Problem with an attack on the server

System security issues
mic88
Posts: 8
Registered: 27 May 2014, 00:02


Post by mic88 »

Hello,
I have exim installed. The server is under a brute-force attack. Until now Fail2Ban has protected against attacks of this kind. This time, however, it doesn't work. It's as if Fail2Ban got confused and banned the wrong thing. Do you know this problem? Please advise!

The /var/log/exim/mainlog log looks as follows:
2014-11-18 21:36:43 login authenticator failed for s15431066.onlinehome-server.com (User) [74.xxx.xx.xxx]: 535 Incorrect authentication data (set_id=www)
2014-11-18 21:36:43 login authenticator failed for s15431066.onlinehome-server.com (User) [74.xxx.xx.xxx]: 535 Incorrect authentication data (set_id=www)
2014-11-18 21:36:43 login authenticator failed for s15431066.onlinehome-server.com (User) [74.xxx.xx.xxx]: 535 Incorrect authentication data (set_id=www)
2014-11-18 21:36:43 login authenticator failed for s15431066.onlinehome-server.com (User) [74.xxx.xx.xxx]: 535 Incorrect authentication data (set_id=www)
2014-11-18 21:36:43 login authenticator failed for s15431066.onlinehome-server.com (User) [74.xxx.xx.xxx]: 535 Incorrect authentication data (set_id=www)
2014-11-18 21:36:43 login authenticator failed for s15431066.onlinehome-server.com (User) [74.xxx.xx.xxx]: 535 Incorrect authentication data (set_id=www)
2014-11-18 21:36:43 login authenticator failed for s15431066.onlinehome-server.com (User) [74.xxx.xx.xxx]: 535 Incorrect authentication data (set_id=www)
2014-11-18 21:36:43 login authenticator failed for s15431066.onlinehome-server.com (User) [74.xxx.xx.xxx]: 535 Incorrect authentication data (set_id=www)
2014-11-18 21:36:43 login authenticator failed for s15431066.onlinehome-server.com (User) [74.xxx.xx.xxx]: 535 Incorrect authentication data (set_id=www)
2014-11-18 21:36:43 login authenticator failed for s15431066.onlinehome-server.com (User) [74.xxx.xx.xxx]: 535 Incorrect authentication data (set_id=www)
2014-11-18 21:36:43 login authenticator failed for s15431066.onlinehome-server.com (User) [74.xxx.xx.xxx]: 535 Incorrect authentication data (set_id=www)
fail2ban.log
2014-11-18 21:56:57,754 fail2ban.filter [28319]: WARNING Determined IP using DNS Lookup: static-119-53-210-31.sadecehosting.net = ['31.210.53.119']
2014-11-18 21:56:57,782 fail2ban.filter [28319]: WARNING Determined IP using DNS Lookup: static-119-53-210-31.sadecehosting.net = ['31.210.53.119']
2014-11-18 21:56:57,800 fail2ban.filter [28319]: WARNING Determined IP using DNS Lookup: static-119-53-210-31.sadecehosting.net = ['31.210.53.119']
2014-11-18 21:56:57,823 fail2ban.filter [28319]: WARNING Determined IP using DNS Lookup: static-119-53-210-31.sadecehosting.net = ['31.210.53.119']
2014-11-18 21:56:57,843 fail2ban.filter [28319]: WARNING Determined IP using DNS Lookup: static-119-53-210-31.sadecehosting.net = ['31.210.53.119']
2014-11-18 21:56:57,864 fail2ban.filter [28319]: WARNING Determined IP using DNS Lookup: static-119-53-210-31.sadecehosting.net = ['31.210.53.119']
2014-11-18 21:56:57,883 fail2ban.filter [28319]: WARNING Determined IP using DNS Lookup: static-119-53-210-31.sadecehosting.net = ['31.210.53.119']
2014-11-18 21:56:57,914 fail2ban.filter [28319]: WARNING Determined IP using DNS Lookup: static-119-53-210-31.sadecehosting.net = ['31.210.53.119']
2014-11-18 21:56:57,961 fail2ban.filter [28319]: WARNING Determined IP using DNS Lookup: static-119-53-210-31.sadecehosting.net = ['31.210.53.119']
2014-11-18 21:56:57,981 fail2ban.filter [28319]: WARNING Determined IP using DNS Lookup: static-119-53-210-31.sadecehosting.net = ['31.210.53.119']
2014-11-18 21:56:58,007 fail2ban.filter [28319]: WARNING Determined IP using DNS Lookup: static-119-53-210-31.sadecehosting.net = ['31.210.53.119']
Edit: Maybe this will help: http://www.fail2ban.org/wiki/index.php/ ... _Addresses
grzesiek
Junior Member
Posts: 932
Registered: 06 January 2008, 10:41
Location: Białystok

Post by grzesiek »

I don't use fail2ban, but it looks to me like it resolves the name from the logs instead of taking the address, and that name is probably deliberately set wrong in DNS.

Code:

root@probook:~# dig static-119-53-210-31.sadecehosting.net

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> static-119-53-210-31.sadecehosting.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29072
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2


;; QUESTION SECTION:
;static-119-53-210-31.sadecehosting.net.	IN A


;; ANSWER SECTION:
static-119-53-210-31.sadecehosting.net.	3600 IN	A 31.210.53.119


;; AUTHORITY SECTION:
sadecehosting.net.	3600	IN	NS	ns1.sadecehosting.com.
sadecehosting.net.	3600	IN	NS	ns2.sadecehosting.com.


;; ADDITIONAL SECTION:
ns1.sadecehosting.com.	1800	IN	A	77.92.152.10
ns2.sadecehosting.com.	1800	IN	A	77.92.153.10


;; Query time: 150 msec
;; SERVER: 195.177.196.3#53(195.177.196.3)
;; WHEN: Tue Nov 18 20:11:48 2014
;; MSG SIZE  rcvd: 157


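To make the mechanism grzesiek describes concrete, here is an added example (not fail2ban's or exim's code, and not the filter the poster actually ran). It re-implements the small part of fail2ban that matters here: the `<HOST>` placeholder is expanded with fail2ban's own pattern, which accepts a hostname as readily as an IP literal, so a failregex that lets `<HOST>` land on the reverse-DNS name makes the ban depend on a forward lookup of a name the remote side chose. The weak failregex, the sample mainlog lines, the fake resolver and the toy sliding-window counter are all constructed for the example; the corrected failregex anchors `<HOST>` to the bracketed address exim always logs.

```python
"""Toy version of fail2ban's matching path for exim's mainlog (added example)."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# fail2ban's expansion of <HOST>: a hostname matches as readily as an IP literal.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Hypothetical weak failregex (assumption, not the poster's filter): <HOST> sits
# right after "failed for", so it captures the reverse-DNS name when there is
# one, and a line without a name ("(User) [ip]") never matches at all.
WEAK_FAILREGEX = (
    r"^\S+ \S+ \S+ authenticator failed for <HOST> .*"
    r": 535 Incorrect authentication data"
)

# Corrected failregex: skip the optional "name " and anchor <HOST> to the
# bracketed address that exim always writes.
FIXED_FAILREGEX = (
    r"^\S+ \S+ \S+ authenticator failed for (\S+ )?\(\S+\) \[<HOST>\]"
    r": 535 Incorrect authentication data"
)

# Constructed mainlog lines modelled on the thread's excerpt (documentation
# addresses and an invented name substituted). The last line must not match.
SAMPLE_MAINLOG = [
    "2014-11-18 21:36:43 login authenticator failed for host1.example.net (User) [192.0.2.10]: 535 Incorrect authentication data (set_id=www)",
    "2014-11-18 21:36:43 login authenticator failed for host1.example.net (User) [192.0.2.10]: 535 Incorrect authentication data (set_id=www)",
    "2014-11-18 21:36:44 login authenticator failed for host1.example.net (User) [192.0.2.10]: 535 Incorrect authentication data (set_id=admin)",
    "2014-11-18 21:36:45 login authenticator failed for host1.example.net (User) [192.0.2.10]: 535 Incorrect authentication data (set_id=admin)",
    "2014-11-18 21:36:50 login authenticator failed for (User) [198.51.100.7]: 535 Incorrect authentication data (set_id=test)",
    "2014-11-18 21:36:51 login authenticator failed for (User) [198.51.100.7]: 535 Incorrect authentication data (set_id=test)",
    "2014-11-18 21:36:52 login authenticator failed for (User) [198.51.100.7]: 535 Incorrect authentication data (set_id=test)",
    "2014-11-18 21:37:00 SMTP command timeout on connection from host1.example.net (User) [192.0.2.10]",
]

# Constructed stand-in for DNS: the owner of host1.example.net points the name
# at an unrelated address, so a ban derived from the name hits the wrong host.
FAKE_DNS = {"host1.example.net": ["203.0.113.99"]}


def compile_failregex(failregex):
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def extract_sources(lines, failregex, usedns="warn", resolver=None):
    """Return the (timestamp, ip) pairs the jail would count."""
    pattern = compile_failregex(failregex)
    events = []
    for line in lines:
        m = pattern.search(line)
        if not m:
            continue
        ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
        host = m.group("host")
        if is_ip(host):
            events.append((ts, host))
        elif usedns == "no":
            continue  # fail2ban discards a non-IP capture when usedns = no
        else:
            # usedns = yes/warn: forward lookup of a name chosen by the remote
            # side's PTR record; the domain owner decides what it resolves to.
            for ip in (resolver or (lambda name: []))(host):
                events.append((ts, ip))
    return events


def ban_decisions(events, maxretry=3, findtime=timedelta(seconds=600)):
    """Toy sliding-window counter: yields ('Ban', ip) or ('already banned', ip)."""
    window = defaultdict(deque)
    banned = set()
    decisions = []
    for ts, ip in sorted(events):
        q = window[ip]
        q.append(ts)
        while q and ts - q[0] > findtime:
            q.popleft()
        if len(q) >= maxretry:
            if ip in banned:
                decisions.append(("already banned", ip))
            else:
                banned.add(ip)
                decisions.append(("Ban", ip))
    return decisions


def demo(failregex, usedns):
    resolver = lambda name: FAKE_DNS.get(name, [])
    return ban_decisions(extract_sources(SAMPLE_MAINLOG, failregex, usedns, resolver))


if __name__ == "__main__":
    for name, regex in (("weak", WEAK_FAILREGEX), ("fixed", FIXED_FAILREGEX)):
        for usedns in ("warn", "no"):
            print(name, usedns, demo(regex, usedns))
```

With the weak regex and `usedns = warn` the only address that ever gets banned is the one the fake DNS hands back, and the attacker logging without a reverse name is never counted; with `usedns = no` the weak regex bans nothing at all, which is the quiet failure mode to watch for after changing that setting. The corrected regex bans both sources from the bracketed address alone, and the trailing "already banned" entries are the informational messages the counter emits when failures for an already-banned address keep arriving. On a real host, `fail2ban-regex /var/log/exim/mainlog /etc/fail2ban/filter.d/exim.conf` shows what each failregex captured from the actual log, and `fail2ban-client status exim` lists what the jail currently has banned.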
mic88
Posts: 8
Registered: 27 May 2014, 00:02

Post by mic88 »

After this configuration change http://www.fail2ban.org/wiki/index.php/ ... _Addresses it's OK. The IPs from mainlog end up in iptables. Only, why do the same IPs still appear in mainlog despite that?

mainlog
2014-11-18 22:30:54 SMTP command timeout on connection from s15429925.onlinehome-server.com (User) [74.208.47.121]
2014-11-18 22:30:54 SMTP command timeout on connection from s15429925.onlinehome-server.com (User) [74.208.47.121]
2014-11-18 22:30:54 SMTP command timeout on connection from s15429925.onlinehome-server.com (User) [74.208.47.121]
2014-11-18 22:30:54 SMTP command timeout on connection from s15429925.onlinehome-server.com (User) [74.208.47.121]
2014-11-18 22:30:54 SMTP command timeout on connection from s15429925.onlinehome-server.com (User) [74.208.47.121]


ipconfig
2014-11-18 22:23:41,578 fail2ban.actions[5200]: WARNING [exim] Ban 74.208.46.123
2014-11-18 22:23:41,584 fail2ban.actions[5200]: WARNING [exim] Ban 74.208.47.121
2014-11-18 22:23:41,590 fail2ban.actions[5200]: WARNING [exim] Ban 80.179.242.100
2014-11-18 22:23:41,598 fail2ban.actions[5200]: WARNING [exim] Ban 94.158.158.194
2014-11-18 22:23:41,604 fail2ban.actions[5200]: WARNING [exim] Ban 87.106.90.19
2014-11-18 22:23:41,610 fail2ban.actions[5200]: WARNING [exim] Ban 74.208.65.10
2014-11-18 22:25:55,788 fail2ban.actions[5200]: INFO [exim] 74.208.47.121 already banned
2014-11-18 22:27:05,878 fail2ban.actions[5200]: WARNING [exim] Ban 74.208.44.124
2014-11-18 22:27:05,885 fail2ban.actions[5200]: INFO [exim] 74.208.44.124 already banned

Edit: OK, now I know everything: http://serverfault.com/questions/606377 ... ady-banned