
Why isn't Fail2ban working properly?

Posted: Fri Nov 17, 2017 6:35 am
by Vincent
The fail2ban-server process itself shows up in top.
Failed login attempts are also being written to the logs, but no blocking happens. I installed the panel less than a week ago and haven't changed anything anywhere in how fail2ban works.
Ubuntu 16.04.
/var/log/vsftpd.log
Fri Nov 17 06:23:55 2017 [pid 16639] CONNECT: Client "91.241.228.75"
Fri Nov 17 06:24:02 2017 [pid 16638] [admin] FAIL LOGIN: Client "91.241.228.75"
Fri Nov 17 06:24:08 2017 [pid 16648] CONNECT: Client "91.241.228.75"
Fri Nov 17 06:24:11 2017 [pid 16647] [admin] FAIL LOGIN: Client "91.241.228.75"
Fri Nov 17 06:24:18 2017 [pid 16656] CONNECT: Client "91.241.228.75"
Fri Nov 17 06:24:20 2017 [pid 16655] [admin] FAIL LOGIN: Client "91.241.228.75"
Fri Nov 17 06:24:26 2017 [pid 16664] CONNECT: Client "91.241.228.75"
Fri Nov 17 06:24:29 2017 [pid 16663] [admin] FAIL LOGIN: Client "91.241.228.75"
Fri Nov 17 06:24:35 2017 [pid 16673] CONNECT: Client "91.241.228.75"
Fri Nov 17 06:24:37 2017 [pid 16672] [admin] FAIL LOGIN: Client "91.241.228.75"
Fri Nov 17 06:24:43 2017 [pid 16683] CONNECT: Client "91.241.228.75"
Fri Nov 17 06:24:46 2017 [pid 16680] [admin] FAIL LOGIN: Client "91.241.228.75"
Fri Nov 17 06:24:52 2017 [pid 16690] CONNECT: Client "91.241.228.75"
Fri Nov 17 06:24:54 2017 [pid 16688] [admin] FAIL LOGIN: Client "91.241.228.75"
Fri Nov 17 06:25:00 2017 [pid 16700] CONNECT: Client "91.241.228.75"
Fri Nov 17 06:25:02 2017 [pid 16697] [admin] FAIL LOGIN: Client "91.241.228.75"
Fri Nov 17 06:25:09 2017 [pid 17135] CONNECT: Client "91.241.228.75"
Fri Nov 17 06:25:11 2017 [pid 17134] [admin] FAIL LOGIN: Client "91.241.228.75"
Fri Nov 17 06:25:17 2017 [pid 17143] CONNECT: Client "91.241.228.75"
Fri Nov 17 06:25:20 2017 [pid 17142] [admin] FAIL LOGIN: Client "91.241.228.75"
Fri Nov 17 06:25:26 2017 [pid 17153] CONNECT: Client "91.241.228.75"
Fri Nov 17 06:25:28 2017 [pid 17150] [admin] FAIL LOGIN: Client "91.241.228.75"
Fri Nov 17 06:25:34 2017 [pid 17161] CONNECT: Client "91.241.228.75"
Fri Nov 17 06:25:37 2017 [pid 17158] [admin] FAIL LOGIN: Client "91.241.228.75"
Fri Nov 17 06:26:50 2017 [pid 17169] CONNECT: Client "91.241.228.75"
Fri Nov 17 06:26:58 2017 [pid 17167] [admin] FAIL LOGIN: Client "91.241.228.75"
Fri Nov 17 06:27:04 2017 [pid 17178] CONNECT: Client "91.241.228.75"
Fri Nov 17 06:27:06 2017 [pid 17175] [admin] FAIL LOGIN: Client "91.241.228.75"
/var/log/vesta/auth.log
2017-11-17 06:21:28 admin 103.10.52.83 failed to login
2017-11-17 06:21:32 admin 103.10.52.83 failed to login
2017-11-17 06:21:40 admin 103.10.52.83 failed to login
2017-11-17 06:21:46 admin 103.10.52.83 failed to login
2017-11-17 06:21:52 admin 103.10.52.83 failed to login
2017-11-17 06:21:58 admin 103.10.52.83 failed to login
2017-11-17 06:22:04 admin 103.10.52.83 failed to login
2017-11-17 06:22:09 admin 103.10.52.83 failed to login
2017-11-17 06:22:14 admin 103.10.52.83 failed to login
2017-11-17 06:22:19 admin 103.10.52.83 failed to login
2017-11-17 06:22:24 admin 103.10.52.83 failed to login
2017-11-17 06:22:29 admin 103.10.52.83 failed to login
2017-11-17 06:22:36 admin 103.10.52.83 failed to login
Then I looked through /var/log/fail2ban.log
2017-11-17 06:21:28,082 fail2ban.filter [30910]: INFO [vesta-iptables] Found 103.10.52.83
2017-11-17 06:21:32,911 fail2ban.filter [30910]: INFO [vesta-iptables] Found 103.10.52.83
2017-11-17 06:21:40,996 fail2ban.filter [30910]: INFO [vesta-iptables] Found 103.10.52.83
2017-11-17 06:21:47,001 fail2ban.filter [30910]: INFO [vesta-iptables] Found 103.10.52.83
2017-11-17 06:21:52,903 fail2ban.filter [30910]: INFO [vesta-iptables] Found 103.10.52.83
2017-11-17 06:21:52,982 fail2ban.actions [30910]: NOTICE [vesta-iptables] Ban 103.10.52.83
2017-11-17 06:21:58,847 fail2ban.filter [30910]: INFO [vesta-iptables] Found 103.10.52.83
2017-11-17 06:22:04,210 fail2ban.filter [30910]: INFO [vesta-iptables] Found 103.10.52.83
2017-11-17 06:22:09,708 fail2ban.filter [30910]: INFO [vesta-iptables] Found 103.10.52.83
2017-11-17 06:22:14,501 fail2ban.filter [30910]: INFO [vesta-iptables] Found 103.10.52.83
2017-11-17 06:22:19,287 fail2ban.filter [30910]: INFO [vesta-iptables] Found 103.10.52.83
2017-11-17 06:22:20,239 fail2ban.actions [30910]: NOTICE [vesta-iptables] 103.10.52.83 already banned
2017-11-17 06:22:24,605 fail2ban.filter [30910]: INFO [vesta-iptables] Found 103.10.52.83
2017-11-17 06:22:29,565 fail2ban.filter [30910]: INFO [vesta-iptables] Found 103.10.52.83
2017-11-17 06:22:36,087 fail2ban.filter [30910]: INFO [vesta-iptables] Found 103.10.52.83
The filter seems to trigger, but in fact the IP does not get banned. What is also interesting is that this log only has hits for vestacp, and none at all for ftp.
Also, there are some errors in /var/log/fail2ban.log:
2017-11-16 18:41:57,966 fail2ban.actions [30910]: NOTICE [sshd] 80.211.154.28 already banned
2017-11-16 18:50:02,510 fail2ban.actions [30910]: NOTICE [sshd] Unban 80.211.154.28
2017-11-16 18:50:02,619 fail2ban.action [30910]: ERROR iptables -w -n -L INPUT | grep -q 'f2b-sshd[ \t]' -- stdout: b''
2017-11-16 18:50:02,620 fail2ban.action [30910]: ERROR iptables -w -n -L INPUT | grep -q 'f2b-sshd[ \t]' -- stderr: b''
2017-11-16 18:50:02,620 fail2ban.action [30910]: ERROR iptables -w -n -L INPUT | grep -q 'f2b-sshd[ \t]' -- returned 1
2017-11-16 18:50:02,621 fail2ban.CommandAction [30910]: ERROR Invariant check failed. Trying to restore a sane environment
2017-11-16 18:50:02,976 fail2ban.actions [30910]: NOTICE [ssh-iptables] Unban 80.211.154.28
2017-11-16 18:50:03,060 fail2ban.action [30910]: ERROR iptables -w -D f2b-sshd -s 80.211.154.28 -j REJECT --reject-with icmp-port-unreachable -- stdout: b''
2017-11-16 18:50:03,063 fail2ban.action [30910]: ERROR iptables -w -D f2b-sshd -s 80.211.154.28 -j REJECT --reject-with icmp-port-unreachable -- stderr: b'iptables: No chain/target/match by that name.\n'
2017-11-16 18:50:03,064 fail2ban.action [30910]: ERROR iptables -w -D f2b-sshd -s 80.211.154.28 -j REJECT --reject-with icmp-port-unreachable -- returned 1
2017-11-16 18:50:03,065 fail2ban.actions [30910]: ERROR Failed to execute unban jail 'sshd' action 'iptables-multiport' info '{'matches': 'Nov 16 18:37:38 scw-3beac2 sshd[30095]: Invalid user sshvpn from 80.211.154.28Nov 16 18:37:38 scw-3beac2 sshd[30095]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=80.211.154.28Nov 16 18:37:40 scw-3beac2 sshd[30095]: Failed password for invalid user sshvpn from 80.211.154.28 port 48220 ssh2Nov 16 18:39:21 scw-3beac2 sshd[30535]: Invalid user sshvpn from 80.211.154.28Nov 16 18:39:21 scw-3beac2 sshd[30535]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=80.211.154.28', 'time': 1510857601.5688908, 'failures': 5, 'ip': '80.211.154.28'}': Error unbanning 80.211.154.28
SSH isn't being banned either. I've tried restarting the service.
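An added example (not code from the thread, VestaCP or fail2ban) of how to triage a fail2ban.log like the one above: it counts Found/Ban/Unban events per jail and flags jails whose iptables action commands failed. The sshd lines above show the pattern worth catching: "No chain/target/match by that name" while deleting from f2b-sshd means the chain the jail expects is absent from the INPUT table, so nothing that jail bans is actually filtered. The sample lines are constructed after the ones posted.

```python
"""Per-jail triage of fail2ban.log: did the logged bans reach iptables?

Added example, not code from the thread, VestaCP or fail2ban. The sample
lines below are constructed after the ones posted in the thread.
"""
import re
from collections import defaultdict

# Constructed sample, modelled on the thread's /var/log/fail2ban.log excerpts.
SAMPLE_LOG = """\
2017-11-17 06:21:28,082 fail2ban.filter [30910]: INFO [vesta-iptables] Found 103.10.52.83
2017-11-17 06:21:52,982 fail2ban.actions [30910]: NOTICE [vesta-iptables] Ban 103.10.52.83
2017-11-17 06:22:20,239 fail2ban.actions [30910]: NOTICE [vesta-iptables] 103.10.52.83 already banned
2017-11-16 18:50:02,510 fail2ban.actions [30910]: NOTICE [sshd] Unban 80.211.154.28
2017-11-16 18:50:02,619 fail2ban.action [30910]: ERROR iptables -w -n -L INPUT | grep -q 'f2b-sshd[ \\t]' -- stdout: b''
2017-11-16 18:50:02,620 fail2ban.action [30910]: ERROR iptables -w -n -L INPUT | grep -q 'f2b-sshd[ \\t]' -- returned 1
2017-11-16 18:50:02,621 fail2ban.CommandAction [30910]: ERROR Invariant check failed. Trying to restore a sane environment
2017-11-16 18:50:03,063 fail2ban.action [30910]: ERROR iptables -w -D f2b-sshd -s 80.211.154.28 -j REJECT --reject-with icmp-port-unreachable -- stderr: b'iptables: No chain/target/match by that name.\\n'
2017-11-16 18:50:03,065 fail2ban.actions [30910]: ERROR Failed to execute unban jail 'sshd' action 'iptables-multiport' info '{...}': Error unbanning 80.211.154.28
"""

# "<date> <time>,<ms> <source> [<pid>]: <LEVEL> <message>"; real logs pad the
# source and level columns with spaces, hence \s+.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+\s+"
    r"(?P<src>fail2ban\.\S+)\s+\[\d+\]:\s+(?P<level>[A-Z]+)\s+(?P<msg>.*)$"
)
JAIL_EVENT_RE = re.compile(r"^\[(?P<jail>[^\]]+)\]\s+(?P<rest>.*)$")
JAIL_IN_ERROR_RE = re.compile(r"jail '(?P<jail>[^']+)'")
CHAIN_IN_ERROR_RE = re.compile(r"f2b-(?P<jail>[\w-]+)")  # chains are named f2b-<jail>
CHAIN_MISSING = "No chain/target/match by that name"


def _new_stats():
    return {"found": 0, "ban": 0, "unban": 0, "already_banned": 0,
            "action_errors": 0, "chain_missing": False}


def _jail_from_error(msg):
    """Attribute an ERROR line to a jail via "jail 'x'" or an f2b-x chain name."""
    m = JAIL_IN_ERROR_RE.search(msg) or CHAIN_IN_ERROR_RE.search(msg)
    return m.group("jail") if m else None


def triage(lines):
    """Return {jail: stats} for an iterable of fail2ban.log lines."""
    stats = defaultdict(_new_stats)
    for line in lines:
        rec = LINE_RE.match(line.rstrip("\n"))
        if rec is None:
            continue
        msg = rec.group("msg")
        if rec.group("level") == "ERROR":
            jail = _jail_from_error(msg)
            if jail is not None:
                stats[jail]["action_errors"] += 1
                if CHAIN_MISSING in msg:
                    stats[jail]["chain_missing"] = True
            continue
        ev = JAIL_EVENT_RE.match(msg)
        if ev is None:
            continue
        jail, rest = ev.group("jail"), ev.group("rest")
        if rest.startswith("Found "):
            stats[jail]["found"] += 1
        elif rest.startswith("Ban "):
            stats[jail]["ban"] += 1
        elif rest.startswith("Unban "):
            stats[jail]["unban"] += 1
        elif rest.endswith(" already banned"):
            stats[jail]["already_banned"] += 1
    return dict(stats)


def ineffective_jails(stats):
    """Jails whose ban/unban actions errored: their bans are not in the firewall."""
    return sorted(j for j, s in stats.items()
                  if s["chain_missing"] or s["action_errors"] > 0)


if __name__ == "__main__":
    result = triage(SAMPLE_LOG.splitlines())
    for jail, s in sorted(result.items()):
        print(f"{jail}: {s}")
    print("jails whose bans are not taking effect:", ineffective_jails(result))
```

A "Ban" NOTICE only records that fail2ban ran its action; whether the rule exists is decided by the action's invariant check, which is exactly the `iptables -w -n -L INPUT | grep -q 'f2b-sshd[ \t]'` command that returned 1 in the log above. The same check can be run by hand (`iptables -n -L INPUT` and `iptables -n -L f2b-sshd`) to confirm the jail's chain is present and referenced before trusting the Ban lines.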

Re: Why isn't Fail2ban working properly?

Posted: Sun Nov 19, 2017 3:12 pm
by ahouse
Judging by the log, it's some kind of mismatch in the command syntax or something.

Re: Why isn't Fail2ban working properly?

Posted: Wed Nov 22, 2017 4:03 am
by demian
The answer to your question: because it's a kludge.
The simplest solution is to throw Fail2ban out.

-A INPUT -p tcp -m tcp --dport 21 -m state --state NEW -m recent --rcheck --seconds 86400 --name BLOCK --rsource -j DROP
-A INPUT -p tcp -m tcp --dport 21 -m state --state NEW -m hashlimit --hashlimit-above 3/min --hashlimit-burst 3 --hashlimit-mode srcip --hashlimit-name BLOCK -m recent --set --name BLOCK --rsource -j DROP
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --rcheck --seconds 86400 --name BLOCK --rsource -j DROP
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m hashlimit --hashlimit-above 3/min --hashlimit-burst 3 --hashlimit-mode srcip --hashlimit-name BLOCK -m recent --set --name BLOCK --rsource -j DROP
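An added example, not part of demian's post, that models what the two-rule pair above does per source address so the thresholds can be read off before loading the rules. The model is an assumption, an approximation of the kernel modules: hashlimit is treated as a per-source token bucket with capacity --hashlimit-burst 3 refilled at 3 tokens per minute, and recent --rcheck --seconds 86400 as a stored last-seen time that matches while younger than 86400 s and is not refreshed by --rcheck. The attempt timings are the CONNECT offsets from the vsftpd.log in the first post; the second client address is a constructed documentation address.

```python
"""Model of the recent + hashlimit rule pair for new TCP connections.

Added example, not from the thread. Assumed semantics (an approximation of the
kernel modules): hashlimit = per-source token bucket with capacity
--hashlimit-burst refilled at --hashlimit-above; recent --rcheck --seconds N
matches while the stored timestamp is younger than N seconds and does not
refresh it; recent --set stores the current time.
"""

RATE_PER_MIN = 3          # --hashlimit-above 3/min
BURST = 3                 # --hashlimit-burst 3
BLOCK_SECONDS = 86400     # recent --rcheck --seconds 86400

# Integer bookkeeping: one unit of credit is earned per second and one token
# costs SEC_PER_TOKEN units, so 3/min is one token every 20 seconds.
SEC_PER_TOKEN = 60 // RATE_PER_MIN
CAPACITY = BURST * SEC_PER_TOKEN


class RecentList:
    """The 'BLOCK' recent list: source address -> time of the last --set."""

    def __init__(self):
        self.last_set = {}

    def rcheck(self, src, now):
        return src in self.last_set and now - self.last_set[src] < BLOCK_SECONDS

    def set(self, src, now):
        self.last_set[src] = now


class HashLimit:
    """Per-source token bucket; above() is True when the packet exceeds the rate."""

    def __init__(self):
        self.credit = {}   # src -> (credit_units, last_seen)

    def above(self, src, now):
        units, last = self.credit.get(src, (CAPACITY, now))
        units = min(CAPACITY, units + (now - last))
        if units >= SEC_PER_TOKEN:
            self.credit[src] = (units - SEC_PER_TOKEN, now)
            return False
        self.credit[src] = (units, now)
        return True


class Firewall:
    """Rule 1: drop if already listed. Rule 2: drop and list if over the rate."""

    def __init__(self):
        self.block = RecentList()
        self.limit = HashLimit()

    def new_connection(self, src, now):
        if self.block.rcheck(src, now):       # -m recent --rcheck ... -j DROP
            return "DROP:blocklist"
        if self.limit.above(src, now):        # -m hashlimit --hashlimit-above ...
            self.block.set(src, now)          # ... -m recent --set ... -j DROP
            return "DROP:ratelimit"
        return "ACCEPT"                       # falls through to later rules


def run(events):
    """events: list of (src, seconds) in time order; returns one verdict each."""
    fw = Firewall()
    return [fw.new_connection(src, t) for src, t in events]


ATTACKER = "91.241.228.75"   # the source in the thread's vsftpd.log
CLIENT = "198.51.100.7"      # constructed (RFC 5737 documentation address)
# Offsets in seconds of the CONNECT lines from 06:23:55 in that log.
EVENTS = [(ATTACKER, 0), (CLIENT, 5), (ATTACKER, 13), (ATTACKER, 23),
          (ATTACKER, 31), (ATTACKER, 40), (ATTACKER, 48), (ATTACKER, 57),
          (ATTACKER, 65), (CLIENT, 300),
          (ATTACKER, 48 + BLOCK_SECONDS - 1), (ATTACKER, 48 + BLOCK_SECONDS + 1)]

if __name__ == "__main__":
    for (src, t), verdict in zip(EVENTS, run(EVENTS)):
        print(f"t={t:>6}s {src:<15} {verdict}")
```

Two things the run makes visible. Because rule 1 is evaluated before rule 2, a listed source never reaches hashlimit again until its 24 h entry expires, and because the bucket refills while the first connections are accepted, the host from the log gets five connections through before the sixth trips the limit at this pace. Two caveats for anyone loading these rules: they count NEW TCP connections to port 21/22, not failed logins, so a legitimate client opening several sessions in quick succession is dropped as well, and the recent table holds 100 addresses by default (the xt_recent ip_list_tot module parameter), with older entries evicted when it fills.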