  #1  
21st May 2010, 18:11
MET
Fail2ban (without iptables) doesn't work, why?

My externally hosted vserver runs Debian lenny stable. Fail2ban 0.8.3 (and iptables) have been installed with the package manager. The intention is to use fail2ban with the messages file from asterisk, i.e. without iptables. The configuration files for fail2ban are according to this howto.

When I start fail2ban with
/etc/init.d/fail2ban start
no further information is given, so I thought it would work. Later I questioned whether it would require beforehand a
/etc/init.d/fail2ban reload
or a
/etc/init.d/fail2ban restart
and in both of these cases I obtain each time the result "failed!"

How could I find out what is going wrong?

Note: I'm not very familiar with Linux, I only use it in the context of the asterisk.
  #2  
22nd May 2010, 12:35
MET

Fail2Ban works now. The reload has to be done with

/usr/bin/fail2ban-client reload

and not with
/etc/init.d/fail2ban reload
(as mentioned in the howto from Voip-Info.org)

However, the log indicates that there is still an issue with the mail message (address changed here):
Quote:
2010-05-22 11:57:10,435 fail2ban.actions.action: ERROR printf %b "Hi,\n
The jail ASTERISK has been started successfully.\n
Regards,\n
Fail2Ban"|mail -s "[Fail2Ban] ASTERISK: started" Me@My.com returned 7f00
Any ideas why the mail-message doesn't work? The mail address is on a different server. Could this be the reason?
  #3  
22nd May 2010, 14:34
falko

Can you post your /etc/fail2ban/jail.conf?
  #4  
22nd May 2010, 15:51
MET

Quote:
Originally Posted by falko View Post
Can you post your /etc/fail2ban/jail.conf?
Note that I tried with different mail-addresses. None of them is hosted on the same server:
Code:
# Fail2Ban configuration file
...
# $Revision: 747 $
...

[DEFAULT]

bantime  = 600
findtime  = 600
maxretry = 3
backend = auto


[asterisk-iptables]

enabled  = true
filter   = asterisk
action   = hostsdeny[name=ASTERISK, protocol=all]
           mail-whois[name=ASTERISK, dest=Me@My1stDomain.com, sender=Me@My2ndDomain.com]
logpath  = /var/log/asterisk/messages
# maxretry = 5
# bantime = 259200
maxretry = 3
findtime = 300
bantime = 600

...
all other entries have: enabled=false
  #5  
22nd May 2010, 17:06
MET
Fail2Ban fails to ban!

I just had another attack. The settings in jail.conf were those for manual testing, as posted before:

maxretry = 3
findtime = 300
bantime = 600

The log files show the following:

Asterisk
Code:
[2010-05-22 16:04:05] NOTICE[29225] chan_sip.c: Registration from '"1249349713"<sip:1249349713@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
[2010-05-22 16:04:05] NOTICE[29225] chan_sip.c: Registration from '"100"<sip:100@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
[2010-05-22 16:04:05] NOTICE[29225] chan_sip.c: Registration from '"101"<sip:101@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
[2010-05-22 16:04:05] NOTICE[29225] chan_sip.c: Registration from '"102"<sip:102@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
[2010-05-22 16:04:05] NOTICE[29225] chan_sip.c: Registration from '"103"<sip:103@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
[2010-05-22 16:04:05] NOTICE[29225] chan_sip.c: Registration from '"104"<sip:104@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
....
[2010-05-22 16:12:58] NOTICE[29225] chan_sip.c: Registration from '"9994"<sip:9994@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
[2010-05-22 16:12:58] NOTICE[29225] chan_sip.c: Registration from '"9995"<sip:9995@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
[2010-05-22 16:12:58] NOTICE[29225] chan_sip.c: Registration from '"9996"<sip:9996@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
[2010-05-22 16:12:58] NOTICE[29225] chan_sip.c: Registration from '"9997"<sip:9997@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
[2010-05-22 16:12:58] NOTICE[29225] chan_sip.c: Registration from '"9998"<sip:9998@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
[2010-05-22 16:12:58] NOTICE[29225] chan_sip.c: Registration from '"9999"<sip:9999@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
Fail2ban:
Code:
2010-05-22 16:04:06,632 fail2ban.actions: WARNING [asterisk-iptables] Ban 76.76.96.74
2010-05-22 16:04:09,130 fail2ban.actions.action: ERROR  printf %b "Hi,\n
The IP 76.76.96.74 has just been banned by Fail2Ban after
11 attempts against ASTERISK.\n\n
Here are more information about 76.76.96.74:\n
`whois 76.76.96.74`\n
Regards,\n
Fail2Ban"|mail -s "[Fail2Ban] ASTERISK: banned 76.76.96.74" Me@My.net returned 7f00
2010-05-22 16:04:09,130 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
2010-05-22 16:04:10,133 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
2010-05-22 16:04:11,132 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
2010-05-22 16:04:12,132 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
2010-05-22 16:04:13,132 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
2010-05-22 16:04:14,132 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
2010-05-22 16:04:15,133 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
2010-05-22 16:04:16,133 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
2010-05-22 16:04:17,133 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
...
2010-05-22 16:12:55,309 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
2010-05-22 16:12:56,311 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
2010-05-22 16:12:57,318 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
2010-05-22 16:12:58,321 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
2010-05-22 16:14:07,356 fail2ban.actions: WARNING [asterisk-iptables] Unban 76.76.96.74
There are about 40 attacks per second, whereas fail2ban reacts only at about one-second intervals by reporting "already banned".

Fail2ban also added the IP to the file /etc/hosts.deny.

Why then hasn't the IP been blocked?
Any suggestions/recommendations to get it working?

Last edited by MET; 24th May 2010 at 15:57.
  #6  
25th May 2010, 07:43
make-fun

What is the output of
Code:
grep -h "Ban " /var/log/fail2ban.log* | awk '{print $5,$1}' | sort | uniq -c
Code:
grep -h "already banned" /var/log/fail2ban.log* | awk '{print $5,$1}' | sort | uniq -c
Code:
grep -h "Unban " /var/log/fail2ban.log* | awk '{print $5,$1}' | sort | uniq -c
Do they match?
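An added example, not from this thread and not fail2ban's own code, that does in Python what make-fun's three grep/awk pipelines do: it counts Ban, "already banned" and Unban events per IP in fail2ban.log and checks whether they match. It runs over a constructed sample modelled on the lines MET posted in #5 (the second IP is made up), and additionally flags IPs that kept hitting the filter after their Ban, which is the symptom in MET's log that the ban action was not actually stopping the traffic.

```python
import re
from collections import defaultdict

# Constructed sample of fail2ban.log lines, modelled on the ones posted in this thread.
SAMPLE_LOG = """\
2010-05-22 16:04:06,632 fail2ban.actions: WARNING [asterisk-iptables] Ban 76.76.96.74
2010-05-22 16:04:09,130 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
2010-05-22 16:04:10,133 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
2010-05-22 16:12:58,321 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
2010-05-22 16:14:07,356 fail2ban.actions: WARNING [asterisk-iptables] Unban 76.76.96.74
2010-05-22 17:00:01,000 fail2ban.actions: WARNING [asterisk-iptables] Ban 192.0.2.10
2010-05-22 17:10:02,000 fail2ban.actions: WARNING [asterisk-iptables] Unban 192.0.2.10
"""

# One regex for the three events the grep pipelines in post #6 look for.
EVENT_RE = re.compile(
    r"^(?P<date>\S+) \S+ fail2ban\.actions: WARNING \[(?P<jail>[^\]]+)\] "
    r"(?:(?P<kind>Ban|Unban) (?P<ip>\S+)|(?P<ip2>\S+) (?P<kind2>already banned))$"
)


def count_events(log_text):
    """Return {ip: {'Ban': n, 'already banned': n, 'Unban': n}} for every IP seen."""
    counts = defaultdict(lambda: {"Ban": 0, "already banned": 0, "Unban": 0})
    for line in log_text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue  # not one of the three ban-related messages
        ip = m.group("ip") or m.group("ip2")
        kind = m.group("kind") or m.group("kind2")
        counts[ip][kind] += 1
    return dict(counts)


def ineffective_bans(counts):
    """IPs that kept matching the filter after being banned: the ban action
    (hostsdeny in this thread) evidently did not stop their traffic."""
    return sorted(ip for ip, c in counts.items() if c["already banned"] > 0)


def unbalanced(counts):
    """IPs whose Ban and Unban counts differ (make-fun's 'do they match?' check)."""
    return sorted(ip for ip, c in counts.items() if c["Ban"] != c["Unban"])


if __name__ == "__main__":
    c = count_events(SAMPLE_LOG)
    for ip, ev in sorted(c.items()):
        print(ip, ev)
    print("ineffective bans:", ineffective_bans(c), "unbalanced:", unbalanced(c))
```

To run it against a real log, replace SAMPLE_LOG with the contents of /var/log/fail2ban.log (and its rotated copies).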