Fail2ban: difference between revisions

# /etc/init.d/fail2ban restart
</pre>
==Functional test==
So far so good. Now, if you want, you can test fail2ban, but first you need some login failures in the log file: in my example I tried to log in to the FTP service with a wrong username and/or password. Then run:
<pre>
fail2ban-regex "log file" "chosen filter"
</pre>
for example:
<pre>
fail2ban-regex /var/log/secure.log /etc/fail2ban/filter.d/proftpd.conf
</pre>
The command has to be run with sudo or with root privileges. Here is the output of this command (the failregex lines are reproduced as they are written in the filter file, where <code><nowiki><HOST></nowiki></code> is fail2ban's placeholder for the client address):
<pre>
barabba@server:~$ fail2ban-regex /var/log/secure.log /etc/fail2ban/filter.d/proftpd.conf

Running tests

Use regex file : /etc/fail2ban/filter.d/proftpd.conf
Use log file   : /var/log/secure.log

Results

Failregex
|- Regular expressions:
|  [1] \(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found from \S+ \[[0-9.]+\] to \S+:\S+\s+$
|  [2] \(\S+\[<HOST>\]\)[: -]+ USER \S+ \(Login failed\): Incorrect password\.$
|  [3] \(\S+\[<HOST>\]\)[: -]+ SECURITY VIOLATION: \S+ login attempted\.$
|  [4] \(\S+\[<HOST>\]\)[: -]+ Maximum login attempts \(\d+\) exceeded$
|  [5] USER \S+: no such user found from \S* ?\[<HOST>\] to \S+\s*$
|
`- Number of matches:
   [1] 0 match(es)
   [2] 6 match(es)
   [3] 0 match(es)
   [4] 0 match(es)
   [5] 28 match(es)

Ignoreregex
|- Regular expressions:
|
`- Number of matches:

Summary

Addresses found:
[1]
[2]
    xxx.xxx.xxx.88 (Mon Jun 30 22:09:54 2008)
    xxx.xxx.xxx.88 (Mon Jun 30 22:10:15 2008)
    xxx.xxx.xxx.88 (Mon Jun 30 22:10:31 2008)
    xxx.xxx.xxx.253 (Tue Jul 01 10:43:51 2008)
    xxx.xxx.xxx.253 (Tue Jul 01 11:10:58 2008)
    xxx.xxx.xxx.253 (Tue Jul 01 11:14:12 2008)
[3]
[4]
[5]
    xxx.xxx.xxx.253 (Tue Jul 01 09:26:54 2008)
    xxx.xxx.xxx.253 (Tue Jul 01 09:27:09 2008)
    xxx.xxx.xxx.253 (Tue Jul 01 09:27:24 2008)
    xxx.xxx.xxx.253 (Tue Jul 01 10:43:08 2008)
    xxx.xxx.xxx.253 (Tue Jul 01 10:43:22 2008)
    xxx.xxx.xxx.253 (Tue Jul 01 11:14:34 2008)
    xxx.xxx.xxx.193 (Tue Jul 01 13:02:16 2008)
    xxx.xxx.xxx.193 (Tue Jul 01 13:02:47 2008)
    xxx.xxx.xxx.193 (Tue Jul 01 13:03:05 2008)
    xxx.xxx.xxx.99 (Tue Jul 01 14:19:12 2008)
    xxx.xxx.xxx.99 (Tue Jul 01 14:19:14 2008)

Date template hits:
734 hit(s): Month Day Hour:Minute:Second
0 hit(s): Weekday Month Day Hour:Minute:Second Year
0 hit(s): Weekday Month Day Hour:Minute:Second
0 hit(s): Year/Month/Day Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/Month/Year:Hour:Minute:Second
0 hit(s): Year-Month-Day Hour:Minute:Second
0 hit(s): Day-Month-Year Hour:Minute:Second[.Millisecond]
0 hit(s): TAI64N
0 hit(s): Epoch

Success, the total number of match is 19

However, look at the above section 'Running tests' which could contain important
information.
</pre>
As you can see, I added a rule (number 5) to the filter proftpd.conf:
<pre>
USER \S+: no such user found from \S* ?\[<HOST>\] to \S+\s*$
</pre>
With this line added, fail2ban now manages to ban the IPs that try to log in with a wrong username, which did not happen before: the test found no failure at all in the log file. Thanks to this simple test you can already check whether fail2ban is able to detect failures in your log files; otherwise you will have to edit the filters in /etc/fail2ban/filter.d/, or find one that works and add it to the list, as I did for my /etc/fail2ban/filter.d/proftpd.conf.
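As an added example, not part of the original wiki page nor of fail2ban itself, the Python script below reproduces what fail2ban-regex did above on a small constructed proftpd log: it expands <code><nowiki><HOST></nowiki></code> the way fail2ban 0.8 does (an assumption about that version), applies the shipped rules [1] and [4] and the added rule [5], counts matches per address and then applies the jail's maxretry/findtime logic. It shows why rule [1] scored 0 matches: its <code><nowiki>\[[0-9.]+\]</nowiki></code> expects a plain dotted-quad inside the brackets, while these logs carry IPv4-mapped addresses such as <code><nowiki>[::ffff:58.252.70.99]</nowiki></code>; rule [4] misses too, because the log line continues with ", connection refused" after "exceeded" and the rule is anchored with <code>$</code>. The sample log, the second client 192.0.2.10 and the function names are constructed for this example.

```python
import re
from datetime import datetime

# Rules taken from the fail2ban-regex output above: [1] and [4] as shipped in
# proftpd.conf, [5] as added by the page's author.
ORIGINAL_RULE = r"\(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found from \S+ \[[0-9.]+\] to \S+:\S+\s+$"
MAXATTEMPTS_RULE = r"\(\S+\[<HOST>\]\)[: -]+ Maximum login attempts \(\d+\) exceeded$"
AUTHOR_RULE = r"USER \S+: no such user found from \S* ?\[<HOST>\] to \S+\s*$"

# Assumption: this is how fail2ban 0.8 expands the <HOST> tag. The optional
# group swallows the ::ffff: prefix of IPv4-mapped IPv6 addresses, so the
# captured "host" group is the plain IPv4 address that gets banned.
HOST_PATTERN = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# Constructed sample log, modelled on the proftpd lines quoted in the mail below
# (same attacker address as on the page; 192.0.2.10 is a made-up second client).
SAMPLE_LOG = """\
Jul 01 14:19:09 kserver proftpd[25566] localhost.localdomain (::ffff:58.252.70.99[::ffff:58.252.70.99]): FTP session opened.
Jul 01 14:19:12 kserver proftpd[25566] localhost.localdomain (::ffff:58.252.70.99[::ffff:58.252.70.99]): no such user 'Administrator'
Jul 01 14:19:12 kserver proftpd[25566] localhost.localdomain (::ffff:58.252.70.99[::ffff:58.252.70.99]): USER Administrator: no such user found from ::ffff:58.252.70.99 [::ffff:58.252.70.99] to ::ffff:192.168.0.50:21
Jul 01 14:19:14 kserver proftpd[25566] localhost.localdomain (::ffff:58.252.70.99[::ffff:58.252.70.99]): USER Administrator: no such user found from ::ffff:58.252.70.99 [::ffff:58.252.70.99] to ::ffff:192.168.0.50:21
Jul 01 14:19:16 kserver proftpd[25566] localhost.localdomain (::ffff:58.252.70.99[::ffff:58.252.70.99]): USER Administrator: no such user found from ::ffff:58.252.70.99 [::ffff:58.252.70.99] to ::ffff:192.168.0.50:21
Jul 01 14:19:16 kserver proftpd[25566] localhost.localdomain (::ffff:58.252.70.99[::ffff:58.252.70.99]): Maximum login attempts (3) exceeded, connection refused
Jul 01 14:19:16 kserver proftpd[25566] localhost.localdomain (::ffff:58.252.70.99[::ffff:58.252.70.99]): FTP session closed.
Jul 01 14:25:00 kserver proftpd[25570] localhost.localdomain (::ffff:192.0.2.10[::ffff:192.0.2.10]): USER guest: no such user found from ::ffff:192.0.2.10 [::ffff:192.0.2.10] to ::ffff:192.168.0.50:21
"""
LOG_LINES = SAMPLE_LOG.splitlines(keepends=True)  # keep "\n", as lines read from a file

# The syslog-style prefix matched by fail2ban's "Month Day Hour:Minute:Second" template.
DATE_RE = re.compile(r"^(?P<mon>[A-Z][a-z]{2}) (?P<day>\d{2}) (?P<time>\d{2}:\d{2}:\d{2})")


def compile_failregex(rule):
    """Turn a failregex line into a compiled pattern, substituting <HOST> as fail2ban does."""
    return re.compile(rule.replace("<HOST>", HOST_PATTERN))


def parse_time(line, year=2008):
    """Parse the date prefix; the year is not in the log, so it must be supplied."""
    m = DATE_RE.match(line)
    if m is None:
        return None
    return datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")


def find_failures(lines, rule):
    """Return (timestamp, host) for every line the rule matches, like one fail2ban-regex run."""
    rx = compile_failregex(rule)
    failures = []
    for line in lines:
        m = rx.search(line)
        if m:
            failures.append((parse_time(line), m.group("host")))
    return failures


def count_by_host(failures):
    """Per-address totals, the 'Addresses found' part of the fail2ban-regex summary."""
    counts = {}
    for _, host in failures:
        counts[host] = counts.get(host, 0) + 1
    return counts


def hosts_to_ban(failures, maxretry=3, findtime=600):
    """Apply the jail rule: ban an address with maxretry failures inside a findtime window (seconds)."""
    times_by_host = {}
    for ts, host in failures:
        times_by_host.setdefault(host, []).append(ts)
    banned = []
    for host, times in times_by_host.items():
        times.sort()
        for i in range(len(times) - maxretry + 1):
            if (times[i + maxretry - 1] - times[i]).total_seconds() <= findtime:
                banned.append(host)
                break
    return sorted(banned)


if __name__ == "__main__":
    for name, rule in (("shipped rule [1]", ORIGINAL_RULE),
                       ("shipped rule [4]", MAXATTEMPTS_RULE),
                       ("added rule [5]", AUTHOR_RULE)):
        hits = find_failures(LOG_LINES, rule)
        print(f"{name}: {len(hits)} match(es) {count_by_host(hits)}")
    print("would be banned:", hosts_to_ban(find_failures(LOG_LINES, AUTHOR_RULE)))
```

Run it as a script to see the per-rule counts; the shipped rules report nothing, the added rule attributes three failures to 58.252.70.99 and one to 192.0.2.10, and only the first address reaches maxretry within findtime. Before trusting a new failregex, check with the real fail2ban-regex that it still captures the address in the <code>host</code> group and does not match unrelated lines, otherwise you either ban nobody or ban the wrong hosts.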
Finally, here is the mail you receive when an IP gets banned:
<pre>
Subject: [Fail2Ban] proftpd: banned 58.252.70.99
From: Fail2Ban

Hi,

The IP 58.252.70.99 has just been banned by Fail2Ban after
3 attempts against proftpd.

Here are more information about 58.252.70.99:

% [whois.apnic.net node-2]
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html

inetnum:      58.252.70.0 - 58.252.70.255
netname:      haidatong
country:      CN
descr:        haidatong, Foshan, Guangdong province
admin-c:      CG272-AP
tech-c:       CG272-AP
status:       ASSIGNED NON-PORTABLE
changed:      wangjj238@cnc.cn 20071221
mnt-by:       MAINT-CNCGROUP-GD
source:       APNIC

route:        58.252.0.0/17
descr:        CNC Group CHINA169 Guangdong Province Network
country:      CN
origin:       AS4837
mnt-by:       MAINT-CNCGROUP-RR
changed:      abuse@cnc-noc.net 20080620
source:       APNIC

Lines containing IP:58.252.70.99 in /var/log/secure.log

Jul 01 14:19:09 kserver proftpd[25566] localhost.localdomain (::ffff:58.252.70.99[::ffff:58.252.70.99]): FTP session opened.
Jul 01 14:19:12 kserver proftpd[25566] localhost.localdomain (::ffff:58.252.70.99[::ffff:58.252.70.99]): no such user 'Administrator'
Jul 01 14:19:12 kserver proftpd[25566] localhost.localdomain (::ffff:58.252.70.99[::ffff:58.252.70.99]): USER Administrator: no such user found from ::ffff:58.252.70.99 [::ffff:58.252.70.99] to ::ffff:192.168.0.50:21
Jul 01 14:19:14 kserver proftpd[25566] localhost.localdomain (::ffff:58.252.70.99[::ffff:58.252.70.99]): no such user 'Administrator'
Jul 01 14:19:14 kserver proftpd[25566] localhost.localdomain (::ffff:58.252.70.99[::ffff:58.252.70.99]): USER Administrator: no such user found from ::ffff:58.252.70.99 [::ffff:58.252.70.99] to ::ffff:192.168.0.50:21
Jul 01 14:19:16 kserver proftpd[25566] localhost.localdomain (::ffff:58.252.70.99[::ffff:58.252.70.99]): no such user 'Administrator'
Jul 01 14:19:16 kserver proftpd[25566] localhost.localdomain (::ffff:58.252.70.99[::ffff:58.252.70.99]): USER Administrator: no such user found from ::ffff:58.252.70.99 [::ffff:58.252.70.99] to ::ffff:192.168.0.50:21
Jul 01 14:19:16 kserver proftpd[25566] localhost.localdomain (::ffff:58.252.70.99[::ffff:58.252.70.99]): Maximum login attempts (3) exceeded, connection refused
Jul 01 14:19:16 kserver proftpd[25566] localhost.localdomain (::ffff:58.252.70.99[::ffff:58.252.70.99]): FTP session closed.

Regards,

Fail2Ban
</pre>


[[Categoria:Sicurezza]]
[[Categoria:Firewalling]]