
Fail2ban - iptables doesn't ban

Posted: 17 Oct 2016, 05:17
by Moon
Hello,

I have a serious problem: I banned a few IP addresses manually with iptables -A INPUT -s ip -j REJECT. But exactly these IPs keep accessing the server again and again, get banned again, and so they also show up twice in iptables. Why can these IPs still attack the server?

REJECT all -- 221.229.172.104 anywhere reject-with icmp-port-unreachable

This is an iptables entry and one IP that is giving me particular trouble.

Here is an excerpt from the fail2ban logs:

Oct 16 07:33:11 server1 sshd[30469]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.229.172.104 user=root
Oct 16 07:33:13 server1 sshd[30469]: Failed password for root from 221.229.172.104 port 52079 ssh2
Oct 16 07:33:15 server1 sshd[30469]: Failed password for root from 221.229.172.104 port 52079 ssh2
Oct 16 07:33:17 server1 sshd[30469]: Failed password for root from 221.229.172.104 port 52079 ssh2

Thanks for the help
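
The thread never shows the full INPUT chain, so the following is an added example (not code from the thread, from Moon's server, or from fail2ban) that makes the one iptables fact relevant here visible: a chain is evaluated top to bottom and the first terminating match (ACCEPT, DROP, REJECT) wins, so a rule appended with -A sits behind every ACCEPT rule already in the chain, while -I CHAIN 1 puts it in front. The script parses "iptables -S"-style rule lines and walks them the way the kernel would for the first packet of a new SSH connection. The three chains it evaluates are constructed for the example; whether Moon's INPUT chain really contains an ACCEPT for port 22 ahead of the manual REJECT is not shown in the thread and is an assumption made here to illustrate the pattern.

```python
import ipaddress
import shlex
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

@dataclass
class Rule:
    chain: str
    target: Optional[str]
    text: str
    src: Optional[ipaddress.IPv4Network] = None
    proto: Optional[str] = None
    dports: Set[int] = field(default_factory=set)
    states: Set[str] = field(default_factory=set)

@dataclass
class Packet:
    """First packet of a new inbound connection, e.g. a fresh SSH login attempt."""
    src: str
    proto: str = "tcp"
    dport: int = 22
    state: str = "NEW"

TERMINAL = {"ACCEPT", "DROP", "REJECT"}

def parse_rules(lines: List[str]) -> Tuple[Dict[str, List[Rule]], Dict[str, str]]:
    """Parse 'iptables -S' output. Only -s, -p, --dport(s), --ctstate and -j are
    modelled; other options (-m ..., --reject-with ...) are skipped."""
    chains: Dict[str, List[Rule]] = {}
    policies: Dict[str, str] = {}
    for raw in lines:
        tok = shlex.split(raw)
        if not tok:
            continue
        if tok[0] in ("-P", "-N"):           # chain policy / user-defined chain
            chains.setdefault(tok[1], [])
            if tok[0] == "-P":
                policies[tok[1]] = tok[2]
            continue
        if tok[0] != "-A":
            continue
        rule = Rule(chain=tok[1], target=None, text=raw.strip())
        i = 2
        while i < len(tok):
            opt = tok[i]
            if opt == "-s":
                rule.src = ipaddress.ip_network(tok[i + 1], strict=False)
            elif opt == "-p":
                rule.proto = tok[i + 1]
            elif opt in ("--dport", "--dports"):
                for part in tok[i + 1].split(","):   # "22" or "22:23" or "22,2222"
                    lo, _, hi = part.partition(":")
                    rule.dports.update(range(int(lo), int(hi or lo) + 1))
            elif opt == "--ctstate":
                rule.states = set(tok[i + 1].split(","))
            elif opt == "-j":
                rule.target = tok[i + 1]
            else:
                i += 1                         # unmodelled option: skip it
                continue
            i += 2
        chains.setdefault(rule.chain, []).append(rule)
    return chains, policies

def matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.src is None or ipaddress.ip_address(pkt.src) in rule.src)
            and (rule.proto is None or rule.proto == pkt.proto)
            and (not rule.dports or pkt.dport in rule.dports)
            and (not rule.states or pkt.state in rule.states))

def verdict(chains, policies, pkt: Packet, chain: str = "INPUT"):
    """First-match walk of `chain`; returns (verdict, rule text) or (None, None)
    when a user chain falls through (RETURN) to its caller."""
    for rule in chains.get(chain, []):
        if not matches(rule, pkt):
            continue
        if rule.target == "RETURN":
            break
        if rule.target in TERMINAL:
            return rule.target, rule.text
        if rule.target in chains:                  # jump into a user chain
            v, t = verdict(chains, policies, pkt, rule.target)
            if v is not None:
                return v, t
    if chain in policies:                          # built-in chain: policy applies
        return policies[chain], "policy " + policies[chain]
    return None, None

# Constructed sample chains (assumed layout, not taken from the thread).
BASE = ["-P INPUT DROP", "-N fail2ban-ssh",
        "-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh",
        "-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT",
        "-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT"]
MANUAL = "-A INPUT -s 221.229.172.104/32 -j REJECT --reject-with icmp-port-unreachable"
F2B_BAN = "-A fail2ban-ssh -s 221.229.172.104/32 -j REJECT --reject-with icmp-port-unreachable"
F2B_TAIL = "-A fail2ban-ssh -j RETURN"
WHILE_BANNED = BASE + [MANUAL, F2B_BAN, F2B_TAIL]        # manual rule appended, f2b ban active
AFTER_UNBAN = BASE + [MANUAL, F2B_TAIL]                  # f2b unbanned: only the appended rule is left
INSERTED_FIRST = BASE[:2] + [MANUAL] + BASE[2:] + [F2B_TAIL]  # what 'iptables -I INPUT 1 ...' gives

if __name__ == "__main__":
    for name, rules in (("while banned", WHILE_BANNED), ("after unban", AFTER_UNBAN),
                        ("manual rule inserted first", INSERTED_FIRST)):
        ch, pol = parse_rules(rules)
        print(name, "->", verdict(ch, pol, Packet("221.229.172.104")))
```

Run as-is, the script shows the appended REJECT only ever "working" while fail2ban's own rule in fail2ban-ssh is present; once that is removed by the unban, the ACCEPT for port 22 matches first and the manual rule is never reached. The same walk over the real output of iptables -S INPUT (run as root) tells you which rule actually handles a given source before trusting a ban.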

Re: Fail2ban - iptables doesn't ban

Posted: 18 Oct 2016, 15:51
by Martin
Hi Moon,

Is it possibly a VServer where the iptables module isn't in the kernel, or has been "tweaked" by the provider?

Could you set the log level in /etc/fail2ban/fail2ban.conf to "4" (debug), restart fail2ban and then post the entries from /var/log/fail2ban.log for that IP and for iptables?
That should find the cause.

Re: Fail2ban - iptables doesn't ban

Posted: 18 Oct 2016, 23:39
by Moon
If, for example, I ban myself by entering a wrong SSH password, or via a permanent ban, that strangely does work. I have edited the log level. I'll send the log when I get a chance.

Re: Fail2ban - iptables doesn't ban

Posted: 19 Oct 2016, 19:55
by Moon
: DEBUG Matched time template MONTH Day Hour:Minute:Second
2016-10-19 15:46:16,723 fail2ban.filter.datedetector[2327]: DEBUG Matched time template MONTH Day Hour:Minute:Second
2016-10-19 15:46:16,723 fail2ban.filter.datedetector[2327]: DEBUG Got time using template MONTH Day Hour:Minute:Second
2016-10-19 15:46:16,723 fail2ban.filter.datedetector[2327]: DEBUG Got time using template MONTH Day Hour:Minute:Second
2016-10-19 15:46:16,724 fail2ban.filter.datedetector[2327]: DEBUG Sorting the template list
2016-10-19 15:46:16,724 fail2ban.filter.datedetector[2327]: DEBUG Sorting the template list
2016-10-19 15:46:16,724 fail2ban.filter.datedetector[2327]: DEBUG Winning template: MONTH Day Hour:Minute:Second with 1926 hits
2016-10-19 15:46:16,724 fail2ban.filter.datedetector[2327]: DEBUG Winning template: MONTH Day Hour:Minute:Second with 1926 hits
2016-10-19 15:52:45,249 fail2ban.actions[2327]: WARNING [ssh] Unban 221.229.172.104
2016-10-19 15:52:45,249 fail2ban.actions.action[2327]: DEBUG iptables -n -L INPUT | grep -q 'fail2ban-ssh[ \t]'
2016-10-19 15:52:45,718 fail2ban.actions.action[2327]: DEBUG iptables -n -L INPUT | grep -q 'fail2ban-ssh[ \t]' returned successfully
2016-10-19 15:52:45,718 fail2ban.actions.action[2327]: DEBUG iptables -D fail2ban-ssh -s 221.229.172.104 -j REJECT --reject-with icmp-port-unreachable
2016-10-19 15:52:45,722 fail2ban.actions.action[2327]: DEBUG iptables -D fail2ban-ssh -s 221.229.172.104 -j REJECT --reject-with icmp-port-unreachable returned successfully
2016-10-19 15:52:45,722 fail2ban.actions.action[2327]: DEBUG Nothing to do
2016-10-19 15:53:11,539 fail2ban.filter [2327]: DEBUG Default Callback for Event: <Event dir=False mask=0x2 maskname=IN_MODIFY name='' path=/var/log/auth.log pathname=/var$
2016-10-19 15:53:11,540 fail2ban.filter.datedetector[2327]: DEBUG Matched time template MONTH Day Hour:Minute:Second
2016-10-19 15:53:11,540 fail2ban.filter.datedetector[2327]: DEBUG Got time using template MONTH Day Hour:Minute:Second
2016-10-19 15:53:11,540 fail2ban.filter.datedetector[2327]: DEBUG Sorting the template list
2016-10-19 15:53:11,540 fail2ban.filter.datedetector[2327]: DEBUG Winning template: MONTH Day Hour:Minute:Second with 1927 hits
2016-10-19 15:53:11,541 fail2ban.filter [2327]: DEBUG Default Callback for Event: <Event dir=False mask=0x2 maskname=IN_MODIFY name='' path=/var/log/auth.log pathname=/var$
2016-10-19 15:53:11,541 fail2ban.filter.datedetector[2327]: DEBUG Matched time template MONTH Day Hour:Minute:Second

2016-10-19 15:53:11,541 fail2ban.filter [2327]: DEBUG Default Callback for Event: <Event dir=False mask=0x2 maskname=IN_MODIFY name='' path=/var/log/auth.log pathname=/var$
2016-10-19 15:53:11,541 fail2ban.filter.datedetector[2327]: DEBUG Matched time template MONTH Day Hour:Minute:Second
2016-10-19 15:53:11,541 fail2ban.filter.datedetector[2327]: DEBUG Got time using template MONTH Day Hour:Minute:Second
2016-10-19 15:53:11,541 fail2ban.filter.datedetector[2327]: DEBUG Sorting the template list
2016-10-19 15:53:11,541 fail2ban.filter.datedetector[2327]: DEBUG Winning template: MONTH Day Hour:Minute:Second with 1927 hits
2016-10-19 15:53:13,842 fail2ban.filter [2327]: DEBUG Default Callback for Event: <Event dir=False mask=0x2 maskname=IN_MODIFY name='' path=/var/log/auth.log pathname=/var$
2016-10-19 15:53:13,842 fail2ban.filter.datedetector[2327]: DEBUG Matched time template MONTH Day Hour:Minute:Second
2016-10-19 15:53:13,842 fail2ban.filter.datedetector[2327]: DEBUG Got time using template MONTH Day Hour:Minute:Second
2016-10-19 15:53:13,843 fail2ban.filter [2327]: DEBUG Processing line with time:1476885193.0 and ip:221.229.172.104
2016-10-19 15:53:13,843 fail2ban.filter [2327]: DEBUG Found 221.229.172.104
2016-10-19 15:53:13,843 fail2ban.filter [2327]: DEBUG Total # of detected failures: 85. Current failures from 2 IPs (IP:count): 221.229.172.104:1, 185.93.185.239:2
2016-10-19 15:53:13,843 fail2ban.filter.datedetector[2327]: DEBUG Sorting the template list
2016-10-19 15:53:13,843 fail2ban.filter.datedetector[2327]: DEBUG Winning template: MONTH Day Hour:Minute:Second with 1928 hits
2016-10-19 15:53:13,843 fail2ban.filter [2327]: DEBUG Default Callback for Event: <Event dir=False mask=0x2 maskname=IN_MODIFY name='' path=/var/log/auth.log pathname=/var$
2016-10-19 15:53:13,844 fail2ban.filter.datedetector[2327]: DEBUG Matched time template MONTH Day Hour:Minute:Second
2016-10-19 15:53:13,844 fail2ban.filter.datedetector[2327]: DEBUG Got time using template MONTH Day Hour:Minute:Second
2016-10-19 15:53:13,844 fail2ban.filter.datedetector[2327]: DEBUG Sorting the template list
2016-10-19 15:53:13,844 fail2ban.filter.datedetector[2327]: DEBUG Winning template: MONTH Day Hour:Minute:Second with 1928 hits
2016-10-19 15:53:15,919 fail2ban.filter [2327]: DEBUG Default Callback for Event: <Event dir=False mask=0x2 maskname=IN_MODIFY name='' path=/var/log/auth.log pathname=/var$
2016-10-19 15:53:15,919 fail2ban.filter.datedetector[2327]: DEBUG Matched time template MONTH Day Hour:Minute:Second
2016-10-19 15:53:15,920 fail2ban.filter.datedetector[2327]: DEBUG Got time using template MONTH Day Hour:Minute:Second
2016-10-19 15:53:15,920 fail2ban.filter.datedetector[2327]: DEBUG Sorting the template list
2016-10-19 15:53:15,920 fail2ban.filter.datedetector[2327]: DEBUG Winning template: MONTH Day Hour:Minute:Second with 1929 hits
2016-10-19 15:53:15,920 fail2ban.filter [2327]: DEBUG Default Callback for Event: <Event dir=False mask=0x2 maskname=IN_MODIFY name='' path=/var/log/auth.log pathname=/var$
2016-10-19 15:53:15,920 fail2ban.filter.datedetector[2327]: DEBUG Matched time template MONTH Day Hour:Minute:Second
2016-10-19 15:53:15,920 fail2ban.filter.datedetector[2327]: DEBUG Got time using template MONTH Day Hour:Minute:Second
2016-10-19 15:53:15,921 fail2ban.filter [2327]: DEBUG Processing line with time:1476885195.0 and ip:221.229.172.104
2016-10-19 15:53:15,921 fail2ban.filter [2327]: DEBUG Found 221.229.172.104
2016-10-19 15:53:15,921 fail2ban.filter [2327]: DEBUG Total # of detected failures: 86. Current failures from 2 IPs (IP:count): 221.229.172.104:2, 185.93.185.239:2
2016-10-19 15:53:15,921 fail2ban.filter.datedetector[2327]: DEBUG Sorting the template list
2016-10-19 15:53:15,921 fail2ban.filter.datedetector[2327]: DEBUG Winning template: MONTH Day Hour:Minute:Second with 1929 hits
2016-10-19 15:53:18,604 fail2ban.filter [2327]: DEBUG Default Callback for Event: <Event dir=False mask=0x2 maskname=IN_MODIFY name='' path=/var/log/auth.log pathname=/var$
2016-10-19 15:53:18,604 fail2ban.filter.datedetector[2327]: DEBUG Matched time template MONTH Day Hour:Minute:Second
2016-10-19 15:53:18,604 fail2ban.filter.datedetector[2327]: DEBUG Got time using template MONTH Day Hour:Minute:Second
2016-10-19 15:53:18,605 fail2ban.filter.datedetector[2327]: DEBUG Sorting the template list
2016-10-19 15:53:18,605 fail2ban.filter.datedetector[2327]: DEBUG Winning template: MONTH Day Hour:Minute:Second with 1930 hits
2016-10-19 15:53:18,605 fail2ban.filter [2327]: DEBUG Default Callback for Event: <Event dir=False mask=0x2 maskname=IN_MODIFY name='' path=/var/log/auth.log pathname=/var$
2016-10-19 15:53:18,606 fail2ban.filter.datedetector[2327]: DEBUG Matched time template MONTH Day Hour:Minute:Second
2016-10-19 15:53:18,606 fail2ban.filter.datedetector[2327]: DEBUG Got time using template MONTH Day Hour:Minute:Second
2016-10-19 15:53:18,606 fail2ban.filter [2327]: DEBUG Processing line with time:1476885198.0 and ip:221.229.172.104
2016-10-19 15:53:18,606 fail2ban.filter [2327]: DEBUG Found 221.229.172.104
2016-10-19 15:53:18,606 fail2ban.filter [2327]: DEBUG Total # of detected failures: 87. Current failures from 2 IPs (IP:count): 221.229.172.104:3, 185.93.185.239:2
2016-10-19 15:53:18,606 fail2ban.filter.datedetector[2327]: DEBUG Sorting the template list
2016-10-19 15:53:18,606 fail2ban.filter.datedetector[2327]: DEBUG Winning template: MONTH Day Hour:Minute:Second with 1930 hits
2016-10-19 15:53:18,606 fail2ban.filter.datedetector[2327]: DEBUG Sorting the template list
2016-10-19 15:53:18,606 fail2ban.filter.datedetector[2327]: DEBUG Winning template: MONTH Day Hour:Minute:Second with 1930 hits
2016-10-19 15:53:18,960 fail2ban.filter [2327]: DEBUG Default Callback for Event: <Event dir=False mask=0x2 maskname=IN_MODIFY name='' path=/var/log/auth.log pathname=/var$
2016-10-19 15:53:18,960 fail2ban.filter.datedetector[2327]: DEBUG Matched time template MONTH Day Hour:Minute:Second
2016-10-19 15:53:18,961 fail2ban.filter.datedetector[2327]: DEBUG Got time using template MONTH Day Hour:Minute:Second
2016-10-19 15:53:18,961 fail2ban.filter.datedetector[2327]: DEBUG Matched time template MONTH Day Hour:Minute:Second
2016-10-19 15:53:18,961 fail2ban.filter.datedetector[2327]: DEBUG Got time using template MONTH Day Hour:Minute:Second
2016-10-19 15:53:18,962 fail2ban.filter [2327]: DEBUG Default Callback for Event: <Event dir=False mask=0x2 maskname=IN_MODIFY name='' path=/var/log/auth.log pathname=/var$
2016-10-19 15:53:18,962 fail2ban.filter.datedetector[2327]: DEBUG Sorting the template list
2016-10-19 15:53:18,963 fail2ban.filter.datedetector[2327]: DEBUG Winning template: MONTH Day Hour:Minute:Second with 1932 hits
2016-10-19 15:53:18,963 fail2ban.filter.datedetector[2327]: DEBUG Matched time template MONTH Day Hour:Minute:Second
2016-10-19 15:53:18,963 fail2ban.filter.datedetector[2327]: DEBUG Got time using template MONTH Day Hour:Minute:Second
2016-10-19 15:53:18,963 fail2ban.filter.datedetector[2327]: DEBUG Matched time template MONTH Day Hour:Minute:Second
2016-10-19 15:53:18,964 fail2ban.filter.datedetector[2327]: DEBUG Got time using template MONTH Day Hour:Minute:Second
2016-10-19 15:53:18,964 fail2ban.filter.datedetector[2327]: DEBUG Sorting the template list
2016-10-19 15:53:18,964 fail2ban.filter.datedetector[2327]: DEBUG Winning template: MONTH Day Hour:Minute:Second with 1932 hits
2016-10-19 15:53:32,796 fail2ban.filter [2327]: DEBUG Default Callback for Event: <Event dir=False mask=0x2 maskname=IN_MODIFY name='' path=/var/log/auth.log pathname=/var$
2016-10-19 15:53:32,797 fail2ban.filter.datedetector[2327]: DEBUG Matched time template MONTH Day Hour:Minute:Second
2016-10-19 15:53:32,797 fail2ban.filter.datedetector[2327]: DEBUG Got time using template MONTH Day Hour:Minute:Second
2016-10-19 15:53:32,797 fail2ban.filter [2327]: DEBUG Default Callback for Event: <Event dir=False mask=0x2 maskname=IN_MODIFY name='' path=/var/log/auth.log pathname=/var$
2016-10-19 15:53:32,798 fail2ban.filter.datedetector[2327]: DEBUG Sorting the template list
2016-10-19 15:53:32,798 fail2ban.filter.datedetector[2327]: DEBUG Matched time template MONTH Day Hour:Minute:Second
2016-10-19 15:53:32,798 fail2ban.filter.datedetector[2327]: DEBUG Winning template: MONTH Day Hour:Minute:Second with 1933 hits
2016-10-19 15:53:32,798 fail2ban.filter.datedetector[2327]: DEBUG Got time using template MONTH Day Hour:Minute:Second

.
.
.

2016-10-19 15:55:25,739 fail2ban.filter [2327]: DEBUG Processing line with time:1476885325.0 and ip:221.229.172.104
2016-10-19 15:55:25,739 fail2ban.filter [2327]: DEBUG Found 221.229.172.104
2016-10-19 15:55:25,739 fail2ban.filter [2327]: DEBUG Total # of detected failures: 92. Current failures from 2 IPs (IP:count): 221.229.172.104:4, 185.93.185.239:2
2016-10-19 15:55:25,739 fail2ban.filter.datedetector[2327]: DEBUG Sorting the template list
2016-10-19 15:55:25,739 fail2ban.filter.datedetector[2327]: DEBUG Winning template: MONTH Day Hour:Minute:Second with 1946 hits
2016-10-19 15:55:26,241 fail2ban.actions[2327]: WARNING [ssh] Ban 221.229.172.104
2016-10-19 15:55:26,242 fail2ban.actions.action[2327]: DEBUG iptables -n -L INPUT | grep -q 'fail2ban-ssh[ \t]'
2016-10-19 15:55:26,245 fail2ban.actions.action[2327]: DEBUG iptables -n -L INPUT | grep -q 'fail2ban-ssh[ \t]' returned successfully
2016-10-19 15:55:26,242 fail2ban.actions.action[2327]: DEBUG iptables -n -L INPUT | grep -q 'fail2ban-ssh[ \t]'
2016-10-19 15:55:26,245 fail2ban.actions.action[2327]: DEBUG iptables -n -L INPUT | grep -q 'fail2ban-ssh[ \t]' returned successfully
2016-10-19 15:55:26,246 fail2ban.actions.action[2327]: DEBUG iptables -I fail2ban-ssh 1 -s 221.229.172.104 -j REJECT --reject-with icmp-port-unreachable
2016-10-19 15:55:26,248 fail2ban.actions.action[2327]: DEBUG iptables -I fail2ban-ssh 1 -s 221.229.172.104 -j REJECT --reject-with icmp-port-unreachable returned successfully
2016-10-19 15:55:26,248 fail2ban.actions.action[2327]: DEBUG
2016-10-19 15:55:26,248 fail2ban.actions.action[2327]: DEBUG Nothing to do
2016-10-19 15:55:26,248 fail2ban.actions.action[2327]: DEBUG printf %b "Subject: [Fail2Ban] ssh: banned 221.229.172.104 from `uname -n`

Independently of that, I added this manually to my iptables:

REJECT all -- 221.229.172.104 anywhere reject-with icmp-port-unreachable
REJECT all -- 221.228.0.0/14 anywhere reject-with icmp-port-unreachable

Re: Fail2ban - iptables doesn't ban

Posted: 24 Oct 2016, 23:37
by Moon
Nobody has an idea?

Re: Fail2ban - iptables doesn't ban

Posted: 31 Oct 2016, 11:37
by Martin
So the IP x.104 was unbanned at 15:52 and then banned again at 15:55.
According to the messages, the IP was still in iptables, or rather the ban with:
iptables -I fail2ban-ssh 1 -s 221.229.172.104 -j REJECT --reject-with icmp-port-unreachable
was successful. Are there maybe wrong ports in jail.conf?
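
Martin's reading of the debug log (unban at 15:52, ban again at 15:55, and the iptables insert reported as successful) is the check worth doing on the whole log rather than by eye. The script below is an added example, not code from the thread or from fail2ban: it pulls the Ban/Unban events out of fail2ban.actions lines, attaches the iptables -I/-D command that fail2ban ran for that IP and whether the log confirms it "returned successfully", and reports how long an IP stayed unbanned before being banned again. The sample lines are the ones Moon posted above, trimmed to the relevant entries; the regexes assume the 0.8/0.9-era log format shown there.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Sample: the Unban/Ban entries and iptables commands quoted in the thread above,
# reduced to the lines that matter for the timeline.
SAMPLE_LOG = r"""
2016-10-19 15:52:45,249 fail2ban.actions[2327]: WARNING [ssh] Unban 221.229.172.104
2016-10-19 15:52:45,249 fail2ban.actions.action[2327]: DEBUG iptables -n -L INPUT | grep -q 'fail2ban-ssh[ \t]'
2016-10-19 15:52:45,718 fail2ban.actions.action[2327]: DEBUG iptables -n -L INPUT | grep -q 'fail2ban-ssh[ \t]' returned successfully
2016-10-19 15:52:45,718 fail2ban.actions.action[2327]: DEBUG iptables -D fail2ban-ssh -s 221.229.172.104 -j REJECT --reject-with icmp-port-unreachable
2016-10-19 15:52:45,722 fail2ban.actions.action[2327]: DEBUG iptables -D fail2ban-ssh -s 221.229.172.104 -j REJECT --reject-with icmp-port-unreachable returned successfully
2016-10-19 15:55:26,241 fail2ban.actions[2327]: WARNING [ssh] Ban 221.229.172.104
2016-10-19 15:55:26,246 fail2ban.actions.action[2327]: DEBUG iptables -I fail2ban-ssh 1 -s 221.229.172.104 -j REJECT --reject-with icmp-port-unreachable
2016-10-19 15:55:26,248 fail2ban.actions.action[2327]: DEBUG iptables -I fail2ban-ssh 1 -s 221.229.172.104 -j REJECT --reject-with icmp-port-unreachable returned successfully
""".strip().splitlines()

# "WARNING [jail] Ban|Unban <ip>" lines from the actions logger.
EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ fail2ban\.actions\s*\[\d+\]: "
    r"WARNING \[(?P<jail>[^\]]+)\] (?P<action>Ban|Unban) (?P<ip>\S+)$")
# iptables insert/delete commands logged by the action, with or without the
# trailing "returned successfully" confirmation.
CMD_RE = re.compile(
    r"^\S+ \S+ fail2ban\.actions\.action\s*\[\d+\]: DEBUG (?P<cmd>iptables -[ID] .+?)"
    r"(?P<ok> returned successfully)?$")

@dataclass
class Event:
    ts: datetime
    jail: str
    action: str            # "Ban" or "Unban"
    ip: str
    command: Optional[str] = None   # iptables command fail2ban ran for this event
    applied: Optional[bool] = None  # True once the log confirms the command succeeded

def parse_events(lines: List[str]) -> List[Event]:
    """Return Ban/Unban events in log order, each with its iptables command attached."""
    events: List[Event] = []
    for line in lines:
        m = EVENT_RE.match(line)
        if m:
            events.append(Event(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                                m["jail"], m["action"], m["ip"]))
            continue
        c = CMD_RE.match(line)
        # Attach the command to the most recent event for the same IP; the
        # confirmation line (if any) comes later and flips `applied` to True.
        if c and events and events[-1].ip in c["cmd"]:
            events[-1].command = c["cmd"]
            events[-1].applied = bool(c["ok"])
    return events

def reban_gaps(events: List[Event]) -> Dict[str, float]:
    """Seconds between an Unban of an IP and the next Ban of the same IP."""
    gaps: Dict[str, float] = {}
    last_unban: Dict[str, datetime] = {}
    for ev in events:
        if ev.action == "Unban":
            last_unban[ev.ip] = ev.ts
        elif ev.action == "Ban" and ev.ip in last_unban:
            gaps[ev.ip] = (ev.ts - last_unban.pop(ev.ip)).total_seconds()
    return gaps

if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for ev in evs:
        print(ev.ts, ev.jail, ev.action, ev.ip, "applied" if ev.applied else "NOT confirmed")
    print("re-ban gaps (s):", reban_gaps(evs))
```

An event whose `applied` stays False (command logged, no "returned successfully") is the case Martin was looking for; here both commands are confirmed, which is why his conclusion is that the ban itself is being applied and the problem lies elsewhere.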

Re: Fail2ban - iptables doesn't ban

Posted: 1 Nov 2016, 10:11
by Moon
Nothing should have needed banning there; it's permanently banned by me. The ports are correct.