I made once again a fresh installation of Debian squeeze and ISPConfig3. One thing I had noticed before, but now I have also found out the time of the change. Original log of fail2ban (I have set all to 3 max tries):

Code:
2011-03-27 07:24:43,861 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.4-SVN
2011-03-27 07:24:43,862 fail2ban.jail : INFO Creating new jail 'ssh'
2011-03-27 07:24:43,862 fail2ban.jail : INFO Jail 'ssh' uses poller
2011-03-27 07:24:43,922 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2011-03-27 07:24:43,923 fail2ban.filter : INFO Set maxRetry = 6
2011-03-27 07:24:43,924 fail2ban.filter : INFO Set findtime = 600
2011-03-27 07:24:43,925 fail2ban.actions: INFO Set banTime = 600
2011-03-27 07:24:43,994 fail2ban.jail : INFO Jail 'ssh' started
2011-03-27 07:28:24,470 fail2ban.jail : INFO Jail 'ssh' stopped
2011-03-27 07:28:24,470 fail2ban.server : INFO Exiting Fail2ban
2011-03-27 07:28:24,877 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.4-SVN
2011-03-27 07:28:24,878 fail2ban.jail : INFO Creating new jail 'courierimap'
2011-03-27 07:28:24,879 fail2ban.jail : INFO Jail 'courierimap' uses poller
2011-03-27 07:28:24,897 fail2ban.filter : INFO Added logfile = /var/log/mail.log
2011-03-27 07:28:24,898 fail2ban.filter : INFO Set maxRetry = 3
2011-03-27 07:28:24,899 fail2ban.filter : INFO Set findtime = 600
2011-03-27 07:28:24,900 fail2ban.actions: INFO Set banTime = 600
2011-03-27 07:28:24,907 fail2ban.jail : INFO Creating new jail 'courierpop3'
2011-03-27 07:28:24,908 fail2ban.jail : INFO Jail 'courierpop3' uses poller
2011-03-27 07:28:24,909 fail2ban.filter : INFO Added logfile = /var/log/mail.log
2011-03-27 07:28:24,910 fail2ban.filter : INFO Set maxRetry = 3
2011-03-27 07:28:24,911 fail2ban.filter : INFO Set findtime = 600
2011-03-27 07:28:24,912 fail2ban.actions: INFO Set banTime = 600
2011-03-27 07:28:24,919 fail2ban.jail : INFO Creating new jail 'courierpop3s'
2011-03-27 07:28:24,919 fail2ban.jail : INFO Jail 'courierpop3s' uses poller
2011-03-27 07:28:24,920 fail2ban.filter : INFO Added logfile = /var/log/mail.log
2011-03-27 07:28:24,921 fail2ban.filter : INFO Set maxRetry = 3
2011-03-27 07:28:24,923 fail2ban.filter : INFO Set findtime = 600
2011-03-27 07:28:24,923 fail2ban.actions: INFO Set banTime = 600
2011-03-27 07:28:24,931 fail2ban.jail : INFO Creating new jail 'pureftpd'
2011-03-27 07:28:24,931 fail2ban.jail : INFO Jail 'pureftpd' uses poller
2011-03-27 07:28:24,932 fail2ban.filter : INFO Added logfile = /var/log/syslog
2011-03-27 07:28:24,933 fail2ban.filter : INFO Set maxRetry = 3
2011-03-27 07:28:24,934 fail2ban.filter : INFO Set findtime = 600
2011-03-27 07:28:24,935 fail2ban.actions: INFO Set banTime = 600
2011-03-27 07:28:24,942 fail2ban.jail : INFO Creating new jail 'ssh'
2011-03-27 07:28:24,943 fail2ban.jail : INFO Jail 'ssh' uses poller
2011-03-27 07:28:24,944 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2011-03-27 07:28:24,945 fail2ban.filter : INFO Set maxRetry = 6
2011-03-27 07:28:24,946 fail2ban.filter : INFO Set findtime = 600
2011-03-27 07:28:24,947 fail2ban.actions: INFO Set banTime = 600
2011-03-27 07:28:25,014 fail2ban.jail : INFO Creating new jail 'sasl'
2011-03-27 07:28:25,014 fail2ban.jail : INFO Jail 'sasl' uses poller
2011-03-27 07:28:25,015 fail2ban.filter : INFO Added logfile = /var/log/mail.log
2011-03-27 07:28:25,016 fail2ban.filter : INFO Set maxRetry = 3
2011-03-27 07:28:25,018 fail2ban.filter : INFO Set findtime = 600
2011-03-27 07:28:25,019 fail2ban.actions: INFO Set banTime = 600
2011-03-27 07:28:25,027 fail2ban.jail : INFO Creating new jail 'courierimaps'
2011-03-27 07:28:25,027 fail2ban.jail : INFO Jail 'courierimaps' uses poller
2011-03-27 07:28:25,028 fail2ban.filter : INFO Added logfile = /var/log/mail.log
2011-03-27 07:28:25,029 fail2ban.filter : INFO Set maxRetry = 3
2011-03-27 07:28:25,030 fail2ban.filter : INFO Set findtime = 600
2011-03-27 07:28:25,031 fail2ban.actions: INFO Set banTime = 600
2011-03-27 07:28:25,039 fail2ban.jail : INFO Jail 'courierimap' started
2011-03-27 07:28:25,044 fail2ban.jail : INFO Jail 'courierpop3' started
2011-03-27 07:28:25,050 fail2ban.jail : INFO Jail 'courierpop3s' started
2011-03-27 07:28:25,062 fail2ban.jail : INFO Jail 'pureftpd' started
2011-03-27 07:28:25,072 fail2ban.jail : INFO Jail 'ssh' started
2011-03-27 07:28:25,084 fail2ban.jail : INFO Jail 'sasl' started
2011-03-27 07:28:25,098 fail2ban.jail : INFO Jail 'courierimaps' started
2011-03-27 08:38:26,027 fail2ban.jail : INFO Jail 'courierpop3s' stopped
2011-03-27 08:38:27,023 fail2ban.jail : INFO Jail 'courierimap' stopped
2011-03-27 08:38:28,030 fail2ban.jail : INFO Jail 'ssh' stopped
2011-03-27 08:38:29,025 fail2ban.jail : INFO Jail 'courierimaps' stopped
2011-03-27 08:38:30,024 fail2ban.jail : INFO Jail 'pureftpd' stopped
2011-03-27 08:38:31,027 fail2ban.jail : INFO Jail 'sasl' stopped
2011-03-27 08:38:32,029 fail2ban.jail : INFO Jail 'courierpop3' stopped
2011-03-27 08:38:32,030 fail2ban.server : INFO Exiting Fail2ban

After following the manual to make the system use SSL on 8080 (with the extra ln link) all seems to be working, but now fail2ban generates errors (although it e.g. keeps blocking, as release statements come to the log):

Code:
...
2011-03-27 08:47:20,621 fail2ban.actions: INFO Set banTime = 600
2011-03-27 08:47:20,652 fail2ban.jail : INFO Jail 'courierimap' started
2011-03-27 08:47:20,667 fail2ban.jail : INFO Jail 'courierpop3' started
2011-03-27 08:47:20,679 fail2ban.jail : INFO Jail 'courierpop3s' started
2011-03-27 08:47:20,687 fail2ban.jail : INFO Jail 'pureftpd' started
2011-03-27 08:47:20,703 fail2ban.jail : INFO Jail 'ssh' started
2011-03-27 08:47:20,715 fail2ban.jail : INFO Jail 'sasl' started
2011-03-27 08:47:20,733 fail2ban.jail : INFO Jail 'courierimaps' started
2011-03-27 08:47:20,935 fail2ban.actions.action: ERROR iptables -N fail2ban-courierpop3s
iptables -A fail2ban-courierpop3s -j RETURN
iptables -I INPUT -p tcp -m multiport --dports pop3s -j fail2ban-courierpop3s returned 200
2011-03-27 08:47:20,936 fail2ban.actions.action: ERROR iptables -N fail2ban-ssh
iptables -A fail2ban-ssh -j RETURN
iptables -I INPUT -p tcp -m multiport --dports ssh -j fail2ban-ssh returned 200
2011-03-27 08:47:20,937 fail2ban.actions.action: ERROR iptables -N fail2ban-sasl
iptables -A fail2ban-sasl -j RETURN
iptables -I INPUT -p tcp -m multiport --dports smtp -j fail2ban-sasl returned 200
2011-03-27 08:47:20,938 fail2ban.actions.action: ERROR iptables -N fail2ban-courierimap
iptables -A fail2ban-courierimap -j RETURN
iptables -I INPUT -p tcp -m multiport --dports imap2 -j fail2ban-courierimap returned 200
2011-03-27 08:47:20,939 fail2ban.actions.action: ERROR iptables -N fail2ban-pureftpd
iptables -A fail2ban-pureftpd -j RETURN
iptables -I INPUT -p tcp -m multiport --dports ftp -j fail2ban-pureftpd returned 200
2011-03-27 08:47:20,940 fail2ban.actions.action: ERROR iptables -N fail2ban-courierimaps
iptables -A fail2ban-courierimaps -j RETURN
iptables -I INPUT -p tcp -m multiport --dports imaps -j fail2ban-courierimaps returned 200

What should I change to get the fail2ban log back to a nice-looking non-error mode?
Thanks for your support.

Code:
xxxxx:~$ ls -la /etc/fail2ban/filter.d/
total 140
drwxr-xr-x 2 root root 4096 Mar 27 08:58 .
drwxr-xr-x 4 root root 4096 Mar 27 08:57 ..
-rw-r--r-- 1 root root  711 Feb  8  2009 apache-auth.conf
-rw-r--r-- 1 root root 2381 Jun 29  2010 apache-badbots.conf
-rw-r--r-- 1 root root  628 Oct 13  2008 apache-nohome.conf
-rw-r--r-- 1 root root  763 Feb  8  2009 apache-noscript.conf
-rw-r--r-- 1 root root  444 Mar  5  2008 apache-overflows.conf
-rw-r--r-- 1 root root 1039 Feb  8  2009 common.conf
-rw-r--r-- 1 root root  557 Mar 27 06:27 courierimap.conf
-rw-r--r-- 1 root root  561 Mar 27 06:28 courierimaps.conf
-rw-r--r-- 1 root root  616 Feb  8  2009 courierlogin.conf
-rw-r--r-- 1 root root  557 Mar 27 06:26 courierpop3.conf
-rw-r--r-- 1 root root  561 Mar 27 06:26 courierpop3s.conf
-rw-r--r-- 1 root root  591 Feb  8  2009 couriersmtp.conf
-rw-r--r-- 1 root root 1012 Feb  8  2009 cyrus-imap.conf
-rw-r--r-- 1 root root  613 Feb  8  2009 exim.conf
-rw-r--r-- 1 root root  447 May 21  2008 gssftpd.conf
-rw-r--r-- 1 root root  397 Aug 30  2009 lighttpd-fastcgi.conf
-rw-r--r-- 1 root root 1013 Feb  9  2009 named-refused.conf
-rw-r--r-- 1 root root  870 May 21  2008 pam-generic.conf
-rw-r--r-- 1 root root  867 Aug 30  2009 php-url-fopen.conf
-rw-r--r-- 1 root root  591 Feb  8  2009 postfix.conf
-rw-r--r-- 1 root root  866 Jun 29  2010 proftpd.conf
-rw-r--r-- 1 root root  806 Jun 29  2010 pure-ftpd.conf
-rw-r--r-- 1 root root  111 Mar 27 06:25 pureftpd.conf
-rw-r--r-- 1 root root  606 Feb  8  2009 qmail.conf
-rw-r--r-- 1 root root   72 Mar 27 08:58 roundcube.conf
-rw-r--r-- 1 root root  679 Feb  8  2009 sasl.conf
-rw-r--r-- 1 root root  581 Feb  3  2009 sieve.conf
-rw-r--r-- 1 root root 1649 Jun 29  2010 sshd.conf
-rw-r--r-- 1 root root  627 Feb  8  2009 sshd-ddos.conf
-rw-r--r-- 1 root root  700 Feb  8  2009 vsftpd.conf
-rw-r--r-- 1 root root  827 Feb  8  2009 webmin-auth.conf
-rw-r--r-- 1 root root  437 May 21  2008 wuftpd.conf
-rw-r--r-- 1 root root  848 Feb  8  2009 xinetd-fail.conf
xxxx :~$
Sorry for the delay - see enclosed (it should be as per the Perfect Server and then the ssl-roundcube instructions, but with only 3 tries):

Code:
[pureftpd]
enabled = true
port = ftp
filter = pureftpd
logpath = /var/log/syslog
maxretry = 3

[sasl]
enabled = true
port = smtp
filter = sasl
logpath = /var/log/mail.log
maxretry = 3

[courierpop3]
enabled = true
port = pop3
filter = courierpop3
logpath = /var/log/mail.log
maxretry = 3

[courierpop3s]
enabled = true
port = pop3s
filter = courierpop3s
logpath = /var/log/mail.log
maxretry = 3

[courierimap]
enabled = true
port = imap2
filter = courierimap
logpath = /var/log/mail.log
maxretry = 3

[courierimaps]
enabled = true
port = imaps
filter = courierimaps
logpath = /var/log/mail.log
maxretry = 3

[roundcube]
enabled = true
port = http,8080
filter = roundcube
logpath = /var/log/roundcube/userlogins
maxretry = 3

[webmin-auth]
enabled = true
port = 10000
filter = webmin-auth
logpath = /var/log/auth.log
maxretry = 3

Thanks for the support....
This is how it looks:

Code:
# iptables -L -n
Chain INPUT (policy ACCEPT)
target                 prot opt source               destination
fail2ban-sasl          tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 25
fail2ban-courierimaps  tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 993

Chain FORWARD (policy ACCEPT)
target                 prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target                 prot opt source               destination

Chain fail2ban-courierimaps (1 references)
target                 prot opt source               destination
RETURN                 all  --  0.0.0.0/0            0.0.0.0/0

Chain fail2ban-sasl (1 references)
target                 prot opt source               destination
RETURN                 all  --  0.0.0.0/0            0.0.0.0/0

What next?
I think that not all of the jails start. Maybe this will help: http://www.howtoforge.com/extending-perfect-server-debian-squeeze-ispconfig-3-p2 (make the change in /usr/bin/fail2ban-client), or this one: http://www.howtoforge.com/forums/showthread.php?t=51599
Thanks for your help. Now, after the changes, it looks like this:

Code:
# iptables -L -n
Chain INPUT (policy ACCEPT)
target                 prot opt source               destination
fail2ban-sasl          tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 25
fail2ban-roundcube     tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 80,8080
fail2ban-courierimap   tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 143
fail2ban-ssh           tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 22
fail2ban-pureftpd      tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 21
fail2ban-webmin-auth   tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 10000
fail2ban-courierpop3s  tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 995
fail2ban-courierimaps  tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 993
fail2ban-courierpop3   tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 110

Chain FORWARD (policy ACCEPT)
target                 prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target                 prot opt source               destination

Chain fail2ban-courierimap (1 references)
target                 prot opt source               destination
RETURN                 all  --  0.0.0.0/0            0.0.0.0/0

Chain fail2ban-courierimaps (1 references)
target                 prot opt source               destination
RETURN                 all  --  0.0.0.0/0            0.0.0.0/0

Chain fail2ban-courierpop3 (1 references)
target                 prot opt source               destination
RETURN                 all  --  0.0.0.0/0            0.0.0.0/0

Chain fail2ban-courierpop3s (1 references)
target                 prot opt source               destination
RETURN                 all  --  0.0.0.0/0            0.0.0.0/0

Chain fail2ban-pureftpd (1 references)
target                 prot opt source               destination
RETURN                 all  --  0.0.0.0/0            0.0.0.0/0

Chain fail2ban-roundcube (1 references)
target                 prot opt source               destination
RETURN                 all  --  0.0.0.0/0            0.0.0.0/0

Chain fail2ban-sasl (1 references)
target                 prot opt source               destination
RETURN                 all  --  0.0.0.0/0            0.0.0.0/0

Chain fail2ban-ssh (1 references)
target                 prot opt source               destination
RETURN                 all  --  0.0.0.0/0            0.0.0.0/0

Chain fail2ban-webmin-auth (1 references)
target                 prot opt source               destination
RETURN                 all  --  0.0.0.0/0            0.0.0.0/0

Does it look OK now?
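The two iptables listings above differ in exactly the way the "not all of the jails start" reply describes: a jail can report "started" in fail2ban.log while its chain never gets hooked into INPUT because the iptables actionstart failed. The following is an added example, not code from this thread or from fail2ban, that automates that comparison: it reads the enabled jails from a jail.local fragment and the fail2ban-* jumps from `iptables -L -n` output and lists the jails whose chain is missing. Both inputs are constructed from what the thread posts, shortened to the parts the check needs.

```python
import configparser

# Constructed jail.local fragment: the jails enabled in this thread's posted
# configuration (port/filter/logpath omitted; only the section names matter here).
JAIL_LOCAL = """
[pureftpd]
enabled = true
[sasl]
enabled = true
[courierpop3]
enabled = true
[courierpop3s]
enabled = true
[courierimap]
enabled = true
[courierimaps]
enabled = true
[roundcube]
enabled = true
[webmin-auth]
enabled = true
"""

# Constructed `iptables -L -n` excerpt modelled on the "what next?" post: only
# two of the eight jails got their chain hooked into INPUT.
IPTABLES_BEFORE = """Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-sasl  tcp  --  0.0.0.0/0  0.0.0.0/0  multiport dports 25
fail2ban-courierimaps  tcp  --  0.0.0.0/0  0.0.0.0/0  multiport dports 993

Chain fail2ban-sasl (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
"""

def enabled_jails(jail_text):
    """Jail names that jail.local enables; each should own a fail2ban-<name> chain."""
    cp = configparser.ConfigParser()
    cp.read_string(jail_text)
    return [s for s in cp.sections() if cp.getboolean(s, "enabled", fallback=False)]

def input_chain_targets(iptables_text):
    """fail2ban-* chains that INPUT jumps to, in the order iptables lists them."""
    targets, in_input = [], False
    for line in iptables_text.splitlines():
        if line.startswith("Chain "):
            in_input = line.startswith("Chain INPUT ")   # ignore the per-jail chains
        elif in_input and line.startswith("fail2ban-"):
            targets.append(line.split()[0])
    return targets

def missing_chains(jail_text, iptables_text):
    """Enabled jails whose chain never reached INPUT, i.e. whose actionstart failed."""
    wanted = {"fail2ban-" + jail for jail in enabled_jails(jail_text)}
    return sorted(wanted - set(input_chain_targets(iptables_text)))
```

Running `missing_chains` against the second listing (after the fail2ban-client change) returns an empty list, which is the state the "Does it look OK now?" output shows.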
The ISPConfig3 monitor (Fail2Ban Log) looks better now (at least to a newbie):

Code:
2011-04-08 09:13:57,025 fail2ban.server : INFO Exiting Fail2ban
2011-04-08 09:13:57,801 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.4-SVN
2011-04-08 09:13:57,853 fail2ban.jail : INFO Creating new jail 'courierpop3'
2011-04-08 09:13:57,853 fail2ban.jail : INFO Jail 'courierpop3' uses poller
2011-04-08 09:13:57,921 fail2ban.filter : INFO Added logfile = /var/log/mail.log
2011-04-08 09:13:57,973 fail2ban.filter : INFO Set maxRetry = 3
2011-04-08 09:13:58,074 fail2ban.filter : INFO Set findtime = 600
2011-04-08 09:13:58,125 fail2ban.actions: INFO Set banTime = 600
2011-04-08 09:13:58,682 fail2ban.jail : INFO Creating new jail 'courierimaps'
2011-04-08 09:13:58,683 fail2ban.jail : INFO Jail 'courierimaps' uses poller
2011-04-08 09:13:58,734 fail2ban.filter : INFO Added logfile = /var/log/mail.log
2011-04-08 09:13:58,785 fail2ban.filter : INFO Set maxRetry = 3
2011-04-08 09:13:58,886 fail2ban.filter : INFO Set findtime = 600
2011-04-08 09:13:58,937 fail2ban.actions: INFO Set banTime = 600
2011-04-08 09:13:59,495 fail2ban.jail : INFO Creating new jail 'courierpop3s'
2011-04-08 09:13:59,507 fail2ban.jail : INFO Jail 'courierpop3s' uses poller
2011-04-08 09:13:59,558 fail2ban.filter : INFO Added logfile = /var/log/mail.log
2011-04-08 09:13:59,609 fail2ban.filter : INFO Set maxRetry = 3
2011-04-08 09:13:59,710 fail2ban.filter : INFO Set findtime = 600
2011-04-08 09:13:59,761 fail2ban.actions: INFO Set banTime = 600
2011-04-08 09:14:00,320 fail2ban.jail : INFO Creating new jail 'webmin-auth'
2011-04-08 09:14:00,320 fail2ban.jail : INFO Jail 'webmin-auth' uses poller
2011-04-08 09:14:00,372 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2011-04-08 09:14:00,423 fail2ban.filter : INFO Set maxRetry = 3
2011-04-08 09:14:00,524 fail2ban.filter : INFO Set findtime = 600
2011-04-08 09:14:00,575 fail2ban.actions: INFO Set banTime = 600
2011-04-08 09:14:01,185 fail2ban.jail : INFO Creating new jail 'pureftpd'
2011-04-08 09:14:01,185 fail2ban.jail : INFO Jail 'pureftpd' uses poller
2011-04-08 09:14:01,236 fail2ban.filter : INFO Added logfile = /var/log/syslog
2011-04-08 09:14:01,287 fail2ban.filter : INFO Set maxRetry = 3
2011-04-08 09:14:01,389 fail2ban.filter : INFO Set findtime = 600
2011-04-08 09:14:01,440 fail2ban.actions: INFO Set banTime = 600
2011-04-08 09:14:01,998 fail2ban.jail : INFO Creating new jail 'ssh'
2011-04-08 09:14:01,998 fail2ban.jail : INFO Jail 'ssh' uses poller
2011-04-08 09:14:02,050 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2011-04-08 09:14:02,101 fail2ban.filter : INFO Set maxRetry = 6
2011-04-08 09:14:02,202 fail2ban.filter : INFO Set findtime = 600
2011-04-08 09:14:02,253 fail2ban.actions: INFO Set banTime = 600
2011-04-08 09:14:03,321 fail2ban.jail : INFO Creating new jail 'courierimap'
2011-04-08 09:14:03,321 fail2ban.jail : INFO Jail 'courierimap' uses poller
2011-04-08 09:14:03,373 fail2ban.filter : INFO Added logfile = /var/log/mail.log
2011-04-08 09:14:03,424 fail2ban.filter : INFO Set maxRetry = 3
2011-04-08 09:14:03,525 fail2ban.filter : INFO Set findtime = 600
2011-04-08 09:14:03,576 fail2ban.actions: INFO Set banTime = 600
2011-04-08 09:14:04,134 fail2ban.jail : INFO Creating new jail 'roundcube'
2011-04-08 09:14:04,135 fail2ban.jail : INFO Jail 'roundcube' uses poller
2011-04-08 09:14:04,186 fail2ban.filter : INFO Added logfile = /var/log/roundcube/userlogins
2011-04-08 09:14:04,237 fail2ban.filter : INFO Set maxRetry = 3
2011-04-08 09:14:04,338 fail2ban.filter : INFO Set findtime = 600
2011-04-08 09:14:04,389 fail2ban.actions: INFO Set banTime = 600
2011-04-08 09:14:04,440 fail2ban.filter : ERROR No 'host' group in 'FAILED login for .*. from '
2011-04-08 09:14:04,947 fail2ban.jail : INFO Creating new jail 'sasl'
2011-04-08 09:14:04,947 fail2ban.jail : INFO Jail 'sasl' uses poller
2011-04-08 09:14:04,999 fail2ban.filter : INFO Added logfile = /var/log/mail.log
2011-04-08 09:14:05,050 fail2ban.filter : INFO Set maxRetry = 3
2011-04-08 09:14:05,151 fail2ban.filter : INFO Set findtime = 600
2011-04-08 09:14:05,202 fail2ban.actions: INFO Set banTime = 600
2011-04-08 09:14:05,761 fail2ban.jail : INFO Jail 'courierpop3' started
2011-04-08 09:14:05,813 fail2ban.jail : INFO Jail 'courierimaps' started
2011-04-08 09:14:05,865 fail2ban.jail : INFO Jail 'courierpop3s' started
2011-04-08 09:14:05,917 fail2ban.jail : INFO Jail 'webmin-auth' started
2011-04-08 09:14:05,969 fail2ban.jail : INFO Jail 'pureftpd' started
2011-04-08 09:14:06,021 fail2ban.jail : INFO Jail 'ssh' started
2011-04-08 09:14:06,073 fail2ban.jail : INFO Jail 'courierimap' started
2011-04-08 09:14:06,125 fail2ban.jail : INFO Jail 'roundcube' started
2011-04-08 09:14:06,177 fail2ban.jail : INFO Jail 'sasl' started

I'll assume it is OK now - big thanks.
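One line in that log still matters: `ERROR No 'host' group in 'FAILED login for .*. from '` means the roundcube failregex carries no `<HOST>` tag, so the jail starts but can never extract an address to ban, and the roundcube login log is effectively unprotected. The following is an added example, not code from this thread or from fail2ban: it reproduces that check, compiles a corrected regex (placing `<HOST>` at the end of the pattern is an assumption about the intended filter) the way fail2ban 0.8 expands the tag, and runs it over constructed roundcube userlogins lines with a maxretry of 3 as in the posted jail.local.

```python
import re

# Assumption: fail2ban 0.8 expands the <HOST> tag into a named group much like this
# before compiling a failregex; the pattern is paraphrased from that behaviour.
HOST_TAG = "<HOST>"
HOST_GROUP = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# The failregex reported in this thread's log, and the assumed corrected form.
BROKEN_FAILREGEX = "FAILED login for .*. from "
FIXED_FAILREGEX = "FAILED login for .*. from <HOST>"

# Constructed /var/log/roundcube/userlogins lines (addresses from RFC 5737 ranges).
SAMPLE_LOG = """
[08-Apr-2011 09:20:01 +0200]: FAILED login for alice from 192.0.2.10
[08-Apr-2011 09:20:05 +0200]: FAILED login for alice from 192.0.2.10
[08-Apr-2011 09:20:09 +0200]: Successful login for bob (ID: 2) from 198.51.100.7
[08-Apr-2011 09:20:14 +0200]: FAILED login for bob from 198.51.100.7
[08-Apr-2011 09:20:20 +0200]: FAILED login for admin from 192.0.2.10
""".strip().splitlines()

def failregex_error(failregex):
    """The complaint fail2ban logs for an unusable failregex, or None if it is fine."""
    if HOST_TAG not in failregex:
        return "No 'host' group in %r" % failregex
    return None

def compile_failregex(failregex):
    """Turn a fail2ban failregex into a Python regex with a named 'host' group."""
    err = failregex_error(failregex)
    if err:
        raise ValueError(err)
    return re.compile(failregex.replace(HOST_TAG, HOST_GROUP))

def matching_hosts(failregex, lines):
    """Host captured from every line the failregex matches, in log order."""
    rx = compile_failregex(failregex)
    return [m.group("host") for m in map(rx.search, lines) if m]

def hosts_over_limit(failregex, lines, maxretry=3):
    """Hosts with at least `maxretry` failures, i.e. the ones the jail would ban."""
    counts = {}
    for host in matching_hosts(failregex, lines):
        counts[host] = counts.get(host, 0) + 1
    return sorted(host for host, n in counts.items() if n >= maxretry)
```

`failregex_error(BROKEN_FAILREGEX)` yields exactly the message seen in the log, while the fixed regex picks out the client addresses and flags the one with three failures.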