From: Stephen B. (Contractor) <ste...@nr...> - 2014-02-26 14:30:13

I'm trying to manually ban an IP address and it doesn't seem to be working. The system is running RHEL 5.10 and I'm using fail2ban-0.8.4-29.el5.noarch.rpm from the EPEL5 repo. I tried 0.8.11 from the EPEL6 repo but it won't run, also tried 0.8.12 from the tar ball at the fail2ban.org website with about the same results.

[root@<hostname> fail2ban]# fail2ban-client -vvv set ssh-iptables banip x.x.x.x
DEBUG Reading /etc/fail2ban/fail2ban
DEBUG Reading files: ['/etc/fail2ban/fail2ban.conf', '/etc/fail2ban/fail2ban.local']
INFO Using socket file /var/run/fail2ban/fail2ban.sock
DEBUG OK : 'x.x.x.x'
DEBUG Beautify 'x.x.x.x' with ['set', 'ssh-iptables', 'banip', 'x.x.x.x']
x.x.x.x

[root@<hostname> fail2ban]# fail2ban-client -vv status ssh-iptables
DEBUG Reading /etc/fail2ban/fail2ban
DEBUG Reading files: ['/etc/fail2ban/fail2ban.conf', '/etc/fail2ban/fail2ban.local']
INFO Using socket file /var/run/fail2ban/fail2ban.sock
DEBUG OK : [('filter', [('Currently failed', 1), ('Total failed', 181), ('File list', ['/var/log/secure'])]), ('action', [('Currently banned', 0), ('Total banned', 5), ('IP list', [])])]
DEBUG Beautify [('filter', [('Currently failed', 1), ('Total failed', 181), ('File list', ['/var/log/secure'])]), ('action', [('Currently banned', 0), ('Total banned', 5), ('IP list', [])])] with ['status', 'ssh-iptables']
Status for the jail: ssh-iptables
|- filter
|  |- File list: /var/log/secure
|  |- Currently failed: 1
|  `- Total failed: 181
`- action
   |- Currently banned: 0
   |  `- IP list:
   `- Total banned: 5

Nothing shows up in /var/log/fail2ban and "iptables -L" doesn't indicate the IP has been banned.

I'm fairly new to using fail2ban so this is possibly just a configuration issue, but I haven't found anything to get it fixed. The bad guys are getting banned as they should, but I've got a couple of IP addresses that are doing a real slow break-in attempt: they try once every 30 to 45 minutes, so fail2ban doesn't pick it up as an attempt and get the address banned automatically.

--
Stephen Berg
Systems Administrator
NRL Code: 7320
Office: 228-688-5738
ste...@nr...
From: Finn <so...@pr...> - 2014-02-26 15:12:50

Hi Stephen.

You don't do it with fail2ban - you do it from the CLI (command line). (fail2ban is a marvellous piece of software/script that checks your logfiles for everything you want and you can take action on bad inputs - and it makes use of iptables.)

iptables -I INPUT -s xxx.xxx.xxx.xxx -j DROP

is how you drop an incoming IP. But look up iptables - it is need-to-know knowledge.

Regards,
Finn

On 26-02-2014 14:53, Stephen Berg (Contractor) wrote:
> I'm trying to manually ban an IP address and it doesn't seem to be
> working. The system is running RHEL 5.10 and I'm using
> fail2ban-0.8.4-29.el5.noarch.rpm from the EPEL5 repo. I tried 0.8.11
> from the EPEL6 repo but it won't run, also tried 0.8.12 from the tar
> ball at the fail2ban.org website with about the same results.
>
> [root@<hostname> fail2ban]# fail2ban-client -vvv set ssh-iptables banip
> x.x.x.x
> DEBUG Reading /etc/fail2ban/fail2ban
> DEBUG Reading files: ['/etc/fail2ban/fail2ban.conf',
> '/etc/fail2ban/fail2ban.local']
> INFO Using socket file /var/run/fail2ban/fail2ban.sock
> DEBUG OK : 'x.x.x.x'
> DEBUG Beautify 'x.x.x.x' with ['set', 'ssh-iptables', 'banip', 'x.x.x.x']
> x.x.x.x
>
> [root@<hostname> fail2ban]# fail2ban-client -vv status ssh-iptables
> DEBUG Reading /etc/fail2ban/fail2ban
> DEBUG Reading files: ['/etc/fail2ban/fail2ban.conf',
> '/etc/fail2ban/fail2ban.local']
> INFO Using socket file /var/run/fail2ban/fail2ban.sock
> DEBUG OK : [('filter', [('Currently failed', 1), ('Total failed', 181),
> ('File list', ['/var/log/secure'])]), ('action', [('Currently banned',
> 0), ('Total banned', 5), ('IP list', [])])]
> DEBUG Beautify [('filter', [('Currently failed', 1), ('Total failed',
> 181), ('File list', ['/var/log/secure'])]), ('action', [('Currently
> banned', 0), ('Total banned', 5), ('IP list', [])])] with ['status',
> 'ssh-iptables']
> Status for the jail: ssh-iptables
> |- filter
> |  |- File list: /var/log/secure
> |  |- Currently failed: 1
> |  `- Total failed: 181
> `- action
>    |- Currently banned: 0
>    |  `- IP list:
>    `- Total banned: 5
>
> Nothing shows up in /var/log/fail2ban and "iptables -L" doesn't indicate
> the IP has been banned.
>
> I'm fairly new to using fail2ban so this is possibly just a
> configuration issue, but I haven't found anything to get it fixed. The
> bad guys are getting banned as they should, but I've got a couple of IP
> addresses that are doing a real slow break-in attempt, they try once
> every 30 to 45 minutes so fail2ban doesn't pick it up as an attempt to
> get the address banned automatically.
From: Stephen B. (Contractor) <ste...@nr...> - 2014-02-26 15:36:24

On 02/26/2014 09:12 AM, Finn wrote:
> Hi Stephen.
>
> You don't do it with fail2ban - you do it from the CLI (command line).
> (fail2ban is a marvellous piece of software/script that checks your
> logfiles for everything you want and you can take action on bad inputs -
> and it makes use of iptables.)
>
> iptables -I INPUT -s xxx.xxx.xxx.xxx -j DROP
>
> is how you drop an incoming IP.
>
> But look up iptables - it is need-to-know knowledge.
>
> Regards,
> Finn

Yeah, I understand that and that works just fine. But it doesn't explain why a documented feature of fail2ban seems to be broken. Running "fail2ban-client -vvv set ssh-iptables banip x.x.x.x" should ban the IP address given. It does not, and results in no error message and no log entries.

The advantage to using fail2ban-client should be that the IP address banned would get unbanned after the bantime expires. Using iptables I'd have to manually remove the ban or the list of banned IPs would continue to grow.

--
Stephen Berg
Systems Administrator
NRL Code: 7320
Office: 228-688-5738
ste...@nr...
From: Finn <so...@pr...> - 2014-02-26 16:02:20

Sorry! I don't have that feature in my documentation for version 0.8.7.

On 26-02-2014 16:35, Stephen Berg (Contractor) wrote:
> On 02/26/2014 09:12 AM, Finn wrote:
>> Hi Stephen.
>>
>> You don't do it with fail2ban - you do it from the CLI (command line).
>> (fail2ban is a marvellous piece of software/script that checks your
>> logfiles for everything you want and you can take action on bad inputs -
>> and it makes use of iptables.)
>>
>> iptables -I INPUT -s xxx.xxx.xxx.xxx -j DROP
>>
>> is how you drop an incoming IP.
>>
>> But look up iptables - it is need-to-know knowledge.
>>
>> Regards,
>> Finn
>>
> Yeah, I understand that and that works just fine. But it doesn't explain
> why a documented feature of fail2ban seems to be broken. Running
> "fail2ban-client -vvv set ssh-iptables banip x.x.x.x" should ban the IP
> address given. It does not, and results in no error message and no log
> entries.
>
> The advantage to using fail2ban-client should be that the IP address
> banned would get unbanned after the bantime expires. Using iptables I'd
> have to manually remove the ban or the list of banned IPs would
> continue to grow.
From: Steven H. <ste...@hi...> - 2014-02-26 18:14:33

On 26/02/14 13:53, Stephen Berg (Contractor) wrote:
> I'm trying to manually ban an IP address and it doesn't seem to be
> working. The system is running RHEL 5.10 and I'm using
> fail2ban-0.8.4-29.el5.noarch.rpm from the EPEL5 repo. I tried 0.8.11
> from the EPEL6 repo but it won't run, also tried 0.8.12 from the tar
> ball at the fail2ban.org website with about the same results.

Seems that this was fixed in a commit in the 0.8.7 release:
https://github.com/fail2ban/fail2ban/commit/958aa2e932c88bbc0488ae81bbce81c61719a3a7

You therefore could try upgrading to 0.8.7, or run the banip command "maxretry" times.

Obviously the best bet would be to upgrade to the latest version, but are you saying this isn't working at all? May be worth running at DEBUG level by setting "loglevel = 4" in /etc/fail2ban/fail2ban.conf, and then sharing any errors in your fail2ban log file (default /var/log/fail2ban.log).

--
Steven Hiscocks
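Stephen's problem is that a manual banip is accepted silently and neither the jail status nor iptables shows it, and Steven's workaround for 0.8.4 is to repeat the command maxretry times. The script below is an added example (not from the thread or the fail2ban project) that wraps both: it repeats banip until the jail lists the IP, then parses `fail2ban-client status` and `iptables -L -n` output to confirm the ban at both layers. The chain name argument and the sample outputs are assumptions; fail2ban-SSH is the chain the stock 0.8 ssh-iptables jail creates, so check your own jail.conf.

```shell
#!/bin/sh
# Added example; not code from the thread or the fail2ban project. Checks
# a manual ban from both sides: jail status and the jail's iptables chain.
# Chain name is "fail2ban-" + the action's name= parameter (fail2ban-SSH
# for the stock 0.8 ssh-iptables jail); confirm it in your jail.conf.

# Succeeds if IP is on the "IP list:" line of `fail2ban-client status JAIL`
# output read from stdin.
status_has_ip() {
    grep 'IP list:' | sed 's/.*IP list:[[:space:]]*//' \
        | tr -s ' \t' '\n' | grep -Fxq -- "$1"
}

# Succeeds if `iptables -L CHAIN -n` output on stdin has a DROP or REJECT
# rule whose source column is exactly IP.
chain_blocks_ip() {
    awk -v ip="$1" '($1 == "DROP" || $1 == "REJECT") && $4 == ip { f = 1 }
                    END { exit !f }'
}

# manual_ban JAIL IP CHAIN [MAXRETRY]: on 0.8.4 "banip" only records a
# failure, so it is repeated until the jail lists the IP (the workaround
# from the thread, at most MAXRETRY times), then the kernel rule is checked.
manual_ban() {
    jail="$1"; ip="$2"; chain="$3"; maxretry="${4:-5}"; n=0
    until fail2ban-client status "$jail" | status_has_ip "$ip"; do
        [ "$n" -lt "$maxretry" ] ||
            { echo "jail $jail does not list $ip after $n banip calls" >&2; return 1; }
        fail2ban-client set "$jail" banip "$ip" >/dev/null; n=$((n + 1))
    done
    iptables -L "$chain" -n | chain_blocks_ip "$ip" ||
        { echo "$ip is in jail $jail but chain $chain has no rule for it" >&2; return 1; }
    echo "$ip banned in $jail; rule present in $chain, unbanned after bantime"
}
# Constructed sample outputs (not captured from a real host) for offline checks.
SAMPLE_STATUS='Status for the jail: ssh-iptables
|- filter
|  |- File list:        /var/log/secure
|  |- Currently failed: 1
|  `- Total failed:     181
`- action
   |- Currently banned: 1
   |  `- IP list:       192.0.2.10
   `- Total banned:     6'
SAMPLE_CHAIN='Chain fail2ban-SSH (1 references)
target     prot opt source               destination
DROP       all  --  192.0.2.10           0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0'
# Runs the real ban only when given arguments: ./checkban.sh ssh-iptables 192.0.2.10 fail2ban-SSH
if [ $# -ge 3 ]; then manual_ban "$@"; fi
```

On the thread's 0.8.4 host the status check would also show whether the repeated banip calls ever produce a listed IP; if they never do, the loglevel = 4 log Steven asks for is the next thing to look at.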