fail2ban not working?

Discussion in 'Installation/Configuration' started by dynamind, Jul 16, 2013.

  1. dynamind

    dynamind New Member

    I've been monitoring the mail.log and curiously just in this moment
    I found

    http://pastebin.com/ZgnNB953

    fail2ban doesn't respond? I had to stop that with iptables drop.


    bR
     
    Last edited: Jul 16, 2013
  2. alexa6moon

    alexa6moon New Member

    I also have some trouble when follow instruction install ISPConfig 3 in Debian
    18 Install fail2ban
    /etc/init.d/fail2ban restart
    [ ok ] Restarting authentication failure monitor: fail2ban.
    I change
    nano /etc/fail2ban/jail.local
    filter = pureftpd
    on
    filter = pure-ftpd
    but still appear
    [ ok ] Restarting authentication failure monitor: fail2ban.

    Please me need help!
     
    Last edited: Sep 14, 2013
  3. MaddinXx

    MaddinXx HowtoForge Supporter

    Multiple problems here.

    1. http://regexr.com?36beu -- the regex doesn't match
    2. banaction = route -> is this wanted? Don't know what route does, but it's not IPTables (at least not the default)
    3. The restart is fine... nothing wrong there..

    you could try:

    ^.* warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:) [A-Za-z0-9+/]*={0,2})?$
     
  4. scarleo

    scarleo New Member

    I'd say go with CSF instead, it is much more powerful than Fail2ban and really easy to setup: http://configserver.com/cp/csf.html

    It's almost out of the box, very little configuration needed.
     
  5. concept21

    concept21 Member

    fail2ban sasl filter works for my Ubuntu 10.04. :)

    I have read from other posts here. The procedure is simple.


    Edit the failregex line in /etc/fail2ban/filter.d/sasl.conf as:

    failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed




    Edit /etc/fail2ban/jail.local:

    [sasl]
    ..
    logpath = /var/log/mail.warn




    DONE!
    This picture shows how fail2ban blocks hackers attacking from 3 different mail protocols.
     

    Attached Files:

    Last edited: Sep 17, 2013
  6. SamTzu

    SamTzu HowtoForge Supporter

    According to their home page CSF may require rewriting some regex rules on Debian. I don't like that at all.
     

Share This Page