
Claus
Resolved
0 votes
Hi

I have installed Attack Detector and I don't know if it will work.
Is there a way I can see if it is working? I can see this in the log:

warning: unknown[91.200.12.129]: SASL LOGIN authentication failed: authentication failure
Oct 12 20:11:15 myxxxxxx postfix/smtpd[1935]: lost connection after AUTH from unknown[91.200.12.129]
Oct 12 20:11:15 myxxxxxx postfix/smtpd[1935]: disconnect from unknown[91.200.12.129]

and maybe this is how to see if it's working?

Claus
Thursday, October 12 2017, 06:18 PM
Responses (6)
  • Accepted Answer

    Saturday, October 14 2017, 06:38 PM - #Permalink
    Resolved
    1 votes
    ipset is not a service. It is part of the iptables firewall. With fail2ban/app-attack-detector there is no need to save the sets as fail2ban will rebuild them each time it starts from its own database.

    If you want to save your own sets you can with something like:
    ipset save blocklist > /usr/src/ipset_blocklist.save
    sed -i 's/create/create -exist/g' /usr/src/ipset_blocklist.save
    sed -i 's/add/add -exist/g' /usr/src/ipset_blocklist.save
    You can then restore it with:
    ipset restore < /usr/src/ipset_blocklist.save
    File names are up to you. This example saves a set called "blocklist".

    If you want to load an ipset set on boot up, it is best to force the loading of the module by adding a file /etc/sysconfig/modules/ip_set.modules and in it put:
    modprobe ip_set
    or the restore may fail if ClearOS tries to run it before ipset has loaded (this is a current bug in app-attack-detector which will be fixed in 7.4 where they force ip_set to load as part of the firewall start up). You may need to make the file executable.
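The save/restore flow from the answer above, written out as an added example script (mine, not the poster's, not part of ClearOS or app-attack-detector). It assumes the set name "blocklist" and the /usr/src path the answer uses, the modules file the answer names, and the INPUT/FORWARD DROP rules that appear later in the thread; the sample dump at the bottom is constructed so the rewrite step can be tried without a live ipset. Anything that touches ipset or iptables needs root.

```shell
#!/bin/sh
# Added example, not from the thread: save an ipset set so it restores cleanly
# even when the set already exists, load ip_set before restoring, and make
# sure the DROP rules reference the set. Set name and paths are assumptions.

SET_NAME=${SET_NAME:-blocklist}
SAVE_FILE=${SAVE_FILE:-/usr/src/ipset_blocklist.save}
MODULES_FILE=/etc/sysconfig/modules/ip_set.modules

# Rewrite a dump so every "create" and "add" line carries -exist, which makes
# "ipset restore" tolerate a set or entry that is already present. Anchored to
# the start of the line, so a set name or comment containing "add" is untouched.
add_exist_flags() {
    sed -E 's/^(create|add) /\1 -exist /'
}

# Dump the live set, with -exist flags, to SAVE_FILE.
save_set() {
    ipset save "$SET_NAME" | add_exist_flags > "$SAVE_FILE"
}

# Restore the set. "ipset restore" reads the dump on stdin, so the file is
# redirected in rather than passed as an argument.
restore_set() {
    modprobe ip_set 2>/dev/null || true    # harmless if already loaded
    ipset restore < "$SAVE_FILE"
}

# Drop anything whose source is in the set, on INPUT and FORWARD, without
# adding a duplicate rule on every run ("iptables -C" checks for an existing one).
ensure_drop_rules() {
    for chain in INPUT FORWARD; do
        iptables -C "$chain" -m set --match-set "$SET_NAME" src -j DROP 2>/dev/null ||
            iptables -I "$chain" -m set --match-set "$SET_NAME" src -j DROP
    done
}

# Force ip_set to load at boot (the workaround from the answer for 7.3).
install_module_loader() {
    printf '#!/bin/sh\nmodprobe ip_set\n' > "$MODULES_FILE"
    chmod +x "$MODULES_FILE"
}

# Constructed sample dump, for exercising the rewrite without a live ipset.
sample_dump() {
    cat <<'EOF'
create blocklist hash:net family inet hashsize 1024 maxelem 65536
add blocklist 203.0.113.0/24
add blocklist 198.51.100.0/24
EOF
}

case "${1:-demo}" in
    save)    save_set ;;
    restore) restore_set && ensure_drop_rules ;;
    install) install_module_loader ;;
    demo)    sample_dump | add_exist_flags ;;
esac
```

Run it with `save` after editing the set, `restore` at boot (after `install` has put the modules file in place), and with no argument to see what the -exist rewrite does to the constructed dump. An alternative to rewriting the dump is leaving it untouched and running `ipset -exist restore < file`, which applies the same flag to every line.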
  • Accepted Answer

    Thursday, October 12 2017, 09:21 PM - #Permalink
    Resolved
    0 votes
    Have a look in /var/log/fail2ban.log for detection (generally the "info" messages) and bans ("warning" messages). The postfix-sasl jail should pick up the first but won't ban until it gets 5 attempts in an hour, but these are manually configurable.
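A small summariser for /var/log/fail2ban.log, added here as an example (mine, not the poster's and not part of fail2ban): it counts detections ("Found") and bans/unbans per jail, which answers "is it working?" at a glance. It keys on the "[jail] Found" and "[jail] Ban" tokens rather than on the log level, because the level fail2ban attaches to a ban differs between versions. The log lines in `sample_log` are constructed, not from a real host; 91.200.12.129 is the address from the question and 198.51.100.7 is a documentation-range address.

```shell
#!/bin/sh
# Added example, not from the thread: per-jail counts of Found/Ban/Unban
# lines in a fail2ban log read on stdin.

f2b_summary() {
    awk '
    {
        # Look for a "[jail]" field immediately followed by the action word.
        for (i = 1; i < NF; i++) {
            if ($i ~ /^\[[A-Za-z0-9_.-]+\]$/ &&
                ($(i + 1) == "Found" || $(i + 1) == "Ban" || $(i + 1) == "Unban")) {
                jail = substr($i, 2, length($i) - 2)
                count[jail, $(i + 1)]++
                jails[jail] = 1
            }
        }
    }
    END {
        for (j in jails)
            printf "%s found=%d ban=%d unban=%d\n",
                   j, count[j, "Found"], count[j, "Ban"], count[j, "Unban"]
    }'
}

# Constructed sample log (not real data).
sample_log() {
    cat <<'EOF'
2017-10-12 20:11:16,101 fail2ban.filter  [2011]: INFO    [postfix-sasl] Found 91.200.12.129
2017-10-12 20:18:40,212 fail2ban.filter  [2011]: INFO    [postfix-sasl] Found 91.200.12.129
2017-10-12 20:25:03,330 fail2ban.filter  [2011]: INFO    [postfix-sasl] Found 91.200.12.129
2017-10-12 20:33:51,440 fail2ban.filter  [2011]: INFO    [postfix-sasl] Found 91.200.12.129
2017-10-12 20:41:27,551 fail2ban.filter  [2011]: INFO    [postfix-sasl] Found 91.200.12.129
2017-10-12 20:41:27,602 fail2ban.actions [2011]: NOTICE  [postfix-sasl] Ban 91.200.12.129
2017-10-12 21:02:10,000 fail2ban.filter  [2011]: INFO    [sshd] Found 198.51.100.7
2017-10-12 21:02:12,000 fail2ban.filter  [2011]: INFO    [sshd] Found 198.51.100.7
2017-10-12 21:02:12,050 fail2ban.actions [2011]: NOTICE  [sshd] Ban 198.51.100.7
2017-10-12 21:12:12,050 fail2ban.actions [2011]: NOTICE  [sshd] Unban 198.51.100.7
EOF
}

# Demo on the constructed log; on a real box use: f2b_summary < /var/log/fail2ban.log
sample_log | f2b_summary
```

On the sample, postfix-sasl shows five detections and one ban, which is the 5-attempts-then-ban behaviour the answer describes; a jail with many "found" and zero "ban" lines is the thing to look for when a jail seems not to be acting.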
  • Accepted Answer

    Claus
    Friday, October 13 2017, 07:29 PM - #Permalink
    Resolved
    0 votes
    Nick Howitt wrote:

    Have a look in /var/log/fail2ban.log for detection (generally the "info" messages) and bans ("warning" messages). The postfix-sasl jail should pick up the first but won't ban until it gets 5 attempts in an hour, but these are manually configurable.


    Hi

    Yes I can see that, but I also think I should be able to see in iptables the dropped IPs that are in the
    log for fail2ban, but if I run iptables -L I can't see any drop lines with the IPs in the fail2ban log.

    Claus
  • Accepted Answer

    Saturday, October 14 2017, 08:58 AM - #Permalink
    Resolved
    0 votes
    Sometime this year ClearOS started moving over to ipset blocking because it gets round problems with firewall restarting. For big blocks it is way more efficient, but the downside is that it is harder to see what is going on. My setup is non-standard so I can't give you the exact answer, but do an "iptables -nvL" and if you don't have any f2b chains near the bottom then you are probably using ipset. From the listing, have a look at the top of the INPUT chain (or do an "iptables -nvL INPUT") and you will see a bunch of rules with "match-set" in them. Note the set name which follows, then do an "ipset list set_name" and you will see the IPs in that list. This is what is being blocked. You can also test if an IP is in the list with "ipset test set_name IP_address".

    Have a look at "man ipset" to see the different ipset commands available.
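The check the answer above describes, as an added example script (mine, not the poster's, not part of ClearOS, fail2ban or ipset): pull every set name that follows "match-set" out of an `iptables -nvL INPUT` listing, then run `ipset test` against each of them for one address. The listing in `sample_listing` is constructed, and the set names in it are assumptions (fail2ban's ipset actions name their sets f2b-<jail>; myset-network is the name used later in this thread). The live check needs root and a working ipset; without them the script only parses the constructed listing.

```shell
#!/bin/sh
# Added example, not from the thread: list the sets INPUT is matching on and
# see whether a given address falls into any of them.

# Print every set name that appears after "match-set" in a chain listing, once.
match_set_names() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "match-set") print $(i + 1) }' | sort -u
}

# Report which of the given sets contain the address; exit 1 if none do.
# "ipset test" exits 0 when the entry (or, for a hash:net set, a network that
# contains it) is present.
ip_in_sets() {
    ip=$1; shift
    hit=1
    for s in "$@"; do
        if ipset test "$s" "$ip" >/dev/null 2>&1; then
            echo "$ip is in $s"
            hit=0
        fi
    done
    return $hit
}

# Constructed sample of "iptables -nvL INPUT" output (not from a real host).
sample_listing() {
    cat <<'EOF'
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  142  8520 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set f2b-postfix-sasl src
   37  2220 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set myset-network src
    5   300 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set f2b-postfix-sasl src
 9912  612K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
EOF
}

addr=${1:-91.200.12.129}    # address from the question; pass another as $1

if [ "$(id -u)" = 0 ] && command -v ipset >/dev/null 2>&1; then
    # Live check. $sets is deliberately unquoted so each name is one argument.
    sets=$(iptables -nvL INPUT 2>/dev/null | match_set_names)
    ip_in_sets "$addr" $sets || echo "$addr is not in any set matched by INPUT"
else
    # Offline demo: just show the set names the parser finds.
    sample_listing | match_set_names
fi
```

The sort -u matters: the same set is usually referenced from more than one rule (the sample has f2b-postfix-sasl twice), and you only want to test it once. If an address from the fail2ban log is not in any set here, the next thing to look at is whether fail2ban's action for that jail is actually the ipset one.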
  • Accepted Answer

    Claus
    Saturday, October 14 2017, 06:09 PM - #Permalink
    Resolved
    1 votes
    Hi

    Thank you, I have found out it is working now with your help,
    but I can't restart the ipset service like I can restart the firewall.
    Is this not on ClearOS 7.3?
    And if it is not, how can I install it? I have saved the ipset and want it to be restored on reboot.
    I have moved my blocked IP networks from iptables to ipset, I think this is the way to go.
    I have made these 2 rules in iptables and it is working:
    iptables -I INPUT -m set --match-set myset-network src -j DROP
    iptables -I FORWARD -m set --match-set myset-network src -j DROP

    and put the block ip network in myset-network in ipset

    Claus
  • Accepted Answer

    Claus
    Saturday, October 14 2017, 06:51 PM - #Permalink
    Resolved
    0 votes
    Nick Howitt wrote:

    ipset is not a service. It is part of the iptables firewall. With fail2ban/app-attack-detector there is no need to save the sets as fail2ban will rebuild them each time it starts from its own database.

    If you want to save your own sets you can with something like:
    ipset save blocklist > /usr/src/ipset_blocklist.save
    sed -i 's/create/create -exist/g' /usr/src/ipset_blocklist.save
    sed -i 's/add/add -exist/g' /usr/src/ipset_blocklist.save
    You can then restore it with:
    ipset restore < /usr/src/ipset_blocklist.save
    File names are up to you. This example saves a set called "blocklist".

    If you want to load an ipset set on boot up, it is best to force the loading of the module by adding a file /etc/sysconfig/modules/ip_set.modules and in it put:
    modprobe ip_set
    or the restore may fail if ClearOS tries to run it before ipset has loaded (this is a current bug in app-attack-detector which will be fixed in 7.4 where they force ip_set to load as part of the firewall start up). You may need to make the file executable.



    Thank you again for the quick answers. I will then wait for ClearOS 7.4 to come out; I don't reboot very often.
    I will use the ipset restore for now and see how it will work with 7.4.

    Claus