
21st May 2010, 18:11
Junior Member (Join Date: May 2010, Posts: 10)
Fail2ban (without iptables) doesn't work, why?
My externally hosted vserver runs Debian lenny stable. Fail2ban 0.8.3 (and iptables) have been installed with the package manager. The intention is to use fail2ban with the messages file from asterisk, i.e. without iptables. The configuration files for fail2ban are according to this howto.
When I start fail2ban with
/etc/init.d/fail2ban start
no further information is given, so I thought it would work. Later I wondered whether it would first require a
/etc/init.d/fail2ban reload
or a
/etc/init.d/fail2ban restart
and in both of these cases I get the result "failed!" each time.
How could I find out what is going wrong?
Note: I'm not very familiar with Linux, I only use it in the context of the asterisk.

22nd May 2010, 12:35
Junior Member (Join Date: May 2010, Posts: 10)
Fail2Ban works now. The reload has to be done with
/usr/bin/fail2ban-client reload
and not with
/etc/init.d/fail2ban reload
(as mentioned in the howto from Voip-Info.org)
However, the log indicates that there is still an issue with the mail message (address changed here):
Quote:
2010-05-22 11:57:10,435 fail2ban.actions.action: ERROR printf %b "Hi,\n
The jail ASTERISK has been started successfully.\n
Regards,\n
Fail2Ban"|mail -s "[Fail2Ban] ASTERISK: started" Me@My.com returned 7f00
Any ideas why the mail-message doesn't work? The mail address is on a different server. Could this be the reason?
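The "returned 7f00" in the log quoted above can be decoded rather than guessed at. Fail2Ban 0.8 runs each action through the shell and logs the shell's raw wait status in hex, so 0x7f00 carries exit code 127 in its high byte, the code /bin/sh returns when a program in the pipeline is not found (for the mail-whois action that is typically the mail binary, which is not installed by default on a minimal Debian). The script below is an added example, not code from the thread or from Fail2Ban: it pulls the status out of a log line, decodes it, and reports which of the action's external commands are missing from the PATH. The log line is the last line of the quoted error; the command list for mail-whois (mail and whois) is the one that action's shell commands use.

```python
import re
import shutil

# Constructed sample: the last line of the multi-line error quoted above.
SAMPLE_ERROR_LINE = (
    'Fail2Ban"|mail -s "[Fail2Ban] ASTERISK: started" Me@My.com returned 7f00'
)

# External programs the mail-whois action shells out to (printf is normally
# a shell builtin as well, so it is not worth checking).
MAIL_WHOIS_COMMANDS = ["mail", "whois"]

_RETURNED_RE = re.compile(r"returned ([0-9a-fA-F]+)\s*$")


def parse_returned_status(log_line):
    """Return the hex status at the end of a Fail2Ban action error line, or None."""
    m = _RETURNED_RE.search(log_line)
    return m.group(1) if m else None


def decode_action_status(hex_status):
    """Decode the hex wait status Fail2Ban 0.8 logs for a failed action.

    The value is what os.system()/wait() hands back: the command's exit code
    in the high byte, the number of a signal that killed it in the low 7 bits.
    """
    status = int(hex_status, 16)
    signal = status & 0x7F
    if signal:
        return {"exit_code": None, "signal": signal,
                "meaning": "killed by signal %d" % signal}
    exit_code = (status >> 8) & 0xFF
    meaning = {
        0: "success",
        126: "command found but not executable",
        127: "command not found: a program in the action pipeline is missing",
    }.get(exit_code, "command exited with status %d" % exit_code)
    return {"exit_code": exit_code, "signal": 0, "meaning": meaning}


def missing_commands(names):
    """Names from `names` that cannot be found on the current PATH."""
    return [n for n in names if shutil.which(n) is None]


if __name__ == "__main__":
    status = parse_returned_status(SAMPLE_ERROR_LINE)
    print(status, decode_action_status(status))
    print("missing on this host:", missing_commands(MAIL_WHOIS_COMMANDS))
```

Run it on the box that runs Fail2Ban: if `mail` turns up in the missing list, installing an MTA client (on lenny, the mailx package) or switching the jail to an action that does not mail is the fix; if the exit code is 1 instead, the mail command ran but the local MTA rejected or could not deliver the message, which is a mail problem rather than a Fail2Ban one.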

22nd May 2010, 14:34
Super Moderator (Join Date: Apr 2005, Location: Lüneburg, Germany, Posts: 41,665)
Can you post your /etc/fail2ban/jail.conf?

22nd May 2010, 15:51
Junior Member (Join Date: May 2010, Posts: 10)
Quote:
Originally Posted by falko
Can you post your /etc/fail2ban/jail.conf?
Note that I tried with different mail-addresses. None of them is hosted on the same server:
Code:
# Fail2Ban configuration file
...
# $Revision: 747 $
...
[DEFAULT]
bantime = 600
findtime = 600
maxretry = 3
backend = auto
[asterisk-iptables]
enabled = true
filter = asterisk
action = hostsdeny[name=ASTERISK, protocol=all]
         mail-whois[name=ASTERISK, dest=Me@My1stDomain.com, sender=Me@My2ndDomain.com]
logpath = /var/log/asterisk/messages
# maxretry = 5
# bantime = 259200
maxretry = 3
findtime = 300
bantime = 600
...
all other entries have: enabled=false

22nd May 2010, 17:06
Junior Member (Join Date: May 2010, Posts: 10)
Fail2Ban fails to ban !
I just had another attack. The settings in jail.conf were those for manual testing, as posted before:
maxretry = 3
findtime = 300
bantime = 600
The log files show the following:
Asterisk
Code:
[2010-05-22 16:04:05] NOTICE[29225] chan_sip.c: Registration from '"1249349713"<sip:1249349713@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
[2010-05-22 16:04:05] NOTICE[29225] chan_sip.c: Registration from '"100"<sip:100@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
[2010-05-22 16:04:05] NOTICE[29225] chan_sip.c: Registration from '"101"<sip:101@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
[2010-05-22 16:04:05] NOTICE[29225] chan_sip.c: Registration from '"102"<sip:102@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
[2010-05-22 16:04:05] NOTICE[29225] chan_sip.c: Registration from '"103"<sip:103@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
[2010-05-22 16:04:05] NOTICE[29225] chan_sip.c: Registration from '"104"<sip:104@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
....
[2010-05-22 16:12:58] NOTICE[29225] chan_sip.c: Registration from '"9994"<sip:9994@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
[2010-05-22 16:12:58] NOTICE[29225] chan_sip.c: Registration from '"9995"<sip:9995@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
[2010-05-22 16:12:58] NOTICE[29225] chan_sip.c: Registration from '"9996"<sip:9996@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
[2010-05-22 16:12:58] NOTICE[29225] chan_sip.c: Registration from '"9997"<sip:9997@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
[2010-05-22 16:12:58] NOTICE[29225] chan_sip.c: Registration from '"9998"<sip:9998@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
[2010-05-22 16:12:58] NOTICE[29225] chan_sip.c: Registration from '"9999"<sip:9999@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
Fail2ban:
Code:
2010-05-22 16:04:06,632 fail2ban.actions: WARNING [asterisk-iptables] Ban 76.76.96.74
2010-05-22 16:04:09,130 fail2ban.actions.action: ERROR printf %b "Hi,\n
The IP 76.76.96.74 has just been banned by Fail2Ban after
11 attempts against ASTERISK.\n\n
Here are more information about 76.76.96.74:\n
`whois 76.76.96.74`\n
Regards,\n
Fail2Ban"|mail -s "[Fail2Ban] ASTERISK: banned 76.76.96.74" Me@My.net returned 7f00
2010-05-22 16:04:09,130 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
2010-05-22 16:04:10,133 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
2010-05-22 16:04:11,132 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
2010-05-22 16:04:12,132 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
2010-05-22 16:04:13,132 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
2010-05-22 16:04:14,132 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
2010-05-22 16:04:15,133 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
2010-05-22 16:04:16,133 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
2010-05-22 16:04:17,133 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
...
2010-05-22 16:12:55,309 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
2010-05-22 16:12:56,311 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
2010-05-22 16:12:57,318 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
2010-05-22 16:12:58,321 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
2010-05-22 16:14:07,356 fail2ban.actions: WARNING [asterisk-iptables] Unban 76.76.96.74
There are about 40 attacks per second, whereas fail2ban reacts only at about one-second intervals, reporting "already banned".
Fail2ban also added the IP to the file /etc/hosts.deny.
Why then hasn't the IP been blocked?
Any suggestions/recommendations to get it working?
Last edited by MET; 24th May 2010 at 15:57.
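The two logs above say more than "fails to ban". Fail2Ban did match the registrations and fire the ban action within a second of the first batch; the one "already banned" line per second is simply its polling cadence (Fail2Ban 0.8 reads new log lines about once a second and raises at most one ticket per host per round, whatever the attack rate), and the Unban arrives bantime later as configured. What did not happen is any blocking, and that is the action's doing: /etc/hosts.deny is consulted only by programs linked against libwrap (tcp_wrappers) or started through tcpd, while Asterisk's chan_sip binds UDP port 5060 itself and never looks at that file, so a hostsdeny entry changes nothing for SIP registrations. The script below is an added example, not code from the thread or from Fail2Ban: it replays Asterisk lines through a simplified stand-in for the asterisk filter and the jail's counting rules (maxretry, findtime, bantime) and produces the same sequence of Ban / already banned / Unban events as the log above. The regex is a cut-down version of the filter, the sample lines are constructed from the ones quoted (reduced to a few per second), and the second host 10.0.0.9 is made up.

```python
import re
from collections import Counter, defaultdict, deque, namedtuple
from datetime import datetime

# Constructed sample, modelled on the Asterisk lines quoted above: four
# failures in one second, three more about nine minutes later, then one
# failure from another (made-up) host after the first ban has expired.
ASTERISK_LOG = """\
[2010-05-22 16:04:05] NOTICE[29225] chan_sip.c: Registration from '"100"<sip:100@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
[2010-05-22 16:04:05] NOTICE[29225] chan_sip.c: Registration from '"101"<sip:101@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
[2010-05-22 16:04:05] NOTICE[29225] chan_sip.c: Registration from '"102"<sip:102@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
[2010-05-22 16:04:05] NOTICE[29225] chan_sip.c: Registration from '"103"<sip:103@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
[2010-05-22 16:12:58] NOTICE[29225] chan_sip.c: Registration from '"9997"<sip:9997@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
[2010-05-22 16:12:58] NOTICE[29225] chan_sip.c: Registration from '"9998"<sip:9998@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
[2010-05-22 16:12:58] NOTICE[29225] chan_sip.c: Registration from '"9999"<sip:9999@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
[2010-05-22 16:20:00] NOTICE[29225] chan_sip.c: Registration from '"200"<sip:200@12.34.56.78>' failed for '10.0.0.9' - No matching peer found
"""

# Simplified stand-in for the asterisk filter's failregex (the real filter
# lists more failure reasons); the <host> group plays the role of <HOST>.
FAILREGEX = re.compile(
    r"^\[(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '.*' failed for '(?P<host>[0-9.]+)' - "
    r"(?:No matching peer found|Wrong password)$"
)

Event = namedtuple("Event", "kind host ts attempts")


def batches(log_text):
    """Yield (timestamp, Counter(host -> failures)) per log second.

    Fail2Ban 0.8 picks up new lines about once a second and turns each
    round into at most one ticket per host, so one second is the unit here.
    """
    current, hosts = None, Counter()
    for line in log_text.splitlines():
        m = FAILREGEX.search(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        if current is not None and ts != current:
            yield current, hosts
            hosts = Counter()
        current = ts
        hosts[m.group("host")] += 1
    if current is not None:
        yield current, hosts


def run_jail(log_text, maxretry=3, findtime=300, bantime=600):
    """Replay the log through a jail and return the events fail2ban would log."""
    failures = defaultdict(deque)   # host -> timestamps of failures in findtime
    banned = {}                     # host -> time the ban action fired
    events = []
    for ts, hosts in batches(log_text):
        # lift bans whose bantime has run out before handling new failures
        for host, since in list(banned.items()):
            if (ts - since).total_seconds() >= bantime:
                events.append(Event("Unban", host, ts, 0))
                del banned[host]
        for host, n in hosts.items():
            window = failures[host]
            window.extend([ts] * n)
            while window and (ts - window[0]).total_seconds() > findtime:
                window.popleft()
            if len(window) < maxretry:
                continue
            attempts = len(window)
            window.clear()          # a ticket consumes the failures it counted
            if host in banned:      # action already ran: fail2ban only logs it
                events.append(Event("already banned", host, ts, attempts))
            else:
                banned[host] = ts
                events.append(Event("Ban", host, ts, attempts))
    return events


if __name__ == "__main__":
    for e in run_jail(ASTERISK_LOG):
        print(e.ts, "%-14s" % e.kind, e.host, e.attempts or "")
```

With the jail settings from the thread (maxretry = 3, findtime = 300, bantime = 600) the replay yields Ban, already banned, Unban for 76.76.96.74 and nothing for the single failure from the other host, which is exactly the shape of the quoted fail2ban.log. The detection side is therefore working; to stop the packets, the action has to be something that sits in the UDP path (iptables, or a firewall the hosting provider exposes), not hosts.deny.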

25th May 2010, 07:43
Member (Join Date: Jan 2008, Posts: 92)
What is the output of
Code:
grep -h "Ban " /var/log/fail2ban.log* | awk '{print $5,$1}' | sort | uniq -c
Code:
grep -h "already banned" /var/log/fail2ban.log* | awk '{print $5,$1}' | sort | uniq -c
Code:
grep -h "Unban " /var/log/fail2ban.log* | awk '{print $5,$1}' | sort | uniq -c
Do they match?

25th May 2010, 08:12
Moderator (Join Date: Jul 2006, Posts: 1,016)
As far as I understand, the hosts.allow / hosts.deny files only apply to TCP-wrapped applications, which I assume Asterisk is not.
Why do you try to avoid using iptables?

25th May 2010, 11:13
Junior Member (Join Date: May 2010, Posts: 10)
Quote:
Originally Posted by Ben
Why do you try to avoid using iptables?
Because Asterisk is on an externally hosted vserver where I do not have root access.

25th May 2010, 11:27
Junior Member (Join Date: May 2010, Posts: 10)
Quote:
Originally Posted by make-fun
What is the output of
Code:
grep -h "Ban " /var/log/fail2ban.log* | awk '{print $5,$1}' | sort | uniq -c
Code:
grep -h "already banned" /var/log/fail2ban.log* | awk '{print $5,$1}' | sort | uniq -c
Code:
grep -h "Unban " /var/log/fail2ban.log* | awk '{print $5,$1}' | sort | uniq -c
Do they match?
I'm not sure whether I understand these commands, but they didn't show anything on the CLI. It could also be that I did a reload in the meantime. After the attack I checked the files: hosts.deny was empty and hosts.allow contained the IP which had attacked before. I interpreted this to be the result of the action command, which with bantime = 600 unbanned the IP after 10 min.

27th May 2010, 03:28
Member (Join Date: Jan 2008, Posts: 92)
Quote:
Originally Posted by MET
I'm not sure whether I understand these commands, but they didn't show anything on the CLI.
Where is your fail2ban logfile?
Code:
grep -h "Ban " /var/log/fail2ban.log* | awk '{print $5,$1}' | sort | uniq -c
should return a list with the number of bans per day and what filter was hit, like here with postfix:
Code:
123 [postfix] 2010-05-16
114 [postfix] 2010-05-17
75 [postfix] 2010-05-18
45 [postfix] 2010-05-20
104 [postfix] 2010-05-21
100 [postfix] 2010-05-22
103 [postfix] 2010-05-23
43 [postfix] 2010-05-24
This is normally a good way to see whether and what is happening, as you can compare "Ban ", "already banned" and "Unban ". If you got nothing there, it seems fail2ban has never done anything for you.
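The three pipelines above in one pass, as an added example (not make-fun's code and not part of Fail2Ban): it parses fail2ban.log lines in the format quoted earlier in the thread, counts Ban / already banned / Unban per jail and day in the same layout as `awk '{print $5,$1}' | sort | uniq -c`, and lists bans that never got a matching Unban, which is the "do they match" check done per host instead of by eye. The log lines are constructed for the example, modelled on the quoted ones; 198.51.100.7 is a documentation address standing in for a host whose ban is still in force at the end of the log.

```python
import re
from collections import Counter

# Constructed sample in the fail2ban.log format quoted above. The ERROR line
# from the mail action is included to show it is skipped by the parser.
FAIL2BAN_LOG = """\
2010-05-22 16:04:06,632 fail2ban.actions: WARNING [asterisk-iptables] Ban 76.76.96.74
2010-05-22 16:04:09,130 fail2ban.actions.action: ERROR printf %b "Hi" | mail -s "[Fail2Ban] ASTERISK: banned 76.76.96.74" Me@My.net returned 7f00
2010-05-22 16:04:09,130 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
2010-05-22 16:04:10,133 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
2010-05-22 16:14:07,356 fail2ban.actions: WARNING [asterisk-iptables] Unban 76.76.96.74
2010-05-23 09:15:00,001 fail2ban.actions: WARNING [asterisk-iptables] Ban 198.51.100.7
"""

# Fields as awk sees them: $1 date, $2 time, $3 logger, $4 level, $5 [jail].
# "Ban X" / "Unban X" put the host after the verb, "X already banned" before.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d\d-\d\d) \S+ fail2ban\.actions: \w+ \[(?P<jail>[^\]]+)\] "
    r"(?:(?P<event>Ban|Unban) (?P<host>\S+)|(?P<host2>\S+) (?P<event2>already banned))$"
)

EVENTS = ("Ban", "already banned", "Unban")


def summarize(log_text):
    """Count events per (event, jail, date) and track bans with no later Unban."""
    counts = Counter()
    open_bans = {}   # (jail, host) -> date of the ban still in force
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        event = m.group("event") or m.group("event2")
        host = m.group("host") or m.group("host2")
        key = (m.group("jail"), host)
        counts[(event, m.group("jail"), m.group("date"))] += 1
        if event == "Ban":
            open_bans[key] = m.group("date")
        elif event == "Unban":
            open_bans.pop(key, None)
    return counts, open_bans


def report(counts):
    """Same layout as `awk '{print $5,$1}' | sort | uniq -c`, one block per event."""
    out = []
    for event in EVENTS:
        out.append("== %s" % event)
        for (ev, jail, date), n in sorted(counts.items(), key=lambda kv: kv[0][1:]):
            if ev == event:
                out.append("%7d [%s] %s" % (n, jail, date))
    return "\n".join(out)


if __name__ == "__main__":
    counts, open_bans = summarize(FAIL2BAN_LOG)
    print(report(counts))
    for (jail, host), date in sorted(open_bans.items()):
        print("still banned (no Unban seen): [%s] %s since %s" % (jail, host, date))
```

Point it at the real file with `summarize(open("/var/log/fail2ban.log").read())`; an empty Counter means the log holds no actions at all, which is what the grep pipelines above also test for, and a non-empty open_bans list after a restart is worth checking against what is actually in hosts.deny or the firewall.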
All times are GMT +2.