AJUTOR ! Fail2ban rule sa blocheze automat ce genereaza failban OSCAM

[crovte]

Salutare , stie cineva cum pot adauga un "rule" in fail2ban (ubuntu) in functie de ce genereaza FAILBAN din oscam (/var/log/oscam/oscamuser.log) ?

Multumesc !

[zildan]

Vezi sa nu se intre de mai multe ori cu acelasi user !

[Duster]

Salut, am facut eu de ceva vreme ...

in fisierul /etc/fail2ban/jail.conf bagi asta

Code:

[oscam-tcp]
enabled   = true
filter    = oscam
port      = 12200
protocol  = tcp
logpath   = /var/log/oscam/oscamuser.log
banaction = iptables-allports
findtime  = 1800
bantime   = 36000

bineinteles schimbi portul si logpath daca difera.

jar in folderul /etc/fail2ban/filter.d creezi un fisier oscam.conf si bagi asta in fisier

Code:

# Fail2Ban configuration file
#
# Author: Bust3D
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the oscam user failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
#          After modifying or adding new expressions test with command,
#          fail2ban-regex /path/to/your/oscam.log /etc/fail2ban/filter.d/oscam1.conf
# Values:  TEXT
#
failregex = (.)*(plain|encrypted) (.)*-client <HOST> rejected \((no such user|unknown user)\)$
            (.)*(plain|encrypted) (.)*-client <HOST> rejected \(disabled account\)$
            (.)*(plain|encrypted) (.)*-client <HOST> rejected \(invalid access\)$
	    (.)*duplicate user '(.)*' from <HOST> (.)*$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

Aici am facut sa recunoasca user necunoscut , conturi blocate si utilizatori duplicate.

Sper sa va fie de folos.

Sarbatori fericite :P

[crovte]

Salut , am facut cum mi-ai recomandat , dar se pare ca tot intra IP-ul ce vreau sa il blochez
la fail2ban-client status oscam-tcp am 0 ip-uri blocate
Status for the jail: oscam-tcp
|- filter
| |- File list: /var/log/oscam/oscamuser.log
| |- Currently failed: 0
| `- Total failed: 0
`- action
|- Currently banned: 0
| `- IP list:
`- Total banned: 0

iar la iptables -S in ssh imi da singurele linii legate de oscam :
-A INPUT -p tcp -j fail2ban-oscam-tcp
-A fail2ban-oscam-tcp -j RETURN
ai idee de ce as putea incerca ? am verificat si oscamuser.log si contine intr-adevar log de la useri

[crovte]

Multumesc Bust3d pt ajutor , problema fiind la oscam.log , nu oscamuser.log
Deci config-ul arata asa acum :

[oscam-tcp]
enabled = true
filter = oscam
port = 12200
protocol = tcp
logpath = /var/log/oscam/oscam.log
banaction = iptables-allports
findtime = 1800
bantime = 36000

[piccolo08]

Bos...

Inviato dal mio SM-G935F utilizzando Tapatalk