Fail2Ban non mette al bando il tentativo di login di root fallito

Naviga le tue risposte
4

Ho un piccolo server che solo le porte aperte sono ssh, http e https. Ho fail2ban installato e configurato in modo che dopo 3 tentativi falliti qualcuno venga bloccato per 10 minuti (questo è il default credo).

il login root è disabilitato ma le persone che cercano di accedervi non vengono bloccate.

cat /var/log/messages | grep ssh mostra come 50 di tali tentativi: 

Jan 20 10:50:57 localhost sshd[28666]: SSH: Server;Ltype: Version;Remote: 88.190.31.135-57382;Protocol: 2.0;Client: libssh-0.1
Jan 20 10:50:57 localhost sshd[28666]: SSH: Server;Ltype: Kex;Remote: 88.190.31.135-57382;Enc: aes128-cbc;MAC: hmac-sha1;Comp: none [preauth]
Jan 20 10:50:57 localhost sshd[28666]: SSH: Server;Ltype: Authname;Remote: 88.190.31.135-57382;Name: root [preauth]
Jan 20 10:50:57 localhost sshd[28666]: Received disconnect from 88.190.31.135: 11: Bye Bye [preauth]
Jan 20 10:50:57 localhost sshd[28668]: SSH: Server;Ltype: Version;Remote: 88.190.31.135-57437;Protocol: 2.0;Client: libssh-0.1
Jan 20 10:50:57 localhost sshd[28668]: SSH: Server;Ltype: Kex;Remote: 88.190.31.135-57437;Enc: aes128-cbc;MAC: hmac-sha1;Comp: none [preauth]
Jan 20 10:50:57 localhost sshd[28668]: SSH: Server;Ltype: Authname;Remote: 88.190.31.135-57437;Name: root [preauth]
Jan 20 10:50:57 localhost sshd[28668]: Received disconnect from 88.190.31.135: 11: Bye Bye [preauth]
Jan 20 10:50:57 localhost sshd[28670]: SSH: Server;Ltype: Version;Remote: 88.190.31.135-57515;Protocol: 2.0;Client: libssh-0.1
Jan 20 10:50:57 localhost sshd[28670]: SSH: Server;Ltype: Kex;Remote: 88.190.31.135-57515;Enc: aes128-cbc;MAC: hmac-sha1;Comp: none [preauth]
Jan 20 10:50:58 localhost sshd[28670]: SSH: Server;Ltype: Authname;Remote: 88.190.31.135-57515;Name: root [preauth]
Jan 20 10:50:58 localhost sshd[28670]: Received disconnect from 88.190.31.135: 11: Bye Bye [preauth]

Dopo questo ha provato un altro utente, Oracle, che nemmeno esiste: 

Jan 20 10:50:58 localhost sshd[28672]: SSH: Server;Ltype: Version;Remote: 88.190.31.135-57584;Protocol: 2.0;Client: libssh-0.1
Jan 20 10:50:58 localhost sshd[28672]: SSH: Server;Ltype: Kex;Remote: 88.190.31.135-57584;Enc: aes128-cbc;MAC: hmac-sha1;Comp: none [preauth]
Jan 20 10:50:58 localhost sshd[28672]: SSH: Server;Ltype: Authname;Remote: 88.190.31.135-57584;Name: oracle [preauth]
Jan 20 10:50:58 localhost sshd[28672]: Invalid user oracle from 88.190.31.135
Jan 20 10:50:58 localhost sshd[28672]: input_userauth_request: invalid user oracle [preauth]
Jan 20 10:50:58 localhost sshd[28672]: pam_tally2(sshd:auth): pam_get_uid; no such user
Jan 20 10:50:58 localhost sshd[28672]: pam_unix(sshd:auth): check pass; user unknown
Jan 20 10:50:58 localhost sshd[28672]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=sd-32510.dedibox.fr
Jan 20 10:51:00 localhost sshd[28672]: Failed password for invalid user oracle from 88.190.31.135 port 57584 ssh2
Jan 20 10:51:00 localhost sshd[28672]: Received disconnect from 88.190.31.135: 11: Bye Bye [preauth]
Jan 20 10:51:00 localhost sshd[28674]: SSH: Server;Ltype: Version;Remote: 88.190.31.135-58021;Protocol: 2.0;Client: libssh-0.1
Jan 20 10:51:00 localhost sshd[28674]: SSH: Server;Ltype: Kex;Remote: 88.190.31.135-58021;Enc: aes128-cbc;MAC: hmac-sha1;Comp: none [preauth]
Jan 20 10:51:00 localhost sshd[28674]: SSH: Server;Ltype: Authname;Remote: 88.190.31.135-58021;Name: oracle [preauth]
Jan 20 10:51:00 localhost sshd[28674]: Invalid user oracle from 88.190.31.135
Jan 20 10:51:00 localhost sshd[28674]: input_userauth_request: invalid user oracle [preauth]
Jan 20 10:51:00 localhost sshd[28674]: pam_tally2(sshd:auth): pam_get_uid; no such user
Jan 20 10:51:00 localhost sshd[28674]: pam_unix(sshd:auth): check pass; user unknown
Jan 20 10:51:00 localhost sshd[28674]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=sd-32510.dedibox.fr
Jan 20 10:51:02 localhost sshd[28674]: Failed password for invalid user oracle from 88.190.31.135 port 58021 ssh2
Jan 20 10:51:02 localhost sshd[28674]: Received disconnect from 88.190.31.135: 11: Bye Bye [preauth]
Jan 20 10:51:02 localhost sshd[28676]: SSH: Server;Ltype: Version;Remote: 88.190.31.135-59203;Protocol: 2.0;Client: libssh-0.1
Jan 20 10:51:02 localhost sshd[28676]: SSH: Server;Ltype: Kex;Remote: 88.190.31.135-59203;Enc: aes128-cbc;MAC: hmac-sha1;Comp: none [preauth]
Jan 20 10:51:03 localhost sshd[28676]: SSH: Server;Ltype: Authname;Remote: 88.190.31.135-59203;Name: oracle [preauth]
Jan 20 10:51:03 localhost sshd[28676]: Invalid user oracle from 88.190.31.135
Jan 20 10:51:03 localhost sshd[28676]: input_userauth_request: invalid user oracle [preauth]
Jan 20 10:51:03 localhost sshd[28676]: pam_tally2(sshd:auth): pam_get_uid; no such user
Jan 20 10:51:03 localhost sshd[28676]: pam_unix(sshd:auth): check pass; user unknown
Jan 20 10:51:03 localhost sshd[28676]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=sd-32510.dedibox.fr
Jan 20 10:51:04 localhost sshd[28676]: Failed password for invalid user oracle from 88.190.31.135 port 59203 ssh2
Jan 20 10:51:04 localhost sshd[28676]: Received disconnect from 88.190.31.135: 11: Bye Bye [preauth]
Jan 20 10:51:04 localhost sshd[28678]: SSH: Server;Ltype: Version;Remote: 88.190.31.135-59651;Protocol: 2.0;Client: libssh-0.1
Jan 20 10:51:04 localhost sshd[28678]: SSH: Server;Ltype: Kex;Remote: 88.190.31.135-59651;Enc: aes128-cbc;MAC: hmac-sha1;Comp: none [preauth]

Dopodiché: /var/log/fail2ban 

2012-01-20 10:51:04,701 fail2ban.actions: WARNING [ssh-iptables] Ban 88.190.31.135

Mi chiedo perché questo non è accaduto mentre tentava di accedere al mio server con l'account di root? Scommetto che c'è un modo per cambiare il comportamento di fail2bans qui, ma come?

informazioni di sistema, se necessario: gentoo 3.2.0, openssh 5.9, iptables-1.4.12.1, fail2ban-0.8.6

    
posta Baarn 20.01.2012 - 15:08
fonte

1 risposta

6

Nel tuo secondo esempio, vedrai authentication failure , ed è ciò che Fail2Ban stava inserendo.

Come esempio della configurazione di installazione corrente su Ubuntu (/etc/fail2ban/filter.d/sshd.conf: 

failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$
        ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
        ^%(__prefix_line)sFailed (?:password|publickey) for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$
        ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
        ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
        ^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers$
        ^%(__prefix_line)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
        ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
        ^%(__prefix_line)sAddress <HOST> .* POSSIBLE BREAK-IN ATTEMPT!*\s*$
        ^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$

Se vuoi eliminare i tentativi dell'account di root, dovrai aggiungere una linea che corrisponda a una linea da accessi di root. 

Jan 20 10:50:57 localhost sshd[28668]: SSH: Server;Ltype: Authname;Remote: 88.190.31.135-57437;Name: root [preauth]
Jan 20 10:50:57 localhost sshd[28668]: Received disconnect from 88.190.31.135: 11: Bye Bye [preauth]

Formatta un'espressione regolare in modo che corrisponda a una di quelle linee - ogni volta che qualcuno cerca di autenticare come root o in qualsiasi momento qualcuno si disconnette durante la fase di pre-autorizzazione.

Esempio: 

^%(__prefix_line)s.+Name: root \[preauth\]\s*$
    
risposta data 20.01.2012 - 16:19
fonte

Leggi altre domande sui tag

Sito elencato come violato da un gruppo di hacker Certificazioni Web Security [chiuso]