#1 dclardy, 8th September 2009, 17:25
Fail2Ban Configuration

I am receiving an error message from my fail2ban configuration, and I am wondering if anyone can help me with this.

Code:
2009-09-07 20:32:03,707 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.3
2009-09-07 20:32:03,717 fail2ban.jail : INFO Creating new jail 'courierpop3'
2009-09-07 20:32:03,717 fail2ban.jail : INFO Jail 'courierpop3' uses poller
2009-09-07 20:32:03,782 fail2ban.filter : INFO Added logfile = /var/log/mail.log
2009-09-07 20:32:03,783 fail2ban.filter : INFO Set maxRetry = 5
2009-09-07 20:32:03,784 fail2ban.comm : WARNING Invalid command: ['set', 'courierpop3', 'failregex', 'courierpop3login: LOGIN FAILED.*ip=\\[.*:\\]']

I copied exactly the information from falko's tutorial. It can be found here:

http://www.howtoforge.com/fail2ban_debian_etch

I am running on Debian Lenny. Thanks.

#2 falko, 9th September 2009, 15:37

What's in /etc/fail2ban/jail.local?

#3 dclardy, 9th September 2009, 16:42

Here is what I have in the file. It is exactly what you posted in your configuration.

Code:
[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1 192.168.1.100
bantime  = 600
maxretry = 3

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto".
# yoh: For some reason Debian shipped python-gamin didn't work as expected
#      This issue left ToDo, so polling is default backend for now
backend = polling

#
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = root@localhost

# Default action to take: ban only
action = iptables[name=%(__name__)s, port=%(port)s]


[ssh]

enabled = true
port    = ssh
filter  = sshd
logpath  = /var/log/auth.log
maxretry = 5


[apache]

enabled = true
port    = http
filter  = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 5


[apache-noscript]

enabled = false
port    = http
filter  = apache-noscript
logpath = /var/log/apache*/*error.log
maxretry = 5


[vsftpd]

enabled  = false
port     = ftp
filter   = vsftpd
logpath  = /var/log/auth.log
maxretry = 5


[proftpd]

enabled  = true
port     = ftp
filter   = proftpd
logpath  = /var/log/auth.log
failregex = proftpd: \(pam_unix\) authentication failure; .* rhost=<HOST>
maxretry = 5


[wuftpd]
enabled  = false
port     = ftp
filter   = wuftpd
logpath  = /var/log/auth.log
maxretry = 5


[postfix]

enabled  = false
port     = smtp
filter   = postfix
logpath  = /var/log/mail.log
maxretry = 5


[courierpop3]

enabled  = true
port     = pop3
filter   = courierlogin
failregex = courierpop3login: LOGIN FAILED.*ip=\[.*:<HOST>\]
logpath  = /var/log/mail.log
maxretry = 5


[courierimap]

enabled  = true
port     = imap2
filter   = courierlogin
failregex = imapd: LOGIN FAILED.*ip=\[.*:<HOST>\]
logpath  = /var/log/mail.log
maxretry = 5


[sasl]

enabled  = true
port     = smtp
filter   = sasl
failregex = warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed
logpath  = /var/log/mail.log
maxretry = 5

#4 dclardy, 11th September 2009, 04:43

Any update on this? An IP is attacking my ftp server, and it is not getting blocked. I would like to get this resolved.

Falko, I guess that I am really asking you for help.

#5 falko, 11th September 2009, 14:04

I have no idea what's wrong. The configuration seems to be ok.

#6 astewart, 11th September 2009, 16:19

Quote:
Originally Posted by dclardy
Any update on this? An IP is attacking my ftp server, and it is not getting blocked. I would like to get this resolved.

Falko, I guess that I am really asking you for help.


I'm not very familiar with 'Fail2Ban' but I noticed in your configuration file, you seem to be missing [pureftpd].

You have a few other ftp's in there but not [pureftpd].

Could this be the problem?

#7 dclardy, 11th September 2009, 16:43

I made the change to pureftpd. Tried to restart fail2ban, and it fails.

Falko,

Should your jail.local file work with Debian Lenny and ISPConfig 3.0.1.4?

I thought that it should still be fine. I guess that I am doing something wrong.

#8 astewart, 11th September 2009, 17:06

It looks like it's fairly easy to set up but I can't even get it to start.

Quote:
root@server:/etc/fail2ban/filter.d# /etc/init.d/fail2ban restart
* Restarting authentication failure monitor fail2ban [fail]

The log file for fail2ban is not telling me anything helpful either.
What's up with that?

#9 astewart, 11th September 2009, 17:27

After investigating a little further into this, it appears that I am missing the 'fail2ban.sock' file which should be in /var/run/fail2ban directory.

I've set the Log level to Debug but unfortunately nothing is being logged, even when I stop, start or restart it.

I can't find this file anywhere.

My setup:
Ubuntu 8.04, ISPCONFIG 3.0.1.4.

Does anyone have any ideas what I should do from here?

#10 giftsnake, 11th September 2009, 17:40

afaik the fail2ban.sock file gets generated when successfully starting the process!?

I would try to restore default configuration for fail2ban and then step by step insert the filters in your guide.
Reply With Quote
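
The thread ends with the advice to add the filters back one at a time. As an added example (not code from the thread or from the fail2ban project), this script checks the three mail-related failregex values from the posted jail.local against constructed log lines. The `<HOST>` expansion, the sample lines and the function names are assumptions made for the illustration.

```python
import re
from collections import Counter

# Simplified stand-in for fail2ban's <HOST> substitution (assumption; the
# expansion used inside fail2ban is more elaborate).
HOST_GROUP = r"(?P<host>[\w.-]+)"

# failregex values copied from the jail.local posted in the thread.
FAILREGEX = {
    "courierpop3": r"courierpop3login: LOGIN FAILED.*ip=\[.*:<HOST>\]",
    "courierimap": r"imapd: LOGIN FAILED.*ip=\[.*:<HOST>\]",
    "sasl": r"warning: [-._\w]+\[<HOST>\]: SASL "
            r"(?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed",
}
IGNOREIP = {"127.0.0.1", "192.168.1.100"}  # ignoreip from [DEFAULT]
MAXRETRY = 5                               # maxretry of the three jails

# Constructed mail.log lines using documentation addresses, not real logs.
POP3 = "Sep  7 20:31:0%d srv courierpop3login: LOGIN FAILED, user=info, ip=[::ffff:%s]"
SAMPLE_LOG = (
    [POP3 % (i, "203.0.113.7") for i in range(5)]      # reaches maxretry
    + [POP3 % (i, "192.168.1.100") for i in range(6)]  # listed in ignoreip
    + ["Sep  7 20:32:0%d srv imapd: LOGIN FAILED, user=bob, ip=[::ffff:198.51.100.23]" % i
       for i in range(2)]                              # below maxretry
    + ["Sep  7 20:33:00 srv postfix/smtpd[911]: warning: unknown[192.0.2.50]: "
       "SASL LOGIN authentication failed",
       "Sep  7 20:33:05 srv courierpop3login: LOGIN, user=info, ip=[::ffff:203.0.113.7]"]
)

def compile_jails(failregex=FAILREGEX):
    """Expand <HOST> and compile one pattern per jail."""
    return {j: re.compile(rx.replace("<HOST>", HOST_GROUP)) for j, rx in failregex.items()}

def count_failures(lines, jails, ignoreip=IGNOREIP):
    """Count matching lines per jail and host, skipping ignored hosts."""
    hits = {jail: Counter() for jail in jails}
    for line in lines:
        for jail, rx in jails.items():
            m = rx.search(line)
            if m and m.group("host") not in ignoreip:
                hits[jail][m.group("host")] += 1
    return hits

def would_ban(hits, maxretry=MAXRETRY):
    """Hosts at or above maxretry (no findtime window is modelled here)."""
    return {jail: sorted(h for h, n in c.items() if n >= maxretry) for jail, c in hits.items()}

if __name__ == "__main__":
    for jail, hosts in would_ban(count_failures(SAMPLE_LOG, compile_jails())).items():
        print(jail, hosts or "no ban")
```

Against a live log, the `fail2ban-regex` tool that ships with fail2ban does the matching with the real `<HOST>` expansion.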