23rd November 2011, 23:50
cbj4074
fail2ban does not modify iptables entries

Hello,

I realize that this problem may not be ISPConfig-specific, but I'd like to eliminate that possibility, if nothing else. I'm using ISPConfig 3.0.4.

I've installed fail2ban 0.8.4, with minimal configuration changes, on Ubuntu 10.04-2 LTS. I installed fail2ban from the Ubuntu repository using apt-get.

My goal is to cover Apache authentication first, and then extend the fail2ban configuration to other services, such as ftp, dovecot, etc.

The default fail2ban configuration seems to be adequate, and the only change I made was to create the file /etc/fail2ban/jail.local and insert the following:

Code:
[apache]
enabled = true
logpath = /var/log/ispconfig/httpd/*/error.log

Likewise, the default regular expressions appear to be functioning as expected:

Code:
# fail2ban-regex /var/log/ispconfig/httpd/example.com/error.log /etc/fail2ban/filter.d/apache-auth.conf
Code:
Running tests
=============

Use regex file : /etc/fail2ban/filter.d/apache-auth.conf
Use log file   : /var/log/ispconfig/httpd/example.com/error.log


Results
=======

Failregex
|- Regular expressions:
|  [1] [[]client <HOST>[]] user .* authentication failure
|  [2] [[]client <HOST>[]] user .* not found
|  [3] [[]client <HOST>[]] user .* password mismatch
|
`- Number of matches:
   [1] 48 match(es)
   [2] 119 match(es)
   [3] 0 match(es)

Ignoreregex
|- Regular expressions:
|
`- Number of matches:

Summary
=======

Addresses found:
[1]
    xxx.xxx.xxx.xxx (Fri Sep 09 11:26:18 2011)
    ... [etc] ...

Date template hits:
9836 hit(s): MONTH Day Hour:Minute:Second
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
0 hit(s): Year/Month/Day Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/MONTH/Year:Hour:Minute:Second
0 hit(s): Month/Day/Year:Hour:Minute:Second
0 hit(s): Year-Month-Day Hour:Minute:Second
0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
0 hit(s): Day-Month-Year Hour:Minute:Second
0 hit(s): TAI64N
0 hit(s): Epoch
0 hit(s): ISO 8601
0 hit(s): Hour:Minute:Second
0 hit(s): <Month/Day/Year@Hour:Minute:Second>

Success, the total number of match is 167

However, look at the above section 'Running tests' which could contain important
information.

In my attempts to trigger a ban, I've entered invalid Apache credentials as many as two dozen times over the course of several minutes, yet the iptables rules are never modified accordingly (even though fail2ban is parsing the log entries correctly, per the above output).

Nothing significant is written to the fail2ban logs when I intentionally fail Apache authentication a dozen or so times. When I start the service, the following output is written to fail2ban's log:

Code:
2011-11-23 13:49:35,406 fail2ban.server : INFO   Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.4
2011-11-23 13:49:35,407 fail2ban.jail   : INFO   Creating new jail 'ssh'
2011-11-23 13:49:35,407 fail2ban.jail   : INFO   Jail 'ssh' uses poller
2011-11-23 13:49:35,425 fail2ban.filter : INFO   Added logfile = /var/log/auth.log
2011-11-23 13:49:35,425 fail2ban.filter : INFO   Set maxRetry = 6
2011-11-23 13:49:35,427 fail2ban.filter : INFO   Set findtime = 600
2011-11-23 13:49:35,428 fail2ban.actions: INFO   Set banTime = 600
2011-11-23 13:49:35,519 fail2ban.jail   : INFO   Creating new jail 'apache'
2011-11-23 13:49:35,519 fail2ban.jail   : INFO   Jail 'apache' uses poller
2011-11-23 13:49:35,520 fail2ban.filter : INFO   Added logfile = /var/log/ispconfig/httpd/sub1.example.com/error.log
2011-11-23 13:49:35,521 fail2ban.filter : INFO   Added logfile = /var/log/ispconfig/httpd/sub2.example.com/error.log
2011-11-23 13:49:35,521 fail2ban.filter : INFO   Set maxRetry = 6
2011-11-23 13:49:35,522 fail2ban.filter : INFO   Set findtime = 600
2011-11-23 13:49:35,523 fail2ban.actions: INFO   Set banTime = 600
2011-11-23 13:49:35,532 fail2ban.jail   : INFO   Jail 'ssh' started
2011-11-23 13:49:35,533 fail2ban.jail   : INFO   Jail 'apache' started

Where should I be looking next? Am I overlooking something obvious?

Thanks for any insights!

Last edited by cbj4074; 23rd November 2011 at 23:55. Reason: Added fail2ban log contents.
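As an added example (not part of cbj4074's post or of fail2ban itself): a small Python model of a jail's ban decision, applying the three apache-auth failregex patterns quoted in the fail2ban-regex output above to constructed Apache error-log lines, with the maxRetry = 6 and findtime = 600 values shown in the fail2ban log. It illustrates why a high fail2ban-regex match count does not by itself imply a ban: only failures from one host that fall within findtime of each other are counted. The Apache 2.2 timestamp format and the documentation IP addresses are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
# The three failregex lines from apache-auth.conf as fail2ban-regex printed
# them in the post, with fail2ban's <HOST> placeholder as a named group.
FAILREGEX = [
    re.compile(r"\[client (?P<host>\S+)\] user .* authentication failure"),
    re.compile(r"\[client (?P<host>\S+)\] user .* not found"),
    re.compile(r"\[client (?P<host>\S+)\] user .* password mismatch"),
]
# Apache 2.2 error-log timestamp, e.g. "[Fri Sep 09 11:26:18 2011]".
TIMESTAMP = re.compile(r"^\[(\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4})\]")

def parse_failure(line):
    """Return (timestamp, host) when a line matches a failregex, else None."""
    ts = TIMESTAMP.match(line)
    if ts is None:
        return None
    for rx in FAILREGEX:
        m = rx.search(line)
        if m:
            when = datetime.strptime(ts.group(1), "%a %b %d %H:%M:%S %Y")
            return when, m.group("host")
    return None

def hosts_to_ban(lines, maxretry=6, findtime=600):
    """Sliding-window count as a jail does it: a host is reported once it has
    maxretry failures whose timestamps all fall within findtime seconds."""
    recent, banned = defaultdict(deque), []
    for line in lines:
        hit = parse_failure(line)
        if hit is None:
            continue
        when, host = hit
        q = recent[host]
        q.append(when)
        while (when - q[0]).total_seconds() > findtime:  # drop stale entries
            q.popleft()
        if len(q) >= maxretry and host not in banned:
            banned.append(host)
    return banned

# Constructed sample log (documentation addresses, not real data): one client
# fails 6 times within 10 s, another fails 6 times but 30 minutes apart.
FMT = ('[{:%a %b %d %H:%M:%S %Y}] [error] [client {}] user {}: '
       'authentication failure for "/admin": Password Mismatch')
T0 = datetime(2011, 9, 9, 11, 26, 18)
SAMPLE_LOG = (
    [FMT.format(T0 + timedelta(seconds=2 * i), "203.0.113.5", "bob") for i in range(6)]
    + [FMT.format(T0 + timedelta(minutes=30 * i), "198.51.100.9", "alice") for i in range(6)]
)
```

Running hosts_to_ban(SAMPLE_LOG) reports only 203.0.113.5; the slow client never has 6 failures inside one 600-second window, so it would not be banned even though all 12 lines match a failregex.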