Fail2Ban Configuration


dclardy
8th September 2009, 18:25
I am receiving an error message from my fail2ban configuration, and I am wondering if anyone can help me with this.

2009-09-07 20:32:03,707 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.3
2009-09-07 20:32:03,717 fail2ban.jail : INFO Creating new jail 'courierpop3'
2009-09-07 20:32:03,717 fail2ban.jail : INFO Jail 'courierpop3' uses poller
2009-09-07 20:32:03,782 fail2ban.filter : INFO Added logfile = /var/log/mail.log
2009-09-07 20:32:03,783 fail2ban.filter : INFO Set maxRetry = 5
2009-09-07 20:32:03,784 fail2ban.comm : WARNING Invalid command: ['set', 'courierpop3', 'failregex', 'courierpop3login: LOGIN FAILED.*ip=\\[.*:\\]']

I copied exactly the information from falko's tutorial. It can be found here.

http://www.howtoforge.com/fail2ban_debian_etch

I am running on Debian Lenny. Thanks.

falko
9th September 2009, 16:37
What's in /etc/fail2ban/jail.local?

dclardy
9th September 2009, 17:42
Here is what I have in the file. It is exactly what you posted in your configuration.

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1 192.168.1.100
bantime = 600
maxretry = 3

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto".
# yoh: For some reason Debian shipped python-gamin didn't work as expected
# This issue left ToDo, so polling is default backend for now
backend = polling

#
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = root@localhost

# Default action to take: ban only
action = iptables[name=%(__name__)s, port=%(port)s]


[ssh]

enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 5


[apache]

enabled = true
port = http
filter = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 5


[apache-noscript]

enabled = false
port = http
filter = apache-noscript
logpath = /var/log/apache*/*error.log
maxretry = 5


[vsftpd]

enabled = false
port = ftp
filter = vsftpd
logpath = /var/log/auth.log
maxretry = 5


[proftpd]

enabled = true
port = ftp
filter = proftpd
logpath = /var/log/auth.log
failregex = proftpd: \(pam_unix\) authentication failure; .* rhost=<HOST>
maxretry = 5


[wuftpd]
enabled = false
port = ftp
filter = wuftpd
logpath = /var/log/auth.log
maxretry = 5


[postfix]

enabled = false
port = smtp
filter = postfix
logpath = /var/log/mail.log
maxretry = 5


[courierpop3]

enabled = true
port = pop3
filter = courierlogin
failregex = courierpop3login: LOGIN FAILED.*ip=\[.*:<HOST>\]
logpath = /var/log/mail.log
maxretry = 5


[courierimap]

enabled = true
port = imap2
filter = courierlogin
failregex = imapd: LOGIN FAILED.*ip=\[.*:<HOST>\]
logpath = /var/log/mail.log
maxretry = 5


[sasl]

enabled = true
port = smtp
filter = sasl
failregex = warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed
logpath = /var/log/mail.log
maxretry = 5
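
The WARNING in the first post shows the server rejecting the `set courierpop3 failregex` command itself, so the pattern never reached the filter; what a practitioner can still verify independently is that each posted failregex extracts a host from real mail.log lines. fail2ban ships `fail2ban-regex <logfile> <regex>` for that test. The script below is an added example, not code from the thread or from fail2ban: it reproduces the `<HOST>` expansion that fail2ban 0.8 applies (the exact group form is an assumption), runs the three failregex values from the jail.local above over constructed log lines, honours the posted `ignoreip` and `maxretry` values, and reports which hosts would reach the ban threshold. `findtime` is not modelled, and the sample lines and addresses are constructed.

```python
import ipaddress
import re
from collections import Counter

# fail2ban expands the <HOST> tag to this group before compiling a failregex.
# This is the expansion fail2ban 0.8 uses (assumption about the exact form),
# reproduced here so the check runs without fail2ban installed.
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>\S+)"

# failregex values copied verbatim from the jail.local posted above.
FAILREGEX = {
    "courierpop3": r"courierpop3login: LOGIN FAILED.*ip=\[.*:<HOST>\]",
    "courierimap": r"imapd: LOGIN FAILED.*ip=\[.*:<HOST>\]",
    "sasl": (r"warning: [-._\w]+\[<HOST>\]: SASL "
             r"(?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed"),
}

# ignoreip and maxretry values from the posted [DEFAULT] and jail sections.
IGNOREIP = [ipaddress.ip_network(e) for e in "127.0.0.1 192.168.1.100".split()]
MAXRETRY = 5

# Constructed /var/log/mail.log lines (not taken from the thread). Addresses
# are RFC 5737 documentation ranges plus the ignoreip host from the config.
SAMPLE_LOG = """\
Sep  7 20:31:01 server courierpop3login: LOGIN FAILED, user=alice, ip=[::ffff:192.0.2.10]
Sep  7 20:31:05 server courierpop3login: LOGIN FAILED, user=alice, ip=[::ffff:192.0.2.10]
Sep  7 20:31:09 server courierpop3login: LOGIN, user=bob, ip=[::ffff:198.51.100.7]
Sep  7 20:31:12 server imapd: LOGIN FAILED, user=carol, ip=[::ffff:192.0.2.10]
Sep  7 20:31:15 server imapd: LOGIN FAILED, user=admin, ip=[::ffff:192.168.1.100]
Sep  7 20:31:20 server postfix/smtpd[1234]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Sep  7 20:31:22 server postfix/smtpd[1234]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed: authentication failure
Sep  7 20:31:24 server postfix/smtpd[1234]: warning: unknown[203.0.113.5]: SASL CRAM-MD5 authentication failed: authentication failure
Sep  7 20:31:26 server postfix/smtpd[1234]: warning: unknown[203.0.113.5]: SASL DIGEST-MD5 authentication failed: authentication failure
Sep  7 20:31:28 server postfix/smtpd[1234]: warning: mail.example.net[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
"""


def compile_failregex(pattern):
    """Expand <HOST> the way fail2ban does and compile the pattern."""
    return re.compile(pattern.replace("<HOST>", HOST_TAG))


def is_ignored(host):
    """True if host falls inside one of the ignoreip entries (IP/CIDR only;
    DNS-name entries are not resolved here)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(ip in net for net in IGNOREIP)


def scan_log(lines, jail):
    """Count failregex matches per extracted host for one jail.
    As in fail2ban, hosts covered by ignoreip are never counted."""
    rx = compile_failregex(FAILREGEX[jail])
    hits = Counter()
    for line in lines:
        m = rx.search(line)
        if m and not is_ignored(m.group("host")):
            hits[m.group("host")] += 1
    return hits


def hosts_to_ban(hits, maxretry=MAXRETRY):
    """Hosts whose failure count reached maxretry. findtime is not modelled:
    every sample line above falls inside one window anyway."""
    return sorted(h for h, n in hits.items() if n >= maxretry)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for jail in FAILREGEX:
        hits = scan_log(lines, jail)
        print(f"{jail}: hits={dict(hits)} ban={hosts_to_ban(hits)}")
```

Run it and each jail reports the hosts its failregex extracted; the SASL jail shows `203.0.113.5` reaching `maxretry` while the `192.168.1.100` IMAP failure is dropped by `ignoreip`. A pattern that yields no `host` group against your real log lines is the thing to fix in jail.local; a pattern that matches fine but still produces the "Invalid command" warning points at the client/server command handling, not the regex.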

dclardy
11th September 2009, 05:43
Any update on this? An IP is attacking my ftp server, and it is not getting blocked. I would like to get this resolved.

Falko, I guess that I am really asking you for help.

falko
11th September 2009, 15:04
I have no idea what's wrong. The configuration seems to be ok. :confused:

astewart
11th September 2009, 17:19
Any update on this? An IP is attacking my ftp server, and it is not getting blocked. I would like to get this resolved.

Falko, I guess that I am really asking you for help.



I'm not very familiar with 'Fail2Ban' but I noticed in your configuration file, you seem to be missing [pureftpd].

You have a few other ftp's in there but not [pureftpd].

Could this be the problem?

dclardy
11th September 2009, 17:43
I made the change to pureftpd. Tried to restart fail2ban, and it fails.

Falko,

Should your jail.local file work with Debian Lenny and ISPConfig 3.0.1.4?

I thought that it should still be fine. I guess that I am doing something wrong.

astewart
11th September 2009, 18:06
It looks like it's fairly easy to set up but I can't even get it to start :(

root@server:/etc/fail2ban/filter.d# /etc/init.d/fail2ban restart
* Restarting authentication failure monitor fail2ban [fail]

The log file for fail2ban is not telling me anything helpful either.
What's up with that?

astewart
11th September 2009, 18:27
After investigating a little further into this, it appears that I am missing the 'fail2ban.sock' file which should be in /var/run/fail2ban directory.

I've set the log level to Debug but unfortunately nothing is being logged, even when I stop, start or restart it.

I can't find this file anywhere.

My setup:
Ubuntu 8.04, ISPCONFIG 3.0.1.4.

Does anyone have any ideas what I should do from here?

giftsnake
11th September 2009, 18:40
AFAIK the fail2ban.sock file gets generated when successfully starting the process!?

I would try to restore the default configuration for fail2ban and then step by step insert the filters in your guide.

dclardy
30th September 2009, 00:23
Does anyone have a working configuration of Fail2Ban on ISPConfig 3.0.1.4? If so, please post this so that I can see what I am doing wrong!

Thanks,
Drew

till
30th September 2009, 10:22
The Fail2ban config is not specific to ISPConfig. If you enter "fail2ban" in the search here on howtoforge, you will find several howtos from falko that explain the fail2ban configuration for different services and Linux distributions.