LINUX.ORG.RU
ФорумGeneral

fail2ban на Cent OS валит ошибки, не могу разобраться.

 , , ,


0

1

кусок лога fail2ban 

# tail /var/log/fail2ban.log
2015-09-09 13:00:24,459 fail2ban.filter [1953]: WARNING Unable to find a corresponding IP address for ::1: [Errno -9] Address family for hostname not supported
2015-09-09 13:00:24,459 fail2ban.filter [1953]: WARNING Unable to find a corresponding IP address for ::1: [Errno -9] Address family for hostname not supported
2015-09-09 13:00:25,461 fail2ban.filter [1953]: WARNING Unable to find a corresponding IP address for ::1: [Errno -9] Address family for hostname not supported
2015-09-09 13:00:27,464 fail2ban.filter [1953]: WARNING Unable to find a corresponding IP address for ::1: [Errno -9] Address family for hostname not supported
2015-09-09 13:00:27,465 fail2ban.filter [1953]: WARNING Unable to find a corresponding IP address for ::1: [Errno -9] Address family for hostname not supported
2015-09-09 13:00:28,467 fail2ban.filter [1953]: WARNING Unable to find a corresponding IP address for ::1: [Errno -9] Address family for hostname not supported
2015-09-09 13:00:28,468 fail2ban.filter [1953]: WARNING Unable to find a corresponding IP address for ::1: [Errno -9] Address family for hostname not supported
2015-09-09 13:00:29,469 fail2ban.filter [1953]: WARNING Unable to find a corresponding IP address for ::1: [Errno -9] Address family for hostname not supported
2015-09-09 13:00:29,571 fail2ban.actions[1953]: WARNING [asterisk-iptables] Ban 62.210.250.141
2015-09-09 13:00:29,872 fail2ban.filter [1953]: WARNING Unable to find a corresponding IP address for ::1: [Errno -9] Address family for hostname not supported

установлен asterisk, для него имеется такой конфиг (если честно, то грешу на него)

cat /etc/fail2ban/filter.d/asterisk.conf
# Fail2Ban filter for asterisk authentication failures
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

_daemon = asterisk

__pid_re = (?:\[\d+\])

iso8601 = \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+[+-]\d{4}

# All Asterisk log messages begin like this:
log_prefix= (?:NOTICE|SECURITY)%(__pid_re)s:?(?:\[C-[\da-f]*\])? \S+:\d*( in \w+:)?

failregex = ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - (Wrong password|Username/auth name mismatch|No matching peer found|Not a local domain|Device does not match ACL|Peer is not supposed to register|ACL error \(permit/deny\)|Not a local domain)$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Call from '[^']*' \(<HOST>:\d+\) to extension '\d+' rejected because extension not found in context 'default'\.$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST> failed to authenticate as '[^']*'$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s No registration for peer '[^']*' \(from <HOST>\)$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST> failed MD5 authentication for '[^']*' \([^)]+\)$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Failed to authenticate (user|device) [^@]+@<HOST>\S*$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s hacking attempt detected '<HOST>'$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="([\d-]+|%(iso8601)s)",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="(\d*|<unknown>)",SessionID=".+",LocalAddress="IPV[46]/(UDP|TCP|WS)/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UDP|TCP|WS)/<HOST>/\d+"(,Challenge="[\w/]+")?(,ReceivedChallenge="\w+")?(,Response="\w+",ExpectedResponse="\w*")?(,ReceivedHash="[\da-f]+")?(,ACLName="\w+")?$
            ^(%(__prefix_line)s|\[\]\s*WARNING%(__pid_re)s:?(?:\[C-[\da-f]*\])? )Ext\. s: "Rejecting unknown SIP connection from <HOST>"$

ignoreregex =


# Author: Xavier Devlamynck / Daniel Black
#
# General log format - main/logger.c:ast_log
# Address format - ast_sockaddr_stringify
#
# First regex: channels/chan_sip.c
#
# main/logger.c:ast_log_vsyslog - "in {functionname}:" only occurs in syslog

Подскажите куда копать?

Пауза при загрузке ~10 секунд.
Сервер исходящей почты для php mail()

fail2ban-regex asterisk.log filter.d/asterisk.conf

похоже у вас в в логах ipv6 адрес, а fail2ban его не поддерживает (ваша версия)

arto ★★
()
Ответ на: комментарий от Turbid

ipv6 выключил тут /etc/sysconfig/network-scripts/ifcfg-eth0 

DEVICE=eth0
HWADDR=00:00:00:00:00:00
TYPE=Ethernet
UUID=9c9eb1eb-875a-49c7-b109-16524beb9335
ONBOOT=no
NM_CONTROLLED=yes
BOOTPROTO=dhcp
IPV6INIT=no

и тут: /etc/sysconfig/network-scripts/ifcfg-eth1 

DEVICE="eth1"
BOOTPROTO="static"
BROADCAST="XXX.XXX.XXX.XXX"
DNS1="XXX.XXX.XXX.XXX"
GATEWAY="XXX.XXX.XXX.XXX"
HWADDR="00:00:00:00:00:00"
IPADDR="XXX.XXX.XXX.XXX"
IPV6INIT="no"
IPV6_AUTOCONF="no"
NETMASK="255.255.255.224"
NM_CONTROLLED="yes"
ONBOOT="yes"
TYPE="Ethernet"
UUID="49c5b1a4-425c-47a2-a802-92b10d515628"

кусок лога: 

tail /var/log/fail2ban.log
2015-09-09 17:30:20,607 fail2ban.filter [1905]: WARNING Unable to find a corresponding IP address for ::1: [Errno -9] Address family for hostname not supported
2015-09-09 17:30:20,607 fail2ban.filter [1905]: WARNING Unable to find a corresponding IP address for ::1: [Errno -9] Address family for hostname not supported
2015-09-09 17:30:21,610 fail2ban.filter [1905]: WARNING Unable to find a corresponding IP address for ::1: [Errno -9] Address family for hostname not supported
2015-09-09 17:30:24,614 fail2ban.filter [1905]: WARNING Unable to find a corresponding IP address for ::1: [Errno -9] Address family for hostname not supported
2015-09-09 17:30:24,614 fail2ban.filter [1905]: WARNING Unable to find a corresponding IP address for ::1: [Errno -9] Address family for hostname not supported
2015-09-09 17:30:24,615 fail2ban.filter [1905]: WARNING Unable to find a corresponding IP address for ::1: [Errno -9] Address family for hostname not supported
2015-09-09 17:30:25,617 fail2ban.filter [1905]: WARNING Unable to find a corresponding IP address for ::1: [Errno -9] Address family for hostname not supported
2015-09-09 17:30:26,052 fail2ban.actions[1905]: WARNING [asterisk-iptables] Ban 62.210.250.141
2015-09-09 17:30:26,798 fail2ban.filter [1905]: WARNING Unable to find a corresponding IP address for ::1: [Errno -9] Address family for hostname not supported
2015-09-09 17:37:17,001 fail2ban.filter [1905]: WARNING Unable to find a corresponding IP address for ::1: [Errno -9] Address family for hostname not supported

kotbykot
() автор топика
Ответ на: комментарий от Turbid

tail /var/log/asterisk/security 

[2015-09-09 10:05:20] SECURITY[1789] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="1441764320-736428",Severity="Informational",Service="AMI",EventVersion="1",AccountID="admin",SessionID="0xb7613acc",LocalAddress="IPV4/TCP/0.0.0.0/5038",RemoteAddress="IPV4/TCP/127.0.0.1/36930",UsingPassword="0",SessionTV="1441764320-736425"
[2015-09-09 10:05:40] SECURITY[1789] res_security_log.c: SecurityEvent="ChallengeSent",EventTV="1441764340-783272",Severity="Informational",Service="SIP",EventVersion="1",AccountID="778",SessionID="0xb760cc54",LocalAddress="IPV4/UDP/XXX.XXX.XXX.XXX/5060",RemoteAddress="IPV4/UDP/XXX.XXX.XXX.XXX/5062",Challenge="610a01f2"
[2015-09-09 10:05:41] SECURITY[1789] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="1441764341-415821",Severity="Informational",Service="SIP",EventVersion="1",AccountID="778",SessionID="0xb760cc54",LocalAddress="IPV4/UDP/XXX.XXX.XXX.XXX/5060",RemoteAddress="IPV4/UDP/XXX.XXX.XXX.XXX/5062",UsingPassword="1"
[2015-09-09 10:05:58] SECURITY[1789] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="1441764358-265934",Severity="Informational",Service="AMI",EventVersion="1",AccountID="admin",SessionID="0xb7613acc",LocalAddress="IPV4/TCP/0.0.0.0/5038",RemoteAddress="IPV4/TCP/127.0.0.1/36932",UsingPassword="0",SessionTV="1441764358-265930"
[2015-09-09 10:05:58] SECURITY[1789] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="1441764358-706104",Severity="Informational",Service="AMI",EventVersion="1",AccountID="admin",SessionID="0x8eaea2c",LocalAddress="IPV4/TCP/0.0.0.0/5038",RemoteAddress="IPV4/TCP/127.0.0.1/36934",UsingPassword="0",SessionTV="1441764358-706101"
[2015-09-09 10:06:01] SECURITY[1789] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="1441764361-689025",Severity="Informational",Service="AMI",EventVersion="1",AccountID="admin",SessionID="0xb7613acc",LocalAddress="IPV4/TCP/0.0.0.0/5038",RemoteAddress="IPV4/TCP/127.0.0.1/36936",UsingPassword="0",SessionTV="1441764361-688994"
[2015-09-09 10:06:04] SECURITY[1789] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="1441764364-104574",Severity="Informational",Service="AMI",EventVersion="1",AccountID="admin",SessionID="0xb7613acc",LocalAddress="IPV4/TCP/0.0.0.0/5038",RemoteAddress="IPV4/TCP/127.0.0.1/36938",UsingPassword="0",SessionTV="1441764364-104569"
[2015-09-09 10:07:11] SECURITY[1789] res_security_log.c: SecurityEvent="ChallengeSent",EventTV="1441764431-927222",Severity="Informational",Service="SIP",EventVersion="1",AccountID="778",SessionID="0xb760cc54",LocalAddress="IPV4/UDP/XXX.XXX.XXX.XXX/5060",RemoteAddress="IPV4/UDP/XXX.XXX.XXX.XXX/5062",Challenge="1e0c7495"
[2015-09-09 10:07:11] SECURITY[1789] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="1441764431-995960",Severity="Informational",Service="SIP",EventVersion="1",AccountID="778",SessionID="0xb760cc54",LocalAddress="IPV4/UDP/XXX.XXX.XXX.XXX/5060",RemoteAddress="IPV4/UDP/XXX.XXX.XXX.XXX/5062",UsingPassword="1"
[2015-09-09 10:07:23] SECURITY[1789] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="1441764443-226592",Severity="Informational",Service="AMI",EventVersion="1",AccountID="admin",SessionID="0xb7613acc",LocalAddress="IPV4/TCP/0.0.0.0/5038",RemoteAddress="IPV4/TCP/127.0.0.1/36940",UsingPassword="0",SessionTV="1441764443-226586"

tail /var/log/asterisk/full 

[2015-09-09 18:39:01] VERBOSE[2255][C-00000000] app_macro.c:   == Spawn extension (macro-hangupcall, s, 4) exited non-zero on 'SIP/777-00000000' in macro 'hangupcall'
[2015-09-09 18:39:01] VERBOSE[2255][C-00000000] pbx.c:   == Spawn extension (macro-dialout-trunk, h, 1) exited non-zero on 'SIP/777-00000000'
[2015-09-09 18:39:01] VERBOSE[2255][C-00000000] app_macro.c:   == Spawn extension (macro-dialout-trunk, s, 22) exited non-zero on 'SIP/777-00000000' in macro 'dialout-trunk'
[2015-09-09 18:39:01] VERBOSE[2255][C-00000000] pbx.c:   == Spawn extension (XXXXXXX, XXXXXXX, 6) exited non-zero on 'SIP/777-00000000'
[2015-09-09 18:39:01] VERBOSE[2258][C-00000000] app_mixmonitor.c:   == MixMonitor close filestream (mixed)
[2015-09-09 18:39:01] VERBOSE[2258][C-00000000] app_mixmonitor.c:   == End MixMonitor Recording SIP/777-00000000
[2015-09-09 18:39:47] NOTICE[1875][C-00000001] chan_sip.c: Failed to authenticate device 103<sip:103@XXX.XXX.XXX.XXX>;tag=0acf105c
[2015-09-09 18:41:09] NOTICE[2520] manager.c: 200.72.182.234 tried to authenticate with nonexistent user 'manager'
[2015-09-09 18:41:09] NOTICE[2520] manager.c: 200.72.182.234 failed to authenticate as 'manager'
[2015-09-09 18:45:25] NOTICE[1875][C-00000002] chan_sip.c: Failed to authenticate device 140<sip:140@XXX.XXX.XXX.XXX>;tag=d72600a9

kotbykot
() автор топика
Ответ на: комментарий от kotbykot

tail /var/log/asterisk/security

Это точно тот момент, который коррелируется по времени с событиями «WARNING Unable to find a corresponding IP address for ::1: [Errno -9] Address family for hostname not supported» ?

Turbid ★★★★★
()
Вы не можете добавлять комментарии в эту тему. Тема перемещена в архив.
Пауза при загрузке ~10 секунд.
General
Сервер исходящей почты для php mail()