Fail2Ban no prohíbe el intento fallido de inicio de sesión

Navega tus respuestas
4

Tengo un pequeño servidor que solo abre puertos son ssh, http y https. He instalado y configurado fail2ban para que, después de 3 intentos fallidos, alguien quede bloqueado durante 10 minutos (creo que es el error).

el inicio de sesión raíz está deshabilitado, pero las personas que intentan acceder a él no se bloquean.

cat /var/log/messages | grep ssh muestra como 50 intentos de este tipo: 

Jan 20 10:50:57 localhost sshd[28666]: SSH: Server;Ltype: Version;Remote: 88.190.31.135-57382;Protocol: 2.0;Client: libssh-0.1
Jan 20 10:50:57 localhost sshd[28666]: SSH: Server;Ltype: Kex;Remote: 88.190.31.135-57382;Enc: aes128-cbc;MAC: hmac-sha1;Comp: none [preauth]
Jan 20 10:50:57 localhost sshd[28666]: SSH: Server;Ltype: Authname;Remote: 88.190.31.135-57382;Name: root [preauth]
Jan 20 10:50:57 localhost sshd[28666]: Received disconnect from 88.190.31.135: 11: Bye Bye [preauth]
Jan 20 10:50:57 localhost sshd[28668]: SSH: Server;Ltype: Version;Remote: 88.190.31.135-57437;Protocol: 2.0;Client: libssh-0.1
Jan 20 10:50:57 localhost sshd[28668]: SSH: Server;Ltype: Kex;Remote: 88.190.31.135-57437;Enc: aes128-cbc;MAC: hmac-sha1;Comp: none [preauth]
Jan 20 10:50:57 localhost sshd[28668]: SSH: Server;Ltype: Authname;Remote: 88.190.31.135-57437;Name: root [preauth]
Jan 20 10:50:57 localhost sshd[28668]: Received disconnect from 88.190.31.135: 11: Bye Bye [preauth]
Jan 20 10:50:57 localhost sshd[28670]: SSH: Server;Ltype: Version;Remote: 88.190.31.135-57515;Protocol: 2.0;Client: libssh-0.1
Jan 20 10:50:57 localhost sshd[28670]: SSH: Server;Ltype: Kex;Remote: 88.190.31.135-57515;Enc: aes128-cbc;MAC: hmac-sha1;Comp: none [preauth]
Jan 20 10:50:58 localhost sshd[28670]: SSH: Server;Ltype: Authname;Remote: 88.190.31.135-57515;Name: root [preauth]
Jan 20 10:50:58 localhost sshd[28670]: Received disconnect from 88.190.31.135: 11: Bye Bye [preauth]

Después de esto, probó con otro usuario, Oracle, que ni siquiera existe: 

Jan 20 10:50:58 localhost sshd[28672]: SSH: Server;Ltype: Version;Remote: 88.190.31.135-57584;Protocol: 2.0;Client: libssh-0.1
Jan 20 10:50:58 localhost sshd[28672]: SSH: Server;Ltype: Kex;Remote: 88.190.31.135-57584;Enc: aes128-cbc;MAC: hmac-sha1;Comp: none [preauth]
Jan 20 10:50:58 localhost sshd[28672]: SSH: Server;Ltype: Authname;Remote: 88.190.31.135-57584;Name: oracle [preauth]
Jan 20 10:50:58 localhost sshd[28672]: Invalid user oracle from 88.190.31.135
Jan 20 10:50:58 localhost sshd[28672]: input_userauth_request: invalid user oracle [preauth]
Jan 20 10:50:58 localhost sshd[28672]: pam_tally2(sshd:auth): pam_get_uid; no such user
Jan 20 10:50:58 localhost sshd[28672]: pam_unix(sshd:auth): check pass; user unknown
Jan 20 10:50:58 localhost sshd[28672]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=sd-32510.dedibox.fr
Jan 20 10:51:00 localhost sshd[28672]: Failed password for invalid user oracle from 88.190.31.135 port 57584 ssh2
Jan 20 10:51:00 localhost sshd[28672]: Received disconnect from 88.190.31.135: 11: Bye Bye [preauth]
Jan 20 10:51:00 localhost sshd[28674]: SSH: Server;Ltype: Version;Remote: 88.190.31.135-58021;Protocol: 2.0;Client: libssh-0.1
Jan 20 10:51:00 localhost sshd[28674]: SSH: Server;Ltype: Kex;Remote: 88.190.31.135-58021;Enc: aes128-cbc;MAC: hmac-sha1;Comp: none [preauth]
Jan 20 10:51:00 localhost sshd[28674]: SSH: Server;Ltype: Authname;Remote: 88.190.31.135-58021;Name: oracle [preauth]
Jan 20 10:51:00 localhost sshd[28674]: Invalid user oracle from 88.190.31.135
Jan 20 10:51:00 localhost sshd[28674]: input_userauth_request: invalid user oracle [preauth]
Jan 20 10:51:00 localhost sshd[28674]: pam_tally2(sshd:auth): pam_get_uid; no such user
Jan 20 10:51:00 localhost sshd[28674]: pam_unix(sshd:auth): check pass; user unknown
Jan 20 10:51:00 localhost sshd[28674]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=sd-32510.dedibox.fr
Jan 20 10:51:02 localhost sshd[28674]: Failed password for invalid user oracle from 88.190.31.135 port 58021 ssh2
Jan 20 10:51:02 localhost sshd[28674]: Received disconnect from 88.190.31.135: 11: Bye Bye [preauth]
Jan 20 10:51:02 localhost sshd[28676]: SSH: Server;Ltype: Version;Remote: 88.190.31.135-59203;Protocol: 2.0;Client: libssh-0.1
Jan 20 10:51:02 localhost sshd[28676]: SSH: Server;Ltype: Kex;Remote: 88.190.31.135-59203;Enc: aes128-cbc;MAC: hmac-sha1;Comp: none [preauth]
Jan 20 10:51:03 localhost sshd[28676]: SSH: Server;Ltype: Authname;Remote: 88.190.31.135-59203;Name: oracle [preauth]
Jan 20 10:51:03 localhost sshd[28676]: Invalid user oracle from 88.190.31.135
Jan 20 10:51:03 localhost sshd[28676]: input_userauth_request: invalid user oracle [preauth]
Jan 20 10:51:03 localhost sshd[28676]: pam_tally2(sshd:auth): pam_get_uid; no such user
Jan 20 10:51:03 localhost sshd[28676]: pam_unix(sshd:auth): check pass; user unknown
Jan 20 10:51:03 localhost sshd[28676]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=sd-32510.dedibox.fr
Jan 20 10:51:04 localhost sshd[28676]: Failed password for invalid user oracle from 88.190.31.135 port 59203 ssh2
Jan 20 10:51:04 localhost sshd[28676]: Received disconnect from 88.190.31.135: 11: Bye Bye [preauth]
Jan 20 10:51:04 localhost sshd[28678]: SSH: Server;Ltype: Version;Remote: 88.190.31.135-59651;Protocol: 2.0;Client: libssh-0.1
Jan 20 10:51:04 localhost sshd[28678]: SSH: Server;Ltype: Kex;Remote: 88.190.31.135-59651;Enc: aes128-cbc;MAC: hmac-sha1;Comp: none [preauth]

Después de eso: /var/log/fail2ban 

2012-01-20 10:51:04,701 fail2ban.actions: WARNING [ssh-iptables] Ban 88.190.31.135

Me pregunto por qué no sucedió esto cuando intentó acceder a mi servidor con la cuenta raíz. Apuesto a que hay una manera de cambiar el comportamiento de fail2bans aquí, pero ¿cómo?

información del sistema, en caso necesario: gentoo 3.2.0, openssh 5.9, iptables-1.4.12.1, fail2ban-0.8.6

    
pregunta Baarn 20.01.2012 - 15:08
fuente

1 respuesta

6

En tu segundo ejemplo, verás authentication failure , y eso es lo que Fail2Ban estaba tecleando.

Como ejemplo de la configuración actual de instalación nueva en Ubuntu (/etc/fail2ban/filter.d/sshd.conf: 

failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$
        ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
        ^%(__prefix_line)sFailed (?:password|publickey) for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$
        ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
        ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
        ^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers$
        ^%(__prefix_line)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
        ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
        ^%(__prefix_line)sAddress <HOST> .* POSSIBLE BREAK-IN ATTEMPT!*\s*$
        ^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$

Si desea deshacerse de los intentos de la cuenta raíz, tendrá que agregar una línea que coincida con una línea de los inicios de sesión de raíz. 

Jan 20 10:50:57 localhost sshd[28668]: SSH: Server;Ltype: Authname;Remote: 88.190.31.135-57437;Name: root [preauth]
Jan 20 10:50:57 localhost sshd[28668]: Received disconnect from 88.190.31.135: 11: Bye Bye [preauth]

Formatee una expresión regular para que coincida con una de esas líneas, ya sea cuando alguien intente autenticarse como root o cuando alguien se desconecte durante la pre-autenticación.

Ejemplo: 

^%(__prefix_line)s.+Name: root \[preauth\]\s*$
    
respondido por el Jeff Ferland 20.01.2012 - 16:19
fuente

Lea otras preguntas en las etiquetas

Certificaciones de seguridad web [cerrado] ¿Se puede arrancar desde un troyano un CD de Linux recién descargado?