I have a problem with my fail2ban configuration, e.g. I am not banned for 60 s after entering a wrong password three times for ssh or ftp.
[code]
# Fail2Ban configuration file.
#
# This file was composed for Debian systems from the original one
#  provided now under /usr/share/doc/fail2ban/examples/jail.conf
#  for additional examples.
#
# Comments: use '#' for comment lines and ';' for inline comments
#
# To avoid merges during upgrades DO NOT MODIFY THIS FILE
# and rather provide your changes in /etc/fail2ban/jail.local
#
# The DEFAULT allows a global definition of the options. They ca$
# in each jail afterwards.

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fa$
# ban a host which matches an address in this list. Several addr$
# defined using space separator.
ignoreip = 0.0.0.0

# External command that will take an tagged arguments to ignore,$
# and return true if the IP is to be ignored. False otherwise.
#
# ignorecommand = /path/to/command <ip>
ignorecommand =

# "bantime" is the number of seconds that a host is banned.
bantime = 60

# A host is banned if it has generated "maxretry" during the las$
# seconds.
findtime = 60
maxretry = 3

# "backend" specifies the backend used to get files modification.
# Available options are "pyinotify", "gamin", "polling" and "aut$
# This option can be overridden in each jail as well.
#
# pyinotify: requires pyinotify (a file alteration monitor) to be installed.
#            If pyinotify is not installed, Fail2ban will use auto.
# gamin:     requires Gamin (a file alteration monitor) to be installed.
#            If Gamin is not installed, Fail2ban will use auto.
# polling:   uses a polling algorithm which does not require external libraries.
# auto:      will try to use the following backends, in order:
#            pyinotify, gamin, polling.
backend = auto

# "usedns" specifies if jails should trust hostnames in logs,
#   warn when reverse DNS lookups are performed, or ignore all hostnames in logs
#
# yes:   if a hostname is encountered, a reverse DNS lookup will be performed.
# warn:  if a hostname is encountered, a reverse DNS lookup will be performed,
#        but it will be logged as a warning.
# no:    if a hostname is encountered, will not be used for banning,
#        but it will be logged as info.
usedns = warn

#
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = root@localhost

#
# ACTIONS
#

# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define
# action_* variables. Can be overridden globally or per
# section within jail.local file
banaction = iptables-multiport

# email action. Since 0.8.1 upstream fail2ban uses sendmail
# MTA for the mailing. Change mta configuration parameter to mail
# if you want to revert to conventional 'mail'.
mta = sendmail

# Default protocol
protocol = tcp

# Specify chain where jumps would need to be added in iptables-* actions
chain = INPUT

#
# Action shortcuts. To be used to define action parameter

# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain$

# ban & send an e-mail with whois report to the destemail.
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(cha$
            %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain$

# ban & send an e-mail with whois report and relevant log lines
# to the destemail.
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
             %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s", se$

# Choose default action. To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
action = %(action_)s

#
# JAILS
#

# Next jails corresponds to the standard configuration in Fail2ban 0.6 which
# was shipped in Debian. Enable any defined here jail by including
#
# [SECTION_NAME]
# enabled = true
#
# in /etc/fail2ban/jail.local.
#
# Optionally you may override any other parameter (e.g. banaction,
# action, port, logpath, etc) in that section within jail.local

[ssh]

enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 3

[dropbear]

enabled  = false
port     = ssh
filter   = dropbear
logpath  = /var/log/auth.log
maxretry = 6

# Generic filter for pam. Has to be used with action which bans all ports
# such as iptables-allports, shorewall
[pam-generic]

enabled  = false
# pam-generic filter can be customized to monitor specific subset of 'tty's
filter   = pam-generic
# port actually must be irrelevant but lets leave it all for some possible uses
port     = all
banaction = iptables-allports
port     = anyport
logpath  = /var/log/auth.log
maxretry = 3

[xinetd-fail]

enabled   = false
filter    = xinetd-fail
port      = all
banaction = iptables-multiport-log
logpath   = /var/log/daemon.log
maxretry  = 2

[ssh-ddos]

enabled  = false
port     = ssh
filter   = sshd-ddos
logpath  = /var/log/auth.log
maxretry = 3

# Here we use blackhole routes for not requiring any additional kernel support
# to store large volumes of banned IPs

# IPset comes in two versions. See ipset -V for which one to use
# requires the ipset package and kernel support.

[ssh-iptables-ipset4]

enabled   = false
port      = ssh
filter    = sshd
banaction = iptables-ipset-proto4
logpath   = /var/log/sshd.log
maxretry  = 6

[ssh-iptables-ipset6]

enabled   = false
port      = ssh
filter    = sshd
banaction = iptables-ipset-proto6
logpath   = /var/log/sshd.log
maxretry  = 6

#
# HTTP servers
#

[apache]

#
# FTP servers
#

[vsftpd]

enabled  = false
port     = ftp,ftp-data,ftps,ftps-data
filter   = vsftpd
logpath  = /var/log/vsftpd.log
# or overwrite it in jails.local to be
# logpath = /var/log/auth.log
# if you want to rely on PAM failed login attempts
# vsftpd's failregex should match both of those formats
maxretry = 6

[proftpd]

enabled  = false
port     = ftp,ftp-data,ftps,ftps-data
filter   = proftpd
logpath  = /var/log/proftpd/proftpd.log
maxretry = 3

[pure-ftpd]

enabled  = false
port     = ftp,ftp-data,ftps,ftps-data
filter   = pure-ftpd
logpath  = /var/log/syslog
maxretry = 6

[wuftpd]

enabled  = false
port     = ftp,ftp-data,ftps,ftps-data
filter   = wuftpd
logpath  = /var/log/syslog
maxretry = 3
[/code]
Last edited by tajwan (2016-01-22 16:52:58)
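As an added illustration that is not part of the thread, the script below mimics how the `findtime` / `maxretry` pair from the posted `[DEFAULT]` section counts failures: a host is banned only when `maxretry` matching lines fall inside a single `findtime` window, so three failures spread over several minutes never trigger a ban with `findtime = 60`. The regex is a simplified stand-in for fail2ban's real `sshd` filter, and the auth.log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Simplified stand-in for fail2ban's sshd failregex: only the "Failed password" form.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

# Constructed sample auth.log (documentation addresses, not a real capture).
SAMPLE_AUTH_LOG = """\
Jan 22 16:40:01 host sshd[1001]: Failed password for root from 192.0.2.10 port 50001 ssh2
Jan 22 16:40:20 host sshd[1002]: Failed password for invalid user admin from 192.0.2.10 port 50002 ssh2
Jan 22 16:40:45 host sshd[1003]: Failed password for root from 192.0.2.10 port 50003 ssh2
Jan 22 16:41:00 host sshd[1004]: Accepted publickey for deploy from 198.51.100.7 port 50010 ssh2
Jan 22 16:50:00 host sshd[1005]: Failed password for root from 198.51.100.7 port 50011 ssh2
Jan 22 16:52:00 host sshd[1006]: Failed password for root from 198.51.100.7 port 50012 ssh2
Jan 22 16:54:00 host sshd[1007]: Failed password for root from 198.51.100.7 port 50013 ssh2
"""


def parse_failures(log_text, year=2016):
    """Yield (timestamp, ip) for every line the simplified failregex matches."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"]


def bans(log_text, findtime=60, maxretry=3):
    """Return {ip: ISO timestamp of the ban} using a sliding window of `findtime` seconds."""
    recent = defaultdict(list)  # ip -> timestamps of failures still inside the window
    banned = {}
    for ts, ip in parse_failures(log_text):
        if ip in banned:
            continue  # already banned; fail2ban would not count further lines
        hits = [t for t in recent[ip] if (ts - t).total_seconds() <= findtime]
        hits.append(ts)
        recent[ip] = hits
        if len(hits) >= maxretry:
            banned[ip] = ts.isoformat()
    return banned


if __name__ == "__main__":
    for fw in (60, 600):
        print(f"findtime={fw}:", bans(SAMPLE_AUTH_LOG, findtime=fw))
```

With the posted settings only 192.0.2.10 is banned; 198.51.100.7 needs `findtime` raised to 600 before its three failures count as one burst.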
Is your ssh on the default port 22? Or some other one?
If it is different, change:
port = ssh
to
port = *PORT*
Last edited by noyo (2016-01-22 15:14:06)
The same for ftp?

If you have a port other than the default, then in every case.
[quote=tajwan]I have a problem with my fail2ban configuration, e.g. I am not banned for 60 s after entering a wrong password three times for ssh or ftp.
...[/quote]
Do you have some antique Linux 2.2 with Ipchains, that you need fail2ban?
Because if it is current, forget Fail2ban and look into the hashlimit, recent and set targets in Iptables and Ipset.
Examples:
https://forums.gentoo.org/viewtopic-p-7081326.html#7081326
https://forum.dug.net.pl/viewtopic.php?pid=269383#p269383
Much more effective and more reliable than Fail2ban.
On top of that, in Proftpd you have mod-ban:
http://www.proftpd.org/docs/contrib/mod_ban.html
and in SSH you have the [b]MaxAuthTries[/b] option, or [b]PermitRootLogin without-password[/b].
Just before you change anything on the server, test the settings thoroughly at home so you do not end up in a mess.
Here are examples of limiting access to the SSH port with iptables.
http://www.nfire.eu/?m=articles&ms=print&article_id=34
If you are tinkering with SSH, expose [b]Dropbear[/b] or [b]Webmin[/b] on another port so you are not left stranded if something goes wrong.
Cheers
Last edited by Jacekalex (2016-01-22 21:20:12)
I do not have an antique Linux, just an ordinary stable 8.2. Webmin
[quote]Its development has currently been dropped in some distributions, e.g. Debian-based ones, for lack of anyone willing to maintain it, making it harder to upgrade servers from Sarge to Etch for lack of an alternative program.
The official repositories offer version 1.180 from the Sarge distribution (the previous stable). It can be used with newer Debian versions with certain limitations, or the latest package can be downloaded from the project's site[/quote]
Last edited by tajwan (2016-01-23 12:03:06)
NEVER AGAIN TESTING, NOTHING BUT PROBLEMS WITH IT !!!