23rd July 2009, 10:42
Wandering-Aimlessly
Fail2Ban fails to ban :-)

Hi people.

I have spent 2 days trying to get Fail2Ban to work. I have read everything I can find without success, so it is time to ask.

I have installed Fail2ban on a test server and after some messing with the configs got it working well. Then I tried to install on a production box but it just won't work. Both boxes are running CentOS 5.3 and are reasonably identical (except the hardware of course). I have even copied the configs from the test to the production box.

Fail2ban seems to be running and passes all the tests I can come up with but it just fails to ban any attempts at brute force SSH.

Here are the configs/results of tests etc :-

# fail2ban-client status
|- Number of jail: 1
`- Jail list: ssh-iptables
# fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/sshd.conf
Success, the total number of match is 4896

Here is the result of a deliberate wrong user login (from /var/log/secure):
Jul 23 07:49:24 my-server sshd[7438]: pam_unix(sshd:auth): check pass; user unknown
Jul 23 07:49:24 my-server sshd[7438]: pam_succeed_if(sshd:auth): error retrieving information about user uhbs
Jul 23 07:49:26 my-server sshd[7438]: Failed password for invalid user uhbs from port 3107 ssh2
To ensure that there was no time issue, I immediately ran the date command:
Thu Jul 23 07:49:29 BST 2009
There are no local config files so here are the regular files (snipped for brevity):

# Fail2Ban configuration file
# Author: Cyril Jaquier
# $Revision: 617 $


ignoreip =

bantime = 60

findtime = 600

maxretry = 3

backend = auto


enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
logpath = /var/log/secure
maxretry = 3


# Fail2Ban configuration file
# Author: Cyril Jaquier
# $Revision: 663 $


before = common.conf

_daemon = sshd

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$
            ^%(__prefix_line)sFailed [-/\w]+ for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$
            ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
            ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
            ^%(__prefix_line)sUser \S+ from <HOST> not allowed because not listed in AllowUsers$
            ^%(__prefix_line)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
            ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
            ^%(__prefix_line)sAddress <HOST> .* POSSIBLE BREAK-IN ATTEMPT\s*$

ignoreregex =

I have not changed iptables.conf

When I stop and start Fail2ban an email is sent confirming the stop and another for the start.

The version I installed was fail2ban-0.8.2-3.el5.rf.noarch.rpm from
DAG packages for Red Hat Linux el5 x86_64.

Hoping that someone can help. Thanks for reading.

Edited to add: var/log/fail2ban.log shows no entry for failed logins but does show entries for the start/stop.

Last edited by Wandering-Aimlessly; 23rd July 2009 at 10:47. Reason: Additional info
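Added example, not part of the original post and not fail2ban's own code: a simplified model of the two conditions a log line has to meet before it counts toward a ban, namely matching a failregex with a host and being no older than findtime on the daemon's clock. A fail2ban-regex run over a whole log file counts matches regardless of their age, so it checks only the first condition. The prefix pattern, the sample lines and the function names are assumptions made for this example.

```python
import re
from datetime import datetime, timedelta

# Simplified stand-in for fail2ban's __prefix_line from common.conf (assumption).
PREFIX = r"^\s*\S+ sshd(?:\[\d+\])?:\s+"
HOST = r"(?:::f{4,6}:)?(?P<host>\S+)"  # what the <HOST> tag expands to
# Two of the failregex lines quoted in the post.
FAILREGEX = [re.compile(PREFIX + p.replace("<HOST>", HOST)) for p in (
    r"Failed [-/\w]+ for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$",
    r"[iI](?:llegal|nvalid) user .* from <HOST>\s*$",
)]

# Constructed sample lines; 192.0.2.10 is a documentation address.
SAMPLE = [
    "Jul 23 07:49:20 my-server sshd[7438]: Failed password for invalid user uhbs from 192.0.2.10 port 3107 ssh2",
    "Jul 23 07:49:22 my-server sshd[7438]: pam_unix(sshd:auth): check pass; user unknown",
    "Jul 23 07:49:23 my-server sshd[7438]: Failed password for invalid user uhbs from 192.0.2.10 port 3107 ssh2",
    "Jul 23 07:49:26 my-server sshd[7438]: Failed password for invalid user uhbs from 192.0.2.10 port 3107 ssh2",
]

def match_host(rest):
    """Return the captured host if any failregex matches, else None."""
    for rx in FAILREGEX:
        m = rx.match(rest)
        if m:
            return m.group("host")
    return None

def count_failures(lines, now, findtime=600, year=2009):
    """Count matching lines per host, dropping entries older than findtime."""
    hits = {}
    for line in lines:
        # Syslog stamps carry no year; the caller supplies it.
        stamp = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
        host = match_host(line[15:])
        if host is None or now - stamp > timedelta(seconds=findtime):
            continue
        hits[host] = hits.get(host, 0) + 1
    return hits

def banned(lines, now, maxretry=3, findtime=600):
    """Hosts whose in-window failure count reaches maxretry."""
    counts = count_failures(lines, now, findtime)
    return sorted(h for h, n in counts.items() if n >= maxretry)

if __name__ == "__main__":
    in_sync = datetime(2009, 7, 23, 7, 49, 29)
    print("clock in sync:", banned(SAMPLE, in_sync))
    print("daemon clock 1h ahead:", banned(SAMPLE, in_sync + timedelta(hours=1)))
```

With the daemon's clock one hour ahead of the log timestamps (for example a timezone mismatch between syslog and fail2ban), every line still matches the regex but none counts toward maxretry.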