Rules for fail2ban
fail2ban does not block the attackers. Here is what the log shows:
I tried adding new rules, but apparently I am writing something wrong. In the end I reverted to the original version.
Please advise what to write and where so that fail2ban blocks this kind of password brute-forcing.
In the fail2ban log, for the whole time it has been running, there is not a single blocked IP, only service starts and log rotation.
Code:
2015-02-26 02:20:31 no host name found for IP address 209.160.72.123
2015-02-26 02:20:34 dovecot_login authenticator failed for (localhost) [209.160.72.123]: 535 Incorrect authentication data (set_id=test)
2015-02-26 02:20:35 no host name found for IP address 209.160.72.123
2015-02-26 02:20:42 dovecot_login authenticator failed for (localhost) [209.160.72.123]: 535 Incorrect authentication data (set_id=info)
2015-02-26 02:20:43 no host name found for IP address 209.160.72.123
2015-02-26 02:20:54 dovecot_login authenticator failed for (localhost) [209.160.72.123]: 535 Incorrect authentication data (set_id=admin)
2015-02-26 02:20:55 no host name found for IP address 209.160.72.123
2015-02-26 02:21:13 dovecot_login authenticator failed for (localhost) [209.160.72.123]: 535 Incorrect authentication data (set_id=spam)
2015-02-26 02:21:14 no host name found for IP address 209.160.72.123
2015-02-26 02:21:32 dovecot_login authenticator failed for (localhost) [209.160.72.123]: 535 Incorrect authentication data (set_id=webmaster)
2015-02-26 02:21:33 no host name found for IP address 209.160.72.123
2015-02-26 02:21:51 dovecot_login authenticator failed for (localhost) [209.160.72.123]: 535 Incorrect authentication data (set_id=orders)
2015-02-26 02:21:52 no host name found for IP address 209.160.72.123
2015-02-26 02:22:10 dovecot_login authenticator failed for (localhost) [209.160.72.123]: 535 Incorrect authentication data (set_id=support)
2015-02-26 02:22:10 no host name found for IP address 209.160.72.123
2015-02-26 02:22:29 dovecot_login authenticator failed for (localhost) [209.160.72.123]: 535 Incorrect authentication data (set_id=abuse)
2015-02-26 02:22:29 no host name found for IP address 209.160.72.123
2015-02-26 02:22:48 dovecot_login authenticator failed for (localhost) [209.160.72.123]: 535 Incorrect authentication data (set_id=sales)
2015-02-26 02:22:48 no host name found for IP address 209.160.72.123
2015-02-26 02:23:07 dovecot_login authenticator failed for (localhost) [209.160.72.123]: 535 Incorrect authentication data (set_id=guest)
2015-02-26 02:23:07 no host name found for IP address 209.160.72.123
2015-02-26 02:23:26 dovecot_login authenticator failed for (localhost) [209.160.72.123]: 535 Incorrect authentication data (set_id=postmaster)
2015-02-26 02:23:26 no host name found for IP address 209.160.72.123
2015-02-26 02:23:45 dovecot_login authenticator failed for (localhost) [209.160.72.123]: 535 Incorrect authentication data (set_id=john)
2015-02-26 02:23:45 no host name found for IP address 209.160.72.123
2015-02-26 02:24:04 dovecot_login authenticator failed for (localhost) [209.160.72.123]: 535 Incorrect authentication data (set_id=postfix)
2015-02-26 02:24:04 no host name found for IP address 209.160.72.123
2015-02-26 02:24:23 dovecot_login authenticator failed for (localhost) [209.160.72.123]: 535 Incorrect authentication data (set_id=mike)
2015-02-26 02:24:23 no host name found for IP address 209.160.72.123
2015-02-26 02:24:42 dovecot_login authenticator failed for (localhost) [209.160.72.123]: 535 Incorrect authentication data (set_id=alex)
2015-02-26 02:24:42 no host name found for IP address 209.160.72.123
2015-02-26 02:25:01 dovecot_login authenticator failed for (localhost) [209.160.72.123]: 535 Incorrect authentication data (set_id=jobs)
2015-02-26 02:25:01 no host name found for IP address 209.160.72.123
2015-02-26 02:25:20 dovecot_login authenticator failed for (localhost) [209.160.72.123]: 535 Incorrect authentication data (set_id=public)
2015-02-26 02:25:20 no host name found for IP address 209.160.72.123
2015-02-26 02:25:34 SMTP command timeout on TLS connection from (localhost) [209.160.72.123]
2015-02-26 02:25:39 dovecot_login authenticator failed for (localhost) [209.160.72.123]: 535 Incorrect authentication data (set_id=ryan)
2015-02-26 02:25:39 no host name found for IP address 209.160.72.123
2015-02-26 02:25:42 SMTP command timeout on TLS connection from (localhost) [209.160.72.123]
2015-02-26 02:25:54 SMTP command timeout on TLS connection from (localhost) [209.160.72.123]
2015-02-26 02:25:58 dovecot_login authenticator failed for (localhost) [209.160.72.123]: 535 Incorrect authentication data (set_id=rudy)
2015-02-26 02:25:58 no host name found for IP address 209.160.72.123
2015-02-26 02:26:13 SMTP command timeout on TLS connection from (localhost) [209.160.72.123]
2015-02-26 02:26:17 dovecot_login authenticator failed for (localhost) [209.160.72.123]: 535 Incorrect authentication data (set_id=news)
2015-02-26 02:26:17 no host name found for IP address 209.160.72.123
2015-02-26 02:26:32 SMTP command timeout on TLS connection from (localhost) [209.160.72.123]
2015-02-26 02:26:36 dovecot_login authenticator failed for (localhost) [209.160.72.123]: 535 Incorrect authentication data (set_id=backup)
2015-02-26 02:26:37 no host name found for IP address 209.160.72.123
2015-02-26 02:26:51 SMTP command timeout on TLS connection from (localhost) [209.160.72.123]
2015-02-26 02:26:55 dovecot_login authenticator failed for (localhost) [209.160.72.123]: 535 Incorrect authentication data (set_id=scanner)
2015-02-26 02:26:55 no host name found for IP address 209.160.72.123
2015-02-26 02:27:10 SMTP command timeout on TLS connection from (localhost) [209.160.72.123]
2015-02-26 02:27:14 dovecot_login authenticator failed for (localhost) [209.160.72.123]: 535 Incorrect authentication data (set_id=scan)
2015-02-26 02:27:14 no host name found for IP address 209.160.72.123
2015-02-26 02:27:29 SMTP command timeout on TLS connection from (localhost) [209.160.72.123]
2015-02-26 02:27:33 dovecot_login authenticator failed for (localhost) [209.160.72.123]: 535 Incorrect authentication data (set_id=xerox)
2015-02-26 02:27:33 no host name found for IP address 209.160.72.123
2015-02-26 02:27:48 SMTP command timeout on TLS connection from (localhost) [209.160.72.123]
2015-02-26 02:27:52 dovecot_login authenticator failed for (localhost) [209.160.72.123]: 535 Incorrect authentication data (set_id=reception)
2015-02-26 02:27:52 no host name found for IP address 209.160.72.123
2015-02-26 02:28:07 SMTP command timeout on TLS connection from (localhost) [209.160.72.123]
2015-02-26 02:28:11 dovecot_login authenticator failed for (localhost) [209.160.72.123]: 535 Incorrect authentication data (set_id=utente)
2015-02-26 02:28:11 no host name found for IP address 209.160.72.123
2015-02-26 02:28:26 SMTP command timeout on TLS connection from (localhost) [209.160.72.123]
2015-02-26 02:28:30 dovecot_login authenticator failed for (localhost) [209.160.72.123]: 535 Incorrect authentication data (set_id=besadmin)
2015-02-26 02:28:30 no host name found for IP address 209.160.72.123
2015-02-26 02:28:45 SMTP command timeout on TLS connection from (localhost) [209.160.72.123]
2015-02-26 02:28:49 dovecot_login authenticator failed for (localhost) [209.160.72.123]: 535 Incorrect authentication data (set_id=usuario)
2015-02-26 02:28:49 no host name found for IP address 209.160.72.123
2015-02-26 02:29:04 SMTP command timeout on TLS connection from (localhost) [209.160.72.123]
2015-02-26 02:29:08 dovecot_login authenticator failed for (localhost) [209.160.72.123]: 535 Incorrect authentication data (set_id=office)
2015-02-26 02:29:08 no host name found for IP address 209.160.72.123
2015-02-26 02:29:23 SMTP command timeout on TLS connection from (localhost) [209.160.72.123]
2015-02-26 02:29:27 dovecot_login authenticator failed for (localhost) [209.160.72.123]: 535 Incorrect authentication data (set_id=account)
2015-02-26 02:29:27 no host name found for IP address 209.160.72.123
2015-02-26 02:29:42 SMTP command timeout on TLS connection from (localhost) [209.160.72.123]
2015-02-26 02:29:46 dovecot_login authenticator failed for (localhost) [209.160.72.123]: 535 Incorrect authentication data (set_id=accounts)
2015-02-26 02:29:46 no host name found for IP address 209.160.72.123
2015-02-26 02:30:01 SMTP command timeout on TLS connection from (localhost) [209.160.72.123]
2015-02-26 02:30:05 dovecot_login authenticator failed for (localhost) [209.160.72.123]: 535 Incorrect authentication data (set_id=service)
2015-02-26 02:30:05 no host name found for IP address 209.160.72.123
2015-02-26 02:30:20 SMTP command timeout on TLS connection from (localhost) [209.160.72.123]
2015-02-26 02:30:24 dovecot_login authenticator failed for (localhost) [209.160.72.123]: 535 Incorrect authentication data (set_id=services)
2015-02-26 02:30:25 no host name found for IP address 209.160.72.123
2015-02-26 02:30:39 SMTP command timeout on TLS connection from (localhost) [209.160.72.123]
2015-02-26 02:30:43 dovecot_login authenticator failed for (localhost) [209.160.72.123]: 535 Incorrect authentication data (set_id=sms)
2015-02-26 02:30:43 no host name found for IP address 209.160.72.123
2015-02-26 02:30:58 SMTP command timeout on TLS connection from (localhost) [209.160.72.123]
2015-02-26 02:31:02 dovecot_login authenticator failed for (localhost) [209.160.72.123]: 535 Incorrect authentication data (set_id=mail)
2015-02-26 02:31:02 no host name found for IP address 209.160.72.123
2015-02-26 02:31:17 SMTP command timeout on TLS connection from (localhost) [209.160.72.123]
2015-02-26 02:31:21 dovecot_login authenticator failed for (localhost) [209.160.72.123]: 535 Incorrect authentication data (set_id=ventes)
2015-02-26 02:31:22 no host name found for IP address 209.160.72.123
2015-02-26 02:31:36 SMTP command timeout on TLS connection from (localhost) [209.160.72.123]
2015-02-26 02:31:40 dovecot_login authenticator failed for (localhost) [209.160.72.123]: 535 Incorrect authentication data (set_id=manager)
2015-02-26 02:31:40 no host name found for IP address 209.160.72.123
2015-02-26 02:31:55 SMTP command timeout on TLS connection from (localhost) [209.160.72.123]
2015-02-26 02:31:59 dovecot_login authenticator failed for (localhost) [209.160.72.123]: 535 Incorrect authentication data (set_id=shipping)
2015-02-26 02:31:59 no host name found for IP address 209.160.72.123
2015-02-26 02:32:14 SMTP command timeout on TLS connection from (localhost) [209.160.72.123]
2015-02-26 02:32:18 dovecot_login authenticator failed for (localhost) [209.160.72.123]: 535 Incorrect authentication data (set_id=staff)
2015-02-26 02:32:18 no host name found for IP address 209.160.72.123
2015-02-26 02:32:33 SMTP command timeout on TLS connection from (localhost) [209.160.72.123]
2015-02-26 02:32:37 dovecot_login authenticator failed for (localhost) [209.160.72.123]: 535 Incorrect authentication data (set_id=help)
2015-02-26 02:32:37 no host name found for IP address 209.160.72.123
2015-02-26 02:32:52 SMTP command timeout on TLS connection from (localhost) [209.160.72.123]
2015-02-26 02:32:56 dovecot_login authenticator failed for (localhost) [209.160.72.123]: 535 Incorrect authentication data (set_id=helpdesk)
2015-02-26 02:32:56 no host name found for IP address 209.160.72.123
2015-02-26 02:33:11 SMTP command timeout on TLS connection from (localhost) [209.160.72.123]
2015-02-26 02:33:15 dovecot_login authenticator failed for (localhost) [209.160.72.123]: 535 Incorrect authentication data (set_id=fax)
2015-02-26 02:33:15 no host name found for IP address 209.160.72.123
2015-02-26 02:33:30 SMTP command timeout on TLS connection from (localhost) [209.160.72.123]
2015-02-26 02:33:34 dovecot_login authenticator failed for (localhost) [209.160.72.123]: 535 Incorrect authentication data (set_id=temp)
2015-02-26 02:33:34 no host name found for IP address 209.160.72.123
2015-02-26 02:33:49 SMTP command timeout on TLS connection from (localhost) [209.160.72.123]
2015-02-26 02:33:53 dovecot_login authenticator failed for (localhost) [209.160.72.123]: 535 Incorrect authentication data (set_id=user)
2015-02-26 02:33:53 no host name found for IP address 209.160.72.123
2015-02-26 02:34:08 SMTP command timeout on TLS connection from (localhost) [209.160.72.123]
2015-02-26 02:34:12 dovecot_login authenticator failed for (localhost) [209.160.72.123]: 535 Incorrect authentication data (set_id=root)
2015-02-26 02:34:12 no host name found for IP address 209.160.72.123
2015-02-26 02:34:27 SMTP command timeout on TLS connection from (localhost) [209.160.72.123]
2015-02-26 02:34:31 dovecot_login authenticator failed for (localhost) [209.160.72.123]: 535 Incorrect authentication data (set_id=assistance)
2015-02-26 02:34:31 no host name found for IP address 209.160.72.123
2015-02-26 02:34:46 SMTP command timeout on TLS connection from (localhost) [209.160.72.123]
2015-02-26 02:34:50 dovecot_login authenticator failed for (localhost) [209.160.72.123]: 535 Incorrect authentication data (set_id=administrator)
2015-02-26 02:34:50 no host name found for IP address 209.160.72.123
2015-02-26 02:35:05 SMTP command timeout on TLS connection from (localhost) [209.160.72.123]
2015-02-26 02:35:09 dovecot_login authenticator failed for (localhost) [209.160.72.123]: 535 Incorrect authentication data (set_id=administrateur)
2015-02-26 02:35:09 no host name found for IP address 209.160.72.123
2015-02-26 02:35:24 SMTP command timeout on TLS connection from (localhost) [209.160.72.123]
2015-02-26 02:35:28 dovecot_login authenticator failed for (localhost) [209.160.72.123]: 535 Incorrect authentication data (set_id=administrador)
Re: Rules for fail2ban
Hi, I tried changing the rules in the files /etc/fail2ban/filter.d/exim.conf and /etc/fail2ban/filter.d/dovecot.conf
Code:
[INCLUDES]
before = exim-common.conf

[Definition]
failregex = login authenticator failed for (\S+ )?\(\S+\) \[<HOST>\](:\d+)?: 535 Incorrect authentication data
            ^%(pid)s %(host_info)ssender verify fail for <\S+>: (?:Unknown user|Unrouteable address|all relevant MX records point to non-existent hosts)\s*$
            ^%(pid)s %(host_info)sF=(<>|[^@]+@\S+) rejected RCPT [^@]+@\S+: (relay not permitted|Sender verify failed|Unknown user)\s*$
            ^%(pid)s SMTP protocol synchronization error \([^)]*\): rejected (connection from|"\S+") %(host_info)s(next )?input=".*"\s*$
            ^%(pid)s SMTP call from \S+ \[<HOST>\](:\d+)? (I=\[\S+\]:\d+ )?dropped: too many nonmail commands \(last was "\S+"\)\s*$
ignoreregex =
Code:
[INCLUDES]
before = common.conf

[Definition]
failregex = login: .*auth failed.*attempts.* rip=<HOST>,.*$
ignoreregex =
Re: Rules for fail2ban
Dear administrators! Would you be so kind as to post working fail2ban configs. It simply refuses to block anyone. The logs contain a great many login attempts against various services by all sorts of bots, while fail2ban with the default config stays stubbornly silent. I would very much like to stop these attempts.
Thanks in advance.
P.S. I tried changing the config as Deeryo suggested; still silence.
Re: Rules for fail2ban
Take it up with the authors: write to https://github.com/fail2ban/fail2ban/issues and describe what does not work.
As soon as a ready solution exists, it can be updated, why not?
Please understand that fail2ban is not VestaCP but a third-party product that is developed and maintained by entirely different people. It ships with a certain basic config, but any further modifications (as with the other configs) are up to the users.
Re: Rules for fail2ban
Fail2ban does not work elsewhere either without some tinkering; that is just how it is.
Re: Rules for fail2ban
I understand all that, it is just that surely it works for someone. Maybe someone could share their configs. After all, the logs are surely generated the same way for everyone.
And when addressing the developers, I meant that the basic configs are already written by them out of the box, and by rights everything should work. But it does not.
Re: Rules for fail2ban
gurvinek wrote:
> I understand all that, it is just that surely it works for someone. Maybe someone could share their configs. After all, the logs are surely generated the same way for everyone.
> And when addressing the developers, I meant that the basic configs are already written by them out of the box, and by rights everything should work. But it does not.
They should, except that the panel developers and the fail2ban developers are completely different people :/
Mine occasionally shows some Chinese hosts that got banned...
Re: Rules for fail2ban
Here is my fail2ban config; everything works.
Default trigger settings for all filters (unless defined specifically for a filter):
I also added this myself:
And a filter for recidivists:
At the output I get this:

Code:
cat /etc/fail2ban/jail.local
[ssh-iptables]
enabled = true
filter = sshd
action = vesta[name=SSH]
logpath = /var/log/secure
maxretry = 3

[vsftpd-iptables]
enabled = true
filter = vsftpd
action = vesta[name=FTP]
logpath = /var/log/vsftpd.log
maxretry = 3

[exim-iptables]
enabled = true
filter = exim
action = vesta[name=MAIL]
logpath = /var/log/exim/main.log

[dovecot-iptables]
enabled = true
filter = dovecot
action = vesta[name=MAIL]
logpath = /var/log/dovecot.log

[mysqld-iptables]
enabled = true
filter = mysqld-auth
action = vesta[name=DB]
logpath = /var/log/mysqld.log
maxretry = 5

[vesta-iptables]
enabled = true
filter = vesta
action = vesta[name=VESTA]
logpath = /var/log/vesta/auth.log
maxretry = 3

Code:
# "bantime" is the number of seconds that a host is banned.
bantime = 86400
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600
# "maxretry" is the number of failures before a host get banned.
maxretry = 3

Code:
cat /etc/fail2ban/fail2ban.conf |grep logtarget
# Option: logtarget
# If you change logtarget from the default value and you are
logtarget = /var/log/fail2ban.log

Code:
[recidive]
enabled = true
filter = recidive
logpath = /var/log/fail2ban.log
action = iptables-allports[name=recidive,protocol=all]
         sendmail-whois-lines[name=recidive, logpath=/var/log/fail2ban.log]
bantime = 1814400 ;3 week
findtime = 345600 ;4 day
maxretry = 3
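As an added example (not part of the thread and not fail2ban's own code), the Python below re-implements the two steps the daemon performs on each Exim line: cut off the timestamp, then search the failregex with the <HOST> tag expanded. It then applies the maxretry = 3 / findtime = 600 rule from the jail defaults quoted above to constructed sample lines in the same format as the log in the first post. It assumes fail2ban's standard <HOST> expansion and that no ignoreregex applies; the sample addresses are documentation-range placeholders.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Deeryo's failregex for dovecot_login failures, as posted in the thread.
FAILREGEX = (r"login authenticator failed for (\S+ )?\(\S+\) \[<HOST>\](:\d+)?: "
             r"535 Incorrect authentication data")
# fail2ban expands the <HOST> tag into a named group before compiling the pattern.
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
# Exim main.log prefix "YYYY-MM-DD HH:MM:SS " followed by the message text.
EXIM_DATE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.*)$")

# Constructed sample in the format of the log quoted in the thread; the addresses
# are documentation-range placeholders, not the one from the original post.
SAMPLE_LOG = """\
2015-02-26 02:20:34 dovecot_login authenticator failed for (localhost) [192.0.2.10]: 535 Incorrect authentication data (set_id=test)
2015-02-26 02:20:42 dovecot_login authenticator failed for (localhost) [192.0.2.10]: 535 Incorrect authentication data (set_id=info)
2015-02-26 02:25:34 SMTP command timeout on TLS connection from (localhost) [192.0.2.10]
2015-02-26 02:25:39 dovecot_login authenticator failed for (localhost) [192.0.2.10]: 535 Incorrect authentication data (set_id=ryan)
2015-02-26 03:00:00 dovecot_login authenticator failed for (localhost) [198.51.100.7]: 535 Incorrect authentication data (set_id=root)
2015-02-26 03:15:00 dovecot_login authenticator failed for (localhost) [198.51.100.7]: 535 Incorrect authentication data (set_id=admin)
2015-02-26 03:30:00 dovecot_login authenticator failed for (localhost) [198.51.100.7]: 535 Incorrect authentication data (set_id=user)
""".splitlines()


def compile_failregex(pattern):
    return re.compile(pattern.replace("<HOST>", HOST_TAG))


def match_line(regex, line):
    """Return (timestamp, host) for a failure line, else None. As in fail2ban,
    the date is cut off first and the pattern is searched, not anchored."""
    m = EXIM_DATE.match(line)
    if not m:
        return None
    hit = regex.search(m.group(2))
    if not hit:
        return None
    return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), hit.group("host")


def find_bans(lines, pattern, maxretry=3, findtime=600):
    """Ban a host once it reaches maxretry failures inside a sliding window of
    findtime seconds. Returns {host: timestamp of the failure that triggered it}."""
    regex = compile_failregex(pattern)
    recent = defaultdict(deque)   # host -> failure timestamps still in the window
    bans = {}
    for line in lines:
        hit = match_line(regex, line)
        if hit is None:
            continue
        ts, host = hit
        q = recent[host]
        q.append(ts)
        while ts - q[0] > timedelta(seconds=findtime):   # expire old failures
            q.popleft()
        if len(q) >= maxretry and host not in bans:
            bans[host] = ts
    return bans
```

With the defaults, 192.0.2.10 is banned at 02:25:39 while 198.51.100.7 never is, because its three failures are 15 minutes apart and fall out of the 600-second window. If a run like this reports a ban for your real log lines but the daemon stays silent, the filter is not the problem and the jail's logpath and fail2ban's own log are the places to look.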

Re: Rules for fail2ban
For some reason my fail2ban does not ban anyone at all. The rules start up, status shows that everything is running, fail2ban-regex does find something in the logs with the regexes, but the fail2ban log only contains entries about the rules starting. That is all. Where should I dig? Please advise...
Re: Rules for fail2ban
gurvinek wrote:
> For some reason my fail2ban does not ban anyone at all. The rules start up, status shows that everything is running, fail2ban-regex does find something in the logs with the regexes, but the fail2ban log only contains entries about the rules starting. That is all. Where should I dig? Please advise...
Check the paths to the logs first.
Look at what fail2ban itself writes to its own log.