fail2ban does not modify iptables entries

Posted by cbj4074 (Senior Member), 23rd November 2011, 23:50

Hello,

I realize that this problem may not be ISPConfig-specific, but I'd like to eliminate that possibility, if nothing else. I'm using ISPConfig 3.0.4.

I've installed fail2ban 0.8.4, with minimal configuration changes, on Ubuntu 10.04-2 LTS. I installed fail2ban from the Ubuntu repository using apt-get.

My goal is to cover Apache authentication first, and then extend the fail2ban configuration to other services, such as ftp, dovecot, etc.

The default fail2ban configuration seems to be adequate, and the only change I made was to create the file /etc/fail2ban/jail.local and insert the following:

Code:
[apache]
enabled = true
logpath = /var/log/ispconfig/httpd/*/error.log

Likewise, the default regular expressions appear to be functioning as expected:

Code:
# fail2ban-regex /var/log/ispconfig/httpd/example.com/error.log /etc/fail2ban/filter.d/apache-auth.conf

Code:
Running tests
=============

Use regex file : /etc/fail2ban/filter.d/apache-auth.conf
Use log file   : /var/log/ispconfig/httpd/example.com/error.log


Results
=======

Failregex
|- Regular expressions:
|  [1] [[]client <HOST>[]] user .* authentication failure
|  [2] [[]client <HOST>[]] user .* not found
|  [3] [[]client <HOST>[]] user .* password mismatch
|
`- Number of matches:
   [1] 48 match(es)
   [2] 119 match(es)
   [3] 0 match(es)

Ignoreregex
|- Regular expressions:
|
`- Number of matches:

Summary
=======

Addresses found:
[1]
    xxx.xxx.xxx.xxx (Fri Sep 09 11:26:18 2011)
    ... [etc] ...

Date template hits:
9836 hit(s): MONTH Day Hour:Minute:Second
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
0 hit(s): Year/Month/Day Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/MONTH/Year:Hour:Minute:Second
0 hit(s): Month/Day/Year:Hour:Minute:Second
0 hit(s): Year-Month-Day Hour:Minute:Second
0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
0 hit(s): Day-Month-Year Hour:Minute:Second
0 hit(s): TAI64N
0 hit(s): Epoch
0 hit(s): ISO 8601
0 hit(s): Hour:Minute:Second
0 hit(s): <Month/Day/Year@Hour:Minute:Second>

Success, the total number of match is 167

However, look at the above section 'Running tests' which could contain important
information.

In my attempts to trigger a ban, I've entered invalid Apache credentials as many as two dozen times over the course of several minutes, yet the iptables rules are never modified accordingly (even though fail2ban is parsing the log entries correctly, per the above output).

Nothing significant is written to the fail2ban logs when I intentionally fail Apache authentication a dozen or so times. When I start the service, the following output is written to fail2ban's log:

Code:
2011-11-23 13:49:35,406 fail2ban.server : INFO   Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.4
2011-11-23 13:49:35,407 fail2ban.jail   : INFO   Creating new jail 'ssh'
2011-11-23 13:49:35,407 fail2ban.jail   : INFO   Jail 'ssh' uses poller
2011-11-23 13:49:35,425 fail2ban.filter : INFO   Added logfile = /var/log/auth.log
2011-11-23 13:49:35,425 fail2ban.filter : INFO   Set maxRetry = 6
2011-11-23 13:49:35,427 fail2ban.filter : INFO   Set findtime = 600
2011-11-23 13:49:35,428 fail2ban.actions: INFO   Set banTime = 600
2011-11-23 13:49:35,519 fail2ban.jail   : INFO   Creating new jail 'apache'
2011-11-23 13:49:35,519 fail2ban.jail   : INFO   Jail 'apache' uses poller
2011-11-23 13:49:35,520 fail2ban.filter : INFO   Added logfile = /var/log/ispconfig/httpd/sub1.example.com/error.log
2011-11-23 13:49:35,521 fail2ban.filter : INFO   Added logfile = /var/log/ispconfig/httpd/sub2.example.com/error.log
2011-11-23 13:49:35,521 fail2ban.filter : INFO   Set maxRetry = 6
2011-11-23 13:49:35,522 fail2ban.filter : INFO   Set findtime = 600
2011-11-23 13:49:35,523 fail2ban.actions: INFO   Set banTime = 600
2011-11-23 13:49:35,532 fail2ban.jail   : INFO   Jail 'ssh' started
2011-11-23 13:49:35,533 fail2ban.jail   : INFO   Jail 'apache' started

Where should I be looking next? Am I overlooking something obvious?

Thanks for any insights!

Last edited by cbj4074; 23rd November 2011 at 23:55. Reason: Added fail2ban log contents.
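
Added example, not part of the original post and not fail2ban's own code: a simplified model of the difference between the match count that fail2ban-regex reports and the maxRetry/findtime counting a jail applies before it bans. It assumes IPv4 clients and Apache 2.2-style error.log lines; the log lines and addresses are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# The three failregex patterns from the fail2ban-regex output above, written
# with \[ and \] escapes instead of [[] and []]. <HOST> is replaced by a
# plain IPv4 capture group (a simplification of fail2ban's host matching).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAILREGEX = [re.compile(p.replace("<HOST>", HOST)) for p in (
    r"\[client <HOST>\] user .* authentication failure",
    r"\[client <HOST>\] user .* not found",
    r"\[client <HOST>\] user .* password mismatch",
)]
STAMP = re.compile(r"^\[(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4})\]")

def parse(line):
    """Return (timestamp, host) for a failed-auth line, else None."""
    stamp = STAMP.match(line)
    hit = next((m for m in (r.search(line) for r in FAILREGEX) if m), None)
    if not (stamp and hit):
        return None
    when = datetime.strptime(stamp.group(1), "%a %b %d %H:%M:%S %Y")
    return when, hit.group("host")

def evaluate(lines, maxretry=6, findtime=600):
    """Return (total regex matches, hosts reaching maxretry within findtime)."""
    recent, banned, matches = defaultdict(deque), set(), 0
    for when, host in filter(None, map(parse, lines)):
        matches += 1
        window = recent[host]
        window.append(when)
        # Forget failures older than findtime seconds before this one.
        while (when - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned.add(host)
    return matches, banned

def sample(host, start_minute, step_minutes, count):
    """Constructed error.log lines (not taken from the thread)."""
    fmt = "[Wed Nov 23 13:%02d:00 2011] [error] [client %s] user test not found: /"
    return [fmt % (start_minute + i * step_minutes, host) for i in range(count)]

# 203.0.113.5 fails 6 times in 5 minutes; 198.51.100.7 fails 4 times over 45.
LOG = sample("203.0.113.5", 0, 1, 6) + sample("198.51.100.7", 0, 15, 4)

if __name__ == "__main__":
    print(evaluate(LOG))
```

All ten constructed lines match the regexes, but with the jail values from the startup log (maxRetry = 6, findtime = 600) only the first address qualifies for a ban.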