Gentoo Forums :: French
Fail2ban and Gentoo release 2
nono67 (n00b, joined 22 Nov 2012, 6 posts)
Posted: Thu Nov 22, 2012 8:11 am    Post subject: Fail2ban and Gentoo release 2

Hi all,

I manage a dedicated server running Gentoo Release 2 and I am trying to get fail2ban working. I tested whether fail2ban works and it is OK, yet when I look at my logwatch logs I see this:

Quote:

--------------------- Named Begin ------------------------

**Unmatched Entries**
DNS format error from 173.239.19.118#53 resolving node1.quickparasolid.com/AAAA for client 127.0.0.1 invalid response: 36 Time(s)
client 94.23.208.173 query (cache) '10.2.11.8.in-addr.arpa/PTR/IN' denied: 22 Time(s)
client 94.23.208.173 query (cache) '101.5.76.180.in-addr.arpa/PTR/IN' denied: 12 Time(s)
client 94.23.208.173 query (cache) '103.5.76.180.in-addr.arpa/PTR/IN' denied: 20 Time(s)
client 94.23.208.173 query (cache) '107.5.76.180.in-addr.arpa/PTR/IN' denied: 8 Time(s)
client 94.23.208.173 query (cache) '110.5.76.180.in-addr.arpa/PTR/IN' denied: 26 Time(s)
etc....
---------------------- Named Begin End -------------------------

etc....

--------------------- SSHD Begin ------------------------

**Unmatched Entries**
reverse mapping checking getaddrinfo for ip223.hichina.com [223.4.171.218] failed - POSSIBLE BREAK-IN ATTEMPT! : 147 time(s)

---------------------- SSHD End -------------------------


What should I do to stop all these many DNS resolution requests (every day I get an endless list of them!) as well as the attempt made via SSH (147 times)? Below is my jail.conf file. Also, in this jail.conf file, which path (logpath = /var/log/sshd.log) should I put in the [ssh-iptables] and [proftpd-iptables] sections, since there is no /var/log/ directory under Gentoo Release 2?

Quote:

# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 617 $
#

# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1

# "bantime" is the number of seconds that a host is banned.
bantime = 600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600

# "maxretry" is the number of failures before a host gets banned.
maxretry = 3

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto". This option can be overridden in
# each jail too (use "gamin" for a jail and "polling" for another).
#
# gamin: requires Gamin (a file alteration monitor) to be installed. If Gamin
# is not installed, Fail2ban will use polling.
# polling: uses a polling algorithm which does not require external libraries.
# auto: will choose Gamin if available and polling otherwise.
backend = auto


# This jail corresponds to the standard configuration in Fail2ban 0.6.
# The mail-whois action sends a notification e-mail with a whois request
# in the body.

[ssh-iptables]

enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
         sendmail-whois[name=SSH, dest=mon@email.com, sender=fail2ban@mail.com]
logpath = /var/log/sshd.log
maxretry = 5

[proftpd-iptables]

enabled = true
filter = proftpd
action = iptables[name=ProFTPD, port=ftp, protocol=tcp]
         sendmail-whois[name=ProFTPD, dest=mon@email.com]
logpath = /var/log/proftpd/proftpd.log
maxretry = 6

# This jail forces the backend to "polling".

[sasl-iptables]

enabled = false
filter = sasl
backend = polling
action = iptables[name=sasl, port=smtp, protocol=tcp]
         sendmail-whois[name=sasl, dest=you@mail.com]
logpath = /var/log/mail.log

# Here we use TCP-Wrappers instead of Netfilter/Iptables. "ignoreregex" is
# used to avoid banning the user "myuser".

[ssh-tcpwrapper]

enabled = false
filter = sshd
action = hostsdeny
         sendmail-whois[name=SSH, dest=you@mail.com]
ignoreregex = for myuser from
logpath = /var/log/sshd.log

# This jail demonstrates the use of wildcards in "logpath".
# Moreover, it is possible to give other files on a new line.

[apache-tcpwrapper]

enabled = false
filter = apache-auth
action = hostsdeny
logpath = /var/log/apache*/*error.log
          /home/www/myhomepage/error.log
maxretry = 6

# The hosts.deny path can be defined with the "file" argument if it is
# not in /etc.

[postfix-tcpwrapper]

enabled = false
filter = postfix
action = hostsdeny[file=/not/a/standard/path/hosts.deny]
         sendmail[name=Postfix, dest=you@mail.com]
logpath = /var/log/postfix.log
bantime = 300

# Do not ban anybody. Just report information about the remote host.
# A notification is sent at most every 600 seconds (bantime).

[vsftpd-notification]

enabled = false
filter = vsftpd
action = sendmail-whois[name=VSFTPD, dest=you@mail.com]
logpath = /var/log/vsftpd.log
maxretry = 5
bantime = 1800

# Same as above but with banning the IP address.

[vsftpd-iptables]

enabled = false
filter = vsftpd
action = iptables[name=VSFTPD, port=ftp, protocol=tcp]
         sendmail-whois[name=VSFTPD, dest=you@mail.com]
logpath = /var/log/vsftpd.log
maxretry = 5
bantime = 1800

# Ban hosts whose user agent identifies them as spam robots crawling the web
# for email addresses. The mail outputs are buffered.

[apache-badbots]

enabled = false
filter = apache-badbots
action = iptables-multiport[name=BadBots, port="http,https"]
         sendmail-buffered[name=BadBots, lines=5, dest=you@mail.com]
logpath = /var/www/*/logs/access_log
bantime = 172800
maxretry = 1

# Use shorewall instead of iptables.

[apache-shorewall]

enabled = false
filter = apache-noscript
action = shorewall
         sendmail[name=Postfix, dest=you@mail.com]
logpath = /var/log/apache2/error_log

# This jail uses ipfw, the standard firewall on FreeBSD. The "ignoreip"
# option is overridden in this jail. Moreover, the action "mail-whois" defines
# the variable "name" which contains a comma using "". The characters '' are
# valid too.

[ssh-ipfw]

enabled = false
filter = sshd
action = ipfw[localhost=192.168.0.1]
         sendmail-whois[name="SSH,IPFW", dest=you@mail.com]
logpath = /var/log/auth.log
ignoreip = 168.192.0.1

# These jails block attacks against named (bind9). By default, logging is off
# with bind9 installation. You will need something like this:
#
# logging {
# channel security_file {
# file "/var/log/named/security.log" versions 3 size 30m;
# severity dynamic;
# print-time yes;
# };
# category security {
# security_file;
# };
# }
#
# in your named.conf to provide proper logging.
# This jail blocks UDP traffic for DNS requests.

[named-refused-udp]

enabled = false
filter = named-refused
action = iptables-multiport[name=Named, port="domain,953", protocol=udp]
         sendmail-whois[name=Named, dest=you@mail.com]
logpath = /var/log/named/security.log
ignoreip = 168.192.0.1

# This jail blocks TCP traffic for DNS requests.

[named-refused-tcp]

enabled = false
filter = named-refused
action = iptables-multiport[name=Named, port="domain,953", protocol=tcp]
         sendmail-whois[name=Named, dest=you@mail.com]
logpath = /var/log/named/security.log
ignoreip = 168.192.0.1


I think I understood that Python is needed to run fail2ban; is Python installed by default on Gentoo Release 2? How can I tell whether Python is working on my server?

Managing a dedicated server is not my job, so thanks for your patience with me :D

Thanks for your help.

Bruno
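One way to answer the logpath question above is to read the jail.conf and report, for every enabled jail, which log paths match no file on the server. This is an added example (not code from the thread or from fail2ban); the excerpt is constructed from the posted jail.conf.

```python
import configparser
import glob

# Constructed excerpt modelled on the jail.conf posted in the thread (not the full file).
SAMPLE_JAIL_CONF = """\
[DEFAULT]
maxretry = 3

[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
         sendmail-whois[name=SSH, dest=mon@email.com]
logpath = /var/log/sshd.log
maxretry = 5

[apache-tcpwrapper]
enabled = false
filter = apache-auth
action = hostsdeny
logpath = /var/log/apache*/*error.log
          /home/www/myhomepage/error.log
"""

def enabled_jails(conf_text):
    """Return {jail: [logpath patterns]} for every jail with enabled = true."""
    cp = configparser.ConfigParser(interpolation=None)  # jail.conf is INI-style
    cp.read_string(conf_text)
    jails = {}
    for name in cp.sections():  # [DEFAULT] is not listed here
        if not cp.getboolean(name, "enabled", fallback=False):
            continue
        # logpath may list several files/wildcards, one per (indented) line
        raw = cp.get(name, "logpath", fallback="")
        jails[name] = [p.strip() for p in raw.splitlines() if p.strip()]
    return jails

def missing_logpaths(conf_text):
    """Return {jail: [patterns matching no existing file]} for enabled jails."""
    missing = {}
    for jail, patterns in enabled_jails(conf_text).items():
        absent = [p for p in patterns if not glob.glob(p)]  # wildcards allowed
        if absent:
            missing[jail] = absent
    return missing

if __name__ == "__main__":
    for jail, absent in missing_logpaths(SAMPLE_JAIL_CONF).items():
        print(f"[{jail}] no file matches: {', '.join(absent)}")
```

A jail listed in the output has nothing to watch, so it will never ban anyone, which is exactly the symptom of a wrong logpath.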
xaviermiller (Administrator, joined 23 Jul 2004, 5698 posts, location ~Brussels - Belgique)
Posted: Thu Nov 22, 2012 9:17 am

Hello,

The "OVH-flavoured Gentoo" is not supported here, because OVH has tinkered too much with the base Gentoo. Check with OVH if you intend to stay on that system.

Otherwise, in principle Python should be installed, since it is a prerequisite for Gentoo.
_________________
Kind regards,
Xavier Miller
nono67 (n00b, joined 22 Nov 2012, 6 posts)
Posted: Thu Nov 22, 2012 9:47 am

Thanks for your reply, Xavier.

I will try to check with OVH support, but I already fear their answer: pay for managed hosting to get fail2ban working :(
xaviermiller (Administrator, joined 23 Jul 2004, 5698 posts, location ~Brussels - Belgique)
Posted: Thu Nov 22, 2012 9:56 am

In the meantime, here is some documentation:
http://forum.ovh.com/showthread.php?t=35044
http://en.gentoo-wiki.com/wiki/Fail2ban
_________________
Kind regards,
Xavier Miller
nono67 (n00b, joined 22 Nov 2012, 6 posts)
Posted: Thu Nov 22, 2012 10:40 am

Thanks again Xavier, but in this post http://forum.ovh.com/showthread.php?t=35044 they say to add

Quote:

auth.info;mail.none -/var/log/sshd.log

to "/etc/syslog.conf"


But I have no syslog.conf file at /etc/syslog.conf :(

or else:

Quote:

Uncomment these lines in /etc/sshd/sshd_config:

Code:
SyslogFacility AUTH
LogLevel INFO


But there are no "SyslogFacility AUTH" and "LogLevel INFO" lines in /etc/sshd/sshd_config :(

That post dates from 2008 and the information may no longer be up to date...
xaviermiller (Administrator, joined 23 Jul 2004, 5698 posts, location ~Brussels - Belgique)
Posted: Thu Nov 22, 2012 10:44 am

I don't know fail2ban, I'll leave it to others ;)
_________________
Kind regards,
Xavier Miller
nono67 (n00b, joined 22 Nov 2012, 6 posts)
Posted: Thu Nov 22, 2012 1:30 pm

I have read quite a lot on the web about fail2ban, like "use fail2ban to manage IP address blacklisting, you'll see, it's easy!", but in practice it is not that simple to set up, depending on your server's configuration!
ibasaw (Tux's lil' helper, joined 27 Aug 2006, 130 posts, location France)
Posted: Thu Nov 22, 2012 2:45 pm

nono67 wrote:
Thanks again Xavier, but in this post http://forum.ovh.com/showthread.php?t=35044 they say to add

Quote:

auth.info;mail.none -/var/log/sshd.log

to "/etc/syslog.conf"


But I have no syslog.conf file at /etc/syslog.conf :(

or else:

Quote:

Uncomment these lines in /etc/sshd/sshd_config:

Code:
SyslogFacility AUTH
LogLevel INFO


But there are no "SyslogFacility AUTH" and "LogLevel INFO" lines in /etc/sshd/sshd_config :(

That post dates from 2008 and the information may no longer be up to date...


run a quick
Code:
emerge app-admin/syslog-ng


I did not touch the sshd_config file to get fail2ban working

(if you can, change your release; OVH's one only brings problems...)

contents of my sshd.conf in filter.d
Code:

# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision$
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf


[Definition]

_daemon = sshd

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$
            ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
            ^%(__prefix_line)sFailed (?:password|publickey) for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$
            ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
            ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers$
            ^%(__prefix_line)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
            ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
            ^%(__prefix_line)sreverse mapping checking getaddrinfo for .* \[<HOST>\] .* POSSIBLE BREAK-IN ATTEMPT!*\s*$
            ^%(__prefix_line)sreverse mapping checking getaddrinfo for .* \[<HOST>\] failed - POSSIBLE BREAK-IN ATTEMPT!\s*$
            ^%(__prefix_line)sUser \S+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =


obviously you have to point it at the right log files for each agent, otherwise it will be unable to block the requests.

See you
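To make the last point concrete, here is an added example (not code from the thread or from fail2ban) that applies three of the failregex lines from the filter above to constructed sshd log lines, expands `<HOST>` the way the filter's own comment documents it, and reports which hosts would reach the [ssh-iptables] jail's maxretry within findtime. The syslog prefix used for `__prefix_line` and the sample log lines are assumptions.

```python
import re
from collections import defaultdict

# <HOST> is expanded exactly as the filter's own comment documents it; the
# __prefix_line syslog prefix is an assumption (common.conf is not on the page).
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"
PREFIX_LINE = r"\S+ \d+ (\d+):(\d+):(\d+) \S+ sshd\[\d+\]: "

# Three of the failregex lines from the sshd.conf above.
FAILREGEX = [
    r"^%(__prefix_line)sFailed (?:password|publickey) for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$",
    r"^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$",
    r"^%(__prefix_line)sreverse mapping checking getaddrinfo for .* \[<HOST>\] failed - POSSIBLE BREAK-IN ATTEMPT!\s*$",
]
REGEXES = [re.compile(p.replace("%(__prefix_line)s", PREFIX_LINE).replace("<HOST>", HOST))
           for p in FAILREGEX]

# Constructed sample of what sshd writes to the logpath (documentation-range IPs).
SAMPLE_LOG = """\
Nov 22 08:11:01 srv sshd[1201]: Failed password for root from 192.0.2.7 port 4321 ssh2
Nov 22 08:11:05 srv sshd[1202]: Invalid user admin from 192.0.2.7
Nov 22 08:11:09 srv sshd[1203]: reverse mapping checking getaddrinfo for host.example [192.0.2.7] failed - POSSIBLE BREAK-IN ATTEMPT!
Nov 22 08:11:12 srv sshd[1204]: Failed password for root from 192.0.2.7 port 4322 ssh2
Nov 22 08:11:20 srv sshd[1205]: Failed publickey for root from 192.0.2.7 port 4323 ssh2
Nov 22 08:30:00 srv sshd[1300]: Failed password for bruno from 192.0.2.99 port 5000 ssh2
Nov 22 09:30:00 srv sshd[1301]: Failed password for bruno from 192.0.2.99 port 5001 ssh2
Nov 22 09:40:00 srv sshd[1302]: Accepted password for bruno from 192.0.2.99 port 5002 ssh2
""".splitlines()

def hosts_to_ban(lines, maxretry=5, findtime=600):
    """Hosts with >= maxretry failregex hits inside any findtime-second window,
    i.e. the condition the [ssh-iptables] jail (maxretry = 5) bans on."""
    hits = defaultdict(list)
    for line in lines:
        for rx in REGEXES:
            m = rx.match(line)
            if m:
                h, mn, s = (int(x) for x in m.groups()[:3])  # prefix time groups
                hits[m.group("host")].append(h * 3600 + mn * 60 + s)
                break  # one hit per line, whichever failregex matched first
    banned = set()
    for host, times in hits.items():
        times.sort()
        for i in range(len(times) - maxretry + 1):  # sliding window of maxretry hits
            if times[i + maxretry - 1] - times[i] <= findtime:
                banned.add(host)
                break
    return banned
```

The "Accepted password" line never matches, and the second host's two failures an hour apart stay below findtime, so only the first host is banned; the same lines fed through the real filter should give the same result, which is a quick way to validate a logpath and filter pairing.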
nono67 (n00b, joined 22 Nov 2012, 6 posts)
Posted: Fri Nov 23, 2012 7:52 pm

Thanks for your reply ZuckBin.

I realize that OVH's Release 2 is badly designed; a while ago I wanted to install PHP modules to run a credit-card payment application, but I couldn't, because future updates of Release 2 would not take these added modules into account :(

Today it's stuck for fail2ban too :( :(
nox23 (n00b, joined 15 Jul 2012, 30 posts)
Posted: Sun Nov 25, 2012 12:12 pm

the Gentoo release 2 version is (very?) old and updates or software installs are not welcome :? :(
if you want to tweak your Gentoo I advise you to do a clean Gentoo install; then you will be free to do whatever you want (install, update, config, ...)
release 2 is made to work out of the box and that's it.
if you start tweaking release 2 you will certainly break things :D
nono67 (n00b, joined 22 Nov 2012, 6 posts)
Posted: Tue Dec 17, 2013 10:12 am

I'm reopening this old thread because fail2ban still doesn't work on my Gentoo R2 server: nono is stubborn :lol:

I tried to find out fail2ban's status by typing /etc/init.d/fail2ban status and it tells me it is stopped: "status: stopped".

I type the command /etc/init.d/fail2ban start and then it tells me "Failed to start fail2ban".

Question: how do I start fail2ban?

Has anyone here managed to get fail2ban working on a Gentoo R2 server?

Thanks for your answers.

Nono
xaviermiller (Administrator, joined 23 Jul 2004, 5698 posts, location ~Brussels - Belgique)
Posted: Tue Dec 17, 2013 10:21 am

Check with OVH support.
_________________
Kind regards,
Xavier Miller
El_Goretto (Advocate, joined 29 May 2004, 2897 posts, location Paris)
Posted: Tue Dec 17, 2013 4:11 pm

Seriously, it was already an old and mouldy "OS" in 2012; we're coming up on 2014, and it hasn't fixed itself automagically? :)
_________________
-PC: 2500K/P8Z68V, 8Go, R9-290, M4 256Go, MX100 512Go
-Home servers (hardened): µ-serv Gen8 G1610T ; NF9D-2700, 4Go ; DS61, i3 2100T, 16Go ; [µ-serv N40L]
-Network: ERL-3 + 3x GS108Tv2 switches
-NAS: RN312
http://boycottsystemd.org/
All times are GMT