HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials (http://www.howtoforge.com/forums/index.php)
-   Server Operation (http://www.howtoforge.com/forums/forumdisplay.php?f=5)
-   -   need help with fail2ban install (http://www.howtoforge.com/forums/showthread.php?t=13630)

cruz 24th June 2007 04:57

need help with fail2ban install
 
I had to unistall fail2ban because I delited the wrong file. I reinstalled. when i got to the place were I was to create the file jail.local, i copied the the file from your install, pasted it to word. added my ip address for my laptop. then pasted it in the new file jail.local. when I restarted the program I got this error.
HTML Code:

server1:~# vi /etc/fail2ban/jail.local
server1:~# /etc/init.d/fail2ban restart
Restarting authentication failure monitor: fail2banTraceback (most recent call l                                                                            ast):
  File "/usr/bin/fail2ban-client", line 333, in ?
    if client.start(sys.argv):
  File "/usr/bin/fail2ban-client", line 311, in start
    return self.__processCommand(args)
  File "/usr/bin/fail2ban-client", line 175, in __processCommand
    self.__readConfig()
  File "/usr/bin/fail2ban-client", line 315, in __readConfig
    self.__configurator.readAll()
  File "/usr/share/fail2ban/client/configurator.py", line 56, in readAll
    self.__jails.read()
  File "/usr/share/fail2ban/client/jailsreader.py", line 41, in read
    ConfigReader.read(self, "jail")
  File "/usr/share/fail2ban/client/configreader.py", line 57, in read
    SafeConfigParser.read(self, [bConf, bLocal])
  File "/usr/lib/python2.4/ConfigParser.py", line 267, in read
    self._read(fp, filename)
  File "/usr/lib/python2.4/ConfigParser.py", line 462, in _read
    raise MissingSectionHeaderError(fpname, lineno, line)
ConfigParser.MissingSectionHeaderError: File contains no section headers.
file: /etc/fail2ban/jail.local, line: 4
'ignoreip = 127.0.0.1 192.168.1.101\n'
 failed!

What dose this all mean. It sounded like all I had to change was to add my ip to the ignoreip line.

falko 25th June 2007 16:26

What's in /etc/fail2ban/jail.local?

cruz 26th June 2007 04:48

here you go
 
[HTML][[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1 192.168.1.101 192.168.1.102
bantime = 600
maxretry = 3

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto".
# yoh: For some reason Debian shipped python-gamin didn't work as expected
# This issue left ToDo, so polling is default backend for now
backend = polling

#
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = root@localhost

# Default action to take: ban only
action = iptables[name=%(__name__)s, port=%(port)s]


[ssh]

enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 5


[apache]

enabled = true
port = http
filter = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 5


[apache-noscript]

enabled = false
port = http
filter = apache-noscript
logpath = /var/log/apache*/*error.log
maxretry = 5


[vsftpd]

enabled = false
port = ftp
filter = vsftpd
logpath = /var/log/auth.log
maxretry = 5


[proftpd]

enabled = true
port = ftp
filter = proftpd
logpath = /var/log/auth.log
failregex = proftpd: \(pam_unix\) authentication failure; .* rhost=<HOST>
maxretry = 5


[wuftpd]

enabled = false
port = ftp
filter = wuftpd
logpath = /var/log/auth.log
maxretry = 5


[postfix]

enabled = false
port = smtp
filter = postfix
logpath = /var/log/mail.log
maxretry = 5


[courierpop3]

enabled = true
port = pop3
filter = courierlogin
failregex = courierpop3login: LOGIN FAILED.*ip=\[.*:<HOST>\]
logpath = /var/log/mail.log
maxretry = 5


[courierimap]

enabled = true
port = imap2
filter = courierlogin
failregex = imapd: LOGIN FAILED.*ip=\[.*:<HOST>\]
logpath = /var/log/mail.log
maxretry = 5


[sasl]

enabled = true
port = smtp
filter = sasl
failregex = warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed
logpath = /var/log/mail.log
maxretry = 5/HTML] this is the file I had copied to a text doc. when I checked the file in /etc/fail3ban/jail.local it had a missing part in the front of the file. I fixed it and then restarted it and got this. Is this corect responce after the restart? (Restarting authentication failure monitor: fail2ban) then it ends up at the comand promp.

falko 27th June 2007 18:24

Quote:

Originally Posted by cruz
Is this corect responce after the restart? (Restarting authentication failure monitor: fail2ban) then it ends up at the comand promp.

Can you check the output of
Code:

ps aux
to see if it's running? If it is, I think you're good to go. :)

cruz 27th June 2007 19:21

results from ps aux
 
I do not see it on here.
HTML Code:

larry@server1:~$ ps aux
USER      PID %CPU %MEM    VSZ  RSS TTY      STAT START  TIME COMMAND
root        1  0.0  0.2  1944  652 ?        Ss  09:55  0:01 init [2]
root        2  0.0  0.0      0    0 ?        S    09:55  0:00 [migration/0]
root        3  0.0  0.0      0    0 ?        SN  09:55  0:00 [ksoftirqd/0]
root        4  0.0  0.0      0    0 ?        S<  09:55  0:00 [events/0]
root        5  0.0  0.0      0    0 ?        S<  09:55  0:00 [khelper]
root        6  0.0  0.0      0    0 ?        S<  09:55  0:00 [kthread]
root        9  0.0  0.0      0    0 ?        S<  09:55  0:00 [kblockd/0]
root        10  0.0  0.0      0    0 ?        S<  09:55  0:00 [kacpid]
root        81  0.0  0.0      0    0 ?        S<  09:55  0:00 [kseriod]
root      117  0.0  0.0      0    0 ?        S    09:55  0:00 [pdflush]
root      118  0.0  0.0      0    0 ?        S    09:55  0:00 [pdflush]
root      119  0.0  0.0      0    0 ?        S<  09:55  0:00 [kswapd0]
root      120  0.0  0.0      0    0 ?        S<  09:55  0:00 [aio/0]
root      574  0.0  0.0      0    0 ?        S<  09:55  0:00 [khubd]
root      937  0.0  0.0      0    0 ?        S<  09:55  0:00 [kjournald]
root      1114  0.0  0.2  2176  612 ?        S<s  09:55  0:00 udevd --daemon
root      1414  0.0  0.0      0    0 ?        S<  09:55  0:00 [kpsmoused]
root      1721  0.0  0.0      0    0 ?        S<  09:55  0:00 [kmirrord]
daemon    1908  0.0  0.1  1688  376 ?        Ss  09:55  0:00 /sbin/portmap
root      2111  0.0  0.2  1624  564 ?        Ss  09:55  0:00 /sbin/syslogd -
root      2117  0.0  0.1  1580  388 ?        Ss  09:55  0:00 /sbin/klogd -x
root      2191  0.0  0.5  2672  1340 ?        S    09:55  0:00 /bin/sh /usr/bi
mysql    2228  0.0  6.7 127276 17412 ?        Sl  09:55  0:00 /usr/sbin/mysql
root      2229  0.0  0.1  1564  512 ?        S    09:55  0:00 logger -p daemo
root      2341  0.0  0.2  1572  560 ?        Ss  09:55  0:00 /usr/sbin/acpid
root      2345  0.0  0.1  1756  404 ?        S    09:55  0:00 /usr/sbin/couri
root      2346  0.0  0.2  1908  604 ?        S    09:55  0:00 /usr/lib/courie
root      2353  0.0  0.1  1908  272 ?        S    09:55  0:00 /usr/lib/courie
root      2354  0.0  0.1  1908  272 ?        S    09:55  0:00 /usr/lib/courie
root      2355  0.0  0.1  1908  272 ?        S    09:55  0:00 /usr/lib/courie
root      2356  0.0  0.1  1908  272 ?        S    09:55  0:00 /usr/lib/courie
root      2357  0.0  0.1  1908  272 ?        S    09:55  0:00 /usr/lib/courie
root      2361  0.0  0.1  1752  328 ?        S    09:55  0:00 /usr/sbin/couri
root      2362  0.0  0.2  1852  552 ?        S    09:55  0:00 /usr/sbin/couri
root      2373  0.0  0.1  1756  332 ?        S    09:55  0:00 /usr/sbin/couri
root      2374  0.0  0.2  1852  556 ?        S    09:55  0:00 /usr/sbin/couri
root      2379  0.0  0.1  1856  508 ?        S    09:55  0:00 /usr/sbin/couri
root      2385  0.0  0.1  1620  316 ?        S    09:55  0:00 /usr/sbin/couri
root      2392  0.0  0.1  1752  328 ?        S    09:55  0:00 /usr/sbin/couri
root      2393  0.0  0.2  1852  552 ?        S    09:55  0:00 /usr/sbin/couri
root      2402  0.0  0.2  1752  568 ?        Ss  09:55  0:00 /usr/sbin/inetd
root      2481  0.0  0.3  7216  984 ?        Ss  09:55  0:00 /usr/sbin/sasla
root      2482  0.0  0.2  7216  540 ?        S    09:55  0:00 /usr/sbin/sasla
root      2483  0.0  0.1  7216  360 ?        S    09:55  0:00 /usr/sbin/sasla
root      2484  0.0  0.1  7216  360 ?        S    09:55  0:00 /usr/sbin/sasla
root      2485  0.0  0.1  7216  360 ?        S    09:55  0:00 /usr/sbin/sasla
root      2491  0.0  0.4  4924  1088 ?        Ss  09:55  0:00 /usr/sbin/sshd
statd    2531  0.0  0.2  1756  740 ?        Ss  09:55  0:00 /sbin/rpc.statd
ntp      2548  0.0  0.5  4132  1336 ?        Ss  09:55  0:00 /usr/sbin/ntpd
daemon    2572  0.0  0.1  1828  412 ?        Ss  09:55  0:00 /usr/sbin/atd
root      2579  0.0  0.3  2192  876 ?        Ss  09:55  0:00 /usr/sbin/cron
root      2614  0.0  1.5 121336  4008 ?        Sl  09:55  0:00 python2.4 /usr/
root      2823  0.0  3.4  14612  8732 ?        Ss  09:56  0:00 /root/ispconfig
root      2824  0.0  0.4  2644  1268 ?        S    09:56  0:00 /bin/bash /root
1001      2829  0.0  2.9  14612  7500 ?        S    09:56  0:00 /root/ispconfig
root      2844  0.0  4.7  36376 12160 ?        Ss  09:56  0:00 /usr/sbin/apach
root      2845  0.0  0.1  1488  288 ?        S    09:56  0:00 /root/ispconfig
www-data  2865  0.0  2.1  36508  5464 ?        S    09:56  0:00 /usr/sbin/apach
www-data  2866  0.0  2.0  36376  5324 ?        S    09:56  0:00 /usr/sbin/apach
www-data  2867  0.0  2.0  36376  5320 ?        S    09:56  0:00 /usr/sbin/apach
www-data  2868  0.0  2.0  36376  5320 ?        S    09:56  0:00 /usr/sbin/apach
www-data  2869  0.0  2.0  36376  5320 ?        S    09:56  0:00 /usr/sbin/apach
root      2930  0.0  0.6  4812  1624 ?        Ss  09:56  0:00 /usr/lib/postfi
postfix  2939  0.0  0.6  4820  1576 ?        S    09:56  0:00 pickup -l -t fi
postfix  2940  0.0  0.6  4856  1616 ?        S    09:56  0:00 qmgr -l -t fifo
bind      2960  0.0  1.0  30268  2744 ?        Ssl  09:56  0:00 /usr/sbin/named
proftpd  2981  0.0  0.5  9152  1508 ?        Ss  09:56  0:00 proftpd: (accep
1001      2990  0.0  0.4  2496  1064 ?        Ss  09:56  0:00 /home/admispcon
root      3016  0.0  0.1  1576  496 tty1    Ss+  09:56  0:00 /sbin/getty 384
root      3017  0.0  0.1  1576  496 tty2    Ss+  09:56  0:00 /sbin/getty 384
root      3018  0.0  0.1  1572  492 tty3    Ss+  09:56  0:00 /sbin/getty 384
root      3019  0.0  0.1  1572  492 tty4    Ss+  09:56  0:00 /sbin/getty 384
root      3020  0.0  0.1  1572  492 tty5    Ss+  09:56  0:00 /sbin/getty 384
root      3023  0.0  0.1  1572  492 tty6    Ss+  09:56  0:00 /sbin/getty 384
root      3464  0.2  0.8  7700  2288 ?        Ss  10:16  0:00 sshd: larry [pr
larry    3468  0.0  0.6  7700  1588 ?        S    10:16  0:00 sshd: larry@pts
larry    3469  3.6  1.1  5384  2916 pts/0    Ss  10:16  0:00 -bash
root      3489  0.0  0.1  1564  400 ?        S    10:16  0:00 sleep 10
larry    3490  0.0  0.3  3428  1000 pts/0    R+  10:16  0:00 ps aux

I might be missing it for some reason.

falko 28th June 2007 21:40

I don't see it either.
Any errors in your logs? What's in var/log/fail2ban.log?
What's in /etc/init.d/fail2ban?

cruz 30th June 2007 05:18

copying files in PuTTY
 
How do I copy the whole file in PuTTY? I understand that I need to past it into word or some other doc program to be able to work with the file. I tried to highlite it, but I can only get so much of the file. Thanks for the help.

falko 1st July 2007 13:30

You can copy the file over to your desktop (for example with WinSCP) and then open it in your favourite text editor.

cruz 11th July 2007 22:10

/etc/init.d/fail2ban file
 
[HTML#! /bin/sh
### BEGIN INIT INFO
# Provides: fail2ban
# Required-Start: $local_fs $remote_fs
# Required-Stop: $local_fs $remote_fs
# Should-Start: $time $network $syslog iptables firehol shorewall ipmasq
# Should-Stop: $network $syslog iptables firehol shorewall ipmasq
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Start/stop fail2ban
# Description: Start/stop fail2ban, a daemon scanning the log files and
# banning potential attackers.
### END INIT INFO

# Author: Aaron Isotton <aaron@isotton.com>
# Modified: by Yaroslav Halchenko <debian@onerussian.com>
# reindented + minor corrections + to work on sarge without modifications
#
PATH=/usr/sbin:/usr/bin:/sbin:/bin
DESC="authentication failure monitor"
NAME=fail2ban

# fail2ban-client is not a daemon itself but starts a daemon and
# loads its with configuration
DAEMON=/usr/bin/$NAME-client
SOCKFILE=/tmp/$NAME.sock
SCRIPTNAME=/etc/init.d/$NAME

# Exit if the package is not installed
[ -x "$DAEMON" ] || exit 0

# Read configuration variable file if it is present
[ -r /etc/default/$NAME ] && . /etc/default/$NAME
DAEMON_ARGS="$FAIL2BAN_OPTS"

# Load the VERBOSE setting and other rcS variables
[ -f /etc/default/rcS ] && . /etc/default/rcS

# Predefine what can be missing from lsb source later on -- necessary to run
# on sarge. Just present it in a bit more compact way from what was shipped
log_daemon_msg () {
[ -z "$1" ] && return 1
echo -n "$1:"
[ -z "$2" ] || echo -n " $2"
}

# Define LSB log_* functions.
# Depend on lsb-base (>= 3.0-6) to ensure that this file is present.
# Actually has to (>=2.0-7) present in sarge. log_daemon_msg is predefined
# so we must be ok
. /lib/lsb/init-functions

#
# Function that starts the daemon/service
#
do_start()
{
# Return
# 0 if daemon has been started
# 1 if daemon was already running
# 2 if daemon could not be started
do_status && return 1
start-stop-daemon --start --quiet --chuid root --exec $DAEMON -- \
$DAEMON_ARGS start > /dev/null\
|| return 2
}

#
# Shortcut function for abnormal init script interruption
#
report_bug()
{
echo $*
echo "Please submit a bug report to Debian BTS (reportbug fail2ban)"
exit 1
}

#
# Function that checks the status of fail2ban and returns
# corresponding code
#
do_status()
{
$DAEMON status > /dev/null
case $? in
0) return 0
;;
255)
if [ -S $SOCKFILE ]; then
if [ -r $SOCKFILE ]; then
return 1
else
return 4
fi
else
return 3
fi
;;
*)
report_bug "Unknown return code from fail2ban."
esac
}

#
# Function that stops the daemon/service
#
do_stop()
{
# Return
# 0 if daemon has been stopped
# 1 if daemon was already stopped
# 2 if daemon could not be stopped
# other if a failure occurred
$DAEMON status > /dev/null || return 1
$DAEMON stop > /dev/null || return 2
return 0
}

#
# Function to reload configuration
#
do_reload() {
$DAEMON reload > /dev/null && return 0 || return 1
return 0
}

# yoh:
# shortcut function to don't duplicate case statements and to don't use
# bashisms (arrays). Fixes #368218
#
log_end_msg_wrapper()
{
[ $1 -lt $2 ] && value=0 || value=1
log_end_msg $value
}

case "$1" in
start)
[ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
do_start
[ "$VERBOSE" != no ] && log_end_msg_wrapper $? 2
;;
stop)
[ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
do_stop
[ "$VERBOSE" != no ] && log_end_msg_wrapper $? 2
;;
restart|force-reload)
log_daemon_msg "Restarting $DESC" "$NAME"
do_stop
case "$?" in
0|1)
# now we need actually to wait a bit since it might take time
# for server to react on client's stop request
count=1
while do_status && [ $count -lt 10 ]; do
sleep 1
count=$(($count+1))
done

[ $count -lt 10 ] || log_end_msg 1 # failed to stop

do_start
log_end_msg_wrapper $? 1
;;
*)
# Failed to stop
log_end_msg 1
;;
esac
;;

reload|force-reload)
log_daemon_msg "Reloading $DESC" "$NAME"
do_reload
log_end_msg $?
;;

status)
log_daemon_msg "Status of $DESC"
do_status
case $? in
0) log_success_msg " $NAME is running" ;;
1) log_failure_msg " $NAME is not running but $SOCKFILE exists" ;;
3) log_warning_msg " $NAME is not running" ;;
4) log_failure_msg " $SOCKFILE not readable, status of $NAME unknown";;
*) report_bug "Unknown status code"
esac
;;
*)
echo "Usage: $SCRIPTNAME {start|stop|restart|force-reload|status}" >&2
exit 3
;;
esac

:
][/HTML] The log file you reqiested has two files. what file do I post? fail2ban.log or faIl2ban.log1

falko 12th July 2007 14:16

What's the output of
Code:

ls -l /usr/bin/fail2ban-client
?

Quote:

The log file you reqiested has two files. what file do I post? fail2ban.log or faIl2ban.log1
Take a look at both. fail2ban.log is the current log file, fail2ban.log1 the old one.


All times are GMT +2. The time now is 15:23.

Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2014, vBulletin Solutions, Inc.