Why doesn't Fail2ban work properly?
The fail2ban-server process itself shows up in top.
Failed login attempts are also written to the logs, but no blocking happens. I installed the panel less than a week ago and have not changed anything about fail2ban anywhere.
Ubuntu 16.04.
Then I looked through /var/log/fail2ban.log.
The filter does seem to trigger, but the IP is not actually banned. Another interesting thing in this log: there are matches only for vestacp, and none at all for ftp.
There are also some errors in /var/log/fail2ban.log:
SSH is not banned either. I have tried restarting the service.
/var/log/vsftpd.log
Fri Nov 17 06:23:55 2017 [pid 16639] CONNECT: Client "91.241.228.75"
Fri Nov 17 06:24:02 2017 [pid 16638] [admin] FAIL LOGIN: Client "91.241.228.75"
Fri Nov 17 06:24:08 2017 [pid 16648] CONNECT: Client "91.241.228.75"
Fri Nov 17 06:24:11 2017 [pid 16647] [admin] FAIL LOGIN: Client "91.241.228.75"
Fri Nov 17 06:24:18 2017 [pid 16656] CONNECT: Client "91.241.228.75"
Fri Nov 17 06:24:20 2017 [pid 16655] [admin] FAIL LOGIN: Client "91.241.228.75"
Fri Nov 17 06:24:26 2017 [pid 16664] CONNECT: Client "91.241.228.75"
Fri Nov 17 06:24:29 2017 [pid 16663] [admin] FAIL LOGIN: Client "91.241.228.75"
Fri Nov 17 06:24:35 2017 [pid 16673] CONNECT: Client "91.241.228.75"
Fri Nov 17 06:24:37 2017 [pid 16672] [admin] FAIL LOGIN: Client "91.241.228.75"
Fri Nov 17 06:24:43 2017 [pid 16683] CONNECT: Client "91.241.228.75"
Fri Nov 17 06:24:46 2017 [pid 16680] [admin] FAIL LOGIN: Client "91.241.228.75"
Fri Nov 17 06:24:52 2017 [pid 16690] CONNECT: Client "91.241.228.75"
Fri Nov 17 06:24:54 2017 [pid 16688] [admin] FAIL LOGIN: Client "91.241.228.75"
Fri Nov 17 06:25:00 2017 [pid 16700] CONNECT: Client "91.241.228.75"
Fri Nov 17 06:25:02 2017 [pid 16697] [admin] FAIL LOGIN: Client "91.241.228.75"
Fri Nov 17 06:25:09 2017 [pid 17135] CONNECT: Client "91.241.228.75"
Fri Nov 17 06:25:11 2017 [pid 17134] [admin] FAIL LOGIN: Client "91.241.228.75"
Fri Nov 17 06:25:17 2017 [pid 17143] CONNECT: Client "91.241.228.75"
Fri Nov 17 06:25:20 2017 [pid 17142] [admin] FAIL LOGIN: Client "91.241.228.75"
Fri Nov 17 06:25:26 2017 [pid 17153] CONNECT: Client "91.241.228.75"
Fri Nov 17 06:25:28 2017 [pid 17150] [admin] FAIL LOGIN: Client "91.241.228.75"
Fri Nov 17 06:25:34 2017 [pid 17161] CONNECT: Client "91.241.228.75"
Fri Nov 17 06:25:37 2017 [pid 17158] [admin] FAIL LOGIN: Client "91.241.228.75"
Fri Nov 17 06:26:50 2017 [pid 17169] CONNECT: Client "91.241.228.75"
Fri Nov 17 06:26:58 2017 [pid 17167] [admin] FAIL LOGIN: Client "91.241.228.75"
Fri Nov 17 06:27:04 2017 [pid 17178] CONNECT: Client "91.241.228.75"
Fri Nov 17 06:27:06 2017 [pid 17175] [admin] FAIL LOGIN: Client "91.241.228.75"
/var/log/vesta/auth.log
2017-11-17 06:21:28 admin 103.10.52.83 failed to login
2017-11-17 06:21:32 admin 103.10.52.83 failed to login
2017-11-17 06:21:40 admin 103.10.52.83 failed to login
2017-11-17 06:21:46 admin 103.10.52.83 failed to login
2017-11-17 06:21:52 admin 103.10.52.83 failed to login
2017-11-17 06:21:58 admin 103.10.52.83 failed to login
2017-11-17 06:22:04 admin 103.10.52.83 failed to login
2017-11-17 06:22:09 admin 103.10.52.83 failed to login
2017-11-17 06:22:14 admin 103.10.52.83 failed to login
2017-11-17 06:22:19 admin 103.10.52.83 failed to login
2017-11-17 06:22:24 admin 103.10.52.83 failed to login
2017-11-17 06:22:29 admin 103.10.52.83 failed to login
2017-11-17 06:22:36 admin 103.10.52.83 failed to login
2017-11-17 06:21:28,082 fail2ban.filter [30910]: INFO [vesta-iptables] Found 103.10.52.83
2017-11-17 06:21:32,911 fail2ban.filter [30910]: INFO [vesta-iptables] Found 103.10.52.83
2017-11-17 06:21:40,996 fail2ban.filter [30910]: INFO [vesta-iptables] Found 103.10.52.83
2017-11-17 06:21:47,001 fail2ban.filter [30910]: INFO [vesta-iptables] Found 103.10.52.83
2017-11-17 06:21:52,903 fail2ban.filter [30910]: INFO [vesta-iptables] Found 103.10.52.83
2017-11-17 06:21:52,982 fail2ban.actions [30910]: NOTICE [vesta-iptables] Ban 103.10.52.83
2017-11-17 06:21:58,847 fail2ban.filter [30910]: INFO [vesta-iptables] Found 103.10.52.83
2017-11-17 06:22:04,210 fail2ban.filter [30910]: INFO [vesta-iptables] Found 103.10.52.83
2017-11-17 06:22:09,708 fail2ban.filter [30910]: INFO [vesta-iptables] Found 103.10.52.83
2017-11-17 06:22:14,501 fail2ban.filter [30910]: INFO [vesta-iptables] Found 103.10.52.83
2017-11-17 06:22:19,287 fail2ban.filter [30910]: INFO [vesta-iptables] Found 103.10.52.83
2017-11-17 06:22:20,239 fail2ban.actions [30910]: NOTICE [vesta-iptables] 103.10.52.83 already banned
2017-11-17 06:22:24,605 fail2ban.filter [30910]: INFO [vesta-iptables] Found 103.10.52.83
2017-11-17 06:22:29,565 fail2ban.filter [30910]: INFO [vesta-iptables] Found 103.10.52.83
2017-11-17 06:22:36,087 fail2ban.filter [30910]: INFO [vesta-iptables] Found 103.10.52.83
Errors from /var/log/fail2ban.log:
2017-11-16 18:41:57,966 fail2ban.actions [30910]: NOTICE [sshd] 80.211.154.28 already banned
2017-11-16 18:50:02,510 fail2ban.actions [30910]: NOTICE [sshd] Unban 80.211.154.28
2017-11-16 18:50:02,619 fail2ban.action [30910]: ERROR iptables -w -n -L INPUT | grep -q 'f2b-sshd[ \t]' -- stdout: b''
2017-11-16 18:50:02,620 fail2ban.action [30910]: ERROR iptables -w -n -L INPUT | grep -q 'f2b-sshd[ \t]' -- stderr: b''
2017-11-16 18:50:02,620 fail2ban.action [30910]: ERROR iptables -w -n -L INPUT | grep -q 'f2b-sshd[ \t]' -- returned 1
2017-11-16 18:50:02,621 fail2ban.CommandAction [30910]: ERROR Invariant check failed. Trying to restore a sane environment
2017-11-16 18:50:02,976 fail2ban.actions [30910]: NOTICE [ssh-iptables] Unban 80.211.154.28
2017-11-16 18:50:03,060 fail2ban.action [30910]: ERROR iptables -w -D f2b-sshd -s 80.211.154.28 -j REJECT --reject-with icmp-port-unreachable -- stdout: b''
2017-11-16 18:50:03,063 fail2ban.action [30910]: ERROR iptables -w -D f2b-sshd -s 80.211.154.28 -j REJECT --reject-with icmp-port-unreachable -- stderr: b'iptables: No chain/target/match by that name.\n'
2017-11-16 18:50:03,064 fail2ban.action [30910]: ERROR iptables -w -D f2b-sshd -s 80.211.154.28 -j REJECT --reject-with icmp-port-unreachable -- returned 1
2017-11-16 18:50:03,065 fail2ban.actions [30910]: ERROR Failed to execute unban jail 'sshd' action 'iptables-multiport' info '{'matches': 'Nov 16 18:37:38 scw-3beac2 sshd[30095]: Invalid user sshvpn from 80.211.154.28Nov 16 18:37:38 scw-3beac2 sshd[30095]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=80.211.154.28Nov 16 18:37:40 scw-3beac2 sshd[30095]: Failed password for invalid user sshvpn from 80.211.154.28 port 48220 ssh2Nov 16 18:39:21 scw-3beac2 sshd[30535]: Invalid user sshvpn from 80.211.154.28Nov 16 18:39:21 scw-3beac2 sshd[30535]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=80.211.154.28', 'time': 1510857601.5688908, 'failures': 5, 'ip': '80.211.154.28'}': Error unbanning 80.211.154.28
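An added triage script (not from this thread or from Vesta) that reads the fail2ban.log format shown above and reports, per jail, how many Found lines preceded each Ban, how many "already banned" notices followed it (a source that keeps matching after its Ban is not actually being blocked), and which f2b chain the invariant check (the grep on INPUT) failed to find. The sample log is constructed from the excerpts above.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the thread's fail2ban.log excerpts (not the poster's full log).
SAMPLE_LOG = r"""
2017-11-17 06:21:28,082 fail2ban.filter [30910]: INFO [vesta-iptables] Found 103.10.52.83
2017-11-17 06:21:32,911 fail2ban.filter [30910]: INFO [vesta-iptables] Found 103.10.52.83
2017-11-17 06:21:40,996 fail2ban.filter [30910]: INFO [vesta-iptables] Found 103.10.52.83
2017-11-17 06:21:47,001 fail2ban.filter [30910]: INFO [vesta-iptables] Found 103.10.52.83
2017-11-17 06:21:52,903 fail2ban.filter [30910]: INFO [vesta-iptables] Found 103.10.52.83
2017-11-17 06:21:52,982 fail2ban.actions [30910]: NOTICE [vesta-iptables] Ban 103.10.52.83
2017-11-17 06:21:58,847 fail2ban.filter [30910]: INFO [vesta-iptables] Found 103.10.52.83
2017-11-17 06:22:20,239 fail2ban.actions [30910]: NOTICE [vesta-iptables] 103.10.52.83 already banned
2017-11-16 18:50:02,620 fail2ban.action [30910]: ERROR iptables -w -n -L INPUT | grep -q 'f2b-sshd[ \t]' -- returned 1
2017-11-16 18:50:02,621 fail2ban.CommandAction [30910]: ERROR Invariant check failed. Trying to restore a sane environment
"""

LINE_RE = re.compile(r"^\S+ \S+ fail2ban\.(\w+)\s+\[\d+\]: (\w+)\s+(?:\[([\w-]+)\] )?(.*)$")
CHAIN_RE = re.compile(r"grep -q '(f2b-[\w-]+)\[ \\t\]' -- returned (\d+)")

def triage(log_text):
    """Per-jail counters plus the f2b chains whose actioncheck (grep on INPUT) returned non-zero."""
    empty = lambda: {"found": 0, "ban": 0, "already_banned": 0, "retries_at_ban": []}
    jails, since_ban = defaultdict(empty), defaultdict(int)
    report = {"jails": jails, "missing_chains": [], "invariant_failures": 0}
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        _module, level, jail, msg = m.groups()
        if jail and msg.startswith("Found "):          # filter matched a failregex line
            jails[jail]["found"] += 1
            since_ban[(jail, msg.split()[1])] += 1
        elif jail and msg.startswith("Ban "):          # maxretry reached, ban action executed
            ip = msg.split()[1]
            jails[jail]["ban"] += 1
            jails[jail]["retries_at_ban"].append(since_ban.pop((jail, ip), 0))
        elif jail and msg.endswith("already banned"):  # source still reaches the service after its Ban
            jails[jail]["already_banned"] += 1
        elif level == "ERROR":
            c = CHAIN_RE.search(msg)
            if c and c.group(2) != "0":                # no jump to f2b-<jail> present in INPUT
                report["missing_chains"].append(c.group(1))
            if msg.startswith("Invariant check failed"):
                report["invariant_failures"] += 1
    return report

def ineffective_jails(report):
    """Jails that logged a Ban yet kept matching the same source: the firewall rule is not blocking."""
    return sorted(j for j, s in report["jails"].items() if s["ban"] and s["already_banned"])
```

Run it against the real /var/log/fail2ban.log to see which jails never produce a Found line (the filter is not matching, as with ftp here) and which ban but keep matching (the iptables rule is missing or bypassed).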
Re: Why doesn't Fail2ban work properly?
Judging by the log, it's some kind of mismatch in the command syntax or something.
Re: Why doesn't Fail2ban work properly?
The answer to your question: because it's a kludge.
The simplest solution is to throw out Fail2ban
-A INPUT -p tcp -m tcp --dport 21 -m state --state NEW -m recent --rcheck --seconds 86400 --name BLOCK --rsource -j DROP
-A INPUT -p tcp -m tcp --dport 21 -m state --state NEW -m hashlimit --hashlimit-above 3/min --hashlimit-burst 3 --hashlimit-mode srcip --hashlimit-name BLOCK -m recent --set --name BLOCK --rsource -j DROP
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --rcheck --seconds 86400 --name BLOCK --rsource -j DROP
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m hashlimit --hashlimit-above 3/min --hashlimit-burst 3 --hashlimit-mode srcip --hashlimit-name BLOCK -m recent --set --name BLOCK --rsource -j DROP