HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials


KenMasters 9th June 2009 02:08

fail2ban bug resurfaced?
 
I have this exact error in CentOS 5.3 x86_64, using ISPConfig 3.0.1.3:
FS#588 - CentOS: Monitoring plugin doesn't recognize fail2ban

I followed The Perfect Server - CentOS 5.3 x86_64 [ISPConfig 3] to the letter (and found another bug in it - you must run "yum install apr-devel" or you will fail compiling SuPHP).

Everything seems to be fine (still checking some functions), yet the fail2ban plugin isn't working.

till 9th June 2009 12:21

Please post the output of:

which fail2ban

KenMasters 9th June 2009 21:38

which fail2ban produces:
/usr/bin/which: no fail2ban in (/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin)

The command I used to install it was "yum install fail2ban", as described in the server howto.

The actual client is found, no problem:
which fail2ban-client produces:
/usr/bin/fail2ban-client

The log file is here, but is empty:
/var/log/fail2ban.log

KenMasters 9th June 2009 22:16

Lol, never mind, I made a configuration error, being new to fail2ban. I didn't realize the jails had to be activated before it would start logging. You'd think it would log something, even a "no jails active" message.

Now my problem is that I can't seem to figure out why it's not working correctly. I'm not sure what I should enable, or what's safe with ISPConfig 3. I'm getting logs, but they look like this:

Code:

2009-06-09 15:06:59,959 fail2ban.jail : INFO Using Gamin
2009-06-09 15:06:59,967 fail2ban.filter : INFO Created Filter
2009-06-09 15:06:59,967 fail2ban.filter : INFO Created FilterGamin
2009-06-09 15:06:59,968 fail2ban.filter : INFO Set maxRetry = 5
2009-06-09 15:06:59,970 fail2ban.filter : INFO Set findtime = 600
2009-06-09 15:06:59,971 fail2ban.actions: INFO Set banTime = 3600
2009-06-09 15:06:59,998 fail2ban.actions.action: INFO Set actionBan = iptables -I fail2ban- 1 -s -j DROP
2009-06-09 15:06:59,998 fail2ban.actions.action: INFO Set actionStop = iptables -D INPUT -p --dport -j fail2ban-
iptables -F fail2ban-
iptables -X fail2ban-
2009-06-09 15:06:59,999 fail2ban.actions.action: INFO Set actionStart = iptables -N fail2ban-
iptables -A fail2ban- -j RETURN
iptables -I INPUT -p --dport -j fail2ban-
2009-06-09 15:06:59,999 fail2ban.actions.action: INFO Set actionUnban = iptables -D fail2ban- -s -j DROP
2009-06-09 15:07:00,000 fail2ban.actions.action: INFO Set actionCheck = iptables -n -L INPUT | grep -q fail2ban-
2009-06-09 15:07:00,001 fail2ban.actions.action: INFO Set actionBan = printf %b "Subject: [Fail2Ban] : banned
From: Fail2Ban <>
To: \n
Hi,\n
The IP has just been banned by Fail2Ban after
attempts against .\n\n
Here are more information about :\n
`/usr/bin/whois `\n
Regards,\n
Fail2Ban" | /usr/sbin/sendmail -f
2009-06-09 15:07:00,002 fail2ban.actions.action: INFO Set actionStop = printf %b "Subject: [Fail2Ban] : stopped
From: Fail2Ban <>
To: \n
Hi,\n
The jail has been stopped.\n
Regards,\n
Fail2Ban" | /usr/sbin/sendmail -f
2009-06-09 15:07:00,002 fail2ban.actions.action: INFO Set actionStart = printf %b "Subject: [Fail2Ban] : started
From: Fail2Ban <>
To: \n
Hi,\n
The jail has been started successfully.\n
Regards,\n
Fail2Ban" | /usr/sbin/sendmail -f
2009-06-09 15:07:00,003 fail2ban.actions.action: INFO Set actionUnban =
2009-06-09 15:07:00,003 fail2ban.actions.action: INFO Set actionCheck =
2009-06-09 15:07:00,005 fail2ban.jail : INFO Using Gamin
2009-06-09 15:07:00,005 fail2ban.filter : INFO Created Filter
2009-06-09 15:07:00,005 fail2ban.filter : INFO Created FilterGamin
2009-06-09 15:07:00,005 fail2ban.filter : INFO Set maxRetry = 3
2009-06-09 15:07:00,007 fail2ban.filter : INFO Set findtime = 600
2009-06-09 15:07:00,007 fail2ban.actions: INFO Set banTime = 300
2009-06-09 15:07:00,008 fail2ban.actions.action: INFO Set actionBan = IP= &&
printf %b "ALL: $IP\n" >>
2009-06-09 15:07:00,009 fail2ban.actions.action: INFO Set actionStop =
2009-06-09 15:07:00,009 fail2ban.actions.action: INFO Set actionStart =
2009-06-09 15:07:00,010 fail2ban.actions.action: INFO Set actionUnban = IP= && sed -i.old /ALL:\ $IP/d
2009-06-09 15:07:00,010 fail2ban.actions.action: INFO Set actionCheck =
2009-06-09 15:07:00,011 fail2ban.actions.action: INFO Set actionBan = printf %b "Subject: [Fail2Ban] : banned
From: Fail2Ban <>
To: \n
Hi,\n
The IP has just been banned by Fail2Ban after
attempts against .\n
Regards,\n
Fail2Ban" | /usr/sbin/sendmail -f
2009-06-09 15:07:00,012 fail2ban.actions.action: INFO Set actionStop = printf %b "Subject: [Fail2Ban] : stopped
From: Fail2Ban <>
To: \n
Hi,\n
The jail has been stopped.\n
Regards,\n
Fail2Ban" | /usr/sbin/sendmail -f
2009-06-09 15:07:00,012 fail2ban.actions.action: INFO Set actionStart = printf %b "Subject: [Fail2Ban] : started
From: Fail2Ban <>
To: \n
Hi,\n
The jail has been started successfully.\n
Regards,\n
Fail2Ban" | /usr/sbin/sendmail -f
2009-06-09 15:07:00,013 fail2ban.actions.action: INFO Set actionUnban =
2009-06-09 15:07:00,013 fail2ban.actions.action: INFO Set actionCheck =
2009-06-09 15:07:00,014 fail2ban.jail : INFO Using Gamin
2009-06-09 15:07:00,015 fail2ban.filter : INFO Created Filter
2009-06-09 15:07:00,015 fail2ban.filter : INFO Created FilterGamin
2009-06-09 15:07:00,015 fail2ban.filter : INFO Set maxRetry = 3
2009-06-09 15:07:00,016 fail2ban.comm : WARNING Invalid command: ['set', 'ssh-tcpwrapper', 'ignoreregex', 'for myuser from']

This doesn't look like any of the logs I've seen elsewhere. :confused:


Edit: I believe I enabled two conflicting jails. I'm now getting sane messages in my logs, and the email confirmations are working. Still not sure what's safe to use in conjunction with ISPC3, but I'll go with it for now.
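
Added example, not part of the original thread or of fail2ban itself: a short Python script that reads a startup log in the format posted above, folds the multi-line action definitions back into their entries, lists each jail's thresholds, and pulls out rejected commands such as the `Invalid command` warning. The function names are illustrative, and treating each `Using ...` line from `fail2ban.jail` as the start of a new jail's block is an assumption inferred from the log above.

```python
import ast
import re

# Sample input: lines abridged from the log in the post above.
SAMPLE_LOG = """\
2009-06-09 15:06:59,959 fail2ban.jail : INFO Using Gamin
2009-06-09 15:06:59,968 fail2ban.filter : INFO Set maxRetry = 5
2009-06-09 15:06:59,970 fail2ban.filter : INFO Set findtime = 600
2009-06-09 15:06:59,971 fail2ban.actions: INFO Set banTime = 3600
2009-06-09 15:06:59,998 fail2ban.actions.action: INFO Set actionStop = iptables -F fail2ban-
iptables -X fail2ban-
2009-06-09 15:07:00,014 fail2ban.jail : INFO Using Gamin
2009-06-09 15:07:00,015 fail2ban.filter : INFO Set maxRetry = 3
2009-06-09 15:07:00,016 fail2ban.comm : WARNING Invalid command: ['set', 'ssh-tcpwrapper', 'ignoreregex', 'for myuser from']
"""

ENTRY = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d+) (fail2ban[\w.]*)\s*: (\w+) (.*)$")
SETTING = re.compile(r"^Set (maxRetry|findtime|banTime) = (\d+)$")

def parse_entries(text):
    """Return [component, level, message] items; untimestamped lines continue the previous one."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append([m.group(2), m.group(3), m.group(4)])
        elif entries:
            entries[-1][2] += "\n" + line
    return entries

def summarize(text):
    """Return (per-jail thresholds in start order, WARNING/ERROR entries with parsed details)."""
    jails, problems = [], []
    for component, level, message in parse_entries(text):
        if component == "fail2ban.jail" and message.startswith("Using "):
            jails.append({})  # assumption: this line opens each jail's block
        m = SETTING.match(message)
        if m and jails:
            jails[-1][m.group(1)] = int(m.group(2))
        if level in ("WARNING", "ERROR"):
            problem = {"level": level, "message": message}
            if message.startswith("Invalid command: "):
                cmd = ast.literal_eval(message.split(": ", 1)[1])
                if len(cmd) >= 3 and cmd[0] == "set":
                    problem.update(jail=cmd[1], option=cmd[2])
            problems.append(problem)
    return jails, problems

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

On the sample, the second jail stops after maxRetry and the rejected command names the jail and option the server refused to set, which is where to look in the jail configuration.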

till 10th June 2009 08:42

ISPConfig is just displaying the log file in its monitor, so there is nothing safe or unsafe regarding fail2ban.

