Can you tell me what this means?
Fail2ban actually says the IP is banned, but nothing shows up in iptables anyway. I didn't specify an action because jail.conf says iptables-multiport is used by default, or should I rather enter it separately for each definition so that no default action is used at all?
Where is the mistake in my reasoning, and what does DNS Lookup: 1995 mean?
What is this strange IP 0.0.7.203?
Code:
fail2ban.filter : WARNING Determined IP using DNS Lookup: 1995 = ['0.0.7.203']
Sep 2 09:04:31 server33 fail2ban.filter : WARNING Determined IP using DNS Lookup: 1995 = ['0.0.7.203']
Sep 2 09:04:42 server33 fail2ban.filter : WARNING Determined IP using DNS Lookup: 1995 = ['0.0.7.203']
Sep 2 09:04:43 server33 fail2ban.actions: WARNING [nginx-404block] Ban 0.0.7.203
Sep 2 09:04:59 server33 fail2ban.filter : WARNING Determined IP using DNS Lookup: 1995 = ['0.0.7.203']
Sep 2 09:05:16 server33 fail2ban.filter : WARNING Determined IP using DNS Lookup: 1995 = ['0.0.7.203']
Sep 2 09:05:21 server33 fail2ban.filter : WARNING Determined IP using DNS Lookup: 1995 = ['0.0.7.203']
Sep 2 09:05:21 server33 fail2ban.actions: INFO [nginx-404block] 0.0.7.203 already banned
Sep 2 09:05:46 server33 fail2ban.filter : WARNING Determined IP using DNS Lookup: 1995 = ['0.0.7.203']
Sep 2 09:05:50 server33 fail2ban.filter : WARNING Determined IP using DNS Lookup: 1995 = ['0.0.7.203']
Sep 2 09:06:06 server33 fail2ban.filter : WARNING Determined IP using DNS Lookup: 1995 = ['0.0.7.203']
Sep 2 09:06:07 server33 fail2ban.actions: INFO [nginx-404block] 0.0.7.203 already banned
Sep 2 09:06:10 server33 fail2ban.filter : WARNING Determined IP using DNS Lookup: 1995 = ['0.0.7.203']
Sep 2 09:06:14 server33 fail2ban.filter : WARNING Determined IP using DNS Lookup: 1995 = ['0.0.7.203']
Sep 2 09:06:21 server33 fail2ban.filter : WARNING Determined IP using DNS Lookup: 1995 = ['0.0.7.203']
Sep 2 09:06:21 server33 fail2ban.actions: INFO [nginx-404block] 0.0.7.203 already banned
Sep 2 09:06:24 server33 fail2ban.filter : WARNING Determined IP using DNS Lookup: 1995 = ['0.0.7.203']
Sep 2 09:06:35 server33 fail2ban.filter : WARNING Determined IP using DNS Lookup: 1995 = ['0.0.7.203']
Sep 2 09:06:41 server33 fail2ban.filter : WARNING Determined IP using DNS Lookup: 1995 = ['0.0.7.203']
Sep 2 09:06:42 server33 fail2ban.actions: INFO [nginx-404block] 0.0.7.203 already banned
Sep 2 09:06:51 server33 fail2ban.filter : WARNING Determined IP using DNS Lookup: 1995 = ['0.0.7.203']
Sep 2 09:06:56 server33 fail2ban.filter : WARNING Determined IP using DNS Lookup: 1995 = ['0.0.7.203']
Sep 2 09:11:23 server33 fail2ban.filter : WARNING Determined IP using DNS Lookup: 1995 = ['0.0.7.203']
Sep 2 09:11:24 server33 fail2ban.actions: INFO [nginx-404block] 0.0.7.203 already banned
Sep 2 09:11:39 server33 fail2ban.filter : WARNING Determined IP using DNS Lookup: 1995 = ['0.0.7.203']
Sep 2 09:11:47 server33 fail2ban.filter : WARNING Determined IP using DNS Lookup: 1995 = ['0.0.7.203']
These are the most important jail.local settings (the .... means there is more there)
Code:
........
# "bantime" is the number of seconds that a host is banned.
bantime = 3600
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 86400
# "maxretry" is the number of failures before a host get banned.
maxretry = 3
banaction = iptables-multiport
........
[nginx-404block]
enabled = true
port = http,https
filter = nginx-404block
logpath = /var/log/nginx/access*.log
maxretry = 3
bantime = 2592000
findtime = 86400
And this is the filter
Code:
[Definition]
failregex = <HOST> - - \[.*\] "GET /.* HTTP/1\.[01]" 404 [0-9]+.*$
ignoreregex =
iptables-multiport
Code:
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Modified by Yaroslav Halchenko for multiport banning
#
[INCLUDES]
before = iptables-blocktype.conf
[Definition]
# Option: actionstart
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
actionstart = iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
              iptables -I <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
             iptables -F fail2ban-<name>
             iptables -X fail2ban-<name>
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck = iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype>
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionunban = iptables -D fail2ban-<name> -s <ip> -j <blocktype>
[Init]
# Default name of the chain
#
name = default
# Option: port
# Notes.: specifies port to monitor
# Values: [ NUM | STRING ] Default:
#
port = ssh
# Option: protocol
# Notes.: internally used by config reader for interpolations.
# Values: [ tcp | udp | icmp | all ] Default: tcp
#
protocol = tcp
# Option: chain
# Notes.: specifies the iptables chain to which the fail2ban rules should be
#         added
# Values: STRING Default: INPUT
chain = INPUT
This is what's in iptables (1994 is my ssh port)
Code:
[root@server ~]# sudo iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
fail2ban-SSH tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1994
fail2ban-SSH tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1994
fail2ban-BadBots tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
fail2ban-SSH tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1994
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain fail2ban-BadBots (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-SSH (3 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0
It would be nice if you could help me out briefly.
Regards
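As an added illustration (not part of the original post) of the `Determined IP using DNS Lookup: 1995 = ['0.0.7.203']` warning: fail2ban only prints it when the `<HOST>` group of a failregex captured something that is not an IP address and had to be resolved, and a bare decimal number is a legal inet_aton form that the resolver reads as one 32-bit integer, so 1995 (0x7CB) comes back as 0.0.7.203. The script below applies the post's nginx-404block failregex to constructed log lines and flags non-IP captures so the pattern can be tightened instead of trusting a resolved token; the `<HOST>` expansion used is assumed to be the fail2ban 0.8.x one.

```python
import re
import socket
import struct

# Added example, not code from the original post or from fail2ban itself.
# HOST_RE reproduces the <HOST> placeholder that fail2ban 0.8.x substitutes
# into a failregex (assumed version); FAILREGEX is the post's filter expanded.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"
FAILREGEX = re.compile(
    HOST_RE + r' - - \[.*\] "GET /.* HTTP/1\.[01]" 404 [0-9]+.*$'
)

# Constructed sample access-log lines (not real traffic).
LINE_IP = ('203.0.113.5 - - [02/Sep/2013:09:04:31 +0200] '
           '"GET /missing HTTP/1.1" 404 162 "-" "curl/7.29.0"')
LINE_NAME = ('badhost - - [02/Sep/2013:09:05:16 +0200] '
             '"GET /x HTTP/1.0" 404 0 "-" "-"')
LINE_200 = ('203.0.113.5 - - [02/Sep/2013:09:05:21 +0200] '
            '"GET / HTTP/1.1" 200 612 "-" "-"')

def captured_host(line):
    """Return whatever the <HOST> group captured, or None if no match."""
    m = FAILREGEX.search(line)
    return m.group("host") if m else None

def is_ipv4(token):
    """Strict dotted-quad check; rejects bare numbers such as '1995'."""
    try:
        socket.inet_pton(socket.AF_INET, token)
        return True
    except OSError:
        return False

def bare_int_as_ipv4(token):
    """A bare decimal is read by inet_aton as a single 32-bit integer, so
    '1995' (0x7CB) becomes 0.0.7.203, the address seen in the post's log."""
    return socket.inet_ntoa(struct.pack("!I", int(token)))

def classify(line):
    """'ban' only for a dotted-quad capture; a non-IP capture is reported so
    the regex can be fixed rather than resolving the token via DNS."""
    host = captured_host(line)
    if host is None:
        return ("no-match", None)
    if is_ipv4(host):
        return ("ban", host)
    return ("host-not-ip", host)
```

Running `classify` over a jail's real log lines before enabling it shows immediately whether the failregex is picking up the client address or some other field.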