From: René B. <rb...@ca...> - 2008-06-26 01:36:20
Earl Angus wrote:

> I redid the steps you suggested and got better
> results... it matched on one of the IPs but not the
> other. I got an error message in fail2ban-regex...
> [snip]
> Let me clarify though that it actually has more than
> one entry for both, more than maxretry = 5.
>
> The original sshd.conf will not work since the pattern
> match is different from the default failregex
> [snip]
> Using the original sshd.conf, here is what the
> fail2ban-regex looks like.
>
> #######Original sshd.conf
>
> failregex = (?:error: PAM: )?Authentication failure for .* from <HOST>\s*$
>             Failed [-/\w]+ for .* from <HOST>(?: port \d*)?(?: ssh\d*)?\s*$
>             ROOT LOGIN REFUSED.* FROM <HOST>\s*$
>             [iI](?:llegal|nvalid) user .* from <HOST>\s*$
>             User .+ from <HOST> not allowed because not listed in AllowUsers\s*$
>             User .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$

Yes, you were right, the required regex is missing... but I have it in
the version I use, which is 0.8.2-SVN (I got it from the Subversion
server on a recommendation by Cyril Jaquier).

[snip]
> I used a modified sshd.local with the following
> failregex:
>
> failregex = sshd\(pam_unix\)\[\d+\]: authentication failure; .* rhost=(?P<host>\S+)
>
> #### Ran fail2ban-regex with the following results:
>
> % fail2ban-regex /var/log/messages /etc/fail2ban/filter.d/sshd.local
>
>
> Running tests
> =============
>
> Use regex file : /etc/fail2ban/filter.d/sshd.local
> Use log file   : /var/log/messages
>
>
> Results
> =======
>
> Failregex
> |- Regular expressions:
> |  [1] sshd\(pam_unix\)\[\d+\]: authentication failure; .* rhost=(?P<host>\S+)

One note: fail2ban's regexes try to defend themselves against IP
injection; they do this by anchoring the end of line. The regex in the
newer version has that extra protection.

> |
> `- Number of matches:
>    [1] 27 match(es)
>
> Ignoreregex
> |- Regular expressions:
> |
> `- Number of matches:
>
> Summary
> =======
>
> Addresses found:
> [1]
>     195.43.191.125 (Wed Jun 25 08:47:19 2008)
> Traceback (most recent call last):
>   File "/home/eangus/notes/fail2ban/fail2ban-0.8.1/fail2ban-regex", line 382, in ?
>     if fail2banRegex.printStats():
>   File "/home/eangus/notes/fail2ban/fail2ban-0.8.1/fail2ban-regex", line 309, in printStats
>     if ip[2]:
> IndexError: list index out of range

This probably is a bug in the version you have; it probably is corrected
in the newer version.

> #### I enabled ssh-iptables in jail.conf
>
> [ssh-iptables]
>
> enabled  = true
> filter   = sshd
> action   = iptables[name=SSH, port=ssh, protocol=tcp]
> #          sendmail-whois[name=SSH, dest=yo...@ma..., sender=fai...@ma...]
> # logpath = /var/log/sshd.log
> logpath  = /var/log/messages
> maxretry = 5
> bantime  = 1800
>
> #### Modified time for all entries of the offending ssh authentication
> failure in messages log file to be 1 minute before actual time, then
> stopped and started using fail2ban-client stop/start.

I don't think modifying times will work; fail2ban could simply monitor
the log for any new lines and not care about your changes. But I'm not
sure about the internal works.

[snip]
> % /usr/sbin/fail2ban-client stop
> Shutdown successful
>
> % /usr/bin/fail2ban-client start
> 2008-06-25 17:44:41,771 fail2ban.server : INFO   Starting Fail2ban
>
> % iptables -L
>
> Chain fail2ban-SSH (1 references)
> target     prot opt source               destination
>
> DROP       all  --  lambda.tsnet.it      anywhere
>
> RETURN     all  --  anywhere             anywhere
>
> This IP was not caught...
>
> host=s01060004e289c9a2.ed.shawcable.net
>
> But when I run this manually using fail2ban-regex, I
> get no error and even get the IP address.

[snip]

The easiest way is to install the latest 0.8.2 version (not the 0.9
experimental): you get a regex in the default sshd configuration, and
probably a correction to the 'index out of range' problem.

Or you can wait; Cyril will see your message and probably give you
better advice (he knows if there was a bug that shows what you are
seeing).
--
René Berber
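As an added example (not part of this thread and not fail2ban's own code), a small Python script that mimics what fail2ban-regex reports: it runs Earl's unanchored pam_unix failregex and an end-anchored variant over a few constructed /var/log/messages lines, tallies the hosts found per regex the way the "Addresses found" summary does, and checks them against a maxretry value. The anchored pattern, the <HOST> expansion and the sample lines are assumptions, not the actual 0.8.2 filter.

```python
import re
from collections import Counter

# Assumed stand-in for fail2ban's <HOST> expansion (constructed here, not fail2ban's own).
HOST = r"(?P<host>\S+)"

# Earl's unanchored pam_unix failregex from the thread.
UNANCHORED = r"sshd\(pam_unix\)\[\d+\]: authentication failure; .* rhost=(?P<host>\S+)"
# End-anchored variant in the spirit of René's remark (assumption: not the real 0.8.2 pattern).
ANCHORED = (r"sshd\(pam_unix\)\[\d+\]: authentication failure; .* "
            r"rhost=<HOST>(?:\s+user=\S*)?\s*$")

# Constructed sample lines standing in for /var/log/messages (RFC 5737 test addresses).
SAMPLE_LOG = """\
Jun 25 08:47:19 host sshd(pam_unix)[4101]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=root
Jun 25 08:47:25 host sshd(pam_unix)[4103]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=root
Jun 25 08:48:02 host sshd(pam_unix)[4110]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7
Jun 25 08:48:30 host sshd(pam_unix)[4112]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=bob extra=1
Jun 25 08:49:40 host sshd[4120]: Accepted publickey for alice from 203.0.113.3 port 50022 ssh2
"""

def compile_failregex(pattern):
    """Expand <HOST> the way a fail2ban filter would before compiling."""
    return re.compile(pattern.replace("<HOST>", HOST))

def addresses_found(log_text, failregex):
    """Like the 'Addresses found' summary: number of matching lines per host."""
    rx = compile_failregex(failregex)
    counts = Counter()
    for line in log_text.splitlines():
        m = rx.search(line)
        if m:
            counts[m.group("host")] += 1
    return dict(counts)

def hosts_to_ban(counts, maxretry):
    """Hosts whose failure count reached the jail's maxretry (findtime ignored)."""
    return sorted(host for host, n in counts.items() if n >= maxretry)

if __name__ == "__main__":
    for name, pattern in (("unanchored", UNANCHORED), ("anchored", ANCHORED)):
        found = addresses_found(SAMPLE_LOG, pattern)
        # The anchored regex skips the line with an unexpected trailing field,
        # so its tally for 192.0.2.10 is one lower than the unanchored one.
        print(name, found, "ban at maxretry=3:", hosts_to_ban(found, 3))
```

Running it shows why it pays to compare the per-regex match counts with the lines you expect to be caught: an anchor makes a filter stricter, so a line whose tail deviates from the expected shape is silently not counted.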