Posts by ggvienna

    While updating one of our servers the following error occurred; on all the others it worked without problems. The difference is that SpamAssassin runs on this server.


    [ERROR] main::setupRebuildCustomerFiles:
    Error while rebuilding customers files: [WARN] iMSCP::Debug::__ANON__: "my" variable $rs masks earlier declaration in same scope at /var/www/imscp/gui/plugins/SpamAssassin/backend/SpamAssassin.pm line 1226, <$fh> line 340.


    iMSCP::Debug::__ANON__: "my" variable $rs masks earlier declaration in same scope at /var/www/imscp/gui/plugins/SpamAssassin/backend/SpamAssassin.pm line 1312, <$fh> line 340.


    iMSCP::Debug::__ANON__: "my" variable $rs masks earlier declaration in same scope at /var/www/imscp/gui/plugins/SpamAssassin/backend/SpamAssassin.pm line 1315, <$fh> line 340.


    iMSCP::Config::FETCH: Accessing non existing config value WEBMAIL_PATH from the /etc/imscp/imscp.conf file (see file /var/www/imscp/gui/plugins/SpamAssassin/backend/SpamAssassin.pm at line 936)
    iMSCP::Debug::__ANON__: Use of uninitialized value in concatenation (.) or string at /var/www/imscp/gui/plugins/SpamAssassin/backend/SpamAssassin.pm line 936.


    [ERROR] main::_process: Error while processing 1, SpamAssassin, tochange.
    main::_process: See /var/log/imscp/Plugin_module_SpamAssassin.log for more details.
    iMSCP::File::get: Unable to open /var/www/imscp/gui/public/toolsconfig/main.inc.php: No such file or directory
    Plugin::SpamAssassin::_setRoundcubePlugin: Unable to read /var/www/imscp/gui/public/toolsconfig/main.inc.php


    autoinstaller::Functions::install: An error occurred while performing installation steps

    For anyone not familiar with the resolvconf program:


    Enter the new nameservers in the file /etc/resolvconf/resolv.conf.d/head


    e.g.:
    nameserver 111.111.111.111
    nameserver 222.222.222.222
    .........


    WARNING: there has to be a new line (Enter key) after the last entry, otherwise localhost ends up on the same line as the last nameserver!!!


    Then run resolvconf -u to read in the new nameservers.


    The new nameservers should now be listed in the file /etc/resolvconf/run/resolv.conf and should no longer be overwritten when the system restarts.

    I noticed something else:


    In the auth.log there is always an entry as anonymous first and only then as the user; could it be that it interprets the anonymous entries as an attack???


    Here is the auth.log (111.111.111.111 = server IP, 222.222.222.222 = client IP, user@domain.tld = FTP user):


    Jan 8 19:09:28 www proftpd[14568]: 111.111.111.111 (222.222.222.222[222.222.222.222]) - USER anonymous: no such user found from 222.222.222.222 [222.222.222.222] to ::ffff:111.111.111.111


    Jan 8 19:09:46 www proftpd[14570]: 111.111.111.111 (222.222.222.222[222.222.222.222]) - USER user@domain.tld: Login successful.


    Jan 8 19:13:12 www proftpd[14574]: 111.111.111.111 (188.118.240.75[222.222.222.222]) - USER anonymous: no such user found from 222.222.222.222 [222.222.222.222] to ::ffff:111.111.111.111


    Jan 8 19:13:12 www proftpd[14576]: 111.111.111.111(222.222.222.222[222.222.222.222]) - USER user@domain.tld: Login successful.


    Jan 8 19:13:16 www proftpd[14578]: 111.111.111.111 (222.222.222.222[222.222.222.222]) - USER anonymous: no such user found from 222.222.222.222 [222.222.222.222] to ::ffff:111.111.111.111


    Jan 8 19:13:16 www proftpd[14580]: 111.111.111.111 (222.222.222.222[222.222.222.222]) - USER user@domain.tld: Login successful.


    Jan 8 19:25:38 www proftpd[14587]: 111.111.111.111 (222.222.222.222[222.222.222.222]) - USER anonymous: no such user found from 222.222.222.222 [222.222.222.222] to ::ffff:111.111.111.111


    Jan 8 19:25:38 www proftpd[14589]: 111.111.111.111 (222.222.222.222[222.222.222.222]) - USER user@domain.tld: Login successful.


    Jan 8 19:25:44 www proftpd[14591]: 111.111.111.111 (222.222.222.222[222.222.222.222]) - USER anonymous: no such user found from 222.222.222.222 [222.222.222.222] to ::ffff:111.111.111.111


    Jan 8 19:25:44 www proftpd[14593]: 111.111.111.111 (222.222.222.222[222.222.222.222]) - USER user@domain.tld: Login successful.


    Jan 8 19:25:46 www proftpd[14595]: 111.111.111.111 (222.222.222.222[222.222.222.222]) - USER anonymous: no such user found from 222.222.222.222[222.222.222.222] to ::ffff:111.111.111.111


    Jan 8 19:25:47 www proftpd[14597]: 111.111.111.111 (222.222.222.222[222.222.222.222]) - USER user@domain.tld: Login successful.

    Apparently fail2ban checks the auth log for entries and not for errors, i.e. how often the IP occurs.


    When I connect with an FTP client, a new connection is opened every time I change directory, for example, and an entry is written to the auth.log.


    After 6 entries fail2ban closes the door and blocks the IP.

    Here is the proftpd.conf from filter.d


    # Fail2Ban configuration file
    #
    # Author: Yaroslav Halchenko
    #
    # $Revision$
    #


    [Definition]


    # Option: failregex
    # Notes.: regex to match the password failures messages in the logfile. The
    # host must be matched by a group named "host". The tag "<HOST>" can
    # be used for standard IP/hostname matching and is only an alias for
    # (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
    # Values: TEXT
    #
    failregex = \(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found from \S+ \[\S+\] to \S+:\S+ *$
                \(\S+\[<HOST>\]\)[: -]+ USER \S+ \(Login failed\): .*$
                \(\S+\[<HOST>\]\)[: -]+ SECURITY VIOLATION: \S+ login attempted\. *$
                \(\S+\[<HOST>\]\)[: -]+ Maximum login attempts \(\d+\) exceeded *$


    # Option: ignoreregex
    # Notes.: regex to ignore. If this regex matches, the line is ignored.
    # Values: TEXT
    #
    ignoreregex =
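    To see why the successful logins do not matter but the "USER anonymous" lines do, here is an added Python script that replays a log through the proftpd filter posted above and the [proftpd] jail settings from the jail.conf (maxretry = 6, findtime = 86400). It is an illustration written for this thread, not the forum poster's code and not fail2ban's own Filter or Jail classes. The four failregex patterns are copied from the posted filter and <HOST> is expanded to the alias named in that file's comment; the sample log is constructed after the auth.log excerpt in the earlier post (timestamps from the post, PIDs made up), and the year is an arbitrary assumption because syslog lines carry none.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Added example, not fail2ban's own code: a minimal model of how the proftpd
# filter and jail posted in this thread count log lines. The four failregex
# patterns are copied from the posted filter; <HOST> is replaced by the alias
# documented in that file's comment.
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"
FAILREGEX = [
    r"\(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found from \S+ \[\S+\] to \S+:\S+ *$",
    r"\(\S+\[<HOST>\]\)[: -]+ USER \S+ \(Login failed\): .*$",
    r"\(\S+\[<HOST>\]\)[: -]+ SECURITY VIOLATION: \S+ login attempted\. *$",
    r"\(\S+\[<HOST>\]\)[: -]+ Maximum login attempts \(\d+\) exceeded *$",
]
COMPILED = [re.compile(rx.replace("<HOST>", HOST_TAG)) for rx in FAILREGEX]

# syslog timestamps carry no year and fail2ban assumes the current one; 2013 is
# an arbitrary assumption here so that the replay is deterministic.
ASSUMED_YEAR = 2013
SYSLOG_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)\s+(?P<rest>.*)$")


def split_syslog(line):
    """Split a syslog line into (datetime, remainder); fail2ban strips the
    date before it applies failregex to the rest of the line."""
    m = SYSLOG_RE.match(line)
    if m is None:
        raise ValueError(f"not a syslog line: {line!r}")
    stamp = " ".join(m["ts"].split())
    return datetime.strptime(f"{ASSUMED_YEAR} {stamp}", "%Y %b %d %H:%M:%S"), m["rest"]


def match_failure(line):
    """Return the <host> captured by the first matching failregex, or None."""
    _, rest = split_syslog(line)
    for rx in COMPILED:
        m = rx.search(rest)
        if m:
            return m.group("host")
    return None


def count_failures(lines):
    """Total failregex hits per host, ignoring time (what the post calls
    'how often the IP occurs')."""
    counts = defaultdict(int)
    for line in lines:
        host = match_failure(line)
        if host is not None:
            counts[host] += 1
    return dict(counts)


def simulate_jail(lines, maxretry=6, findtime=86400):
    """Replay lines through a simplified jail: keep each host's hits inside a
    sliding findtime window and record the timestamp at which the host
    reaches maxretry hits. Returns {host: ban_time}."""
    window = defaultdict(list)
    bans = {}
    span = timedelta(seconds=findtime)
    for line in lines:
        ts, _ = split_syslog(line)
        host = match_failure(line)
        if host is None or host in bans:
            continue
        window[host] = [t for t in window[host] if ts - t <= span] + [ts]
        if len(window[host]) >= maxretry:
            bans[host] = ts
    return bans


def build_sample_log():
    """Constructed log modelled on the auth.log excerpt in the post: every FTP
    client connection first tries USER anonymous (rejected) and then logs in
    successfully as the real user. Timestamps follow the post; PIDs are made up."""
    times = ["19:09:28", "19:13:12", "19:13:16", "19:25:38", "19:25:44", "19:25:46"]
    lines = []
    for i, t in enumerate(times):
        pid = 14568 + 2 * i
        lines.append(
            f"Jan 8 {t} www proftpd[{pid}]: 111.111.111.111 (222.222.222.222[222.222.222.222])"
            " - USER anonymous: no such user found from 222.222.222.222 [222.222.222.222]"
            " to ::ffff:111.111.111.111"
        )
        lines.append(
            f"Jan 8 {t} www proftpd[{pid + 1}]: 111.111.111.111 (222.222.222.222[222.222.222.222])"
            " - USER user@domain.tld: Login successful."
        )
    return lines


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    print("failregex hits per host:", count_failures(SAMPLE_LOG))
    for cfg in ({"maxretry": 6, "findtime": 86400}, {"maxretry": 6, "findtime": 60}):
        print(cfg, "->", simulate_jail(SAMPLE_LOG, **cfg) or "no ban")
```

    Only the first failregex line fires, and it fires on every "USER anonymous: no such user found" entry; the "Login successful" entries match none of the patterns. With the posted jail values the client IP reaches six hits on the sixth connection and would be banned at 19:25:46 even though each real login succeeded, which is exactly the behaviour described in the posts. Shrinking findtime to 60 seconds in the replay produces no ban, which shows that the ban depends on how many rejected anonymous attempts fall inside the window, not on any failed login by the real account.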

    Here is the jail.conf


    # Fail2Ban configuration file.
    #
    # This file was composed for Debian systems from the original one
    # provided now under /usr/share/doc/fail2ban/examples/jail.conf
    # for additional examples.
    #
    # To avoid merges during upgrades DO NOT MODIFY THIS FILE
    # and rather provide your changes in /etc/fail2ban/jail.local
    #
    # Author: Yaroslav O. Halchenko <debian@onerussian.com>
    #
    # $Revision: 281 $
    #


    # The DEFAULT allows a global definition of the options. They can be override
    # in each jail afterwards.


    [DEFAULT]


    # "ignoreip" can be an IP address, a CIDR mask or a DNS host
    ignoreip = 127.0.0.1
    findtime = 86400
    bantime = 1800
    maxretry = 3


    # "backend" specifies the backend used to get files modification. Available
    # options are "gamin", "polling" and "auto".
    # yoh: For some reason Debian shipped python-gamin didn't work as expected
    # This issue left ToDo, so polling is default backend for now
    backend = polling


    #
    # Destination email address used solely for the interpolations in
    # jail.{conf,local} configuration files.
    destemail = office@wolz.at


    #
    # ACTIONS
    #


    # Default banning action (e.g. iptables, iptables-new,
    # iptables-multiport, shorewall, etc) It is used to define
    # action_* variables. Can be overriden globally or per
    # section within jail.local file
    banaction = iptables-multiport


    # email action. Since 0.8.1 upstream fail2ban uses sendmail
    # MTA for the mailing. Change mta configuration parameter to mail
    # if you want to revert to conventional 'mail'.
    mta = sendmail


    # Default protocol
    protocol = tcp


    #
    # Action shortcuts. To be used to define action parameter


    # The simplest action to take: ban only
    action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s"]


    # ban & send an e-mail with whois report to the destemail.
    action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s"]
                %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s"]


    # ban & send an e-mail with whois report and relevant log lines
    # to the destemail.
    action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s"]
                 %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s]


    # Choose default action. To change, just override value of 'action' with the
    # interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local
    # globally (section [DEFAULT]) or per specific section
    action = %(action_)s


    #
    # JAILS
    #


    # Next jails corresponds to the standard configuration in Fail2ban 0.6 which
    # was shipped in Debian. Enable any defined here jail by including
    #
    # [SECTION_NAME]
    # enabled = true


    #
    # in /etc/fail2ban/jail.local.
    #
    # Optionally you may override any other parameter (e.g. banaction,
    # action, port, logpath, etc) in that section within jail.local


    [ssh]


    enabled = true
    port = ssh
    filter = sshd
    logpath = /var/log/auth.log
    maxretry = 4


    # Generic filter for pam. Has to be used with action which bans all ports
    # such as iptables-allports, shorewall
    [pam-generic]


    enabled = false
    # pam-generic filter can be customized to monitor specific subset of 'tty's
    filter = pam-generic
    # port actually must be irrelevant but lets leave it all for some possible uses
    port = all
    banaction = iptables-allports
    port = anyport
    logpath = /var/log/auth.log
    maxretry = 6


    [xinetd-fail]


    enabled = false
    filter = xinetd-fail
    port = all
    banaction = iptables-multiport-log
    logpath = /var/log/daemon.log
    maxretry = 2


    [ssh-ddos]


    enabled = true
    port = ssh
    filter = sshd-ddos
    logpath = /var/log/auth.log
    maxretry = 6


    #
    # HTTP servers
    #


    [apache]


    enabled = false
    port = http,https
    filter = apache-auth
    logpath = /var/log/apache*/*error.log
    maxretry = 6


    # default action is now multiport, so apache-multiport jail was left
    # for compatibility with previous (<0.7.6-2) releases
    [apache-multiport]


    enabled = true
    port = http,https
    filter = apache-auth
    logpath = /var/log/apache*/*error.log
    maxretry = 6


    [apache-noscript]


    enabled = false
    port = http,https
    filter = apache-noscript
    logpath = /var/log/apache*/*error.log
    maxretry = 6


    [apache-overflows]


    enabled = false
    port = http,https
    filter = apache-overflows
    logpath = /var/log/apache*/*error.log
    maxretry = 2


    #
    # FTP servers
    #


    [vsftpd]


    enabled = false
    port = ftp,ftp-data,ftps,ftps-data
    filter = vsftpd
    logpath = /var/log/vsftpd.log
    # or overwrite it in jails.local to be
    # logpath = /var/log/auth.log
    # if you want to rely on PAM failed login attempts
    # vsftpd's failregex should match both of those formats
    maxretry = 6



    [proftpd]


    enabled = true
    port = ftp,ftp-data,ftps,ftps-data
    filter = proftpd
    logpath = /var/log/auth.log
    maxretry = 6



    [wuftpd]


    enabled = false
    port = ftp,ftp-data,ftps,ftps-data
    filter = wuftpd
    logpath = /var/log/auth.log
    maxretry = 6



    #
    # Mail servers
    #


    [postfix]


    enabled = true
    port = smtp,ssmtp
    filter = postfix
    logpath = /var/log/mail.log



    [couriersmtp]


    enabled = false
    port = smtp,ssmtp
    filter = couriersmtp
    logpath = /var/log/mail.log



    #
    # Mail servers authenticators: might be used for smtp,ftp,imap servers, so
    # all relevant ports get banned
    #


    [courierauth]


    enabled = false
    port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
    filter = courierlogin
    logpath = /var/log/mail.log



    [sasl]


    enabled = true
    port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
    filter = sasl
    # You might consider monitoring /var/log/warn.log instead
    # if you are running postfix. See http://bugs.debian.org/507990
    logpath = /var/log/mail.log



    # DNS Servers



    # These jails block attacks against named (bind9). By default, logging is off
    # with bind9 installation. You will need something like this:
    #
    # logging {
    # channel security_file {
    # file "/var/log/named/security.log" versions 3 size 30m;
    # severity dynamic;
    # print-time yes;
    # };
    # category security {
    # security_file;
    # };
    # };
    #
    # in your named.conf to provide proper logging


    # !!! WARNING !!!
    # Since UDP is connectionless protocol, spoofing of IP and immitation
    # of illegal actions is way too simple. Thus enabling of this filter
    # might provide an easy way for implementing a DoS against a chosen
    # victim. See
    # http://nion.modprobe.de/blog/a…-fail2ban-+-dns-fail.html
    # Please DO NOT USE this jail unless you know what you are doing.
    #[named-refused-udp]
    #
    #enabled = false
    #port = domain,953
    #protocol = udp
    #filter = named-refused
    #logpath = /var/log/named/security.log


    [named-refused-tcp]


    enabled = false
    port = domain,953
    protocol = tcp
    filter = named-refused
    logpath = /var/log/named/security.log