
11th January 2013, 15:44
Member
Join Date: Sep 2006
Location: Chile
Posts: 90
Thanks: 7
Thanked 0 Times in 0 Posts
fail2ban doesn't work!
I have done everything possible but nothing works.
There is some documentation to work in Debian Squeeze with ISPConfig 3.
I appreciate your feedback.

12th January 2013, 12:40
HowtoForge Supporter
Join Date: Apr 2007
Location: Helsinki
Posts: 374
Thanks: 24
Thanked 36 Times in 24 Posts
Fail2ban has 2 different conf files. Check out the .local version.

14th January 2013, 17:09
Member
Join Date: Sep 2006
Location: Chile
Posts: 90
Thanks: 7
Thanked 0 Times in 0 Posts
Quote:
Originally Posted by SamTzu
Fail2ban has 2 different conf files. Check out the .local version.
Yes, I know that ... and wrote the filters for the different services too, but nothing works ...
My jail.local file:
[pureftpd]
enabled = true
port = ftp
filter = pure-ftpd
logpath = /var/log/syslog
maxretry = 3
[sasl]
enabled = true
port = smtp
filter = sasl
logpath = /var/log/mail.log
maxretry = 5
[courierpop3]
enabled = true
port = pop3
filter = courierpop3
logpath = /var/log/mail.log
maxretry = 5
[courierpop3s]
enabled = true
port = pop3s
filter = courierpop3s
logpath = /var/log/mail.log
maxretry = 5
[courierimap]
enabled = true
port = imap2
filter = courierimap
logpath = /var/log/mail.log
maxretry = 5
[courierimaps]
enabled = true
port = imaps
filter = courierimaps
logpath = /var/log/mail.log
maxretry = 5
Thank you for your answer

14th February 2013, 11:47
Senior Member
Join Date: Sep 2005
Posts: 1,186
Thanks: 60
Thanked 13 Times in 11 Posts
Similar problem here. I manually tried to trigger fail2ban by logging in anonymously into pure-ftp:
My fail2ban settings:
Quote:
failregex = .*pure-ftpd: \(.*@<HOST>\) \[WARNING\] Authentication failed for user.*
[pureftpd]
enabled = true
port = ftp
filter = pure-ftpd
logpath = /var/log/syslog
maxretry = 3
The logs look like this:
Quote:
Feb 14 11:44:32 h2118175 pure-ftpd: (?@85.214.249.219) [WARNING] Authentication failed for user [anonymous]
I tested it and it should pick up the attempts:
Quote:
fail2ban-regex /var/log/syslog /etc/fail2ban/filter.d/pure-ftpd.conf
.
.
.
Success, the total number of match is 19
I found this version somewhere, which one is the right one?
Quote:
[pureftpd]
enabled = true
port = ftp,ftp-data,ftps,ftps-data
filter = pure-ftpd
logpath = /var/log/syslog
maxretry = 3
###edit###
The problem is fail2ban does absolutely nothing, just sits there looking pretty :-(
Last edited by Ovidiu; 14th February 2013 at 11:53.

15th February 2013, 15:40
Member
Join Date: Jan 2013
Posts: 66
Thanks: 1
Thanked 8 Times in 8 Posts
What is in /var/log/fail2ban.log?
If nothing, try restarting/reloading it and check that log. (Debian = /etc/init.d/fail2ban reload)

16th February 2013, 09:14
Senior Member
Join Date: Sep 2005
Posts: 1,186
Thanks: 60
Thanked 13 Times in 11 Posts
The log file only contains the normal operating logs:
Quote:
2013-02-14 14:22:04,800 fail2ban.filter : INFO Set findtime = 300
2013-02-14 14:22:04,800 fail2ban.actions: INFO Set banTime = 3600
2013-02-14 14:22:04,846 fail2ban.jail : INFO Creating new jail 'postfix'
2013-02-14 14:22:04,846 fail2ban.jail : INFO Jail 'postfix' uses poller
2013-02-14 14:22:04,847 fail2ban.filter : INFO Added logfile = /var/log/mail.log
2013-02-14 14:22:04,847 fail2ban.filter : INFO Set maxRetry = 3
2013-02-14 14:22:04,847 fail2ban.filter : INFO Set findtime = 300
2013-02-14 14:22:04,848 fail2ban.actions: INFO Set banTime = 3600
2013-02-14 14:22:04,850 fail2ban.jail : INFO Creating new jail 'sasl'
2013-02-14 14:22:04,850 fail2ban.jail : INFO Jail 'sasl' uses poller
2013-02-14 14:22:04,851 fail2ban.filter : INFO Added logfile = /var/log/mail.warn
2013-02-14 14:22:04,851 fail2ban.filter : INFO Set maxRetry = 3
2013-02-14 14:22:04,852 fail2ban.filter : INFO Set findtime = 300
2013-02-14 14:22:04,852 fail2ban.actions: INFO Set banTime = 3600
2013-02-14 14:22:04,855 fail2ban.jail : INFO Jail 'dovecot-pop3imap' started
2013-02-14 14:22:04,856 fail2ban.jail : INFO Jail 'ssh-ddos' started
2013-02-14 14:22:04,856 fail2ban.jail : INFO Jail 'pureftpd' started
2013-02-14 14:22:04,857 fail2ban.jail : INFO Jail 'ssh' started
2013-02-14 14:22:04,858 fail2ban.jail : INFO Jail 'postfix' started
2013-02-14 14:22:04,858 fail2ban.jail : INFO Jail 'sasl' started
2013-02-14 23:59:23,072 fail2ban.filter : INFO Log rotation detected for /var/log/syslog
2013-02-15 23:59:21,950 fail2ban.filter : INFO Log rotation detected for /var/log/syslo

16th February 2013, 12:00
Member
Join Date: Jan 2013
Posts: 66
Thanks: 1
Thanked 8 Times in 8 Posts
Hmm, no real idea. The easiest one to check is the ssh jail, generally /var/log/auth.log will show attempts. Perhaps you might like to check the default "banaction" you have set in jail.conf. Generally the iptables-multiport one is the one to use. You might also need to define its action in the jail.local, e.g.:
[pureftpd]
enabled = true
port = ftp,ftp-data,ftps,ftps-data
filter = pure-ftpd
action = %(action_mw)s
logpath = /var/log/syslog
maxretry = 3

16th February 2013, 23:37
Senior Member
Join Date: Sep 2005
Posts: 1,186
Thanks: 60
Thanked 13 Times in 11 Posts
Not sure why I should check auth.log since THERE ARE attempts within syslog:
Quote:
fail2ban-regex /var/log/syslog /etc/fail2ban/filter.d/pure-ftpd.conf
.
.
.
Success, the total number of match is 19
the ban action is defined in jail.conf as follows:
Quote:
banaction = iptables-multiport
I just saw that fail2ban.conf has the option of raising the loglevel to debugging:
Now let's see if anything interesting turns up in fail2ban's log file.
Thanks for helping out so far!

16th February 2013, 23:53
Member
Join Date: Jan 2013
Posts: 66
Thanks: 1
Thanked 8 Times in 8 Posts
I was referring to the ssh jail which uses the auth.log simply because this is the one that will get hit the most - more than ftp will. The fail2ban-regex is also just checking that the regex works. Having 19 successful matches doesn't indicate they occurred within the time frame for fail2ban to ban the attempts.
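The distinction drawn in the post above, between lines that match the failregex and failures that fall inside the ban window, shown as an added example that is not part of the original thread and not fail2ban's own code. The log lines, addresses and function names are constructed, the `<HOST>` expansion is a simplified IPv4 pattern, and the year is assumed because syslog timestamps omit it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# failregex copied from the thread; <HOST> is expanded to a simplified
# IPv4 group here (an assumption; fail2ban's own expansion is broader).
FAILREGEX = r".*pure-ftpd: \(.*@<HOST>\) \[WARNING\] Authentication failed for user.*"
HOST_GROUP = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
PATTERN = re.compile(FAILREGEX.replace("<HOST>", HOST_GROUP))

# Constructed sample lines in the syslog format quoted in the thread.
SAMPLE_LOG = """\
Feb 14 11:00:00 host1 pure-ftpd: (?@192.0.2.10) [WARNING] Authentication failed for user [anonymous]
Feb 14 11:05:00 host1 sshd[1234]: Failed password for root from 192.0.2.10 port 22 ssh2
Feb 14 11:10:00 host1 pure-ftpd: (?@192.0.2.10) [WARNING] Authentication failed for user [anonymous]
Feb 14 11:20:00 host1 pure-ftpd: (?@192.0.2.10) [WARNING] Authentication failed for user [anonymous]
Feb 14 12:00:00 host1 pure-ftpd: (?@198.51.100.7) [WARNING] Authentication failed for user [web1]
Feb 14 12:00:05 host1 pure-ftpd: (?@198.51.100.7) [WARNING] Authentication failed for user [web1]
Feb 14 12:00:10 host1 pure-ftpd: (?@198.51.100.7) [WARNING] Authentication failed for user [web1]
"""

def parse_failures(log_text, year=2013):
    """Yield (timestamp, host) for every line the failregex matches."""
    for line in log_text.splitlines():
        m = PATTERN.match(line)
        if not m:
            continue
        # The first 15 characters are the syslog timestamp, e.g. "Feb 14 11:00:00".
        ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
        yield ts, m.group("host")

def hosts_to_ban(log_text, maxretry, findtime):
    """Return hosts with at least maxretry failures within findtime seconds."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)  # host -> failure times still inside the window
    banned = []
    for ts, host in parse_failures(log_text):
        q = recent[host]
        q.append(ts)
        while ts - q[0] > window:  # forget failures older than findtime
            q.popleft()
        if len(q) >= maxretry and host not in banned:
            banned.append(host)
    return banned

if __name__ == "__main__":
    print("regex matches:", len(list(parse_failures(SAMPLE_LOG))))
    print("findtime=300  :", hosts_to_ban(SAMPLE_LOG, 3, 300))
    print("findtime=86400:", hosts_to_ban(SAMPLE_LOG, 3, 86400))
```

Six lines match the regex, but with the `findtime = 300` shown in the fail2ban.log excerpt only the host with three failures in ten seconds crosses `maxretry = 3`; the host with failures ten minutes apart is caught only with a longer window such as 86400.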

17th February 2013, 00:20
Senior Member
Join Date: Sep 2005
Posts: 1,186
Thanks: 60
Thanked 13 Times in 11 Posts
I rarely have any attempts on SSH since I moved it to another port. BUT I just tried to anonymously log in via FTP 5x and found this in auth.log:
Feb 17 00:15:04 h2118175 pure-ftpd: (?@85.214.249.219) [WARNING] Authentication failed for user [anonymous]
So that is ok and indeed in fail2ban.log I see:
Quote:
2013-02-17 00:15:15,780 fail2ban.filter : DEBUG /var/log/syslog has been modified
2013-02-17 00:15:15,795 fail2ban.filter : DEBUG Found 85.214.249.219
The settings for this jail are:
Quote:
[pureftpd]
enabled = true
port = ftp
filter = pure-ftpd
logpath = /var/log/syslog
maxretry = 3
findtime = 86400
So I should have been blocked :-(
All times are GMT +2. The time now is 04:55.