HowtoForge Forums > Linux Forums > Installation/Configuration
  #1  
Old 23rd July 2009, 10:42
Wandering-Aimlessly Wandering-Aimlessly is offline
Junior Member
 
Join Date: Jul 2009
Posts: 9
Thanks: 0
Thanked 0 Times in 0 Posts
Default Fail2Ban fails to ban :-)

Hi people.

I have spent 2 days trying to get Fail2Ban to work. I have read everything I can find without success, so it is time to ask.

I have installed Fail2ban on a test server and after some messing with the configs got it working well. Then I tried to install on a production box but it just won't work. Both boxes are running Centos 5.3 and are reasonably identical (except the hardware of course). I have even copied the configs from the test to the production box.

Fail2ban seems to be running and passes all the tests I can come up with but it just fails to ban any attempts at brute force SSH.

Here are the configs/results of tests etc :-

# fail2ban-client status
Quote:
Status
|- Number of jail: 1
`- Jail list: ssh-iptables
# fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/sshd.conf
Quote:
Success, the total number of match is 4896

Here is the result of a deliberate wrong user login (from /var/log/secure):
Quote:
Jul 23 07:49:24 my-server sshd[7438]: pam_unix(sshd:auth): check pass; user unknown
Jul 23 07:49:24 my-server sshd[7438]: pam_succeed_if(sshd:auth): error retrieving information about user uhbs
Jul 23 07:49:26 my-server sshd[7438]: Failed password for invalid user uhbs from 123.123.123.123 port 3107 ssh2
To ensure that there was no time issue, I immediately ran the date command:
Quote:
Thu Jul 23 07:49:29 BST 2009
There are no local config files so here are the regular files (snipped for brevity):

jail.conf
Quote:
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 617 $

[DEFAULT]

ignoreip = 127.0.0.1
bantime = 60
findtime = 600
maxretry = 3
backend = auto

[ssh-iptables]

enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
         sendmail-whois[name=SSH, dest=my-email@my-domain.co.uk, sender=fail2ban@mail.com]
logpath = /var/log/secure
maxretry = 3

sshd.conf
Quote:
# Fail2Ban configuration file
# Author: Cyril Jaquier
# $Revision: 663 $

[INCLUDES]

before = common.conf

[Definition]
_daemon = sshd

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$
            ^%(__prefix_line)sFailed [-/\w]+ for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$
            ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
            ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
            ^%(__prefix_line)sUser \S+ from <HOST> not allowed because not listed in AllowUsers$
            ^%(__prefix_line)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
            ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
            ^%(__prefix_line)sAddress <HOST> .* POSSIBLE BREAK-IN ATTEMPT\s*$

ignoreregex =

I have not changed iptables.conf

When I stop and start Fail2ban an email is sent confirming the stop and another for the start.

The version I installed was fail2ban-0.8.2-3.el5.rf.noarch.rpm from
DAG packages for Red Hat Linux el5 x86_64.

Hoping that someone can help. Thanks for reading.

Edited to add: /var/log/fail2ban.log shows no entry for failed logins but does show entries for the start/stop.

Last edited by Wandering-Aimlessly; 23rd July 2009 at 10:47. Reason: Additional info
  #2  
Old 23rd July 2009, 11:53
Flash Flash is offline
Member
 
Join Date: Oct 2008
Posts: 33
Thanks: 2
Thanked 4 Times in 3 Posts
Default

You will need at least 3 failed logins from the same IP in order for fail2ban to ban the IP.
  #3  
Old 23rd July 2009, 12:09
Wandering-Aimlessly Wandering-Aimlessly is offline
Junior Member
 
Join Date: Jul 2009
Posts: 9
Thanks: 0
Thanked 0 Times in 0 Posts
Default

Thanks Flash, I only included one failure for the sake of brevity, there have been dozens within the required 10 minute period.
  #4  
Old 29th July 2009, 10:37
Wandering-Aimlessly Wandering-Aimlessly is offline
Junior Member
 
Join Date: Jul 2009
Posts: 9
Thanks: 0
Thanked 0 Times in 0 Posts
Default Problem solved

Got the problem nailed !

In case anyone else suffers the same problem, here are the details.

In jail.conf there is a "backend" option; this can be set to "gamin", "polling" or "auto", which chooses whatever method is available.

If I set this to "polling", Fail2Ban started working, but with "auto" or "gamin" it didn't.

I could not find why gamin was not working and could find little information on testing/debugging it.

In the end, out of desperation I rebooted the server.

And the problem went away.
  #5  
Old 14th August 2009, 15:20
rlischer rlischer is offline
Senior Member
 
Join Date: Jul 2009
Posts: 121
Thanks: 6
Thanked 1 Time in 1 Post
Default

Quote:
Originally Posted by Wandering-Aimlessly View Post
Got the problem nailed !

In case anyone else suffers the same problem, here are the details.

In jail.conf there is a "backend" option; this can be set to "gamin", "polling" or "auto", which chooses whatever method is available.

If I set this to "polling", Fail2Ban started working, but with "auto" or "gamin" it didn't.

I could not find why gamin was not working and could find little information on testing/debugging it.

In the end, out of desperation I rebooted the server.

And the problem went away.
Thanks for this! Did you change something in "sshd.conf"? I made the change to "polling". It still does not ban me after 3, but drops me after 7 and lets me go right back and do it 7 more times. I must be missing something somewhere.
I don't know why you looked at the date; mine says "Fri Aug 14 04:17:10 EDT 2009", which has the wrong time for me. Also, I did fix the path to /var/log/secure.

Thanks
  #6  
Old 14th August 2009, 17:44
Wandering-Aimlessly Wandering-Aimlessly is offline
Junior Member
 
Join Date: Jul 2009
Posts: 9
Thanks: 0
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by rlischer View Post
Thanks for this! Did you change something in "sshd.conf"? I made the change to "polling". It still does not ban me after 3, but drops me after 7 and lets me go right back and do it 7 more times. I must be missing something somewhere.
I don't know why you looked at the date; mine says "Fri Aug 14 04:17:10 EDT 2009", which has the wrong time for me. Also, I did fix the path to /var/log/secure.

Thanks
Hi,

No, I made no changes to sshd.conf.

The only experience I have is on CentOS 5; is that what you are running?

I guess you could make sure that the log time is the same as the clock time. If the logs don't have the same time as the clock (I don't know how this happens), funny things can happen.

I did that by logging on and then immediately running "date" in an SSH session and confirming that the time shown is the same as, or at least very near, the time shown in the log file entry.

If the time is correct, please post the content of your jail.conf
  #7  
Old 14th August 2009, 18:15
rlischer rlischer is offline
Senior Member
 
Join Date: Jul 2009
Posts: 121
Thanks: 6
Thanked 1 Time in 1 Post
Default

I am on CentOS 5.3 and I did check the times; the server and log times match now. Here is my jail.conf. Thanks!


Code:
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 617 $
#

# The DEFAULT allows a global definition of the options. They can be override
# in each jail afterwards.

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1

# "bantime" is the number of seconds that a host is banned.
bantime  = 600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 600

# "maxretry" is the number of failures before a host get banned.
maxretry = 3

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto". This option can be overridden in
# each jail too (use "gamin" for a jail and "polling" for another).
#
# gamin:   requires Gamin (a file alteration monitor) to be installed. If Gamin
#          is not installed, Fail2ban will use polling.
# polling: uses a polling algorithm which does not require external libraries.
# auto:    will choose Gamin if available and polling otherwise.
backend = polling


# This jail corresponds to the standard configuration in Fail2ban 0.6.
# The mail-whois action send a notification e-mail with a whois request
# in the body.

[ssh-iptables]

enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=memememem@gmail.com, sender=rob@emememememe.com]
logpath  = /var/log/secure
maxretry = 3

[proftpd-iptables]

enabled  = true
filter   = proftpd
action   = iptables[name=ProFTPD, port=ftp, protocol=tcp]
           sendmail-whois[name=ProFTPD, dest=myemailaddress@gmail.com, sender=myemailaddress@anotherplace.com]
logpath  = /var/log/proftpd/proftpd.log
maxretry = 3

# This jail forces the backend to "polling".

[sasl-iptables]

enabled  = true
filter   = sasl
backend  = polling
action   = iptables[name=sasl, port=smtp, protocol=tcp]
           sendmail-whois[name=sasl, dest=myemailaddress@gmail.com, sender=myemailaddress@anotherplace.com]
logpath  = /var/log/mail.log

# Here we use TCP-Wrappers instead of Netfilter/Iptables. "ignoreregex" is
# used to avoid banning the user "myuser".

[ssh-tcpwrapper]

enabled     = true
filter      = sshd
action      = hostsdeny
              sendmail-whois[name=SSH, dest=myemailaddress@gmail.com, sender=myemailaddress@anotherplace.com]
ignoreregex = for myuser from
logpath     = /var/log/secure

# This jail demonstrates the use of wildcards in "logpath".
# Moreover, it is possible to give other files on a new line.

[apache-tcpwrapper]

enabled  = true
filter   = apache-auth
action   = hostsdeny
logpath  = /var/log/apache*/*error.log
           /home/www/myhomepage/error.log
maxretry = 3

# The hosts.deny path can be defined with the "file" argument if it is
# not in /etc.

[postfix-tcpwrapper]

enabled  = true
filter   = postfix
action   = hostsdeny[file=/not/a/standard/path/hosts.deny]
           sendmail[name=Postfix, dest=myemailaddress@gmail.com, sender=myemailaddress@anotherplace.com]
logpath  = /var/log/postfix.log
bantime  = 300

# Do not ban anybody. Just report information about the remote host.
# A notification is sent at most every 600 seconds (bantime).

[vsftpd-notification]

enabled  = true
filter   = vsftpd
action   = sendmail-whois[name=VSFTPD, dest=myemailaddress@gmail.com, sender=myemailaddress@anotherplace.com]
logpath  = /var/log/vsftpd.log
maxretry = 5
bantime  = 1800

# Same as above but with banning the IP address.

[vsftpd-iptables]

enabled  = true
filter   = vsftpd
action   = iptables[name=VSFTPD, port=ftp, protocol=tcp]
           sendmail-whois[name=VSFTPD, dest=myemailaddress@gmail.com, sender=myemailaddress@anotherplace.com]
logpath  = /var/log/vsftpd.log
maxretry = 5
bantime  = 1800

# Ban hosts which agent identifies spammer robots crawling the web
# for email addresses. The mail outputs are buffered.

[apache-badbots]

enabled  = true
filter   = apache-badbots
action   = iptables-multiport[name=BadBots, port="http,https"]
           sendmail-buffered[name=BadBots, lines=5, dest=myemailaddress@gmail.com, sender=myemailaddress@anotherplace.com]
logpath  = /var/www/*/logs/access_log
bantime  = 172800
maxretry = 1

# Use shorewall instead of iptables.

[apache-shorewall]

enabled  = true
filter   = apache-noscript
action   = shorewall
           sendmail[name=Postfix, dest=myemailaddress@gmail.com, sender=myemailaddress@anotherplace.com]
logpath  = /var/log/apache2/error_log

# This jail uses ipfw, the standard firewall on FreeBSD. The "ignoreip"
# option is overridden in this jail. Moreover, the action "mail-whois" defines
# the variable "name" which contains a comma using "". The characters '' are
# valid too.

[ssh-ipfw]

enabled  = true
filter   = sshd
action   = ipfw[localhost=192.168.0.1]
           sendmail-whois[name="SSH,IPFW", dest=myemailaddress@gmail.com, sender=myemailaddress@anotherplace.com]
logpath  = /var/log/auth.log
ignoreip = 168.192.0.1

# These jails block attacks against named (bind9). By default, logging is off
# with bind9 installation. You will need something like this:
#
# logging {
#     channel security_file {
#         file "/var/log/named/security.log" versions 3 size 30m;
#         severity dynamic;
#         print-time yes;
#     };
#     category security {
#         security_file;
#     };
# }
#
# in your named.conf to provide proper logging.
# This jail blocks UDP traffic for DNS requests.

[named-refused-udp]

enabled  = true
filter   = named-refused
action   = iptables-multiport[name=Named, port="domain,953", protocol=udp]
           sendmail-whois[name=Named, dest=myemailaddress@gmail.com, sender=myemailaddress@anotherplace.com]
logpath  = /var/log/named/security.log
ignoreip = 168.192.0.1

# This jail blocks TCP traffic for DNS requests.

[named-refused-tcp]

enabled  = true
filter   = named-refused
action   = iptables-multiport[name=Named, port="domain,953", protocol=tcp]
           sendmail-whois[name=Named, dest=myemailaddress@gmail.com, sender=myemailaddress@anotherplace.com]
logpath  = /var/log/named/security.log
ignoreip = 168.192.0.1
  #8  
Old 14th August 2009, 21:14
rlischer rlischer is offline
Senior Member
 
Join Date: Jul 2009
Posts: 121
Thanks: 6
Thanked 1 Time in 1 Post
Default

Here is my break-in attempt at 14:14 as root. I get dropped on the 7th try.

Code:
Aug 14 14:12:18 server sshd[8838]: reverse mapping checking getaddrinfo for fuse-dedicated-66-42-154-202.fuse.net failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 14 14:12:18 server sshd[8838]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=66.42.154.202  user=root
Aug 14 14:12:19 server sshd[8838]: Failed password for root from 66.42.154.202 port 28645 ssh2
Aug 14 14:12:43 server last message repeated 7 times
Aug 14 14:12:43 server sshd[8839]: Disconnecting: Too many authentication failures for root
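The log samples in this thread (post #1 and post #8) can be replayed through the counting rule that jail.conf sets (maxretry failures within findtime seconds) to see what the sshd filter would actually count. The script below is an added example written for this page; it is not fail2ban's code and not any poster's configuration. It uses the failregex lines from the sshd.conf posted in post #1 verbatim, with two assumptions: a simplified stand-in for common.conf's __prefix_line (only the syslog "Mon DD HH:MM:SS host sshd[pid]:" prefix plus an optional pam_*(sshd:auth) tag, which is all the lines on this page carry), and the year 2009 for the year-less syslog timestamps. The 198.51.100.x lines are constructed. Replaying post #8's lines yields only two matches for 66.42.154.202: the "POSSIBLE BREAK-IN ATTEMPT" line does not fit the "Address <HOST>" pattern, and syslog's "last message repeated 7 times" line carries no sshd tag and no host, so neither fail2ban's filter nor this script expands it; the seven collapsed failures never reach the counter and the host stays below maxretry = 3.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumption: a simplified stand-in for %(__prefix_line)s from fail2ban's common.conf.
# It covers the syslog prefix "Mon DD HH:MM:SS host sshd[pid]: " seen in the lines on
# this page, plus the optional "pam_xxx(sshd:auth): " tag that precedes PAM messages.
PREFIX_LINE = (r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
               r"sshd(?:\[\d+\])?: (?:pam_[a-z_]+\(sshd:auth\): )?")
# What fail2ban expands the <HOST> tag to.
HOST = r"(?:::f{4,6}:)?(?P<host>\S+)"

# The failregex lines from the sshd.conf posted in this thread, with the prefix and
# <HOST> substituted. Like fail2ban, the first pattern that matches a line wins.
FAILREGEX = [re.compile(PREFIX_LINE + pattern.replace("<HOST>", HOST)) for pattern in (
    r"(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$",
    r"Failed [-/\w]+ for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$",
    r"ROOT LOGIN REFUSED.* FROM <HOST>\s*$",
    r"[iI](?:llegal|nvalid) user .* from <HOST>\s*$",
    r"User \S+ from <HOST> not allowed because not listed in AllowUsers$",
    r"authentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$",
    r"refused connect from \S+ \(<HOST>\)\s*$",
    r"Address <HOST> .* POSSIBLE BREAK-IN ATTEMPT\s*$",
)]


def parse_ts(ts, year=2009):
    """Syslog timestamps carry no year; assume the year the thread's logs were written."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def match_line(line):
    """Return (timestamp, host) for a line that matches a failregex, else None."""
    for rx in FAILREGEX:
        m = rx.match(line)
        if m:
            return parse_ts(m.group("ts")), m.group("host")
    return None


def evaluate(lines, maxretry=3, findtime=600):
    """Replay log lines through the jail's counting rule.

    Per host, keep the match times that fall inside a sliding window of `findtime`
    seconds; the host is banned the moment that window holds `maxretry` matches.
    Returns (matches per host, hosts banned in order).
    """
    window = defaultdict(deque)
    matches = defaultdict(int)
    banned = []
    for line in lines:
        hit = match_line(line)
        if hit is None:
            continue          # pam_succeed_if noise, "last message repeated N times", ...
        ts, host = hit
        matches[host] += 1
        recent = window[host]
        recent.append(ts)
        while recent and (ts - recent[0]).total_seconds() > findtime:
            recent.popleft()  # failures older than findtime no longer count
        if len(recent) >= maxretry and host not in banned:
            banned.append(host)
    return dict(matches), banned


# Log lines as posted in this thread.
LOG_POST1 = [
    "Jul 23 07:49:24 my-server sshd[7438]: pam_unix(sshd:auth): check pass; user unknown",
    "Jul 23 07:49:24 my-server sshd[7438]: pam_succeed_if(sshd:auth): error retrieving information about user uhbs",
    "Jul 23 07:49:26 my-server sshd[7438]: Failed password for invalid user uhbs from 123.123.123.123 port 3107 ssh2",
]
LOG_POST8 = [
    "Aug 14 14:12:18 server sshd[8838]: reverse mapping checking getaddrinfo for fuse-dedicated-66-42-154-202.fuse.net failed - POSSIBLE BREAK-IN ATTEMPT!",
    "Aug 14 14:12:18 server sshd[8838]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=66.42.154.202  user=root",
    "Aug 14 14:12:19 server sshd[8838]: Failed password for root from 66.42.154.202 port 28645 ssh2",
    "Aug 14 14:12:43 server last message repeated 7 times",
    "Aug 14 14:12:43 server sshd[8839]: Disconnecting: Too many authentication failures for root",
]
# Constructed lines: three failures within ten seconds, and three spread over 14 minutes.
LOG_BURST = [f"Jul 23 08:00:{s:02d} my-server sshd[7500]: Failed password for invalid user test "
             f"from 198.51.100.7 port 4000 ssh2" for s in (1, 5, 9)]
LOG_SLOW = [f"Jul 23 08:{m:02d}:00 my-server sshd[7501]: Failed password for invalid user test "
            f"from 198.51.100.8 port 4001 ssh2" for m in (0, 7, 14)]

if __name__ == "__main__":
    for name, lines in (("post #1", LOG_POST1), ("post #8", LOG_POST8),
                        ("burst", LOG_BURST), ("slow", LOG_SLOW)):
        counts, banned = evaluate(lines)
        print(f"{name}: matches per host {counts}, banned {banned}")
```

Running the script prints, per sample, how many lines matched for each host and whether the window ever reached maxretry: the post #8 sample gives two matches and no ban, the constructed burst bans after the third failure, and the constructed slow sample never bans because the oldest failure drops out of the 600-second window before the third arrives. The same per-line count can be confirmed against the real tool by putting the lines of interest in a file and running fail2ban-regex on it as in post #1.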
  #9  
Old 17th August 2009, 09:03
Wandering-Aimlessly Wandering-Aimlessly is offline
Junior Member
 
Join Date: Jul 2009
Posts: 9
Thanks: 0
Thanked 0 Times in 0 Posts
Default

Sorry for the delay in this reply, been a busy weekend.

I am far from being any sort of expert on the topic, so please don't berate me if I am wrong.

As I understand it:

This part "[ssh-iptables]" says "deal with SSH attacks using iptables".

And :

This part "[ssh-tcpwrapper]" says "deal with SSH attacks using tcpwrapper".


In your config, you have both methods enabled. I wonder if that is the cause of the problem.

I suggest that you disable all sections ("enabled = false") with the exception of one SSH section (either iptables or tcpwrapper) and test again.

If that works ok, just enable the sections you need enabling.

I initially enabled SSH, proftpd and sasl, testing at each stage. Then I enabled Dovecot, which needed a little more work.

Anyway, get it working in SSH first, then ProFTPD, and test, then SASL. Once those are working we will sort out Dovecot.

Good luck.

Just had an afterthought. You might want to set the ban duration (bantime = 600) to something low during testing if you are using your own IP. I set mine to 60 (1 minute) so that I didn't have to wait ten minutes each time whilst testing.

Last edited by Wandering-Aimlessly; 17th August 2009 at 09:06. Reason: Afterthought
  #10  
Old 17th August 2009, 14:35
rlischer rlischer is offline
Senior Member
 
Join Date: Jul 2009
Posts: 121
Thanks: 6
Thanked 1 Time in 1 Post
 
Default

OK, thanks. I will give it a shot.
