Re: [OpenIndiana-discuss] fail2ban for sshd
Oscar,

Thanks for the tip. I'd have to figure out how to do the "__prefix_line" substitution using fail2ban-regex. I tried your filter and it caught all the ones that were missed before. Now I know if things slip through that it's not the fault of the filter.

Gary

On 04/24/2014 11:43 AM, Oscar del Rio wrote:
> On 04/24/14 06:43 AM, Gary Gendel wrote:
>> Fail2ban seems to randomly miss ssh matches. I've been hacking at the filter but nothing I seem to do works. What regex are others using that works? The line that should catch the ones missed is:
>>
>> ^%(__prefix_line)s\[.*\] Failed (?:password|publickey|none|keyboard-interactive) for .* from \s*$
>
> Did you test the rules with the "fail2ban-regex" command?
>
> The following works fine for us:
>
> failregex = (?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from ( via \S+)?\s*$
>             (?:error: PAM: )?User not known to the underlying authentication module for .* from \s*$
>             Failed \S+ for .* from (?: port \d*)?(?: ssh\d*)?\s*$
>             ROOT LOGIN REFUSED.* FROM \s*$
>             [iI](?:llegal|nvalid) user .* from \s*$
>             Did not receive identification string from \s*$
>             User .+ from not allowed because not listed in AllowUsers\s*$
>             User .+ from not allowed because listed in DenyUsers\s*$
>             User .+ from not allowed because not in any group\s*$
>             refused connect from \S+ \(\)\s*$
>             User .+ from not allowed because a group is listed in DenyGroups\s*$
>             User .+ from not allowed because none of user's groups are listed in AllowGroups\s*$

___
OpenIndiana-discuss mailing list
OpenIndiana-discuss@openindiana.org
http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] fail2ban for sshd
On 04/24/14 06:43 AM, Gary Gendel wrote:
> Fail2ban seems to randomly miss ssh matches. I've been hacking at the filter but nothing I seem to do works. What regex are others using that works? The line that should catch the ones missed is:
>
> ^%(__prefix_line)s\[.*\] Failed (?:password|publickey|none|keyboard-interactive) for .* from \s*$

Did you test the rules with the "fail2ban-regex" command?

The following works fine for us:

failregex = (?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from ( via \S+)?\s*$
            (?:error: PAM: )?User not known to the underlying authentication module for .* from \s*$
            Failed \S+ for .* from (?: port \d*)?(?: ssh\d*)?\s*$
            ROOT LOGIN REFUSED.* FROM \s*$
            [iI](?:llegal|nvalid) user .* from \s*$
            Did not receive identification string from \s*$
            User .+ from not allowed because not listed in AllowUsers\s*$
            User .+ from not allowed because listed in DenyUsers\s*$
            User .+ from not allowed because not in any group\s*$
            refused connect from \S+ \(\)\s*$
            User .+ from not allowed because a group is listed in DenyGroups\s*$
            User .+ from not allowed because none of user's groups are listed in AllowGroups\s*$
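An added example (my own code, not from this thread and not from fail2ban) that runs the two failregex sets from this exchange over the log lines Gary posted further down the page, the way fail2ban-regex would, so the difference between them is visible. Three assumptions: the patterns are written as plain Python `re` with a named `host` group in the position where a fail2ban filter carries its `<HOST>` tag (the archived copies of the filters show nothing there); `__prefix_line` is replaced by a hand-written prefix for the syslog format in the posted log; and the username field after "Failed password for", blank in the archived post, is filled in on the sample lines.

```python
import re
from collections import Counter

# Constructed sample input: a subset of the SunSSH/syslog lines from
# Gary's post. One liberty: the username field after "Failed password for"
# is filled in here (the archived copy of the post shows it blank).
SAMPLE_LOG = """\
Apr 23 02:10:07 phoenix sshd[24164]: [ID 800047 auth.info] Failed password for nobody from 94.23.167.219 port 47526 ssh2
Apr 23 02:10:07 phoenix last message repeated 1 time
Apr 23 02:10:07 phoenix sshd[24164]: [ID 800047 auth.info] Connection closed by 94.23.167.219
Apr 23 02:10:10 phoenix sshd[24168]: [ID 800047 auth.info] Illegal user teamspeak from 94.23.167.219
Apr 23 02:10:10 phoenix sshd[24168]: [ID 800047 auth.info] input_userauth_request: illegal user teamspeak
Apr 23 02:10:10 phoenix sshd[24168]: [ID 800047 auth.info] Failed password for teamspeak from 94.23.167.219 port 56338 ssh2
Apr 23 02:10:13 phoenix sshd[24176]: [ID 800047 auth.info] Illegal user git from 94.23.167.219
Apr 23 02:10:13 phoenix sshd[24176]: [ID 800047 auth.info] Failed password for git from 94.23.167.219 port 49509 ssh2
Apr 23 02:10:38 phoenix sshd[24212]: [ID 800047 auth.info] User root not allowed because not listed in AllowUsers
"""

# Assumption: stands in for fail2ban's %(__prefix_line)s on this syslog
# format (timestamp, hostname, "sshd[pid]:"); Gary's pattern then adds
# "\[.*\]" for the "[ID nnn auth.info]" tag that Solaris syslog inserts.
PREFIX = r"^\S{3}\s+\d{1,2} \d\d:\d\d:\d\d \S+ sshd\[\d+\]: "

# Assumption: a named group in the position of fail2ban's <HOST> tag.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Gary's failregex: after the host, only whitespace may follow.
GARY = [
    re.compile(PREFIX + r"\[.*\] Failed (?:password|publickey|none|keyboard-interactive)"
               r" for .* from " + HOST + r"\s*$"),
]

# The relevant subset of Oscar's failregex list, applied with re.search
# the way fail2ban applies a failregex; the first one tolerates the
# trailing " port N ssh2" that SunSSH appends after the address.
OSCAR = [
    re.compile(r"Failed \S+ for .* from " + HOST + r"(?: port \d*)?(?: ssh\d*)?\s*$"),
    re.compile(r"[iI](?:llegal|nvalid) user .* from " + HOST + r"\s*$"),
    re.compile(r"User .+ from " + HOST + r" not allowed because not listed in AllowUsers\s*$"),
]


def match_hosts(patterns, log):
    """Return (hits, misses): the host captured from each matching line, and
    the lines no pattern matched (what fail2ban-regex reports as missed)."""
    hits, misses = [], []
    for line in log.splitlines():
        for pat in patterns:
            m = pat.search(line)
            if m:
                hits.append(m.group("host"))
                break
        else:
            misses.append(line)
    return hits, misses


def ban_decisions(patterns, log, maxretry=3):
    """Count matched failures per source the way a jail would (findtime is
    ignored here) and return the hosts that reach maxretry."""
    hits, _ = match_hosts(patterns, log)
    return {host for host, n in Counter(hits).items() if n >= maxretry}


if __name__ == "__main__":
    for name, pats in (("gary", GARY), ("oscar", OSCAR)):
        hits, misses = match_hosts(pats, SAMPLE_LOG)
        print(f"{name}: {len(hits)} matched, {len(misses)} missed, "
              f"would ban {sorted(ban_decisions(pats, SAMPLE_LOG))}")
        for line in misses:
            print("   missed:", line)
```

Two things the output shows that the filter text alone does not: Gary's pattern cannot match any "Failed password" line in this log, because it requires the address to end the line while SunSSH appends " port N ssh2"; and Oscar's set still leaves real gaps on this sshd, namely the "last message repeated N time" lines that syslog collapses (a failure that is never counted) and the AllowUsers line, which here carries no "from <host>" at all. Running `fail2ban-regex` against the log file with the filter file as its second argument is the quickest way to get the same missed-line list with the real `__prefix_line` resolved.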
Re: [OpenIndiana-discuss] [oi-dev] Hipster and custom illumos-gate
Sorry for the noise, I forgot to un-sticky the original hipster publisher:

pkg -R /a set-publisher --non-sticky openindiana.org

Just in case I've also redefined my (file-based) on-nightly repo as preferred (-P -g) and now the update went fast and onto my own gate build :)

Thanks for the suggestions though, versions were probably pretty important too ;)

//Jim

----- Original message -----
From: Alexander Pyhalov
Date: Thursday, April 24, 2014 17:09
Subject: Re: [OpenIndiana-discuss] [oi-dev] Hipster and custom illumos-gate
Cc: OpenIndiana Developer mailing list, Discussion list for OpenIndiana

> On 04/24/2014 18:53, Jim Klimov wrote:
> > So... based on this suggestion, the hipster illumos-gate makefile, and some earlier list posts, I came up with this change to my illumos.sh script:
> >
> > # To enable upgrades over `pkg info osnet-incorporation | grep Branch:`
> > # Branch: 0.151.1
> > #export ONNV_BUILDNUM=152
> > #export ONNV_BUILDNUM=151.1.100
> > # http://openindiana.org/pipermail/userland-team/2013-August/000261.html
> > # http://comments.gmane.org/gmane.os.openindiana.devel/2906
> > export PKGVERS_BRANCH=3014.0.4.24
> > export BRANCHID=3014.0.4.24
> >
> > Some 47 minutes later I've got an incrementally-rebuilt repository which cheerfully includes packages like
> >
> > SUNWcs 0.5.11-3014.0.4.24:20140424T130517Z
> >
> > However, a "pkg -R /a update" still insists on downloading new hipster patches with the 0.5.11-2014.0.1.14459:20140423T191935Z versions from the internet, rather than quickly installing the newer and higher-versioned local equivalents. This happens also if I use "-g" to specify a repo explicitly, and when I use a file-based repo instead of its http service.
> >
> > I guess nowadays IPS tries to update same-named packages using the same repo they were installed from specifically to avoid conflicts like these? How should I go about overriding that reasonable failsafe mechanism? ;)
>
> I think you should do something like
>
> pkg set-publisher --non-sticky openindiana.org
>
> and perhaps move your publisher higher in the publisher list (pkg set-publisher --search-after ...)
>
> --
> Best regards,
> Alexander Pyhalov,
> system administrator of Computer Center of Southern Federal University

--
Климов Евгений, Jim Klimov
Technical Director / CTO
ЗАО "ЦОС и ВТ" / JSC COS&HT
+7-903-7705859 (cellular)  mailto:jimkli...@cos.ru
CC: ad...@cos.ru, jimkli...@gmail.com
() ascii ribbon campaign - against html mail
/\ - against microsoft attachments
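An added example, my own code and not part of this thread or of pkg(5), that models why the update kept choosing the hipster package even after the local branch number was raised. It orders IPS versions as the numbers in the thread order (release, then branch, then timestamp, each dotted field compared as integers; the comparison is a simplification of pkg's version handling and ignores the optional build_release field) and then applies the publisher rules: a sticky origin pins a package to the publisher it came from regardless of version, `--non-sticky` lets any publisher's higher version win, and search order only breaks ties. The installed version in the scenario is constructed; the candidate versions are the ones Jim quoted.

```python
import re
from dataclasses import dataclass

# IPS version as it appears in the thread: release[-branch][:timestamp].
# Assumption: a simplified parser (the optional ",build_release" field is
# ignored) that orders by release, then branch, then timestamp, each
# dotted field compared as a sequence of integers, not as text.
VERSION_RE = re.compile(r"^(?P<release>[\d.]+)(?:-(?P<branch>[\d.]+))?(?::(?P<ts>\w+))?$")


def version_key(version):
    """Sort key for an IPS version string."""
    m = VERSION_RE.match(version)
    if not m:
        raise ValueError(f"not an IPS version: {version!r}")

    def dotted(field):
        return tuple(int(p) for p in field.split(".")) if field else ()

    return (dotted(m.group("release")), dotted(m.group("branch")), m.group("ts") or "")


@dataclass(frozen=True)
class Candidate:
    publisher: str
    version: str


def select_update(installed, candidates, search_order, sticky):
    """Model pkg update's choice for one package.

    installed    : Candidate currently installed; its publisher is the origin
    candidates   : Candidates offered by every configured publisher
    search_order : publisher names, most preferred first
    sticky       : publishers configured sticky (the default)
    Returns the Candidate that would be installed, or None.
    """
    origin = installed.publisher
    # A sticky origin pins the package to that publisher: other publishers'
    # copies are never considered, whatever their version.
    pool = [c for c in candidates if origin not in sticky or c.publisher == origin]
    newer = [c for c in pool if version_key(c.version) > version_key(installed.version)]
    if not newer:
        return None
    # Highest version wins; search order only breaks ties between publishers.
    newer.sort(key=lambda c: (version_key(c.version), -search_order.index(c.publisher)),
               reverse=True)
    return newer[0]


def jims_update(origin_sticky):
    """The situation in the thread: hipster's SUNWcs installed, a local
    on-nightly repo offering the rebuilt package. The installed version
    is constructed; the candidate versions are the ones Jim quoted."""
    installed = Candidate("openindiana.org", "0.5.11-2014.0.1.14300")
    candidates = [
        Candidate("openindiana.org", "0.5.11-2014.0.1.14459:20140423T191935Z"),
        Candidate("on-nightly", "0.5.11-0.151.1.100"),                        # first attempt
        Candidate("on-nightly", "0.5.11-3014.0.4.24:20140424T130517Z"),       # bumped BRANCHID
    ]
    search_order = ["on-nightly", "openindiana.org"]  # after set-publisher -P
    sticky = {"openindiana.org"} if origin_sticky else set()
    return select_update(installed, candidates, search_order, sticky)


if __name__ == "__main__":
    print("sticky origin    :", jims_update(True))
    print("non-sticky origin:", jims_update(False))
```

The first attempt (branch 0.151.1.100) loses on version alone, which is what Alexander's PKGVERS_BRANCH advice fixes; the second (3014.0.4.24) wins on version but is still never considered while openindiana.org is sticky, which is what `--non-sticky` fixes. The caveat is the reverse side of the same rule: once the origin is non-sticky, any configured publisher that offers a higher-versioned package of the same name can replace it on the next update, so it is worth re-running `pkg set-publisher --sticky openindiana.org` when the private gate repository is no longer in use.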
Re: [OpenIndiana-discuss] [oi-dev] Hipster and custom illumos-gate
On 04/24/2014 18:53, Jim Klimov wrote:
> So... based on this suggestion, the hipster illumos-gate makefile, and some earlier list posts, I came up with this change to my illumos.sh script:
>
> # To enable upgrades over `pkg info osnet-incorporation | grep Branch:`
> # Branch: 0.151.1
> #export ONNV_BUILDNUM=152
> #export ONNV_BUILDNUM=151.1.100
> # http://openindiana.org/pipermail/userland-team/2013-August/000261.html
> # http://comments.gmane.org/gmane.os.openindiana.devel/2906
> export PKGVERS_BRANCH=3014.0.4.24
> export BRANCHID=3014.0.4.24
>
> Some 47 minutes later I've got an incrementally-rebuilt repository which cheerfully includes packages like
>
> SUNWcs 0.5.11-3014.0.4.24:20140424T130517Z
>
> However, a "pkg -R /a update" still insists on downloading new hipster patches with the 0.5.11-2014.0.1.14459:20140423T191935Z versions from the internet, rather than quickly installing the newer and higher-versioned local equivalents. This happens also if I use "-g" to specify a repo explicitly, and when I use a file-based repo instead of its http service.
>
> I guess nowadays IPS tries to update same-named packages using the same repo they were installed from specifically to avoid conflicts like these? How should I go about overriding that reasonable failsafe mechanism? ;)

I think you should do something like

pkg set-publisher --non-sticky openindiana.org

and perhaps move your publisher higher in the publisher list (pkg set-publisher --search-after ...)

--
Best regards,
Alexander Pyhalov,
system administrator of Computer Center of Southern Federal University
Re: [OpenIndiana-discuss] fail2ban for sshd
Hello Gary,

I don't have an answer on your fail2ban issue, but if you aren't able to resolve it, I am doing exceedingly well with a product called "DenyHosts".

http://denyhosts.sourceforge.net/

Jerry Kemp

On 04/24/14 05:43 AM, Gary Gendel wrote:
> Fail2ban seems to randomly miss ssh matches. I've been hacking at the filter but nothing I seem to do works. What regex are others using that works? The line that should catch the ones missed is:
>
> ^%(__prefix_line)s\[.*\] Failed (?:password|publickey|none|keyboard-interactive) for .* from \s*$
>
> But it missed the following sequence:
Re: [OpenIndiana-discuss] [oi-dev] Hipster and custom illumos-gate
So... based on this suggestion, the hipster illumos-gate makefile, and some earlier list posts, I came up with this change to my illumos.sh script:

# To enable upgrades over `pkg info osnet-incorporation | grep Branch:`
# Branch: 0.151.1
#export ONNV_BUILDNUM=152
#export ONNV_BUILDNUM=151.1.100
# http://openindiana.org/pipermail/userland-team/2013-August/000261.html
# http://comments.gmane.org/gmane.os.openindiana.devel/2906
export PKGVERS_BRANCH=3014.0.4.24
export BRANCHID=3014.0.4.24

Some 47 minutes later I've got an incrementally-rebuilt repository which cheerfully includes packages like

SUNWcs 0.5.11-3014.0.4.24:20140424T130517Z

However, a "pkg -R /a update" still insists on downloading new hipster patches with the 0.5.11-2014.0.1.14459:20140423T191935Z versions from the internet, rather than quickly installing the newer and higher-versioned local equivalents. This happens also if I use "-g" to specify a repo explicitly, and when I use a file-based repo instead of its http service.

I guess nowadays IPS tries to update same-named packages using the same repo they were installed from specifically to avoid conflicts like these? How should I go about overriding that reasonable failsafe mechanism? ;)

Thanks,
//Jim

----- Original message -----
From: Alexander Pyhalov
Date: Thursday, April 24, 2014 13:39
Subject: Re: [oi-dev] Hipster and custom illumos-gate
To: OpenIndiana Developer mailing list
Cc: Jim Klimov, Discussion list for OpenIndiana

> Hi, Jim.
>
> On 04/24/2014 02:45, Jim Klimov wrote:
> > After completing a build I am suddenly stuck trying to install the newer illumos-gate packages into a new BE: their versioning (0.151.1.100 per my arbitrarily big choice) is less than Hipster's (2014.*, without even a leading zero which is auto-prepended to the values I provide in illumos.sh)... Should I have to somehow enforce larger 2014.* version numbers, or is there a way (onu?) to override existing packages and force installation of their "namesakes" from the on-nightly repository regardless of the version numbers?
>
> I think you should set PKGVERS_BRANCH to something greater than 2014.0.N.N (e.g. 2014.1.0.0).
>
> > Also, leaping a bit ahead: would/should KVM work in Hipster out of the box, including the case when Hipster itself is virtualized by a hypervisor, or would I need to compile some other patches into my illumos-gate? Specifically, I am interested in software emulation for the VM anyway (ARM Linux via QEMU)?.. And also, did anyone try (and succeed) to set up cross-compilation of Linux ARM programs running the process under illumos/OI/Hipster, whether in native illumos zones or in lx-branded ones, or should I look forward to necessarily running a Linux VM as well for that task?
>
> I tested the following patch from David:
> http://www.ulx.cc/assets/source/104_interdiff.diff
> It worked for me, but if I understand correctly it's just a restoration of Sun lx/lx26 work. I think you could easily use components/illumos/illumos-gate component from oi-userland, but you have to apply necessary patches by hand. I'm going to add patching support (I mean usual oi-userland prep mechanism) for this component in near future. If you are going to use illumos-gate component, you'd better bump BRANCHID so that your packages would be preferred.
>
> --
> Best regards,
> Alexander Pyhalov,
> system administrator of Computer Center of Southern Federal University

--
Климов Евгений, Jim Klimov
Technical Director / CTO
ЗАО "ЦОС и ВТ" / JSC COS&HT
+7-903-7705859 (cellular)  mailto:jimkli...@cos.ru
CC: ad...@cos.ru, jimkli...@gmail.com
() ascii ribbon campaign - against html mail
/\ - against microsoft attachments
Re: [OpenIndiana-discuss] fail2ban for sshd
On Thu, Apr 24, 2014 at 5:43 AM, Gary Gendel wrote:
> Fail2ban seems to randomly miss ssh matches. I've been hacking at the filter but nothing I seem to do works. What regex are others using that works? The line that should catch the ones missed is:
>

A much easier way to manage this is to never run sshd on port 22 when exposing it to the Internet. Pick any nonstandard port and these drive-by scans pretty much go away.

-Chip
Re: [OpenIndiana-discuss] yahoo DMARC policy problem
Hello all,

Posting this on behalf of Reg, since he couldn't get his message to the OI lists anymore.

http://comments.gmane.org/gmane.os.illumos.general/2478

I myself am not sure what else may be done beside the changes that apparently already took place, at least in some of the lists. Since this problem is related to SPF setup, I guess the related SRS technologies that were made to enable re-sending of SPF-protected mail should be applicable... somehow...

//Jim

----- Original message -----
From: Reginald Beardsley
Date: Thursday, April 24, 2014 2:01
Subject: yahoo DMARC policy problem
To: Jim Klimov

> Jim,
>
> Would you please bring up the issue on the OI mailing list. The Illumos lists have solved it by rewriting the From: line. If I post, it will trigger my being banned because of the bounces :-( I still want to read even if I can't reply. I tried emailing listadm...@openindiana.org, but have not received a response.
>
> There's lots of information about the issue and ways to address it on line. Every mailing list with yahoo mail users is affected. I'm sure others will be affected eventually. Let me know if you need more from me.
>
> Thanks,
> Reg

--
yahoo DMARC policy problem
Reginald Beardsley, lists.illumos.org, 2014-04-22 18:32:09 GMT

Deirdré,

Just in case you're not aware of it, yahoo has instituted a policy that makes it impossible for people using yahoo mail to participate in the illumos & openindiana mailing lists. I sent an email to the OI list admins about this, but have not received a response. From what I've read, some pretty simple changes to the mailing list configuration will resolve the problem. I recently set up a system for doing work on Illumos/OI but this leaves me in a "read only" mode which will make it impossible to contribute anything. I'd be grateful if you would raise the subject on the mailing lists.

It seems probable that other services will follow suit, so I don't think changing my email will solve the problem for long.

Thanks,
Reg
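An added example, my own code rather than anything from this thread or from Mailman, that models the DMARC evaluation a receiving server performs on a post from a yahoo.com author, for the delivery paths the messages above mention: direct, through the list as it stands, through the list with the envelope sender rewritten (what the list's own bounce address, or SRS on a forwarder, does), and through the list with the From: line rewritten to the list's domain, the change Reg says the illumos lists made. The author domain, list domain and p=reject policy in the scenario are assumptions; the organizational-domain rule is simplified to the last two labels.

```python
from dataclasses import dataclass


def org_domain(domain):
    """Organizational domain, simplified to the last two labels (a real
    evaluator consults the Public Suffix List); enough for .com/.org here."""
    return ".".join(domain.lower().split(".")[-2:])


@dataclass(frozen=True)
class Message:
    from_domain: str      # RFC 5322 From: domain, the one DMARC protects
    envelope_from: str    # RFC 5321 MAIL FROM domain, the one SPF checks
    spf_pass: bool        # does the delivering host pass SPF for envelope_from
    dkim_domains: tuple   # d= of the DKIM signatures that still verify


def dmarc_result(msg, policy):
    """DMARC with relaxed alignment (the default): pass if SPF passes for a
    domain aligned with From:, or a verifying DKIM signature is aligned.
    Returns ("pass", "none") or ("fail", policy), policy being the p=
    value the From: domain publishes ("none", "quarantine", "reject")."""
    want = org_domain(msg.from_domain)
    spf_aligned = msg.spf_pass and org_domain(msg.envelope_from) == want
    dkim_aligned = any(org_domain(d) == want for d in msg.dkim_domains)
    return ("pass", "none") if (spf_aligned or dkim_aligned) else ("fail", policy)


def relay_through_list(original, list_domain, rewrite_envelope=True,
                       rewrite_from=False):
    """What a Mailman-style list does to a post: the subject tag and footer
    break the author's DKIM signature; the list sends from its own bounce
    address (rewrite_envelope; SRS on a forwarder has the same effect on
    SPF) and signs with its own key; optionally it rewrites From: to its
    own domain, which is the change the illumos lists made."""
    return Message(
        from_domain=list_domain if rewrite_from else original.from_domain,
        envelope_from=list_domain if rewrite_envelope else original.envelope_from,
        spf_pass=rewrite_envelope,  # the list host is not in the author's SPF
        dkim_domains=(list_domain,),
    )


def scenarios(policy="reject"):
    """Constructed: a yahoo.com author posting to openindiana.org, evaluated
    at a subscriber's receiving server for each delivery path."""
    author = Message("yahoo.com", "yahoo.com", True, ("yahoo.com",))
    lst = "openindiana.org"
    return {
        "direct": dmarc_result(author, policy),
        "via_list": dmarc_result(relay_through_list(author, lst), policy),
        "via_list_envelope_kept": dmarc_result(
            relay_through_list(author, lst, rewrite_envelope=False), policy),
        "via_list_from_rewritten": dmarc_result(
            relay_through_list(author, lst, rewrite_from=True), policy),
    }


if __name__ == "__main__":
    for path, (result, action) in scenarios().items():
        print(f"{path:24s} dmarc={result:4s} receiver action={action}")
```

The point the model makes about SRS: rewriting the envelope sender repairs the SPF check itself, but the passing domain is then the list's, not the author's, so it is not aligned and DMARC still fails under p=reject; the resulting bounces are what get a subscriber unsubscribed. Only an aligned identifier makes the post pass, which in practice means rewriting From: to the list domain (and signing with the list's DKIM key) or leaving the message untouched so the author's own DKIM signature survives.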
[OpenIndiana-discuss] fail2ban for sshd
Fail2ban seems to randomly miss ssh matches. I've been hacking at the filter but nothing I seem to do works. What regex are others using that works? The line that should catch the ones missed is:

^%(__prefix_line)s\[.*\] Failed (?:password|publickey|none|keyboard-interactive) for .* from \s*$

But it missed the following sequence:

Apr 23 02:10:07 phoenix sshd[24164]: [ID 800047 auth.info] Failed password for from 94.23.167.219 port 47526 ssh2
Apr 23 02:10:07 phoenix last message repeated 1 time
Apr 23 02:10:07 phoenix sshd[24164]: [ID 800047 auth.info] Connection closed by 94.23.167.219
Apr 23 02:10:10 phoenix sshd[24168]: [ID 800047 auth.info] Illegal user teamspeak from 94.23.167.219
Apr 23 02:10:10 phoenix sshd[24168]: [ID 800047 auth.info] input_userauth_request: illegal user teamspeak
Apr 23 02:10:10 phoenix sshd[24168]: [ID 800047 auth.info] Failed password for from 94.23.167.219 port 56338 ssh2
Apr 23 02:10:11 phoenix sshd[24168]: [ID 800047 auth.info] Connection closed by 94.23.167.219
Apr 23 02:10:13 phoenix sshd[24176]: [ID 800047 auth.info] Illegal user git from 94.23.167.219
Apr 23 02:10:13 phoenix sshd[24176]: [ID 800047 auth.info] input_userauth_request: illegal user git
Apr 23 02:10:13 phoenix sshd[24176]: [ID 800047 auth.info] Failed password for from 94.23.167.219 port 49509 ssh2
Apr 23 02:10:13 phoenix sshd[24176]: [ID 800047 auth.info] Connection closed by 94.23.167.219
Apr 23 02:10:16 phoenix sshd[24180]: [ID 800047 auth.info] Illegal user openvpn from 94.23.167.219
Apr 23 02:10:16 phoenix sshd[24180]: [ID 800047 auth.info] input_userauth_request: illegal user openvpn
Apr 23 02:10:16 phoenix sshd[24180]: [ID 800047 auth.info] Failed password for from 94.23.167.219 port 40390 ssh2
Apr 23 02:10:16 phoenix sshd[24180]: [ID 800047 auth.info] Connection closed by 94.23.167.219
Apr 23 02:10:19 phoenix sshd[24184]: [ID 800047 auth.info] Illegal user scan from 94.23.167.219
Apr 23 02:10:19 phoenix sshd[24184]: [ID 800047 auth.info] input_userauth_request: illegal user scan
Apr 23 02:10:19 phoenix sshd[24184]: [ID 800047 auth.info] Failed password for from 94.23.167.219 port 52773 ssh2
Apr 23 02:10:19 phoenix sshd[24184]: [ID 800047 auth.info] Connection closed by 94.23.167.219
Apr 23 02:10:22 phoenix sshd[24188]: [ID 800047 auth.info] Illegal user user1 from 94.23.167.219
Apr 23 02:10:22 phoenix sshd[24188]: [ID 800047 auth.info] input_userauth_request: illegal user user1
Apr 23 02:10:22 phoenix sshd[24188]: [ID 800047 auth.info] Failed password for from 94.23.167.219 port 51324 ssh2
Apr 23 02:10:22 phoenix sshd[24188]: [ID 800047 auth.info] Connection closed by 94.23.167.219
Apr 23 02:10:24 phoenix sshd[24192]: [ID 800047 auth.info] Illegal user dave from 94.23.167.219
Apr 23 02:10:24 phoenix sshd[24192]: [ID 800047 auth.info] input_userauth_request: illegal user dave
Apr 23 02:10:24 phoenix sshd[24192]: [ID 800047 auth.info] Failed password for from 94.23.167.219 port 49466 ssh2
Apr 23 02:10:25 phoenix sshd[24192]: [ID 800047 auth.info] Connection closed by 94.23.167.219
Apr 23 02:10:27 phoenix sshd[24196]: [ID 800047 auth.info] Illegal user redmine from 94.23.167.219
Apr 23 02:10:27 phoenix sshd[24196]: [ID 800047 auth.info] input_userauth_request: illegal user redmine
Apr 23 02:10:27 phoenix sshd[24196]: [ID 800047 auth.info] Failed password for from 94.23.167.219 port 51089 ssh2
Apr 23 02:10:27 phoenix sshd[24196]: [ID 800047 auth.info] Connection closed by 94.23.167.219
Apr 23 02:10:30 phoenix sshd[24200]: [ID 800047 auth.info] Illegal user test3 from 94.23.167.219
Apr 23 02:10:30 phoenix sshd[24200]: [ID 800047 auth.info] input_userauth_request: illegal user test3
Apr 23 02:10:30 phoenix sshd[24200]: [ID 800047 auth.info] Failed password for from 94.23.167.219 port 43856 ssh2
Apr 23 02:10:30 phoenix sshd[24200]: [ID 800047 auth.info] Connection closed by 94.23.167.219
Apr 23 02:10:33 phoenix sshd[24204]: [ID 800047 auth.info] Illegal user admin from 94.23.167.219
Apr 23 02:10:33 phoenix sshd[24204]: [ID 800047 auth.info] input_userauth_request: illegal user admin
Apr 23 02:10:33 phoenix sshd[24204]: [ID 800047 auth.info] Failed password for from 94.23.167.219 port 43481 ssh2
Apr 23 02:10:33 phoenix sshd[24204]: [ID 800047 auth.info] Connection closed by 94.23.167.219
Apr 23 02:10:36 phoenix sshd[24208]: [ID 800047 auth.info] Illegal user admin1 from 94.23.167.219
Apr 23 02:10:36 phoenix sshd[24208]: [ID 800047 auth.info] input_userauth_request: illegal user admin1
Apr 23 02:10:36 phoenix sshd[24208]: [ID 800047 auth.info] Failed password for from 94.23.167.219 port 39561 ssh2
Apr 23 02:10:36 phoenix sshd[24208]: [ID 800047 auth.info] Connection closed by 94.23.167.219
Apr 23 02:10:38 phoenix sshd[24212]: [ID 800047 auth.info] User root not allowed because not listed in AllowUsers
Apr 23 02:10:38 phoenix sshd[24212]: [ID 800047 auth.info] input_userauth_request: illegal user root
Apr 23 02:10:38 phoenix sshd[24212]: [ID 8000
Re: [OpenIndiana-discuss] [oi-dev] Hipster and custom illumos-gate
Hi, Jim.

On 04/24/2014 02:45, Jim Klimov wrote:
> After completing a build I am suddenly stuck trying to install the newer illumos-gate packages into a new BE: their versioning (0.151.1.100 per my arbitrarily big choice) is less than Hipster's (2014.*, without even a leading zero which is auto-prepended to the values I provide in illumos.sh)... Should I have to somehow enforce larger 2014.* version numbers, or is there a way (onu?) to override existing packages and force installation of their "namesakes" from the on-nightly repository regardless of the version numbers?

I think you should set PKGVERS_BRANCH to something greater than 2014.0.N.N (e.g. 2014.1.0.0).

> Also, leaping a bit ahead: would/should KVM work in Hipster out of the box, including the case when Hipster itself is virtualized by a hypervisor, or would I need to compile some other patches into my illumos-gate? Specifically, I am interested in software emulation for the VM anyway (ARM Linux via QEMU)?.. And also, did anyone try (and succeed) to set up cross-compilation of Linux ARM programs running the process under illumos/OI/Hipster, whether in native illumos zones or in lx-branded ones, or should I look forward to necessarily running a Linux VM as well for that task?

I tested the following patch from David:
http://www.ulx.cc/assets/source/104_interdiff.diff
It worked for me, but if I understand correctly it's just a restoration of Sun lx/lx26 work. I think you could easily use components/illumos/illumos-gate component from oi-userland, but you have to apply necessary patches by hand. I'm going to add patching support (I mean usual oi-userland prep mechanism) for this component in near future. If you are going to use illumos-gate component, you'd better bump BRANCHID so that your packages would be preferred.

--
Best regards,
Alexander Pyhalov,
system administrator of Computer Center of Southern Federal University