We are happy to announce that Vesta is back under active development as of 25 February 2024. We are working on v1 candidate and expect to engage more with the community over the coming months. We are committed to open source, and we encourage contributors to help us build the future of Vesta.
Fail2ban не блокирует атакующих
-
- Posts: 30
- Joined: Tue Sep 24, 2013 4:58 pm
Fail2ban не блокирует атакующих
До этого все хорошо работало на двух VPS, шли отчеты на мейл, атакующие блокировались.
Две недели назад переехал на новый VPS, все быстренько развернул, настроил. По логам атаки есть, Logwatch тоже шлет логи с атаками, но Fail2ban ничего не делает.
Centos 6, Vesta CP последняя.
Конфиг
Менял logpath = /var/log/vsftpd.log на /var/log/secure не помогло.
Куда еще смотреть?
Две недели назад переехал на новый VPS, все быстренько развернул, настроил. По логам атаки есть, Logwatch тоже шлет логи с атаками, но Fail2ban ничего не делает.
Centos 6, Vesta CP последняя.
Конфиг
Code: Select all
# Fail2Ban jail base specification file
#
# HOW TO ACTIVATE JAILS:
#
# YOU SHOULD NOT MODIFY THIS FILE.
#
# It will probably be overwitten or improved in a distribution update.
#
# Provide customizations in a jail.local file or a jail.d/customisation.local.
# For example to change the default bantime for all jails and to enable the
# ssh-iptables jail the following (uncommented) would appear in the .local file.
# See man 5 jail.conf for details.
#
# [DEFAULT]
#bantime = 3600
#
# [ssh-iptables]
#enabled = true
# Comments: use '#' for comment lines and ';' (following a space) for inline comments
# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1/8
# External command that will take an tagged arguments to ignore, e.g. <ip>,
# and return true if the IP is to be ignored. False otherwise.
#
# ignorecommand = /path/to/command <ip>
ignorecommand =
# "bantime" is the number of seconds that a host is banned.
bantime =3600
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600
# "maxretry" is the number of failures before a host get banned.
maxretry = 3
# "backend" specifies the backend used to get files modification.
# Available options are "pyinotify", "gamin", "polling" and "auto".
# This option can be overridden in each jail as well.
#
# pyinotify: requires pyinotify (a file alteration monitor) to be installed.
# If pyinotify is not installed, Fail2ban will use auto.
# gamin: requires Gamin (a file alteration monitor) to be installed.
# If Gamin is not installed, Fail2ban will use auto.
# polling: uses a polling algorithm which does not require external libraries.
# auto: will try to use the following backends, in order:
# pyinotify, gamin, polling.
backend = auto
# "usedns" specifies if jails should trust hostnames in logs,
# warn when DNS lookups are performed, or ignore all hostnames in logs
#
# yes: if a hostname is encountered, a DNS lookup will be performed.
# warn: if a hostname is encountered, a DNS lookup will be performed,
# but it will be logged as a warning.
# no: if a hostname is encountered, will not be used for banning,
# but it will be logged as info.
usedns = warn
# This jail corresponds to the standard configuration in Fail2ban.
# The mail-whois action send a notification e-mail with a whois request
# in the body.
[pam-generic]
enabled = false
filter = pam-generic
action = iptables-allports[name=pam,protocol=all]
logpath = /var/log/secure
[xinetd-fail]
enabled = false
filter = xinetd-fail
action = iptables-allports[name=xinetd,protocol=all]
logpath = /var/log/daemon*log
[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
sendmail-whois[name=SSH, [email protected], [email protected], sendername="Fail2Ban"]
logpath = /var/log/secure
maxretry = 3
[ssh-ddos]
enabled = false
filter = sshd-ddos
action = iptables[name=SSHDDOS, port=ssh, protocol=tcp]
logpath = /var/log/sshd.log
maxretry = 2
[dropbear]
enabled = false
filter = dropbear
action = iptables[name=dropbear, port=ssh, protocol=tcp]
logpath = /var/log/messages
maxretry = 5
[proftpd-iptables]
enabled = false
filter = proftpd
action = iptables[name=ProFTPD, port=ftp, protocol=tcp]
sendmail-whois[name=ProFTPD, [email protected]]
logpath = /var/log/proftpd/proftpd.log
maxretry = 6
[gssftpd-iptables]
enabled = false
filter = gssftpd
action = iptables[name=GSSFTPd, port=ftp, protocol=tcp]
sendmail-whois[name=GSSFTPd, [email protected]]
logpath = /var/log/daemon.log
maxretry = 6
[pure-ftpd]
enabled = false
filter = pure-ftpd
action = iptables[name=pureftpd, port=ftp, protocol=tcp]
logpath = /var/log/pureftpd.log
maxretry = 6
[wuftpd]
enabled = false
filter = wuftpd
action = iptables[name=wuftpd, port=ftp, protocol=tcp]
logpath = /var/log/daemon.log
maxretry = 6
[sendmail-auth]
enabled = false
filter = sendmail-auth
action = iptables-multiport[name=sendmail-auth, port="submission,465,smtp", protocol=tcp]
logpath = /var/log/mail.log
[sendmail-reject]
enabled = false
filter = sendmail-reject
action = iptables-multiport[name=sendmail-auth, port="submission,465,smtp", protocol=tcp]
logpath = /var/log/mail.log
# This jail forces the backend to "polling".
[sasl-iptables]
enabled = false
filter = postfix-sasl
backend = polling
action = iptables[name=sasl, port=smtp, protocol=tcp]
sendmail-whois[name=sasl, [email protected]]
logpath = /var/log/mail.log
# ASSP SMTP Proxy Jail
[assp]
enabled = false
filter = assp
action = iptables-multiport[name=assp,port="25,465,587"]
logpath = /root/path/to/assp/logs/maillog.txt
# Here we use TCP-Wrappers instead of Netfilter/Iptables. "ignoreregex" is
# used to avoid banning the user "myuser".
[ssh-tcpwrapper]
enabled = false
filter = sshd
action = hostsdeny[daemon_list=sshd]
sendmail-whois[name=SSH, [email protected]]
ignoreregex = for myuser from
logpath = /var/log/sshd.log
# Here we use blackhole routes for not requiring any additional kernel support
# to store large volumes of banned IPs
[ssh-route]
enabled = false
filter = sshd
action = route
logpath = /var/log/sshd.log
maxretry = 5
# Here we use a combination of Netfilter/Iptables and IPsets
# for storing large volumes of banned IPs
#
# IPset comes in two versions. See ipset -V for which one to use
# requires the ipset package and kernel support.
[ssh-iptables-ipset4]
enabled = false
filter = sshd
action = iptables-ipset-proto4[name=SSH, port=ssh, protocol=tcp]
logpath = /var/log/sshd.log
maxretry = 5
[ssh-iptables-ipset6]
enabled = false
filter = sshd
action = iptables-ipset-proto6[name=SSH, port=ssh, protocol=tcp, bantime=600]
logpath = /var/log/sshd.log
maxretry = 5
# bsd-ipfw is ipfw used by BSD. It uses ipfw tables.
# table number must be unique.
#
# This will create a deny rule for that table ONLY if a rule
# for the table doesn't ready exist.
#
[ssh-bsd-ipfw]
enabled = false
filter = sshd
action = bsd-ipfw[port=ssh,table=1]
logpath = /var/log/auth.log
maxretry = 5
# This jail demonstrates the use of wildcards in "logpath".
# Moreover, it is possible to give other files on a new line.
[apache-tcpwrapper]
enabled = false
filter = apache-auth
action = hostsdeny
logpath = /var/log/apache*/*error.log
/home/www/myhomepage/error.log
maxretry = 6
[apache-modsecurity]
enabled = false
filter = apache-modsecurity
action = iptables-multiport[name=apache-modsecurity,port="80,443"]
logpath = /var/log/apache*/*error.log
/home/www/myhomepage/error.log
maxretry = 2
[apache-overflows]
enabled = false
filter = apache-overflows
action = iptables-multiport[name=apache-overflows,port="80,443"]
logpath = /var/log/apache*/*error.log
/home/www/myhomepage/error.log
maxretry = 2
[apache-nohome]
enabled = false
filter = apache-nohome
action = iptables-multiport[name=apache-nohome,port="80,443"]
logpath = /var/log/apache*/*error.log
/home/www/myhomepage/error.log
maxretry = 2
[nginx-http-auth]
enabled = false
filter = nginx-http-auth
action = iptables-multiport[name=nginx-http-auth,port="80,443"]
logpath = /var/log/nginx/error.log
[squid]
enabled = false
filter = squid
action = iptables-multiport[name=squid,port="80,443,8080"]
logpath = /var/log/squid/access.log
# The hosts.deny path can be defined with the "file" argument if it is
# not in /etc.
[postfix-tcpwrapper]
enabled = false
filter = postfix
action = hostsdeny[file=/not/a/standard/path/hosts.deny]
sendmail[name=Postfix, [email protected]]
logpath = /var/log/postfix.log
bantime = 300
[cyrus-imap]
enabled = false
filter = cyrus-imap
action = iptables-multiport[name=cyrus-imap,port="143,993"]
logpath = /var/log/mail*log
[courierlogin]
enabled = false
filter = courierlogin
action = iptables-multiport[name=courierlogin,port="25,110,143,465,587,993,995"]
logpath = /var/log/mail*log
[couriersmtp]
enabled = false
filter = couriersmtp
action = iptables-multiport[name=couriersmtp,port="25,465,587"]
logpath = /var/log/mail*log
[qmail-rbl]
enabled = false
filter = qmail
action = iptables-multiport[name=qmail-rbl,port="25,465,587"]
logpath = /service/qmail/log/main/current
[sieve]
enabled = false
filter = sieve
action = iptables-multiport[name=sieve,port="25,465,587"]
logpath = /var/log/mail*log
# Do not ban anybody. Just report information about the remote host.
# A notification is sent at most every 600 seconds (bantime).
[vsftpd-notification]
enabled = true
filter = vsftpd
action = sendmail-whois[name=VSFTPD, [email protected]]
logpath = /var/log/secure
maxretry = 3
bantime = 3600
# Same as above but with banning the IP address.
[vsftpd-iptables]
enabled = true
filter = vsftpd
action = iptables[name=VSFTPD, port=ftp, protocol=tcp]
sendmail-whois[name=VSFTPD, [email protected]]
logpath = /var/log/secure
maxretry = 3
bantime = 3600
# Ban hosts which agent identifies spammer robots crawling the web
# for email addresses. The mail outputs are buffered.
[apache-badbots]
enabled = false
filter = apache-badbots
action = iptables-multiport[name=BadBots, port="http,https"]
sendmail-buffered[name=BadBots, lines=5, [email protected]]
logpath = /var/www/*/logs/access_log
bantime = 172800
maxretry = 1
# Use shorewall instead of iptables.
[apache-shorewall]
enabled = false
filter = apache-noscript
action = shorewall
sendmail[name=Postfix, [email protected]]
logpath = /var/log/apache2/error_log
# Monitor roundcube server
[roundcube-iptables]
enabled = false
filter = roundcube-auth
action = iptables-multiport[name=RoundCube, port="http,https"]
logpath = /var/log/roundcube/userlogins
# Monitor SOGo groupware server
[sogo-iptables]
enabled = false
filter = sogo-auth
# without proxy this would be:
# port = 20000
action = iptables-multiport[name=SOGo, port="http,https"]
logpath = /var/log/sogo/sogo.log
[groupoffice]
enabled = false
filter = groupoffice
action = iptables-multiport[name=groupoffice, port="http,https"]
logpath = /home/groupoffice/log/info.log
[openwebmail]
enabled = false
filter = openwebmail
logpath = /var/log/openwebmail.log
action = ipfw
sendmail-whois[name=openwebmail, [email protected]]
maxretry = 5
[horde]
enabled = false
filter = horde
logpath = /var/log/horde/horde.log
action = iptables-multiport[name=horde, port="http,https"]
maxretry = 5
# Ban attackers that try to use PHP's URL-fopen() functionality
# through GET/POST variables. - Experimental, with more than a year
# of usage in production environments.
[php-url-fopen]
enabled = false
action = iptables-multiport[name=php-url-open, port="http,https"]
filter = php-url-fopen
logpath = /var/www/*/logs/access_log
maxretry = 1
[suhosin]
enabled = false
filter = suhosin
action = iptables-multiport[name=suhosin, port="http,https"]
# adapt the following two items as needed
logpath = /var/log/lighttpd/error.log
maxretry = 2
[lighttpd-auth]
enabled = false
filter = lighttpd-auth
action = iptables-multiport[name=lighttpd-auth, port="http,https"]
# adapt the following two items as needed
logpath = /var/log/lighttpd/error.log
maxretry = 2
# This jail uses ipfw, the standard firewall on FreeBSD. The "ignoreip"
# option is overridden in this jail. Moreover, the action "mail-whois" defines
# the variable "name" which contains a comma using "". The characters '' are
# valid too.
[ssh-ipfw]
enabled = false
filter = sshd
action = ipfw[localhost=192.168.0.1]
sendmail-whois[name="SSH,IPFW", [email protected]]
logpath = /var/log/auth.log
ignoreip = 168.192.0.1
# !!! WARNING !!!
# Since UDP is connection-less protocol, spoofing of IP and imitation
# of illegal actions is way too simple. Thus enabling of this filter
# might provide an easy way for implementing a DoS against a chosen
# victim. See
# http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
# Please DO NOT USE this jail unless you know what you are doing.
#
# IMPORTANT: see filter.d/named-refused for instructions to enable logging
# This jail blocks UDP traffic for DNS requests.
# [named-refused-udp]
#
# enabled = false
# filter = named-refused
# action = iptables-multiport[name=Named, port="domain,953", protocol=udp]
# sendmail-whois[name=Named, [email protected]]
# logpath = /var/log/named/security.log
# ignoreip = 168.192.0.1
# IMPORTANT: see filter.d/named-refused for instructions to enable logging
# This jail blocks TCP traffic for DNS requests.
[named-refused-tcp]
enabled = false
filter = named-refused
action = iptables-multiport[name=Named, port="domain,953", protocol=tcp]
sendmail-whois[name=Named, [email protected]]
logpath = /var/log/named/security.log
ignoreip = 168.192.0.1
[nsd]
enabled = false
filter = nsd
action = iptables-multiport[name=nsd-tcp, port="domain", protocol=tcp]
iptables-multiport[name=nsd-udp, port="domain", protocol=udp]
logpath = /var/log/nsd.log
[asterisk]
enabled = false
filter = asterisk
action = iptables-multiport[name=asterisk-tcp, port="5060,5061", protocol=tcp]
iptables-multiport[name=asterisk-udp, port="5060,5061", protocol=udp]
sendmail-whois[name=Asterisk, [email protected], [email protected]]
logpath = /var/log/asterisk/messages
maxretry = 10
[freeswitch]
enabled = false
filter = freeswitch
logpath = /var/log/freeswitch.log
maxretry = 10
action = iptables-multiport[name=freeswitch-tcp, port="5060,5061,5080,5081", protocol=tcp]
iptables-multiport[name=freeswitch-udp, port="5060,5061,5080,5081", protocol=udp]
[ejabberd-auth]
enabled = false
filter = ejabberd-auth
logpath = /var/log/ejabberd/ejabberd.log
action = iptables[name=ejabberd, port=xmpp-client, protocol=tcp]
# Historical support (before https://github.com/fail2ban/fail2ban/issues/37 was fixed )
# use [asterisk] for new jails
[asterisk-tcp]
enabled = false
filter = asterisk
action = iptables-multiport[name=asterisk-tcp, port="5060,5061", protocol=tcp]
sendmail-whois[name=Asterisk, [email protected], [email protected]]
logpath = /var/log/asterisk/messages
maxretry = 10
# Historical support (before https://github.com/fail2ban/fail2ban/issues/37 was fixed )
# use [asterisk] for new jails
[asterisk-udp]
enabled = false
filter = asterisk
action = iptables-multiport[name=asterisk-udp, port="5060,5061", protocol=udp]
sendmail-whois[name=Asterisk, [email protected], [email protected]]
logpath = /var/log/asterisk/messages
maxretry = 10
[mysqld-iptables]
enabled = false
filter = mysqld-auth
action = iptables[name=mysql, port=3306, protocol=tcp]
sendmail-whois[name=MySQL, dest=root, [email protected]]
logpath = /var/log/mysqld.log
maxretry = 5
[mysqld-syslog]
enabled = false
filter = mysqld-auth
action = iptables[name=mysql, port=3306, protocol=tcp]
logpath = /var/log/daemon.log
maxretry = 5
# Jail for more extended banning of persistent abusers
# !!! WARNING !!!
# Make sure that your loglevel specified in fail2ban.conf/.local
# is not at DEBUG level -- which might then cause fail2ban to fall into
# an infinite loop constantly feeding itself with non-informative lines
[recidive]
enabled = false
filter = recidive
logpath = /var/log/fail2ban.log
action = iptables-allports[name=recidive,protocol=all]
sendmail-whois-lines[name=recidive, logpath=/var/log/fail2ban.log]
bantime = 604800 ; 1 week
findtime = 86400 ; 1 day
maxretry = 5
# PF is a BSD based firewall
[ssh-pf]
enabled = false
filter = sshd
action = pf
logpath = /var/log/sshd.log
maxretry = 5
[3proxy]
enabled = false
filter = 3proxy
action = iptables[name=3proxy, port=3128, protocol=tcp]
logpath = /var/log/3proxy.log
[exim]
enabled = false
filter = exim
action = iptables-multiport[name=exim,port="25,465,587"]
logpath = /var/log/exim/mainlog
[exim-spam]
enabled = false
filter = exim-spam
action = iptables-multiport[name=exim-spam,port="25,465,587"]
logpath = /var/log/exim/mainlog
[perdition]
enabled = false
filter = perdition
action = iptables-multiport[name=perdition,port="110,143,993,995"]
logpath = /var/log/maillog
[uwimap-auth]
enabled = false
filter = uwimap-auth
action = iptables-multiport[name=uwimap-auth,port="110,143,993,995"]
logpath = /var/log/maillog
[osx-ssh-ipfw]
enabled = false
filter = sshd
action = osx-ipfw
logpath = /var/log/secure.log
maxretry = 5
[ssh-apf]
enabled = false
filter = sshd
action = apf[name=SSH]
logpath = /var/log/secure
maxretry = 5
[osx-ssh-afctl]
enabled = false
filter = sshd
action = osx-afctl[bantime=600]
logpath = /var/log/secure.log
maxretry = 5
[webmin-auth]
enabled = false
filter = webmin-auth
action = iptables-multiport[name=webmin,port="10000"]
logpath = /var/log/auth.log
# dovecot defaults to logging to the mail syslog facility
# but can be set by syslog_facility in the dovecot configuration.
[dovecot]
enabled = false
filter = dovecot
action = iptables-multiport[name=dovecot, port="pop3,pop3s,imap,imaps,submission,465,sieve", protocol=tcp]
logpath = /var/log/mail.log
[dovecot-auth]
enabled = false
filter = dovecot
action = iptables-multiport[name=dovecot-auth, port="pop3,pop3s,imap,imaps,submission,465,sieve", protocol=tcp]
logpath = /var/log/secure
[solid-pop3d]
enabled = false
filter = solid-pop3d
action = iptables-multiport[name=solid-pop3, port="pop3,pop3s", protocol=tcp]
logpath = /var/log/mail.log
[selinux-ssh]
enabled = false
filter = selinux-ssh
action = iptables[name=SELINUX-SSH, port=ssh, protocol=tcp]
logpath = /var/log/audit/audit.log
maxretry = 5
# See the IMPORTANT note in action.d/blocklist_de.conf for when to
# use this action
#
# Report block via blocklist.de fail2ban reporting service API
# See action.d/blocklist_de.conf for more information
[ssh-blocklist]
enabled = false
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
sendmail-whois[name=SSH, [email protected], [email protected], sendername="Fail2Ban"]
blocklist_de[email="[email protected]", apikey="xxxxxx", service=%(filter)s]
logpath = /var/log/sshd.log
maxretry = 20
# consider low maxretry and a long bantime
# nobody except your own Nagios server should ever probe nrpe
[nagios]
enabled = false
filter = nagios
action = iptables[name=Nagios, port=5666, protocol=tcp]
sendmail-whois[name=Nagios, [email protected], [email protected], sendername="Fail2Ban"]
logpath = /var/log/messages ; nrpe.cfg may define a different log_facility
maxretry = 1
Code: Select all
iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
fail2ban-VESTA tcp -- anywhere anywhere tcp dpt:us-srv
fail2ban-SSH tcp -- anywhere anywhere tcp dpt:ssh
fail2ban-MAIL tcp -- anywhere anywhere multiport dports smtp,urd,submission,ms-v-worlds,pop3,pop3s,imap,imaps
ACCEPT tcp -- anywhere anywhere multiport dports 52000:52100
ACCEPT tcp -- anywhere anywhere tcp dpt:15019
ACCEPT tcp -- anywhere anywhere multiport dports http,https
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp ctstate NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:us-srv
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- site.ru anywhere
ACCEPT all -- localhost anywhere
ACCEPT tcp -- anywhere anywhere tcp spt:ftp-data
ACCEPT tcp -- anywhere anywhere tcp spt:ftp
ACCEPT tcp -- anywhere anywhere tcp spt:ssh
ACCEPT tcp -- anywhere anywhere tcp spt:smtp
ACCEPT udp -- anywhere anywhere udp spt:domain
ACCEPT tcp -- anywhere anywhere tcp spt:http
ACCEPT tcp -- anywhere anywhere tcp spt:https
ACCEPT tcp -- anywhere anywhere tcp spt:pop3
ACCEPT udp -- anywhere anywhere udp spt:ntp
ACCEPT tcp -- anywhere anywhere tcp spt:imap
ACCEPT tcp -- anywhere anywhere tcp spt:mysql
ACCEPT tcp -- anywhere anywhere tcp spt:postgres
ACCEPT tcp -- anywhere anywhere tcp spt:webcache
ACCEPT tcp -- anywhere anywhere tcp spt:8433
ACCEPT tcp -- anywhere anywhere tcp spt:us-srv
ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain fail2ban-MAIL (1 references)
target prot opt source destination
Chain fail2ban-SSH (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain fail2ban-VESTA (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain vesta (0 references)
Code: Select all
ervice fail2ban status
fail2ban-server (pid 8711) is running...
Status
|- Number of jail: 5
`- Jail list: ssh-iptables, vesta-iptables, dovecot-iptables, vsftpd-notification, exim-iptables
[root@konstantin k0nstant1n]# service fail2ban status
fail2ban-server (pid 8711) is running...
Status
|- Number of jail: 5
`- Jail list: ssh-iptables, vesta-iptables, dovecot-iptables, vsftpd-notification, exim-iptables
Code: Select all
service iptables status
Table: filter
Chain INPUT (policy DROP)
num target prot opt source destination
1 fail2ban-VESTA tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8083
2 fail2ban-SSH tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
3 fail2ban-MAIL tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 25,465,587,2525,110,995,143,993
4 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 52000:52100
5 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:15019
6 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
7 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 ctstate NEW
8 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8083
9 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
10 ACCEPT all -- 91.214.71.117 0.0.0.0/0
11 ACCEPT all -- 127.0.0.1 0.0.0.0/0
12 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:20
13 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:21
14 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:22
15 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:25
16 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:53
17 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:80
18 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:443
19 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:110
20 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:123
21 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:143
22 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:3306
23 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:5432
24 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:8080
25 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:8433
26 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:8083
27 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Chain fail2ban-MAIL (1 references)
num target prot opt source destination
Chain fail2ban-SSH (1 references)
num target prot opt source destination
1 RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-VESTA (1 references)
num target prot opt source destination
1 RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain vesta (0 references)
num target prot opt source destination
-
- Posts: 30
- Joined: Tue Sep 24, 2013 4:58 pm
Re: Fail2ban не блокирует атакующих
Вспомнил кое-что, может все дело в этом?
После базовой настройки создал нового пользователя, восстанавливал бекапы так:
sudo /usr/local/vesta/bin/v-restore-user admin admin.2015-01-06.tar, т.е. не под root. А раньше все делал рутом и только потом добавлял нового пользователя.
Может дело в правах?
После базовой настройки создал нового пользователя, восстанавливал бекапы так:
sudo /usr/local/vesta/bin/v-restore-user admin admin.2015-01-06.tar, т.е. не под root. А раньше все делал рутом и только потом добавлял нового пользователя.
Может дело в правах?
Re: Fail2ban не блокирует атакующих
Столкнулся с похожей проблемой. Ручками вбиты через веб-интерфейс ип-адреса в блеклист, но с этих адресов почему то успешно заполняются вебформы.
Re: Fail2ban не блокирует атакующих
Посмотреть лог fail2ban'a там все написано почему не сработал или сработал.