#1
13th August 2009, 16:05
rlischer
Need help with fail2ban on centos 5.3

I need some help and clarity on what I need to do.

I went through the CentOS 5.3 perfect server setup. So iptables is off and fail2ban is on. I turned on the default firewall ports for the server in ISPConfig 3 admin. It works; I tested it by opening and closing a few ports.

ISPConfig 3 tells me "fail2ban is not installed at this server. See more (for debian) here..."


I try to ssh in as root and use bad passwords over and over; after about 6 or 7 tries I get the boot, then I can go right back and try again. Why is my IP not banned? And why does ISPConfig 3 say "fail2ban is not installed at this server"?

Thanks!!!



vi /etc/fail2ban/filter.d/sshd.conf
Code:
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 663 $
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf


[Definition]

_daemon = sshd

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$
            ^%(__prefix_line)sFailed [-/\w]+ for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$
            ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
            ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
            ^%(__prefix_line)sUser \S+ from <HOST> not allowed because not listed in AllowUsers$
            ^%(__prefix_line)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
            ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
            ^%(__prefix_line)sAddress <HOST> .* POSSIBLE BREAK-IN ATTEMPT\s*$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
vi /etc/fail2ban/jail.conf (with new "logpath = /var/log/secure" path)
Code:
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 617 $
#

# The DEFAULT allows a global definition of the options. They can be override
# in each jail afterwards.

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1

# "bantime" is the number of seconds that a host is banned.
bantime  = 600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 600

# "maxretry" is the number of failures before a host get banned.
maxretry = 3

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto". This option can be overridden in
# each jail too (use "gamin" for a jail and "polling" for another).
#
# gamin:   requires Gamin (a file alteration monitor) to be installed. If Gamin
#          is not installed, Fail2ban will use polling.
# polling: uses a polling algorithm which does not require external libraries.
# auto:    will choose Gamin if available and polling otherwise.
backend = auto


# This jail corresponds to the standard configuration in Fail2ban 0.6.
# The mail-whois action send a notification e-mail with a whois request
# in the body.

[ssh-iptables]

enabled  = false
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=you@mail.com, sender=fail2ban@mail.com]
logpath  = /var/log/secure
maxretry = 3

[proftpd-iptables]

enabled  = false
filter   = proftpd
action   = iptables[name=ProFTPD, port=ftp, protocol=tcp]
           sendmail-whois[name=ProFTPD, dest=you@mail.com]
logpath  = /var/log/proftpd/proftpd.log
My log file as I try to break in as root:
Code:
Aug 13 05:17:35 server sshd[10791]: PAM 7 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=66.42.154.202
Aug 13 05:17:35 server sshd[10791]: PAM service(sshd) ignoring max retries; 8 > 3
Aug 13 05:17:47 server sshd[10828]: reverse mapping checking getaddrinfo for fuse-dedicated-66-42-154-202.fuse.net failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 13 05:17:47 server sshd[10828]: Accepted password for root from 66.42.154.202 port 35685 ssh2
Aug 13 05:17:47 server sshd[10828]: pam_unix(sshd:session): session opened for user root by (uid=0)
Aug 13 05:23:17 server sshd[10828]: pam_unix(sshd:session): session closed for user root
Aug 13 05:25:13 server sshd[11212]: reverse mapping checking getaddrinfo for fuse-dedicated-66-42-154-202.fuse.net failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 13 05:25:13 server sshd[11212]: Accepted password for root from 66.42.154.202 port 39441 ssh2
Aug 13 05:25:13 server sshd[11212]: pam_unix(sshd:session): session opened for user root by (uid=0)
Aug 13 05:32:15 server sshd[11212]: pam_unix(sshd:session): session closed for user root
Aug 13 05:42:50 server sshd[12434]: reverse mapping checking getaddrinfo for fuse-dedicated-66-42-154-202.fuse.net failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 13 05:42:50 server sshd[12434]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=66.42.154.202  user=root
Aug 13 05:42:53 server sshd[12434]: Failed password for root from 66.42.154.202 port 48067 ssh2
Aug 13 05:43:27 server last message repeated 7 times
Aug 13 05:43:27 server sshd[12435]: Disconnecting: Too many authentication failures for root
Aug 13 05:43:27 server sshd[12434]: PAM 7 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=66.42.154.202  user=root
Aug 13 05:43:27 server sshd[12434]: PAM service(sshd) ignoring max retries; 8 > 3
Aug 13 05:43:38 server sshd[12472]: reverse mapping checking getaddrinfo for fuse-dedicated-66-42-154-202.fuse.net failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 13 05:43:38 server sshd[12472]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=66.42.154.202  user=root
Aug 13 05:43:41 server sshd[12472]: Failed password for root from 66.42.154.202 port 48627 ssh2
Aug 13 05:43:45 server sshd[12473]: fatal: Read from socket failed: Connection reset by peer
Aug 13 05:45:01 server sshd[12515]: reverse mapping checking getaddrinfo for fuse-dedicated-66-42-154-202.fuse.net failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 13 05:45:01 server sshd[12515]: Accepted password for root from 66.42.154.202 port 49833 ssh2
Aug 13 05:45:01 server sshd[12515]: pam_unix(sshd:session): session opened for user root by (uid=0)
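To see which of the /var/log/secure lines above the posted sshd.conf failregex actually picks up, and whether those hits alone would reach the jail's maxretry within findtime, here is an added example that is not part of the thread and not fail2ban's own code. It re-implements the filter matching and the jail's counting in Python; the PREFIX stand-in for fail2ban's common.conf `__prefix_line` is an assumption that only covers the syslog prefix seen in the log above, and the sample lines are taken from that log.

```python
import re
from datetime import datetime

# Stand-in for fail2ban's common.conf __prefix_line (assumption: covers only the
# "Mon DD HH:MM:SS host sshd[pid]: [pam_unix(sshd:auth):]" prefix seen in the log).
PREFIX = (r"\s*(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]:\s*"
          r"(?:pam_unix\(sshd:auth\):\s*)?")
HOST = r"(?:::f{4,6}:)?(?P<host>\S+)"  # what fail2ban substitutes for <HOST>
# failregex entries copied from the posted /etc/fail2ban/filter.d/sshd.conf
FAILREGEX = [
    r"(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$",
    r"Failed [-/\w]+ for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$",
    r"ROOT LOGIN REFUSED.* FROM <HOST>\s*$",
    r"[iI](?:llegal|nvalid) user .* from <HOST>\s*$",
    r"User \S+ from <HOST> not allowed because not listed in AllowUsers$",
    r"authentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* "
    r"rhost=<HOST>(?:\s+user=.*)?\s*$",
    r"refused connect from \S+ \(<HOST>\)\s*$",
    r"Address <HOST> .* POSSIBLE BREAK-IN ATTEMPT\s*$",
]
COMPILED = [re.compile("^" + PREFIX + p.replace("<HOST>", HOST)) for p in FAILREGEX]
# Sample input: lines taken from the /var/log/secure excerpt posted above. Note the
# syslog "last message repeated 7 times" line has no sshd prefix and is never counted.
LOG = """\
Aug 13 05:42:50 server sshd[12434]: reverse mapping checking getaddrinfo for fuse-dedicated-66-42-154-202.fuse.net failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 13 05:42:50 server sshd[12434]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=66.42.154.202  user=root
Aug 13 05:42:53 server sshd[12434]: Failed password for root from 66.42.154.202 port 48067 ssh2
Aug 13 05:43:27 server last message repeated 7 times
Aug 13 05:43:38 server sshd[12472]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=66.42.154.202  user=root
Aug 13 05:43:41 server sshd[12472]: Failed password for root from 66.42.154.202 port 48627 ssh2
""".splitlines()

def match_failure(line):
    """Return (timestamp, host) when a failregex matches the line, else None."""
    for rx in COMPILED:
        m = rx.match(line)
        if m:  # syslog omits the year, so only time differences are meaningful
            return datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"), m.group("host")
    return None

def first_banned_host(lines, maxretry=3, findtime=600):
    """Replay the jail's counting: ban once maxretry hits fall within findtime."""
    recent = {}
    for ts, host in filter(None, map(match_failure, lines)):
        recent[host] = [t for t in recent.get(host, []) if (ts - t).total_seconds() <= findtime] + [ts]
        if len(recent[host]) >= maxretry:
            return host
    return None
```

Only four of the six lines count as failures, but with maxretry = 3 and findtime = 600 that is still enough to ban the host, so a jail that is enabled and loading its configuration cleanly would have acted on this log.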
#2
13th August 2009, 21:53
rlischer

I did find 1 error on my part: "enabled = false" needs to be "enabled = true" in the jail config. It still takes 7 failed attempts to get dropped, and it does NOT ban my IP at all, so I can try to hack in all day.

It also shows up in my log now inside ISPConfig 3.

Code:
2009-08-13 11:42:58,295 fail2ban.jail : INFO Using Gamin
2009-08-13 11:42:58,301 fail2ban.filter : INFO Created Filter
2009-08-13 11:42:58,302 fail2ban.filter : INFO Created FilterGamin
2009-08-13 11:42:58,302 fail2ban.filter : INFO Added logfile = /var/log/secure
2009-08-13 11:42:58,305 fail2ban.filter : INFO Set maxRetry = 3
2009-08-13 11:42:58,306 fail2ban.filter : INFO Set findtime = 600
2009-08-13 11:42:58,306 fail2ban.actions: INFO Set banTime = 600
2009-08-13 11:42:58,329 fail2ban.actions.action: INFO Set actionBan = iptables -I fail2ban- 1 -s -j DROP
2009-08-13 11:42:58,329 fail2ban.actions.action: INFO Set actionStop = iptables -D INPUT -p --dport -j fail2ban-
iptables -F fail2ban-
iptables -X fail2ban-
2009-08-13 11:42:58,330 fail2ban.actions.action: INFO Set actionStart = iptables -N fail2ban-
iptables -A fail2ban- -j RETURN
iptables -I INPUT -p --dport -j fail2ban-
2009-08-13 11:42:58,330 fail2ban.actions.action: INFO Set actionUnban = iptables -D fail2ban- -s -j DROP
2009-08-13 11:42:58,331 fail2ban.actions.action: INFO Set actionCheck = iptables -n -L INPUT | grep -q fail2ban-
2009-08-13 11:42:58,332 fail2ban.actions.action: INFO Set actionBan = printf %b "Subject: [Fail2Ban] : banned 
From: Fail2Ban <>
To: \n
Hi,\n
The IP has just been banned by Fail2Ban after
attempts against .\n\n
Here are more information about :\n
`/usr/bin/whois `\n
Regards,\n
Fail2Ban" | /usr/sbin/sendmail -f 
2009-08-13 11:42:58,333 fail2ban.actions.action: INFO Set actionStop = printf %b "Subject: [Fail2Ban] : stopped
From: Fail2Ban <>
To: \n
Hi,\n
The jail has been stopped.\n
Regards,\n
Fail2Ban" | /usr/sbin/sendmail -f 
2009-08-13 11:42:58,333 fail2ban.actions.action: INFO Set actionStart = printf %b "Subject: [Fail2Ban] : started
From: Fail2Ban <>
To: \n
Hi,\n
The jail has been started successfully.\n
Regards,\n
Fail2Ban" | /usr/sbin/sendmail -f 
2009-08-13 11:42:58,334 fail2ban.actions.action: INFO Set actionUnban = 
2009-08-13 11:42:58,334 fail2ban.actions.action: INFO Set actionCheck = 
2009-08-13 11:42:58,335 fail2ban.jail : INFO Using Gamin
2009-08-13 11:42:58,335 fail2ban.filter : INFO Created Filter
2009-08-13 11:42:58,335 fail2ban.filter : INFO Created FilterGamin
2009-08-13 11:42:58,336 fail2ban.filter : INFO Set maxRetry = 3
2009-08-13 11:42:58,337 fail2ban.filter : INFO Set findtime = 600
2009-08-13 11:42:58,337 fail2ban.actions: INFO Set banTime = 300
2009-08-13 11:42:58,338 fail2ban.actions.action: INFO Set actionBan = IP= &&
printf %b "ALL: $IP\n" >> 
2009-08-13 11:42:58,339 fail2ban.actions.action: INFO Set actionStop = 
2009-08-13 11:42:58,339 fail2ban.actions.action: INFO Set actionStart = 
2009-08-13 11:42:58,340 fail2ban.actions.action: INFO Set actionUnban = IP= && sed -i.old /ALL:\ $IP/d 
2009-08-13 11:42:58,340 fail2ban.actions.action: INFO Set actionCheck = 
2009-08-13 11:42:58,341 fail2ban.actions.action: INFO Set actionBan = printf %b "Subject: [Fail2Ban] : banned 
From: Fail2Ban <>
To: \n
Hi,\n
The IP has just been banned by Fail2Ban after
attempts against .\n
Regards,\n
Fail2Ban" | /usr/sbin/sendmail -f 
2009-08-13 11:42:58,341 fail2ban.actions.action: INFO Set actionStop = printf %b "Subject: [Fail2Ban] : stopped
From: Fail2Ban <>
To: \n
Hi,\n
The jail has been stopped.\n
Regards,\n
Fail2Ban" | /usr/sbin/sendmail -f 
2009-08-13 11:42:58,342 fail2ban.actions.action: INFO Set actionStart = printf %b "Subject: [Fail2Ban] : started
From: Fail2Ban <>
To: \n
Hi,\n
The jail has been started successfully.\n
Regards,\n
Fail2Ban" | /usr/sbin/sendmail -f 
2009-08-13 11:42:58,342 fail2ban.actions.action: INFO Set actionUnban = 
2009-08-13 11:42:58,343 fail2ban.actions.action: INFO Set actionCheck = 
2009-08-13 11:42:58,344 fail2ban.jail : INFO Using Gamin
2009-08-13 11:42:58,344 fail2ban.filter : INFO Created Filter
2009-08-13 11:42:58,345 fail2ban.filter : INFO Created FilterGamin
2009-08-13 11:42:58,345 fail2ban.filter : INFO Set maxRetry = 3
2009-08-13 11:42:58,346 fail2ban.comm : WARNING Invalid command: ['set', 'ssh-tcpwrapper', 'ignoreregex', 'for myuser from']

Last edited by rlischer; 13th August 2009 at 22:27.
#3
13th August 2009, 22:02
rlischer

One more question: I see sendmail is used to email the admin if someone was banned. ISPConfig 3 does not use sendmail, right? Can this be changed to use the mail server used by ISPConfig 3?

Thanks
#4
14th August 2009, 11:47
falko (Super Moderator)

Postfix comes with a Sendmail binary for compatibility reasons, so that's no problem.