Need help with fail2ban on centos 5.3

Discussion in 'Installation/Configuration' started by rlischer, Aug 13, 2009.

  1. rlischer

    rlischer Member HowtoForge Supporter

    I need some help and clarity on what I need to do.

    I went through the CentOS 5.3 perfect server setup. So, iptables is off and fail2ban is on. I turned on the default firewall ports for the server in the ISPConfig 3 admin. It works, I tested it by opening and closing a few ports.

    ISPConfig 3 tells me "fail2ban is not installed at this server. See more (for debian) here..."


    I try to ssh in as root and use bad passwords over and over, then after about 6 or 7 tries I get the boot, then I can go right back and try again. Why is my IP not banned? And why does ISPConfig 3 say "fail2ban is not installed at this server"?

    Thanks!!!



    vi /etc/fail2ban/filter.d/sshd.conf
    Code:
    # Fail2Ban configuration file
    #
    # Author: Cyril Jaquier
    #
    # $Revision: 663 $
    #
    
    [INCLUDES]
    
    # Read common prefixes. If any customizations available -- read them from
    # common.local
    before = common.conf
    
    
    [Definition]
    
    _daemon = sshd
    
    # Option:  failregex
    # Notes.:  regex to match the password failures messages in the logfile. The
    #          host must be matched by a group named "host". The tag "<HOST>" can
    #          be used for standard IP/hostname matching and is only an alias for
    #          (?:::f{4,6}:)?(?P<host>\S+)
    # Values:  TEXT
    #
    failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$
                ^%(__prefix_line)sFailed [-/\w]+ for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$
                ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
                ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
                ^%(__prefix_line)sUser \S+ from <HOST> not allowed because not listed in AllowUsers$
                ^%(__prefix_line)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
                ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
                ^%(__prefix_line)sAddress <HOST> .* POSSIBLE BREAK-IN ATTEMPT\s*$
    
    # Option:  ignoreregex
    # Notes.:  regex to ignore. If this regex matches, the line is ignored.
    # Values:  TEXT
    #
    ignoreregex =
    
    
    vi /etc/fail2ban/jail.conf (with new "logpath = /var/log/secure" path)
    Code:
    # Fail2Ban configuration file
    #
    # Author: Cyril Jaquier
    #
    # $Revision: 617 $
    #
    
    # The DEFAULT allows a global definition of the options. They can be override
    # in each jail afterwards.
    
    [DEFAULT]
    
    # "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
    # ban a host which matches an address in this list. Several addresses can be
    # defined using space separator.
    ignoreip = 127.0.0.1
    
    # "bantime" is the number of seconds that a host is banned.
    bantime  = 600
    
    # A host is banned if it has generated "maxretry" during the last "findtime"
    # seconds.
    findtime  = 600
    
    # "maxretry" is the number of failures before a host get banned.
    maxretry = 3
    
    # "backend" specifies the backend used to get files modification. Available
    # options are "gamin", "polling" and "auto". This option can be overridden in
    # each jail too (use "gamin" for a jail and "polling" for another).
    #
    # gamin:   requires Gamin (a file alteration monitor) to be installed. If Gamin
    #          is not installed, Fail2ban will use polling.
    # polling: uses a polling algorithm which does not require external libraries.
    # auto:    will choose Gamin if available and polling otherwise.
    backend = auto
    
    
    # This jail corresponds to the standard configuration in Fail2ban 0.6.
    # The mail-whois action send a notification e-mail with a whois request
    # in the body.
    
    [ssh-iptables]
    
    enabled  = false
    filter   = sshd
    action   = iptables[name=SSH, port=ssh, protocol=tcp]
               sendmail-whois[name=SSH, dest=you@mail.com, sender=fail2ban@mail.com]
    logpath  = /var/log/secure
    maxretry = 3
    
    [proftpd-iptables]
    
    enabled  = false
    filter   = proftpd
    action   = iptables[name=ProFTPD, port=ftp, protocol=tcp]
               sendmail-whois[name=ProFTPD, dest=you@mail.com]
    logpath  = /var/log/proftpd/proftpd.log
    
    
    My log file as I try to break in as root:
    Code:
    Aug 13 05:17:35 server sshd[10791]: PAM 7 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=66.42.154.202
    Aug 13 05:17:35 server sshd[10791]: PAM service(sshd) ignoring max retries; 8 > 3
    Aug 13 05:17:47 server sshd[10828]: reverse mapping checking getaddrinfo for fuse-dedicated-66-42-154-202.fuse.net failed - POSSIBLE BREAK-IN ATTEMPT!
    Aug 13 05:17:47 server sshd[10828]: Accepted password for root from 66.42.154.202 port 35685 ssh2
    Aug 13 05:17:47 server sshd[10828]: pam_unix(sshd:session): session opened for user root by (uid=0)
    Aug 13 05:23:17 server sshd[10828]: pam_unix(sshd:session): session closed for user root
    Aug 13 05:25:13 server sshd[11212]: reverse mapping checking getaddrinfo for fuse-dedicated-66-42-154-202.fuse.net failed - POSSIBLE BREAK-IN ATTEMPT!
    Aug 13 05:25:13 server sshd[11212]: Accepted password for root from 66.42.154.202 port 39441 ssh2
    Aug 13 05:25:13 server sshd[11212]: pam_unix(sshd:session): session opened for user root by (uid=0)
    Aug 13 05:32:15 server sshd[11212]: pam_unix(sshd:session): session closed for user root
    Aug 13 05:42:50 server sshd[12434]: reverse mapping checking getaddrinfo for fuse-dedicated-66-42-154-202.fuse.net failed - POSSIBLE BREAK-IN ATTEMPT!
    Aug 13 05:42:50 server sshd[12434]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=66.42.154.202  user=root
    Aug 13 05:42:53 server sshd[12434]: Failed password for root from 66.42.154.202 port 48067 ssh2
    Aug 13 05:43:27 server last message repeated 7 times
    Aug 13 05:43:27 server sshd[12435]: Disconnecting: Too many authentication failures for root
    Aug 13 05:43:27 server sshd[12434]: PAM 7 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=66.42.154.202  user=root
    Aug 13 05:43:27 server sshd[12434]: PAM service(sshd) ignoring max retries; 8 > 3
    Aug 13 05:43:38 server sshd[12472]: reverse mapping checking getaddrinfo for fuse-dedicated-66-42-154-202.fuse.net failed - POSSIBLE BREAK-IN ATTEMPT!
    Aug 13 05:43:38 server sshd[12472]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=66.42.154.202  user=root
    Aug 13 05:43:41 server sshd[12472]: Failed password for root from 66.42.154.202 port 48627 ssh2
    Aug 13 05:43:45 server sshd[12473]: fatal: Read from socket failed: Connection reset by peer
    Aug 13 05:45:01 server sshd[12515]: reverse mapping checking getaddrinfo for fuse-dedicated-66-42-154-202.fuse.net failed - POSSIBLE BREAK-IN ATTEMPT!
    Aug 13 05:45:01 server sshd[12515]: Accepted password for root from 66.42.154.202 port 49833 ssh2
    Aug 13 05:45:01 server sshd[12515]: pam_unix(sshd:session): session opened for user root by (uid=0)
    
    
     
  2. rlischer

    rlischer Member HowtoForge Supporter

    I did find 1 error on my part: "enabled = false" needs to be "enabled = true" in the jail config. It still takes 7 failed attempts to get dropped, and it does NOT ban my IP at all, so I can try to hack in all day.

    It also shows up in my log now inside ISPConfig 3.

    Code:
    2009-08-13 11:42:58,295 fail2ban.jail : INFO Using Gamin
    2009-08-13 11:42:58,301 fail2ban.filter : INFO Created Filter
    2009-08-13 11:42:58,302 fail2ban.filter : INFO Created FilterGamin
    2009-08-13 11:42:58,302 fail2ban.filter : INFO Added logfile = /var/log/secure
    2009-08-13 11:42:58,305 fail2ban.filter : INFO Set maxRetry = 3
    2009-08-13 11:42:58,306 fail2ban.filter : INFO Set findtime = 600
    2009-08-13 11:42:58,306 fail2ban.actions: INFO Set banTime = 600
    2009-08-13 11:42:58,329 fail2ban.actions.action: INFO Set actionBan = iptables -I fail2ban- 1 -s -j DROP
    2009-08-13 11:42:58,329 fail2ban.actions.action: INFO Set actionStop = iptables -D INPUT -p --dport -j fail2ban-
    iptables -F fail2ban-
    iptables -X fail2ban-
    2009-08-13 11:42:58,330 fail2ban.actions.action: INFO Set actionStart = iptables -N fail2ban-
    iptables -A fail2ban- -j RETURN
    iptables -I INPUT -p --dport -j fail2ban-
    2009-08-13 11:42:58,330 fail2ban.actions.action: INFO Set actionUnban = iptables -D fail2ban- -s -j DROP
    2009-08-13 11:42:58,331 fail2ban.actions.action: INFO Set actionCheck = iptables -n -L INPUT | grep -q fail2ban-
    2009-08-13 11:42:58,332 fail2ban.actions.action: INFO Set actionBan = printf %b "Subject: [Fail2Ban] : banned 
    From: Fail2Ban <>
    To: \n
    Hi,\n
    The IP has just been banned by Fail2Ban after
    attempts against .\n\n
    Here are more information about :\n
    `/usr/bin/whois `\n
    Regards,\n
    Fail2Ban" | /usr/sbin/sendmail -f 
    2009-08-13 11:42:58,333 fail2ban.actions.action: INFO Set actionStop = printf %b "Subject: [Fail2Ban] : stopped
    From: Fail2Ban <>
    To: \n
    Hi,\n
    The jail has been stopped.\n
    Regards,\n
    Fail2Ban" | /usr/sbin/sendmail -f 
    2009-08-13 11:42:58,333 fail2ban.actions.action: INFO Set actionStart = printf %b "Subject: [Fail2Ban] : started
    From: Fail2Ban <>
    To: \n
    Hi,\n
    The jail has been started successfully.\n
    Regards,\n
    Fail2Ban" | /usr/sbin/sendmail -f 
    2009-08-13 11:42:58,334 fail2ban.actions.action: INFO Set actionUnban = 
    2009-08-13 11:42:58,334 fail2ban.actions.action: INFO Set actionCheck = 
    2009-08-13 11:42:58,335 fail2ban.jail : INFO Using Gamin
    2009-08-13 11:42:58,335 fail2ban.filter : INFO Created Filter
    2009-08-13 11:42:58,335 fail2ban.filter : INFO Created FilterGamin
    2009-08-13 11:42:58,336 fail2ban.filter : INFO Set maxRetry = 3
    2009-08-13 11:42:58,337 fail2ban.filter : INFO Set findtime = 600
    2009-08-13 11:42:58,337 fail2ban.actions: INFO Set banTime = 300
    2009-08-13 11:42:58,338 fail2ban.actions.action: INFO Set actionBan = IP= &&
    printf %b "ALL: $IP\n" >> 
    2009-08-13 11:42:58,339 fail2ban.actions.action: INFO Set actionStop = 
    2009-08-13 11:42:58,339 fail2ban.actions.action: INFO Set actionStart = 
    2009-08-13 11:42:58,340 fail2ban.actions.action: INFO Set actionUnban = IP= && sed -i.old /ALL:\ $IP/d 
    2009-08-13 11:42:58,340 fail2ban.actions.action: INFO Set actionCheck = 
    2009-08-13 11:42:58,341 fail2ban.actions.action: INFO Set actionBan = printf %b "Subject: [Fail2Ban] : banned 
    From: Fail2Ban <>
    To: \n
    Hi,\n
    The IP has just been banned by Fail2Ban after
    attempts against .\n
    Regards,\n
    Fail2Ban" | /usr/sbin/sendmail -f 
    2009-08-13 11:42:58,341 fail2ban.actions.action: INFO Set actionStop = printf %b "Subject: [Fail2Ban] : stopped
    From: Fail2Ban <>
    To: \n
    Hi,\n
    The jail has been stopped.\n
    Regards,\n
    Fail2Ban" | /usr/sbin/sendmail -f 
    2009-08-13 11:42:58,342 fail2ban.actions.action: INFO Set actionStart = printf %b "Subject: [Fail2Ban] : started
    From: Fail2Ban <>
    To: \n
    Hi,\n
    The jail has been started successfully.\n
    Regards,\n
    Fail2Ban" | /usr/sbin/sendmail -f 
    2009-08-13 11:42:58,342 fail2ban.actions.action: INFO Set actionUnban = 
    2009-08-13 11:42:58,343 fail2ban.actions.action: INFO Set actionCheck = 
    2009-08-13 11:42:58,344 fail2ban.jail : INFO Using Gamin
    2009-08-13 11:42:58,344 fail2ban.filter : INFO Created Filter
    2009-08-13 11:42:58,345 fail2ban.filter : INFO Created FilterGamin
    2009-08-13 11:42:58,345 fail2ban.filter : INFO Set maxRetry = 3
    2009-08-13 11:42:58,346 fail2ban.comm : WARNING Invalid command: ['set', 'ssh-tcpwrapper', 'ignoreregex', 'for myuser from']
    
    
     
    Last edited: Aug 13, 2009
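
To see what the posted filter actually counts, here is an added example (not from the thread and not fail2ban's own code) that runs the failregex lines from the sshd.conf above over a few of the quoted /var/log/secure lines and then applies the jail's maxretry/findtime rule. It assumes a simplified expansion of __prefix_line (hostname followed by sshd[pid]:), since common.conf is not shown in the thread, and approximates fail2ban's counting with a sliding window.

```python
import re
from datetime import datetime

# Assumption: once fail2ban has stripped the timestamp, %(__prefix_line)s from
# common.conf reduces to "<hostname> sshd[<pid>]: " (simplified for this example).
PREFIX = r"\S+\s+sshd\[\d+\]:\s+"
HOST = r"(?:::f{4,6}:)?(?P<host>\S+)"  # the alias named in the filter's own comment
# failregex entries exactly as in the sshd.conf posted above.
FAILREGEX = [re.compile(p.replace("%(__prefix_line)s", PREFIX).replace("<HOST>", HOST)) for p in (
    r"^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$",
    r"^%(__prefix_line)sFailed [-/\w]+ for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$",
    r"^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$",
    r"^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$",
    r"^%(__prefix_line)sUser \S+ from <HOST> not allowed because not listed in AllowUsers$",
    r"^%(__prefix_line)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$",
    r"^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$",
    r"^%(__prefix_line)sAddress <HOST> .* POSSIBLE BREAK-IN ATTEMPT\s*$",
)]
SYSLOG = re.compile(r"^(\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) (.*)$")  # "Aug 13 05:42:53 <rest>"

# Lines quoted from the /var/log/secure excerpt posted above (one burst of root attempts).
LOG = """\
Aug 13 05:42:50 server sshd[12434]: reverse mapping checking getaddrinfo for fuse-dedicated-66-42-154-202.fuse.net failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 13 05:42:50 server sshd[12434]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=66.42.154.202  user=root
Aug 13 05:42:53 server sshd[12434]: Failed password for root from 66.42.154.202 port 48067 ssh2
Aug 13 05:43:27 server last message repeated 7 times
Aug 13 05:43:41 server sshd[12472]: Failed password for root from 66.42.154.202 port 48627 ssh2
""".splitlines()

def failures(lines):
    """(timestamp, host) for each line the filter counts; one hit per matched line, like fail2ban."""
    hits = []
    for line in lines:
        m = SYSLOG.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
        for rx in FAILREGEX:
            h = rx.match(m.group(2))
            if h:
                hits.append((ts, h.group("host")))
                break
    return hits

def would_ban(lines, host, maxretry=3, findtime=600):
    """Approximate fail2ban's decision: maxretry counted hits from host within findtime seconds."""
    times = [t for t, h in failures(lines) if h == host]
    return any((times[i + maxretry - 1] - times[i]).total_seconds() <= findtime
               for i in range(len(times) - maxretry + 1))
```

With this filter only the "Failed password" lines count: the "last message repeated 7 times" line that syslog wrote in place of the other seven attempts contains nothing the regexes match, so a burst of eight bad passwords is counted as a single failure and maxretry = 3 is never reached. Running fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/sshd.conf on the real file gives the same per-line verdict.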
  3. rlischer

    rlischer Member HowtoForge Supporter

    One more question, I see sendmail is used to email the admin if someone was banned. ISPConfig 3 does not use sendmail, right? Can this be changed to use the mail server used by ISPConfig 3?

    Thanks
     
  4. falko

    falko Super Moderator Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer

    Postfix comes with a Sendmail binary for compatibility reasons, so that's no problem. :)
     
