From: William L. <kg...@n1...> - 2015-06-28 18:21:31
Hello:

Problem #1: I just updated my Fail2Ban to version: 0.8.13.-1-nd12.04+1 from the NeuroDebian repository and now I see that when Fail2Ban detects a match to one of my Jails, fail2ban erroneously drops the last digit off the offending IP address and thus bans the wrong IP address.

Here is an example. Here is a line from my log file:

    Sun Jun 28 10:53:12 2015 87.221.129.170:56512 - MBOX (root) bad login

But fail2ban reports banning IP address 87.221.129.17 (note the missing "0"). Fail2ban should have banned 87.221.129.170.

When I look at my firewall (I use SHOREWALL) I see these lines:

    -A dynamic -s 201.52.10.18/32 -j reject
    -A dynamic -s 95.180.179.21/32 -j reject
    -A dynamic -s 87.221.129.17/32 -j reject
    -A dynamic -s 182.209.52.14/32 -j reject

Every last one is missing the last digit, so the wrong IP is banned. Here are the correct IP addresses as seen in my log file:

    Sun Jun 28 10:46:35 2015 201.52.10.189:39679 - MBOX (root) bad login
    Sun Jun 28 10:42:04 2015 95.180.179.218:53539 - MBOX (root) bad login
    Sun Jun 28 10:47:35 2015 87.221.129.170:53538 - MBOX (root) bad login
    Sun Jun 28 10:49:34 2015 182.209.52.142:2935 - MBOX (support) bad login

Problem #2: I have my config in the jail set to email with the WHOIS as well as the offending lines in the log file (using: action = %(action_mwl)s). Yet when I get the email, it gives me the WHOIS, but no log lines are included. I am thinking it may not contain the actual offending logbook lines because problem #1 above is capturing the incorrect IP address, thus there is no match to report in the email. Just a guess though. Problem #1 would have to be corrected, then see if problem #2 remains or is also fixed.

Problem #3: I also noted that my previous version of fail2ban used "DROP" in shorewall, which is what I prefer. The new update now uses "reject" instead. Is there a way to change this in a config somewhere back to DROP?

Thanks,
Wm Lewis
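One way to confirm the mismatch described in the message above, as an added example that is not part of the original post or of fail2ban: it compares the addresses in the firewall's dynamic chain with those in the log and flags bans that equal a logged address minus its trailing digits. The regular expressions and the names `audit`, `LOG` and `RULES` are assumptions built from the two line formats quoted in the post.

```python
import ipaddress
import re

# Constructed sample input: log lines and firewall rules quoted in the post.
LOG = """\
Sun Jun 28 10:46:35 2015 201.52.10.189:39679 - MBOX (root) bad login
Sun Jun 28 10:42:04 2015 95.180.179.218:53539 - MBOX (root) bad login
Sun Jun 28 10:47:35 2015 87.221.129.170:53538 - MBOX (root) bad login
Sun Jun 28 10:49:34 2015 182.209.52.142:2935 - MBOX (support) bad login
"""
RULES = """\
-A dynamic -s 201.52.10.18/32 -j reject
-A dynamic -s 95.180.179.21/32 -j reject
-A dynamic -s 87.221.129.17/32 -j reject
-A dynamic -s 182.209.52.14/32 -j reject
"""
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
LOG_RE = re.compile(rf"\s({IPV4}):\d+ - MBOX \(.*?\) bad login$", re.M)
RULE_RE = re.compile(rf"^-A dynamic -s ({IPV4})(?:/32)? -j \w+$", re.M)


def _is_ipv4(text):
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False


def audit(log_text, rule_text):
    """Return (banned_ip, status, candidates) per firewall rule.
    status: 'ok' if the address is in the log, 'truncated' if a logged
    address is the banned one plus trailing digits, else 'unmatched'.
    """
    logged = {ip for ip in LOG_RE.findall(log_text) if _is_ipv4(ip)}
    report = []
    for banned in filter(_is_ipv4, RULE_RE.findall(rule_text)):
        longer = sorted(ip for ip in logged
                        if ip.startswith(banned) and ip[len(banned):].isdigit())
        if banned in logged:
            report.append((banned, "ok", []))
        else:
            report.append((banned, "truncated" if longer else "unmatched", longer))
    return report


if __name__ == "__main__":
    for banned, status, candidates in audit(LOG, RULES):
        print(f"{banned:<16} {status:<10} {', '.join(candidates)}")
```

A `truncated` result is only a prefix match, so a legitimately banned address that happens to be a prefix of another logged address needs a manual check.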