Raspberry-Pi
Fail2Ban does not detect dropbear authentication failures
Raspberry Pi Linux
hostname 4.9.36+ #1015 Thu Jul 6 16:07:57 BST 2017 armv6l GNU/Linux

fail2ban does not detect dropbear authentication failures. This works fine with openssh. I moved to dropbear to reduce memory usage.

Here is my auth.log, to show that logging is working:

```
dropbear[2640]: Bad password attempt for 'username' from 192.168.1.151:50780
```
My jail.local:

```ini
#dropbear ssh config password
[dropbear]
enabled   = true
port      = ssh
filter    = dropbear
logpath   = /var/log/auth.log
bantime   = 900
banaction = iptables-allports
findtime  = 900
maxretry  = 3
```
My dropbear.conf fail2ban filter:

```ini
[Definition]

_daemon = dropbear

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
# These match the unmodified dropbear messages. It isn't possible to
# match the source of the 'exit before auth' messages from dropbear.
#
failregex = ^%(__prefix_line)slogin attempt for nonexistent user ('.*' )?from <HOST>:.*\s*$
            ^%(__prefix_line)sbad password attempt for .+ from <HOST>:.*\s*$

# The only line we need to match with the modified dropbear.
# NOTE: The failregex below is ONLY intended to work with a patched
#       version of Dropbear as described here:
#       http://www.unchartedbackwaters.co.uk/pyblosxom/static/patches
```
And the standard jail.conf (these options should be overridden by the .local jail):

```ini
# in /etc/fail2ban/jail.local.
#
# Optionally you may override any other parameter (e.g. banaction,
# action, port, logpath, etc) in that section within jail.local

[ssh]

enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 6

[dropbear]

enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/dropbear
maxretry = 6
```
The regular expression in dropbear.conf does not match this entry in auth.log:

```
Bad password attempt for...   /* auth.log */
bad password attempt for...   /* dropbear.conf */
```

If you edit dropbear.conf to respect case, fail2ban should pick up the logged authentication failures.
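As an added illustration (not part of the answer above, and not fail2ban's own code), the Python below applies the two failregex lines from the question's dropbear.conf, and their case-tolerant counterparts, to a constructed auth.log excerpt. The `%(__prefix_line)s` expansion is replaced by a simplified syslog-prefix pattern (an assumption; fail2ban's real definition in common.conf is more permissive), the `<HOST>` tag is expanded as the filter's own comment describes, and the sample log lines, hostnames and ports are made up. It shows why the posted filter yields no matches and how the case-tolerant version produces the per-host failure counts that a jail with `maxretry = 3` would act on.

```python
import re
from collections import Counter

# Constructed stand-in for fail2ban's %(__prefix_line)s (assumption: a plain
# syslog prefix "Mon DD HH:MM:SS host dropbear[pid]: "; the real definition in
# common.conf is more permissive).
PREFIX = r"^\S+\s+\d+\s+\d+:\d+:\d+\s+\S+\s+dropbear\[\d+\]:\s+"
# Expansion of the <HOST> tag, as described in the filter's own comment.
HOST = r"(?:::f{4,6}:)?(?P<host>\S+)"

# failregex exactly as posted in the question's dropbear.conf: lowercase
# "login"/"bad", which is why the real "Bad password attempt" lines never match.
ORIGINAL_FAILREGEX = [
    PREFIX + r"login attempt for nonexistent user ('.*' )?from " + HOST + r":.*\s*$",
    PREFIX + r"bad password attempt for .+ from " + HOST + r":.*\s*$",
]

# Case-tolerant versions: the edit the answer recommends.
FIXED_FAILREGEX = [
    PREFIX + r"[Ll]ogin attempt for nonexistent user ('.*' )?from " + HOST + r":.*\s*$",
    PREFIX + r"[Bb]ad password attempt for .+ from " + HOST + r":.*\s*$",
]

# Constructed auth.log excerpt; timestamps, hosts and ports are made up.
SAMPLE_AUTH_LOG = [
    "Jul 10 12:34:56 raspberrypi dropbear[2640]: Bad password attempt for 'username' from 192.168.1.151:50780",
    "Jul 10 12:35:02 raspberrypi dropbear[2641]: Bad password attempt for 'username' from 192.168.1.151:50781",
    "Jul 10 12:35:09 raspberrypi dropbear[2642]: Bad password attempt for 'root' from 192.168.1.151:50782",
    "Jul 10 12:35:30 raspberrypi dropbear[2643]: Login attempt for nonexistent user from 10.0.0.5:40112",
    "Jul 10 12:36:00 raspberrypi dropbear[2644]: Password auth succeeded for 'pi' from 192.168.1.20:50790",
]


def match_failures(lines, patterns):
    """Return the <host> captured from every line that any failregex matches,
    in log order (one entry per matching line, like fail2ban's failure tickets)."""
    compiled = [re.compile(p) for p in patterns]
    hosts = []
    for line in lines:
        for rx in compiled:
            m = rx.search(line)
            if m:
                hosts.append(m.group("host"))
                break
    return hosts


def hosts_to_ban(hosts, maxretry=3):
    """Hosts with at least `maxretry` matched failures (findtime is ignored here)."""
    counts = Counter(hosts)
    return sorted(h for h, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    print("posted filter :", match_failures(SAMPLE_AUTH_LOG, ORIGINAL_FAILREGEX))
    print("case-tolerant :", match_failures(SAMPLE_AUTH_LOG, FIXED_FAILREGEX))
    print("would ban     :", hosts_to_ban(match_failures(SAMPLE_AUTH_LOG, FIXED_FAILREGEX)))
```

On a real system the same check is done with fail2ban's own tester, `fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/dropbear.conf`, which reports how many lines each failregex matched; zero matches for a log that visibly contains failures is the symptom described in the question.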