Small F2B problem...

Thread starter: Deleted member 14254 (Guest)
Hello everyone,

Yesterday, after spending a good while on setting up a number of F2B jails, I ventured a test towards evening to provoke the 404 error...

As in another thread ("Grundrauschen?"), I now have the following chains (jails) active:

Code:
[ssh-iptables]

enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
#          sendmail-whois[name=SSH, dest=meineMail-Adresse]
logpath  = /var/log/auth.log
maxretry = 3


[ssh-ddos-iptables]

enabled  = true
filter   = sshd-ddos
action   = iptables[name=SSH, port=ssh, protocol=tcp]
#          sendmail-whois[name=SSH, dest=meineMail-Adresse]
logpath  = /var/log/auth.log
maxretry = 3


[postfix-iptables-multiport]

enabled  = true
filter   = postfix
action   = iptables-multiport[name=Postfix, port="pop3,imap", protocol=tcp]
#          sendmail-whois[name=Postfix, dest=meineMail-Adresse]
logpath  = /var/log/mail.log
maxretry = 3


[dovecot-iptables-multiport]

enabled  = true
filter   = dovecot
action   = iptables-multiport[name=Dovecot, port="pop3,imap", protocol=tcp]
#          sendmail-whois[name=Dovecot, dest=meineMail-Adresse]
logpath  = /var/log/mail.log
maxretry = 3


[apache-auth]

enabled  = true
filter   = apache-auth
action   = iptables-multiport[name=Apache-Auth, port="http,https", protocol=tcp]
#          sendmail-buffered[name=Apache-Auth, lines = 5, dest=meineMail-Adresse]
logpath  = /var/log/apache2/access_log
bantime  = 1200
maxretry = 3


[apache-badbots]

enabled  = true
filter   = apache-badbots
action   = iptables-multiport[name=Apache-BadBots, port="http,https", protocol=tcp]
#          sendmail-buffered[name=Apache-BadBots, lines = 5, dest=meineMail-Adresse]
logpath  = /var/log/apache2/access_log
bantime  = 86400
maxretry = 1


[apache-nohome]

enabled  = true
filter   = apache-nohome
action   = iptables-multiport[name=Apache-nohome, port="http,https", protocol=tcp]
#          sendmail-buffered[name=Apache-nohome, lines = 5, dest=meineMail-Adresse]
logpath  = /var/log/apache2/access_log
bantime  = 86400
maxretry = 1


[apache-noscript]

enabled  = true
filter   = apache-noscript
action   = iptables-multiport[name=Apache-noscript, port="http,https", protocol=tcp]
#          sendmail-buffered[name=Apache-noscript, lines = 5, dest=meineMail-Adresse]
logpath  = /var/log/apache2/access_log
bantime  = 86400
maxretry = 1


[apache-overflows]

enabled  = true
filter   = apache-overflows
action   = iptables-multiport[name=Apache-overflows, port="http,https", protocol=tcp]
#          sendmail-buffered[name=Apache-overflows, lines = 5, dest=meineMail-Adresse]
logpath  = /var/log/apache2/access_log
bantime  = 86400
maxretry = 1


[apache-404block]

enabled  = true
filter   = apache-404block
action   = iptables-multiport[name=Apache-404-block, port="http,https", protocol=tcp]
#          sendmail-buffered[name=Apache-404-block, lines = 5, dest=meineMail-Adresse]
logpath  = /var/log/apache2/access_log
bantime  = 86400
maxretry = 5

The strange thing is that all jails are started by F2B without any problems. If I uncomment the "sendmail line" (remove the #), I even get a system mail telling me that all jails started successfully.
The only strange thing is that when I enter:

Code:
iptables -L -v
to check, every one of the CHAINS has (0 references)... I tested from an IP that is not listed in F2B, calling /meine-ip/phpmyadmin/index.php, which (knowingly) does not exist there. As described above, I wanted to provoke the 404 error in order to tease F2B :o

The apache-404 jail has the following filter:

Code:
[Definition]

# Option:  failregex
# Notes.:  regex to match failures to find a home directory on a server, which
#          became popular last days. Most often attacker just uses IP instead of
#          domain name -- so expect to see them in generic error.log if you have
#          per-domain log files.
# Values:  TEXT
#
#failregex = <HOST> - - \[.*\] "GET /.* HTTP/1\.[01]" 404 [0-9]+.*$
failregex = <HOST> - - \[.*\] "GET /.* HTTP/1\.[01]" 404 [0-9]+.*$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

Does anyone have an idea? Because I'm somehow searching myself silly.

Many thanks for your help!
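Added example (not from the original post): a small Python replay of this filter's failregex over constructed access_log lines, to check which requests the pattern actually matches and at which line a maxretry of 5 would produce a ban. The `<HOST>` placeholder is expanded with a simplified IPv4-only pattern (an assumption of this example; fail2ban's own `<HOST>` also matches hostnames), and the IPs, timestamps and requests are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# fail2ban replaces <HOST> with its own host pattern (IPs and hostnames).
# This stand-in matches dotted IPv4 only; an assumption of this example.
HOST_RE = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"

# The failregex from the apache-404block filter above, with <HOST> expanded.
FAILREGEX = re.compile(
    r"^" + HOST_RE + r' - - \[.*\] "GET /.* HTTP/1\.[01]" 404 [0-9]+.*$'
)

APACHE_TIME = "%d/%b/%Y:%H:%M:%S %z"

# Constructed access_log lines (documentation IPs, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2013:21:00:01 +0100] "GET /phpmyadmin/index.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2013:21:00:03 +0100] "GET /pma/index.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jan/2013:21:00:04 +0100] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2013:21:00:05 +0100] "GET /myadmin/ HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2013:21:00:06 +0100] "POST /wp-login.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2013:21:00:07 +0100] "GET /admin/ HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2013:21:00:08 +0100] "GET /setup.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
"""


def match_host(line):
    """Return the client IP if the line matches the failregex, else None."""
    m = FAILREGEX.match(line)
    return m.group("host") if m else None


def log_time(line):
    """Parse the bracketed Apache timestamp of a combined-format line."""
    stamp = line.split("[", 1)[1].split("]", 1)[0]
    return datetime.strptime(stamp, APACHE_TIME)


def find_bans(log_text, maxretry=5, findtime=600, ignoreip=()):
    """Replay the log the way fail2ban counts: a host is banned once it has
    maxretry failregex hits inside a sliding findtime window. Hosts listed
    in ignoreip are never counted. Returns {host: time_of_ban}."""
    window = timedelta(seconds=findtime)
    hits = defaultdict(list)
    bans = {}
    for line in log_text.splitlines():
        host = match_host(line)
        if host is None or host in ignoreip or host in bans:
            continue
        now = log_time(line)
        hits[host] = [t for t in hits[host] if now - t <= window] + [now]
        if len(hits[host]) >= maxretry:
            bans[host] = now
    return bans


if __name__ == "__main__":
    for host, when in find_bans(SAMPLE_LOG).items():
        print("ban %s at %s" % (host, when.isoformat()))
```

Note that the POST line is not counted: the pattern only matches GET requests, so five 404s from the same client are needed among GET lines alone before the fifth hit triggers the ban, and a client in `ignoreip` is never banned no matter how many 404s it produces.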
 
Good morning,
I use this one, it works too

Code:
failregex = <HOST> - - \[.*\] "GET /.* HTTP/1\.[01]" 404 [0-9]+.*$

only I use this as the jail

Code:
[apache-404block]
enabled = true
port = http,https
filter = apache-404block
logpath = /var/log/apache2/users/*access.log
maxretry = 5
 
A different question

what is actually better

Code:
[apache-404block]
enabled = true
port = http,https
filter = apache-404block
logpath = /var/log/apache2/users/*access.log
maxretry = 5

or

Code:
[apache-404block]

enabled = true
filter = apache-404block
action = iptables-multiport[name=Apache-404-block, port="http,https", protocol=tcp]
# sendmail-buffered[name=Apache-404-block, lines = 5, dest=meineMail-Adresse]
logpath = /var/log/apache2/access_log
bantime = 86400
maxretry = 5
 
Wow, that many ;)

Hi checker,

Good morning,
I use this one, it works too...
Code:
failregex = <HOST> - - \[.*\] "GET /.* HTTP/1\.[01]" 404 [0-9]+.*$

But mine (above) looks exactly the same...

Code:
[Definition]

# Option:  failregex
# Notes.:  regex to match failures to find a home directory on a server, which
#          became popular last days. Most often attacker just uses IP instead of
#          domain name -- so expect to see them in generic error.log if you have
#          per-domain log files.
# Values:  TEXT
#
#failregex = <HOST> - - \[.*\] "GET /.* HTTP/1\.[01]" 404 [0-9]+.*$
failregex = <HOST> - - \[.*\] "GET /.* HTTP/1\.[01]" 404 [0-9]+.*$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

On the question of which one is "better"...

I'm just surprised that a jail can work at all without an action.d/$action entry...

OK, the port is given instead of the $action, but if I understand it correctly, there has to be an action in there too:

Practically like:

Code:
if {condition}
then {effect}
else {etc...}

Above all, why are there different iptables.config(s)? With multiport iptables I assume (going by the name alone) that it is meant for when more than one port is being checked. I may be mistaken, but...

What do you get when you call

Code:
iptables -L -v

with f2b active and your jails? Is there a "reference" everywhere?

The day before yesterday I pestered the server for minutes with my phone (requesting a non-existent page), trying to get the phone's IP banned... But nothing...
 
For me, every jail shows 1 references (via #iptables -L -v)

Code:
Chain fail2ban-Apache-404-block (1 references)
 pkts bytes target     prot opt in     out     source               destination             
 7606  594K RETURN     all  --  any    any     anywhere             anywhere


the action command is at the top of jail.conf

Code:
# ACTIONS
#

# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define 
# action_* variables. Can be overriden globally or per 
# section within jail.local file
banaction = iptables-multiport

# email action. Since 0.8.1 upstream fail2ban uses sendmail
# MTA for the mailing. Change mta configuration parameter to mail
# if you want to revert to conventional 'mail'.
mta = sendmail

# Default protocol
protocol = tcp

#
# Action shortcuts. To be used to define action parameter

# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s"]

# ban & send an e-mail with whois report to the destemail.
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s"]
              %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s"]

# ban & send an e-mail with whois report and relevant log lines
# to the destemail.
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s"]
               %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s]
 
# Choose default action.  To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g.  action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section 
action = %(action_mwl)s

But now to your problem:

I tested the jail with domainname.de/irgendeinmist and f2b blocked me after the 5th attempt.

It doesn't matter which jail I used, yours or mine, both work for me
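Added example (not from the thread, not fail2ban's own code): a Python model of how fail2ban builds a jail's action from the `[DEFAULT]` shortcuts quoted above, which answers the "port instead of action" question. A jail that only sets `port` inherits `action = %(action_mw)s`, which expands to the ban action plus the mail action; a jail that sets `action` explicitly replaces that whole expansion, including the mail part. The jail.conf/jail.local texts, the log path and the mail address are constructed; the shortcut lines are the ones from the post with the closing quotes added.

```python
import configparser
import re

# Constructed jail.conf: the [DEFAULT] action shortcuts from the post above
# (closing quotes added), plus a port-only jail like checker's.
JAIL_CONF = """\
[DEFAULT]
bantime   = 600
maxretry  = 3
destemail = root@localhost
banaction = iptables-multiport
mta       = sendmail
protocol  = tcp
action_   = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s"]
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s"]
            %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s"]
action    = %(action_mw)s

[apache-404block]
enabled  = true
port     = http,https
filter   = apache-404block
logpath  = /var/log/apache2/access.log
maxretry = 5
"""

# Constructed jail.local with an explicit action, like the original poster's jail.
JAIL_LOCAL = """\
[apache-404block]
enabled  = true
filter   = apache-404block
action   = iptables-multiport[name=Apache-404-block, port="http,https", protocol=tcp]
logpath  = /var/log/apache2/access.log
bantime  = 86400
maxretry = 5
"""

ACTION_RE = re.compile(r"^(?P<name>[\w-]+)(?:\[(?P<params>.*)\])?$")
# key=value pairs; a quoted value may itself contain commas (port="http,https")
PARAM_RE = re.compile(r'(\w+)=("[^"]*"|[^,\]]+)')


def load(*texts):
    """Read config texts in order; later texts override earlier keys, which is
    how fail2ban layers jail.local over jail.conf."""
    cp = configparser.ConfigParser(interpolation=None)
    for text in texts:
        cp.read_string(text)
    return cp


def resolve(cp, jail, key):
    """Expand %(name)s references in `key` of `jail`, falling back to
    [DEFAULT] and supplying __name__ = jail name, as fail2ban does."""
    values = dict(cp.defaults())
    values.update(cp[jail])
    values["__name__"] = jail
    text = values[key]
    for _ in range(10):  # shortcuts nest: action -> action_mw -> banaction
        expanded = text % values
        if expanded == text:
            return expanded
        text = expanded
    raise ValueError("interpolation did not converge for %r" % key)


def parse_actions(action_value):
    """Split an expanded action into (name, params) pairs, one per line;
    each name selects action.d/<name>.conf."""
    actions = []
    for line in action_value.splitlines():
        m = ACTION_RE.match(line.strip())
        if not m:
            raise ValueError("bad action line: %r" % line)
        params = {k: v.strip('"') for k, v in PARAM_RE.findall(m.group("params") or "")}
        actions.append((m.group("name"), params))
    return actions


if __name__ == "__main__":
    for label, cfg in (("jail.conf only", load(JAIL_CONF)),
                       ("with jail.local", load(JAIL_CONF, JAIL_LOCAL))):
        print(label)
        for name, params in parse_actions(resolve(cfg, "apache-404block", "action")):
            print("  action.d/%s.conf %s" % (name, params))
```

With the port-only jail the expansion yields both `iptables-multiport[...]` and `sendmail-whois[...]`; with the explicit `action` line the result is just the iptables action, so the notification that `[DEFAULT]` would have given is silently gone unless it is listed again in the jail.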
 
Hello checker :)

Hmmm, that's strange. For me there are only 2 references, on the SSH/SSH-DDoS chains. There are 2 of them, after all.

But why the others have no references is a big puzzle to me right now. I'll have another look later. I'll stop f2b, then start the other services and start f2b again. Let's see what it "says" then... Strange nonetheless...

I'll post my results here later, showing what it looks like on my side. Possibly/probably there's a configuration problem, i.e. I overlooked something... Otherwise ssh/ssh-ddos wouldn't be running either?! All the chains appear. But without references...

But many thanks for your help already!!! I'll attach the output later. :)
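Added example (not part of the thread): a Python check that reads `iptables -L -v` output and lists every `fail2ban-*` chain that nothing jumps into, which is exactly the "(0 references)" symptom discussed here. A chain with 0 references exists but sits outside the packet path, so bans added to it never take effect; with a working jail the INPUT chain carries a jump into it and iptables shows "(1 references)". The iptables output below is constructed (documentation-style chain names), not copied from either poster's server.

```python
import re
from collections import Counter

# Constructed `iptables -L -v` excerpt (not copied from the thread): INPUT
# jumps into two fail2ban chains; a third fail2ban chain exists but nothing
# jumps into it, which iptables reports as "(0 references)".
IPTABLES_OUTPUT = """\
Chain INPUT (policy ACCEPT 80 packets, 11632 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 fail2ban-SSH  tcp  --  any    any     anywhere             anywhere            multiport dports ssh
    0     0 fail2ban-Apache-404-block  tcp  --  any    any     anywhere             anywhere            multiport dports www,https
   12   960            tcp  --  any    any     anywhere             anywhere            tcp dpt:www

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 129 packets, 17545 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain fail2ban-SSH (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  any    any     anywhere             anywhere

Chain fail2ban-Apache-404-block (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  any    any     anywhere             anywhere

Chain fail2ban-Postfix (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  any    any     anywhere             anywhere
"""

CHAIN_HEADER = re.compile(r"^Chain (\S+) \((?:policy \S+ .*|\d+ references)\)$")
# When a rule has no target, the prot column lands in the target position.
PROTOCOLS = {"all", "tcp", "udp", "udplite", "icmp", "ipv6-icmp", "sctp", "esp", "ah"}


def parse_chains(text):
    """Map each chain name to the list of targets its rules jump to."""
    chains = {}
    current = None
    for line in text.splitlines():
        m = CHAIN_HEADER.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        fields = line.split()
        if current is None or not fields or fields[0] == "pkts":
            continue
        target = fields[2]          # columns: pkts bytes target prot ...
        if target not in PROTOCOLS:
            chains[current].append(target)
    return chains


def reference_counts(text):
    """Number of rules anywhere that jump into each fail2ban-* chain,
    i.e. what iptables prints as '(N references)'."""
    chains = parse_chains(text)
    refs = Counter(t for targets in chains.values() for t in targets)
    return {c: refs[c] for c in chains if c.startswith("fail2ban-")}


def orphan_fail2ban_chains(text):
    """fail2ban chains with 0 references: the jail's chain was created, but no
    rule sends traffic through it, so its bans cannot take effect."""
    return sorted(c for c, n in reference_counts(text).items() if n == 0)


if __name__ == "__main__":
    for chain, n in sorted(reference_counts(IPTABLES_OUTPUT).items()):
        print("%-28s %d references" % (chain, n))
    print("orphaned:", orphan_fail2ban_chains(IPTABLES_OUTPUT))
```

On a real host the text would come from `iptables -L -v` (for example via `subprocess.run(["iptables", "-L", "-v"], capture_output=True, text=True).stdout`); any chain this reports is one whose jail started but whose jump into INPUT is missing.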
 
Good morning,

so my jail.conf looks like this

Code:
# Fail2Ban configuration file.
#
# This file was composed for Debian systems from the original one
#  provided now under /usr/share/doc/fail2ban/examples/jail.conf
#  for additional examples.
#
# To avoid merges during upgrades DO NOT MODIFY THIS FILE
# and rather provide your changes in /etc/fail2ban/jail.local
#
# Author: Yaroslav O. Halchenko <debian@onerussian.com>
#
# $Revision: 281 $
#

# The DEFAULT allows a global definition of the options. They can be override
# in each jail afterwards.

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = Meine IPS
bantime  = 86400
maxretry = 3

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto".
# yoh: For some reason Debian shipped python-gamin didn't work as expected
#      This issue left ToDo, so polling is default backend for now
backend = polling

#
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = Meine Mail

#
# ACTIONS
#

# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define 
# action_* variables. Can be overriden globally or per 
# section within jail.local file
banaction = iptables-multiport

# email action. Since 0.8.1 upstream fail2ban uses sendmail
# MTA for the mailing. Change mta configuration parameter to mail
# if you want to revert to conventional 'mail'.
mta = sendmail

# Default protocol
protocol = tcp

#
# Action shortcuts. To be used to define action parameter

# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s"]

# ban & send an e-mail with whois report to the destemail.
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s"]
              %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s"]

# ban & send an e-mail with whois report and relevant log lines
# to the destemail.
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s"]
               %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s]
 
# Choose default action.  To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g.  action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section 
action = %(action_mwl)s

#
# JAILS
#

# Next jails corresponds to the standard configuration in Fail2ban 0.6 which
# was shipped in Debian. Enable any defined here jail by including
#
# [SECTION_NAME] 
# enabled = true

#
# in /etc/fail2ban/jail.local.
#
# Optionally you may override any other parameter (e.g. banaction,
# action, port, logpath, etc) in that section within jail.local

[ssh]

enabled = true
port	= ssh
filter	= sshd
logpath  = /var/log/auth.log
maxretry = 3

# Generic filter for pam. Has to be used with action which bans all ports
# such as iptables-allports, shorewall
[pam-generic]

enabled = true
# pam-generic filter can be customized to monitor specific subset of 'tty's
filter	= pam-generic
# port actually must be irrelevant but lets leave it all for some possible uses
port = all
banaction = iptables-allports
port     = anyport
logpath  = /var/log/auth.log
maxretry = 3

[xinetd-fail]

enabled   = false
filter    = xinetd-fail
port      = all
banaction = iptables-multiport-log
logpath   = /var/log/daemon.log
maxretry  = 2


[ssh-ddos]

enabled = true
port    = ssh
filter  = sshd-ddos
logpath  = /var/log/auth.log
maxretry = 3

#
# HTTP servers
#

[apache]

enabled = true
port	= http,https
filter	= apache-auth
logpath = /var/log/apache2/users/*error.log
maxretry = 5

# default action is now multiport, so apache-multiport jail was left
# for compatibility with previous (<0.7.6-2) releases
[apache-multiport]

enabled   = true
port	  = http,https
filter	  = apache-auth
logpath   = /var/log/apache2/users/*error.log
maxretry  = 5

[apache-noscript]

enabled = true
port    = http,https
filter  = apache-noscript
logpath = /var/log/apache2/users/*error.log
maxretry = 5

[apache-overflows]

enabled = true
port    = http,https
filter  = apache-overflows
logpath = /var/log/apache2/users/*error.log
maxretry = 2

[apache-nohome]
enabled = true
port = http,https
filter = apache-nohome
logpath = /var/log/apache2/users/*error.log
maxretry = 5

[apache-badbots]
enabled = true
port = http,https
filter = apache-badbots
logpath = /var/log/apache2/users/*access.log
maxretry = 3

[apache-404block]
enabled = false
port = http,https
filter = apache-404block
logpath = /var/log/apache2/users/*access.log
maxretry = 5

[apache-404block]

enabled  = true
filter   = apache-404block
action   = iptables-multiport[name=Apache-404-block, port="http,https", protocol=tcp]
#          sendmail-buffered[name=Apache-404-block, lines = 5, dest=linux1@gmx.de]
logpath  = /var/log/apache2/users/*access.log
bantime  = 86400
maxretry = 5

#
# FTP servers
#

[vsftpd]

enabled  = false
port	 = ftp,ftp-data,ftps,ftps-data
filter   = vsftpd
logpath  = /var/log/vsftpd.log
# or overwrite it in jails.local to be
# logpath = /var/log/auth.log
# if you want to rely on PAM failed login attempts
# vsftpd's failregex should match both of those formats
maxretry = 6


[proftpd]

enabled  = true
port	 = ftp,ftp-data,ftps,ftps-data
filter   = proftpd
logpath  = /var/log/auth.log
maxretry = 2


[wuftpd]

enabled  = false
port	 = ftp,ftp-data,ftps,ftps-data
filter   = wuftpd
logpath  = /var/log/auth.log
maxretry = 6


#
# Mail servers
#

[postfix]

enabled  = true
port	 = smtp,ssmtp
filter   = postfix
logpath  = /var/log/mail.log


[couriersmtp]

enabled  = true
port	 = smtp,ssmtp
filter   = couriersmtp
logpath  = /var/log/mail.log


#
# Mail servers authenticators: might be used for smtp,ftp,imap servers, so
# all relevant ports get banned
#

[courierauth]

enabled  = true
port	 = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter   = courierlogin
logpath  = /var/log/mail.log


[sasl]

enabled  = true
port	 = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter   = sasl
# You might consider monitoring /var/log/warn.log instead
# if you are running postfix. See http://bugs.debian.org/507990
logpath  = /var/log/mail.log


# DNS Servers


# These jails block attacks against named (bind9). By default, logging is off
# with bind9 installation. You will need something like this:
#
# logging {
#     channel security_file {
#         file "/var/log/named/security.log" versions 3 size 30m;
#         severity dynamic;
#         print-time yes;
#     };
#     category security {
#         security_file;
#     };
# };
#
# in your named.conf to provide proper logging

# !!! WARNING !!!
#   Since UDP is connectionless protocol, spoofing of IP and immitation
#   of illegal actions is way too simple.  Thus enabling of this filter
#   might provide an easy way for implementing a DoS against a chosen
#   victim. See
#    http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
#   Please DO NOT USE this jail unless you know what you are doing.
#[named-refused-udp]
#
#enabled  = false
#port     = domain,953
#protocol = udp
#filter   = named-refused
#logpath  = /var/log/named/security.log

[named-refused-tcp]

enabled  = false
port     = domain,953
protocol = tcp
filter   = named-refused
logpath  = /var/log/named/security.log

[apache-w00tw00t]
enabled  = true
filter   = apache-w00tw00t
action   = iptables[name=w00tw00t, port=80, protocol=tcp]
           sendmail-whois-lines[name=w00tw00t, dest=fail2ban@blocklist.de, #sender=fail2ban@DEINE-DOMAIN, logpath=%(logpath)s]
logpath  = /var/log/apache2/users/*access.log
maxretry = 1


And with #iptables -L -v

Code:
root@web:~# iptables -L -v
Chain INPUT (policy ACCEPT 80 packets, 11632 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 fail2ban-proftpd  tcp  --  any    any     anywhere             anywhere            multiport dports ftp,ftp-data,ftps,ftps-data
    0     0 fail2ban-apache-badbots  tcp  --  any    any     anywhere             anywhere            multiport dports www,https
    0     0 fail2ban-apache  tcp  --  any    any     anywhere             anywhere            multiport dports www,https
  152  7442 fail2ban-sasl  tcp  --  any    any     anywhere             anywhere            multiport dports smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
    0     0 fail2ban-postfix  tcp  --  any    any     anywhere             anywhere            multiport dports smtp,ssmtp
    0     0 fail2ban-ssh  tcp  --  any    any     anywhere             anywhere            multiport dports ssh
    0     0 fail2ban-couriersmtp  tcp  --  any    any     anywhere             anywhere            multiport dports smtp,ssmtp
    0     0 fail2ban-apache-overflows  tcp  --  any    any     anywhere             anywhere            multiport dports www,https
  152  7442 fail2ban-courierauth  tcp  --  any    any     anywhere             anywhere            multiport dports smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
    0     0 fail2ban-apache-multiport  tcp  --  any    any     anywhere             anywhere            multiport dports www,https
    0     0 fail2ban-ssh-ddos  tcp  --  any    any     anywhere             anywhere            multiport dports ssh
    0     0 fail2ban-apache-nohome  tcp  --  any    any     anywhere             anywhere            multiport dports www,https
    0     0 fail2ban-Apache-404-block  tcp  --  any    any     anywhere             anywhere            multiport dports www,https
  199 22821 fail2ban-pam-generic  tcp  --  any    any     anywhere             anywhere
    0     0 fail2ban-apache-noscript  tcp  --  any    any     anywhere             anywhere            multiport dports www,https
    0     0 fail2ban-w00tw00t  tcp  --  any    any     anywhere             anywhere            tcp dpt:www
 325K   76M IMSCP_INPUT  all  --  any    any     anywhere             anywhere

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination                                                     

Chain OUTPUT (policy ACCEPT 129 packets, 17545 bytes)
 pkts bytes target     prot opt in     out     source               destination                                                     
 371K   76M IMSCP_OUTPUT  all  --  any    any     anywhere             anywhere                                                     

Chain IMSCP_INPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination                                                     
    0     0            tcp  --  any    any     anywhere             anywhere                                                                tcp spt:submission
    0     0            tcp  --  any    any     anywhere             anywhere                                                                tcp spt:ssmtp
  278 34333            tcp  --  any    any     anywhere             anywhere                                                                tcp spt:smtp
    0     0            tcp  --  any    any     anywhere             anywhere                                                                tcp dpt:imaps
    0     0            tcp  --  any    any     anywhere             anywhere                                                                tcp dpt:pop3s
    0     0            tcp  --  any    any     anywhere             anywhere                                                                tcp dpt:submission
    0     0            tcp  --  any    any     anywhere             anywhere                                                                tcp dpt:ssmtp
    0     0            tcp  --  any    any     anywhere             anywhere                                                                tcp dpt:smtp
    0     0            tcp  --  any    any     anywhere             anywhere                                                                tcp dpt:imap2
   37  1745            tcp  --  any    any     anywhere             anywhere                                                                tcp dpt:pop3
  110 28997            tcp  --  any    any     anywhere             anywhere                                                                tcp dpt:https
  216 16422            tcp  --  any    any     anywhere             anywhere                                                                tcp dpt:www
 1702  283K RETURN     all  --  any    any     anywhere             anywhere                                                        

Chain IMSCP_OUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination                                                     
    0     0            tcp  --  any    any     anywhere             anywhere                                                                tcp dpt:submission
    0     0            tcp  --  any    any     anywhere             anywhere                                                                tcp dpt:ssmtp
  334 39478            tcp  --  any    any     anywhere             anywhere                                                                tcp dpt:smtp
    0     0            tcp  --  any    any     anywhere             anywhere                                                                tcp spt:imaps
    0     0            tcp  --  any    any     anywhere             anywhere                                                                tcp spt:pop3s
    0     0            tcp  --  any    any     anywhere             anywhere                                                                tcp spt:submission
    0     0            tcp  --  any    any     anywhere             anywhere                                                                tcp spt:ssmtp
    0     0            tcp  --  any    any     anywhere             anywhere                                                                tcp spt:smtp
    0     0            tcp  --  any    any     anywhere             anywhere                                                                tcp spt:imap2
   87  4710            tcp  --  any    any     anywhere             anywhere                                                                tcp spt:pop3
   95  146K            tcp  --  any    any     anywhere             anywhere                                                                tcp spt:https
  160 66852            tcp  --  any    any     anywhere             anywhere                                                                tcp spt:www
 1833  460K RETURN     all  --  any    any     anywhere             anywhere                                                        

Chain fail2ban-Apache-404-block (1 references)
 pkts bytes target     prot opt in     out     source               destination                                                     
    0     0 RETURN     all  --  any    any     anywhere             anywhere                                                        

Chain fail2ban-apache (1 references)
 pkts bytes target     prot opt in     out     source               destination                                                     
    0     0 RETURN     all  --  any    any     anywhere             anywhere                                                        

Chain fail2ban-apache-badbots (1 references)
 pkts bytes target     prot opt in     out     source               destination                                                     
    0     0 RETURN     all  --  any    any     anywhere             anywhere                                                        

Chain fail2ban-apache-multiport (1 references)
 pkts bytes target     prot opt in     out     source               destination                                                     
    0     0 RETURN     all  --  any    any     anywhere             anywhere                                                        

Chain fail2ban-apache-nohome (1 references)
 pkts bytes target     prot opt in     out     source               destination                                                     
    0     0 RETURN     all  --  any    any     anywhere             anywhere                                                        

Chain fail2ban-apache-noscript (1 references)
 pkts bytes target     prot opt in     out     source               destination                                                     
    0     0 RETURN     all  --  any    any     anywhere             anywhere                                                        

Chain fail2ban-apache-overflows (1 references)
 pkts bytes target     prot opt in     out     source               destination                                                     
    0     0 RETURN     all  --  any    any     anywhere             anywhere                                                        

Chain fail2ban-courierauth (1 references)
 pkts bytes target     prot opt in     out     source               destination                                                     
  127  6280 DROP       all  --  any    any     winter12.vscloud-cust.net  anywhere
   25  1162 RETURN     all  --  any    any     anywhere             anywhere                                                        

Chain fail2ban-couriersmtp (1 references)
 pkts bytes target     prot opt in     out     source               destination                                                     
    0     0 RETURN     all  --  any    any     anywhere             anywhere                                                        

Chain fail2ban-pam-generic (1 references)
 pkts bytes target     prot opt in     out     source               destination                                                     
  199 22821 RETURN     all  --  any    any     anywhere             anywhere                                                        

Chain fail2ban-postfix (1 references)
 pkts bytes target     prot opt in     out     source               destination                                                     
    0     0 RETURN     all  --  any    any     anywhere             anywhere                                                        

Chain fail2ban-proftpd (1 references)
 pkts bytes target     prot opt in     out     source               destination                                                     
    0     0 RETURN     all  --  any    any     anywhere             anywhere                                                        

Chain fail2ban-sasl (1 references)
 pkts bytes target     prot opt in     out     source               destination                                                     
  152  7442 RETURN     all  --  any    any     anywhere             anywhere                                                        

Chain fail2ban-ssh (1 references)
 pkts bytes target     prot opt in     out     source               destination                                                     
    0     0 RETURN     all  --  any    any     anywhere             anywhere                                                        

Chain fail2ban-ssh-ddos (1 references)
 pkts bytes target     prot opt in     out     source               destination                                                     
    0     0 RETURN     all  --  any    any     anywhere             anywhere                                                        

Chain fail2ban-w00tw00t (1 references)
 pkts bytes target     prot opt in     out     source               destination                                                     
    0     0 RETURN     all  --  any    any     anywhere             anywhere                                                        
root@web:~#


edit:
would you perhaps show me your dovecot filter? I switched to Dovecot today.
 
Hello checker,

Many thanks already for taking the trouble to show me your configs here!

I'll show you later how it is on my side; at the moment I'm not at the PC from which I administer the server...

That is: what my filters/actions etc. look like and what
Code:
iptables -L -v
gives me.

What personally surprises me a little now is that you also have banactions in your jail.local. That's not the case for me. In jail.local I only have the jails that point to $Filter.conf, and the "consequences" of them... i.e. when a filter fires, the corresponding action then takes the measure...

SSH/SSH-DDoS are active with 2 references in this way. That's why I can't get my head around why the other chains show (0 references)...

I'll add it here later, as I wrote above :)
 
Good morning,
I don't understand anyway what the difference between jail.conf and jail.local is.
The standard config of Fail2ban looks like this.

Code:
# Fail2Ban configuration file.
#
# This file was composed for Debian systems from the original one
#  provided now under /usr/share/doc/fail2ban/examples/jail.conf
#  for additional examples.
#
# To avoid merges during upgrades DO NOT MODIFY THIS FILE
# and rather provide your changes in /etc/fail2ban/jail.local
#
# Author: Yaroslav O. Halchenko <debian@onerussian.com>
#
# $Revision: 281 $
#

# The DEFAULT allows a global definition of the options. They can be override
# in each jail afterwards.

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1
bantime  = 600
maxretry = 3

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto".
# yoh: For some reason Debian shipped python-gamin didn't work as expected
#      This issue left ToDo, so polling is default backend for now
backend = polling

#
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = root@localhost

#
# ACTIONS
#

# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define 
# action_* variables. Can be overriden globally or per 
# section within jail.local file
banaction = iptables-multiport

# email action. Since 0.8.1 upstream fail2ban uses sendmail
# MTA for the mailing. Change mta configuration parameter to mail
# if you want to revert to conventional 'mail'.
mta = sendmail

# Default protocol
protocol = tcp

#
# Action shortcuts. To be used to define action parameter

# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s]

# ban & send an e-mail with whois report to the destemail.
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s]
              %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s]

# ban & send an e-mail with whois report and relevant log lines
# to the destemail.
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s]
               %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s]
 
# Choose default action.  To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g.  action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section 
action = %(action_)s

#
# JAILS
#

# Next jails corresponds to the standard configuration in Fail2ban 0.6 which
# was shipped in Debian. Enable any defined here jail by including
#
# [SECTION_NAME] 
# enabled = true

#
# in /etc/fail2ban/jail.local.
#
# Optionally you may override any other parameter (e.g. banaction,
# action, port, logpath, etc) in that section within jail.local

[ssh]

enabled = true
port	= ssh
filter	= sshd
logpath  = /var/log/auth.log
maxretry = 6

# Generic filter for pam. Has to be used with action which bans all ports
# such as iptables-allports, shorewall
[pam-generic]

enabled = false
# pam-generic filter can be customized to monitor specific subset of 'tty's
filter	= pam-generic
# port actually must be irrelevant but lets leave it all for some possible uses
port = all
banaction = iptables-allports
port     = anyport
logpath  = /var/log/auth.log
maxretry = 6

[xinetd-fail]

enabled   = false
filter    = xinetd-fail
port      = all
banaction = iptables-multiport-log
logpath   = /var/log/daemon.log
maxretry  = 2


[ssh-ddos]

enabled = false
port    = ssh
filter  = sshd-ddos
logpath  = /var/log/auth.log
maxretry = 6

#
# HTTP servers
#

[apache]

enabled = false
port	= http,https
filter	= apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 6

# default action is now multiport, so apache-multiport jail was left
# for compatibility with previous (<0.7.6-2) releases
[apache-multiport]

enabled   = false
port	  = http,https
filter	  = apache-auth
logpath   = /var/log/apache*/*error.log
maxretry  = 6

[apache-noscript]

enabled = false
port    = http,https
filter  = apache-noscript
logpath = /var/log/apache*/*error.log
maxretry = 6

[apache-overflows]

enabled = false
port    = http,https
filter  = apache-overflows
logpath = /var/log/apache*/*error.log
maxretry = 2

#
# FTP servers
#

[vsftpd]

enabled  = false
port	 = ftp,ftp-data,ftps,ftps-data
filter   = vsftpd
logpath  = /var/log/vsftpd.log
# or overwrite it in jails.local to be
# logpath = /var/log/auth.log
# if you want to rely on PAM failed login attempts
# vsftpd's failregex should match both of those formats
maxretry = 6


[proftpd]

enabled  = false
port	 = ftp,ftp-data,ftps,ftps-data
filter   = proftpd
logpath  = /var/log/proftpd/proftpd.log
maxretry = 6


[wuftpd]

enabled  = false
port	 = ftp,ftp-data,ftps,ftps-data
filter   = wuftpd
logpath  = /var/log/auth.log
maxretry = 6


#
# Mail servers
#

[postfix]

enabled  = false
port	 = smtp,ssmtp
filter   = postfix
logpath  = /var/log/mail.log


[couriersmtp]

enabled  = false
port	 = smtp,ssmtp
filter   = couriersmtp
logpath  = /var/log/mail.log


#
# Mail servers authenticators: might be used for smtp,ftp,imap servers, so
# all relevant ports get banned
#

[courierauth]

enabled  = false
port	 = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter   = courierlogin
logpath  = /var/log/mail.log


[sasl]

enabled  = false
port	 = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter   = sasl
# You might consider monitoring /var/log/warn.log instead
# if you are running postfix. See http://bugs.debian.org/507990
logpath  = /var/log/mail.log


# DNS Servers


# These jails block attacks against named (bind9). By default, logging is off
# with bind9 installation. You will need something like this:
#
# logging {
#     channel security_file {
#         file "/var/log/named/security.log" versions 3 size 30m;
#         severity dynamic;
#         print-time yes;
#     };
#     category security {
#         security_file;
#     };
# };
#
# in your named.conf to provide proper logging

# !!! WARNING !!!
#   Since UDP is connectionless protocol, spoofing of IP and immitation
#   of illegal actions is way too simple.  Thus enabling of this filter
#   might provide an easy way for implementing a DoS against a chosen
#   victim. See
#    http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
#   Please DO NOT USE this jail unless you know what you are doing.
#[named-refused-udp]
#
#enabled  = false
#port     = domain,953
#protocol = udp
#filter   = named-refused
#logpath  = /var/log/named/security.log

[named-refused-tcp]

enabled  = false
port     = domain,953
protocol = tcp
filter   = named-refused
logpath  = /var/log/named/security.log

But for jail.local you're supposed to create an empty one, without all that stuff at the top, like mine, and then just insert the jails. I'm also in the middle of setting up Fail2ban with blocklist; so far I still have a few problems getting the mails to arrive at Blocklist.de.
 
If this is purely about phpmyadmin, I found something else there:

Code:
# Fail2Ban configuration file
#
# Author: Dominic Derdau
# Website: www.erasel.net
# License: GPL
# You are free to Use this on other Sites if you link back to this Site.
# $Revision: 2.1.1 $
#
[Definition]
# Option:  failregex
# Notes.:  regex to match the "File does not exist" messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
failregex = ^<HOST> .*\"GET.*phpmyadmin.*HTTP.*\".*404.*
#[[]client <HOST>[]] .*\"GET.*HTTP.*\" 404
# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
#          standard search for favicon.ico and robots.txt - this is often thrown and may cause stupid mistakes
# Values:  TEXT
#
ignoreregex = .*(robots.txt|favicon.ico)


Code:
[wordlist]
enabled = true
port    = http,https
filter  = wordlist
logpath = /var/www/vhosts/webseite.de/logs/access_log
maxretry = 1
bantime = 30
 
Good morning checker,

*Damn, once again everything written for nothing because I got logged out again...

Well, to your question about the difference between jail.conf and jail.local, I can say that functionally there is none. The background is that on an f2b update the *.conf files get overwritten, which wipes out your f2b configs.
The *.local files are not touched and remain unaffected across f2b upgrades. The locals have a higher priority and override the *.conf files.

However, I really don't understand why the banactions are in your jail.local. Very interesting. In my
Code:
/etc/fail2ban
folder there are 4 files...

Code:
fail2ban.conf
fail2ban.local

Code:
jail.conf
jail.local

...and 2 folders:

Code:
action.d
filter.d

So jail.local points to the filters to detect suspicious things in the log files..., knows where the corresponding action for banning is... Only, why isn't anything banned...

The only thing I can still think of is stopping f2b again, starting the services and re-enabling f2b... That's how I'll approach it later, because I can't find anything conspicuous in the config files that would explain why something shouldn't work. :(

I'll show the Dovecot one later. You asked for it yesterday :)

PS. The "sasl" jail can be dropped when using Dovecot, since Dovecot has its own SASL, which the "Dovecot" jail covers as well.
 
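To make the .conf/.local layering described in the post above concrete, here is an added example (not code from the thread or from fail2ban itself) that reproduces fail2ban's merge order with Python's configparser on two constructed file bodies. It shows what the override rule actually yields: a key set in jail.local replaces the jail.conf value, keys missing from jail.local keep their jail.conf value, and a jail section present in both files merges into one jail, hence one chain, not two. The file contents and the chain-naming helper are assumptions for the demo (fail2ban names the chain from the action's name= parameter, which the Debian action_ shortcut sets to the section name).

```python
"""Added example, not from the thread: how fail2ban layers jail.local over
jail.conf.  fail2ban reads <name>.conf and then <name>.local into the same
parser, so a key set in .local replaces the .conf value, keys missing from
.local keep their .conf value, and a [section] present in both files is ONE
merged jail.  Both file bodies are constructed (values borrowed from the
Debian defaults quoted earlier in the thread).
"""
import configparser

JAIL_CONF = """\
[DEFAULT]
ignoreip  = 127.0.0.1
bantime   = 600
maxretry  = 3
banaction = iptables-multiport

[ssh]
enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 6

[dovecot]
enabled  = false
port     = pop3,imap
filter   = dovecot
logpath  = /var/log/mail.log
"""

# The .local only carries what differs from the distribution file.
JAIL_LOCAL = """\
[DEFAULT]
bantime = 1200

[dovecot]
enabled  = true
maxretry = 5
"""


def load_layered(conf_text, local_text):
    """Read .conf first, then .local into the same parser: later wins per key."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    cp.read_string(local_text)
    return cp


def effective_jails(cp):
    """{jail: {option: value}} for every enabled jail, [DEFAULT] folded in."""
    return {
        sect: dict(cp.items(sect))
        for sect in cp.sections()
        if cp.getboolean(sect, "enabled", fallback=False)
    }


def iptables_chains(cp):
    """Chain each enabled jail's banaction would create (assumed naming:
    fail2ban-<section>, as with the Debian action_ shortcut).  One per jail
    section, so a jail defined in both .conf and .local still yields ONE chain."""
    return ["fail2ban-" + sect for sect in effective_jails(cp)]


if __name__ == "__main__":
    cp = load_layered(JAIL_CONF, JAIL_LOCAL)
    for jail, opts in effective_jails(cp).items():
        print(jail, {k: opts[k] for k in ("bantime", "maxretry", "port", "banaction")})
    print(iptables_chains(cp))
```

Run it and compare the ssh jail (untouched in the .local, so it keeps maxretry = 6 but inherits the new default bantime = 1200) with the dovecot jail (enabled and given maxretry = 5 by the .local). Each jail section is reported once, which is why having both files cannot by itself produce a duplicate chain.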
So... I actually wanted to post this earlier, but I got held up a bit again today...

First of all, here is my complete "jail.local":

Code:
fail2ban # cat jail.local
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision$
#


# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.


[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1/8 $IP-die-nicht-gebannt-werden-darf


# "bantime" is the number of seconds that a host is banned.
bantime  = 600


# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 600


# "maxretry" is the number of failures before a host get banned.
maxretry = 3


# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto". This option can be overridden in
# each jail too (use "gamin" for a jail and "polling" for another).
#
# gamin:   requires Gamin (a file alteration monitor) to be installed. If Gamin
#          is not installed, Fail2ban will use polling.
# polling: uses a polling algorithm which does not require external libraries.
# auto:    will choose Gamin if available and polling otherwise.
backend = auto


# This jail corresponds to the standard configuration in Fail2ban 0.6.
# The mail-whois action send a notification e-mail with a whois request
# in the body.


[ssh-iptables]

enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
#          sendmail-whois[name=SSH, dest=meine@mail-adresse.tld]
logpath  = /var/log/auth.log
maxretry = 3


[ssh-ddos-iptables]

enabled  = true
filter   = sshd-ddos 
action   = iptables[name=SSH, port=ssh, protocol=tcp]
#          sendmail-whois[name=SSH, dest=meine@mail-adresse.tld]
logpath  = /var/log/auth.log
maxretry = 3


[postfix]

enabled  = true
filter   = postfix
action   = iptables-multiport[name=postfix, port="pop3,imap", protocol=tcp]
#          sendmail-whois[name=postfix, dest=meine@mail-adresse.tld]
logpath  = /var/log/mail.log
maxretry = 3


[dovecot]

enabled  = true
filter   = dovecot
action   = iptables-multiport[name=dovecot, port="pop3,imap", protocol=tcp]
#          sendmail-whois[name=dovecot, dest=meine@mail-adresse.tld]
logpath  = /var/log/mail.log
maxretry = 3


[apache-auth]

enabled  = true
filter   = apache-auth
action   = iptables-multiport[name=apache-auth, port="http,https", protocol=tcp]
#          sendmail-buffered[name=apache-auth, lines = 5, dest=meine@mail-adresse.tld]
logpath  = /var/log/apache2/access_log
bantime  = 1200
maxretry = 3


[apache-badbots]

enabled  = true
filter   = apache-badbots
action   = iptables-multiport[name=apache-badbots, port="http,https", protocol=tcp]
#          sendmail-buffered[name=apache-badbots, lines = 5, dest=meine@mail-adresse.tld]
logpath  = /var/log/apache2/access_log
bantime  = 86400
maxretry = 1


[apache-nohome]

enabled  = true
filter   = apache-nohome
action   = iptables-multiport[name=apache-nohome, port="http,https", protocol=tcp]
#          sendmail-buffered[name=apache-nohome, lines = 5, dest=meine@mail-adresse.tld]
logpath  = /var/log/apache2/access_log
bantime  = 86400
maxretry = 1


[apache-noscript]

enabled  = true
filter   = apache-noscript
action   = iptables-multiport[name=apache-noscript, port="http,https", protocol=tcp]
#          sendmail-buffered[name=apache-noscript, lines = 5, dest=meine@mail-adresse.tld]
logpath  = /var/log/apache2/access_log
bantime  = 86400
maxretry = 1


[apache-overflows]

enabled  = true
filter   = apache-overflows
action   = iptables-multiport[name=apache-overflows, port="http,https", protocol=tcp]
#          sendmail-buffered[name=apache-overflows, lines = 5, dest=meine@mail-adresse.tld]
logpath  = /var/log/apache2/access_log
bantime  = 86400
maxretry = 1


[apache-404block]

enabled  = true
filter   = apache-404block
action   = iptables-multiport[name=apache-404block, port="http,https", protocol=tcp]
#          sendmail-buffered[name=apache-404block, lines = 5, dest=meine@mail-adresse.tld]
logpath  = /var/log/apache2/access_log
bantime  = 86400
maxretry = 5




### Not used ###


# [proftpd-iptables]

# enabled  = false
# filter   = proftpd
# action   = iptables[name=ProFTPD, port=ftp, protocol=tcp]
#            sendmail-whois[name=ProFTPD, dest=you@example.com]
# logpath  = /var/log/proftpd/proftpd.log
# maxretry = 6


# This jail forces the backend to "polling".

# [sasl-iptables]
#
# enabled  = false
# filter   = sasl
# backend  = polling
# action   = iptables[name=sasl, port=smtp, protocol=tcp]
#            sendmail-whois[name=sasl, dest=you@example.com]
# logpath  = /var/log/mail.log


# Here we use TCP-Wrappers instead of Netfilter/Iptables. "ignoreregex" is
# used to avoid banning the user "myuser".

# [ssh-tcpwrapper]
#
# enabled     = false
# filter      = sshd
# action      = hostsdeny
#               sendmail-whois[name=SSH, dest=you@example.com]
# ignoreregex = for myuser from
# logpath     = /var/log/sshd.log


# This jail demonstrates the use of wildcards in "logpath".
# Moreover, it is possible to give other files on a new line.

# [apache-tcpwrapper]
#
# enabled  = false
# filter   = apache-auth
# action   = hostsdeny
# logpath  = /var/log/apache*/*error.log
#            /home/www/myhomepage/error.log
# maxretry = 6


# The hosts.deny path can be defined with the "file" argument if it is
# not in /etc.

# [postfix-tcpwrapper]
#
# enabled  = false
# filter   = postfix
# action   = hostsdeny[file=/not/a/standard/path/hosts.deny]
#            sendmail[name=Postfix, dest=you@example.com]
# logpath  = /var/log/postfix.log
# bantime  = 300


# Do not ban anybody. Just report information about the remote host.
# A notification is sent at most every 600 seconds (bantime).

# [vsftpd-notification]
#
# enabled  = false
# filter   = vsftpd
# action   = sendmail-whois[name=VSFTPD, dest=you@example.com]
# logpath  = /var/log/vsftpd.log
# maxretry = 5
# bantime  = 1800


# Same as above but with banning the IP address.

# [vsftpd-iptables]
#
# enabled  = false
# filter   = vsftpd
# action   = iptables[name=VSFTPD, port=ftp, protocol=tcp]
#            sendmail-whois[name=VSFTPD, dest=you@example.com]
# logpath  = /var/log/vsftpd.log
# maxretry = 5
# bantime  = 1800


# Ban hosts which agent identifies spammer robots crawling the web
# for email addresses. The mail outputs are buffered.

# [apache-badbots]
#
# enabled  = false
# filter   = apache-badbots
# action   = iptables-multiport[name=BadBots, port="http,https"]
#            sendmail-buffered[name=BadBots, lines=5, dest=you@example.com]
# logpath  = /var/www/*/logs/access_log
# bantime  = 172800
# maxretry = 1


# Use shorewall instead of iptables.

# [apache-shorewall]
#
# enabled  = false
# filter   = apache-noscript
# action   = shorewall
#            sendmail[name=Postfix, dest=you@example.com]
# logpath  = /var/log/apache2/error_log


# Ban attackers that try to use PHP's URL-fopen() functionality
# through GET/POST variables. - Experimental, with more than a year
# of usage in production environments.

# [php-url-fopen]
#
# enabled = false
# port    = http,https
# filter  = php-url-fopen
# logpath = /var/www/*/logs/access_log
# maxretry = 1


# A simple PHP-fastcgi jail which works with lighttpd.
# If you run a lighttpd server, then you probably will
# find these kinds of messages in your error_log:
# ALERT – tried to register forbidden variable ‘GLOBALS’
# through GET variables (attacker '1.2.3.4', file '/var/www/default/htdocs/index.php')
# This jail would block the IP 1.2.3.4.

# [lighttpd-fastcgi]
#
# enabled = false
# port    = http,https
# filter  = lighttpd-fastcgi
# adapt the following two items as needed
# logpath = /var/log/lighttpd/error.log
# maxretry = 2


# This jail uses ipfw, the standard firewall on FreeBSD. The "ignoreip"
# option is overridden in this jail. Moreover, the action "mail-whois" defines
# the variable "name" which contains a comma using "". The characters '' are
# valid too.

# [ssh-ipfw]
#
# enabled  = false
# filter   = sshd
# action   = ipfw[localhost=192.168.0.1]
#            sendmail-whois[name="SSH,IPFW", dest=you@example.com]
# logpath  = /var/log/auth.log
# ignoreip = 168.192.0.1


# These jails block attacks against named (bind9). By default, logging is off
# with bind9 installation. You will need something like this:
#
# logging {
#     channel security_file {
#         file "/var/log/named/security.log" versions 3 size 30m;
#         severity dynamic;
#         print-time yes;
#     };
#     category security {
#         security_file;
#     };
# };
#
# in your named.conf to provide proper logging.
# This jail blocks UDP traffic for DNS requests.


# !!! WARNING !!!
#   Since UDP is connection-less protocol, spoofing of IP and imitation
#   of illegal actions is way too simple.  Thus enabling of this filter
#   might provide an easy way for implementing a DoS against a chosen
#   victim. See
#    http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
#   Please DO NOT USE this jail unless you know what you are doing.

# [named-refused-udp]
#
# enabled  = false
# filter   = named-refused
# action   = iptables-multiport[name=Named, port="domain,953", protocol=udp]
#            sendmail-whois[name=Named, dest=you@example.com]
# logpath  = /var/log/named/security.log
# ignoreip = 168.192.0.1


# This jail blocks TCP traffic for DNS requests.

# [named-refused-tcp]
#
# enabled  = false
# filter   = named-refused
# action   = iptables-multiport[name=Named, port="domain,953", protocol=tcp]
#           sendmail-whois[name=Named, dest=you@example.com]
# logpath  = /var/log/named/security.log
# ignoreip = 168.192.0.1

This is the dovecot.conf (filter) you asked for:

Code:
filter.d # cat dovecot.conf
# Fail2Ban configuration file for dovcot
#
# Author: Martin Waschbuesch
#
# $Revision$
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
failregex = .*(?:pop3-login|imap-login):.*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

In my filter.d folder I already had these filters (except for apache-404block):

Code:
filter.d # ls
apache-404block.conf  apache-overflows.conf  dovecot.conf           named-refused.conf  pure-ftpd.conf  sshd.conf
apache-auth.conf      common.conf            dropbear.conf          pam-generic.conf    qmail.conf      vsftpd.conf
apache-badbots.conf   courierlogin.conf      exim.conf              php-url-fopen.conf  sasl.conf       webmin-auth.conf
apache-nohome.conf    couriersmtp.conf       gssftpd.conf           postfix.conf        sieve.conf      wuftpd.conf
apache-noscript.conf  cyrus-imap.conf        lighttpd-fastcgi.conf  proftpd.conf        sshd-ddos.conf  xinetd-fail.conf

My action.d folder has the following contents:

Code:
action.d # ls
complain.conf   ipfw.conf                    iptables.conf          mynetwatchman.conf         shorewall.conf
dshield.conf    iptables-allports.conf       mail-buffered.conf     sendmail-buffered.conf
dummy.conf      iptables-multiport-log.conf  mail-whois-lines.conf  sendmail-whois-lines.conf
hostsdeny.conf  iptables-multiport.conf      mail-whois.conf        sendmail-whois.conf
ipfilter.conf   iptables-new.conf            mail.conf              sendmail.conf

Here is what iptables says:

Code:
# iptables -L -v
Chain INPUT (policy ACCEPT 19687 packets, 11M bytes)
 pkts bytes target     prot opt in     out     source               destination         
   12   580 fail2ban-SSH  tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh
   12   580 fail2ban-SSH  tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 21073 packets, 3663K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain fail2ban-SSH (2 references)
 pkts bytes target     prot opt in     out     source               destination         
   24  1160 RETURN     all  --  any    any     anywhere             anywhere            
    0     0 RETURN     all  --  any    any     anywhere             anywhere            

Chain fail2ban-apache-404block (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  any    any     anywhere             anywhere            

Chain fail2ban-apache-auth (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  any    any     anywhere             anywhere            

Chain fail2ban-apache-badbots (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  any    any     anywhere             anywhere            

Chain fail2ban-apache-nohome (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  any    any     anywhere             anywhere            

Chain fail2ban-apache-noscript (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  any    any     anywhere             anywhere            

Chain fail2ban-apache-overflows (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  any    any     anywhere             anywhere            

Chain fail2ban-dovecot (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  any    any     anywhere             anywhere            

Chain fail2ban-postfix (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  any    any     anywhere             anywhere

And I absolutely don't get that... :(

Edit:

Just had a look at
Code:
/var/log/fail2ban.log
... There seem to be errors with every one of the jails I added manually, but why... And how do I get rid of them. I'm not exactly an iptables programmer...

Code:
2012-10-02 20:43:01,512 fail2ban.actions.action: ERROR  iptables -N fail2ban-apache-badbots
iptables -A fail2ban-apache-badbots -j RETURN
iptables -I INPUT -p tcp -m multiport --dports http,https -j fail2ban-apache-badbots returned 100
2012-10-02 20:43:01,513 fail2ban.jail   : INFO   Jail 'apache-404block' started
2012-10-02 20:43:01,525 fail2ban.actions.action: ERROR  iptables -N fail2ban-postfix
iptables -A fail2ban-postfix -j RETURN
iptables -I INPUT -p tcp -m multiport --dports pop3,imap -j fail2ban-postfix returned 100
2012-10-02 20:43:01,533 fail2ban.actions.action: ERROR  iptables -N fail2ban-dovecot
iptables -A fail2ban-dovecot -j RETURN
iptables -I INPUT -p tcp -m multiport --dports pop3,imap -j fail2ban-dovecot returned 100
2012-10-02 20:43:01,540 fail2ban.actions.action: ERROR  iptables -N fail2ban-apache-auth
iptables -A fail2ban-apache-auth -j RETURN
iptables -I INPUT -p tcp -m multiport --dports http,https -j fail2ban-apache-auth returned 100
2012-10-02 20:43:01,548 fail2ban.actions.action: ERROR  iptables -N fail2ban-apache-nohome
iptables -A fail2ban-apache-nohome -j RETURN
iptables -I INPUT -p tcp -m multiport --dports http,https -j fail2ban-apache-nohome returned 100
2012-10-02 20:43:01,556 fail2ban.actions.action: ERROR  iptables -N fail2ban-apache-noscript
iptables -A fail2ban-apache-noscript -j RETURN
iptables -I INPUT -p tcp -m multiport --dports http,https -j fail2ban-apache-noscript returned 100
2012-10-02 20:43:01,564 fail2ban.actions.action: ERROR  iptables -N fail2ban-apache-overflows
iptables -A fail2ban-apache-overflows -j RETURN
iptables -I INPUT -p tcp -m multiport --dports http,https -j fail2ban-apache-overflows returned 100
2012-10-02 20:43:01,571 fail2ban.actions.action: ERROR  iptables -N fail2ban-apache-404block
iptables -A fail2ban-apache-404block -j RETURN
iptables -I INPUT -p tcp -m multiport --dports http,https -j fail2ban-apache-404block returned 100
 
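The phpMyAdmin filter posted earlier and the Dovecot filter above both stand or fall with their failregex, and the normal tool for checking one is fail2ban-regex. The following added example (not code from the thread or from fail2ban) is a small offline stand-in for it: it expands <HOST> the way fail2ban does, applies ignoreregex before failregex, and tallies matches per host on constructed log lines. It also carries a tightened variant of the phpMyAdmin regex that I added, because the posted `.*404.*` tail matches a 404 anywhere after the request, a byte count included, and with the wordlist jail's maxretry = 1 a single such line bans the client.

```python
"""Added example, not code from the thread: an offline stand-in for
fail2ban-regex that applies a filter's failregex / ignoreregex to sample
log lines, used on the phpMyAdmin 404 filter and the Dovecot filter posted
in this thread.  All log lines are constructed (documentation IP ranges).
"""
import re

# fail2ban's expansion of the <HOST> tag, as quoted in the filter comments.
HOST_GROUP = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"


def compile_filter(failregex, ignoreregex=""):
    """Expand <HOST> and compile both patterns; ignore is None when empty."""
    fail = re.compile(failregex.replace("<HOST>", HOST_GROUP))
    ignore = re.compile(ignoreregex) if ignoreregex.strip() else None
    return fail, ignore


def matching_hosts(lines, failregex, ignoreregex=""):
    """Per-host failure counts, i.e. what fail2ban compares against maxretry.

    ignoreregex is checked first: a line it matches never counts.
    (fail2ban 0.8 also cuts the matched timestamp out of the line before
    applying failregex; for the two filters here that makes no difference.)
    """
    fail, ignore = compile_filter(failregex, ignoreregex)
    counts = {}
    for line in lines:
        if ignore is not None and ignore.search(line):
            continue
        m = fail.search(line)
        if m:
            host = m.group("host")
            counts[host] = counts.get(host, 0) + 1
    return counts


# --- filter 1: the phpMyAdmin filter from the "wordlist" post ---------------
PMA_FAILREGEX = r'^<HOST> .*\"GET.*phpmyadmin.*HTTP.*\".*404.*'
PMA_IGNOREREGEX = r'.*(robots.txt|favicon.ico)'

# Tighter variant (added here): the status must be the field right after the
# request, so a byte count or referrer containing "404" no longer matches.
PMA_TIGHT_FAILREGEX = (r'^<HOST> \S+ \S+ \[[^\]]*\] "GET [^"]*phpmyadmin[^"]*'
                       r' HTTP[^"]*" 404 ')

APACHE_LINES = [  # constructed access_log lines
    '192.0.2.10 - - [02/Oct/2012:20:43:01 +0200] "GET /phpmyadmin/ HTTP/1.1" 404 290 "-" "curl/7.26"',
    '192.0.2.10 - - [02/Oct/2012:20:43:02 +0200] "GET /phpMyAdmin/ HTTP/1.1" 404 290 "-" "curl/7.26"',
    '192.0.2.10 - - [02/Oct/2012:20:43:03 +0200] "GET /pma/phpmyadmin/ HTTP/1.1" 404 290 "-" "curl/7.26"',
    '198.51.100.7 - - [02/Oct/2012:20:44:00 +0200] "GET /robots.txt HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [02/Oct/2012:20:44:01 +0200] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    # legitimate 200 whose byte count contains "404": the posted regex counts it
    '198.51.100.7 - - [02/Oct/2012:20:44:02 +0200] "GET /phpmyadmin/index.php HTTP/1.1" 200 14042 "-" "Mozilla/5.0"',
]

# --- filter 2: the Dovecot filter posted above (explicit host group) --------
DOVECOT_FAILREGEX = (r".*(?:pop3-login|imap-login):.*(?:Authentication failure"
                     r"|Aborted login \(auth failed|Aborted login \(tried to use disabled"
                     r"|Disconnected \(auth failed).*rip=(?P<host>\S*),.*")

MAIL_LINES = [  # constructed mail.log lines
    "Oct  2 20:45:10 web dovecot: imap-login: Disconnected (auth failed, 3 attempts): user=<admin>, method=PLAIN, rip=203.0.113.9, lip=192.0.2.1, TLS",
    "Oct  2 20:45:30 web dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<test>, method=PLAIN, rip=203.0.113.9, lip=192.0.2.1",
    "Oct  2 20:46:00 web dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.1, TLS",
]

if __name__ == "__main__":
    print("phpmyadmin (posted):", matching_hosts(APACHE_LINES, PMA_FAILREGEX, PMA_IGNOREREGEX))
    print("phpmyadmin (tight): ", matching_hosts(APACHE_LINES, PMA_TIGHT_FAILREGEX, PMA_IGNOREREGEX))
    print("dovecot:            ", matching_hosts(MAIL_LINES, DOVECOT_FAILREGEX))
```

Two things the run shows that the filter text alone does not: the posted regex is case-sensitive, so `/phpMyAdmin/` is not counted, and the `.*404.*` tail counts the legitimate 200 response with 14042 bytes, which the tightened variant does not. The Dovecot regex needs no <HOST> expansion because it names the `host` group itself.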
Have you tried deleting the iptables rules for testing:
Code:
iptables -F
iptables -X
/etc/init.d/fail2ban restart
Does it work then?
If not, try using plain iptables as the action instead of multiport.
 
Hello blocklist,

Thanks for your help :) But unfortunately it still doesn't work :( I tried it following the suggestions you named.

Before restarting fail2ban I ran:

Code:
iptables -F
iptables -X

I tested it with iptables instead of iptables-multiport. With that the error code is "200" instead of the "100" I get when working with iptables-multiport.

Maybe the contents of my iptables.conf/iptables-multiport.conf will help...

iptables.conf

Code:
action.d # cat iptables.conf
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision$
#

[Definition]

# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
#
actionstart = iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
              iptables -I <chain> -p <protocol> --dport <port> -j fail2ban-<name>

# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
#
actionstop = iptables -D <chain> -p <protocol> --dport <port> -j fail2ban-<name>
             iptables -F fail2ban-<name>
             iptables -X fail2ban-<name>

# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
actioncheck = iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#          <time>  unix timestamp of the ban time
# Values:  CMD
#
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#          <time>  unix timestamp of the ban time
# Values:  CMD
#
actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP

[Init]

# Defaut name of the chain
#
name = default

# Option:  port
# Notes.:  specifies port to monitor
# Values:  [ NUM | STRING ]  Default:
#
port = ssh

# Option:  protocol
# Notes.:  internally used by config reader for interpolations.
# Values:  [ tcp | udp | icmp | all ] Default: tcp
#
protocol = tcp

# Option:  chain
# Notes    specifies the iptables chain to which the fail2ban rules should be
#          added
# Values:  STRING  Default: INPUT
chain = INPUT

iptables-multiport.conf

Code:
action.d # cat iptables-multiport.conf
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Modified by Yaroslav Halchenko for multiport banning
# $Revision$
#

[Definition]

# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
#
actionstart = iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
              iptables -I <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>

# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
#
actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
             iptables -F fail2ban-<name>
             iptables -X fail2ban-<name>

# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
actioncheck = iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#          <time>  unix timestamp of the ban time
# Values:  CMD
#
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#          <time>  unix timestamp of the ban time
# Values:  CMD
#
actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP

[Init]

# Defaut name of the chain
#
name = default

# Option:  port
# Notes.:  specifies port to monitor
# Values:  [ NUM | STRING ]  Default:
#
port = ssh

# Option:  protocol
# Notes.:  internally used by config reader for interpolations.
# Values:  [ tcp | udp | icmp | all ] Default: tcp
#
protocol = tcp

# Option:  chain
# Notes    specifies the iptables chain to which the fail2ban rules should be
#          added
# Values:  STRING  Default: INPUT
chain = INPUT

SSH/SSH-DDoS, the standard f2b jails, work. But that's the only thing. The filters also seem to be working, because if I try to get an IP banned by pestering the server, I get a mail saying it was banned, and it shows up in fail2ban.log. Unfortunately the ban doesn't take effect because of error code 100, and you can keep pestering the server as much as you like :((
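Decoding the "returned 100" and "returned 200" numbers from the log. This is an added example, not code from the thread or from fail2ban: a parser for the multi-line action errors in fail2ban.log. It rests on one assumption about fail2ban 0.8.x that the thread does not state: the actionstart block runs as one shell script and the number logged is os.system()'s raw wait status printed in hex, so it is (exit code << 8) of the last command in the block. Under that assumption 100 is exit code 1 and 200 is exit code 2, which iptables(8) documents as "any other error" and "invalid or abused command-line parameters" respectively. The sample log is the excerpt posted above plus one constructed entry for the plain-iptables case.

```python
"""Added example, not code from the thread: parse the multi-line action errors
fail2ban 0.8 writes to fail2ban.log and decode "returned 100" / "returned 200".

Assumption (fail2ban 0.8.x behaviour, not stated in the thread): the whole
actionstart block runs in one shell and the logged number is os.system()'s
raw wait status in hex, i.e. (exit code << 8) | signal of the LAST command in
the block.  Exit-code meanings are those documented in iptables(8).
"""
import re

ENTRY_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) "
                      r"(?P<logger>\S+)\s*: (?P<level>[A-Z]+)\s+(?P<msg>.*)$")
RETURNED_RE = re.compile(r"^(?P<cmd>.*) returned (?P<status>[0-9a-fA-F]+)$")
CHAIN_RE = re.compile(r"-N fail2ban-(?P<jail>\S+)")

# iptables(8): 2 = invalid/abused command-line parameters, 1 = any other error
# (chain already exists, unknown match/target module, ...); 127 is the shell's
# own "command not found".
EXIT_CODE_MEANING = {
    0: "success",
    1: "iptables: other error (chain already exists, match/target module unavailable, ...)",
    2: "iptables: invalid or abused command-line parameters",
    127: "shell: command not found (iptables not in fail2ban's PATH?)",
}


def decode_wait_status(hex_status):
    """'100' -> (1, 0): exit code 1, no signal; '7f00' -> (127, 0)."""
    status = int(hex_status, 16)
    return status >> 8, status & 0x7F


def group_entries(lines):
    """Attach continuation lines (no leading timestamp) to the entry above."""
    entries = []
    for line in lines:
        if ENTRY_RE.match(line):
            entries.append([line])
        elif entries and line.strip():
            entries[-1].append(line)
    return entries


def parse_action_errors(lines):
    """One record per failed action block: jail, failing command, exit code."""
    records = []
    for entry in group_entries(lines):
        head = ENTRY_RE.match(entry[0])
        if head.group("level") != "ERROR" or head.group("logger") != "fail2ban.actions.action":
            continue
        commands = [head.group("msg")] + entry[1:]
        tail = RETURNED_RE.match(commands[-1])
        if not tail:
            continue
        commands[-1] = tail.group("cmd")
        exit_code, sig = decode_wait_status(tail.group("status"))
        jail = CHAIN_RE.search(commands[0])
        records.append({
            "timestamp": head.group("ts"),
            "jail": jail.group("jail") if jail else None,
            "failing_command": commands[-1],   # the status belongs to the last line
            "exit_code": exit_code,
            "signal": sig,
            "meaning": EXIT_CODE_MEANING.get(exit_code, "unknown"),
        })
    return records


# Excerpt of the fail2ban.log posted above, plus one CONSTRUCTED entry at the
# end showing what the plain "iptables" action produces (the "200" case).
SAMPLE_LOG = """\
2012-10-02 20:43:01,512 fail2ban.actions.action: ERROR  iptables -N fail2ban-apache-badbots
iptables -A fail2ban-apache-badbots -j RETURN
iptables -I INPUT -p tcp -m multiport --dports http,https -j fail2ban-apache-badbots returned 100
2012-10-02 20:43:01,513 fail2ban.jail   : INFO   Jail 'apache-404block' started
2012-10-02 20:43:01,525 fail2ban.actions.action: ERROR  iptables -N fail2ban-postfix
iptables -A fail2ban-postfix -j RETURN
iptables -I INPUT -p tcp -m multiport --dports pop3,imap -j fail2ban-postfix returned 100
2012-10-02 20:43:01,533 fail2ban.actions.action: ERROR  iptables -N fail2ban-dovecot
iptables -A fail2ban-dovecot -j RETURN
iptables -I INPUT -p tcp -m multiport --dports pop3,imap -j fail2ban-dovecot returned 100
2012-10-03 08:00:00,001 fail2ban.actions.action: ERROR  iptables -N fail2ban-postfix
iptables -A fail2ban-postfix -j RETURN
iptables -I INPUT -p tcp --dport pop3,imap -j fail2ban-postfix returned 200
"""

if __name__ == "__main__":
    for r in parse_action_errors(SAMPLE_LOG.splitlines()):
        print(f"{r['jail']}: exit {r['exit_code']} from `{r['failing_command']}` -> {r['meaning']}")
```

Read against the `iptables -L -v` output posted with the log, the decoding fits: the status belongs to the `iptables -I INPUT ... -m multiport ...` line, every fail2ban-* chain exists with its RETURN rule (so the -N and -A lines ran), and every one has 0 references (so the jump from INPUT was never inserted). Exit code 2 with the plain iptables action is the parameter error that `--dport pop3,imap` produces, since a port list needs `-m multiport`. What the log does not carry is iptables' own error text; running the failing -I line by hand as root prints it and separates "chain already exists" from a multiport match that the kernel does not provide.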
 
Well, the error messages in fail2ban.log actually say that a chain already exists; or rather, in the current state, what does

Code:
iptables -N fail2ban-dovecot

say?

You do have a jail.conf and a jail.local in use, right?
Try renaming jail.local, i.e. turn it into the .conf so that only one exists, so that only one iptables chain gets created...
You don't by any chance have a "[dovecot]" jail twice in the .local?
 
Code:
iptables -N fail2ban-dovecot

Probiere ich heute aus, blocklist. Deine Idee mit den beiden Files: Jail.local/Jail.conf macht mir aber einen guten Eindruck! Ich habe die beiden Files: fail2ban.conf und jail.conf lediglich nur zu *.local kopiert und die local´s dann editiert.

Maybe it really is as you assume, and that's where the problems come from. However, only ssh/ssh-ddos are configured in jail.conf. Still, I'll edit the .conf file as well and comment things out there. Or rather, copy it somewhere else to be safe. (I generally do that with very elaborate configurations, like the one for the mail server, for example.) Or the Apache vhosts. For that I created a folder under /home/ named after the applications, where I back up configs once they are finished. If I then make a mistake somewhere, I can "peek at" the file again.

But again, the idea is really good! I'm sure it's once again some tiny, finicky nitpick that keeps this from working so far... It's usually like that :o
 
So, I've tried everything again...

On
Code:
# iptables -N fail2ban-DOVECOT
iptables: Chain already exists.
;)

Yep, it exists... But unfortunately it doesn't work :(

And I deleted both fail2ban.local and jail.local; now only fail2ban.conf and jail.conf are active...

I even reworked the configs again and checked that nothing is in there twice (from the jail examples). So that error can be ruled out to 99.9% ;)....

No idea. I'll ask in the gentoo forum tomorrow. Maybe they know more. Maybe it's the hardened kernel. Another "idea". But then the SSH jails wouldn't work either :/

Or do you have another "spark" of an idea?

Thanks anyway for all the suggestions and help!!
 
@Neutrino 2003
PS. You can drop the "sasl" jail when using Dovecot, since Dovecot has its own SASL, which the "Dovecot" jail covers as well.


It doesn't seem to be covered by Dovecot after all, because last night Sasl-Iptables fired.
 
Hello checker,

Well, regarding that I read something, I think even here in the forum, from one of the knowledgeable leading gentlemen, pointing out that Dovecot brings its own SASL auth, i.e. that no separate FW rule (iptables) needs to be created for sasl.

But I read volumes every day, because I still have quite a few things to get under control, which is why I often skim such topics but don't read them through completely. Still, it sounded pretty clear.

Small addendum:

http://wiki2.dovecot.org/HowTo/PostfixAndDovecotSASL

Code:
smtpd_sasl_type = dovecot

# Can be an absolute path, or relative to $queue_directory
# Debian/Ubuntu users: Postfix is setup by default to run chrooted, so it is best to leave it as-is below
smtpd_sasl_path = private/auth

So I wasn't mistaken after all... That really wouldn't let me go. Possibly the actual 'sasl' jail "listens" on the same thing dovecot "listens" on. It's the same port, after all.

There's news on my side as well: the reason for the error with my non-working jails is 'iptables-multiport'. Whatever the reason. (I suspect the 'hardened environment' might be responsible. SELinux is one level higher still, and there this kind of thing, where something 'just doesn't' work, is said to occur even more severely.)

I've now split the jails into 'http' / 'https', so that I get by with plain iptables. That seems to work. F2B shows no more errors and I have references in the chains everywhere.
 
Addendum including the solution to the problem:
Since the iptables-only variant described in my last post also turned out not to be a 100% blocking method... (once only http was blocked, but via https it was still possible to 'pester') ...I went at it again and have now finally solved the problem:

It was a kernel parameter for multiport support for iptables in the kernel.
-> target-match 'multiport'

Unfortunately it isn't visible unless you enable the advanced iptables options. And since not even the name "Advanced Corefilter-Options" appears in any HowTos on the net, it was more by chance that I found it.
I just want to leave it here, to perhaps make solving the problem easier for others. Anyone who uses a manually built kernel and wants to use iptables will inevitably 'clash' with this...
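An added diagnostic script for the two failure modes in this thread (a fail2ban chain that exists but whose bans never apply, and an iptables-multiport action with no kernel support for the multiport match); it is not code from the thread or from fail2ban. It assumes the kernel config symbol CONFIG_NETFILTER_XT_MATCH_MULTIPORT, the /proc/net/ip_tables_matches listing, the usual kernel config paths, and the F2B_CHECK_LIVE variable as a switch for the live run.

```shell
#!/bin/sh
# Added example, not from the thread: checks behind "the jail bans but nothing
# is blocked". File paths are passed in so the checks also work on saved copies.

# 1) Is the "multiport" match loaded? /proc/net/ip_tables_matches lists the
#    matches ip_tables currently knows ($1: that file or a saved copy).
match_loaded() {
    grep -qx 'multiport' "$1" 2>/dev/null
}

# 2) Does the kernel config ($1) build the match at all? Built-in (=y) or
#    module (=m) counts; "# ... is not set" or a missing line does not.
config_enables_multiport() {
    grep -Eq '^CONFIG_NETFILTER_XT_MATCH_MULTIPORT=(y|m)$' "$1" 2>/dev/null
}

# 3) Is the fail2ban chain ($2) actually reached from INPUT? $1 holds the
#    output of "iptables -S INPUT". A chain that exists ("Chain already
#    exists") but is never jumped to drops nothing.
chain_referenced() {
    grep -Eq "^-A INPUT .*-j $2\$" "$1" 2>/dev/null
}

# Live run against the host (needs root), only when F2B_CHECK_LIVE=1 is set;
# pass the fail2ban chain names to inspect as arguments.
if [ "${F2B_CHECK_LIVE:-0}" = "1" ]; then
    cfg="/boot/config-$(uname -r)"            # Gentoo: /usr/src/linux/.config
    [ -r "$cfg" ] || cfg=/usr/src/linux/.config
    rules=$(mktemp) && iptables -S INPUT > "$rules"
    match_loaded /proc/net/ip_tables_matches && echo "multiport match: loaded" \
        || echo "multiport match: NOT loaded (try: modprobe xt_multiport)"
    config_enables_multiport "$cfg" && echo "kernel config: multiport enabled" \
        || echo "kernel config: CONFIG_NETFILTER_XT_MATCH_MULTIPORT not set"
    for chain in "$@"; do
        chain_referenced "$rules" "$chain" && echo "$chain: jumped to from INPUT" \
            || echo "$chain: no jump from INPUT (bans in it never apply)"
    done
    rm -f "$rules"
fi
```

Run as `F2B_CHECK_LIVE=1 sh f2b_check.sh fail2ban-SSH fail2ban-Dovecot` (the script name is an assumption); a jail whose chain shows "no jump from INPUT" or a missing multiport match explains bans that are logged but never enforced.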
 