Fail2ban e-mail notification

Have you tried setting the logging level to 4 in /etc/fail2ban/fail2ban.conf (restart Fail2Ban) and then testing it again?
Does /var/log/fail2ban.log then say anything about it, e.g. that the IP is already banned?
 
The log says the following:

Code:
2012-10-03 10:37:12,490 fail2ban.filter : DEBUG  Found ******
2012-10-03 10:37:12,491 fail2ban.filter : DEBUG  Currently have failures from 1 IPs: ['*******']
2012-10-03 10:37:12,491 fail2ban.filter.datedetector: DEBUG  Sorting the template list
2012-10-03 10:37:50,516 fail2ban.filter : DEBUG  Got event: 1 for /var/log/auth.log
2012-10-03 10:37:50,516 fail2ban.filter : DEBUG  File changed: /var/log/auth.log
2012-10-03 10:37:50,516 fail2ban.filter.datedetector: DEBUG  Sorting the template list
2012-10-03 10:38:32,546 fail2ban.filter : DEBUG  Got event: 1 for /var/log/auth.log
2012-10-03 10:38:32,546 fail2ban.filter : DEBUG  File changed: /var/log/auth.log
2012-10-03 10:38:32,546 fail2ban.filter.datedetector: DEBUG  Sorting the template list
1x root, that is the failure shown above; after that 4x with a different user without a key: nothing at all; then once more with a key and a wrong password: Fail2ban does not trigger.

For this, Fail2ban did the following:

Code:
2012-10-03 10:32:22,117 fail2ban.comm   : DEBUG  Command: ['set', 'ssh', 'addfailregex', '^\\s*(?:\\S+ )?(?:kernel: \\[\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*(?:error: PAM: )?Authentication failure for .* from <HOST>\\s*$']
2012-10-03 10:32:22,119 fail2ban.comm   : DEBUG  Command: ['set', 'ssh', 'addfailregex', '^\\s*(?:\\S+ )?(?:kernel: \\[\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\\s*$']
2012-10-03 10:32:22,120 fail2ban.comm   : DEBUG  Command: ['set', 'ssh', 'addfailregex', '^\\s*(?:\\S+ )?(?:kernel: \\[\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*Failed (?:password|publickey) for .* from <HOST>(?: port \\d*)?(?: ssh\\d*)?$']
2012-10-03 10:32:22,123 fail2ban.comm   : DEBUG  Command: ['set', 'ssh', 'addfailregex', '^\\s*(?:\\S+ )?(?:kernel: \\[\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*ROOT LOGIN REFUSED.* FROM <HOST>\\s*$']
2012-10-03 10:32:22,125 fail2ban.comm   : DEBUG  Command: ['set', 'ssh', 'addfailregex', '^\\s*(?:\\S+ )?(?:kernel: \\[\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*[iI](?:llegal|nvalid) user .* from <HOST>\\s*$']
2012-10-03 10:32:22,128 fail2ban.comm   : DEBUG  Command: ['set', 'ssh', 'addfailregex', '^\\s*(?:\\S+ )?(?:kernel: \\[\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*User .+ from <HOST> not allowed because not listed in AllowUsers$']
2012-10-03 10:32:22,130 fail2ban.comm   : DEBUG  Command: ['set', 'ssh', 'addfailregex', '^\\s*(?:\\S+ )?(?:kernel: \\[\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*authentication failure; logname=\\S* uid=\\S* euid=\\S* tty=\\S* ruser=\\S* rhost=<HOST>(?:\\s+user=.*)?\\s*$']
2012-10-03 10:32:22,133 fail2ban.comm   : DEBUG  Command: ['set', 'ssh', 'addfailregex', '^\\s*(?:\\S+ )?(?:kernel: \\[\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*refused connect from \\S+ \\(<HOST>\\)\\s*$']
2012-10-03 10:32:22,136 fail2ban.comm   : DEBUG  Command: ['set', 'ssh', 'addfailregex', '^\\s*(?:\\S+ )?(?:kernel: \\[\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*Address <HOST> .* POSSIBLE BREAK-IN ATTEMPT!*\\s*$']
2012-10-03 10:32:22,139 fail2ban.comm   : DEBUG  Command: ['set', 'ssh', 'addfailregex', "^\\s*(?:\\S+ )?(?:kernel: \\[\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*User .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\\s*$"]
The functionality is there, but somehow it does not want to fire.

Here, for comparison, the auth.log:
Code:
Oct  3 10:37:10 Ubuntu-1204-precise-64-minimal sshd[25579]: User root from vsrv06.****** not allowed because not listed in AllowUsers (alarm from Fail2ban, after that nothing more)
Oct  3 10:37:10 Ubuntu-1204-precise-64-minimal sshd[25579]: input_userauth_request: invalid user root [preauth]
Oct  3 10:37:10 Ubuntu-1204-precise-64-minimal sshd[25579]: Connection closed by ****** [preauth]  (login attempts..... no reaction from Fail2ban..)
Oct  3 10:37:48 Ubuntu-1204-precise-64-minimal sshd[25675]: Connection closed by ***** [preauth]
Oct  3 10:38:30 Ubuntu-1204-precise-64-minimal sshd[25785]: Connection closed by ***** [preauth]
Oct  3 10:38:31 Ubuntu-1204-precise-64-minimal sshd[25791]: Connection closed by ***** [preauth]
Oct  3 10:40:01 Ubuntu-1204-precise-64-minimal CRON[26007]: pam_unix(cron:session): session opened for user root by (uid=0)
Oct  3 10:40:01 Ubuntu-1204-precise-64-minimal CRON[26007]: pam_unix(cron:session): session closed for user root
Oct  3 10:41:19 Ubuntu-1204-precise-64-minimal sshd[26071]: Received disconnect from ******: 13: Unable to authenticate [preauth]

Why doesn't fail2ban trigger?

As soon as I hit a user that violates AllowUsers, the e-mail arrives.
Code:
Oct  3 11:05:07 Ubuntu-1204-precise-64-minimal sshd[492]: User root from ***** not allowed because not listed in AllowUsers
Oct  3 11:05:07 Ubuntu-1204-precise-64-minimal sshd[492]: input_userauth_request: invalid user root [preauth]
Oct  3 11:05:07 Ubuntu-1204-precise-64-minimal sshd[492]: Connection closed by ****** [preauth]
 
Could it perhaps be because I use keys?

edit: resolved, public keys were the culprit.
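As an added example (not code from the thread), the script below applies a subset of the failregex patterns from the 'addfailregex' commands above to constructed auth.log lines modeled on the ones posted, showing why a key-only failure that sshd records merely as "Connection closed by ... [preauth]" never counts towards a ban while the AllowUsers line does. It assumes fail2ban 0.8's `<HOST>` substitution; the hostname and IP in the sample are made up.

```python
import re
from collections import Counter

# The generic sshd prefix shared by every failregex in the thread, written once here
# instead of being repeated per pattern (same expression as in the addfailregex commands).
PREFIX = (r"^\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?"
          r"(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|"
          r"[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*")
# What fail2ban 0.8 substitutes for <HOST> (assumption: 0.8-era named group).
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"
# Subset of the pattern tails from the thread that are relevant to the posted log.
TAILS = [
    r"Failed (?:password|publickey) for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$",
    r"[iI](?:llegal|nvalid) user .* from <HOST>\s*$",
    r"User .+ from <HOST> not allowed because not listed in AllowUsers$",
    r"Address <HOST> .* POSSIBLE BREAK-IN ATTEMPT!*\s*$",
]
FAILREGEX = [re.compile(PREFIX + t.replace("<HOST>", HOST)) for t in TAILS]
# fail2ban's date detector strips the syslog timestamp before the failregex runs.
SYSLOG_DATE = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} ")

def match_host(line):
    """Return the host a failregex extracts from one auth.log line, or None if no match."""
    body = SYSLOG_DATE.sub("", line)
    for rx in FAILREGEX:
        m = rx.match(body)
        if m:
            return m.group("host")
    return None

def count_failures(lines):
    """Failures per host, the way the jail counts them towards maxretry."""
    return Counter(h for h in map(match_host, lines) if h)

# Constructed sample modeled on the thread's auth.log (hostname and IP are made up).
SAMPLE = """\
Oct  3 10:37:10 host sshd[25579]: User root from vsrv06.example.net not allowed because not listed in AllowUsers
Oct  3 10:37:10 host sshd[25579]: input_userauth_request: invalid user root [preauth]
Oct  3 10:37:10 host sshd[25579]: Connection closed by 203.0.113.5 [preauth]
Oct  3 10:37:48 host sshd[25675]: Connection closed by 203.0.113.5 [preauth]
Oct  3 10:38:30 host sshd[25785]: Connection closed by 203.0.113.5 [preauth]
Oct  3 10:41:19 host sshd[26071]: Received disconnect from 203.0.113.5: 13: Unable to authenticate [preauth]
Oct  3 10:45:00 host sshd[26100]: Failed password for invalid user admin from 203.0.113.5 port 50222 ssh2
""".splitlines()

if __name__ == "__main__":
    for line in SAMPLE:
        print(match_host(line) or "-", "|", line)
    print(count_failures(SAMPLE))
```

Only the AllowUsers line and the password failure yield a host; the "[preauth]" disconnects from the rejected key attempts match nothing, so they never reach maxretry.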
 