Jail for MS SQL server work very slow #2592
Comments
See our wiki for more info.
Try something like this:

[Definition]
# matches and cuts out `{"log":"\r2020-01-10 16:18:06.75`:
datepattern = ^\{"log":"\\r%%Y-%%m-%%d %%H:%%M:%%S\.%%f+\s+
# matches `Logon Login failed for user 'sa'. ... [CLIENT: 192.0.2.1] ...`:
failregex = ^Logon\s+Login failed for user '<F-USER>[^']*</F-USER>'. [^\[]+ \[CLIENT: <ADDR>\]

This filter is at least 10-20 times faster.
Also it is interesting how the fail2ban.log does look, e. g. how messages
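To check the suggested filter against docker json-file log lines without a running fail2ban, here is an added example (not from this thread or the fail2ban project) that rewrites the datepattern and failregex above as plain Python regexes: the doubled strftime tokens become digit groups and the `<ADDR>`/`<F-USER>` tags become named groups, and a sliding-window count mirrors what a jail does with maxretry/findtime. The log lines are constructed sample data, and maxretry=5/findtime=10m are fail2ban's defaults, assumed here since the thread does not show the jail settings.

```python
import re
from datetime import datetime, timedelta

# datepattern from the suggestion, with the doubled strftime tokens (%%Y ...)
# rewritten as regex groups; it consumes the docker json-file prefix and the
# timestamp, which fail2ban strips before applying the failregex.
DATE_RE = re.compile(r'^\{"log":"\\r(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+')

# failregex from the suggestion, with <F-USER>...</F-USER> and <ADDR> expanded
# to named groups (IPv4 only here; fail2ban's <ADDR> is broader).
FAIL_RE = re.compile(r"^Logon\s+Login failed for user '(?P<user>[^']*)'\. [^\[]+ "
                     r"\[CLIENT: (?P<addr>\d{1,3}(?:\.\d{1,3}){3})\]")

def parse_line(line):
    """Return (timestamp, user, addr) for a failed-login line, else None."""
    d = DATE_RE.match(line)
    f = FAIL_RE.match(line[d.end():]) if d else None
    if not f:
        return None
    ts = datetime.strptime(d.group("ts"), "%Y-%m-%d %H:%M:%S.%f")
    return ts, f.group("user"), f.group("addr")

def addresses_to_ban(lines, maxretry=5, findtime=timedelta(minutes=10)):
    """Sliding-window count per address, like a jail's maxretry/findtime
    (fail2ban defaults assumed); returns addresses reaching maxretry."""
    recent, banned = {}, set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # not a failure: the filter ignores the line
        ts, _user, addr = parsed
        window = [t for t in recent.get(addr, []) if ts - t <= findtime]
        window.append(ts)
        recent[addr] = window
        if len(window) >= maxretry:
            banned.add(addr)
    return banned

def docker_line(ts, msg):
    """Constructed docker json-file log line (sample data, not a real log)."""
    return '{"log":"\\r%s %s\\n","stream":"stdout","time":"%sZ"}' % (ts, msg, ts.replace(" ", "T"))

FAIL_MSG = ("Logon       Login failed for user '%s'. Reason: Password did not "
            "match that for the login provided. [CLIENT: %s]")
SAMPLE_LOG = [docker_line("2020-01-10 16:18:%02d.75" % s, FAIL_MSG % ("sa", "192.0.2.1"))
              for s in range(6, 11)]                      # 5 failures in 4 s
SAMPLE_LOG.append(docker_line("2020-01-10 16:18:12.00", FAIL_MSG % ("admin", "198.51.100.7")))
SAMPLE_LOG.append(docker_line("2020-01-10 16:18:13.00",
                              "spid12s     SQL Server is now ready for client connections."))
```

A line that the filter should catch but `parse_line` returns None for is the first thing to look at when a jail bans far less than the log suggests; the real tool for the same check is `fail2ban-regex`.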
Thank you!
In iptables there is a rule:
And at the same time I see in the MS SQL log:
OK, your banning action (
Again thank you for your help.
Hmm, looks not bad, but I don't know how PREROUTING or other routing decisions are organized on your system, so which precedence is used for the packets to the sql-server:
See https://stackoverflow.com/questions/12945233/iptables-forward-and-input for a similar question.
Here is what I have. If I understand right, the DOCKER chain goes first, which allows connections to port 1433 (MS SQL), and this goes before the reject from fail2ban?
One doesn't see the interface (NIC) in the rules, but DOCKER looks a bit strange (if both rules affect the same device): RETURN will bypass the second rule (DNAT) in this case. If we can be sure the jail is monitoring only one instance of docker with sql-server (the listener of sql-server is accessible in a single docker only), I would try to use either the DOCKER-USER or FORWARD chain instead of INPUT:

[mssql-auth]
# banaction = %(known/banaction)s[chain='DOCKER-USER']
banaction = %(known/banaction_allports)s[chain='DOCKER-USER']

But it would be better to "repair" the routing (or insert some special fail2ban chain affecting both interfaces at the same time). Also note #2511, which provides some piece of documentation. I don't use docker on a host directly connected to the internet (only outside of the internet, behind the intranet), so I can only marginally help you here. Additionally:
The TRACE target marks packets so that the kernel will log every rule which match the packets as those traverse the tables, chains, rules.
Anyway it looks like a 3rd party issue, thus closed.
Environment:
The issue:
I have an MS SQL server running in docker and somebody attempts to log in to it several times per second.
Example of log:
I wrote a custom jail but it works very slowly. In one day it detected ~200 failed logins, and did only 3 bans. But when I look at the log I see 3 or more connect attempts from the same IP in 1 minute.
Is this a problem in my poor regex or in other settings?
My Jail