Fail2Ban Configuration

Discussion in 'Installation/Configuration' started by dclardy, Sep 8, 2009.

  1. dclardy

    dclardy Member

    I am receiving an error message from my fail2ban configuration, and I am wondering if anyone can help me with this.

    Code:
    2009-09-07 20:32:03,707 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.3
    2009-09-07 20:32:03,717 fail2ban.jail : INFO Creating new jail 'courierpop3'
    2009-09-07 20:32:03,717 fail2ban.jail : INFO Jail 'courierpop3' uses poller
    2009-09-07 20:32:03,782 fail2ban.filter : INFO Added logfile = /var/log/mail.log
    2009-09-07 20:32:03,783 fail2ban.filter : INFO Set maxRetry = 5
    2009-09-07 20:32:03,784 fail2ban.comm : WARNING Invalid command: ['set', 'courierpop3', 'failregex', 'courierpop3login: LOGIN FAILED.*ip=\\[.*:\\]']
    I copied exactly the information from falko's tutorial. It can be found here.

    HTML:
    http://www.howtoforge.com/fail2ban_debian_etch
    I am running on Debian Lenny. Thanks.
     
  2. falko

    falko Super Moderator ISPConfig Developer

    What's in /etc/fail2ban/jail.local?
     
  3. dclardy

    dclardy Member

    Here is what I have in the file. It is exactly what you posted in your configuration.

    Code:
    [DEFAULT]
    
    # "ignoreip" can be an IP address, a CIDR mask or a DNS host
    ignoreip = 127.0.0.1 192.168.1.100
    bantime  = 600
    maxretry = 3
    
    # "backend" specifies the backend used to get files modification. Available
    # options are "gamin", "polling" and "auto".
    # yoh: For some reason Debian shipped python-gamin didn't work as expected
    #      This issue left ToDo, so polling is default backend for now
    backend = polling
    
    #
    # Destination email address used solely for the interpolations in
    # jail.{conf,local} configuration files.
    destemail = [email protected]
    
    # Default action to take: ban only
    action = iptables[name=%(__name__)s, port=%(port)s]
    
    
    [ssh]
    
    enabled = true
    port    = ssh
    filter  = sshd
    logpath  = /var/log/auth.log
    maxretry = 5
    
    
    [apache]
    
    enabled = true
    port    = http
    filter  = apache-auth
    logpath = /var/log/apache*/*error.log
    maxretry = 5
    
    
    [apache-noscript]
    
    enabled = false
    port    = http
    filter  = apache-noscript
    logpath = /var/log/apache*/*error.log
    maxretry = 5
    
    
    [vsftpd]
    
    enabled  = false
    port     = ftp
    filter   = vsftpd
    logpath  = /var/log/auth.log
    maxretry = 5
    
    
    [proftpd]
    
    enabled  = true
    port     = ftp
    filter   = proftpd
    logpath  = /var/log/auth.log
    failregex = proftpd: \(pam_unix\) authentication failure; .* rhost=<HOST>
    maxretry = 5
    
    
    [wuftpd]
    enabled  = false
    port     = ftp
    filter   = wuftpd
    logpath  = /var/log/auth.log
    maxretry = 5
    
    
    [postfix]
    
    enabled  = false
    port     = smtp
    filter   = postfix
    logpath  = /var/log/mail.log
    maxretry = 5
    
    
    [courierpop3]
    
    enabled  = true
    port     = pop3
    filter   = courierlogin
    failregex = courierpop3login: LOGIN FAILED.*ip=\[.*:<HOST>\]
    logpath  = /var/log/mail.log
    maxretry = 5
    
    
    [courierimap]
    
    enabled  = true
    port     = imap2
    filter   = courierlogin
    failregex = imapd: LOGIN FAILED.*ip=\[.*:<HOST>\]
    logpath  = /var/log/mail.log
    maxretry = 5
    
    
    [sasl]
    
    enabled  = true
    port     = smtp
    filter   = sasl
    failregex = warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed
    logpath  = /var/log/mail.log
    maxretry = 5
     
  4. dclardy

    dclardy Member

    Any update on this? An IP is attacking my ftp server, and it is not getting blocked. I would like to get this resolved.

    Falko, I guess that I really asking you for help.
     
  5. falko

    falko Super Moderator ISPConfig Developer

    I have no idea what's wrong. The configuration seems to be ok. :confused:
     
  6. astewart

    astewart ISPConfig Developer ISPConfig Developer



    I'm not very familiar with 'Fail2Ban' but I noticed in your configuration file, you seem to be missing [pureftpd].

    You have a few other ftp's in there but not [pureftpd].

    Could this be the problem?
     
  7. dclardy

    dclardy Member

    I made the change to pureftpd. Tried to restart fail2ban, and it fails.

    Falko,

    Should you jail.local file work with Debain Lenny and ISPConfig 3.0.1.4.

    I thought that it should still be fine. I guess that I am doing something wrong.
     
  8. astewart

    astewart ISPConfig Developer ISPConfig Developer

    It looks like it's fairly easy to setup but I can't even get it to start :(

    The log file for fail2ban is not telling me anything helpful either..
    Whats up with that?
     
  9. astewart

    astewart ISPConfig Developer ISPConfig Developer

    After investigating a little further into this, it appears that I am missing the 'fail2ban.sock' file which should be in /var/run/fail2ban directory.

    I've set the Log level to Debug but unfortunitly nothing is being logged, even when I stop, start or restart it.

    I can't find this file anywhere.

    My setup:
    Ubuntu 8.04, ISPCONFIG 3.0.1.4.

    Does anyone have any ideas what I should do from here?
     
  10. giftsnake

    giftsnake New Member

    afaik the fail2ban.sock file gets generated when successfully starting the process!?

    i would try to restore default configuration for fail2ban and then step by step insert the filters in your guide.
     
  11. dclardy

    dclardy Member

    Does anyone have a working configuration of Fail2Ban on ISPConfig 3.0.1.4? If so, please post this so that I can see what I am doing wrong!

    Thanks,
    Drew
     
  12. till

    till Super Moderator Staff Member ISPConfig Developer

    The Fial2ban config is not specific to ISPConfig. If you enter "fail2ban" in the search here on howtoforge, you will find several howtos from falko that explain the fail2ban configuration for different services and Linux distributions.
     

Share This Page