23rd July 2009, 09:42
Wandering-Aimlessly
Fail2Ban fails to ban :-)

Hi people.

I have spent 2 days trying to get Fail2Ban to work. I have read everything I can find without success, so it is time to ask.

I have installed Fail2ban on a test server and after some messing with the configs got it working well. Then I tried to install on a production box but it just won't work. Both boxes are running CentOS 5.3 and are reasonably identical (except the hardware of course). I have even copied the configs from the test to the production box.

Fail2ban seems to be running and passes all the tests I can come up with but it just fails to ban any attempts at brute force SSH.

Here are the configs/results of tests etc :-

# fail2ban-client status
Quote:
Status
|- Number of jail: 1
`- Jail list: ssh-iptables
# fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/sshd.conf
Quote:
Success, the total number of match is 4896

Here is the result of a deliberate wrong user login (from /var/log/secure):
Quote:
Jul 23 07:49:24 my-server sshd[7438]: pam_unix(sshd:auth): check pass; user unknown
Jul 23 07:49:24 my-server sshd[7438]: pam_succeed_if(sshd:auth): error retrieving information about user uhbs
Jul 23 07:49:26 my-server sshd[7438]: Failed password for invalid user uhbs from 123.123.123.123 port 3107 ssh2
To ensure that there was no time issue, I immediately ran the date command:
Quote:
Thu Jul 23 07:49:29 BST 2009
There are no local config files so here are the regular files (snipped for brevity):

Jail.conf
Quote:
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 617 $



[DEFAULT]

ignoreip = 127.0.0.1

bantime = 60

findtime = 600

maxretry = 3

backend = auto



[ssh-iptables]

enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
         sendmail-whois[name=SSH, dest=my-email@my-domain.co.uk, sender=fail2ban@mail.com]
logpath = /var/log/secure
maxretry = 3

sshd.conf

Quote:
# Fail2Ban configuration file
# Author: Cyril Jaquier
# $Revision: 663 $


[INCLUDES]

before = common.conf

[Definition]
_daemon = sshd

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$
            ^%(__prefix_line)sFailed [-/\w]+ for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$
            ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
            ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
            ^%(__prefix_line)sUser \S+ from <HOST> not allowed because not listed in AllowUsers$
            ^%(__prefix_line)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
            ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
            ^%(__prefix_line)sAddress <HOST> .* POSSIBLE BREAK-IN ATTEMPT\s*$


ignoreregex =

I have not changed iptables.conf

When I stop and start Fail2ban an email is sent confirming the stop and another for the start.

The version I installed was fail2ban-0.8.2-3.el5.rf.noarch.rpm from DAG packages for Red Hat Linux el5 x86_64.

Hoping that someone can help. Thanks for reading.

Edited to add: var/log/fail2ban.log shows no entry for failed logins but does show entries for the start/stop.

Last edited by Wandering-Aimlessly; 23rd July 2009 at 09:47. Reason: Additional info
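
How the jail settings quoted in the post (findtime = 600, maxretry = 3) turn matching /var/log/secure lines into a ban decision, as an added example that is not part of the original post and not fail2ban's own code. The regex is a simplified stand-in for one failregex line, the sample log lines are constructed, `find_bans` is a hypothetical helper, and dropping failures older than findtime relative to the clock is a modelling assumption.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified stand-in for the filter's "Failed ... from <HOST>" line; the real
# filter expands %(__prefix_line)s and <HOST> itself (IPv4 only here).
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed [-/\w]+ for .* from (?P<host>\d{1,3}(?:\.\d{1,3}){3})"
    r"(?: port \d*)?(?: ssh\d*)?$"
)

# Constructed sample lines in the /var/log/secure format quoted in the post.
SAMPLE = """\
Jul 23 07:49:26 my-server sshd[7438]: Failed password for invalid user uhbs from 192.0.2.10 port 3107 ssh2
Jul 23 07:49:31 my-server sshd[7440]: Failed password for invalid user test from 192.0.2.10 port 3110 ssh2
Jul 23 07:49:37 my-server sshd[7442]: Failed password for root from 192.0.2.10 port 3114 ssh2
Jul 23 07:49:40 my-server sshd[7444]: Failed password for root from 192.0.2.20 port 4001 ssh2
""".splitlines()


def find_bans(lines, now, findtime=600, maxretry=3, year=2009):
    """Return {ip: timestamp of the failure that reached maxretry}.

    Syslog lines carry no year, so it is passed in. Failures older than
    findtime seconds relative to `now` are dropped (modelling assumption).
    """
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)  # ip -> failure times inside the window
    bans = {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        if now - ts > window:  # stale against the clock: never counted
            continue
        hits = recent[m["host"]]
        hits.append(ts)
        while ts - hits[0] > window:  # forget failures that left the window
            hits.popleft()
        if len(hits) >= maxretry:
            bans.setdefault(m["host"], ts)  # keep the first triggering time
    return bans


if __name__ == "__main__":
    print(find_bans(SAMPLE, now=datetime(2009, 7, 23, 7, 50, 0)))
```

With `now` set an hour ahead of the log timestamps the same lines produce no bans, which is the kind of time issue the `date` check in the post is looking for.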
All times are GMT +2.