fail2ban работает, но не имеет смысла неудачные попытки входа в систему

Question

Недавно я установил fail2ban на сервере CentOS 6. Я настроил для защиты попытки взлома ssh. Но fail2ban не имеет смысла ломать попытки.

Я протестировал фильтр с помощью fail2ban-regex и думаю, что что-то не так в фильтре.

fail2ban-regex вывод:

% fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/sshd.conf

Running tests
=============

Use   failregex file : /etc/fail2ban/filter.d/sshd.conf
Use         log file : /var/log/secure


Results
=======

Failregex: 13248 total
|-  #) [# of hits] regular expression
|   3) [13059] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*Failed (?:password|publickey) for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$
|   5) [101] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*[iI](?:llegal|nvalid) user .* from <HOST>\s*$
|   9) [88] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*Address <HOST> .* POSSIBLE BREAK-IN ATTEMPT!*\s*$
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [45621] MONTH Day Hour:Minute:Second
`-

Lines: 45621 lines, 0 ignored, 13248 matched, 32373 missed
Missed line(s):: too many to print.  Use --print-all-missed to print all 32373 lines

На моей настройке логи SSHD записываются в /var /log /secure

Логи выглядят так:

Feb  2 04:31:26 twmp sshd[31779]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=happy.unixbsd.info  user=root
Feb  2 04:31:27 twmp sshd[31782]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=happy.unixbsd.info  user=root
Feb  2 04:31:28 twmp sshd[31779]: Failed password for root from 199.71.214.66 port 50984 ssh2
Feb  2 04:31:28 twmp sshd[31780]: Received disconnect from 199.71.214.66: 11: Bye Bye
Feb  2 04:31:29 twmp sshd[31785]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=happy.unixbsd.info  user=root
Feb  2 04:31:29 twmp sshd[31782]: Failed password for root from 199.71.214.66 port 53998 ssh2
Feb  2 04:31:29 twmp sshd[31783]: Received disconnect from 199.71.214.66: 11: Bye Bye
Feb  2 04:31:30 twmp sshd[31788]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=happy.unixbsd.info  user=root
Feb  2 04:31:31 twmp sshd[31785]: Failed password for root from 199.71.214.66 port 52127 ssh2
Feb  2 04:31:32 twmp sshd[31786]: Received disconnect from 199.71.214.66: 11: Bye Bye
Feb  2 04:31:33 twmp sshd[31791]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=happy.unixbsd.info  user=root
Feb  2 04:31:33 twmp sshd[31788]: Failed password for root from 199.71.214.66 port 55001 ssh2
Feb  2 04:31:33 twmp sshd[31789]: Received disconnect from 199.71.214.66: 11: Bye Bye
Feb  2 04:31:34 twmp sshd[31794]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=happy.unixbsd.info  user=root
Feb  2 04:31:35 twmp sshd[31791]: Failed password for root from 199.71.214.66 port 53390 ssh2
Feb  2 04:31:35 twmp sshd[31794]: Failed password for root from 199.71.214.66 port 56186 ssh2
Feb  2 04:31:36 twmp sshd[31792]: Received disconnect from 199.71.214.66: 11: Bye Bye
Feb  2 04:31:36 twmp sshd[31795]: Received disconnect from 199.71.214.66: 11: Bye Bye
Feb  2 04:31:37 twmp sshd[31797]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=happy.unixbsd.info  user=root
Feb  2 04:31:37 twmp sshd[31798]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=happy.unixbsd.info  user=root
Feb  2 04:31:38 twmp sshd[31797]: Failed password for root from 199.71.214.66 port 57048 ssh2
Feb  2 04:31:38 twmp sshd[31799]: Received disconnect from 199.71.214.66: 11: Bye Bye
Feb  2 04:31:39 twmp sshd[31798]: Failed password for root from 199.71.214.66 port 54688 ssh2
Feb  2 04:31:39 twmp sshd[31800]: Received disconnect from 199.71.214.66: 11: Bye Bye
Feb  2 04:31:39 twmp sshd[31803]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=happy.unixbsd.info  user=root
Feb  2 04:31:41 twmp sshd[31806]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=happy.unixbsd.info  user=root
Feb  2 04:31:41 twmp sshd[31803]: Failed password for root from 199.71.214.66 port 57895 ssh2
Feb  2 04:31:41 twmp sshd[31804]: Received disconnect from 199.71.214.66: 11: Bye Bye

Мой файл jail.local выглядит так:

# 

Fail2Ban jail base specification file
#
# Comments: use '#' for comment lines and ';' (following a space) for inline comments

# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1/8

# "bantime" is the number of seconds that a host is banned.
bantime  = 3600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 60

# "maxretry" is the number of failures before a host get banned.
maxretry = 3

# "backend" specifies the backend used to get files modification.
# Available options are "pyinotify", "gamin", "polling" and "auto".
# This option can be overridden in each jail as well.
#
# pyinotify: requires pyinotify (a file alteration monitor) to be installed.
#              If pyinotify is not installed, Fail2ban will use auto.
# gamin:     requires Gamin (a file alteration monitor) to be installed.
#              If Gamin is not installed, Fail2ban will use auto.
# polling:   uses a polling algorithm which does not require external libraries.
# auto:      will try to use the following backends, in order:
#              pyinotify, gamin, polling.
backend = gamin

# "usedns" specifies if jails should trust hostnames in logs,
#   warn when DNS lookups are performed, or ignore all hostnames in logs
#
# yes:   if a hostname is encountered, a DNS lookup will be performed.
# warn:  if a hostname is encountered, a DNS lookup will be performed,
#        but it will be logged as a warning.
# no:    if a hostname is encountered, will not be used for banning,
#        but it will be logged as info.
usedns = warn


# This jail corresponds to the standard configuration in Fail2ban.
# The mail-whois action send a notification e-mail with a whois request
# in the body.

# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define
# action_* variables. Can be overridden globally or per
# section within jail.local file
banaction = iptables-multiport

# email action. Since 0.8.1 upstream fail2ban uses sendmail
# MTA for the mailing. Change mta configuration parameter to mail
# if you want to revert to conventional 'mail'.
mta = mail
destemail = "user@example.com"

# Default protocol
protocol = tcp

# Specify chain where jumps would need to be added in iptables-* actions
chain = INPUT

#
# Action shortcuts. To be used to define action parameter

# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]

# ban & send an e-mail with whois report to the destemail.
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
              %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]

# ban & send an e-mail with whois report and relevant log lines
# to the destemail.
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
               %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]

# Choose default action.  To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g.  action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
action = %(action_mwl)s


[ssh-iptables]

enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/secure
maxretry = 3
action   = iptables-multiport[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=user@example.com, sender=sender@example.com, sendername="Fail2Ban"]

...(other disabled configurations.)

И sshd фильтр под fail2ban/filters.d это:

# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision$
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf


[Definition]

_daemon = sshd

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$
            ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
            ^%(__prefix_line)sFailed (?:password|publickey) for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$
            ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
            ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers$
            ^%(__prefix_line)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
            ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
            ^%(__prefix_line)sAddress <HOST> .* POSSIBLE BREAK-IN ATTEMPT!*\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

Файл common.conf, который входит в состав фильтров:

# Generic configuration items (to be used as interpolations) in other
# filters  or actions configurations
#

[INCLUDES]

# Load customizations if any available
after = common.local


[DEFAULT]

# Daemon definition is to be specialized (if needed) in .conf file
_daemon = \S*

#
# Shortcuts for easier comprehension of the failregex
#
# PID.
# EXAMPLES: [123]
__pid_re = (?:\[\d+\])

# Daemon name (with optional source_file:line or whatever)
# EXAMPLES: pam_rhosts_auth, [sshd], pop(pam_unix)
__daemon_re = [\[\(]?%(_daemon)s(?:\(\S+\))?[\]\)]?:?

# extra daemon info
# EXAMPLE: [ID 800047 auth.info]
__daemon_extra_re = (?:\[ID \d+ \S+\])

# Combinations of daemon name and PID
# EXAMPLES: sshd[31607], pop(pam_unix)[4920]
__daemon_combs_re = (?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:?)

# Some messages have a kernel prefix with a timestamp
# EXAMPLES: kernel: [769570.846956]
__kernel_prefix = kernel: \[\d+\.\d+\]

__hostname = \S+

# A MD5 hex
# EXAMPLES: 07:06:27:55:b0:e3:0c:3c:5a:28:2d:7c:7e:4c:77:5f
__md5hex = (?:[\da-f]{2}:){15}[\da-f]{2}

# bsdverbose is where syslogd is started with -v or -vv and results in <4.3> or
# <auth.info> appearing before the host as per testcases/files/logs/bsd/*.
__bsd_syslog_verbose = (<[^.]+\.[^.]+>)

# Common line prefixes (beginnings) which could be used in filters
#
#      [bsdverbose]? [hostname] [vserver tag] daemon_id spaces
#
# This can be optional (for instance if we match named native log files)
__prefix_line = \s*%(__bsd_syslog_verbose)s?\s*(?:%(__hostname)s )?(?:%(__kernel_prefix)s )?(?:@vserver_\S+ )?%(__daemon_combs_re)s?\s%(__daemon_extra_re)s?\s*

Я пробовал несколько разных конфигурационных файлов, но они по-прежнему не чувствуют сбой соединения SSH. Я проверил файл журнала fail2ban, и там ничего не записывается, кроме остановки и запуска строк.

Answer 1

CentOS выпуск 6.9 (финальный) и fail2ban-0.9.6-1.el6.1.noarch.rpm

(примечание: не перезаписывайте ваши файлы .conf, вместо этого сделайте .local файлы переопределения.)

создать (или редактировать): /etc/fail2ban/filter.d/common.local добавить следующее:

[DEFAULT]
__date_ambit = (\w{3} ( \d{1}|\d{2}) \d{2}:\d{2}:\d{2})

Это переопределяет формат даты по умолчанию, установленный в common.conf, который предполагается как MM/DD/YYYY в других форматах файла журнала. В моем тестировании остальная часть переменной регулярного выражения __prefix_line кажется, работала очень хорошо.

В моей установке исходная __prefix_line в common.conf выглядит так, если вы перезаписали свою:

__prefix_line = %(__date_ambit)s?\s*(?:%(__bsd_syslog_verbose)s\s+)?(?:%(__hostname)s\s+)?(?:%(__kernel_prefix)s\s+)?(?:%(__vserver)s\s+)?(?:%(__daemon_combs_re)s\s+)?(?:%(__daemon_extra_re)s\s+)?

Answer 2

Согласно этим сообщениям на форуме, __prefix_line выражение __prefix_line в common.conf не работает. Итак, я решил изменить его на .*? (Я знаю, что это очень плохое решение). Это сейчас запрещено.

Answer 3

Иногда это происходит потому, что __bsd_syslog_verbose неверен. fail2ban ожидает, что /var/log/auth.log начнется с YYYY.MM.DD (то есть: 2014.10.15), но журналы читают MMM DD (то есть: 15 октября)

Чтобы это исправить, вам нужно будет сделать следующее:

cp /etc/fail2ban/filter.d/common.conf /etc/fail2ban/filter.d/common.local

Отредактируйте common.local и установите:

__bsd_syslog_verbose = (<[^.]+ [^.]+>)

Перезапустите fail2ban:

Ubuntu (не используйте перезагрузку):

sudo service fail2ban stop
sudo service fail2ban start