Fail2ban: differenze tra le versioni

Fail2ban (visualizza wikitesto)

Versione delle 14:29, 16 set 2008

5 765 byte aggiunti , 16 set 2008

nessun oggetto della modifica

Mm-barabba

660

contributi

@@ Riga 67: / Riga 67: @@
 # /etc/init.d/fail2ban restart
 </pre>
+==Prova di funzionamento==
+Fino a qui tutto bene , ora volendo potete testare fail2ban
+ma prima andiamo a creare gli errori di login nel file di log ,
+nel mio esempio ho cercato di accedere al servizio FTP
+inserendo nome utente e/o pawwsord sbagliate
+con il comando:
+ fail2ban-regex "file di log" "filtro prescelto"
+esempio :
+ fail2ban-regex /var/log/secure.log /etc/fail2ban/filter.d/proftpd.conf
+il comando va eseguito con sudo o con i permessi di su.
+Riporto ora l'output di queso comando :
+ barabba@server:~$ fail2ban-regex /var/log/secure.log /etc/fail2ban/filter.d/proftpd.conf
+ Running tests
+ Use regex file : /etc/fail2ban/filter.d/proftpd.conf
+ Use log file : /var/log/secure.log
+ Results
+ Failregex
+ |- Regular expressions:
+ | [1] (S+[])[: -]+ USER S+: no such user found from S+ [[0-9.]+] to S+:S+s+$
+ | [2] (S+[])[: -]+ USER S+ (Login failed): Incorrect password.$
+ | [3] (S+[])[: -]+ SECURITY VIOLATION: S+ login attempted.$
+ | [4] (S+[])[: -]+ Maximum login attempts (d+) exceeded$
+ | [5] USER S+: no such user found from S* ?[] to S+s*$
+ |
+ `- Number of matches:
+ [1] 0 match(es)
+ [2] 6 match(es)
+ [3] 0 match(es)
+ [4] 0 match(es)
+ [5] 28 match(es)
+ Ignoreregex
+ |- Regular expressions:
+ |
+ `- Number of matches:
+ Summary
+ Addresses found:
+ [1]
+ [2]
+ xxx.xxx.xxx.88 (Mon Jun 30 22:09:54 2008)
+ xxx.xxx.xxx.88 (Mon Jun 30 22:10:15 2008)
+ xxx.xxx.xxx.88 (Mon Jun 30 22:10:31 2008)
+ xxx.xxx.xxx.253 (Tue Jul 01 10:43:51 2008)
+ xxx.xxx.xxx.253 (Tue Jul 01 11:10:58 2008)
+ xxx.xxx.xxx.253 (Tue Jul 01 11:14:12 2008)
+ [3]
+ [4]
+ [5]
+ xxx.xxx.xxx.253 (Tue Jul 01 09:26:54 2008)
+ xxx.xxx.xxx.253 (Tue Jul 01 09:27:09 2008)
+ xxx.xxx.xxx.253 (Tue Jul 01 09:27:24 2008)
+ xxx.xxx.xxx.253 (Tue Jul 01 10:43:08 2008)
+ xxx.xxx.xxx.253 (Tue Jul 01 10:43:22 2008)
+ xxx.xxx.xxx.253 (Tue Jul 01 11:14:34 2008)
+ xxx.xxx.xxx.193 (Tue Jul 01 13:02:16 2008)
+ xxx.xxx.xxx.193 (Tue Jul 01 13:02:47 2008)
+ xxx.xxx.xxx.193 (Tue Jul 01 13:03:05 2008)
+ xxx.xxx.xxx.99 (Tue Jul 01 14:19:12 2008)
+ xxx.xxx.xxx.99 (Tue Jul 01 14:19:14 2008)
+ Date template hits:
+hit(s): Month Day Hour:Minute:Second
+hit(s): Weekday Month Day Hour:Minute:Second Year
+hit(s): Weekday Month Day Hour:Minute:Second
+hit(s): Year/Month/Day Hour:Minute:Second
+hit(s): Day/Month/Year Hour:Minute:Second
+hit(s): Day/Month/Year:Hour:Minute:Second
+hit(s): Year-Month-Day Hour:Minute:Second
+hit(s): Day-Month-Year Hour:Minute:Second[.Millisecond]
+hit(s): TAI64N
+hit(s): Epoch
+ Success, the total number of match is 19
+ However, look at the above section 'Running tests' which could contain important
+ information.
+Come potete vedere ho aggiunto una regola (numero 5 ) al filtro proftpd.conf :
+USER S+: no such user found from S* ?[] to S+s*$
+adesso con questa riga aggiunta riesce a bannarmi gli IP
+che provano a loggarsi con nome utente sbagliato
+cosa che prima non avveniva , infatti il test non rilevava
+alcun errore dal file di log.
+Grazie a questo semplice test potete già
+testare se fail2ban è in grado di rilevare possibili errori
+dai vostri file di log , altrimenti non vi resta che modificare
+i vari filtri in  /etc/fail2ban/filter.d/ oppure cercarne uno che funzioni
+e aggingerlo alla lista come ho fatto io per il mio file  /etc/fail2ban/filter.d/proftpd.conf
+Per finire vi lascio alla mail che vi arriva in caso un IP venga bannato :
+ Subject: [Fail2Ban] proftpd: banned 58.252.70.99
+ From: Fail2Ban
+ Hi,
+ The IP 58.252.70.99 has just been banned by Fail2Ban after
+attempts against proftpd.
+ Here are more information about 58.252.70.99:
+ % [whois.apnic.net node-2]
+ % Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html
+ inetnum:      58.252.70.0 - 58.252.70.255
+ netname:      haidatong
+ country:      CN
+ descr:        haidatong, Foshan, Guangdong province
+ admin-c:      CG272-AP
+ tech-c:       CG272-AP
+ status:       ASSIGNED NON-PORTABLE
+ changed:      wangjj238@cnc.cn 20071221
+ mnt-by:       MAINT-CNCGROUP-GD
+ source:       APNIC
+ route:        58.252.0.0/17
+ descr:        CNC Group CHINA169 Guangdong Province Network
+ country:      CN
+ origin:       AS4837
+ mnt-by:       MAINT-CNCGROUP-RR
+ changed:      abuse@cnc-noc.net 20080620
+ source:       APNIC
+ Lines containing IP:58.252.70.99 in /var/log/secure.log
+ Jul 01 14:19:09 kserver proftpd[25566] localhost.localdomain      (::ffff:58.252.70.99[::ffff:58.252.70.99]): FTP session opened.
+ Jul 01 14:19:12 kserver proftpd[25566] localhost.localdomain (::ffff:58.252.70.99[::ffff:58.252.70.99]): no such user 'Administrator'
+ Jul 01 14:19:12 kserver proftpd[25566] localhost.localdomain  (::ffff:58.252.70.99[::ffff:58.252.70.99]): USER Administrator: no such user found   from ::ffff:58.252.70.99 [::ffff:58.252.70.99] to ::ffff:192.168.0.50:21
+ Jul 01 14:19:14 kserver proftpd[25566] localhost.localdomain  (::ffff:58.252.70.99[::ffff:58.252.70.99]): no such user 'Administrator'
+ Jul 01 14:19:14 kserver proftpd[25566] localhost.localdomain  (::ffff:58.252.70.99[::ffff:58.252.70.99]): USER Administrator: no such user found   from ::ffff:58.252.70.99 [::ffff:58.252.70.99] to ::ffff:192.168.0.50:21
+ Jul 01 14:19:16 kserver proftpd[25566] localhost.localdomain  (::ffff:58.252.70.99[::ffff:58.252.70.99]): no such user 'Administrator'
+ Jul 01 14:19:16 kserver proftpd[25566] localhost.localdomain  (::ffff:58.252.70.99[::ffff:58.252.70.99]): USER Administrator: no such user found  from ::ffff:58.252.70.99 [::ffff:58.252.70.99] to ::ffff:192.168.0.50:21
+ Jul 01 14:19:16 kserver proftpd[25566] localhost.localdomain  (::ffff:58.252.70.99[::ffff:58.252.70.99]): Maximum login attempts (3) exceeded, connection refused
+ Jul 01 14:19:16 kserver proftpd[25566] localhost.localdomain  (::ffff:58.252.70.99[::ffff:58.252.70.99]): FTP session closed.
+ Regards,
+ Fail2Ban
 [[Categoria:Sicurezza]]
 [[Categoria:Firewalling]]