Fail2ban (without iptables) doesn't work, why?

Discussion in 'Installation/Configuration' started by MET, May 21, 2010.

  1. MET

    MET New Member

    My externally hosted vserver runs Debian lenny stable. Fail2ban 0.8.3 (and iptables) have been installed with the package manager. The intention is to use fail2ban with the messages file from asterisk, i.e. without iptables. The configuration files for fail2ban are according to this howto.

    When I start fail2ban with
    /etc/init.d/fail2ban start
    no further information is given, so I thought it would work. Later I questioned whether it would require beforehand a
    /etc/init.d/fail2ban reload
    or a
    /etc/init.d/fail2ban restart
    and in both of these cases I obtain each time the result "failed!"

    How could I find out what is going wrong?

    Note: I'm not very familiar with Linux, I only use it in the context of the asterisk.
     
  2. MET

    MET New Member

    Fail2Ban works now. The reload has to be done with

    /usr/bin/fail2ban-client reload

    and not with
    /etc/init.d/fail2ban reload
    (as mentioned in the howto from Voip-Info.org)

    However, the log indicates that there is still an issue with the mail message (address changed here):
    Any ideas why the mail-message doesn't work? The mail address is on a different server. Could this be the reason?
     
  3. falko

    falko Super Moderator ISPConfig Developer

    Can you post your /etc/fail2ban/jail.conf?
     
  4. MET

    MET New Member

    Note that I tried with different mail-addresses. None of them is hosted on the same server:
    Code:
    # Fail2Ban configuration file
    ...
    # $Revision: 747 $
    ...
    
    [DEFAULT]
    
    bantime  = 600
    findtime  = 600
    maxretry = 3
    backend = auto
    
    
    [asterisk-iptables]
    
    enabled  = true
    filter   = asterisk
    action   = hostsdeny[name=ASTERISK, protocol=all]
               mail-whois[name=ASTERISK, dest=[email protected], sender=[email protected]]
    logpath  = /var/log/asterisk/messages
    # maxretry = 5
    # bantime = 259200
    maxretry = 3
    findtime = 300
    bantime = 600
    
    ...
    all other entries have: enabled=false
    
     
  5. MET

    MET New Member

    Fail2Ban fails to ban!

    I just had another attack. The settings in jail.conf were for manual testing, as sent before:

    maxretry = 3
    findtime = 300
    bantime = 600

    The log files show the following:

    Asterisk
    Code:
    [2010-05-22 16:04:05] NOTICE[29225] chan_sip.c: Registration from '"1249349713"<sip:[email protected]>' failed for '76.76.96.74' - No matching peer found
    [2010-05-22 16:04:05] NOTICE[29225] chan_sip.c: Registration from '"100"<sip:[email protected]>' failed for '76.76.96.74' - No matching peer found
    [2010-05-22 16:04:05] NOTICE[29225] chan_sip.c: Registration from '"101"<sip:[email protected]>' failed for '76.76.96.74' - No matching peer found
    [2010-05-22 16:04:05] NOTICE[29225] chan_sip.c: Registration from '"102"<sip:[email protected]>' failed for '76.76.96.74' - No matching peer found
    [2010-05-22 16:04:05] NOTICE[29225] chan_sip.c: Registration from '"103"<sip:[email protected]>' failed for '76.76.96.74' - No matching peer found
    [2010-05-22 16:04:05] NOTICE[29225] chan_sip.c: Registration from '"104"<sip:[email protected]>' failed for '76.76.96.74' - No matching peer found
    ....
    [2010-05-22 16:12:58] NOTICE[29225] chan_sip.c: Registration from '"9994"<sip:[email protected]>' failed for '76.76.96.74' - No matching peer found
    [2010-05-22 16:12:58] NOTICE[29225] chan_sip.c: Registration from '"9995"<sip:[email protected]>' failed for '76.76.96.74' - No matching peer found
    [2010-05-22 16:12:58] NOTICE[29225] chan_sip.c: Registration from '"9996"<sip:[email protected]>' failed for '76.76.96.74' - No matching peer found
    [2010-05-22 16:12:58] NOTICE[29225] chan_sip.c: Registration from '"9997"<sip:[email protected]>' failed for '76.76.96.74' - No matching peer found
    [2010-05-22 16:12:58] NOTICE[29225] chan_sip.c: Registration from '"9998"<sip:[email protected]>' failed for '76.76.96.74' - No matching peer found
    [2010-05-22 16:12:58] NOTICE[29225] chan_sip.c: Registration from '"9999"<sip:[email protected]>' failed for '76.76.96.74' - No matching peer found
    Fail2ban:
    Code:
    2010-05-22 16:04:06,632 fail2ban.actions: WARNING [asterisk-iptables] Ban 76.76.96.74
    2010-05-22 16:04:09,130 fail2ban.actions.action: ERROR  printf %b "Hi,\n
    The IP 76.76.96.74 has just been banned by Fail2Ban after
    11 attempts against ASTERISK.\n\n
    Here are more information about 76.76.96.74:\n
    `whois 76.76.96.74`\n
    Regards,\n
    Fail2Ban"|mail -s "[Fail2Ban] ASTERISK: banned 76.76.96.74" [email protected] returned 7f00
    2010-05-22 16:04:09,130 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
    2010-05-22 16:04:10,133 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
    2010-05-22 16:04:11,132 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
    2010-05-22 16:04:12,132 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
    2010-05-22 16:04:13,132 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
    2010-05-22 16:04:14,132 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
    2010-05-22 16:04:15,133 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
    2010-05-22 16:04:16,133 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
    2010-05-22 16:04:17,133 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
    ...
    2010-05-22 16:12:55,309 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
    2010-05-22 16:12:56,311 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
    2010-05-22 16:12:57,318 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
    2010-05-22 16:12:58,321 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
    2010-05-22 16:14:07,356 fail2ban.actions: WARNING [asterisk-iptables] Unban 76.76.96.74
    There are about 40 attacks per second whereas fail2ban reacts in about one second intervals only by reporting "already banned".

    Fail2ban also added the IP to the file /etc/hosts.deny.

    Why then hasn't the IP been blocked?
    Any suggestions/recommendations to get it working?
     
    Last edited: May 24, 2010
  6. make-fun

    make-fun Member

    What is the output of
    Code:
    grep -h "Ban " /var/log/fail2ban.log* | awk '{print $5,$1}' | sort | uniq -c
    Code:
    grep -h "already banned" /var/log/fail2ban.log* | awk '{print $5,$1}' | sort | uniq -c
    Code:
    grep -h "Unban " /var/log/fail2ban.log* | awk '{print $5,$1}' | sort | uniq -c
    Do they match?
     
  7. Ben

    Ben ISPConfig Developer ISPConfig Developer

    For my understanding, the hosts.allow / hosts.deny files are only for TCP-wrappered apps, which I assume Asterisk not to be.

    Why do you try to avoid using iptables?
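    Ben's point is the crux of the thread: /etc/hosts.deny is only consulted by programs linked against libwrap (TCP Wrappers) or started through tcpd/inetd, so a fail2ban hostsdeny action against anything else writes a line that nobody reads, and SIP traffic keeps arriving. The following script is an added example, not code from the thread or from fail2ban; it checks a binary's ldd output for libwrap and embeds two constructed ldd listings so the parser can be exercised offline. The `links_libwrap` and `check_binary` function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether a daemon can be
# blocked through /etc/hosts.deny at all. Only programs that link libwrap
# (TCP Wrappers) consult hosts.allow/hosts.deny; for anything else a
# fail2ban "hostsdeny" action has no effect on the traffic.

# Parse ldd-style output and report whether libwrap appears in it.
# Returns 0 (true) when libwrap is listed, 1 otherwise.
links_libwrap() {
    printf '%s\n' "$1" | grep -q 'libwrap\.so'
}

# Run ldd on a real binary found in PATH and print a verdict.
# Returns 0 if hosts.deny applies, 1 if not, 2 if the binary is missing.
# Assumes ldd is available (glibc systems such as the Debian box in the thread).
check_binary() {
    bin=$(command -v "$1" 2>/dev/null) || { echo "$1: not found in PATH"; return 2; }
    if links_libwrap "$(ldd "$bin" 2>/dev/null)"; then
        echo "$bin: links libwrap, hosts.deny entries apply"
        return 0
    else
        echo "$bin: does NOT link libwrap, hosts.deny has no effect on it (a firewall-based action is needed)"
        return 1
    fi
}

# Constructed ldd outputs for both cases (not captured from a real system).
LDD_WRAPPED='	linux-vdso.so.1 (0x00007ffd00000000)
	libwrap.so.0 => /lib/x86_64-linux-gnu/libwrap.so.0 (0x00007f0000000000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0100000000)'
LDD_UNWRAPPED='	linux-vdso.so.1 (0x00007ffd00000000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0100000000)'

# Stand-alone run: check the daemon named on the command line (default: asterisk).
check_binary "${1:-asterisk}" || true
```

Run it as `sh check-libwrap.sh asterisk` on the PBX host; if the verdict is "does NOT link libwrap", the hostsdeny action in jail.conf cannot stop the registration flood regardless of maxretry, findtime or bantime, which is exactly the "already banned" pattern seen in the fail2ban log above.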
     
  8. MET

    MET New Member

    Because asterisk is on an externally hosted vserver where I do not have access to the root.
     
  9. MET

    MET New Member

    I'm not sure whether I understand these commands, but they didn't show anything on the CLI. It could also be that I did a reload in the meantime. After the attack I checked the files:
    hosts.deny was empty, and hosts.allow contained the IP which attacked before. I interpreted this to be the result of the action command, which unbanned the IP after 10 min with bantime = 600.
     
  10. make-fun

    make-fun Member

    Where is your fail2ban logfile?
    Code:
    grep -h "Ban " /var/log/fail2ban.log* | awk '{print $5,$1}' | sort | uniq -c
    Should return a list with number of BANs per day and what filter was hit -- like here with postfix:
    Code:
        123 [postfix] 2010-05-16
        114 [postfix] 2010-05-17
         75 [postfix] 2010-05-18
         45 [postfix] 2010-05-20
        104 [postfix] 2010-05-21
        100 [postfix] 2010-05-22
        103 [postfix] 2010-05-23
         43 [postfix] 2010-05-24
    
    This is normally a good way to see if and what is happening, as you can compare "Ban ", "already banned" and "Unban ". If you get nothing there, fail2ban has never done anything for you, it seems.
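    The counting pipeline make-fun suggests, together with the log MET posted in post 5, can be turned into a small triage script. The script below is an added example, not code from the thread or from the fail2ban project: it writes a constructed fail2ban.log (modelled on the quoted lines, with one extra made-up IP from the 192.0.2.0/24 documentation range), reproduces the per-jail/per-day counts, and adds a check for the symptom in post 5, namely an IP that keeps producing "already banned" entries after its Ban, which means the ban action is not actually stopping the traffic. The `ban_stats` and `ineffective_bans` function names and the threshold argument are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): triage a fail2ban log the way
# make-fun's grep/awk pipeline does, plus a check for the symptom in post 5.
# An effective ban action stops further log hits from reaching the filter,
# so a stream of "already banned" lines after a Ban means the action is a no-op.

# Constructed sample log, modelled on the lines quoted in the thread.
SAMPLE_LOG="${TMPDIR:-/tmp}/fail2ban-sample.$$.log"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
2010-05-22 16:04:06,632 fail2ban.actions: WARNING [asterisk-iptables] Ban 76.76.96.74
2010-05-22 16:04:09,130 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
2010-05-22 16:04:10,133 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
2010-05-22 16:04:11,132 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
2010-05-22 16:14:07,356 fail2ban.actions: WARNING [asterisk-iptables] Unban 76.76.96.74
2010-05-23 03:10:00,001 fail2ban.actions: WARNING [asterisk-iptables] Ban 192.0.2.10
2010-05-23 03:20:01,002 fail2ban.actions: WARNING [asterisk-iptables] Unban 192.0.2.10
EOF

# Count one event type ("Ban ", "already banned" or "Unban ") per jail and day.
# Fields: $1 date, $2 time, $3 logger, $4 level, $5 [jail], rest = message.
# Output lines look like "<count> <jail> <date>", as in the thread's pipeline.
ban_stats() {
    grep -h "$1" "$2" | awk '{print $5,$1}' | sort | uniq -c | sed 's/^ *//'
}

# Print "<ip> <hits>" for every IP that logged at least $2 "already banned"
# events after its Ban. With a working action this list should stay empty.
ineffective_bans() {
    awk -v min="$2" '
        $6 == "Ban"                                   { banned[$7] = 1 }
        $7 == "already" && $8 == "banned" && banned[$6] { hits[$6]++ }
        END { for (ip in hits) if (hits[ip] >= min) print ip, hits[ip] }
    ' "$1" | sort
}

# Stand-alone run over the constructed log.
echo "== Bans per jail and day =="
ban_stats "Ban " "$SAMPLE_LOG"
echo "== Unbans per jail and day =="
ban_stats "Unban " "$SAMPLE_LOG"
echo "== IPs still hitting the filter after being banned (threshold 3) =="
ineffective_bans "$SAMPLE_LOG" 3
```

Point the functions at /var/log/fail2ban.log* instead of the sample file on a real host. A non-empty `ineffective_bans` list is the signal to look at the action line in jail.conf rather than at maxretry or findtime: the jail is detecting correctly, the block is simply not taking effect.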
     
  11. MET

    MET New Member

    As mentioned above, only the filter [asterisk-iptables] is enabled. Attacks on the asterisk occur very irregularly. Daily checks in the corresponding log files show that nothing has happened since the last one. I have now changed the parameters in jail.conf to

    maxretry = 5
    bantime = 259200

    thus not specifying a findtime. I will see how fail2ban is able to handle the next attack. I don't have much hope that it will improve. At least I would still be able to see whether fail2ban put the IP into the hosts.deny file or not. However, to my understanding, the log of the last attack actually indicates that the IP was first placed in the hosts.deny file. One finds there the three distinct actions "banned", "already banned" and "unban".
     
