mirror of https://github.com/fail2ban/fail2ban
Merge: opensolaris docs/fixes, no 'sed -i' in hostsdeny, sshd regex tuneups
Origin: from https://github.com/jamesstout/fail2ban
* 'OpenSolaris' of https://github.com/jamesstout/fail2ban:
ENH: Removed unused log line
BF: fail2ban.local needs section headers
ENH: Use .local config files for logtarget and jail
ENH+TST: ssh failure messages for OpenSolaris and OS X
ENH: fail message matching for OpenSolaris and OS X
ENH: extra daemon info regex
ENH: actionunban back to a sed command
Readme for config on Solaris
create socket/pid dir if needed
Extra patterns for Solaris
change sed to perl for Solaris
Conflicts: config/filter.d/sshd.confpull/217/merge
commit
2143cdff39
@ -0,0 +1,141 @@
# vim:tw=80:ft=txt

README FOR SOLARIS INSTALLATIONS

By Roy Sigurd Karlsbakk <roy@karlsbakk.net>

ABOUT

This readme is meant for those wanting to install fail2ban on Solaris 10,
OpenSolaris, OpenIndiana etc. To some degree it may as well be useful for
users of older Solaris versions and Nexenta, but don't rely on it.

READ ME FIRST

If I use the term Solaris, I am talking about any Solaris dialect, that is, the
official Sun/Oracle ones or derivates. If I describe an OS as
"OpenSolaris-based", it means it's either OpenSolaris, OpenIndiana or one of the
other, but /not/ the Nexenta family, since this only uses the OpenSolaris/
IllumOS kernel and not the userland. If I say Solaris 10, I mean Solaris 10 and
perhaps, if you're lucky and have some good gods on your side, it may also apply
to Solaris 9 or even 8 and hopefully in the new Solaris 11 whenever that may be
released. Quoted lines of code, settings et cetera are indented with two spaces.
This does _not_ mean you should use that indentation, especially in config files
where they can be harmful. Optional settings are prefixed with OPT: while
required settings are prefixed with REQ:. If no prefix is found, regard it as a
required setting.

INSTALLATION ON SOLARIS

The installation is straight forward on Solaris as well as on linux/bsd/etc.
./setup.py install installs the general packages in /usr/bin on OpenSolaris-
based distros or (at least on this box) under /usr/sfw/bin on Solaris 10. In
the files/ directory you will find the file solaris-fail2ban.xml containing the
Solaris service. To install this, run the following command as root (or with
sudo):

svccfg import files/solaris-fail2ban.xml

This should normally without giving an error. If you get an error, deal with it,
and please post any relevant info (or fixes?) to the fail2ban mailing list.
Next install the service handler - copy the script in and allow it to be executed:

cp files/solaris-svc-fail2ban /lib/svc/method/svc-fail2ban
chmod +x /lib/svc/method/svc-fail2ban

CONFIGURE SYSLOG

For some reason, a default Solaris installation does not log ssh login attempts,
and since fail2ban works by monitoring logs, enabling this logging is rather
important for it to work. To enable this, edit /etc/syslog.conf and add a line
at the end:

auth.info /var/adm/auth.log

Save the file and exit, and run

touch /var/adm/auth.log

The Solaris system logger will _not_ create a non-existing file. Now, restart
the system logger.

svcadm restart system-log

Try to ssh into localhost with ssh asdf@localhost and enter an invalid password.
Make sure this is logged in the above file. When done, you may configure
fail2ban.

FAIL2BAN CONFIGURATION

OPT: Create /etc/fail2ban/fail2ban.local containing:

# Fail2Ban main configuration file
#
# Comments: use '#' for comment lines and ';' for inline comments
#
# Changes: in most of the cases you should not modify this
# file, but provide customizations in fail2ban.local file, e.g.:
#
# [Definition]
# loglevel = 4
#
[Definition]

# Option: logtarget
# Notes.: Set the log target. This could be a file, SYSLOG, STDERR or STDOUT.
# Only one log target can be specified.
# If you change logtarget from the default value and you are
# using logrotate -- also adjust or disable rotation in the
# corresponding configuration file
# (e.g. /etc/logrotate.d/fail2ban on Debian systems)
# Values: STDOUT STDERR SYSLOG file Default: /var/log/fail2ban.log
#
logtarget = /var/adm/fail2ban.log


REQ: Create /etc/fail2ban/jail.local containing:

[ssh-tcpwrapper]

enabled = true
filter = sshd
action = hostsdeny
sendmail-whois[name=SSH, dest=you@example.com]
ignoreregex = for myuser from
logpath = /var/adm/auth.log

Set the sendmail dest address to something useful or drop the line to stop it spamming you.
Set 'myuser' to your username to avoid banning yourself or drop it.

START (OR RESTART) FAIL2BAN

Enable the fail2ban service with

svcadm enable fail2ban

When done, check that all services are running well

svcs -xv

GOTCHAS AND FIXMES

* It seems the installation may be starting fail2ban automatically. If this is
done, fail2ban will not start, but no errors will be returned from svcs
(above). Check if it's running with 'ps -ef | grep fail2ban' and manually kill
the PID if it is. Re-enable fail2ban and try again

svcadm disable fail2ban
svcadm enable fail2ban

* If svcs -xv says that fail2ban failed to start or svcs says it's in maintenance mode
chcek /var/svc/log/network-fail2ban:default.log for clues.
Check permissions on /var/adm, /var/adm/auth.log /var/adm/fail2ban.log and /var/run/fail2ban
You may need to:

sudo mkdir /var/run/fail2ban

* Fail2ban adds lines like these to /etc/hosts.deny:

ALL: 1.2.3.4

wouldn't it be better to just block sshd?
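
Review bot: the `ignoreregex = for myuser from` line in the jail example is a much broader exemption than "to avoid banning yourself" suggests: ignoreregex suppresses banning for every log line it matches, so failed logins against `myuser` from any source are never banned, and that is the one account whose name is known to anyone reading this README's owner's logs. Whitelisting the administrator's own source address with `ignoreip` in the jail keeps the account protected; the README should state that trade-off next to "Set 'myuser' to your username". Smaller points in the same file: "This should normally without giving an error" is missing "work", "chcek" in GOTCHAS AND FIXMES, and the text runs `svccfg import` before the method script the manifest points at has been copied to /lib/svc/method/svc-fail2ban, so the two install steps read better in the other order.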
@ -39,7 +39,7 @@ actionban = IP=<ip> &&
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionunban = IP=<ip> && sed -i.old /ALL:\ $IP/d <file>
actionunban = IP=<ip> && sed /ALL:\ $IP/d <file> > <file>.new && mv <file>.new <file>

[Init]
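
Review bot: the unban pattern `/ALL:\ $IP/d` is still an unanchored regex in which the dots of `$IP` match any character, so unbanning 1.2.3.4 also deletes an `ALL: 1.2.3.45` entry and silently unbans that host too; anchor the pattern and escape the dots, for example `ESC=$(echo "$IP" | sed 's/\./\\./g') && sed "/^ALL: $ESC\$/d" <file>`. Replacing `sed -i` with `> <file>.new && mv` is the right move for Solaris sed, but the new file is created under the current umask and the `mv` drops the mode and ownership of the original /etc/hosts.deny; a `cp -p <file> <file>.new` before the redirect keeps them, and two unbans running at the same time would otherwise also clobber each other's `<file>.new`.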
@ -27,6 +27,10 @@ __pid_re = (?:\[\d+\])
# EXAMPLES: pam_rhosts_auth, [sshd], pop(pam_unix)
__daemon_re = [\[\(]?%(_daemon)s(?:\(\S+\))?[\]\)]?:?

# extra daemon info
# EXAMPLE: [ID 800047 auth.info]
__daemon_extra_re = (?:\[ID \d+ \S+\])

# Combinations of daemon name and PID
# EXAMPLES: sshd[31607], pop(pam_unix)[4920]
__daemon_combs_re = (?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:)
@ -42,5 +46,5 @@ __hostname = \S+
#
# [hostname] [vserver tag] daemon_id spaces
# this can be optional (for instance if we match named native log files)
__prefix_line = \s*(?:%(__hostname)s )?(?:%(__kernel_prefix)s )?(?:@vserver_\S+ )?%(__daemon_combs_re)s?\s*
__prefix_line = \s*(?:%(__hostname)s )?(?:%(__kernel_prefix)s )?(?:@vserver_\S+ )?%(__daemon_combs_re)s?\s%(__daemon_extra_re)s?\s*
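
Review bot: the new `__prefix_line` turns the trailing `\s*` into a mandatory single `\s` in front of the optional `%(__daemon_extra_re)s`, which regresses the case the comment two lines up explicitly allows, a line with no daemon tag: with `__daemon_combs_re` absent, the `(?:%(__hostname)s )?` group already consumes the space after the host name, so the only way to satisfy `\s` is whitespace at the start of the message, and every `^%(__prefix_line)s...` failregex stops matching such lines. Make the whitespace optional again, e.g. `%(__daemon_combs_re)s?\s*%(__daemon_extra_re)s?\s*`, and add a daemon-less sample to the test logs so the next edit here cannot reintroduce it.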
@ -22,7 +22,7 @@ _daemon = sshd
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = ^%(__prefix_line)s(?:error: PAM: )?[A|a]uthentication (?:failure|error) for .* from <HOST>\s*$
failregex = ^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from <HOST>\s*$
^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
^%(__prefix_line)sFailed \S+ for .* from <HOST>(?: port \d*)?(?: ssh\d*)?\s*$
^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
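
Review bot: `[A|a]uthentication` to `[aA]uthentication` is the right fix (the old class also accepted a literal `|`), but note that all four expressions depend on the trailing `\s*$` to pin `<HOST>` to the end of the line, because the `.*` between `for` and `from` spans attacker-chosen username text. The OS X lines added to the sshd test log in this same commit end in `via 192.168.1.201` and therefore match none of these expressions; if they are meant to, add an optional tail such as `(?: via \S+)?` immediately before `\s*$` rather than loosening the anchor, and state in the test log which lines are expected to match.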
@ -17,8 +17,26 @@ fi

ENV="/usr/bin/env -i LANG=C PATH=/usr/local/bin:/usr/bin:/bin:/opt/sfw/bin:/usr/sfw/bin"

# get socket/pid conf and check dir exists
# sock and pid default dirs are currently the same
# mkdir if it doesn't exist
SOCK_FILE=$(sed "/^\#/d" "$F2B_CONF" | grep "socket" | tail -1 | cut -d "=" -f2-)
SOCK_DIR=$(dirname $SOCK_FILE)
if [ -n "$SOCK_DIR" ]; then
if [ ! -d "$SOCK_DIR" ]; then
mkdir "$SOCK_DIR" || exit 1
fi
fi

case $1 in
start)
# remove any lingering sockets
# don't quote the var for the -e test
if [ -n "$SOCK_FILE" ]; then
if [ -e $SOCK_FILE ]; then
rm -f $SOCK_FILE || exit 1
fi
fi
[ -f /etc/fail2ban.conf ] || touch /etc/fail2ban.conf
echo "Starting fail2ban-server with $F2B_CONF"
eval $ENV /usr/local/bin/fail2ban-client start &
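
Review bot: the `SOCK_FILE` extraction is fragile: `grep "socket"` matches any uncommented line that merely contains the word (a `;` inline comment, a differently named key), and `cut -d "=" -f2-` keeps the blank after `=`, which is why the later `-e` test and `rm -f` have to leave `$SOCK_FILE` unquoted and are then open to word splitting and globbing. Use `sed -n 's/^[[:space:]]*socket[[:space:]]*=[[:space:]]*//p' "$F2B_CONF" | tail -1` instead, quote the variable everywhere, and use `mkdir -p "$SOCK_DIR"` so a missing parent directory does not abort the start; `dirname` of an empty value also yields `.`, so the `-n "$SOCK_DIR"` guard never triggers. Finally, the hard-coded `/usr/local/bin/fail2ban-client` disagrees with the README in this commit, which says setup.py installs to /usr/bin or /usr/sfw/bin on Solaris 10; resolving the client through the `PATH` already set in `$ENV` would cover all three.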
@ -13,7 +13,6 @@ Jan 5 01:31:41 www sshd[1643]: ROOT LOGIN REFUSED FROM ::ffff:1.2.3.4
#4
Jul 20 14:42:11 localhost sshd[22708]: Invalid user ftp from 211.114.51.213


#5 new filter introduced after looking at 44087D8C.9090407@bluewin.ch
Mar 3 00:17:22 [sshd] User root from 210.188.220.49 not allowed because not listed in AllowUsers
Feb 25 14:34:11 belka sshd[31607]: User root from ferrari.inescn.pt not allowed because not listed in AllowUsers
@ -29,5 +28,21 @@ Oct 15 19:51:35 server sshd[7592]: Address 1.2.3.4 maps to 1234.bbbbbb.com, but
#8 DenyUsers https://github.com/fail2ban/fail2ban/issues/47
Apr 16 22:01:15 al-ribat sshd[5154]: User root from 46.45.128.3 not allowed because listed in DenyUsers

# http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=648020
Nov 8 11:19:38 bar sshd[25427]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=1.2.3.6
#9 OpenSolaris patch - pull https://github.com/fail2ban/fail2ban/pull/182
Mar 29 05:59:23 dusky sshd[20878]: [ID 800047 auth.info] Failed keyboard-interactive for <invalid username> from 205.186.180.55 port 42742 ssh2
Mar 29 05:20:09 dusky sshd[19558]: [ID 800047 auth.info] Failed keyboard-interactive for james from 205.186.180.30 port 54520 ssh2

#10 OSX syslog error
Apr 29 14:53:38 Jamess-iMac.local sshd[47831]: error: PAM: authentication error for james from dusky via 192.168.1.201
Apr 29 17:16:20 Jamess-iMac.local sshd[62312]: error: PAM: authentication error for james from n29.c07.mtsvc.net via 192.168.1.201
Apr 29 20:11:08 Jamess-iMac.local sshd[63814]: [ID 800047 auth.info] Failed keyboard-interactive for <invalid username> from 205.186.180.35 port 42742 ssh2
Apr 29 20:12:08 Jamess-iMac.local sshd[63814]: [ID 800047 auth.info] Failed keyboard-interactive for james from 205.186.180.22 port 54520 ssh2
Apr 29 20:13:08 Jamess-iMac.local sshd[63814]: Failed keyboard-interactive for james from 205.186.180.42 port 54520 ssh2
Apr 29 20:14:08 Jamess-iMac.local sshd[63814]: Failed keyboard-interactive for <invalid username> from 205.186.180.44 port 42742 ssh2
Apr 30 01:42:12 Jamess-iMac.local sshd[2554]: Failed keyboard-interactive/pam for invalid user jamedds from 205.186.180.77 port 33723 ssh2
Apr 29 12:53:38 Jamess-iMac.local sshd[47831]: error: PAM: authentication failure for james from 205.186.180.88 via 192.168.1.201
Apr 29 13:53:38 Jamess-iMac.local sshd[47831]: error: PAM: Authentication failure for james from 205.186.180.99 via 192.168.1.201
Apr 29 15:53:38 Jamess-iMac.local sshd[47831]: error: PAM: Authentication error for james from 205.186.180.100 via 192.168.1.201
Apr 29 16:53:38 Jamess-iMac.local sshd[47831]: error: PAM: authentication error for james from 205.186.180.101 via 192.168.1.201
Apr 29 17:53:38 Jamess-iMac.local sshd[47831]: error: PAM: authentication error for james from 205.186.180.102
Apr 29 18:53:38 Jamess-iMac.local sshd[47831]: error: PAM: authentication error for james from 205.186.180.103
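
Review bot: the #10 block mixes lines that the sshd failregex in this commit matches (the `Failed keyboard-interactive ... port ... ssh2` lines and the two `error: PAM: ... from 205.186.180.102` / `.103` lines with nothing after the address) with lines ending in `via 192.168.1.201` that it does not, and nothing in the file says which outcome is expected; if this log feeds the filter tests, mark the negative samples or drop them so a later regex change cannot flip them unnoticed. In the `via` lines the `<HOST>` position also holds a name (`dusky`, `n29.c07.mtsvc.net`) rather than an address, so even a regex that accepts the `via` tail would hand a host name to the ban action and depend on name resolution at ban time.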