Fail2Ban 再次未检测到 dropbear 身份验证失败

Fail2Ban 再次未检测到 dropbear 身份验证失败

拉斯比安·杰西

编辑:它正在从一些客户那里工作

从另一个 Rasberry Pi 日志正在工作,现在在日志中获取正确的条目

Jul 22 04:02:21 <HOSTNAME> dropbear[2462]: Bad password attempt for
'user' from 192.168.1.154:39594

但是当我在 Mac 上尝试时,我得到了这个

Jul 22 04:29:27 <HOSTNAME> dropbear[3026]: Bad password attempt for 'user' from fe80::109b:c195:be5d:6e5e%eth0:63395

由于某种原因,它正在尝试使用 IPV6 地址。

我有一个类似的线程,可以在这里找到Fail2Ban 未获取 dropbear 身份验证失败

我确实得到了这个工作,但必须从备份(不相关)恢复,但是,该备份不包括我对此的修复。恢复后,我重新安装了 drop bear 并重新配置了fail2ban,但是,正则表达式似乎再次发生了变化。上次是大写字母与小写字母 B 才是罪魁祸首,但这次不是,正如您在下面看到的那样,这个问题似乎已在我现在运行的fail2ban 版本中得到解决。但它仍然没有解决汽车故障问题。

验证日志错误

dropbear[740]: Bad password attempt for 'username' from 192.168.1.171:62556

电流过滤器

# Fail2Ban filter for dropbear
#
# NOTE: The regex below is ONLY intended to work with a patched
# version of Dropbear as described here:
# http://www.unchartedbackwaters.co.uk/pyblosxom/static/patches
#            ^%(__prefix_line)sexit before auth from <HOST>.*\s*$
#
# The standard Dropbear output doesn't provide enough information to
# ban all types of attack.  The Dropbear patch adds IP address
# information to the 'exit before auth' message which is always
# produced for any form of non-successful login. It is that message
# which this file matches.
#
# More information: http://bugs.debian.org/546913

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

_daemon = dropbear

failregex = ^%(__prefix_line)s[Ll]ogin attempt for nonexistent user ('.*' )?from <HOST>:\d+$
            ^%(__prefix_line)s[Bb]ad (PAM )?password attempt for .+ from <HOST>(:\d+)?$
            ^%(__prefix_line)s[Ee]xit before auth \(user '.+', \d+ fails\): Max auth tries reached - user '.+' from <HOST>:\d+\s*$

ignoreregex =

# DEV Notes:
#
# The first two regexs here match the unmodified dropbear messages. It isn't
# possible to match the source of the 'exit before auth' messages from dropbear
# as they don't include the "from <HOST>" bit.
#
# The second last failregex line we need to match with the modified dropbear.
#
# For the second regex the following apply:
#
# http://www.netmite.com/android/mydroid/external/dropbear/svr-authpam.c
# http://svn.dd-wrt.com/changeset/16642#file64

Fail2ban 监狱.conf

# [SECTION_NAME]
# enabled = true

#
# in /etc/fail2ban/jail.local.
#
# Optionally you may override any other parameter (e.g. banaction,
# action, port, logpath, etc) in that section within jail.local

[ssh]

enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 6

[dropbear]

enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 6

# Generic filter for pam. Has to be used with action which bans all ports
# such as iptables-allports, shorewall
[pam-generic]

Fail2Ban 监狱.local

#local ssh rule set

[ssh]

enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
bantime = 900
banaction = iptables-allports
findtime = 900
maxretry = 3

#dropbear ssh config

[dropbear]

enabled = true
port = ssh
filter = dropbear
logpath = /var/log/auth.log
bantime = 900
banaction = iptables-allports
findtime = 900
maxretry = 3

IPTABLEs -L 输出

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
fail2ban-dropbear  tcp  --  anywhere             anywhere            
fail2ban-ssh  tcp  --  anywhere             anywhere            

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain fail2ban-dropbear (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain fail2ban-ssh (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere      

当我运行正则表达式时

fail2ban-regex "Nov 15 09:09:16 gw dropbear[16806]: Bad password attempt for 'root' from 104.223.180.34:3703" config/filter.d/dropbear.conf

Running tests
=============

Use   failregex line : config/filter.d/dropbear.conf
Traceback (most recent call last):
  File "/usr/bin/fail2ban-regex", line 430, in <module>
    fail2banRegex.readRegex(cmd_regex, 'fail') or sys.exit(-1)
  File "/usr/bin/fail2ban-regex", line 227, in readRegex
    'add%sRegex' % regextype.title())(regex.getFailRegex())
  File "/usr/share/fail2ban/server/filter.py", line 95, in addFailRegex
    raise e
server.failregex.RegexException: No 'host' group in 'config/filter.d/dropbear.conf'

答案1

好吧,要阻止 Mac 使用 IPV6,我必须在命令行中禁用它。尽管在 GUI 中显示为“未配置”,但仍然从我的 DHCP 服务器获取 IPV6 地址。这是我采取的步骤。

1)在Mac上禁用IPV6

networksetup -setv6off Wi-Fi $$ networksetup -setv6off Ethernet (-usesetv6automatic to enable)

2) 确保我的 DHCP 服务器(在本例中是我安装fail2ban 和 dropbear 的盒子)不是服务 IPV6

3)如果需要在lixun机器(目标机或主机)上禁用IPV6

sysctl -w net.ipv6.conf.all.disable_ipv6=1
sysctl -w net.ipv6.conf.default.disable_ipv6=1 
=0 will enable

4)我最终回到了默认的fail2ban drop bear过滤器。自我上一篇文章以来,它似乎已更新以捕获潜在的错误消息大小写差异。

# Fail2Ban filter for dropbear
#
# NOTE: The regex below is ONLY intended to work with a patched
# version of Dropbear as described here:
# http://www.unchartedbackwaters.co.uk/pyblosxom/static/patches
#            ^%(__prefix_line)sexit before auth from <HOST>.*\s*$
#
# The standard Dropbear output doesn't provide enough information to
# ban all types of attack.  The Dropbear patch adds IP address
# information to the 'exit before auth' message which is always
# produced for any form of non-successful login. It is that message
# which this file matches.
#
# More information: http://bugs.debian.org/546913

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

_daemon = dropbear

failregex = ^%(__prefix_line)s[Ll]ogin attempt for nonexistent user ('.*' )?from <HOST>:\d+$
            ^%(__prefix_line)s[Bb]ad (PAM )?password attempt for .+ from <HOST>(:\d+)?$
            ^%(__prefix_line)s[Ee]xit before auth \(user '.+', \d+ fails\): Max auth tries reached - user '.+' from <HOST>:\d+\s*$

ignoreregex =

# DEV Notes:
#
# The first two regexs here match the unmodified dropbear messages. It isn't
# possible to match the source of the 'exit before auth' messages from dropbear
# as they don't include the "from <HOST>" bit.
#
# The second last failregex line we need to match with the modified dropbear.
#
# For the second regex the following apply:
#
# http://www.netmite.com/android/mydroid/external/dropbear/svr-authpam.c
# http://svn.dd-wrt.com/changeset/16642#file64

5) 使用tables -L 命令确保IP 表按预期工作,应该显示与我的类似的输出(假设您没有其他规则)。我必须使用 rpi-update 更新我的内核。

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
fail2ban-dropbear  tcp  --  anywhere             anywhere            
fail2ban-ssh  tcp  --  anywhere             anywhere            

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain fail2ban-dropbear (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain fail2ban-ssh (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere 

相关内容