#11 Parsec, 17th February 2013, 01:34

No. You have maxretry = 3. You'll need to make a few attempts within the time frame. So, really, on the 4th attempt you should be blocked.

#12 Ovidiu, 18th February 2013, 06:49

Of course I tried it 5 times and set the findtime up to make sure it fires but still nothing.

#13 Parsec, 18th February 2013, 07:10

Got me beat. Bet there is something simple somewhere in one of the configs that's causing the problem; just a matter of finding it.

#14 Ovidiu, 19th February 2013, 00:06

Solved it by completely removing it: apt-get remove --purge fail2ban

and now all of a sudden its log file shows:

Quote:
root@h2118175:/var/www/foodandchatter.co.za/web# tail -f /var/log/fail2ban.log
2013-02-18 07:13:45,259 fail2ban.jail : INFO Jail 'dovecot-pop3imap' started
2013-02-18 07:13:45,260 fail2ban.jail : INFO Jail 'pureftpd' started
2013-02-18 07:13:45,260 fail2ban.jail : INFO Jail 'ssh' started
2013-02-18 09:52:40,928 fail2ban.actions: WARNING [dovecot-pop3imap] Ban 216.107.155.32
2013-02-18 10:02:41,573 fail2ban.actions: WARNING [dovecot-pop3imap] Unban 216.107.155.32
2013-02-18 11:19:29,178 fail2ban.actions: WARNING [dovecot-pop3imap] Ban 121.77.204.112
2013-02-18 11:29:29,804 fail2ban.actions: WARNING [dovecot-pop3imap] Unban 121.77.204.112
2013-02-18 15:04:56,010 fail2ban.actions: WARNING [dovecot-pop3imap] Ban 124.205.11.230
2013-02-18 15:14:56,680 fail2ban.actions: WARNING [dovecot-pop3imap] Unban 124.205.11.230
2013-02-18 23:59:23,003 fail2ban.filter : INFO Log rotation detected for /var/log/syslo

No idea what was wrong but it's ok now :-)

#15 Ovidiu, 22nd February 2013, 18:36

One other error randomly popping up:

Quote:
2013-02-22 12:11:03,690 fail2ban.actions: WARNING [dovecot-pop3imap] Unban 80.87.204.216
2013-02-22 14:47:20,360 fail2ban.actions: WARNING [ssh] Ban 66.133.188.86
2013-02-22 14:47:20,365 fail2ban.actions.action: ERROR iptables -n -L INPUT | grep -q fail2ban-ssh returned 100
2013-02-22 14:47:20,366 fail2ban.actions.action: ERROR Invariant check failed. Trying to restore a sane environment
2013-02-22 14:47:20,375 fail2ban.actions.action: ERROR iptables -D INPUT -p tcp -m multiport --dports 2222 -j fail2ban-ssh
iptables -F fail2ban-ssh
iptables -X fail2ban-ssh returned 100
2013-02-22 15:47:20,857 fail2ban.actions: WARNING [ssh] Unban 66.133.188.86

Found a couple of threads that suggested editing iptables-multiport.conf and inserting a sleep command:

Quote:
actionstart = sleep `perl -e 'print rand(3);'`
              iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
              iptables -I INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>

but that didn't help. Anyone any other ideas?

#16 Parsec, 22nd February 2013, 22:42

The sleep isn't added to the iptables-multiport.conf. You need to change the Python code in the fail2ban-client (/usr/bin/fail2ban-client).

There are a few examples of how to do this on the web; you can see an example here:
http://www.fail2ban.org/wiki/index.p...rtup.2Frestart

#17 Ovidiu, 23rd February 2013, 00:07

I got my info from the exact same page; scroll a bit down and find this:

Quote:
Did not work on VPS hosted Ubuntu 10.04 systems (15th August 2011). The fixed delay time is too regular and still caused the same race condition. A successful resolution was to modify only the relevant action config (in this case iptables-multiport.conf) and insert a random sleep (0.0000 to 2.9999 seconds) before the iptables action, so actionstart becomes:
actionstart = sleep `perl -e 'print rand(3);'`
              iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
              iptables -I INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>

BUT I have now tried the other method you mentioned. Let's see how it goes.

#18 Parsec, 23rd February 2013, 00:36

You should notice if it works immediately. Once fail2ban-client is edited, just reload fail2ban (/etc/init.d/fail2ban reload) and check the log (/var/log/fail2ban).

#19 Ovidiu, 24th February 2013, 08:42

as I said above:
Quote:
one other error randomly popping up:
and not when restarting fail2ban otherwise I'd have picked it up earlier.

It just happened again, apparently at the first ban after it was restarted:

Quote:
2013-02-23 00:05:12,767 fail2ban.filter : INFO Set maxRetry = 5
2013-02-23 00:05:12,968 fail2ban.filter : INFO Set findtime = 18000
2013-02-23 00:05:13,068 fail2ban.actions: INFO Set banTime = 3600
2013-02-23 00:05:15,076 fail2ban.jail : INFO Jail 'dovecot-pop3imap' started
2013-02-23 00:05:15,177 fail2ban.jail : INFO Jail 'ssh-ddos' started
2013-02-23 00:05:15,277 fail2ban.jail : INFO Jail 'pureftpd' started
2013-02-23 00:05:15,378 fail2ban.jail : INFO Jail 'ssh' started
2013-02-23 00:05:15,479 fail2ban.jail : INFO Jail 'postfix' started
2013-02-23 00:05:15,580 fail2ban.jail : INFO Jail 'sasl' started
2013-02-23 23:59:51,615 fail2ban.filter : INFO Log rotation detected for /var/log/syslog
2013-02-24 08:39:41,726 fail2ban.actions: WARNING [pureftpd] Ban 62.75.146.19
2013-02-24 08:39:41,732 fail2ban.actions.action: ERROR iptables -n -L INPUT | grep -q fail2ban-pureftpd returned 100
2013-02-24 08:39:41,732 fail2ban.actions.action: ERROR Invariant check failed. Trying to restore a sane environment
2013-02-24 08:39:41,741 fail2ban.actions.action: ERROR iptables -D INPUT -p tcp -m multiport --dports ftp,ftp-data,ftps,ftps-data -j fail2ban-pureftpd
iptables -F fail2ban-pureftpd
iptables -X fail2ban-pureftpd returned 100
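
A log check for the failure mode reported in this thread, as an added example that is not part of any post or of fail2ban itself: it folds the multi-line ERROR records back together and lists bans that were immediately followed by a failed `grep -q fail2ban-<name>` check, so each one can be verified against the live INPUT chain. The sample log is constructed, and the `fail2ban-<jail>` chain naming and the 5-second window are assumptions taken from the log format quoted above.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the fail2ban.log format quoted in the thread (documentation-range IPs).
SAMPLE_LOG = """\
2013-02-24 08:10:00,200 fail2ban.actions: WARNING [ssh] Ban 192.0.2.10
2013-02-24 08:10:00,205 fail2ban.actions.action: ERROR iptables -n -L INPUT | grep -q fail2ban-ssh returned 100
2013-02-24 08:10:00,206 fail2ban.actions.action: ERROR Invariant check failed. Trying to restore a sane environment
2013-02-24 08:10:00,215 fail2ban.actions.action: ERROR iptables -D INPUT -p tcp -m multiport --dports 2222 -j fail2ban-ssh
iptables -F fail2ban-ssh
iptables -X fail2ban-ssh returned 100
2013-02-24 09:00:00,300 fail2ban.actions: WARNING [dovecot-pop3imap] Ban 198.51.100.7
2013-02-24 09:10:00,900 fail2ban.actions: WARNING [dovecot-pop3imap] Unban 198.51.100.7
"""

TS = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} (.*)$")
BAN = re.compile(r"WARNING \[([^\]]+)\] Ban (\S+)")
# Assumption: the chain is named fail2ban-<jail>, as in the thread's logs.
CHECK_FAIL = re.compile(r"ERROR .*grep -q fail2ban-(\S+) returned \d+")

def records(text):
    """Yield [datetime, message]; untimestamped lines join the preceding record."""
    current = None
    for line in text.splitlines():
        m = TS.match(line)
        if m:
            if current:
                yield current
            current = [datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2)]
        elif current and line.strip():
            current[1] += "\n" + line
    if current:
        yield current

def bans_to_verify(text, window=timedelta(seconds=5)):
    """Return (jail, ip, ban_time) for bans followed within `window` by a failed chain check."""
    last_ban, flagged = {}, []
    for when, msg in records(text):
        ban = BAN.search(msg)
        if ban:
            last_ban[ban.group(1)] = (when, ban.group(2))
        fail = CHECK_FAIL.search(msg)
        if fail and fail.group(1) in last_ban:
            ban_time, ip = last_ban.pop(fail.group(1))
            if when - ban_time <= window:
                flagged.append((fail.group(1), ip, str(ban_time)))
    return flagged
```

Calling `bans_to_verify()` on the contents of the real log returns one tuple per ban to look up in `iptables -n -L fail2ban-<name>`; a flagged ban is not necessarily missing, only unconfirmed.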