"sudo service fail2ban status" = "What?"

DD-WRT Forum Index -> Advanced Networking
ho1Aetoo
DD-WRT Guru


Joined: 19 Feb 2019
Posts: 2971
Location: Germany

PostPosted: Sun Feb 05, 2023 12:39
I have tested further; the regex is not quite correct.
Maybe just a copy-and-paste error, no idea; I don't use OpenVPN.

new regex:

Code:
# Fail2Ban filter for selected OpenVPN rejections
#
#

[Definition]

# Example messages (other matched messages not seen in the testing server's logs):
# Fri Sep 23 11:55:36 2016 TLS Error: incoming packet authentication failed from [AF_INET]59.90.146.160:51223
# Thu Aug 25 09:36:02 2016 117.207.115.143:58922 TLS Error: TLS handshake failed

failregex = ^ TLS Error: incoming packet authentication failed from \[AF_INET\]<HOST>:\d+$
            ^ <HOST>:\d+ Connection reset, restarting
            ^ <HOST>:\d+ TLS Auth Error
            <HOST>:\d+ TLS Error: TLS handshake failed$
            ^ <HOST>:\d+ VERIFY ERROR

ignoreregex =


Code:
root@DD-WRT:/opt/etc/fail2ban/filter.d# echo "Feb  5 $(date | cut -d " " -f 5) DD-WRT-HOST daemon.err openvpn[32361]: 95.90.233.246:80 TLS Error: TLS handshake failed" >> /var/log/messages
root@DD-WRT:/opt/etc/fail2ban/filter.d# echo "Feb  5 $(date | cut -d " " -f 5) DD-WRT-HOST daemon.err openvpn[32361]: 95.90.233.246:80 TLS Error: TLS handshake failed" >> /var/log/messages
root@DD-WRT:/opt/etc/fail2ban/filter.d# echo "Feb  5 $(date | cut -d " " -f 5) DD-WRT-HOST daemon.err openvpn[32361]: 95.90.233.246:80 TLS Error: TLS handshake failed" >> /var/log/messages
root@DD-WRT:/opt/etc/fail2ban/filter.d# echo "Feb  5 $(date | cut -d " " -f 5) DD-WRT-HOST daemon.err openvpn[32361]: 95.90.233.246:80 TLS Error: TLS handshake failed" >> /var/log/messages
root@DD-WRT:/opt/etc/fail2ban/filter.d# echo "Feb  5 $(date | cut -d " " -f 5) DD-WRT-HOST daemon.err openvpn[32361]: 95.90.233.246:80 TLS Error: TLS handshake failed" >> /var/log/messages
root@DD-WRT:/opt/etc/fail2ban/filter.d#


Code:
root@DD-WRT:/opt/etc/fail2ban/filter.d# cat /opt/var/log//fail2ban.log | tail
2023-02-05 13:30:05,603 fail2ban.jail           [11240]: INFO    Jail 'openvpn' started
2023-02-05 13:30:26,876 fail2ban.filter         [11240]: INFO    [openvpn] Found 95.90.233.246 - 2023-02-05 13:30:26
2023-02-05 13:30:28,082 fail2ban.filter         [11240]: INFO    [openvpn] Found 95.90.233.246 - 2023-02-05 13:30:27
2023-02-05 13:30:28,688 fail2ban.filter         [11240]: INFO    [openvpn] Found 95.90.233.246 - 2023-02-05 13:30:28
2023-02-05 13:30:29,293 fail2ban.filter         [11240]: INFO    [openvpn] Found 95.90.233.246 - 2023-02-05 13:30:29
2023-02-05 13:30:30,499 fail2ban.filter         [11240]: INFO    [openvpn] Found 95.90.233.246 - 2023-02-05 13:30:29
2023-02-05 13:30:30,827 fail2ban.actions        [11240]: NOTICE  [openvpn] Ban 95.90.233.246



Code:
root@DD-WRT:/opt/etc/fail2ban/filter.d# fail2ban-client status openvpn
Status for the jail: openvpn
|- Filter
|  |- Currently failed:   5
|  |- Total failed:   5
|  `- File list:   /tmp/var/log/messages
`- Actions
   |- Currently banned:   1
   |- Total banned:   1
   `- Banned IP list:   95.90.233.246
root@DD-WRT:/opt/etc/fail2ban/filter.d# fail2ban-client unban 95.90.233.246
1


Code:
root@DD-WRT:/opt/etc/fail2ban/filter.d# fail2ban-regex /var/log/messages /opt/etc/fail2ban/filter.d/openvpn.local --print-all-missed

Running tests
=============

Use   failregex filter file : openvpn, basedir: /opt/etc/fail2ban
Use         log file : /var/log/messages
Use         encoding : UTF-8


Results
=======

Failregex: 5 total
|-  #) [# of hits] regular expression
|   4) [5] <HOST>:\d+ TLS Error: TLS handshake failed$
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [5] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
`-

Lines: 5 lines, 0 ignored, 5 matched, 0 missed
[processed in 0.05 sec]

root@DD-WRT:/opt/etc/fail2ban/filter.d#




Then have fun with the rest, which must also be adjusted ...

I'm out; I do not use OpenVPN and I have already done more than enough.
atomicamp
DD-WRT User


Joined: 16 Apr 2018
Posts: 107
Location: Milwaukee, WI

PostPosted: Thu Feb 09, 2023 18:30
ho1Aetoo wrote:
No clue what you are doing.

Your log indicates that you have misconfigured the log path for fail2ban.


And this is now also the last thing I write about it
(since I am going to sleep now):


Code:
root@DD-WRT:~# cd /opt
root@DD-WRT:/opt# wget http://bin.entware.net/armv7sf-k3.2/installer/generic.sh
Connecting to bin.entware.net (188.114.96.3:80)
saving to 'generic.sh'
generic.sh           100% |********************************|  2765  0:00:00 ETA
'generic.sh' saved
root@DD-WRT:/opt# ls
generic.sh
root@DD-WRT:/opt# chmod +x generic.sh
root@DD-WRT:/opt# ./generic.sh
root@DD-WRT:/opt# opkg install fail2ban
root@DD-WRT:/opt# mkdir -p /opt/var/lib/fail2ban/
root@DD-WRT:/opt# cp /opt/etc/fail2ban/jail.conf /opt/etc/fail2ban/jail.local
root@DD-WRT:/opt# vi /opt/etc/fail2ban/jail.local


Quote:
[openvpn]
port = 1194
protocol = udp
filter = openvpn
logpath = /tmp/var/log/messages


Code:
root@DD-WRT:/opt# mkdir -p /opt/etc/fail2ban/jail.d/
root@DD-WRT:/opt# vi /opt/etc/fail2ban/jail.d/openvpn.conf


Quote:
[openvpn]
enabled = true


Code:
root@DD-WRT:/opt# vi /opt/etc/fail2ban/filter.d/openvpn.local


Code:
# Fail2Ban filter for selected OpenVPN rejections
#
#

[Definition]

# Example messages (other matched messages not seen in the testing server's logs):
# Fri Sep 23 11:55:36 2016 TLS Error: incoming packet authentication failed from [AF_INET]59.90.146.160:51223
# Thu Aug 25 09:36:02 2016 117.207.115.143:58922 TLS Error: TLS handshake failed

failregex = ^ TLS Error: incoming packet authentication failed from \[AF_INET\]<HOST>:\d+$
            ^ <HOST>:\d+ Connection reset, restarting
            ^ <HOST>:\d+ TLS Auth Error
            ^ <HOST>:\d+ TLS Error: TLS handshake failed$
            ^ <HOST>:\d+ VERIFY ERROR

ignoreregex =


Code:
root@DD-WRT:/opt# /opt/etc/init.d/S95fail2ban start
 Starting fail2ban-server...              done.

root@DD-WRT:/opt# ps | grep fail
 5537 root     65252 S    {fail2ban-server} /opt/bin/python3 /opt/bin/fail2ban-server -xf start
 5550 root      1428 S    grep fail
root@DD-WRT:/opt# cat /opt/var/log/fail2ban.log
2023-02-04 22:08:35,003 fail2ban.server         [5537]: INFO    --------------------------------------------------
2023-02-04 22:08:35,004 fail2ban.server         [5537]: INFO    Starting Fail2ban v0.11.2
2023-02-04 22:08:35,007 fail2ban.observer       [5537]: INFO    Observer start...
2023-02-04 22:08:35,020 fail2ban.database       [5537]: INFO    Connected to fail2ban persistent database '/opt/var/lib/fail2ban/fail2ban.sqlite3'
2023-02-04 22:08:35,029 fail2ban.database       [5537]: WARNING New database created. Version '4'
2023-02-04 22:08:35,032 fail2ban.jail           [5537]: INFO    Creating new jail 'openvpn'
2023-02-04 22:08:35,048 fail2ban.jail           [5537]: INFO    Jail 'openvpn' uses poller {}
2023-02-04 22:08:35,050 fail2ban.jail           [5537]: INFO    Initiated 'polling' backend
2023-02-04 22:08:35,088 fail2ban.filter         [5537]: INFO      maxRetry: 5
2023-02-04 22:08:35,090 fail2ban.filter         [5537]: INFO      findtime: 600
2023-02-04 22:08:35,091 fail2ban.actions        [5537]: INFO      banTime: 600
2023-02-04 22:08:35,091 fail2ban.filter         [5537]: INFO      encoding: UTF-8
2023-02-04 22:08:35,093 fail2ban.filter         [5537]: INFO    Added logfile: '/tmp/var/log/messages' (pos = 0, hash = ff47fa5c92dbe3fa84e8dcc0d61c6795169502c9)
2023-02-04 22:08:35,103 fail2ban.jail           [5537]: INFO    Jail 'openvpn' started
root@DD-WRT:/opt#


You are a godsend and a great asset to this community! I followed these steps all the way through again, and it worked. You were right, I had my [openvpn] log location misconfigured. This was a great deal of help! I can't thank you enough good sir! Thank you!

_________________
DanRanRocks - Tech Tutorials by Dan Ran

https://github.com/danrancan
dan@danran.rockst
My Blog https://danran.rocks
Join me on key base! and Add me on Keybase

Current Linksys WRT3200acm Firmware "DD-WRT v3.0-r51140 std (12/31/22)
atomicamp
DD-WRT User


Joined: 16 Apr 2018
Posts: 107
Location: Milwaukee, WI

PostPosted: Thu Feb 09, 2023 18:34
ho1Aetoo wrote:
Also, you have sshd enabled; you know it's for the OpenSSH server that you have to install and configure separately?


Does sshd in fail2ban not use dropbear? Must I use openssh for fail2ban to block my ssh port?

atomicamp
DD-WRT User


Joined: 16 Apr 2018
Posts: 107
Location: Milwaukee, WI

PostPosted: Thu Feb 09, 2023 18:40
ho1Aetoo wrote:

then have fun with the rest, which must also be adjusted ...
I'm out, I do not use openvpn and I have already done more than enough


Thanks a ton for all of this! But what exactly is "the rest"? I'm not sure I'm seeing what else needs to be adjusted. I know you've put a lot of time into this, but might you be able to push a hint in my direction? Really appreciate it my friend!

ho1Aetoo
DD-WRT Guru


Joined: 19 Feb 2019
Posts: 2971
Location: Germany

PostPosted: Fri Feb 10, 2023 7:19
atomicamp wrote:
ho1Aetoo wrote:
Also, you have sshd enabled; you know it's for the OpenSSH server that you have to install and configure separately?


Does sshd in fail2ban not use dropbear? Must I use openssh for fail2ban to block my ssh port?



sshd uses the OpenSSH regex filter, and OpenSSH is not Dropbear.
If you want to use Dropbear, you have to enable the dropbear jail and adjust the logpath.

And if you have a look at the dropbear regex filter, then you know why it can't work with an OpenSSH filter.


Quote:
# Fail2Ban filter for dropbear
#
# NOTE: The regex below is ONLY intended to work with a patched
# version of Dropbear as described here:
# http://www.unchartedbackwaters.co.uk/pyblosxom/static/patches
# ^%(__prefix_line)sexit before auth from <HOST>.*\s*$
#
# The standard Dropbear output doesn't provide enough information to
# ban all types of attack. The Dropbear patch adds IP address
# information to the 'exit before auth' message which is always
# produced for any form of non-successful login. It is that message
# which this file matches.

#
# More information: http://bugs.debian.org/546913

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

_daemon = dropbear

prefregex = ^%(__prefix_line)s<F-CONTENT>(?:[Ll]ogin|[Bb]ad|[Ee]xit).+</F-CONTENT>$

failregex = ^[Ll]ogin attempt for nonexistent user ('.*' )?from <HOST>:\d+$
            ^[Bb]ad (PAM )?password attempt for .+ from <HOST>(:\d+)?$
            ^[Ee]xit before auth \(user '.+', \d+ fails\): Max auth tries reached - user '.+' from <HOST>:\d+\s*$

ignoreregex =

# DEV Notes:
#
# The first two regexs here match the unmodified dropbear messages. It isn't
# possible to match the source of the 'exit before auth' messages from dropbear
# as they don't include the "from <HOST>" bit.
#
# The second last failregex line we need to match with the modified dropbear.
#
# For the second regex the following apply:
#
# http://www.netmite.com/android/mydroid/external/dropbear/svr-authpam.c
# http://svn.dd-wrt.com/changeset/16642#file64
#
# http://svn.dd-wrt.com/changeset/16642/src/router/dropbear/svr-authpasswd.c
#
# Author: Francis Russell
# Zak B. Elep


I can't tell you if the regex works; you have to test it yourself.

Above I gave you some useful hints on how to test the regex.
(Since I don't use OpenVPN myself, I took an entry from your syslog and simply wrote it via echo into my syslog, etc.)

atomicamp wrote:
ho1Aetoo wrote:

then have fun with the rest, which must also be adjusted ...
I'm out, I do not use openvpn and I have already done more than enough


Thanks a ton for all of this! But what exactly is "the rest"? I'm not sure I'm seeing what else needs to be adjusted. I know you've put a lot of time into this, but might you be able to push a hint in my direction? Really appreciate it my friend!


I have only tested and changed one line:


Code:
-            ^ <HOST>:\d+ TLS Error: TLS handshake failed$
+            <HOST>:\d+ TLS Error: TLS handshake failed$
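Review bot: the `-`/`+` pair drops the `^ ` anchor from only the "TLS handshake failed" entry, so that one pattern is now searched anywhere in the line while the other four failregex entries in the same filter still begin with `^ <HOST>` (or `^ TLS Error`) and will keep failing on lines that, after the timestamp, carry the DD-WRT syslog prefix `DD-WRT-HOST daemon.err openvpn[32361]:`; that is exactly the "rest" this reply says must still be adjusted. Suggest treating all five entries the same way: either drop the leading `^ ` from each of them too, or, as the dropbear filter quoted in this post does, add `[INCLUDES]` / `before = common.conf` and write each entry as `^%(__prefix_line)s<HOST>:\d+ ...` so the anchor is kept and the host/process prefix is consumed explicitly; in either case re-run `fail2ban-regex /var/log/messages /opt/etc/fail2ban/filter.d/openvpn.local --print-all-missed` and confirm that `Failregex` reports hits for every entry type present in the log rather than just `4) [5]`, since the bare `daemon.err` token in the DD-WRT lines may need the prefix pattern checked against real lines.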


Again, I don't use OpenVPN, so I don't have an OpenVPN process that writes messages to my syslog.

The rest of the OpenVPN log entries you have to check yourself, and adjust the regex filter yourself.

You want to use it and get it running; your job.
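To make the "one line changed, the rest still to be adjusted" point testable offline, here is an added example (written for this edit, not code from the thread or from fail2ban itself). It replays, in a few dozen lines of Python, what fail2ban does with the filter above: cut the syslog timestamp off each line, substitute `<HOST>`, try each failregex, count hits per address and ban at `maxretry`. The `<HOST>` stand-in is IPv4-only, `DDWRT_PREFIX` is a constructed stand-in for common.conf's `__prefix_line` shaped for the `DD-WRT-HOST daemon.err openvpn[pid]:` layout seen in the thread, and the sample log uses TEST-NET addresses; all three are assumptions of this demo, not fail2ban's real definitions.

```python
import re
from collections import defaultdict

# Stand-in for fail2ban's <HOST> substitution. IPv4 only here (assumption);
# fail2ban's real <HOST> pattern also covers IPv6 addresses and hostnames.
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Syslog timestamp at line start: the "MON Day %k:Minute:Second" template that
# fail2ban-regex reported as the date hit in the thread.
DATE_RE = re.compile(r"^[A-Z][a-z]{2} {1,2}\d{1,2} \d{1,2}:\d{2}:\d{2}")

# The OpenVPN failregex list from the thread, with the one entry the poster
# changed left un-anchored and the other four still anchored with "^ ".
FAILREGEX = [
    r"^ TLS Error: incoming packet authentication failed from \[AF_INET\]<HOST>:\d+$",
    r"^ <HOST>:\d+ Connection reset, restarting",
    r"^ <HOST>:\d+ TLS Auth Error",
    r"<HOST>:\d+ TLS Error: TLS handshake failed$",
    r"^ <HOST>:\d+ VERIFY ERROR",
]

# Constructed stand-in for common.conf's __prefix_line, shaped for the DD-WRT
# syslog layout "<hostname> <facility.level> openvpn[<pid>]:" that follows the
# timestamp. This is an assumption for the demo, not fail2ban's real macro.
DDWRT_PREFIX = r"^\s*\S+\s+\S+\s+openvpn\[\d+\]:"

# Constructed sample log in the DD-WRT format seen in the thread; addresses are
# from the TEST-NET documentation ranges, not real peers.
SAMPLE_LOG = [
    "Feb  5 13:30:26 DD-WRT-HOST daemon.err openvpn[32361]: 203.0.113.7:80 TLS Error: TLS handshake failed",
    "Feb  5 13:30:27 DD-WRT-HOST daemon.err openvpn[32361]: 203.0.113.7:80 TLS Error: TLS handshake failed",
    "Feb  5 13:30:28 DD-WRT-HOST daemon.err openvpn[32361]: 203.0.113.7:80 TLS Error: TLS handshake failed",
    "Feb  5 13:30:29 DD-WRT-HOST daemon.err openvpn[32361]: 203.0.113.7:80 TLS Error: TLS handshake failed",
    "Feb  5 13:30:29 DD-WRT-HOST daemon.err openvpn[32361]: 203.0.113.7:80 TLS Error: TLS handshake failed",
    "Feb  5 13:30:31 DD-WRT-HOST daemon.err openvpn[32361]: 198.51.100.9:51223 VERIFY ERROR: depth=0, error=certificate has expired",
    "Feb  5 13:30:32 DD-WRT-HOST daemon.notice openvpn[32361]: 192.0.2.5:1194 [client1] Peer Connection Initiated with [AF_INET]192.0.2.5:1194",
]


def compile_filter(patterns, prefix=""):
    """Mimic fail2ban's filter build: substitute <HOST>, and when a prefix is
    given splice it in after the leading '^' of each anchored entry (like
    writing ^%(__prefix_line)s... by hand). Un-anchored entries are untouched."""
    compiled = []
    for pat in patterns:
        pat = pat.replace("<HOST>", HOST_RE)
        if prefix and pat.startswith("^"):
            pat = prefix + pat[1:]
        compiled.append(re.compile(pat))
    return compiled


def match_line(line, compiled):
    """Return (failregex_index, host) for the first entry that fires, else None.
    As in fail2ban, the timestamp is cut off and the failregex is applied to the
    remainder, which on DD-WRT still starts with ' DD-WRT-HOST daemon.err ...'."""
    m = DATE_RE.match(line)
    rest = line[m.end():] if m else line
    for idx, rx in enumerate(compiled):
        hit = rx.search(rest)
        if hit:
            return idx, hit.group("host")
    return None


def simulate_jail(lines, compiled, maxretry=5):
    """Replay the jail's counting: a per-host hit counter and a ban once a host
    reaches maxretry (findtime is ignored; all sample lines are assumed to fall
    inside one window). Returns (hits_per_host, banned_hosts_in_order)."""
    hits = defaultdict(int)
    banned = []
    for line in lines:
        found = match_line(line, compiled)
        if found is None:
            continue
        _, host = found
        hits[host] += 1
        if hits[host] == maxretry:
            banned.append(host)
    return dict(hits), banned


if __name__ == "__main__":
    for label, prefix in (("thread filter as posted", ""),
                          ("with DD-WRT prefix spliced in", DDWRT_PREFIX)):
        hits, banned = simulate_jail(SAMPLE_LOG, compile_filter(FAILREGEX, prefix))
        print(f"{label}: hits={hits} banned={banned}")
```

Run as posted, only the un-anchored "TLS handshake failed" entry fires: the five handshake lines reach `maxretry` and the address is banned, mirroring the `Failregex: 4) [5]` result above, while the `VERIFY ERROR` line is silently missed because `^ <HOST>` collides with the hostname that follows the timestamp. Splicing the prefix into the anchored entries makes the `VERIFY ERROR` line count too without touching the benign "Peer Connection Initiated" line; on a real box the equivalent check is `fail2ban-regex` with `--print-all-missed` against lines for every message type you expect the jail to catch.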