vjdj

Posts written by vjdj


  1. I can't edit the post, I can't find an edit option, so I'm writing one post after another.

    It was enough to read Vesta's documentation; I'm leaving the link for others:

    http://vestacp.com/docs/#how-to-setup-vanity-nameservers

    I also played around with OVH's secondary DNS. But I have a problem.

    I added the domain in the OVH panel under DNS secondary.

    I added the record:

    ns2    A     213.251.188.141

    intodns shouts at me:

    DNS servers responded ERROR: One or more of your nameservers did not respond:
    The ones that did not respond are:
    213.251.188.141
    

  2. System: Debian 8 plus the panel from the subject line, VestaCP; the whole thing sits on a VPS from OVH.

    By default the panel mentioned above creates DNS entries like:

    ns1.localhost.ltd
    ns2.localhost.ltd
    

    I added a website. When adding the site I ticked

    DNS support

    I edited the DNS entries:

    ns1.localhost.ltd
    ns2.localhost.ltd

    to

    ns1.strona1.pl
    ns2.strona1.pl

    And I added the records:

    ns1    A    150.150.150.150
    ns2    A    150.150.150.150

    Everything works. I checked on intodns, result:

    Different subnets
    WARNING: Not all of your nameservers are in different subnets
    
    SOA MNAME entry WARNING: SOA MNAME (ns1.localhost.ltd) is not listed as a primary nameserver at your parent nameserver!
    SOA record The SOA record is:
    Primary nameserver: ns1.localhost.ltd
    Hostmaster E-mail address: root.strona2.pl
    Serial #: 2016010107 
    Refresh: 7200 
    Retry: 3600 
    Expire: 1209600   2 weeks
    Default TTL: 180

    What I don't like is:

    Primary nameserver: ns1.localhost.ltd

    I made a second attempt at adding another website.

    In the panel I added the name servers:

    ns1.strona2.pl
    ns2.strona2.pl

    I added the site www.strona2.pl with DNS support ticked, and added the A records as above.

    The SOA now looks fine:

    SOA record The SOA record is:
    Primary nameserver: ns1.strona2.pl
    Hostmaster E-mail address: root.strona2.pl
    Serial #: 2016010206 
    Refresh: 7200 
    Retry: 3600 
    Expire: 1209600   2 weeks
    Default TTL: 180

    But I have errors:

    Name of nameservers are valid WARNING: At least one of your NS name does not seem a valid host name
    The ones that do not seem valid:
    no
    Missing nameservers reported by parent FAIL: The following nameservers are listed at your nameservers as nameservers for your domain, but are not listed at the parent nameservers (see RFC2181 5.4.1). You need to make sure that these nameservers are working.If they are not working ok, you may have problems! 
    no
    Stealth NS records sent Stealth NS records were sent: 
    no
    

    What am I doing wrong? How do I correctly add my own name servers in this panel?

    If I forgot to mention something I'll add it; please tell me what other information is needed to help.

    The sites and IPs are examples.
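The checks intodns is reporting in the two posts above (SOA MNAME not delegated at the parent, NS names that are not valid host names, NS records present at the child but not at the parent, all name servers in one subnet) can be reproduced offline. The script below is an added example, not VestaCP's or intodns's code; the zone data is constructed to mirror the posts (strona1.pl, strona2.pl and 150.150.150.150 are the posts' own placeholders, 198.51.100.0/24 and 203.0.113.0/24 are RFC 5737 documentation ranges). A second name server in another subnet, which is what OVH's secondary DNS from the first post provides, is what clears the "Different subnets" warning.

```python
"""Offline delegation checker for the warnings intodns reports.

Added example; not VestaCP's or intodns's code. All zone data below is
constructed after the posts' placeholder names and addresses.
"""
import ipaddress
import re
from dataclasses import dataclass

# One DNS label: 1-63 chars, letters/digits/hyphen, no leading/trailing hyphen.
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
# A name server name must be a fully qualified host name (at least two labels),
# so a stray single-label entry such as "no" is rejected.
_FQDN_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})+\.?$")


@dataclass(frozen=True)
class Zone:
    name: str
    soa_mname: str      # MNAME field of the zone's SOA record
    ns: frozenset       # NS names the zone itself publishes
    a: dict             # host name -> IPv4 address (A / glue records)


def is_valid_ns_name(name: str) -> bool:
    return bool(_FQDN_RE.match(name))


def check_delegation(zone: Zone, parent_ns: frozenset) -> list:
    """Return the warnings/failures for a zone, given the NS set the parent
    (registry) delegates to. An empty list means the delegation is clean."""
    findings = []

    # 1. Every NS name must be a fully qualified host name.
    for n in sorted(zone.ns):
        if not is_valid_ns_name(n):
            findings.append(f"invalid NS host name: {n!r}")

    # 2. The SOA MNAME should be one of the name servers listed at the parent.
    if zone.soa_mname not in parent_ns:
        findings.append(f"SOA MNAME {zone.soa_mname} not listed at parent")

    # 3. RFC 2181 section 5.4.1: NS listed by the child but missing at the parent.
    for n in sorted(zone.ns - parent_ns):
        findings.append(f"NS {n} listed at child but not at parent")

    # 4. Stealth servers: NS listed at the parent but not published by the child.
    for n in sorted(parent_ns - zone.ns):
        findings.append(f"NS {n} listed at parent but not at child (stealth)")

    # 5. Name servers should not all share one /24 (single point of failure).
    subnets = set()
    for n in zone.ns:
        if n in zone.a:
            subnets.add(ipaddress.ip_network(f"{zone.a[n]}/24", strict=False))
    if len(zone.ns) > 1 and len(subnets) < 2:
        findings.append("all name servers are in the same /24 subnet")

    return findings


# Constructed scenario 1: the first attempt in the post. Both NS share one IP
# and the SOA MNAME is still the panel's default ns1.localhost.ltd.
FIRST_ATTEMPT = Zone(
    name="strona1.pl",
    soa_mname="ns1.localhost.ltd",
    ns=frozenset({"ns1.strona1.pl", "ns2.strona1.pl"}),
    a={"ns1.strona1.pl": "150.150.150.150", "ns2.strona1.pl": "150.150.150.150"},
)
PARENT_FIRST = frozenset({"ns1.strona1.pl", "ns2.strona1.pl"})

# Constructed scenario 2: the second attempt. MNAME is fixed, but a stray NS
# record literally named "no" is in the zone, as the quoted intodns output shows.
SECOND_ATTEMPT = Zone(
    name="strona2.pl",
    soa_mname="ns1.strona2.pl",
    ns=frozenset({"ns1.strona2.pl", "ns2.strona2.pl", "no"}),
    a={"ns1.strona2.pl": "150.150.150.150", "ns2.strona2.pl": "150.150.150.150"},
)
PARENT_SECOND = frozenset({"ns1.strona2.pl", "ns2.strona2.pl"})

# Constructed clean delegation: two name servers in different /24s (documentation
# ranges), MNAME among them, child and parent NS sets identical.
CLEAN = Zone(
    name="strona2.pl",
    soa_mname="ns1.strona2.pl",
    ns=frozenset({"ns1.strona2.pl", "ns2.strona2.pl"}),
    a={"ns1.strona2.pl": "198.51.100.10", "ns2.strona2.pl": "203.0.113.10"},
)

if __name__ == "__main__":
    for label, zone, parent in (("first attempt", FIRST_ATTEMPT, PARENT_FIRST),
                                ("second attempt", SECOND_ATTEMPT, PARENT_SECOND),
                                ("clean", CLEAN, PARENT_SECOND)):
        print(f"{label}: {check_delegation(zone, parent) or ['OK']}")
```

Run it as is and the first scenario reports exactly the two intodns warnings from the post (MNAME and subnets), the second scenario reports the invalid "no" name server and its absence at the parent, and the clean scenario reports nothing.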


  3. That is exactly the problem for service providers: a prospective customer can't fully distinguish or understand certain things, certain attacks. They don't distinguish whether the attack is on the infrastructure or on the application. Then they get kicked in the proverbial a..... and right away the data centre is the bad guy because it didn't cope with something.

    I'm currently following a thread on a certain forum I frequent, not an IT one. The situation (as I see it) is that there are xxx bots logged in on the forum and the forum goes down. The script is old, probably leaky as a sieve, but someone threw out the word DDoS and now they're going after the hosting provider; they're already at the point where they'll switch providers, but they'll be surprised when they move and it's the same thing. They're bashing the provider for not being able to block the attack, but really, why should he dig through somebody's holes when the problem is of a completely different nature.

    As for the topic, I haven't used OVH support much, but the replies I received contained concrete, helpful information. Response time was also decent, and I mostly use their budget services. I'm aware of that and don't expect any special care at that price.


  4. Fail2ban.log

    2015-10-27 19:25:58,120 fail2ban.server [1856]: INFO    Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.13
    2015-10-27 19:25:58,121 fail2ban.jail   [1856]: INFO    Creating new jail 'ssh'
    2015-10-27 19:25:58,263 fail2ban.jail   [1856]: INFO    Jail 'ssh' uses pyinotify
    2015-10-27 19:25:58,326 fail2ban.jail   [1856]: INFO    Initiated 'pyinotify' backend
    2015-10-27 19:25:58,342 fail2ban.filter [1856]: INFO    Added logfile = /var/log/auth.log
    2015-10-27 19:25:58,344 fail2ban.filter [1856]: INFO    Set maxRetry = 6
    2015-10-27 19:25:58,345 fail2ban.filter [1856]: INFO    Set findtime = 600
    2015-10-27 19:25:58,346 fail2ban.actions[1856]: INFO    Set banTime = 600
    2015-10-27 19:25:58,401 fail2ban.jail   [1856]: INFO    Jail 'ssh' started
    2015-10-27 19:31:53,948 fail2ban.server [1856]: INFO    Stopping all jails
    2015-10-27 19:31:54,548 fail2ban.jail   [1856]: INFO    Jail 'ssh' stopped
    2015-10-27 19:31:54,549 fail2ban.server [1856]: INFO    Exiting Fail2ban
    2015-10-27 19:31:55,307 fail2ban.server [2070]: INFO    Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.13
    2015-10-27 19:31:55,308 fail2ban.jail   [2070]: INFO    Creating new jail 'ssh'
    2015-10-27 19:31:55,353 fail2ban.jail   [2070]: INFO    Jail 'ssh' uses pyinotify
    2015-10-27 19:31:55,387 fail2ban.jail   [2070]: INFO    Initiated 'pyinotify' backend
    2015-10-27 19:31:55,390 fail2ban.filter [2070]: INFO    Added logfile = /var/log/auth.log
    2015-10-27 19:31:55,391 fail2ban.filter [2070]: INFO    Set maxRetry = 6
    2015-10-27 19:31:55,392 fail2ban.filter [2070]: INFO    Set findtime = 600
    2015-10-27 19:31:55,393 fail2ban.actions[2070]: INFO    Set banTime = 600
    2015-10-27 19:31:55,447 fail2ban.jail   [2070]: INFO    Creating new jail 'sasl'
    2015-10-27 19:31:55,447 fail2ban.jail   [2070]: INFO    Jail 'sasl' uses pyinotify
    2015-10-27 19:31:55,458 fail2ban.jail   [2070]: INFO    Initiated 'pyinotify' backend
    2015-10-27 19:31:55,468 fail2ban.filter [2070]: INFO    Added logfile = /var/log/mail.log
    2015-10-27 19:31:55,470 fail2ban.filter [2070]: INFO    Set maxRetry = 3
    2015-10-27 19:31:55,471 fail2ban.filter [2070]: INFO    Set findtime = 30
    2015-10-27 19:31:55,471 fail2ban.actions[2070]: INFO    Set banTime = 600000
    2015-10-27 19:31:55,480 fail2ban.jail   [2070]: INFO    Jail 'ssh' started
    2015-10-27 19:31:55,488 fail2ban.jail   [2070]: INFO    Jail 'sasl' started
    2015-10-28 08:52:05,882 fail2ban.server [2070]: INFO    Stopping all jails
    2015-10-28 08:52:05,990 fail2ban.jail   [2070]: INFO    Jail 'sasl' stopped
    2015-10-28 08:52:06,971 fail2ban.jail   [2070]: INFO    Jail 'ssh' stopped
    2015-10-28 08:52:06,982 fail2ban.server [2070]: INFO    Exiting Fail2ban
    2015-10-28 08:52:07,931 fail2ban.server [5292]: INFO    Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.13
    2015-10-28 08:52:07,932 fail2ban.jail   [5292]: INFO    Creating new jail 'ssh'
    2015-10-28 08:52:08,089 fail2ban.jail   [5292]: INFO    Jail 'ssh' uses pyinotify
    2015-10-28 08:52:08,146 fail2ban.jail   [5292]: INFO    Initiated 'pyinotify' backend
    2015-10-28 08:52:08,148 fail2ban.filter [5292]: INFO    Added logfile = /var/log/auth.log
    2015-10-28 08:52:08,149 fail2ban.filter [5292]: INFO    Set maxRetry = 6
    2015-10-28 08:52:08,151 fail2ban.filter [5292]: INFO    Set findtime = 600
    2015-10-28 08:52:08,151 fail2ban.actions[5292]: INFO    Set banTime = 600
    2015-10-28 08:52:08,197 fail2ban.jail   [5292]: INFO    Creating new jail 'sasl'
    2015-10-28 08:52:08,197 fail2ban.jail   [5292]: INFO    Jail 'sasl' uses pyinotify
    2015-10-28 08:52:08,209 fail2ban.jail   [5292]: INFO    Initiated 'pyinotify' backend
    2015-10-28 08:52:08,211 fail2ban.filter [5292]: INFO    Added logfile = /var/log/mail.log
    2015-10-28 08:52:08,212 fail2ban.filter [5292]: INFO    Set maxRetry = 3
    2015-10-28 08:52:08,214 fail2ban.filter [5292]: INFO    Set findtime = 30
    2015-10-28 08:52:08,214 fail2ban.actions[5292]: INFO    Set banTime = 600000
    2015-10-28 08:52:08,224 fail2ban.jail   [5292]: INFO    Jail 'ssh' started
    2015-10-28 08:52:08,231 fail2ban.jail   [5292]: INFO    Jail 'sasl' started
    
    

    Banning is supposed to be done via iptables. If I understood the question correctly.

    I'm also attaching jail.conf

    # Fail2Ban configuration file.
    #
    # This file was composed for Debian systems from the original one
    # provided now under /usr/share/doc/fail2ban/examples/jail.conf
    # for additional examples.
    #
    # Comments: use '#' for comment lines and ';' for inline comments
    #
    # To avoid merges during upgrades DO NOT MODIFY THIS FILE
    # and rather provide your changes in /etc/fail2ban/jail.local
    #
    
    # The DEFAULT allows a global definition of the options. They can be overridden
    # in each jail afterwards.
    
    [DEFAULT]
    
    # "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
    # ban a host which matches an address in this list. Several addresses can be
    # defined using space separator.
    ignoreip = 127.0.0.1/8
    
    # External command that will take an tagged arguments to ignore, e.g. <ip>,
    # and return true if the IP is to be ignored. False otherwise.
    #
    # ignorecommand = /path/to/command <ip>
    ignorecommand =
    
    # "bantime" is the number of seconds that a host is banned.
    bantime  = 600
    
    # A host is banned if it has generated "maxretry" during the last "findtime"
    # seconds.
    findtime = 600
    maxretry = 3
    
    # "backend" specifies the backend used to get files modification.
    # Available options are "pyinotify", "gamin", "polling" and "auto".
    # This option can be overridden in each jail as well.
    #
    # pyinotify: requires pyinotify (a file alteration monitor) to be installed.
    #            If pyinotify is not installed, Fail2ban will use auto.
    # gamin:     requires Gamin (a file alteration monitor) to be installed.
    #            If Gamin is not installed, Fail2ban will use auto.
    # polling:   uses a polling algorithm which does not require external libraries.
    # auto:      will try to use the following backends, in order:
    #            pyinotify, gamin, polling.
    backend = auto
    
    # "usedns" specifies if jails should trust hostnames in logs,
    #   warn when reverse DNS lookups are performed, or ignore all hostnames in logs
    #
    # yes:   if a hostname is encountered, a reverse DNS lookup will be performed.
    # warn:  if a hostname is encountered, a reverse DNS lookup will be performed,
    #        but it will be logged as a warning.
    # no:    if a hostname is encountered, will not be used for banning,
    #        but it will be logged as info.
    usedns = warn
    
    #
    # Destination email address used solely for the interpolations in
    # jail.{conf,local} configuration files.
    destemail = root@localhost
    
    #
    # Name of the sender for mta actions
    sendername = Fail2Ban
    
    # Email address of the sender
    sender = fail2ban@localhost
    
    #
    # ACTIONS
    #
    
    # Default banning action (e.g. iptables, iptables-new,
    # iptables-multiport, shorewall, etc) It is used to define
    # action_* variables. Can be overridden globally or per
    # section within jail.local file
    banaction = iptables-multiport
    
    # email action. Since 0.8.1 upstream fail2ban uses sendmail
    # MTA for the mailing. Change mta configuration parameter to mail
    # if you want to revert to conventional 'mail'.
    mta = sendmail
    
    # Default protocol
    protocol = tcp
    
    # Specify chain where jumps would need to be added in iptables-* actions
    chain = INPUT
    
    #
    # Action shortcuts. To be used to define action parameter
    
    # The simplest action to take: ban only
    action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
    
    # ban & send an e-mail with whois report to the destemail.
    action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
                  %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s", sendername="%(sendername)s"]
    
    # ban & send an e-mail with whois report and relevant log lines
    # to the destemail.
    action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
                   %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s", sendername="%(sendername)s"]
    
    # Choose default action.  To change, just override value of 'action' with the
    # interpolation to the chosen action shortcut (e.g.  action_mw, action_mwl, etc) in jail.local
    # globally (section [DEFAULT]) or per specific section
    action = %(action_)s
    
    #
    # JAILS
    #
    
    # Next jails corresponds to the standard configuration in Fail2ban 0.6 which
    # was shipped in Debian. Enable any defined here jail by including
    #
    # [SECTION_NAME]
    # enabled = true
    
    #
    # in /etc/fail2ban/jail.local.
    #
    # Optionally you may override any other parameter (e.g. banaction,
    # action, port, logpath, etc) in that section within jail.local
    
    [ssh]
    
    enabled  = true
    port     = ssh
    filter   = sshd
    logpath  = /var/log/auth.log
    maxretry = 6
    
    [dropbear]
    
    enabled  = false
    port     = ssh
    filter   = dropbear
    logpath  = /var/log/auth.log
    maxretry = 6
    
    # Generic filter for pam. Has to be used with action which bans all ports
    # such as iptables-allports, shorewall
    [pam-generic]
    
    enabled  = false
    # pam-generic filter can be customized to monitor specific subset of 'tty's
    filter   = pam-generic
    # port actually must be irrelevant but lets leave it all for some possible uses
    port     = all
    banaction = iptables-allports
    port     = anyport
    logpath  = /var/log/auth.log
    maxretry = 6
    
    [xinetd-fail]
    
    enabled   = false
    filter    = xinetd-fail
    port      = all
    banaction = iptables-multiport-log
    logpath   = /var/log/daemon.log
    maxretry  = 2
    
    
    [ssh-ddos]
    
    enabled  = false
    port     = ssh
    filter   = sshd-ddos
    logpath  = /var/log/auth.log
    maxretry = 6
    
    
    # Here we use blackhole routes for not requiring any additional kernel support
    # to store large volumes of banned IPs
    
    [ssh-route]
    
    enabled = false
    filter = sshd
    action = route
    logpath = /var/log/sshd.log
    maxretry = 6
    
    # Here we use a combination of Netfilter/Iptables and IPsets
    # for storing large volumes of banned IPs
    #
    # IPset comes in two versions. See ipset -V for which one to use
    # requires the ipset package and kernel support.
    [ssh-iptables-ipset4]
    
    enabled  = false
    port     = ssh
    filter   = sshd
    banaction = iptables-ipset-proto4
    logpath  = /var/log/sshd.log
    maxretry = 6
    
    [ssh-iptables-ipset6]
    
    enabled  = false
    port     = ssh
    filter   = sshd
    banaction = iptables-ipset-proto6
    logpath  = /var/log/sshd.log
    maxretry = 6
    
    
    #
    # HTTP servers
    #
    
    [apache]
    
    enabled  = false
    port     = http,https
    filter   = apache-auth
    logpath  = /var/log/apache*/*error.log
    maxretry = 6
    
    # default action is now multiport, so apache-multiport jail was left
    # for compatibility with previous (<0.7.6-2) releases
    [apache-multiport]
    
    enabled   = false
    port      = http,https
    filter    = apache-auth
    logpath   = /var/log/apache*/*error.log
    maxretry  = 6
    
    [apache-noscript]
    
    enabled  = false
    port     = http,https
    filter   = apache-noscript
    logpath  = /var/log/apache*/*error.log
    maxretry = 6
    
    [apache-overflows]
    
    enabled  = false
    port     = http,https
    filter   = apache-overflows
    logpath  = /var/log/apache*/*error.log
    maxretry = 2
    
    [apache-modsecurity]
    
    enabled  = false
    filter   = apache-modsecurity
    port     = http,https
    logpath  = /var/log/apache*/*error.log
    maxretry = 2
    
    [apache-nohome]
    
    enabled  = false
    filter   = apache-nohome
    port     = http,https
    logpath  = /var/log/apache*/*error.log
    maxretry = 2
    
    # Ban attackers that try to use PHP's URL-fopen() functionality
    # through GET/POST variables. - Experimental, with more than a year
    # of usage in production environments.
    
    [php-url-fopen]
    
    enabled = false
    port    = http,https
    filter  = php-url-fopen
    logpath = /var/www/*/logs/access_log
    
    # A simple PHP-fastcgi jail which works with lighttpd.
    # If you run a lighttpd server, then you probably will
    # find these kinds of messages in your error_log:
    #   ALERT – tried to register forbidden variable ‘GLOBALS’
    #   through GET variables (attacker '1.2.3.4', file '/var/www/default/htdocs/index.php')
    
    [lighttpd-fastcgi]
    
    enabled = false
    port    = http,https
    filter  = lighttpd-fastcgi
    logpath = /var/log/lighttpd/error.log
    
    # Same as above for mod_auth
    # It catches wrong authentifications
    
    [lighttpd-auth]
    
    enabled = false
    port    = http,https
    filter  = suhosin
    logpath = /var/log/lighttpd/error.log
    
    [nginx-http-auth]
    
    enabled = false
    filter  = nginx-http-auth
    port    = http,https
    logpath = /var/log/nginx/error.log
    
    # Monitor roundcube server
    
    [roundcube-auth]
    
    enabled  = false
    filter   = roundcube-auth
    port     = http,https
    logpath  = /var/log/roundcube/userlogins
    
    
    [sogo-auth]
    
    enabled  = false
    filter   = sogo-auth
    port     = http, https
    # without proxy this would be:
    # port    = 20000
    logpath  = /var/log/sogo/sogo.log
    
    
    #
    # FTP servers
    #
    
    [vsftpd]
    
    enabled  = false
    port     = ftp,ftp-data,ftps,ftps-data
    filter   = vsftpd
    logpath  = /var/log/vsftpd.log
    # or overwrite it in jails.local to be
    # logpath = /var/log/auth.log
    # if you want to rely on PAM failed login attempts
    # vsftpd's failregex should match both of those formats
    maxretry = 6
    
    
    [proftpd]
    
    enabled  = false
    port     = ftp,ftp-data,ftps,ftps-data
    filter   = proftpd
    logpath  = /var/log/proftpd/proftpd.log
    maxretry = 6
    
    
    [pure-ftpd]
    
    enabled  = false
    port     = ftp,ftp-data,ftps,ftps-data
    filter   = pure-ftpd
    logpath  = /var/log/syslog
    maxretry = 6
    
    
    [wuftpd]
    
    enabled  = false
    port     = ftp,ftp-data,ftps,ftps-data
    filter   = wuftpd
    logpath  = /var/log/syslog
    maxretry = 6
    
    
    #
    # Mail servers
    #
    
    [postfix]
    
    enabled  = false
    port     = smtp,ssmtp,submission
    filter   = postfix
    logpath  = /var/log/mail.log
    
    
    [couriersmtp]
    
    enabled  = false
    port     = smtp,ssmtp,submission
    filter   = couriersmtp
    logpath  = /var/log/mail.log
    
    
    #
    # Mail servers authenticators: might be used for smtp,ftp,imap servers, so
    # all relevant ports get banned
    #
    
    [courierauth]
    
    enabled  = false
    port     = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s
    filter   = courierlogin
    logpath  = /var/log/mail.log
    
    
    [sasl]
    
    enabled  = false
    port     = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s
    filter   = postfix-sasl
    # You might consider monitoring /var/log/mail.warn instead if you are
    # running postfix since it would provide the same log lines at the
    # "warn" level but overall at the smaller filesize.
    logpath  = /var/log/mail.log
    
    [dovecot]
    
    enabled = false
    port    = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s
    filter  = dovecot
    logpath = /var/log/mail.log
    
    # To log wrong MySQL access attempts add to /etc/my.cnf:
    # log-error=/var/log/mysqld.log
    # log-warning = 2
    [mysqld-auth]
    
    enabled  = false
    filter   = mysqld-auth
    port     = 3306
    logpath  = /var/log/mysqld.log
    
    
    # DNS Servers
    
    
    # These jails block attacks against named (bind9). By default, logging is off
    # with bind9 installation. You will need something like this:
    #
    # logging {
    #     channel security_file {
    #         file "/var/log/named/security.log" versions 3 size 30m;
    #         severity dynamic;
    #         print-time yes;
    #     };
    #     category security {
    #         security_file;
    #     };
    # };
    #
    # in your named.conf to provide proper logging
    
    # !!! WARNING !!!
    #   Since UDP is connection-less protocol, spoofing of IP and imitation
    #   of illegal actions is way too simple.  Thus enabling of this filter
    #   might provide an easy way for implementing a DoS against a chosen
    #   victim. See
    #    http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
    #   Please DO NOT USE this jail unless you know what you are doing.
    #[named-refused-udp]
    #
    #enabled  = false
    #port     = domain,953
    #protocol = udp
    #filter   = named-refused
    #logpath  = /var/log/named/security.log
    
    [named-refused-tcp]
    
    enabled  = false
    port     = domain,953
    protocol = tcp
    filter   = named-refused
    logpath  = /var/log/named/security.log
    
    [freeswitch]
    
    enabled  = false
    filter   = freeswitch
    logpath  = /var/log/freeswitch.log
    maxretry = 10
    action   = iptables-multiport[name=freeswitch-tcp, port="5060,5061,5080,5081", protocol=tcp]
               iptables-multiport[name=freeswitch-udp, port="5060,5061,5080,5081", protocol=udp]
    
    [ejabberd-auth]
    
    enabled  = false
    filter   = ejabberd-auth
    port     = xmpp-client
    protocol = tcp
    logpath  = /var/log/ejabberd/ejabberd.log
    
    
    # Multiple jails, 1 per protocol, are necessary ATM:
    # see https://github.com/fail2ban/fail2ban/issues/37
    [asterisk-tcp]
    
    enabled  = false
    filter   = asterisk
    port     = 5060,5061
    protocol = tcp
    logpath  = /var/log/asterisk/messages
    
    [asterisk-udp]
    
    enabled  = false
    filter	 = asterisk
    port     = 5060,5061
    protocol = udp
    logpath  = /var/log/asterisk/messages
    
    
    # Jail for more extended banning of persistent abusers
    # !!! WARNING !!!
    #   Make sure that your loglevel specified in fail2ban.conf/.local
    #   is not at DEBUG level -- which might then cause fail2ban to fall into
    #   an infinite loop constantly feeding itself with non-informative lines
    [recidive]
    
    enabled  = false
    filter   = recidive
    logpath  = /var/log/fail2ban.log
    action   = iptables-allports[name=recidive]
               sendmail-whois-lines[name=recidive, logpath=/var/log/fail2ban.log]
    bantime  = 604800  ; 1 week
    findtime = 86400   ; 1 day
    maxretry = 5
    
    # See the IMPORTANT note in action.d/blocklist_de.conf for when to
    # use this action
    #
    # Report block via blocklist.de fail2ban reporting service API
    # See action.d/blocklist_de.conf for more information
    [ssh-blocklist]
    
    enabled  = false
    filter   = sshd
    action   = iptables[name=SSH, port=ssh, protocol=tcp]
               sendmail-whois[name=SSH, dest="%(destemail)s", sender="%(sender)s", sendername="%(sendername)s"]
               blocklist_de[email="%(sender)s", apikey="xxxxxx", service="%(filter)s"]
    logpath  = /var/log/sshd.log
    maxretry = 20
    
    
    # consider low maxretry and a long bantime
    # nobody except your own Nagios server should ever probe nrpe
    [nagios]
    enabled  = false
    filter   = nagios
    action   = iptables[name=Nagios, port=5666, protocol=tcp]
               sendmail-whois[name=Nagios, dest="%(destemail)s", sender="%(sender)s", sendername="%(sendername)s"]
    logpath  = /var/log/messages     ; nrpe.cfg may define a different log_facility
    maxretry = 1
    
    

    Additionally, I tested failed logins over ssh and iptables works.

    So it seems to me that the problem is the filter for this type of error.


  5. System: Debian 8 Jessie + ispconfig.

    Everything done according to: https://www.howtoforge.com/tutorial/perfect-server-debian-8-jessie-apache-bind-dovecot-ispconfig-3/

    Unfortunately fail2ban does not block the IP after failed login attempts.

    Log: /var/log/mail.log

    Entries like:

    Oct 28 06:10:33 aaaaaa postfix/smtpd[1413]: warning: unknown[xx.xx.xx.xx]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Oct 28 06:33:04 aaaaaa postfix/smtpd[2046]: warning: unknown[xxx.xxx.xxx.xxx]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Oct 28 07:17:23 aaaaaa postfix/smtpd[3084]: warning: unknown[xxx.xxx.xxx.xxx]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Oct 28 07:21:48 aaaaaa postfix/smtpd[3180]: warning: unknown[xx.xx.xx.xx]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Oct 28 08:01:43 aaaaaa postfix/smtpd[4022]: warning: unknown[xxx.xxx.xxx.xxx]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Oct 28 08:33:00 aaaaaa postfix/smtpd[4761]: warning: unknown[xx.xx.xx.xx]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    

    In jail.local I added:

    [sasl]
    
    enabled  = true
    port     = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s
    filter   = postfix-sasl
    # You might consider monitoring /var/log/mail.warn instead if you are
    # running postfix since it would provide the same log lines at the
    # "warn" level but overall at the smaller filesize.
    logpath  = /var/log/mail.log
    bantime = 600000
    findtime = 30
    maxretry = 3
    
    

    Filter postfix-sasl:

    # Fail2Ban filter for postfix authentication failures
    #
    
    [INCLUDES]
    
    before = common.conf
    
    [Definition]
    
    _daemon = postfix/smtpd
    
    failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$
    
    # Author: Yaroslav Halchenko
    

    Status:

    root@aaaaaa:~# fail2ban-client status
    Status
    |- Number of jail:      2
    `- Jail list:           sasl, ssh
    root@aaaaaa:~#
    
    

    Checking that it works:

    root@aaaaaa:~# fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/postfix-sasl.conf
    
    Running tests
    =============
    
    Use   failregex file : /etc/fail2ban/filter.d/postfix-sasl.conf
    Use         log file : /var/log/mail.log
    
    
    Results
    =======
    
    Failregex: 36 total
    |-  #) [# of hits] regular expression
    |   1) [36] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?(??:\[\d+\])?:\s+[\[\(]?postfix/smtpd(?:\(\S+\))?[\]\)]?:?|[\[\(]?postfix/smtpd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$
    `-
    
    Ignoreregex: 0 total
    
    Date template hits:
    |- [# of hits] date format
    |  [1091] MONTH Day Hour:Minute:Second
    `-
    
    Lines: 1091 lines, 0 ignored, 36 matched, 1055 missed
    Missed line(s): too many to print.  Use --print-all-missed to print all 1055 lines
    root@aaaaaa:~#
    
    

    Unfortunately the IP addresses are not blocked.

    What am I doing wrong? What don't I understand, if I think they should be blocked and they aren't?
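The fail2ban-regex run above shows the filter matching 36 lines, and the later post with the full jail.conf confirms the iptables action works for ssh, so the remaining piece to test is the ban decision itself: fail2ban bans a host only when at least maxretry matching lines fall within a findtime-second window, and with the jail.local above that means three failures within 30 seconds of each other. The script below is an added example, not fail2ban's code; it replays constructed log lines (modelled on the ones quoted above, with addresses from the RFC 5737 documentation range 203.0.113.0/24 instead of the masked ones) through the postfix-sasl failregex and applies the findtime/maxretry rule for several settings, so you can see which jail values would actually produce a ban for a given failure pattern.

```python
"""Replay postfix SASL failures through the postfix-sasl failregex and apply
fail2ban's findtime/maxretry rule.

Added example, not fail2ban's code. The log lines are constructed after the
ones quoted in the post; 203.0.113.0/24 is an RFC 5737 documentation range.
"""
import re
from collections import defaultdict
from datetime import datetime

# The failregex from filter.d/postfix-sasl.conf, with common.conf's
# __prefix_line expanded to the plain "Mon DD HH:MM:SS host postfix/smtpd[pid]:"
# syslog prefix that /var/log/mail.log uses.
FAILREGEX = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"warning: [-._\w]+\[(?P<host>[^\]]+)\]: "
    r"SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed"
    r"(?:: [ A-Za-z0-9+/]*={0,2})?\s*$"
)

# Constructed sample: one host fails three times within two minutes, another
# fails three times spread over ~50 minutes, plus one non-matching line.
SAMPLE_LOG = """\
Oct 28 06:10:33 aaaaaa postfix/smtpd[1413]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Oct 28 06:10:41 aaaaaa postfix/smtpd[1413]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Oct 28 06:12:07 aaaaaa postfix/smtpd[1420]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Oct 28 06:33:04 aaaaaa postfix/smtpd[2046]: warning: unknown[203.0.113.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Oct 28 07:17:23 aaaaaa postfix/smtpd[3084]: warning: unknown[203.0.113.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Oct 28 07:21:48 aaaaaa postfix/smtpd[3180]: warning: unknown[203.0.113.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Oct 28 08:01:43 aaaaaa postfix/smtpd[4022]: connect from unknown[203.0.113.9]
"""


def parse_failures(log_text: str, year: int = 2015) -> list:
    """Return (timestamp, host) for every line the failregex matches.
    Syslog lines carry no year, so one is supplied (assumed 2015 here)."""
    failures = []
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            failures.append((ts, m["host"]))
    return failures


def banned_hosts(failures: list, findtime: int, maxretry: int) -> set:
    """Apply fail2ban's rule: a host is banned once any window of findtime
    seconds contains at least maxretry of its failures."""
    by_host = defaultdict(list)
    for ts, host in sorted(failures):
        by_host[host].append(ts)
    banned = set()
    for host, times in by_host.items():
        for current in times:
            # Count failures in the findtime window that ends at this one.
            in_window = [t for t in times
                         if 0 <= (current - t).total_seconds() <= findtime]
            if len(in_window) >= maxretry:
                banned.add(host)
                break
    return banned


if __name__ == "__main__":
    fails = parse_failures(SAMPLE_LOG)
    print(f"{len(fails)} lines matched the failregex")
    for findtime in (30, 600, 3600):
        print(f"findtime={findtime:<5} maxretry=3 -> banned: "
              f"{sorted(banned_hosts(fails, findtime, 3)) or 'nobody'}")
```

With the post's findtime = 30 no host is banned even though every failure line matches the filter; raising findtime to 600 bans the host that failed three times within two minutes, and 3600 also catches the slower one. The same split (filter matches versus ban decision) is what fail2ban-regex cannot show, because it only reports matches.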


  6. The situation is that there are several locations, and each location has internet access with a static public address.

    The people running the locations, whatever happens, always claim that when there is a problem it's because there is no internet.

    I would need some program that pings the given routers and checks whether everything is OK. If one doesn't respond I get, e.g., an email, plus some statistics or something.

    Can you suggest something from among the free solutions?

    As for the locations themselves, each one has a server with devices connected to it. I would also be interested in monitoring the devices inside the network, but that's a secondary matter.

    Generally it's also about ping etc., what time a given device was switched on. I understand that in that case it would be an application on the internal server; the point is just to collect it from all locations in one place.

    I posted it here because I didn't know which section it would fit best.
