Package: fail2ban
Version: 0.8.6-3
Followup-For: Bug #620760
Dear Maintainer,
The issue (looking in /var/log/dropbear instead of /var/log/auth.log) still
exists in this version of fail2ban. In addition, the
issues with the regexps are misleading.
The comments in /etc/fail2ban/filter.d/dropbear.conf say:
# The standard Dropbear output doesn't provide enough information to
# ban all types of attack. The Dropbear patch adds IP address
# information to the 'exit before auth' message which is always
# produced for any form of non-successful login
However, that doesn't take into account the fact that dropbear forks per
connection. If you look at the following excerpts from my
/var/log/auth.log you can see the ip is listed on one line, and the
'exit before auth' line is on a different line, but with the same PID.
Jun 14 17:29:35 bminton dropbear[12820]: Child connection from 78.129.132.12:46967
Jun 14 17:29:37 bminton dropbear[12820]: Login attempt for nonexistent user from 78.129.132.12:46967
Jun 14 17:29:37 bminton dropbear[12820]: Exit before auth: Disconnect received
Jun 14 17:29:37 bminton dropbear[12821]: Child connection from 78.129.132.12:47087
Jun 14 17:29:39 bminton dropbear[12821]: Login attempt for nonexistent user from 78.129.132.12:47087
Jun 14 17:29:39 bminton dropbear[12821]: Exit before auth: Disconnect received
Jun 14 17:29:40 bminton dropbear[12822]: Child connection from 78.129.132.12:47182
Jun 14 17:29:41 bminton dropbear[12822]: Login attempt for nonexistent user from 78.129.132.12:47182
Jun 14 17:29:41 bminton dropbear[12822]: Exit before auth: Disconnect received
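As an added illustration (not part of the bug report or of fail2ban itself), the script below runs both approaches over the excerpt above: a single-line match of the kind the unpatched filter relies on finds no address on the 'Exit before auth' lines, while correlating on the dropbear child PID attributes all three failures to the source address. The one-line regex is an assumed form, not the stock dropbear.conf failregex.

```python
import re
from collections import defaultdict

# The three connections quoted in the report, one log line per entry.
SAMPLE_LOG = """\
Jun 14 17:29:35 bminton dropbear[12820]: Child connection from 78.129.132.12:46967
Jun 14 17:29:37 bminton dropbear[12820]: Login attempt for nonexistent user from 78.129.132.12:46967
Jun 14 17:29:37 bminton dropbear[12820]: Exit before auth: Disconnect received
Jun 14 17:29:37 bminton dropbear[12821]: Child connection from 78.129.132.12:47087
Jun 14 17:29:39 bminton dropbear[12821]: Login attempt for nonexistent user from 78.129.132.12:47087
Jun 14 17:29:39 bminton dropbear[12821]: Exit before auth: Disconnect received
Jun 14 17:29:40 bminton dropbear[12822]: Child connection from 78.129.132.12:47182
Jun 14 17:29:41 bminton dropbear[12822]: Login attempt for nonexistent user from 78.129.132.12:47182
Jun 14 17:29:41 bminton dropbear[12822]: Exit before auth: Disconnect received
"""

LINE_RE = re.compile(r"dropbear\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CHILD_RE = re.compile(r"Child connection from (?P<ip>\d+\.\d+\.\d+\.\d+):\d+")
EXIT_RE = re.compile(r"Exit before auth")

# Assumed single-line form: the address must sit on the 'Exit before auth' line itself,
# which only holds with the Dropbear patch mentioned in dropbear.conf.
ONE_LINE_RE = re.compile(r"Exit before auth.*?(?P<ip>\d+\.\d+\.\d+\.\d+)")


def one_line_matches(log_text):
    """Count 'Exit before auth' lines that carry an address on the same line."""
    return sum(1 for line in log_text.splitlines() if ONE_LINE_RE.search(line))


def failures_by_ip(log_text):
    """Return {ip: number of 'Exit before auth' events}, correlating lines by child PID."""
    pid_to_ip = {}
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        child = CHILD_RE.match(msg)
        if child:
            pid_to_ip[pid] = child.group("ip")  # remember which peer this child serves
        elif EXIT_RE.match(msg):
            ip = pid_to_ip.pop(pid, None)  # pop: PIDs are reused once the child exits
            if ip is not None:
                counts[ip] += 1
    return dict(counts)


if __name__ == "__main__":
    print("single-line matches:", one_line_matches(SAMPLE_LOG))
    print("failures by PID correlation:", failures_by_ip(SAMPLE_LOG))
```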
-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'stable')
Architecture: i386 (x86_64)
Kernel: Linux 3.0.24-std251-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash
Versions of packages fail2ban depends on:
ii lsb-base 4.1+Debian7
ii python 2.7.3~rc2-1
ii python-central 0.6.17
Versions of packages fail2ban recommends:
ii iptables 1.4.13-1.1
ii python-gamin 0.1.10-4
ii whois 5.0.16
Versions of packages fail2ban suggests:
ii bsd-mailx [mailx] 8.1.2-0.20111106cvs-1
-- Configuration Files:
/etc/fail2ban/jail.conf changed:
[DEFAULT]
ignoreip = 127.0.0.1/8
bantime = 600
maxretry = 3
backend = auto
destemail = root@localhost
banaction = iptables-multiport
mta = sendmail
protocol = tcp
chain = INPUT
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
            %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
             %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
action = %(action_)s
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 6
[dropbear]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 6
[pam-generic]
enabled = false
filter = pam-generic
port = all
banaction = iptables-allports
port = anyport
logpath = /var/log/auth.log
maxretry = 6
[xinetd-fail]
enabled = false
filter = xinetd-fail
port = all
banaction = iptables-multiport-log
logpath = /var/log/daemon.log
maxretry = 2
[ssh-ddos]
enabled = false
port = ssh
filter = sshd-ddos
logpath = /var/log/auth.log
maxretry = 6
[apache]
enabled = false
port = http,https
filter = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 6
[apache-multiport]
enabled = false
port = http,https
filter = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 6
[apache-noscript]
enabled = false
port = http,https
filter = apache-noscript
logpath = /var/log/apache*/*error.log
maxretry = 6
[apache-overflows]
enabled = false
port = http,https
filter = apache-overflows
logpath = /var/log/apache*/*error.log
maxretry = 2
[vsftpd]
enabled = false
port = ftp,ftp-data,ftps,ftps-data
filter = vsftpd
logpath = /var/log/vsftpd.log
maxretry = 6
[proftpd]
enabled = false
port = ftp,ftp-data,ftps,ftps-data
filter = proftpd
logpath = /var/log/proftpd/proftpd.log
maxretry = 6
[pure-ftpd]
enabled = false
port = ftp,ftp-data,ftps,ftps-data
filter = pure-ftpd
logpath = /var/log/auth.log
maxretry = 6
[wuftpd]
enabled = false
port = ftp,ftp-data,ftps,ftps-data
filter = wuftpd
logpath = /var/log/auth.log
maxretry = 6
[postfix]
enabled = false
port = smtp,ssmtp
filter = postfix
logpath = /var/log/mail.log
[couriersmtp]
enabled = false
port = smtp,ssmtp
filter = couriersmtp
logpath = /var/log/mail.log
[courierauth]
enabled = false
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter = courierlogin
logpath = /var/log/mail.log
[sasl]
enabled = false
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter = sasl
logpath = /var/log/mail.log
[dovecot]
enabled = false
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter = dovecot
logpath = /var/log/mail.log
[named-refused-tcp]
enabled = false
port = domain,953
protocol = tcp
filter = named-refused
logpath = /var/log/named/security.log
-- no debconf information