fail2ban log-changes after manual 6.2. and 6.3

Made once again fresh installation of Debian squeeze and ISPConfig3.

One thing I have noticed before, but now find out also time of change.

org log of fail2ban (I have set all to 3 maxtrials)

Code:

2011-03-27 07:24:43,861 fail2ban.server : INFO   Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.4-SVN
2011-03-27 07:24:43,862 fail2ban.jail   : INFO   Creating new jail 'ssh'
2011-03-27 07:24:43,862 fail2ban.jail   : INFO   Jail 'ssh' uses poller
2011-03-27 07:24:43,922 fail2ban.filter : INFO   Added logfile = /var/log/auth.log
2011-03-27 07:24:43,923 fail2ban.filter : INFO   Set maxRetry = 6
2011-03-27 07:24:43,924 fail2ban.filter : INFO   Set findtime = 600
2011-03-27 07:24:43,925 fail2ban.actions: INFO   Set banTime = 600
2011-03-27 07:24:43,994 fail2ban.jail   : INFO   Jail 'ssh' started
2011-03-27 07:28:24,470 fail2ban.jail   : INFO   Jail 'ssh' stopped
2011-03-27 07:28:24,470 fail2ban.server : INFO   Exiting Fail2ban
2011-03-27 07:28:24,877 fail2ban.server : INFO   Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.4-SVN
2011-03-27 07:28:24,878 fail2ban.jail   : INFO   Creating new jail 'courierimap'
2011-03-27 07:28:24,879 fail2ban.jail   : INFO   Jail 'courierimap' uses poller
2011-03-27 07:28:24,897 fail2ban.filter : INFO   Added logfile = /var/log/mail.log
2011-03-27 07:28:24,898 fail2ban.filter : INFO   Set maxRetry = 3
2011-03-27 07:28:24,899 fail2ban.filter : INFO   Set findtime = 600
2011-03-27 07:28:24,900 fail2ban.actions: INFO   Set banTime = 600
2011-03-27 07:28:24,907 fail2ban.jail   : INFO   Creating new jail 'courierpop3'
2011-03-27 07:28:24,908 fail2ban.jail   : INFO   Jail 'courierpop3' uses poller
2011-03-27 07:28:24,909 fail2ban.filter : INFO   Added logfile = /var/log/mail.log
2011-03-27 07:28:24,910 fail2ban.filter : INFO   Set maxRetry = 3
2011-03-27 07:28:24,911 fail2ban.filter : INFO   Set findtime = 600
2011-03-27 07:28:24,912 fail2ban.actions: INFO   Set banTime = 600
2011-03-27 07:28:24,919 fail2ban.jail   : INFO   Creating new jail 'courierpop3s'
2011-03-27 07:28:24,919 fail2ban.jail   : INFO   Jail 'courierpop3s' uses poller
2011-03-27 07:28:24,920 fail2ban.filter : INFO   Added logfile = /var/log/mail.log
2011-03-27 07:28:24,921 fail2ban.filter : INFO   Set maxRetry = 3
2011-03-27 07:28:24,923 fail2ban.filter : INFO   Set findtime = 600
2011-03-27 07:28:24,923 fail2ban.actions: INFO   Set banTime = 600
2011-03-27 07:28:24,931 fail2ban.jail   : INFO   Creating new jail 'pureftpd'
2011-03-27 07:28:24,931 fail2ban.jail   : INFO   Jail 'pureftpd' uses poller
2011-03-27 07:28:24,932 fail2ban.filter : INFO   Added logfile = /var/log/syslog
2011-03-27 07:28:24,933 fail2ban.filter : INFO   Set maxRetry = 3
2011-03-27 07:28:24,934 fail2ban.filter : INFO   Set findtime = 600
2011-03-27 07:28:24,935 fail2ban.actions: INFO   Set banTime = 600
2011-03-27 07:28:24,942 fail2ban.jail   : INFO   Creating new jail 'ssh'
2011-03-27 07:28:24,943 fail2ban.jail   : INFO   Jail 'ssh' uses poller
2011-03-27 07:28:24,944 fail2ban.filter : INFO   Added logfile = /var/log/auth.log
2011-03-27 07:28:24,945 fail2ban.filter : INFO   Set maxRetry = 6
2011-03-27 07:28:24,946 fail2ban.filter : INFO   Set findtime = 600
2011-03-27 07:28:24,947 fail2ban.actions: INFO   Set banTime = 600
2011-03-27 07:28:25,014 fail2ban.jail   : INFO   Creating new jail 'sasl'
2011-03-27 07:28:25,014 fail2ban.jail   : INFO   Jail 'sasl' uses poller
2011-03-27 07:28:25,015 fail2ban.filter : INFO   Added logfile = /var/log/mail.log
2011-03-27 07:28:25,016 fail2ban.filter : INFO   Set maxRetry = 3
2011-03-27 07:28:25,018 fail2ban.filter : INFO   Set findtime = 600
2011-03-27 07:28:25,019 fail2ban.actions: INFO   Set banTime = 600
2011-03-27 07:28:25,027 fail2ban.jail   : INFO   Creating new jail 'courierimaps'
2011-03-27 07:28:25,027 fail2ban.jail   : INFO   Jail 'courierimaps' uses poller
2011-03-27 07:28:25,028 fail2ban.filter : INFO   Added logfile = /var/log/mail.log
2011-03-27 07:28:25,029 fail2ban.filter : INFO   Set maxRetry = 3
2011-03-27 07:28:25,030 fail2ban.filter : INFO   Set findtime = 600
2011-03-27 07:28:25,031 fail2ban.actions: INFO   Set banTime = 600
2011-03-27 07:28:25,039 fail2ban.jail   : INFO   Jail 'courierimap' started
2011-03-27 07:28:25,044 fail2ban.jail   : INFO   Jail 'courierpop3' started
2011-03-27 07:28:25,050 fail2ban.jail   : INFO   Jail 'courierpop3s' started
2011-03-27 07:28:25,062 fail2ban.jail   : INFO   Jail 'pureftpd' started
2011-03-27 07:28:25,072 fail2ban.jail   : INFO   Jail 'ssh' started
2011-03-27 07:28:25,084 fail2ban.jail   : INFO   Jail 'sasl' started
2011-03-27 07:28:25,098 fail2ban.jail   : INFO   Jail 'courierimaps' started
2011-03-27 08:38:26,027 fail2ban.jail   : INFO   Jail 'courierpop3s' stopped
2011-03-27 08:38:27,023 fail2ban.jail   : INFO   Jail 'courierimap' stopped
2011-03-27 08:38:28,030 fail2ban.jail   : INFO   Jail 'ssh' stopped
2011-03-27 08:38:29,025 fail2ban.jail   : INFO   Jail 'courierimaps' stopped
2011-03-27 08:38:30,024 fail2ban.jail   : INFO   Jail 'pureftpd' stopped
2011-03-27 08:38:31,027 fail2ban.jail   : INFO   Jail 'sasl' stopped
2011-03-27 08:38:32,029 fail2ban.jail   : INFO   Jail 'courierpop3' stopped
2011-03-27 08:38:32,030 fail2ban.server : INFO   Exiting Fail2ban

After following manual to make system to use ssl in 8080

(with extra ln-link)
all seems to be working, but now fail2ban generates errors (but e.g, keeps blocking as release statements comes to log)

Code:

...
2011-03-27 08:47:20,621 fail2ban.actions: INFO   Set banTime = 600
2011-03-27 08:47:20,652 fail2ban.jail   : INFO   Jail 'courierimap' started
2011-03-27 08:47:20,667 fail2ban.jail   : INFO   Jail 'courierpop3' started
2011-03-27 08:47:20,679 fail2ban.jail   : INFO   Jail 'courierpop3s' started
2011-03-27 08:47:20,687 fail2ban.jail   : INFO   Jail 'pureftpd' started
2011-03-27 08:47:20,703 fail2ban.jail   : INFO   Jail 'ssh' started
2011-03-27 08:47:20,715 fail2ban.jail   : INFO   Jail 'sasl' started
2011-03-27 08:47:20,733 fail2ban.jail   : INFO   Jail 'courierimaps' started
2011-03-27 08:47:20,935 fail2ban.actions.action: ERROR  iptables -N fail2ban-courierpop3s
iptables -A fail2ban-courierpop3s -j RETURN
iptables -I INPUT -p tcp -m multiport --dports pop3s -j fail2ban-courierpop3s returned 200
2011-03-27 08:47:20,936 fail2ban.actions.action: ERROR  iptables -N fail2ban-ssh
iptables -A fail2ban-ssh -j RETURN
iptables -I INPUT -p tcp -m multiport --dports ssh -j fail2ban-ssh returned 200
2011-03-27 08:47:20,937 fail2ban.actions.action: ERROR  iptables -N fail2ban-sasl
iptables -A fail2ban-sasl -j RETURN
iptables -I INPUT -p tcp -m multiport --dports smtp -j fail2ban-sasl returned 200
2011-03-27 08:47:20,938 fail2ban.actions.action: ERROR  iptables -N fail2ban-courierimap
iptables -A fail2ban-courierimap -j RETURN
iptables -I INPUT -p tcp -m multiport --dports imap2 -j fail2ban-courierimap returned 200
2011-03-27 08:47:20,939 fail2ban.actions.action: ERROR  iptables -N fail2ban-pureftpd
iptables -A fail2ban-pureftpd -j RETURN
iptables -I INPUT -p tcp -m multiport --dports ftp -j fail2ban-pureftpd returned 200
2011-03-27 08:47:20,940 fail2ban.actions.action: ERROR  iptables -N fail2ban-courierimaps
iptables -A fail2ban-courierimaps -j RETURN
iptables -I INPUT -p tcp -m multiport --dports imaps -j fail2ban-courierimaps returned 200

What should I change to get fail2ban log back to nice-looking non-error mode?

 

What's in /etc/fail2ban/jail.local? What's the output of

Code:

ls -la /etc/fail2ban/filter.d/

?

 

Thanks for your support

Code:

xxxxx:~$ ls -la /etc/fail2ban/filter.d/
total 140
drwxr-xr-x 2 root root 4096 Mar 27 08:58 .
drwxr-xr-x 4 root root 4096 Mar 27 08:57 ..
-rw-r--r-- 1 root root  711 Feb  8  2009 apache-auth.conf
-rw-r--r-- 1 root root 2381 Jun 29  2010 apache-badbots.conf
-rw-r--r-- 1 root root  628 Oct 13  2008 apache-nohome.conf
-rw-r--r-- 1 root root  763 Feb  8  2009 apache-noscript.conf
-rw-r--r-- 1 root root  444 Mar  5  2008 apache-overflows.conf
-rw-r--r-- 1 root root 1039 Feb  8  2009 common.conf
-rw-r--r-- 1 root root  557 Mar 27 06:27 courierimap.conf
-rw-r--r-- 1 root root  561 Mar 27 06:28 courierimaps.conf
-rw-r--r-- 1 root root  616 Feb  8  2009 courierlogin.conf
-rw-r--r-- 1 root root  557 Mar 27 06:26 courierpop3.conf
-rw-r--r-- 1 root root  561 Mar 27 06:26 courierpop3s.conf
-rw-r--r-- 1 root root  591 Feb  8  2009 couriersmtp.conf
-rw-r--r-- 1 root root 1012 Feb  8  2009 cyrus-imap.conf
-rw-r--r-- 1 root root  613 Feb  8  2009 exim.conf
-rw-r--r-- 1 root root  447 May 21  2008 gssftpd.conf
-rw-r--r-- 1 root root  397 Aug 30  2009 lighttpd-fastcgi.conf
-rw-r--r-- 1 root root 1013 Feb  9  2009 named-refused.conf
-rw-r--r-- 1 root root  870 May 21  2008 pam-generic.conf
-rw-r--r-- 1 root root  867 Aug 30  2009 php-url-fopen.conf
-rw-r--r-- 1 root root  591 Feb  8  2009 postfix.conf
-rw-r--r-- 1 root root  866 Jun 29  2010 proftpd.conf
-rw-r--r-- 1 root root  806 Jun 29  2010 pure-ftpd.conf
-rw-r--r-- 1 root root  111 Mar 27 06:25 pureftpd.conf
-rw-r--r-- 1 root root  606 Feb  8  2009 qmail.conf
-rw-r--r-- 1 root root   72 Mar 27 08:58 roundcube.conf
-rw-r--r-- 1 root root  679 Feb  8  2009 sasl.conf
-rw-r--r-- 1 root root  581 Feb  3  2009 sieve.conf
-rw-r--r-- 1 root root 1649 Jun 29  2010 sshd.conf
-rw-r--r-- 1 root root  627 Feb  8  2009 sshd-ddos.conf
-rw-r--r-- 1 root root  700 Feb  8  2009 vsftpd.conf
-rw-r--r-- 1 root root  827 Feb  8  2009 webmin-auth.conf
-rw-r--r-- 1 root root  437 May 21  2008 wuftpd.conf
-rw-r--r-- 1 root root  848 Feb  8  2009 xinetd-fail.conf
xxxx :~$ 

 

What's in /etc/fail2ban/jail.local?

 

Sorry for delay - see enclosed (should be as per perfect server and then ssl-roundcube instructions, but only 3 trials)

Code:

[pureftpd]

enabled  = true
port     = ftp
filter   = pureftpd
logpath  = /var/log/syslog
maxretry = 3


[sasl]

enabled  = true
port     = smtp
filter   = sasl
logpath  = /var/log/mail.log
maxretry = 3


[courierpop3]

enabled  = true
port     = pop3
filter   = courierpop3
logpath  = /var/log/mail.log
maxretry = 3


[courierpop3s]

enabled  = true
port     = pop3s
filter   = courierpop3s
logpath  = /var/log/mail.log
maxretry = 3


[courierimap]

enabled  = true
port     = imap2
filter   = courierimap
logpath  = /var/log/mail.log
maxretry = 3


[courierimaps]

enabled  = true
port     = imaps
filter   = courierimaps
logpath  = /var/log/mail.log
maxretry = 3


[roundcube]
enabled  = true
port     = http,8080
filter   = roundcube
logpath  = /var/log/roundcube/userlogins
maxretry = 3
[webmin-auth]
enabled = true
port    = 10000
filter  = webmin-auth
logpath  = /var/log/auth.log
maxretry = 3 

Thanks for support....

 

What's the output of:

Code:

iptables -L -n 

 

This is how it looks:

Code:

# iptables -L -n

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
fail2ban-sasl  tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 25 
fail2ban-courierimaps  tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 993 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain fail2ban-courierimaps (1 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain fail2ban-sasl (1 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           
[email protected]:/home/asyamain# 

what next?

 

I think that not all of jails start.
Maybe this will help:
http://www.howtoforge.com/extending-perfect-server-debian-squeeze-ispconfig-3-p2
(make the change in /usr/bin/fail2ban-client)

or this one
http://www.howtoforge.com/forums/showthread.php?t=51599

 

Thanks for your help,

Now after changes looks like

Code:

# iptables -L -n 
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
fail2ban-sasl  tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 25 
fail2ban-roundcube  tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 80,8080 
fail2ban-courierimap  tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 143 
fail2ban-ssh  tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 22 
fail2ban-pureftpd  tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 21 
fail2ban-webmin-auth  tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 10000 
fail2ban-courierpop3s  tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 995 
fail2ban-courierimaps  tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 993 
fail2ban-courierpop3  tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 110 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain fail2ban-courierimap (1 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain fail2ban-courierimaps (1 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain fail2ban-courierpop3 (1 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain fail2ban-courierpop3s (1 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain fail2ban-pureftpd (1 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain fail2ban-roundcube (1 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain fail2ban-sasl (1 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain fail2ban-ssh (1 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain fail2ban-webmin-auth (1 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/0 

Does it look OK now?

 

ISPConfig3 monitor (Fail2Ban Log) looks better now (at least for newbee)

Code:

2011-04-08 09:13:57,025 fail2ban.server : INFO Exiting Fail2ban
2011-04-08 09:13:57,801 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.4-SVN
2011-04-08 09:13:57,853 fail2ban.jail : INFO Creating new jail 'courierpop3'
2011-04-08 09:13:57,853 fail2ban.jail : INFO Jail 'courierpop3' uses poller
2011-04-08 09:13:57,921 fail2ban.filter : INFO Added logfile = /var/log/mail.log
2011-04-08 09:13:57,973 fail2ban.filter : INFO Set maxRetry = 3
2011-04-08 09:13:58,074 fail2ban.filter : INFO Set findtime = 600
2011-04-08 09:13:58,125 fail2ban.actions: INFO Set banTime = 600
2011-04-08 09:13:58,682 fail2ban.jail : INFO Creating new jail 'courierimaps'
2011-04-08 09:13:58,683 fail2ban.jail : INFO Jail 'courierimaps' uses poller
2011-04-08 09:13:58,734 fail2ban.filter : INFO Added logfile = /var/log/mail.log
2011-04-08 09:13:58,785 fail2ban.filter : INFO Set maxRetry = 3
2011-04-08 09:13:58,886 fail2ban.filter : INFO Set findtime = 600
2011-04-08 09:13:58,937 fail2ban.actions: INFO Set banTime = 600
2011-04-08 09:13:59,495 fail2ban.jail : INFO Creating new jail 'courierpop3s'
2011-04-08 09:13:59,507 fail2ban.jail : INFO Jail 'courierpop3s' uses poller
2011-04-08 09:13:59,558 fail2ban.filter : INFO Added logfile = /var/log/mail.log
2011-04-08 09:13:59,609 fail2ban.filter : INFO Set maxRetry = 3
2011-04-08 09:13:59,710 fail2ban.filter : INFO Set findtime = 600
2011-04-08 09:13:59,761 fail2ban.actions: INFO Set banTime = 600
2011-04-08 09:14:00,320 fail2ban.jail : INFO Creating new jail 'webmin-auth'
2011-04-08 09:14:00,320 fail2ban.jail : INFO Jail 'webmin-auth' uses poller
2011-04-08 09:14:00,372 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2011-04-08 09:14:00,423 fail2ban.filter : INFO Set maxRetry = 3
2011-04-08 09:14:00,524 fail2ban.filter : INFO Set findtime = 600
2011-04-08 09:14:00,575 fail2ban.actions: INFO Set banTime = 600
2011-04-08 09:14:01,185 fail2ban.jail : INFO Creating new jail 'pureftpd'
2011-04-08 09:14:01,185 fail2ban.jail : INFO Jail 'pureftpd' uses poller
2011-04-08 09:14:01,236 fail2ban.filter : INFO Added logfile = /var/log/syslog
2011-04-08 09:14:01,287 fail2ban.filter : INFO Set maxRetry = 3
2011-04-08 09:14:01,389 fail2ban.filter : INFO Set findtime = 600
2011-04-08 09:14:01,440 fail2ban.actions: INFO Set banTime = 600
2011-04-08 09:14:01,998 fail2ban.jail : INFO Creating new jail 'ssh'
2011-04-08 09:14:01,998 fail2ban.jail : INFO Jail 'ssh' uses poller
2011-04-08 09:14:02,050 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2011-04-08 09:14:02,101 fail2ban.filter : INFO Set maxRetry = 6
2011-04-08 09:14:02,202 fail2ban.filter : INFO Set findtime = 600
2011-04-08 09:14:02,253 fail2ban.actions: INFO Set banTime = 600
2011-04-08 09:14:03,321 fail2ban.jail : INFO Creating new jail 'courierimap'
2011-04-08 09:14:03,321 fail2ban.jail : INFO Jail 'courierimap' uses poller
2011-04-08 09:14:03,373 fail2ban.filter : INFO Added logfile = /var/log/mail.log
2011-04-08 09:14:03,424 fail2ban.filter : INFO Set maxRetry = 3
2011-04-08 09:14:03,525 fail2ban.filter : INFO Set findtime = 600
2011-04-08 09:14:03,576 fail2ban.actions: INFO Set banTime = 600
2011-04-08 09:14:04,134 fail2ban.jail : INFO Creating new jail 'roundcube'
2011-04-08 09:14:04,135 fail2ban.jail : INFO Jail 'roundcube' uses poller
2011-04-08 09:14:04,186 fail2ban.filter : INFO Added logfile = /var/log/roundcube/userlogins
2011-04-08 09:14:04,237 fail2ban.filter : INFO Set maxRetry = 3
2011-04-08 09:14:04,338 fail2ban.filter : INFO Set findtime = 600
2011-04-08 09:14:04,389 fail2ban.actions: INFO Set banTime = 600
2011-04-08 09:14:04,440 fail2ban.filter : ERROR No 'host' group in 'FAILED login for .*. from '
2011-04-08 09:14:04,947 fail2ban.jail : INFO Creating new jail 'sasl'
2011-04-08 09:14:04,947 fail2ban.jail : INFO Jail 'sasl' uses poller
2011-04-08 09:14:04,999 fail2ban.filter : INFO Added logfile = /var/log/mail.log
2011-04-08 09:14:05,050 fail2ban.filter : INFO Set maxRetry = 3
2011-04-08 09:14:05,151 fail2ban.filter : INFO Set findtime = 600
2011-04-08 09:14:05,202 fail2ban.actions: INFO Set banTime = 600
2011-04-08 09:14:05,761 fail2ban.jail : INFO Jail 'courierpop3' started
2011-04-08 09:14:05,813 fail2ban.jail : INFO Jail 'courierimaps' started
2011-04-08 09:14:05,865 fail2ban.jail : INFO Jail 'courierpop3s' started
2011-04-08 09:14:05,917 fail2ban.jail : INFO Jail 'webmin-auth' started
2011-04-08 09:14:05,969 fail2ban.jail : INFO Jail 'pureftpd' started
2011-04-08 09:14:06,021 fail2ban.jail : INFO Jail 'ssh' started
2011-04-08 09:14:06,073 fail2ban.jail : INFO Jail 'courierimap' started
2011-04-08 09:14:06,125 fail2ban.jail : INFO Jail 'roundcube' started
2011-04-08 09:14:06,177 fail2ban.jail : INFO Jail 'sasl' started

I'll assume now OK - big thanks