Mengapa fail2ban tidak melarang serangan ini?

10

Saya telah menginstal fail2ban untuk melarang upaya bruteforce pada kata sandi ssh. Ada persyaratan bisnis untuk tidak menonaktifkan otentikasi kata sandi pada mesin ini.

fail2ban diinstal menggunakan buku masak koki yang sama yang secara efektif melarang serangan ssh pada mesin lain. Ada ssh jail yang dikonfigurasi:

# service fail2ban status
fail2ban-server (pid  5480) is running...
WARNING 'pidfile' not defined in 'Definition'. Using default one: '/var/run/fail2ban/fail2ban.pid'
Status
|- Number of jail:  1
`- Jail list:       ssh

Larangan pengguna secara manual berfungsi:

# fail2ban-client set ssh banip 103.41.124.46

Tetapi tampaknya tidak ada yang secara otomatis melarang siapa pun:

# cat /var/log/fail2ban.log
2014-11-20 18:23:47,069 fail2ban.server [67569]: INFO    Exiting Fail2ban
2014-11-20 18:44:59,202 fail2ban.server [5480]: INFO    Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.14
2014-11-20 18:44:59,213 fail2ban.jail   [5480]: INFO    Creating new jail 'ssh'
2014-11-20 18:44:59,214 fail2ban.jail   [5480]: INFO    Jail 'ssh' uses poller
2014-11-20 18:44:59,249 fail2ban.jail   [5480]: INFO    Initiated 'polling' backend
2014-11-20 18:44:59,270 fail2ban.filter [5480]: INFO    Added logfile = /var/log/secure
2014-11-20 18:44:59,271 fail2ban.filter [5480]: INFO    Set maxRetry = 6
2014-11-20 18:44:59,272 fail2ban.filter [5480]: INFO    Set findtime = 600
2014-11-20 18:44:59,272 fail2ban.actions[5480]: INFO    Set banTime = 300
2014-11-20 18:44:59,431 fail2ban.jail   [5480]: INFO    Jail 'ssh' started
2014-11-21 11:09:37,447 fail2ban.actions[5480]: WARNING [ssh] Ban 103.41.124.46
2014-11-21 11:10:32,602 fail2ban.actions[5480]: WARNING [ssh] Ban 122.225.97.75
2014-11-21 11:14:37,899 fail2ban.actions[5480]: WARNING [ssh] Unban 103.41.124.46
2014-11-21 11:15:32,976 fail2ban.actions[5480]: WARNING [ssh] Unban 122.225.97.75
2014-11-21 11:30:06,295 fail2ban.comm   [5480]: WARNING Command ['ban', 'ssh', '189.203.240.89'] has failed. Received Exception('Invalid command',)
2014-11-21 11:30:33,966 fail2ban.actions[5480]: WARNING [ssh] Ban 189.203.240.89
2014-11-21 11:35:34,303 fail2ban.actions[5480]: WARNING [ssh] Unban 189.203.240.89

Misalnya, ini adalah serangan /var/log/messagesyang seharusnya ditangkap dan dilarang:

Nov 21 07:51:32 my_hostname sshd[51074]: Failed password for root from 122.225.109.219 port 1788 ssh2
Nov 21 07:51:34 my_hostname sshd[51072]: Failed password for root from 122.225.109.219 port 58285 ssh2
Nov 21 07:51:35 my_hostname sshd[51076]: Failed password for invalid user admin from 122.225.109.219 port 2221 ssh2
Nov 21 07:51:35 my_hostname sshd[51074]: Failed password for root from 122.225.109.219 port 1788 ssh2
Nov 21 07:51:37 my_hostname sshd[51072]: Failed password for root from 122.225.109.219 port 58285 ssh2
Nov 21 07:51:37 my_hostname sshd[51074]: Failed password for root from 122.225.109.219 port 1788 ssh2
Nov 21 07:51:38 my_hostname sshd[51076]: Failed password for invalid user admin from 122.225.109.219 port 2221 ssh2
Nov 21 07:51:38 my_hostname sshd[51084]: Failed password for root from 122.225.109.219 port 3501 ssh2
Nov 21 07:51:39 my_hostname sshd[51072]: Failed password for root from 122.225.109.219 port 58285 ssh2

Ini juga sedang masuk /var/log/secure:

Nov 25 16:06:40 cluster-122-1413591380-db sshd[75769]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.41  user=root
Nov 25 16:06:46 cluster-122-1413591380-db sshd[75769]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.41  user=root
Nov 25 16:06:48 cluster-122-1413591380-db sshd[75778]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.41  user=root
Nov 25 16:06:55 cluster-122-1413591380-db sshd[75778]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.41  user=root
Nov 25 16:06:57 cluster-122-1413591380-db sshd[75780]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.41  user=root
Nov 25 16:07:03 cluster-122-1413591380-db sshd[75780]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.41  user=root
Nov 25 16:07:05 cluster-122-1413591380-db sshd[75793]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.41  user=root
Nov 25 16:07:12 cluster-122-1413591380-db sshd[75793]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.41  user=root
Nov 25 16:07:13 cluster-122-1413591380-db sshd[75797]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.41  user=root
Nov 25 16:07:21 cluster-122-1413591380-db sshd[75797]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.41  user=root
Nov 25 16:07:22 cluster-122-1413591380-db sshd[75803]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.41  user=root
Nov 25 16:07:28 cluster-122-1413591380-db sshd[75803]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.41  user=root
Nov 25 16:07:29 cluster-122-1413591380-db sshd[75809]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.41  user=root
Nov 25 16:07:36 cluster-122-1413591380-db sshd[75809]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.41  user=root
Nov 25 16:07:38 cluster-122-1413591380-db sshd[75811]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.41  user=root

Ini milik saya jail.local:

# Fail2Ban configuration file.
#
# The configuration here inherits from /etc/fail2ban/jail.conf. Any setting
# omitted here will take it's value from that file
#
# Author: Yaroslav O. Halchenko <snip>
#
#

# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1/8
findtime = 600
bantime  = 300
maxretry = 5

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto".
# yoh: For some reason Debian shipped python-gamin didn't work as expected
#      This issue left ToDo, so polling is default backend for now
backend = polling

#
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = root@localhost

#
# ACTIONS
#

# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define
# action_* variables. Can be overridden globally or per
# section within jail.local file
banaction = iptables-multiport

# email action. Since 0.8.1 upstream fail2ban uses sendmail
# MTA for the mailing. Change mta configuration parameter to mail
# if you want to revert to conventional 'mail'.
mta = sendmail

# Default protocol
protocol = tcp

# Specify chain where jumps would need to be added in iptables-* actions
chain = INPUT

#
# Action shortcuts. To be used to define action parameter

# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]

# ban & send an e-mail with whois report to the destemail.
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
              %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]

# ban & send an e-mail with whois report and relevant log lines
# to the destemail.
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
               %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]

# Choose default action.  To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g.  action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
action = %(action_)s

#
# JAILS
#

# Next jails can inherit from the configuration in /etc/fail2ban/jail.conf.
# Enable any defined in that file jail by including
#
# [SECTION_NAME]
# enabled = true
#
# Optionally you may override any other parameter (e.g. banaction,
# action, port, logpath, etc) in that section within jail.local


[ssh]

enabled = true
port = ssh
filter = sshd
logpath = /var/log/secure
maxretry = 6

[ssh-iptables]

enabled = false

Mengapa fail2ban tidak berfungsi? Bergantian, mengapa tidak melarang penyerang di atas tanpa intervensi manual saya?

ssh security firewall fail2ban Leo
sumber
1
Port yang harus Anda perhatikan selalu 22. Port jarak jauh tidak relevan. Anda seharusnya bertanya, bukan bagaimana mengubah port, tetapi mengapa fail2ban tidak berfungsi.
Michael Hampton
Saya telah memperbarui pertanyaan.
Leo
1
2014-11-21 11:30:06,295 fail2ban.comm [5480]: WARNING Command ['ban', 'ssh', '189.203.240.89'] has failed. Received Exception('Invalid command',)Saatnya untuk melihat apa actionyang sedang Anda jalankan. Sesuatu tidak terjadi di sana.
Michael Hampton
1
Pilihan nama yang bagus untuk daemon ini ya
arielnmz
1
Baik. Di masa depan, jangan pernah menghapus informasi penting seperti itu dari pertanyaan Anda (dan terima kasih atas hasil edit setelahnya)
gparent

Jawaban:

7

Parameter logpathharus ditetapkan ke path untuk file log di mana upaya SSH akan direkam. Jadi jika itu /var/log/messages, maka /var/log/securejelas salah.

Ubah logpathparameter menjadi file yang benar.

gparent
sumber
1
/var/log/secureakan benar untuk sistem yang diturunkan Red Hat.
Michael Hampton
@MichaelHampton serverfault.com/questions/646167/…
user9517
1
/var/log/auth.log pada beberapa sistem juga.
fatal_error
1
Cobalah untuk menggunakan paket distribusi Anda untuk fail2ban atau denyhosts, karena itu akan disesuaikan untuk log autor distro Anda. Anda juga dapat membuat file seperti /etc/rsyslog.d/50-auth-logpath.conf (atau yang setara) untuk mengirim log kegagalan otentikasi ke file log yang dicari oleh fail2ban.
fatal_error
@gparent: Maaf atas tanggapan yang tertunda. Saya enggan menerima jawaban Anda dalam hal ini karena informasinya juga masuk ke / var / log / secure, bukan hanya / var / log / pesan. Saya telah menambahkannya ke pos. Bisakah Anda melihatnya?
Leo
5

Pada RHEL dan CentOS, kesalahan autentikasi pergi ke / var / log / messages atau / var / log secure:

# cat /etc/rsyslog.conf | grep auth
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

Secara default, sshd dikonfigurasi dengan SyslogFacility diatur ke AUTH, yang pergi ke / var / log / messages. Jika Anda mengganti / etc / ssh / sshd_config sebagai berikut, ia akan menuju ke / var / log / secure sebagai gantinya:

SyslogFacility AUTHPRIV

Saya bekerja dengan mesin di cloud SoftLayer, dan konfigurasi gambar dasarnya berubah dari AUTHPRIV ke AUTH sekitar tahun lalu.

Secara default, fail2ban memiliki jail berikut di /etc/fail2ban/jail.local:

[ssh]

enabled = true
port = ssh
filter = sshd
logpath = /var/log/secure
maxretry = 6

Saya sarankan menambahkan penjara kedua ke /etc/fail2ban/jail.local:

[ssh-log-messages]

enabled = true
port = ssh
filter = sshd
logpath = /var/log/messages
maxretry = 6

Setelah itu, restart fail2ban untuk menjalankan jail kedua:

service fail2ban restart

Pendekatan alternatif adalah untuk memperluas regex sshd di /etc/fail2ban/filter.d/sshd.conf. Ada informasi yang cukup di kedua / var / log / secure dan / var / log / pesan untuk melarang IP. Sayangnya, fail2ban tidak dapat mem-parsing semua pesan tanpa menambahkan regex alternatif. Ini dibiarkan sebagai latihan.

Leo
sumber