4th August 2009, 13:41
rlischer

Quote:
Originally Posted by gscott187
In CentOS 5.3 edit the file /etc/fail2ban/jail.conf for the [ssh-iptables] entry such that the line beginning with logpath... is altered to that shown in red below.

[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
         sendmail-whois[name=SSH, dest=me@mysystem.com, sender=fail2ban@mysystem.com]
logpath = /var/log/secure
maxretry = 4


You can view /var/log/secure before you make these changes to verify that SSH attempts are logged here.

After editing jail.conf don't forget to restart fail2ban with the command:

# service fail2ban restart

If you get an OK when fail2ban starts (i.e. the process has started), test it again and see if you're blocked after maxretry attempts.

Thanks! I changed the config, restarted fail2ban. I did verify that /var/log/secure had information in it. I tried to hack in as root with bad passwords, but it keeps letting me try.

The log says I was banned, but it lies:
Code:
The IP has just been banned by Fail2Ban after
attempts against .\n\n
Here are more information about :\n
`/usr/bin/whois `\n
Regards,\n
Fail2Ban" | /usr/sbin/sendmail -f 
2009-08-04 07:38:10,866 fail2ban.actions.action: INFO Set actionStop = printf %b "Subject: [Fail2Ban] : stopped
From: Fail2Ban <>
To: \n
Hi,\n
The jail has been stopped.\n
Regards,\n
Fail2Ban" | /usr/sbin/sendmail -f 
2009-08-04 07:38:10,869 fail2ban.actions.action: INFO Set actionStart = printf %b "Subject: [Fail2Ban] : started
From: Fail2Ban <>
To: \n
Hi,\n
The jail has been started successfully.\n
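Added example, not part of the original post or of fail2ban itself: a small check for the "verify that SSH attempts are logged" step in the quote, counting failed sshd logins per source address against the `maxretry = 4` from the `[ssh-iptables]` stanza. The regex is a simplified stand-in for fail2ban's sshd filter, and the 600-second window, the `hosts_over_limit` name and the sample log lines are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

MAXRETRY = 4                       # from the [ssh-iptables] stanza quoted above
FINDTIME = timedelta(seconds=600)  # assumption: the window is not shown in the post

# Simplified pattern for sshd password failures; not fail2ban's own sshd filter.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssshd\[\d+\]:\s"
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample in the /var/log/secure format (documentation addresses).
SAMPLE = """\
Aug  4 07:35:01 host sshd[2101]: Failed password for root from 203.0.113.5 port 40001 ssh2
Aug  4 07:35:09 host sshd[2101]: Failed password for root from 203.0.113.5 port 40001 ssh2
Aug  4 07:35:30 host sshd[2107]: Failed password for invalid user admin from 198.51.100.7 port 51000 ssh2
Aug  4 07:36:02 host sshd[2110]: Failed password for root from 203.0.113.5 port 40002 ssh2
Aug  4 07:36:15 host sshd[2112]: Accepted password for rob from 192.0.2.10 port 52000 ssh2
Aug  4 07:36:40 host sshd[2115]: Failed password for root from 203.0.113.5 port 40003 ssh2
Aug  4 07:50:00 host sshd[2120]: Failed password for root from 198.51.100.7 port 51001 ssh2
"""

def hosts_over_limit(text, year=2009):
    """Return {ip: time of the failure that reached MAXRETRY within FINDTIME}."""
    recent = defaultdict(list)   # ip -> failure times still inside the window
    hits = {}
    for line in text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue             # accepted logins and unrelated lines are ignored
        # syslog timestamps carry no year, so one is supplied by the caller
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        recent[ip] = [t for t in recent[ip] if ts - t <= FINDTIME] + [ts]
        if len(recent[ip]) >= MAXRETRY and ip not in hits:
            hits[ip] = ts
    return hits

if __name__ == "__main__":
    for ip, when in hosts_over_limit(SAMPLE).items():
        print(f"{ip} reached maxretry={MAXRETRY} at {when:%b %d %H:%M:%S}")
```

Passing the contents of /var/log/secure instead of `SAMPLE` shows which addresses the jail should have acted on, which can then be compared with the ban entries in the fail2ban log.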