#1  
Old 1st March 2008, 18:49
mmistroni mmistroni is offline
Member
 
Join Date: Jan 2008
Posts: 37
Thanks: 0
Thanked 0 Times in 0 Posts
Default fail2ban problem

hi all,
i am installing fail2ban on my VPS running Ubunti Feisty Fawn server
i have followed tutorial here

http://www.howtoforge.com/fail2ban_debian_etch

however, i am getting this exception from fail2ban.log

fail2ban.comm : WARNING Invalid command:['set','proftpd', 'failregex', 'proftpd:\\(pam_unix\\) authentication failure


would it be because i don't have proftpd?

thanks and regards
marco
Reply With Quote
Sponsored Links
  #2  
Old 2nd March 2008, 13:36
mmistroni mmistroni is offline
Member
 
Join Date: Jan 2008
Posts: 37
Thanks: 0
Thanked 0 Times in 0 Posts
Default

Hello,
i realized maybe if i post more information.... my problem will seem clearer.

here's my jail.local
Code:
# Fail2Ban configuration file.
#
# This file was composed for Debian systems from the original one
#  provided now under /usr/share/doc/fail2ban/examples/jail.conf
#  for additional examples.
#
# To avoid merges during upgrades DO NOT MODIFY THIS FILE
# and rather provide your changes in /etc/fail2ban/jail.local
#
# Author: Yaroslav O. Halchenko <debian@onerussian.com>
#
# $Revision: 281 $
#

# The DEFAULT allows a global definition of the options. They can be override
# in each jail afterwards.

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1 82.113.128.42
bantime  = 600
maxretry = 3

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto".
# yoh: For some reason Debian shipped python-gamin didn't work as expected
#      This issue left ToDo, so polling is default backend for now
backend = polling

#
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = info@worldcorpservices.com

#
# ACTIONS
#
action = iptables[name=%(__name__)s, port=%(port)s]






[ssh]

enabled = true
port	= ssh,sftp
filter	= sshd
logpath  = /var/log/auth.log
maxretry = 6


[ssh-ddos]

enabled = false
port    = ssh,sftp
filter  = sshd-ddos
logpath  = /var/log/auth.log
maxretry = 6

#
# HTTP servers
#

[apache]

enabled = true
port	= http,https
filter	= apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 6

# default action is now multiport, so apache-multiport jail was left
# for compatibility with previous (<0.7.6-2) releases
[apache-multiport]

enabled   = false
port	  = http,https
filter	  = apache-auth
logpath   = /var/log/apache*/*access.log
maxretry  = 6

[apache-noscript]

enabled = false
port    = http,https
filter  = apache-noscript
logpath = /var/log/apache*/*error.log
maxretry = 6

#
# FTP servers
#

[vsftpd]

enabled  = false
port	 = ftp,ftp-data,ftps,ftps-data
filter   = vsftpd
logpath  = /var/log/.log
logpath = /var/log/auth.log
# if you want to rely on PAM failed login attempts
# vsftpd's failregex should match both of those formats
maxretry = 6


[proftpd]

enabled  = true
port	 = ftp,ftp-data,ftps,ftps-data
filter   = proftpd
logpath  = /var/log/auth.log
maxretry = 6


[wuftpd]

enabled  = false
port	 = ftp,ftp-data,ftps,ftps-data
filter   = wuftpd
logpath  = /var/log/auth.log
maxretry = 6


#
# Mail servers
#

[postfix]

enabled  = false
port	 = smtp,ssmtp
filter   = postfix
logpath  = /var/log/mail.log


[couriersmtp]

enabled  = false
port	 = smtp,ssmtp
filter   = couriersmtp
logpath  = /var/log/mail.log


#
# Mail servers authenticators: might be used for smtp,ftp,imap servers, so
# all relevant ports get banned
#
[courierpop3]

enabled  = true
port     = pop3
filter   = courierlogin
failregex = courierpop3login: LOGIN FAILED.*ip=\[.*:<HOST>\]
logpath  = /var/log/mail.log
maxretry = 5



[courierimap]

enabled  = true
port     = imap2
filter   = courierlogin
failregex = imapd: LOGIN FAILED.*ip=\[.*:<HOST>\]
logpath  = /var/log/mail.log
maxretry = 5

[sasl]

#enabled  = true
#port     = smtp
#filter   = sasl
#failregex = warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-#MD5) authentication failed
#logpath  = /var/log/mail.log
#maxretry = 5



[sasl]

enabled  = true
port	 = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter   = sasl
logpath  = /var/log/mail.log
and here's my fail2ban.log
Code:
2008-03-02 12:24:33,477 fail2ban.actions.action: INFO   Set actionBan = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
2008-03-02 12:24:33,478 fail2ban.actions.action: INFO   Set actionStop = iptables -D INPUT -p <protocol> --dport <port> -j fail2ban-<name>
iptables -F fail2ban-<name>
iptables -X fail2ban-<name>
2008-03-02 12:24:33,480 fail2ban.actions.action: INFO   Set actionStart = iptables -N fail2ban-<name>
iptables -A fail2ban-<name> -j RETURN
iptables -I INPUT -p <protocol> --dport <port> -j fail2ban-<name>
2008-03-02 12:24:33,481 fail2ban.actions.action: INFO   Set actionUnban = iptables -D fail2ban-<name> -s <ip> -j DROP
2008-03-02 12:24:33,482 fail2ban.actions.action: INFO   Set actionCheck = iptables -n -L INPUT | grep -q fail2ban-<name>
2008-03-02 12:24:33,485 fail2ban.jail   : INFO   Using poller
2008-03-02 12:24:33,485 fail2ban.filter : INFO   Created Filter
2008-03-02 12:24:33,485 fail2ban.filter : INFO   Created FilterPoll
2008-03-02 12:24:33,486 fail2ban.filter : INFO   Added logfile = /var/log/mail.log
2008-03-02 12:24:33,487 fail2ban.filter : INFO   Set maxRetry = 5
2008-03-02 12:24:33,488 fail2ban.comm   : WARNING Invalid command: ['set', 'courierpop3', 'failregex', 'courierpop3login: LOGIN FAILED.*ip=\\[.*:<HOST>\\]']

anyone could help me for fixing the regex expression (as it seems to me that that is the problem)


regards
marco
Reply With Quote
  #3  
Old 2nd March 2008, 13:42
mmistroni mmistroni is offline
Member
 
Join Date: Jan 2008
Posts: 37
Thanks: 0
Thanked 0 Times in 0 Posts
Default

oh, and here's my fail2ban.log
Code:
008-03-02 12:22:25,423 fail2ban.server : INFO   Exiting Fail2ban
2008-03-02 12:24:33,461 fail2ban.jail   : INFO   Using poller
2008-03-02 12:24:33,469 fail2ban.filter : INFO   Created Filter
2008-03-02 12:24:33,469 fail2ban.filter : INFO   Created FilterPoll
2008-03-02 12:24:33,470 fail2ban.filter : INFO   Added logfile = /var/log/auth.log
2008-03-02 12:24:33,471 fail2ban.filter : INFO   Set maxRetry = 6
2008-03-02 12:24:33,473 fail2ban.filter : INFO   Set findtime = 600
2008-03-02 12:24:33,474 fail2ban.actions: INFO   Set banTime = 600
2008-03-02 12:24:33,477 fail2ban.actions.action: INFO   Set actionBan = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
2008-03-02 12:24:33,478 fail2ban.actions.action: INFO   Set actionStop = iptables -D INPUT -p <protocol> --dport <port> -j fail2ban-<name>
iptables -F fail2ban-<name>
iptables -X fail2ban-<name>
2008-03-02 12:24:33,480 fail2ban.actions.action: INFO   Set actionStart = iptables -N fail2ban-<name>
iptables -A fail2ban-<name> -j RETURN
iptables -I INPUT -p <protocol> --dport <port> -j fail2ban-<name>
2008-03-02 12:24:33,481 fail2ban.actions.action: INFO   Set actionUnban = iptables -D fail2ban-<name> -s <ip> -j DROP
2008-03-02 12:24:33,482 fail2ban.actions.action: INFO   Set actionCheck = iptables -n -L INPUT | grep -q fail2ban-<name>
2008-03-02 12:24:33,485 fail2ban.jail   : INFO   Using poller
2008-03-02 12:24:33,485 fail2ban.filter : INFO   Created Filter
2008-03-02 12:24:33,485 fail2ban.filter : INFO   Created FilterPoll
2008-03-02 12:24:33,486 fail2ban.filter : INFO   Added logfile = /var/log/mail.log
2008-03-02 12:24:33,487 fail2ban.filter : INFO   Set maxRetry = 5
2008-03-02 12:24:33,488 fail2ban.comm   : WARNING Invalid command: ['set', 'courierpop3', 'failregex', 'courierpop3login: LOGIN FAILED.*ip=\\[.*:<HOST>\\]']
regards
marco
Reply With Quote
  #4  
Old 2nd March 2008, 14:50
falko falko is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 41,701
Thanks: 1,900
Thanked 2,722 Times in 2,563 Posts
Default

What's in /etc/fail2ban/filter.d/proftpd?
__________________
Falko
--
Download the ISPConfig 3 Manual! | Check out the ISPConfig 3 Billing Module!

FB: http://www.facebook.com/howtoforge

nginx-Webhosting: Timme Hosting | Follow me on:
Reply With Quote
  #5  
Old 2nd March 2008, 16:03
mmistroni mmistroni is offline
Member
 
Join Date: Jan 2008
Posts: 37
Thanks: 0
Thanked 0 Times in 0 Posts
Default

falko,
thanks for replying on a sunday

here's what's in proftpd.conf
Code:
# Fail2Ban configuration file
#
# Author: Yaroslav Halchenko
#
# $Revision: 510 $
#

[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
failregex = USER \S+: no such user found from \S* ?\[<HOST>\] to \S+\s*$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
HOwver to avoid problem i have 'disabled' all *ftp, in order to track down the problem. Now its' failing with courierpop3

and here's the most recent failure, courierpop3
Code:
2008-03-02 14:57:47,249 fail2ban.comm   : WARNING Invalid command: ['set', 'courierpop3', 'failregex', 'courierpop3login: LOGIN FAILED.*ip=\\[.*:<HOST>\\]']
here's what's in courierlogin.conf


Code:
# Fail2Ban configuration file
#
# Author: Christoph Haas
# Modified by: Cyril Jaquier
#
# $Revision: 510 $
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
failregex = LOGIN FAILED, .*, ip=\[<HOST>\]$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
what am i missing?

regards
marco
Reply With Quote
  #6  
Old 3rd March 2008, 18:49
falko falko is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 41,701
Thanks: 1,900
Thanked 2,722 Times in 2,563 Posts
Default

Looks ok. Can you see anything like "\\(pam_unix\\) authentication failure" in any of the fail2ban configuration files?
__________________
Falko
--
Download the ISPConfig 3 Manual! | Check out the ISPConfig 3 Billing Module!

FB: http://www.facebook.com/howtoforge

nginx-Webhosting: Timme Hosting | Follow me on:
Reply With Quote
  #7  
Old 4th March 2008, 21:48
mmistroni mmistroni is offline
Member
 
Join Date: Jan 2008
Posts: 37
Thanks: 0
Thanked 0 Times in 0 Posts
Default

falko,
not in mail.log

i have some in auth.log,
it looks like this

Code:
(pam_unix) authentication failure; logname=uid=0 euid=0
i m still keeping denyhost running, but it looks like when no auth failure is in the mail.log, i got the exception below
and then it seems like fail2ban refuse to run....

i might try to disable denyhost for a while and see how fail2ban perform, but it seems weird to me that fail2ban still does not update iptables based on , e.g., auth.log

any more hints on what can cause the problem?
if everything i have done looks ok, i'll try to disable denyhosts and have fail2ban run, to see if it work

thanks and regards
marco
Reply With Quote
  #8  
Old 5th March 2008, 16:12
falko falko is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 41,701
Thanks: 1,900
Thanked 2,722 Times in 2,563 Posts
Default

Did you check the fail2ban configuration files (see my previous post)?
__________________
Falko
--
Download the ISPConfig 3 Manual! | Check out the ISPConfig 3 Billing Module!

FB: http://www.facebook.com/howtoforge

nginx-Webhosting: Timme Hosting | Follow me on:
Reply With Quote
  #9  
Old 5th March 2008, 21:06
mmistroni mmistroni is offline
Member
 
Join Date: Jan 2008
Posts: 37
Thanks: 0
Thanked 0 Times in 0 Posts
Default

falko,
just to make sure i undestand your question
when you talk about fail2ban conf files, are you referring to all
the logpath i am configurin in jail.local?

regards
marco
Reply With Quote
  #10  
Old 6th March 2008, 19:03
falko falko is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 41,701
Thanks: 1,900
Thanked 2,722 Times in 2,563 Posts
 
Default

I mean all fail2ban configuration files in /etc/fail2ban and its subdirectories.
__________________
Falko
--
Download the ISPConfig 3 Manual! | Check out the ISPConfig 3 Billing Module!

FB: http://www.facebook.com/howtoforge

nginx-Webhosting: Timme Hosting | Follow me on:
Reply With Quote
Reply

Bookmarks

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
postfix problems with smtp linkdeb Server Operation 13 15th March 2014 17:58
Strange email problem for one of my domains... any help appreciated paulrobert_a Installation/Configuration 5 9th August 2010 14:15
sending e-mail using mail() function linuxuser1 HOWTO-Related Questions 38 21st April 2009 12:20
postfix mysql on fedora core5 igongora Installation/Configuration 7 17th April 2007 04:40
Postfix+MySQL Problem jasutton Installation/Configuration 1 15th June 2006 16:06


All times are GMT +2. The time now is 01:07.


Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2014, vBulletin Solutions, Inc.