Vesta Control Panel - Forum

Fail2ban - banned list

Nanotraktor
Posts: 129
Joined: Tue Mar 08, 2016 8:03 pm

Os: CentOS 6x
Web: nginx + php-fpm
Re: Fail2ban - banned list

Post by Nanotraktor » Mon Mar 28, 2016 12:45 pm

/var/log/secure ?

usr999
Posts: 78
Joined: Sat Jul 25, 2015 3:37 pm

Re: Fail2ban - banned list

Post by usr999 » Mon Mar 28, 2016 4:36 pm

/var/log/secure
tail -n100 /var/log/secure
Mar 28 12:35:34 IX-0238 sshd[18650]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Mar 28 12:35:34 IX-0238 sshd[18579]: Failed password for root from 222.186.21.226 port 4513 ssh2
Mar 28 12:35:34 IX-0238 sshd[18579]: fatal: Read from socket failed: Connection reset by peer [preauth]
Mar 28 12:35:34 IX-0238 sshd[18579]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.21.226 user=root
Mar 28 12:35:34 IX-0238 sshd[18579]: PAM service(sshd) ignoring max retries; 5 > 3
Mar 28 12:35:35 IX-0238 sshd[18650]: Failed password for root from 121.12.127.94 port 4917 ssh2
Mar 28 12:35:36 IX-0238 sshd[18650]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Mar 28 12:35:37 IX-0238 sshd[18785]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.21.226 user=root
Mar 28 12:35:37 IX-0238 sshd[18785]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Mar 28 12:35:37 IX-0238 sshd[18650]: Failed password for root from 121.12.127.94 port 4917 ssh2
Mar 28 12:35:39 IX-0238 sshd[18650]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Mar 28 12:35:39 IX-0238 sshd[18785]: Failed password for root from 222.186.21.226 port 4978 ssh2
Mar 28 12:35:39 IX-0238 sshd[18787]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=121.12.127.94 user=root
Mar 28 12:35:39 IX-0238 sshd[18787]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Mar 28 12:35:39 IX-0238 sshd[18785]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Mar 28 12:35:41 IX-0238 sshd[18650]: Failed password for root from 121.12.127.94 port 4917 ssh2
Mar 28 12:35:42 IX-0238 sshd[18787]: Failed password for root from 121.12.127.94 port 3498 ssh2
Mar 28 12:35:42 IX-0238 sshd[18785]: Failed password for root from 222.186.21.226 port 4978 ssh2
Mar 28 12:35:42 IX-0238 sshd[18787]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Mar 28 12:35:42 IX-0238 sshd[18785]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Mar 28 12:35:43 IX-0238 sshd[18650]: fatal: Read from socket failed: Connection reset by peer [preauth]
Mar 28 12:35:43 IX-0238 sshd[18650]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=121.12.127.94 user=root
Mar 28 12:35:43 IX-0238 sshd[18650]: PAM service(sshd) ignoring max retries; 5 > 3
Mar 28 12:35:44 IX-0238 sshd[18787]: Failed password for root from 121.12.127.94 port 3498 ssh2
Mar 28 12:35:44 IX-0238 sshd[18785]: Failed password for root from 222.186.21.226 port 4978 ssh2
Mar 28 12:35:44 IX-0238 sshd[18787]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Mar 28 12:35:44 IX-0238 sshd[18785]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Mar 28 12:35:45 IX-0238 sshd[18910]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=121.12.127.94 user=root
Mar 28 12:35:45 IX-0238 sshd[18910]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Mar 28 12:35:46 IX-0238 sshd[18787]: Failed password for root from 121.12.127.94 port 3498 ssh2
Mar 28 12:35:46 IX-0238 sshd[18785]: Failed password for root from 222.186.21.226 port 4978 ssh2
Mar 28 12:35:46 IX-0238 sshd[18785]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Mar 28 12:35:46 IX-0238 sshd[18787]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Mar 28 12:35:47 IX-0238 sshd[18910]: Failed password for root from 121.12.127.94 port 3517 ssh2
Mar 28 12:35:47 IX-0238 sshd[18910]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Mar 28 12:35:48 IX-0238 sshd[18785]: Failed password for root from 222.186.21.226 port 4978 ssh2
Mar 28 12:35:48 IX-0238 sshd[18787]: Failed password for root from 121.12.127.94 port 3498 ssh2
Mar 28 12:35:48 IX-0238 sshd[18787]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Mar 28 12:35:49 IX-0238 sshd[18785]: fatal: Read from socket failed: Connection reset by peer [preauth]
Mar 28 12:35:49 IX-0238 sshd[18785]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.21.226 user=root
Mar 28 12:35:49 IX-0238 sshd[18785]: PAM service(sshd) ignoring max retries; 5 > 3
Mar 28 12:35:49 IX-0238 sshd[18910]: Failed password for root from 121.12.127.94 port 3517 ssh2
Mar 28 12:35:49 IX-0238 sshd[18910]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Mar 28 12:35:51 IX-0238 sshd[18787]: Failed password for root from 121.12.127.94 port 3498 ssh2
Mar 28 12:35:51 IX-0238 sshd[18787]: fatal: Read from socket failed: Connection reset by peer [preauth]
Mar 28 12:35:51 IX-0238 sshd[18787]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=121.12.127.94 user=root
Mar 28 12:35:51 IX-0238 sshd[18787]: PAM service(sshd) ignoring max retries; 5 > 3
Mar 28 12:35:51 IX-0238 sshd[18910]: Failed password for root from 121.12.127.94 port 3517 ssh2
Mar 28 12:35:52 IX-0238 sshd[18910]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Mar 28 12:35:53 IX-0238 sshd[19069]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=121.12.127.94 user=root
Mar 28 12:35:53 IX-0238 sshd[19069]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Mar 28 12:35:53 IX-0238 sshd[18910]: Failed password for root from 121.12.127.94 port 3517 ssh2
Mar 28 12:35:54 IX-0238 sshd[18910]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Mar 28 12:35:54 IX-0238 sshd[19072]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.21.226 user=root
Mar 28 12:35:54 IX-0238 sshd[19072]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Mar 28 12:35:55 IX-0238 sshd[19069]: Failed password for root from 121.12.127.94 port 2796 ssh2
Mar 28 12:35:55 IX-0238 sshd[18910]: Failed password for root from 121.12.127.94 port 3517 ssh2
Mar 28 12:35:55 IX-0238 sshd[19069]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Mar 28 12:35:56 IX-0238 sshd[18910]: fatal: Read from socket failed: Connection reset by peer [preauth]
Mar 28 12:35:56 IX-0238 sshd[18910]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=121.12.127.94 user=root
Mar 28 12:35:56 IX-0238 sshd[18910]: PAM service(sshd) ignoring max retries; 5 > 3
Mar 28 12:35:56 IX-0238 sshd[19072]: Failed password for root from 222.186.21.226 port 1762 ssh2
Mar 28 12:35:56 IX-0238 sshd[19072]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Mar 28 12:35:57 IX-0238 sshd[19069]: Failed password for root from 121.12.127.94 port 2796 ssh2
Mar 28 12:35:58 IX-0238 sshd[19105]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=121.12.127.94 user=root
Mar 28 12:35:58 IX-0238 sshd[19105]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Mar 28 12:35:58 IX-0238 sshd[19072]: Failed password for root from 222.186.21.226 port 1762 ssh2
Mar 28 12:35:58 IX-0238 sshd[19069]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Mar 28 12:35:58 IX-0238 sshd[19072]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Mar 28 12:35:59 IX-0238 sshd[19105]: Failed password for root from 121.12.127.94 port 4525 ssh2
Mar 28 12:36:00 IX-0238 sshd[19069]: Failed password for root from 121.12.127.94 port 2796 ssh2
Mar 28 12:36:00 IX-0238 sshd[19072]: Failed password for root from 222.186.21.226 port 1762 ssh2
Mar 28 12:36:00 IX-0238 sshd[19069]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Mar 28 12:36:00 IX-0238 sshd[19105]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Mar 28 12:36:00 IX-0238 sshd[19072]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Mar 28 12:36:03 IX-0238 sshd[19069]: Failed password for root from 121.12.127.94 port 2796 ssh2
Mar 28 12:36:03 IX-0238 sshd[19105]: Failed password for root from 121.12.127.94 port 4525 ssh2
Mar 28 12:36:03 IX-0238 sshd[19072]: Failed password for root from 222.186.21.226 port 1762 ssh2
Mar 28 12:36:03 IX-0238 sshd[19069]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Mar 28 12:36:03 IX-0238 sshd[19105]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Mar 28 12:36:03 IX-0238 sshd[19072]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Mar 28 12:36:05 IX-0238 sshd[19069]: Failed password for root from 121.12.127.94 port 2796 ssh2
Mar 28 12:36:05 IX-0238 sshd[19105]: Failed password for root from 121.12.127.94 port 4525 ssh2
Mar 28 12:36:05 IX-0238 sshd[19072]: Failed password for root from 222.186.21.226 port 1762 ssh2
Mar 28 12:36:05 IX-0238 sshd[19069]: fatal: Read from socket failed: Connection reset by peer [preauth]
Mar 28 12:36:05 IX-0238 sshd[19069]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=121.12.127.94 user=root
Mar 28 12:36:05 IX-0238 sshd[19069]: PAM service(sshd) ignoring max retries; 5 > 3
Mar 28 12:36:05 IX-0238 sshd[19105]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Mar 28 12:36:05 IX-0238 sshd[19072]: fatal: Read from socket failed: Connection reset by peer [preauth]
Mar 28 12:36:05 IX-0238 sshd[19072]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.21.226 user=root
Mar 28 12:36:05 IX-0238 sshd[19072]: PAM service(sshd) ignoring max retries; 5 > 3
Mar 28 12:36:07 IX-0238 sshd[19105]: Failed password for root from 121.12.127.94 port 4525 ssh2
Mar 28 12:36:08 IX-0238 sshd[19105]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Mar 28 12:36:09 IX-0238 sshd[19264]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=121.12.127.94 user=root
Mar 28 12:36:09 IX-0238 sshd[19264]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Mar 28 12:36:09 IX-0238 sshd[19105]: Failed password for root from 121.12.127.94 port 4525 ssh2
Mar 28 12:36:10 IX-0238 sshd[19105]: fatal: Read from socket failed: Connection reset by peer [preauth]
Mar 28 12:36:10 IX-0238 sshd[19105]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=121.12.127.94 user=root
Mar 28 12:36:10 IX-0238 sshd[19105]: PAM service(sshd) ignoring max retries; 5 > 3
Mar 28 12:36:11 IX-0238 sshd[19264]: Failed password for root from 121.12.127.94 port 4308 ssh2

usr999
Posts: 78
Joined: Sat Jul 25, 2015 3:37 pm

Re: Fail2ban - banned list

Post by usr999 » Wed Mar 30, 2016 7:40 pm

With the default settings, Fail2ban never started working.

Last failed login: Wed Mar 30 15:30:59 EDT 2016 from 222.186.21.135 on ssh:notty
There were 15035 failed login attempts since the last successful login.
Last login: Wed Mar 30 10:58:11 2016 from 45.32.233.169


By default, /etc/fail2ban/jail.conf
had enabled = false.
I enabled the jails:

Code: Select all

# "enabled" enables the jails.
#  By default all jails are disabled, and it should stay this way.
#  Enable only relevant to your setup jails in your .local or jail.d/*.conf
# 
# true:  jail will be enabled and log files will get monitored for changes
# false: jail is not enabled
#enabled = false
enabled = true
But after that fail2ban stopped starting; the errors say:

Code: Select all

[root@IX-0238 fail2ban]# service fail2ban restart
Redirecting to /bin/systemctl restart  fail2ban.service
Job for fail2ban.service failed because the control process exited with error code. See "systemctl status fail2ban.service" and "journalctl -xe" for details.

Code: Select all

[root@IX-0238 fail2ban]# journalctl -xe
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Начат процесс запуска юнита fail2ban.service.
мар 30 17:05:35 IX-0238.quadix.co fail2ban-client[683]: ERROR  No file(s) found for glob /var/log/lighttpd/error.log
мар 30 17:05:35 IX-0238.quadix.co fail2ban-client[683]: ERROR  Failed during configuration: Have not found any log file for lighttpd-auth j
мар 30 17:05:35 IX-0238.quadix.co systemd[1]: fail2ban.service: control process exited, code=exited status=255
мар 30 17:05:35 IX-0238.quadix.co systemd[1]: Failed to start Fail2Ban Service.
-- Subject: Ошибка юнита fail2ban.service
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Произошел сбой юнита fail2ban.service.
-- 
-- Результат: failed.
мар 30 17:05:35 IX-0238.quadix.co systemd[1]: Unit fail2ban.service entered failed state.
мар 30 17:05:35 IX-0238.quadix.co systemd[1]: fail2ban.service failed.
мар 30 17:05:35 IX-0238.quadix.co sshd[527]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
мар 30 17:05:35 IX-0238.quadix.co systemd[1]: fail2ban.service holdoff time over, scheduling restart.
мар 30 17:05:35 IX-0238.quadix.co systemd[1]: Starting Fail2Ban Service...
-- Subject: Начинается запуск юнита fail2ban.service
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Начат процесс запуска юнита fail2ban.service.
мар 30 17:05:35 IX-0238.quadix.co fail2ban-client[692]: ERROR  No file(s) found for glob /var/log/lighttpd/error.log
мар 30 17:05:35 IX-0238.quadix.co fail2ban-client[692]: ERROR  Failed during configuration: Have not found any log file for lighttpd-auth j
мар 30 17:05:35 IX-0238.quadix.co systemd[1]: fail2ban.service: control process exited, code=exited status=255
мар 30 17:05:35 IX-0238.quadix.co systemd[1]: Failed to start Fail2Ban Service.
-- Subject: Ошибка юнита fail2ban.service
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Произошел сбой юнита fail2ban.service.
-- 
-- Результат: failed.
мар 30 17:05:35 IX-0238.quadix.co systemd[1]: Unit fail2ban.service entered failed state.
мар 30 17:05:35 IX-0238.quadix.co systemd[1]: fail2ban.service failed.

It starts if I switch back to enabled = false in the jails, but then it doesn't block anything and runs idle.

The contents of jail.conf are exactly as here: https://github.com/fail2ban/fail2ban/bl ... /jail.conf
Last edited by usr999 on Wed Mar 30, 2016 9:10 pm, edited 1 time in total.
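
The startup failure in the post above can be checked for before restarting the service: with `enabled = true` applied to every jail, one enabled jail whose logpath matches no file (here lighttpd-auth) is enough to stop fail2ban. This is an added example, not part of the original post and not fail2ban's own code; the function names, both sample configurations and the stand-in for the host's file system are constructed, and it does not process `[INCLUDES]` files or non-file backends.

```python
import configparser
import glob

# Constructed sample: the change described in the post, every jail switched on.
SAMPLE_JAIL_CONF = """\
[DEFAULT]
enabled = true
ssh_log = /var/log/secure

[sshd]
port = ssh
logpath = %(ssh_log)s

[lighttpd-auth]
port = http,https
logpath = /var/log/lighttpd/error.log
"""

# Constructed sample: jails stay off by default, only sshd is enabled.
SAMPLE_JAIL_LOCAL = """\
[DEFAULT]
enabled = false
ssh_log = /var/log/secure

[sshd]
enabled = true
port = ssh
logpath = %(ssh_log)s
maxretry = 3

[lighttpd-auth]
port = http,https
logpath = /var/log/lighttpd/error.log
"""

def jails_without_logs(conf_text, glob_func=glob.glob):
    """Return [(jail, pattern)] for enabled jails whose logpath matches no file."""
    cfg = configparser.ConfigParser()
    cfg.read_string(conf_text)
    missing = []
    for jail in cfg.sections():          # [DEFAULT] is not listed as a section
        if jail == "INCLUDES":
            continue
        if not cfg.getboolean(jail, "enabled", fallback=False):
            continue
        # logpath may hold several whitespace-separated glob patterns
        for pattern in cfg.get(jail, "logpath", fallback="").split():
            if not glob_func(pattern):
                missing.append((jail, pattern))
    return missing

def constructed_host_glob(pattern):
    """Stand-in for glob.glob on a host with sshd logs but no lighttpd installed."""
    present = {"/var/log/secure"}
    return [pattern] if pattern in present else []

if __name__ == "__main__":
    for name, text in (("all jails on", SAMPLE_JAIL_CONF),
                       ("sshd only", SAMPLE_JAIL_LOCAL)):
        print(name, jails_without_logs(text, constructed_host_glob))
```

On a real host, call `jails_without_logs()` with the default `glob.glob` and the text of the local jail file.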

Mr.Erbutw
Posts: 1040
Joined: Tue Apr 29, 2014 10:05 pm

Os: CentOS 6x
Web: apache + nginx
Re: Fail2ban - banned list

Post by Mr.Erbutw » Wed Mar 30, 2016 8:22 pm

usr999 wrote: Is there a solution or not, since fail2ban apparently isn't helping?

Last failed login: Wed Mar 30 15:30:59 EDT 2016 from 222.186.21.135 on ssh:notty
There were 15035 failed login attempts since the last successful login.
Last login: Wed Mar 30 10:58:11 2016 from 45.32.233.169
fail2ban: I think the setting is *5 attempts by default for brute forcing.
You can tune it to your taste.

* - but it may be 3, I could be wrong

P.S. I recommend checking this section.

Code: Select all

[sshd]


port     = ssh
filter   = sshd
logpath  = %(ssh_log)s
maxretry = 3
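
How a `maxretry = 3` threshold plays out against the /var/log/secure excerpt posted earlier in the thread, as an added example that is not part of the original post and not fail2ban's code. The regular expression is a simplified stand-in for the sshd filter, `findtime` and `bantime` of 600 seconds are assumed values, and all lines are assumed to come from the same day.

```python
import re
from collections import defaultdict, deque

# Lines copied from the /var/log/secure excerpt posted earlier in the thread.
SAMPLE_LOG = """\
Mar 28 12:35:34 IX-0238 sshd[18579]: Failed password for root from 222.186.21.226 port 4513 ssh2
Mar 28 12:35:35 IX-0238 sshd[18650]: Failed password for root from 121.12.127.94 port 4917 ssh2
Mar 28 12:35:36 IX-0238 sshd[18650]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Mar 28 12:35:37 IX-0238 sshd[18650]: Failed password for root from 121.12.127.94 port 4917 ssh2
Mar 28 12:35:39 IX-0238 sshd[18785]: Failed password for root from 222.186.21.226 port 4978 ssh2
Mar 28 12:35:41 IX-0238 sshd[18650]: Failed password for root from 121.12.127.94 port 4917 ssh2
Mar 28 12:35:42 IX-0238 sshd[18787]: Failed password for root from 121.12.127.94 port 3498 ssh2
Mar 28 12:35:42 IX-0238 sshd[18785]: Failed password for root from 222.186.21.226 port 4978 ssh2
"""

# Simplified stand-in for the sshd filter: only "Failed password" lines count.
FAILED = re.compile(
    r"^\w{3}\s+\d+ (?P<ts>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\d+\.\d+\.\d+\.\d+) port"
)

def _seconds(hms):
    h, m, s = map(int, hms.split(":"))
    return h * 3600 + m * 60 + s

def _hms(t):
    return "%02d:%02d:%02d" % (t // 3600 % 24, t % 3600 // 60, t % 60)

def simulate_bans(log_text, maxretry=3, findtime=600, bantime=600):
    """Return {ip: (banned_at, unbanned_at)} for the first ban of each address."""
    recent = defaultdict(deque)   # ip -> failure times inside the findtime window
    bans = {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m or m["ip"] in bans:   # a banned address can no longer connect
            continue
        now = _seconds(m["ts"])
        window = recent[m["ip"]]
        window.append(now)
        while now - window[0] > findtime:   # forget failures older than findtime
            window.popleft()
        if len(window) >= maxretry:
            bans[m["ip"]] = (_hms(now), _hms(now + bantime))
    return bans

if __name__ == "__main__":
    for ip, (start, end) in simulate_bans(SAMPLE_LOG).items():
        print(ip, "banned", start, "until", end)
```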

usr999
Posts: 78
Joined: Sat Jul 25, 2015 3:37 pm

Re: Fail2ban - banned list

Post by usr999 » Wed Mar 30, 2016 9:16 pm

As I understand it, it is complaining about the rules in jail.conf because all the services are in there, but I tried leaving only sshd in it and that didn't help.

Mr.Erbutw
Posts: 1040
Joined: Tue Apr 29, 2014 10:05 pm

Os: CentOS 6x
Web: apache + nginx
Re: Fail2ban - banned list

Post by Mr.Erbutw » Wed Mar 30, 2016 10:40 pm

usr999 wrote: As I understand it, it is complaining about the rules in jail.conf because all the services are in there, but I tried leaving only sshd in it and that didn't help.
If it's CentOS 7.2, there is a bug in fail2ban-server-0.9.3-1.el7.noarch; it doesn't work properly.
I'll try installing a lower version.

usr999
Posts: 78
Joined: Sat Jul 25, 2015 3:37 pm

Re: Fail2ban - banned list

Post by usr999 » Wed Mar 30, 2016 11:12 pm

That's exactly the one I have.

cat /etc/redhat-release
CentOS Linux release 7.2.1511 (Core)

fail2ban-server-0.9.3-1.el7.noarch


Tell me how to reinstall it properly so that Vesta doesn't break.

Mr.Erbutw
Posts: 1040
Joined: Tue Apr 29, 2014 10:05 pm

Os: CentOS 6x
Web: apache + nginx
Re: Fail2ban - banned list

Post by Mr.Erbutw » Thu Mar 31, 2016 1:21 am

usr999 wrote: That's exactly the one I have.

cat /etc/redhat-release
CentOS Linux release 7.2.1511 (Core)

fail2ban-server-0.9.3-1.el7.noarch


Tell me how to reinstall it properly so that Vesta doesn't break.

Code: Select all

yum remove fail2ban

Code: Select all

yum autoremove
and

Code: Select all

wget ftp://ftp.pbone.net/mirror/archive.fedoraproject.org/fedora/linux/updates/8/i386.newkey/fail2ban-0.8.3-16.fc8.noarch.rpm

Code: Select all

yum install ./fail2ban-0.8.3-16.fc8.noarch.rpm 
It bans fine.
*Only it doesn't show (the bans) in the panel.
Last edited by Mr.Erbutw on Fri Apr 01, 2016 11:49 am, edited 1 time in total.

skurudo
VestaCP Team
Posts: 8099
Joined: Fri Dec 26, 2014 2:23 pm

Re: Fail2ban - banned list

Post by skurudo » Thu Mar 31, 2016 5:35 am

Alex Connor wrote: You can block them for longer too, if 600 seconds isn't enough ;)
Sometimes there's a chance of shooting yourself in the foot, so the time is up to you. )

s3inc
Posts: 42
Joined: Mon Mar 14, 2016 5:18 am

Re: Fail2ban - banned list

Post by s3inc » Wed Apr 06, 2016 8:27 am

Another question for the experts: how should I read this, "fail2ban brute-force monitor CPU: 5.3 Memory: 735 MB"? Is that the size of the logs? Or what is it? Where and how can I look at it?