fail2ban don't work !

Discussion in 'General' started by albertux, Jan 11, 2013.

  1. albertux

    albertux New Member

    I have done everything possible but nothing works.

    There is some documentation to work in Debian Squeeze with IPSConfig 3.

    I appreciate your feedback.
     
  2. SamTzu

    SamTzu Member HowtoForge Supporter

    Fail2ban has 2 different conf files. Check out the .local version.
     
  3. albertux

    albertux New Member

    Yes i know that ... and write the filters for the diferent service too, but nothing work ... :(

    My jail.local file :

    [pureftpd]

    enabled = true
    port = ftp
    filter = pure-ftpd
    logpath = /var/log/syslog
    maxretry = 3


    [sasl]

    enabled = true
    port = smtp
    filter = sasl
    logpath = /var/log/mail.log
    maxretry = 5


    [courierpop3]

    enabled = true
    port = pop3
    filter = courierpop3
    logpath = /var/log/mail.log
    maxretry = 5


    [courierpop3s]

    enabled = true
    port = pop3s
    filter = courierpop3s
    logpath = /var/log/mail.log
    maxretry = 5


    [courierimap]

    enabled = true
    port = imap2
    filter = courierimap
    logpath = /var/log/mail.log
    maxretry = 5


    [courierimaps]

    enabled = true
    port = imaps
    filter = courierimaps
    logpath = /var/log/mail.log
    maxretry = 5



    Thank you for your answer :)
     
  4. Ovidiu

    Ovidiu Active Member

    similar problem here, I manually tried to trigger fail2ban logging in anonymously into pure-ftp:

    my fail2ban settings:
    The logs look like this:

    I tested it and it should pick up the attempts:
    I found this version somewhere, which one is the right one:
    ###edit###
    The problem is fail2ban does absolutely nothing , just sits there looking pretty :-(
     
    Last edited: Feb 14, 2013
  5. Parsec

    Parsec New Member

    What is in /var/log/fail2ban.log?

    If nothing try restarting/reloading it and check that log. (debian = /etc/init.d/fail2ban reload)
     
  6. Ovidiu

    Ovidiu Active Member

    The log file only contains the normal operating logs:

     
  7. Parsec

    Parsec New Member

    Hmm, no real idea. The easiest one to check is the ssh jail, generally /var/log/auth.log will show attempts. Perhaps you might like to check the default "banaction" you have set in jail.conf. Generally the iptables-multiport one is the one to use. You might also need to define it's action in the jail.local eg;

    [pureftpd]
    enabled = true
    port = ftp,ftp-data,ftps,ftps-data
    filter = pure-ftpd
    action = %(action_mw)s
    logpath = /var/log/syslog
    maxretry = 3
     
  8. Ovidiu

    Ovidiu Active Member

    Not sure why I should check auth.log since THERE ARE attempts within syslog:

    the ban action is defined in jail.conf as follows:

    I just saw that fail2ban.conf has the option of raising the loglevel to debugging:

    Now lets see if anything interesting turns up in fail2ban's log file.

    Thanks for helping out so far!
     
  9. Parsec

    Parsec New Member

    I was referring to the ssh jail which uses the auth.log simply because this is the one that will get hit the most - more then ftp will. The fail2ban-regex is also just checking that the regex works. Having 19 successful matches doesn't indicate they occurred within the time frame for fail2ban to ban the attempts.
     
  10. Ovidiu

    Ovidiu Active Member

    I rarely have any attempts on SSH since I moved it to another port. BUT I jsut tried to anonymously log in via FTP 5x and found this in auth.log:

    Feb 17 00:15:04 h2118175 pure-ftpd: (?@85.214.249.219) [WARNING] Authentication failed for user [anonymous]

    So that is ok and indeed in fail2ban.log I see:

    The settings for this jail are:

    So I should have been blocked :-(
     
  11. Parsec

    Parsec New Member

    No. You have maxretry = 3 You'll need to make a few attempts within the time frame. So, really on the 4th attempt you should be blocked.
     
    Last edited: Feb 17, 2013
  12. Ovidiu

    Ovidiu Active Member

    Of course I tried it 5 times and set the findtime up to make sure it fires but still nothing.
     
  13. Parsec

    Parsec New Member

    Got me beat.. bet there is something simple somewhere in one of the config's that's causing the problem.. just a matter of finding it :)
     
  14. Ovidiu

    Ovidiu Active Member

    Solved it by completely removing it: apt-get remove --purge fail2ban

    and now all of a sudden its log file shows:

    No idea what was wrong but its ok now :)
     
  15. Ovidiu

    Ovidiu Active Member

    one other error randomly popping up:

    Found a couple of threads that suggested editing iptables-multiport.conf and inserting a sleep command:

    but that didn't help. Anyone any other ideas?
     
  16. Parsec

    Parsec New Member

  17. Ovidiu

    Ovidiu Active Member

    I got my info from the exact same page, scroll a bit down and find this:

    BUT I have now tried the other method you mentioned. Lets see how it goes.
     
  18. Parsec

    Parsec New Member

    You should notice if it works immediately.. once fail2ban-client is edited just reload fail2ban (/etc/init.d/fail2ban reload) and check the log (/var/log/fail2ban)
     
  19. Ovidiu

    Ovidiu Active Member

    as I said above:
    and not when restarting fail2ban otherwise I'd have picked it up earlier.

    It jsut happened again, apparently at the first ban after it was restarted:

     

Share This Page