From: Richard Creighton <ricreig@gm...> - 2007-07-24 00:17:56
Recently I got the following in my log:
2007-07-21 06:59:55,727 fail2ban.actions.action: ERROR iptables -n -L INPUT | grep -q fail2ban-SSH returned 100
2007-07-21 06:59:55,727 fail2ban.actions.action: ERROR Invariant check failed. Trying to restore a sane environment
2007-07-21 06:59:55,741 fail2ban.actions.action: ERROR iptables -D INPUT -p tcp --dport ssh -j fail2ban-SSH
iptables -F fail2ban-SSH
iptables -X fail2ban-SSH returned 100
I had installed fail2ban from the SUSE 0.8 RPM file obtained from the
website links via sourceforge. The rpm installed correctly and I
happily started the program. Initially when an attack came in, NOTHING
HAPPENED! I contacted the author (not knowing about this list) and he
suggested checking the *.conf file and I found each line in the ssh.conf
file ended in '$'. He suggested changing it to '<HOST>', which I did
and immediately I had another sshd attack and immediately the offender
was banned and immediately I also got the above error message.
It turns out, thanks to diligent feedback from a list member who
volunteered help and 'attacks' :) that in my 'actions.d' files, the
commands included 'SSH'. His suggestions were to make them 'ssh'.
This was after I noticed that the results of iptables -nv -L looked
right except that the output was all lower case even though the error
message included UPPER case. Making that change FIXED the problem.
So, it appears that the SUSE 0.8 rpm file has the correct executables
but it has configuration files from an earlier version and they need to
be edited before you go online. This is probably an oversight but it
has cost many hours of frustration. Still, the effort put into
creating that package is highly appreciated and hopefully when fail2ban
is updated, if it ever needs it, the rpm will also be updated and the
proper config files will also be included.
Thanks to all who helped and to the author for a fine product!
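Added example (my own, not code from the post or from the fail2ban project) illustrating the two failure modes in the report: a failregex that ends in '$' with no <HOST> tag yields no address to ban, and action templates that hard-code 'fail2ban-SSH' while the jail creates 'fail2ban-ssh' make the actioncheck invariant fail even though the ban itself worked. The sshd log line, the action templates and the iptables listing are constructed for the example; HOST_TAG_EXPANSION is only an approximation of how fail2ban 0.8 expands <HOST>, and logged_status() rests on my reading that 0.8 logged the raw os.system() wait status in hex (which would make grep's exit status 1 appear as "returned 100").

```python
import re
from typing import Dict, List, Optional

# ---- 1. failregex: why a pattern without <HOST> bans nothing ----

# Constructed sshd log line (not from the original post).
SAMPLE_LOG = ("Jul 21 06:59:55 box sshd[4711]: Failed password for invalid user "
              "admin from 203.0.113.7 port 40312 ssh2")

# Constructed filter patterns: the first mimics an older-style line that ends in
# '$' and carries no <HOST> tag, the second is the 0.8-style line with <HOST>.
FAILREGEX_OLD = r"Failed password for .* from \S+ port \d+ ssh2$"
FAILREGEX_NEW = r"Failed password for .* from <HOST> port \d+ ssh2$"

# Assumption: an approximation of how fail2ban 0.8 expands <HOST> into a
# named group called 'host' (the real expansion is similar, not identical).
HOST_TAG_EXPANSION = r"(?:::f{4,6}:)?(?P<host>\S+)"


def expand_failregex(pattern: str) -> "re.Pattern[str]":
    """Turn a fail2ban-style failregex into a plain Python regex."""
    return re.compile(pattern.replace("<HOST>", HOST_TAG_EXPANSION))


def extract_host(pattern: str, line: str) -> Optional[str]:
    """Return the address to ban, or None if the line does not match or the
    pattern has no <HOST> group (the 'nothing happened' case)."""
    m = expand_failregex(pattern).search(line)
    if m is None:
        return None
    return m.groupdict().get("host")


# ---- 2. action templates: chain-name consistency and the invariant check ----

# Constructed action templates in the style of action.d/iptables.conf. Two of
# them hard-code the chain as fail2ban-SSH instead of using the <name> tag.
ACTION_BROKEN = {
    "actionstart": ("iptables -N fail2ban-<name>\n"
                    "iptables -A fail2ban-<name> -j RETURN\n"
                    "iptables -I INPUT -p tcp --dport ssh -j fail2ban-<name>"),
    "actioncheck": "iptables -n -L INPUT | grep -q fail2ban-SSH",
    "actionban":   "iptables -I fail2ban-<name> 1 -s <ip> -j DROP",
    "actionstop":  ("iptables -D INPUT -p tcp --dport ssh -j fail2ban-SSH\n"
                    "iptables -F fail2ban-SSH\n"
                    "iptables -X fail2ban-SSH"),
}

# The corrected templates: every command derives the chain from <name>.
ACTION_FIXED = {k: v.replace("fail2ban-SSH", "fail2ban-<name>")
                for k, v in ACTION_BROKEN.items()}

CHAIN_RE = re.compile(r"fail2ban-\S+")


def render(template: str, tags: Dict[str, str]) -> str:
    """Substitute <tag> placeholders the way a jail's name/ip are filled in."""
    for tag, value in tags.items():
        template = template.replace("<%s>" % tag, value)
    return template


def inconsistent_chains(actions: Dict[str, str], jail: str) -> List[str]:
    """Distinct chain names the rendered actions refer to; more than one entry
    means the actions disagree. iptables chain names and grep are both
    case-sensitive, so fail2ban-SSH and fail2ban-ssh are different chains."""
    seen = set()
    for template in actions.values():
        seen.update(CHAIN_RE.findall(render(template, {"name": jail, "ip": "0.0.0.0"})))
    return sorted(seen)


# Constructed `iptables -n -L INPUT` output after actionstart ran for jail 'ssh'.
IPTABLES_LISTING = """Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-ssh  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22
"""


def simulate_actioncheck(actions: Dict[str, str], jail: str, listing: str) -> int:
    """Emulate `iptables -n -L INPUT | grep -q <chain>`: exit 0 if found, else 1."""
    cmd = render(actions["actioncheck"], {"name": jail})
    needle = re.search(r"grep -q (\S+)$", cmd).group(1)
    return 0 if needle in listing else 1


def logged_status(exit_code: int) -> str:
    """Assumption: fail2ban 0.8 logged os.system()'s raw wait status with %x,
    so grep's exit status 1 (wait status 0x100) shows up as 'returned 100'."""
    return "%x" % (exit_code << 8)


if __name__ == "__main__":
    print("old failregex host:", extract_host(FAILREGEX_OLD, SAMPLE_LOG))
    print("new failregex host:", extract_host(FAILREGEX_NEW, SAMPLE_LOG))
    print("broken actions use chains:", inconsistent_chains(ACTION_BROKEN, "ssh"))
    print("fixed actions use chains: ", inconsistent_chains(ACTION_FIXED, "ssh"))
    rc = simulate_actioncheck(ACTION_BROKEN, "ssh", IPTABLES_LISTING)
    print("broken actioncheck exit %d, logged as 'returned %s'" % (rc, logged_status(rc)))
```

Running inconsistent_chains() over a jail's action file before enabling it is a cheap pre-flight check: any action file that lists more than one chain name for a single jail will pass actionban and still trip the invariant check.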