HowtoForge Forums > Linux Forums > HOWTO-Related Questions

#1  21st January 2009, 23:36
eeyore (Junior Member)
Fail2ban not working with FC10

I just upgraded Fedora from 8 to 10. Fail2ban worked very well in core 8 but now it is not working anymore. Fail2ban is running normal but it is not banning because the /var/log/secure log is different:

fc8:
Aug 3 14:53:34 monica sshd[3954]: Failed password for root from xxx.90.213.110 port 3231 ssh2

fc10:
2009-01-21T22:47:31.848351+02:00 monica sshd[16422]: Failed password for invalid user oracle from xxx.193.4.5 port 55490 ssh2

Fail2ban version is 0.8.3-16. Any solutions?
#2  21st January 2009, 23:53
marpada (Senior Member)

Add a new regular expression to the filter for sshd.conf

Last edited by marpada; 13th May 2011 at 02:05.
#3  22nd January 2009, 10:53
eeyore (Junior Member)

Ok, sounds good, but I have no idea how to do that. I guess the problem is the date stamp, so is there any chance to change the logger config back to the old mode?
#4  22nd January 2009, 14:35
falko (Super Moderator, Lüneburg, Germany)

What's in the sshd filter right now? What's in /etc/fail2ban/jail.conf?
#5  22nd January 2009, 14:56
eeyore (Junior Member)

/etc/fail2ban/jail.conf:
Code:
bantime = -1

findtime = 600

maxretry = 3

backend = auto

[ssh-iptables]

enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
logpath = /var/log/secure
maxretry = 2

[ftp-iptables]

enabled = true
filter = proftpd
action = iptables[name=ProFTPD, port=ftp, protocol=tcp]
logpath = /var/log/secure
maxretry = 3
/etc/fail2ban/filter.d/sshd.conf:
Code:
[INCLUDES]

before = common.conf

[Definition]

_daemon = sshd

failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$
            ^%(__prefix_line)sFailed [-/\w]+ for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$
            ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
            ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
            ^%(__prefix_line)sUser \S+ from <HOST> not allowed because not listed in AllowUsers$
            ^%(__prefix_line)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+us
            ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
            ^%(__prefix_line)sAddress <HOST> .* POSSIBLE BREAK-IN ATTEMPT\s*$

ignoreregex =
#6  23rd January 2009, 13:15
falko (Super Moderator)

Add the following line to the failregex stanza in sshd.conf and restart fail2ban:

Code:
^%(__prefix_line)sFailed [-/\w]+ for invalid user .* from <HOST>(?: port \d*)?(?: ssh\d*)?$
#7  23rd January 2009, 16:01
eeyore (Junior Member)

Thanks falko, I added the line but it is still not working.

It seems like there is a problem with the time, because if I run:

Code:
fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/sshd.conf
...
[4] 77 match(es)
...
Addresses found:
...
xxx.193.4.5 (Wed Jan 21 20:47:35 2009)
...
31157 hit(s): ISO 8601

Success, the total number of match is 181
But /var/log/secure says:

Code:
2009-01-21T22:47:35.525108+02:00 monica sshd[16424]: Invalid user test from xxx.193.4.5
What can I do with that?
#8  24th January 2009, 13:09
falko (Super Moderator)

That's a different error message; I think it should be covered by the
^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
regex.
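Falko's last two replies turn on which failregex fires for which line. The following added example (not fail2ban's own code) applies the failregex list posted in #5 to constructed lines in both the fc8 and fc10 formats quoted in #1 and #7, the way fail2ban-regex would: the timestamp is matched and cut off first, then each pattern is tried in order. It assumes a simplified __prefix_line and an IPv4-only <HOST> expansion (the real common.conf ones are more elaborate), and uses documentation-range addresses instead of the thread's masked ones.

```python
"""Apply the sshd failregex list from this thread to sample log lines.

Added example, not fail2ban's own code. fail2ban expands %(__prefix_line)s
(from common.conf) and replaces <HOST> with a capturing group before
compiling each failregex; the prefix and the IPv4-only <HOST> below are
simplified assumptions, the real ones are more elaborate.
"""
import re
from collections import Counter

# Assumption: a simplified __prefix_line that consumes "<host> sshd[<pid>]: "
# after the timestamp has been removed from the line.
PREFIX_LINE = r"\s*\S+\s+sshd(?:\[\d+\])?:\s+"
HOST_RE = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"  # IPv4 only, enough for the demo

# The failregex lines posted in #5 (the truncated PAM line is left out).
FAILREGEX = [
    r"^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$",
    r"^%(__prefix_line)sFailed [-/\w]+ for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$",
    r"^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$",
    r"^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$",
    r"^%(__prefix_line)sUser \S+ from <HOST> not allowed because not listed in AllowUsers$",
    r"^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$",
    r"^%(__prefix_line)sAddress <HOST> .* POSSIBLE BREAK-IN ATTEMPT\s*$",
]

# Both timestamp styles seen in the thread: classic syslog and rsyslog ISO 8601.
SYSLOG_TS = r"[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}"
ISO8601_TS = r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:[+-]\d{2}:\d{2}|Z)?"
DATE_RE = re.compile(r"^\s*(?:" + SYSLOG_TS + "|" + ISO8601_TS + ")")

# Constructed sample lines in the formats quoted in #1 and #7; the masked
# addresses of the thread are replaced with documentation-range ones.
SAMPLE_LINES = [
    "Aug 3 14:53:34 monica sshd[3954]: Failed password for root from 203.0.113.110 port 3231 ssh2",
    "2009-01-21T22:47:31.848351+02:00 monica sshd[16422]: Failed password for invalid user oracle from 203.0.113.5 port 55490 ssh2",
    "2009-01-21T22:47:35.525108+02:00 monica sshd[16424]: Invalid user test from 203.0.113.5",
    "2009-01-21T22:47:40.000000+02:00 monica sshd[16430]: Accepted publickey for admin from 203.0.113.9 port 50000 ssh2",
]


def compile_failregex(patterns):
    """Expand the fail2ban placeholders and compile each pattern."""
    return [re.compile(p.replace("%(__prefix_line)s", PREFIX_LINE)
                        .replace("<HOST>", HOST_RE)) for p in patterns]


COMPILED = compile_failregex(FAILREGEX)


def find_failure(line):
    """Return (index of the matching failregex, host) or None.

    The date is matched and cut off first, then the remainder is tried
    against each failregex in order, as fail2ban-regex reports them.
    """
    m = DATE_RE.match(line)
    if not m:
        return None  # no recognisable timestamp: fail2ban would skip the line
    rest = line[m.end():]
    for i, rx in enumerate(COMPILED):
        hit = rx.match(rest)
        if hit:
            return i, hit.group("host")
    return None


def addresses_found(lines):
    """Count failures per host, like the 'Addresses found' section of fail2ban-regex."""
    counts = Counter()
    for line in lines:
        hit = find_failure(line)
        if hit:
            counts[hit[1]] += 1
    return dict(counts)


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(find_failure(line), "<-", line[:60])
    print(addresses_found(SAMPLE_LINES))
```

Running it shows the fc10 "Failed password for invalid user oracle" line already caught by the generic `Failed [-/\w]+ for .* from <HOST>` pattern (the `.*` absorbs "invalid user oracle"), and the "Invalid user test" line caught by the `[iI](?:llegal|nvalid)` pattern, as falko says in #8; the extra line from #6 adds nothing on this box. What this reproduces is only the matching side of fail2ban-regex; it does not exercise the date handling that the rest of the thread turns out to be about.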
#9  25th January 2009, 17:37
eeyore (Junior Member)

When I run regex it works OK, but the time is wrong. For some reason it subtracts the 2 hours that are marked in the secure log (+02:00).

For example:
regex: xxx.193.4.5 (Wed Jan 21 20:47:35 2009) <->
secure log: 2009-01-21T22:47:35.525108+02:00

If I edit secure log timezone to +00:00 and run regex, the time is ok.

Should I change the fail2ban config somehow, the timezone settings, or what?
#10  9th February 2009, 10:25
eeyore (Junior Member)

Problem solved. This is a post from Cyril Jaquier:

Replace utctimetuple with timetuple in datetemplate.py.

Code:
 		if dateMatch:
 			# Parses the date.
 			value = dateMatch.group()
- -			date = list(iso8601.parse_date(value).utctimetuple())
+			date = list(iso8601.parse_date(value).timetuple())
 		return date
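Review bot: timetuple() discards the +02:00 offset rather than converting it, so the `+` line is only correct when the offset written in the log equals the host's own timezone. The caller evidently treats the returned fields as local wall-clock time (that is why the utctimetuple() version came out two hours early on a +02:00 host in #9), so for a log carrying a different offset, such as a file shipped from another machine or a stamp written in Z/UTC, the same class of error comes back in the other direction. A fix that holds for any offset would derive the epoch seconds from the aware datetime itself (for example calendar.timegm(parsed.utctimetuple()) where the caller wants UTC seconds) instead of passing a naive tuple on; at minimum the replaced line deserves a comment stating that the tuple is local wall-clock time with the offset dropped.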
https://sourceforge.net/tracker2/ind...32&atid=689044
The fix will be in 0.8.4.

Last edited by eeyore; 9th February 2009 at 10:29.
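The two-hour offset measured in #9 and the one-line fix in #10, worked through as an added example (not fail2ban's code and not Cyril Jaquier's patch). It assumes what the thread implies about fail2ban 0.8.3: the parsed log date becomes a time tuple, that tuple is read back as host-local wall-clock time (time.mktime() semantics, emulated here with an explicit host offset so the result does not depend on the machine running it), and only failures younger than findtime (600 s, from the jail.conf in #5) count toward a ban. The log line, the "now" instant one minute after the event and the 203.0.113.5 address are constructed. It also goes one step beyond the thread by showing what the timetuple() fix does when the host's clock is not in the log's +02:00 zone.

```python
"""Reproduce the two-hour offset from #9 and the utctimetuple/timetuple fix from #10.

Added example, not fail2ban's code. It assumes what the thread implies about
fail2ban 0.8.3: the parsed log date is turned into a time tuple, that tuple is
read back as host-local wall-clock time (time.mktime() semantics), and only
failures younger than findtime are counted toward a ban.
"""
from datetime import datetime, timedelta, timezone
import re

FINDTIME = 600  # seconds, from the jail.conf in #5

# Constructed log line in the Fedora 10 (rsyslog ISO 8601) format from #7;
# the masked address of the thread is replaced with a documentation one.
LOG_LINE = ("2009-01-21T22:47:35.525108+02:00 monica sshd[16424]: "
            "Invalid user test from 203.0.113.5")

ISO_TS = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?[+-]\d{2}:\d{2})")


def parse_log_time(line):
    """Timezone-aware datetime from the ISO 8601 stamp at the start of an rsyslog line."""
    m = ISO_TS.match(line)
    if not m:
        raise ValueError("no ISO 8601 timestamp at start of line")
    return datetime.fromisoformat(m.group(1))  # Python 3.7+ understands +02:00


def emulated_mktime(tt, host_offset_hours):
    """time.mktime() with the host timezone made explicit, so the demo is deterministic.

    mktime() knows nothing about the log's offset: it treats the tuple fields
    as wall-clock time in the host's own zone and returns Unix seconds.
    """
    host_tz = timezone(timedelta(hours=host_offset_hours))
    return datetime(*tt[:6], tzinfo=host_tz).timestamp()


def event_age(line, host_offset_hours, use_utctimetuple, now=None):
    """Seconds between `now` and the event, as the 0.8.3 (True) or 0.8.4 (False) code sees it."""
    dt = parse_log_time(line)
    # utctimetuple() shifts 22:47+02:00 to 20:47 UTC; timetuple() keeps 22:47 as written
    tt = dt.utctimetuple() if use_utctimetuple else dt.timetuple()
    if now is None:
        now = (dt + timedelta(seconds=60)).timestamp()  # constructed: one minute after the event
    return now - emulated_mktime(tt, host_offset_hours)


def counted_toward_ban(line, host_offset_hours, use_utctimetuple, now=None):
    """fail2ban only counts a failure if it happened within the last findtime seconds."""
    age = event_age(line, host_offset_hours, use_utctimetuple, now)
    return 0 <= age <= FINDTIME


if __name__ == "__main__":
    for label, utc in (("0.8.3 utctimetuple()", True), ("0.8.4 timetuple()   ", False)):
        print(label, "host at +02:00: age %6.0fs, counted: %s"
              % (event_age(LOG_LINE, 2, utc), counted_toward_ban(LOG_LINE, 2, utc)))
    # The caveat: the fix drops the offset instead of converting it, so a host
    # whose clock runs at UTC reads the same +02:00 line as two hours in the future.
    print("0.8.4 timetuple()    host at +00:00: age %6.0fs" % event_age(LOG_LINE, 0, False))
```

On a +02:00 host the 0.8.3 path sees a one-minute-old failure as 7260 s old, well past findtime, so nothing is ever counted and no ban follows, which is the symptom in #1; the timetuple() fix brings the age back to 60 s. The last line shows the price of that fix: the offset is dropped, not converted, so a host running at UTC would read the same line as nearly two hours in the future. A conversion that respects the offset (the aware datetime's own .timestamp(), as used for "now" here) is correct in both cases.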