Salut.
J'administre un serveur nextcloud 13 sous debian 9.3 avec Fail2ban v0.10.2 // iptables et autoreport vers
https://www.abuseipdb.com/check/121.169.217.98 pour une des IP que j'ai automatiquement reportées.
Je ne saisis pas pourquoi tu veux les logs de Nextcloud, qui sont bordéliques, pas fiables et qui changent d'une version à une autre.
Je te copie mes fichiers de conf qui fonctionnent bien et qui, eux, utilisent les logs classiques.
/etc/fail2ban/fail2ban.local
[Definition]
# Verbosity of fail2ban's own log: CRITICAL, ERROR, WARNING, NOTICE, INFO or DEBUG.
loglevel = INFO
# Where the daemon writes that log.
logtarget = /var/log/fail2ban.log
syslogsocket = auto

# Control socket and pid file used by fail2ban-client / the init system.
socket = /var/run/fail2ban/fail2ban.sock
pidfile = /var/run/fail2ban/fail2ban.pid

# Persistent ban database; bans still active at restart are re-applied from it
# (the "Restore Ban" lines in fail2ban.log). Entries older than 1 day are purged.
dbfile = /var/lib/fail2ban/fail2ban.sqlite3
dbpurgeage = 1d
/etc/fail2ban/jail.local
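# /etc/fail2ban/jail.local -- site overrides for fail2ban 0.10 (Debian 9).
# Read by fail2ban's configparser-based reader: "%(key)s" is interpolated, and a
# multi-line value (two actions for one jail) needs its continuation lines
# INDENTED -- the forum paste had dropped that indent, which would turn every
# second action line into a bogus key.
[INCLUDES]
before = paths-debian.conf

# Declared exactly once (the original had two [DEFAULT] headers, which a strict
# parser rejects and a lenient one merges or overwrites silently).
[DEFAULT]
# Never banned. 192.168.1.0/24 is the canonical spelling of the network the
# original wrote as 192.168.1.1/24 (same range).
ignoreip = 127.0.0.1/8 192.168.1.0/24
ignorecommand =
# seconds: 36000 = 10 h ban; 360000 = 100 h window in which maxretry failures count
bantime = 36000
findtime = 360000
maxretry = 5
backend = auto
usedns = warn
logencoding = auto
# Jails are opt-in and the key is "enabled" -- the original spelled it "enable"
# in six jails, so those never started (they are absent from the start-up log).
enabled = false
filter = %(__name__)s
destemail = root@localhost
sender = root@localhost
mta = sendmail
protocol = tcp
chain = INPUT
port = 0:65535
fail2ban_agent = Fail2Ban/%(fail2ban_version)s
banaction = iptables-multiport
banaction_allports = iptables-allports
# Fallback for %(logpath)s in the *-lines mail actions below. Beware: a jail with
# no logpath of its own (and none in jail.conf / jail.d) would scan THIS file --
# fail2ban's own log -- and match nothing.
logpath = /var/log/fail2ban.log
# Key for the %(abuseipdb)s shortcut (shown redacted). The original referenced
# %(_abuseipdb_my_key)s, a key that does not exist.
abuseipdb_my_key = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
abuseipdb = abuseipdb[abuseipdb_apikey="%(abuseipdb_my_key)s"]
# NOTE(review): the jails below call abuseipdb[...] directly instead of
# %(abuseipdb)s, so the key they actually use is the one in
# action.d/abuseipdb.local [Init]; keep the two in sync or drop one.
action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
action_mw = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
    %(mta)s-whois[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
    %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
action_xarf = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
    xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"]
action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
    %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
action_blocklist_de = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"]
action_badips = badips.py[category="%(__name__)s", banaction="%(banaction)s", agent="%(fail2ban_agent)s"]
action_badips_report = badips[category="%(__name__)s", agent="%(fail2ban_agent)s"]
# Default action for jails that do not set their own: ban only, no mail.
action = %(action_)s

# AbuseIPDB report categories (list pasted with lines cut at terminal width, "$").
#updated reports code from february 2028
#3 Fraud Orders Fraudulent orders.
#4 DDoS Attack Participating in distributed denial-of-service (usually part of botnet).
#5 FTP Brute-Force
#6 Ping of Death Oversized IP packet.
#7 Phishing Phishing websites and/or email.
#8 Fraud VoIP
#9 Open Proxy Open proxy, open relay, or Tor exit node.
#10 Web Spam Comment/forum spam, HTTP referer spam, or other CMS spam.
#11 Email Spam Spam email content, infected attachments, phishing emails, and spoofed senders (typically via exploited host or SMTP server abu$
#12 Blog Spam CMS blog comment spam.
#13 VPN IP Conjunctive category.
#14 Port Scan Scanning for open ports and vulnerable services.
#15 Hacking
#16 SQL Injection Attempts at SQL injection.
#17 Spoofing
#18 Brute-Force Credential brute-force attacks on webpage logins and services like SSH, FTP, SIP, SMTP, RDP, etc. This category is seperate fro$
#19 Bad Web Bot Webpage scraping (for email addresses, content, etc) and crawlers that do not honor robots.txt. Excessive requests and user age$
#20 Exploited Host Host is likely infected with malware and being used for other attacks or to host malicious content. The host owner may not be a$
# NOTE(review): categories 21 and 22 used below are not in this (truncated) list;
# on AbuseIPDB 21 is "Web App Attack" and 22 is "SSH" -- verify, because
# http-get-dos reports 22 for an HTTP flood.

# NOTE(review): every HTTP jail below uses name=HTTP, i.e. they all insert into
# ONE f2b-HTTP chain. With the stock iptables actions, stopping any one of these
# jails flushes and deletes that chain for all of them. Give each jail its own
# name (or accept the coupling knowingly).
# The explicit action port replaces the jail's "port =" line, so the original
# iptables[... port=http ...] banned port 80 only while the jail claimed
# http,https; iptables-multiport with both ports matches the jail's intent.

[http-get-dos]
enabled = true
port = http,https
filter = http-get-dos
# 360 requests in 120 s
maxretry = 360
findtime = 120
# NOTE(review): the original set no logpath, so unless jail.conf / jail.d
# supplies one this jail scanned /var/log/fail2ban.log from [DEFAULT]. The
# Apache access log is the usual input for an http-get-dos filter -- confirm
# against filter.d/http-get-dos.conf.
logpath = %(apache_access_log)s
action = iptables-multiport[name=HTTP, port="http,https", protocol=tcp]
    abuseipdb[abuseipdb_category="4,22"]

[sshd]
enabled = true
port = 1:65535
filter = sshd
maxretry = 2
action = iptables[name=SSH, port=ssh, protocol=tcp]
    abuseipdb[abuseipdb_category="14,18,22"]

[sshd-ddos]
# was "enable = true": the jail never started
enabled = true
maxretry = 2
port = 1:65535
#logpath = /var/log/sshd.log
action = iptables[name=SSH, port=ssh, protocol=tcp]
    abuseipdb[abuseipdb_category="14,18,22"]

[apache-auth]
enabled = true
port = http,https
logpath = %(apache_error_log)s
action = iptables-multiport[name=HTTP, port="http,https", protocol=tcp]
    abuseipdb[abuseipdb_category="18"]

[apache-badbots]
port = http,https
logpath = %(apache_access_log)s
maxretry = 2
enabled = true
action = iptables-multiport[name=HTTP, port="http,https", protocol=tcp]
    abuseipdb[abuseipdb_category="19"]

[apache-noscript]
port = http,https
logpath = %(apache_error_log)s
enabled = true
action = iptables-multiport[name=HTTP, port="http,https", protocol=tcp]
    abuseipdb[abuseipdb_category="15"]

[apache-overflows]
# was "enable = true": the jail never started
enabled = true
port = http,https
logpath = %(apache_error_log)s
maxretry = 2
action = iptables-multiport[name=HTTP, port="http,https", protocol=tcp]
    abuseipdb[abuseipdb_category="15"]

[apache-nohome]
enabled = true
port = http,https
logpath = %(apache_error_log)s
maxretry = 2
action = iptables-multiport[name=HTTP, port="http,https", protocol=tcp]
    abuseipdb[abuseipdb_category="15"]

[apache-botsearch]
# was "enable = true": the jail never started
enabled = true
port = http,https
logpath = %(apache_error_log)s
maxretry = 2
action = iptables-multiport[name=HTTP, port="http,https", protocol=tcp]
    abuseipdb[abuseipdb_category="15,19"]

[apache-fakegooglebot]
# was "enable = true": the jail never started
enabled = true
port = http,https
logpath = %(apache_access_log)s
maxretry = 1
# reverse-DNS check: a hit whose PTR really is Google is not banned
ignorecommand = %(ignorecommands_dir)s/apache-fakegooglebot <ip>
action = iptables-multiport[name=HTTP, port="http,https", protocol=tcp]
    abuseipdb[abuseipdb_category="15,19"]

[apache-modsecurity]
# was "enable = true": the jail never started
enabled = true
port = http,https
logpath = %(apache_error_log)s
maxretry = 2
action = iptables-multiport[name=HTTP, port="http,https", protocol=tcp]
    abuseipdb[abuseipdb_category="15,19,21"]

[apache-shellshock]
port = http,https
logpath = %(apache_error_log)s
maxretry = 1
# was "enable = true": the jail never started
enabled = true
action = iptables-multiport[name=HTTP, port="http,https", protocol=tcp]
    abuseipdb[abuseipdb_category="15,19,21"]
#EOF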
/etc/fail2ban/action.d/abuseipdb.local
# /etc/fail2ban/action.d/abuseipdb.local -- overrides for the stock abuseipdb.conf.
# Only the keys set here replace the stock definition; anything not listed still
# comes from abuseipdb.conf.
[Definition]
# No per-jail setup/teardown: reporting is a single HTTP POST per ban.
actionstart =
actionstop =
actioncheck =
# Reports <ip> with the jail's <abuseipdb_category> and the matched log lines as
# the comment. (Line cut at terminal width in the paste, "$".)
# NOTE(review): fail2ban echoes this whole command -- API key included -- into
# fail2ban.log (the "exec:" lines in the log excerpt), so keep that log root-only.
# NOTE(review): bans re-applied from the database at start-up ("Restore Ban")
# also run this and failed with curl exit 6 (host not resolved: network not up
# yet). If the installed abuseipdb.conf does not already set it, "norestored = 1"
# in this section would skip reporting for restored bans -- confirm.
# NOTE(review): the stderr lines logged as ERROR are curl's progress meter;
# adding --silent --show-error would keep only real errors in the log.
actionban = curl --tlsv1.2 --data 'key=<abuseipdb_apikey>' --data-urlencode 'comment=<matches>' --data 'ip=<ip>' --data 'category=<abuseipdb_category>'$
# Nothing to undo at unban: reports are not retracted.
actionunban =

[Init]
# AbuseIPDB API key (shown redacted). This is the key the jails actually use;
# the copy in jail.local [DEFAULT] is only read by the %(abuseipdb)s shortcut.
abuseipdb_apikey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
quelques extraits du log de fail2ban
/var/log/fail2ban.log
2018-02-20 00:41:05,373 fail2ban.server [567]: INFO --------------------------------------------------
2018-02-20 00:41:05,374 fail2ban.server [567]: INFO Starting Fail2ban v0.10.2
2018-02-20 00:41:05,393 fail2ban.database [567]: INFO Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2018-02-20 00:41:05,399 fail2ban.jail [567]: INFO Creating new jail 'sshd'
2018-02-20 00:41:05,442 fail2ban.jail [567]: INFO Jail 'sshd' uses pyinotify {}
2018-02-20 00:41:05,460 fail2ban.jail [567]: INFO Initiated 'pyinotify' backend
2018-02-20 00:41:05,464 fail2ban.filter [567]: INFO maxLines: 1
2018-02-20 00:41:05,514 fail2ban.server [567]: INFO Jail sshd is not a JournalFilter instance
2018-02-20 00:41:05,515 fail2ban.filter [567]: INFO encoding: UTF-8
2018-02-20 00:41:05,516 fail2ban.filter [567]: INFO Added logfile: '/var/log/auth.log' (pos = 278924, hash = 1d44d07664e2b0df8dd567058fecc9f$
2018-02-20 00:41:05,524 fail2ban.filter [567]: INFO findtime: 360000
2018-02-20 00:41:05,525 fail2ban.filter [567]: INFO maxRetry: 2
2018-02-20 00:41:05,525 fail2ban.actions [567]: INFO banTime: 36000
2018-02-20 00:41:05,526 fail2ban.jail [567]: INFO Creating new jail 'apache-auth'
2018-02-20 00:41:05,526 fail2ban.jail [567]: INFO Jail 'apache-auth' uses pyinotify {}
2018-02-20 00:41:05,537 fail2ban.jail [567]: INFO Initiated 'pyinotify' backend
2018-02-20 00:41:05,544 fail2ban.filter [567]: INFO encoding: UTF-8
2018-02-20 00:41:05,547 fail2ban.filter [567]: INFO Added logfile: '/var/log/apache2/error.log' (pos = 1295, hash = da06c7429d4ea5d953113867$
2018-02-20 00:41:05,548 fail2ban.filter [567]: INFO findtime: 360000
2018-02-20 00:41:05,548 fail2ban.filter [567]: INFO maxRetry: 5
2018-02-20 00:41:05,550 fail2ban.actions [567]: INFO banTime: 36000
2018-02-20 00:41:05,551 fail2ban.jail [567]: INFO Creating new jail 'apache-badbots'
2018-02-20 00:41:05,551 fail2ban.jail [567]: INFO Jail 'apache-badbots' uses pyinotify {}
2018-02-20 00:41:05,561 fail2ban.jail [567]: INFO Initiated 'pyinotify' backend
et la partie la plus explicite :
2018-02-20 00:41:05,901 fail2ban.jail [567]: INFO Jail 'sshd' started
2018-02-20 00:41:05,911 fail2ban.jail [567]: INFO Jail 'apache-auth' started
2018-02-20 00:41:05,917 fail2ban.jail [567]: INFO Jail 'apache-badbots' started
2018-02-20 00:41:05,919 fail2ban.jail [567]: INFO Jail 'apache-noscript' started
2018-02-20 00:41:05,921 fail2ban.jail [567]: INFO Jail 'apache-nohome' started
2018-02-20 00:41:05,923 fail2ban.jail [567]: INFO Jail 'proftpd' started
2018-02-20 00:41:05,927 fail2ban.jail [567]: INFO Jail 'pure-ftpd' started
2018-02-20 00:41:05,933 fail2ban.jail [567]: INFO Jail 'gssftpd' started
2018-02-20 00:41:05,946 fail2ban.jail [567]: INFO Jail 'wuftpd' started
2018-02-20 00:41:05,951 fail2ban.jail [567]: INFO Jail 'solid-pop3d' started
2018-02-20 00:41:05,959 fail2ban.jail [567]: INFO Jail 'exim' started
2018-02-20 00:41:05,964 fail2ban.jail [567]: INFO Jail 'exim-spam' started
2018-02-20 00:41:05,987 fail2ban.jail [567]: INFO Jail 'http-get-dos' started
2018-02-20 00:41:06,098 fail2ban.actions [567]: NOTICE [sshd] Restore Ban 113.194.xxx.xxx
2018-02-20 00:41:06,236 fail2ban.utils [567]: Level 39 7fa6afdd1048 -- exec: ['f2bV_matches=$0 \ncurl --tlsv1.2 --data \'key=xxxxxxxxxxxxxxxxxxxx
2018-02-20 00:41:06,236 fail2ban.utils [567]: ERROR 7fa6afdd1048 -- stderr: ' % Total % Received % Xferd Average Speed Time Time $
2018-02-20 00:41:06,236 fail2ban.utils [567]: ERROR 7fa6afdd1048 -- stderr: ' Dload Upload Total Spent $
2018-02-20 00:41:06,236 fail2ban.utils [567]: ERROR 7fa6afdd1048 -- stderr: ''
2018-02-20 00:41:06,236 fail2ban.utils [567]: ERROR 7fa6afdd1048 -- stderr: ' 0 0 0 0 0 0 0 0 --:--:-- --:--:--$
2018-02-20 00:41:06,236 fail2ban.utils [567]: ERROR 7fa6afdd1048 -- returned 6
2018-02-20 00:41:06,236 fail2ban.actions [567]: ERROR Failed to execute ban jail 'sshd' action 'abuseipdb' info 'ActionInfo({'fid': '113.194.1$
2018-02-20 00:41:06,313 fail2ban.actions [567]: NOTICE [sshd] Restore Ban 131.153.xxx.xxx
2018-02-20 00:41:06,391 fail2ban.utils [567]: Level 39 7fa6afdc6508 -- exec: ['f2bV_matches=$0 \ncurl --tlsv1.2 --data \'key=xxxxxxxxxxxxxxxxxxxxx
2018-02-20 00:41:06,391 fail2ban.utils [567]: ERROR 7fa6afdc6508 -- stderr: ' % Total % Received % Xferd Average Speed Time Time $
2018-02-20 00:41:06,391 fail2ban.utils [567]: ERROR 7fa6afdc6508 -- stderr: ' Dload Upload Total Spent $
2018-02-20 00:41:06,391 fail2ban.utils [567]: ERROR 7fa6afdc6508 -- stderr: ''
2018-02-20 00:41:06,391 fail2ban.utils [567]: ERROR 7fa6afdc6508 -- stderr: ' 0 0 0 0 0 0 0 0 --:--:-- --:--:--$
2018-02-20 00:41:06,391 fail2ban.utils [567]: ERROR 7fa6afdc6508 -- returned 6
2018-02-20 00:41:06,391 fail2ban.actions [567]: ERROR Failed to execute ban jail 'sshd' action 'abuseipdb' info 'ActionInfo({'fid': '131.xxx.xxx$
2018-02-20 00:41:06,396 fail2ban.actions [567]: NOTICE [sshd] Restore Ban 148.101.xxx.xxx
et enfin un petit
iptables -L
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:8443
ACCEPT tcp -- anywhere anywhere tcp dpts:ftp-data:ftp
ACCEPT tcp -- anywhere anywhere tcp dpt:webmin
ACCEPT tcp -- anywhere anywhere tcp dpt:loc-srv
ACCEPT tcp -- anywhere anywhere tcp dpt:netbios-ns
ACCEPT tcp -- anywhere anywhere tcp dpt:netbios-dgm
ACCEPT tcp -- anywhere anywhere tcp dpt:netbios-ssn
ACCEPT tcp -- anywhere anywhere tcp dpt:microsoft-ds
ACCEPT udp -- anywhere anywhere udp dpt:loc-srv
ACCEPT udp -- anywhere anywhere udp dpt:netbios-ns
ACCEPT udp -- anywhere anywhere udp dpt:netbios-dgm
ACCEPT udp -- anywhere anywhere udp dpt:netbios-ssn
ACCEPT tcp -- anywhere anywhere tcp spt:mysql dpt:mysql
ACCEPT tcp -- anywhere anywhere tcp spt:urd dpt:urd
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain f2b-SSH (1 references)
target prot opt source destination
REJECT all -- 121.169.xxx.xxx anywhere reject-with icmp-port-unreachable
REJECT all -- xxx-xxx-21-170.speedconnect.net.br anywhere reject-with icmp-port-unreachable
REJECT all -- 167.249.xxx.xxx anywhere reject-with icmp-port-unreachable
REJECT all -- static.vnpt.vn anywhere reject-with icmp-port-unreachable
REJECT all -- static.customer-xxx-xxx-183-55.uninet-ide.com.mx anywhere reject-with icmp-port-unreachable
REJECT all -- xxx-xxx-153-117.dynamic-ip.hinet.net anywhere reject-with icmp-port-unreachable
REJECT all -- 49.156.xxx.xxx anywhere reject-with icmp-port-unreachable
REJECT all -- 103.99.xxx.xxx anywhere reject-with icmp-port-unreachable
REJECT all -- 5.188.xxx.xxx anywhere reject-with icmp-port-unreachable
REJECT all -- 103.89.xxx.xxx anywhere reject-with icmp-port-unreachable
REJECT all -- adsl-xxx-xxx.tricom.net anywhere reject-with icmp-port-unreachable
REJECT all -- 142.214.xxx.xxx.m.sta.codetel.net.do anywhere reject-with icmp-port-unreachable
- If it works, don't update it.
- You don't know how, just do it, you will learn.
- Test, re-test, test again, and maybe it will work.
- https://nextcloud.rkn.ovh/index.php/s/3yp93A7oNMPexcp