need help with fail2ban install

Discussion in 'Server Operation' started by cruz, Jun 24, 2007.

  1. cruz

    cruz New Member

    I had to uninstall fail2ban because I deleted the wrong file. I reinstalled. When I got to the place where I was to create the file jail.local, I copied the file from your install, pasted it to Word, added my IP address for my laptop, then pasted it in the new file jail.local. When I restarted the program I got this error.
    HTML:
    server1:~# vi /etc/fail2ban/jail.local
    server1:~# /etc/init.d/fail2ban restart
    Restarting authentication failure monitor: fail2banTraceback (most recent call last):
      File "/usr/bin/fail2ban-client", line 333, in ?
        if client.start(sys.argv):
      File "/usr/bin/fail2ban-client", line 311, in start
        return self.__processCommand(args)
      File "/usr/bin/fail2ban-client", line 175, in __processCommand
        self.__readConfig()
      File "/usr/bin/fail2ban-client", line 315, in __readConfig
        self.__configurator.readAll()
      File "/usr/share/fail2ban/client/configurator.py", line 56, in readAll
        self.__jails.read()
      File "/usr/share/fail2ban/client/jailsreader.py", line 41, in read
        ConfigReader.read(self, "jail")
      File "/usr/share/fail2ban/client/configreader.py", line 57, in read
        SafeConfigParser.read(self, [bConf, bLocal])
      File "/usr/lib/python2.4/ConfigParser.py", line 267, in read
        self._read(fp, filename)
      File "/usr/lib/python2.4/ConfigParser.py", line 462, in _read
        raise MissingSectionHeaderError(fpname, lineno, line)
    ConfigParser.MissingSectionHeaderError: File contains no section headers.
    file: /etc/fail2ban/jail.local, line: 4
    'ignoreip = 127.0.0.1 192.168.1.101\n'
     failed!
    
    What does this all mean? It sounded like all I had to change was to add my IP to the ignoreip line.
     
  2. falko

    falko Super Moderator

    What's in /etc/fail2ban/jail.local?
     
  3. cruz

    cruz New Member

    here you go

    HTML:
    [DEFAULT]
    
    # "ignoreip" can be an IP address, a CIDR mask or a DNS host
    ignoreip = 127.0.0.1 192.168.1.101 192.168.1.102
    bantime  = 600
    maxretry = 3
    
    # "backend" specifies the backend used to get files modification. Available
    # options are "gamin", "polling" and "auto".
    # yoh: For some reason Debian shipped python-gamin didn't work as expected
    #      This issue left ToDo, so polling is default backend for now
    backend = polling
    
    #
    # Destination email address used solely for the interpolations in
    # jail.{conf,local} configuration files.
    destemail = root@localhost
    
    # Default action to take: ban only
    action = iptables[name=%(__name__)s, port=%(port)s]
    
    
    [ssh]
    
    enabled = true
    port    = ssh
    filter  = sshd
    logpath  = /var/log/auth.log
    maxretry = 5
    
    
    [apache]
    
    enabled = true
    port    = http
    filter  = apache-auth
    logpath = /var/log/apache*/*error.log
    maxretry = 5
    
    
    [apache-noscript]
    
    enabled = false
    port    = http
    filter  = apache-noscript
    logpath = /var/log/apache*/*error.log
    maxretry = 5
    
    
    [vsftpd]
    
    enabled  = false
    port     = ftp
    filter   = vsftpd
    logpath  = /var/log/auth.log
    maxretry = 5
    
    
    [proftpd]
    
    enabled  = true
    port     = ftp
    filter   = proftpd
    logpath  = /var/log/auth.log
    failregex = proftpd: \(pam_unix\) authentication failure; .* rhost=<HOST>
    maxretry = 5
    
    
    [wuftpd]
    
    enabled  = false
    port     = ftp
    filter   = wuftpd
    logpath  = /var/log/auth.log
    maxretry = 5
    
    
    [postfix]
    
    enabled  = false
    port     = smtp
    filter   = postfix
    logpath  = /var/log/mail.log
    maxretry = 5
    
    
    [courierpop3]
    
    enabled  = true
    port     = pop3
    filter   = courierlogin
    failregex = courierpop3login: LOGIN FAILED.*ip=\[.*:<HOST>\]
    logpath  = /var/log/mail.log
    maxretry = 5
    
    
    [courierimap]
    
    enabled  = true
    port     = imap2
    filter   = courierlogin
    failregex = imapd: LOGIN FAILED.*ip=\[.*:<HOST>\]
    logpath  = /var/log/mail.log
    maxretry = 5
    
    
    [sasl]
    
    enabled  = true
    port     = smtp
    filter   = sasl
    failregex = warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed
    logpath  = /var/log/mail.log
    maxretry = 5

    This is the file I had copied to a text doc. When I checked the file in /etc/fail2ban/jail.local it had a missing part in the front of the file. I fixed it and then restarted it and got this. Is this the correct response after the restart? (Restarting authentication failure monitor: fail2ban) Then it ends up at the command prompt.
     
    Last edited: Jun 26, 2007
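
The `MissingSectionHeaderError` from the first post can be reproduced and caught before the service is restarted. This is an added example, not part of the thread or of fail2ban's own code: `check_jail_config`, the sample strings, and the stray-bracket and `ignoreip` checks (which go beyond the error shown) are illustrative assumptions, and it uses Python 3's `configparser` rather than the Python 2.4 `ConfigParser` in the traceback.

```python
import configparser
import ipaddress
import re

# Loose DNS-name check for ignoreip entries that are not IPs or CIDR ranges.
HOSTNAME = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$")


def check_jail_config(text, name="jail.local"):
    """Return a list of problems found in jail configuration text."""
    # RawConfigParser leaves %(port)s-style placeholders in values untouched.
    parser = configparser.RawConfigParser()
    try:
        parser.read_string(text, source=name)
    except configparser.MissingSectionHeaderError as exc:
        # Same failure as the traceback: an option before any [section] line.
        return ["%s line %d: %r comes before any [section] header"
                % (name, exc.lineno, exc.line.strip())]
    except configparser.Error as exc:
        return ["%s: %s" % (name, exc)]

    problems = []
    for section in parser.sections():
        # "[[ssh]" parses as a section literally named "[ssh".
        if "[" in section or "]" in section:
            problems.append("section name %r has a stray bracket" % section)
    for token in parser.defaults().get("ignoreip", "").split():
        try:
            ipaddress.ip_network(token, strict=False)
        except ValueError:
            if not HOSTNAME.match(token):
                problems.append("ignoreip entry %r is not an IP, CIDR or host"
                                % token)
    return problems


# Constructed sample: the [DEFAULT] line was lost while pasting.
TRUNCATED = """
# constructed sample, first line of the file is missing
# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1 192.168.1.101
bantime  = 600
maxretry = 3
action = iptables[name=%(__name__)s, port=%(port)s]
"""

# Constructed sample: header restored, one jail defined.
REPAIRED = "[DEFAULT]" + TRUNCATED + "\n[ssh]\nenabled = true\nport = ssh\n"

# Constructed sample: trailing comma on an address, doubled bracket on a jail.
TYPOS = "[DEFAULT]\nignoreip = 127.0.0.1, 192.168.1.101\n\n[[ssh]\nenabled = true\n"

if __name__ == "__main__":
    for label, sample in (("truncated", TRUNCATED), ("repaired", REPAIRED),
                          ("typos", TYPOS)):
        print(label, check_jail_config(sample) or "OK")
```

Running the check on the edited file before `/etc/init.d/fail2ban restart` shows the offending line number without stopping a working daemon.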
  4. falko

    falko Super Moderator

    Can you check the output of
    Code:
    ps aux
    to see if it's running? If it is, I think you're good to go. :)
     
  5. cruz

    cruz New Member

    results from ps aux

    I do not see it on here.
    HTML:
    larry@server1:~$ ps aux
    USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
    root         1  0.0  0.2   1944   652 ?        Ss   09:55   0:01 init [2]
    root         2  0.0  0.0      0     0 ?        S    09:55   0:00 [migration/0]
    root         3  0.0  0.0      0     0 ?        SN   09:55   0:00 [ksoftirqd/0]
    root         4  0.0  0.0      0     0 ?        S<   09:55   0:00 [events/0]
    root         5  0.0  0.0      0     0 ?        S<   09:55   0:00 [khelper]
    root         6  0.0  0.0      0     0 ?        S<   09:55   0:00 [kthread]
    root         9  0.0  0.0      0     0 ?        S<   09:55   0:00 [kblockd/0]
    root        10  0.0  0.0      0     0 ?        S<   09:55   0:00 [kacpid]
    root        81  0.0  0.0      0     0 ?        S<   09:55   0:00 [kseriod]
    root       117  0.0  0.0      0     0 ?        S    09:55   0:00 [pdflush]
    root       118  0.0  0.0      0     0 ?        S    09:55   0:00 [pdflush]
    root       119  0.0  0.0      0     0 ?        S<   09:55   0:00 [kswapd0]
    root       120  0.0  0.0      0     0 ?        S<   09:55   0:00 [aio/0]
    root       574  0.0  0.0      0     0 ?        S<   09:55   0:00 [khubd]
    root       937  0.0  0.0      0     0 ?        S<   09:55   0:00 [kjournald]
    root      1114  0.0  0.2   2176   612 ?        S<s  09:55   0:00 udevd --daemon
    root      1414  0.0  0.0      0     0 ?        S<   09:55   0:00 [kpsmoused]
    root      1721  0.0  0.0      0     0 ?        S<   09:55   0:00 [kmirrord]
    daemon    1908  0.0  0.1   1688   376 ?        Ss   09:55   0:00 /sbin/portmap
    root      2111  0.0  0.2   1624   564 ?        Ss   09:55   0:00 /sbin/syslogd -
    root      2117  0.0  0.1   1580   388 ?        Ss   09:55   0:00 /sbin/klogd -x
    root      2191  0.0  0.5   2672  1340 ?        S    09:55   0:00 /bin/sh /usr/bi
    mysql     2228  0.0  6.7 127276 17412 ?        Sl   09:55   0:00 /usr/sbin/mysql
    root      2229  0.0  0.1   1564   512 ?        S    09:55   0:00 logger -p daemo
    root      2341  0.0  0.2   1572   560 ?        Ss   09:55   0:00 /usr/sbin/acpid
    root      2345  0.0  0.1   1756   404 ?        S    09:55   0:00 /usr/sbin/couri
    root      2346  0.0  0.2   1908   604 ?        S    09:55   0:00 /usr/lib/courie
    root      2353  0.0  0.1   1908   272 ?        S    09:55   0:00 /usr/lib/courie
    root      2354  0.0  0.1   1908   272 ?        S    09:55   0:00 /usr/lib/courie
    root      2355  0.0  0.1   1908   272 ?        S    09:55   0:00 /usr/lib/courie
    root      2356  0.0  0.1   1908   272 ?        S    09:55   0:00 /usr/lib/courie
    root      2357  0.0  0.1   1908   272 ?        S    09:55   0:00 /usr/lib/courie
    root      2361  0.0  0.1   1752   328 ?        S    09:55   0:00 /usr/sbin/couri
    root      2362  0.0  0.2   1852   552 ?        S    09:55   0:00 /usr/sbin/couri
    root      2373  0.0  0.1   1756   332 ?        S    09:55   0:00 /usr/sbin/couri
    root      2374  0.0  0.2   1852   556 ?        S    09:55   0:00 /usr/sbin/couri
    root      2379  0.0  0.1   1856   508 ?        S    09:55   0:00 /usr/sbin/couri
    root      2385  0.0  0.1   1620   316 ?        S    09:55   0:00 /usr/sbin/couri
    root      2392  0.0  0.1   1752   328 ?        S    09:55   0:00 /usr/sbin/couri
    root      2393  0.0  0.2   1852   552 ?        S    09:55   0:00 /usr/sbin/couri
    root      2402  0.0  0.2   1752   568 ?        Ss   09:55   0:00 /usr/sbin/inetd
    root      2481  0.0  0.3   7216   984 ?        Ss   09:55   0:00 /usr/sbin/sasla
    root      2482  0.0  0.2   7216   540 ?        S    09:55   0:00 /usr/sbin/sasla
    root      2483  0.0  0.1   7216   360 ?        S    09:55   0:00 /usr/sbin/sasla
    root      2484  0.0  0.1   7216   360 ?        S    09:55   0:00 /usr/sbin/sasla
    root      2485  0.0  0.1   7216   360 ?        S    09:55   0:00 /usr/sbin/sasla
    root      2491  0.0  0.4   4924  1088 ?        Ss   09:55   0:00 /usr/sbin/sshd
    statd     2531  0.0  0.2   1756   740 ?        Ss   09:55   0:00 /sbin/rpc.statd
    ntp       2548  0.0  0.5   4132  1336 ?        Ss   09:55   0:00 /usr/sbin/ntpd
    daemon    2572  0.0  0.1   1828   412 ?        Ss   09:55   0:00 /usr/sbin/atd
    root      2579  0.0  0.3   2192   876 ?        Ss   09:55   0:00 /usr/sbin/cron
    root      2614  0.0  1.5 121336  4008 ?        Sl   09:55   0:00 python2.4 /usr/
    root      2823  0.0  3.4  14612  8732 ?        Ss   09:56   0:00 /root/ispconfig
    root      2824  0.0  0.4   2644  1268 ?        S    09:56   0:00 /bin/bash /root
    1001      2829  0.0  2.9  14612  7500 ?        S    09:56   0:00 /root/ispconfig
    root      2844  0.0  4.7  36376 12160 ?        Ss   09:56   0:00 /usr/sbin/apach
    root      2845  0.0  0.1   1488   288 ?        S    09:56   0:00 /root/ispconfig
    www-data  2865  0.0  2.1  36508  5464 ?        S    09:56   0:00 /usr/sbin/apach
    www-data  2866  0.0  2.0  36376  5324 ?        S    09:56   0:00 /usr/sbin/apach
    www-data  2867  0.0  2.0  36376  5320 ?        S    09:56   0:00 /usr/sbin/apach
    www-data  2868  0.0  2.0  36376  5320 ?        S    09:56   0:00 /usr/sbin/apach
    www-data  2869  0.0  2.0  36376  5320 ?        S    09:56   0:00 /usr/sbin/apach
    root      2930  0.0  0.6   4812  1624 ?        Ss   09:56   0:00 /usr/lib/postfi
    postfix   2939  0.0  0.6   4820  1576 ?        S    09:56   0:00 pickup -l -t fi
    postfix   2940  0.0  0.6   4856  1616 ?        S    09:56   0:00 qmgr -l -t fifo
    bind      2960  0.0  1.0  30268  2744 ?        Ssl  09:56   0:00 /usr/sbin/named
    proftpd   2981  0.0  0.5   9152  1508 ?        Ss   09:56   0:00 proftpd: (accep
    1001      2990  0.0  0.4   2496  1064 ?        Ss   09:56   0:00 /home/admispcon
    root      3016  0.0  0.1   1576   496 tty1     Ss+  09:56   0:00 /sbin/getty 384
    root      3017  0.0  0.1   1576   496 tty2     Ss+  09:56   0:00 /sbin/getty 384
    root      3018  0.0  0.1   1572   492 tty3     Ss+  09:56   0:00 /sbin/getty 384
    root      3019  0.0  0.1   1572   492 tty4     Ss+  09:56   0:00 /sbin/getty 384
    root      3020  0.0  0.1   1572   492 tty5     Ss+  09:56   0:00 /sbin/getty 384
    root      3023  0.0  0.1   1572   492 tty6     Ss+  09:56   0:00 /sbin/getty 384
    root      3464  0.2  0.8   7700  2288 ?        Ss   10:16   0:00 sshd: larry [pr
    larry     3468  0.0  0.6   7700  1588 ?        S    10:16   0:00 sshd: larry@pts
    larry     3469  3.6  1.1   5384  2916 pts/0    Ss   10:16   0:00 -bash
    root      3489  0.0  0.1   1564   400 ?        S    10:16   0:00 sleep 10
    larry     3490  0.0  0.3   3428  1000 pts/0    R+   10:16   0:00 ps aux
    
    I might be missing it for some reason.
     
  6. falko

    falko Super Moderator

    I don't see it either.
    Any errors in your logs? What's in /var/log/fail2ban.log?
    What's in /etc/init.d/fail2ban?
     
  7. cruz

    cruz New Member

    copying files in PuTTY

    How do I copy the whole file in PuTTY? I understand that I need to paste it into Word or some other doc program to be able to work with the file. I tried to highlight it, but I can only get so much of the file. Thanks for the help.
     
  8. falko

    falko Super Moderator

    You can copy the file over to your desktop (for example with WinSCP) and then open it in your favourite text editor.
     
  9. cruz

    cruz New Member

    /etc/init.d/fail2ban file

    HTML:
    #! /bin/sh
    ### BEGIN INIT INFO
    # Provides: fail2ban
    # Required-Start: $local_fs $remote_fs
    # Required-Stop: $local_fs $remote_fs
    # Should-Start: $time $network $syslog iptables firehol shorewall ipmasq
    # Should-Stop: $network $syslog iptables firehol shorewall ipmasq
    # Default-Start: 2 3 4 5
    # Default-Stop: 0 1 6
    # Short-Description: Start/stop fail2ban
    # Description: Start/stop fail2ban, a daemon scanning the log files and
    # banning potential attackers.
    ### END INIT INFO

    # Author: Aaron Isotton <aaron@isotton.com>
    # Modified: by Yaroslav Halchenko <debian@onerussian.com>
    # reindented + minor corrections + to work on sarge without modifications
    #
    PATH=/usr/sbin:/usr/bin:/sbin:/bin
    DESC="authentication failure monitor"
    NAME=fail2ban

    # fail2ban-client is not a daemon itself but starts a daemon and
    # loads its with configuration
    DAEMON=/usr/bin/$NAME-client
    SOCKFILE=/tmp/$NAME.sock
    SCRIPTNAME=/etc/init.d/$NAME

    # Exit if the package is not installed
    [ -x "$DAEMON" ] || exit 0

    # Read configuration variable file if it is present
    [ -r /etc/default/$NAME ] && . /etc/default/$NAME
    DAEMON_ARGS="$FAIL2BAN_OPTS"

    # Load the VERBOSE setting and other rcS variables
    [ -f /etc/default/rcS ] && . /etc/default/rcS

    # Predefine what can be missing from lsb source later on -- necessary to run
    # on sarge. Just present it in a bit more compact way from what was shipped
    log_daemon_msg () {
        [ -z "$1" ] && return 1
        echo -n "$1:"
        [ -z "$2" ] || echo -n " $2"
    }

    # Define LSB log_* functions.
    # Depend on lsb-base (>= 3.0-6) to ensure that this file is present.
    # Actually has to (>=2.0-7) present in sarge. log_daemon_msg is predefined
    # so we must be ok
    . /lib/lsb/init-functions

    #
    # Function that starts the daemon/service
    #
    do_start()
    {
        # Return
        # 0 if daemon has been started
        # 1 if daemon was already running
        # 2 if daemon could not be started
        do_status && return 1
        start-stop-daemon --start --quiet --chuid root --exec $DAEMON -- \
            $DAEMON_ARGS start > /dev/null\
            || return 2
    }

    #
    # Shortcut function for abnormal init script interruption
    #
    report_bug()
    {
        echo $*
        echo "Please submit a bug report to Debian BTS (reportbug fail2ban)"
        exit 1
    }

    #
    # Function that checks the status of fail2ban and returns
    # corresponding code
    #
    do_status()
    {
        $DAEMON status > /dev/null
        case $? in
            0) return 0
                ;;
            255)
                if [ -S $SOCKFILE ]; then
                    if [ -r $SOCKFILE ]; then
                        return 1
                    else
                        return 4
                    fi
                else
                    return 3
                fi
                ;;
            *)
                report_bug "Unknown return code from fail2ban."
        esac
    }

    #
    # Function that stops the daemon/service
    #
    do_stop()
    {
        # Return
        # 0 if daemon has been stopped
        # 1 if daemon was already stopped
        # 2 if daemon could not be stopped
        # other if a failure occurred
        $DAEMON status > /dev/null || return 1
        $DAEMON stop > /dev/null || return 2
        return 0
    }

    #
    # Function to reload configuration
    #
    do_reload() {
        $DAEMON reload > /dev/null && return 0 || return 1
        return 0
    }

    # yoh:
    # shortcut function to don't duplicate case statements and to don't use
    # bashisms (arrays). Fixes #368218
    #
    log_end_msg_wrapper()
    {
        [ $1 -lt $2 ] && value=0 || value=1
        log_end_msg $value
    }

    case "$1" in
        start)
            [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
            do_start
            [ "$VERBOSE" != no ] && log_end_msg_wrapper $? 2
            ;;
        stop)
            [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
            do_stop
            [ "$VERBOSE" != no ] && log_end_msg_wrapper $? 2
            ;;
        restart|force-reload)
            log_daemon_msg "Restarting $DESC" "$NAME"
            do_stop
            case "$?" in
                0|1)
                    # now we need actually to wait a bit since it might take time
                    # for server to react on client's stop request
                    count=1
                    while do_status && [ $count -lt 10 ]; do
                        sleep 1
                        count=$(($count+1))
                    done

                    [ $count -lt 10 ] || log_end_msg 1 # failed to stop

                    do_start
                    log_end_msg_wrapper $? 1
                    ;;
                *)
                    # Failed to stop
                    log_end_msg 1
                    ;;
            esac
            ;;

        reload|force-reload)
            log_daemon_msg "Reloading $DESC" "$NAME"
            do_reload
            log_end_msg $?
            ;;

        status)
            log_daemon_msg "Status of $DESC"
            do_status
            case $? in
                0) log_success_msg " $NAME is running" ;;
                1) log_failure_msg " $NAME is not running but $SOCKFILE exists" ;;
                3) log_warning_msg " $NAME is not running" ;;
                4) log_failure_msg " $SOCKFILE not readable, status of $NAME unknown";;
                *) report_bug "Unknown status code"
            esac
            ;;
        *)
            echo "Usage: $SCRIPTNAME {start|stop|restart|force-reload|status}" >&2
            exit 3
            ;;
    esac

    :

    The log file you requested has two files. What file do I post? fail2ban.log or fail2ban.log1
     
  10. falko

    falko Super Moderator

    What's the output of
    Code:
    ls -l /usr/bin/fail2ban-client
    ?

    Take a look at both. fail2ban.log is the current log file, fail2ban.log1 the old one.
     
  11. cruz

    cruz New Member

    output

    -rwxr-xr-x 1 root root 9423 2006-12-10 16:44 /usr/bin/fail2ban-client
     
  12. falko

    falko Super Moderator

    Can you try
    Code:
    /etc/init.d/fail2ban restart
    again? Do you get any error messages? Do you see fail2ban then in the output of
    Code:
    ps aux
    ?
    Any errors in the logs?
     
  13. cruz

    cruz New Member

    restart

    HTML:
    Restarting authentication failure monitor: fail2ban
    This is what I get when trying to restart. The program is not running when I enter ps aux.
    I found this error in the log file
    HTML:
    t maxRetry = 5
    2007-07-20 10:47:50,077 fail2ban.filter : INFO   Set findtime = 600
    2007-07-20 10:47:50,081 fail2ban.actions: INFO   Set banTime = 600
    2007-07-20 10:47:50,091 fail2ban.filter : INFO   Set failregex = (?:(?:Authentication failure|Failed [-/\w+]+) for(?: [iI](?:llegal|nvalid) user)?|[Ii](?:llegal|nvalid) user|ROOT LOGIN REFUSED) .*(?: from|FROM) (?:::f{4,6}:)?(?P<host>\S+)
    2007-07-20 10:47:50,094 fail2ban.filter : INFO   Set ignoreregex =
    2007-07-20 10:47:50,101 fail2ban.actions.action: INFO   Set actionBan = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
    2007-07-20 10:47:50,105 fail2ban.actions.action: INFO   Set actionStop = iptables -D INPUT -p <protocol> --dport <port> -j fail2ban-<name>
    iptables -F fail2ban-<name>
    iptables -X fail2ban-<name>
    2007-07-20 10:47:50,109 fail2ban.actions.action: INFO   Set actionStart = iptables -N fail2ban-<name>
    iptables -A fail2ban-<name> -j RETURN
    i
    root log refused.
     
    Last edited: Jul 20, 2007
  14. falko

    falko Super Moderator

    I'm not sure why fail2ban doesn't start on your system... :confused:
     
  15. susnake

    susnake New Member

    I had the same error. I just reinstalled the fail2ban and it worked.
     
