From: mrfroasty
To: gentoo-server@lists.gentoo.org
Subject: Re: [gentoo-server] iptables && fail2ban
Date: Sun, 02 Aug 2009 13:24:01 +0200
Message-ID: <4A757751.5000000@gmail.com>
In-Reply-To: <279fbba40908010253p11603234x627e90407f0eacf9@mail.gmail.com>
List-Id: Gentoo Linux mail

Hello Kerin,

Thanks for the pointer, I will take my time in searching for that
"attacking-loganalysis".
Actually we are talking about the proftpd daemon, analysed using /var/log/auth.log.

Here is the /var/log/auth.log that is supposed to trigger a BAN on fail2ban:

Jul 31 23:43:41 fileserver proftpd[28423]: fileserver.mzalendo.net (124.205.130.15[124.205.130.15]) - USER mysql (Login failed): Incorrect password.
Jul 31 23:43:41 fileserver proftpd[28423]: fileserver.mzalendo.net (124.205.130.15[124.205.130.15]) - USER mysql (Login failed): Incorrect password.
Jul 31 23:43:42 fileserver proftpd[28423]: fileserver.mzalendo.net (124.205.130.15[124.205.130.15]) - USER mysql (Login failed): Incorrect password.
Jul 31 23:43:42 fileserver proftpd[28423]: fileserver.mzalendo.net (124.205.130.15[124.205.130.15]) - Maximum login attempts (3) exceeded, connection refused
Jul 31 23:43:42 fileserver proftpd[28423]: fileserver.mzalendo.net (124.205.130.15[124.205.130.15]) - FTP session closed.

And here is the filter using a regular expression that actually confirms how it has been missed:

fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/proftpd.conf|grep 124.205.130.15

Is it a normal routine that users have to tweak those filters?

GR
mrfroasty

Kerin Millar wrote:
> 2009/8/2 mrfroasty <mrfroasty@gmail.com>:
>
>> Hello,
>>
>> I have set up iptables and fail2ban, but I am curious that this line of
>> defense seems not to work and ban me if I do this:
>> #wget ftp://mysql:xxxx@fileserver
>>
>> I have seen a script kiddie doing that and the firewall just didn't respond to
>> him, or at least not in the logs, that he had been banned when he tried that.
>> The firewall does ban or respond if I do this:
>> #wget ftp://foo:pass@fileserver
>>
>> Probably he could have been banned if he used a different user, but not
>> mysql...I am confused...any clue? :-D
>>
>
> You haven't provided any pertinent background information (ftp daemon
> in use, log message which is expected to trigger action, details of
> the fail2ban filter and so forth), which makes it rather difficult to
> take a view. My guess is that the particular filter you are using
> contains a regex which matches log messages from the daemon which
> convey only an invalid user, rather than an authentication failure in
> general. If so, you would need to adjust the filter - or add an
> additional one - so as to cover both cases.
>
> As a side note, do be careful when crafting the regular expressions
> that form the basis of the filter. The slightest mistake can
> potentially result in the tool being open to attack itself via log
> injection. For more information on this topic, search for
> "attacking-loganalysis.html" via Google and view the cached copy; the
> original article seems to have disappeared from the ossec.net site.
>
> Cheers,
>
> --Kerin

--
Extra details:
OSS:Gentoo Linux
profile:x86
Hardware:msi geforce 8600GT asus p5k-se
location:/home/muhsin
language(s):C/C++,VB,VHDL,bash,PHP,SQL,HTML,CSS
Typo:40WPM
url:http://www.mzalendo.net

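A worked check of the filter question raised in this thread, added here as an example; it is not code from the thread, from fail2ban or from proftpd. It is a small Python stand-in for fail2ban-regex run over the proftpd lines quoted above plus two constructed lines, comparing a filter that only knows the unknown-user message (Kerin's guess), an unanchored wrong-password pattern, and an anchored filter that also counts the lockout message. The <HOST> expansion, the unknown-user message format and the two extra sample lines are assumptions, not taken from the page or from fail2ban's shipped proftpd.conf.

```python
import re

# Simplified stand-in for fail2ban's <HOST> expansion (assumption, not fail2ban's exact pattern).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Fixed prefix of every proftpd line quoted in the thread. Anchoring on it pins the host
# capture to the server-written "(name[ip])" field, ahead of any client-supplied text.
PREFIX = r"^\w{3} +\d+ [\d:]+ \S+ proftpd\[\d+\]: \S+ \(\S+\[<HOST>\]\) - "

# Filter that only knows the unknown-user message (Kerin's guess about the shipped filter;
# the message wording itself is assumed here).
NARROW = [r"\(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found"]
# Unanchored wrong-password pattern: the host capture is free to float rightwards.
LOOSE = [r"\(\S+\[<HOST>\]\)[: -]+ USER \S+ \(Login failed\): Incorrect password\.$"]
# Anchored filter covering both outcomes, plus the lockout message, which carries no client text.
STRICT = [
    PREFIX + r"USER .+ \(Login failed\): Incorrect password\.$",
    PREFIX + r"USER .+: no such user found",
    PREFIX + r"Maximum login attempts \(\d+\) exceeded, connection refused$",
]

def count_failures(log_text, failregex_list):
    """Return {host: matching lines}, the per-host tally fail2ban-regex would report."""
    patterns = [re.compile(rx.replace("<HOST>", HOST)) for rx in failregex_list]
    hits = {}
    for line in log_text.splitlines():
        for pat in patterns:
            m = pat.search(line)
            if m:
                hits[m.group("host")] = hits.get(m.group("host"), 0) + 1
                break  # count at most one hit per line
    return hits

# Constructed sample: the lines quoted in the thread, an assumed unknown-user line, and a
# line whose username mimics the "(ip[ip]) - USER" host field (the log-injection case).
SAMPLE_LOG = """\
Jul 31 23:43:41 fileserver proftpd[28423]: fileserver.mzalendo.net (124.205.130.15[124.205.130.15]) - USER mysql (Login failed): Incorrect password.
Jul 31 23:43:41 fileserver proftpd[28423]: fileserver.mzalendo.net (124.205.130.15[124.205.130.15]) - USER mysql (Login failed): Incorrect password.
Jul 31 23:43:42 fileserver proftpd[28423]: fileserver.mzalendo.net (124.205.130.15[124.205.130.15]) - USER mysql (Login failed): Incorrect password.
Jul 31 23:43:42 fileserver proftpd[28423]: fileserver.mzalendo.net (124.205.130.15[124.205.130.15]) - Maximum login attempts (3) exceeded, connection refused
Jul 31 23:43:42 fileserver proftpd[28423]: fileserver.mzalendo.net (124.205.130.15[124.205.130.15]) - FTP session closed.
Jul 31 23:50:01 fileserver proftpd[28440]: fileserver.mzalendo.net (203.0.113.7[203.0.113.7]) - USER foo: no such user found
Jul 31 23:51:15 fileserver proftpd[28451]: fileserver.mzalendo.net (198.51.100.9[198.51.100.9]) - USER x (192.0.2.1[192.0.2.1]) - USER y (Login failed): Incorrect password.
"""

if __name__ == "__main__":
    for name, rules in (("narrow", NARROW), ("loose", LOOSE), ("strict", STRICT)):
        print(name, count_failures(SAMPLE_LOG, rules))
```

The narrow filter never sees 124.205.130.15 at all, which is the symptom described above; the loose pattern attributes the last line to 192.0.2.1 instead of the connecting host, while the anchored filter credits every line to the address proftpd itself wrote.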