Go Back   HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials > Linux Forums > Installation/Configuration

Do you like HowtoForge? Please consider supporting us by becoming a subscriber.
Reply
 
Thread Tools Display Modes
  #1  
Old 8th May 2008, 21:02
bswinnerton bswinnerton is offline
Senior Member
 
Join Date: Jul 2007
Location: Connecticut, US
Posts: 502
Thanks: 51
Thanked 17 Times in 14 Posts
Default Fail2Ban not working

Ever since I updated to Ubuntu 8.04, I cannot get Fail2Ban to work. I have removed it and re-installed it but still no luck. I am using a jail.local as opposed to just the jail.conf.

I followed the debian how-to here on howtoforge.

Here is my jail.local:

Code:
# Fail2Ban configuration file.
#
# This file was composed for Debian systems from the original one
#  provided now under /usr/share/doc/fail2ban/examples/jail.conf
#  for additional examples.
#
# To avoid merges during upgrades DO NOT MODIFY THIS FILE
# and rather provide your changes in /etc/fail2ban/jail.local
#
# Author: Yaroslav O. Halchenko <debian@onerussian.com>
#
# $Revision: 281 $
#

# The DEFAULT allows a global definition of the options. They can be override
# in each jail afterwards.

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1 (More are listed, removed for privacy)
bantime  = 600
maxretry = 3

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto".
# yoh: For some reason Debian shipped python-gamin didn't work as expected
#      This issue left ToDo, so polling is default backend for now
backend = polling

#
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = webmaster@mysite.com

#
# ACTIONS
#

# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define 
# action_* variables. Can be overriden globally or per 
# section within jail.local file
banaction = iptables-multiport

# email action. Since 0.8.1 upstream fail2ban uses sendmail
# MTA for the mailing. Change mta configuration parameter to mail
# if you want to revert to conventional 'mail'.
mta = sendmail

# Default protocol
protocol = tcp

#
# Action shortcuts. To be used to define action parameter

# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s]

# ban & send an e-mail with whois report to the destemail.
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s]
              %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s]

# ban & send an e-mail with whois report and relevant log lines
# to the destemail.
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s]
               %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s]
 
# Choose default action.  To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g.  action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section 
action = %(action_)s

#
# JAILS
#

# Next jails corresponds to the standard configuration in Fail2ban 0.6 which
# was shipped in Debian. Enable any defined here jail by including
#
# [SECTION_NAME] 
# enabled = true

#
# in /etc/fail2ban/jail.local.
#
# Optionally you may override any other parameter (e.g. banaction,
# action, port, logpath, etc) in that section within jail.local

[ssh]

enabled = true
port	= ssh,sftp
filter	= sshd
logpath  = /var/log/auth.log
maxretry = 3

# Generic filter for pam. Has to be used with action which bans all ports
# such as iptables-allports, shorewall
[pam-generic]

enabled = false
# pam-generic filter can be customized to monitor specific subset of 'tty's
filter	= pam-generic
# port actually must be irrelevant but lets leave it all for some possible uses
port = all
banaction = iptables-allports
port     = anyport
logpath  = /var/log/auth.log
maxretry = 6


[ssh-ddos]

enabled = false
port    = ssh,sftp
filter  = sshd-ddos
logpath  = /var/log/auth.log
maxretry = 6

#
# HTTP servers
#

[apache]

enabled = true
port	= http,https
filter	= apache-auth
logpath = /var/log/apache*/*access.log
maxretry = 6

# default action is now multiport, so apache-multiport jail was left
# for compatibility with previous (<0.7.6-2) releases
[apache-multiport]

enabled   = false
port	  = http,https
filter	  = apache-auth
logpath   = /var/log/apache*/*access.log
maxretry  = 6

[apache-noscript]

enabled = false
port    = http,https
filter  = apache-noscript
logpath = /var/log/apache*/*error.log
maxretry = 6

#
# FTP servers
#

[vsftpd]

enabled  = false
port	 = ftp,ftp-data,ftps,ftps-data
filter   = vsftpd
logpath  = /var/log/vsftpd.log
# or overwrite it in jails.local to be
# logpath = /var/log/auth.log
# if you want to rely on PAM failed login attempts
# vsftpd's failregex should match both of those formats
maxretry = 6


[proftpd]

enabled  = true
port	 = ftp,ftp-data,ftps,ftps-data
filter   = proftpd
logpath  = /var/log/proftpd/proftpd.log
maxretry = 5


[wuftpd]

enabled  = false
port	 = ftp,ftp-data,ftps,ftps-data
filter   = wuftpd
logpath  = /var/log/auth.log
maxretry = 6


#
# Mail servers
#

[postfix]

enabled  = false
port	 = smtp,ssmtp
filter   = postfix
logpath  = /var/log/mail.log


[couriersmtp]

enabled  = false
port	 = smtp,ssmtp
filter   = couriersmtp
logpath  = /var/log/mail.log


#
# Mail servers authenticators: might be used for smtp,ftp,imap servers, so
# all relevant ports get banned
#

[courierauth]

enabled  = false
port	 = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter   = courierlogin
logpath  = /var/log/mail.log


[sasl]

enabled  = true
port	 = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter   = sasl
logpath  = /var/log/mail.log
maxretry = 5


# DNS Servers

# Mention: by default logging is off with bind installation.
# Need smth like
# logging {
#         channel lame-servers_file { file "/var/log/named/lame-servers.log" versions 3 size 30m; severity dynamic; print-time yes; };
# 		category lame-servers { lame-servers_file; };
# }
# in your named.conf to provide proper logging

# Word of Caution:
# Given filter can lead to DoS attack against your DNS server
# since there is no way to assure that UDP packets come from the
# real source IP
[named-refused-udp]

enabled  = false
port     = domain,953
protocol = udp
filter   = named-refused
logpath  = /var/log/named/lame-servers.log

[named-refused-tcp]

enabled  = false
port     = domain,953
protocol = tcp
filter   = named-refused
logpath  = /var/log/named/lame-servers.log
The logs look normal, beside the fact that it won't pick up hack-in attempts (all that i have seen so far is ssh)

Any help is much appreciated.
Reply With Quote
Sponsored Links
  #2  
Old 9th May 2008, 15:52
falko falko is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 41,701
Thanks: 1,900
Thanked 2,747 Times in 2,578 Posts
Default

Can you try what is suggested in chapters 9 and 10 on http://www.howtoforge.com/perfect-se...ntu8.04-lts-p3 ?
__________________
Falko
--
Download the ISPConfig 3 Manual! | Check out the ISPConfig 3 Billing Module!

FB: http://www.facebook.com/howtoforge

nginx-Webhosting: Timme Hosting | Follow me on:
Reply With Quote
  #3  
Old 9th May 2008, 16:08
bswinnerton bswinnerton is offline
Senior Member
 
Join Date: Jul 2007
Location: Connecticut, US
Posts: 502
Thanks: 51
Thanked 17 Times in 14 Posts
Default

Alright, I tried it out. Now I'm just going to try to re-enact a break in ..Or just wait the couple seconds it takes to have someone else try =P
Reply With Quote
  #4  
Old 9th May 2008, 16:12
bswinnerton bswinnerton is offline
Senior Member
 
Join Date: Jul 2007
Location: Connecticut, US
Posts: 502
Thanks: 51
Thanked 17 Times in 14 Posts
Default

=( Still nothing. If I look in the fail2ban log it is running, because it detects log rotations, but it won't block any failed attempts
Reply With Quote
  #5  
Old 9th May 2008, 16:18
bswinnerton bswinnerton is offline
Senior Member
 
Join Date: Jul 2007
Location: Connecticut, US
Posts: 502
Thanks: 51
Thanked 17 Times in 14 Posts
Default

Code:
sudo /etc/init.d/fail2ban restart
 * Restarting authentication failure monitor fail2ban
   ...fail!
What log can I look in to see why it failed? fail2ban.log doesn't have any changes.
Reply With Quote
  #6  
Old 10th May 2008, 17:46
falko falko is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 41,701
Thanks: 1,900
Thanked 2,747 Times in 2,578 Posts
Default

Try syslog.
__________________
Falko
--
Download the ISPConfig 3 Manual! | Check out the ISPConfig 3 Billing Module!

FB: http://www.facebook.com/howtoforge

nginx-Webhosting: Timme Hosting | Follow me on:
Reply With Quote
  #7  
Old 12th May 2008, 16:17
bswinnerton bswinnerton is offline
Senior Member
 
Join Date: Jul 2007
Location: Connecticut, US
Posts: 502
Thanks: 51
Thanked 17 Times in 14 Posts
Default

Nothing in Syslog, but now I have a new problem. I did a apt-get remove fail2ban and then deleted all instances of it using the comand locate. I deleted everything besides the stuff in /var/lib/dpkg/info/ and now when I go to install it, it will say

Code:
Building dependency tree       
Reading state information... Done
Suggested packages:
  mailx python-gamin
The following NEW packages will be installed:
  fail2ban
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 0B/82.4kB of archives.
After this operation, 614kB of additional disk space will be used.
Selecting previously deselected package fail2ban.
(Reading database ... 31636 files and directories currently installed.)
Unpacking fail2ban (from .../fail2ban_0.8.2-2_all.deb) ...
Setting up fail2ban (0.8.2-2) ...
But nothing is being created. When I look in /etc/fail2ban there are two folders but no scripts or config files.

Here is the output of the current state of my machine when I search for fail2ban:

Code:
/etc/fail2ban
/etc/fail2ban/action.d
/etc/fail2ban/filter.d
/usr/bin/fail2ban-client
/usr/bin/fail2ban-regex
/usr/bin/fail2ban-server
/usr/share/fail2ban
/usr/share/doc/fail2ban
/usr/share/doc/fail2ban/NEWS.Debian.gz
/usr/share/doc/fail2ban/README
/usr/share/doc/fail2ban/README.Debian.gz
/usr/share/doc/fail2ban/TODO
/usr/share/doc/fail2ban/TODO.Debian
/usr/share/doc/fail2ban/changelog.Debian.gz
/usr/share/doc/fail2ban/changelog.gz
/usr/share/doc/fail2ban/copyright
/usr/share/doc/fail2ban/examples
/usr/share/doc/fail2ban/examples/ipmasq-ZZZzzz|fail2ban.rul
/usr/share/doc/fail2ban/examples/jail.conf.gz
/usr/share/fail2ban/client
/usr/share/fail2ban/common
/usr/share/fail2ban/fail2ban-0.8.2.egg-info
/usr/share/fail2ban/server
/usr/share/fail2ban/client/__init__.py
/usr/share/fail2ban/client/__init__.pyc
/usr/share/fail2ban/client/actionreader.py
/usr/share/fail2ban/client/actionreader.pyc
/usr/share/fail2ban/client/beautifier.py
/usr/share/fail2ban/client/beautifier.pyc
/usr/share/fail2ban/client/configparserinc.py
/usr/share/fail2ban/client/configparserinc.pyc
/usr/share/fail2ban/client/configreader.py
/usr/share/fail2ban/client/configreader.pyc
/usr/share/fail2ban/client/configurator.py
/usr/share/fail2ban/client/configurator.pyc
/usr/share/fail2ban/client/csocket.py
/usr/share/fail2ban/client/csocket.pyc
/usr/share/fail2ban/client/fail2banreader.py
/usr/share/fail2ban/client/fail2banreader.pyc
/usr/share/fail2ban/client/filterreader.py
/usr/share/fail2ban/client/filterreader.pyc
/usr/share/fail2ban/client/jailreader.py
/usr/share/fail2ban/client/jailreader.pyc
/usr/share/fail2ban/client/jailsreader.py
/usr/share/fail2ban/client/jailsreader.pyc
/usr/share/fail2ban/common/__init__.py
/usr/share/fail2ban/common/__init__.pyc
/usr/share/fail2ban/common/protocol.py
/usr/share/fail2ban/common/protocol.pyc
/usr/share/fail2ban/common/version.py
/usr/share/fail2ban/common/version.pyc
/usr/share/fail2ban/server/__init__.py
/usr/share/fail2ban/server/__init__.pyc
/usr/share/fail2ban/server/action.py
/usr/share/fail2ban/server/action.pyc
/usr/share/fail2ban/server/actions.py
/usr/share/fail2ban/server/actions.pyc
/usr/share/fail2ban/server/asyncserver.py
/usr/share/fail2ban/server/asyncserver.pyc
/usr/share/fail2ban/server/banmanager.py
/usr/share/fail2ban/server/banmanager.pyc
/usr/share/fail2ban/server/datedetector.py
/usr/share/fail2ban/server/datedetector.pyc
/usr/share/fail2ban/server/datetemplate.py
/usr/share/fail2ban/server/datetemplate.pyc
/usr/share/fail2ban/server/faildata.py
/usr/share/fail2ban/server/faildata.pyc
/usr/share/fail2ban/server/failmanager.py
/usr/share/fail2ban/server/failmanager.pyc
/usr/share/fail2ban/server/failregex.py
/usr/share/fail2ban/server/failregex.pyc
/usr/share/fail2ban/server/filter.py
/usr/share/fail2ban/server/filter.pyc
/usr/share/fail2ban/server/filtergamin.py
/usr/share/fail2ban/server/filtergamin.pyc
/usr/share/fail2ban/server/filterpoll.py
/usr/share/fail2ban/server/filterpoll.pyc
/usr/share/fail2ban/server/jail.py
/usr/share/fail2ban/server/jail.pyc
/usr/share/fail2ban/server/jails.py
/usr/share/fail2ban/server/jails.pyc
/usr/share/fail2ban/server/jailthread.py
/usr/share/fail2ban/server/jailthread.pyc
/usr/share/fail2ban/server/mytime.py
/usr/share/fail2ban/server/mytime.pyc
/usr/share/fail2ban/server/server.py
/usr/share/fail2ban/server/server.pyc
/usr/share/fail2ban/server/ticket.py
/usr/share/fail2ban/server/ticket.pyc
/usr/share/fail2ban/server/transmitter.py
/usr/share/fail2ban/server/transmitter.pyc
/usr/share/man/man1/fail2ban-client.1.gz
/usr/share/man/man1/fail2ban-regex.1.gz
/usr/share/man/man1/fail2ban-server.1.gz
/usr/share/pyshared-data/fail2ban
/var/cache/apt/archives/fail2ban_0.8.2-2_all.deb
/var/lib/dpkg/info/fail2ban.conffiles
/var/lib/dpkg/info/fail2ban.list
/var/lib/dpkg/info/fail2ban.md5sums
/var/lib/dpkg/info/fail2ban.postinst
/var/lib/dpkg/info/fail2ban.postrm
/var/lib/dpkg/info/fail2ban.preinst
/var/lib/dpkg/info/fail2ban.prerm
/var/log/fail2ban.log
Reply With Quote
  #8  
Old 13th May 2008, 15:32
falko falko is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 41,701
Thanks: 1,900
Thanked 2,747 Times in 2,578 Posts
Default

Try
Code:
apt-get remove --purge fail2ban
and then install it again.
__________________
Falko
--
Download the ISPConfig 3 Manual! | Check out the ISPConfig 3 Billing Module!

FB: http://www.facebook.com/howtoforge

nginx-Webhosting: Timme Hosting | Follow me on:
Reply With Quote
The Following User Says Thank You to falko For This Useful Post:
bswinnerton (13th May 2008)
  #9  
Old 13th May 2008, 15:42
bswinnerton bswinnerton is offline
Senior Member
 
Join Date: Jul 2007
Location: Connecticut, US
Posts: 502
Thanks: 51
Thanked 17 Times in 14 Posts
Default

That worked! It created the config files and filled the log. Now I'll give it a try to see if it blocks again.
Reply With Quote
  #10  
Old 13th May 2008, 16:01
bswinnerton bswinnerton is offline
Senior Member
 
Join Date: Jul 2007
Location: Connecticut, US
Posts: 502
Thanks: 51
Thanked 17 Times in 14 Posts
 
Default

wohoo! It works.

Falko,

You're the man.
Reply With Quote
Reply

Bookmarks

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Fail2ban question joelee HOWTO-Related Questions 1 3rd April 2008 21:16
DNS stop working MZH General 3 22nd February 2008 12:10
Finally a working postfix server. But need a easy dns configuration mnewbegin Server Operation 5 17th October 2007 23:35
spamassassin stop working after woody to sarge update shark_tico Server Operation 1 19th October 2006 15:01
ftp not working pesja Installation/Configuration 3 17th July 2006 13:37


All times are GMT +2. The time now is 00:37.


Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2014, vBulletin Solutions, Inc.