openmediavault-fail2ban first version now available for testing
-
- OMV 1.0
- pr_bond
I don't know why my Fail2Ban keeps banning my subnet router IP.
Everything is working though.
Status
|- Number of jail: 5
`- Jail list: nginx-404, owncloud, apache-noscript, ssh, proftp
Status for the jail: nginx-404
|- filter
|  |- File list: /var/log/nginx/access.log /var/log/nginx/openmediavault-webgui_access.log /var/log/nginx/6d535d5a-81ad-401e-aa01-eb0723e5f168-access.log
|  |- Currently failed: 0
|  `- Total failed: 24
`- action
   |- Currently banned: 1
   |  `- IP list: 192.168.1.3
   `- Total banned: 2
-
Because I think Fail2ban sees in the log files "/var/log/nginx/access.log /var/log/nginx/openmediavault-webgui_access.log /var/log/nginx/6d535d5a-81ad-401e-aa01-eb0723e5f168-access.log" failed auth from 192.168.1.3.
Is this for a test?
Inspect your files and delete the line, or add 192.168.1.3 to IgnoreIp.
To unban:
root:/# fail2ban-client get nginx-404 actionunban 192.168.1.3
-
Restart the service:
root:/# service fail2ban restart
or
root:/# fail2ban-client stop
root:/# fail2ban-client start
or
root:/# fail2ban-client reload
Now, is it good?
-
I used these commands, cleared the log, restarted OMV, still the same error:
fail2ban-client get nginx-404 actionunban 192.168.1.3
fail2ban-client stop
fail2ban-client start
Status
|- Number of jail: 5
`- Jail list: nginx-404, owncloud, apache-noscript, ssh, proftp
Status for the jail: nginx-404
|- filter
|  |- File list: /var/log/nginx/access.log /var/log/nginx/openmediavault-webgui_access.log /var/log/nginx/6d535d5a-81ad-401e-aa01-eb0723e5f168-access.log
|  |- Currently failed: 0
|  `- Total failed: 24
`- action
   |- Currently banned: 1
   |  `- IP list: 192.168.1.3
   `- Total banned: 1
Hi,
The IP 192.168.1.3 has just been banned by Fail2Ban after 16 attempts against nginx-404.
Here are more information about 192.168.1.3:
Lines containing IP:192.168.1.3 in /var/log/nginx*/*access*.log
/var/log/nginx/openmediavault-webgui_access.log:::ffff:192.168.1.3 - - [08/Aug/2015:12:57:51 -0400] "POST /rpc.php HTTP/1.1" 200 42 "https://192.168.1.97:8443/" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0"
/var/log/nginx/openmediavault-webgui_access.log:::ffff:192.168.1.3 - - [08/Aug/2015:12:57:56 -0400] "POST /rpc.php HTTP/1.1" 200 42 "https://192.168.1.97:8443/" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0"
/var/log/nginx/openmediavault-webgui_access.log:::ffff:192.168.1.3 - - [08/Aug/2015:12:58:01 -0400] "POST /rpc.php HTTP/1.1" 200 42 "https://192.168.1.97:8443/" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0"
/var/log/nginx/openmediavault-webgui_access.log:::ffff:192.168.1.3 - - [08/Aug/2015:12:58:06 -0400] "POST /rpc.php HTTP/1.1" 200 42 "https://192.168.1.97:8443/" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0"
/var/log/nginx/openmediavault-webgui_access.log:::ffff:192.168.1.3 - - [08/Aug/2015:12:58:11 -0400] "POST /rpc.php HTTP/1.1" 200 42 "https://192.168.1.97:8443/" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0"
/var/log/nginx/openmediavault-webgui_access.log:::ffff:192.168.1.3 - - [08/Aug/2015:12:58:16 -0400] "POST /rpc.php HTTP/1.1" 200 42 "https://192.168.1.97:8443/" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0"
/var/log/nginx/openmediavault-webgui_access.log:::ffff:192.168.1.3 - - [08/Aug/2015:12:58:21 -0400] "POST /rpc.php HTTP/1.1" 200 42 "https://192.168.1.97:8443/" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0"
/var/log/nginx/openmediavault-webgui_access.log:::ffff:192.168.1.3 - - [08/Aug/2015:12:58:24 -0400] "GET /extjs/packages/ext-theme-gray/resources/images/sizer/sw-handle.gif HTTP/1.1" 200 116 "https://192.168.1.97:8443/extjs/packages/ext-theme-gray/resources/ext-theme-gray-all.css" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0"
/var/log/nginx/openmediavault-webgui_access.log:::ffff:192.168.1.3 - - [08/Aug/2015:12:58:25 -0400] "GET /extjs/packages/ext-theme-gray/resources/images/sizer/se-handle.gif HTTP/1.1" 200 114 "https://192.168.1.97:8443/extjs/packages/ext-theme-gray/resources/ext-theme-gray-all.css" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0"
/var/log/nginx/openmediavault-webgui_access.log:::ffff:192.168.1.3 - - [08/Aug/2015:12:58:25 -0400] "GET /extjs/packages/ext-theme-gray/resources/images/sizer/nw-handle.gif HTTP/1.1" 200 114 "https://192.168.1.97:8443/extjs/packages/ext-theme-gray/resources/ext-theme-gray-all.css" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0"
/var/log/nginx/openmediavault-webgui_access.log:::ffff:192.168.1.3 - - [08/Aug/2015:12:58:25 -0400] "GET /extjs/packages/ext-theme-gray/resources/images/sizer/s-handle.gif HTTP/1.1" 200 494 "https://192.168.1.97:8443/extjs/packages/ext-theme-gray/resources/ext-theme-gray-all.css" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0"
/var/log/nginx/openmediavault-webgui_access.log:::ffff:192.168.1.3 - - [08/Aug/2015:12:58:25 -0400] "GET /extjs/packages/ext-theme-gray/resources/images/sizer/ne-handle.gif HTTP/1.1" 200 128 "https://192.168.1.97:8443/extjs/packages/ext-theme-gray/resources/ext-theme-gray-all.css" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0"
/var/log/nginx/openmediavault-webgui_access.log:::ffff:192.168.1.3 - - [08/Aug/2015:12:58:25 -0400] "GET /extjs/packages/ext-theme-gray/resources/images/sizer/e-handle.gif HTTP/1.1" 200 753 "https://192.168.1.97:8443/extjs
-
EDIT: I added my customized port to the nginx-404 jail, then the autoban stopped.
i.e. http,https,[customized port]
-
Is it possible to unban IPs?
-
Add it to your Fail2Ban exception list in OMV web gui & clear out your log.
-
Thanks!
Is it possible to configure fail2ban so that I only get an email when an IP is actually banned and not when the server is started? (I get mails like "The jail nginx-404 has been started successfully.")
-
@Bambuleee
> Is it possible to unban IPs?
Yes, manually, like this:
iptables -D fail2ban-XXXX -s IP -j DROP
Change XXXX and IP.
You need to clean your log file if you don't want to be rebanned...
To see the iptables rules:
iptables -L -n
> Is it possible to configure fail2ban so that I only get an email when an IP is actually banned and not when the server is started? (I get mails like "The jail nginx-404 has been started successfully.")
The "server" is started at the same time as your host, and when your host runs for a long time, you don't receive the "server is started" email because it is always started... You can check your inbox when you restart the fail2ban service:
Root# service fail2ban restart
-
I installed fail2ban 1.1.4.
I got an error message when I click "Service" - "Fail2ban":
錯誤 #4000:
exception 'OMVException' with message 'Failed to execute command 'fail2ban-client status 2>&1': ERROR Unable to contact server. Is it running?' in /usr/share/openmediavault/engined/rpc/fail2ban.inc:368
Stack trace:
#0 [internal function]: OMVRpcServiceFail2ban->getStats(NULL, Array)
#1 /usr/share/php/openmediavault/rpcservice.inc(125): call_user_func_array(Array, Array)
#2 /usr/share/php/openmediavault/rpc.inc(79): OMVRpcServiceAbstract->callMethod('getStats', NULL, Array)
#3 /usr/sbin/omv-engined(500): OMVRpc::exec('Fail2Ban', 'getStats', NULL, Array, 1)
#4 {main}
And Fail2Ban shows a red circle in the Service tab.
I must use the "/etc/init.d/fail2ban restart" command to restart fail2ban.
-
When enabled I get the following error from daily cronjob,
/etc/cron.daily/logrotate:
error: error running non-shared postrotate script for /var/log/fail2ban.log of '/var/log/fail2ban.log '
run-parts: /etc/cron.daily/logrotate exited with return code 1
The fail2ban plugin is enabled but obviously not running, does the plugin actually start the service? (solved this by starting the service manually)
-
> Is it possible to configure fail2ban so that I only get an email when an IP is actually banned and not when the server is started? (I get mails like "The jail nginx-404 has been started successfully.")
I've reduced the e-mails I get by editing these files:
/etc/fail2ban/action.d/sendmail.conf
/etc/fail2ban/action.d/sendmail-buffered.conf
/etc/fail2ban/action.d/sendmail-whois.conf
/etc/fail2ban/action.d/sendmail-whois-lines.conf
-
The service does not start when I press the save button on the settings tab (the apply warning does not appear), but it does start when I change anything on the jails tab and press the save button (in this case the apply warning appears).
Perhaps a bug in the latest OMV (see my specs in my signature).
-
Trying to create a subsonic jail but it doesn't seem to work...
Can someone give a tip?
Thanx
-
Hello,
There is no plugin for OpenVPN.
I have added one but there is no protocol option in the GUI so I have to edit the fail2ban file manually.
1) Create a file
/etc/fail2ban/filter.d/openvpn.conf
[Definition]
# Literal [ and ] are escaped; unescaped, [ECONNREFUSED] is a character class
failregex = <HOST>:\d{1,5} TLS Auth Error
            <HOST>:\d{1,5} VERIFY ERROR:
            <HOST>:\d{1,5} TLS Error: TLS handshake failed
            <HOST>:\d{1,5} \[ECONNREFUSED\]: Connection refused
I have added the rule "<HOST>:\d{1,5} [ECONNREFUSED]: Connection refused" to what I saw on Internet because on my tests with a wrong key I had that error.
2) Edit the file /etc/fail2ban/jail.conf
The line protocol = udp is not there. When it is not there the rule doesn't work.
I have to add the line manually (only this field is missing when I configure a jail). I have taken the port 1294 instead of 1194.
[OpenVPN]
enabled = yes
protocol = udp
port = 1294
filter = openvpn
logpath = /var/log/openvpn.log
bantime = -1
maxretry = 3
3) After that, I must restart the service fail2ban
service fail2ban stop
service fail2ban start
Is it possible to add the rule automatically in fail2ban (or to add the option to choose the protocol)?
Thank you
Marc
-
The general steps are:
1) Figure out in what file it is logging failures.
2) Create a regular expression based on the failures.
3) Create a filter file with the above regular expression.
4) Enter the information in the plugin.
From your post it's impossible to tell what you've done so far.
-
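Added example, not part of any post in this thread: step 2 of the list above (build a regular expression from the logged failures) applied to the OpenVPN failregex lines posted earlier, checked against log lines before the filter goes into a jail. The log lines are constructed, the function names are hypothetical, and `<HOST>` is replaced by a simplified IPv4-only pattern rather than fail2ban's real expansion.

```python
import re

# Assumption: simplified IPv4-only stand-in for fail2ban's <HOST> tag.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# failregex lines from the OpenVPN filter, with the literal brackets escaped.
FAILREGEX = [
    r"<HOST>:\d{1,5} TLS Auth Error",
    r"<HOST>:\d{1,5} VERIFY ERROR:",
    r"<HOST>:\d{1,5} TLS Error: TLS handshake failed",
    r"<HOST>:\d{1,5} \[ECONNREFUSED\]: Connection refused",
]
# Same rule with unescaped brackets: [ECONNREFUSED] is then a character class.
UNESCAPED = r"<HOST>:\d{1,5} [ECONNREFUSED]: Connection refused"

# Constructed log lines in the usual OpenVPN style (not taken from the page).
SAMPLE_LOG = """\
Sat Aug  8 12:57:51 2015 203.0.113.7:51820 TLS Error: TLS handshake failed
Sat Aug  8 12:58:01 2015 203.0.113.7:51821 TLS Auth Error: Auth Username/Password verification failed for peer
Sat Aug  8 12:58:06 2015 198.51.100.9:40112 [ECONNREFUSED]: Connection refused (code=111)
Sat Aug  8 12:58:11 2015 192.0.2.44:1194 Peer Connection Initiated with [AF_INET]192.0.2.44:1194
Sat Aug  8 12:58:16 2015 203.0.113.7:51822 VERIFY ERROR: depth=0, error=certificate has expired
"""

def compile_rule(rule):
    """Expand the <HOST> tag and compile one failregex line."""
    return re.compile(rule.replace("<HOST>", HOST))

def count_failures(log_text, rules):
    """Return {ip: matched line count}; each line counts once, no findtime window."""
    compiled = [compile_rule(r) for r in rules]
    hits = {}
    for line in log_text.splitlines():
        for rx in compiled:
            m = rx.search(line)
            if m:
                hits[m.group("host")] = hits.get(m.group("host"), 0) + 1
                break
    return hits

def would_ban(log_text, rules, maxretry=3):
    """IPs whose failure count reaches maxretry (3 in the jail posted above)."""
    return sorted(ip for ip, n in count_failures(log_text, rules).items() if n >= maxretry)

if __name__ == "__main__":
    print(count_failures(SAMPLE_LOG, FAILREGEX))
    print(would_ban(SAMPLE_LOG, FAILREGEX))
    print(count_failures(SAMPLE_LOG, [UNESCAPED]))  # empty: the rule never matches
```

On the server itself, `fail2ban-regex /var/log/openvpn.log /etc/fail2ban/filter.d/openvpn.conf` runs the same kind of check against the real log with fail2ban's own `<HOST>` expansion.
-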
Are those steps documented somewhere and I missed it?