HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

Thread: rkhunter and fail2ban logs not showing at ispconfig (http://www.howtoforge.com/forums/showthread.php?t=56079), Installation/Configuration forum

RioSif 6th February 2012 22:34

rkhunter and fail2ban logs not showing at ispconfig
 
Hello again,
I have a similar problem to this thread http://www.howtoforge.com/forums/showthread.php?t=44694 (which is not solved):
rkhunter and fail2ban logs are not showing in the ISPConfig logfiles.
Until yesterday the rkhunter log was showing. I don't remember fail2ban ever showing there...
Could you help?
I run ISPConfig on CentOS 6.2 and nginx. Yesterday I did a yum update, if that could help.
Thanks

till 7th February 2012 08:14

In which logfile do rkhunter and fail2ban log their actions on your server?

RioSif 7th February 2012 08:55

/var/log/fail2ban.log
/var/log/rkhunter/rkhunter.log

Here is the log of the updates I made before this happened:
Feb 05 20:39:33 Updated: glibc-common-2.12-1.47.el6_2.5.x86_64
Feb 05 20:39:46 Updated: glibc-2.12-1.47.el6_2.5.x86_64
Feb 05 20:39:48 Updated: php-common-5.3.10-2.el6.remi.x86_64
Feb 05 20:39:51 Updated: openssl-1.0.0-20.el6_2.1.x86_64
Feb 05 20:39:53 Updated: php-pdo-5.3.10-2.el6.remi.x86_64
Feb 05 20:39:53 Updated: openssh-5.3p1-70.el6_2.2.x86_64
Feb 05 20:39:55 Updated: php-cli-5.3.10-2.el6.remi.x86_64
Feb 05 20:39:57 Updated: t1lib-5.1.2-6.el6_2.1.x86_64
Feb 05 20:40:00 Updated: kernel-firmware-2.6.32-220.4.1.el6.noarch
Feb 05 20:40:07 Updated: kernel-headers-2.6.32-220.4.1.el6.x86_64
Feb 05 20:40:12 Updated: glibc-headers-2.12-1.47.el6_2.5.x86_64
Feb 05 20:40:14 Updated: glibc-devel-2.12-1.47.el6_2.5.x86_64
Feb 05 20:40:21 Installed: kernel-2.6.32-220.4.1.el6.x86_64
Feb 05 20:40:21 Updated: php-gd-5.3.10-2.el6.remi.x86_64
Feb 05 20:40:23 Updated: php-5.3.10-2.el6.remi.x86_64
Feb 05 20:40:27 Updated: openssh-server-5.3p1-70.el6_2.2.x86_64
Feb 05 20:40:28 Updated: openssh-clients-5.3p1-70.el6_2.2.x86_64
Feb 05 20:40:29 Updated: php-mysql-5.3.10-2.el6.remi.x86_64
Feb 05 20:40:31 Updated: php-odbc-5.3.10-2.el6.remi.x86_64
Feb 05 20:40:32 Updated: php-mssql-5.3.10-2.el6.remi.x86_64
Feb 05 20:40:34 Updated: openssl-devel-1.0.0-20.el6_2.1.x86_64
Feb 05 20:40:36 Updated: php-fpm-5.3.10-2.el6.remi.x86_64
Feb 05 20:40:38 Updated: php-imap-5.3.10-2.el6.remi.x86_64
Feb 05 20:40:42 Updated: 1:php-eaccelerator-0.9.6.1-11.el6.remi.x86_64
Feb 05 20:40:43 Updated: php-xmlrpc-5.3.10-2.el6.remi.x86_64
Feb 05 20:40:44 Updated: php-mcrypt-5.3.10-2.el6.remi.x86_64
Feb 05 20:40:45 Updated: php-mbstring-5.3.10-2.el6.remi.x86_64
Feb 05 20:40:46 Updated: php-xml-5.3.10-2.el6.remi.x86_64
Feb 05 20:40:47 Updated: php-soap-5.3.10-2.el6.remi.x86_64
Feb 05 20:40:48 Updated: php-snmp-5.3.10-2.el6.remi.x86_64
Feb 05 20:40:48 Updated: php-tidy-5.3.10-2.el6.remi.x86_64
Feb 05 20:40:54 Updated: php-ldap-5.3.10-2.el6.remi.x86_64
Feb 05 20:40:56 Updated: at-3.1.10-43.el6_2.1.x86_64
Feb 05 20:41:02 Updated: ghostscript-8.70-11.el6_2.6.x86_64
Feb 05 20:41:09 Installed: kernel-devel-2.6.32-220.4.1.el6.x86_64


And one more thing: I changed the default SSH port to something else.

till 7th February 2012 09:06

The log locations are ok. Please check that the fail2ban.log is not empty.

Regarding rkhunter, do you get the rkhunter scan result on the shell when you execute this command:

rkhunter --update --checkall --nocolors --skip-keypress

RioSif 7th February 2012 09:33

Code:

System checks summary
=====================

File properties checks...
    Files checked: 137
    Suspect files: 2

Rootkit checks...
    Rootkits checked : 246
    Possible rootkits: 0

Applications checks...
    All checks skipped

The system checks took: 1 minute and 50 seconds

All results have been written to the log file (/var/log/rkhunter/rkhunter.log)

One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter/rkhunter.log)

I get warnings for:
Checking for hidden files and directories [ Warning ]
Checking if SSH protocol v1 is allowed [ Warning ]
/usr/bin/unhide [ Warning ]
/usr/bin/unhide-tcp [ Warning ]

which have been there forever.

For fail2ban, here are the last lines of the non-empty log:
Code:

2012-02-04 13:40:57,191 fail2ban.jail  : INFO  Creating new jail 'ssh-iptables'
2012-02-04 13:40:57,194 fail2ban.jail  : INFO  Jail 'ssh-iptables' uses Gamin
2012-02-04 13:40:57,261 fail2ban.filter : INFO  Added logfile = /var/log/secure
2012-02-04 13:40:57,262 fail2ban.filter : INFO  Set maxRetry = 5
2012-02-04 13:40:57,262 fail2ban.filter : INFO  Set findtime = 600
2012-02-04 13:40:57,262 fail2ban.actions: INFO  Set banTime = 600
2012-02-04 13:40:57,315 fail2ban.jail  : INFO  Jail 'ssh-iptables' started
2012-02-04 15:14:49,107 fail2ban.actions: WARNING [ssh-iptables] Ban 1.202.148.22
2012-02-04 15:24:50,058 fail2ban.actions: WARNING [ssh-iptables] Unban 1.202.148.22
2012-02-04 17:13:58,486 fail2ban.actions: WARNING [ssh-iptables] Ban 88.208.218.199
2012-02-04 17:23:58,592 fail2ban.actions: WARNING [ssh-iptables] Unban 88.208.218.199
2012-02-04 21:46:27,468 fail2ban.actions: WARNING [ssh-iptables] Ban 212.156.126.210
2012-02-04 21:56:27,636 fail2ban.actions: WARNING [ssh-iptables] Unban 212.156.126.210
2012-02-05 03:02:08,959 fail2ban.actions: WARNING [ssh-iptables] Ban 49.254.98.187
2012-02-05 03:12:09,586 fail2ban.actions: WARNING [ssh-iptables] Unban 49.254.98.187
2012-02-05 03:34:10,542 fail2ban.filter : INFO  Log rotation detected for /var/log/secure
2012-02-05 03:35:10,606 fail2ban.filter : INFO  Log rotation detected for /var/log/secure
2012-02-05 17:10:30,482 fail2ban.actions: WARNING [ssh-iptables] Ban 210.212.250.35
2012-02-05 17:20:30,860 fail2ban.actions: WARNING [ssh-iptables] Unban 210.212.250.35
2012-02-05 18:30:09,754 fail2ban.actions: WARNING [ssh-iptables] Ban 184.107.179.242
2012-02-05 18:40:09,807 fail2ban.actions: WARNING [ssh-iptables] Unban 184.107.179.242
2012-02-05 18:53:31,804 fail2ban.jail  : INFO  Jail 'ssh-iptables' stopped
2012-02-05 18:53:31,824 fail2ban.server : INFO  Exiting Fail2ban
2012-02-05 18:56:30,726 fail2ban.server : INFO  Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.4
2012-02-05 18:56:30,726 fail2ban.jail  : INFO  Creating new jail 'ssh-iptables'
2012-02-05 18:56:30,754 fail2ban.jail  : INFO  Jail 'ssh-iptables' uses Gamin
2012-02-05 18:56:31,202 fail2ban.filter : INFO  Added logfile = /var/log/secure
2012-02-05 18:56:31,202 fail2ban.filter : INFO  Set maxRetry = 5
2012-02-05 18:56:31,220 fail2ban.filter : INFO  Set findtime = 600
2012-02-05 18:56:31,220 fail2ban.actions: INFO  Set banTime = 600
2012-02-05 18:56:31,273 fail2ban.jail  : INFO  Jail 'ssh-iptables' started
2012-02-05 18:56:34,455 fail2ban.jail  : INFO  Jail 'ssh-iptables' stopped
2012-02-05 18:56:34,456 fail2ban.server : INFO  Exiting Fail2ban
2012-02-05 18:56:35,643 fail2ban.server : INFO  Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.4
2012-02-05 18:56:35,644 fail2ban.jail  : INFO  Creating new jail 'ssh-iptables'
2012-02-05 18:56:35,644 fail2ban.jail  : INFO  Jail 'ssh-iptables' uses Gamin
2012-02-05 18:56:35,655 fail2ban.filter : INFO  Added logfile = /var/log/secure
2012-02-05 18:56:35,656 fail2ban.filter : INFO  Set maxRetry = 5
2012-02-05 18:56:35,656 fail2ban.filter : INFO  Set findtime = 600
2012-02-05 18:56:35,657 fail2ban.actions: INFO  Set banTime = 600
2012-02-05 18:56:35,711 fail2ban.jail  : INFO  Jail 'ssh-iptables' started
2012-02-05 18:57:29,770 fail2ban.jail  : INFO  Jail 'ssh-iptables' stopped
2012-02-05 18:57:29,771 fail2ban.server : INFO  Exiting Fail2ban
2012-02-05 18:59:23,555 fail2ban.server : INFO  Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.4
2012-02-05 18:59:23,555 fail2ban.jail  : INFO  Creating new jail 'ssh-iptables'
2012-02-05 18:59:23,556 fail2ban.jail  : INFO  Jail 'ssh-iptables' uses Gamin
2012-02-05 18:59:23,616 fail2ban.filter : INFO  Added logfile = /var/log/secure
2012-02-05 18:59:23,617 fail2ban.filter : INFO  Set maxRetry = 5
2012-02-05 18:59:23,618 fail2ban.filter : INFO  Set findtime = 600
2012-02-05 18:59:23,618 fail2ban.actions: INFO  Set banTime = 600
2012-02-05 18:59:23,672 fail2ban.jail  : INFO  Jail 'ssh-iptables' started
2012-02-05 18:59:26,967 fail2ban.jail  : INFO  Jail 'ssh-iptables' stopped
2012-02-05 18:59:26,967 fail2ban.server : INFO  Exiting Fail2ban
2012-02-05 18:59:28,184 fail2ban.server : INFO  Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.4
2012-02-05 18:59:28,184 fail2ban.jail  : INFO  Creating new jail 'ssh-iptables'
2012-02-05 18:59:28,185 fail2ban.jail  : INFO  Jail 'ssh-iptables' uses Gamin
2012-02-05 18:59:28,194 fail2ban.filter : INFO  Added logfile = /var/log/secure
2012-02-05 18:59:28,195 fail2ban.filter : INFO  Set maxRetry = 5
2012-02-05 18:59:28,196 fail2ban.filter : INFO  Set findtime = 600
2012-02-05 18:59:28,196 fail2ban.actions: INFO  Set banTime = 600
2012-02-05 18:59:28,249 fail2ban.jail  : INFO  Jail 'ssh-iptables' started
2012-02-06 21:40:02,482 fail2ban.jail  : INFO  Jail 'ssh-iptables' stopped
2012-02-06 21:40:02,564 fail2ban.server : INFO  Exiting Fail2ban
2012-02-06 21:42:08,946 fail2ban.server : INFO  Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.4
2012-02-06 21:42:08,959 fail2ban.jail  : INFO  Creating new jail 'ssh-iptables'
2012-02-06 21:42:08,983 fail2ban.jail  : INFO  Jail 'ssh-iptables' uses Gamin
2012-02-06 21:42:09,093 fail2ban.filter : INFO  Added logfile = /var/log/secure
2012-02-06 21:42:09,093 fail2ban.filter : INFO  Set maxRetry = 5
2012-02-06 21:42:09,095 fail2ban.filter : INFO  Set findtime = 600
2012-02-06 21:42:09,095 fail2ban.actions: INFO  Set banTime = 600
2012-02-06 21:42:09,159 fail2ban.jail  : INFO  Jail 'ssh-iptables' started
2012-02-06 22:21:17,721 fail2ban.jail  : INFO  Jail 'ssh-iptables' stopped
2012-02-06 22:21:17,734 fail2ban.server : INFO  Exiting Fail2ban


RioSif 7th February 2012 13:15

I found out that the problem is more serious! I tried to add a new site, blog.riosif.gr.
Vhosts in nginx/sites-enabled and nginx/sites-active were created, but nothing was created in /var/www/.
In the site's options I read "/var/www/clients/client1/web34/web:/var/www/clients/client1/web34/tmp", but no web34 folder is created.
I think this is caused by the update. What should I do? Please help!

RioSif 7th February 2012 15:47

One more thing I just found out, which has to do with new sites not being created, is this error when I try to restart php-fpm:
"Starting php-fpm: [07-Feb-2012 16:41:22] ERROR: [pool web36] cannot get uid for user 'web36'
[07-Feb-2012 16:41:22] ERROR: FPM initialization failed"

After that I deleted web36.conf:
rm /etc/php-fpm.d/web36.conf
and php-fpm starts again, but I cannot add new websites.


I guess all this has something to do with ISPConfig privileges, but how should I fix it?

Maybe I should reinstall ISPConfig? How could this be done?

till 7th February 2012 16:55

Don't reinstall ISPConfig, this will just mess up your system.

Just look into the system log in the ispconfig monitor if there are any errors blocking the processing of system changes and if there are no errors, take a look at the ispconfig debugging instructions in the ispconfig faq.

RioSif 20th February 2012 23:08

Hello again.
I figured out that the problem is that when I add a new site no user is created, and as a result nothing else is created. So I think it's a permissions issue where ISPConfig can't create a new user (for example user web30 is not created).
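
The failure mode in the two posts above (a php-fpm pool file referencing a system account that was never created, so FPM refuses to start) can be checked for before restarting php-fpm. The script below is an added example, not code from the thread or from ISPConfig; it assumes pool files live in a directory like /etc/php-fpm.d with the "[poolname]" / "user = name" layout, and the sample pools it builds are constructed (the "web36" account is hypothetical).

```shell
#!/bin/sh
# Added example: report php-fpm pools whose "user =" does not resolve to a
# system account, i.e. the condition behind
# "ERROR: [pool web36] cannot get uid for user 'web36'".

# Print "poolname:user" for every pool whose user is unknown to getent(1).
# Exits 0 whether or not anything is printed; callers inspect the output.
check_fpm_pool_users() {
    pooldir="$1"
    for conf in "$pooldir"/*.conf; do
        [ -f "$conf" ] || continue
        # first "user = ..." line, key and surrounding spaces/quotes removed
        user=$(sed -n 's/^[[:space:]]*user[[:space:]]*=[[:space:]]*//p' "$conf" \
               | head -n 1 | tr -d "\"'" )
        [ -n "$user" ] || continue
        if ! getent passwd "$user" >/dev/null 2>&1; then
            printf '%s:%s\n' "$(basename "$conf" .conf)" "$user"
        fi
    done
}

# Constructed sample pools standing in for /etc/php-fpm.d: "root" exists on
# any Linux box, the hypothetical "web36" mirrors the missing-account case.
make_sample_pools() {
    sampledir=$(mktemp -d)
    printf '[web1]\nuser = root\ngroup = root\nlisten = 127.0.0.1:9001\n' \
        > "$sampledir/web1.conf"
    printf '[web36]\nuser = web36\ngroup = client1\nlisten = 127.0.0.1:9036\n' \
        > "$sampledir/web36.conf"
    printf '%s\n' "$sampledir"
}
```

On a real server run `check_fpm_pool_users /etc/php-fpm.d`; an empty result means every pool's user exists, otherwise each listed pool would make "php-fpm" fail to start exactly as in the error above.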

RioSif 21st February 2012 10:19

Anyway, I'll do an OS reinstall. Last general Linux OS question: because I'm not an advanced Linux/Unix user, is there any article, guide or similar you know of about backing up and restoring the OS to a previous state, which could solve this kind of issue without the need for a reinstallation?

Thank you

