fail2ban shows a strange message related to proftpd

Bernett22

New Member
Hello forum,

I have a question.

Does anyone know this message from fail2ban?

Code:
2009-05-16 13:50:01,825 fail2ban.filter : ERROR  No failregex is set

The log file is overflowing with it. The message only appears, however, when I set the proftpd section in jail.conf to true.
Code:
[proftpd-iptables]

enabled  = true

What can I do about it? I would appreciate some advice. I would really like to have proftpd monitored with it.
 
The entry means that for the proftp service, although it is enabled, no regular expressions are defined with which it should search the logs and then block the IPs.
 
Hello,

thanks for your reply.

Sorry, but what exactly do you mean by "regular expressions"? What would they have to look like?

The log looks like this:

Code:
May 17 13:43:00 server01 proftpd: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser=mmuster rhost=x.x.x.x  user=mmuster
May 17 13:43:02 server01 proftpd[13715]: server01.xxx.de (x.x.x.x[x.x.x.x]) - USER mmuster (Login failed): Incorrect password.
May 17 13:43:02 server01 proftpd[13715]: server01.xxx.de (x.x.x.x[x.x.x.x]) - FTP session closed.

The proftpd.conf:

Code:
failregex = \(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found from \S+ \[\S+\] to \S+:\S+$
            \(\S+\[<HOST>\]\)[: -]+ USER \S+ \(Login failed\): Incorrect password\.$
            \(\S+\[<HOST>\]\)[: -]+ SECURITY VIOLATION: \S+ login attempted\.$
            \(\S+\[<HOST>\]\)[: -]+ Maximum login attempts \(\d+\) exceeded$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
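To see which of the posted log lines the four failregex patterns above actually count as failures, here is an added Python check that is not from the thread or from fail2ban itself; it expands the <HOST> tag the way the filter does (the expansion string is an assumption) and runs the patterns over constructed sample entries modelled on the auth.log excerpt, which shows that the (pam_unix) line matches none of them.

```python
import re

# Assumption (not from the thread): fail2ban expands the <HOST> tag to a
# named group roughly like this before compiling each failregex.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The four failregex lines from the poster's filter file, verbatim.
FAILREGEX = [
    r"\(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found from \S+ \[\S+\] to \S+:\S+$",
    r"\(\S+\[<HOST>\]\)[: -]+ USER \S+ \(Login failed\): Incorrect password\.$",
    r"\(\S+\[<HOST>\]\)[: -]+ SECURITY VIOLATION: \S+ login attempted\.$",
    r"\(\S+\[<HOST>\]\)[: -]+ Maximum login attempts \(\d+\) exceeded$",
]

# Constructed sample log lines modelled on the thread's auth.log excerpt;
# 198.51.100.7 is a documentation address, not a real client.
SAMPLE_LOG = [
    "May 17 13:43:00 server01 proftpd: (pam_unix) authentication failure; "
    "logname= uid=0 euid=0 tty= ruser=mmuster rhost=198.51.100.7  user=mmuster",
    "May 17 13:43:02 server01 proftpd[13715]: server01.example.de "
    "(198.51.100.7[198.51.100.7]) - USER mmuster (Login failed): Incorrect password.",
    "May 17 13:43:02 server01 proftpd[13715]: server01.example.de "
    "(198.51.100.7[198.51.100.7]) - FTP session closed.",
    "May 17 13:44:10 server01 proftpd[13716]: server01.example.de "
    "(198.51.100.7[198.51.100.7]) - Maximum login attempts (3) exceeded",
]

def compile_failregex(patterns):
    """Expand <HOST> and compile each pattern, as the filter would."""
    return [re.compile(p.replace("<HOST>", HOST_RE)) for p in patterns]

def extract_failures(patterns, lines):
    """Return (line_no, host, pattern_index) for every line some failregex matches."""
    compiled = compile_failregex(patterns)
    hits = []
    for n, line in enumerate(lines, 1):
        for i, rx in enumerate(compiled):
            m = rx.search(line)
            if m:
                hits.append((n, m.group("host"), i))
                break  # first matching pattern wins; later ones are not tried
    return hits

def hosts_over_limit(patterns, lines, maxretry):
    """Hosts whose matched failures reach maxretry (the findtime window is ignored here)."""
    counts = {}
    for _, host, _ in extract_failures(patterns, lines):
        counts[host] = counts.get(host, 0) + 1
    return sorted(h for h, c in counts.items() if c >= maxretry)

if __name__ == "__main__":
    for hit in extract_failures(FAILREGEX, SAMPLE_LOG):
        print("line %d: host %s matched failregex #%d" % hit)
```

With the jail's maxretry of 5 from the fail2ban-client output, the sample host would not be banned yet; only the "Login failed" and "Maximum login attempts" lines count.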
 
Yes, those are actually the correct regex rules.

What is the output of:
Code:
fail2ban-client -d
 
Code:
server01:/# fail2ban-client -d
ERROR  Invalid argument ['https"'] in 'name=BadBots, port="http,https"'
ERROR  No file found for /var/log/postfix.log
['set', 'loglevel', 3]
['set', 'logtarget', '/var/log/fail2ban.log']
['add', 'ssh-iptables', 'auto']
['set', 'ssh-iptables', 'addlogpath', '/var/log/auth.log']
['set', 'ssh-iptables', 'maxretry', 3]
['set', 'ssh-iptables', 'addignoreip', '127.0.0.1']
['set', 'ssh-iptables', 'findtime', 600]
['set', 'ssh-iptables', 'bantime', 600]
['set', 'ssh-iptables', 'failregex', '(?:(?:Authentication failure|Failed [-/\\w+]+) for(?: [iI](?:llegal|nvalid) user)?|[Ii](?:llegal|nvalid) user|ROOT LOGIN REFUSED) .*(?: from|FROM) <HOST>(?: port \\d*)?(?: ssh\\d*)?\\s*$']
['set', 'ssh-iptables', 'ignoreregex', '']
['set', 'ssh-iptables', 'addaction', 'iptables']
['set', 'ssh-iptables', 'actionban', 'iptables', 'iptables -I fail2ban-<name> 1 -s <ip> -j DROP']
['set', 'ssh-iptables', 'actionstop', 'iptables', 'iptables -D INPUT -p <protocol> --dport <port> -j fail2ban-<name>\niptables -F fail2ban-<name>\niptables -X fail2ban-<name>']
['set', 'ssh-iptables', 'actionstart', 'iptables', 'iptables -N fail2ban-<name>\niptables -A fail2ban-<name> -j RETURN\niptables -I INPUT -p <protocol> --dport <port> -j fail2ban-<name>']
['set', 'ssh-iptables', 'actionunban', 'iptables', 'iptables -D fail2ban-<name> -s <ip> -j DROP']
['set', 'ssh-iptables', 'actioncheck', 'iptables', 'iptables -n -L INPUT | grep -q fail2ban-<name>']
['set', 'ssh-iptables', 'setcinfo', 'iptables', 'protocol', 'tcp']
['set', 'ssh-iptables', 'setcinfo', 'iptables', 'name', 'SSH']
['set', 'ssh-iptables', 'setcinfo', 'iptables', 'port', '10022']
['set', 'ssh-iptables', 'addaction', 'sendmail-whois']
['set', 'ssh-iptables', 'actionban', 'sendmail-whois', 'printf %b "Subject: [Fail2Ban] <name>: banned <ip>\nFrom: Fail2Ban <<sender>>\nTo: <dest>\\n\nHi,\\n\nThe IP <ip> has just been banned by Fail2Ban after\n<failures> attempts against <name>.\\n\\n\nHere are more information about <ip>:\\n\n`/usr/bin/whois <ip>`\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f <sender> <dest>']
['set', 'ssh-iptables', 'actionstop', 'sendmail-whois', 'printf %b "Subject: [Fail2Ban] <name>: stopped\nFrom: Fail2Ban <<sender>>\nTo: <dest>\\n\nHi,\\n\nThe jail <name> has been stopped.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f <sender> <dest>']
['set', 'ssh-iptables', 'actionstart', 'sendmail-whois', 'printf %b "Subject: [Fail2Ban] <name>: started\nFrom: Fail2Ban <<sender>>\nTo: <dest>\\n\nHi,\\n\nThe jail <name> has been started successfully.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f <sender> <dest>']
['set', 'ssh-iptables', 'actionunban', 'sendmail-whois', '']
['set', 'ssh-iptables', 'actioncheck', 'sendmail-whois', '']
['set', 'ssh-iptables', 'setcinfo', 'sendmail-whois', 'dest', 'xxx']
['set', 'ssh-iptables', 'setcinfo', 'sendmail-whois', 'name', 'SSH']
['set', 'ssh-iptables', 'setcinfo', 'sendmail-whois', 'sender', 'fail2ban@mail.com']
['add', 'postfix-tcpwrapper', 'auto']
['set', 'postfix-tcpwrapper', 'maxretry', 3]
['set', 'postfix-tcpwrapper', 'addignoreip', '127.0.0.1']
['set', 'postfix-tcpwrapper', 'findtime', 600]
['set', 'postfix-tcpwrapper', 'bantime', 300]
['set', 'postfix-tcpwrapper', 'failregex', 'reject: RCPT from (.*)\\[<HOST>\\]: 554']
['set', 'postfix-tcpwrapper', 'ignoreregex', '']
['set', 'postfix-tcpwrapper', 'addaction', 'hostsdeny']
['set', 'postfix-tcpwrapper', 'actionban', 'hostsdeny', 'IP=<ip> &&\nprintf %b "ALL: $IP\\n" >> <file>']
['set', 'postfix-tcpwrapper', 'actionstop', 'hostsdeny', '']
['set', 'postfix-tcpwrapper', 'actionstart', 'hostsdeny', '']
['set', 'postfix-tcpwrapper', 'actionunban', 'hostsdeny', 'IP=<ip> && sed -i.old /ALL:\\ $IP/d <file>']
['set', 'postfix-tcpwrapper', 'actioncheck', 'hostsdeny', '']
['set', 'postfix-tcpwrapper', 'setcinfo', 'hostsdeny', 'file', '/not/a/standard/path/hosts.deny']
['set', 'postfix-tcpwrapper', 'addaction', 'sendmail']
['set', 'postfix-tcpwrapper', 'actionban', 'sendmail', 'printf %b "Subject: [Fail2Ban] <name>: banned <ip>\nFrom: Fail2Ban <<sender>>\nTo: <dest>\\n\nHi,\\n\nThe IP <ip> has just been banned by Fail2Ban after\n<failures> attempts against <name>.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f <sender> <dest>']
['set', 'postfix-tcpwrapper', 'actionstop', 'sendmail', 'printf %b "Subject: [Fail2Ban] <name>: stopped\nFrom: Fail2Ban <<sender>>\nTo: <dest>\\n\nHi,\\n\nThe jail <name> has been stopped.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f <sender> <dest>']
['set', 'postfix-tcpwrapper', 'actionstart', 'sendmail', 'printf %b "Subject: [Fail2Ban] <name>: started\nFrom: Fail2Ban <<sender>>\nTo: <dest>\\n\nHi,\\n\nThe jail <name> has been started successfully.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f <sender> <dest>']
['set', 'postfix-tcpwrapper', 'actionunban', 'sendmail', '']
['set', 'postfix-tcpwrapper', 'actioncheck', 'sendmail', '']
['set', 'postfix-tcpwrapper', 'setcinfo', 'sendmail', 'dest', 'xxx']
['set', 'postfix-tcpwrapper', 'setcinfo', 'sendmail', 'name', 'Postfix']
['set', 'postfix-tcpwrapper', 'setcinfo', 'sendmail', 'sender', 'fail2ban']
['add', 'apache-badbots', 'auto']
['set', 'apache-badbots', 'addlogpath', '/var/www/vhosts/xxx/statistics/logs/access_log']
['set', 'apache-badbots', 'maxretry', 1]
['set', 'apache-badbots', 'addignoreip', '127.0.0.1']
['set', 'apache-badbots', 'findtime', 600]
['set', 'apache-badbots', 'bantime', 172800]
['set', 'apache-badbots', 'failregex', '^<HOST> -.*"(GET|POST).*HTTP.*"(?:atSpider/1\\.0|autoemailspider|China Local Browse 2\\.6|ContentSmartz|DataCha0s/2\\.0|DataCha0s/2\\.0|DBrowse 1\\.4b|DBrowse 1\\.4d|Demo Bot DOT 16b|Demo Bot Z 16b|DSurf15a 01|DSurf15a 71|DSurf15a 81|DSurf15a VA|EBrowse 1\\.4b|Educate Search VxB|EmailSiphon|EmailWolf 1\\.00|ESurf15a 15|ExtractorPro|Franklin Locator 1\\.8|FSurf15a 01|Full Web Bot 0416B|Full Web Bot 0516B|Full Web Bot 2816B|Industry Program 1\\.0\\.x|ISC Systems iRc Search 2\\.1|IUPUI Research Bot v 1\\.9a|LARBIN-EXPERIMENTAL \\(efp@gmx\\.net\\)|LetsCrawl\\.com/1\\.0 +http\\://letscrawl\\.com/|Lincoln State Web Browser|LWP\\:\\:Simple/5\\.803|Mac Finder 1\\.0\\.xx|MFC Foundation Class Library 4\\.0|Microsoft URL Control - 6\\.00\\.8xxx|Missauga Locate 1\\.0\\.0|Missigua Locator 1\\.9|Missouri College Browse|Mizzu Labs 2\\.2|Mo College 1\\.9|Mozilla/2\\.0 \\(compatible; NEWT ActiveX; Win32\\)|Mozilla/3\\.0 \\(compatible; Indy Library\\)|Mozilla/4\\.0 \\(compatible; Advanced Email Extractor v2\\.xx\\)|Mozilla/4\\.0 \\(compatible; Iplexx Spider/1\\.0 http\\://www\\.iplexx\\.at\\)|Mozilla/4\\.0 \\(compatible; MSIE 5\\.0; Windows NT; DigExt; DTS Agent|Mozilla/4\\.0 efp@gmx\\.net|Mozilla/5\\.0 \\(Version\\: xxxx Type\\:xx\\)|MVAClient|NASA Search 1\\.0|Nsauditor/1\\.x|PBrowse 1\\.4b|PEval 1\\.4b|Poirot|Port Huron Labs|Production Bot 0116B|Production Bot 2016B|Production Bot DOT 3016B|Program Shareware 1\\.0\\.2|PSurf15a 11|PSurf15a 51|PSurf15a VA|psycheclone|RSurf15a 41|RSurf15a 51|RSurf15a 81|searchbot admin@google\\.com|sogou spider|sohu agent|SSurf15a 11 |TSurf15a 11|Under the Rainbow 2\\.2|User-Agent\\: Mozilla/4\\.0 \\(compatible; MSIE 6\\.0; Windows NT 5\\.1\\)|WebVulnCrawl\\.blogspot\\.com/1\\.0 libwww-perl/5\\.803|Wells Search II|WEP Search 00|EmailCollector|WebEMailExtrac|TrackBack/1\\.02|sogou music spider)"$']
['set', 'apache-badbots', 'ignoreregex', '']
['set', 'apache-badbots', 'addaction', 'iptables-multiport']
['set', 'apache-badbots', 'actionban', 'iptables-multiport', 'iptables -I fail2ban-<name> 1 -s <ip> -j DROP']
['set', 'apache-badbots', 'actionstop', 'iptables-multiport', 'iptables -D INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>\niptables -F fail2ban-<name>\niptables -X fail2ban-<name>']
['set', 'apache-badbots', 'actionstart', 'iptables-multiport', 'iptables -N fail2ban-<name>\niptables -A fail2ban-<name> -j RETURN\niptables -I INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>']
['set', 'apache-badbots', 'actionunban', 'iptables-multiport', 'iptables -D fail2ban-<name> -s <ip> -j DROP']
['set', 'apache-badbots', 'actioncheck', 'iptables-multiport', 'iptables -n -L INPUT | grep -q fail2ban-<name>']
['set', 'apache-badbots', 'setcinfo', 'iptables-multiport', 'protocol', 'tcp']
['set', 'apache-badbots', 'setcinfo', 'iptables-multiport', 'name', 'BadBots']
['set', 'apache-badbots', 'setcinfo', 'iptables-multiport', 'port', '"http']
['set', 'apache-badbots', 'addaction', 'sendmail-buffered']
['set', 'apache-badbots', 'actionban', 'sendmail-buffered', 'printf %b "`date`: <ip> (<failures> failures)\\n" >> <tmpfile>\nLINE=$( wc -l <tmpfile> | awk \'{ print $1 }\' )\nif [ $LINE -ge <lines> ]; then\nprintf %b "Subject: [Fail2Ban] <name>: summary\nFrom: Fail2Ban <<sender>>\nTo: <dest>\\n\nHi,\\n\nThese hosts have been banned by Fail2Ban.\\n\n`cat <tmpfile>`\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f <sender> <dest>\nrm <tmpfile>\nfi']
['set', 'apache-badbots', 'actionstop', 'sendmail-buffered', 'if [ -f <tmpfile> ]; then\nprintf %b "Subject: [Fail2Ban] <name>: summary\nFrom: Fail2Ban <<sender>>\nTo: <dest>\\n\nHi,\\n\nThese hosts have been banned by Fail2Ban.\\n\n`cat <tmpfile>`\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f <sender> <dest>\nrm <tmpfile>\nfi\nprintf %b "Subject: [Fail2Ban] <name>: stopped\nFrom: Fail2Ban <<sender>>\nTo: <dest>\\n\nHi,\\n\nThe jail <name> has been stopped.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f <sender> <dest>']
['set', 'apache-badbots', 'actionstart', 'sendmail-buffered', 'printf %b "Subject: [Fail2Ban] <name>: started\nFrom: Fail2Ban <<sender>>\nTo: <dest>\\n\nHi,\\n\nThe jail <name> has been started successfully.\\n\nOutput will be buffered until <lines> lines are available.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f <sender> <dest>']
['set', 'apache-badbots', 'actionunban', 'sendmail-buffered', '']
['set', 'apache-badbots', 'actioncheck', 'sendmail-buffered', '']
['set', 'apache-badbots', 'setcinfo', 'sendmail-buffered', 'dest', 'xxx']
['set', 'apache-badbots', 'setcinfo', 'sendmail-buffered', 'tmpfile', '/tmp/fail2ban-mail.txt']
['set', 'apache-badbots', 'setcinfo', 'sendmail-buffered', 'lines', '5']
['set', 'apache-badbots', 'setcinfo', 'sendmail-buffered', 'name', 'BadBots']
['set', 'apache-badbots', 'setcinfo', 'sendmail-buffered', 'sender', 'fail2ban']
['add', 'proftpd-iptables', 'auto']
['set', 'proftpd-iptables', 'addlogpath', '/var/log/auth.log']
['set', 'proftpd-iptables', 'maxretry', 5]
['set', 'proftpd-iptables', 'addignoreip', '127.0.0.1']
['set', 'proftpd-iptables', 'findtime', 600]
['set', 'proftpd-iptables', 'bantime', 600]
['set', 'proftpd-iptables', 'failregex', '\\(\\S+\\[<HOST>\\]\\)[: -]+ USER \\S+: no such user found from \\S+ \\[\\S+\\] to \\S+:\\S+$\n\\(\\S+\\[<HOST>\\]\\)[: -]+ USER \\S+ \\(Login failed\\): Incorrect password\\.$\n\\(\\S+\\[<HOST>\\]\\)[: -]+ SECURITY VIOLATION: \\S+ login attempted\\.$\n\\(\\S+\\[<HOST>\\]\\)[: -]+ Maximum login attempts \\(\\d+\\) exceeded$\nUSER \\S+: no such user found from \\S* ?\\[<HOST>\\] to \\S+\\s*$\nproftpd: \\(pam_unix\\) authentication failure; .*']
['set', 'proftpd-iptables', 'ignoreregex', '']
['set', 'proftpd-iptables', 'addaction', 'iptables']
['set', 'proftpd-iptables', 'actionban', 'iptables', 'iptables -I fail2ban-<name> 1 -s <ip> -j DROP']
['set', 'proftpd-iptables', 'actionstop', 'iptables', 'iptables -D INPUT -p <protocol> --dport <port> -j fail2ban-<name>\niptables -F fail2ban-<name>\niptables -X fail2ban-<name>']
['set', 'proftpd-iptables', 'actionstart', 'iptables', 'iptables -N fail2ban-<name>\niptables -A fail2ban-<name> -j RETURN\niptables -I INPUT -p <protocol> --dport <port> -j fail2ban-<name>']
['set', 'proftpd-iptables', 'actionunban', 'iptables', 'iptables -D fail2ban-<name> -s <ip> -j DROP']
['set', 'proftpd-iptables', 'actioncheck', 'iptables', 'iptables -n -L INPUT | grep -q fail2ban-<name>']
['set', 'proftpd-iptables', 'setcinfo', 'iptables', 'protocol', 'tcp']
['set', 'proftpd-iptables', 'setcinfo', 'iptables', 'name', 'ProFTPD']
['set', 'proftpd-iptables', 'setcinfo', 'iptables', 'port', 'ftp']
['set', 'proftpd-iptables', 'addaction', 'sendmail-whois']
['set', 'proftpd-iptables', 'actionban', 'sendmail-whois', 'printf %b "Subject: [Fail2Ban] <name>: banned <ip>\nFrom: Fail2Ban <<sender>>\nTo: <dest>\\n\nHi,\\n\nThe IP <ip> has just been banned by Fail2Ban after\n<failures> attempts against <name>.\\n\\n\nHere are more information about <ip>:\\n\n`/usr/bin/whois <ip>`\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f <sender> <dest>']
['set', 'proftpd-iptables', 'actionstop', 'sendmail-whois', 'printf %b "Subject: [Fail2Ban] <name>: stopped\nFrom: Fail2Ban <<sender>>\nTo: <dest>\\n\nHi,\\n\nThe jail <name> has been stopped.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f <sender> <dest>']
['set', 'proftpd-iptables', 'actionstart', 'sendmail-whois', 'printf %b "Subject: [Fail2Ban] <name>: started\nFrom: Fail2Ban <<sender>>\nTo: <dest>\\n\nHi,\\n\nThe jail <name> has been started successfully.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f <sender> <dest>']
['set', 'proftpd-iptables', 'actionunban', 'sendmail-whois', '']
['set', 'proftpd-iptables', 'actioncheck', 'sendmail-whois', '']
['set', 'proftpd-iptables', 'setcinfo', 'sendmail-whois', 'dest', 'xxx']
['set', 'proftpd-iptables', 'setcinfo', 'sendmail-whois', 'name', 'ProFTPD']
['set', 'proftpd-iptables', 'setcinfo', 'sendmail-whois', 'sender', 'fail2ban']
['start', 'ssh-iptables']
['start', 'postfix-tcpwrapper']
['start', 'apache-badbots']
['start', 'proftpd-iptables']
 
Code:
Package: fail2ban
Priority: optional
Section: net
Installed-Size: 488
Maintainer: Yaroslav Halchenko <debian@onerussian.com>
Architecture: all
Version: 0.7.5-2etch1
Depends: python2.4, python-central (>= 0.5.8), python (>= 2.4), iptables, lsb-base (>= 2.0-7)
Suggests: python-gamin, mailx
Filename: pool/main/f/fail2ban/fail2ban_0.7.5-2etch1_all.deb
 
I'm completely stuck on my problem here; my fail2ban has some error, but I just can't find it. Or rather, I don't understand right now what it is trying to tell me =(
 
Code:
ERROR  No file found for /var/log/secure
What exactly is ambiguous about that?

Apart from that, it's bad form to hijack other people's threads.
 