
Originally Posted by Maccro:
... I'm not sure how to get it to detect 'attacks'. Any idea how I would do that? ...
Yes, I did install syslog-ng and fail2ban in order to be able to detect attacks
and ban attacking IP addresses.
For me this works with dropbear and vsftpd.
I'm using this configuration:
syslog-ng config file:
Code:
################################################################################
# Syslog-ng configuration for WL700g
# /opt/etc/syslog-ng/syslog-ng.conf
#
###############################################################################
# tiwag's active filters and logs
#
options { long_hostnames(off); sync(0); };
#source src { pipe("/proc/kmsg");unix-stream("/dev/log"); internal(); };
source src { file("/proc/kmsg");unix-stream("/dev/log"); internal(); };
source net { udp(); };
destination mysyslog {
    file("/opt/var/log/syslog-ng.log"
         owner("root")
         group("root")
         perm(0640)
         template("{$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC}{PRI:$PRIORITY}{FAC:$FACILITY}{PRG:$PROGRAM}{{{ $MESSAGE }}}\n")
    );
};
destination authwarnlog {
    file("/opt/var/log/authwarn.log"
         owner("root")
         group("root")
         perm(0640)
         template("{$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC}{PRI:$PRIORITY}{FAC:$FACILITY}{PRG:$PROGRAM}{{{ $MESSAGE }}}\n")
    );
};
destination vsftpdlog { file("/opt/var/log/vsftpd.log"); };
destination dropbearlog { file("/opt/var/log/dropbear.log"); };
destination cronlog { file("/opt/var/log/cron.log"); };
filter f_ni_syslog-ng { not ( level(info) and program(syslog-ng) ); };
filter f_ni_thttpd { not ( level(info) and program(thttpd) ); };
filter f_ni_vsftpd { not ( level(info) and program(vsftpd) ); };
filter f_vsftpd { ( program(vsftpd) ); };
filter f_dropbear { ( program(dropbear) ); };
# dropbear info/warning and vsftpd warning messages go to authwarn.log,
# which is the file fail2ban watches
filter f_authwarn {
    ( ( level(info) or level(warning) ) and program(dropbear) )
    or
    ( level(warning) and program(vsftpd) );
};
filter f_ni_cron { not ( level(info) and facility(cron) ); };
filter f_cron { program(cron); };
###############################################################################
# active logs
#
log { source(src);
      filter(f_ni_vsftpd);
      filter(f_ni_thttpd);
      filter(f_ni_syslog-ng);
#     filter(f_ni_cron);
      destination(mysyslog); };
log { source(src);
      filter(f_vsftpd);
      destination(vsftpdlog); };
log { source(src);
      filter(f_dropbear);
      destination(dropbearlog); };
log { source(src);
      filter(f_authwarn);
      destination(authwarnlog); };
log { source(src);
      filter(f_cron);
      destination(cronlog); };
fail2ban config and filter files
Code:
###############################################################################
# Fail2Ban configuration file
# /opt/etc/fail2ban/jail.conf
#
# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1
# "bantime" is the number of seconds that a host is banned.
#bantime = 1800
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 300
# "maxretry" is the number of failures before a host get banned.
maxretry = 3
# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto". This option can be overridden in
# each jail too (use "gamin" for a jail and "polling" for another).
#
# gamin: requires Gamin (a file alteration monitor) to be installed. If Gamin
# is not installed, Fail2ban will use polling.
# polling: uses a polling algorithm which does not require external libraries.
# auto: will choose Gamin if available and polling otherwise.
backend = auto
###############################################################################
# enabled jails
#
[vsftpd-iptables]
enabled = true
filter = vsftpd
action = iptables[name=VSFTPD, port=ftp, protocol=tcp]
# sendmail-whois[name=VSFTPD, dest=you@mail.com]
logpath = /opt/var/log/authwarn.log
maxretry = 3
bantime = 1800
[dropbear-iptables]
enabled = true
filter = dropbear
action = iptables[name=DROPBEAR, port=ssh, protocol=tcp]
# sendmail-whois[name=DROPBEAR, dest=you@mail.com]
logpath = /opt/var/log/authwarn.log
maxretry = 3
bantime = 1800
Code:
# Fail2Ban configuration file
# /opt/etc/fail2ban/filter.d/vsftpd.conf
#
[Definition]
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
failregex = {.*}{PRI:warning}{FAC:ftp}{PRG:vsftpd}{{{ vsftpd: .* FAIL LOGIN: Client \\"<HOST>\\" }}}$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
Code:
# Fail2Ban configuration file
# /opt/etc/fail2ban/filter.d/dropbear.conf
#
[Definition]
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
failregex = {.*}{PRI:warning}{FAC:authpriv}{PRG:dropbear}{{{ dropbear\[[0-9]*\]: login attempt .* from <HOST>:.* }}}$
{.*}{PRI:info}{FAC:authpriv}{PRG:dropbear}{{{ dropbear\[[0-9]*\]: exit before auth \(user .* fails\): Disconnect received from IP <HOST>:.* }}}$
{.*}{PRI:info}{FAC:authpriv}{PRG:dropbear}{{{ dropbear\[[0-9]*\]: exit before auth: Timeout before auth from IP <HOST>:.* }}}$
{.*}{PRI:info}{FAC:authpriv}{PRG:dropbear}{{{ dropbear\[[0-9]*\]: exit before auth: Disconnect received from IP <HOST>:.* }}}$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
With this config I can detect attacks and ban the attacking IP addresses very well. But it was also necessary to patch dropbear in order to print the IP addresses for any attack attempts where a known username was used.
See the attached files for the dropbear patch.
brgds
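As an added example (not part of tiwag's post and not fail2ban's own code), the Python script below replays the failregex patterns from the two filter.d files above over a few constructed authwarn.log lines written in the syslog-ng template format from the post, then applies the jail.conf findtime/maxretry logic to show which addresses would be banned. It stands in for running fail2ban-regex against the real log file. Assumptions: the dropbear message texts in the sample lines are made up to fit the post's patterns (a real, patched dropbear may word them differently), and the vsftpd pattern is loosened to accept the client address quoted with or without a backslash, since the post's `\\"` only matches a backslash-escaped quote while vsftpd itself writes a plain one.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# fail2ban's "<HOST>" alias, exactly as quoted in the page's filter.d comments.
HOST = r"(?:::f{4,6}:)?(?P<host>\S+)"

# The failregex lines of the page's two filter.d files, keyed by jail name.
# Assumption: the vsftpd pattern accepts the client address quoted with or
# without a preceding backslash (vsftpd writes a plain quote; the page's
# pattern expects an escaped one).
FAILREGEX = {
    "vsftpd-iptables": [
        r'{.*}{PRI:warning}{FAC:ftp}{PRG:vsftpd}{{{ vsftpd: .* FAIL LOGIN: Client \\?"<HOST>\\?" }}}$',
    ],
    "dropbear-iptables": [
        r"{.*}{PRI:warning}{FAC:authpriv}{PRG:dropbear}{{{ dropbear\[[0-9]*\]: login attempt .* from <HOST>:.* }}}$",
        r"{.*}{PRI:info}{FAC:authpriv}{PRG:dropbear}{{{ dropbear\[[0-9]*\]: exit before auth \(user .* fails\): Disconnect received from IP <HOST>:.* }}}$",
        r"{.*}{PRI:info}{FAC:authpriv}{PRG:dropbear}{{{ dropbear\[[0-9]*\]: exit before auth: Timeout before auth from IP <HOST>:.* }}}$",
        r"{.*}{PRI:info}{FAC:authpriv}{PRG:dropbear}{{{ dropbear\[[0-9]*\]: exit before auth: Disconnect received from IP <HOST>:.* }}}$",
    ],
}

# Python's re treats "{" as a literal wherever it does not form an {m,n}
# repeat, so the template's braces need no escaping; only <HOST> is expanded.
COMPILED = {
    jail: [re.compile(p.replace("<HOST>", HOST)) for p in patterns]
    for jail, patterns in FAILREGEX.items()
}

# Timestamp prefix produced by the page's syslog-ng template.
TS = re.compile(r"^\{(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\}")


def match_line(jail, line):
    """Return the host captured by the first failregex of `jail` that matches
    `line`, or None when no pattern matches (what fail2ban-regex reports)."""
    for rx in COMPILED[jail]:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None


def scan(lines, findtime=300, maxretry=3):
    """Replay authwarn.log lines through both jails with the jail.conf
    findtime/maxretry and return {jail: {host: timestamp of the ban}}.
    A host is banned when `maxretry` failures fall inside `findtime` seconds;
    the log's own timestamp prefix is used as the clock."""
    window = timedelta(seconds=findtime)
    failures = defaultdict(lambda: defaultdict(deque))
    banned = {jail: {} for jail in COMPILED}
    for line in lines:
        ts = TS.match(line)
        if not ts:
            continue
        when = datetime.strptime(ts.group(1), "%Y-%m-%d %H:%M:%S")
        for jail in COMPILED:
            host = match_line(jail, line)
            if host is None or host in banned[jail]:
                continue
            recent = failures[jail][host]
            recent.append(when)
            while recent and when - recent[0] > window:
                recent.popleft()  # drop failures older than findtime
            if len(recent) >= maxretry:
                banned[jail][host] = ts.group(1)
    return banned


# Constructed sample lines in the page's template format (not real log data):
# three dropbear failures from one address within a few seconds, a single
# vsftpd failure, and a successful dropbear login that must not match.
SAMPLE_LOG = """\
{2007-03-04 22:15:01}{PRI:warning}{FAC:authpriv}{PRG:dropbear}{{{ dropbear[1234]: login attempt for nonexistent user from 203.0.113.7:51234 }}}
{2007-03-04 22:15:03}{PRI:info}{FAC:authpriv}{PRG:dropbear}{{{ dropbear[1235]: exit before auth (user 'admin', 3 fails): Disconnect received from IP 203.0.113.7:51240 }}}
{2007-03-04 22:15:09}{PRI:info}{FAC:authpriv}{PRG:dropbear}{{{ dropbear[1236]: exit before auth: Timeout before auth from IP 203.0.113.7:51250 }}}
{2007-03-04 22:16:00}{PRI:warning}{FAC:ftp}{PRG:vsftpd}{{{ vsftpd: Sun Mar  4 22:16:00 2007 [pid 1300] [admin] FAIL LOGIN: Client "198.51.100.9" }}}
{2007-03-04 22:16:30}{PRI:info}{FAC:authpriv}{PRG:dropbear}{{{ dropbear[1237]: password auth succeeded for 'admin' from 192.0.2.10:40000 }}}
""".splitlines()


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        hits = {j: match_line(j, line) for j in COMPILED}
        print({j: h for j, h in hits.items() if h}, "<-", line[:60])
    print("bans with findtime=300, maxretry=3:", scan(SAMPLE_LOG))
    print("bans with findtime=5:", scan(SAMPLE_LOG, findtime=5))
```

With the post's settings the dropbear address reaches three matches within eight seconds and is banned on the third line, while the single vsftpd failure stays below maxretry; re-running with a five-second findtime shows the same three failures aging out of the window and producing no ban, which is the knob to turn if a slow brute-force is getting under the radar.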