HELP! Fail2ban rule to automatically block based on what OSCAM's FAILBAN generates



crovte
14-12-16, 18:39
Hi, does anyone know how I can add a "rule" in fail2ban (Ubuntu) based on what FAILBAN from oscam generates (/var/log/oscam/oscamuser.log)?

Thanks!

zildan
14-12-16, 19:34
Make sure the same user isn't logging in more than once!

Duster
15-12-16, 04:02
Hi, I set this up a while ago ...

In the file /etc/fail2ban/jail.conf put this:



[oscam-tcp]
enabled = true
filter = oscam
port = 12200
protocol = tcp
logpath = /var/log/oscam/oscamuser.log
banaction = iptables-allports
findtime = 1800
bantime = 36000


Of course, change the port and logpath if yours differ.

Then in the folder /etc/fail2ban/filter.d create a file oscam.conf and put this in it:



# Fail2Ban configuration file
#
# Author: Bust3D
#

[Definition]

# Option: failregex
# Notes.: regex to match the oscam user failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# After modifying or adding new expressions test with command,
# fail2ban-regex /path/to/your/oscam.log /etc/fail2ban/filter.d/oscam1.conf
# Values: TEXT
#
failregex = (.)*(plain|encrypted) (.)*-client <HOST> rejected \((no such user|unknown user)\)$
            (.)*(plain|encrypted) (.)*-client <HOST> rejected \(disabled account\)$
            (.)*(plain|encrypted) (.)*-client <HOST> rejected \(invalid access\)$
            (.)*duplicate user '(.)*' from <HOST> (.)*$

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =


Here I made it recognize unknown users, blocked accounts and duplicate users.

I hope it is useful to you.

Happy holidays :P

piccolo08
15-12-16, 15:39
Boss...


crovte
07-03-17, 09:59
Hi, I did as you recommended, but it seems the IP I want to block still gets in.
With fail2ban-client status oscam-tcp I have 0 blocked IPs:
Status for the jail: oscam-tcp
|- filter
| |- File list: /var/log/oscam/oscamuser.log
| |- Currently failed: 0
| `- Total failed: 0
`- action
|- Currently banned: 0
| `- IP list:
`- Total banned: 0

and iptables -S over ssh gives me these as the only lines related to oscam:
-A INPUT -p tcp -j fail2ban-oscam-tcp
-A fail2ban-oscam-tcp -j RETURN
Do you have any idea what I could try? I also checked oscamuser.log and it does indeed contain logs from users.

crovte
08-03-17, 21:39
Thanks Bust3d for the help, the problem being oscam.log, not oscamuser.log.
So the config looks like this now:

[oscam-tcp]
enabled = true
filter = oscam
port = 12200
protocol = tcp
logpath = /var/log/oscam/oscam.log
banaction = iptables-allports
findtime = 1800
bantime = 36000
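
An offline check of the filter discussed in this thread, added here as an example and not code from any poster or from fail2ban: it applies the four failregex lines to log lines and counts hits per address, which shows why a jail pointed at a file with no rejection lines reports "Total failed: 0". The log lines are constructed, and the IPv4-only HOST pattern and the helper name failures are assumptions of this example.

```python
import re
from collections import Counter

# Simplified IPv4-only stand-in for fail2ban's <HOST> tag (assumption of this
# example; the real tag also accepts hostnames and IPv6).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The four failregex lines from the thread's oscam.conf filter.
FAILREGEX = [
    r"(.)*(plain|encrypted) (.)*-client <HOST> rejected \((no such user|unknown user)\)$",
    r"(.)*(plain|encrypted) (.)*-client <HOST> rejected \(disabled account\)$",
    r"(.)*(plain|encrypted) (.)*-client <HOST> rejected \(invalid access\)$",
    r"(.)*duplicate user '(.)*' from <HOST> (.)*$",
]
COMPILED = [re.compile(rx.replace("<HOST>", HOST)) for rx in FAILREGEX]

# Constructed sample lines, not real OSCam output (documentation-range IPs).
OSCAM_LOG = [
    "2017/03/08 21:30:01 c encrypted cccam-client 203.0.113.7 rejected (no such user)",
    "2017/03/08 21:30:09 c plain newcamd-client 203.0.113.7 rejected (invalid access)",
    "2017/03/08 21:31:40 c plain cccam-client 198.51.100.23 rejected (disabled account)",
    "2017/03/08 21:32:15 c duplicate user 'alice' from 192.0.2.10 (constructed tail)",
    "2017/03/08 21:33:02 c encrypted cccam-client 192.0.2.44 granted (bob)",
]
# Constructed stand-in for a per-user log that carries no rejection lines.
OSCAMUSER_LOG = [
    "2017/03/07 09:50:12 bob 192.0.2.44 session summary (constructed line)",
    "2017/03/07 09:55:31 alice 192.0.2.10 session summary (constructed line)",
]

def failures(lines):
    """Return failregex hits per source address (hypothetical helper)."""
    hits = Counter()
    for line in lines:
        for rx in COMPILED:
            match = rx.search(line.rstrip("\n"))
            if match:
                hits[match.group("host")] += 1
                break  # count each log line at most once
    return hits

if __name__ == "__main__":
    for name, log in (("oscam.log", OSCAM_LOG), ("oscamuser.log", OSCAMUSER_LOG)):
        found = failures(log)
        print(f"{name}: total failed = {sum(found.values())}, hosts = {dict(found)}")
```

On the server itself, the fail2ban-regex command named in the filter's comments runs the same kind of check against the real log file.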