web-dev-qa-db-fra.com

Que sont les entrées du journal iptables "renvoyé NNN" de fail2ban? (Fail2ban n'interdit pas)

Dans mon fail2ban.log il y a quelques entrées dont je ne comprends pas la signification (et que je n'ai pas trouvé autour de moi) ... J'ai plusieurs "prisons" et j'en ai créé une qui interdit les IP lorsque ils essaient de se connecter au serveur Web à la recherche de scripts, je suppose .... Voici quelques entrées d'une adresse IP donnée (désolé pour le long journal):

user@computer:/var/log$ cat Apache2/access.log.1 |grep 58.218.199.147
58.218.199.147 - - [27/Mar/2011:09:03:37 +0200] "GET http://www.mtajp.com/proxyheader.php HTTP/1.1" 404 438 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [27/Mar/2011:11:32:16 +0200] "GET http://ppcfinder.net/judge.php HTTP/1.1" 404 432 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [27/Mar/2011:11:34:57 +0200] "GET http://98.126.15.13/proxyheader.php HTTP/1.1" 404 438 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [27/Mar/2011:14:04:08 +0200] "GET http://58.218.199.147:7182/judge.php HTTP/1.1" 404 432 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [27/Mar/2011:19:02:37 +0200] "GET http://www.shopsline.com/proxyheader.php HTTP/1.1" 404 438 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [27/Mar/2011:21:33:17 +0200] "GET http://98.126.64.106/judge123.php HTTP/1.1" 404 435 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [28/Mar/2011:14:59:49 +0200] "GET http://www.racross.com/proxyheader.php HTTP/1.1" 404 438 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [28/Mar/2011:17:28:32 +0200] "GET http://98.126.64.106/judge123.php HTTP/1.1" 404 435 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [29/Mar/2011:00:58:17 +0200] "GET http://www.racross.com/proxyheader.php HTTP/1.1" 404 438 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [29/Mar/2011:05:00:53 +0200] "GET http://www.mtajp.com/proxyheader.php HTTP/1.1" 404 438 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [29/Mar/2011:09:57:48 +0200] "GET http://www.shopsline.com/proxyheader.php HTTP/1.1" 404 438 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [29/Mar/2011:12:40:06 +0200] "GET http://www.mtajp.com/proxyheader.php HTTP/1.1" 404 438 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [29/Mar/2011:15:01:01 +0200] "GET http://www.infodownload.info/proxyheader.php HTTP/1.1" 404 438 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.204.110 - - [29/Mar/2011:15:28:42 +0200] "GET http://58.218.199.147:7182/judge.php HTTP/1.1" 404 432 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [29/Mar/2011:20:01:14 +0200] "GET http://www.cjpjp.com/proxyheader.php HTTP/1.1" 404 438 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [29/Mar/2011:22:31:50 +0200] "GET http://www.travelimgusa.com/ip.php HTTP/1.1" 404 429 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [30/Mar/2011:01:00:05 +0200] "GET http://98.126.15.13/proxyheader.php HTTP/1.1" 404 438 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [30/Mar/2011:03:31:05 +0200] "GET http://www.infodownload.info/proxyheader.php HTTP/1.1" 404 438 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [30/Mar/2011:11:02:43 +0200] "GET http://piceducation.com/proxyheader.php HTTP/1.1" 404 438 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [30/Mar/2011:13:33:24 +0200] "GET http://ppcfinder.net/judge.php HTTP/1.1" 404 432 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [30/Mar/2011:16:01:04 +0200] "GET http://www.shopsline.com/proxyheader.php HTTP/1.1" 404 438 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [30/Mar/2011:21:04:31 +0200] "GET http://www.racross.com/proxyheader.php HTTP/1.1" 404 438 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [31/Mar/2011:04:35:55 +0200] "GET http://www.racross.com/proxyheader.php HTTP/1.1" 404 438 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [31/Mar/2011:12:03:43 +0200] "GET http://www.mtajp.com/proxyheader.php HTTP/1.1" 404 438 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [31/Mar/2011:14:34:40 +0200] "GET http://www.eduju.com/proxyheader.php HTTP/1.1" 404 438 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [31/Mar/2011:19:36:04 +0200] "GET http://58.218.204.110:7182/judge.php HTTP/1.1" 404 432 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [31/Mar/2011:22:05:48 +0200] "GET http://ppcfinder.net/judge.php HTTP/1.1" 404 432 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [01/Apr/2011:03:11:14 +0200] "GET http://58.218.199.147:7182/judge.php HTTP/1.1" 404 432 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [01/Apr/2011:09:52:09 +0200] "GET http://www.travelimgusa.com/ip.php HTTP/1.1" 404 429 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [01/Apr/2011:12:15:59 +0200] "GET http://www.racross.com/proxyheader.php HTTP/1.1" 404 438 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [01/Apr/2011:14:39:47 +0200] "GET http://piceducation.com/proxyheader.php HTTP/1.1" 404 438 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [01/Apr/2011:17:06:09 +0200] "GET http://www.shopsline.com/proxyheader.php HTTP/1.1" 404 438 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [01/Apr/2011:20:45:50 +0200] "GET http://www.cjpjp.com/proxyheader.php HTTP/1.1" 404 438 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [01/Apr/2011:23:11:21 +0200] "GET http://www.seektwo.com/proxy-1.php HTTP/1.1" 404 434 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [02/Apr/2011:01:37:16 +0200] "GET http://www.infodownload.info/proxyheader.php HTTP/1.1" 404 438 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [02/Apr/2011:10:25:15 +0200] "GET http://98.126.64.106/judge123.php HTTP/1.1" 404 435 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [02/Apr/2011:12:51:45 +0200] "GET http://58.218.204.110:7182/judge.php HTTP/1.1" 404 432 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [02/Apr/2011:15:18:07 +0200] "GET http://www.racross.com/proxyheader.php HTTP/1.1" 404 438 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [02/Apr/2011:17:43:43 +0200] "GET http://www.travelimgusa.com/ip.php HTTP/1.1" 404 429 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [02/Apr/2011:22:35:49 +0200] "GET http://www.infodownload.info/proxyheader.php HTTP/1.1" 404 438 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

Pour éviter cela, j'ai créé une prison personnalisée dans /etc/fail2ban/jail.local:

[Apache-404-slowattackers]
enabled = true
port = http,https
filter = Apache-404-slowattackers
logpath = /var/log/Apache*/*access.log
bantime = 344000
findtime = 172800
maxretry = 12

Et c'est/etc/fail2ban/filter.d/Apache-404-slowattackers.conf

[Definition]
failregex = (?P<Host>[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}) .+ 404 [0-9]+ "
ignoreregex =

(identique au filtre /etc/fail2ban/filter.d/Apache-404.conf par défaut)

Fail2ban interdit certaines adresses IP lorsqu'elles fonctionnent avec certains filtres, mais pas avec mon filtre personnalisé. Quelques lignes de /var/log/fail2ban.log:

2011-03-31 20:46:29,982 fail2ban.jail   : INFO   Jail 'Apache-404' started
[...]
2011-03-31 20:46:30,922 fail2ban.jail   : INFO   Jail 'courierauth' started
2011-03-31 20:46:31,026 fail2ban.jail   : INFO   Jail 'Apache-404-slowattackers' started
2011-03-31 20:46:31,038 fail2ban.actions.action: ERROR  iptables -N fail2ban-Apache-404-slowattackers
iptables -A fail2ban-Apache-404-slowattackers -j RETURN
iptables -I INPUT -p tcp -m multiport --dports http,https -j fail2ban-Apache-404-slowattackers returned 200
2011-04-01 21:39:16,558 fail2ban.actions: WARNING [Apache-404] Ban 211.75.185.152
2011-04-01 22:09:17,245 fail2ban.actions: WARNING [Apache-404] Unban 211.75.185.152
2011-04-02 15:18:08,544 fail2ban.actions: WARNING [Apache-404-slowattackers] Ban 58.218.199.147
2011-04-02 15:18:08,684 fail2ban.actions.action: ERROR  iptables -n -L INPUT | grep -q fail2ban-Apache-404-slowattackers returned 100
2011-04-02 15:18:08,685 fail2ban.actions.action: ERROR  Invariant check failed. Trying to restore a sane environment
2011-04-02 15:18:08,698 fail2ban.actions.action: ERROR  iptables -D INPUT -p tcp -m multiport --dports http,https -j fail2ban-Apache-404-slowattackers
iptables -F fail2ban-Apache-404-slowattackers
iptables -X fail2ban-Apache-404-slowattackers returned 200
2011-04-02 15:18:08,712 fail2ban.actions.action: ERROR  iptables -N fail2ban-Apache-404-slowattackers
iptables -A fail2ban-Apache-404-slowattackers -j RETURN
iptables -I INPUT -p tcp -m multiport --dports http,https -j fail2ban-Apache-404-slowattackers returned 200
2011-04-02 15:18:08,721 fail2ban.actions.action: ERROR  iptables -n -L INPUT | grep -q fail2ban-Apache-404-slowattackers returned 100
2011-04-02 15:18:08,722 fail2ban.actions.action: CRITICAL Unable to restore environment
2011-04-02 23:20:50,480 fail2ban.actions: WARNING [courierauth] Ban 84.225.81.193
2011-04-02 23:50:50,777 fail2ban.actions: WARNING [courierauth] Unban 84.225.81.193
2011-04-03 03:23:58,876 fail2ban.actions: WARNING [courierauth] Ban 74.143.34.38
2011-04-03 03:53:59,155 fail2ban.actions: WARNING [courierauth] Unban 74.143.34.38

Comme vous pouvez le constater, quelque chose échoue lorsque j'essaie d'interdire une attaque contre mon filtre personnalisé (de telles attaques sont donc détectées mais pas correctement interdites, je ne sais pas pourquoi).

Donc, mes questions seraient:

  • S'agit-il d'un problème de fail2ban ou de iptables?
  • Que signifient ces erreurs? ... et ... comment peuvent-elles être évitées?
  • Qu'est-ce que je fais mal ou comment pourrais-je corriger ce comportement?

EDIT:

Ceci est peut-être utile pour répondre à la question (ou pas), mais iptables -L ne montre aucune trace de mon Apache-404-slowattackers, alors que d'autres prisons sont présentes:

user@computer:~$ Sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
fail2ban-courierauth  tcp  --  anywhere             anywhere            multiport dports smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s 
fail2ban-Apache  tcp  --  anywhere             anywhere            multiport dports www,https 
fail2ban-sasl  tcp  --  anywhere             anywhere            multiport dports smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s 
fail2ban-postfix  tcp  --  anywhere             anywhere            multiport dports smtp,ssmtp 
fail2ban-ssh  tcp  --  anywhere             anywhere            multiport dports ssh 
fail2ban-couriersmtp  tcp  --  anywhere             anywhere            multiport dports smtp,ssmtp 
fail2ban-Apache-overflows  tcp  --  anywhere             anywhere            multiport dports www,https 
fail2ban-Apache-multiport  tcp  --  anywhere             anywhere            multiport dports www,https 
fail2ban-ssh-ddos  tcp  --  anywhere             anywhere            multiport dports ssh 
fail2ban-Apache-404  tcp  --  anywhere             anywhere            multiport dports www,https 
fail2ban-pam-generic  tcp  --  anywhere             anywhere            
fail2ban-Apache-noscript  tcp  --  anywhere             anywhere            multiport dports www,https 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain fail2ban-Apache (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain fail2ban-Apache-404 (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain fail2ban-Apache-multiport (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain fail2ban-Apache-noscript (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain fail2ban-Apache-overflows (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain fail2ban-courierauth (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain fail2ban-couriersmtp (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain fail2ban-pam-generic (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain fail2ban-postfix (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain fail2ban-sasl (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain fail2ban-ssh (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain fail2ban-ssh-ddos (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere

Cela donne-t-il un indice supplémentaire?

iptablesfail2ban
4
luri

Je pense avoir trouvé pourquoi il échouait, mais, comme une prime a été fixée, j'attendrai qu'elle se termine avant d'écrire la réponse, offrant ainsi à d'autres utilisateurs d'essayer de répondre à la question ... (@Moderators: Is ça va? Que devrais-je faire autrement?)

Modifier:

Comme personne n'a répondu, je vais noter ce que j'ai découvert. Il y avait deux problèmes avec ma configuration (une sur ma configuration et une sur fail2ban elle-même):

1.- Si j'essaye

Sudo iptables -N fail2ban-Apache-404-slowattackers

qui est la commande fail2ban questions, je reçois le message suivant:

iptables v1.4.4: chain name `fail2ban-Apache-404-slowattackers' too long (must be under 30 chars)

Si cela avait été connecté à fail2ban.log, j'aurais su ce qui n'allait pas (mais ce n'était pas enregistré). Donc, changer le nom de mon filtre personnalisé en un nom plus court (par exemple, Apache-404-slowatt) a fonctionné, car le nom de la chaîne iptable devient inférieur à 30 caractères.

2.- Il y a un script (apparemment) défectueux fail2ban qui apparemment "tourne trop vite", alors j'ai trouvé ne solution de contournement .

Quote: J'ai eu plusieurs ERREUR fail2ban.action.action au démarrage/redémarrage. Il semble qu'il y ait eu une condition de "race" avec iptables. J'ai résolu le problème complètement sur mon système en éditant /usr/bin/fail2ban-client et en ajoutant un time.sleep(0.1):

def __processCmd(self, cmd, showRet = True):
    beautifier = Beautifier()
    for c in cmd:
        time.sleep(0.1)
        beautifier.setInputCmd(c)
3
luri

Je n'utilise jamais fail2ban, mais cette page vous aidera peut-être:

http://oschgan.com/drupal/index.php?q=node/52

1
pepoluan