linux server ssh – fail2ban does not ban IP addresses

I have a problem with fail2ban on my v-Server. I installed everything as explained in a tutorial, but fail2ban does not block IP addresses.

/etc/init.d/fail2ban status reports:

    * Status of authentication failure monitor
    * fail2ban is running

If I test my filter:

    fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf

there are matches, but no entry in my iptables:

    Chain INPUT (policy ACCEPT)
    target           prot opt source               destination
    fail2ban-SSH     tcp  --  anywhere             anywhere             tcp dpt:ssh
    fail2ban-default tcp  --  anywhere             anywhere             tcp dpt:ssh

    Chain FORWARD (policy ACCEPT)
    target           prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target           prot opt source               destination

    Chain fail2ban-SSH (1 references)
    target           prot opt source               destination
    RETURN           all  --  anywhere             anywhere

    Chain fail2ban-default (1 references)
    target           prot opt source               destination

This is my jail.conf:

    [ssh]
    enabled  = true
    port     = 22
    filter   = sshd
    logpath  = /var/log/auth.log
    maxretry = 3
    bantime  = 60
    action   = iptables[name=SSH, port=22, protocol=tcp]

and here is my /filter.d/sshd.conf:

    [Definition]

    _daemon = sshd

    # Option:  failregex
    # Notes.:  regex to match the password failures messages in the logfile. The
    #          host must be matched by a group named "host". The tag "<HOST>" can
    #          be used for standard IP/hostname matching and is only an alias for
    #          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
    # Values:  TEXT
    #
    failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$
                ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
                ^%(__prefix_line)sFailed (?:password|publickey) for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$
                ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
                ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
                ^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers$
                ^%(__prefix_line)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
                ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
                ^%(__prefix_line)sAddress <HOST> .* POSSIBLE BREAK-IN ATTEMPT!*\s*$
                ^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$

    # Option:  ignoreregex
    # Notes.:  regex to ignore. If this regex matches, the line is ignored.
    # Values:  TEXT
    #
    ignoreregex =

and my action, /action.d/iptables.conf:

    [Definition]

    actionstart = iptables -N fail2ban-<name>
                  iptables -A fail2ban-<name> -j RETURN
                  iptables -I <chain> -p <protocol> --dport <port> -j fail2ban-<name>

    actionstop = iptables -D <chain> -p <protocol> --dport <port> -j fail2ban-<name>
                 iptables -F fail2ban-<name>
                 iptables -X fail2ban-<name>

    actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name>

    actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP

    actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP

    [Init]

    name = default
    port = ssh
    protocol = tcp
    chain = INPUT

I have already tried everything and gone through many forums, but I cannot find an error. If I try to log in with a wrong password, it cannot ban me and I can keep opening sessions. Could it be that fail2ban does not have permission to write anything to iptables?

Maybe someone has an idea of what to do? Thanks

This is what is in auth.log:

    Jul 24 18:04:13 sshd[12438]: Invalid user sfdsdf from 79.224.101.224
    Jul 24 18:04:13 sshd[12438]: input_userauth_request: invalid user sfdsdf [preauth]
    Jul 24 18:04:16 sshd[12438]: pam_unix(sshd:auth): check pass; user unknown
    Jul 24 18:04:16 sshd[12438]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=p4fe065e0.dip.t-dialin.net
    Jul 24 18:04:19 sshd[12438]: Failed password for invalid user sfdsdf from 79.224.101.224 port 51188 ssh2
    Jul 24 18:04:20 sshd[12438]: pam_unix(sshd:auth): check pass; user unknown
    Jul 24 18:04:22 sshd[12438]: Failed password for invalid user sfdsdf from 79.224.101.224 port 51188 ssh2
    Jul 24 18:04:24 sshd[12438]: pam_unix(sshd:auth): check pass; user unknown
    Jul 24 18:04:26 sshd[12438]: Failed password for invalid user sfdsdf from 79.224.101.224 port 51188 ssh2
    Jul 24 18:04:28 sshd[12438]: pam_unix(sshd:auth): check pass; user unknown
    Jul 24 18:04:30 sshd[12438]: Failed password for invalid user sfdsdf from 79.224.101.224 port 51188 ssh2
    Jul 24 18:04:34 sshd[12438]: pam_unix(sshd:auth): check pass; user unknown
    Jul 24 18:04:36 sshd[12438]: Failed password for invalid user sfdsdf from 79.224.101.224 port 51188 ssh2
    Jul 24 18:04:37 sshd[12438]: fatal: Read from socket failed: Connection reset by peer [preauth]
    Jul 24 18:04:37 sshd[12438]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=p4fe065e0.dip.t-dialin.net
    Jul 24 18:04:37 sshd[12438]: PAM service(sshd) ignoring max retries; 5 > 3
    Jul 24 18:04:53 sshd[12440]: Invalid user blabla from 79.224.101.224
    Jul 24 18:04:53 sshd[12440]: input_userauth_request: invalid user blabla [preauth]
    Jul 24 18:04:55 sshd[12440]: pam_unix(sshd:auth): check pass; user unknown
    Jul 24 18:04:55 sshd[12440]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=p4fe065e0.dip.t-dialin.net
    Jul 24 18:04:58 sshd[12440]: Failed password for invalid user blabla from 79.224.101.224 port 51194 ssh2
    Jul 24 18:05:00 sshd[12440]: Connection closed by 79.224.101.224 [preauth]
    Jul 24 18:05:10 sshd[12442]: Invalid user hihi from 79.224.101.224
    Jul 24 18:05:10 sshd[12442]: input_userauth_request: invalid user hihi [preauth]
    Jul 24 18:05:13 sshd[12442]: pam_unix(sshd:auth): check pass; user unknown
    Jul 24 18:05:13 sshd[12442]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=p4fe065e0.dip.t-dialin.net
    Jul 24 18:05:15 sshd[12442]: Failed password for invalid user hihi from 79.224.101.224 port 51195 ssh2
    Jul 24 18:05:16 sshd[12442]: Connection closed by 79.224.101.224 [preauth]
    Jul 24 18:05:22 sshd[12444]: Connection closed by 79.224.101.224 [preauth]
    Jul 24 18:05:30 sshd[12446]: Invalid user hoho from 79.224.101.224
    Jul 24 18:05:30 sshd[12446]: input_userauth_request: invalid user hoho [preauth]
    Jul 24 18:05:31 sshd[12446]: pam_unix(sshd:auth): check pass; user unknown
    Jul 24 18:05:31 sshd[12446]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=p4fe065e0.dip.t-dialin.net
    Jul 24 18:05:34 sshd[12446]: Failed password for invalid user hoho from 79.224.101.224 port 51198 ssh2

You can use the command fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf to validate whether any of these rules match. For me they don't, and the reason is that the syslog format does not match what is defined as __prefix_line in filter.d/common.conf.

My regex skills suck, but that is very likely where you can fix things.
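The answer's point can be tried offline against the question's own log lines. The script below is an added example, not code from this thread or from fail2ban itself: it rebuilds fail2ban's failregex matching and the maxretry/findtime counting for two of the question's failregex lines, under two simplified stand-ins for __prefix_line (one that requires the syslog hostname field, one that makes it optional). Both prefixes are assumptions written for this example and are not common.conf's real definition. The first sample lines are copied from the question's auth.log (which has no hostname field); the last one is constructed from a documentation address to show a host that stays below maxretry.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Added example, not code from the original post or from fail2ban itself.
# It rebuilds fail2ban's failregex matching and maxretry/findtime counting
# so the question's log lines can be tested against a syslog prefix that
# requires a hostname field and against one that makes it optional.

# Assumed, simplified stand-ins for fail2ban's __prefix_line (common.conf).
# Syslog normally writes "Mon DD HH:MM:SS hostname sshd[pid]: ..."; the
# question's auth.log lines carry no hostname field at all.
PREFIX_REQUIRES_HOST = r"^\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d \S+ sshd\[\d+\]: "
PREFIX_OPTIONAL_HOST = r"^\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d (?:\S+ )?sshd\[\d+\]: "

# The <HOST> alias exactly as documented in the question's sshd.conf.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# Two of the failregex lines from the question's filter. The pam_unix line is
# left out because it captures the reverse-DNS name (rhost=...), which
# fail2ban would first have to resolve before it could ban an address.
FAILREGEX = [
    r"Failed (?:password|publickey) for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$",
    r"[iI](?:llegal|nvalid) user .* from <HOST>\s*$",
]

# First five lines: copied from the question's auth.log. Last line: constructed,
# 203.0.113.7 is a documentation address used only to show a host below maxretry.
SAMPLE_NO_HOST = [
    "Jul 24 18:04:13 sshd[12438]: Invalid user sfdsdf from 79.224.101.224",
    "Jul 24 18:04:19 sshd[12438]: Failed password for invalid user sfdsdf from 79.224.101.224 port 51188 ssh2",
    "Jul 24 18:04:22 sshd[12438]: Failed password for invalid user sfdsdf from 79.224.101.224 port 51188 ssh2",
    "Jul 24 18:04:26 sshd[12438]: Failed password for invalid user sfdsdf from 79.224.101.224 port 51188 ssh2",
    "Jul 24 18:04:37 sshd[12438]: fatal: Read from socket failed: Connection reset by peer [preauth]",
    "Jul 24 18:53:00 sshd[12500]: Failed password for root from 203.0.113.7 port 40000 ssh2",
]

# The same events written as standard syslog lines with a hostname ("vserver" is made up).
SAMPLE_WITH_HOST = [line.replace(" sshd[", " vserver sshd[", 1) for line in SAMPLE_NO_HOST]


def compile_filter(prefix):
    """Build the full regex list the way fail2ban does: prefix + failregex, <HOST> expanded."""
    return [re.compile(prefix + pat.replace("<HOST>", HOST)) for pat in FAILREGEX]


def count_failures(lines, prefix):
    """Return {host: [timestamps]} for every line matched by the filter."""
    regexes = compile_filter(prefix)
    failures = defaultdict(list)
    for line in lines:
        for rx in regexes:
            match = rx.search(line)
            if match:
                # syslog timestamps carry no year; only their ordering matters here
                stamp = datetime.strptime(line[:15], "%b %d %H:%M:%S")
                failures[match.group("host")].append(stamp)
                break
    return dict(failures)


def hosts_to_ban(failures, maxretry=3, findtime=600):
    """Hosts with at least maxretry failures inside any findtime-second window."""
    window = timedelta(seconds=findtime)
    banned = set()
    for host, stamps in failures.items():
        stamps = sorted(stamps)
        for i, end in enumerate(stamps):
            # count the failures that fall within findtime before this one (inclusive)
            if sum(1 for t in stamps[: i + 1] if end - t <= window) >= maxretry:
                banned.add(host)
                break
    return banned


def report(label, lines, prefix):
    failures = count_failures(lines, prefix)
    counts = {host: len(stamps) for host, stamps in failures.items()}
    print(f"{label}: matches per host = {counts}")
    print(f"{label}: would ban = {sorted(hosts_to_ban(failures))}")


if __name__ == "__main__":
    report("hostname required, question's lines", SAMPLE_NO_HOST, PREFIX_REQUIRES_HOST)
    report("hostname optional, question's lines", SAMPLE_NO_HOST, PREFIX_OPTIONAL_HOST)
    report("hostname required, syslog-style lines", SAMPLE_WITH_HOST, PREFIX_REQUIRES_HOST)
```

With the prefix that requires a hostname, none of the question's lines match and nothing is ever banned, even though the same lines with a hostname inserted produce four failures for 79.224.101.224 and a ban under maxretry = 3. The same comparison can be made with the real filter by running fail2ban-regex once against the live log and once against a copy whose lines have a hostname inserted after the timestamp.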

Running iptables with any command other than -L requires root privileges; therefore the daemon must run as root.

Check that this is the case.
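A way to check what this answer asks for, as an added diagnostic script that is not part of the thread: it verifies which user the fail2ban-server process runs as and counts the DROP rules for a given address in the jail's chain. The chain name fail2ban-SSH and the address come from the question; the parsing helpers take their input as an argument or on stdin so they can be tried without root, and `--live` runs the real ps and iptables queries on the server.

```shell
#!/bin/sh
# Added diagnostic for the answer above; not part of the original thread.
# (1) confirm fail2ban-server runs as root, (2) confirm the jail chain really
# holds a DROP rule for a given address. The helpers read their input from an
# argument or stdin so they can be exercised without root; pass --live on the
# server to query ps and iptables for real.

# Succeeds only if the ps output passed in (one username per line, as printed
# by `ps -o user= -C fail2ban-server`) is non-empty and every entry is root.
all_instances_root() {
    [ -n "$1" ] || return 1                            # no fail2ban-server process at all
    printf '%s\n' "$1" | grep -qvx 'root' && return 1  # at least one instance is not root
    return 0
}

# Print the number of DROP rules for address $1 in `iptables -n -L <chain>`
# output read from stdin. Use -n: without it iptables may print a reverse-DNS
# name instead of the address and the count comes out as 0.
count_drop_rules() {
    addr=$(printf '%s' "$1" | sed 's/\./\\./g')        # make the dots literal in the ERE
    grep -cE "^DROP[[:space:]]+all[[:space:]]+--[[:space:]]+${addr}[[:space:]]" || true
}

# Live checks on the server; the chain defaults to the question's jail.
live_check() {
    chain=${1:-fail2ban-SSH}
    addr=$2
    owners=$(ps -o user= -C fail2ban-server)
    if all_instances_root "$owners"; then
        echo "fail2ban-server runs as root"
    else
        echo "fail2ban-server is not running, or not running as root: ${owners:-<none>}"
    fi
    # Listing the chain needs root itself, the same requirement the answer states.
    rules=$(iptables -n -L "$chain") || { echo "cannot list $chain (are you root?)"; return 1; }
    printf '%s\n' "$rules"
    if [ -n "$addr" ]; then
        echo "DROP rules for $addr in $chain: $(printf '%s\n' "$rules" | count_drop_rules "$addr")"
    fi
}

if [ "${1:-}" = "--live" ]; then
    live_check "$2" "$3"
fi
```

Usage on the server: `sh check_fail2ban.sh --live fail2ban-SSH 79.224.101.224` (the file name is arbitrary). A chain that lists only the RETURN rule while the owner check passes means the daemon has the privileges it needs and the missing bans have another cause.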