Author Topic: Blocking FHEM hackers with fail2ban  (Read 11853 times)

Offline JensS

  • Sr. Member
  • ****
  • Posts: 583
Blocking FHEM hackers with fail2ban
« on: 18 February 2018, 14:41:05 »
To secure the FHEM port against brute-force attacks, I wrote a rule for fail2ban. Here is a short guide to it. After 10 failed login attempts, the user is blocked via iptables for 1 day (86400 seconds).

1. sudo apt install fail2ban (install fail2ban)
2. sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local (create your own configuration)
3. Create the filter in a new file: /etc/fail2ban/filter.d/fhem.conf
# Fail2ban filter for fhem

[INCLUDES]

before = common.conf

[Definition]

failregex = ^(.*?)Login denied (.*?)_<HOST>_

ignoreregex =

4. Append your own jail to the file /etc/fail2ban/jail.local. Enter the correct port and the path to the log directory.
[fhem]
enabled  = true
port     = 8083
action   = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
           %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
filter   = fhem
logpath  = /opt/fhem/log/fhem-20*
maxretry = 10
bantime = 86400

5. Run /etc/init.d/fail2ban restart

6. Set the allowed instance to log level 3: attr allowed_WEB verbose 3

Regards, Jens

PS:
You should perhaps mention that your config only works with a current FHEM. Update > 17.02.2018
« Last edit: 31 October 2018, 09:18:17 by dirigent »
Debian on APU2C4, HM-CFG-USB2, SIGNALduino, HM-ES-PMSw1-Pl, AB440S, AB440R, TFA 30.3121, TFA 30.3125, ITS-150, PIR-5000, configurable Firmata USB & LAN, 1-wire: DS-18B20, DS-18S20, DS-2408, DS-2413, various I2C components
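
How the filter and jail from this post interact, as an added example that is not part of the original post: the post's failregex is applied to constructed log lines and failures are counted per host against maxretry within findtime, approximating what fail2ban does. Assumptions: the FHEM log line layout and timestamp format are constructed for illustration, `<HOST>` is replaced by a simplified IPv4-only group, and findtime = 600 is the value reported in the fail2ban.log later in the thread.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# failregex exactly as given in the post's fhem.conf
FAILREGEX = r"^(.*?)Login denied (.*?)_<HOST>_"
# Simplified stand-in for fail2ban's <HOST> tag: IPv4 only (assumption).
HOST_GROUP = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
MAXRETRY = 10    # maxretry from the post's jail
FINDTIME = 600   # seconds, as logged by fail2ban later in the thread
TS_FORMAT = "%Y.%m.%d %H:%M:%S"  # assumed FHEM log timestamp layout


def compile_failregex(failregex=FAILREGEX):
    """Expand <HOST> and compile the filter expression."""
    return re.compile(failregex.replace("<HOST>", HOST_GROUP))


def find_bans(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Return {host: timestamp of the failure that triggers the ban}."""
    rx = compile_failregex()
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)   # host -> failure times inside the window
    bans = {}
    for line in lines:
        m = rx.search(line)
        if m is None:
            continue              # not a failed login
        host = m.group("host")
        if host in bans:
            continue              # already banned, nothing more to count
        ts = datetime.strptime(line[:19], TS_FORMAT)
        q = recent[host]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()           # forget failures older than findtime
        if len(q) >= maxretry:
            bans[host] = ts
    return bans


def sample_log():
    """Constructed log lines (documentation IP ranges), sorted by time."""
    base = datetime(2018, 2, 18, 17, 0, 0)

    def denied(offset, host):
        ts = (base + timedelta(seconds=offset)).strftime(TS_FORMAT)
        return f"{ts} 3: Login denied for user >admin< via WEB_{host}_51234"

    lines = [base.strftime(TS_FORMAT) + " 3: WEB: port 8083 opened"]
    # 10 failures within 90 seconds: reaches maxretry inside findtime
    lines += [denied(10 * i, "203.0.113.7") for i in range(10)]
    # 10 failures spread over 18 minutes: never 10 inside one 600 s window
    lines += [denied(120 * i, "198.51.100.9") for i in range(10)]
    return sorted(lines, key=lambda l: l[:19])


if __name__ == "__main__":
    for host, when in find_bans(sample_log()).items():
        print(f"ban {host} at {when}")
```

The slow client is never banned, which is the trade-off of a count-within-window rule: lowering maxretry or raising findtime narrows that gap.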

Offline CoolTux

  • Developer
  • Hero Member
  • ****
  • Posts: 22935
Re: Blocking FHEM hackers with fail2ban
« Reply #1 on: 18 February 2018, 14:43:06 »
You should perhaps mention that your config only works with a current FHEM. Update > 17.02.2018
You don't need to know how it works! You only need to know where it is written how it works.
Support me to buy new test hardware for development: https://paypal.me/pools/c/8gULisr9BT
FHEM GitHub: https://github.com/fhem/
No support for cfg editors

Offline vbs

  • Hero Member
  • *****
  • Posts: 2366
Re: Blocking FHEM hackers with fail2ban
« Reply #2 on: 18 February 2018, 15:12:01 »
When does one use fail2ban in combination with FHEM? Only if FHEM is connected directly to the internet, right?

Offline Tom111

  • Sr. Member
  • ****
  • Posts: 531
  • The goal is the goal :D
Re: Blocking FHEM hackers with fail2ban
« Reply #3 on: 18 February 2018, 15:43:44 »
4. Append your own jail in /etc/fail2ban/jail.local.
[fhem]
enabled  = true
port     = 8083
action   = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
           %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
           %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
filter   = fhem
logpath  = /opt/fhem/log/fhem-20*
maxretry = 10
bantime = 86400


If you write "append", then the following code is missing from the list:
# Fail2ban filter for fhem

[INCLUDES]

before = common.conf

[Definition]

failregex = ^(.*?)Login denied by (.*?)_<HOST>_

ignoreregex =

Or did you mean "replace"??

Regards
Tom
FHEM 5.9 on Raspberry Pi - 3B+ - Stretch-4.19.86+ | CUL868 CC1101 - USB - Lite module - V3 FW 1.67
Fritz!Box 7490 OS 07.01 / Fritz!Dect200 / Fritz!Powerline 546E
FS20ST-4/ FS20 DI-5/ FS20LS/ FS20 PIRI-2-KU/ FS20 TFK/ FS20S4A/FS20 SU-3/FS20 S20-3
HMS100TF/FHT80TF-2/ASH2200/S300TH/MiLight-Bridge V

JensS
Re: Blocking FHEM hackers with fail2ban
« Reply #4 on: 18 February 2018, 15:57:45 »
I have made the description a bit more specific.

Tom111
Re: Blocking FHEM hackers with fail2ban
« Reply #5 on: 18 February 2018, 17:19:44 »
I have now set the whole thing up the way you described it.
Unfortunately, not much happens when I try to log in a dozen times with a wrong password.
Nothing gets blocked and I can log in normally afterwards.  :-\

JensS
Re: Blocking FHEM hackers with fail2ban
« Reply #6 on: 18 February 2018, 17:29:40 »
Failed logins from the local network are ignored by default (see ignoreip in jail.local).
Try it from outside.
Regards, Jens

Tom111
Re: Blocking FHEM hackers with fail2ban
« Reply #7 on: 18 February 2018, 18:47:36 »
> Failed logins from the local network are ignored by default (see ignoreip in jail.local).
> Try it from outside.
> Regards, Jens

I did that!

Tom111
Re: Blocking FHEM hackers with fail2ban
« Reply #8 on: 18 February 2018, 19:39:21 »
According to the log everything works, but as I already mentioned, I can still get into FHEM with the blocked IP.
The IP 81.169.xxx.xxx has just been banned by Fail2Ban after
3 attempts against fhem.\n\n
Here are more information about 81.169.xxx.xxx:\n
`/usr/bin/whois 81.169.xxx.xxx`\n
Regards,\n
Fail2Ban" | /usr/sbin/sendmail -f fail2ban root@localhost returned 7f00

JensS
Re: Blocking FHEM hackers with fail2ban
« Reply #9 on: 18 February 2018, 19:43:11 »
What do "fail2ban-client status fhem" and "iptables -S" as well as "/var/log/fail2ban.log" say?
Is the correct port entered?
« Last edit: 18 February 2018, 19:57:31 by dirigent »

Tom111
Re: Blocking FHEM hackers with fail2ban
« Reply #10 on: 18 February 2018, 19:58:03 »
What do you mean by "fail2ban-client status fhem"?


iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N fail2ban-fhem-udp
-N fail2ban-ip-blacklist
-N fail2ban-ssh
-A INPUT -p tcp -j fail2ban-ip-blacklist
-A INPUT -p udp -m multiport --dports 8083 -j fail2ban-fhem-udp
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A fail2ban-fhem-udp -s 81.169.xxx.xxx/32 -j DROP
-A fail2ban-fhem-udp -j RETURN
-A fail2ban-ip-blacklist -j RETURN
-A fail2ban-ssh -j RETURN

/var/log/fail2ban.log
2018-02-18 15:46:43,852 fail2ban.server : INFO   Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.6
2018-02-18 15:46:43,855 fail2ban.jail   : INFO   Creating new jail 'ssh'
2018-02-18 15:46:43,856 fail2ban.jail   : INFO   Jail 'ssh' uses poller
2018-02-18 15:46:43,923 fail2ban.filter : INFO   Added logfile = /var/log/auth.log
2018-02-18 15:46:43,926 fail2ban.filter : INFO   Set maxRetry = 6
2018-02-18 15:46:43,930 fail2ban.filter : INFO   Set findtime = 600
2018-02-18 15:46:43,932 fail2ban.actions: INFO   Set banTime = 600
2018-02-18 15:46:44,129 fail2ban.jail   : INFO   Jail 'ssh' started
2018-02-18 16:15:33,525 fail2ban.server : INFO   Stopping all jails
2018-02-18 16:15:34,256 fail2ban.jail   : INFO   Jail 'ssh' stopped
2018-02-18 16:15:34,258 fail2ban.server : INFO   Exiting Fail2ban
2018-02-18 16:15:46,815 fail2ban.server : INFO   Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.6
2018-02-18 16:15:46,818 fail2ban.jail   : INFO   Creating new jail 'ssh'
2018-02-18 16:15:46,829 fail2ban.jail   : INFO   Jail 'ssh' uses Gamin
2018-02-18 16:15:46,980 fail2ban.filter : INFO   Added logfile = /var/log/auth.log
2018-02-18 16:15:46,983 fail2ban.filter : INFO   Set maxRetry = 6
2018-02-18 16:15:46,987 fail2ban.filter : INFO   Set findtime = 600
2018-02-18 16:15:46,989 fail2ban.actions: INFO   Set banTime = 600
2018-02-18 16:15:47,179 fail2ban.jail   : INFO   Creating new jail 'fhem'
2018-02-18 16:15:47,180 fail2ban.jail   : INFO   Jail 'fhem' uses Gamin
2018-02-18 16:15:47,188 fail2ban.filter : INFO   Added logfile = /opt/fhem/log/fhem-2018-02.log
2018-02-18 16:15:47,191 fail2ban.filter : INFO   Set maxRetry = 10
2018-02-18 16:15:47,196 fail2ban.filter : INFO   Set findtime = 600
2018-02-18 16:15:47,199 fail2ban.actions: INFO   Set banTime = 86400
2018-02-18 16:15:47,272 fail2ban.jail   : INFO   Creating new jail 'ip-blacklist'
2018-02-18 16:15:47,273 fail2ban.jail   : INFO   Jail 'ip-blacklist' uses Gamin
2018-02-18 16:15:47,278 fail2ban.filter : INFO   Added logfile = /etc/fail2ban/ip.blacklist
2018-02-18 16:15:47,280 fail2ban.filter : INFO   Set maxRetry = 0
2018-02-18 16:15:47,283 fail2ban.filter : INFO   Set findtime = 15552000
2018-02-18 16:15:47,285 fail2ban.actions: INFO   Set banTime = -1
2018-02-18 16:15:47,326 fail2ban.jail   : INFO   Jail 'ssh' started
2018-02-18 16:15:47,373 fail2ban.jail   : INFO   Jail 'fhem' started
2018-02-18 16:15:47,404 fail2ban.jail   : INFO   Jail 'ip-blacklist' started
2018-02-18 16:15:47,504 fail2ban.actions.action: ERROR  printf %b "Subject: [Fail2Ban] fhem: started
Date: `date -u +"%a, %d %h %Y %T +0000"`
From: Fail2Ban <fail2ban>
To: root@localhost\n
Hi,\n
The jail fhem has been started successfully.\n
Regards,\n
Fail2Ban" | /usr/sbin/sendmail -f fail2ban root@localhost returned 7f00
2018-02-18 17:04:18,686 fail2ban.actions: WARNING [fhem] Ban 81.169.xxx.xxx
2018-02-18 17:04:18,837 fail2ban.actions.action: ERROR  printf %b "Subject: [Fail2Ban] fhem: banned 81.169.xxx.xxx
Date: `date -u +"%a, %d %h %Y %T +0000"`
From: Fail2Ban <fail2ban>
To: root@localhost\n
Hi,\n
The IP 81.169.xxx.xxx has just been banned by Fail2Ban after
11 attempts against fhem.\n\n
Here are more information about 81.169.xxx.xxx:\n
`/usr/bin/whois 81.169.xxx.xxx`\n
Regards,\n
Fail2Ban" | /usr/sbin/sendmail -f fail2ban root@localhost returned 7f00
2018-02-18 17:15:18,549 fail2ban.server : INFO   Stopping all jails
2018-02-18 17:15:18,667 fail2ban.actions: WARNING [fhem] Unban 81.169.xxx.xxx
2018-02-18 17:15:18,728 fail2ban.actions.action: ERROR  printf %b "Subject: [Fail2Ban] fhem: stopped
Date: `date -u +"%a, %d %h %Y %T +0000"`
From: Fail2Ban <fail2ban>
To: root@localhost\n
Hi,\n
The jail fhem has been stopped.\n
Regards,\n
Fail2Ban" | /usr/sbin/sendmail -f fail2ban root@localhost returned 7f00
2018-02-18 17:15:19,187 fail2ban.jail   : INFO   Jail 'fhem' stopped
2018-02-18 17:15:20,158 fail2ban.jail   : INFO   Jail 'ip-blacklist' stopped
2018-02-18 17:15:20,564 fail2ban.jail   : INFO   Jail 'ssh' stopped
2018-02-18 17:15:20,576 fail2ban.server : INFO   Exiting Fail2ban
2018-02-18 17:15:31,029 fail2ban.server : INFO   Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.6
2018-02-18 17:15:31,032 fail2ban.jail   : INFO   Creating new jail 'ssh'
2018-02-18 17:15:31,044 fail2ban.jail   : INFO   Jail 'ssh' uses Gamin
2018-02-18 17:15:31,207 fail2ban.filter : INFO   Added logfile = /var/log/auth.log
2018-02-18 17:15:31,210 fail2ban.filter : INFO   Set maxRetry = 6
2018-02-18 17:15:31,214 fail2ban.filter : INFO   Set findtime = 600
2018-02-18 17:15:31,217 fail2ban.actions: INFO   Set banTime = 600
2018-02-18 17:15:31,417 fail2ban.jail   : INFO   Creating new jail 'fhem'
2018-02-18 17:15:31,418 fail2ban.jail   : INFO   Jail 'fhem' uses Gamin
2018-02-18 17:15:31,424 fail2ban.filter : INFO   Added logfile = /opt/fhem/log/fhem-2018-02.log
2018-02-18 17:15:31,427 fail2ban.filter : INFO   Set maxRetry = 10
2018-02-18 17:15:31,432 fail2ban.filter : INFO   Set findtime = 600
2018-02-18 17:15:31,435 fail2ban.actions: INFO   Set banTime = 86400
2018-02-18 17:15:31,509 fail2ban.jail   : INFO   Creating new jail 'ip-blacklist'
2018-02-18 17:15:31,510 fail2ban.jail   : INFO   Jail 'ip-blacklist' uses Gamin
2018-02-18 17:15:31,515 fail2ban.filter : INFO   Added logfile = /etc/fail2ban/ip.blacklist
2018-02-18 17:15:31,517 fail2ban.filter : INFO   Set maxRetry = 0
2018-02-18 17:15:31,520 fail2ban.filter : INFO   Set findtime = 15552000
2018-02-18 17:15:31,522 fail2ban.actions: INFO   Set banTime = -1
2018-02-18 17:15:31,554 fail2ban.jail   : INFO   Jail 'ssh' started
2018-02-18 17:15:31,610 fail2ban.jail   : INFO   Jail 'fhem' started
2018-02-18 17:15:31,692 fail2ban.jail   : INFO   Jail 'ip-blacklist' started
2018-02-18 17:15:31,721 fail2ban.actions.action: ERROR  printf %b "Subject: [Fail2Ban] fhem: started
Date: `date -u +"%a, %d %h %Y %T +0000"`
From: Fail2Ban <fail2ban>
To: root@localhost\n
Hi,\n
The jail fhem has been started successfully.\n
Regards,\n
Fail2Ban" | /usr/sbin/sendmail -f fail2ban root@localhost returned 7f00
2018-02-18 19:02:43,002 fail2ban.actions: WARNING [fhem] Ban 81.169.xxx.xxx
2018-02-18 19:02:43,116 fail2ban.actions.action: ERROR  printf %b "Subject: [Fail2Ban] fhem: banned 81.169.xxx.xxx
Date: `date -u +"%a, %d %h %Y %T +0000"`
From: Fail2Ban <fail2ban>
To: root@localhost\n
Hi,\n
The IP 81.169.xxx.xxx has just been banned by Fail2Ban after
10 attempts against fhem.\n\n
Here are more information about 81.169.xxx.xxx:\n
`/usr/bin/whois 81.169.xxx.xxx`\n
Regards,\n
Fail2Ban" | /usr/sbin/sendmail -f fail2ban root@localhost returned 7f00
2018-02-18 19:16:48,176 fail2ban.actions: WARNING [fhem] Ban 77.182.xx.xx
2018-02-18 19:16:48,288 fail2ban.actions.action: ERROR  printf %b "Subject: [Fail2Ban] fhem: banned 77.182.xx.xx
Date: `date -u +"%a, %d %h %Y %T +0000"`
From: Fail2Ban <fail2ban>
To: root@localhost\n
Hi,\n
The IP 77.182.xx.xx has just been banned by Fail2Ban after
10 attempts against fhem.\n\n
Here are more information about 77.182.xx.xx:\n
`/usr/bin/whois 77.182.xx.xx`\n
Regards,\n
Fail2Ban" | /usr/sbin/sendmail -f fail2ban root@localhost returned 7f00
2018-02-18 19:19:21,901 fail2ban.server : INFO   Stopping all jails
2018-02-18 19:19:22,474 fail2ban.actions: WARNING [fhem] Unban 81.169.xxx.xxx
2018-02-18 19:19:22,500 fail2ban.actions: WARNING [fhem] Unban 77.182.xx.xx
2018-02-18 19:19:22,561 fail2ban.actions.action: ERROR  printf %b "Subject: [Fail2Ban] fhem: stopped
Date: `date -u +"%a, %d %h %Y %T +0000"`
From: Fail2Ban <fail2ban>
To: root@localhost\n
Hi,\n
The jail fhem has been stopped.\n
Regards,\n
Fail2Ban" | /usr/sbin/sendmail -f fail2ban root@localhost returned 7f00
2018-02-18 19:19:22,562 fail2ban.jail   : INFO   Jail 'fhem' stopped
2018-02-18 19:19:23,426 fail2ban.jail   : INFO   Jail 'ip-blacklist' stopped
2018-02-18 19:19:24,339 fail2ban.jail   : INFO   Jail 'ssh' stopped
2018-02-18 19:19:24,344 fail2ban.server : INFO   Exiting Fail2ban
2018-02-18 19:19:34,338 fail2ban.server : INFO   Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.6
2018-02-18 19:19:34,342 fail2ban.jail   : INFO   Creating new jail 'ssh'
2018-02-18 19:19:34,354 fail2ban.jail   : INFO   Jail 'ssh' uses Gamin
2018-02-18 19:19:34,502 fail2ban.filter : INFO   Added logfile = /var/log/auth.log
2018-02-18 19:19:34,505 fail2ban.filter : INFO   Set maxRetry = 6
2018-02-18 19:19:34,509 fail2ban.filter : INFO   Set findtime = 600
2018-02-18 19:19:34,511 fail2ban.actions: INFO   Set banTime = 600
2018-02-18 19:19:34,700 fail2ban.jail   : INFO   Creating new jail 'fhem'
2018-02-18 19:19:34,700 fail2ban.jail   : INFO   Jail 'fhem' uses Gamin
2018-02-18 19:19:34,706 fail2ban.filter : INFO   Added logfile = /opt/fhem/log/fhem-2018-02.log
2018-02-18 19:19:34,709 fail2ban.filter : INFO   Set maxRetry = 2
2018-02-18 19:19:34,713 fail2ban.filter : INFO   Set findtime = 600
2018-02-18 19:19:34,715 fail2ban.actions: INFO   Set banTime = 86400
2018-02-18 19:19:34,774 fail2ban.jail   : INFO   Creating new jail 'ip-blacklist'
2018-02-18 19:19:34,775 fail2ban.jail   : INFO   Jail 'ip-blacklist' uses Gamin
2018-02-18 19:19:34,780 fail2ban.filter : INFO   Added logfile = /etc/fail2ban/ip.blacklist
2018-02-18 19:19:34,783 fail2ban.filter : INFO   Set maxRetry = 0
2018-02-18 19:19:34,787 fail2ban.filter : INFO   Set findtime = 15552000
2018-02-18 19:19:34,789 fail2ban.actions: INFO   Set banTime = -1
2018-02-18 19:19:34,834 fail2ban.jail   : INFO   Jail 'ssh' started
2018-02-18 19:19:34,945 fail2ban.jail   : INFO   Jail 'fhem' started
2018-02-18 19:19:34,973 fail2ban.jail   : INFO   Jail 'ip-blacklist' started
2018-02-18 19:19:35,002 fail2ban.actions.action: ERROR  printf %b "Subject: [Fail2Ban] fhem: started
Date: `date -u +"%a, %d %h %Y %T +0000"`
From: Fail2Ban <fail2ban>
To: root@localhost\n
Hi,\n
The jail fhem has been started successfully.\n
Regards,\n
Fail2Ban" | /usr/sbin/sendmail -f fail2ban root@localhost returned 7f00
2018-02-18 19:19:37,015 fail2ban.actions: WARNING [fhem] Ban 77.182.xx.xx
2018-02-18 19:19:37,145 fail2ban.actions.action: ERROR  printf %b "Subject: [Fail2Ban] fhem: banned 77.182.xx.xx
Date: `date -u +"%a, %d %h %Y %T +0000"`
From: Fail2Ban <fail2ban>
To: root@localhost\n
Hi,\n
The IP 77.182.xx.xx has just been banned by Fail2Ban after
11 attempts against fhem.\n\n
Here are more information about 77.182.xx.xx:\n
`/usr/bin/whois 77.182.xx.xx`\n
Regards,\n
Fail2Ban" | /usr/sbin/sendmail -f fail2ban root@localhost returned 7f00
2018-02-18 19:20:39,265 fail2ban.actions: WARNING [fhem] Ban 81.169.xxx.xxx
2018-02-18 19:20:39,383 fail2ban.actions.action: ERROR  printf %b "Subject: [Fail2Ban] fhem: banned 81.169.xxx.xxx
Date: `date -u +"%a, %d %h %Y %T +0000"`
From: Fail2Ban <fail2ban>
To: root@localhost\n
Hi,\n
The IP 81.169.xxx.xxx has just been banned by Fail2Ban after
2 attempts against fhem.\n\n
Here are more information about 81.169.xxx.xxx:\n
`/usr/bin/whois 81.169.xxx.xxx`\n
Regards,\n
Fail2Ban" | /usr/sbin/sendmail -f fail2ban root@localhost returned 7f00
2018-02-18 19:20:42,389 fail2ban.actions: WARNING [fhem] 81.169.xxx.xxx already banned
2018-02-18 19:31:26,531 fail2ban.server : INFO   Stopping all jails
2018-02-18 19:31:27,211 fail2ban.actions: WARNING [fhem] Unban 77.182.xx.xx
2018-02-18 19:31:27,235 fail2ban.actions: WARNING [fhem] Unban 81.169.xxx.xxx
2018-02-18 19:31:27,304 fail2ban.actions.action: ERROR  printf %b "Subject: [Fail2Ban] fhem: stopped
Date: `date -u +"%a, %d %h %Y %T +0000"`
From: Fail2Ban <fail2ban>
To: root@localhost\n
Hi,\n
The jail fhem has been stopped.\n
Regards,\n
Fail2Ban" | /usr/sbin/sendmail -f fail2ban root@localhost returned 7f00
2018-02-18 19:31:27,306 fail2ban.jail   : INFO   Jail 'fhem' stopped
2018-02-18 19:31:28,008 fail2ban.jail   : INFO   Jail 'ip-blacklist' stopped
2018-02-18 19:31:28,901 fail2ban.jail   : INFO   Jail 'ssh' stopped
2018-02-18 19:31:28,910 fail2ban.server : INFO   Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.6
2018-02-18 19:31:28,914 fail2ban.jail   : INFO   Creating new jail 'ssh'
2018-02-18 19:31:28,915 fail2ban.jail   : INFO   Jail 'ssh' uses Gamin
2018-02-18 19:31:28,922 fail2ban.filter : INFO   Added logfile = /var/log/auth.log
2018-02-18 19:31:28,926 fail2ban.filter : INFO   Set maxRetry = 2
2018-02-18 19:31:28,932 fail2ban.filter : INFO   Set findtime = 600
2018-02-18 19:31:28,936 fail2ban.actions: INFO   Set banTime = 600
2018-02-18 19:31:29,032 fail2ban.jail   : INFO   Creating new jail 'fhem'
2018-02-18 19:31:29,033 fail2ban.jail   : INFO   Jail 'fhem' uses Gamin
2018-02-18 19:31:29,038 fail2ban.filter : INFO   Added logfile = /opt/fhem/log/fhem-2018-02.log
2018-02-18 19:31:29,040 fail2ban.filter : INFO   Set maxRetry = 2
2018-02-18 19:31:29,043 fail2ban.filter : INFO   Set findtime = 600
2018-02-18 19:31:29,045 fail2ban.actions: INFO   Set banTime = 86400
2018-02-18 19:31:29,089 fail2ban.jail   : INFO   Creating new jail 'ip-blacklist'
2018-02-18 19:31:29,089 fail2ban.jail   : INFO   Jail 'ip-blacklist' uses Gamin
2018-02-18 19:31:29,093 fail2ban.filter : INFO   Added logfile = /etc/fail2ban/ip.blacklist
2018-02-18 19:31:29,095 fail2ban.filter : INFO   Set maxRetry = 0
2018-02-18 19:31:29,098 fail2ban.filter : INFO   Set findtime = 15552000
2018-02-18 19:31:29,100 fail2ban.actions: INFO   Set banTime = -1
2018-02-18 19:31:29,134 fail2ban.jail   : INFO   Jail 'ssh' started
2018-02-18 19:31:29,172 fail2ban.jail   : INFO   Jail 'fhem' started
2018-02-18 19:31:29,250 fail2ban.actions.action: ERROR  printf %b "Subject: [Fail2Ban] fhem: started
Date: `date -u +"%a, %d %h %Y %T +0000"`
From: Fail2Ban <fail2ban>
To: root@localhost\n
Hi,\n
The jail fhem has been started successfully.\n
Regards,\n
Fail2Ban" | /usr/sbin/sendmail -f fail2ban root@localhost returned 7f00
2018-02-18 19:31:29,262 fail2ban.jail   : INFO   Jail 'ip-blacklist' started
2018-02-18 19:35:54,582 fail2ban.actions: WARNING [fhem] Ban 81.169.xxx.xxx
2018-02-18 19:35:54,703 fail2ban.actions.action: ERROR  printf %b "Subject: [Fail2Ban] fhem: banned 81.169.xxx.xxx
Date: `date -u +"%a, %d %h %Y %T +0000"`
From: Fail2Ban <fail2ban>
To: root@localhost\n
Hi,\n
The IP 81.169.xxx.xxx has just been banned by Fail2Ban after
3 attempts against fhem.\n\n
Here are more information about 81.169.xxx.xxx:\n
`/usr/bin/whois 81.169.xxx.xxx`\n
Regards,\n
Fail2Ban" | /usr/sbin/sendmail -f fail2ban root@localhost returned 7f00
2018-02-18 19:47:45,193 fail2ban.server : INFO   Stopping all jails
2018-02-18 19:47:45,585 fail2ban.actions: WARNING [fhem] Unban 81.169.xxx.xxx
2018-02-18 19:47:45,647 fail2ban.actions.action: ERROR  printf %b "Subject: [Fail2Ban] fhem: stopped
Date: `date -u +"%a, %d %h %Y %T +0000"`
From: Fail2Ban <fail2ban>
To: root@localhost\n
Hi,\n
The jail fhem has been stopped.\n
Regards,\n
Fail2Ban" | /usr/sbin/sendmail -f fail2ban root@localhost returned 7f00
2018-02-18 19:47:45,648 fail2ban.jail   : INFO   Jail 'fhem' stopped
2018-02-18 19:47:46,488 fail2ban.jail   : INFO   Jail 'ip-blacklist' stopped
2018-02-18 19:47:47,418 fail2ban.jail   : INFO   Jail 'ssh' stopped
2018-02-18 19:47:47,427 fail2ban.server : INFO   Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.6
2018-02-18 19:47:47,431 fail2ban.jail   : INFO   Creating new jail 'ssh'
2018-02-18 19:47:47,432 fail2ban.jail   : INFO   Jail 'ssh' uses Gamin
2018-02-18 19:47:47,441 fail2ban.filter : INFO   Added logfile = /var/log/auth.log
2018-02-18 19:47:47,446 fail2ban.filter : INFO   Set maxRetry = 2
2018-02-18 19:47:47,459 fail2ban.filter : INFO   Set findtime = 600
2018-02-18 19:47:47,464 fail2ban.actions: INFO   Set banTime = 600
2018-02-18 19:47:47,573 fail2ban.jail   : INFO   Creating new jail 'fhem'
2018-02-18 19:47:47,574 fail2ban.jail   : INFO   Jail 'fhem' uses Gamin
2018-02-18 19:47:47,578 fail2ban.filter : INFO   Added logfile = /opt/fhem/log/fhem-2018-02.log
2018-02-18 19:47:47,580 fail2ban.filter : INFO   Set maxRetry = 2
2018-02-18 19:47:47,588 fail2ban.filter : INFO   Set findtime = 600
2018-02-18 19:47:47,590 fail2ban.actions: INFO   Set banTime = 86400
2018-02-18 19:47:47,646 fail2ban.jail   : INFO   Creating new jail 'ip-blacklist'
2018-02-18 19:47:47,646 fail2ban.jail   : INFO   Jail 'ip-blacklist' uses Gamin
2018-02-18 19:47:47,650 fail2ban.filter : INFO   Added logfile = /etc/fail2ban/ip.blacklist
2018-02-18 19:47:47,653 fail2ban.filter : INFO   Set maxRetry = 0
2018-02-18 19:47:47,660 fail2ban.filter : INFO   Set findtime = 15552000
2018-02-18 19:47:47,663 fail2ban.actions: INFO   Set banTime = -1
2018-02-18 19:47:47,696 fail2ban.jail   : INFO   Jail 'ssh' started
2018-02-18 19:47:47,716 fail2ban.jail   : INFO   Jail 'fhem' started
2018-02-18 19:47:47,757 fail2ban.jail   : INFO   Jail 'ip-blacklist' started
2018-02-18 19:47:47,825 fail2ban.actions.action: ERROR  printf %b "Subject: [Fail2Ban] fhem: started
Date: `date -u +"%a, %d %h %Y %T +0000"`
From: Fail2Ban <fail2ban>
To: root@localhost\n
Hi,\n
The jail fhem has been started successfully.\n
Regards,\n
Fail2Ban" | /usr/sbin/sendmail -f fail2ban root@localhost returned 7f00
2018-02-18 19:48:12,866 fail2ban.actions: WARNING [fhem] Ban 81.169.xxx.xxx
2018-02-18 19:48:12,956 fail2ban.actions.action: ERROR  printf %b "Subject: [Fail2Ban] fhem: banned 81.169.xxx.xxx
Date: `date -u +"%a, %d %h %Y %T +0000"`
From: Fail2Ban <fail2ban>
To: root@localhost\n
Hi,\n
The IP 81.169.xxx.xxx has just been banned by Fail2Ban after
3 attempts against fhem.\n\n
Here are more information about 81.169.xxx.xxx:\n
`/usr/bin/whois 81.169.xxx.xxx`\n
Regards,\n
Fail2Ban" | /usr/sbin/sendmail -f fail2ban root@localhost returned 7f00
2018-02-18 19:48:15,961 fail2ban.actions: WARNING [fhem] 81.169.xxx.xxx already banned

CoolTux
Re: Blocking FHEM hackers with fail2ban
« Reply #11 on: 18 February 2018, 20:23:56 »
But it works great. At least it blocks. OK, wrong protocol, udp instead of tcp, but still.

Tom111
Re: Blocking FHEM hackers with fail2ban
« Reply #12 on: 18 February 2018, 20:34:36 »
> But it works great. At least it blocks. OK, wrong protocol, udp instead of tcp, but still.

It blocks nothing at all,.... what is wrong and where do I have to change what?

CoolTux
Re: Blocking FHEM hackers with fail2ban
« Reply #13 on: 18 February 2018, 20:46:39 »
Of course it blocks, just look at the iptables rule set.
-N fail2ban-fhem-udp
-A INPUT -p tcp -j fail2ban-ip-blacklist
-A INPUT -p udp -m multiport --dports 8083 -j fail2ban-fhem-udp
-A fail2ban-fhem-udp -s 81.169.xxx.xxx/32 -j DROP
-A fail2ban-fhem-udp -j RETURN
-A fail2ban-ip-blacklist -j RETURN

Only some smart aleck was of the opinion that FHEM communicates over the udp protocol on port 8083.
By the way, here is your banned IP subnet
-A fail2ban-fhem-udp -s 81.169.xxx.xxx/32 -j DROP

Take this nonsense out
%(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
« Last edit: 18 February 2018, 20:49:24 by CoolTux »
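
The diagnosis in this reply, as an added example that is not part of the original post: a small evaluator for `iptables -S` output, run over the rule set posted in reply #10, that reports the verdict for a given protocol, destination port and source. Assumptions: only `-p`, `--dports`, `-s` and `-j` are interpreted, source addresses are compared as plain strings because the thread masks them, and `FIXED_RULES` is a constructed variant in which the fhem chain is hooked for tcp.

```python
import shlex

# iptables -S output exactly as posted in the thread (address masked there)
RULES = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N fail2ban-fhem-udp
-N fail2ban-ip-blacklist
-N fail2ban-ssh
-A INPUT -p tcp -j fail2ban-ip-blacklist
-A INPUT -p udp -m multiport --dports 8083 -j fail2ban-fhem-udp
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A fail2ban-fhem-udp -s 81.169.xxx.xxx/32 -j DROP
-A fail2ban-fhem-udp -j RETURN
-A fail2ban-ip-blacklist -j RETURN
-A fail2ban-ssh -j RETURN
"""

# Constructed: the same rules with the fhem chain hooked for tcp instead of udp
FIXED_RULES = RULES.replace("fhem-udp", "fhem-tcp").replace("-p udp", "-p tcp")

TERMINAL = {"ACCEPT", "DROP", "REJECT"}


def parse_rules(text):
    """Return (policies, chains); each chain is an ordered list of rule dicts."""
    policies, chains = {}, {}
    for line in text.splitlines():
        tok = shlex.split(line)
        if not tok:
            continue
        if tok[0] == "-P":
            policies[tok[1]] = tok[2]
            chains.setdefault(tok[1], [])
        elif tok[0] == "-N":
            chains.setdefault(tok[1], [])
        elif tok[0] == "-A":
            rule = {"proto": None, "dports": None, "src": None, "target": None}
            opts = tok[2:]
            for key, val in zip(opts, opts[1:]):
                if key == "-p":
                    rule["proto"] = val
                elif key == "--dports":
                    rule["dports"] = set(val.split(","))
                elif key == "-s":
                    rule["src"] = val.split("/")[0]   # drop the /32 suffix
                elif key == "-j":
                    rule["target"] = val
            chains.setdefault(tok[1], []).append(rule)
    return policies, chains


def verdict(policies, chains, proto, dport, src, chain="INPUT"):
    """Walk a chain in order; None means 'return to the calling chain'."""
    for r in chains.get(chain, []):
        if r["proto"] and r["proto"] != proto:
            continue
        if r["dports"] and str(dport) not in r["dports"]:
            continue
        if r["src"] and r["src"] != src:
            continue
        target = r["target"]
        if target in TERMINAL:
            return target
        if target == "RETURN":
            break
        if target in chains:
            result = verdict(policies, chains, proto, dport, src, target)
            if result is not None:
                return result
    return policies.get(chain)    # built-in chains fall back to their policy


def check(rules_text, proto, dport, src):
    policies, chains = parse_rules(rules_text)
    return verdict(policies, chains, proto, dport, src)


if __name__ == "__main__":
    banned = "81.169.xxx.xxx"
    print("posted rules, tcp/8083:", check(RULES, "tcp", 8083, banned))
    print("posted rules, udp/8083:", check(RULES, "udp", 8083, banned))
    print("tcp chain,    tcp/8083:", check(FIXED_RULES, "tcp", 8083, banned))
```

With the posted rules the banned address is dropped only for udp, so a tcp connection to port 8083 falls through to the INPUT policy.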

Tom111
Re: Blocking FHEM hackers with fail2ban
« Reply #14 on: 18 February 2018, 20:50:25 »
> Only some smart aleck was of the opinion that FHEM communicates over the udp protocol on port 8083.
> By the way, here is your banned IP subnet
> -A fail2ban-fhem-udp -s 81.169.xxx.xxx/32 -j DROP

If fail2ban is blocking, why can I still log in with the same IP???