#1
11th January 2013, 16:44
albertux
fail2ban doesn't work!

I have done everything possible but nothing works.

There is some documentation to work in Debian Squeeze with ISPConfig 3.

I appreciate your feedback.

#2
12th January 2013, 13:40
SamTzu

Fail2ban has 2 different conf files. Check out the .local version.
__________________

Sami Mattila
Internet-Content

Telephone:
00358942833310
Email: firstname.lastname@internet-content.org
Shop: http://shop.internet-content.net
Site: http://www.internet-content.net
Blog: http://www.internet-content.net/en/blog
FB: https://www.facebook.com/internetcontent


#3
14th January 2013, 18:09
albertux

Quote:
Originally Posted by SamTzu
Fail2ban has 2 different conf files. Check out the .local version.

Yes, I know that ... and I wrote the filters for the different services too, but nothing works ...

My jail.local file:

[pureftpd]

enabled = true
port = ftp
filter = pure-ftpd
logpath = /var/log/syslog
maxretry = 3


[sasl]

enabled = true
port = smtp
filter = sasl
logpath = /var/log/mail.log
maxretry = 5


[courierpop3]

enabled = true
port = pop3
filter = courierpop3
logpath = /var/log/mail.log
maxretry = 5


[courierpop3s]

enabled = true
port = pop3s
filter = courierpop3s
logpath = /var/log/mail.log
maxretry = 5


[courierimap]

enabled = true
port = imap2
filter = courierimap
logpath = /var/log/mail.log
maxretry = 5


[courierimaps]

enabled = true
port = imaps
filter = courierimaps
logpath = /var/log/mail.log
maxretry = 5



Thank you for your answer

#4
14th February 2013, 12:47
Ovidiu

Similar problem here. I manually tried to trigger fail2ban by logging in anonymously to pure-ftp.

My fail2ban settings:

Quote:
failregex = .*pure-ftpd: \(.*@<HOST>\) \[WARNING\] Authentication failed for user.*

[pureftpd]
enabled = true
port = ftp
filter = pure-ftpd
logpath = /var/log/syslog
maxretry = 3

The logs look like this:

Quote:
Feb 14 11:44:32 h2118175 pure-ftpd: (?@85.214.249.219) [WARNING] Authentication failed for user [anonymous]

I tested it and it should pick up the attempts:

Quote:
fail2ban-regex /var/log/syslog /etc/fail2ban/filter.d/pure-ftpd.conf
.
.
.
Success, the total number of match is 19

I found this version somewhere. Which one is the right one?

Quote:
[pureftpd]
enabled = true
port = ftp,ftp-data,ftps,ftps-data
filter = pure-ftpd
logpath = /var/log/syslog
maxretry = 3

###edit###
The problem is fail2ban does absolutely nothing, just sits there looking pretty :-(

Last edited by Ovidiu; 14th February 2013 at 12:53.

#5
15th February 2013, 16:40
Parsec

What is in /var/log/fail2ban.log?

If nothing, try restarting/reloading it and check that log (Debian: /etc/init.d/fail2ban reload).

#6
16th February 2013, 10:14
Ovidiu

The log file only contains the normal operating logs:

Quote:
2013-02-14 14:22:04,800 fail2ban.filter : INFO Set findtime = 300
2013-02-14 14:22:04,800 fail2ban.actions: INFO Set banTime = 3600
2013-02-14 14:22:04,846 fail2ban.jail : INFO Creating new jail 'postfix'
2013-02-14 14:22:04,846 fail2ban.jail : INFO Jail 'postfix' uses poller
2013-02-14 14:22:04,847 fail2ban.filter : INFO Added logfile = /var/log/mail.log
2013-02-14 14:22:04,847 fail2ban.filter : INFO Set maxRetry = 3
2013-02-14 14:22:04,847 fail2ban.filter : INFO Set findtime = 300
2013-02-14 14:22:04,848 fail2ban.actions: INFO Set banTime = 3600
2013-02-14 14:22:04,850 fail2ban.jail : INFO Creating new jail 'sasl'
2013-02-14 14:22:04,850 fail2ban.jail : INFO Jail 'sasl' uses poller
2013-02-14 14:22:04,851 fail2ban.filter : INFO Added logfile = /var/log/mail.warn
2013-02-14 14:22:04,851 fail2ban.filter : INFO Set maxRetry = 3
2013-02-14 14:22:04,852 fail2ban.filter : INFO Set findtime = 300
2013-02-14 14:22:04,852 fail2ban.actions: INFO Set banTime = 3600
2013-02-14 14:22:04,855 fail2ban.jail : INFO Jail 'dovecot-pop3imap' started
2013-02-14 14:22:04,856 fail2ban.jail : INFO Jail 'ssh-ddos' started
2013-02-14 14:22:04,856 fail2ban.jail : INFO Jail 'pureftpd' started
2013-02-14 14:22:04,857 fail2ban.jail : INFO Jail 'ssh' started
2013-02-14 14:22:04,858 fail2ban.jail : INFO Jail 'postfix' started
2013-02-14 14:22:04,858 fail2ban.jail : INFO Jail 'sasl' started
2013-02-14 23:59:23,072 fail2ban.filter : INFO Log rotation detected for /var/log/syslog
2013-02-15 23:59:21,950 fail2ban.filter : INFO Log rotation detected for /var/log/syslo

#7
16th February 2013, 13:00
Parsec

Hmm, no real idea. The easiest one to check is the ssh jail, generally /var/log/auth.log will show attempts. Perhaps you might like to check the default "banaction" you have set in jail.conf. Generally the iptables-multiport one is the one to use. You might also need to define its action in the jail.local, e.g.:

[pureftpd]
enabled = true
port = ftp,ftp-data,ftps,ftps-data
filter = pure-ftpd
action = %(action_mw)s
logpath = /var/log/syslog
maxretry = 3

#8
17th February 2013, 00:37
Ovidiu

Not sure why I should check auth.log since THERE ARE attempts within syslog:

Quote:
fail2ban-regex /var/log/syslog /etc/fail2ban/filter.d/pure-ftpd.conf
.
.
.
Success, the total number of match is 19

The ban action is defined in jail.conf as follows:

Quote:
banaction = iptables-multiport

I just saw that fail2ban.conf has the option of raising the loglevel to debugging:

Quote:
loglevel = 4

Now let's see if anything interesting turns up in fail2ban's log file.

Thanks for helping out so far!

#9
17th February 2013, 00:53
Parsec

I was referring to the ssh jail which uses the auth.log simply because this is the one that will get hit the most - more than ftp will. The fail2ban-regex is also just checking that the regex works. Having 19 successful matches doesn't indicate they occurred within the time frame for fail2ban to ban the attempts.

#10
17th February 2013, 01:20
Ovidiu

I rarely have any attempts on SSH since I moved it to another port. BUT I just tried to anonymously log in via FTP 5x and found this in auth.log:

Feb 17 00:15:04 h2118175 pure-ftpd: (?@85.214.249.219) [WARNING] Authentication failed for user [anonymous]

So that is ok and indeed in fail2ban.log I see:

Quote:
2013-02-17 00:15:15,780 fail2ban.filter : DEBUG /var/log/syslog has been modified
2013-02-17 00:15:15,795 fail2ban.filter : DEBUG Found 85.214.249.219

The settings for this jail are:

Quote:
[pureftpd]
enabled = true
port = ftp
filter = pure-ftpd
logpath = /var/log/syslog
maxretry = 3
findtime = 86400

So I should have been blocked :-(
Reply With Quote
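
The point raised in post #9, that a fail2ban-regex match count does not show whether the hits fell inside findtime, can be checked offline. The following is an added example, not code from the thread or from fail2ban: it applies the posted failregex to constructed syslog lines and models the maxretry/findtime rule as a simple sliding window. The IPv4-only `<HOST>` stand-in, the function names and the sample lines are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# failregex as posted in the thread; fail2ban substitutes its own pattern for <HOST>.
FAILREGEX = r".*pure-ftpd: \(.*@<HOST>\) \[WARNING\] Authentication failed for user.*"
# Assumption: simplified IPv4-only stand-in for fail2ban's <HOST> substitution.
HOST_PATTERN = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
COMPILED = re.compile(FAILREGEX.replace("<HOST>", HOST_PATTERN))

# Constructed sample lines in the syslog format shown in the thread.
SAMPLE_SYSLOG = """\
Feb 17 00:15:04 host1 pure-ftpd: (?@192.0.2.10) [WARNING] Authentication failed for user [anonymous]
Feb 17 00:15:07 host1 pure-ftpd: (?@192.0.2.10) [WARNING] Authentication failed for user [anonymous]
Feb 17 00:15:11 host1 pure-ftpd: (?@192.0.2.10) [WARNING] Authentication failed for user [anonymous]
Feb 17 00:20:00 host1 pure-ftpd: (?@192.0.2.10) [INFO] New connection from 192.0.2.10
Feb 17 01:00:00 host1 pure-ftpd: (?@198.51.100.7) [WARNING] Authentication failed for user [admin]
Feb 17 01:10:00 host1 pure-ftpd: (?@198.51.100.7) [WARNING] Authentication failed for user [admin]
Feb 17 01:20:00 host1 pure-ftpd: (?@198.51.100.7) [WARNING] Authentication failed for user [admin]
"""


def failures(lines, year=2013):
    """Return [(timestamp, host)] for each line the failregex matches."""
    found = []
    for line in lines:
        m = COMPILED.match(line)
        if m:
            # Syslog timestamps carry no year, so one has to be supplied.
            ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
            found.append((ts, m.group("host")))
    return found


def expected_bans(lines, maxretry, findtime):
    """Map host -> time of the failure that makes maxretry hits within findtime seconds."""
    recent, bans = defaultdict(deque), {}
    for ts, host in failures(lines):
        window = recent[host]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()  # forget failures older than findtime
        if len(window) >= maxretry:
            bans.setdefault(host, ts)
    return bans


if __name__ == "__main__":
    lines = SAMPLE_SYSLOG.splitlines()
    print("regex matches:", len(failures(lines)))
    for findtime in (300, 86400):
        print(findtime, expected_bans(lines, maxretry=3, findtime=findtime))
```

With the sample data the regex matches six lines, yet only 192.0.2.10 reaches maxretry = 3 inside findtime = 300; the second host qualifies only once findtime is raised to 86400.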

All times are GMT +2.