Keyhelp and Fail2Ban Config

Discussions about using KeyHelp.
Tobi7889
Posts: 27
Joined: Tue 3. Oct 2023, 22:38
Location: Hannover

Keyhelp and Fail2Ban Config

Post by Tobi7889 »

Hi everyone,

I am currently going through my system (Debian 12) a bit and noticed that there seem to be a few problems with Fail2Ban.
Basically, SSH IPs are being banned massively, which is good, and my modsecurity rules also trigger correctly.

However, none of the kh-* rules currently triggers.

Interestingly, there are various scenarios in which it (in my view) should trigger:

pam_unix(proftpd:auth): authentication failure

warning: unknown[XXX.XXX.XXX.XXX]: SASL LOGIN authentication failed: UGFzc3dvcmQ6, sasl_username=admin@XXXXXXXXXXX

imap-login: Disconnected: Connection closed (auth failed, 1 attempts in 6 secs): user=<xxxxxxxxxxx@xxxxxxxxxx.de>, method=PLAIN, rip=xxx.xxx.xxx.xxx, lip=xxx.xxx.xxx.xxx, TLS: Connection closed, session=<tvcnWnsTfdrZ7wPm>
The log files are full of failed logins, including within the time window configured in keyhelp.local.

I have now created my own file with the following values:

[postfix-sasl]
enabled  = true
port     = smtp,ssmtp,smtps,submission,submissions
filter   = postfix-sasl
backend  = systemd
maxretry = 10
findtime = 600
bantime  = 1800  ; 30 minutes

[postfix-sasl-long]
enabled  = true
port     = smtp,ssmtp,smtps,submission,submissions
filter   = postfix-sasl
backend  = systemd
maxretry = 50
findtime = 3600
bantime  = 86400  ; 1 day
And built a filter to go with it:

[Definition]
failregex = warning: unknown\[<HOST>\]: SASL LOGIN authentication failed: .*, sasl_username=.*
This immediately locked out various IPs that I had noticed myself.

My question at this point is whether the standard postfix.conf in Fail2Ban does not cover this scenario, or whether there is an error on my side with keyhelp.local? Because apparently it does not work correctly for Dovecot and co either.

Everything in it is actually standard and defined as follows:

# Mail server

[kh-postfix]
enabled  = true
port     = smtp,ssmtp,smtps,submission,submissions
filter   = postfix
backend  = systemd
maxretry = 6
findtime = 600
bantime = 30m

[kh-dovecot]
enabled  = true
port     = pop3,pop3s,imap,imaps,submission,submissions,sieve
filter   = dovecot
backend  = systemd
maxretry = 10
findtime = 600
bantime = 30m
In my view it should then also trigger, since I don't believe the standard filter allows failed logins?
Kind regards
Tobias
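The failregex from the post, replayed offline against constructed log lines, as an added example that is not part of the original thread and not fail2ban's own code: it expands fail2ban's <HOST> placeholder, counts matches per client inside a findtime window and reports which clients the maxretry/findtime pair of each jail would ban. The simplified host pattern, the sample lines (RFC 5737 documentation addresses) and the generalised regex that also accepts a resolved client name instead of the literal `unknown` are assumptions; the pam_unix line from the post carries no client address at all, so no host-based failregex can ban anything from it. On the real system, `fail2ban-regex` against the journal is the tool that answers the same question.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Simplified stand-in for fail2ban's <HOST> placeholder (assumption: fail2ban's real
# pattern is more elaborate); accepts an IPv4 address, an IPv6 address or a DNS name.
HOST_RE = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3}|[0-9A-Fa-f:]+|[\w.-]+)"

# failregex exactly as posted: only clients that Postfix logs as "unknown"
POST_REGEX = r"warning: unknown\[<HOST>\]: SASL LOGIN authentication failed: .*, sasl_username=.*"
# Assumed generalisation: also catch clients whose reverse DNS resolved (name[ip])
GENERAL_REGEX = r"warning: \S+\[<HOST>\]: SASL LOGIN authentication failed: .*, sasl_username=.*"


def compile_failregex(failregex: str) -> re.Pattern:
    """Turn a fail2ban-style failregex into a Python regex with a named 'host' group."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def match_host(failregex: str, line: str):
    """Host the regex extracts from one log line, or None if the line does not match."""
    m = compile_failregex(failregex).search(line)
    return m.group("host") if m else None


def evaluate_jail(lines, failregex: str, maxretry: int, findtime: int) -> list:
    """Replay (timestamp, message) pairs through a jail's failregex and return the
    hosts that reach maxretry failures inside a sliding findtime-second window."""
    pattern = compile_failregex(failregex)
    window = defaultdict(list)  # host -> timestamps of its recent failures
    banned = []
    for ts, msg in lines:
        m = pattern.search(msg)
        if not m:
            continue  # no match, or no host in the line: nothing to ban
        host = m.group("host")
        recent = [t for t in window[host] if ts - t <= timedelta(seconds=findtime)]
        recent.append(ts)
        window[host] = recent
        if len(recent) >= maxretry and host not in banned:
            banned.append(host)
    return banned


def burst(client: str, start: datetime, count: int, step_seconds: int) -> list:
    """Constructed Postfix SASL failure lines for one client, `count` of them `step_seconds` apart."""
    msg = f"warning: {client}: SASL LOGIN authentication failed: UGFzc3dvcmQ6, sasl_username=admin@example.test"
    return [(start + timedelta(seconds=i * step_seconds), msg) for i in range(count)]


T0 = datetime(2024, 3, 13, 9, 0, 0)
# Constructed sample input, not real traffic
SAMPLE_LINES = (
    burst("unknown[192.0.2.10]", T0, 10, 30)                  # 10 failures within 4.5 minutes
    + burst("unknown[198.51.100.7]", T0, 10, 900)             # 10 failures spread over 2.25 hours
    + burst("relay.example.test[203.0.113.5]", T0, 12, 20)    # client with a resolved name
    + [(T0, "pam_unix(proftpd:auth): authentication failure")]  # no client address in the line
)

if __name__ == "__main__":
    for name, regex, retries, ft in [
        ("postfix-sasl (posted regex)", POST_REGEX, 10, 600),
        ("postfix-sasl (general regex)", GENERAL_REGEX, 10, 600),
        ("postfix-sasl-long (general regex)", GENERAL_REGEX, 50, 3600),
    ]:
        print(f"{name}: bans {evaluate_jail(SAMPLE_LINES, regex, retries, ft)}")
```

Running it shows the posted regex banning only 192.0.2.10: the slow client stays under maxretry within any 600-second window, and the client with a resolved name is never matched because the regex insists on the literal `unknown`.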
Alexander
Keyweb AG
Posts: 3842
Joined: Wed 20. Jan 2016, 02:23

Re: Keyhelp and Fail2Ban Config

Post by Alexander »

Hello,

what does the Fail2Ban log say shortly after Fail2Ban is restarted, when it activates the individual jails?
Kind regards / Best regards
Alexander Mahr

**************************************************************
Keyweb AG - The Hosting Brand
Neuwerkstr. 45/46, 99084 Erfurt / Germany
http://www.keyweb.de - http://www.keyhelp.de
**************************************************************
Tobi7889
Posts: 27
Joined: Tue 3. Oct 2023, 22:38
Location: Hannover

Re: Keyhelp and Fail2Ban Config

Post by Tobi7889 »

Hi,

2024-03-13 09:17:59,854 fail2ban.jail           [842246]: INFO    Creating new jail 'postfix-sasl'
2024-03-13 09:17:59,854 fail2ban.jail           [842246]: INFO    Jail 'postfix-sasl' uses systemd {}
2024-03-13 09:17:59,854 fail2ban.jail           [842246]: INFO    Initiated 'systemd' backend
2024-03-13 09:17:59,854 fail2ban.filter         [842246]: INFO      maxRetry: 10
2024-03-13 09:17:59,854 fail2ban.filter         [842246]: INFO      findtime: 600
2024-03-13 09:17:59,854 fail2ban.actions        [842246]: INFO      banTime: 1800
2024-03-13 09:17:59,854 fail2ban.filter         [842246]: INFO      encoding: UTF-8
2024-03-13 09:17:59,855 fail2ban.jail           [842246]: INFO    Creating new jail 'sshd-long'
2024-03-13 09:17:59,855 fail2ban.jail           [842246]: INFO    Jail 'sshd-long' uses pyinotify {}
2024-03-13 09:17:59,855 fail2ban.jail           [842246]: INFO    Initiated 'pyinotify' backend
2024-03-13 09:17:59,856 fail2ban.filter         [842246]: INFO      maxLines: 1
2024-03-13 09:17:59,856 fail2ban.filter         [842246]: INFO      maxRetry: 5
2024-03-13 09:17:59,856 fail2ban.filter         [842246]: INFO      findtime: 86400
2024-03-13 09:17:59,856 fail2ban.actions        [842246]: INFO      banTime: 604800
2024-03-13 09:17:59,856 fail2ban.filter         [842246]: INFO      encoding: UTF-8
2024-03-13 09:17:59,856 fail2ban.jail           [842246]: INFO    Creating new jail 'kh-postfix'
2024-03-13 09:17:59,856 fail2ban.jail           [842246]: INFO    Jail 'kh-postfix' uses systemd {}
2024-03-13 09:17:59,856 fail2ban.jail           [842246]: INFO    Initiated 'systemd' backend
2024-03-13 09:17:59,857 fail2ban.filtersystemd  [842246]: INFO    [kh-postfix] Added journal match for: '_SYSTEMD_UNIT=postfix.service'
2024-03-13 09:17:59,857 fail2ban.filter         [842246]: INFO      maxRetry: 6
2024-03-13 09:17:59,857 fail2ban.filter         [842246]: INFO      findtime: 600
2024-03-13 09:17:59,857 fail2ban.actions        [842246]: INFO      banTime: 1800
2024-03-13 09:17:59,857 fail2ban.filter         [842246]: INFO      encoding: UTF-8
2024-03-13 09:17:59,857 fail2ban.jail           [842246]: INFO    Creating new jail 'kh-dovecot'
2024-03-13 09:17:59,857 fail2ban.jail           [842246]: INFO    Jail 'kh-dovecot' uses systemd {}
2024-03-13 09:17:59,876 fail2ban.jail           [842246]: INFO    Initiated 'systemd' backend
2024-03-13 09:17:59,877 fail2ban.datedetector   [842246]: INFO      date pattern `''`: `{^LN-BEG}TAI64N`
2024-03-13 09:17:59,877 fail2ban.filtersystemd  [842246]: INFO    [kh-dovecot] Added journal match for: '_SYSTEMD_UNIT=dovecot.service'
2024-03-13 09:17:59,877 fail2ban.filter         [842246]: INFO      maxRetry: 10
2024-03-13 09:17:59,877 fail2ban.filter         [842246]: INFO      findtime: 600
2024-03-13 09:17:59,877 fail2ban.actions        [842246]: INFO      banTime: 1800
2024-03-13 09:17:59,877 fail2ban.filter         [842246]: INFO      encoding: UTF-8
2024-03-13 09:17:59,877 fail2ban.jail           [842246]: INFO    Creating new jail 'kh-ftp'
2024-03-13 09:17:59,877 fail2ban.jail           [842246]: INFO    Jail 'kh-ftp' uses systemd {}
2024-03-13 09:17:59,877 fail2ban.jail           [842246]: INFO    Initiated 'systemd' backend
2024-03-13 09:17:59,878 fail2ban.filtersystemd  [842246]: INFO    [kh-ftp] Added journal match for: '_SYSTEMD_UNIT=proftpd.service'
2024-03-13 09:17:59,878 fail2ban.filter         [842246]: INFO      maxRetry: 6
2024-03-13 09:17:59,878 fail2ban.filter         [842246]: INFO      findtime: 600
2024-03-13 09:17:59,878 fail2ban.actions        [842246]: INFO      banTime: 1800
2024-03-13 09:17:59,878 fail2ban.filter         [842246]: INFO      encoding: UTF-8
2024-03-13 09:17:59,878 fail2ban.jail           [842246]: INFO    Creating new jail 'proftpd-passive'
2024-03-13 09:17:59,878 fail2ban.jail           [842246]: INFO    Jail 'proftpd-passive' uses pyinotify {}
2024-03-13 09:17:59,879 fail2ban.jail           [842246]: INFO    Initiated 'pyinotify' backend
2024-03-13 09:17:59,879 fail2ban.filter         [842246]: INFO      maxRetry: 5
2024-03-13 09:17:59,880 fail2ban.filter         [842246]: INFO      findtime: 600
2024-03-13 09:17:59,880 fail2ban.actions        [842246]: INFO      banTime: 600
2024-03-13 09:17:59,880 fail2ban.filter         [842246]: INFO      encoding: UTF-8
2024-03-13 09:17:59,880 fail2ban.filter         [842246]: INFO    Added logfile: '/var/log/proftpd/proftpd.log' (pos = 0, hash = )
2024-03-13 09:17:59,880 fail2ban.jail           [842246]: INFO    Creating new jail 'kh-phpmyadmin'
2024-03-13 09:17:59,880 fail2ban.jail           [842246]: INFO    Jail 'kh-phpmyadmin' uses systemd {'journalflags': '1'}
2024-03-13 09:17:59,912 fail2ban.jail           [842246]: INFO    Initiated 'systemd' backend
2024-03-13 09:17:59,912 fail2ban.filtersystemd  [842246]: INFO    [kh-phpmyadmin] Added journal match for: 'SYSLOG_IDENTIFIER=phpMyAdmin'
2024-03-13 09:17:59,912 fail2ban.filter         [842246]: INFO      maxRetry: 3
2024-03-13 09:17:59,912 fail2ban.filter         [842246]: INFO      findtime: 600
2024-03-13 09:17:59,912 fail2ban.actions        [842246]: INFO      banTime: 1800
2024-03-13 09:17:59,912 fail2ban.filter         [842246]: INFO      encoding: UTF-8
2024-03-13 09:17:59,912 fail2ban.jail           [842246]: INFO    Creating new jail 'kh-roundcube'
2024-03-13 09:17:59,912 fail2ban.jail           [842246]: INFO    Jail 'kh-roundcube' uses systemd {'journalflags': '1'}
2024-03-13 09:17:59,913 fail2ban.jail           [842246]: INFO    Initiated 'systemd' backend
2024-03-13 09:17:59,914 fail2ban.filtersystemd  [842246]: INFO    [kh-roundcube] Added journal match for: 'SYSLOG_IDENTIFIER=roundcube'
2024-03-13 09:17:59,914 fail2ban.filter         [842246]: INFO      maxRetry: 5
2024-03-13 09:17:59,914 fail2ban.filter         [842246]: INFO      findtime: 600
2024-03-13 09:17:59,914 fail2ban.actions        [842246]: INFO      banTime: 1800
2024-03-13 09:17:59,914 fail2ban.filter         [842246]: INFO      encoding: UTF-8
2024-03-13 09:17:59,914 fail2ban.jail           [842246]: INFO    Creating new jail 'postfix-sasl-long'
2024-03-13 09:17:59,914 fail2ban.jail           [842246]: INFO    Jail 'postfix-sasl-long' uses systemd {}
2024-03-13 09:17:59,914 fail2ban.jail           [842246]: INFO    Initiated 'systemd' backend
2024-03-13 09:17:59,914 fail2ban.filter         [842246]: INFO      maxRetry: 50
2024-03-13 09:17:59,914 fail2ban.filter         [842246]: INFO      findtime: 3600
2024-03-13 09:17:59,914 fail2ban.actions        [842246]: INFO      banTime: 86400
2024-03-13 09:17:59,914 fail2ban.filter         [842246]: INFO      encoding: UTF-8
2024-03-13 09:17:59,914 fail2ban.jail           [842246]: INFO    Creating new jail 'test-apache-modsecurity'
2024-03-13 09:17:59,914 fail2ban.jail           [842246]: INFO    Jail 'test-apache-modsecurity' uses pyinotify {}
2024-03-13 09:17:59,915 fail2ban.jail           [842246]: INFO    Initiated 'pyinotify' backend
2024-03-13 09:17:59,915 fail2ban.filter         [842246]: INFO      maxRetry: 5
2024-03-13 09:17:59,915 fail2ban.filter         [842246]: INFO      findtime: 600
2024-03-13 09:17:59,915 fail2ban.actions        [842246]: INFO      banTime: 600
2024-03-13 09:17:59,915 fail2ban.filter         [842246]: INFO      encoding: UTF-8
2024-03-13 09:17:59,915 fail2ban.filter         [842246]: INFO    Added logfile: '/var/log/apache2/modsec_audit.log' (pos = 34871, hash = 049ddde389ce27efbaaba27b8fea274cb060b8a8)
2024-03-13 09:17:59,915 fail2ban.jail           [842246]: INFO    Creating new jail 'test-apache-modsecurity-long'
2024-03-13 09:17:59,916 fail2ban.jail           [842246]: INFO    Jail 'test-apache-modsecurity-long' uses pyinotify {}
2024-03-13 09:17:59,916 fail2ban.jail           [842246]: INFO    Initiated 'pyinotify' backend
2024-03-13 09:17:59,916 fail2ban.filter         [842246]: INFO      maxRetry: 20
2024-03-13 09:17:59,916 fail2ban.filter         [842246]: INFO      findtime: 3600
2024-03-13 09:17:59,916 fail2ban.actions        [842246]: INFO      banTime: 3600
2024-03-13 09:17:59,916 fail2ban.filter         [842246]: INFO      encoding: UTF-8
2024-03-13 09:17:59,916 fail2ban.filter         [842246]: INFO    Added logfile: '/var/log/apache2/modsec_audit.log' (pos = 34871, hash = 049ddde389ce27efbaaba27b8fea274cb060b8a8)
2024-03-13 09:17:59,916 fail2ban.jail           [842246]: INFO    Creating new jail 'apache-modsecurity-short'
2024-03-13 09:17:59,916 fail2ban.jail           [842246]: INFO    Jail 'apache-modsecurity-short' uses pyinotify {}
2024-03-13 09:17:59,917 fail2ban.jail           [842246]: INFO    Initiated 'pyinotify' backend
2024-03-13 09:17:59,918 fail2ban.filter         [842246]: INFO      maxRetry: 15
2024-03-13 09:17:59,918 fail2ban.filter         [842246]: INFO      findtime: 600
2024-03-13 09:17:59,918 fail2ban.actions        [842246]: INFO      banTime: 600
2024-03-13 09:17:59,918 fail2ban.filter         [842246]: INFO      encoding: UTF-8
2024-03-13 09:17:59,918 fail2ban.filter         [842246]: INFO    Added logfile: '/var/log/apache2/modsec_audit.log' (pos = 34871, hash = 049ddde389ce27efbaaba27b8fea274cb060b8a8)
2024-03-13 09:17:59,918 fail2ban.jail           [842246]: INFO    Creating new jail 'apache-modsecurity-long'
2024-03-13 09:17:59,918 fail2ban.jail           [842246]: INFO    Jail 'apache-modsecurity-long' uses pyinotify {}
2024-03-13 09:17:59,918 fail2ban.jail           [842246]: INFO    Initiated 'pyinotify' backend
2024-03-13 09:17:59,919 fail2ban.filter         [842246]: INFO      maxRetry: 30
2024-03-13 09:17:59,919 fail2ban.filter         [842246]: INFO      findtime: 3600
2024-03-13 09:17:59,919 fail2ban.actions        [842246]: INFO      banTime: 3600
2024-03-13 09:17:59,919 fail2ban.filter         [842246]: INFO      encoding: UTF-8
2024-03-13 09:17:59,919 fail2ban.filter         [842246]: INFO    Added logfile: '/var/log/apache2/modsec_audit.log' (pos = 34871, hash = 049ddde389ce27efbaaba27b8fea274cb060b8a8)
2024-03-13 09:17:59,928 fail2ban.jail           [842246]: INFO    Jail 'sshd' started
2024-03-13 09:17:59,929 fail2ban.jail           [842246]: INFO    Jail 'apache-badbots' started
2024-03-13 09:17:59,929 fail2ban.filtersystemd  [842246]: NOTICE  [postfix-sasl] Jail started without 'journalmatch' set. Jail regexs will be checked against all journal entries, which is not advised for performance reasons.
2024-03-13 09:17:59,929 fail2ban.jail           [842246]: INFO    Jail 'postfix-sasl' started
2024-03-13 09:17:59,930 fail2ban.jail           [842246]: INFO    Jail 'sshd-long' started
2024-03-13 09:17:59,930 fail2ban.jail           [842246]: INFO    Jail 'kh-postfix' started
2024-03-13 09:17:59,931 fail2ban.jail           [842246]: INFO    Jail 'kh-dovecot' started
2024-03-13 09:17:59,931 fail2ban.jail           [842246]: INFO    Jail 'kh-ftp' started
2024-03-13 09:17:59,932 fail2ban.filtersystemd  [842246]: INFO    [kh-postfix] Jail is in operation now (process new journal entries)
2024-03-13 09:17:59,932 fail2ban.jail           [842246]: INFO    Jail 'proftpd-passive' started
2024-03-13 09:17:59,933 fail2ban.jail           [842246]: INFO    Jail 'kh-phpmyadmin' started
2024-03-13 09:17:59,936 fail2ban.jail           [842246]: INFO    Jail 'kh-roundcube' started
2024-03-13 09:17:59,936 fail2ban.filtersystemd  [842246]: NOTICE  [postfix-sasl-long] Jail started without 'journalmatch' set. Jail regexs will be checked against all journal entries, which is not advised for performance reasons.
2024-03-13 09:17:59,937 fail2ban.jail           [842246]: INFO    Jail 'postfix-sasl-long' started
2024-03-13 09:17:59,937 fail2ban.jail           [842246]: INFO    Jail 'test-apache-modsecurity' started
2024-03-13 09:17:59,939 fail2ban.jail           [842246]: INFO    Jail 'test-apache-modsecurity-long' started
2024-03-13 09:17:59,940 fail2ban.jail           [842246]: INFO    Jail 'apache-modsecurity-short' started
2024-03-13 09:17:59,944 fail2ban.jail           [842246]: INFO    Jail 'apache-modsecurity-long' started
2024-03-13 09:17:59,949 fail2ban.filtersystemd  [842246]: INFO    [postfix-sasl] Jail is in operation now (process new journal entries)
2024-03-13 09:17:59,951 fail2ban.filtersystemd  [842246]: INFO    [postfix-sasl-long] Jail is in operation now (process new journal entries)
2024-03-13 09:17:59,952 fail2ban.filtersystemd  [842246]: INFO    [kh-dovecot] Jail is in operation now (process new journal entries)
2024-03-13 09:17:59,953 fail2ban.filtersystemd  [842246]: INFO    [sshd] Jail is in operation now (process new journal entries)
2024-03-13 09:17:59,955 fail2ban.filtersystemd  [842246]: INFO    [kh-phpmyadmin] Jail is in operation now (process new journal entries)
2024-03-13 09:17:59,955 fail2ban.filtersystemd  [842246]: INFO    [kh-roundcube] Jail is in operation now (process new journal entries)
2024-03-13 09:17:59,978 fail2ban.filtersystemd  [842246]: INFO    [kh-ftp] Jail is in operation now (process new journal entries)
Kind regards
Tobias
Ralph
Posts: 847
Joined: Mon 30. Mar 2020, 16:14

Re: Keyhelp and Fail2Ban Config

Post by Ralph »

Tobi7889 wrote: Tue 12. Mar 2024, 22:36 My question at this point is whether the standard postfix.conf in Fail2Ban does not cover this scenario, or whether there is an error on my side with keyhelp.local? Because apparently it does not work correctly for Dovecot and co either.

[kh-postfix]
mode = aggressive
this should make the standard postfix filter stricter - but there are correspondingly many false positive blockings ... the mode can be specified even more precisely, but that did not really work well either

That is why I also built an extra postfix-sasl.conf and a postfix-rbl.conf, because the standard Postfix filter in aggressive mode produced too many false positives for my customers ... I currently run the extra sasl filter with maxretry = 2 (because of the massive attacks), the standard Postfix filter with maxretry = 5 and the extra postfix-rbl filter with maxretry = 1
tab-kh
Posts: 460
Joined: Thu 22. Apr 2021, 23:06

Re: Keyhelp and Fail2Ban Config

Post by tab-kh »

So it definitely helps to replace

journalmatch = _SYSTEMD_UNIT=postfix.service
with

journalmatch = _SYSTEMD_UNIT=postfix@-.service
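Why the unit name matters, as an added example that is not from the thread, from KeyHelp or from fail2ban: fail2ban's systemd backend only hands a jail the journal entries that satisfy its journalmatch, so a jail matching `_SYSTEMD_UNIT=postfix.service` never sees a single line if Postfix actually logs under the instance unit `postfix@-.service`. The script parses a `journalctl -o json` export, lists which unit each syslog identifier really logs under, counts how many entries each journalmatch would admit, and prints the journalmatch line for the unit that the Postfix identifiers use. The journal entries are constructed sample data, and the matcher handles only the space-separated AND form of journalmatch (assumption: fail2ban also accepts `+`-separated alternatives, which this stand-in does not implement).

```python
import json
import sys
from collections import Counter
from pathlib import Path

# Constructed stand-in for `journalctl -o json` output (sample data, not a real journal):
# Postfix logs under the instance unit postfix@-.service, nothing is filed under plain
# postfix.service, and Dovecot logs under dovecot.service.
SAMPLE_JOURNAL = "\n".join(json.dumps(e) for e in [
    {"_SYSTEMD_UNIT": "postfix@-.service", "SYSLOG_IDENTIFIER": "postfix/smtpd",
     "MESSAGE": "warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6, sasl_username=admin@example.test"},
    {"_SYSTEMD_UNIT": "postfix@-.service", "SYSLOG_IDENTIFIER": "postfix/smtpd",
     "MESSAGE": "warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6, sasl_username=admin@example.test"},
    {"_SYSTEMD_UNIT": "postfix@-.service", "SYSLOG_IDENTIFIER": "postfix/qmgr",
     "MESSAGE": "1A2B3C4D5E: removed"},
    {"_SYSTEMD_UNIT": "dovecot.service", "SYSLOG_IDENTIFIER": "dovecot",
     "MESSAGE": "imap-login: Disconnected: Connection closed (auth failed, 1 attempts in 6 secs): "
                "user=<x@example.test>, method=PLAIN, rip=198.51.100.7, lip=203.0.113.1, TLS: Connection closed, session=<constructed>"},
])


def parse_journal(text: str) -> list:
    """One JSON object per line, the way `journalctl -o json` prints them."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def parse_journalmatch(spec: str) -> list:
    """Split a journalmatch value into (FIELD, VALUE) terms that must all hold.
    Assumption: only the space-separated AND form is handled here."""
    terms = []
    for term in spec.split():
        field, sep, value = term.partition("=")
        if not sep or not field:
            raise ValueError(f"journalmatch term must be FIELD=VALUE, got {term!r}")
        terms.append((field, value))
    return terms


def admitted(entries: list, journalmatch: str) -> list:
    """Entries a jail with this journalmatch would even get to run its failregex on."""
    terms = parse_journalmatch(journalmatch)
    return [e for e in entries if all(e.get(field) == value for field, value in terms)]


def units_by_identifier(entries: list) -> Counter:
    """How often each (SYSLOG_IDENTIFIER, _SYSTEMD_UNIT) pair occurs: where a daemon really logs."""
    return Counter((e.get("SYSLOG_IDENTIFIER"), e.get("_SYSTEMD_UNIT")) for e in entries)


def suggest_journalmatch(entries: list, identifier_prefix: str):
    """journalmatch line for the unit that identifiers starting with the prefix log under,
    or None if the journal holds no such entries."""
    units = Counter(
        e.get("_SYSTEMD_UNIT") for e in entries
        if e.get("SYSLOG_IDENTIFIER", "").startswith(identifier_prefix) and e.get("_SYSTEMD_UNIT")
    )
    if not units:
        return None
    unit, _count = units.most_common(1)[0]
    return f"journalmatch = _SYSTEMD_UNIT={unit}"


SAMPLE_ENTRIES = parse_journal(SAMPLE_JOURNAL)

if __name__ == "__main__":
    # Pass a file written with `journalctl -o json -t postfix/smtpd -n 200 > journal.json`
    # to check a real host; without an argument the constructed sample is used.
    entries = parse_journal(Path(sys.argv[1]).read_text()) if len(sys.argv) > 1 else SAMPLE_ENTRIES
    for (ident, unit), n in sorted(units_by_identifier(entries).items()):
        print(f"{n:4d}  {ident:<16} {unit}")
    for spec in ("_SYSTEMD_UNIT=postfix.service", "_SYSTEMD_UNIT=postfix@-.service"):
        print(f"{spec}: {len(admitted(entries, spec))} entries admitted")
    print(suggest_journalmatch(entries, "postfix/"))
```

Against the sample, `postfix.service` admits zero entries while `postfix@-.service` admits all three Postfix lines, which is exactly the silent failure the kh-postfix jail shows in the log above: the jail starts cleanly, but its failregex never receives anything to match.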
Ralph
Posts: 847
Joined: Mon 30. Mar 2020, 16:14

Re: Keyhelp and Fail2Ban Config

Post by Ralph »

tab-kh wrote: Wed 13. Mar 2024, 19:25 So it definitely helps to replace

journalmatch = _SYSTEMD_UNIT=postfix.service
with

journalmatch = _SYSTEMD_UNIT=postfix@-.service
ooh, right ... I had completely forgotten about that :mrgreen:
Alexander
Keyweb AG
Posts: 3842
Joined: Wed 20. Jan 2016, 02:23

Re: Keyhelp and Fail2Ban Config

Post by Alexander »

tab-kh wrote: Wed 13. Mar 2024, 19:25 So it definitely helps to replace

journalmatch = _SYSTEMD_UNIT=postfix.service
with

journalmatch = _SYSTEMD_UNIT=postfix@-.service
Errors in the Fail2Ban configuration files, as seems to be the case here, should as a rule be reported directly to the Fail2Ban developers:
https://github.com/fail2ban/fail2ban/issues/

That also worked well in a previous case here in the forum:
viewtopic.php?t=12811 -> https://github.com/fail2ban/fail2ban/issues/3622