
Topic: fail2ban does not work properly

  1. #1
    curufinwe
    Guest

    fail2ban does not work properly

    Hello,
    I wanted to make my VPS (Virtual Private Server) a bit more secure with fail2ban, but unfortunately it does not work properly. The VPS runs Debian Etch and fail2ban 0.8.1.
    fail2ban does find out from auth.log that someone has tried x times in vain to log in via ssh, and it also creates an iptables rule, but after the IP has been banned you can still log in via ssh from the same IP. If I have understood the principle of fail2ban correctly, that should no longer be possible for the next 10 minutes, shouldn't it?
    Nothing was changed in the fail2ban configuration files.

    Here is an excerpt from 'iptables -L':
    Code:
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination         
    fail2ban-ssh  tcp  --  anywhere             anywhere            multiport dports ssh,sftp 
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination         
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination         
    
    Chain fail2ban-ssh (1 references)
    target     prot opt source               destination         
    DROP       0    --  dyndsl-08X-X28-2XX-0X6.ewe-ip-backbone.de  anywhere            
    RETURN     0    --  anywhere             anywhere
    ... and from fail2ban.log:
    Code:
    2007-08-21 20:40:55,456 fail2ban.jail   : INFO   Using poller
    2007-08-21 20:40:55,472 fail2ban.filter : INFO   Created Filter
    2007-08-21 20:40:55,473 fail2ban.filter : INFO   Created FilterPoll
    2007-08-21 20:40:55,474 fail2ban.filter : INFO   Added logfile = /var/log/auth.log
    2007-08-21 20:40:55,476 fail2ban.filter : INFO   Set maxRetry = 6
    2007-08-21 20:40:55,478 fail2ban.filter : INFO   Set findtime = 600
    2007-08-21 20:40:55,480 fail2ban.actions: INFO   Set banTime = 600
    2007-08-21 20:40:55,508 fail2ban.actions.action: INFO   Set actionBan = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
    2007-08-21 20:40:55,510 fail2ban.actions.action: INFO   Set actionStop = iptables -D INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
    iptables -F fail2ban-<name>
    iptables -X fail2ban-<name>
    2007-08-21 20:40:55,513 fail2ban.actions.action: INFO   Set actionStart = iptables -N fail2ban-<name>
    iptables -A fail2ban-<name> -j RETURN
    iptables -I INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
    2007-08-21 20:40:55,514 fail2ban.actions.action: INFO   Set actionUnban = iptables -D fail2ban-<name> -s <ip> -j DROP
    2007-08-21 20:40:55,516 fail2ban.actions.action: INFO   Set actionCheck = iptables -n -L INPUT | grep -q fail2ban-<name>
    2007-08-21 20:56:16,756 fail2ban.actions: WARNING [ssh] Ban 8X.X28.2XX.X6
    2007-08-21 21:01:58,831 fail2ban.actions: WARNING [ssh] 8X.X28.2XX.X6 already banned
    2007-08-21 21:06:16,880 fail2ban.actions: WARNING [ssh] Unban 8X.X28.2XX.X6
    I should perhaps also mention that ssh does not run on the standard port, but on one >40000.

    I am grateful for any help in persuading fail2ban to work properly.

  2. #2
    Registered user /dev/null_Peter
    Registered since
    Nov 2006
    Posts
    207
    Hi,

    first of all something fundamental: fail2ban does not make your server more secure in any way! You merely prevent your log files from being needlessly bloated. I don't even know whether the jokers get annoyed when they get no further after 10 attempts. They are mostly scripts running there anyway. You achieve security (as far as ssh is concerned) through a sensible configuration of sshd. There are plenty of examples and hints for that here in the forum. My tip: consistent use of public keys and completely disabling login with username/password.

    You wrote that you did not change the configuration. Not even the necessary adjustments? Did you enter the changed ssh port?
    You understood the x-minute ban correctly.

    Regards, Peter
    openSuSE tumbleweed, Kernel 4.12.x-x-desktop x86_64, KDE 4.14.x, Thunderbird 52.2.x
    S/MIME, because _I_ want to decide who can read my mails.
    Have a look: www.thunderbird-mail.de

  3. #3
    curufinwe
    Guest
    Hello,

    first of all, thanks for your reply! It is clear to me that fail2ban hardly increases security, but I still want to get it running. I hardly believe that anyone keeps their scripts running when they only get a timeout for 10 minutes. That would be a waste of resources.
    I have now changed the port in the "ssh" section of my "/etc/fail2ban/jail.local" and commented out the action. Now the whole thing works.

  4. #4
    Registered user
    Registered since
    May 2003
    Posts
    45

    I still don't quite get it

    So after a lot of back and forth I got fail2ban installed (on a vserver/Debian Sarge)
    and I can start it too.
    But when I test whether I get banned, nothing happens at all.
    Nothing appears in the log... I am not blocked and I don't get a mail either...
    I don't know what I am doing wrong.
    If you tell me what you need in order to help me, I will gladly provide the information

    fail2ban does seem to be running, though. top reports it and I received the following mail:
    Hi,

    The jail SSH has been started successfully.

    Regards,

    Fail2Ba
    Please explain it in a newbie-friendly way. Thanks
    Last edited by nemesis77 (05.11.07 at 12:32)

  5. #5
    curufinwe
    Guest
    Is ssh running on a non-standard port for you? If so, you have to specify that in jail.conf/jail.local under "port =" in the ssh section.

    Code:
    [ssh]
    
    enabled = true
    port    = 12345
    filter  = sshd
    logpath  = /var/log/auth.log
    maxretry = 4
    That is an excerpt from my jail.local. As you can see, I changed the port, because ssh does not run on a standard port on my machine.

    If that does not help, please post your jail.local or, if it does not exist, the jail.conf, and the contents of /var/log/fail2ban.log. And perhaps also write which fail2ban version you are using.

    Regards, johannes.
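
Added example (not part of the thread and not fail2ban's own code): a check for the mismatch described in posts #1, #3 and #5, where the jump from INPUT into the fail2ban chain only matches the default ports while sshd listens elsewhere, so the DROP rule is never reached. The function names, the sample rule listing (post #1's rule in numeric `-n` form) and the port 40022 are constructed for illustration.

```shell
#!/bin/sh
# Does traffic to the port sshd really listens on ever reach the fail2ban chain?
# Reads "iptables -n -L INPUT" style text, so it can be tested offline.

# Constructed sample: the jump rule from post #1 in numeric form
# ("ssh,sftp" in the thread's listing are the service names of 22 and 115).
SAMPLE_IPTABLES='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-ssh  tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 22,115'

# Constructed sshd_config excerpt; 40022 stands in for the ">40000" port.
SAMPLE_SSHD='# constructed sshd_config excerpt
#Port 22
Port 40022'

# sshd_ports: read sshd_config text on stdin, print every configured Port,
# or 22 when no Port directive is present (the sshd default).
sshd_ports() {
    awk 'tolower($1) == "port" { print $2; seen = 1 }
         END { if (!seen) print 22 }'
}

# jump_covers_port CHAIN PORT: read the INPUT listing on stdin and succeed
# if some rule that jumps to CHAIN matches destination port PORT.
jump_covers_port() {
    chain=$1 port=$2
    awk -v chain="$chain" -v port="$port" '
        $1 == chain {
            spec = ""
            for (i = 2; i <= NF; i++) {
                if ($i == "dports" && i < NF) spec = $(i + 1)      # -m multiport
                else if ($i ~ /^dpt:/)        spec = substr($i, 5) # --dport N
                else if ($i ~ /^dpts:/)       spec = substr($i, 6) # --dport A:B
            }
            # A jump without any port match sees all traffic of that protocol.
            if (spec == "") { found = 1; exit }
            n = split(spec, parts, ",")
            for (j = 1; j <= n; j++) {
                m = split(parts[j], r, ":")
                lo = r[1] + 0
                hi = (m == 2 ? r[2] : r[1]) + 0
                if (port + 0 >= lo && port + 0 <= hi) { found = 1; exit }
            }
        }
        END { exit (found ? 0 : 1) }
    '
}

# check_jail CHAIN RULES_TEXT SSHD_CONFIG_TEXT: report each sshd port and
# return non-zero if any of them bypasses the fail2ban chain.
check_jail() {
    chain=$1 rules=$2 sshd_conf=$3
    status=0
    for p in $(printf '%s\n' "$sshd_conf" | sshd_ports); do
        if printf '%s\n' "$rules" | jump_covers_port "$chain" "$p"; then
            echo "port $p: traffic passes through $chain, bans apply"
        else
            echo "port $p: not matched by the jump to $chain, bans have no effect"
            status=1
        fi
    done
    return $status
}

# Demo on the constructed samples. On a real host the inputs would be
# "$(iptables -n -L INPUT)" and "$(cat /etc/ssh/sshd_config)".
check_jail fail2ban-ssh "$SAMPLE_IPTABLES" "$SAMPLE_SSHD" ||
    echo "=> set 'port = <sshd port>' in the [ssh] jail and restart fail2ban"
```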

  6. #6
    Registered user
    Registered since
    May 2003
    Posts
    45
    Thanks for the reply.
    But ssh runs on port 22.. I had already tried moving it to another port, but then I could no longer log in.
    Well, here is the output of my fail2ban.log (quite long):

    Code:
    2007-11-05 10:38:47,482 fail2ban.jail   : INFO   Using poller
    2007-11-05 10:38:47,571 fail2ban.filter : INFO   Created Filter
    2007-11-05 10:38:47,571 fail2ban.filter : INFO   Created FilterPoll
    2007-11-05 10:38:47,576 fail2ban.filter : INFO   Added logfile = /var/log/auth.log
    2007-11-05 10:38:47,578 fail2ban.filter : INFO   Set maxRetry = 6
    2007-11-05 10:38:47,581 fail2ban.filter : INFO   Set findtime = 600
    2007-11-05 10:38:47,582 fail2ban.actions: INFO   Set banTime = 600
    2007-11-05 10:38:47,619 fail2ban.actions.action: INFO   Set actionBan = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
    2007-11-05 10:38:47,623 fail2ban.actions.action: INFO   Set actionStop = iptables -D INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
    iptables -F fail2ban-<name>
    iptables -X fail2ban-<name>
    2007-11-05 10:38:47,625 fail2ban.actions.action: INFO   Set actionStart = iptables -N fail2ban-<name>
    iptables -A fail2ban-<name> -j RETURN
    iptables -I INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
    2007-11-05 10:38:47,626 fail2ban.actions.action: INFO   Set actionUnban = iptables -D fail2ban-<name> -s <ip> -j DROP
    2007-11-05 10:38:47,628 fail2ban.actions.action: INFO   Set actionCheck = iptables -n -L INPUT | grep -q fail2ban-<name>
    2007-11-05 10:56:42,801 fail2ban.server : INFO   Exiting Fail2ban
    2007-11-05 10:56:44,529 fail2ban.jail   : INFO   Using poller
    2007-11-05 10:56:44,551 fail2ban.filter : INFO   Created Filter
    2007-11-05 10:56:44,551 fail2ban.filter : INFO   Created FilterPoll
    2007-11-05 10:56:44,554 fail2ban.filter : INFO   Added logfile = /var/log/auth.log
    2007-11-05 10:56:44,557 fail2ban.filter : INFO   Set maxRetry = 6
    2007-11-05 10:56:44,563 fail2ban.filter : INFO   Set findtime = 600
    2007-11-05 10:56:44,565 fail2ban.actions: INFO   Set banTime = 172800
    2007-11-05 10:56:44,600 fail2ban.actions.action: INFO   Set actionBan = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
    2007-11-05 10:56:44,601 fail2ban.actions.action: INFO   Set actionStop = iptables -D INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
    iptables -F fail2ban-<name>
    iptables -X fail2ban-<name>
    2007-11-05 10:56:44,605 fail2ban.actions.action: INFO   Set actionStart = iptables -N fail2ban-<name>
    iptables -A fail2ban-<name> -j RETURN
    iptables -I INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
    2007-11-05 10:56:44,607 fail2ban.actions.action: INFO   Set actionUnban = iptables -D fail2ban-<name> -s <ip> -j DROP
    2007-11-05 10:56:44,609 fail2ban.actions.action: INFO   Set actionCheck = iptables -n -L INPUT | grep -q fail2ban-<name>
    2007-11-05 11:23:17,999 fail2ban.server : INFO   Exiting Fail2ban
    2007-11-05 11:23:19,782 fail2ban.jail   : INFO   Using poller
    2007-11-05 11:23:19,804 fail2ban.filter : INFO   Created Filter
    2007-11-05 11:23:19,804 fail2ban.filter : INFO   Created FilterPoll
    2007-11-05 11:23:19,806 fail2ban.filter : INFO   Added logfile = /var/log/auth.log
    2007-11-05 11:23:19,808 fail2ban.filter : INFO   Set maxRetry = 3
    2007-11-05 11:23:19,809 fail2ban.comm   : WARNING Invalid command: ['set', 'proftpd', 'failregex', 'proftpd: \\(pam_unix\\) authentication failure; .* rhost=<HOST>']
    2007-11-05 11:35:00,030 fail2ban.server : INFO   Exiting Fail2ban
    2007-11-05 12:58:56,827 fail2ban.jail   : INFO   Using poller
    2007-11-05 12:58:56,851 fail2ban.filter : INFO   Created Filter
    2007-11-05 12:58:56,851 fail2ban.filter : INFO   Created FilterPoll
    2007-11-05 12:58:56,854 fail2ban.filter : INFO   Set maxRetry = 5
    2007-11-05 12:58:56,857 fail2ban.filter : INFO   Set findtime = 600
    2007-11-05 12:58:56,859 fail2ban.actions: INFO   Set banTime = 172800
    2007-11-05 12:58:56,898 fail2ban.actions.action: INFO   Set actionBan = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
    2007-11-05 12:58:56,900 fail2ban.actions.action: INFO   Set actionStop = iptables -D INPUT -p <protocol> --dport <port> -j fail2ban-<name>
    iptables -F fail2ban-<name>
    iptables -X fail2ban-<name>
    2007-11-05 12:58:56,902 fail2ban.actions.action: INFO   Set actionStart = iptables -N fail2ban-<name>
    iptables -A fail2ban-<name> -j RETURN
    iptables -I INPUT -p <protocol> --dport <port> -j fail2ban-<name>
    2007-11-05 12:58:56,904 fail2ban.actions.action: INFO   Set actionUnban = iptables -D fail2ban-<name> -s <ip> -j DROP
    2007-11-05 12:58:56,905 fail2ban.actions.action: INFO   Set actionCheck = iptables -n -L INPUT | grep -q fail2ban-<name>
    2007-11-05 12:58:56,916 fail2ban.actions.action: INFO   Set actionBan = echo -en "Subject: [Fail2Ban] <name>: banned <ip>
    From: Fail2Ban <<sender>>
    To: <dest>\n
    Hi,\n
    The IP <ip> has just been banned by Fail2Ban after
    <failures> attempts against <name>.\n\n
    Here are more information about <ip>:\n
    `/usr/bin/whois <ip>`\n
    Regards,\n
    Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
    2007-11-05 12:58:56,919 fail2ban.actions.action: INFO   Set actionStop = echo -en "Subject: [Fail2Ban] <name>: stopped
    From: Fail2Ban <<sender>>
    To: <dest>\n
    Hi,\n
    The jail <name> has been stopped.\n
    Regards,\n
    Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
    2007-11-05 12:58:56,921 fail2ban.actions.action: INFO   Set actionStart = echo -en "Subject: [Fail2Ban] <name>: started
    From: Fail2Ban <<sender>>
    To: <dest>\n
    Hi,\n
    The jail <name> has been started successfully.\n
    Regards,\n
    Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
    2007-11-05 12:58:56,923 fail2ban.actions.action: INFO   Set actionUnban = 
    2007-11-05 12:58:56,926 fail2ban.actions.action: INFO   Set actionCheck = 
    2007-11-05 12:58:56,932 fail2ban.jail   : INFO   Using poller
    2007-11-05 12:58:56,935 fail2ban.filter : INFO   Created Filter
    2007-11-05 12:58:56,935 fail2ban.filter : INFO   Created FilterPoll
    2007-11-05 12:58:56,938 fail2ban.filter : INFO   Added logfile = /var/log/auth.log
    2007-11-05 12:58:56,940 fail2ban.filter : INFO   Set maxRetry = 3
    2007-11-05 12:58:56,942 fail2ban.filter : INFO   Set findtime = 600
    2007-11-05 12:58:56,945 fail2ban.actions: INFO   Set banTime = 172800
    2007-11-05 12:58:56,964 fail2ban.actions.action: INFO   Set actionBan = ipaction add deny tcp from <ip> to <localhost> <port>
    2007-11-05 12:58:56,966 fail2ban.actions.action: INFO   Set actionStop = 
    2007-11-05 12:58:56,967 fail2ban.actions.action: INFO   Set actionStart = 
    2007-11-05 12:58:56,969 fail2ban.actions.action: INFO   Set actionUnban = ipaction delete `ipfw list | grep -i <ip> | awk '{print $1;}'`
    2007-11-05 12:58:56,970 fail2ban.actions.action: INFO   Set actionCheck = 
    2007-11-05 12:58:56,981 fail2ban.actions.action: INFO   Set actionBan = echo -en "Subject: [Fail2Ban] <name>: banned <ip>
    From: Fail2Ban <<sender>>
    To: <dest>\n
    Hi,\n
    The IP <ip> has just been banned by Fail2Ban after
    <failures> attempts against <name>.\n\n
    Here are more information about <ip>:\n
    `/usr/bin/whois <ip>`\n
    Regards,\n
    Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
    2007-11-05 12:58:56,986 fail2ban.actions.action: INFO   Set actionStop = echo -en "Subject: [Fail2Ban] <name>: stopped
    From: Fail2Ban <<sender>>
    To: <dest>\n
    Hi,\n
    The jail <name> has been stopped.\n
    Regards,\n
    Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
    2007-11-05 12:58:56,988 fail2ban.actions.action: INFO   Set actionStart = echo -en "Subject: [Fail2Ban] <name>: started
    From: Fail2Ban <<sender>>
    To: <dest>\n
    Hi,\n
    The jail <name> has been started successfully.\n
    Regards,\n
    Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
    2007-11-05 12:58:56,991 fail2ban.actions.action: INFO   Set actionUnban = 
    2007-11-05 12:58:56,992 fail2ban.actions.action: INFO   Set actionCheck = 
    2007-11-05 12:58:57,002 fail2ban.jail   : INFO   Using poller
    2007-11-05 12:58:57,003 fail2ban.filter : INFO   Created Filter
    2007-11-05 12:58:57,003 fail2ban.filter : INFO   Created FilterPoll
    2007-11-05 12:58:57,004 fail2ban.filter : INFO   Set maxRetry = 6
    2007-11-05 12:58:57,009 fail2ban.filter : INFO   Set findtime = 600
    2007-11-05 12:58:57,011 fail2ban.actions: INFO   Set banTime = 172800
    2007-11-05 12:58:57,022 fail2ban.actions.action: INFO   Set actionBan = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
    2007-11-05 12:58:57,026 fail2ban.actions.action: INFO   Set actionStop = iptables -D INPUT -p <protocol> --dport <port> -j fail2ban-<name>
    iptables -F fail2ban-<name>
    iptables -X fail2ban-<name>
    2007-11-05 12:58:57,026 fail2ban.actions.action: INFO   Set actionStart = iptables -N fail2ban-<name>
    iptables -A fail2ban-<name> -j RETURN
    iptables -I INPUT -p <protocol> --dport <port> -j fail2ban-<name>
    2007-11-05 12:58:57,027 fail2ban.actions.action: INFO   Set actionUnban = iptables -D fail2ban-<name> -s <ip> -j DROP
    2007-11-05 12:58:57,029 fail2ban.actions.action: INFO   Set actionCheck = iptables -n -L INPUT | grep -q fail2ban-<name>
    2007-11-05 12:58:57,038 fail2ban.actions.action: INFO   Set actionBan = echo -en "Subject: [Fail2Ban] <name>: banned <ip>
    From: Fail2Ban <<sender>>
    To: <dest>\n
    Hi,\n
    The IP <ip> has just been banned by Fail2Ban after
    <failures> attempts against <name>.\n\n
    Here are more information about <ip>:\n
    `/usr/bin/whois <ip>`\n
    Regards,\n
    Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
    2007-11-05 12:58:57,042 fail2ban.actions.action: INFO   Set actionStop = echo -en "Subject: [Fail2Ban] <name>: stopped
    From: Fail2Ban <<sender>>
    To: <dest>\n
    Hi,\n
    The jail <name> has been stopped.\n
    Regards,\n
    Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
    2007-11-05 12:58:57,044 fail2ban.actions.action: INFO   Set actionStart = echo -en "Subject: [Fail2Ban] <name>: started
    From: Fail2Ban <<sender>>
    To: <dest>\n
    Hi,\n
    The jail <name> has been started successfully.\n
    Regards,\n
    Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
    2007-11-05 12:58:57,045 fail2ban.actions.action: INFO   Set actionUnban = 
    2007-11-05 12:58:57,047 fail2ban.actions.action: INFO   Set actionCheck = 
    2007-11-05 12:58:57,052 fail2ban.jail   : INFO   Using poller
    2007-11-05 12:58:57,052 fail2ban.filter : INFO   Created Filter
    2007-11-05 12:58:57,055 fail2ban.filter : INFO   Created FilterPoll
    2007-11-05 12:58:57,057 fail2ban.filter : INFO   Set maxRetry = 1
    2007-11-05 12:58:57,059 fail2ban.filter : INFO   Set findtime = 600
    2007-11-05 12:58:57,061 fail2ban.actions: INFO   Set banTime = 172800
    2007-11-05 12:58:57,123 fail2ban.actions.action: INFO   Set actionBan = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
    2007-11-05 12:58:57,127 fail2ban.actions.action: INFO   Set actionStop = iptables -D INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
    iptables -F fail2ban-<name>
    iptables -X fail2ban-<name>
    2007-11-05 12:58:57,129 fail2ban.actions.action: INFO   Set actionStart = iptables -N fail2ban-<name>
    iptables -A fail2ban-<name> -j RETURN
    iptables -I INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
    2007-11-05 12:58:57,131 fail2ban.actions.action: INFO   Set actionUnban = iptables -D fail2ban-<name> -s <ip> -j DROP
    2007-11-05 12:58:57,132 fail2ban.actions.action: INFO   Set actionCheck = iptables -n -L INPUT | grep -q fail2ban-<name>
    2007-11-05 12:58:57,140 fail2ban.actions.action: INFO   Set actionBan = echo `date`": <ip> (<failures> failures)" >> <tmpfile>
    LINE=$( wc -l <tmpfile> | awk '{ print $1 }' )
    if [ $LINE -eq <lines> ]; then
    echo -en "Subject: [Fail2Ban] <name>: summary
    From: Fail2Ban <<sender>>
    To: <dest>\n
    Hi,\n
    These hosts have been banned by Fail2Ban.\n
    `cat <tmpfile>`
    Regards,\n
    Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
    rm <tmpfile>
    fi
    2007-11-05 12:58:57,143 fail2ban.actions.action: INFO   Set actionStop = if [ -f <tmpfile> ]; then
    echo -en "Subject: [Fail2Ban] <name>: summary
    From: Fail2Ban <<sender>>
    To: <dest>\n
    Hi,\n
    These hosts have been banned by Fail2Ban.\n
    `cat <tmpfile>`
    Regards,\n
    Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
    rm <tmpfile>
    fi
    echo -en "Subject: [Fail2Ban] <name>: stopped
    From: Fail2Ban <<sender>>
    To: <dest>\n
    Hi,\n
    The jail <name> has been stopped.\n
    Regards,\n
    Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
    2007-11-05 12:58:57,145 fail2ban.actions.action: INFO   Set actionStart = echo -en "Subject: [Fail2Ban] <name>: started
    From: Fail2Ban <<sender>>
    To: <dest>\n
    Hi,\n
    The jail <name> has been started successfully.\n
    Output will be buffered until <lines> lines are available.\n
    Regards,\n
    Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
    2007-11-05 12:58:57,147 fail2ban.actions.action: INFO   Set actionUnban = 
    2007-11-05 12:58:57,148 fail2ban.actions.action: INFO   Set actionCheck = 
    2007-11-05 12:59:18,278 fail2ban.server : INFO   Exiting Fail2ban
    2007-11-05 13:01:51,451 fail2ban.jail   : INFO   Using poller
    2007-11-05 13:01:51,475 fail2ban.filter : INFO   Created Filter
    2007-11-05 13:01:51,475 fail2ban.filter : INFO   Created FilterPoll
    2007-11-05 13:01:51,481 fail2ban.filter : INFO   Added logfile = /var/log/auth.log
    2007-11-05 13:01:51,483 fail2ban.filter : INFO   Set maxRetry = 5
    2007-11-05 13:01:51,485 fail2ban.filter : INFO   Set findtime = 600
    2007-11-05 13:01:51,487 fail2ban.actions: INFO   Set banTime = 172800
    2007-11-05 13:01:51,528 fail2ban.actions.action: INFO   Set actionBan = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
    2007-11-05 13:01:51,531 fail2ban.actions.action: INFO   Set actionStop = iptables -D INPUT -p <protocol> --dport <port> -j fail2ban-<name>
    iptables -F fail2ban-<name>
    iptables -X fail2ban-<name>
    2007-11-05 13:01:51,533 fail2ban.actions.action: INFO   Set actionStart = iptables -N fail2ban-<name>
    iptables -A fail2ban-<name> -j RETURN
    iptables -I INPUT -p <protocol> --dport <port> -j fail2ban-<name>
    2007-11-05 13:01:51,534 fail2ban.actions.action: INFO   Set actionUnban = iptables -D fail2ban-<name> -s <ip> -j DROP
    2007-11-05 13:01:51,535 fail2ban.actions.action: INFO   Set actionCheck = iptables -n -L INPUT | grep -q fail2ban-<name>
    2007-11-05 13:01:51,550 fail2ban.actions.action: INFO   Set actionBan = echo -en "Subject: [Fail2Ban] <name>: banned <ip>
    From: Fail2Ban <<sender>>
    To: <dest>\n
    Hi,\n
    The IP <ip> has just been banned by Fail2Ban after
    <failures> attempts against <name>.\n\n
    Here are more information about <ip>:\n
    `/usr/bin/whois <ip>`\n
    Regards,\n
    Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
    2007-11-05 13:01:51,552 fail2ban.actions.action: INFO   Set actionStop = echo -en "Subject: [Fail2Ban] <name>: stopped
    From: Fail2Ban <<sender>>
    To: <dest>\n
    Hi,\n
    The jail <name> has been stopped.\n
    Regards,\n
    Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
    2007-11-05 13:01:51,555 fail2ban.actions.action: INFO   Set actionStart = echo -en "Subject: [Fail2Ban] <name>: started
    From: Fail2Ban <<sender>>
    To: <dest>\n
    Hi,\n
    The jail <name> has been started successfully.\n
    Regards,\n
    Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
    2007-11-05 13:01:51,556 fail2ban.actions.action: INFO   Set actionUnban = 
    2007-11-05 13:01:51,557 fail2ban.actions.action: INFO   Set actionCheck = 
    2007-11-05 13:01:51,567 fail2ban.jail   : INFO   Using poller
    2007-11-05 13:01:51,567 fail2ban.filter : INFO   Created Filter
    2007-11-05 13:01:51,567 fail2ban.filter : INFO   Created FilterPoll
    2007-11-05 13:01:51,568 fail2ban.filter : INFO   Added logfile = /var/log/auth.log
    2007-11-05 13:01:51,573 fail2ban.filter : INFO   Set maxRetry = 3
    2007-11-05 13:01:51,577 fail2ban.filter : INFO   Set findtime = 600
    2007-11-05 13:01:51,578 fail2ban.actions: INFO   Set banTime = 172800
    2007-11-05 13:01:51,595 fail2ban.actions.action: INFO   Set actionBan = ipaction add deny tcp from <ip> to <localhost> <port>
    2007-11-05 13:01:51,600 fail2ban.actions.action: INFO   Set actionStop = 
    2007-11-05 13:01:51,602 fail2ban.actions.action: INFO   Set actionStart = 
    2007-11-05 13:01:51,603 fail2ban.actions.action: INFO   Set actionUnban = ipaction delete `ipfw list | grep -i <ip> | awk '{print $1;}'`
    2007-11-05 13:01:51,606 fail2ban.actions.action: INFO   Set actionCheck = 
    2007-11-05 13:01:51,616 fail2ban.actions.action: INFO   Set actionBan = echo -en "Subject: [Fail2Ban] <name>: banned <ip>
    From: Fail2Ban <<sender>>
    To: <dest>\n
    Hi,\n
    The IP <ip> has just been banned by Fail2Ban after
    <failures> attempts against <name>.\n\n
    Here are more information about <ip>:\n
    `/usr/bin/whois <ip>`\n
    Regards,\n
    Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
    2007-11-05 13:01:51,618 fail2ban.actions.action: INFO   Set actionStop = echo -en "Subject: [Fail2Ban] <name>: stopped
    From: Fail2Ban <<sender>>
    To: <dest>\n
    Hi,\n
    The jail <name> has been stopped.\n
    Regards,\n
    Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
    2007-11-05 13:01:51,623 fail2ban.actions.action: INFO   Set actionStart = echo -en "Subject: [Fail2Ban] <name>: started
    From: Fail2Ban <<sender>>
    To: <dest>\n
    Hi,\n
    The jail <name> has been started successfully.\n
    Regards,\n
    Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
    2007-11-05 13:01:51,626 fail2ban.actions.action: INFO   Set actionUnban = 
    2007-11-05 13:01:51,628 fail2ban.actions.action: INFO   Set actionCheck = 
    2007-11-05 13:01:51,637 fail2ban.jail   : INFO   Using poller
    2007-11-05 13:01:51,638 fail2ban.filter : INFO   Created Filter
    2007-11-05 13:01:51,639 fail2ban.filter : INFO   Created FilterPoll
    2007-11-05 13:01:51,640 fail2ban.filter : INFO   Added logfile = /var/log/auth.log
    2007-11-05 13:01:51,645 fail2ban.filter : INFO   Set maxRetry = 6
    2007-11-05 13:01:51,648 fail2ban.filter : INFO   Set findtime = 600
    2007-11-05 13:01:51,649 fail2ban.actions: INFO   Set banTime = 172800
    2007-11-05 13:01:51,663 fail2ban.actions.action: INFO   Set actionBan = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
    2007-11-05 13:01:51,664 fail2ban.actions.action: INFO   Set actionStop = iptables -D INPUT -p <protocol> --dport <port> -j fail2ban-<name>
    iptables -F fail2ban-<name>
    iptables -X fail2ban-<name>
    2007-11-05 13:01:51,666 fail2ban.actions.action: INFO   Set actionStart = iptables -N fail2ban-<name>
    iptables -A fail2ban-<name> -j RETURN
    iptables -I INPUT -p <protocol> --dport <port> -j fail2ban-<name>
    2007-11-05 13:01:51,670 fail2ban.actions.action: INFO   Set actionUnban = iptables -D fail2ban-<name> -s <ip> -j DROP
    2007-11-05 13:01:51,672 fail2ban.actions.action: INFO   Set actionCheck = iptables -n -L INPUT | grep -q fail2ban-<name>
    2007-11-05 13:01:51,682 fail2ban.actions.action: INFO   Set actionBan = echo -en "Subject: [Fail2Ban] <name>: banned <ip>
    From: Fail2Ban <<sender>>
    To: <dest>\n
    Hi,\n
    The IP <ip> has just been banned by Fail2Ban after
    <failures> attempts against <name>.\n\n
    Here are more information about <ip>:\n
    `/usr/bin/whois <ip>`\n
    Regards,\n
    Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
    2007-11-05 13:01:51,684 fail2ban.actions.action: INFO   Set actionStop = echo -en "Subject: [Fail2Ban] <name>: stopped
    From: Fail2Ban <<sender>>
    To: <dest>\n
    Hi,\n
    The jail <name> has been stopped.\n
    Regards,\n
    Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
    2007-11-05 13:01:51,685 fail2ban.actions.action: INFO   Set actionStart = echo -en "Subject: [Fail2Ban] <name>: started
    From: Fail2Ban <<sender>>
    To: <dest>\n
    Hi,\n
    The jail <name> has been started successfully.\n
    Regards,\n
    Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
    2007-11-05 13:01:51,687 fail2ban.actions.action: INFO   Set actionUnban = 
    2007-11-05 13:01:51,689 fail2ban.actions.action: INFO   Set actionCheck = 
    2007-11-05 13:20:40,870 fail2ban.server : INFO   Exiting Fail2ban
    2007-11-05 13:20:49,049 fail2ban.jail   : INFO   Using poller
    2007-11-05 13:20:49,080 fail2ban.filter : INFO   Created Filter
    2007-11-05 13:20:49,080 fail2ban.filter : INFO   Created FilterPoll
    2007-11-05 13:20:49,086 fail2ban.filter : INFO   Added logfile = /var/log/auth.log
    2007-11-05 13:20:49,090 fail2ban.filter : INFO   Set maxRetry = 5
    2007-11-05 13:20:49,095 fail2ban.filter : INFO   Set findtime = 600
    2007-11-05 13:20:49,101 fail2ban.actions: INFO   Set banTime = 172800
    2007-11-05 13:20:49,153 fail2ban.actions.action: INFO   Set actionBan = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
    2007-11-05 13:20:49,156 fail2ban.actions.action: INFO   Set actionStop = iptables -D INPUT -p <protocol> --dport <port> -j fail2ban-<name>
    iptables -F fail2ban-<name>
    iptables -X fail2ban-<name>
    2007-11-05 13:20:49,160 fail2ban.actions.action: INFO   Set actionStart = iptables -N fail2ban-<name>
    iptables -A fail2ban-<name> -j RETURN
    iptables -I INPUT -p <protocol> --dport <port> -j fail2ban-<name>
    2007-11-05 13:20:49,168 fail2ban.actions.action: INFO   Set actionUnban = iptables -D fail2ban-<name> -s <ip> -j DROP
    2007-11-05 13:20:49,170 fail2ban.actions.action: INFO   Set actionCheck = iptables -n -L INPUT | grep -q fail2ban-<name>
    2007-11-05 13:20:49,185 fail2ban.actions.action: INFO   Set actionBan = echo -en "Subject: [Fail2Ban] <name>: banned <ip>
    From: Fail2Ban <<sender>>
    To: <dest>\n
    Hi,\n
    The IP <ip> has just been banned by Fail2Ban after
    <failures> attempts against <name>.\n\n
    Here are more information about <ip>:\n
    `/usr/bin/whois <ip>`\n
    Regards,\n
    Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
    2007-11-05 13:20:49,190 fail2ban.actions.action: INFO   Set actionStop = echo -en "Subject: [Fail2Ban] <name>: stopped
    From: Fail2Ban <<sender>>
    To: <dest>\n
    Hi,\n
    The jail <name> has been stopped.\n
    Regards,\n
    Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
    2007-11-05 13:20:49,193 fail2ban.actions.action: INFO   Set actionStart = echo -en "Subject: [Fail2Ban] <name>: started
    From: Fail2Ban <<sender>>
    To: <dest>\n
    Hi,\n
    The jail <name> has been started successfully.\n
    Regards,\n
    Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
    2007-11-05 13:20:49,194 fail2ban.actions.action: INFO   Set actionUnban = 
    2007-11-05 13:20:49,201 fail2ban.actions.action: INFO   Set actionCheck = 
    2007-11-05 13:20:49,210 fail2ban.jail   : INFO   Using poller
    2007-11-05 13:20:49,210 fail2ban.filter : INFO   Created Filter
    2007-11-05 13:20:49,211 fail2ban.filter : INFO   Created FilterPoll
    2007-11-05 13:20:49,216 fail2ban.filter : INFO   Added logfile = /var/log/auth.log
    2007-11-05 13:20:49,218 fail2ban.filter : INFO   Set maxRetry = 3
    2007-11-05 13:20:49,226 fail2ban.filter : INFO   Set findtime = 600
    2007-11-05 13:20:49,227 fail2ban.actions: INFO   Set banTime = 172800
    2007-11-05 13:20:49,251 fail2ban.actions.action: INFO   Set actionBan = ipaction add deny tcp from <ip> to <localhost> <port>
    2007-11-05 13:20:49,253 fail2ban.actions.action: INFO   Set actionStop = 
    2007-11-05 13:20:49,254 fail2ban.actions.action: INFO   Set actionStart = 
    2007-11-05 13:20:49,255 fail2ban.actions.action: INFO   Set actionUnban = ipaction delete `ipfw list | grep -i <ip> | awk '{print $1;}'`
    2007-11-05 13:20:49,257 fail2ban.actions.action: INFO   Set actionCheck = 
    2007-11-05 13:20:49,267 fail2ban.actions.action: INFO   Set actionBan = echo -en "Subject: [Fail2Ban] <name>: banned <ip>
    From: Fail2Ban <<sender>>
    To: <dest>\n
    Hi,\n
    The IP <ip> has just been banned by Fail2Ban after
    <failures> attempts against <name>.\n\n
    Here are more information about <ip>:\n
    `/usr/bin/whois <ip>`\n
    Regards,\n
    Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
    2007-11-05 13:20:49,268 fail2ban.actions.action: INFO   Set actionStop = echo -en "Subject: [Fail2Ban] <name>: stopped
    From: Fail2Ban <<sender>>
    To: <dest>\n
    Hi,\n
    The jail <name> has been stopped.\n
    Regards,\n
    Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
    2007-11-05 13:20:49,274 fail2ban.actions.action: INFO   Set actionStart = echo -en "Subject: [Fail2Ban] <name>: started
    From: Fail2Ban <<sender>>
    To: <dest>\n
    Hi,\n
    The jail <name> has been started successfully.\n
    Regards,\n
    Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
    2007-11-05 13:20:49,277 fail2ban.actions.action: INFO   Set actionUnban = 
    2007-11-05 13:20:49,278 fail2ban.actions.action: INFO   Set actionCheck = 
    2007-11-05 13:20:49,288 fail2ban.jail   : INFO   Using poller
    2007-11-05 13:20:49,290 fail2ban.filter : INFO   Created Filter
    2007-11-05 13:20:49,290 fail2ban.filter : INFO   Created FilterPoll
    2007-11-05 13:20:49,296 fail2ban.filter : INFO   Added logfile = /var/log/auth.log
    2007-11-05 13:20:49,299 fail2ban.filter : INFO   Set maxRetry = 6
    2007-11-05 13:20:49,301 fail2ban.filter : INFO   Set findtime = 600
    2007-11-05 13:20:49,305 fail2ban.actions: INFO   Set banTime = 172800
    2007-11-05 13:20:49,323 fail2ban.actions.action: INFO   Set actionBan = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
    2007-11-05 13:20:49,333 fail2ban.actions.action: INFO   Set actionStop = iptables -D INPUT -p <protocol> --dport <port> -j fail2ban-<name>
    iptables -F fail2ban-<name>
    iptables -X fail2ban-<name>
    2007-11-05 13:20:49,334 fail2ban.actions.action: INFO   Set actionStart = iptables -N fail2ban-<name>
    iptables -A fail2ban-<name> -j RETURN
    iptables -I INPUT -p <protocol> --dport <port> -j fail2ban-<name>
    2007-11-05 13:20:49,336 fail2ban.actions.action: INFO   Set actionUnban = iptables -D fail2ban-<name> -s <ip> -j DROP
    2007-11-05 13:20:49,342 fail2ban.actions.action: INFO   Set actionCheck = iptables -n -L INPUT | grep -q fail2ban-<name>
    2007-11-05 13:20:49,349 fail2ban.actions.action: INFO   Set actionBan = echo -en "Subject: [Fail2Ban] <name>: banned <ip>
    From: Fail2Ban <<sender>>
    To: <dest>\n
    Hi,\n
    The IP <ip> has just been banned by Fail2Ban after
    <failures> attempts against <name>.\n\n
    Here are more information about <ip>:\n
    `/usr/bin/whois <ip>`\n
    Regards,\n
    Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
    2007-11-05 13:20:49,357 fail2ban.actions.action: INFO   Set actionStop = echo -en "Subject: [Fail2Ban] <name>: stopped
    From: Fail2Ban <<sender>>
    To: <dest>\n
    Hi,\n
    The jail <name> has been stopped.\n
    Regards,\n
    Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
    2007-11-05 13:20:49,360 fail2ban.actions.action: INFO   Set actionStart = echo -en "Subject: [Fail2Ban] <name>: started
    From: Fail2Ban <<sender>>
    To: <dest>\n
    Hi,\n
    The jail <name> has been started successfully.\n
    Regards,\n
    Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
    2007-11-05 13:20:49,362 fail2ban.actions.action: INFO   Set actionUnban = 
    2007-11-05 13:20:49,365 fail2ban.actions.action: INFO   Set actionCheck =
    Here is my jail.conf:

    Code:
    # Fail2Ban configuration file
    #
    # Author: Cyril Jaquier
    #
    # $Revision: 611 $
    #
    
    # The DEFAULT allows a global definition of the options. They can be override
    # in each jail afterwards.
    
    [DEFAULT]
    
    # "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
    # ban a host which matches an address in this list. Several addresses can be
    # defined using space separator.
    ignoreip = 127.0.0.1
    
    # "bantime" is the number of seconds that a host is banned.
    bantime  = 172800
    
    # A host is banned if it has generated "maxretry" during the last "findtime"
    # seconds.
    findtime  = 600
    
    # "maxretry" is the number of failures before a host get banned.
    maxretry = 3
    
    # "backend" specifies the backend used to get files modification. Available
    # options are "gamin", "polling" and "auto". This option can be overridden in
    # each jail too (use "gamin" for a jail and "polling" for another).
    #
    # gamin:   requires Gamin (a file alteration monitor) to be installed. If Gamin
    #          is not installed, Fail2ban will use polling.
    # polling: uses a polling algorithm which does not require external libraries.
    # auto:    will choose Gamin if available and polling otherwise.
    backend = auto
    
    
    # This jail corresponds to the standard configuration in Fail2ban 0.6.
    # The mail-whois action send a notification e-mail with a whois request
    # in the body.
    
    [ssh-iptables]
    
    enabled  = true
    filter   = sshd
    action   = iptables[name=SSH, port=ssh, protocol=tcp]
               sendmail-whois[name=SSH, dest=MEINE MAIL@ADRESSE.tld, sender=fail2ban@mail.com]
    logpath  = /var/log/auth.log
    maxretry = 5
    
    [proftpd-iptables]
    
    enabled  = true
    filter   = proftpd
    action   = iptables[name=ProFTPD, port=ftp, protocol=tcp]
               sendmail-whois[name=ProFTPD, dest=MEINE MAIL@ADRESSE.tld]
    logpath  = /var/log/auth.log
    maxretry = 6
    
    # This jail forces the backend to "polling".
    
    [sasl-iptables]
    
    enabled  = false
    filter   = sasl
    backend  = polling
    action   = iptables[name=sasl, port=smtp, protocol=tcp]
               sendmail-whois[name=sasl, dest=you@mail.com]
    logpath  = /var/log/mail.log
    
    # Here we use TCP-Wrappers instead of Netfilter/Iptables. "ignoreregex" is
    # used to avoid banning the user "myuser".
    
    [ssh-tcpwrapper]
    
    enabled     = false
    filter      = sshd
    action      = hostsdeny
                  sendmail-whois[name=SSH, dest=you@mail.com]
    ignoreregex = for myuser from
    logpath     = /var/log/sshd.log
    
    # This jail demonstrates the use of wildcards in "logpath".
    # Moreover, it is possible to give other files on a new line.
    
    [apache-tcpwrapper]
    
    enabled  = false
    filter	 = apache-auth
    action   = hostsdeny
    logpath  = /var/log/apache*/*access.log
               /home/www/myhomepage/access.log
    maxretry = 6
    
    # The hosts.deny path can be defined with the "file" argument if it is
    # not in /etc.
    
    [postfix-tcpwrapper]
    
    enabled  = false
    filter   = postfix
    action   = hostsdeny[file=/not/a/standard/path/hosts.deny]
               sendmail[name=Postfix, dest=you@mail.com]
    logpath  = /var/log/postfix.log
    bantime  = 300
    
    # Do not ban anybody. Just report information about the remote host.
    # A notification is sent at most every 600 seconds (bantime).
    
    [vsftpd-notification]
    
    enabled  = false
    filter   = vsftpd
    action   = sendmail-whois[name=VSFTPD, dest=you@mail.com]
    logpath  = /var/log/vsftpd.log
    maxretry = 5
    bantime  = 1800
    
    # Same as above but with banning the IP address.
    
    [vsftpd-iptables]
    
    enabled  = false
    filter   = vsftpd
    action   = iptables[name=VSFTPD, port=ftp, protocol=tcp]
               sendmail-whois[name=VSFTPD, dest=you@mail.com]
    logpath  = /var/log/vsftpd.log
    maxretry = 5
    bantime  = 1800
    
    # Ban hosts which agent identifies spammer robots crawling the web
    # for email addresses. The mail outputs are buffered.
    
    [apache-badbots]
    
    enabled  = false
    filter   = apache-badbots
    action   = iptables-multiport[name=BadBots, port="http,https"]
               sendmail-buffered[name=BadBots, lines=5, dest=you@mail.com]
    logpath  = /var/www/*/logs/access_log
    bantime  = 172800
    maxretry = 1
    
    # Use shorewall instead of iptables.
    
    [apache-shorewall]
    
    enabled  = false
    filter   = apache-noscript
    action   = shorewall
               sendmail[name=Postfix, dest=you@mail.com]
    logpath  = /var/log/apache2/error_log
    
    # This jail uses ipfw, the standard firewall on FreeBSD. The "ignoreip"
    # option is overridden in this jail. Moreover, the action "mail-whois" defines
    # the variable "name" which contains a comma using "". The characters '' are
    # valid too.
    
    [ssh-ipfw]
    
    enabled  = true
    filter   = sshd
    action   = ipfw[localhost=192.168.0.1]
               sendmail-whois[name="SSH,IPFW", dest=MEINE MAIL@Adresse.tld]
    logpath  = /var/log/auth.log
    ignoreip = 168.192.0.1
    
    # These jails block attacks against named (bind9). By default, logging is off
    # with bind9 installation. You will need something like this:
    #
    # logging {
    #     channel lame-servers_file {
    #         file "/var/log/named/lame-servers.log" versions 3 size 30m;
    #         severity dynamic;
    #         print-time yes;
    #     };
    #     category lame-servers {
    #         lame-servers_file;
    #     };
    # }
    #
    # in your named.conf to provide proper logging.
    # This jail blocks UDP traffic for DNS requests.
    
    [named-refused-udp]
    
    enabled  = false
    filter   = named-refused
    action   = iptables-multiport[name=Named, port="domain,953", protocol=udp]
               sendmail-whois[name=Named, dest=you@mail.com]
    logpath  = /var/log/named/lame-servers.log
    ignoreip = 168.192.0.1
    
    # This jail blocks TCP traffic for DNS requests.
    
    [named-refused-tcp]
    
    enabled  = false
    filter   = named-refused
    action   = iptables-multiport[name=Named, port="domain,953", protocol=tcp]
               sendmail-whois[name=Named, dest=you@mail.com]
    logpath  = /var/log/named/lame-servers.log
    ignoreip = 168.192.0.1
    The version I have installed is: fail2ban (0.8.1-1~bpo31+1) [backports]

  7. #7
    Registered user
    Registered since
    May 2003
    Posts
    45
    Nobody got an idea???

  8. #8
    Registered user
    Registered since
    May 2003
    Posts
    45
    It's resolved. Works now - even though I didn't change anything.

  9. #9
    Kevinol
    Guest
    Quote from /dev/null_Peter
    Hi,

    first of all something fundamental: fail2ban by no means makes your server more secure! You merely prevent your log files from being bloated needlessly.
    First of all something fundamental: one can really do without such idiotic comments from people who think they know everything better and have to lecture others.
    Why on earth should fail2ban not make the server more secure? That is absolute bullshit.
    I use fail2ban on a server where several customers are hosted. Fail2Ban has the effect that, e.g., brute-force attacks are fended off, in that one cannot simply try out 500 different username/password combinations from a single IP address, since the client is blocked via the firewall after 3 login attempts.
    So please hold back with your idiotic comments

  10. #10
    Registered user
    Registered since
    Dec 2003
    Location
    Dettenhausen
    Posts
    22.062
    And you registered specifically for that and dug an ancient thread out of the cellar?

    Wow.

    And no - fail2ban does not make it more secure. Only harder.
    I am root - I'm allowed to do that.

  11. #11
    Datasette Avatar of gropiuskalle
    Registered since
    Nov 2006
    Location
    West-Berlin
    Posts
    2.681
    I do of course understand the basic thrust of the objections to fail2ban here - on the other hand: if access is made "harder", that does increase security, doesn't it? Which measures secure a system absolutely anyway?

    I'm only asking...

    Edit: Anyone who believes they can fend off attacks with things like fail2ban alone is of course thinking rather naively, that's clear. But every method carries the risk of lulling oneself into a false sense of security.
    Last edited by gropiuskalle (14.10.09 at 11:17)

  12. #12
    Kevinol
    Guest
    Quote from marce
    And no - fail2ban does not make it more secure. Only harder.
    That's just nitpicking. If it is harder to get onto a server, it is thereby also more secure.
    I wonder how one can call a position into question and then post such a stupid contradiction oneself.
    And if clients that carry out attacks on a server are blocked right at the start, it is thereby also more secure.
    You can talk as much bullshit as you like.

  13. #13
    Registered user
    Registered since
    Dec 2003
    Location
    Dettenhausen
    Posts
    22.062
    Ever heard of distributed attacks? Or of login attempts that don't fire away but run with a delay? Then your f2b doesn't trigger. And that's it for "secure".

    It is not a contradiction - it is reality.

    But thanks - welcome to my blacklist.

    -> Netiquette and good manners are actually handed out at the entrance or at school.
    I am root - I'm allowed to do that.

  14. #14
    Kevinol
    Guest
    Quote from marce
    Ever heard of distributed attacks? Or of login attempts that don't fire away but run with a delay? Then your f2b doesn't trigger. And that's it for "secure".

    It is not a contradiction - it is reality.

    But thanks - welcome to my blacklist.

    -> Netiquette and good manners are actually handed out at the entrance or at school.
    So that's how it is: when you notice that you are wrong, you simply put the one who is right on the blacklist.

    And so that perhaps even someone like you gets it, although I more than doubt that based on your postings: I never said that fail2ban secures against all attacks!!! I only took a stand against the claim that fail2ban supposedly does not make the server more secure.
    There are enough attackers who attack "without" delay and from only one IP. And it is exactly against these attacks that fail2ban makes the server more secure.
    If one then still claims that fail2ban does not make the server more secure, that is simply absolute bullshit.
    fail2ban may achieve nothing against many attacks, but it is one mosaic piece of many, each of which makes the server more secure.
    But unfortunately you will never get that!
    By the way, there was never any talk of fail2ban making the server "secure", but "more secure" !!!!!!!!!
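
Added example, not part of any post in this thread: the per-address threshold of the [ssh-iptables] jail posted above (maxretry = 5, findtime = 600), run over a constructed auth.log sample beside a per-account count and a longer window, to show which of the patterns argued about in posts #13 and #14 each check reports. The log lines, addresses and the function names are assumptions made for this illustration and are not fail2ban's own code.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
MAXRETRY, FINDTIME = 5, 600  # thresholds of the [ssh-iptables] jail posted above

FAIL_RE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
                     r"Failed password for (?:invalid user )?(\S+) from (\S+)")

def parse(lines, year=2007):
    """Yield (seconds, user, ip) for every failed sshd password line."""
    for line in lines:
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield (ts - datetime(year, 1, 1)).total_seconds(), m.group(2), m.group(3)

def flagged(events, field, threshold, window):
    """Keys (field 1 = user, 2 = ip) with >= threshold failures within window s."""
    recent, hits = defaultdict(deque), set()
    for event in events:
        q = recent[event[field]]
        q.append(event[0])
        while event[0] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            hits.add(event[field])
    return hits

def make_log():
    """Constructed sample log: fast single host, slow single host, many hosts."""
    lines = []
    def fail(minute, second, user, ip):
        lines.append(f"Nov  5 {13 + minute // 60:02d}:{minute % 60:02d}:{second:02d} "
                     f"vps sshd[4242]: Failed password for {user} from {ip} port 40000 ssh2")
    for s in range(5):      # 5 failures within 5 seconds, one address
        fail(0, s, "root", "192.0.2.10")
    for i in range(5):      # 5 failures 15 minutes apart, one address
        fail(15 * i, 30, "admin", "192.0.2.20")
    for i in range(8):      # 8 failures against one account, 8 addresses
        fail(2, i, "backup", f"198.51.100.{i + 1}")
    return sorted(lines)    # fixed-width timestamps sort chronologically

def analyse(lines, findtime=FINDTIME):
    """Return (addresses, accounts) that cross MAXRETRY inside findtime."""
    events = list(parse(lines))
    return flagged(events, 2, MAXRETRY, findtime), flagged(events, 1, MAXRETRY, findtime)

if __name__ == "__main__":
    print(analyse(make_log()), analyse(make_log(), findtime=86400))
```

With the jail's settings only the fast single address is reported per IP; counting per account also reports the spread-out attempts, and the slow address only shows up once the window is widened.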

  15. #15
    Rain_maker
    Guest
    Quote from gropiuskalle
    Edit: Anyone who believes they can fend off attacks with things like fail2ban alone is of course thinking rather naively, that's clear. But every method carries the risk of lulling oneself into a false sense of security.
    Sometimes such tools also make the server "secure" from the admin.

    http://www.ossec.net/main/attacking-log-analysis-tools

    It is admittedly somewhat older, and the holes found there in some of the "usual suspects" have been fixed, but this attack vector in principle always comes along automatically with it.

    "Complexity breeds bug"
