blackdreadhead

Configuring Fail2Ban

Hi,

with growing desperation I am trying to install fail2ban on an openSUSE 12.1 box. The installation worked. The service starts as well. I set iptables to true in jail.local.

So far so good, but the thing refuses to ban anything.

Regards, BdH

Content-ID: 257031

Url: https://administrator.de/contentid/257031

Gersen 08.12.2014 at 12:16:48
Hello,

what does the log file (/var/log/fail2ban.log) say - if necessary with a raised log level (option "loglevel" in the configuration file)? And what does the configuration file actually look like?

Regards,
Gersen
nikoatit 08.12.2014 at 12:21:52
Hi,

Is iptables configured as well?
Without a "base configuration", Fail2Ban is fairly powerless.

Regards
blackdreadhead 08.12.2014 at 13:03:20
2014-12-08 12:57:32,937 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.4
2014-12-08 12:57:32,938 fail2ban.jail : INFO Creating new jail 'ssh-iptables'
2014-12-08 12:57:32,938 fail2ban.jail : INFO Jail 'ssh-iptables' uses poller
2014-12-08 12:57:32,949 fail2ban.filter : INFO Set maxRetry = 5
2014-12-08 12:57:32,950 fail2ban.filter : INFO Set findtime = 600
2014-12-08 12:57:32,951 fail2ban.actions: INFO Set banTime = 600
2014-12-08 12:57:32,983 fail2ban.jail : INFO Creating new jail 'ssh-tcpwrapper'
2014-12-08 12:57:32,984 fail2ban.jail : INFO Jail 'ssh-tcpwrapper' uses poller
2014-12-08 12:57:32,984 fail2ban.filter : INFO Set maxRetry = 5
2014-12-08 12:57:32,985 fail2ban.filter : INFO Set findtime = 600
2014-12-08 12:57:32,986 fail2ban.actions: INFO Set banTime = 600
2014-12-08 12:57:33,001 fail2ban.jail : INFO Creating new jail 'ssh'
2014-12-08 12:57:33,001 fail2ban.jail : INFO Jail 'ssh' uses poller
2014-12-08 12:57:33,002 fail2ban.filter : INFO Set maxRetry = 5
2014-12-08 12:57:33,003 fail2ban.filter : INFO Set findtime = 600
2014-12-08 12:57:33,003 fail2ban.actions: INFO Set banTime = 600
2014-12-08 12:57:33,016 fail2ban.jail : INFO Creating new jail 'apache'
2014-12-08 12:57:33,016 fail2ban.jail : INFO Jail 'apache' uses poller
2014-12-08 12:57:33,017 fail2ban.filter : INFO Set maxRetry = 5
2014-12-08 12:57:33,017 fail2ban.filter : INFO Set findtime = 600
2014-12-08 12:57:33,018 fail2ban.actions: INFO Set banTime = 600
2014-12-08 12:57:33,025 fail2ban.jail : INFO Jail 'ssh-iptables' started
2014-12-08 12:57:33,029 fail2ban.jail : INFO Jail 'ssh-tcpwrapper' started
2014-12-08 12:57:33,034 fail2ban.jail : INFO Jail 'ssh' started
2014-12-08 12:57:33,044 fail2ban.jail : INFO Jail 'apache' started
2014-12-08 12:58:53,164 fail2ban.jail : INFO Jail 'apache' stopped
2014-12-08 12:58:54,189 fail2ban.jail : INFO Jail 'ssh-iptables' stopped
2014-12-08 12:58:55,167 fail2ban.jail : INFO Jail 'ssh' stopped
2014-12-08 12:58:56,186 fail2ban.jail : INFO Jail 'ssh-tcpwrapper' stopped
2014-12-08 12:58:56,189 fail2ban.server : INFO Exiting Fail2ban
2014-12-08 12:58:56,473 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.4
2014-12-08 12:58:56,474 fail2ban.comm : DEBUG Command: ['add', 'ssh-iptables', 'polling']
2014-12-08 12:58:56,474 fail2ban.jail : INFO Creating new jail 'ssh-iptables'
2014-12-08 12:58:56,474 fail2ban.jail : INFO Jail 'ssh-iptables' uses poller
2014-12-08 12:58:56,484 fail2ban.filter : DEBUG Created Filter
2014-12-08 12:58:56,484 fail2ban.filter : DEBUG Created FilterPoll
2014-12-08 12:58:56,485 fail2ban.comm : DEBUG Command: ['set', 'ssh-iptables', 'maxretry', '5']
2014-12-08 12:58:56,485 fail2ban.filter : INFO Set maxRetry = 5
2014-12-08 12:58:56,485 fail2ban.comm : DEBUG Command: ['set', 'ssh-iptables', 'addignoreip', '127.0.0.1']
2014-12-08 12:58:56,485 fail2ban.filter : DEBUG Add 127.0.0.1 to ignore list
2014-12-08 12:58:56,486 fail2ban.comm : DEBUG Command: ['set', 'ssh-iptables', 'findtime', '600']
2014-12-08 12:58:56,486 fail2ban.filter : INFO Set findtime = 600
2014-12-08 12:58:56,486 fail2ban.comm : DEBUG Command: ['set', 'ssh-iptables', 'bantime', '600']
2014-12-08 12:58:56,486 fail2ban.actions: INFO Set banTime = 600
2014-12-08 12:58:56,487 fail2ban.comm : DEBUG Command: ['set', 'ssh-iptables', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?face-sad?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?face-smile?\\s*(?:error: PAM: )?Authentication failure for .* from <HOST>\\s*$']
2014-12-08 12:58:56,489 fail2ban.comm : DEBUG Command: ['set', 'ssh-iptables', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?face-sad?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?face-smile?\\s*(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\\s*$']
2014-12-08 12:58:56,491 fail2ban.comm : DEBUG Command: ['set', 'ssh-iptables', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?face-sad?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?face-smile?\\s*Failed (?:password|publickey) for .* from <HOST>(?: port \\d*)?(?: ssh\\d*)?$']
2014-12-08 12:58:56,494 fail2ban.comm : DEBUG Command: ['set', 'ssh-iptables', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?face-sad?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?face-smile?\\s*ROOT LOGIN REFUSED.* FROM <HOST>\\s*$']
2014-12-08 12:58:56,496 fail2ban.comm : DEBUG Command: ['set', 'ssh-iptables', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?face-sad?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?face-smile?\\s*[iI](?:llegal|nvalid) user .* from <HOST>\\s*$']
2014-12-08 12:58:56,498 fail2ban.comm : DEBUG Command: ['set', 'ssh-iptables', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?face-sad?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?face-smile?\\s*User \\S+ from <HOST> not allowed because not listed in AllowUsers$']
2014-12-08 12:58:56,501 fail2ban.comm : DEBUG Command: ['set', 'ssh-iptables', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?face-sad?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?face-smile?\\s*authentication failure; logname=\\S* uid=\\S* euid=\\S* tty=\\S* ruser=\\S* rhost=<HOST>(?:\\s+user=.*)?\\s*$']
2014-12-08 12:58:56,503 fail2ban.comm : DEBUG Command: ['set', 'ssh-iptables', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?face-sad?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?face-smile?\\s*refused connect from \\S+ \\(<HOST>\\)\\s*$']
2014-12-08 12:58:56,506 fail2ban.comm : DEBUG Command: ['set', 'ssh-iptables', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?face-sad?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?face-smile?\\s*Address <HOST> .* POSSIBLE BREAK-IN ATTEMPT!*\\s*$']
2014-12-08 12:58:56,509 fail2ban.comm : DEBUG Command: ['set', 'ssh-iptables', 'addfailregex', "^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?face-sad?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?face-smile?\\s*User \\S+ from <HOST> not allowed because none of user's groups are listed in AllowGroups$"]
2014-12-08 12:58:56,512 fail2ban.comm : DEBUG Command: ['set', 'ssh-iptables', 'addaction', 'iptables']
2014-12-08 12:58:56,512 fail2ban.actions.action: DEBUG Created Action
2014-12-08 12:58:56,512 fail2ban.comm : DEBUG Command: ['set', 'ssh-iptables', 'actionban', 'iptables', 'iptables -I fail2ban-<name> 1 -s <ip> -j DROP']
2014-12-08 12:58:56,512 fail2ban.actions.action: DEBUG Set actionBan = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
2014-12-08 12:58:56,513 fail2ban.comm : DEBUG Command: ['set', 'ssh-iptables', 'actionstop', 'iptables', 'iptables -D INPUT -p <protocol> --dport <port> -j fail2ban-<name>\niptables -F fail2ban-<name>\niptables -X fail2ban-<name>']
2014-12-08 12:58:56,513 fail2ban.actions.action: DEBUG Set actionStop = iptables -D INPUT -p <protocol> --dport <port> -j fail2ban-<name>
iptables -F fail2ban-<name>
iptables -X fail2ban-<name>
2014-12-08 12:58:56,513 fail2ban.comm : DEBUG Command: ['set', 'ssh-iptables', 'actionstart', 'iptables', 'iptables -N fail2ban-<name>\niptables -A fail2ban-<name> -j RETURN\niptables -I INPUT -p <protocol> --dport <port> -j fail2ban-<name>']
2014-12-08 12:58:56,513 fail2ban.actions.action: DEBUG Set actionStart = iptables -N fail2ban-<name>
iptables -A fail2ban-<name> -j RETURN
iptables -I INPUT -p <protocol> --dport <port> -j fail2ban-<name>
2014-12-08 12:58:56,514 fail2ban.comm : DEBUG Command: ['set', 'ssh-iptables', 'actionunban', 'iptables', 'iptables -D fail2ban-<name> -s <ip> -j DROP']
2014-12-08 12:58:56,514 fail2ban.actions.action: DEBUG Set actionUnban = iptables -D fail2ban-<name> -s <ip> -j DROP
2014-12-08 12:58:56,514 fail2ban.comm : DEBUG Command: ['set', 'ssh-iptables', 'actioncheck', 'iptables', 'iptables -n -L INPUT | grep -q fail2ban-<name>']
2014-12-08 12:58:56,514 fail2ban.actions.action: DEBUG Set actionCheck = iptables -n -L INPUT | grep -q fail2ban-<name>
2014-12-08 12:58:56,515 fail2ban.comm : DEBUG Command: ['set', 'ssh-iptables', 'setcinfo', 'iptables', 'protocol', 'tcp']
2014-12-08 12:58:56,515 fail2ban.comm : DEBUG Command: ['set', 'ssh-iptables', 'setcinfo', 'iptables', 'name', 'SSH']
2014-12-08 12:58:56,516 fail2ban.comm : DEBUG Command: ['set', 'ssh-iptables', 'setcinfo', 'iptables', 'port', 'ssh']
2014-12-08 12:58:56,516 fail2ban.comm : DEBUG Command: ['set', 'ssh-iptables', 'addaction', 'sendmail-whois']
2014-12-08 12:58:56,516 fail2ban.actions.action: DEBUG Created Action
2014-12-08 12:58:56,517 fail2ban.comm : DEBUG Command: ['set', 'ssh-iptables', 'actionban', 'sendmail-whois', 'printf %b "Subject: [Fail2Ban] <name>: banned <ip>\nFrom: Fail2Ban <<sender>>\nTo: <dest>\\n\nHi,\\n\nThe IP <ip> has just been banned by Fail2Ban after\n<failures> attempts against <name>.\\n\\n\nHere are more information about <ip>:\\n\n`/usr/bin/whois <ip>`\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f <sender> <dest>']
2014-12-08 12:58:56,517 fail2ban.actions.action: DEBUG Set actionBan = printf %b "Subject: [Fail2Ban] <name>: banned <ip>
From: Fail2Ban <<sender>>
To: <dest>\n
Hi,\n
The IP <ip> has just been banned by Fail2Ban after
<failures> attempts against <name>.\n\n
Here are more information about <ip>:\n
`/usr/bin/whois <ip>`\n
Regards,\n
Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
2014-12-08 12:58:56,517 fail2ban.comm : DEBUG Command: ['set', 'ssh-iptables', 'actionstop', 'sendmail-whois', 'printf %b "Subject: [Fail2Ban] <name>: stopped\nFrom: Fail2Ban <<sender>>\nTo: <dest>\\n\nHi,\\n\nThe jail <name> has been stopped.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f <sender> <dest>']
2014-12-08 12:58:56,517 fail2ban.actions.action: DEBUG Set actionStop = printf %b "Subject: [Fail2Ban] <name>: stopped
From: Fail2Ban <<sender>>
To: <dest>\n
Hi,\n
The jail <name> has been stopped.\n
Regards,\n
Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
2014-12-08 12:58:56,518 fail2ban.comm : DEBUG Command: ['set', 'ssh-iptables', 'actionstart', 'sendmail-whois', 'printf %b "Subject: [Fail2Ban] <name>: started\nFrom: Fail2Ban <<sender>>\nTo: <dest>\\n\nHi,\\n\nThe jail <name> has been started successfully.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f <sender> <dest>']
2014-12-08 12:58:56,518 fail2ban.actions.action: DEBUG Set actionStart = printf %b "Subject: [Fail2Ban] <name>: started
From: Fail2Ban <<sender>>
To: <dest>\n
Hi,\n
The jail <name> has been started successfully.\n
Regards,\n
Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
2014-12-08 12:58:56,518 fail2ban.comm : DEBUG Command: ['set', 'ssh-iptables', 'actionunban', 'sendmail-whois', '']
2014-12-08 12:58:56,518 fail2ban.actions.action: DEBUG Set actionUnban =
2014-12-08 12:58:56,519 fail2ban.comm : DEBUG Command: ['set', 'ssh-iptables', 'actioncheck', 'sendmail-whois', '']
2014-12-08 12:58:56,519 fail2ban.actions.action: DEBUG Set actionCheck =
2014-12-08 12:58:56,519 fail2ban.comm : DEBUG Command: ['set', 'ssh-iptables', 'setcinfo', 'sendmail-whois', 'dest', '<meineadresse>']
2014-12-08 12:58:56,520 fail2ban.comm : DEBUG Command: ['set', 'ssh-iptables', 'setcinfo', 'sendmail-whois', 'name', 'SSH']
2014-12-08 12:58:56,520 fail2ban.comm : DEBUG Command: ['set', 'ssh-iptables', 'setcinfo', 'sendmail-whois', 'sender', 'fail2ban@mail.com']
2014-12-08 12:58:56,521 fail2ban.comm : DEBUG Command: ['add', 'ssh-tcpwrapper', 'polling']
2014-12-08 12:58:56,521 fail2ban.jail : INFO Creating new jail 'ssh-tcpwrapper'
2014-12-08 12:58:56,521 fail2ban.jail : INFO Jail 'ssh-tcpwrapper' uses poller
2014-12-08 12:58:56,521 fail2ban.filter : DEBUG Created Filter
2014-12-08 12:58:56,521 fail2ban.filter : DEBUG Created FilterPoll
2014-12-08 12:58:56,522 fail2ban.comm : DEBUG Command: ['set', 'ssh-tcpwrapper', 'maxretry', '5']
2014-12-08 12:58:56,522 fail2ban.filter : INFO Set maxRetry = 5
2014-12-08 12:58:56,522 fail2ban.comm : DEBUG Command: ['set', 'ssh-tcpwrapper', 'addignoreip', '127.0.0.1']
2014-12-08 12:58:56,522 fail2ban.filter : DEBUG Add 127.0.0.1 to ignore list
2014-12-08 12:58:56,523 fail2ban.comm : DEBUG Command: ['set', 'ssh-tcpwrapper', 'addignoreregex', 'for myuser from']
2014-12-08 12:58:56,523 fail2ban.comm : DEBUG Command: ['set', 'ssh-tcpwrapper', 'findtime', '600']
2014-12-08 12:58:56,523 fail2ban.filter : INFO Set findtime = 600
2014-12-08 12:58:56,524 fail2ban.comm : DEBUG Command: ['set', 'ssh-tcpwrapper', 'bantime', '600']
2014-12-08 12:58:56,524 fail2ban.actions: INFO Set banTime = 600
2014-12-08 12:58:56,524 fail2ban.comm : DEBUG Command: ['set', 'ssh-tcpwrapper', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?face-sad?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?face-smile?\\s*(?:error: PAM: )?Authentication failure for .* from <HOST>\\s*$']
2014-12-08 12:58:56,525 fail2ban.comm : DEBUG Command: ['set', 'ssh-tcpwrapper', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?face-sad?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?face-smile?\\s*(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\\s*$']
2014-12-08 12:58:56,525 fail2ban.comm : DEBUG Command: ['set', 'ssh-tcpwrapper', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?face-sad?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?face-smile?\\s*Failed (?:password|publickey) for .* from <HOST>(?: port \\d*)?(?: ssh\\d*)?$']
2014-12-08 12:58:56,526 fail2ban.comm : DEBUG Command: ['set', 'ssh-tcpwrapper', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?face-sad?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?face-smile?\\s*ROOT LOGIN REFUSED.* FROM <HOST>\\s*$']
2014-12-08 12:58:56,527 fail2ban.comm : DEBUG Command: ['set', 'ssh-tcpwrapper', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?face-sad?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?face-smile?\\s*[iI](?:llegal|nvalid) user .* from <HOST>\\s*$']
2014-12-08 12:58:56,528 fail2ban.comm : DEBUG Command: ['set', 'ssh-tcpwrapper', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?face-sad?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?face-smile?\\s*User \\S+ from <HOST> not allowed because not listed in AllowUsers$']
2014-12-08 12:58:56,529 fail2ban.comm : DEBUG Command: ['set', 'ssh-tcpwrapper', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?face-sad?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?face-smile?\\s*authentication failure; logname=\\S* uid=\\S* euid=\\S* tty=\\S* ruser=\\S* rhost=<HOST>(?:\\s+user=.*)?\\s*$']
2014-12-08 12:58:56,530 fail2ban.comm : DEBUG Command: ['set', 'ssh-tcpwrapper', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?face-sad?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?face-smile?\\s*refused connect from \\S+ \\(<HOST>\\)\\s*$']
2014-12-08 12:58:56,531 fail2ban.comm : DEBUG Command: ['set', 'ssh-tcpwrapper', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?face-sad?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?face-smile?\\s*Address <HOST> .* POSSIBLE BREAK-IN ATTEMPT!*\\s*$']
2014-12-08 12:58:56,533 fail2ban.comm : DEBUG Command: ['set', 'ssh-tcpwrapper', 'addfailregex', "^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?face-sad?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?face-smile?\\s*User \\S+ from <HOST> not allowed because none of user's groups are listed in AllowGroups$"]
2014-12-08 12:58:56,534 fail2ban.comm : DEBUG Command: ['set', 'ssh-tcpwrapper', 'addaction', 'hostsdeny']
2014-12-08 12:58:56,534 fail2ban.actions.action: DEBUG Created Action
2014-12-08 12:58:56,534 fail2ban.comm : DEBUG Command: ['set', 'ssh-tcpwrapper', 'actionban', 'hostsdeny', 'IP=<ip> &&\nprintf %b "ALL: $IP\\n" >> <file>']
2014-12-08 12:58:56,535 fail2ban.actions.action: DEBUG Set actionBan = IP=<ip> &&
printf %b "ALL: $IP\n" >> <file>
2014-12-08 12:58:56,535 fail2ban.comm : DEBUG Command: ['set', 'ssh-tcpwrapper', 'actionstop', 'hostsdeny', '']
2014-12-08 12:58:56,535 fail2ban.actions.action: DEBUG Set actionStop =
2014-12-08 12:58:56,536 fail2ban.comm : DEBUG Command: ['set', 'ssh-tcpwrapper', 'actionstart', 'hostsdeny', '']
2014-12-08 12:58:56,536 fail2ban.actions.action: DEBUG Set actionStart =
2014-12-08 12:58:56,536 fail2ban.comm : DEBUG Command: ['set', 'ssh-tcpwrapper', 'actionunban', 'hostsdeny', 'IP=<ip> && sed -i.old /ALL:\\ $IP/d <file>']
2014-12-08 12:58:56,536 fail2ban.actions.action: DEBUG Set actionUnban = IP=<ip> && sed -i.old /ALL:\ $IP/d <file>
2014-12-08 12:58:56,537 fail2ban.comm : DEBUG Command: ['set', 'ssh-tcpwrapper', 'actioncheck', 'hostsdeny', '']
2014-12-08 12:58:56,537 fail2ban.actions.action: DEBUG Set actionCheck =
2014-12-08 12:58:56,537 fail2ban.comm : DEBUG Command: ['set', 'ssh-tcpwrapper', 'setcinfo', 'hostsdeny', 'file', '/etc/hosts.deny']
2014-12-08 12:58:56,538 fail2ban.comm : DEBUG Command: ['set', 'ssh-tcpwrapper', 'addaction', 'sendmail-whois']
2014-12-08 12:58:56,538 fail2ban.actions.action: DEBUG Created Action
2014-12-08 12:58:56,538 fail2ban.comm : DEBUG Command: ['set', 'ssh-tcpwrapper', 'actionban', 'sendmail-whois', 'printf %b "Subject: [Fail2Ban] <name>: banned <ip>\nFrom: Fail2Ban <<sender>>\nTo: <dest>\\n\nHi,\\n\nThe IP <ip> has just been banned by Fail2Ban after\n<failures> attempts against <name>.\\n\\n\nHere are more information about <ip>:\\n\n`/usr/bin/whois <ip>`\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f <sender> <dest>']
2014-12-08 12:58:56,538 fail2ban.actions.action: DEBUG Set actionBan = printf %b "Subject: [Fail2Ban] <name>: banned <ip>
From: Fail2Ban <<sender>>
To: <dest>\n
Hi,\n
The IP <ip> has just been banned by Fail2Ban after
<failures> attempts against <name>.\n\n
Here are more information about <ip>:\n
`/usr/bin/whois <ip>`\n
Regards,\n
Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
2014-12-08 12:58:56,539 fail2ban.comm : DEBUG Command: ['set', 'ssh-tcpwrapper', 'actionstop', 'sendmail-whois', 'printf %b "Subject: [Fail2Ban] <name>: stopped\nFrom: Fail2Ban <<sender>>\nTo: <dest>\\n\nHi,\\n\nThe jail <name> has been stopped.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f <sender> <dest>']
2014-12-08 12:58:56,539 fail2ban.actions.action: DEBUG Set actionStop = printf %b "Subject: [Fail2Ban] <name>: stopped
From: Fail2Ban <<sender>>
To: <dest>\n
Hi,\n
The jail <name> has been stopped.\n
Regards,\n
Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
2014-12-08 12:58:56,539 fail2ban.comm : DEBUG Command: ['set', 'ssh-tcpwrapper', 'actionstart', 'sendmail-whois', 'printf %b "Subject: [Fail2Ban] <name>: started\nFrom: Fail2Ban <<sender>>\nTo: <dest>\\n\nHi,\\n\nThe jail <name> has been started successfully.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f <sender> <dest>']
2014-12-08 12:58:56,539 fail2ban.actions.action: DEBUG Set actionStart = printf %b "Subject: [Fail2Ban] <name>: started
From: Fail2Ban <<sender>>
To: <dest>\n
Hi,\n
The jail <name> has been started successfully.\n
Regards,\n
Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
2014-12-08 12:58:56,540 fail2ban.comm : DEBUG Command: ['set', 'ssh-tcpwrapper', 'actionunban', 'sendmail-whois', '']
2014-12-08 12:58:56,540 fail2ban.actions.action: DEBUG Set actionUnban =
2014-12-08 12:58:56,540 fail2ban.comm : DEBUG Command: ['set', 'ssh-tcpwrapper', 'actioncheck', 'sendmail-whois', '']
2014-12-08 12:58:56,540 fail2ban.actions.action: DEBUG Set actionCheck =
2014-12-08 12:58:56,541 fail2ban.comm : DEBUG Command: ['set', 'ssh-tcpwrapper', 'setcinfo', 'sendmail-whois', 'dest', '<meineadresse>']
2014-12-08 12:58:56,541 fail2ban.comm : DEBUG Command: ['set', 'ssh-tcpwrapper', 'setcinfo', 'sendmail-whois', 'name', 'SSH']
2014-12-08 12:58:56,542 fail2ban.comm : DEBUG Command: ['set', 'ssh-tcpwrapper', 'setcinfo', 'sendmail-whois', 'sender', 'fail2ban']
2014-12-08 12:58:56,542 fail2ban.comm : DEBUG Command: ['add', 'ssh', 'polling']
2014-12-08 12:58:56,542 fail2ban.jail : INFO Creating new jail 'ssh'
2014-12-08 12:58:56,542 fail2ban.jail : INFO Jail 'ssh' uses poller
2014-12-08 12:58:56,542 fail2ban.filter : DEBUG Created Filter
2014-12-08 12:58:56,543 fail2ban.filter : DEBUG Created FilterPoll
2014-12-08 12:58:56,543 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'maxretry', '5']
2014-12-08 12:58:56,543 fail2ban.filter : INFO Set maxRetry = 5
2014-12-08 12:58:56,543 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'addignoreip', '127.0.0.1']
2014-12-08 12:58:56,543 fail2ban.filter : DEBUG Add 127.0.0.1 to ignore list
2014-12-08 12:58:56,544 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'findtime', '600']
2014-12-08 12:58:56,544 fail2ban.filter : INFO Set findtime = 600
2014-12-08 12:58:56,544 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'bantime', '600']
2014-12-08 12:58:56,545 fail2ban.actions: INFO Set banTime = 600
2014-12-08 12:58:56,545 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?face-sad?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?face-smile?\\s*(?:error: PAM: )?Authentication failure for .* from <HOST>\\s*$']
2014-12-08 12:58:56,545 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?face-sad?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?face-smile?\\s*(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\\s*$']
2014-12-08 12:58:56,546 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?face-sad?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?face-smile?\\s*Failed (?:password|publickey) for .* from <HOST>(?: port \\d*)?(?: ssh\\d*)?$']
2014-12-08 12:58:56,547 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?face-sad?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?face-smile?\\s*ROOT LOGIN REFUSED.* FROM <HOST>\\s*$']
2014-12-08 12:58:56,548 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?face-sad?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?face-smile?\\s*[iI](?:llegal|nvalid) user .* from <HOST>\\s*$']
2014-12-08 12:58:56,548 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?face-sad?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?face-smile?\\s*User \\S+ from <HOST> not allowed because not listed in AllowUsers$']
2014-12-08 12:58:56,549 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?face-sad?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?face-smile?\\s*authentication failure; logname=\\S* uid=\\S* euid=\\S* tty=\\S* ruser=\\S* rhost=<HOST>(?:\\s+user=.*)?\\s*$']
2014-12-08 12:58:56,551 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?face-sad?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?face-smile?\\s*refused connect from \\S+ \\(<HOST>\\)\\s*$']
2014-12-08 12:58:56,552 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?face-sad?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?face-smile?\\s*Address <HOST> .* POSSIBLE BREAK-IN ATTEMPT!*\\s*$']
2014-12-08 12:58:56,553 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'addfailregex', "^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?face-sad?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?face-smile?\\s*User \\S+ from <HOST> not allowed because none of user's groups are listed in AllowGroups$"]
2014-12-08 12:58:56,554 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'addaction', 'iptables']
2014-12-08 12:58:56,554 fail2ban.actions.action: DEBUG Created Action
2014-12-08 12:58:56,555 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'actionban', 'iptables', 'iptables -I fail2ban-<name> 1 -s <ip> -j DROP']
2014-12-08 12:58:56,555 fail2ban.actions.action: DEBUG Set actionBan = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
2014-12-08 12:58:56,555 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'actionstop', 'iptables', 'iptables -D INPUT -p <protocol> --dport <port> -j fail2ban-<name>\niptables -F fail2ban-<name>\niptables -X fail2ban-<name>']
2014-12-08 12:58:56,555 fail2ban.actions.action: DEBUG Set actionStop = iptables -D INPUT -p <protocol> --dport <port> -j fail2ban-<name>
iptables -F fail2ban-<name>
iptables -X fail2ban-<name>
2014-12-08 12:58:56,556 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'actionstart', 'iptables', 'iptables -N fail2ban-<name>\niptables -A fail2ban-<name> -j RETURN\niptables -I INPUT -p <protocol> --dport <port> -j fail2ban-<name>']
2014-12-08 12:58:56,556 fail2ban.actions.action: DEBUG Set actionStart = iptables -N fail2ban-<name>
iptables -A fail2ban-<name> -j RETURN
iptables -I INPUT -p <protocol> --dport <port> -j fail2ban-<name>
2014-12-08 12:58:56,556 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'actionunban', 'iptables', 'iptables -D fail2ban-<name> -s <ip> -j DROP']
2014-12-08 12:58:56,556 fail2ban.actions.action: DEBUG Set actionUnban = iptables -D fail2ban-<name> -s <ip> -j DROP
2014-12-08 12:58:56,557 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'actioncheck', 'iptables', 'iptables -n -L INPUT | grep -q fail2ban-<name>']
2014-12-08 12:58:56,557 fail2ban.actions.action: DEBUG Set actionCheck = iptables -n -L INPUT | grep -q fail2ban-<name>
2014-12-08 12:58:56,557 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'setcinfo', 'iptables', 'protocol', 'tcp']
2014-12-08 12:58:56,558 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'setcinfo', 'iptables', 'name', 'ssh']
2014-12-08 12:58:56,558 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'setcinfo', 'iptables', 'port', 'ssh']
2014-12-08 12:58:56,559 fail2ban.comm : DEBUG Command: ['add', 'apache', 'polling']
2014-12-08 12:58:56,559 fail2ban.jail : INFO Creating new jail 'apache'
2014-12-08 12:58:56,559 fail2ban.jail : INFO Jail 'apache' uses poller
2014-12-08 12:58:56,559 fail2ban.filter : DEBUG Created Filter
2014-12-08 12:58:56,559 fail2ban.filter : DEBUG Created FilterPoll
2014-12-08 12:58:56,560 fail2ban.comm : DEBUG Command: ['set', 'apache', 'maxretry', '5']
2014-12-08 12:58:56,560 fail2ban.filter : INFO Set maxRetry = 5
2014-12-08 12:58:56,560 fail2ban.comm : DEBUG Command: ['set', 'apache', 'addignoreip', '127.0.0.1']
2014-12-08 12:58:56,560 fail2ban.filter : DEBUG Add 127.0.0.1 to ignore list
2014-12-08 12:58:56,561 fail2ban.comm : DEBUG Command: ['set', 'apache', 'findtime', '600']
2014-12-08 12:58:56,561 fail2ban.filter : INFO Set findtime = 600
2014-12-08 12:58:56,561 fail2ban.comm : DEBUG Command: ['set', 'apache', 'bantime', '600']
2014-12-08 12:58:56,561 fail2ban.actions: INFO Set banTime = 600
2014-12-08 12:58:56,562 fail2ban.comm : DEBUG Command: ['set', 'apache', 'addfailregex', '[[]client <HOST>] user .* authentication failure']
2014-12-08 12:58:56,562 fail2ban.comm : DEBUG Command: ['set', 'apache', 'addfailregex', '[[]client <HOST>] user .* not found']
2014-12-08 12:58:56,563 fail2ban.comm : DEBUG Command: ['set', 'apache', 'addfailregex', '[[]client <HOST>] user .* password mismatch']
2014-12-08 12:58:56,564 fail2ban.comm : DEBUG Command: ['set', 'apache', 'addaction', 'iptables']
2014-12-08 12:58:56,564 fail2ban.actions.action: DEBUG Created Action
2014-12-08 12:58:56,565 fail2ban.comm : DEBUG Command: ['set', 'apache', 'actionban', 'iptables', 'iptables -I fail2ban-<name> 1 -s <ip> -j DROP']
2014-12-08 12:58:56,565 fail2ban.actions.action: DEBUG Set actionBan = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
2014-12-08 12:58:56,565 fail2ban.comm : DEBUG Command: ['set', 'apache', 'actionstop', 'iptables', 'iptables -D INPUT -p <protocol> --dport <port> -j fail2ban-<name>\niptables -F fail2ban-<name>\niptables -X fail2ban-<name>']
2014-12-08 12:58:56,565 fail2ban.actions.action: DEBUG Set actionStop = iptables -D INPUT -p <protocol> --dport <port> -j fail2ban-<name>
iptables -F fail2ban-<name>
iptables -X fail2ban-<name>
2014-12-08 12:58:56,566 fail2ban.comm : DEBUG Command: ['set', 'apache', 'actionstart', 'iptables', 'iptables -N fail2ban-<name>\niptables -A fail2ban-<name> -j RETURN\niptables -I INPUT -p <protocol> --dport <port> -j fail2ban-<name>']
2014-12-08 12:58:56,566 fail2ban.actions.action: DEBUG Set actionStart = iptables -N fail2ban-<name>
iptables -A fail2ban-<name> -j RETURN
iptables -I INPUT -p <protocol> --dport <port> -j fail2ban-<name>
2014-12-08 12:58:56,566 fail2ban.comm : DEBUG Command: ['set', 'apache', 'actionunban', 'iptables', 'iptables -D fail2ban-<name> -s <ip> -j DROP']
2014-12-08 12:58:56,566 fail2ban.actions.action: DEBUG Set actionUnban = iptables -D fail2ban-<name> -s <ip> -j DROP
2014-12-08 12:58:56,567 fail2ban.comm : DEBUG Command: ['set', 'apache', 'actioncheck', 'iptables', 'iptables -n -L INPUT | grep -q fail2ban-<name>']
2014-12-08 12:58:56,567 fail2ban.actions.action: DEBUG Set actionCheck = iptables -n -L INPUT | grep -q fail2ban-<name>
2014-12-08 12:58:56,567 fail2ban.comm : DEBUG Command: ['set', 'apache', 'setcinfo', 'iptables', 'protocol', 'tcp']
2014-12-08 12:58:56,568 fail2ban.comm : DEBUG Command: ['set', 'apache', 'setcinfo', 'iptables', 'name', 'apache']
2014-12-08 12:58:56,568 fail2ban.comm : DEBUG Command: ['set', 'apache', 'setcinfo', 'iptables', 'port', 'http']
2014-12-08 12:58:56,569 fail2ban.comm : DEBUG Command: ['start', 'ssh-iptables']
2014-12-08 12:58:56,569 fail2ban.jail : INFO Jail 'ssh-iptables' started
2014-12-08 12:58:56,569 fail2ban.comm : DEBUG Command: ['start', 'ssh-tcpwrapper']
2014-12-08 12:58:56,570 fail2ban.actions.action: DEBUG iptables -N fail2ban-SSH
iptables -A fail2ban-SSH -j RETURN
iptables -I INPUT -p tcp --dport ssh -j fail2ban-SSH
2014-12-08 12:58:56,573 fail2ban.jail : INFO Jail 'ssh-tcpwrapper' started
2014-12-08 12:58:56,573 fail2ban.comm : DEBUG Command: ['start', 'ssh']
2014-12-08 12:58:56,573 fail2ban.actions.action: DEBUG
2014-12-08 12:58:56,578 fail2ban.jail : INFO Jail 'ssh' started
2014-12-08 12:58:56,579 fail2ban.comm : DEBUG Command: ['start', 'apache']
2014-12-08 12:58:56,579 fail2ban.actions.action: DEBUG iptables -N fail2ban-ssh
iptables -A fail2ban-ssh -j RETURN
iptables -I INPUT -p tcp --dport ssh -j fail2ban-ssh
2014-12-08 12:58:56,582 fail2ban.actions.action: DEBUG returned successfully
2014-12-08 12:58:56,582 fail2ban.actions.action: DEBUG printf %b "Subject: [Fail2Ban] SSH: started
From: Fail2Ban <fail2ban>
To: <meineadresse>\n
Hi,\n
The jail SSH has been started successfully.\n
Regards,\n
Fail2Ban" | /usr/sbin/sendmail -f fail2ban <meineadresse>
2014-12-08 12:58:56,586 fail2ban.jail : INFO Jail 'apache' started
2014-12-08 12:58:56,590 fail2ban.actions.action: DEBUG iptables -N fail2ban-apache
iptables -A fail2ban-apache -j RETURN
iptables -I INPUT -p tcp --dport http -j fail2ban-apache
2014-12-08 12:58:56,594 fail2ban.actions.action: DEBUG iptables -N fail2ban-SSH
iptables -A fail2ban-SSH -j RETURN
iptables -I INPUT -p tcp --dport ssh -j fail2ban-SSH returned successfully
2014-12-08 12:58:56,595 fail2ban.actions.action: DEBUG printf %b "Subject: [Fail2Ban] SSH: started
From: Fail2Ban <fail2ban@mail.com>
To: <meineadresse>\n
Hi,\n
The jail SSH has been started successfully.\n
Regards,\n
Fail2Ban" | /usr/sbin/sendmail -f fail2ban@mail.com <meineadresse>
2014-12-08 12:58:56,617 fail2ban.actions.action: DEBUG iptables -N fail2ban-ssh
iptables -A fail2ban-ssh -j RETURN
iptables -I INPUT -p tcp --dport ssh -j fail2ban-ssh returned successfully
2014-12-08 12:58:56,624 fail2ban.actions.action: DEBUG iptables -N fail2ban-apache
iptables -A fail2ban-apache -j RETURN
iptables -I INPUT -p tcp --dport http -j fail2ban-apache returned successfully
2014-12-08 12:58:56,633 fail2ban.actions.action: DEBUG printf %b "Subject: [Fail2Ban] SSH: started
From: Fail2Ban <fail2ban>
To: <meineadresse>\n
Hi,\n
The jail SSH has been started successfully.\n
Regards,\n
Fail2Ban" | /usr/sbin/sendmail -f fail2ban <meineadresse> returned successfully
2014-12-08 12:58:56,635 fail2ban.actions.action: DEBUG printf %b "Subject: [Fail2Ban] SSH: started
From: Fail2Ban <fail2ban@mail.com>
To: <meineadresse>\n
Hi,\n
The jail SSH has been started successfully.\n
Regards,\n
Fail2Ban" | /usr/sbin/sendmail -f fail2ban@mail.com <meineadresse> returned successfully
"

Looks pretty much OK, doesn't it?
blackdreadhead 08.12.2014 at 13:04:06
Hmpf. No.

What should go in there?
Gersen 08.12.2014 at 13:28:21
Post the configuration (/etc/fail2ban/jail.conf, I think). You could also compare its contents against this example. Which services do you actually want to protect with f2b?
blackdreadhead 08.12.2014 at 13:37:05
Hi,

Actually only SSH. Unfortunately I can't sell my boss on a public-key scheme. I did change the default port, but that didn't help completely...


# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 611 $
#

# The DEFAULT allows a global definition of the options. They can be override
# in each jail afterwards.

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1

# "bantime" is the number of seconds that a host is banned.
bantime  = 3600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600

# "maxretry" is the number of failures before a host get banned.
maxretry = 5

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto". This option can be overridden in
# each jail too (use "gamin" for a jail and "polling" for another).
#
# gamin:   requires Gamin (a file alteration monitor) to be installed. If Gamin
#          is not installed, Fail2ban will use polling.
# polling: uses a polling algorithm which does not require external libraries.
# auto:    will choose Gamin if available and polling otherwise.
backend = auto


# This jail corresponds to the standard configuration in Fail2ban 0.6.
# The mail-whois action send a notification e-mail with a whois request
# in the body.

[ssh-iptables]

enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=<meineAdresse>, sender=fail2ban@mail.com]
logpath  = /var/log/messages
maxretry = 5

[proftpd-iptables]

enabled  = false
filter   = proftpd
action   = iptables[name=ProFTPD, port=ftp, protocol=tcp]
           sendmail-whois[name=ProFTPD, dest=you@mail.com]
logpath  = /var/log/messages
maxretry = 6

# This jail forces the backend to "polling".

[sasl-iptables]

enabled  = false
filter   = sasl
backend  = polling
action   = iptables[name=sasl, port=smtp, protocol=tcp]
           sendmail-whois[name=sasl, dest=you@mail.com]
logpath  = /var/log/mail

# Here we use TCP-Wrappers instead of Netfilter/Iptables. "ignoreregex" is
# used to avoid banning the user "myuser".

[ssh-tcpwrapper]

enabled     = false
filter      = sshd
action      = hostsdeny
              sendmail-whois[name=SSH, dest=you@mail.com]
ignoreregex = for myuser from
logpath     = /var/log/messages

# This jail demonstrates the use of wildcards in "logpath".
# Moreover, it is possible to give other files on a new line.

[apache-tcpwrapper]

enabled  = false
filter   = apache-auth
action   = hostsdeny
logpath  = /var/log/apache2/error_log
maxretry = 6

# The hosts.deny path can be defined with the "file" argument if it is
# not in /etc.

[postfix-tcpwrapper]

enabled  = true
filter   = postfix
action   = hostsdeny
           sendmail[name=Postfix, dest=you@mail.com]
logpath  = /var/log/mail
bantime  = 300

# Do not ban anybody. Just report information about the remote host.
# A notification is sent at most every 600 seconds (bantime).

[vsftpd-notification]

enabled  = false
filter   = vsftpd
action   = sendmail-whois[name=VSFTPD, dest=you@mail.com]
logpath  = /var/log/messages
maxretry = 5
bantime  = 1800

# Same as above but with banning the IP address.

[vsftpd-iptables]

enabled  = false
filter   = vsftpd
action   = iptables[name=VSFTPD, port=ftp, protocol=tcp]
           sendmail-whois[name=VSFTPD, dest=you@mail.com]
logpath  = /var/log/messages
maxretry = 5
bantime  = 1800

# Ban hosts which agent identifies spammer robots crawling the web
# for email addresses. The mail outputs are buffered.

[apache-badbots]

enabled  = false
filter   = apache-badbots
action   = iptables-multiport[name=BadBots, port="http,https"]
           sendmail-buffered[name=BadBots, lines=5, dest=you@mail.com]
logpath  = /var/log/apache2/access_log
bantime  = 172800
maxretry = 1

[courierpop3]

enabled  = false
port     = pop3
filter   = courierlogin
action   = iptables[name=%(__name__)s, port=%(port)s]
logpath  = /var/log/mail
maxretry = 5


[courierimap]

enabled  = false
port     = imap2
filter   = courierlogin
action   = iptables[name=%(__name__)s, port=%(port)s]
logpath  = /var/log/mail
maxretry = 5
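Two things visible in this thread are worth checking before touching anything else, and the added example below (this editor's code, not fail2ban's and not the poster's) lets you reason about both without a server at hand. First, the debug log earlier in the thread shows three SSH jails being started ('ssh-iptables', 'ssh-tcpwrapper' and 'ssh'), with the chains fail2ban-SSH and fail2ban-ssh both hooked into INPUT on --dport ssh, although the pasted jail.conf has ssh-tcpwrapper disabled and no [ssh] section at all. The running configuration is jail.conf with jail.local layered on top, so the merged result is what has to be inspected, not jail.conf alone. Second, the ssh-iptables action says port=ssh, which iptables resolves via /etc/services to TCP 22, while the poster says the default port was changed; the ban rule then sits in front of port 22 and never applies to the port sshd actually listens on. The script replays a constructed excerpt of /var/log/messages through a trimmed approximation of fail2ban 0.8's sshd failregex (an assumption, not the real filter file), applies the jail's maxretry/findtime window to decide which hosts would be banned, and compares the port named in the iptables action with the Port directive of a constructed sshd_config. The jail section, the log lines, the mail addresses and the sshd_config excerpt are all made up for the demo.

```python
"""Replay a few syslog lines through the thread's ssh-iptables jail settings.

Added example for this thread, not fail2ban's own code and not the poster's.
FAILREGEX is a trimmed approximation of fail2ban 0.8's sshd filter
(assumption); the log excerpt, jail section and sshd_config are constructed.
"""
import configparser
import re
from collections import defaultdict
from datetime import datetime

# Constructed /var/log/messages excerpt in the syslog layout OpenSUSE writes:
# 203.0.113.5 hammers the box, 198.51.100.7 fails twice, 19 minutes apart.
SAMPLE_LOG = """\
Dec  8 12:50:01 srv sshd[2101]: Failed password for root from 203.0.113.5 port 40122 ssh2
Dec  8 12:50:04 srv sshd[2101]: Failed password for root from 203.0.113.5 port 40122 ssh2
Dec  8 12:50:07 srv sshd[2103]: Invalid user admin from 203.0.113.5
Dec  8 12:50:09 srv sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 40130 ssh2
Dec  8 12:50:12 srv sshd[2105]: Failed password for invalid user test from 203.0.113.5 port 40131 ssh2
Dec  8 12:51:00 srv sshd[2107]: Accepted publickey for deploy from 198.51.100.7 port 52000 ssh2
Dec  8 12:51:30 srv sshd[2109]: Failed password for bob from 198.51.100.7 port 52010 ssh2
Dec  8 13:10:00 srv sshd[2111]: Failed password for bob from 198.51.100.7 port 52020 ssh2
"""

# Constructed jail section with the thread's [ssh-iptables] settings (placeholder addresses).
JAIL_CONF = """\
[DEFAULT]
findtime = 600
maxretry = 5

[ssh-iptables]
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=admin@example.com, sender=fail2ban@example.com]
logpath  = /var/log/messages
"""
# The same jail with the action pointed at the port sshd really uses.
JAIL_CONF_FIXED = JAIL_CONF.replace("port=ssh", "port=2222")

# Constructed sshd_config: the poster said the default port was changed.
SSHD_CONFIG = "Port 2222\nPermitRootLogin no\n"

# Syslog prefix "Mon dd HH:MM:SS host sshd[pid]: " followed by the message.
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$")

# Stand-in for fail2ban 0.8's sshd failregex lines, applied after the prefix is
# stripped, with <HOST> spelled out as a named group (assumption, trimmed).
FAILREGEX = [
    re.compile(r"^Failed (?:password|publickey) for .* from (?P<host>\S+)(?: port \d+)?(?: ssh\d*)?$"),
    re.compile(r"^[iI](?:llegal|nvalid) user .* from (?P<host>\S+)\s*$"),
]

SERVICE_PORTS = {"ssh": 22, "http": 80, "https": 443}  # the /etc/services names used here


def find_failures(log_text):
    """Return (timestamp, host) for every line that some failregex matches."""
    hits = []
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # syslog carries no year
        for rx in FAILREGEX:
            f = rx.match(m.group("msg"))
            if f:
                hits.append((ts, f.group("host")))
                break
    return hits


def hosts_to_ban(failures, maxretry, findtime):
    """Ban a host once it has maxretry failures inside one findtime-second window,
    roughly the way fail2ban counts failure tickets."""
    recent, banned = defaultdict(list), set()
    for ts, host in sorted(failures):
        recent[host] = [t for t in recent[host] if (ts - t).total_seconds() <= findtime]
        recent[host].append(ts)
        if len(recent[host]) >= maxretry:
            banned.add(host)
    return banned


def action_ports(jail_conf_text, jail):
    """Ports named by the iptables* action(s) of a jail, resolved to numbers."""
    cfg = configparser.ConfigParser()
    cfg.read_string(jail_conf_text)
    ports = set()
    for act in cfg[jail]["action"].splitlines():
        if not act.strip().startswith("iptables"):
            continue
        m = re.search(r'port=(?:"([^"]+)"|([^,\]\s]+))', act)  # port=ssh or port="http,https"
        if m:
            for p in (m.group(1) or m.group(2)).split(","):
                ports.add(SERVICE_PORTS[p] if p in SERVICE_PORTS else int(p))
    return ports


def sshd_listen_ports(sshd_config_text):
    """Port directives from sshd_config; sshd defaults to 22 when none is set."""
    ports = set()
    for line in sshd_config_text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] == "Port":
            ports.add(int(parts[1]))
    return ports or {22}


def ban_reaches_sshd(jail_conf_text, jail, sshd_config_text):
    """True only if every port sshd listens on is hooked by the jail's ban chain."""
    return sshd_listen_ports(sshd_config_text) <= action_ports(jail_conf_text, jail)


if __name__ == "__main__":
    cfg = configparser.ConfigParser()
    cfg.read_string(JAIL_CONF)
    jail = cfg["ssh-iptables"]
    failures = find_failures(SAMPLE_LOG)
    print("matched failure lines:", len(failures))
    print("would ban:", sorted(hosts_to_ban(failures, jail.getint("maxretry"), jail.getint("findtime"))))
    print("port=ssh reaches sshd on 2222:", ban_reaches_sshd(JAIL_CONF, "ssh-iptables", SSHD_CONFIG))
    print("port=2222 reaches sshd on 2222:", ban_reaches_sshd(JAIL_CONF_FIXED, "ssh-iptables", SSHD_CONFIG))
```

On the real machine the same three questions are answered by `fail2ban-regex /var/log/messages /etc/fail2ban/filter.d/sshd.conf` (does the shipped filter match this log format at all), `fail2ban-client status ssh-iptables` (how many failures and bans the jail has counted since it started) and `iptables -n -L fail2ban-SSH` plus `iptables -n -L INPUT` (is the chain present, and does the INPUT hook use the --dport sshd really listens on). If the filter matches and the counters rise but nothing is ever blocked, the port in the action is the first thing to fix; a non-default port alone only thins out the noise, it does not replace the ban.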
Lochkartenstanzer 08.12.2014 at 13:52:12
Quote from @blackdreadhead:

Looks pretty much OK, doesn't it?

Nope, but there is a code tag that lets you display that a bit more readably. :-)

lks