Назад | Перейти на главную страницу

Почему fail2ban не запрещает эту атаку?

У меня установлен fail2ban, чтобы запретить попытки перебора пароля ssh. Существуют бизнес-требования, чтобы не отключать аутентификацию по паролю на этом компьютере.

fail2ban был установлен с использованием той же поваренной книги, которая эффективно запрещает атаки ssh на другие машины. Настроен ssh jail:

# service fail2ban status
fail2ban-server (pid  5480) is running...
WARNING 'pidfile' not defined in 'Definition'. Using default one: '/var/run/fail2ban/fail2ban.pid'
Status
|- Number of jail:  1
`- Jail list:       ssh

Блокировка пользователей вручную работает:

# fail2ban-client set ssh banip 103.41.124.46

Но, похоже, он никого не заблокировал автоматически:

# cat /var/log/fail2ban.log
2014-11-20 18:23:47,069 fail2ban.server [67569]: INFO    Exiting Fail2ban
2014-11-20 18:44:59,202 fail2ban.server [5480]: INFO    Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.14
2014-11-20 18:44:59,213 fail2ban.jail   [5480]: INFO    Creating new jail 'ssh'
2014-11-20 18:44:59,214 fail2ban.jail   [5480]: INFO    Jail 'ssh' uses poller
2014-11-20 18:44:59,249 fail2ban.jail   [5480]: INFO    Initiated 'polling' backend
2014-11-20 18:44:59,270 fail2ban.filter [5480]: INFO    Added logfile = /var/log/secure
2014-11-20 18:44:59,271 fail2ban.filter [5480]: INFO    Set maxRetry = 6
2014-11-20 18:44:59,272 fail2ban.filter [5480]: INFO    Set findtime = 600
2014-11-20 18:44:59,272 fail2ban.actions[5480]: INFO    Set banTime = 300
2014-11-20 18:44:59,431 fail2ban.jail   [5480]: INFO    Jail 'ssh' started
2014-11-21 11:09:37,447 fail2ban.actions[5480]: WARNING [ssh] Ban 103.41.124.46
2014-11-21 11:10:32,602 fail2ban.actions[5480]: WARNING [ssh] Ban 122.225.97.75
2014-11-21 11:14:37,899 fail2ban.actions[5480]: WARNING [ssh] Unban 103.41.124.46
2014-11-21 11:15:32,976 fail2ban.actions[5480]: WARNING [ssh] Unban 122.225.97.75
2014-11-21 11:30:06,295 fail2ban.comm   [5480]: WARNING Command ['ban', 'ssh', '189.203.240.89'] has failed. Received Exception('Invalid command',)
2014-11-21 11:30:33,966 fail2ban.actions[5480]: WARNING [ssh] Ban 189.203.240.89
2014-11-21 11:35:34,303 fail2ban.actions[5480]: WARNING [ssh] Unban 189.203.240.89

Например, это атака в /var/log/messages которые должны были быть пойманы и запрещены:

Nov 21 07:51:32 my_hostname sshd[51074]: Failed password for root from 122.225.109.219 port 1788 ssh2
Nov 21 07:51:34 my_hostname sshd[51072]: Failed password for root from 122.225.109.219 port 58285 ssh2
Nov 21 07:51:35 my_hostname sshd[51076]: Failed password for invalid user admin from 122.225.109.219 port 2221 ssh2
Nov 21 07:51:35 my_hostname sshd[51074]: Failed password for root from 122.225.109.219 port 1788 ssh2
Nov 21 07:51:37 my_hostname sshd[51072]: Failed password for root from 122.225.109.219 port 58285 ssh2
Nov 21 07:51:37 my_hostname sshd[51074]: Failed password for root from 122.225.109.219 port 1788 ssh2
Nov 21 07:51:38 my_hostname sshd[51076]: Failed password for invalid user admin from 122.225.109.219 port 2221 ssh2
Nov 21 07:51:38 my_hostname sshd[51084]: Failed password for root from 122.225.109.219 port 3501 ssh2
Nov 21 07:51:39 my_hostname sshd[51072]: Failed password for root from 122.225.109.219 port 58285 ssh2

Это также входит в систему /var/log/secure:

Nov 25 16:06:40 cluster-122-1413591380-db sshd[75769]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.41  user=root
Nov 25 16:06:46 cluster-122-1413591380-db sshd[75769]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.41  user=root
Nov 25 16:06:48 cluster-122-1413591380-db sshd[75778]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.41  user=root
Nov 25 16:06:55 cluster-122-1413591380-db sshd[75778]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.41  user=root
Nov 25 16:06:57 cluster-122-1413591380-db sshd[75780]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.41  user=root
Nov 25 16:07:03 cluster-122-1413591380-db sshd[75780]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.41  user=root
Nov 25 16:07:05 cluster-122-1413591380-db sshd[75793]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.41  user=root
Nov 25 16:07:12 cluster-122-1413591380-db sshd[75793]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.41  user=root
Nov 25 16:07:13 cluster-122-1413591380-db sshd[75797]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.41  user=root
Nov 25 16:07:21 cluster-122-1413591380-db sshd[75797]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.41  user=root
Nov 25 16:07:22 cluster-122-1413591380-db sshd[75803]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.41  user=root
Nov 25 16:07:28 cluster-122-1413591380-db sshd[75803]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.41  user=root
Nov 25 16:07:29 cluster-122-1413591380-db sshd[75809]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.41  user=root
Nov 25 16:07:36 cluster-122-1413591380-db sshd[75809]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.41  user=root
Nov 25 16:07:38 cluster-122-1413591380-db sshd[75811]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.41  user=root

Вот мой jail.local:

# Fail2Ban configuration file.
#
# The configuration here inherits from /etc/fail2ban/jail.conf. Any setting
# omitted here will take it's value from that file
#
# Author: Yaroslav O. Halchenko <snip>
#
#

# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1/8
findtime = 600
bantime  = 300
maxretry = 5

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto".
# yoh: For some reason Debian shipped python-gamin didn't work as expected
#      This issue left ToDo, so polling is default backend for now
backend = polling

#
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = root@localhost

#
# ACTIONS
#

# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define
# action_* variables. Can be overridden globally or per
# section within jail.local file
banaction = iptables-multiport

# email action. Since 0.8.1 upstream fail2ban uses sendmail
# MTA for the mailing. Change mta configuration parameter to mail
# if you want to revert to conventional 'mail'.
mta = sendmail

# Default protocol
protocol = tcp

# Specify chain where jumps would need to be added in iptables-* actions
chain = INPUT

#
# Action shortcuts. To be used to define action parameter

# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]

# ban & send an e-mail with whois report to the destemail.
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
              %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]

# ban & send an e-mail with whois report and relevant log lines
# to the destemail.
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
               %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]

# Choose default action.  To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g.  action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
action = %(action_)s

#
# JAILS
#

# Next jails can inherit from the configuration in /etc/fail2ban/jail.conf.
# Enable any defined in that file jail by including
#
# [SECTION_NAME]
# enabled = true
#
# Optionally you may override any other parameter (e.g. banaction,
# action, port, logpath, etc) in that section within jail.local


[ssh]

enabled = true
port = ssh
filter = sshd
logpath = /var/log/secure
maxretry = 6

[ssh-iptables]

enabled = false

Почему не работает fail2ban? В качестве альтернативы, почему он не заблокировал указанного выше злоумышленника без моего вмешательства вручную?

Параметр logpath должен быть установлен на путь к файлу журнала, в который будут записываться попытки SSH. Итак, если это /var/log/messages, затем /var/log/secure явно неверно.

Изменить logpath параметр, чтобы быть правильным файлом.

В RHEL и CentOS ошибки аутентификации попадают в / var / log / messages или / var / log secure:

# cat /etc/rsyslog.conf | grep auth
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

По умолчанию sshd настроен с SyslogFacility, установленным на AUTH, который переходит в / var / log / messages. Если вы переопределите / etc / ssh / sshd_config следующим образом, вместо этого он перейдет в / var / log / secure:

SyslogFacility AUTHPRIV

Я работаю с машинами в облаке SoftLayer, и их базовая конфигурация образа изменилась с AUTHPRIV на AUTH где-то в прошлом году.

По умолчанию fail2ban имеет следующую тюрьму в /etc/fail2ban/jail.local:

[ssh]

enabled = true
port = ssh
filter = sshd
logpath = /var/log/secure
maxretry = 6

Я рекомендую добавить вторую клетку в /etc/fail2ban/jail.local:

[ssh-log-messages]

enabled = true
port = ssh
filter = sshd
logpath = /var/log/messages
maxretry = 6

После этого перезапустите fail2ban, чтобы вторая тюрьма вступила в силу:

service fail2ban restart

Альтернативный подход - расширить регулярное выражение sshd в /etc/fail2ban/filter.d/sshd.conf. Как в / var / log / secure, так и в / var / log / messages достаточно информации для запрета IP-адресов. К сожалению, fail2ban не может проанализировать все сообщения без добавления альтернативного регулярного выражения. Это оставлено как упражнение.