fail2ban problem

Discussion in 'Server Operation' started by mmistroni, Mar 1, 2008.

  1. mmistroni

    mmistroni New Member

    hi all,
    i am installing fail2ban on my VPS running Ubunti Feisty Fawn server
    i have followed tutorial here

    http://www.howtoforge.com/fail2ban_debian_etch

    however, i am getting this exception from fail2ban.log

    fail2ban.comm : WARNING Invalid command:['set','proftpd', 'failregex', 'proftpd:\\(pam_unix\\) authentication failure


    would it be because i don't have proftpd?

    thanks and regards
    marco
     
  2. mmistroni

    mmistroni New Member

    Hello,
    i realized maybe if i post more information.... my problem will seem clearer.

    here's my jail.local
    Code:
    # Fail2Ban configuration file.
    #
    # This file was composed for Debian systems from the original one
    #  provided now under /usr/share/doc/fail2ban/examples/jail.conf
    #  for additional examples.
    #
    # To avoid merges during upgrades DO NOT MODIFY THIS FILE
    # and rather provide your changes in /etc/fail2ban/jail.local
    #
    # Author: Yaroslav O. Halchenko <[email protected]>
    #
    # $Revision: 281 $
    #
    
    # The DEFAULT allows a global definition of the options. They can be override
    # in each jail afterwards.
    
    [DEFAULT]
    
    # "ignoreip" can be an IP address, a CIDR mask or a DNS host
    ignoreip = 127.0.0.1 82.113.128.42
    bantime  = 600
    maxretry = 3
    
    # "backend" specifies the backend used to get files modification. Available
    # options are "gamin", "polling" and "auto".
    # yoh: For some reason Debian shipped python-gamin didn't work as expected
    #      This issue left ToDo, so polling is default backend for now
    backend = polling
    
    #
    # Destination email address used solely for the interpolations in
    # jail.{conf,local} configuration files.
    destemail = [email protected]
    
    #
    # ACTIONS
    #
    action = iptables[name=%(__name__)s, port=%(port)s]
    
    
    
    
    
    
    [ssh]
    
    enabled = true
    port	= ssh,sftp
    filter	= sshd
    logpath  = /var/log/auth.log
    maxretry = 6
    
    
    [ssh-ddos]
    
    enabled = false
    port    = ssh,sftp
    filter  = sshd-ddos
    logpath  = /var/log/auth.log
    maxretry = 6
    
    #
    # HTTP servers
    #
    
    [apache]
    
    enabled = true
    port	= http,https
    filter	= apache-auth
    logpath = /var/log/apache*/*error.log
    maxretry = 6
    
    # default action is now multiport, so apache-multiport jail was left
    # for compatibility with previous (<0.7.6-2) releases
    [apache-multiport]
    
    enabled   = false
    port	  = http,https
    filter	  = apache-auth
    logpath   = /var/log/apache*/*access.log
    maxretry  = 6
    
    [apache-noscript]
    
    enabled = false
    port    = http,https
    filter  = apache-noscript
    logpath = /var/log/apache*/*error.log
    maxretry = 6
    
    #
    # FTP servers
    #
    
    [vsftpd]
    
    enabled  = false
    port	 = ftp,ftp-data,ftps,ftps-data
    filter   = vsftpd
    logpath  = /var/log/.log
    logpath = /var/log/auth.log
    # if you want to rely on PAM failed login attempts
    # vsftpd's failregex should match both of those formats
    maxretry = 6
    
    
    [proftpd]
    
    enabled  = true
    port	 = ftp,ftp-data,ftps,ftps-data
    filter   = proftpd
    logpath  = /var/log/auth.log
    maxretry = 6
    
    
    [wuftpd]
    
    enabled  = false
    port	 = ftp,ftp-data,ftps,ftps-data
    filter   = wuftpd
    logpath  = /var/log/auth.log
    maxretry = 6
    
    
    #
    # Mail servers
    #
    
    [postfix]
    
    enabled  = false
    port	 = smtp,ssmtp
    filter   = postfix
    logpath  = /var/log/mail.log
    
    
    [couriersmtp]
    
    enabled  = false
    port	 = smtp,ssmtp
    filter   = couriersmtp
    logpath  = /var/log/mail.log
    
    
    #
    # Mail servers authenticators: might be used for smtp,ftp,imap servers, so
    # all relevant ports get banned
    #
    [courierpop3]
    
    enabled  = true
    port     = pop3
    filter   = courierlogin
    failregex = courierpop3login: LOGIN FAILED.*ip=\[.*:<HOST>\]
    logpath  = /var/log/mail.log
    maxretry = 5
    
    
    
    [courierimap]
    
    enabled  = true
    port     = imap2
    filter   = courierlogin
    failregex = imapd: LOGIN FAILED.*ip=\[.*:<HOST>\]
    logpath  = /var/log/mail.log
    maxretry = 5
    
    [sasl]
    
    #enabled  = true
    #port     = smtp
    #filter   = sasl
    #failregex = warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-#MD5) authentication failed
    #logpath  = /var/log/mail.log
    #maxretry = 5
    
    
    
    [sasl]
    
    enabled  = true
    port	 = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
    filter   = sasl
    logpath  = /var/log/mail.log
    
    and here's my fail2ban.log
    Code:
    2008-03-02 12:24:33,477 fail2ban.actions.action: INFO   Set actionBan = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
    2008-03-02 12:24:33,478 fail2ban.actions.action: INFO   Set actionStop = iptables -D INPUT -p <protocol> --dport <port> -j fail2ban-<name>
    iptables -F fail2ban-<name>
    iptables -X fail2ban-<name>
    2008-03-02 12:24:33,480 fail2ban.actions.action: INFO   Set actionStart = iptables -N fail2ban-<name>
    iptables -A fail2ban-<name> -j RETURN
    iptables -I INPUT -p <protocol> --dport <port> -j fail2ban-<name>
    2008-03-02 12:24:33,481 fail2ban.actions.action: INFO   Set actionUnban = iptables -D fail2ban-<name> -s <ip> -j DROP
    2008-03-02 12:24:33,482 fail2ban.actions.action: INFO   Set actionCheck = iptables -n -L INPUT | grep -q fail2ban-<name>
    2008-03-02 12:24:33,485 fail2ban.jail   : INFO   Using poller
    2008-03-02 12:24:33,485 fail2ban.filter : INFO   Created Filter
    2008-03-02 12:24:33,485 fail2ban.filter : INFO   Created FilterPoll
    2008-03-02 12:24:33,486 fail2ban.filter : INFO   Added logfile = /var/log/mail.log
    2008-03-02 12:24:33,487 fail2ban.filter : INFO   Set maxRetry = 5
    2008-03-02 12:24:33,488 fail2ban.comm   : WARNING Invalid command: ['set', 'courierpop3', 'failregex', 'courierpop3login: LOGIN FAILED.*ip=\\[.*:<HOST>\\]']
    

    anyone could help me for fixing the regex expression (as it seems to me that that is the problem)


    regards
    marco
     
  3. mmistroni

    mmistroni New Member

    oh, and here's my fail2ban.log
    Code:
    008-03-02 12:22:25,423 fail2ban.server : INFO   Exiting Fail2ban
    2008-03-02 12:24:33,461 fail2ban.jail   : INFO   Using poller
    2008-03-02 12:24:33,469 fail2ban.filter : INFO   Created Filter
    2008-03-02 12:24:33,469 fail2ban.filter : INFO   Created FilterPoll
    2008-03-02 12:24:33,470 fail2ban.filter : INFO   Added logfile = /var/log/auth.log
    2008-03-02 12:24:33,471 fail2ban.filter : INFO   Set maxRetry = 6
    2008-03-02 12:24:33,473 fail2ban.filter : INFO   Set findtime = 600
    2008-03-02 12:24:33,474 fail2ban.actions: INFO   Set banTime = 600
    2008-03-02 12:24:33,477 fail2ban.actions.action: INFO   Set actionBan = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
    2008-03-02 12:24:33,478 fail2ban.actions.action: INFO   Set actionStop = iptables -D INPUT -p <protocol> --dport <port> -j fail2ban-<name>
    iptables -F fail2ban-<name>
    iptables -X fail2ban-<name>
    2008-03-02 12:24:33,480 fail2ban.actions.action: INFO   Set actionStart = iptables -N fail2ban-<name>
    iptables -A fail2ban-<name> -j RETURN
    iptables -I INPUT -p <protocol> --dport <port> -j fail2ban-<name>
    2008-03-02 12:24:33,481 fail2ban.actions.action: INFO   Set actionUnban = iptables -D fail2ban-<name> -s <ip> -j DROP
    2008-03-02 12:24:33,482 fail2ban.actions.action: INFO   Set actionCheck = iptables -n -L INPUT | grep -q fail2ban-<name>
    2008-03-02 12:24:33,485 fail2ban.jail   : INFO   Using poller
    2008-03-02 12:24:33,485 fail2ban.filter : INFO   Created Filter
    2008-03-02 12:24:33,485 fail2ban.filter : INFO   Created FilterPoll
    2008-03-02 12:24:33,486 fail2ban.filter : INFO   Added logfile = /var/log/mail.log
    2008-03-02 12:24:33,487 fail2ban.filter : INFO   Set maxRetry = 5
    2008-03-02 12:24:33,488 fail2ban.comm   : WARNING Invalid command: ['set', 'courierpop3', 'failregex', 'courierpop3login: LOGIN FAILED.*ip=\\[.*:<HOST>\\]']
    
    regards
    marco
     
  4. falko

    falko Super Moderator ISPConfig Developer

    What's in /etc/fail2ban/filter.d/proftpd?
     
  5. mmistroni

    mmistroni New Member

    falko,
    thanks for replying on a sunday :)

    here's what's in proftpd.conf
    Code:
    # Fail2Ban configuration file
    #
    # Author: Yaroslav Halchenko
    #
    # $Revision: 510 $
    #
    
    [Definition]
    
    # Option: failregex
    # Notes.: regex to match the password failures messages in the logfile. The
    #          host must be matched by a group named "host". The tag "<HOST>" can
    #          be used for standard IP/hostname matching and is only an alias for
    #          (?:::f{4,6}:)?(?P<host>\S+)
    # Values: TEXT
    #
    failregex = USER \S+: no such user found from \S* ?\[<HOST>\] to \S+\s*$
    
    # Option:  ignoreregex
    # Notes.:  regex to ignore. If this regex matches, the line is ignored.
    # Values:  TEXT
    #
    ignoreregex = 
    
    HOwver to avoid problem i have 'disabled' all *ftp, in order to track down the problem. Now its' failing with courierpop3

    and here's the most recent failure, courierpop3
    Code:
    2008-03-02 14:57:47,249 fail2ban.comm   : WARNING Invalid command: ['set', 'courierpop3', 'failregex', 'courierpop3login: LOGIN FAILED.*ip=\\[.*:<HOST>\\]']
    
    here's what's in courierlogin.conf


    Code:
    # Fail2Ban configuration file
    #
    # Author: Christoph Haas
    # Modified by: Cyril Jaquier
    #
    # $Revision: 510 $
    #
    
    [Definition]
    
    # Option:  failregex
    # Notes.:  regex to match the password failures messages in the logfile. The
    #          host must be matched by a group named "host". The tag "<HOST>" can
    #          be used for standard IP/hostname matching and is only an alias for
    #          (?:::f{4,6}:)?(?P<host>\S+)
    # Values:  TEXT
    #
    failregex = LOGIN FAILED, .*, ip=\[<HOST>\]$
    
    # Option:  ignoreregex
    # Notes.:  regex to ignore. If this regex matches, the line is ignored.
    # Values:  TEXT
    #
    ignoreregex = 
    
    what am i missing?

    regards
    marco
     
  6. falko

    falko Super Moderator ISPConfig Developer

    Looks ok. Can you see anything like "\\(pam_unix\\) authentication failure" in any of the fail2ban configuration files?
     
  7. mmistroni

    mmistroni New Member

    falko,
    not in mail.log

    i have some in auth.log,
    it looks like this

    Code:
    (pam_unix) authentication failure; logname=uid=0 euid=0
    
    i m still keeping denyhost running, but it looks like when no auth failure is in the mail.log, i got the exception below
    and then it seems like fail2ban refuse to run....

    i might try to disable denyhost for a while and see how fail2ban perform, but it seems weird to me that fail2ban still does not update iptables based on , e.g., auth.log

    any more hints on what can cause the problem?
    if everything i have done looks ok, i'll try to disable denyhosts and have fail2ban run, to see if it work

    thanks and regards
    marco
     
  8. falko

    falko Super Moderator ISPConfig Developer

    Did you check the fail2ban configuration files (see my previous post)?
     
  9. mmistroni

    mmistroni New Member

    falko,
    just to make sure i undestand your question
    when you talk about fail2ban conf files, are you referring to all
    the logpath i am configurin in jail.local?

    regards
    marco
     
  10. falko

    falko Super Moderator ISPConfig Developer

    I mean all fail2ban configuration files in /etc/fail2ban and its subdirectories.
     

Share This Page