HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials


florix.net 24th January 2011 10:28

Help with Fail2ban
 
My fail2ban log is showing the following entries ... I am not sure if it is really working. Can someone help with this?

I am interested in blocking failed SSH and SMTP, POP attempts.

Richard

--------------------------------------------------------------------

2010-12-09 01:03:28,945 fail2ban.actions.action: INFO Set actionUnban =
2010-12-09 01:03:28,946 fail2ban.actions.action: INFO Set actionCheck =
2010-12-09 01:49:26,359 fail2ban.jail : INFO Using Gamin
2010-12-09 01:49:26,387 fail2ban.filter : INFO Created Filter
2010-12-09 01:49:26,442 fail2ban.filter : INFO Created FilterGamin
2010-12-09 01:49:26,445 fail2ban.filter : INFO Added logfile = /var/log/secure
2010-12-09 01:49:26,449 fail2ban.filter : INFO Set maxRetry = 5
2010-12-09 01:49:26,450 fail2ban.filter : INFO Set findtime = 600
2010-12-09 01:49:26,451 fail2ban.actions: INFO Set banTime = 600
2010-12-09 01:49:26,495 fail2ban.actions.action: INFO Set actionBan = iptables -I fail2ban- 1 -s -j DROP
2010-12-09 01:49:26,496 fail2ban.actions.action: INFO Set actionStop = iptables -D INPUT -p --dport -j fail2ban-
iptables -F fail2ban-
iptables -X fail2ban-
2010-12-09 01:49:26,497 fail2ban.actions.action: INFO Set actionStart = iptables -N fail2ban-
iptables -A fail2ban- -j RETURN
iptables -I INPUT -p --dport -j fail2ban-
2010-12-09 01:49:26,498 fail2ban.actions.action: INFO Set actionUnban = iptables -D fail2ban- -s -j DROP
2010-12-09 01:49:26,498 fail2ban.actions.action: INFO Set actionCheck = iptables -n -L INPUT | grep -q fail2ban-
2010-12-09 01:49:26,501 fail2ban.actions.action: INFO Set actionBan = printf %b "Subject: [Fail2Ban] : banned
From: Fail2Ban <>
To: \n
Hi,\n
The IP has just been banned by Fail2Ban after
attempts against .\n\n
Here are more information about :\n
`/usr/bin/whois `\n
Regards,\n
Fail2Ban" | /usr/sbin/sendmail -f
2010-12-09 01:49:26,502 fail2ban.actions.action: INFO Set actionStop = printf %b "Subject: [Fail2Ban] : stopped
From: Fail2Ban <>
To: \n
Hi,\n
The jail has been stopped.\n
Regards,\n
Fail2Ban" | /usr/sbin/sendmail -f
2010-12-09 01:49:26,503 fail2ban.actions.action: INFO Set actionStart = printf %b "Subject: [Fail2Ban] : started
From: Fail2Ban <>
To: \n
Hi,\n
The jail has been started successfully.\n
Regards,\n
Fail2Ban" | /usr/sbin/sendmail -f
2010-12-09 01:49:26,504 fail2ban.actions.action: INFO Set actionUnban =
2010-12-09 01:49:26,505 fail2ban.actions.action: INFO Set actionCheck =
2010-12-12 04:02:36,282 fail2ban.filter : INFO Log rotation detected for /var/log/secure
2010-12-12 05:01:16,548 fail2ban.filter : INFO Log rotation detected for /var/log/secure
2010-12-14 17:56:29,153 fail2ban.jail : INFO Using Gamin
2010-12-14 17:56:29,290 fail2ban.filter : INFO Created Filter
2010-12-14 17:56:29,451 fail2ban.filter : INFO Created FilterGamin
2010-12-14 17:56:29,464 fail2ban.filter : INFO Added logfile = /var/log/secure
2010-12-14 17:56:29,470 fail2ban.filter : INFO Set maxRetry = 5
2010-12-14 17:56:29,471 fail2ban.filter : INFO Set findtime = 600
2010-12-14 17:56:29,472 fail2ban.actions: INFO Set banTime = 600
2010-12-14 17:56:29,523 fail2ban.actions.action: INFO Set actionBan = iptables -I fail2ban- 1 -s -j DROP
2010-12-14 17:56:29,523 fail2ban.actions.action: INFO Set actionStop = iptables -D INPUT -p --dport -j fail2ban-
iptables -F fail2ban-
iptables -X fail2ban-
2010-12-14 17:56:29,524 fail2ban.actions.action: INFO Set actionStart = iptables -N fail2ban-
iptables -A fail2ban- -j RETURN
iptables -I INPUT -p --dport -j fail2ban-
2010-12-14 17:56:29,525 fail2ban.actions.action: INFO Set actionUnban = iptables -D fail2ban- -s -j DROP
2010-12-14 17:56:29,526 fail2ban.actions.action: INFO Set actionCheck = iptables -n -L INPUT | grep -q fail2ban-
2010-12-14 17:56:29,529 fail2ban.actions.action: INFO Set actionBan = printf %b "Subject: [Fail2Ban] : banned
From: Fail2Ban <>
To: \n
Hi,\n
The IP has just been banned by Fail2Ban after
attempts against .\n\n
Here are more information about :\n
`/usr/bin/whois `\n
Regards,\n
Fail2Ban" | /usr/sbin/sendmail -f
2010-12-14 17:56:29,530 fail2ban.actions.action: INFO Set actionStop = printf %b "Subject: [Fail2Ban] : stopped
From: Fail2Ban <>
To: \n
Hi,\n
The jail has been stopped.\n
Regards,\n
Fail2Ban" | /usr/sbin/sendmail -f
2010-12-14 17:56:29,531 fail2ban.actions.action: INFO Set actionStart = printf %b "Subject: [Fail2Ban] : started
From: Fail2Ban <>
To: \n
Hi,\n
The jail has been started successfully.\n
Regards,\n
Fail2Ban" | /usr/sbin/sendmail -f
2010-12-14 17:56:29,532 fail2ban.actions.action: INFO Set actionUnban =
2010-12-14 17:56:29,533 fail2ban.actions.action: INFO Set actionCheck =
2010-12-14 18:30:40,531 fail2ban.actions.action: ERROR iptables -D INPUT -p tcp --dport ssh -j fail2ban-SSH
iptables -F fail2ban-SSH
iptables -X fail2ban-SSH returned 100

falko 25th January 2011 15:20

Do you see blocked IPs in the output of
Code:

iptables -L
?

florix.net 25th January 2011 19:37

Hi,

There are no blocked IPs in the iptables list command output.

Should I upload my fail2ban config files? Which files should I upload?

Richard
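
The jail in the log above runs with maxRetry = 5, findtime = 600 and banTime = 600, so before reinstalling it is worth checking whether any single address ever produced five failures inside ten minutes. The sketch below is an added example, not part of the thread and not fail2ban's own code: it replays sshd "Failed password" lines in the /var/log/secure format through a simplified model of those thresholds. The sample lines, host name, addresses and function names are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# sshd failure lines as found in /var/log/secure (syslog timestamps carry no year).
FAIL_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+) ")

def simulate_bans(lines, max_retry=5, find_time=600, ban_time=600, year=2010):
    """Return [(ip, banned_at, unbanned_at)]; defaults are the values logged in the thread.

    Simplified model: an IP is banned once max_retry failures fall inside a
    find_time-second window; the ban is lifted ban_time seconds later.
    """
    recent = defaultdict(deque)      # ip -> failure times still inside the window
    banned_until, bans = {}, []
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue                 # not an SSH authentication failure
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        if ip in banned_until and ts < banned_until[ip]:
            continue                 # already banned at this point
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > find_time:
            window.popleft()         # failure is older than find_time: forget it
        if len(window) >= max_retry:
            banned_until[ip] = ts + timedelta(seconds=ban_time)
            bans.append((ip, ts, banned_until[ip]))
            window.clear()
    return bans

def _line(hms, ip, user="root"):
    return f"Dec 14 {hms} host1 sshd[2201]: Failed password for {user} from {ip} port 40022 ssh2"

# Constructed sample lines (not from the thread); IPs are documentation addresses.
SAMPLE = sorted(
    [_line(f"18:00:{s:02d}", "192.0.2.10") for s in (1, 9, 17, 25, 33)]   # 5 in 32 s
    + [_line(f"18:{m:02d}:00", "198.51.100.7", "invalid user admin")
       for m in (0, 3, 6, 9, 12)]                                         # 5 in 720 s
    + ["Dec 14 18:13:00 host1 sshd[2201]: Accepted password for alice "
       "from 203.0.113.5 port 5000 ssh2"])

if __name__ == "__main__":
    for ip, start, end in simulate_bans(SAMPLE):
        print(f"{ip} banned {start:%H:%M:%S} -> unbanned {end:%H:%M:%S}")
```

Only the first address is banned here: the second spreads its five failures over twelve minutes and never has five inside the 600-second window. Because bans also expire after banTime, iptables -L only lists addresses banned within the last ten minutes.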

akamarinos 25th January 2011 20:25

You should read chapter 6.5 of the manual.

You might have to make some modifications in the configuration files if your distribution is not Debian/Ubuntu.

florix.net 26th January 2011 01:53

Hi,

I don't have access to the manual ... I feel I will uninstall fail2ban and install it again.

What will be the correct way to do so?

yum remove fail2ban?

Richard


All times are GMT +2.