Hello,
I realize that this problem may not be ISPConfig-specific, but I'd like to eliminate that possibility, if nothing else. I'm using ISPConfig 3.0.4.
I've installed fail2ban 0.8.4, with minimal configuration changes, on Ubuntu 10.04-2 LTS. I installed fail2ban from the Ubuntu repository using apt-get.
My goal is to cover Apache authentication first, and then extend the fail2ban configuration to other services, such as ftp, dovecot, etc.
The default fail2ban configuration seems to be adequate, and the only change I made was to create the file /etc/fail2ban/jail.local and insert the following:
Code:
[apache]
enabled = true
logpath = /var/log/ispconfig/httpd/*/error.log
Likewise, the default regular expressions appear to be functioning as expected:
Code:
# fail2ban-regex /var/log/ispconfig/httpd/example.com/error.log /etc/fail2ban/filter.d/apache-auth.conf
Code:
Running tests
=============
Use regex file : /etc/fail2ban/filter.d/apache-auth.conf
Use log file : /var/log/ispconfig/httpd/example.com/error.log
Results
=======
Failregex
|- Regular expressions:
| [1] [[]client <HOST>[]] user .* authentication failure
| [2] [[]client <HOST>[]] user .* not found
| [3] [[]client <HOST>[]] user .* password mismatch
|
`- Number of matches:
[1] 48 match(es)
[2] 119 match(es)
[3] 0 match(es)
Ignoreregex
|- Regular expressions:
|
`- Number of matches:
Summary
=======
Addresses found:
[1]
xxx.xxx.xxx.xxx (Fri Sep 09 11:26:18 2011)
... [etc] ...
Date template hits:
9836 hit(s): MONTH Day Hour:Minute:Second
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
0 hit(s): Year/Month/Day Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/MONTH/Year:Hour:Minute:Second
0 hit(s): Month/Day/Year:Hour:Minute:Second
0 hit(s): Year-Month-Day Hour:Minute:Second
0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
0 hit(s): Day-Month-Year Hour:Minute:Second
0 hit(s): TAI64N
0 hit(s): Epoch
0 hit(s): ISO 8601
0 hit(s): Hour:Minute:Second
0 hit(s): <Month/Day/Year@Hour:Minute:Second>
Success, the total number of match is 167
However, look at the above section 'Running tests' which could contain important
information.
In my attempts to trigger a ban, I've entered invalid Apache credentials as many as two dozen times over the course of several minutes, yet the iptables rules are never modified accordingly (even though fail2ban is parsing the log entries correctly, per the above output).
Nothing significant is written to the fail2ban logs when I intentionally fail Apache authentication a dozen or so times. When I start the service, the following output is written to fail2ban's log:
Code:
2011-11-23 13:49:35,406 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.4
2011-11-23 13:49:35,407 fail2ban.jail : INFO Creating new jail 'ssh'
2011-11-23 13:49:35,407 fail2ban.jail : INFO Jail 'ssh' uses poller
2011-11-23 13:49:35,425 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2011-11-23 13:49:35,425 fail2ban.filter : INFO Set maxRetry = 6
2011-11-23 13:49:35,427 fail2ban.filter : INFO Set findtime = 600
2011-11-23 13:49:35,428 fail2ban.actions: INFO Set banTime = 600
2011-11-23 13:49:35,519 fail2ban.jail : INFO Creating new jail 'apache'
2011-11-23 13:49:35,519 fail2ban.jail : INFO Jail 'apache' uses poller
2011-11-23 13:49:35,520 fail2ban.filter : INFO Added logfile = /var/log/ispconfig/httpd/sub1.example.com/error.log
2011-11-23 13:49:35,521 fail2ban.filter : INFO Added logfile = /var/log/ispconfig/httpd/sub2.example.com/error.log
2011-11-23 13:49:35,521 fail2ban.filter : INFO Set maxRetry = 6
2011-11-23 13:49:35,522 fail2ban.filter : INFO Set findtime = 600
2011-11-23 13:49:35,523 fail2ban.actions: INFO Set banTime = 600
2011-11-23 13:49:35,532 fail2ban.jail : INFO Jail 'ssh' started
2011-11-23 13:49:35,533 fail2ban.jail : INFO Jail 'apache' started
Where should I be looking next? Am I overlooking something obvious?
Thanks for any insights!
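An added example, not part of the original post and not fail2ban's own code: an offline replay that applies the three apache-auth failregex patterns and the maxRetry = 6 / findtime = 600 values from the startup log to error-log lines, reporting which hosts would reach the ban threshold. The sample lines, IP addresses and function names are constructed, and the replay is a simplified model that uses only the timestamps in the log, not the system clock.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# <HOST> is replaced by a plain IPv4 capture (assumption; fail2ban's own host
# pattern is broader). \[ and \] are equivalent to the [[] and []] shown above.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAILREGEX = [re.compile(p.replace("<HOST>", HOST)) for p in (
    r"\[client <HOST>\] user .* authentication failure",
    r"\[client <HOST>\] user .* not found",
    r"\[client <HOST>\] user .* password mismatch",
)]
# Leading timestamp of an error-log line, e.g. [Fri Sep 09 11:26:18 2011]
TS = re.compile(r"\[(\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4})\]")

def hosts_to_ban(lines, maxretry=6, findtime=600):
    """Map each host to the time of the failure that reached maxretry
    failures inside a findtime-second window."""
    recent = defaultdict(deque)   # host -> failure times still inside the window
    banned = {}
    for line in lines:
        ts = TS.match(line)
        hit = next((m for m in (rx.search(line) for rx in FAILREGEX) if m), None)
        if not ts or not hit:
            continue              # no timestamp or no failregex match: ignored
        when = datetime.strptime(ts.group(1), "%a %b %d %H:%M:%S %Y")
        host = hit.group("host")
        window = recent[host]
        window.append(when)
        while (when - window[0]).total_seconds() > findtime:
            window.popleft()      # drop failures older than findtime
        if len(window) >= maxretry and host not in banned:
            banned[host] = when
    return banned

def _line(ts, ip, msg):
    return f"[{ts}] [error] [client {ip}] {msg}"

# Constructed sample: one host fails 6 times in 5 minutes, another fails
# 6 times but only once every 3 minutes.
SAMPLE = [_line(f"Fri Sep 09 11:2{i}:18 2011", "192.0.2.10",
                'user bob: authentication failure for "/private": Password Mismatch')
          for i in range(6)]
SAMPLE += [_line(f"Fri Sep 09 12:{3 * i:02d}:00 2011", "198.51.100.7",
                 "user alice not found: /private") for i in range(6)]

if __name__ == "__main__":
    for host, when in hosts_to_ban(SAMPLE).items():
        print(f"{host} reaches maxretry at {when}")
```

Comparing this replay's result for a real error.log with the output of `fail2ban-client status apache` shows whether the jail is counting the same failures that the filter matches.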