
#1 On 17/04/2007 at 08:13

deleted account

Does fail2ban do its job under Edgy? :o

Hi

While I thought I was blocking at the 3rd failed login attempt, Logwatch showed me this this morning:

--------------------- SSHD Begin ------------------------


Failed logins from:
    129.125.169.180 (sgi1.farm.rug.nl): 3500 times
       root/password: 3482 times
       mail/password: 7 times
       mysql/password: 3 times
       sshd/password: 2 times
       backup/password: 1 time
       clamav/password: 1 time
       games/password: 1 time
       news/password: 1 time
       nobody/password: 1 time
       www-data/password: 1 time

Illegal users from:
    59.125.204.97 (59-125-204-97.HINET-IP.hinet.net): 21 times
       admin/password: 1 time
(...)
    129.125.169.180 (sgi1.farm.rug.nl): 968 times
       admin/password: 212 times
       test/password: 10 times
       guest/password: 9 times
(...)

---------------------- SSHD End -------------------------

My /etc/fail2ban.conf

# Fail2Ban configuration file
#
# $Revision: 1.9 $
#
# 2005.06.21  modified for readability  Iain Lea  iain@bricbrac.de

[DEFAULT]
# Option:  background
# Notes.:  start fail2ban as a daemon. Output is redirected to logfile.
# Values:  [true | false]  Default:  false
#
background = true

# Option:  verbose
# Notes.:  verbosity of the output.
#           0 - regular level
#           1 - INFO level
#           2 - DEBUG level (but commands get executed as opposed to
#                debug option)
# Values:  NUM  Default:  0
#
verbose = 1

# Option:  debug
# Notes.:  enable debug mode. No real commands get executed; they are only
#          reported. More verbose output, bypasses the root user test.
# Values:  [true | false]  Default:  false
#
debug = false

# Option:  logtargets
# Notes.:  log targets. Space separated list of logging targets.
# Values:  STDERR SYSLOG file  Default:  /var/log/fail2ban.log
#
logtargets = /var/log/fail2ban.log

# Option:  syslog-target
# Notes.:  where to find syslog facility if logtarget SYSLOG.
# Values:  SOCKET HOST HOST:PORT  Default: /dev/log
#
syslog-target = /dev/log

# Option:  syslog-facility
# Notes.:  which syslog facility to use if logtarget SYSLOG.
# Values:  NUM  Default: 1
#
syslog-facility = 1

# Option:  pidlock
# Notes.:  path of the PID lock file (must be able to write to file).
# Values:  FILE  Default:  /var/run/fail2ban.pid
#
pidlock = /var/run/fail2ban.pid

# Option:  maxfailures
# Notes.:  number of failures before IP gets banned.
# Values:  NUM  Default:  5
#
maxfailures = 3

# Option:  bantime
# Notes.:  number of seconds an IP will be banned. If set to a negative
#          value, IP will never be unbanned (permanent banning).
# Values:  NUM  Default:  600
#
bantime = 2000

# Option:  findtime
# Notes.:  lifetime in seconds of a "failed" log entry.
# Values:  NUM  Default:  600
#
findtime = 600

# Option:  ignoreip
# Notes.:  space separated list of IPs to be ignored by fail2ban.
#          You can use CIDR mask in order to specify a range.
#          Example:  ignoreip = 192.168.0.1/24 123.45.235.65
# Values:  IP  Default: 
#
ignoreip =

# Option:  cmdstart
# Notes.:  command executed once at the start of Fail2Ban
# Values:  CMD  Default:
#
cmdstart =

# Option:  cmdend
# Notes.:  command executed once at the end of Fail2Ban.
# Values:  CMD  Default:
#
cmdend =

# Option:  polltime
# Notes.:  number of seconds fail2ban sleeps between iterations.
# Values:  NUM  Default:  1
#
polltime = 1

# Option:  reinittime
# Notes.:  minimal number of seconds between the re-initialization of
#          firewalls due to external changes in their rules (see fwcheck)
# Values:  NUM  Default:  100
#
reinittime = 10

# Option:  maxreinits
# Notes.:  maximal number of re-initialization of firewalls due to external
#          changes. -1 stands for infinite, so only reinittime is of importance
# Values:  NUM  Default:  -1
#
maxreinits = 1000

# NOTE: Interpolations
#
# fwstart, as well as fwend, fwcheck, fwban, fwunban, use interpolations
# so %(__name__)s  will be substituted by a name of each section
# (unless the option is overridden in a section).
# If you are going to use interpolations in your setup, please make
# sure that you specified options port and protocol (which also has
# an option in DEFAULT).
#

# Option:  protocol
# Notes.:  internally used by config reader for interpolations.
# Values:  [ tcp | udp | icmp | all ] Default: tcp
#
protocol = tcp

# Option:  fwchain
# Notes.:  chain from which to jump into fail2ban chains
# Values:  TEXT  Default: INPUT
#
fwchain = INPUT

# Option:  fwstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD  Default:
#
fwstart = iptables -N fail2ban-%(__name__)s
          iptables -A fail2ban-%(__name__)s -j RETURN
          iptables -I %(fwchain)s -p %(protocol)s --dport %(port)s -j fail2ban-%(__name__)s

# Option:  fwend
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD  Default:
#
fwend = iptables -D %(fwchain)s -p %(protocol)s --dport %(port)s -j fail2ban-%(__name__)s
        iptables -F fail2ban-%(__name__)s
        iptables -X fail2ban-%(__name__)s

# Option:  fwcheck
# Notes.:  command executed once before each fwban command
# Values:  CMD  Default:
#
fwcheck = iptables -L %(fwchain)s | grep -q fail2ban-%(__name__)s

# Option:  fwban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#          <failtime>  unix timestamp of the last failure
#          <bantime>  unix timestamp of the ban time
# Values:  CMD
# Default: iptables -I INPUT 1 -s <ip> -j DROP
#
fwban = iptables -I fail2ban-%(__name__)s 1 -s <ip> -j DROP

# Option:  fwunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <bantime>  unix timestamp of the ban time
#          <unbantime>  unix timestamp of the unban time
# Values:  CMD
# Default: iptables -D INPUT -s <ip> -j DROP
#
fwunban = iptables -D fail2ban-%(__name__)s -s <ip> -j DROP

[MAIL]
# Option:  enabled
# Notes.:  enable mail notification when banning an IP address.
# Values:  [true | false]  Default:  false
#
enabled = true

# Option:  host
# Notes.:  host running the mail server.
# Values:  STR  Default:  localhost
#
host = localhost

# Option:  port
# Notes.:  port of the mail server.
# Values:  INT  Default:  25
#
port = 25

# Option:  user
# Notes.:  the username for smtp-server if authentication is required.
#          if user is empty, no authentication is done.
# Values:  STR  Default: 
#
user =

# Option:  password
# Notes.:  the smtp-user's password if authentication is required.
# Values:  STR  Default: 
#
password =

# Option:  from
# Notes.:  e-mail address of the sender.
# Values:  MAIL  Default:  fail2ban
#
from = fail2ban@localhost

# Option:  to
# Notes.:  e-mail addresses of the receiver. Addresses are space
#          separated.
# Values:  MAIL  Default:  root
#
to = monpseudo@mamachine

# Option:  localtime
# Notes.:  report local time (including timezone) or GMT
# Values:  [true | false]  Default:  false
#
localtime = true

# Option:  subject
# Notes.:  subject of the e-mail.
# Tags:    <section> active section (eg ssh, apache, etc)
#          <ip>  IP address
#          <failures>  number of failures
#          <failtime>  unix timestamp of the last failure
# Values:  TEXT  Default:  [Fail2Ban] <section>: Banned <ip>
#
subject = [Fail2Ban] <section>: Banned <ip>

# Option:  message
# Notes.:  message of the e-mail.
# Tags:    <section> active section (eg ssh, apache, etc)
#          <ip>  IP address
#          <failures>  number of failures
#          <failtime>  unix timestamp of the last failure
#          <br>  new line
# Values:  TEXT  Default:
#
message = Hi,<br>
          The IP <ip> has just been banned by Fail2Ban after
          <failures> attempts against <section>.<br>
          Regards,<br>
          Fail2Ban

# You can define a new section for each log file to check for
# password failure. Each section has to define the following
# options: logfile, fwban, fwunban, timeregex, timepattern,
# failregex.


[SASL]
# Option:  enabled
# Notes.:  enable monitoring for this section.
# Values:  [true | false]  Default:  true
#
enabled = false

# Option:  port
# Notes.:  specifies port to monitor
# Values:  [ NUM | STRING ]  Default:
#
port = smtp

# Option:  logfile
# Notes.:  logfile to monitor.
# Values:  FILE  Default:  /var/log/auth.log
#
logfile = /var/log/mail.log

# Option:  timeregex
# Notes.:  regex to match timestamp
# Values:  [Mar  7 17:53:28]
# Default: \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}
#
timeregex = \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}

# Option:  timepattern
# Notes.:  format used in "timeregex" fields definition. Note that '%' must be
#          escaped with '%' (see http://rgruet.free.fr/PQR2.3.html#timeModule)
# Values:  TEXT  Default:  %%b %%d %%H:%%M:%%S
#
timepattern = %%b %%d %%H:%%M:%%S

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile.
# Values:  TEXT  Default:
#
failregex = : warning: [-._\w]+\[(?P<host>[.\d]+)\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed$


[Apache]
# Option:  enabled
# Notes.:  enable monitoring for this section.
# Values:  [true | false]  Default:  false
#
enabled = true

# Option:  logfile
# Notes.:  logfile to monitor.
# Values:  FILE  Default:  /var/log/apache/error.log
# Other.: /var/log/apache2/error.log
#
logfile = /var/log/apache2/error.log

# Option:  port
# Notes.:  specifies port to monitor
# Values:  [ NUM | STRING ]  Default:
#
port = http

# Option:  timeregex
# Notes.:  regex to match timestamp in Apache logfile. For TAI64N format,
#          use timeregex = @[0-9a-f]{24}
# Values:  [Wed Jan 05 15:08:01 2005]
# Default: \S{3} \S{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}
#
timeregex = \S{3} \S{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}

# Option:  timepattern
# Notes.:  format used in "timeregex" fields definition. Note that '%' must be
#          escaped with '%' (see http://rgruet.free.fr/PQR2.3.html#timeModule).
#          For TAI64N format, use timepattern = tai64n
# Values:  TEXT  Default:  %%a %%b %%d %%H:%%M:%%S %%Y
#
timepattern = %%a %%b %%d %%H:%%M:%%S %%Y

# Option:  failregex
# Notes.:  regex to match the password failure messages in the logfile.
# Values:  TEXT  Default:  [[]client (?P<host>\S*)[]] user .*(?:: authentication failure|not found)
#
failregex = [[]client (?P<host>\S*)[]] user .*(?:: authentication failure|not found)

[ApacheAttacks]
# Option:  enabled
# Notes.:  enable monitoring for this section.
# Values:  [true | false]  Default:  false
#
enabled = false

# Option:  logfile
# Notes.:  logfile to monitor.
# Values:  FILE  Default:  /var/log/apache/access.log
#
logfile = /var/log/apache/access.log

# Option:  port
# Notes.:  specifies port to monitor
# Values:  [ NUM | STRING ]  Default:
#
port = http

# Option:  maxfailures
# Notes.:  number of failures before IP gets banned.
# Values:  NUM  Default:  5
#
maxfailures = 2

# Option:  timeregex
# Notes.:  regex to match timestamp in Apache access logfile.
# Values:  [19/Feb/2006:08:38:18]
# Default: \d{2}/\S{3}/\d{4}:\d{2}:\d{2}:\d{2}
#
timeregex = \d{2}/\S{3}/\d{4}:\d{2}:\d{2}:\d{2}

# Option:  timepattern
# Notes.:  format used in "timeregex" fields definition. Note that '%' must be
#          escaped with '%' (see http://rgruet.free.fr/PQR2.3.html#timeModule)
# Values:  TEXT  Default: %%d/%%b/%%Y:%%H:%%M:%%S
#
timepattern = %%d/%%b/%%Y:%%H:%%M:%%S

# Option:  failregex
# Notes.:  regex to match the password failure messages in the logfile.
# Values:  TEXT  Default:  [[]client (?P<host>\S*)[]] user .*(?:: authentication failure|not found)
#
failregex = ^(?P<host>\S*) -.*"GET .*(?:awstats\.pl\?configdir=|index2\.php\?_REQUEST\[option\].*)\|echo.*

[VSFTPD]
# Option: enabled
# Notes.: enable monitoring for this section.
# Values: [true | false] Default: false
#
enabled = false

# Option: logfile
# Notes.: logfile to monitor.
# Values: FILE Default: /var/log/secure
#
logfile = /var/log/vsftpd.log

# Option:  port
# Notes.:  specifies port to monitor
# Values:  [ NUM | STRING ]  Default:
#
port = ftp

# Option: timeregex
# Notes.: regex to match timestamp in VSFTPD logfile.
# Values: [Mar 7 17:53:28]
# Default: \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}
#
timeregex = \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}

# Option: timepattern
# Notes.: format used in "timeregex" fields definition. Note that '%' must be
# escaped with '%' (see http://rgruet.free.fr/PQR2.3.html#timeModule)
# Values: TEXT Default: %%b %%d %%H:%%M:%%S
#
timepattern = %%b %%d %%H:%%M:%%S

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile.
# Values: TEXT Default: Authentication failure|Failed password|Invalid user
#
failregex = \[.+\] FAIL LOGIN: Client "(?P<host>\S+)"$


[PROFTPD]
# Option: enabled
# Notes.: enable monitoring for this section.
# Values: [true | false] Default: false
#
enabled = false

# Option: logfile
# Notes.: logfile to monitor.
# Values: FILE Default: /var/log/proftpd/proftpd.log
# Other.: /var/log/auth.log
#
logfile = /var/log/proftpd/proftpd.log

# Option:  port
# Notes.:  specifies port to monitor
# Values:  [ NUM | STRING ]  Default: ftp
#
port = ftp

# Option: timeregex
# Notes.: regex to match timestamp in PROFTPD logfile.
# Values: [Mar 7 17:53:28]
# Default: \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}
#
timeregex = \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}

# Option: timepattern
# Notes.: format used in "timeregex" fields definition. Note that '%' must be
# escaped with '%' (see http://rgruet.free.fr/PQR2.3.html#timeModule)
# Values: TEXT Default: %%b %%d %%H:%%M:%%S
#
timepattern = %%b %%d %%H:%%M:%%S

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile.
# Values: TEXT Default:
#
failregex = USER \S+: no such user found from \S* ?\[(?P<host>\S+)\] to \S+\s*$


[SSH]
# Option:  enabled
# Notes.:  enable monitoring for this section.
# Values:  [true | false]  Default:  true
#
enabled = true

# Option:  logfile
# Notes.:  logfile to monitor.
# Values:  FILE  Default:  /var/log/auth.log
#
logfile = /var/log/auth.log

# Option:  port
# Notes.:  specifies port to monitor
# Values:  [ NUM | STRING ]  Default:
#
port = ssh

# Option:  timeregex
# Notes.:  regex to match timestamp in SSH logfile. For TAI64N format,
#          use timeregex = @[0-9a-f]{24}
# Values:  [Mar  7 17:53:28]
# Default: \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}
#
timeregex = \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}

# Option:  timepattern
# Notes.:  format used in "timeregex" fields definition. Note that '%' must be
#          escaped with '%' (see http://rgruet.free.fr/PQR2.3.html#timeModule).
#          For TAI64N format, use timepattern = tai64n
# Values:  TEXT  Default:  %%b %%d %%H:%%M:%%S
#
timepattern = %%b %%d %%H:%%M:%%S

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile.
# Values:  TEXT  Default:  (?:Authentication failure|Failed (?:keyboard-interactive/pam|password)) for(?: illegal user)? .* from (?:::f{4,6}:)?(?P<host>\S*)
#
failregex = : (?:(?:Authentication failure|Failed [-/\w+]+) for(?: [iI](?:llegal|nvalid) user)?|[Ii](?:llegal|nvalid) user|ROOT LOGIN REFUSED) .*(?: from|FROM) (?:::f{4,6}:)?(?P<host>\S*)

And in /var/log/fail2ban.log it looks like I also have a small locale problem:

2007-04-17 08:51:01,797 WARNING: Restoring firewall rules...
2007-04-17 08:51:01,836 INFO: Exiting...
2007-04-17 08:51:02,238 WARNING: Verbose level is 1
2007-04-17 08:51:02,239 INFO: Fail2Ban v0.6.1 is running
2007-04-17 08:51:02,249 INFO: Enabled sections: ['SSH', 'Apache']
2007-04-17 08:51:02,249 WARNING:  is not a valid IP address
2007-04-17 08:51:02,271 ERROR: time data did not match format:  data=Apr 17 07:42:29  fmt=%b %d %H:%M:%S
2007-04-17 08:51:02,271 ERROR: Please check the format and your locale settings.
2007-04-17 08:51:02,274 ERROR: time data did not match format:  data=Apr 17 08:51:01  fmt=%b %d %H:%M:%S
2007-04-17 08:51:02,274 ERROR: Please check the format and your locale settings.
2007-04-17 08:51:02,331 ERROR: time data did not match format:  data=Sun Apr 15 07:39:34 2007  fmt=%a %b %d %H:%M:%S %Y
2007-04-17 08:51:02,331 ERROR: Please check the format and your locale settings.
2007-04-17 08:51:02,332 ERROR: time data did not match format:  data=Sun Apr 15 07:39:34 2007  fmt=%a %b %d %H:%M:%S %Y
2007-04-17 08:51:02,332 ERROR: Please check the format and your locale settings.
2007-04-17 08:54:04,470 ERROR: time data did not match format:  data=Apr 17 07:42:29  fmt=%b %d %H:%M:%S
2007-04-17 08:54:04,470 ERROR: Please check the format and your locale settings.
2007-04-17 08:54:04,843 ERROR: time data did not match format:  data=Apr 17 08:54:04  fmt=%b %d %H:%M:%S
2007-04-17 08:54:04,843 ERROR: Please check the format and your locale settings.

$ locale
LANG=fr_FR.UTF-8
LC_CTYPE="fr_FR.UTF-8"
LC_NUMERIC="fr_FR.UTF-8"
LC_TIME="fr_FR.UTF-8"
LC_COLLATE="fr_FR.UTF-8"
LC_MONETARY="fr_FR.UTF-8"
LC_MESSAGES="fr_FR.UTF-8"
LC_PAPER="fr_FR.UTF-8"
LC_NAME="fr_FR.UTF-8"
LC_ADDRESS="fr_FR.UTF-8"
LC_TELEPHONE="fr_FR.UTF-8"
LC_MEASUREMENT="fr_FR.UTF-8"
LC_IDENTIFICATION="fr_FR.UTF-8"
LC_ALL=

I don't know what else to do, help :mad:
Thanks.

Last edited by weenu (17/04/2007 at 08:17)

#2 On 17/04/2007 at 10:32

YannTech

Re: Does fail2ban do its job under Edgy? :o

you have to switch to en_US and it works fine

Offline
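An added example (not from the thread and not fail2ban's own code), written in Python because fail2ban 0.6 is a Python program and the "time data did not match format" errors above come from its use of strptime. It replays a few constructed auth.log lines through the [SSH] section's failregex and timeregex and the [DEFAULT] maxfailures/findtime values from the posted config, once with a strptime parser that honours LC_TIME (fail2ban's behaviour) and once with a parser that only knows the English month abbreviations syslog always writes. Under fr_FR, "%b" expects "avr.", so "Apr 17 07:42:29" is rejected, the failure is never counted and no ban ever happens, which is how 3500 attempts get past maxfailures = 3. The host name, the addresses (RFC 5737 test ranges) and the year 2007 are constructed; the fr_FR.UTF-8 branch is only exercised if that locale is installed where the example runs.

```python
import locale
import re
from collections import defaultdict
from datetime import datetime

# Values copied from the fail2ban.conf posted in the thread ([DEFAULT] and [SSH]).
MAXFAILURES = 3
FINDTIME = 600
TIMEREGEX = r"\S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}"
TIMEPATTERN = "%b %d %H:%M:%S"  # '%%b %%d %%H:%%M:%%S' once ConfigParser un-escapes the '%'
FAILREGEX = (
    r": (?:(?:Authentication failure|Failed [-/\w+]+) for(?: [iI](?:llegal|nvalid) user)?"
    r"|[Ii](?:llegal|nvalid) user|ROOT LOGIN REFUSED) .*(?: from|FROM) (?:::f{4,6}:)?(?P<host>\S*)"
)

# Constructed sample auth.log lines: hypothetical host 'myhost', RFC 5737 test addresses.
SAMPLE_LOG = """\
Apr 17 07:42:29 myhost sshd[4242]: Failed password for root from 192.0.2.10 port 40001 ssh2
Apr 17 07:42:31 myhost sshd[4243]: Failed password for invalid user admin from 192.0.2.10 port 40002 ssh2
Apr 17 07:42:33 myhost sshd[4244]: Failed password for mail from 192.0.2.10 port 40003 ssh2
Apr 17 07:42:35 myhost sshd[4245]: Accepted publickey for alice from 198.51.100.7 port 50000 ssh2
Apr 17 09:10:00 myhost sshd[4300]: Failed password for root from 198.51.100.7 port 50001 ssh2
"""

# Syslog writes English month abbreviations whatever the system locale is.
MONTHS = {name: number for number, name in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], start=1)}


def parse_stamp_strptime(stamp, year=2007):
    """What fail2ban 0.6 does: strptime honours LC_TIME, so under fr_FR '%b'
    expects 'avr.' and raises ValueError on 'Apr' (the error seen in the thread)."""
    return datetime.strptime(stamp, TIMEPATTERN).replace(year=year)


def parse_stamp_fixed(stamp, year=2007):
    """Locale-independent parse of a syslog timestamp; the year is assumed (2007 here)."""
    m = re.fullmatch(r"(\S{3})\s{1,2}(\d{1,2}) (\d{2}):(\d{2}):(\d{2})", stamp)
    if m is None or m.group(1) not in MONTHS:
        raise ValueError("unrecognised syslog timestamp: %r" % stamp)
    mon, day, hh, mm, ss = m.groups()
    return datetime(year, MONTHS[mon], int(day), int(hh), int(mm), int(ss))


def find_bans(log_text, parse_stamp, maxfailures=MAXFAILURES, findtime=FINDTIME):
    """Replay the log through fail2ban's rule: a host is banned once it has
    maxfailures failures whose timestamps all lie within findtime seconds.
    Returns (banned_hosts, number_of_failure_lines_dropped_as_unparsable)."""
    recent = defaultdict(list)
    banned, dropped = [], 0
    for line in log_text.splitlines():
        fail = re.search(FAILREGEX, line)
        if fail is None:
            continue  # not a failure line (e.g. the accepted publickey login)
        tm = re.match(TIMEREGEX, line)
        try:
            when = parse_stamp(tm.group(0)) if tm else None
        except ValueError:
            when = None
        if when is None:
            dropped += 1  # fail2ban logs the error and forgets the failure entirely
            continue
        host = fail.group("host")
        window = [t for t in recent[host] if (when - t).total_seconds() <= findtime]
        window.append(when)
        recent[host] = window
        if len(window) >= maxfailures and host not in banned:
            banned.append(host)
    return banned, dropped


def run_under_locale(locale_name):
    """Run the strptime-based replay with LC_TIME set to locale_name, then restore
    the previous setting. Returns None if that locale is not installed."""
    saved = locale.setlocale(locale.LC_TIME)
    try:
        locale.setlocale(locale.LC_TIME, locale_name)
    except locale.Error:
        return None
    try:
        return find_bans(SAMPLE_LOG, parse_stamp_strptime)
    finally:
        locale.setlocale(locale.LC_TIME, saved)


if __name__ == "__main__":
    print("C locale, strptime:    ", run_under_locale("C"))
    print("fr_FR locale, strptime:", run_under_locale("fr_FR.UTF-8"))
    print("locale-independent:    ", find_bans(SAMPLE_LOG, parse_stamp_fixed))
```

With the C (or en_US) locale the three failures from 192.0.2.10 fall inside one 600-second window and the host is banned on the third; with fr_FR every failure line is dropped and the ban list stays empty. A `LANG=en_US.utf8` prefix on a manual restart only changes that one process's environment, so whatever later starts fail2ban under the system-wide fr_FR.UTF-8 locale brings the parse errors, and the missing bans, straight back; the locale-independent parser removes the dependency instead of working around it.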

#3 On 17/04/2007 at 12:53

deleted account

Re: Does fail2ban do its job under Edgy? :o

Hi YannTech

I had already done that: LANG=en_US.utf8 sudo /etc/init.d/fail2ban restart
However, for some reason I can't explain, it ended up giving me those errors again. Probably from switching back to fr_FR?