Fail2Ban dropbear가 다시 감지되지 않습니다. 인증 실패

tag-icon tag-icon raspberry-pi raspbian fail2ban
Fail2Ban dropbear가 다시 감지되지 않습니다. 인증 실패

래트비안 제시

편집 : 일부 클라이언트에서 작동 중입니다.

다른 Rasberry Pi의 로그가 작동 중이며 이제 로그에 올바른 항목이 표시됩니다.

Jul 22 04:02:21 <HOSTNAME> dropbear[2462]: Bad password attempt for
'user' from 192.168.1.154:39594

하지만 Mac에서 시도하면 다음과 같은 결과가 나타납니다.

Jul 22 04:29:27 <HOSTNAME> dropbear[3026]: Bad password attempt for 'user' from fe80::109b:c195:be5d:6e5e%eth0:63395

어떤 이유로 IPV6 주소를 사용하려고 합니다.

여기에서 비슷한 스레드를 찾을 수 있습니다.Fail2Ban dropbear 인증이 실패했습니다.

나는 이 작업을 수행했지만 백업(관련 없음)에서 복원해야 했지만 해당 백업에는 이에 대한 수정 사항이 포함되지 않았습니다. 복구 후 drop Bear를 다시 설치하고 FAIL2BAN을 재구성했는데 정규식이 다시 변경된 것 같습니다. 지난번에는 대문자 대 소문자 B가 원인이었는데 이번에는 아니었고, 아래에서 볼 수 있듯이 지금 실행하고 있는 Fail2ban 버전에서는 해당 문제가 해결된 것 같습니다. 하지만 여전히 자동차 고장 문제는 해결되지 않습니다.

확인 로그 오류

dropbear[740]: Bad password attempt for 'username' from 192.168.1.171:62556

현재 필터

# Fail2Ban filter for dropbear
#
# NOTE: The regex below is ONLY intended to work with a patched
# version of Dropbear as described here:
# http://www.unchartedbackwaters.co.uk/pyblosxom/static/patches
#            ^%(__prefix_line)sexit before auth from <HOST>.*\s*$
#
# The standard Dropbear output doesn't provide enough information to
# ban all types of attack.  The Dropbear patch adds IP address
# information to the 'exit before auth' message which is always
# produced for any form of non-successful login. It is that message
# which this file matches.
#
# More information: http://bugs.debian.org/546913

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

_daemon = dropbear

failregex = ^%(__prefix_line)s[Ll]ogin attempt for nonexistent user ('.*' )?from <HOST>:\d+$
            ^%(__prefix_line)s[Bb]ad (PAM )?password attempt for .+ from <HOST>(:\d+)?$
            ^%(__prefix_line)s[Ee]xit before auth \(user '.+', \d+ fails\): Max auth tries reached - user '.+' from <HOST>:\d+\s*$

ignoreregex =

# DEV Notes:
#
# The first two regexs here match the unmodified dropbear messages. It isn't
# possible to match the source of the 'exit before auth' messages from dropbear
# as they don't include the "from <HOST>" bit.
#
# The second last failregex line we need to match with the modified dropbear.
#
# For the second regex the following apply:
#
# http://www.netmite.com/android/mydroid/external/dropbear/svr-authpam.c
# http://svn.dd-wrt.com/changeset/16642#file64

Fail2banjail.conf

# [SECTION_NAME]
# enabled = true

#
# in /etc/fail2ban/jail.local.
#
# Optionally you may override any other parameter (e.g. banaction,
# action, port, logpath, etc) in that section within jail.local

[ssh]

enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 6

[dropbear]

enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 6

# Generic filter for pam. Has to be used with action which bans all ports
# such as iptables-allports, shorewall
[pam-generic]

Fail2Ban 감옥.로컬

#local ssh rule set

[ssh]

enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
bantime = 900
banaction = iptables-allports
findtime = 900
maxretry = 3

#dropbear ssh config

[dropbear]

enabled = true
port = ssh
filter = dropbear
logpath = /var/log/auth.log
bantime = 900
banaction = iptables-allports
findtime = 900
maxretry = 3

IPTABLEs -L 출력

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
fail2ban-dropbear  tcp  --  anywhere             anywhere            
fail2ban-ssh  tcp  --  anywhere             anywhere            

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain fail2ban-dropbear (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain fail2ban-ssh (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere

정규식을 실행할 때

fail2ban-regex "Nov 15 09:09:16 gw dropbear[16806]: Bad password attempt for 'root' from 104.223.180.34:3703" config/filter.d/dropbear.conf

Running tests
=============

Use   failregex line : config/filter.d/dropbear.conf
Traceback (most recent call last):
  File "/usr/bin/fail2ban-regex", line 430, in <module>
    fail2banRegex.readRegex(cmd_regex, 'fail') or sys.exit(-1)
  File "/usr/bin/fail2ban-regex", line 227, in readRegex
    'add%sRegex' % regextype.title())(regex.getFailRegex())
  File "/usr/share/fail2ban/server/filter.py", line 95, in addFailRegex
    raise e
server.failregex.RegexException: No 'host' group in 'config/filter.d/dropbear.conf'

답변1

Mac에서 IPV6을 사용하지 못하게 하려면 명령줄에서 이를 비활성화해야 합니다. GUI에 "구성되지 않음"으로 표시되어도 여전히 DHCP 서버에서 IPV6 주소를 가져옵니다. 내가 취한 단계는 다음과 같습니다.

1) Mac에서 IPV6 비활성화

networksetup -setv6off Wi-Fi $$ networksetup -setv6off Ethernet (-usesetv6automatic to enable)

2) 내 DHCP 서버(이 경우에는 failure2ban 및 dropbear를 설치한 상자)가 IPV6을 제공하지 않는지 확인하세요.

3) lixun 시스템(대상 시스템 또는 호스트)에서 IPV6을 비활성화해야 하는 경우

sysctl -w net.ipv6.conf.all.disable_ipv6=1
sysctl -w net.ipv6.conf.default.disable_ipv6=1 
=0 will enable

4) 결국 기본 Fail2ban 드롭 베어 필터로 돌아갔습니다. 잠재적인 오류 메시지 대소문자 차이를 포착하기 위해 마지막 게시물 이후 업데이트된 것으로 보입니다.

# Fail2Ban filter for dropbear
#
# NOTE: The regex below is ONLY intended to work with a patched
# version of Dropbear as described here:
# http://www.unchartedbackwaters.co.uk/pyblosxom/static/patches
#            ^%(__prefix_line)sexit before auth from <HOST>.*\s*$
#
# The standard Dropbear output doesn't provide enough information to
# ban all types of attack.  The Dropbear patch adds IP address
# information to the 'exit before auth' message which is always
# produced for any form of non-successful login. It is that message
# which this file matches.
#
# More information: http://bugs.debian.org/546913

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

_daemon = dropbear

failregex = ^%(__prefix_line)s[Ll]ogin attempt for nonexistent user ('.*' )?from <HOST>:\d+$
            ^%(__prefix_line)s[Bb]ad (PAM )?password attempt for .+ from <HOST>(:\d+)?$
            ^%(__prefix_line)s[Ee]xit before auth \(user '.+', \d+ fails\): Max auth tries reached - user '.+' from <HOST>:\d+\s*$

ignoreregex =

# DEV Notes:
#
# The first two regexs here match the unmodified dropbear messages. It isn't
# possible to match the source of the 'exit before auth' messages from dropbear
# as they don't include the "from <HOST>" bit.
#
# The second last failregex line we need to match with the modified dropbear.
#
# For the second regex the following apply:
#
# http://www.netmite.com/android/mydroid/external/dropbear/svr-authpam.c
# http://svn.dd-wrt.com/changeset/16642#file64

5) tables -L 명령을 사용하여 IP 테이블이 예상대로 작동하는지 확인합니다. 내 것과 비슷한 출력이 표시되어야 합니다(다른 규칙이 없다고 가정). rpi-update를 사용하여 커널을 업데이트해야 합니다.

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
fail2ban-dropbear  tcp  --  anywhere             anywhere            
fail2ban-ssh  tcp  --  anywhere             anywhere            

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain fail2ban-dropbear (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain fail2ban-ssh (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere

관련 정보