fail2ban crashes

Hello,

My fail2ban regularly generates errors like this (I've included everything since the firewall reload for clarity).

2020-12-03 15:19:59,357 fail2ban.server         [942]: INFO    Reload all jails
2020-12-03 15:19:59,358 fail2ban.server         [942]: INFO    Reload jail 'sshd'
2020-12-03 15:19:59,359 fail2ban.filter         [942]: INFO      maxLines: 1
2020-12-03 15:19:59,362 fail2ban.server         [942]: INFO    Jail sshd is not a JournalFilter instance
2020-12-03 15:19:59,362 fail2ban.filter         [942]: INFO      encoding: UTF-8
2020-12-03 15:19:59,363 fail2ban.filter         [942]: INFO      maxRetry: 10
2020-12-03 15:19:59,363 fail2ban.filter         [942]: INFO      findtime: 600
2020-12-03 15:19:59,364 fail2ban.actions        [942]: INFO      banTime: 600
2020-12-03 15:19:59,364 fail2ban.transmitter    [942]: ERROR   Jail 'sshd-ddos' skipped, because of wrong configuration: Unable to read the filter 'sshd-ddos'
2020-12-03 15:19:59,365 fail2ban.server         [942]: INFO    Reload jail 'nginx-http-auth'
2020-12-03 15:19:59,366 fail2ban.filter         [942]: INFO      encoding: UTF-8
2020-12-03 15:19:59,367 fail2ban.filter         [942]: INFO      maxRetry: 10
2020-12-03 15:19:59,367 fail2ban.filter         [942]: INFO      findtime: 600
2020-12-03 15:19:59,368 fail2ban.actions        [942]: INFO      banTime: 600
2020-12-03 15:19:59,369 fail2ban.server         [942]: INFO    Reload jail 'postfix'
2020-12-03 15:19:59,370 fail2ban.server         [942]: INFO    Jail postfix is not a JournalFilter instance
2020-12-03 15:19:59,370 fail2ban.filter         [942]: INFO      encoding: UTF-8
2020-12-03 15:19:59,370 fail2ban.filter         [942]: INFO      maxRetry: 10
2020-12-03 15:19:59,371 fail2ban.filter         [942]: INFO      findtime: 600
2020-12-03 15:19:59,371 fail2ban.actions        [942]: INFO      banTime: 600
2020-12-03 15:19:59,372 fail2ban.server         [942]: INFO    Reload jail 'dovecot'
2020-12-03 15:19:59,373 fail2ban.datedetector   [942]: INFO      date pattern `''`: `{^LN-BEG}TAI64N`
2020-12-03 15:19:59,374 fail2ban.server         [942]: INFO    Jail dovecot is not a JournalFilter instance
2020-12-03 15:19:59,374 fail2ban.filter         [942]: INFO      encoding: UTF-8
2020-12-03 15:19:59,375 fail2ban.filter         [942]: INFO      maxRetry: 10
2020-12-03 15:19:59,375 fail2ban.filter         [942]: INFO      findtime: 600
2020-12-03 15:19:59,376 fail2ban.actions        [942]: INFO      banTime: 600
2020-12-03 15:19:59,377 fail2ban.transmitter    [942]: ERROR   Jail 'postfix-sasl' skipped, because of wrong configuration: Unable to read the filter 'postfix-sasl'
2020-12-03 15:19:59,377 fail2ban.server         [942]: INFO    Reload jail 'recidive'
2020-12-03 15:19:59,378 fail2ban.server         [942]: INFO    Jail recidive is not a JournalFilter instance
2020-12-03 15:19:59,379 fail2ban.filter         [942]: INFO      encoding: UTF-8
2020-12-03 15:19:59,379 fail2ban.filter         [942]: INFO      maxRetry: 10
2020-12-03 15:19:59,379 fail2ban.filter         [942]: INFO      findtime: 86400
2020-12-03 15:19:59,380 fail2ban.actions        [942]: INFO      banTime: 604800
2020-12-03 15:19:59,381 fail2ban.server         [942]: INFO    Reload jail 'pam-generic'
2020-12-03 15:19:59,382 fail2ban.filter         [942]: INFO      encoding: UTF-8
2020-12-03 15:19:59,383 fail2ban.filter         [942]: INFO      maxRetry: 10
2020-12-03 15:19:59,383 fail2ban.filter         [942]: INFO      findtime: 600
2020-12-03 15:19:59,384 fail2ban.actions        [942]: INFO      banTime: 600
2020-12-03 15:19:59,385 fail2ban.server         [942]: INFO    Reload jail 'nextcloud'
2020-12-03 15:19:59,386 fail2ban.filter         [942]: INFO      encoding: UTF-8
2020-12-03 15:19:59,386 fail2ban.filter         [942]: INFO      maxRetry: 5
2020-12-03 15:19:59,387 fail2ban.filter         [942]: INFO      findtime: 600
2020-12-03 15:19:59,387 fail2ban.actions        [942]: INFO      banTime: 600
2020-12-03 15:19:59,388 fail2ban.server         [942]: INFO    Reload jail 'rainloop'
2020-12-03 15:19:59,389 fail2ban.filter         [942]: INFO      encoding: UTF-8
2020-12-03 15:19:59,390 fail2ban.filter         [942]: INFO      maxRetry: 3
2020-12-03 15:19:59,390 fail2ban.filter         [942]: INFO      findtime: 600
2020-12-03 15:19:59,391 fail2ban.actions        [942]: INFO      banTime: 600
2020-12-03 15:19:59,392 fail2ban.server         [942]: INFO    Reload jail 'yunohost'
2020-12-03 15:19:59,393 fail2ban.filter         [942]: INFO      encoding: UTF-8
2020-12-03 15:19:59,393 fail2ban.filter         [942]: INFO      maxRetry: 10
2020-12-03 15:19:59,394 fail2ban.filter         [942]: INFO      findtime: 600
2020-12-03 15:19:59,395 fail2ban.actions        [942]: INFO      banTime: 600
2020-12-03 15:19:59,396 fail2ban.server         [942]: INFO    Jail 'sshd' reloaded
2020-12-03 15:19:59,396 fail2ban.server         [942]: INFO    Jail 'nginx-http-auth' reloaded
2020-12-03 15:19:59,396 fail2ban.server         [942]: INFO    Jail 'postfix' reloaded
2020-12-03 15:19:59,397 fail2ban.server         [942]: INFO    Jail 'dovecot' reloaded
2020-12-03 15:19:59,397 fail2ban.server         [942]: INFO    Jail 'recidive' reloaded
2020-12-03 15:19:59,397 fail2ban.server         [942]: INFO    Jail 'pam-generic' reloaded
2020-12-03 15:19:59,397 fail2ban.server         [942]: INFO    Jail 'nextcloud' reloaded
2020-12-03 15:19:59,398 fail2ban.server         [942]: INFO    Jail 'rainloop' reloaded
2020-12-03 15:19:59,398 fail2ban.server         [942]: INFO    Jail 'yunohost' reloaded
2020-12-03 15:19:59,407 fail2ban.server         [942]: INFO    Reload finished.
2020-12-04 00:13:49,071 fail2ban.filter         [942]: INFO    [postfix] Found 89.33.193.212 - 2020-12-04 00:13:49
2020-12-04 09:23:05,191 fail2ban.filter         [942]: INFO    [postfix] Found 89.33.193.21 - 2020-12-04 09:23:05
2020-12-04 12:04:13,608 fail2ban.actions        [942]: NOTICE  [recidive] Unban 112.85.42.187
2020-12-04 12:04:13,632 fail2ban.utils          [942]: Level 39 b55013e0 -- exec: iptables -w -n -L INPUT | grep -q 'f2b-recidive[ \t]'
2020-12-04 12:04:13,633 fail2ban.utils          [942]: ERROR   b55013e0 -- returned 1
2020-12-04 12:04:13,633 fail2ban.CommandAction  [942]: ERROR   Invariant check failed. Trying to restore a sane environment
2020-12-04 12:04:13,662 fail2ban.utils          [942]: Level 39 b555a1a0 -- exec: iptables -w -D INPUT -p tcp -j f2b-recidive
iptables -w -F f2b-recidive
iptables -w -X f2b-recidive
2020-12-04 12:04:13,663 fail2ban.utils          [942]: ERROR   b555a1a0 -- stderr: "iptables v1.8.2 (nf_tables): Chain 'f2b-recidive' does not exist"
2020-12-04 12:04:13,663 fail2ban.utils          [942]: ERROR   b555a1a0 -- stderr: "Try `iptables -h' or 'iptables --help' for more information."
2020-12-04 12:04:13,663 fail2ban.utils          [942]: ERROR   b555a1a0 -- stderr: 'iptables: No chain/target/match by that name.'
2020-12-04 12:04:13,663 fail2ban.utils          [942]: ERROR   b555a1a0 -- returned 1
2020-12-04 12:04:13,686 fail2ban.utils          [942]: Level 39 b55013e0 -- exec: iptables -w -n -L INPUT | grep -q 'f2b-recidive[ \t]'
2020-12-04 12:04:13,686 fail2ban.utils          [942]: ERROR   b55013e0 -- returned 1
2020-12-04 12:04:13,687 fail2ban.CommandAction  [942]: CRITICAL Unable to restore environment
2020-12-04 12:04:13,687 fail2ban.actions        [942]: ERROR   Failed to execute unban jail 'recidive' action 'iptables-allports' info 'ActionInfo({'ip': '112.85.42.187', 'family': 'inet4', 'ip-rev': '187.42.85.112.', 'ip-host': None, 'fid': '112.85.42.187', 'failures': 10, 'time': 1607008548.522979, 'matches': '2020-11-27 07:09:45,342 fail2ban.actions        [930]: NOTICE  [sshd] Ban 112.85.42.187\n2020-11-27 07:23:55,794 fail2ban.actions        [930]: NOTICE  [sshd] Ban 112.85.42.187\n2020-11-27 07:46:01,663 fail2ban.actions        [930]: NOTICE  [sshd] Ban 112.85.42.187\n2020-11-27 08:29:17,780 fail2ban.actions        [930]: NOTICE  [sshd] Ban 112.85.42.187\n2020-11-27 08:51:22,242 fail2ban.actions        [930]: NOTICE  [sshd] Ban 112.85.42.187\n2020-11-27 09:21:45,973 fail2ban.actions        [930]: NOTICE  [sshd] Ban 112.85.42.187\n2020-11-27 10:15:02,234 fail2ban.actions        [930]: NOTICE  [sshd] Ban 112.85.42.187\n2020-11-27 10:55:38,640 fail2ban.actions        [930]: NOTICE  [sshd] Ban 112.85.42.187\n2020-11-27 11:13:10,158 fail2ban.actions        [930]: NOTICE  [sshd] Ban 112.85.42.187\n2020-11-27 12:04:12,253 fail2ban.actions        [930]: NOTICE  [sshd] Ban 112.85.42.187', 'restored': 1, 'F-*': {'matches': [['', '2020-11-27 07:09:45,342', ' fail2ban.actions        [930]: NOTICE  [sshd] Ban 112.85.42.187'], '2020-11-27 07:23:55,794 fail2ban.actions        [930]: NOTICE  [sshd] Ban 112.85.42.187', '2020-11-27 07:46:01,663 fail2ban.actions        [930]: NOTICE  [sshd] Ban 112.85.42.187', '2020-11-27 08:29:17,780 fail2ban.actions        [930]: NOTICE  [sshd] Ban 112.85.42.187', '2020-11-27 08:51:22,242 fail2ban.actions        [930]: NOTICE  [sshd] Ban 112.85.42.187', '2020-11-27 09:21:45,973 fail2ban.actions        [930]: NOTICE  [sshd] Ban 112.85.42.187', '2020-11-27 10:15:02,234 fail2ban.actions        [930]: NOTICE  [sshd] Ban 112.85.42.187', '2020-11-27 10:55:38,640 fail2ban.actions        [930]: NOTICE  [sshd] Ban 112.85.42.187', '2020-11-27 
11:13:10,158 fail2ban.actions        [930]: NOTICE  [sshd] Ban 112.85.42.187', '2020-11-27 12:04:12,253 fail2ban.actions        [930]: NOTICE  [sshd] Ban 112.85.42.187'], 'failures': 10, 'ip4': '112.85.42.187'}, 'ipmatches': 'Dec  1 18:58:36 monYunohost sshd[18571]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=112.85.42.187  user=root\nDec  1 18:58:39 monYunohost sshd[18571]: Failed password for root from 112.85.42.187 port 36444 ssh2\nDec  1 18:58:44 monYunohost sshd[18571]: Failed password for root from 112.85.42.187 port 36444 ssh2\nDec  1 18:58:48 monYunohost sshd[18571]: Failed password for root from 112.85.42.187 port 36444 ssh2\nDec  1 19:00:56 monYunohost sshd[20314]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=112.85.42.187  user=root\nDec  1 19:00:59 monYunohost sshd[20314]: Failed password for root from 112.85.42.187 port 46219 ssh2\nDec  1 19:01:03 monYunohost sshd[20314]: Failed password for root from 112.85.42.187 port 46219 ssh2\nDec  1 19:01:05 monYunohost sshd[20314]: Failed password for root from 112.85.42.187 port 46219 ssh2\nDec  1 19:04:31 monYunohost sshd[22933]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=112.85.42.187  user=root\nDec  1 19:04:33 monYunohost sshd[22933]: Failed password for root from 112.85.42.187 port 53522 ssh2\nDec  1 19:26:58 monYunohost sshd[7619]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=112.85.42.187  user=root\nDec  1 19:27:00 monYunohost sshd[7619]: Failed password for root from 112.85.42.187 port 44022 ssh2\nDec  1 19:27:03 monYunohost sshd[7619]: Failed password for root from 112.85.42.187 port 44022 ssh2\nDec  1 19:27:05 monYunohost sshd[7619]: Failed password for root from 112.85.42.187 port 44022 ssh2\nDec  1 19:28:10 monYunohost sshd[8500]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= 
rhost=112.85.42.187  user=root\nDec  1 19:28:13 monYunohost sshd[8500]: Failed password for root from 112.85.42.187 port 29874 ssh2\nDec  1 19:28:17 monYunohost sshd[8500]: Failed password for root from 112.85.42.187 port 29874 ssh2\nDec  1 19:28:20 monYunohost sshd[8500]: Failed password for root from 112.85.42.187 port 29874 ssh2\nDec  1 19:36:37 monYunohost sshd[14747]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=112.85.42.187  user=root\nDec  1 19:36:39 monYunohost sshd[14747]: Failed password for root from 112.85.42.187 port 26089 ssh2\nDec  1 20:45:31 monYunohost sshd[29468]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=112.85.42.187  user=root\nDec  1 20:45:33 monYunohost sshd[29468]: Failed password for root from 112.85.42.187 port 60974 ssh2\nDec  1 20:45:36 monYunohost sshd[29468]: Failed password for root from 112.85.42.187 port 60974 ssh2\nDec  1 20:45:40 monYunohost sshd[29468]: Failed password for root from 112.85.42.187 port 60974 ssh2\nDec  1 20:49:06 monYunohost sshd[30589]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=112.85.42.187  user=root\nDec  1 20:49:08 monYunohost sshd[30589]: Failed password for root from 112.85.42.187 port 15822 ssh2\nDec  1 20:49:10 monYunohost sshd[30589]: Failed password for root from 112.85.42.187 port 15822 ssh2\nDec  1 20:49:13 monYunohost sshd[30589]: Failed password for root from 112.85.42.187 port 15822 ssh2\nDec  1 20:51:26 monYunohost sshd[31514]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=112.85.42.187  user=root\nDec  1 20:51:28 monYunohost sshd[31514]: Failed password for root from 112.85.42.187 port 24893 ssh2\nDec  1 21:07:06 monYunohost sshd[5528]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=112.85.42.187  user=root\nDec  1 21:07:08 monYunohost sshd[5528]: Failed password for root from 
112.85.42.187 port 55626 ssh2\nDec  1 21:07:11 monYunohost sshd[5528]: Failed password for root from 112.85.42.187 port 55626 ssh2\nDec  1 21:07:16 monYunohost sshd[5528]: Failed password for root from 112.85.42.187 port 55626 ssh2\nDec  1 21:08:15 monYunohost sshd[5544]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=112.85.42.187  user=root\nDec  1 21:08:17 monYunohost sshd[5544]: Failed password for root from 112.85.42.187 port 30400 ssh2\nDec  1 21:08:19 monYunohost sshd[5544]: Failed password for root from 112.85.42.187 port 30400 ssh2\nDec  1 21:08:22 monYunohost sshd[5544]: Failed password for root from 112.85.42.187 port 30400 ssh2\nDec  1 21:14:13 monYunohost sshd[8922]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=112.85.42.187  user=root\nDec  1 21:14:15 monYunohost sshd[8922]: Failed password for root from 112.85.42.187 port 11155 ssh2\nDec  1 22:43:21 monYunohost sshd[1545]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=112.85.42.187  user=root\nDec  1 22:43:23 monYunohost sshd[1545]: Failed password for root from 112.85.42.187 port 51326 ssh2\nDec  1 22:43:25 monYunohost sshd[1545]: Failed password for root from 112.85.42.187 port 51326 ssh2\nDec  1 22:43:29 monYunohost sshd[1545]: Failed password for root from 112.85.42.187 port 51326 ssh2\nDec  1 22:47:59 monYunohost sshd[1695]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=112.85.42.187  user=root\nDec  1 22:48:02 monYunohost sshd[1695]: Failed password for root from 112.85.42.187 port 51506 ssh2\nDec  1 22:48:06 monYunohost sshd[1695]: Failed password for root from 112.85.42.187 port 51506 ssh2\nDec  1 22:48:08 monYunohost sshd[1695]: Failed password for root from 112.85.42.187 port 51506 ssh2\nDec  1 22:50:20 monYunohost sshd[1747]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= 
rhost=112.85.42.187  user=root\nDec  1 22:50:21 monYunohost sshd[1747]: Failed password for root from 112.85.42.187 port 64503 ssh2', 'ipjailmatches': '2020-11-22 13:28:11,707 fail2ban.actions        [946]: NOTICE  [sshd] Ban 112.85.42.187\n2020-11-22 14:30:22,970 fail2ban.actions        [946]: NOTICE  [sshd] Ban 112.85.42.187\n2020-11-22 14:46:36,924 fail2ban.actions        [946]: NOTICE  [sshd] Ban 112.85.42.187\n2020-11-22 15:03:04,907 fail2ban.actions        [946]: NOTICE  [sshd] Ban 112.85.42.187\n2020-11-22 15:21:42,448 fail2ban.actions        [946]: NOTICE  [sshd] Ban 112.85.42.187\n2020-11-22 15:47:31,761 fail2ban.actions        [946]: NOTICE  [sshd] Ban 112.85.42.187\n2020-11-22 16:04:57,471 fail2ban.actions        [946]: NOTICE  [sshd] Ban 112.85.42.187\n2020-11-22 16:19:59,359 fail2ban.actions        [946]: NOTICE  [sshd] Ban 112.85.42.187\n2020-11-22 16:34:58,601 fail2ban.actions        [946]: NOTICE  [sshd] Ban 112.85.42.187\n2020-11-22 16:49:35,841 fail2ban.actions        [946]: NOTICE  [sshd] Ban 112.85.42.187\n2020-11-22 17:04:13,375 fail2ban.actions        [946]: NOTICE  [sshd] Ban 112.85.42.187\n2020-11-22 17:18:40,847 fail2ban.actions        [946]: NOTICE  [sshd] Ban 112.85.42.187\n2020-11-22 17:34:24,229 fail2ban.actions        [946]: NOTICE  [sshd] Ban 112.85.42.187\n2020-11-22 17:49:53,509 fail2ban.actions        [946]: NOTICE  [sshd] Ban 112.85.42.187\n2020-11-22 18:03:45,915 fail2ban.actions        [946]: NOTICE  [sshd] Ban 112.85.42.187\n2020-11-22 18:16:34,297 fail2ban.actions        [946]: NOTICE  [sshd] Ban 112.85.42.187\n2020-11-22 18:29:21,987 fail2ban.actions        [946]: NOTICE  [sshd] Ban 112.85.42.187\n2020-11-22 18:42:13,158 fail2ban.actions        [946]: NOTICE  [sshd] Ban 112.85.42.187\n2020-11-22 18:54:50,255 fail2ban.actions        [946]: NOTICE  [sshd] Ban 112.85.42.187\n2020-11-22 19:07:42,578 fail2ban.actions        [946]: NOTICE  [sshd] Ban 112.85.42.187\n2020-11-22 19:20:32,871 fail2ban.actions        [946]: NOTICE  
[sshd] Ban 112.85.42.187\n2020-11-22 19:33:19,232 fail2ban.actions        [946]: NOTICE  [sshd] Ban 112.85.42.187\n2020-11-22 19:46:04,913 fail2ban.actions        [946]: NOTICE  [sshd] Ban 112.85.42.187\n2020-11-22 19:59:08,662 fail2ban.actions        [946]: NOTICE  [sshd] Ban 112.85.42.187\n2020-11-22 20:13:56,600 fail2ban.actions        [946]: NOTICE  [sshd] Ban 112.85.42.187\n2020-11-22 20:26:25,700 fail2ban.actions        [946]: NOTICE  [sshd] Ban 112.85.42.187\n2020-11-22 20:39:08,009 fail2ban.actions        [946]: NOTICE  [sshd] Ban 112.85.42.187\n2020-11-22 20:51:58,351 fail2ban.actions        [946]: NOTICE  [sshd] Ban 112.85.42.187\n2020-11-22 21:04:22,627 fail2ban.actions        [946]: NOTICE  [sshd] Ban 112.85.42.187\n2020-11-22 21:17:58,358 fail2ban.actions        [946]: NOTICE  [sshd] Ban 112.85.42.187\n2020-11-22 21:30:41,486 fail2ban.actions        [946]: NOTICE  [sshd] Ban 112.85.42.187\n2020-11-22 21:43:19,167 fail2ban.actions        [946]: NOTICE  [sshd] Ban 112.85.42.187\n2020-11-22 21:57:06,363 fail2ban.actions        [946]: NOTICE  [sshd] Ban 112.85.42.187\n2020-11-22 22:10:56,788 fail2ban.actions        [946]: NOTICE  [sshd] Ban 112.85.42.187\n2020-11-22 22:23:47,170 fail2ban.actions        [946]: NOTICE  [sshd] Ban 112.85.42.187\n2020-11-22 22:38:44,971 fail2ban.actions        [946]: NOTICE  [sshd] Ban 112.85.42.187\n2020-11-22 22:53:46,982 fail2ban.actions        [946]: NOTICE  [sshd] Ban 112.85.42.187\n2020-11-22 23:06:46,715 fail2ban.actions        [946]: NOTICE  [sshd] Ban 112.85.42.187\n2020-11-22 23:19:19,864 fail2ban.actions        [946]: NOTICE  [sshd] Ban 112.85.42.187\n2020-11-22 23:32:17,185 fail2ban.actions        [946]: NOTICE  [sshd] Ban 112.85.42.187\n2020-11-27 07:09:45,342 fail2ban.actions        [930]: NOTICE  [sshd] Ban 112.85.42.187\n2020-11-27 07:23:55,794 fail2ban.actions        [930]: NOTICE  [sshd] Ban 112.85.42.187\n2020-11-27 07:46:01,663 fail2ban.actions        [930]: NOTICE  [sshd] Ban 112.85.42.187\n2020-11-27 
08:29:17,780 fail2ban.actions        [930]: NOTICE  [sshd] Ban 112.85.42.187\n2020-11-27 08:51:22,242 fail2ban.actions        [930]: NOTICE  [sshd] Ban 112.85.42.187\n2020-11-27 09:21:45,973 fail2ban.actions        [930]: NOTICE  [sshd] Ban 112.85.42.187\n2020-11-27 10:15:02,234 fail2ban.actions        [930]: NOTICE  [sshd] Ban 112.85.42.187\n2020-11-27 10:55:38,640 fail2ban.actions        [930]: NOTICE  [sshd] Ban 112.85.42.187\n2020-11-27 11:13:10,158 fail2ban.actions        [930]: NOTICE  [sshd] Ban 112.85.42.187\n2020-11-27 12:04:12,253 fail2ban.actions        [930]: NOTICE  [sshd] Ban 112.85.42.187', 'ipfailures': 890, 'ipjailfailures': 60})': Error unbanning 112.85.42.187

Apart from the errors, I don't even understand why attempts are possible on so many ports, given that the command sudo yunohost firewall reload returns:

Success! Firewall reloaded
opened_ports: 
  - 25
  - 53
  - 80
  - 443
  - 587
  - 993
  - 2912
  - 5222
  - 5269
  - 5353
  - 48200
  - 50007

I get the impression that the firewall simply isn't working (I'll talk about my /var/log/nginx/access.log in a future topic, once this problem is solved).

What can I do to fix this problem? Thanks in advance.

  • For errors like Jail 'sshd-ddos' skipped, because of wrong configuration: Unable to read the filter 'sshd-ddos', this will be fixed in 4.1 (it doesn't really cause a problem)
  • On the other hand, I don't really understand why iptables returns an error saying that f2b-recidive doesn't exist, unless there's something else on your system that manipulates the iptables rules like a big brute…

Which "attempts on so many ports" are you talking about? There's not really any mention of ports in the log you're referring to…

Yes, you already told me that in another topic. :slight_smile: I just wanted to leave a complete sequence of the log from startup to the crash.

I don't know either. I haven't installed anything manually, I've always gone through the web admin interface. Over SSH, I only encrypted an external hard drive (mounted on /home) and followed the Yunohost tutorial to improve SSH security (port change, key authentication, etc.). And the crashes were already happening before that.

It's well hidden in the overly long last line of the log. :slight_smile: Here is the relevant extract again, rearranged:

18:58:36 monYunohost sshd[18571]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=112.85.42.187  user=root\nDec  1
18:58:39 monYunohost sshd[18571]: Failed password for root from 112.85.42.187 port 36444 ssh2\nDec  1
18:58:44 monYunohost sshd[18571]: Failed password for root from 112.85.42.187 port 36444 ssh2\nDec  1
18:58:48 monYunohost sshd[18571]: Failed password for root from 112.85.42.187 port 36444 ssh2\nDec  1
19:00:56 monYunohost sshd[20314]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=112.85.42.187  user=root\nDec  1
19:00:59 monYunohost sshd[20314]: Failed password for root from 112.85.42.187 port 46219 ssh2\nDec  1
19:01:03 monYunohost sshd[20314]: Failed password for root from 112.85.42.187 port 46219 ssh2\nDec  1
19:01:05 monYunohost sshd[20314]: Failed password for root from 112.85.42.187 port 46219 ssh2\nDec  1
19:04:31 monYunohost sshd[22933]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=112.85.42.187  user=root\nDec  1
19:04:33 monYunohost sshd[22933]: Failed password for root from 112.85.42.187 port 53522 ssh2\nDec  1
19:26:58 monYunohost sshd[7619]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=112.85.42.187  user=root\nDec  1
19:27:00 monYunohost sshd[7619]: Failed password for root from 112.85.42.187 port 44022 ssh2\nDec  1
19:27:03 monYunohost sshd[7619]: Failed password for root from 112.85.42.187 port 44022 ssh2\nDec  1
19:27:05 monYunohost sshd[7619]: Failed password for root from 112.85.42.187 port 44022 ssh2\nDec  1
19:28:10 monYunohost sshd[8500]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=112.85.42.187  user=root\nDec  1
19:28:13 monYunohost sshd[8500]: Failed password for root from 112.85.42.187 port 29874 ssh2\nDec  1
19:28:17 monYunohost sshd[8500]: Failed password for root from 112.85.42.187 port 29874 ssh2\nDec  1
19:28:20 monYunohost sshd[8500]: Failed password for root from 112.85.42.187 port 29874 ssh2\nDec  1
19:36:37 monYunohost sshd[14747]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=112.85.42.187  user=root\nDec  1
19:36:39 monYunohost sshd[14747]: Failed password for root from 112.85.42.187 port 26089 ssh2\nDec  1
20:45:31 monYunohost sshd[29468]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=112.85.42.187  user=root\nDec  1
20:45:33 monYunohost sshd[29468]: Failed password for root from 112.85.42.187 port 60974 ssh2\nDec  1
20:45:36 monYunohost sshd[29468]: Failed password for root from 112.85.42.187 port 60974 ssh2\nDec  1
20:45:40 monYunohost sshd[29468]: Failed password for root from 112.85.42.187 port 60974 ssh2\nDec  1
20:49:06 monYunohost sshd[30589]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=112.85.42.187  user=root\nDec  1
20:49:08 monYunohost sshd[30589]: Failed password for root from 112.85.42.187 port 15822 ssh2\nDec  1
20:49:10 monYunohost sshd[30589]: Failed password for root from 112.85.42.187 port 15822 ssh2\nDec  1
20:49:13 monYunohost sshd[30589]: Failed password for root from 112.85.42.187 port 15822 ssh2\nDec  1
20:51:26 monYunohost sshd[31514]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=112.85.42.187  user=root\nDec  1
20:51:28 monYunohost sshd[31514]: Failed password for root from 112.85.42.187 port 24893 ssh2\nDec  1
21:07:06 monYunohost sshd[5528]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=112.85.42.187  user=root\nDec  1
21:07:08 monYunohost sshd[5528]: Failed password for root from 112.85.42.187 port 55626 ssh2\nDec  1
21:07:11 monYunohost sshd[5528]: Failed password for root from 112.85.42.187 port 55626 ssh2\nDec  1
21:07:16 monYunohost sshd[5528]: Failed password for root from 112.85.42.187 port 55626 ssh2\nDec  1
21:08:15 monYunohost sshd[5544]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=112.85.42.187  user=root\nDec  1
21:08:17 monYunohost sshd[5544]: Failed password for root from 112.85.42.187 port 30400 ssh2\nDec  1
21:08:19 monYunohost sshd[5544]: Failed password for root from 112.85.42.187 port 30400 ssh2\nDec  1
21:08:22 monYunohost sshd[5544]: Failed password for root from 112.85.42.187 port 30400 ssh2\nDec  1
21:14:13 monYunohost sshd[8922]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=112.85.42.187  user=root\nDec  1
21:14:15 monYunohost sshd[8922]: Failed password for root from 112.85.42.187 port 11155 ssh2\nDec  1
22:43:21 monYunohost sshd[1545]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=112.85.42.187  user=root\nDec  1
22:43:23 monYunohost sshd[1545]: Failed password for root from 112.85.42.187 port 51326 ssh2\nDec  1
22:43:25 monYunohost sshd[1545]: Failed password for root from 112.85.42.187 port 51326 ssh2\nDec  1
22:43:29 monYunohost sshd[1545]: Failed password for root from 112.85.42.187 port 51326 ssh2\nDec  1
22:47:59 monYunohost sshd[1695]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=112.85.42.187  user=root\nDec  1
22:48:02 monYunohost sshd[1695]: Failed password for root from 112.85.42.187 port 51506 ssh2\nDec  1
22:48:06 monYunohost sshd[1695]: Failed password for root from 112.85.42.187 port 51506 ssh2\nDec  1
22:48:08 monYunohost sshd[1695]: Failed password for root from 112.85.42.187 port 51506 ssh2\nDec  1
22:50:20 monYunohost sshd[1747]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=112.85.42.187  user=root\nDec  1

As you can see, the connection attempts take place on ports that are closed according to the Yunohost firewall…

That's because the port mentioned is not the server-side port (which is 22, classically) but the client-side port (yes, it's talked about much less often, but the client also connects with a port, which isn't really important and is chosen somewhat randomly, even if that depends on the context)

However, here we should see that the IP 112.85.42.187 should get banned… If that's not the case, I imagine it's related to the problem of the jail that doesn't exist… Apparently fail2ban tries to restore the jail (cf. the error messages, looking more carefully) but doesn't manage to…

Naively, I would try restarting fail2ban and checking that iptables-save does mention jails like "f2b-recidive" or other things starting with f2b
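
The check suggested just above (confirming that `iptables-save` lists `f2b-*` chains and that INPUT jumps to them), as an added example that is not part of the original thread. The function name `f2b_chain_audit` and both sample rulesets are constructed for illustration; the `-A INPUT -p tcp -j f2b-<jail>` layout is taken from the iptables commands visible in the fail2ban log.

```shell
#!/bin/sh
# Added example: audit iptables-save output for fail2ban chains.
# On a live host (as root): iptables-save | f2b_chain_audit recidive sshd

# f2b_chain_audit JAIL...
# Reads iptables-save text on stdin and prints "<jail> <state>" per jail:
#   ok        chain f2b-<jail> is declared and an INPUT rule jumps to it
#   unhooked  chain is declared but no INPUT rule jumps to it
#   missing   chain is not declared at all
# Returns 0 only when every requested jail is "ok".
f2b_chain_audit() {
    awk -v jails="$*" '
        # Chain declarations look like ":f2b-recidive - [0:0]"
        /^:f2b-/ { declared[substr($1, 2)] = 1 }
        # Jump rules look like "-A INPUT -p tcp -j f2b-recidive"
        $1 == "-A" && $2 == "INPUT" {
            for (i = 3; i < NF; i++)
                if ($i == "-j" && $(i + 1) ~ /^f2b-/) hooked[$(i + 1)] = 1
        }
        END {
            n = split(jails, list, " ")
            bad = 0
            for (k = 1; k <= n; k++) {
                chain = "f2b-" list[k]
                if (!(chain in declared))    { state = "missing";  bad = 1 }
                else if (!(chain in hooked)) { state = "unhooked"; bad = 1 }
                else                         { state = "ok" }
                print list[k], state
            }
            exit bad
        }'
}

# Constructed sample modelled on the ruleset posted in the thread:
# YunoHost and VPN client rules are present, but no f2b-* chain exists.
sample_without_f2b() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:vpnclient_in - [0:0]
-A INPUT -i 202 -j vpnclient_in
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A vpnclient_in -j DROP
COMMIT
EOF
}

# Constructed sample (assumed layout): recidive is declared and hooked,
# sshd is declared but nothing in INPUT jumps to it.
sample_with_f2b() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:f2b-recidive - [0:0]
:f2b-sshd - [0:0]
-A INPUT -p tcp -j f2b-recidive
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A f2b-recidive -s 203.0.113.10/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-recidive -j RETURN
-A f2b-sshd -j RETURN
COMMIT
EOF
}

# Demo on the constructed samples (a non-zero status here is expected).
sample_without_f2b | f2b_chain_audit recidive sshd || true
sample_with_f2b    | f2b_chain_audit recidive sshd || true
```

A "missing" result right after a fail2ban restart means the chain was never created; a chain that is "ok" after the restart and "missing" later points to something flushing the ruleset in between.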

Ah yes, that's true. Besides, reading the log carefully, it's clear that the port is tied to the client's address and not the server's. Thanks for the reminder!

Well then it's very simple: iptables-save returns nothing starting with f2b:

# Generated by xtables-save v1.8.2 on Sat Dec  5 22:40:53 2020
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:vpnclient_in - [0:0]
:vpnclient_out - [0:0]
:vpnclient_fwd - [0:0]
-A INPUT -i 202 -j vpnclient_in
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 587 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5222 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5269 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 50007 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 48200 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2912 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 5353 -j ACCEPT
-A INPUT -p udp -m udp --dport 50007 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A FORWARD -o 202 -j vpnclient_fwd
-A OUTPUT -o 202 -j vpnclient_out
-A vpnclient_in -p icmp -j ACCEPT
-A vpnclient_in -s 10.0.0.0/8 -j ACCEPT
-A vpnclient_in -s 172.16.0.0/12 -j ACCEPT
-A vpnclient_in -s 192.168.0.0/16 -j ACCEPT
-A vpnclient_in -s 169.254.0.0/16 -j ACCEPT
-A vpnclient_in -p tcp -m tcp --dport 22 -j ACCEPT
-A vpnclient_in -p tcp -m tcp --dport 443 -j ACCEPT
-A vpnclient_in -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A vpnclient_in -j DROP
-A vpnclient_out -d 185.233.100.14/32 -p udp -m udp --dport 1194 -j ACCEPT
-A vpnclient_out -d 185.233.100.6/32 -p udp -m udp --dport 1194 -j ACCEPT
-A vpnclient_out -d 185.233.100.100/32 -p udp -m udp --dport 53 -j ACCEPT
-A vpnclient_out -d 185.233.100.101/32 -p udp -m udp --dport 53 -j ACCEPT
-A vpnclient_out -d 10.0.0.0/8 -j ACCEPT
-A vpnclient_out -d 172.16.0.0/12 -j ACCEPT
-A vpnclient_out -d 192.168.0.0/16 -j ACCEPT
-A vpnclient_out -d 169.254.0.0/16 -j ACCEPT
-A vpnclient_out -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
-A vpnclient_out -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A vpnclient_out -j DROP
-A vpnclient_fwd -j DROP
COMMIT
# Completed on Sat Dec  5 22:40:53 2020

I restarted fail2ban beforehand. What do you think?

Hm, well, yeah, that's not great…

It did it again this afternoon. Do you have any idea what I could try to solve the problem? Could I, for example, manually add what's missing from some Yunohost configuration file? Could the VPN application be the cause of these missing pieces?
