search

yakworks / docker-sftp

sftp with fail2ban and kubernetes support
https://hub.docker.com/r/yakworks/sftp/
MIT License
6 stars 5 forks source link

Don't see f2b banning #6

Closed causefx closed 2 years ago

causefx commented 4 years ago

As you can see it's matching...

root@sftp:/etc/fail2ban/filter.d# fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf

Running tests
=============

Use   failregex filter file : sshd, basedir: /etc/fail2ban
Use         maxlines : 1
Use      datepattern : Default Detectors
Use         log file : /var/log/auth.log
Use         encoding : UTF-8

Results
=======

Failregex: 700 total
|-  #) [# of hits] regular expression
|   3) [233] ^Failed \S+ for invalid user <F-USER>(?P<cond_user>\S+)|(?:(?! from ).)*?</F-USER> from <HOST>(?: port \d+)?(?: on \S+(?: port \d+)?)?(?: ssh\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)
|   6) [233] ^[iI](?:llegal|nvalid) user <F-USER>.*?</F-USER> from <HOST>(?: port \d+)?(?: on \S+(?: port \d+)?)?\s*$
|  21) [234] ^<F-NOFAIL>Connection from</F-NOFAIL> <HOST>
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [1401] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
`-

Lines: 1401 lines, 0 ignored, 700 matched, 701 missed
[processed in 0.37 sec]

Missed line(s): too many to print.  Use --print-all-missed to print all 701 lines

Yet nothing is even showing as failed.

root@sftp:/etc/fail2ban/filter.d# fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:        /var/log/auth.log
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:
root@sftp:/etc/fail2ban/filter.d# fail2ban-client get sshd logpath
Current monitored log file(s):
`- /var/log/auth.log
root@sftp:/etc/fail2ban/filter.d# fail2ban-client get sshd failregex
The following regular expression are defined:
|- [0]: ^[aA]uthentication (?:failure|error|failed) for (?P<user>.*) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\d{1,3}\.){3}\d{1,3})|\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\]?|(?P<dns>[\w\-.^_]*\w))( via \S+)?\s*(?: \[preauth\])?\s*$
|- [1]: ^User not known to the underlying authentication module for (?P<user>.*) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\d{1,3}\.){3}\d{1,3})|\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\]?|(?P<dns>[\w\-.^_]*\w))\s*(?: \[preauth\])?\s*$
|- [2]: ^Failed \S+ for invalid user (?P<user>(?P<cond_user>\S+)|(?:(?! from ).)*?) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\d{1,3}\.){3}\d{1,3})|\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\]?|(?P<dns>[\w\-.^_]*\w))(?: port \d+)?(?: on \S+(?: port \d+)?)?(?: ssh\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)
|- [3]: ^Failed \b(?!publickey)\S+ for (?P<cond_inv>invalid user )?(?P<user>(?P<cond_user>\S+)|(?(cond_inv)(?:(?! from ).)*?|[^:]+)) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\d{1,3}\.){3}\d{1,3})|\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\]?|(?P<dns>[\w\-.^_]*\w))(?: port \d+)?(?: on \S+(?: port \d+)?)?(?: ssh\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)
|- [4]: ^(?P<user>ROOT) LOGIN REFUSED.* FROM (?:(?:::f{4,6}:)?(?P<ip4>(?:\d{1,3}\.){3}\d{1,3})|\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\]?|(?P<dns>[\w\-.^_]*\w))\s*(?: \[preauth\])?\s*$
|- [5]: ^[iI](?:llegal|nvalid) user (?P<user>.*?) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\d{1,3}\.){3}\d{1,3})|\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\]?|(?P<dns>[\w\-.^_]*\w))(?: port \d+)?(?: on \S+(?: port \d+)?)?\s*$
|- [6]: ^User (?P<user>.+) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\d{1,3}\.){3}\d{1,3})|\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\]?|(?P<dns>[\w\-.^_]*\w)) not allowed because not listed in AllowUsers\s*(?: \[preauth\])?\s*$
|- [7]: ^User (?P<user>.+) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\d{1,3}\.){3}\d{1,3})|\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\]?|(?P<dns>[\w\-.^_]*\w)) not allowed because listed in DenyUsers\s*(?: \[preauth\])?\s*$
|- [8]: ^User (?P<user>.+) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\d{1,3}\.){3}\d{1,3})|\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\]?|(?P<dns>[\w\-.^_]*\w)) not allowed because not in any group\s*(?: \[preauth\])?\s*$
|- [9]: ^refused connect from \S+ \((?:(?:::f{4,6}:)?(?P<ip4>(?:\d{1,3}\.){3}\d{1,3})|\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\]?|(?P<dns>[\w\-.^_]*\w))\)\s*(?: \[preauth\])?\s*$
|- [10]: ^Received (?P<mlfforget>disconnect) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\d{1,3}\.){3}\d{1,3})|\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\]?|(?P<dns>[\w\-.^_]*\w))(?: port \d+)?(?: on \S+(?: port \d+)?)?:\s*3: .*: Auth fail(?: \[preauth\])?\s*$
|- [11]: ^User (?P<user>.+) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\d{1,3}\.){3}\d{1,3})|\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\]?|(?P<dns>[\w\-.^_]*\w)) not allowed because a group is listed in DenyGroups\s*(?: \[preauth\])?\s*$
|- [12]: ^User (?P<user>.+) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\d{1,3}\.){3}\d{1,3})|\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\]?|(?P<dns>[\w\-.^_]*\w)) not allowed because none of user's groups are listed in AllowGroups\s*(?: \[preauth\])?\s*$
|- [13]: ^pam_unix\(sshd:auth\):\s+authentication failure;\s*logname=\S*\s*uid=\d*\s*euid=\d*\s*tty=\S*\s*ruser=(?P<user>\S*)\s*rhost=(?:(?:::f{4,6}:)?(?P<ip4>(?:\d{1,3}\.){3}\d{1,3})|\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\]?|(?P<dns>[\w\-.^_]*\w))\s.*(?: \[preauth\])?\s*$
|- [14]: ^(error: )?maximum authentication attempts exceeded for (?P<user>.*) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\d{1,3}\.){3}\d{1,3})|\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\]?|(?P<dns>[\w\-.^_]*\w))(?: port \d+)?(?: on \S+(?: port \d+)?)?(?: ssh\d*)?(?: \[preauth\])?\s*$
|- [15]: ^User (?P<user>.+) not allowed because account is locked(?: \[preauth\])?\s*
|- [16]: ^(?P<mlfforget>Disconnecting): Too many authentication failures(?: for (?P<user>.+?))?(?: \[preauth\])?\s*
|- [17]: ^(?P<nofail>Received (?P<mlfforget>disconnect)) from (?:(?:::f{4,6}:)?(?P<ip4>(?:\d{1,3}\.){3}\d{1,3})|\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\]?|(?P<dns>[\w\-.^_]*\w)): 11:
|- [18]: ^(?P<nofail>Connection (?P<mlfforget>closed)) by (?:(?:::f{4,6}:)?(?P<ip4>(?:\d{1,3}\.){3}\d{1,3})|\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\]?|(?P<dns>[\w\-.^_]*\w))(?: \[preauth\])?\s*$
|- [19]: ^(?P<mlfforget>(?P<nofail>Accepted publickey)) for \S+ from (?:(?:::f{4,6}:)?(?P<ip4>(?:\d{1,3}\.){3}\d{1,3})|\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\]?|(?P<dns>[\w\-.^_]*\w))(?:\s|$)
`- [20]: ^(?P<nofail>Connection from) (?:(?:::f{4,6}:)?(?P<ip4>(?:\d{1,3}\.){3}\d{1,3})|\[?(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):))\]?|(?P<dns>[\w\-.^_]*\w))
basejump commented 4 years ago

are you bypassing the kub-proxy and not running behind a load balancer?