Polskie Forum Użytkowników Debiana

Polski portal użytkowników dystrybucji Debian GNU/Linux, dyskusje, artykuły, nowości, blog, porady, pomoc.
https://www.debian.pl/

Problem z atakiem na serwer

https://www.debian.pl/viewtopic.php?t=31699

Strona 1 z 1

Problem z atakiem na serwer

: 18 listopada 2014, 20:04
autor: mic88
Witam,
Mam zainstalowany exim. Serwer jest pod atakiem bruteforce. Do tej pory tego typu ataki zabezpieczal Fail2Ban. Jednak tym razem nie działa. Tak jakby Fail2Ban zglupial i banowal nie to co trzeba. Czy znany jest Wam ten problem? Proszę o radę!

Log /var/log/exim/mainlog wygląd anastepujaco:
2014-11-18 21:36:43 login authenticator failed for s15431066.onlinehome-server.com (User) [74.xxx.xx.xxx]: 535 Incorrect authentication data (set_id=www)
2014-11-18 21:36:43 login authenticator failed for s15431066.onlinehome-server.com (User) [74.xxx.xx.xxx]: 535 Incorrect authentication data (set_id=www)
2014-11-18 21:36:43 login authenticator failed for s15431066.onlinehome-server.com (User) [74.xxx.xx.xxx]: 535 Incorrect authentication data (set_id=www)
2014-11-18 21:36:43 login authenticator failed for s15431066.onlinehome-server.com (User) [74.xxx.xx.xxx]: 535 Incorrect authentication data (set_id=www)
2014-11-18 21:36:43 login authenticator failed for s15431066.onlinehome-server.com (User) [74.xxx.xx.xxx]: 535 Incorrect authentication data (set_id=www)
2014-11-18 21:36:43 login authenticator failed for s15431066.onlinehome-server.com (User) [74.xxx.xx.xxx]: 535 Incorrect authentication data (set_id=www)
2014-11-18 21:36:43 login authenticator failed for s15431066.onlinehome-server.com (User) [74.xxx.xx.xxx]: 535 Incorrect authentication data (set_id=www)
2014-11-18 21:36:43 login authenticator failed for s15431066.onlinehome-server.com (User) [74.xxx.xx.xxx]: 535 Incorrect authentication data (set_id=www)
2014-11-18 21:36:43 login authenticator failed for s15431066.onlinehome-server.com (User) [74.xxx.xx.xxx]: 535 Incorrect authentication data (set_id=www)
2014-11-18 21:36:43 login authenticator failed for s15431066.onlinehome-server.com (User) [74.xxx.xx.xxx]: 535 Incorrect authentication data (set_id=www)
2014-11-18 21:36:43 login authenticator failed for s15431066.onlinehome-server.com (User) [74.xxx.xx.xxx]: 535 Incorrect authentication data (set_id=www)
fail2ban.log
2014-11-18 21:56:57,754 fail2ban.filter [28319]: WARNING Determined IP using DNS Lookup: static-119-53-210-31.sadecehosting.net = ['31.210.53.119']
2014-11-18 21:56:57,782 fail2ban.filter [28319]: WARNING Determined IP using DNS Lookup: static-119-53-210-31.sadecehosting.net = ['31.210.53.119']
2014-11-18 21:56:57,800 fail2ban.filter [28319]: WARNING Determined IP using DNS Lookup: static-119-53-210-31.sadecehosting.net = ['31.210.53.119']
2014-11-18 21:56:57,823 fail2ban.filter [28319]: WARNING Determined IP using DNS Lookup: static-119-53-210-31.sadecehosting.net = ['31.210.53.119']
2014-11-18 21:56:57,843 fail2ban.filter [28319]: WARNING Determined IP using DNS Lookup: static-119-53-210-31.sadecehosting.net = ['31.210.53.119']
2014-11-18 21:56:57,864 fail2ban.filter [28319]: WARNING Determined IP using DNS Lookup: static-119-53-210-31.sadecehosting.net = ['31.210.53.119']
2014-11-18 21:56:57,883 fail2ban.filter [28319]: WARNING Determined IP using DNS Lookup: static-119-53-210-31.sadecehosting.net = ['31.210.53.119']
2014-11-18 21:56:57,914 fail2ban.filter [28319]: WARNING Determined IP using DNS Lookup: static-119-53-210-31.sadecehosting.net = ['31.210.53.119']
2014-11-18 21:56:57,961 fail2ban.filter [28319]: WARNING Determined IP using DNS Lookup: static-119-53-210-31.sadecehosting.net = ['31.210.53.119']
2014-11-18 21:56:57,981 fail2ban.filter [28319]: WARNING Determined IP using DNS Lookup: static-119-53-210-31.sadecehosting.net = ['31.210.53.119']
2014-11-18 21:56:58,007 fail2ban.filter [28319]: WARNING Determined IP using DNS Lookup: static-119-53-210-31.sadecehosting.net = ['31.210.53.119']
Edit: Może to pomoże: http://www.fail2ban.org/wiki/index.php/ ... _Addresses

: 18 listopada 2014, 20:12
autor: grzesiek
Nie używam fail2ban ale na moje oko to on rozwiązuje nazwę z logów a nie bierze adres a ten jest chyba celowo źle ustawiony w DNS.

Kod: Zaznacz cały

root@probook:~# dig static-119-53-210-31.sadecehosting.net

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> static-119-53-210-31.sadecehosting.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29072
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2


;; QUESTION SECTION:
;static-119-53-210-31.sadecehosting.net.	IN A


;; ANSWER SECTION:
static-119-53-210-31.sadecehosting.net.	3600 IN	A 31.210.53.119


;; AUTHORITY SECTION:
sadecehosting.net.	3600	IN	NS	ns1.sadecehosting.com.
sadecehosting.net.	3600	IN	NS	ns2.sadecehosting.com.


;; ADDITIONAL SECTION:
ns1.sadecehosting.com.	1800	IN	A	77.92.152.10
ns2.sadecehosting.com.	1800	IN	A	77.92.153.10


;; Query time: 150 msec
;; SERVER: 195.177.196.3#53(195.177.196.3)
;; WHEN: Tue Nov 18 20:11:48 2014
;; MSG SIZE  rcvd: 157

: 18 listopada 2014, 20:33
autor: mic88
Po tej zmianie konfiguracji http://www.fail2ban.org/wiki/index.php/ ... _Addresses jest ok. IPki z mainlog trafiają do IPtables Tylko dlaczego mimo to te same IPki nadal pojawija się w mainlog.

manlog
2014-11-18 22:30:54 SMTP command timeout on connection from s15429925.onlinehome-server.com (User) [74.208.47.121]
2014-11-18 22:30:54 SMTP command timeout on connection from s15429925.onlinehome-server.com (User) [74.208.47.121]
2014-11-18 22:30:54 SMTP command timeout on connection from s15429925.onlinehome-server.com (User) [74.208.47.121]
2014-11-18 22:30:54 SMTP command timeout on connection from s15429925.onlinehome-server.com (User) [74.208.47.121]
2014-11-18 22:30:54 SMTP command timeout on connection from s15429925.onlinehome-server.com (User) [74.208.47.121]


ipconfig
2014-11-18 22:23:41,578 fail2ban.actions[5200]: WARNING [exim] Ban 74.208.46.123
2014-11-18 22:23:41,584 fail2ban.actions[5200]: WARNING [exim] Ban 74.208.47.121
2014-11-18 22:23:41,590 fail2ban.actions[5200]: WARNING [exim] Ban 80.179.242.100
2014-11-18 22:23:41,598 fail2ban.actions[5200]: WARNING [exim] Ban 94.158.158.194
2014-11-18 22:23:41,604 fail2ban.actions[5200]: WARNING [exim] Ban 87.106.90.19
2014-11-18 22:23:41,610 fail2ban.actions[5200]: WARNING [exim] Ban 74.208.65.10
2014-11-18 22:25:55,788 fail2ban.actions[5200]: INFO [exim] 74.208.47.121 already banned
2014-11-18 22:27:05,878 fail2ban.actions[5200]: WARNING [exim] Ban 74.208.44.124
2014-11-18 22:27:05,885 fail2ban.actions[5200]: INFO [exim] 74.208.44.124 already banned

Edit: Ok już wiem wszystko: http://serverfault.com/questions/606377 ... ady-banned
Strefa czasowa UTC+02:00
Strona 1 z 1

Technologię dostarcza phpBB® Forum Software © phpBB Limited

Polski pakiet językowy dostarcza phpBB.pl