Discussions on computer security

[log with long lines] fail2ban rule not working

BIG Umberto 18 Jul 2017 14:20
These days I have re-enabled the SSH connection from the WAN to my little server
(Raspberry 3 with Jessie), which I use for a few odd jobs, since I needed to use
it away from home.
Mind you, when I was using the Raspberry B with Wheezy it worked...

Can anyone explain why rules 11 and 12 (which are identical, as a test) don't
work?



$ fail2ban-regex -v /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf

Running tests
=============

Use failregex ******* : /etc/fail2ban/filter.d/sshd.conf
Use log ******* : /var/log/auth.log


Results
=======

Failregex: 3 total
|- #) [# of hits] regular expression
| 1) [0] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$
| 2) [0] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
| 3) [0] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*Failed (?:password|publickey) for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$
| 4) [0] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*ROOT LOGIN REFUSED.* FROM <HOST>\s*$
| 5) [0] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*[iI](?:llegal|nvalid) user .* from <HOST>\s*$
| 6) [0] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*User .+ from <HOST> not allowed because not listed in AllowUsers$
| 7) [0] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*authentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
| 8) [0] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*refused connect from \S+ \(<HOST>\)\s*$
| 9) [0] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*Address <HOST> .* POSSIBLE BREAK-IN ATTEMPT!*\s*$
| 10) [0] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*User .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$
| 11) [0] Bad protocol version identification .* from <HOST>\s*$
| 12) [0] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*Bad protocol version identification .* from <HOST>\s*$
| 13) [3] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*Did not receive identification string from <HOST>\s*$
| 208.93.152.122 Mon Jul 17 17:28:54 2017
| 208.93.152.122 Mon Jul 17 17:29:05 2017
| 154.47.32.66 Tue Jul 18 00:51:06 2017
`-


$ cat /var/log/auth.log | grep "Bad protocol version identification .* from"
Jul 17 05:16:42 sshd[32672]: Bad protocol version identification '\026\003\001\002' from 153.125.238.211 port 51446
Jul 17 05:16:43 sshd[32673]: Bad protocol version identification '\026\003\001' from 153.125.238.211 port 51928
Jul 17 06:06:31 sshd[1004]: Bad protocol version identification '\026\003\001' from 45.58.136.98 port 47218
Jul 17 17:29:05 sshd[11311]: Bad protocol version identification '\026\003' from 208.93.152.122 port 39622
Jul 17 17:29:05 sshd[11312]: Bad protocol version identification '\026\003\001\002' from 208.93.152.122 port 40760
Jul 17 17:29:06 sshd[11313]: Bad protocol version identification '\026\003\001\002' from 208.93.152.122 port 41494
Jul 17 17:29:06 sshd[11314]: Bad protocol version identification '\026\003\001\002' from 208.93.152.122 port 42510
Jul 17 17:29:06 sshd[11315]: Bad protocol version identification '\026\003\001\002' from 208.93.152.122 port 43458
Jul 17 18:12:32 sshd[12534]: Bad protocol version identification '\200g\001\003\001' from 200.38.62.219 port 38743


$ cat /var/log/auth.log | grep "Did not receive identification string from"
Jul 17 17:28:54 sshd[11309]: Did not receive identification string from 208.93.152.122
Jul 17 17:29:05 sshd[11310]: Did not receive identification string from 208.93.152.122
Jul 18 00:51:06 sshd[19337]: Did not receive identification string from 154.47.32.66


BIG Umberto 18 Jul 2017 14:35
BIG Umberto wrote, at 14:20 on Tuesday 18 July 2017, in the group
it.comp.sicurezza.varie:

> These days I have re-enabled the SSH connection from the WAN to my little
> server (Raspberry 3 with Jessie), which I use for a few odd jobs, since I
> needed to use it away from home.
> Mind you, when I was using the Raspberry B with Wheezy it worked...
>
> Can anyone explain why rules 11 and 12 (which are identical, as a test)
> don't work?

> | 11) [0] Bad protocol version identification .* from <HOST>\s*$
> | 12) [0] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*Bad protocol version identification .* from <HOST>\s*$
> | 13) [3] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*Did not receive identification string from <HOST>\s*$
> | 208.93.152.122 Mon Jul 17 17:28:54 2017
> | 208.93.152.122 Mon Jul 17 17:29:05 2017
> | 154.47.32.66 Tue Jul 18 00:51:06 2017
> `-

Something must have changed...
| 11) [9] Bad protocol version identification .* from <HOST>\s.+$
^^^
With the "plus" instead of the "asterisk" at the end of the string, it works...


> $ cat /var/log/auth.log | grep "Bad protocol version identification .* from"
> Jul 17 05:16:42 sshd[32672]: Bad protocol version identification '\026\003\001\002' from 153.125.238.211 port 51446


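Added as a worked example (not part of the thread, and not fail2ban's own code): the three variants of rule 11 run against lines modelled on the auth.log excerpt above. The expansion of `<HOST>` is an approximation of what fail2ban 0.9 substitutes, and the "strict" pattern is this page's own suggestion, mirroring the `(?: port \d*)?` that the "Failed password" rule already carries.

```python
import re

# Approximation of how fail2ban 0.9.x expands the <HOST> tag (assumption made
# here so the failregex strings can be compiled stand-alone with Python's re).
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Constructed sample lines modelled on the auth.log excerpt in the thread.
# The trailing " port NNNN" is what the original pattern did not allow for.
SAMPLE_LOG = r"""
Jul 17 05:16:42 sshd[32672]: Bad protocol version identification '\026\003\001\002' from 153.125.238.211 port 51446
Jul 17 06:06:31 sshd[1004]: Bad protocol version identification '\026\003\001' from 45.58.136.98 port 47218
Jul 17 17:28:54 sshd[11309]: Did not receive identification string from 208.93.152.122
Jul 17 18:00:00 sshd[12000]: Accepted publickey for pi from 192.0.2.10 port 50000 ssh2
"""

PATTERNS = {
    # rule 11 as posted: demands end-of-line right after the host -> 0 hits
    "original": r"Bad protocol version identification .* from <HOST>\s*$",
    # the poster's fix: accepts anything after the host -> matches, but is
    # looser than needed (any trailing text passes)
    "poster_fix": r"Bad protocol version identification .* from <HOST>\s.+$",
    # stricter alternative suggested here: only an optional " port N" suffix,
    # the same allowance the "Failed password" rule makes with (?: port \d*)?
    "strict": r"Bad protocol version identification .* from <HOST>(?: port \d+)?\s*$",
}


def compile_failregex(failregex: str) -> re.Pattern:
    """Turn a fail2ban-style failregex into a Python regex by expanding <HOST>."""
    return re.compile(failregex.replace("<HOST>", HOST))


def hosts_matching(failregex: str, log_text: str) -> list:
    """Return the host captured from every log line the failregex matches."""
    pattern = compile_failregex(failregex)
    hits = []
    for line in log_text.splitlines():
        m = pattern.search(line)
        if m:
            hits.append(m.group("host"))
    return hits


if __name__ == "__main__":
    for name, rx in PATTERNS.items():
        print(f"{name:10s} -> {hosts_matching(rx, SAMPLE_LOG)}")
```

The "original" variant returns no hosts, while both "poster_fix" and "strict" return the two offending addresses; the difference between the latter two is only how much trailing text they tolerate.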
