#16 ban at startup if log contains failed access

Status: closed-fixed
Owner: Cyril Jaquier
Labels: None
Priority: 5
Updated: 2006-11-26
Created: 2006-11-24
Creator: Anonymous
Private: No

Hi,

fail2ban 0.7.4 (gentoo)

jail.conf
######################
[DEFAULT]
ignoreip = 127.0.0.1
bantime = 600
maxretry = 3
maxtime = 600
backend = auto

[ssh-test]

enabled = true
filter = sshd
action = shorewall
# for not being really banned ! lol
         mail-whois[name=SSH, dest=gdelvit@dgir.fr]
logpath = /var/log/auth.log
maxretry = 5
bantime = 600
findtime = 600 <- seems not to be used at startup
maxtime = 600
#####################

My auth.log:
#####################
Nov 20 09:31:04 ks37603 sshd(pam_unix)[17724]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=plop user=root
Nov 20 09:31:06 ks37603 sshd[16696]: error: PAM: Authentication failure for root from plop
Nov 24 11:49:00 ks37603 sshd(pam_unix)[24565]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=plop
Nov 24 11:49:02 ks37603 sshd[6449]: error: PAM: Authentication failure for illegal user toto from plop
Nov 24 12:13:26 ks37603 sshd(pam_unix)[10764]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=plop
Nov 24 12:13:28 ks37603 sshd[12288]: error: PAM: Authentication failure for illegal user toto from plop
####################

# date
ven nov 24 13:00:26 CET 2006

# /etc/init.d/fail2ban restart

# fail2ban-client status
Status
|- Number of jail: 1
`- Jail list: ssh-test

# fail2ban-client status ssh-test

Status for the jail: ssh-test
|- filter
|  |- Currently failed: 0
|  `- Total failed: 6 <--- WHAT ? It reads the whole auth.log from 2 days back .....
`- action
   |- Currently banned: 0
   `- Total banned: 1 <--- so I'm banned for having missed my login 6 times over 2 days .... (it could be 600 seconds !)

--

I think it's better not to analyse the log file at startup ....

guiguid.

Discussion

  • Cyril Jaquier
    2006-11-26

    Thank you for reporting this. This should be fixed in the repository. Will be in 0.7.5.

    "maxtime" has been merged with "findtime" and now "findtime" is used correctly.

  • Cyril Jaquier
    2006-11-26

    • assigned_to: nobody --> lostcontrol
    • status: open --> closed-fixed
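To make the behaviour discussed in this ticket concrete, here is an added Python example (not fail2ban's own code) that replays the six auth.log lines from the report: counting every failure in the file regardless of age reaches maxretry=5 and bans the host, while a 600-second findtime window, as the corrected findtime option applies it, never holds more than two failures. The regexes, function names and the year 2006 are assumptions made for this example.

```python
import re
from datetime import datetime

# Constructed sample: the six auth.log lines from the report (year assumed to be 2006).
AUTH_LOG = """\
Nov 20 09:31:04 ks37603 sshd(pam_unix)[17724]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=plop user=root
Nov 20 09:31:06 ks37603 sshd[16696]: error: PAM: Authentication failure for root from plop
Nov 24 11:49:00 ks37603 sshd(pam_unix)[24565]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=plop
Nov 24 11:49:02 ks37603 sshd[6449]: error: PAM: Authentication failure for illegal user toto from plop
Nov 24 12:13:26 ks37603 sshd(pam_unix)[10764]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=plop
Nov 24 12:13:28 ks37603 sshd[12288]: error: PAM: Authentication failure for illegal user toto from plop
"""

# Hypothetical patterns covering both line shapes above (simpler than fail2ban's sshd filter).
FAIL_PATTERNS = [
    re.compile(r"authentication failure;.*rhost=(?P<host>\S+)"),
    re.compile(r"Authentication failure for .* from (?P<host>\S+)$"),
]
TS_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) ")

def parse_failures(log_text, year=2006):
    """Return (epoch_seconds, host) for every line matching a failure pattern."""
    events = []
    for line in log_text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue  # not a syslog-style line
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S").timestamp()
        for pat in FAIL_PATTERNS:
            fm = pat.search(line)
            if fm:
                events.append((ts, fm.group("host")))
                break
    return events

def hosts_to_ban(events, maxretry, findtime=None):
    """Hosts reaching maxretry failures. findtime=None counts every failure in the
    file however old (the startup behaviour reported above); otherwise only failures
    inside a sliding window of findtime seconds count, as the option is meant to."""
    banned, per_host = set(), {}
    for ts, host in sorted(events):
        window = per_host.setdefault(host, [])
        window.append(ts)
        if findtime is not None:
            while ts - window[0] > findtime:  # expire failures older than the window
                window.pop(0)
        if len(window) >= maxretry:
            banned.add(host)
    return banned
```

With the jail's maxretry=5, hosts_to_ban(parse_failures(AUTH_LOG), 5) returns {"plop"}, while passing findtime=600 returns an empty set.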