FHEM-Hacker mit fail2ban blocken

Begonnen von JensS, 18 Februar 2018, 14:41:05

Vorheriges Thema - Nächstes Thema

Frank_Huber

Hier:
https://forum.fhem.de/index.php/topic,92423

- protokollieren der fehlgeschlagenen Logins: es wird nicht mehr im allowed Instanz sondern uebergreifend protolliert. Bei zwei allowed Instanzen fuer das gleiche FHEMWEB sagt einer immer nein, und das wurde bisher protokolliert, ab jetzt nur dann, falls keiner OK sagt.

Gesendet von meinem Doogee S60 mit Tapatalk


pillepalle12

Hallo zusammen,
funktioniert bei Euch das fail2ban Script noch?
Ich habe seit dem neuen allowed wieder diverse Anmeldeversuche von dubiosen IPs, die normalerweise immer nach 2 falsch -Versuchen blockiert wurden.

LG

Wernieman

Ein Optimierungsvorschlag:
Setze Dir loieber ein HTTP-Proxy (nginx oder apache) mit Authentifizierung davor. Dann klappt es auch wieder mit fail2ban und hat eine erhöhte Sicherheit ...
- Bitte um Input für Output
- When there is a Shell, there is a Way
- Wann war Dein letztes Backup?

Wie man Fragen stellt: https://tty1.net/smart-questions_de.html

CBSnake

FHEM auf Debian 10, HM-Wlan, JeeLink-Wlan, Wlanduino, ConBee, TP-Link Steckdose, GHoma Steckdosen, Shelly Steckdosen


Tom111

Wie kriege ich es am besten hin dass fail2ban am ersten jeden Monats neu startet?
FHEM 5.9 auf Raspberry Pi - 3B+ - Stretch-5.10.88+ | CUL868 CC1101 - USB - Lite module - V3 FW 1.67
Fritz!Box 7490 OS 07.29 / Fritz!Dect200 / Fritz!Powerline 546E
FS20ST-4/ FS20 DI-5/ FS20LS/ FS20 PIRI-2-KU/ FS20 TFK/ FS20S4A/FS20 SU-3/FS20 S20-3
HMS100TF/FHT80TF-2/ASH2200/S300TH/MiLight-Bridge V

vbs

Machst du mMn am besten per Cronjob. Aber warum willst du das, wenn ich fragen darf?

Tom111

Zitat von: vbs am 01 Januar 2019, 12:23:11
Machst du mMn am besten per Cronjob. Aber warum willst du das, wenn ich fragen darf?
Ja, du darfst fragen :)
Da das fhem-LOG jeden Monat neu erstellt wird, also von fhem-2018-12.log nach fhem-2019-01.log wechselt, sucht fail2ban weiterhin im alten LOG, also in fhem-2018-12.log, wenn ich allerdings fail2ban neu starte, so nimmt er dann die aktuell LOG, also fhem-2019-01.log.
Da ich mich aber mit Linux nicht so gut auskenne und Cronjob noch nie angewandt habe, habe ich hier mal lieber diese Frage eingestellt. :)
FHEM 5.9 auf Raspberry Pi - 3B+ - Stretch-5.10.88+ | CUL868 CC1101 - USB - Lite module - V3 FW 1.67
Fritz!Box 7490 OS 07.29 / Fritz!Dect200 / Fritz!Powerline 546E
FS20ST-4/ FS20 DI-5/ FS20LS/ FS20 PIRI-2-KU/ FS20 TFK/ FS20S4A/FS20 SU-3/FS20 S20-3
HMS100TF/FHT80TF-2/ASH2200/S300TH/MiLight-Bridge V

Tom111

#68
wäre das richtig:
1 * 1 1-12 *  ???

oder reicht das:
1 * 1 * *
FHEM 5.9 auf Raspberry Pi - 3B+ - Stretch-5.10.88+ | CUL868 CC1101 - USB - Lite module - V3 FW 1.67
Fritz!Box 7490 OS 07.29 / Fritz!Dect200 / Fritz!Powerline 546E
FS20ST-4/ FS20 DI-5/ FS20LS/ FS20 PIRI-2-KU/ FS20 TFK/ FS20S4A/FS20 SU-3/FS20 S20-3
HMS100TF/FHT80TF-2/ASH2200/S300TH/MiLight-Bridge V

vbs

Nicht ganz:
http://cron.schlitt.info/index.php?cron=1+*+1+1-12+*&iterations=10&test=Test

Probier mal sowas:
http://cron.schlitt.info/index.php?cron=30+0+1+*+*&iterations=10&test=Test

Ich denke, man bekommt es auch mit dem client hin, ihn dazu zu bringen, das neue Log zu lesen. Da muss man evtl. nicht den ganzen Prozess neu starten:
https://www.fail2ban.org/wiki/index.php/Commands

Tom111

#70
1 0 1 1-12 *
scheint richtig zu sein! :)

So, habs eingetragen, muss jetzt nur bis Februar warten. :)
FHEM 5.9 auf Raspberry Pi - 3B+ - Stretch-5.10.88+ | CUL868 CC1101 - USB - Lite module - V3 FW 1.67
Fritz!Box 7490 OS 07.29 / Fritz!Dect200 / Fritz!Powerline 546E
FS20ST-4/ FS20 DI-5/ FS20LS/ FS20 PIRI-2-KU/ FS20 TFK/ FS20S4A/FS20 SU-3/FS20 S20-3
HMS100TF/FHT80TF-2/ASH2200/S300TH/MiLight-Bridge V

Maui

Mir scheint ich bin zu blöd. Nach Anleitung erster Post gemacht, kriege aber jail2ban nicht zum Laufen.
Ohne fhem jail läuft es. Füge ich ans Ende der jail.local den Text ein und starte neu, kriege ich einen Haufen FMs.
Jan 09 11:16:40 raspberrypi fail2ban[13833]: Starting authentication failure monitor: fail2banWARNING 'enabled' not defined in 'fhem'. Using default one: 'false'
Jan 09 11:16:40 raspberrypi fail2ban[13833]: WARNING 'logpath' not defined in 'fhem'. Using default one: '/var/log/messages'
Jan 09 11:16:40 raspberrypi fail2ban[13833]: WARNING 'filter' not defined in 'fhem'. Using default one: ''
Jan 09 11:16:40 raspberrypi fail2ban[13833]: ERROR  Failed during configuration: Bad value substitution:
Jan 09 11:16:40 raspberrypi fail2ban[13833]: section: [fhem]
Jan 09 11:16:40 raspberrypi fail2ban[13833]: option : action
Jan 09 11:16:40 raspberrypi fail2ban[13833]: key    : port
Jan 09 11:16:40 raspberrypi fail2ban[13833]: rawval : ", protocol="%(protocol)s", chain="%(chain)s"]
Jan 09 11:16:40 raspberrypi fail2ban[13833]: failed!
Jan 09 11:16:40 raspberrypi systemd[1]: Started LSB: Start/stop fail2ban.

Wernieman

Was hast Du denn in der Jail genau reingeschrieben?

Bitte um Input für Output
- Bitte um Input für Output
- When there is a Shell, there is a Way
- Wann war Dein letztes Backup?

Wie man Fragen stellt: https://tty1.net/smart-questions_de.html

Maui

In der fhem.conf
# Fail2ban filter for fhem

[INCLUDES]

before = common.conf

[Definition]

failregex = ^(.*?)Login denied (.*?)_<HOST>_

ignoreregex =


jail.local
pi@raspberrypi:~ $ cat /etc/fail2ban/jail.local
# Fail2Ban configuration file.
#
# This file was composed for Debian systems from the original one
# provided now under /usr/share/doc/fail2ban/examples/jail.conf
# for additional examples.
#
# Comments: use '#' for comment lines and ';' for inline comments
#
# To avoid merges during upgrades DO NOT MODIFY THIS FILE
# and rather provide your changes in /etc/fail2ban/jail.local
#

# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1/8

# External command that will take an tagged arguments to ignore, e.g. <ip>,
# and return true if the IP is to be ignored. False otherwise.
#
# ignorecommand = /path/to/command <ip>
ignorecommand =

# "bantime" is the number of seconds that a host is banned.
bantime  = 600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600
maxretry = 3

# "backend" specifies the backend used to get files modification.
# Available options are "pyinotify", "gamin", "polling" and "auto".
# This option can be overridden in each jail as well.
#
# pyinotify: requires pyinotify (a file alteration monitor) to be installed.
#            If pyinotify is not installed, Fail2ban will use auto.
# gamin:     requires Gamin (a file alteration monitor) to be installed.
#            If Gamin is not installed, Fail2ban will use auto.
# polling:   uses a polling algorithm which does not require external libraries.
# auto:      will try to use the following backends, in order:
#            pyinotify, gamin, polling.
backend = auto

# "usedns" specifies if jails should trust hostnames in logs,
#   warn when reverse DNS lookups are performed, or ignore all hostnames in logs
#
# yes:   if a hostname is encountered, a reverse DNS lookup will be performed.
# warn:  if a hostname is encountered, a reverse DNS lookup will be performed,
#        but it will be logged as a warning.
# no:    if a hostname is encountered, will not be used for banning,
#        but it will be logged as info.
usedns = warn

#
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = root@localhost

#
# Name of the sender for mta actions
sendername = Fail2Ban

# Email address of the sender
sender = fail2ban@localhost

#
# ACTIONS
#

# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define
# action_* variables. Can be overridden globally or per
# section within jail.local file
banaction = iptables-multiport

# email action. Since 0.8.1 upstream fail2ban uses sendmail
# MTA for the mailing. Change mta configuration parameter to mail
# if you want to revert to conventional 'mail'.
mta = sendmail

# Default protocol
protocol = tcp

# Specify chain where jumps would need to be added in iptables-* actions
chain = INPUT

#
# Action shortcuts. To be used to define action parameter

# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]

# ban & send an e-mail with whois report to the destemail.
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
              %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s", sendername="%(sendername)s"]

# ban & send an e-mail with whois report and relevant log lines
# to the destemail.
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
               %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s", sendername="%(sendername)s"]

# Choose default action.  To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g.  action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
action = %(action_)s

#
# JAILS
#

# Next jails corresponds to the standard configuration in Fail2ban 0.6 which
# was shipped in Debian. Enable any defined here jail by including
#
# [SECTION_NAME]
# enabled = true

#
# in /etc/fail2ban/jail.local.
#
# Optionally you may override any other parameter (e.g. banaction,
# action, port, logpath, etc) in that section within jail.local

[ssh]

enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 6

[dropbear]

enabled  = false
port     = ssh
filter   = dropbear
logpath  = /var/log/auth.log
maxretry = 6

# Generic filter for pam. Has to be used with action which bans all ports
# such as iptables-allports, shorewall
[pam-generic]

enabled  = false
# pam-generic filter can be customized to monitor specific subset of 'tty's
filter   = pam-generic
# port actually must be irrelevant but lets leave it all for some possible uses
port     = all
banaction = iptables-allports
port     = anyport
logpath  = /var/log/auth.log
maxretry = 6

[xinetd-fail]

enabled   = false
filter    = xinetd-fail
port      = all
banaction = iptables-multiport-log
logpath   = /var/log/daemon.log
maxretry  = 2


[ssh-ddos]

enabled  = false
port     = ssh
filter   = sshd-ddos
logpath  = /var/log/auth.log
maxretry = 6


# Here we use blackhole routes for not requiring any additional kernel support
# to store large volumes of banned IPs

[ssh-route]

enabled = false
filter = sshd
action = route
logpath = /var/log/sshd.log
maxretry = 6

# Here we use a combination of Netfilter/Iptables and IPsets
# for storing large volumes of banned IPs
#
# IPset comes in two versions. See ipset -V for which one to use
# requires the ipset package and kernel support.
[ssh-iptables-ipset4]

enabled  = false
port     = ssh
filter   = sshd
banaction = iptables-ipset-proto4
logpath  = /var/log/sshd.log
maxretry = 6

[ssh-iptables-ipset6]

enabled  = false
port     = ssh
filter   = sshd
banaction = iptables-ipset-proto6
logpath  = /var/log/sshd.log
maxretry = 6


#
# HTTP servers
#

[apache]

enabled  = false
port     = http,https
filter   = apache-auth
logpath  = /var/log/apache*/*error.log
maxretry = 6

# default action is now multiport, so apache-multiport jail was left
# for compatibility with previous (<0.7.6-2) releases
[apache-multiport]

enabled   = false
port      = http,https
filter    = apache-auth
logpath   = /var/log/apache*/*error.log
maxretry  = 6

[apache-noscript]

enabled  = false
port     = http,https
filter   = apache-noscript
logpath  = /var/log/apache*/*error.log
maxretry = 6

[apache-overflows]

enabled  = false
port     = http,https
filter   = apache-overflows
logpath  = /var/log/apache*/*error.log
maxretry = 2

[apache-modsecurity]

enabled  = false
filter   = apache-modsecurity
port     = http,https
logpath  = /var/log/apache*/*error.log
maxretry = 2

[apache-nohome]

enabled  = false
filter   = apache-nohome
port     = http,https
logpath  = /var/log/apache*/*error.log
maxretry = 2

# Ban attackers that try to use PHP's URL-fopen() functionality
# through GET/POST variables. - Experimental, with more than a year
# of usage in production environments.

[php-url-fopen]

enabled = false
port    = http,https
filter  = php-url-fopen
logpath = /var/www/*/logs/access_log

# A simple PHP-fastcgi jail which works with lighttpd.
# If you run a lighttpd server, then you probably will
# find these kinds of messages in your error_log:
#   ALERT – tried to register forbidden variable 'GLOBALS'
#   through GET variables (attacker '1.2.3.4', file '/var/www/default/htdocs/index.php')

[lighttpd-fastcgi]

enabled = false
port    = http,https
filter  = lighttpd-fastcgi
logpath = /var/log/lighttpd/error.log

# Same as above for mod_auth
# It catches wrong authentifications

[lighttpd-auth]

enabled = false
port    = http,https
filter  = suhosin
logpath = /var/log/lighttpd/error.log

[nginx-http-auth]

enabled = false
filter  = nginx-http-auth
port    = http,https
logpath = /var/log/nginx/error.log

# Monitor roundcube server

[roundcube-auth]

enabled  = false
filter   = roundcube-auth
port     = http,https
logpath  = /var/log/roundcube/userlogins


[sogo-auth]

enabled  = false
filter   = sogo-auth
port     = http, https
# without proxy this would be:
# port    = 20000
logpath  = /var/log/sogo/sogo.log


#
# FTP servers
#

[vsftpd]

enabled  = false
port     = ftp,ftp-data,ftps,ftps-data
filter   = vsftpd
logpath  = /var/log/vsftpd.log
# or overwrite it in jails.local to be
# logpath = /var/log/auth.log
# if you want to rely on PAM failed login attempts
# vsftpd's failregex should match both of those formats
maxretry = 6


[proftpd]

enabled  = false
port     = ftp,ftp-data,ftps,ftps-data
filter   = proftpd
logpath  = /var/log/proftpd/proftpd.log
maxretry = 6


[pure-ftpd]

enabled  = false
port     = ftp,ftp-data,ftps,ftps-data
filter   = pure-ftpd
logpath  = /var/log/syslog
maxretry = 6


[wuftpd]

enabled  = false
port     = ftp,ftp-data,ftps,ftps-data
filter   = wuftpd
logpath  = /var/log/syslog
maxretry = 6


#
# Mail servers
#

[postfix]

enabled  = false
port     = smtp,ssmtp,submission
filter   = postfix
logpath  = /var/log/mail.log


[couriersmtp]

enabled  = false
port     = smtp,ssmtp,submission
filter   = couriersmtp
logpath  = /var/log/mail.log


#
# Mail servers authenticators: might be used for smtp,ftp,imap servers, so
# all relevant ports get banned
#

[courierauth]

enabled  = false
port     = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s
filter   = courierlogin
logpath  = /var/log/mail.log


[sasl]

enabled  = false
port     = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s
filter   = postfix-sasl
# You might consider monitoring /var/log/mail.warn instead if you are
# running postfix since it would provide the same log lines at the
# "warn" level but overall at the smaller filesize.
logpath  = /var/log/mail.log

[dovecot]

enabled = false
port    = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s
filter  = dovecot
logpath = /var/log/mail.log

# To log wrong MySQL access attempts add to /etc/my.cnf:
# log-error=/var/log/mysqld.log
# log-warning = 2
[mysqld-auth]

enabled  = false
filter   = mysqld-auth
port     = 3306
logpath  = /var/log/mysqld.log


# DNS Servers


# These jails block attacks against named (bind9). By default, logging is off
# with bind9 installation. You will need something like this:
#
# logging {
#     channel security_file {
#         file "/var/log/named/security.log" versions 3 size 30m;
#         severity dynamic;
#         print-time yes;
#     };
#     category security {
#         security_file;
#     };
# };
#
# in your named.conf to provide proper logging

# !!! WARNING !!!
#   Since UDP is connection-less protocol, spoofing of IP and imitation
#   of illegal actions is way too simple.  Thus enabling of this filter
#   might provide an easy way for implementing a DoS against a chosen
#   victim. See
#    http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
#   Please DO NOT USE this jail unless you know what you are doing.
#[named-refused-udp]
#
#enabled  = false
#port     = domain,953
#protocol = udp
#filter   = named-refused
#logpath  = /var/log/named/security.log

[named-refused-tcp]

enabled  = false
port     = domain,953
protocol = tcp
filter   = named-refused
logpath  = /var/log/named/security.log

[freeswitch]

enabled  = false
filter   = freeswitch
logpath  = /var/log/freeswitch.log
maxretry = 10
action   = iptables-multiport[name=freeswitch-tcp, port="5060,5061,5080,5081", protocol=tcp]
           iptables-multiport[name=freeswitch-udp, port="5060,5061,5080,5081", protocol=udp]

[ejabberd-auth]

enabled  = false
filter   = ejabberd-auth
port     = xmpp-client
protocol = tcp
logpath  = /var/log/ejabberd/ejabberd.log


# Multiple jails, 1 per protocol, are necessary ATM:
# see https://github.com/fail2ban/fail2ban/issues/37
[asterisk-tcp]

enabled  = false
filter   = asterisk
port     = 5060,5061
protocol = tcp
logpath  = /var/log/asterisk/messages

[asterisk-udp]

enabled  = false
filter   = asterisk
port     = 5060,5061
protocol = udp
logpath  = /var/log/asterisk/messages


# Jail for more extended banning of persistent abusers
# !!! WARNING !!!
#   Make sure that your loglevel specified in fail2ban.conf/.local
#   is not at DEBUG level -- which might then cause fail2ban to fall into
#   an infinite loop constantly feeding itself with non-informative lines
[recidive]

enabled  = false
filter   = recidive
logpath  = /var/log/fail2ban.log
action   = iptables-allports[name=recidive]
           sendmail-whois-lines[name=recidive, logpath=/var/log/fail2ban.log]
bantime  = 604800  ; 1 week
findtime = 86400   ; 1 day
maxretry = 5

# See the IMPORTANT note in action.d/blocklist_de.conf for when to
# use this action
#
# Report block via blocklist.de fail2ban reporting service API
# See action.d/blocklist_de.conf for more information
[ssh-blocklist]

enabled  = false
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest="%(destemail)s", sender="%(sender)s", sendername="%(sendername)s"]
           blocklist_de[email="%(sender)s", apikey="xxxxxx", service="%(filter)s"]
logpath  = /var/log/sshd.log
maxretry = 20


# consider low maxretry and a long bantime
# nobody except your own Nagios server should ever probe nrpe
[nagios]
enabled  = false
filter   = nagios
action   = iptables[name=Nagios, port=5666, protocol=tcp]
           sendmail-whois[name=Nagios, dest="%(destemail)s", sender="%(sender)s", sendername="%(sendername)s"]
logpath  = /var/log/messages     ; nrpe.cfg may define a different log_facility
maxretry = 1

[fhem]
enabled  = true
port     = 8083
action   = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
           %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
filter   = fhem
logpath  = /opt/fhem/log/fhem-20*
maxretry = 10
bantime = 86400


Tom111

sind die Berechtigungen bzw Gruppe und Eigentümer der "jail.local" die gleichen wie bei "jail.conf"!?
Die "fhem.conf" auch kontrollieren!
FHEM 5.9 auf Raspberry Pi - 3B+ - Stretch-5.10.88+ | CUL868 CC1101 - USB - Lite module - V3 FW 1.67
Fritz!Box 7490 OS 07.29 / Fritz!Dect200 / Fritz!Powerline 546E
FS20ST-4/ FS20 DI-5/ FS20LS/ FS20 PIRI-2-KU/ FS20 TFK/ FS20S4A/FS20 SU-3/FS20 S20-3
HMS100TF/FHT80TF-2/ASH2200/S300TH/MiLight-Bridge V