newtonian Guru
Joined: 19 Jan 2005 Posts: 465 Location: Hokkaido Japan
|
Posted: Mon Aug 27, 2007 1:28 am Post subject: fail2ban not creating an iptables chain - [SOLVED] |
|
|
Hi-
I'm trying to stop brute force ssh attempts but can't seem to get fail2ban to add any rules to iptables.
Here is my setup:
Code: | * net-analyzer/fail2ban
Latest version available: 0.8.0-r1
Latest version installed: 0.8.0-r1 |
Code: | * net-firewall/iptables
Latest version available: 1.3.5-r4
Latest version installed: 1.3.5-r4 |
Code: | 2007-08-27 10:07:36,138 fail2ban.comm : DEBUG Connection closed
2007-08-27 10:10:35,307 fail2ban.comm : DEBUG Starting new thread to handle the request
2007-08-27 10:10:35,307 fail2ban.comm : DEBUG Command: ['stop']
2007-08-27 10:10:35,308 fail2ban.comm : DEBUG Connection closed
2007-08-27 10:10:36,316 fail2ban.comm : DEBUG Removed socket file /tmp/fail2ban.sock
2007-08-27 10:10:36,316 fail2ban.comm : DEBUG Socket shutdown
2007-08-27 10:10:36,336 fail2ban.server : INFO Exiting Fail2ban
2007-08-27 10:10:36,603 fail2ban.comm : DEBUG Connection closed
2007-08-27 10:13:27,541 fail2ban.comm : DEBUG Starting new thread to handle the request
2007-08-27 10:13:27,542 fail2ban.comm : DEBUG Command: ['stop']
2007-08-27 10:13:27,543 fail2ban.comm : DEBUG Connection closed
2007-08-27 10:13:28,538 fail2ban.comm : DEBUG Removed socket file /tmp/fail2ban.sock
2007-08-27 10:13:28,539 fail2ban.comm : DEBUG Socket shutdown
2007-08-27 10:13:28,588 fail2ban.server : INFO Exiting Fail2ban
2007-08-27 10:13:28,825 fail2ban.comm : DEBUG Connection closed
|
Code: | impala david # /etc/init.d/fail2ban status
* status: started |
Code: | impala david # tail /var/log/sshd/current
- Last output repeated 2 times -
Aug 27 10:12:28 [sshd] Invalid user aoeu from 219.117.245.XXX
Aug 27 10:12:28 [sshd] Failed none for invalid user aoeu from 219.117.245.XXX port 35079 ssh2
Aug 27 10:12:31 [sshd] error: PAM: Authentication failure for illegal user aoeu from possum.xxx.com
Aug 27 10:12:31 [sshd] Failed keyboard-interactive/pam for invalid user aoeu from 219.117.245.xxx port 35079 ssh2
Aug 27 10:12:34 [sshd] error: PAM: Authentication failure for illegal user aoeu from possum.xxx.com
Aug 27 10:12:34 [sshd] Failed keyboard-interactive/pam for invalid user aoeu from 219.117.245.xxx port 35079 ssh2
Aug 27 10:12:36 [sshd] error: PAM: Authentication failure for illegal user aoeu from possum.xxx.com
Aug 27 10:12:36 [sshd] Failed keyboard-interactive/pam for invalid user aoeu from 219.117.245.xxx port 35079 ssh2
Aug 27 10:12:39 [sshd] Failed password for invalid user aoeu from 219.117.245.xxx port 35079 ssh2
|
Code: | impala david # iptables --list |grep fail2ban
impala david # |
Code: | impala david # cat /etc/fail2ban/jail.conf | grep -v "#" | grep -v "^$"
[DEFAULT]
ignoreip = 127.0.0.1
bantime = 600
findtime = 600
maxretry = 3
backend = auto
[ssh-iptables]
enabled = false
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
mail-whois[name=SSH, dest=yourmail@mail.com]
logpath = /var/log/sshd/current
maxretry = 3
[proftpd-iptables]
enabled = false
filter = proftpd
action = iptables[name=ProFTPD, port=ftp, protocol=tcp]
mail-whois[name=ProFTPD, dest=yourmail@mail.com]
logpath = /var/log/proftpd/proftpd.log
maxretry = 6
[sasl-iptables]
enabled = false
filter = sasl
backend = polling
action = iptables[name=sasl, port=smtp, protocol=tcp]
mail-whois[name=sasl, dest=yourmail@mail.com]
logpath = /var/log/mail.log
[ssh-tcpwrapper]
enabled = false
filter = sshd
action = hostsdeny
mail-whois[name=SSH, dest=yourmail@mail.com]
ignoreregex = for myuser from
logpath = /var/log/sshd/current
[apache-tcpwrapper]
enabled = false
filter = apache-auth
action = hostsdeny
logpath = /var/log/apache*/*access.log
/home/www/myhomepage/access.log
maxretry = 6
[postfix-tcpwrapper]
enabled = false
filter = postfix
action = hostsdeny[file=/not/a/standard/path/hosts.deny]
mail[name=Postfix, dest=yourmail@mail.com]
logpath = /var/log/postfix.log
bantime = 300
[vsftpd-notification]
enabled = false
filter = vsftpd
action = mail-whois[name=VSFTPD, dest=yourmail@mail.com]
logpath = /var/log/vsftpd.log
maxretry = 5
bantime = 1800
[vsftpd-iptables]
enabled = false
filter = vsftpd
action = iptables[name=VSFTPD, port=ftp, protocol=tcp]
mail-whois[name=VSFTPD, dest=yourmail@mail.com]
logpath = /var/log/vsftpd.log
maxretry = 5
bantime = 1800
[apache-badbots]
enabled = false
filter = apache-badbots
action = iptables-multiport[name=BadBots, port="http,https"]
mail-buffered[name=BadBots, lines=5, dest=yourmail@mail.com]
logpath = /var/www/*/logs/access_log
bantime = 172800
maxretry = 1
[apache-shorewall]
enabled = false
filter = apache-noscript
action = shorewall
mail[name=Postfix, dest=yourmail@mail.com]
logpath = /var/log/apache2/error_log
[ssh-ipfw]
enabled = false
filter = sshd
action = ipfw[localhost=192.168.0.1]
mail-whois[name="SSH,IPFW", dest=yourmail@mail.com]
logpath = /var/log/auth.log
ignoreip = 168.192.0.1
|
Last edited by newtonian on Mon Aug 27, 2007 10:38 am; edited 2 times in total |
|
newtonian Guru
Joined: 19 Jan 2005 Posts: 465 Location: Hokkaido Japan
|
Posted: Mon Aug 27, 2007 1:31 am Post subject: fail2ban |
|
|
Code: | impala action.d # cat /etc/fail2ban/action.d/iptables.conf | grep -v "#" | grep -v "^$"
[Definition]
actionstart = iptables -N fail2ban-<name>
iptables -A fail2ban-<name> -j RETURN
iptables -I INPUT -p <protocol> --dport <port> -j fail2ban-<name>
actionstop = iptables -D INPUT -p <protocol> --dport <port> -j fail2ban-<name>
iptables -F fail2ban-<name>
iptables -X fail2ban-<name>
actioncheck = iptables -n -L INPUT | grep -q fail2ban-<name>
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
[Init]
name = default
port = ssh
protocol = tcp
|
|
|
JeliJami Veteran
Joined: 17 Jan 2006 Posts: 1086 Location: Belgium
|
Posted: Mon Aug 27, 2007 10:17 am Post subject: |
|
|
all your filter definitions are enabled = false
set it to true for ssh-iptables, that may work
_________________
Unanswered Post Initiative | Search | FAQ
Former username: davjel |
|
newtonian Guru
Joined: 19 Jan 2005 Posts: 465 Location: Hokkaido Japan
|
Posted: Mon Aug 27, 2007 10:35 am Post subject: |
|
|
davjel wrote: | all your filter definitions are enabled = false
set it to true for ssh-iptables, that may work |
Setting enabled to true did the trick. Thank you.
Code: | [ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
mail-whois[name=SSH, dest=yourmail@mail.com]
logpath = /var/log/sshd/current
maxretry = 3 |
Cheers, :D |
|
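An added example, not part of the original thread and not fail2ban's own code: a Python check for the failure mode resolved above. For each jail in a jail.conf it reports whether the jail is enabled and which `fail2ban-<name>` chains its iptables actions should have created, compared against `iptables -n -L` output. The function name `audit_jails` and both sample inputs are constructed for illustration; an unset `enabled` is assumed to mean disabled.

```python
import configparser
import re

# Constructed sample, trimmed from the jail.conf posted in this thread.
SAMPLE_JAIL_CONF = """\
[DEFAULT]
maxretry = 3

[ssh-iptables]
enabled = false
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
         mail-whois[name=SSH, dest=yourmail@mail.com]
logpath = /var/log/sshd/current

[vsftpd-notification]
enabled = false
filter = vsftpd
action = mail-whois[name=VSFTPD, dest=yourmail@mail.com]
logpath = /var/log/vsftpd.log
"""

# Constructed sample of `iptables -n -L` output after the chain exists.
SAMPLE_LISTING = "Chain INPUT (policy ACCEPT)\nChain fail2ban-SSH (1 references)\n"

# Matches iptables / iptables-multiport action lines and captures name=.
IPTABLES_ACTION = re.compile(
    r'^iptables(?:-[\w-]+)?\[(?:.*?,\s*)?name="?([^,"\]]+)', re.M)

def audit_jails(conf_text, iptables_listing=""):
    """Return one dict per jail: enabled flag, expected and missing chains."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    present = set(re.findall(r"^Chain (\S+)", iptables_listing, re.M))
    report = []
    for jail in cp.sections():  # [DEFAULT] is inherited, not listed
        # Assumption: a jail with no "enabled" key is treated as disabled.
        enabled = cp.get(jail, "enabled", fallback="false").strip().lower() == "true"
        actions = cp.get(jail, "action", fallback="")
        # actionstart in action.d/iptables.conf creates fail2ban-<name>.
        chains = ["fail2ban-" + n.strip() for n in IPTABLES_ACTION.findall(actions)]
        missing = [c for c in chains if enabled and c not in present]
        report.append({"jail": jail, "enabled": enabled,
                       "chains": chains, "missing": missing})
    return report

if __name__ == "__main__":
    for row in audit_jails(SAMPLE_JAIL_CONF, SAMPLE_LISTING):
        print(row)
```

A report where every jail shows `enabled: False` matches the situation in the first post: the server runs, but no `actionstart` ever executes, so no chain appears.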