Go Back   HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials > ISPConfig 3 > Installation/Configuration

Do you like HowtoForge? Please consider supporting us by becoming a subscriber.
 
 
Thread Tools Display Modes
Prev Previous Post   Next Post Next
  #1  
Old 13th August 2009, 16:05
rlischer rlischer is offline
Senior Member
 
Join Date: Jul 2009
Posts: 121
Thanks: 6
Thanked 1 Time in 1 Post
Default Need help with fail2ban on centos 5.3

I need some help and clarity on what I need to do.

I went through centos 5.3 perfect server setup. So, iptables is off and fail2ban is on. I turned on the default firewall ports for the server in ipsconfig 3 admin. It works, I tested it by opening and closing a few ports.

ISP Config 3 tells me "fail2ban is not installed at this server.
See more (for debian) here..."


I try to ssh in as root and use bad passwords over and over, then after about 6 or 7 tries I get the boot, then I can go right back and try again. Why is my IP not banned? And why does ISPConfig 3 say "fail2ban is not installed at this server"

Thanks!!!



vi /etc/fail2ban/filter.d/sshd.conf
Code:
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 663 $
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf


[Definition]

_daemon = sshd

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$
            ^%(__prefix_line)sFailed [-/\w]+ for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$
            ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
            ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
            ^%(__prefix_line)sUser \S+ from <HOST> not allowed because not listed in AllowUsers$
            ^%(__prefix_line)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
            ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
            ^%(__prefix_line)sAddress <HOST> .* POSSIBLE BREAK-IN ATTEMPT\s*$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
vi /etc/fail2ban/jail.conf (with new "logpath = /var/log/secure" path)
Code:
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 617 $
#

# The DEFAULT allows a global definition of the options. They can be override
# in each jail afterwards.

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1

# "bantime" is the number of seconds that a host is banned.
bantime  = 600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 600

# "maxretry" is the number of failures before a host get banned.
maxretry = 3

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto". This option can be overridden in
# each jail too (use "gamin" for a jail and "polling" for another).
#
# gamin:   requires Gamin (a file alteration monitor) to be installed. If Gamin
#          is not installed, Fail2ban will use polling.
# polling: uses a polling algorithm which does not require external libraries.
# auto:    will choose Gamin if available and polling otherwise.
backend = auto


# This jail corresponds to the standard configuration in Fail2ban 0.6.
# The mail-whois action send a notification e-mail with a whois request
# in the body.

[ssh-iptables]

enabled  = false
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=you@mail.com, sender=fail2ban@mail.com]
logpath  = /var/log/secure
maxretry = 3

[proftpd-iptables]

enabled  = false
filter   = proftpd
action   = iptables[name=ProFTPD, port=ftp, protocol=tcp]
           sendmail-whois[name=ProFTPD, dest=you@mail.com]
logpath  = /var/log/proftpd/proftpd.log
"/etc/fail2ban/jail.conf" 205L, 5658C
My log file as I try to break in as root:
Code:
Aug 13 05:17:35 server sshd[10791]: PAM 7 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=66.42.154.202
Aug 13 05:17:35 server sshd[10791]: PAM service(sshd) ignoring max retries; 8 > 3
Aug 13 05:17:47 server sshd[10828]: reverse mapping checking getaddrinfo for fuse-dedicated-66-42-154-202.fuse.net failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 13 05:17:47 server sshd[10828]: Accepted password for root from 66.42.154.202 port 35685 ssh2
Aug 13 05:17:47 server sshd[10828]: pam_unix(sshd:session): session opened for user root by (uid=0)
Aug 13 05:23:17 server sshd[10828]: pam_unix(sshd:session): session closed for user root
Aug 13 05:25:13 server sshd[11212]: reverse mapping checking getaddrinfo for fuse-dedicated-66-42-154-202.fuse.net failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 13 05:25:13 server sshd[11212]: Accepted password for root from 66.42.154.202 port 39441 ssh2
Aug 13 05:25:13 server sshd[11212]: pam_unix(sshd:session): session opened for user root by (uid=0)
Aug 13 05:32:15 server sshd[11212]: pam_unix(sshd:session): session closed for user root
Aug 13 05:42:50 server sshd[12434]: reverse mapping checking getaddrinfo for fuse-dedicated-66-42-154-202.fuse.net failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 13 05:42:50 server sshd[12434]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=66.42.154.202  user=root
Aug 13 05:42:53 server sshd[12434]: Failed password for root from 66.42.154.202 port 48067 ssh2
Aug 13 05:43:27 server last message repeated 7 times
Aug 13 05:43:27 server sshd[12435]: Disconnecting: Too many authentication failures for root
Aug 13 05:43:27 server sshd[12434]: PAM 7 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=66.42.154.202  user=root
Aug 13 05:43:27 server sshd[12434]: PAM service(sshd) ignoring max retries; 8 > 3
Aug 13 05:43:38 server sshd[12472]: reverse mapping checking getaddrinfo for fuse-dedicated-66-42-154-202.fuse.net failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 13 05:43:38 server sshd[12472]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=66.42.154.202  user=root
Aug 13 05:43:41 server sshd[12472]: Failed password for root from 66.42.154.202 port 48627 ssh2
Aug 13 05:43:45 server sshd[12473]: fatal: Read from socket failed: Connection reset by peer
Aug 13 05:45:01 server sshd[12515]: reverse mapping checking getaddrinfo for fuse-dedicated-66-42-154-202.fuse.net failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 13 05:45:01 server sshd[12515]: Accepted password for root from 66.42.154.202 port 49833 ssh2
Aug 13 05:45:01 server sshd[12515]: pam_unix(sshd:session): session opened for user root by (uid=0)
Reply With Quote
Sponsored Links
 

Bookmarks

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
fail2ban is doing nothing? rlischer Server Operation 16 29th June 2010 07:29
Centos 5.2 + ISPConfig 3 tutorial - Problem with email tanakskool Server Operation 1 3rd June 2009 16:22
have the problem with mydns on CentOS 5.3 x86_64 thaibinhtt Installation/Configuration 1 26th May 2009 08:59
PHP & PowerDNS and PowerAdmin on CentOS 5.3 need_a_linux_brain HOWTO-Related Questions 9 4th May 2009 15:42
Need CentOS 5.3 Nikto, DenyHosts, FTtester, Chrooted SSH, Chkrootkit-Portsentry need_a_linux_brain HOWTO-Related Questions 0 1st May 2009 19:10


All times are GMT +2. The time now is 00:52.


Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2014, vBulletin Solutions, Inc.