[Eisfair] bfb / journalctl: initfile[31363]: /usr/bin/in.grep: 16:04:19: No such file or directory
Rolf Bensch
azubi at bensch-net.de
Sat May 11 15:21:49 CEST 2024
Hello Marcus,
On 11.05.24 at 08:46, Marcus Röckrath wrote:
> Hello Rolf,
> ...
>
> 1. Delete the if block in /zsr/local/brute_force_blocking/initfile that
> includes /etc/init.d/functions; it begins with
>
> if [ -n /etc/init.d/functions ]
done
> 2. Back up /usr/bin/grep and then add the following line to /usr/bin/grep:
>
> echo $(date +"%b %d %H:%M:%S" ; echo "${@}") >> /tmp/greplog
done
In addition:
> If enabled, please switch off the following options:
>
> BFB_RESTART_ON_UNBLOCK
root at eis64-2 (/)# grep RESTART /etc/config.d/brute_force_blocking
BFB_RESTART_ON_UNBLOCK='no' # restart BFB after deblock blocked ip
> BFB_SEND_ATTACKER_TO_TWITTER
root at eis64-2 (/)# grep SEND_ATTACKER /etc/config.d/brute_force_blocking
BFB_SEND_ATTACKER_TO_TWITTER='no' # send attacker ip to BFB-Twitteraccount for
> That now logs the parameters of every grep call, with a timestamp,
> to /tmp/greplog.
>
> Perhaps, together with the activated traces, we can narrow it
> down.
As expected, that produces quite a lot of output. journalctl -b -f delivers the following every 10 seconds:
May 11 14:43:33 eis64-2 initfile[3236]: /usr/bin/in.grep: 13:30:01: No such file or directory
May 11 14:43:33 eis64-2 initfile[3236]: /usr/bin/in.grep: write error: Broken pipe
May 11 14:43:33 eis64-2 initfile[3254]: /usr/bin/in.grep: 13:45:01: No such file or directory
May 11 14:43:33 eis64-2 initfile[3254]: /usr/bin/in.grep: write error: Broken pipe
May 11 14:43:33 eis64-2 initfile[3272]: /usr/bin/in.grep: 14:00:01: No such file or directory
May 11 14:43:33 eis64-2 initfile[3272]: /usr/bin/in.grep: write error: Broken pipe
May 11 14:43:33 eis64-2 initfile[3290]: /usr/bin/in.grep: 14:01:05: No such file or directory
May 11 14:43:33 eis64-2 initfile[3290]: /usr/bin/in.grep: write error: Broken pipe
May 11 14:43:33 eis64-2 initfile[3308]: /usr/bin/in.grep: 14:09:45: No such file or directory
May 11 14:43:33 eis64-2 initfile[3308]: /usr/bin/in.grep: write error: Broken pipe
May 11 14:43:33 eis64-2 initfile[3326]: /usr/bin/in.grep: 14:15:01: No such file or directory
May 11 14:43:33 eis64-2 initfile[3326]: /usr/bin/in.grep: write error: Broken pipe
May 11 14:43:33 eis64-2 initfile[3345]: /usr/bin/in.grep: 14:30:01: No such file or directory
May 11 14:43:33 eis64-2 initfile[3345]: /usr/bin/in.grep: write error: Broken pipe
May 11 14:43:33 eis64-2 initfile[3362]: /usr/bin/in.grep: 14:43:16: No such file or directory
May 11 14:43:33 eis64-2 initfile[3362]: /usr/bin/in.grep: write error: Broken pipe
May 11 14:43:33 eis64-2 initfile[3398]: /usr/bin/in.grep: write error: Broken pipe
The corresponding output in /tmp/greplog is below.
Going by the number of "No such file or directory" messages (=8), "Failed keyboard-interactive|Invalid user..." becomes suspect.
root at eis64-2 (/)# grep -n "Failed keyboard-interactive|Invalid user" /usr/local/brute_force_blocking/*
/usr/local/brute_force_blocking/brute_force_blocking:1928: tail -n500 $authlog |awk '$4~/'$SERVERNAME'/&&$1~/^'$MONAT'/&&$2~/^'$TAG'/&&$3~/^'$ZEIT'/'|grep -E "Failed keyboard-interactive....
/usr/local/brute_force_blocking/brute_force_blocking:1933: tail -n150 $authlog |grep $grepheute |grep -E "Failed keyboard-interactive|Invalid user|illegal user|Failed publickey|ad password...
/usr/local/brute_force_blocking/brute_force_blocking:1999: ANZAHL=`grep -a $IPN $authlog | grep -v "$grepheute" |grep -E "Failed keyboard-interactive|Invalid user|illegal user|Failed...
I had enabled debug_mode yesterday, so lines 1928 and 1999 are the relevant ones here.
I then commented out the 3 lines in brute_force_blocking one after another (while the service was running); the messages keep coming. And since this is all Greek to me: can you see anything?
Regards
Rolf
May 11 14:43:32 2918 <version> /var/install/packages/apache2
May 11 14:43:33 2969 <version> /var/install/packages/apache2
May 11 14:43:33 3016 <version> /var/install/packages/apache2
May 11 14:43:33 3024 /brute_force_blocking
May 11 14:43:33 8849 May.11.14:4
May 11 14:43:33 8849 May.11.14:4
May 11 14:43:33 8849 May.11.14:4
May 11 14:43:33 8849 -Eq [0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}$ /usr/local/brute_force_blocking/atackingips
May 11 14:43:33 8849 May.11.14:4
May 11 14:43:33 8849 May.11.14:4
May 11 14:43:33 8849 May.11.14:4
May 11 14:43:33 8849 SSH-DENY
May 11 14:43:33 8849 -Eo SRC=[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}
May 11 14:43:33 8849 May.11.14:4
May 11 14:43:33 8849 Connection closed by
May 11 14:43:33 8849 -Eo by ([a-f0-9\.]+\.+)+[a-f0-9]+|by ([a-f0-9:]+:+)+[a-f0-9]+
May 11 14:43:33 3177 -an Bad packet length /var/log/messages
May 11 14:43:33 3177 May.11.14:4
May 11 14:43:33 3188 -an Received disconnect from /var/log/messages
May 11 14:43:33 3188 May.11.14:4
May 11 14:43:33 3199 -an Unable to negotiate with /var/log/messages
May 11 14:43:33 3199 May.11.14:4
May 11 14:43:33 8849 Received disconnect from
May 11 14:43:33 8849 -Eo [0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}
May 11 14:43:33 3224 -a May 11 /var/log/messages
May 11 14:43:33 3224 Received disconnect from 11 13:30:01
May 11 14:43:33 3223 -q Accepted
May 11 14:43:33 3223 -a 11 13:30:01 /var/log/messages
May 11 14:43:33 3242 -a May 11 /var/log/messages
May 11 14:43:33 3242 Received disconnect from 11 13:45:01
May 11 14:43:33 3223 -q Accepted
May 11 14:43:33 3223 -a 11 13:45:01 /var/log/messages
May 11 14:43:33 3260 -a May 11 /var/log/messages
May 11 14:43:33 3260 Received disconnect from 11 14:00:01
May 11 14:43:33 3223 -q Accepted
May 11 14:43:33 3223 -a 11 14:00:01 /var/log/messages
May 11 14:43:33 3278 -a May 11 /var/log/messages
May 11 14:43:33 3278 Received disconnect from 11 14:01:05
May 11 14:43:33 3223 -q Accepted
May 11 14:43:33 3223 -a 11 14:01:05 /var/log/messages
May 11 14:43:33 3296 -a May 11 /var/log/messages
May 11 14:43:33 3296 Received disconnect from 11 14:09:45
May 11 14:43:33 3223 -q Accepted
May 11 14:43:33 3223 -a 11 14:09:45 /var/log/messages
May 11 14:43:33 3314 -a May 11 /var/log/messages
May 11 14:43:33 3314 Received disconnect from 11 14:15:01
May 11 14:43:33 3223 -q Accepted
May 11 14:43:33 3223 -a 11 14:15:01 /var/log/messages
May 11 14:43:33 3332 -a May 11 /var/log/messages
May 11 14:43:33 3332 Received disconnect from 11 14:30:01
May 11 14:43:33 3223 -q Accepted
May 11 14:43:33 3223 -a 11 14:30:01 /var/log/messages
May 11 14:43:33 3350 -a May 11 /var/log/messages
May 11 14:43:33 3350 Received disconnect from 11 14:43:16
May 11 14:43:33 3223 -q Accepted
May 11 14:43:33 3223 -a 11 14:43:16 /var/log/messages
May 11 14:43:33 3368 -a May 11 /var/log/messages
May 11 14:43:33 3368 Received disconnect from 192.168.0.132
May 11 14:43:33 3223 -q Accepted
May 11 14:43:33 3223 -a 192.168.0.132 /var/log/messages
May 11 14:43:33 3386 -a May 11 /var/log/messages
May 11 14:43:33 3386 Received disconnect from 192.168.0.211
May 11 14:43:33 3223 -q Accepted
May 11 14:43:33 3223 -a 192.168.0.211 /var/log/messages
May 11 14:43:33 3404 -a May 11 /var/log/messages
May 11 14:43:33 3404 Received disconnect from 192.168.100.210
May 11 14:43:33 3223 -q Accepted
May 11 14:43:33 3223 -a 192.168.100.210 /var/log/messages
May 11 14:43:33 3422 -a May 11 /var/log/messages
May 11 14:43:33 3422 Received disconnect from 32778:11
May 11 14:43:33 3223 -a 32778:11 /var/log/messages
May 11 14:43:33 3223 -q Accepted
May 11 14:43:33 3440 -a May 11 /var/log/messages
May 11 14:43:33 3440 Received disconnect from 37884:11
May 11 14:43:33 3223 -a 37884:11 /var/log/messages
May 11 14:43:33 3223 -q Accepted
May 11 14:43:33 3458 -a May 11 /var/log/messages
May 11 14:43:33 3458 Received disconnect from 38658:11
May 11 14:43:33 3223 -a 38658:11 /var/log/messages
May 11 14:43:33 3223 -q Accepted
May 11 14:43:33 3476 -a May 11 /var/log/messages
May 11 14:43:33 3476 Received disconnect from 38660:11
May 11 14:43:33 3223 -a 38660:11 /var/log/messages
May 11 14:43:33 3223 -q Accepted
May 11 14:43:33 3494 -a May 11 /var/log/messages
May 11 14:43:33 3494 Received disconnect from 38662:11
May 11 14:43:33 3223 -a 38662:11 /var/log/messages
May 11 14:43:33 3223 -q Accepted
May 11 14:43:33 3512 -a May 11 /var/log/messages
May 11 14:43:33 3512 Received disconnect from 38664:11
May 11 14:43:33 3223 -a 38664:11 /var/log/messages
May 11 14:43:33 3223 -q Accepted
May 11 14:43:33 3530 -a May 11 /var/log/messages
May 11 14:43:33 3530 Received disconnect from 38666:11
May 11 14:43:33 3223 -a 38666:11 /var/log/messages
May 11 14:43:33 3223 -q Accepted
May 11 14:43:33 3548 -a May 11 /var/log/messages
May 11 14:43:33 3548 Received disconnect from 38668:11
May 11 14:43:33 3223 -a 38668:11 /var/log/messages
May 11 14:43:33 3223 -q Accepted
May 11 14:43:33 8849 -Eq [0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}$ /usr/local/brute_force_blocking/atackingips
May 11 14:43:33 3618 <version> /var/install/packages/apache2
May 11 14:43:33 8849 May.11.14:4
May 11 14:43:33 8849 May.11.14:4
May 11 14:43:33 8849 May.11.14:4
May 11 14:43:33 8849 Failed keyboard-interactive|Invalid user|illegal user|Failed publickey|ad password attempt|Authentication failure|ailed password|nonexistent user|kex_exchange_identification|banner exchange: Connection
May 11 14:43:33 3661 -a dropbear.14340 /var/log/messages
May 11 14:43:33 3661 May.11.14:4
May 11 14:43:33 3661 -Eo [0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}
May 11 14:43:33 3680 -a dropbear.14340 /var/log/messages
May 11 14:43:33 3680 May.11.14:4
May 11 14:43:34 3680 -Ev HTTP|disconnect
May 11 14:43:34 3680 -Eo ([0-9\.]+\.+)+[0-9]+|([a-f0-9:]+:+)+[a-f0-9]+
May 11 14:43:34 3661 [a-zA-Z]
May 11 14:43:34 3661 -qv :
May 11 14:43:34 3748 <version> /var/install/packages/apache2
May 11 14:43:34 3760 -a a.root-servers.net. /var/log/messages
May 11 14:43:34 3760 -v May.11.14:4
May 11 14:43:34 3760 Failed keyboard-interactive|Invalid user|illegal user|Failed publickey|nonexistent user|Authentication failure|ailed password|ad password attempt|kex_exchange_identification|banner exchange: Connection
May 11 14:43:34 3812 <version> /var/install/packages/apache2
May 11 14:43:34 3824 -a b.root-servers.net. /var/log/messages
May 11 14:43:34 3824 -v May.11.14:4
May 11 14:43:34 3824 Failed keyboard-interactive|Invalid user|illegal user|Failed publickey|nonexistent user|Authentication failure|ailed password|ad password attempt|kex_exchange_identification|banner exchange: Connection
May 11 14:43:34 3876 <version> /var/install/packages/apache2
May 11 14:43:34 3888 -a c.root-servers.net. /var/log/messages
May 11 14:43:34 3888 -v May.11.14:4
May 11 14:43:34 3888 Failed keyboard-interactive|Invalid user|illegal user|Failed publickey|nonexistent user|Authentication failure|ailed password|ad password attempt|kex_exchange_identification|banner exchange: Connection
May 11 14:43:34 3940 <version> /var/install/packages/apache2
May 11 14:43:34 3952 -a d.root-servers.net. /var/log/messages
May 11 14:43:34 3952 -v May.11.14:4
May 11 14:43:34 3952 Failed keyboard-interactive|Invalid user|illegal user|Failed publickey|nonexistent user|Authentication failure|ailed password|ad password attempt|kex_exchange_identification|banner exchange: Connection
May 11 14:43:34 4004 <version> /var/install/packages/apache2
May 11 14:43:34 4016 -a e.root-servers.net. /var/log/messages
May 11 14:43:34 4016 -v May.11.14:4
May 11 14:43:34 4016 Failed keyboard-interactive|Invalid user|illegal user|Failed publickey|nonexistent user|Authentication failure|ailed password|ad password attempt|kex_exchange_identification|banner exchange: Connection
May 11 14:43:34 4068 <version> /var/install/packages/apache2
May 11 14:43:34 4080 -a f.root-servers.net. /var/log/messages
May 11 14:43:34 4080 -v May.11.14:4
May 11 14:43:34 4080 Failed keyboard-interactive|Invalid user|illegal user|Failed publickey|nonexistent user|Authentication failure|ailed password|ad password attempt|kex_exchange_identification|banner exchange: Connection
May 11 14:43:34 4132 <version> /var/install/packages/apache2
May 11 14:43:34 4145 -a g.root-servers.net. /var/log/messages
May 11 14:43:34 4145 -v May.11.14:4
May 11 14:43:34 4145 Failed keyboard-interactive|Invalid user|illegal user|Failed publickey|nonexistent user|Authentication failure|ailed password|ad password attempt|kex_exchange_identification|banner exchange: Connection
May 11 14:43:34 4198 <version> /var/install/packages/apache2
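An added helper (example code, not part of Rolf's post, of Marcus' instructions, or of the brute_force_blocking package) that automates the correlation done by hand above: it extracts the names that grep could not open from the journal lines and lists every /tmp/greplog argument list that carries the same token, so the grep call that received a time-of-day where a file name was expected stands out together with the upstream call that produced that token. The sample lines are constructed from the excerpts above; the greplog field layout assumed here (date, a process number in the fourth field, then the grep arguments) is the one visible in the dump.

```shell
#!/bin/sh
# Added example: correlate the grep wrapper log with journal "No such file" errors.
set -u

# Constructed sample input, copied from the excerpts in the thread.
GREPLOG_SAMPLE='May 11 14:43:33 3224 -a May 11 /var/log/messages
May 11 14:43:33 3224 Received disconnect from 11 13:30:01
May 11 14:43:33 3223 -q Accepted
May 11 14:43:33 3223 -a 11 13:30:01 /var/log/messages
May 11 14:43:33 3242 -a May 11 /var/log/messages
May 11 14:43:33 3223 -a 11 13:45:01 /var/log/messages
May 11 14:43:33 3223 -a 192.168.0.132 /var/log/messages'

JOURNAL_SAMPLE='May 11 14:43:33 eis64-2 initfile[3236]: /usr/bin/in.grep: 13:30:01: No such file or directory
May 11 14:43:33 eis64-2 initfile[3236]: /usr/bin/in.grep: write error: Broken pipe
May 11 14:43:33 eis64-2 initfile[3254]: /usr/bin/in.grep: 13:45:01: No such file or directory'

# missing_names JOURNAL_TEXT: print the "file" names grep could not open, one per line.
missing_names() {
    printf '%s\n' "$1" | sed -n 's/.*in\.grep: \(.*\): No such file or directory$/\1/p'
}

# count_missing JOURNAL_TEXT: how many "No such file or directory" errors (Rolf's "=8").
count_missing() {
    missing_names "$1" | awk 'END { print NR }'
}

# suspect_calls GREPLOG_TEXT JOURNAL_TEXT: for every missing name, print
# "<name>TAB<grep arguments>" for each greplog record (fields 5..NF) that
# contains the name as a separate argument. A time such as 13:30:01 showing
# up as its own argument is exactly what makes grep look for it as a file.
suspect_calls() {
    greplog=$1
    journal=$2
    missing_names "$journal" | while IFS= read -r name; do
        printf '%s\n' "$greplog" | awk -v n="$name" '
            {
                hit = 0
                args = ""
                for (i = 5; i <= NF; i++) {
                    if ($i == n) hit = 1
                    args = args (i > 5 ? " " : "") $i
                }
                if (hit) print n "\t" args
            }'
    done
}

# Stand-alone run on the constructed samples.
printf 'missing-file errors: %s\n' "$(count_missing "$JOURNAL_SAMPLE")"
suspect_calls "$GREPLOG_SAMPLE" "$JOURNAL_SAMPLE"
```

On the live system the same functions can be fed the real files, for example `suspect_calls "$(cat /tmp/greplog)" "$(journalctl -b --no-pager)"`; each reported line shows the full argument list, so the pattern that preceded the stray time token (here `11`) identifies which grep call in brute_force_blocking needs quoting or input validation.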