Koozali.org: home of the SME Server
Contribs.org Forums => Koozali SME Server 10.x Contribs => Topic started by: holck on January 15, 2022, 11:30:22 AM
-
Apparently, malware writers have found ways to live with and circumvent fail2ban. Here are a few examples from my server, showing in the first column the IP address, and in the second column the time of the attack.
Attacks from subnets instead of single IPs:
163.123.141.100 - 2022-01-12 15:30:20
163.123.141.100 - 2022-01-12 15:38:57
163.123.141.101 - 2022-01-12 12:00:22
163.123.141.101 - 2022-01-12 12:06:41
163.123.141.104 - 2022-01-12 23:21:35
163.123.141.104 - 2022-01-12 23:22:58
163.123.141.105 - 2022-01-12 19:30:27
163.123.141.105 - 2022-01-12 19:35:25
163.123.141.106 - 2022-01-12 14:31:15
163.123.141.106 - 2022-01-12 14:33:52
163.123.141.107 - 2022-01-12 18:00:26
163.123.141.107 - 2022-01-12 18:03:15
163.123.141.108 - 2022-01-12 21:21:42
163.123.141.108 - 2022-01-12 21:28:07
163.123.141.109 - 2022-01-12 12:30:23
163.123.141.109 - 2022-01-12 12:33:46
163.123.141.109 - 2022-01-12 12:40:24
163.123.141.109 - 2022-01-12 12:40:24
163.123.141.110 - 2022-01-12 20:02:08
163.123.141.110 - 2022-01-12 20:02:45
163.123.141.110 - 2022-01-12 20:12:10
163.123.141.110 - 2022-01-12 20:12:10
163.123.141.111 - 2022-01-12 17:00:32
163.123.141.111 - 2022-01-12 17:02:58
163.123.141.112 - 2022-01-12 22:51:28
163.123.141.112 - 2022-01-12 22:53:46
163.123.141.114 - 2022-01-12 16:01:02
163.123.141.114 - 2022-01-12 16:04:58
163.123.141.116 - 2022-01-12 13:31:06
163.123.141.116 - 2022-01-12 13:33:44
163.123.141.119 - 2022-01-12 19:00:30
163.123.141.119 - 2022-01-12 19:07:35
163.123.141.120 - 2022-01-12 17:31:41
163.123.141.120 - 2022-01-12 17:35:04
163.123.141.121 - 2022-01-12 12:59:24
163.123.141.121 - 2022-01-12 13:01:54
163.123.141.122 - 2022-01-12 15:01:09
163.123.141.122 - 2022-01-12 15:03:00
163.123.141.123 - 2022-01-12 21:51:24
163.123.141.123 - 2022-01-12 21:55:23
163.123.141.124 - 2022-01-12 23:51:16
163.123.141.124 - 2022-01-12 23:55:25
163.123.141.125 - 2022-01-12 11:32:03
163.123.141.125 - 2022-01-12 11:43:35
163.123.141.125 - 2022-01-12 11:46:18
163.123.141.125 - 2022-01-12 11:46:19
163.123.141.126 - 2022-01-12 14:00:28
163.123.141.126 - 2022-01-12 14:03:13
"Lazy" attacks: make a try, wait a little, make a try ...
178.176.175.178 - 2022-01-09 17:07:41
178.176.175.178 - 2022-01-09 17:07:48
178.176.175.178 - 2022-01-09 17:07:54
178.176.175.178 - 2022-01-09 17:07:54
178.176.175.178 - 2022-01-10 20:21:11
178.176.175.178 - 2022-01-10 20:21:16
178.176.175.178 - 2022-01-12 08:51:03
178.176.175.178 - 2022-01-12 08:51:05
178.176.175.178 - 2022-01-12 08:51:08
178.176.175.178 - 2022-01-12 08:51:08
178.176.175.178 - 2022-01-13 17:55:04
178.176.175.178 - 2022-01-13 17:55:05
178.176.175.178 - 2022-01-13 17:55:13
178.176.175.178 - 2022-01-13 17:55:13
178.176.175.178 - 2022-01-14 22:20:16
178.176.175.178 - 2022-01-14 22:20:20
178.176.175.178 - 2022-01-14 22:20:22
178.176.175.178 - 2022-01-14 22:20:22
Also, it's obvious from the log files that attackers are able to coordinate attacks from different IP addresses.
I'll be glad to hear what others in this forum are doing to prevent this.
Jesper, Denmark
-
I created a jail for '91Portscan' and customized '90Recidive' and '05IgnoreIP'
https://github.com/mmccarn/smeserver/tree/42efa28d38e11a477f2f4a460d1a54d005241fb5/templates-custom/etc/fail2ban/jail.conf
My current settings:
* recidive looks for 3 attacks over 3 days and bans offenders for 21 days
* portscan looks for 4 attacks over 3 days and bans offenders for 21 days
# config show fail2ban
fail2ban=service
BanTime=259200
FindTime=43200
IgnoreIP=[REDACTED]
Mail=disabled
MailRecipient=mmccarn@[REDACTED]
MaxRetry=2
PortscanBanTime=1814400
PortscanFindTime=259200
PortscanMaxRetry=4
RecidiveBanTime=1814400
RecidiveFindTime=259200
RecidiveMaxRetry=3
status=enabled
There is fail2ban work for banning entire subnets, but I couldn't get it to work when I last worked on this (3 years ago / SME 9.2 / fail2ban-09.6-1)
-
Jesper,
Frustratingly security is a continual war and nothing stands still. Just have to roll with it.
Mike,
we could look at integrating those mods? Can you open a bug?
Where did you get stuck on subnets?
-
Where did you get stuck on subnets?
I found my notes on fail2ban-subnets on the wiki "talk" page: https://wiki.koozali.org/Talk:Fail2ban
From that page, it looks like I got it to a point where I got no obvious error messages, but I couldn't figure out how to verify that it actually works. I have ~5 months of fail2ban daemon logs - none of those show any evidence that any subnet has ever been blocked. I also have /var/log/fail2ban-subnets.log from 2017_08_18 through 2022_01_20; every log entry is basically "fail2ban-subnets.py: INFO started with an analysis over 16 weeks"
fail2ban Portscan: NFR: Portscan Jail (https://bugs.koozali.org/show_bug.cgi?id=10422)
fail2ban Recidive: no bug at this time
fail2ban Subnets: no bug at this time
-
I found my notes on fail2ban-subnets on the wiki "talk" page: https://wiki.koozali.org/Talk:Fail2ban
Roger - got it.
Blimey that script is a bit kludgy, and I can barely read python, let alone write it!
So the normal process for F2B (correct me if I am wrong)
Read/Execute jail.conf
Read/Execute filter on log file
Read/Execute action smeserver-iptables with results
The problem here is the subnet python script tries to execute iptables itself - not good. It could almost be a totally standalone system.
So trying to work this through.
First - we don't need .local dirs - just use the existing ones.
We don't need the action script. We need to use the smeserver-iptables one.
The fail2ban-subnets.py file should really parse the required fail2ban logs, find the requisite subnets and write them to a subnet log which can then be processed by the filter file and F2B itself for banning by the smeserver-iptables action (I think) - that can be done on a cron with the script in say /usr/local/bin
Currently when it runs it doesn't really do anything as it is trying to add to an iptable that does not exist and that is because SME handles the tables itself, as above.
So it never gets past the initial logger message:
logger.info("started with an analysis over %s" % human_readable_time(findtime))
I also can't see where else it actually logs the guilty subnets!!
Anyway, the filter script should have a filter that takes the subnets in the log and then adds them via the smeserver-iptables action.
Currently the filter just tells you what is in the subnet.log file - it does nothing really! Check say the recidive filter or similar for comparison.
So IMHO it really needs some rewriting. I could probably do it in perl (I already have some other perl subnet stuff kicking about), but not python :roll:
Further reading:
https://github.com/fail2ban/fail2ban/issues/927
https://unix.stackexchange.com/questions/181114/how-can-i-teach-fail2ban-to-detect-and-block-attacks-from-a-whole-network-block
https://github.com/fail2ban/fail2ban/issues/2261
(Not sure if you meant this on the wiki!!:)
Test
cd ~/addons/fail2ban-subnets
perl fail2ban-subnets.py << with perl ?? !!
Let me know your thoughts - be interested to look at this if we can get something workable, but note it can be dangerous if you ban a big range!!
I can't do much else myself right now as I have been off work with my gammy back for over a week and so I'm waaaaaaaaay behind. But happy to look at anything you might conjure up.
E&OE :-)
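The design sketched above (a cron script that reads fail2ban's own log, finds the offending subnets and writes them to a log that a jail's filter then hands to the iptables action) applied to the pattern in Jesper's first post, as an added example that is not the fail2ban-subnets script, the SME Server templates or any code from this thread. The sample log lines are constructed in fail2ban.log's "Ban" format with an assumed [sshd] jail name, and the thresholds, the output line and the failregex are assumptions.

```python
"""Group fail2ban "Ban" events by /24 network over a multi-day window and emit
the offenders as log lines a separate jail could match.  Added example for this
thread (not the fail2ban-subnets script, not SME code); formats are assumed."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample in fail2ban.log's own "Ban" line shape (the thread's list
# shows only "IP - time"); the [sshd] jail name is an assumption.
SAMPLE_LOG = """\
2022-01-12 12:00:22,101 fail2ban.actions [1234]: NOTICE [sshd] Ban 163.123.141.101
2022-01-12 12:30:23,102 fail2ban.actions [1234]: NOTICE [sshd] Ban 163.123.141.109
2022-01-12 15:30:20,103 fail2ban.actions [1234]: NOTICE [sshd] Ban 163.123.141.100
2022-01-12 19:30:27,104 fail2ban.actions [1234]: NOTICE [sshd] Ban 163.123.141.105
2022-01-09 17:07:41,105 fail2ban.actions [1234]: NOTICE [sshd] Ban 178.176.175.178
2022-01-12 08:51:03,106 fail2ban.actions [1234]: NOTICE [sshd] Ban 178.176.175.178
2022-01-13 10:00:00,107 fail2ban.actions [1234]: NOTICE [sshd] Ban 198.51.100.7
"""
NOW = datetime(2022, 1, 13, 12, 0, 0)  # constructed "current time" for the run
BAN_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ .*\bBan (\S+)$")

def parse_bans(text):
    """Yield (timestamp, address) for every Ban line in fail2ban.log text."""
    for line in text.splitlines():
        m = BAN_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), ipaddress.ip_address(m.group(2))

def offending_subnets(text, now, window=timedelta(days=3), prefix=24, min_hosts=3):
    """Distinct banned hosts per /prefix network inside the window, keeping networks
    that reach min_hosts.  One host banned repeatedly is the recidive jail's job."""
    hosts = defaultdict(set)
    for ts, ip in parse_bans(text):
        if timedelta(0) <= now - ts <= window:
            hosts[ipaddress.ip_network(f"{ip}/{prefix}", strict=False)].add(ip)
    return {net: len(ips) for net, ips in hosts.items() if len(ips) >= min_hosts}

def subnet_log_lines(text, now):
    """One line per offending network, in the fixed shape FAILREGEX matches."""
    return [f"{now:%Y-%m-%d %H:%M:%S} fail2ban-subnets: ban {net} ({n} hosts)"
            for net, n in sorted(offending_subnets(text, now).items())]

# failregex for a jail reading that log: fail2ban strips the timestamp via its
# datepattern, then hands the 'host' group to the ban action, which must accept
# a network (the thread's last post says SME's iptables script now does).
FAILREGEX = r"^\s*fail2ban-subnets: ban (?P<host>\S+) \("
def filter_host(line):
    """Apply FAILREGEX as the jail would, i.e. after the 19-character date."""
    m = re.match(FAILREGEX, line[19:])
    return m.group("host") if m else None
```

With the sample, only 163.123.141.0/24 is reported (four distinct banned hosts in three days); the single slow host and the lone 198.51.100.7 ban stay below the spread threshold and are left to the recidive jail.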
-
I have recently updated the smeserver fail2ban iptable script to accept subnet and not only ip. this could help in using this strategy …