/log/auth.log
maxretry = 3
findtime = 1200
bantime = 3600
ignoreip = 127.0.0.0/8

/etc/fail2ban/jail.d/defaults-debian.conf

[sshd]
enabled = true

[postfix]
enabled = true

[postfix-sasl]
enabled = true

/etc/fail2ban/filter.d/sshd.conf

# Fail2Ban filter for openssh
#
# If you want to protect OpenSSH from being bruteforced by password
# authentication then get public key authentication working before disabling
# PasswordAuthentication in sshd_config.
#
#
# "Connection from <HOST> port \d+" requires LogLevel VERBOSE in sshd_config
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[DEFAULT]

_daemon = sshd

# optional prefix (logged from several ssh versions) like "error: ", "error: PAM: " or "fatal: "
__pref = (?:(?:error|fatal): (?:PAM: )?)?
# optional suffix (logged from several ssh versions) like " [preauth]"
#__suff = (?: port \d+)?(?: \[preauth\])?\s*
__suff = (?: (?:port \d+|on \S+|\[preauth\])){0,3}\s*
__on_port_opt = (?: (?:port \d+|on \S+)){0,2}
# close by authenticating user:
__authng_user = (?: (?:invalid|authenticating) user <F-USER>\S+|.*?</F-USER>)?

# for all possible (also future) forms of "no matching (cipher|mac|MAC|compression method|key exchange method|host key type) found",
# see ssherr.c for all possible SSH_ERR_..._ALG_MATCH errors.
__alg_match = (?:(?:\w+ (?!found\b)){0,2}\w+)

# PAM authentication mechanism, can be overridden, e. g. `filter = sshd[__pam_auth='pam_ldap']`:
__pam_auth = pam_[a-z]+

[Definition]

prefregex = ^<F-MLFID>%(__prefix_line)s</F-MLFID>%(__pref)s<F-CONTENT>.+</F-CONTENT>$

cmnfailre = ^[aA]uthentication (?:failure|error|failed) for <F-USER>.*</F-USER> from <HOST>( via \S+)?%(__suff)s$
            ^User not known to the underlying authentication module for <F-USER>.*</F-USER> from <HOST>%(__suff)s$
            <cmnfailre-failed-pub-<publickey>>
            ^Failed <cmnfailed> for (?P<cond_inv>invalid user )?<F-USER>(?P<cond_user>\S+)|(?(cond_inv)(?:(?! from ).)*?|[^:]+)</F-USER> from <HOST>%(__on_port_opt)s(?: ssh\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)
            ^<F-USER>ROOT</F-USER> LOGIN REFUSED FROM <HOST>
            ^[iI](?:llegal|nvalid) user <F-USER>.*?</F-USER> from <HOST>%(__suff)s$
            ^User <F-USER>\S+|.*?</F-USER> from <HOST> not allowed because not listed in AllowUsers%(__suff)s$
            ^User <F-USER>\S+|.*?</F-USER> from <HOST> not allowed because listed in DenyUsers%(__suff)s$
            ^User <F-USER>\S+|.*?</F-USER> from <HOST> not allowed because not in any group%(__suff)s$
            ^refused connect from \S+ \(<HOST>\)
            ^Received <F-MLFFORGET>disconnect</F-MLFFORGET> from <HOST>%(__on_port_opt)s:\s*3: .*: Auth fail%(__suff)s$
            ^User <F-USER>\S+|.*?</F-USER> from <HOST> not allowed because a group is listed in DenyGroups%(__suff)s$
            ^User <F-USER>\S+|.*?</F-USER> from <HOST> not allowed because none of user's groups are listed in AllowGroups%(__suff)s$
            ^<F-NOFAIL>%(__pam_auth)s\(sshd:auth\):\s+authentication failure;</F-NOFAIL>(?:\s+(?:(?:logname|e?uid|tty)=\S*)){0,4}\s+ruser=<F-ALT_USER>\S*</F-ALT_USER>\s+rhost=<HOST>(?:\s+user=<F-USER>\S*</F-USER>)?%(__suff)s$
            ^maximum authentication attempts exceeded for <F-USER>.*</F-USER> from <HOST>%(__on_port_opt)s(?: ssh\d*)?%(__suff)s$
            ^User <F-USER>\S+|.*?</F-USER> not allowed because account is locked%(__suff)s
            ^<F-MLFFORGET>Disconnecting</F-MLFFORGET>(?: from)?(?: (?:invalid|authenticating)) user <F-USER>\S+</F-USER> <HOST>%(__on_port_opt)s:\s*Change of username or service not allowed:\s*.*\[preauth\]\s*$
            ^Disconnecting: Too many authentication failures(?: for <F-USER>\S+|.*?</F-USER>)?%(__suff)s$
            ^<F-NOFAIL>Received <F-MLFFORGET>disconnect</F-MLFFORGET></F-NOFAIL> from <HOST>%(__on_port_opt)s:\s*11:
            <mdre-<mode>-other>
            ^<F-MLFFORGET><F-MLFGAINED>Accepted \w+</F-MLFGAINED></F-MLFFORGET> for <F-USER>\S+</F-USER> from <HOST>(?:\s|$)

cmnfailed-any = \S+
cmnfailed-ignore = \b(?!publickey)\S+
cmnfailed-invalid = <cmnfailed-ignore>
cmnfailed-nofail = (?:<F-NOFAIL>publickey</F-NOFAIL>|\S+)
cmnfailed = <cmnfailed-<publickey>>

mdre-normal =
# used to differentiate "connection closed" with and without `[preauth]` (fail/nofail cases in ddos mode)
mdre-normal-other = ^<F-NOFAIL><F-MLFFORGET>(Connection closed|Disconnected)</F-MLFFORGET></F-NOFAIL> (?:by|from)%(__authng_user)s <HOST>(?:%(__suff)s|\s*)$

mdre-ddos = ^Did not receive identification string from <HOST>
            ^kex_exchange_identification: (?:[Cc]lient sent invalid protocol identifier|[Cc]onnection closed by remote host)
            ^Bad protocol version identification '.*' from <HOST>
            ^<F-NOFAIL>SSH: Server;Ltype:</F-NOFAIL> (?:Authname|Version|Kex);Remote: <HOST>-\d+;[A-Z]\w+:
            ^Read from socket failed: Connection <F-MLFFORGET>reset</F-MLFFORGET> by peer
# same as mdre-normal-other, but as failure (without <F-NOFAIL>) and [preauth] only:
mdre-ddos-other = ^<F-MLFFORGET>(Connection (?:closed|reset)|Disconnected)</F-MLFFORGET> (?:by|from)%(__authng_user)s <HOST>%(__on_port_opt)s\s+\[preauth\]\s*$

mdre-extra = ^Received <F-MLFFORGET>disconnect</F-MLFFORGET> from <HOST>%(__on_port_opt)s:\s*14: No(?: supported)? authentication methods available
            ^Unable to negotiate with <HOST>%(__on_port_opt)s: no matching <__alg_match> found.
            ^Unable to negotiate a <__alg_match>
            ^no matching <__alg_match> found:
# part of mdre-ddos-other, but user name is supplied (invalid/authenticating) on [preauth] phase only:
mdre-extra-other = ^<F-MLFFORGET>Disconnected</F-MLFFORGET>(?: from)?(?: (?:invalid|authenticating)) user <F-USER>\S+|.*?</F-USER> <HOST>%(__on_port_opt)s \[preauth\]\s*$

mdre-aggressive = %(mdre-ddos)s
                  %(mdre-extra)s
# mdre-extra-other is fully included within mdre-ddos-other:
mdre-aggressive-other = %(mdre-ddos-other)s

# Parameter "publickey": nofail (default), invalid, any, ignore
publickey = nofail
# consider failed publickey for invalid users only:
cmnfailre-failed-pub-invalid = ^Failed publickey for invalid user <F-USER>(?P<cond_user>\S+)|(?:(?! from ).)*?</F-USER> from <HOST>%(__on_port_opt)s(?: ssh\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)
# consider failed publickey for valid users too (don't need RE, see cmnfailed):
cmnfailre-failed-pub-any =
# same as invalid, but consider failed publickey for valid users too, just as no failure (helper to get IP and user-name only, see cmnfailed):
cmnfailre-failed-pub-nofail = <cmnfailre-failed-pub-invalid>
# don't consider failed publickey as failures (don't need RE, see cmnfailed):
cmnfailre-failed-pub-ignore =

cfooterre = ^<F-NOFAIL>Connection from</F-NOFAIL> <HOST>

failregex = %(cmnfailre)s
            <mdre-<mode>>
            %(cfooterre)s

# Parameter "mode": normal (default), ddos, extra or aggressive (combines all)
# Usage example (for jail.local):
#   [sshd]
#   mode = extra
#   # or another jail (rewrite filter parameters of jail):
#   [sshd-aggressive]
#   filter = sshd[mode=aggressive]
#
mode = normal

#filter = sshd[mode=aggressive]

ignoreregex = 

maxlines = 1

journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd

# DEV Notes:
#
#   "Failed \S+ for .*? from <HOST>..." failregex uses non-greedy catch-all because
#   it is coming before use of <HOST> which is not hard-anchored at the end as well,
#   and later catch-all's could contain user-provided input, which need to be greedily
#   matched away first.
#
# Author: Cyril Jaquier, Yaroslav Halchenko, Petr Voralek, Daniel Black and Sergey Brester aka sebres
# Rewritten using prefregex (and introduced "mode" parameter) by Serg G. Brester.

kB Team-Icon

Supporter, Wikiteam
Avatar von kB

Anmeldungsdatum:
4. Oktober 2007

Beiträge: 9680

Wohnort: Münster

gnude schrieb:

[…] Die Frage ist ob Fail2ban überhaupt läuft.

Nun, Du hast das Wiki fail2ban gelesen? Und fail2ban-server fehlerfrei gestartet? Und Du siehst den gestarteten Prozess?

Sonst läuft es nicht.

Antworten |