660
contributi
Fail2ban: differenze tra le versioni
Vai alla navigazione
Vai alla ricerca
nessun oggetto della modifica
m (spostato nella sezione più appropriata) |
Nessun oggetto della modifica |
||
| Riga 67: | Riga 67: | ||
# /etc/init.d/fail2ban restart | # /etc/init.d/fail2ban restart | ||
</pre> | </pre> | ||
==Prova di funzionamento== | |||
Fino a qui tutto bene , ora volendo potete testare fail2ban | |||
ma prima andiamo a creare gli errori di login nel file di log , | |||
nel mio esempio ho cercato di accedere al servizio FTP | |||
inserendo nome utente e/o pawwsord sbagliate | |||
con il comando: | |||
fail2ban-regex "file di log" "filtro prescelto" | |||
esempio : | |||
fail2ban-regex /var/log/secure.log /etc/fail2ban/filter.d/proftpd.conf | |||
il comando va eseguito con sudo o con i permessi di su. | |||
Riporto ora l'output di queso comando : | |||
barabba@server:~$ fail2ban-regex /var/log/secure.log /etc/fail2ban/filter.d/proftpd.conf | |||
Running tests | |||
Use regex file : /etc/fail2ban/filter.d/proftpd.conf | |||
Use log file : /var/log/secure.log | |||
Results | |||
Failregex | |||
|- Regular expressions: | |||
| [1] (S+[])[: -]+ USER S+: no such user found from S+ [[0-9.]+] to S+:S+s+$ | |||
| [2] (S+[])[: -]+ USER S+ (Login failed): Incorrect password.$ | |||
| [3] (S+[])[: -]+ SECURITY VIOLATION: S+ login attempted.$ | |||
| [4] (S+[])[: -]+ Maximum login attempts (d+) exceeded$ | |||
| [5] USER S+: no such user found from S* ?[] to S+s*$ | |||
| | |||
`- Number of matches: | |||
[1] 0 match(es) | |||
[2] 6 match(es) | |||
[3] 0 match(es) | |||
[4] 0 match(es) | |||
[5] 28 match(es) | |||
Ignoreregex | |||
|- Regular expressions: | |||
| | |||
`- Number of matches: | |||
Summary | |||
Addresses found: | |||
[1] | |||
[2] | |||
xxx.xxx.xxx.88 (Mon Jun 30 22:09:54 2008) | |||
xxx.xxx.xxx.88 (Mon Jun 30 22:10:15 2008) | |||
xxx.xxx.xxx.88 (Mon Jun 30 22:10:31 2008) | |||
xxx.xxx.xxx.253 (Tue Jul 01 10:43:51 2008) | |||
xxx.xxx.xxx.253 (Tue Jul 01 11:10:58 2008) | |||
xxx.xxx.xxx.253 (Tue Jul 01 11:14:12 2008) | |||
[3] | |||
[4] | |||
[5] | |||
xxx.xxx.xxx.253 (Tue Jul 01 09:26:54 2008) | |||
xxx.xxx.xxx.253 (Tue Jul 01 09:27:09 2008) | |||
xxx.xxx.xxx.253 (Tue Jul 01 09:27:24 2008) | |||
xxx.xxx.xxx.253 (Tue Jul 01 10:43:08 2008) | |||
xxx.xxx.xxx.253 (Tue Jul 01 10:43:22 2008) | |||
xxx.xxx.xxx.253 (Tue Jul 01 11:14:34 2008) | |||
xxx.xxx.xxx.193 (Tue Jul 01 13:02:16 2008) | |||
xxx.xxx.xxx.193 (Tue Jul 01 13:02:47 2008) | |||
xxx.xxx.xxx.193 (Tue Jul 01 13:03:05 2008) | |||
xxx.xxx.xxx.99 (Tue Jul 01 14:19:12 2008) | |||
xxx.xxx.xxx.99 (Tue Jul 01 14:19:14 2008) | |||
Date template hits: | |||
734 hit(s): Month Day Hour:Minute:Second | |||
0 hit(s): Weekday Month Day Hour:Minute:Second Year | |||
0 hit(s): Weekday Month Day Hour:Minute:Second | |||
0 hit(s): Year/Month/Day Hour:Minute:Second | |||
0 hit(s): Day/Month/Year Hour:Minute:Second | |||
0 hit(s): Day/Month/Year:Hour:Minute:Second | |||
0 hit(s): Year-Month-Day Hour:Minute:Second | |||
0 hit(s): Day-Month-Year Hour:Minute:Second[.Millisecond] | |||
0 hit(s): TAI64N | |||
0 hit(s): Epoch | |||
Success, the total number of match is 19 | |||
However, look at the above section 'Running tests' which could contain important | |||
information. | |||
Come potete vedere ho aggiunto una regola (numero 5 ) al filtro proftpd.conf : | |||
USER S+: no such user found from S* ?[] to S+s*$ | |||
adesso con questa riga aggiunta riesce a bannarmi gli IP | |||
che provano a loggarsi con nome utente sbagliato | |||
cosa che prima non avveniva , infatti il test non rilevava | |||
alcun errore dal file di log. | |||
Grazie a questo semplice test potete già | |||
testare se fail2ban è in grado di rilevare possibili errori | |||
dai vostri file di log , altrimenti non vi resta che modificare | |||
i vari filtri in /etc/fail2ban/filter.d/ oppure cercarne uno che funzioni | |||
e aggingerlo alla lista come ho fatto io per il mio file /etc/fail2ban/filter.d/proftpd.conf | |||
Per finire vi lascio alla mail che vi arriva in caso un IP venga bannato : | |||
Subject: [Fail2Ban] proftpd: banned 58.252.70.99 | |||
From: Fail2Ban | |||
Hi, | |||
The IP 58.252.70.99 has just been banned by Fail2Ban after | |||
3 attempts against proftpd. | |||
Here are more information about 58.252.70.99: | |||
% [whois.apnic.net node-2] | |||
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html | |||
inetnum: 58.252.70.0 - 58.252.70.255 | |||
netname: haidatong | |||
country: CN | |||
descr: haidatong, Foshan, Guangdong province | |||
admin-c: CG272-AP | |||
tech-c: CG272-AP | |||
status: ASSIGNED NON-PORTABLE | |||
changed: wangjj238@cnc.cn 20071221 | |||
mnt-by: MAINT-CNCGROUP-GD | |||
source: APNIC | |||
route: 58.252.0.0/17 | |||
descr: CNC Group CHINA169 Guangdong Province Network | |||
country: CN | |||
origin: AS4837 | |||
mnt-by: MAINT-CNCGROUP-RR | |||
changed: abuse@cnc-noc.net 20080620 | |||
source: APNIC | |||
Lines containing IP:58.252.70.99 in /var/log/secure.log | |||
Jul 01 14:19:09 kserver proftpd[25566] localhost.localdomain (::ffff:58.252.70.99[::ffff:58.252.70.99]): FTP session opened. | |||
Jul 01 14:19:12 kserver proftpd[25566] localhost.localdomain (::ffff:58.252.70.99[::ffff:58.252.70.99]): no such user 'Administrator' | |||
Jul 01 14:19:12 kserver proftpd[25566] localhost.localdomain (::ffff:58.252.70.99[::ffff:58.252.70.99]): USER Administrator: no such user found from ::ffff:58.252.70.99 [::ffff:58.252.70.99] to ::ffff:192.168.0.50:21 | |||
Jul 01 14:19:14 kserver proftpd[25566] localhost.localdomain (::ffff:58.252.70.99[::ffff:58.252.70.99]): no such user 'Administrator' | |||
Jul 01 14:19:14 kserver proftpd[25566] localhost.localdomain (::ffff:58.252.70.99[::ffff:58.252.70.99]): USER Administrator: no such user found from ::ffff:58.252.70.99 [::ffff:58.252.70.99] to ::ffff:192.168.0.50:21 | |||
Jul 01 14:19:16 kserver proftpd[25566] localhost.localdomain (::ffff:58.252.70.99[::ffff:58.252.70.99]): no such user 'Administrator' | |||
Jul 01 14:19:16 kserver proftpd[25566] localhost.localdomain (::ffff:58.252.70.99[::ffff:58.252.70.99]): USER Administrator: no such user found from ::ffff:58.252.70.99 [::ffff:58.252.70.99] to ::ffff:192.168.0.50:21 | |||
Jul 01 14:19:16 kserver proftpd[25566] localhost.localdomain (::ffff:58.252.70.99[::ffff:58.252.70.99]): Maximum login attempts (3) exceeded, connection refused | |||
Jul 01 14:19:16 kserver proftpd[25566] localhost.localdomain (::ffff:58.252.70.99[::ffff:58.252.70.99]): FTP session closed. | |||
Regards, | |||
Fail2Ban | |||
[[Categoria:Sicurezza]] | [[Categoria:Sicurezza]] | ||
[[Categoria:Firewalling]] | [[Categoria:Firewalling]] | ||