raspbian Linux [호스트 이름] 4.9.36+ #1015 목요일 7월 6일 16:07:57 BST 2017 armv6l GNU/Linux
fall2ban은 dropbear 인증 실패를 감지하지 못했습니다. 이것은 문제 없이 openssh에서 작동합니다. 메모리 사용량을 줄이기 위해 dropbear로 이동했습니다.
이것은 로깅이 작동 중임을 보여주는 내 auth.log입니다.
dropbear[2640]: Bad password attempt for 'username' from 192.168.1.151:50780
내 지역 감옥
#dropbear shh config password
[dropbear]
enabled = true
port = ssh
filter = dropbear
logpath = /var/log/auth.log
bantime = 900
banaction = iptables-allports
findtime = 900
maxretry = 3
내 dropbear.conf failure2ban 필터
[Definition]
_daemon = dropbear
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
# These match the unmodified dropbear messages. It isn't possible to
# match the source of the 'exit before auth' messages from dropbear.
#
failregex = ^%(__prefix_line)slogin attempt for nonexistent user ('.*' )?from <HOST>:.*\s*$
^%(__prefix_line)sbad password attempt for .+ from <HOST>:.*\s*$
# The only line we need to match with the modified dropbear.
# NOTE: The failregex below is ONLY intended to work with a patched
# version of Dropbear as described here:
# http://www.unchartedbackwaters.co.uk/pyblosxom/static/patches
및 표준 Jail 구성(이 옵션은 .local Jail로 재정의되어야 함)
# in /etc/fail2ban/jail.local.
#
# Optionally you may override any other parameter (e.g. banaction,
# action, port, logpath, etc) in that section within jail.local
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 6
[dropbear]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/dropbear
maxretry = 6
답변1
정규식 dropbear.conf은 다음 항목과 일치하지 않습니다 auth.log.
Bad password attempt for... /* auth.log */
bad password attempt for... /* dropbear.conf */
대소문자를 고려하여 편집하는 경우 dropbear.conf, fall2ban은 기록된 인증 실패를 포착해야 합니다.