Fail2ban generates thousands of warning lines?

Hello,
I have just noticed that since May 6, "fail2ban" has been needlessly generating thousands of "warning" lines!
Below is a short excerpt:
2020-05-10 17:25:01,279 fail2ban.transmitter [4199]: WARNING Command ['status', 'apache'] has failed. Received UnknownJailException('apache',)
2020-05-10 17:25:01,401 fail2ban.transmitter [4199]: WARNING Command ['status', 'apache-mod-security'] has failed. Received UnknownJailException('apache-mod-security',)
2020-05-10 17:25:01,538 fail2ban.transmitter [4199]: WARNING Command ['status', 'apache-overflows'] has failed. Received UnknownJailException('apache-overflows',)
2020-05-10 17:25:01,665 fail2ban.transmitter [4199]: WARNING Command ['status', 'courierauth'] has failed. Received UnknownJailException('courierauth',)
2020-05-10 17:25:01,786 fail2ban.transmitter [4199]: WARNING Command ['status', 'ssh'] has failed. Received UnknownJailException('ssh',)
2020-05-10 17:25:01,982 fail2ban.transmitter [4199]: WARNING Command ['status', 'apache'] has failed. Received UnknownJailException('apache',)
2020-05-10 17:25:02,034 fail2ban.transmitter [4199]: WARNING Command ['status', 'php-url-fopen'] has failed. Received UnknownJailException('php-url-fopen',)
2020-05-10 17:25:02,106 fail2ban.transmitter [4199]: WARNING Command ['status', 'apache-mod-security'] has failed. Received UnknownJailException('apache-mod-security',)
2020-05-10 17:25:02,158 fail2ban.transmitter [4199]: WARNING Command ['status', 'vsftpd'] has failed. Received UnknownJailException('vsftpd',)
2020-05-10 17:25:02,230 fail2ban.transmitter [4199]: WARNING Command ['status', 'apache-overflows'] has failed. Received UnknownJailException('apache-overflows',)
2020-05-10 17:25:02,281 fail2ban.transmitter [4199]: WARNING Command ['status', 'apache-evasive'] has failed. Received UnknownJailException('apache-evasive',)
2020-05-10 17:25:02,354 fail2ban.transmitter [4199]: WARNING Command ['status', 'courierauth'] has failed. Received UnknownJailException('courierauth',)
2020-05-10 17:25:02,405 fail2ban.transmitter [4199]: WARNING Command ['status', 'apache-badbots'] has failed. Received UnknownJailException('apache-badbots',)
2020-05-10 17:25:02,481 fail2ban.transmitter [4199]: WARNING Command ['status', 'ssh'] has failed. Received UnknownJailException('ssh',)
2020-05-10 17:25:02,529 fail2ban.transmitter [4199]: WARNING Command ['status', 'named-refused-udp'] has failed. Received UnknownJailException('named-refused-udp',)
2020-05-10 17:25:02,652 fail2ban.transmitter [4199]: WARNING Command ['status', 'named-refused-tcp'] has failed. Received UnknownJailException('named-refused-tcp',)
2020-05-10 17:25:02,730 fail2ban.transmitter [4199]: WARNING Command ['status', 'php-url-fopen'] has failed. Received UnknownJailException('php-url-fopen',)
2020-05-10 17:25:02,844 fail2ban.transmitter [4199]: WARNING Command ['status', 'vsftpd'] has failed. Received UnknownJailException('vsftpd',)
2020-05-10 17:25:02,955 fail2ban.transmitter [4199]: WARNING Command ['status', 'apache-evasive'] has failed. Received UnknownJailException('apache-evasive',)
2020-05-10 17:25:03,065 fail2ban.transmitter [4199]: WARNING Command ['status', 'apache-badbots'] has failed. Received UnknownJailException('apache-badbots',)
2020-05-10 17:25:03,179 fail2ban.transmitter [4199]: WARNING Command ['status', 'named-refused-udp'] has failed. Received UnknownJailException('named-refused-udp',)
2020-05-10 17:25:03,292 fail2ban.transmitter [4199]: WARNING Command ['status', 'named-refused-tcp'] has failed. Received UnknownJailException('named-refused-tcp',)

Can anyone help me solve this problem?
Thanks in advance.
Ricardo

Diagnosis attached.
https://paste.yunohost.org/izowumixex

Hello,
I am answering my own question.
=> All these messages are caused by the MONITORIX application!
I uninstalled it and everything went back to normal.
Regards.
Ricardo

Hello,

I don't know Monitorix, but this looks to me like a configuration problem with the monitoring of jails that don't exist. Did you look at the contents of /etc/monitorix.conf?

So, I have your solution (I wanted to fix this last week, so it's still fresh in my mind).

The problem is that monitorix monitors lots of things, including the most common fail2ban rules, but those are not necessarily the ones enabled on your server.

To list the available rules:
sudo fail2ban-client status | grep 'Jail list:' | sed 's/.*Jail list://' | sed 's/,//g'
On my machine this outputs:
dovecot nextcloud nginx-http-auth pam-generic postfix postfix-sasl recidive sshd sshd-ddos yunohost

Once I had noted that, I did a bit of sorting so that it is cleaner in monitorix:

# FAIL2BAN graph
# -----------------------------------------------------------------------------
<fail2ban>
#        list = Security, Overload / Abuse
        list = YunoHost, Mail, Default, SSH, Apps
        <desc>
#                0 = [apache], [apache-mod-security], [apache-overflows], [courierauth], [ssh], [sshd], [pam-generic], [php-url-fopen], [vsftpd]
#                1 = [apache-evasive], [apache-badbots], [named-refused-udp], [named-refused-tcp]
                0 = [yunohost]
                1 = [postfix], [postfix-sasl], [dovecot]
                2 = [recidive], [pam-generic], [nginx-http-auth]
                3 = [sshd], [sshd-ddos]
                4 = [nextcloud]
        </desc>
        graphs_per_row = 2
        rigid = 0
        limit = 100
</fail2ban>

(I left the default values as comments)

And I put all of that in a file that I created:
/etc/monitorix/conf.d/monserveur.conf
(along with plenty of other config of my own, such as the list of disks or specific processes to monitor)

And finally, restart monitorix:
sudo service monitorix restart
I'm off right now to open a ticket on the app to see whether it is feasible to automate this at installation.

1 Like
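The check described in the post above, as an added example that is not part of the original thread: it compares the jails named in a Monitorix `<fail2ban>` section with the jails fail2ban actually runs and lists the ones that would each log an `UnknownJailException`. The function names and both sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `fail2ban-client status` output.
sample_status() {
cat <<'EOF'
Status
|- Number of jail:      3
`- Jail list:   postfix, sshd, yunohost
EOF
}

# Constructed sample of a Monitorix <fail2ban> section that still lists default jails.
sample_conf() {
cat <<'EOF'
<fail2ban>
        <desc>
#                0 = [vsftpd]
                0 = [apache], [ssh], [sshd]
                1 = [apache-badbots], [postfix]
        </desc>
</fail2ban>
EOF
}

# Jail names known to fail2ban, one per line (status output on stdin).
active_jails() {
    sed -n 's/.*Jail list:[[:space:]]*//p' | tr ',' '\n' |
        sed 's/[[:space:]]//g; /^$/d' | sort -u
}

# Jail names Monitorix polls: [name] tokens on uncommented <desc> lines (config on stdin).
monitorix_jails() {
    awk '/<fail2ban>/{f=1} /<\/fail2ban>/{f=0; d=0} f && /<desc>/{d=1; next}
         /<\/desc>/{d=0} d && !/^[ \t]*#/' |
        grep -o '\[[^]]*\]' | sed 's/[][]//g' | sort -u
}

# $1 = status output, $2 = Monitorix config text.
# Prints configured jails that fail2ban does not know (exact match, so ssh != sshd).
unknown_jails() {
    active=$(printf '%s\n' "$1" | active_jails)
    printf '%s\n' "$2" | monitorix_jails | while read -r jail; do
        printf '%s\n' "$active" | grep -qxF -- "$jail" || printf '%s\n' "$jail"
    done
}

# On a real host, pass "$(sudo fail2ban-client status)" and the Monitorix config in effect.
unknown_jails "$(sample_status)" "$(sample_conf)"
```

An empty result means every jail Monitorix queries exists, so the `status` warnings should stop after the restart.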

Should be fixed by https://github.com/YunoHost-Apps/monitorix_ynh/pull/18

Thank you very much for your reply!
But I am going to wait before reinstalling Monitorix.
Regards.
Ricardo
