
Fail2Ban does not ban failed root login attempts

I have a small server whose only open ports are ssh, http and https. I installed and set up fail2ban so that after 3 failed attempts someone gets blocked for 10 minutes (which I believe is the default).

Root login is disabled, but the users who try to access it are not blocked.

`cat /var/log/messages | grep ssh` shows about 50 attempts like these:

Jan 20 10:50:57 localhost sshd[28666]: SSH: Server;Ltype: Version;Remote: 88.190.31.135-57382;Protocol: 2.0;Client: libssh-0.1
Jan 20 10:50:57 localhost sshd[28666]: SSH: Server;Ltype: Kex;Remote: 88.190.31.135-57382;Enc: aes128-cbc;MAC: hmac-sha1;Comp: none [preauth]
Jan 20 10:50:57 localhost sshd[28666]: SSH: Server;Ltype: Authname;Remote: 88.190.31.135-57382;Name: root [preauth]
Jan 20 10:50:57 localhost sshd[28666]: Received disconnect from 88.190.31.135: 11: Bye Bye [preauth]
Jan 20 10:50:57 localhost sshd[28668]: SSH: Server;Ltype: Version;Remote: 88.190.31.135-57437;Protocol: 2.0;Client: libssh-0.1
Jan 20 10:50:57 localhost sshd[28668]: SSH: Server;Ltype: Kex;Remote: 88.190.31.135-57437;Enc: aes128-cbc;MAC: hmac-sha1;Comp: none [preauth]
Jan 20 10:50:57 localhost sshd[28668]: SSH: Server;Ltype: Authname;Remote: 88.190.31.135-57437;Name: root [preauth]
Jan 20 10:50:57 localhost sshd[28668]: Received disconnect from 88.190.31.135: 11: Bye Bye [preauth]
Jan 20 10:50:57 localhost sshd[28670]: SSH: Server;Ltype: Version;Remote: 88.190.31.135-57515;Protocol: 2.0;Client: libssh-0.1
Jan 20 10:50:57 localhost sshd[28670]: SSH: Server;Ltype: Kex;Remote: 88.190.31.135-57515;Enc: aes128-cbc;MAC: hmac-sha1;Comp: none [preauth]
Jan 20 10:50:58 localhost sshd[28670]: SSH: Server;Ltype: Authname;Remote: 88.190.31.135-57515;Name: root [preauth]
Jan 20 10:50:58 localhost sshd[28670]: Received disconnect from 88.190.31.135: 11: Bye Bye [preauth]

After that, he tried another user, Oracle, which does not exist either.

Jan 20 10:50:58 localhost sshd[28672]: SSH: Server;Ltype: Version;Remote: 88.190.31.135-57584;Protocol: 2.0;Client: libssh-0.1
Jan 20 10:50:58 localhost sshd[28672]: SSH: Server;Ltype: Kex;Remote: 88.190.31.135-57584;Enc: aes128-cbc;MAC: hmac-sha1;Comp: none [preauth]
Jan 20 10:50:58 localhost sshd[28672]: SSH: Server;Ltype: Authname;Remote: 88.190.31.135-57584;Name: Oracle [preauth]
Jan 20 10:50:58 localhost sshd[28672]: Invalid user Oracle from 88.190.31.135
Jan 20 10:50:58 localhost sshd[28672]: input_userauth_request: invalid user Oracle [preauth]
Jan 20 10:50:58 localhost sshd[28672]: pam_tally2(sshd:auth): pam_get_uid; no such user
Jan 20 10:50:58 localhost sshd[28672]: pam_unix(sshd:auth): check pass; user unknown
Jan 20 10:50:58 localhost sshd[28672]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=sd-32510.dedibox.fr
Jan 20 10:51:00 localhost sshd[28672]: Failed password for invalid user Oracle from 88.190.31.135 port 57584 ssh2
Jan 20 10:51:00 localhost sshd[28672]: Received disconnect from 88.190.31.135: 11: Bye Bye [preauth]
Jan 20 10:51:00 localhost sshd[28674]: SSH: Server;Ltype: Version;Remote: 88.190.31.135-58021;Protocol: 2.0;Client: libssh-0.1
Jan 20 10:51:00 localhost sshd[28674]: SSH: Server;Ltype: Kex;Remote: 88.190.31.135-58021;Enc: aes128-cbc;MAC: hmac-sha1;Comp: none [preauth]
Jan 20 10:51:00 localhost sshd[28674]: SSH: Server;Ltype: Authname;Remote: 88.190.31.135-58021;Name: Oracle [preauth]
Jan 20 10:51:00 localhost sshd[28674]: Invalid user Oracle from 88.190.31.135
Jan 20 10:51:00 localhost sshd[28674]: input_userauth_request: invalid user Oracle [preauth]
Jan 20 10:51:00 localhost sshd[28674]: pam_tally2(sshd:auth): pam_get_uid; no such user
Jan 20 10:51:00 localhost sshd[28674]: pam_unix(sshd:auth): check pass; user unknown
Jan 20 10:51:00 localhost sshd[28674]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=sd-32510.dedibox.fr
Jan 20 10:51:02 localhost sshd[28674]: Failed password for invalid user Oracle from 88.190.31.135 port 58021 ssh2
Jan 20 10:51:02 localhost sshd[28674]: Received disconnect from 88.190.31.135: 11: Bye Bye [preauth]
Jan 20 10:51:02 localhost sshd[28676]: SSH: Server;Ltype: Version;Remote: 88.190.31.135-59203;Protocol: 2.0;Client: libssh-0.1
Jan 20 10:51:02 localhost sshd[28676]: SSH: Server;Ltype: Kex;Remote: 88.190.31.135-59203;Enc: aes128-cbc;MAC: hmac-sha1;Comp: none [preauth]
Jan 20 10:51:03 localhost sshd[28676]: SSH: Server;Ltype: Authname;Remote: 88.190.31.135-59203;Name: Oracle [preauth]
Jan 20 10:51:03 localhost sshd[28676]: Invalid user Oracle from 88.190.31.135
Jan 20 10:51:03 localhost sshd[28676]: input_userauth_request: invalid user Oracle [preauth]
Jan 20 10:51:03 localhost sshd[28676]: pam_tally2(sshd:auth): pam_get_uid; no such user
Jan 20 10:51:03 localhost sshd[28676]: pam_unix(sshd:auth): check pass; user unknown
Jan 20 10:51:03 localhost sshd[28676]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=sd-32510.dedibox.fr
Jan 20 10:51:04 localhost sshd[28676]: Failed password for invalid user Oracle from 88.190.31.135 port 59203 ssh2
Jan 20 10:51:04 localhost sshd[28676]: Received disconnect from 88.190.31.135: 11: Bye Bye [preauth]
Jan 20 10:51:04 localhost sshd[28678]: SSH: Server;Ltype: Version;Remote: 88.190.31.135-59651;Protocol: 2.0;Client: libssh-0.1
Jan 20 10:51:04 localhost sshd[28678]: SSH: Server;Ltype: Kex;Remote: 88.190.31.135-59651;Enc: aes128-cbc;MAC: hmac-sha1;Comp: none [preauth]

Then, in /var/log/fail2ban:

2012-01-20 10:51:04,701 fail2ban.actions: WARNING [ssh-iptables] Ban 88.190.31.135

Why didn't this happen when he tried to access the server with the root account? I suppose there is a way to change fail2ban's behaviour here, but how?

System information, in case it is needed: gentoo 3.2.0, openssh 5.9, iptables-1.4.12.1, fail2ban-0.8.6

4
Baarn

In the second example, `authentication failure` appears; that is what Fail2Ban keyed on.

As an example, here is the configuration of a current fresh Ubuntu install (/etc/fail2ban/filter.d/sshd.conf):

failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$
        ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
        ^%(__prefix_line)sFailed (?:password|publickey) for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$
        ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
        ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
        ^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers$
        ^%(__prefix_line)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
        ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
        ^%(__prefix_line)sAddress <HOST> .* POSSIBLE BREAK-IN ATTEMPT!*\s*$
        ^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$

If you want to get rid of the root account attempts, you need to add a line that matches the root login lines:

Jan 20 10:50:57 localhost sshd[28668]: SSH: Server;Ltype: Authname;Remote: 88.190.31.135-57437;Name: root [preauth]
Jan 20 10:50:57 localhost sshd[28668]: Received disconnect from 88.190.31.135: 11: Bye Bye [preauth]

Format the regex so that it matches one of those lines: either when someone attempts to authenticate as root, or when someone disconnects during pre-authentication.

Example:

# every failregex needs the <HOST> tag so fail2ban knows which address to ban
^%(__prefix_line)s.+Remote: <HOST>-\d+;Name: root \[preauth\]\s*$
6
Jeff Ferland
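To see why the default filter lets the root attempts through, the following added example (not code from the question, the answer, or the fail2ban project) replays constructed log lines modelled on the ones in the question through a minimal jail simulation. The `PREFIX` pattern is an assumption standing in for fail2ban's `%(__prefix_line)s`, `HOST` stands in for the `<HOST>` tag, `DEFAULT_FAILREGEX` is a subset of the Ubuntu filter quoted in the answer, and `ROOT_AUTHNAME_REGEX` is the answer's extra line with the host captured from the `Remote:` field. With only the default patterns the root `Authname` lines never count, so the ban arrives only after the Oracle attempts; with the extra line the third root attempt already trips `maxretry`.

```python
import re
from collections import defaultdict

# Simplified stand-in for fail2ban's %(__prefix_line)s (an assumption for this example;
# the real definition lives in filter.d/common.conf and fail2ban strips the timestamp
# itself): syslog timestamp, hostname, "sshd[pid]: " and an optional PAM module prefix.
PREFIX = r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ sshd\[\d+\]: (?:pam_\w+\(sshd:auth\): )?"
# What fail2ban substitutes for the <HOST> tag (simplified here to "a run of non-spaces").
HOST = r"(?P<host>\S+)"

# A subset of the default sshd failregex lines quoted in the answer, with <HOST> expanded.
DEFAULT_FAILREGEX = [
    PREFIX + r"(?:error: PAM: )?Authentication failure for .* from " + HOST + r"\s*$",
    PREFIX + r"Failed (?:password|publickey) for .* from " + HOST + r"(?: port \d*)?(?: ssh\d*)?$",
    PREFIX + r"[iI](?:llegal|nvalid) user .* from " + HOST + r"\s*$",
    PREFIX + r"authentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost="
    + HOST + r"(?:\s+user=.*)?\s*$",
]

# The extra line the answer proposes, with <HOST> anchored on the "Remote: ip-port" field
# so that the address to ban is captured.
ROOT_AUTHNAME_REGEX = PREFIX + r".+Remote: " + HOST + r"-\d+;Name: root \[preauth\]\s*$"

# Constructed sample lines, modelled on those quoted in the question: three pre-auth
# attempts as root (PAM never runs, so no "authentication failure" line is logged),
# followed by two attempts as the non-existent user Oracle.
SAMPLE_LOG = """\
Jan 20 10:50:57 localhost sshd[28666]: SSH: Server;Ltype: Authname;Remote: 88.190.31.135-57382;Name: root [preauth]
Jan 20 10:50:57 localhost sshd[28666]: Received disconnect from 88.190.31.135: 11: Bye Bye [preauth]
Jan 20 10:50:57 localhost sshd[28668]: SSH: Server;Ltype: Authname;Remote: 88.190.31.135-57437;Name: root [preauth]
Jan 20 10:50:58 localhost sshd[28670]: SSH: Server;Ltype: Authname;Remote: 88.190.31.135-57515;Name: root [preauth]
Jan 20 10:50:58 localhost sshd[28672]: Invalid user Oracle from 88.190.31.135
Jan 20 10:51:00 localhost sshd[28672]: Failed password for invalid user Oracle from 88.190.31.135 port 57584 ssh2
Jan 20 10:51:00 localhost sshd[28674]: Invalid user Oracle from 88.190.31.135
Jan 20 10:51:02 localhost sshd[28674]: Failed password for invalid user Oracle from 88.190.31.135 port 58021 ssh2
""".splitlines()


def match_failure(line, patterns):
    """Return the host captured by the first matching failregex, or None if nothing matches."""
    for pattern in patterns:
        m = re.match(pattern, line)
        if m:
            return m.group("host")
    return None


def simulate_jail(lines, patterns, maxretry=3):
    """Replay the log through a jail: count matching lines per host and record the
    1-based line number at which each host reaches maxretry. findtime is ignored
    because the constructed lines are only seconds apart."""
    failures = defaultdict(int)
    banned_at = {}
    for lineno, line in enumerate(lines, start=1):
        host = match_failure(line, patterns)
        if host is None:
            continue
        failures[host] += 1
        if failures[host] == maxretry:
            banned_at[host] = lineno
    return dict(failures), banned_at


if __name__ == "__main__":
    for label, patterns in (("default sshd filter", DEFAULT_FAILREGEX),
                            ("default + root Authname line", DEFAULT_FAILREGEX + [ROOT_AUTHNAME_REGEX])):
        failures, banned_at = simulate_jail(SAMPLE_LOG, patterns)
        print(f"{label}: failures={failures} banned_at={banned_at}")
```

Against a real log, the same check is done with fail2ban's own tool, `fail2ban-regex /var/log/messages /etc/fail2ban/filter.d/sshd.conf`, which reports how many lines each failregex matched; a line you expect to count but that shows zero matches is the signal that a pattern is missing, exactly as with the `Authname` lines here.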