Di Fail2Ban, Bagaimana Mengubah nomor port SSH?

24

Di server saya, port ssh bukan standar 22. Saya telah menetapkan yang berbeda. Jika saya mensetup fail2ban, apakah ia dapat mendeteksi port itu? Bagaimana saya bisa mengatakannya untuk memeriksa port itu daripada port 22?

Output dari iptables -L -v -n:

 Chain fail2ban-ssh (1 references)
 pkts bytes target     prot opt in     out     source               destination                                                                                         
    0     0 DROP       all  --  *      *       119.235.2.158        0.0.0.0/0                                                                                           
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0                                                                                           

 Chain fail2ban-ssh-ddos (0 references)
 pkts bytes target     prot opt in     out     source               destination

Output dari status iptables layanan:

iptables: unrecognized service

Musim panas dari fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf:

Summary
=======

Addresses found:
[1]
[2]
[3]
    113.59.222.240 (Wed Mar 21 18:24:47 2012)
    113.59.222.240 (Wed Mar 21 18:24:52 2012)
    119.235.14.153 (Wed Mar 21 21:52:53 2012)
    113.59.222.21 (Thu Mar 22 07:50:44 2012)
    176.9.57.203 (Fri Mar 23 19:34:29 2012)
    176.9.57.203 (Fri Mar 23 19:34:42 2012)
    113.59.222.56 (Sat Mar 31 14:23:52 2012)
    113.59.222.56 (Sat Mar 31 14:24:05 2012)
    119.235.14.183 (Mon Apr 02 20:49:13 2012)
    119.235.14.168 (Sat Apr 21 09:58:56 2012)
    119.235.2.158 (Wed Apr 25 13:11:03 2012)
    119.235.2.158 (Wed Apr 25 13:11:40 2012)
    119.235.2.158 (Wed Apr 25 13:11:43 2012)
    119.235.2.158 (Wed Apr 25 13:11:47 2012)
    119.235.2.158 (Wed Apr 25 13:12:49 2012)
    119.235.2.158 (Wed Apr 25 13:12:52 2012)
    119.235.2.158 (Wed Apr 25 13:12:55 2012)
    119.235.2.158 (Wed Apr 25 13:12:58 2012)
    119.235.2.158 (Wed Apr 25 13:13:02 2012)
    119.235.2.158 (Wed Apr 25 13:13:04 2012)
    119.235.2.158 (Wed Apr 25 13:13:25 2012)
    119.235.2.158 (Wed Apr 25 13:19:18 2012)
    119.235.2.158 (Wed Apr 25 13:19:52 2012)
    119.235.2.158 (Wed Apr 25 13:19:55 2012)
    119.235.2.158 (Wed Apr 25 13:19:55 2012)
    119.235.2.158 (Wed Apr 25 13:19:58 2012)
    119.235.2.158 (Wed Apr 25 13:20:02 2012)
    119.235.2.158 (Wed Apr 25 13:20:05 2012)
    119.235.2.158 (Wed Apr 25 13:40:16 2012)
[4]
[5]
    119.235.2.158 (Wed Apr 25 13:11:38 2012)
    119.235.2.158 (Wed Apr 25 13:12:46 2012)
    119.235.2.158 (Wed Apr 25 13:19:49 2012)
[6]
    119.235.2.155 (Wed Mar 21 13:13:30 2012)
    113.59.222.240 (Wed Mar 21 18:24:43 2012)
    119.235.14.153 (Wed Mar 21 21:52:51 2012)
    176.9.57.203 (Fri Mar 23 19:34:26 2012)
    119.235.2.158 (Wed Apr 25 13:19:15 2012)
[7]
[8]
[9]
[10]

Date template hits:
1169837 hit(s): MONTH Day Hour:Minute:Second
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
0 hit(s): Year/Month/Day Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/MONTH/Year:Hour:Minute:Second
0 hit(s): Month/Day/Year:Hour:Minute:Second
0 hit(s): Year-Month-Day Hour:Minute:Second
0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
0 hit(s): Day-Month-Year Hour:Minute:Second
0 hit(s): TAI64N
0 hit(s): Epoch
0 hit(s): ISO 8601
0 hit(s): Hour:Minute:Second
0 hit(s): <Month/Day/Year@Hour:Minute:Second>

Success, the total number of match is 37

However, look at the above section 'Running tests' which could contain important
information.

The jail.conf:

    # Fail2Ban configuration file.
#
# This file was composed for Debian systems from the original one
#  provided now under /usr/share/doc/fail2ban/examples/jail.conf
#  for additional examples.
#
# To avoid merges during upgrades DO NOT MODIFY THIS FILE
# and rather provide your changes in /etc/fail2ban/jail.local
#
# Author: Yaroslav O. Halchenko <[email protected]>
#
# $Revision: 281 $
#

# The DEFAULT allows a global definition of the options. They can be override
# in each jail afterwards.

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1
bantime  = 14400
maxretry = 3

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto".
# yoh: For some reason Debian shipped python-gamin didn't work as expected
#      This issue left ToDo, so polling is default backend for now
backend = polling

#
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = root@localhost

#
# ACTIONS
#

# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define 
# action_* variables. Can be overriden globally or per 
# section within jail.local file
banaction = iptables-multiport

# email action. Since 0.8.1 upstream fail2ban uses sendmail
# MTA for the mailing. Change mta configuration parameter to mail
# if you want to revert to conventional 'mail'.
mta = sendmail

# Default protocol
protocol = tcp

#
# Action shortcuts. To be used to define action parameter

# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s]

# ban & send an e-mail with whois report to the destemail.
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s]
              %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s]

# ban & send an e-mail with whois report and relevant log lines
# to the destemail.
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s]
               %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s]

# Choose default action.  To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g.  action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section 
action = %(action_)s

#
# JAILS
#

# Next jails corresponds to the standard configuration in Fail2ban 0.6 which
# was shipped in Debian. Enable any defined here jail by including
#
# [SECTION_NAME] 
# enabled = true

#
# in /etc/fail2ban/jail.local.
#
# Optionally you may override any other parameter (e.g. banaction,
# action, port, logpath, etc) in that section within jail.local

[ssh]

enabled = true
port    = ssh
filter  = sshd
logpath  = /var/log/auth.log
maxretry = 4

# Generic filter for pam. Has to be used with action which bans all ports
# such as iptables-allports, shorewall
[pam-generic]

enabled = false
# pam-generic filter can be customized to monitor specific subset of 'tty's
filter  = pam-generic
# port actually must be irrelevant but lets leave it all for some possible uses
port = all
banaction = iptables-allports
port     = anyport
logpath  = /var/log/auth.log
maxretry = 6

[xinetd-fail]

enabled   = false
filter    = xinetd-fail
port      = all
banaction = iptables-multiport-log
logpath   = /var/log/daemon.log
maxretry  = 2


[ssh-ddos]

enabled = true
port    = ssh
filter  = sshd-ddos
logpath  = /var/log/auth.log
maxretry = 6

#
# HTTP servers
#

[apache]

enabled = false
port    = http,https
filter  = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 6

# default action is now multiport, so apache-multiport jail was left
# for compatibility with previous (<0.7.6-2) releases
[apache-multiport]

enabled   = false
port      = http,https
filter    = apache-auth
logpath   = /var/log/apache*/*error.log
maxretry  = 6

[apache-noscript]

enabled = false
port    = http,https
filter  = apache-noscript
logpath = /var/log/apache*/*error.log
maxretry = 6

[apache-overflows]

enabled = false
port    = http,https
filter  = apache-overflows
logpath = /var/log/apache*/*error.log
maxretry = 2

 [nginx-auth]
 enabled = true
 filter = nginx-auth
 action = iptables-multiport[name=NoAuthFailures, port="http,https"]
 logpath = /var/log/nginx*/*error*.log
 bantime = 600 # 10 minutes
 maxretry = 6

 [nginx-login]
 enabled = true
 filter = nginx-login
 action = iptables-multiport[name=NoLoginFailures, port="http,https"]
 logpath = /var/log/nginx*/*access*.log
 bantime = 600 # 10 minutes
 maxretry = 6

 [nginx-badbots]
 enabled  = true
 filter = apache-badbots
 action = iptables-multiport[name=BadBots, port="http,https"]
 logpath = /var/log/nginx*/*access*.log
 bantime = 86400 # 1 day
 maxretry = 1

 [nginx-noscript]
 enabled = true
 action = iptables-multiport[name=NoScript, port="http,https"]
 filter = nginx-noscript
 logpath = /var/log/nginx*/*access*.log
 maxretry = 6
 bantime  = 86400 # 1 day

 [nginx-proxy]
 enabled = true
 action = iptables-multiport[name=NoProxy, port="http,https"]
 filter = nginx-proxy
 logpath = /var/log/nginx*/*access*.log
 maxretry = 0
 bantime  = 86400 # 1 day


#
# FTP servers
#

[vsftpd]

enabled  = false
port     = ftp,ftp-data,ftps,ftps-data
filter   = vsftpd
logpath  = /var/log/vsftpd.log
# or overwrite it in jails.local to be
# logpath = /var/log/auth.log
# if you want to rely on PAM failed login attempts
# vsftpd's failregex should match both of those formats
maxretry = 6


[proftpd]

enabled  = false
port     = ftp,ftp-data,ftps,ftps-data
filter   = proftpd
logpath  = /var/log/proftpd/proftpd.log
maxretry = 6


[wuftpd]

enabled  = false
port     = ftp,ftp-data,ftps,ftps-data
filter   = wuftpd
logpath  = /var/log/auth.log
maxretry = 6


#
# Mail servers
#

[postfix]

enabled  = false
port     = smtp,ssmtp
filter   = postfix
logpath  = /var/log/mail.log


[couriersmtp]

enabled  = false
port     = smtp,ssmtp
filter   = couriersmtp
logpath  = /var/log/mail.log


#
# Mail servers authenticators: might be used for smtp,ftp,imap servers, so
# all relevant ports get banned
#

[courierauth]

enabled  = false
port     = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter   = courierlogin
logpath  = /var/log/mail.log


[sasl]

enabled  = false
port     = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter   = sasl
# You might consider monitoring /var/log/warn.log instead
# if you are running postfix. See http://bugs.debian.org/507990
logpath  = /var/log/mail.log


# DNS Servers


# These jails block attacks against named (bind9). By default, logging is off
# with bind9 installation. You will need something like this:
#
# logging {
#     channel security_file {
#         file "/var/log/named/security.log" versions 3 size 30m;
#         severity dynamic;
#         print-time yes;
#     };
#     category security {
#         security_file;
#     };
# };
#
# in your named.conf to provide proper logging

# !!! WARNING !!!
#   Since UDP is connectionless protocol, spoofing of IP and immitation
#   of illegal actions is way too simple.  Thus enabling of this filter
#   might provide an easy way for implementing a DoS against a chosen
#   victim. See
#    http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
#   Please DO NOT USE this jail unless you know what you are doing.
#[named-refused-udp]
#
#enabled  = false
#port     = domain,953
#protocol = udp
#filter   = named-refused
#logpath  = /var/log/named/security.log

[named-refused-tcp]

enabled  = false
port     = domain,953
protocol = tcp
filter   = named-refused
logpath  = /var/log/named/security.log

Saya baru saja melihat kesalahan dalam fail2ban log:

2012-04-25 14: 57: 29.359 fail2ban.actions.action: ERROR iptables -N fail2ban-ssh-ddos

THpubs
sumber
OS? CentOS / Ubuntu / ...? Output untuk/etc/init.d/iptables status
Bart De Vos
@BartDeVos OS Ubuntu 11.04 ... "/etc/init.d/iptables status" = bash: /etc/init.d/iptables: Tidak ada file atau direktori seperti itu ... Catatan: Saya menggunakan APF untuk mengelola iptables!
THpubs
Mungkin ada masalah Anda. Bagaimana dengan menonaktifkan apf, mengatur firewall dasar dengan iptables dan melihat apakah masalahnya masih ada?
Bart De Vos
@ BartDeVos Itulah masalahnya ... Saya dalam sistem VPS ... Saya pikir itu openvz ... Jadi, beberapa firewall seperti UFW tidak akan berfungsi di sini!
THpubs
Bisakah kamu lari ufw enable?
Bart De Vos

Jawaban:

22

Fail2Ban menggunakan file /etc/fail2ban/jail.localdan mencari [ssh]bagian, Anda dapat mengubah port di sana.

[ssh]
enabled  = true
port     = ssh

Anda dapat mengubah portnilai menjadi bilangan bulat positif.

Jika tidak berfungsi dan Anda ingin melihat lebih jauh, lihatlah /etc/fail2ban/jail.conf, harus ada sesuatu seperti:

 logpath = /var/log/auth.log

Itulah yang digunakan fail2ban untuk mendeteksi login palsu.

Jika tidak berfungsi dengan benar, Anda dapat mencoba beberapa hal untuk menunjukkan masalah. Mulailah dengan memeriksa apakah sudah diinstal:

dpkg -l |grep fail   

Periksa apakah layanan berjalan:

/etc/init.d/fail2ban status 

Periksa apakah SSH-jail Anda sudah diatur:

sudo fail2ban-client status  

Periksa file log:

fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf

Periksa tanggal / waktu Anda:

date && tail -2 /var/log/auth.log

(Anda harus mendapatkan tanggal terlebih dahulu, diikuti oleh baris terakhir auth.log. Jika Anda masih tidak dapat menentukan kesalahan, tambahkan file konfigurasi Anda ke posting Anda.

Bart De Vos
sumber
Tampaknya tidak berfungsi ... Tidak memblokir login saya yang gagal!
THpubs
1
Log menunjukkan bahwa IP saya diblokir ... Tapi saya masih bisa masuk!
THpubs
Apa output untuk iptables -L -v -ndan / atauservice iptables status
Bart De Vos
Saya menambahkan output ke pertanyaan ... silakan cek ...
THpubs
8
Jawaban ini menyesatkan. Meskipun, fail2ban tidak peduli dengan port ssh untuk deteksi, ia hanya akan memblokir port standar (mis. Salah) (22) sehingga pengguna jahat masih dapat terus terhubung ke port non standar. Jawaban ini memiliki detail tentang mengubah port yang diblokir.
Robd
35

fail2ban akan mendeteksi upaya login dengan konten log. fail2ban tidak menggunakan port untuk deteksi, hanya untuk memblokir.
Untuk memblokir port yang tepat, Anda harus memberi tahu fail2ban yang mana untuk dapat mengatur iptable dengan benar.
Ke /etc/fail2ban/jail.local:

[ssh]
enabled  = true
port     = ssh   <-- just modify this with your port    port = 1234

Metode lain adalah memblokir semuanya dari host yang menyinggung. Jadi iptable akan menjatuhkan setiap paquets darinya, bukan hanya ssh.
Di awal /etc/fail2ban/jail.local:

banaction = iptables-multiport     <-- regular blocking (one or several ports)
banaction = iptables-allports      <-- block everything

Dengan iptables-allportsAnda tidak perlu repot tentang port. Biarkan saja yang default.

Gregory MOUSSAT
sumber
Hebat ... berfungsi sampai batas tertentu .. Tapi saya baru saja melihat kesalahan pada log fail2ban: "2012-04-25 14: 57: 29.359 fail2ban.actions.action: ERROR iptables -N fail2ban-ssh-ddos" juga itu tidak akan memblokir saya jika saya gagal masuk ... Itu hanya akan memblokir saya jika saya melakukannya dengan sangat cepat. Jika saya menunggu sampai SSH untuk mengatakan kata sandi salah, itu tidak akan memblokir saya!
THpubs
2
Saya khawatir Anda harus membaca dokumen. Fail2ban memiliki parameter untuk menyetel jumlah upaya sebelum diblokir.
Gregory MOUSSAT
7

Singkatnya: jika Anda mengubah nomor port ssh ANDA HARUS MENAMBAHKANNYA DI DALAM jail.localfile!

Sebagai contoh: (Saya menggunakan SSH, SFTP pada port 1234)

di jail.local:

[ssh]

enabled  = true

port     = ssh,sftp,1234

filter   = sshd

logpath  = /var/log/auth.log

maxretry = 6
Iklan Memento
sumber
Terima kasih, bekerja seperti yang diharapkan, hanya perlu memodifikasi logpath ke / var / log / secure
AMB
0

Saya tahu bahwa ini tidak sepenuhnya menjawab pertanyaan, tetapi toh ...

Sebagai cara lain untuk menyelesaikan masalah, Anda dapat mempertimbangkan untuk menjaga port standar dalam konfigurasi server Anda, dan kemudian melakukan NAT di router Anda.

Sebagai contoh, dalam pengaturan saya, saya juga tidak menggunakan port standar untuk ssh dari luar, tetapi konfigurasi server saya standar untuk ssh (dan juga untuk ftp, vpn dll.) Saya hanya membuka port non-standar di router dan minta mereka diteruskan ke port standar.

Cara melakukannya menghemat banyak waktu ketika mengkonfigurasi pengaturan saya.

Vering
sumber
0

Saya tahu ini adalah utas lama tetapi inilah yang muncul di pencarian google untuk subjek ini. Saya tidak melihat ada yang memberikan jawaban yang paling benar (imo) jadi ini dia.

Untuk mengubah Linux bernama definisi port secara global pergi ke /etc/services

ssh             22/tcp
ssh             22/udp

Tidak perlu mengubah apa pun dalam konfigurasi fail2ban atau dalam aplikasi lain apa pun yang menggunakan port bernama Linux.

Fred Flint
sumber