| [Mew2] | hey anyone here? | 00:19 |
|---|---|---|
| joeb3_ | [Mew2], just ask. someone will answer. | 00:22 |
| [Mew2] | Hey | 00:23 |
| [Mew2] | I setup fail2ban and it's not blocking ip's | 00:24 |
| [Mew2] | Ssh failed logins specifically is what I'm testing | 00:24 |
| [Mew2] | [ssh] = true in the config | 00:26 |
| * [Mew2] whistles | 00:45 | |
| joeb3_ | [Mew2], https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-fail2ban-on-ubuntu-14-04 | 00:52 |
| joeb3_ | I'm checking that. | 00:52 |
| [Mew2] | joeb3_ thats the guide i followed, minus the email server parts | 00:54 |
| joeb3_ | [Mew2], did you try to connect 6 times? 18 passwords? | 00:58 |
| joeb3_ | [Mew2], also look at /var/log/fail2ban.log. It should show ssh is enabled, the max retry, and bantime. | 01:01 |
| [Mew2] | i connected 10 times | 01:01 |
| [Mew2] | can i pastebin this log and my config? | 01:02 |
| joeb3_ | yes | 01:03 |
| joeb3_ | [Mew2], http://imagebin.ca/v/2S86T61xuo2K | 01:06 |
| [Mew2] | ok so | 01:08 |
| [Mew2] | you were able to make a ban | 01:08 |
| [Mew2] | using my config? or a diff one | 01:08 |
| joeb3_ | [Mew2], that was a default install | 01:09 |
| [Mew2] | hmm | 01:09 |
| joeb3_ | are you connecting from a different machine? | 01:09 |
| [Mew2] | yes | 01:09 |
| [Mew2] | on which connection did it ban u? | 01:09 |
| [Mew2] | 7th? | 01:09 |
| joeb3_ | Yes. I typed the wrong password 18 times. | 01:09 |
| [Mew2] | using putty i hit a wrong username and it disconnects me | 01:10 |
| [Mew2] | i do this 10 times | 01:10 |
| [Mew2] | and it keeps going, never a ban | 01:10 |
| joeb3_ | Try a valid username, wrong password. | 01:10 |
| [Mew2] | i dont have a password | 01:10 |
| [Mew2] | using key auth | 01:10 |
| [Mew2] | i tried this with and without the key, never a ban | 01:12 |
| JanC | there also is a time limit | 01:13 |
| [Mew2] | i did it within about 2 minutes | 01:14 |
| [Mew2] | hmm | 01:15 |
| joeb3_ | [Mew2], what does iptables -S show? | 01:19 |
| [Mew2] | let me pastebin it, sec | 01:20 |
| joeb3_ | Let me try with ufw | 01:28 |
| [Mew2] | k | 01:29 |
| joeb3_ | Still works with ufw. | 01:31 |
| [Mew2] | ok | 01:31 |
| [Mew2] | maybe im not testing this properly? | 01:31 |
| joeb3_ | do you see the "authentication failed" messages in /var/log/auth.log? | 01:32 |
| joeb3_ | it should show the ip address that is connecting. | 01:32 |
| [Mew2] | no there is no failed authentication message | 01:33 |
| joeb3_ | ok, that's where fail2ban looks. | 01:33 |
| joeb3_ | so now you have to figure out where your ssh is logging. | 01:33 |
| TJ- | possibly changeled SyslogFacility or LogLevel in /etc/ssh/sshd_config | 01:34 |
| joeb3_ | or grep "Failed password" /var/log/* | 01:35 |
| [Mew2] | ok now i cant ssh | 01:36 |
| [Mew2] | i think it worked | 01:36 |
| [Mew2] | how long is the initial ban? | 01:37 |
| joeb3_ | ten minutes | 01:37 |
| [Mew2] | ok | 01:37 |
| [Mew2] | i think it worked, ill check in 10 minutes, | 01:37 |
| joeb3_ | [Mew2], did you find the problem | 01:37 |
| [Mew2] | i dont know | 01:37 |
| [Mew2] | i tried to ssh in as many times as i could as fast as i could | 01:38 |
| [Mew2] | and something must have triggered it | 01:38 |
| [Mew2] | /var/log/fail2ban.log | 01:38 |
| [Mew2] | this is where i can verify if it worked? | 01:38 |
| joeb3_ | yes | 01:40 |
| [Mew2] | ok ill check that in a few minutes | 01:41 |
| [Mew2] | thank you so much joeb3_ TJ- and JanC :) | 01:41 |
| [Mew2] | fail2ban.actions: WARNING [ssh] Ban | 01:45 |
| [Mew2] | fail2ban.actions: WARNING [ssh] Unban | 01:45 |
| [Mew2] | :-d | 01:45 |
| [Mew2] | i am so sorry | 01:45 |
| [Mew2] | i dont know what i was doing wrong | 01:45 |
| [Mew2] | i guess i wasnt testing it correctly | 01:45 |
| [Mew2] | do you guys know if i can use this for other ports then just ssh? | 01:48 |
| joeb3_ | yes, look at the samples in the config file. | 01:49 |
| [Mew2] | so to confirm am i doing this on jail.conf or jail.local | 01:49 |
| joeb3_ | jail.conf | 01:50 |
| [Mew2] | thank you :) | 01:51 |
| === Monthrect is now known as Piper-Off | ||
| === Lcawte|Away is now known as Lcawte | ||
| lordievader | Good morning. | 10:06 |
| jelly | [Mew2]: ideally you'd put customizations in jail.local so the default config files are managed transparently on package upgrades | 13:24 |
| === Piper-Off is now known as Monthrect | ||
| wrksx | hello there | 15:25 |
| wrksx | Is ubuntu server a special distrib? | 15:26 |
| wrksx | I'm on "Ubuntu 14.04.3 LTS (GNU/Linux 3.13.0-73-generic x86_64)" it's not server, is it? | 15:27 |
| sisve | wrksx: "Ubuntu has a server edition that uses the same APT repositories as the Ubuntu Desktop Edition. The differences between them are the absence of an X Window environment in a default installation of the server edition [...]" - https://en.wikipedia.org/wiki/Ubuntu_(operating_system)#Ubuntu_Server | 15:29 |
| Sling | yeah apart from the installation procedure and cd/dvd contents there isn't really a difference anymore these days | 15:29 |
| Sling | in the past there were server optimized kernels etc | 15:29 |
| wrksx | okay. How can I know if I'm on server version or not? I didn't installed the system myself | 15:30 |
| Sling | there is no server version | 15:30 |
| sisve | For what purpose are you asking? | 15:30 |
| Sling | you just have ubuntu | 15:30 |
| Sling | what packages you install define whether it's suitable for desktop or server use | 15:31 |
| Sling | (or both) | 15:31 |
| wrksx | sisve, because I want to know what is "ubuntu server" and if i'm using it or not. But it looks like "ubuntu server" is a virtual distrib, isn't it? | 15:31 |
| Sling | wrksx: we've said what the differences are, read up | 15:31 |
| sisve | It's just the name of a template of installed packages. | 15:32 |
| Sling | it's not a separate distribution | 15:32 |
| wrksx | okay I get it thanks | 15:32 |
| sisve | I've got virtual machines that are connected to a datacenter-wide public (but internal to the datacenter) network. I'm trying to limit access to my machines on this internal network to my trusted machines. I often create new machines and would prefer to avoid the hazzle of updating iptables rules every time I add another machine. What's the correct way to solve this? | 15:35 |
| simosx | wrksx, you can verify if it is not Ubuntu Desktop, by the absense of packages. For example, with "apt-cache policy unity" you can check whether Unity is installed. If it is not, then it's not Ubuntu Desktop. | 15:36 |
| Sling | sisve: configuration management like puppet could help there | 15:36 |
| Sling | or ansible, chef, etc. | 15:36 |
| wrksx | simosx, I guess it's not desktop since it's a cmd line only install | 15:36 |
| sisve | I'm looked into ipsec, but it looks like I need to configure for every single connection (5 machines => 5*4=20 connection). This mail got me all warm inside, but it seems outdated by now. https://lwn.net/Articles/184670/ | 15:36 |
| teward | Sling: not sure that's the question they're asking, since they want to avoid having to do that to update their trusted machnes' iptables | 15:36 |
| simosx | wrksx, well, it's possible to configure Ubuntu Desktop to only start the cmd line. | 15:37 |
| sisve | teward: Well, perhaps it's just me being totally off in my approach to. But updating iptables means that I would need to touch _all_ machines everytime I add one more machine. | 15:38 |
| Sling | sisve: with centralized configuration management you could avoid this | 15:38 |
| Sling | it's quite simple to use puppet only for iptables and leave the rest of the system as-is | 15:38 |
| teward | ahh, OK, sisve | 15:38 |
| Sling | set up one of your systems as puppet master | 15:38 |
| teward | then puppet or chef or such are where you want to go :P | 15:38 |
| wrksx | simosx, "unity: | 15:39 |
| wrksx | Installed: (none)" =) | 15:39 |
| teward | (though, having individual separate subnets, one for 'trusted' one for 'not trusted' is likely a better way to go) | 15:39 |
| teward | wrksx: simosx: there's another way to determine | 15:39 |
| Sling | yeah the other approach would be overlaying your own network with one or more router-vm's | 15:39 |
| teward | wrksx: `apt-cache policy ubuntu-desktop` | 15:39 |
| Sling | or rather, getting your own vlan on this network | 15:39 |
| wrksx | Installed: (none) | 15:39 |
| teward | check for the metapackage, if `ubuntu-desktop` exists then it was installed with the Desktop ISO and has the entire default Desktop suite of applications, however the ultimate point is that Desktop and Server aren't truly specialized on their own | 15:40 |
| wrksx | nice channel guys, keep up the good work | 15:40 |
| wrksx | bbye | 15:40 |
| teward | Sling: that might be the more sensible long term approach for them, because they then don't have to handle firewalling each machine individually | 15:40 |
| teward | which, affecting each system, is a headache in the long term and isn't really scalable | 15:40 |
| sisve | teward: My virtual hosting solution does not allow me per-customer networking; all machines are connected to the internet and optionally a "private network", but it is only private as in "datacenter-wide". All customers are on the same private network. | 15:40 |
| teward | sisve: then your remaining option is Chef / Puppet | 15:41 |
| teward | as Sling suggested | 15:41 |
| Sling | sisve: give https://forge.puppetlabs.com/puppetlabs/firewall a read | 15:41 |
| Sling | and test test test before you roll it out in production | 15:41 |
| Sling | nothing worse than making all your servers unavailable because of a puppet firewall messup :) | 15:42 |
| sisve | teward, Sling: Sorry, got pinned down by the concept of "reality". I'll read up on Puppet and that guide now. | 15:57 |
| teward | Sling: serial consoles are for that reason :P | 17:00 |
| RoyK | teward: or network consoles? | 17:02 |
| teward | that too :P | 17:03 |
| RoyK | teward: a wee bit simpler since most things are networked these days, and it should track mostly everything except nic driver failures | 17:06 |
| teward | indeed. | 17:09 |
| teward | *sigh* guess it's time to test NGINX 1.9.9 on Xenial before i upload... VMs are annoying >.> | 17:09 |
| patdk-lap | http://unix.rulez.org/~calver/pictures/vippy.png | 17:14 |
| RoyK | [A | 17:24 |
| === Lcawte is now known as Lcawte|Away | ||
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!
