Hello,

I have Debian 6.0.5 "squeeze" on a Seagate Freeagent Dockstar.
fail2ban is installed and starts normally, but writes nothing to
/var/log/fail2ban.log.

_______________________________________________
An SSH jail is enabled:

*root@debian:~# fail2ban-client -d*

WARNING 'findtime' not defined in 'ssh'. Using default value
['set', 'loglevel', 3]
['set', 'logtarget', '/var/log/fail2ban.log']
['add', 'ssh', 'polling']
['set', 'ssh', 'addlogpath', '/var/log/auth.log']
...
['set', 'ssh', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+
)?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*Failed
(?:password|publickey) for .* from <HOST>(?: port \\d*)?(?: ssh\\d*)?$']
...
['set', 'ssh', 'addaction', 'iptables-multiport']
['set', 'ssh', 'actionban', 'iptables-multiport', 'iptables -I
fail2ban-<name> 1 -s <ip> -j DROP']
...
['set', 'ssh', 'setcinfo', 'iptables-multiport', 'name', 'ssh']
['set', 'ssh', 'setcinfo', 'iptables-multiport', 'port', 'ssh']
['start', 'ssh']

________________________________________________

The log entries read from /var/log/auth.log are parsed correctly:

*root@debian:~# fail2ban-regex /var/log/auth.log
/etc/fail2ban/filter.d/sshd.conf*

/usr/share/fail2ban/server/filter.py:442: DeprecationWarning: the md5
module is deprecated; use hashlib instead
  import md5
...2013-02-19 11:03:31,253 fail2ban.server : INFO   Changed logging target
to /var/log/fail2ban.log for Fail2ban v0.8.4-SVN
2013-02-19 11:03:31,274 fail2ban.jail   : INFO   Creating new jail 'ssh'
2013-02-19 11:03:31,275 fail2ban.jail   : INFO   Jail 'ssh' uses poller
2013-02-19 11:03:31,303 fail2ban.filter : INFO   Added logfile =
/var/log/auth.log
2013-02-19 11:03:31,309 fail2ban.filter : INFO   Set maxRetry = 6
2013-02-19 11:03:31,320 fail2ban.filter : INFO   Set findtime = 600
2013-02-19 11:03:31,325 fail2ban.actions: INFO   Set banTime = 600
2013-02-19 11:03:31,655 fail2ban.jail   : INFO   Jail 'ssh' started

Running tests
Use regex file : /etc/fail2ban/filter.d/sshd.conf
Use log file   : /var/log/auth.log
...
    118.192.2.50 (Tue Feb 19 05:28:49 2013)
    118.192.2.50 (Tue Feb 19 05:28:53 2013)
    118.192.2.50 (Tue Feb 19 05:28:58 2013)
...
*Success, the total number of match is 691*

_______________________________________________

Here is the content of /var/log/fail2ban.log when I restart:

2013-02-19 12:41:22,203 fail2ban.jail   : INFO   Jail 'ssh' stopped
2013-02-19 12:41:22,274 fail2ban.server : INFO   Exiting Fail2ban
2013-02-19 12:41:24,634 fail2ban.server : INFO   Changed logging target to
/var/log/fail2ban.log for Fail2ban v0.8.4-SVN
2013-02-19 12:41:24,640 fail2ban.jail   : INFO   Creating new jail 'ssh'
2013-02-19 12:41:24,641 fail2ban.jail   : INFO   Jail 'ssh' uses poller
2013-02-19 12:41:24,809 fail2ban.filter : INFO   Added logfile =
/var/log/auth.log
2013-02-19 12:41:24,816 fail2ban.filter : INFO   Set maxRetry = 6
2013-02-19 12:41:24,826 fail2ban.filter : INFO   Set findtime = 600
2013-02-19 12:41:24,831 fail2ban.actions: INFO   Set banTime = 600
2013-02-19 12:41:25,456 fail2ban.jail   : INFO   Jail 'ssh' started

________________________________________________

And yet the root login attempts over ssh are not recorded in it,
and are not blocked by fail2ban?
Where should I look? Thanks!
