
#1 On 01/09/2015 at 17:53

blesso

Fail2ban no longer banning

Hello everyone,

I use F2B on my server and I'm running into a somewhat annoying problem at the moment.
When an access attempt is detected, f2b does send me an email alerting me with the IP address and everything else, but when I look at iptables, no IP is banned ...
I tried to find the problem but I'm stuck ...

The command "sudo service fail2ban status" returns:

● fail2ban.service - Fail2Ban Service
   Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor preset: enabled)
   Active: active (running) since mar. 2015-09-01 17:32:22 CEST; 12min ago
     Docs: man:fail2ban(1)
  Process: 8327 ExecStop=/usr/bin/fail2ban-client stop (code=exited, status=0/SUCCESS)
  Process: 9044 ExecStart=/usr/bin/fail2ban-client -x start (code=exited, status=0/SUCCESS)
 Main PID: 9071 (fail2ban-server)
   CGroup: /system.slice/fail2ban.service
           └─9071 /usr/bin/python3 /usr/bin/fail2ban-server -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid -x -b

sept. 01 17:32:01 XXXXX.fr systemd[1]: Starting Fail2Ban Service...
sept. 01 17:32:02 XXXXX.fr fail2ban-client[9044]: 2015-09-01 17:32:02,073 fail2ban.server         [9046]: INFO    Starting Fail2ban v0.9.1
sept. 01 17:32:02 XXXXX.fr fail2ban-client[9044]: 2015-09-01 17:32:02,073 fail2ban.server         [9046]: INFO    Starting in daemon mode
sept. 01 17:32:10 XXXXX.fr fail2ban-client[9044]: ERROR  NOK: ("File option must be 'head' or 'tail'",)
sept. 01 17:32:11 XXXXX.fr fail2ban-client[9044]: ERROR  NOK: ("File option must be 'head' or 'tail'",)
sept. 01 17:32:22 XXXXX.fr systemd[1]: Started Fail2Ban Service.

For the command sudo iptables -L:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
f2b-dovecot  tcp  --  anywhere             anywhere             multiport dports pop3,pop3s,imap2,imaps,submission,urd,sieve
f2b-xinetd-fail-tcp  tcp  --  anywhere             anywhere             multiport dports 27030,27031,27032,27033,27034,27035,27036,27037,27038,27039
f2b-pam-generic  tcp  --  anywhere             anywhere            
f2b-mysqld-auth  tcp  --  anywhere             anywhere             multiport dports mysql
f2b-uwimap-auth  tcp  --  anywhere             anywhere             multiport dports imap3,imaps
f2b-postfix-sasl  tcp  --  anywhere             anywhere             multiport dports smtp,urd,submission,imap3,imaps,pop3,pop3s
f2b-courier-auth  tcp  --  anywhere             anywhere             multiport dports smtp,urd,submission,imap3,imaps,pop3,pop3s
f2b-sieve  tcp  --  anywhere             anywhere             multiport dports smtp,urd,submission
f2b-sendmail-reject  tcp  --  anywhere             anywhere             multiport dports smtp,urd,submission
f2b-sendmail-auth  tcp  --  anywhere             anywhere             multiport dports submission,urd,smtp
f2b-postfix  tcp  --  anywhere             anywhere             multiport dports smtp,urd,submission
f2b-courier-smtp  tcp  --  anywhere             anywhere             multiport dports smtp,urd,submission
f2b-gssftpd  tcp  --  anywhere             anywhere             multiport dports ftp,ftp-data,ftps,ftps-data
f2b-webmin-auth  tcp  --  anywhere             anywhere             multiport dports 10321
f2b-horde  tcp  --  anywhere             anywhere             multiport dports http,https
f2b-openwebmail  tcp  --  anywhere             anywhere             multiport dports http,https
f2b-roundcube-auth  tcp  --  anywhere             anywhere             multiport dports http,https
f2b-lighttpd-auth  tcp  --  anywhere             anywhere             multiport dports http,https
f2b-suhosin  tcp  --  anywhere             anywhere             multiport dports http,https
f2b-php-url-fopen  tcp  --  anywhere             anywhere             multiport dports http,https
f2b-nginx-http-auth  tcp  --  anywhere             anywhere             multiport dports 0:65535
f2b-apache-shellshock  tcp  --  anywhere             anywhere             multiport dports http,https
f2b-apache-modsecurity  tcp  --  anywhere             anywhere             multiport dports http,https
f2b-apache-botsearch  tcp  --  anywhere             anywhere             multiport dports http,https
f2b-apache-nohome  tcp  --  anywhere             anywhere             multiport dports http,https
f2b-apache-overflows  tcp  --  anywhere             anywhere             multiport dports http,https
f2b-apache-noscript  tcp  --  anywhere             anywhere             multiport dports http,https
f2b-apache-badbots  tcp  --  anywhere             anywhere             multiport dports http,https
f2b-apache-auth  tcp  --  anywhere             anywhere             multiport dports http,https
f2b-selinux-ssh  tcp  --  anywhere             anywhere             multiport dports ssh
f2b-dropbear  tcp  --  anywhere             anywhere             multiport dports ssh
f2b-sshd-ddos  tcp  --  anywhere             anywhere             multiport dports ssh
f2b-sshd   tcp  --  anywhere             anywhere             multiport dports ssh,3445

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain f2b-apache-auth (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain f2b-apache-badbots (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain f2b-apache-botsearch (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain f2b-apache-modsecurity (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain f2b-apache-nohome (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain f2b-apache-noscript (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain f2b-apache-overflows (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain f2b-apache-shellshock (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain f2b-courier-auth (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain f2b-courier-smtp (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain f2b-dovecot (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain f2b-dropbear (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain f2b-gssftpd (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain f2b-horde (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain f2b-lighttpd-auth (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain f2b-mysqld-auth (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain f2b-nginx-http-auth (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain f2b-openwebmail (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain f2b-pam-generic (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain f2b-php-url-fopen (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain f2b-postfix (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain f2b-postfix-sasl (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain f2b-recidive (0 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain f2b-roundcube-auth (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain f2b-selinux-ssh (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain f2b-sendmail-auth (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain f2b-sendmail-reject (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain f2b-sieve (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain f2b-sshd (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain f2b-sshd-ddos (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain f2b-suhosin (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain f2b-uwimap-auth (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain f2b-webmin-auth (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain f2b-xinetd-fail-tcp (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain f2b-xinetd-fail-tcp-log (0 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere             limit: avg 6/min burst 2 LOG level warning prefix "f2b-xinetd-fail-tcp:DROP "
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain f2b-xinetd-fail-udp (0 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain f2b-xinetd-fail-udp-log (0 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere             limit: avg 6/min burst 2 LOG level warning prefix "f2b-xinetd-fail-udp:DROP "
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

For uname -a:

Linux XXXXX.fr 3.19.0-27-generic #29-Ubuntu SMP Fri Aug 14 21:43:37 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

The installed version is 0.9.1-1.

Thanks again for your help


#2 On 01/09/2015 at 22:19

J5012

Re: Fail2ban no longer banning

#3 On 01/09/2015 at 22:32

blesso

Re: Fail2ban no longer banning

Hi,
Yes, I've been using fail2ban for quite a few years. I've followed the doc many times.
To complete the investigation, I found recurring errors in the f2b log:

...
NOTICE  [recidive] Ban 185.49.14.190
2015-09-01 17:32:32,384 fail2ban.action         [9071]: ERROR   iptables -n -L INPUT | grep -q 'f2b-recidive[ \t]' -- stdout: b''
2015-09-01 17:32:32,390 fail2ban.action         [9071]: ERROR   iptables -n -L INPUT | grep -q 'f2b-recidive[ \t]' -- stderr: b''
2015-09-01 17:32:32,392 fail2ban.action         [9071]: ERROR   iptables -n -L INPUT | grep -q 'f2b-recidive[ \t]' -- returned 1
2015-09-01 17:32:32,398 fail2ban.CommandAction  [9071]: ERROR   Invariant check failed. Trying to restore a sane environment
...
CRITICAL Unable to restore environment
2015-09-01 17:32:34,028 fail2ban.actions        [9071]: ERROR   Failed to execute ban jail 'recidive' action 'iptables-multiport' info 'CallingMap({'time': 1441121546.4391558, 'ipfailures': <function Actions.__checkBan.<locals>.<lambda> at 0x7f6c3071d6a8>, 'ipjailmatches': <function Actions.__checkBan.<locals>.<lambda> at 0x7f6c3071d488>, 'failures': 2, 'ipmatches': <function Actions.__checkBan.<locals>.<lambda> at 0x7f6c3071d378>, 'ip': '185.49.14.190', 'matches': '2015-09-01 16:51:16,529 fail2ban.actions        [9826]: NOTICE  [apache-auth] Ban 185.49.14.190\n2015-09-01 16:54:43,229 fail2ban.actions        [9826]: NOTICE  [apache-auth] Ban 185.49.14.190', 'ipjailfailures': <function Actions.__checkBan.<locals>.<lambda> at 0x7f6c3071d598>})': Error banning 185.49.14.190
2015-09-01 17:32:34,993 fail2ban.actions        [9071]: ERROR   Failed to execute ban jail 'recidive' action 'sendmail-whois-lines' info 'CallingMap({'time': 1441121546.4391558, 'ipfailures': <function Actions.__checkBan.<locals>.<lambda> at 0x7f6c3071d6a8>, 'ipjailmatches': <function Actions.__checkBan.<locals>.<lambda> at 0x7f6c3071d488>, 'failures': 2, 'ipmatches': <function Actions.__checkBan.<locals>.<lambda> at 0x7f6c3071d378>, 'ip': '185.49.14.190', 'matches': '2015-09-01 16:51:16,529 fail2ban.actions        [9826]: NOTICE  [apache-auth] Ban 185.49.14.190\n2015-09-01 16:54:43,229 fail2ban.actions        [9826]: NOTICE  [apache-auth] Ban 185.49.14.190', 'ipjailfailures': <function Actions.__checkBan.<locals>.<lambda> at 0x7f6c3071d598>})': 'NoneType' object is not subscriptable
2015-09-01 17:32:34,993 fail2ban.actions        [9071]: NOTICE  [recidive] Unban 185.49.14.190
...
NOTICE  [apache-auth] Unban 185.49.14.190
2015-09-01 17:37:59,956 fail2ban.action         [9071]: ERROR   iptables -D f2b-apache-auth -s 185.49.14.190 -j REJECT --reject-with icmp-port-unreachable -- stdout: b''
2015-09-01 17:37:59,956 fail2ban.action         [9071]: ERROR   iptables -D f2b-apache-auth -s 185.49.14.190 -j REJECT --reject-with icmp-port-unreachable -- stderr: b'iptables: No chain/target/match by that name.\n'
2015-09-01 17:37:59,956 fail2ban.action         [9071]: ERROR   iptables -D f2b-apache-auth -s 185.49.14.190 -j REJECT --reject-with icmp-port-unreachable -- returned 1
2015-09-01 17:37:59,956 fail2ban.actions        [9071]: ERROR   Failed to execute unban jail 'apache-auth' action 'iptables-multiport' info '{'time': 1441121878.9265513, 'failures': 2, 'matches': '', 'ip': '185.49.14.190'}': Error unbanning 185.49.14.190
2015-09-01 17:38:50,884 fail2ban.transmitter    [9071]: WARNING Command ['set', 'f2b-apache-auth', 'banip', '185.49.14.190'] has failed. Received UnknownJailException('f2b-apache-auth',)
...

If that can help ...
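Added example (not the poster's code and not part of the fail2ban project): a small Python script that reads the kind of fail2ban log and journal lines quoted in this thread and reports, per jail, the ban and unban actions that failed, the f2b-* chains whose INPUT invariant check failed (the `iptables -n -L INPUT | grep -q 'f2b-…[ \t]'` check visible in the log), the jails fail2ban-client refused as unknown, and the NOK configuration errors printed at startup. It assumes only the line formats visible above; the sample input is constructed from those lines, with the long CallingMap dumps shortened to their 'ip' key.

```python
"""Scan fail2ban log/journal lines for bans that never reached iptables."""
import re
import sys

# Constructed sample input: the journal and fail2ban.log lines quoted in the
# thread, with the long CallingMap(...) dumps shortened to their 'ip' key.
# The hostname, jail names and IP address are the thread's own.
SAMPLE_LOG = r"""
sept. 01 17:32:10 XXXXX.fr fail2ban-client[9044]: ERROR  NOK: ("File option must be 'head' or 'tail'",)
sept. 01 17:32:11 XXXXX.fr fail2ban-client[9044]: ERROR  NOK: ("File option must be 'head' or 'tail'",)
2015-09-01 17:32:32,384 fail2ban.action         [9071]: ERROR   iptables -n -L INPUT | grep -q 'f2b-recidive[ \t]' -- stdout: b''
2015-09-01 17:32:32,392 fail2ban.action         [9071]: ERROR   iptables -n -L INPUT | grep -q 'f2b-recidive[ \t]' -- returned 1
2015-09-01 17:32:32,398 fail2ban.CommandAction  [9071]: ERROR   Invariant check failed. Trying to restore a sane environment
2015-09-01 17:32:34,028 fail2ban.actions        [9071]: ERROR   Failed to execute ban jail 'recidive' action 'iptables-multiport' info 'CallingMap({'failures': 2, 'ip': '185.49.14.190'})': Error banning 185.49.14.190
2015-09-01 17:32:34,993 fail2ban.actions        [9071]: ERROR   Failed to execute ban jail 'recidive' action 'sendmail-whois-lines' info 'CallingMap({'failures': 2, 'ip': '185.49.14.190'})': 'NoneType' object is not subscriptable
2015-09-01 17:32:34,993 fail2ban.actions        [9071]: NOTICE  [recidive] Unban 185.49.14.190
2015-09-01 17:37:59,956 fail2ban.action         [9071]: ERROR   iptables -D f2b-apache-auth -s 185.49.14.190 -j REJECT --reject-with icmp-port-unreachable -- stderr: b'iptables: No chain/target/match by that name.\n'
2015-09-01 17:37:59,956 fail2ban.actions        [9071]: ERROR   Failed to execute unban jail 'apache-auth' action 'iptables-multiport' info '{'time': 1441121878.9265513, 'failures': 2, 'matches': '', 'ip': '185.49.14.190'}': Error unbanning 185.49.14.190
2015-09-01 17:38:50,884 fail2ban.transmitter    [9071]: WARNING Command ['set', 'f2b-apache-auth', 'banip', '185.49.14.190'] has failed. Received UnknownJailException('f2b-apache-auth',)
"""

# "2015-09-01 17:32:32,384 fail2ban.action  [9071]: ERROR   <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ (?P<logger>\S+)\s+"
    r"\[(?P<pid>\d+)\]: (?P<level>[A-Z]+)\s+(?P<msg>.*)$"
)
# fail2ban-client answer when a jail configuration is rejected at start
NOK_RE = re.compile(r'NOK: \("(?P<reason>[^"]+)"')
# the action's own check that its chain is hooked into INPUT (exit code != 0 means it is not)
INVARIANT_RE = re.compile(r"grep -q '(?P<chain>f2b-[\w-]+)\[ \\t\]' -- returned (?P<rc>\d+)$")
# iptables refusing a rule because the chain named after the jail does not exist
MISSING_CHAIN_RE = re.compile(r"iptables -[DI] (?P<chain>f2b-[\w-]+) .*No chain/target/match by that name")
FAIL_RE = re.compile(r"Failed to execute (?P<verb>ban|unban) jail '(?P<jail>[^']+)' action '(?P<action>[^']+)'")
UNKNOWN_JAIL_RE = re.compile(r"UnknownJailException\('(?P<jail>[^']+)'")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_line(raw):
    """Split a fail2ban.log line into its fields, or None for other formats."""
    m = LINE_RE.match(raw)
    return m.groupdict() if m else None


def extract_ip(msg):
    """Prefer the 'ip' key of the action info; fall back to the last IPv4 in the line."""
    m = re.search(r"'ip': '([^']+)'", msg)
    if m:
        return m.group(1)
    ips = IP_RE.findall(msg)
    return ips[-1] if ips else None


def analyse(log_text):
    """Collect the failure evidence from a block of log/journal text."""
    result = {"config_errors": [], "missing_chains": [], "invariant_failures": 0,
              "failed_bans": [], "failed_unbans": [], "unknown_jails": []}
    for raw in log_text.splitlines():
        nok = NOK_RE.search(raw)                     # journal lines have no fail2ban.log prefix
        if nok:
            if nok.group("reason") not in result["config_errors"]:
                result["config_errors"].append(nok.group("reason"))
            continue
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        m = INVARIANT_RE.search(msg)
        if m and m.group("rc") != "0":
            if m.group("chain") not in result["missing_chains"]:
                result["missing_chains"].append(m.group("chain"))
            continue
        m = MISSING_CHAIN_RE.search(msg)
        if m:
            if m.group("chain") not in result["missing_chains"]:
                result["missing_chains"].append(m.group("chain"))
            continue
        if "Invariant check failed" in msg:
            result["invariant_failures"] += 1
            continue
        m = FAIL_RE.search(msg)
        if m:
            entry = (m.group("jail"), m.group("action"), extract_ip(msg))
            result["failed_bans" if m.group("verb") == "ban" else "failed_unbans"].append(entry)
            continue
        m = UNKNOWN_JAIL_RE.search(msg)
        if m and m.group("jail") not in result["unknown_jails"]:
            result["unknown_jails"].append(m.group("jail"))
    return result


def report(result):
    """Render the findings as one line each, for a human or a monitoring check."""
    lines = [f"config rejected by fail2ban-client: {r}" for r in result["config_errors"]]
    lines += [f"chain {c} is missing or not hooked into INPUT; its ban rules cannot take effect"
              for c in result["missing_chains"]]
    if result["invariant_failures"]:
        lines.append(f"action invariant check failed {result['invariant_failures']} time(s)")
    lines += [f"ban of {ip} in jail '{j}' via action '{a}' failed" for j, a, ip in result["failed_bans"]]
    lines += [f"unban of {ip} in jail '{j}' via action '{a}' failed" for j, a, ip in result["failed_unbans"]]
    lines += [f"server refused jail '{j}' as unknown" for j in result["unknown_jails"]]
    return lines


if __name__ == "__main__":
    # With a path argument, scan that file (e.g. /var/log/fail2ban.log); otherwise the sample.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    print("\n".join(report(analyse(text))) or "no ban failures found")
```

Run with the path to fail2ban.log to list every ban that was announced (and mailed) but never produced a firewall rule; a non-empty missing_chains list is the condition behind the "Invariant check failed" messages above, since the action first checks that its chain is referenced from INPUT before inserting the ban rule.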