Fail2ban/Logwatch: doubts about Bans:Unbans

Hi,

I have a doubt about my fail2ban logs. I set up a filter to stop the apache-w00tw00t scanners.

[code] --------------------- fail2ban-messages Begin ------------------------

Banned services with Fail2Ban: Bans:Unbans
apache-w00tw00t: [ 4:3 ]

---------------------- fail2ban-messages End -------------------------

--------------------- httpd Begin ------------------------

Requests with error response codes
400 Bad Request
/w00tw00t.at.ISC.SANS.DFind:): 3 Time(s)
/w00tw00t.at.ISC.SANS.test0:): 1 Time(s)

---------------------- httpd End -------------------------
[/code]

What does Unbans mean? Shouldn't it rather be 0?

Why does the server return 400 errors on every scan attempt, exactly as it did before I added the fail2ban filter?

The daily log shows 3 DFind scan attempts even though I set maxretry to 1 with a 24h ban.

The failregex in my /etc/fail2ban/filter.d/apache-w00w00t.conf is the following:

And in my jail.conf:

[code][apache-w00tw00t]
enabled  = true
filter   = apache-w00tw00t
action   = iptables-allports[name=w00tw00t]
logpath  = /var/log/apache2/error.log
maxretry = 1
bantime  = 86400[/code]
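Added illustration, not part of the original post: fail2ban only reacts to a log line that Apache has already written, so the probe that triggers a ban has already been answered (here with a 400) before iptables-allports starts dropping the address, and the Unbans column counts bans that expired after bantime seconds. The Python model below is a simplification of fail2ban's jail bookkeeping (maxretry, findtime, bantime), not fail2ban's own code; the scan attempts and RFC 5737 addresses are constructed, and findtime is assumed to be fail2ban's default of 600 s because the jail above does not set it.

```python
from collections import defaultdict

# Jail settings from the thread; findtime is fail2ban's default (assumption: the jail does not set it).
MAXRETRY = 1
FINDTIME = 600
BANTIME = 86400
HOUR = 3600

# Constructed scan attempts as (seconds since start, source address); RFC 5737 addresses, not real scanners.
SCAN_ATTEMPTS = [
    (0 * HOUR, "192.0.2.10"),       # first probe: Apache answers 400 and logs it, then fail2ban bans
    (0 * HOUR + 5, "192.0.2.10"),   # retry while banned: dropped by iptables, never reaches Apache
    (2 * HOUR, "192.0.2.20"),       # a different scanner: its first probe gets through as well
    (5 * HOUR, "192.0.2.30"),
    (25 * HOUR, "192.0.2.10"),      # bantime (24 h) has elapsed: unbanned, one probe gets through again
    (26 * HOUR, "192.0.2.20"),
]


def run_jail(attempts, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """Replay attempts through fail2ban-style jail bookkeeping.

    Returns the Bans/Unbans counters logwatch would report, how many probes
    Apache actually served (and therefore logged with a 400), and the action timeline."""
    recent = defaultdict(list)   # ip -> failure timestamps inside the findtime window
    banned = {}                  # ip -> time at which the ban expires
    stats = {"bans": 0, "unbans": 0, "served": 0, "timeline": []}

    for ts, ip in sorted(attempts):
        # bans expire on their own after bantime; fail2ban logs an Unban for each one
        for b_ip, until in sorted(banned.items(), key=lambda kv: kv[1]):
            if until <= ts:
                del banned[b_ip]
                stats["unbans"] += 1
                stats["timeline"].append((until, "unban", b_ip))
        if ip in banned:
            continue                          # iptables-allports drops the packet: no log line at all
        stats["served"] += 1                  # Apache handled it and wrote the line fail2ban reads
        recent[ip] = [t for t in recent[ip] if ts - t <= findtime] + [ts]
        if len(recent[ip]) >= maxretry:       # with maxretry = 1 the very first logged probe bans
            banned[ip] = ts + bantime
            recent[ip].clear()
            stats["bans"] += 1
            stats["timeline"].append((ts, "ban", ip))
    return stats


if __name__ == "__main__":
    result = run_jail(SCAN_ATTEMPTS)
    print(f"apache-w00tw00t: [ {result['bans']}:{result['unbans']} ]   probes answered by Apache: {result['served']}")
    for when, action, ip in result["timeline"]:
        print(f"  t+{when / HOUR:5.1f}h {action:5s} {ip}")
```

With maxretry = 1 every served probe produces exactly one ban, so the number of 400s logwatch shows for the scanner equals the number of distinct bans, and two of the bans in the constructed day-and-a-bit expire, giving a non-zero Unbans count without any restart of fail2ban.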

Hi

Did you test that one before …

I just installed and reconfigured fail2ban cleanly.

There, it looks like I no longer have any unbans, but the filter lets some w00tw00t scans through. I changed filters and it may be too general; should I perhaps test, as before, for the presence of the string w00tw00t in the request made to the server?

The filter:

Logwatch

[code] --------------------- fail2ban-messages Begin ------------------------

Banned services with Fail2Ban: Bans:Unbans
apache-w00tw00t: [ 3:0 ]

---------------------- fail2ban-messages End -------------------------

--------------------- httpd Begin ------------------------

Requests with error response codes
400 Bad Request
/w00tw00t.at.ISC.SANS.DFind:): 3 Time(s)
/w00tw00t.at.ISC.SANS.MSlog:): 1 Time(s)
/w00tw00t.at.ISC.SANS.test0:): 2 Time(s)
404 Not Found
//jmx-console/HtmlAdaptor: 1 Time(s)

---------------------- httpd End ------------------------- [/code]

fail2ban-regex /var/log/apache2/error.log /etc/fail2ban/filter.d/apache-w00tw00t.conf

[code]/usr/share/fail2ban/server/filter.py:442: DeprecationWarning: the md5 module is deprecated; use hashlib instead
import md5

Running tests

Use regex file : /etc/fail2ban/filter.d/apache-w00tw00t.conf
Use log file : /var/log/apache2/error.log

Results

Failregex
|- Regular expressions:
| [1] [[]client []] (client sent HTTP/1.1 request without hostname|Invalid method in request|request failed: URI too long|erroneous characters after protocol string)
|
`- Number of matches:
[1] 12 match(es)

Ignoreregex
|- Regular expressions:
|
`- Number of matches:

Summary

Addresses found:
[1]
62.73.5.250 (Thu Nov 15 14:42:30 2012)
62.73.5.250 (Thu Nov 15 14:42:30 2012)
178.32.72.125 (Thu Nov 15 17:06:44 2012)
216.245.200.53 (Thu Nov 15 19:02:54 2012)
46.105.104.215 (Thu Nov 15 19:08:40 2012)
86.35.242.58 (Thu Nov 15 23:51:51 2012)
176.31.53.130 (Fri Nov 16 01:42:53 2012)
86.35.242.58 (Fri Nov 16 08:18:12 2012)
5.39.60.201 (Fri Nov 16 09:21:01 2012)
37.59.135.203 (Fri Nov 16 11:13:15 2012)
88.84.210.234 (Fri Nov 16 11:38:37 2012)
176.31.26.179 (Fri Nov 16 23:59:17 2012)

Date template hits:
588 hit(s): MONTH Day Hour:Minute:Second
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
0 hit(s): Year/Month/Day Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/MONTH/Year:Hour:Minute:Second
0 hit(s): Month/Day/Year:Hour:Minute:Second
0 hit(s): Year-Month-Day Hour:Minute:Second
0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
0 hit(s): Day-Month-Year Hour:Minute:Second
0 hit(s): TAI64N
0 hit(s): Epoch
0 hit(s): ISO 8601
0 hit(s): Hour:Minute:Second
0 hit(s): <Month/Day/Year@Hour:Minute:Second>

Success, the total number of match is 12

However, look at the above section ‘Running tests’ which could contain important
information.
[/code]

Hi,

[quote="Arg"]the filter lets some w00tw00t scans through. I changed filters and it may be too general; should I perhaps test, as before, for the presence of the string w00tw00t in the request made to the server?
[/quote]

A bit too general, indeed …

[quote]# cat /etc/fail2ban/filter.d/apache-w00tw00t.conf

[code][Definition]

# Option:  failregex
# Notes.:  regex to match the w00tw00t scan messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching.
# Values:  TEXT
#
# The first pattern is the general error.log one; the "<HOST> -" patterns are
# access.log (combined log format) patterns and only match if logpath points at
# access.log. The last pattern is the error.log form; "Ton_IP" in the pasted
# version stands for the client address, i.e. <HOST>.
failregex = [[]client <HOST>[]] (client sent HTTP/1.1 request without hostname|Invalid method in request|request failed: URI too long|erroneous characters after protocol string)
            ^<HOST> -.*"GET /w00tw00t.at.ISC.SANS.DFind:\).*".*
            ^<HOST> -.*"GET /w00tw00t.*".*
            .*\[client <HOST>\].*w00tw00t.*
            ^<HOST> -.*"GET /w00tw00t.at.ISC.SANS.MSlog:\).*".*
            ^<HOST> -.*"GET /w00tw00t.at.ISC.SANS.test0:\).*".*
            ^<HOST> -.*"GET /w00tw00t.at.ISC.SANS.test:\).*".*
            ^<HOST> -.*"GET /w00tw00t.at.ISC.SANS.test1:\).*".*
            ^<HOST> -.*"GET /w00tw00t.at.blackhats.romanian.anti-sec:\).*".*
            ^\[\w{1,3} \w{1,3} \d{1,2} \d{1,2}:\d{1,2}:\d{1,2} \d{1,4}\] \[error\] \[client <HOST>\] File does not exist: /.{1,20}/(w00tw00t|wootwoot|WootWoot|WooTWooT).{1,250}

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
[/code]
[/quote]

As your findings come in, it's up to you to fine-tune these … :wink:
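Added example, not part of the original thread and not fail2ban's own code: a minimal re-implementation of what fail2ban-regex does (expand the <HOST> tag into a named group, search every log line, collect the host), applied to constructed Apache 2.2 error.log and access.log lines with RFC 5737 addresses. It compares the general error.log regex from the fail2ban-regex run above, an error.log regex restricted to the scanner string as suggested in the reply, and an access.log-style "<HOST> -" regex, showing which hosts each one would hand to the ban action and that an access.log pattern matches nothing when logpath is error.log. The <HOST> expansion is an approximation of fail2ban 0.8's and may differ slightly from the installed version.

```python
import re

# Approximation of what fail2ban 0.8 substitutes for the <HOST> tag
# (assumption: close to, but not guaranteed identical to, the installed version's expansion).
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# Constructed Apache 2.2 error.log lines (not from the thread; RFC 5737 addresses).
# Lines 1, 2 and 5 are w00tw00t probes; 3 and 6 are other malformed requests; 4 is a plain 404.
ERROR_LOG = r"""
[Thu Nov 15 14:42:30 2012] [error] [client 192.0.2.10] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Thu Nov 15 14:42:30 2012] [error] [client 192.0.2.10] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.test0:)
[Thu Nov 15 17:06:44 2012] [error] [client 192.0.2.20] Invalid method in request \x16\x03\x01
[Thu Nov 15 19:02:54 2012] [error] [client 192.0.2.30] File does not exist: /var/www/jmx-console
[Thu Nov 15 19:08:40 2012] [error] [client 192.0.2.40] File does not exist: /var/www/w00tw00t.at.blackhats.romanian.anti-sec:)
[Thu Nov 15 23:51:51 2012] [error] [client 192.0.2.50] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
""".strip()

# Constructed access.log line (combined log format) for the same DFind probe.
ACCESS_LOG = r"""
192.0.2.10 - - [15/Nov/2012:14:42:30 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 298 "-" "-"
""".strip()

FAILREGEXES = {
    # the general error.log regex from the thread: any hostname-less or malformed request
    "general": r"[[]client <HOST>[]] (client sent HTTP/1.1 request without hostname|Invalid method in request|request failed: URI too long|erroneous characters after protocol string)",
    # error.log regex restricted to the scanner signature, whatever Apache complained about
    "w00tw00t_error": r"[[]client <HOST>[]] .*(w00tw00t|wootwoot|WootWoot|WooTWooT)",
    # access.log-style regex: can only match if logpath points at access.log
    "w00tw00t_access": r'^<HOST> -.*"GET /w00tw00t\.',
}


def compile_failregex(failregex):
    """Expand fail2ban's <HOST> tag into a named group, as fail2ban does before matching."""
    return re.compile(failregex.replace("<HOST>", HOST_TAG))


def run_failregex(failregex, log_text):
    """Mini fail2ban-regex: the host of every line the regex matches, in log order."""
    rx = compile_failregex(failregex)
    return [m.group("host") for m in map(rx.search, log_text.splitlines()) if m]


def compare(log_text):
    """Apply every failregex to one log and report the hosts each would hand to the ban action."""
    return {name: run_failregex(rx, log_text) for name, rx in FAILREGEXES.items()}


if __name__ == "__main__":
    for log_name, text in (("error.log", ERROR_LOG), ("access.log", ACCESS_LOG)):
        print(log_name)
        for name, hosts in compare(text).items():
            print(f"  {name:16s} -> {hosts}")
```

On the constructed error.log the general regex bans 192.0.2.20 and 192.0.2.50, which never sent a w00tw00t request, while the scanner-specific regex also catches the probe that Apache reported as "File does not exist" (192.0.2.40), which the general one misses; the access.log pattern only produces a host when run over access.log.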

Ah, yes indeed!

Thanks for the examples, it seems to work well!