From: Lasse B. <ze...@ze...> - 2008-05-28 19:21:59
|
Hi,

I am having problems getting fail2ban to run on my machine, and I was hoping that you might be able to help.

I have installed iptables and have loaded the following modules:

xt_multiport            2624  2
iptable_filter          2368  1
ip_tables               8464  1 iptable_filter
x_tables               10564  2 xt_multiport,ip_tables

My kernel has the following modules:

CONFIG_NETFILTER_XTABLES=m
CONFIG_NETFILTER_XT_TARGET_NFLOG=m
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
CONFIG_NETFILTER_XT_MATCH_MULTIPORT=m
CONFIG_NETFILTER_XT_MATCH_STATE=m
CONFIG_NETFILTER_XT_MATCH_U32=m
CONFIG_IP_NF_FILTER=m

However, entering these commands followed by starting fail2ban yields this:

iptables -N fail2ban-ssh
iptables -A fail2ban-ssh -j RETURN
iptables -I INPUT -p tcp -m multiport --dports ssh -j fail2ban-ssh
/etc/init.d/iptables save
/etc/init.d/fail2ban start
tail -f /var/log/fail2ban.log

Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped" <dest>
2008-05-28 20:54:39,491 fail2ban.actions.action: INFO Set actionStart = echo -en "Hi,\n The jail <name> has been started successfuly.\n Regards,\n Fail2Ban"|mail -s "[Fail2Ban] <name>: started" <dest>
2008-05-28 20:54:39,495 fail2ban.actions.action: INFO Set actionUnban =
2008-05-28 20:54:39,497 fail2ban.actions.action: INFO Set actionCheck =
2008-05-28 20:54:39,583 fail2ban.actions.action: ERROR iptables -N fail2ban-SSH
iptables -A fail2ban-SSH -j RETURN
iptables -I INPUT -p tcp --dport ssh -j fail2ban-SSH returned 100

I am unsure why this fails. I have also tried without entering the first commands, which set iptables up.

Any ideas?

Thanks in advance,
Lasse
|
From: Cyril J. <cyr...@fa...> - 2008-05-28 21:26:25
|
Hi Lasse,

> However, entering these commands followed by starting fail2ban yields
> this:
> iptables -N fail2ban-ssh
> iptables -A fail2ban-ssh -j RETURN
> iptables -I INPUT -p tcp -m multiport --dports ssh -j fail2ban-ssh
> /etc/init.d/iptables save
> /etc/init.d/fail2ban start
> tail -f /var/log/fail2ban.log

Why do you run those commands before starting fail2ban? This is not needed as fail2ban will do it for you. Or am I missing something?

Regards,
Cyril
|
From: Lasse B. <ze...@ze...> - 2008-05-28 21:33:07
|
On 23:26, Wed 28 May, Cyril Jaquier wrote:
> > iptables -N fail2ban-ssh
> > iptables -A fail2ban-ssh -j RETURN
> > iptables -I INPUT -p tcp -m multiport --dports ssh -j fail2ban-ssh
> > /etc/init.d/iptables save
> > /etc/init.d/fail2ban start
> > tail -f /var/log/fail2ban.log
>
> Why do you run those commands before starting fail2ban? This is not
> needed as fail2ban will do it for you. Or am I missing something?

They are mostly for debugging purposes, so that you may see that the commands do not fail, and that I have installed things properly.

I would not run these usually.

/Lasse
|
From: Yaroslav H. <li...@on...> - 2008-05-30 16:04:12
|
> meridian ~ # iptables
> iptables v1.3.8: no command specified
> Try `iptables -h' or 'iptables --help' for more information.
>
> Is the version alright or should I up-/downgrade?

heh heh -- not sure... also it is not only iptables but kernel version... just FYI 1.3.7 and 1.3.8 releases combined fix 35 bugs, but I didn't spot any possible relevant one. and 1.3.6 from etch Debian seems to work fine... but also I neither had problem with 1.3.[78] whenever they were in Debian unstable... so it must be something more peculiar.

1 question though: did you modify fail2ban configs in any ways which could be relevant? (although that is probably irrelevant since it fails on those commands from cmdline too)

looking through the thread I got a feeling that you have two chains for ssh: 1 using regular iptables, another one uses iptables-multiport? or am I wrong?

in any case -- it might help if you provide complete configuration you are using (as an attachment)

so it is up to you to upgrade iptables/kernel and see if problem persists.

btw - may be I missed -- what distribution/release are you running?

> Thanks for your help,
> Lasse
>
> > On Thu, 29 May 2008, Lasse Bigum wrote:
> > > On 10:49, Thu 29 May, Yaroslav Halchenko wrote:
> > > > may be iptables gets confused a bit while having two chains with the
> > > > same name if taken in the same case...
> > > >
> > > > stop fail2ban
> > > > remove any traces of it in iptables:
> > > > for chain in fail2ban-SSH fail2ban-ssh; do
> > > >     iptables -D INPUT -p tcp -m multiport --dports 22 -j $chain
> > > >     iptables -F $chain
> > > >     iptables -X $chain
> > > > done
> > > >
> > > > ah -- probably wouldn't work fine since you have two jumps from INPUT
> > > > over to fail2ban-ssh but none to fail2ban-SSH
> > > >
> > > > so just remove them manually by line number
> > > > iptables -D INPUT 1
> > > > iptables -D INPUT 1
> > > > if there is nothing else there
> > > >
> > > > after you made sure that no traces of fail2ban is there (iptables -L -n)
> > > > -- try starting it again
> > >
> > > meridian ~ # /etc/init.d/fail2ban stop
> > >  * Stopping fail2ban ... [ ok ]
> > > meridian ~ # iptables -L -n
> > > Chain INPUT (policy ACCEPT)
> > > target     prot opt source               destination
> > >
> > > Chain FORWARD (policy ACCEPT)
> > > target     prot opt source               destination
> > >
> > > Chain OUTPUT (policy ACCEPT)
> > > target     prot opt source               destination
> > > meridian ~ # /etc/init.d/fail2ban start
> > >  * Starting fail2ban ... [ ok ]
> > > meridian ~ # tail -10 /var/log/fail2ban.log
> > > Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped" <dest>
> > > 2008-05-29 16:58:25,945 fail2ban.actions.action: INFO Set actionStart = echo -en "Hi,\n
> > > The jail <name> has been started successfuly.\n
> > > Regards,\n
> > > Fail2Ban"|mail -s "[Fail2Ban] <name>: started" <dest>
> > > 2008-05-29 16:58:25,948 fail2ban.actions.action: INFO Set actionUnban =
> > > 2008-05-29 16:58:25,951 fail2ban.actions.action: INFO Set actionCheck =
> > > 2008-05-29 16:58:26,042 fail2ban.actions.action: ERROR iptables -N fail2ban-SSH
> > > iptables -A fail2ban-SSH -j RETURN
> > > iptables -I INPUT -p tcp --dport ssh -j fail2ban-SSH returned 100
> > >
> > > Did not seem to help unfortunately.
> > >
> > > /Lasse

--
                                  .-.
=------------------------------   /v\  ----------------------------=
Keep in touch                    // \\     (yoh@|www.)onerussian.com
Yaroslav Halchenko              /(   )\               ICQ#: 60653192
Linux User                       ^^-^^                     [175555]
|
From: Lasse B. <ze...@ze...> - 2008-05-30 10:05:50
|
On 00:25, Fri 30 May, Yaroslav Halchenko wrote:
> and what was output for iptables -L -n after that 'clean failure'?

meridian ~ # /etc/init.d/fail2ban stop
 * Stopping fail2ban ... [ ok ]
meridian ~ # iptables -D INPUT 1
iptables: Index of deletion too big
meridian ~ # iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

> what version of iptables are you running? anything too new or too old
> may be?

meridian ~ # iptables
iptables v1.3.8: no command specified
Try `iptables -h' or 'iptables --help' for more information.

Is the version alright or should I up-/downgrade?

Thanks for your help,
Lasse
|
From: Cyril J. <cyr...@fa...> - 2008-05-28 21:46:33
|
> They are mostly for debugging purposes, so that you may see that the
> commands do not fail, and that I have installed things properly.
>
> I would not run these usually.

Ok. Good good.

Could you try to run these commands?

iptables -N fail2ban-SSH
iptables -A fail2ban-SSH -j RETURN
iptables -I INPUT -p tcp --dport ssh -j fail2ban-SSH

Do you run fail2ban as root?

Thanks,
Cyril
|
From: Lasse B. <ze...@ze...> - 2008-05-31 09:38:56
|
On 12:04, Fri 30 May, Yaroslav Halchenko wrote:
> > meridian ~ # iptables
> > iptables v1.3.8: no command specified
> > Try `iptables -h' or 'iptables --help' for more information.
> >
> > Is the version alright or should I up-/downgrade?
> heh heh -- not sure... also it is not only iptables but kernel
> version... just FYI 1.3.7 and 1.3.8 releases combined fix 35 bugs, but I
> didn't spot any possible relevant one. and 1.3.6 from etch Debian
> seems to work fine... but also I neither had problem with 1.3.[78]
> whenever they were in Debian unstable... so it must be something more
> peculiar.

meridian ~ # uname -a
Linux meridian 2.6.25-gentoo-r4 #2 Wed May 28 18:20:48 CEST 2008 i686 VIA Esther processor 1500MHz CentaurHauls GNU/Linux

> 1 question though: did you modify fail2ban configs in any ways which
> could be relevant? (although that is probably irrelevant since it fails
> on those commands from cmdline too)

I mostly just followed this guide:
http://gentoo-wiki.com/HOWTO_fail2ban

So did not really change much; the only thing I changed was to enable sshd monitoring and then changing the path to the log-file as I am using metalog.

My /etc/fail2ban/{fail2ban.conf,jail.conf} are attached, and I only modified the two mentioned lines in jail.conf

> looking through the thread I got a feeling that you have two chains for
> ssh: 1 using regular iptables, another one uses iptables-multiport? or
> am I wrong?

The multiport thing was just because I was googling for others with the same problem, and someone suggested that command, so I compiled that module as well and tried his command. It did not make any difference.

> in any case -- it might help if you provide complete configuration you
> are using (as an attachment)

Done.

> so it is up to you to upgrade iptables/kernel and see if problem
> persists.

:)

> btw - may be I missed -- what distribution/release are you running?

See the first part of my reply.

/Lasse
|
From: Lasse B. <ze...@ze...> - 2008-05-28 22:15:55
|
On 23:46, Wed 28 May, Cyril Jaquier wrote:
> Could you try to run these commands?
>
> iptables -N fail2ban-SSH
> iptables -A fail2ban-SSH -j RETURN
> iptables -I INPUT -p tcp --dport ssh -j fail2ban-SSH

If I have fail2ban started, I get:

meridian linux # iptables -N fail2ban-SSH
iptables: Chain already exists
meridian linux # iptables -A fail2ban-SSH -j RETURN
meridian linux # iptables -I INPUT -p tcp --dport ssh -j fail2ban-SSH
iptables: No chain/target/match by that name

If I stop fail2ban first, I get:

meridian linux # iptables -N fail2ban-SSH
meridian linux # iptables -A fail2ban-SSH -j RETURN
meridian linux # iptables -I INPUT -p tcp --dport ssh -j fail2ban-SSH
iptables: No chain/target/match by that name

> Do you run fail2ban as root?

Yes, I start it using /etc/init.d/fail2ban (this is on Gentoo)

/Lasse
|
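An added example (editor's note, not part of the thread and not fail2ban's own code): a preflight check for the rule that fails above. "iptables: No chain/target/match by that name" is what iptables prints both when the jump target chain does not exist and when a match or target extension cannot be loaded into the kernel. The chain does exist here (the second run of iptables -N reports "Chain already exists"), which points at the match: with -p tcp, the --dport option is implemented by the tcp match extension (kernel module xt_tcpudp), and that module is absent from the loaded-module list in the first message, while the -m multiport --dports form that did not fail uses xt_multiport, which is present. That is this editor's reading, not something the thread confirms. The script maps an iptables rule to the match extensions it needs and compares them against /proc/net/ip_tables_matches, passed in as a file path so it can also be run against a saved copy; the match list used in the demo is constructed to mirror the first message.

```shell
#!/bin/sh
# Added example (not from the thread or from fail2ban): preflight check for
# the match extensions an iptables rule needs, compared against the names the
# running kernel exposes in /proc/net/ip_tables_matches (one per line).
#
# Assumption encoded here: "-p tcp|udp" together with a port option needs the
# "tcp"/"udp" match (xt_tcpudp); "-m NAME" needs the match NAME.

# needed_matches ARGS...  ->  one match name per line that the rule uses
needed_matches() {
    proto=""
    prev=""
    for arg in "$@"; do
        case "$prev" in
            -p|--protocol) proto="$arg" ;;
            -m|--match)    echo "$arg" ;;   # explicitly requested match
        esac
        case "$arg" in
            --dport|--sport|--destination-port|--source-port)
                # port options of -p tcp/udp load the protocol match implicitly
                [ -n "$proto" ] && echo "$proto" ;;
        esac
        prev="$arg"
    done | sort -u
}

# missing_matches MATCHES_FILE ARGS...  ->  prints the matches the rule needs
# but MATCHES_FILE lacks; returns 1 if any are missing, 0 otherwise.
# MATCHES_FILE is normally /proc/net/ip_tables_matches.
missing_matches() {
    file="$1"; shift
    rc=0
    for m in $(needed_matches "$@"); do
        if ! grep -qx "$m" "$file"; then
            echo "$m"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample mirroring the first message of the thread: multiport,
# state, conntrack and u32 are available, the tcp/udp match is not.
demo() {
    tmp=$(mktemp)
    printf 'multiport\nstate\nconntrack\nu32\n' > "$tmp"

    echo "rule with -m multiport --dports:"
    missing_matches "$tmp" -I INPUT -p tcp -m multiport --dports ssh -j fail2ban-ssh \
        && echo "  all matches available"

    echo "fail2ban default rule with --dport:"
    missing_matches "$tmp" -I INPUT -p tcp --dport ssh -j fail2ban-SSH \
        || echo "  ^ match not available; check that xt_tcpudp is installed and loadable"

    rm -f "$tmp"
}

demo
```

On a live system replace the temporary file with /proc/net/ip_tables_matches and paste the exact command from the fail2ban ERROR line; a non-empty result means the "No chain/target/match" error is about the match, not the chain, and the fix is on the kernel/module side rather than in jail.conf.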
From: Lasse B. <ze...@ze...> - 2008-06-01 18:46:04
Attachments:
fail2ban.conf
jail.conf
|
Ups, forgot attachment :)

It is attached now.

/Lasse
|
From: Yaroslav H. <li...@on...> - 2008-05-29 04:24:08
|
> meridian linux # iptables -N fail2ban-SSH
> iptables: Chain already exists
> meridian linux # iptables -A fail2ban-SSH -j RETURN
> meridian linux # iptables -I INPUT -p tcp --dport ssh -j fail2ban-SSH
> iptables: No chain/target/match by that name

wow -- interesting ;-) I wonder if INPUT is missing somehow? (since iptables just previously confirmed that fail2ban-SSH is already there ;-))

what is your iptables -L -n ? does it show INPUT and fail2ban-SSH?

--
                                  .-.
=------------------------------   /v\  ----------------------------=
Keep in touch                    // \\     (yoh@|www.)onerussian.com
Yaroslav Halchenko              /(   )\               ICQ#: 60653192
Linux User                       ^^-^^                     [175555]
|
From: Lasse B. <ze...@ze...> - 2008-06-04 21:18:05
|
For some strange reason, it seems to work now. I think i rebootet (AKA it crashed) the server at one point, and the next thing I knew, I was getting "[Fail2Ban] xxx.xxx.xxx.xxx is banned" mails, so I am assuming that it is working, although this command still comes up empty: meridian ~ # iptables --list |grep fail2ban Chain fail2ban-SSH (0 references) meridian ~ # iptables -L -n -v | grep fail2ban Chain fail2ban-SSH (0 references) Can this be because the bans expires after some time, or should the chains still return something? /Lasse On 20:45, Sun 01 Jun, Lasse Bigum wrote: > Ups, forgot attachment :) > > It is attached now. > > /Lasse > > On 11:39, Sat 31 May, Lasse Bigum wrote: > > On 12:04, Fri 30 May, Yaroslav Halchenko wrote: > > > > meridian ~ # iptables > > > > iptables v1.3.8: no command specified > > > > Try `iptables -h' or 'iptables --help' for more information. > > > > > > > Is the version alright or should I up-/downgrade? > > > heh heh -- not sure... also it is not only iptables but kernel > > > version... just FYI 1.3.7 and 1.3.8 releases combined fix 35 bugs, but I > > > didn't spot any possible relevant one. and 1.3.6 from etch Debian > > > seems to work fine... but also I neither had problem with 1.3.[78] > > > whenever they were in Debian unstable... so it must be something more > > > peculiar. > > > > meridian ~ # uname -a > > Linux meridian 2.6.25-gentoo-r4 #2 Wed May 28 18:20:48 CEST 2008 i686 > > VIA Esther processor 1500MHz CentaurHauls GNU/Linux > > > > > 1 question though: did you modify fail2ban configs in any ways which > > > could be relevant? (althouth that is probably irrelevant since it fails > > > on those commands from cmdline too) > > > > I mostly just followed this guide: > > http://gentoo-wiki.com/HOWTO_fail2ban > > > > So did not really change much, the only thing I changed was to enable > > sshd monitoring and then changing the path to the log-file as I am using > > metalog. 
> >
> > My /etc/fail2ban/{fail2ban.conf,jail.conf} are attached, and I only
> > modified the two mentioned lines in jail.conf
> >
> > > looking through the thread I got a feeling that you have two chains for
> > > ssh: 1 using regular iptables, another one uses iptables-multiport? or
> > > am I wrong?
> >
> > The multiport thing was just because I was googling for others with the
> > same problem, and someone suggested that command, so I compiled that
> > module as well and tried his command. Did not make any difference.
> >
> > > in any case -- it might help if you provide complete configuration you
> > > are using (as an attachment)
> >
> > Done.
> >
> > > so it is up to you to upgrade iptables/kernel and see if problem
> > > persists.
> >
> > :)
> >
> > > btw - maybe I missed -- what distribution/release are you running?
> >
> > See the first part of my reply.
> >
> > /Lasse
> >
> > > > Thanks for your help,
> > > > Lasse
> > > >
> > > > > On Thu, 29 May 2008, Lasse Bigum wrote:
> > > > >
> > > > > > On 10:49, Thu 29 May, Yaroslav Halchenko wrote:
> > > > > > > maybe iptables gets confused a bit while having two chains with the
> > > > > > > same name if taken in the same case...
> > > > > > >
> > > > > > > stop fail2ban
> > > > > > > remove any traces of it in iptables:
> > > > > > > for chain in fail2ban-SSH fail2ban-ssh; do
> > > > > > >     iptables -D INPUT -p tcp -m multiport --dports 22 -j $chain
> > > > > > >     iptables -F $chain
> > > > > > >     iptables -X $chain
> > > > > > > done
> > > > > > >
> > > > > > > ah -- probably wouldn't work fine since you have two jumps from INPUT
> > > > > > > over to fail2ban-ssh but none to fail2ban-SSH
> > > > > > >
> > > > > > > so just remove them manually by line number
> > > > > > > iptables -D INPUT 1
> > > > > > > iptables -D INPUT 1
> > > > > > > if there is nothing else there
> > > > > > >
> > > > > > > after you made sure that no traces of fail2ban are there (iptables -L -n)
> > > > > > > -- try starting it again
> > > > > >
> > > > > > meridian ~ # /etc/init.d/fail2ban stop
> > > > > >  * Stopping fail2ban ...
> > > > > > [ ok ]
> > > > > > meridian ~ # iptables -L -n
> > > > > > Chain INPUT (policy ACCEPT)
> > > > > > target     prot opt source               destination
> > > > > >
> > > > > > Chain FORWARD (policy ACCEPT)
> > > > > > target     prot opt source               destination
> > > > > >
> > > > > > Chain OUTPUT (policy ACCEPT)
> > > > > > target     prot opt source               destination
> > > > > > meridian ~ # /etc/init.d/fail2ban start
> > > > > >  * Starting fail2ban ...
> > > > > >  * [ ok ]
> > > > > > meridian ~ # tail -10 /var/log/fail2ban.log
> > > > > > Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped" <dest>
> > > > > > 2008-05-29 16:58:25,945 fail2ban.actions.action: INFO Set actionStart = echo -en "Hi,\n
> > > > > > The jail <name> has been started successfuly.\n
> > > > > > Regards,\n
> > > > > > Fail2Ban"|mail -s "[Fail2Ban] <name>: started" <dest>
> > > > > > 2008-05-29 16:58:25,948 fail2ban.actions.action: INFO Set actionUnban =
> > > > > > 2008-05-29 16:58:25,951 fail2ban.actions.action: INFO Set actionCheck =
> > > > > > 2008-05-29 16:58:26,042 fail2ban.actions.action: ERROR iptables -N fail2ban-SSH
> > > > > > iptables -A fail2ban-SSH -j RETURN
> > > > > > iptables -I INPUT -p tcp --dport ssh -j fail2ban-SSH returned 100
> > > > > >
> > > > > > Did not seem to help unfortunately.
> > > > > >
> > > > > > /Lasse
> > > > > >
> > > > > > -------------------------------------------------------------------------
> > > > > > This SF.net email is sponsored by: Microsoft
> > > > > > Defy all challenges. Microsoft(R) Visual Studio 2008.
> > > > > > http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
> > > > > > _______________________________________________
> > > > > > Fail2ban-users mailing list
> > > > > > Fai...@li...
> > > > > > https://lists.sourceforge.net/lists/listinfo/fail2ban-users
> > > > >
> > > > > --
> > > > > Yaroslav Halchenko
> > > > > Research Assistant, Psychology Department, Rutgers-Newark
> > > > > Student Ph.D. @ CS Dept. NJIT
> > > > > Office: (973) 353-5440x263 | FWD: 82823 | Fax: (973) 353-1171
> > > > > 101 Warren Str, Smith Hall, Rm 4-105, Newark NJ 07102
> > > > > WWW: http://www.linkedin.com/in/yarik
> > >
> > > --
> > >                                   .-.
> > > =------------------------------   /v\  ----------------------------=
> > > Keep in touch                    // \\     (yoh@|www.)onerussian.com
> > > Yaroslav Halchenko              /(   )\               ICQ#: 60653192
> > > Linux User    ^^-^^    [175555]
> >
> # Fail2Ban configuration file
> #
> # Author: Cyril Jaquier
> #
> # $Revision: 494 $
> #
>
> [Definition]
>
> # Option: loglevel
> # Notes.: Set the log level output.
> # 1 = ERROR
> # 2 = WARN
> # 3 = INFO
> # 4 = DEBUG
> # Values: NUM Default: 3
> #
> loglevel = 3
>
> # Option: logtarget
> # Notes.: Set the log target. This could be a file, SYSLOG, STDERR or STDOUT.
> # Only one log target can be specified.
> # Values: STDOUT STDERR SYSLOG file Default: /var/log/fail2ban.log
> #
> logtarget = /var/log/fail2ban.log
>
> # Option: socket
> # Notes.: Set the socket file. This is used to communicate with the daemon. Do
> # not remove this file when Fail2ban runs. It will not be possible to
> # communicate with the server afterwards.
> # Values: FILE Default: /tmp/fail2ban.sock
> #
> socket = /tmp/fail2ban.sock
>
> # Fail2Ban configuration file
> #
> # Author: Cyril Jaquier
> #
> # $Revision: 552 $
> #
>
> # The DEFAULT allows a global definition of the options. They can be override
> # in each jail afterwards.
>
> [DEFAULT]
>
> # "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
> # ban a host which matches an address in this list. Several addresses can be
> # defined using space separator.
> ignoreip = 127.0.0.1
>
> # "bantime" is the number of seconds that a host is banned.
> bantime = 600
>
> # A host is banned if it has generated "maxretry" during the last "findtime"
> # seconds.
> findtime = 600
>
> # "maxretry" is the number of failures before a host get banned.
> maxretry = 3
>
> # "backend" specifies the backend used to get files modification. Available
> # options are "gamin", "polling" and "auto". This option can be overridden in
> # each jail too (use "gamin" for a jail and "polling" for another).
> #
> # gamin: requires Gamin (a file alteration monitor) to be installed. If Gamin
> # is not installed, Fail2ban will use polling.
> # polling: uses a polling algorithm which does not require external libraries.
> # auto: will choose Gamin if available and polling otherwise.
> backend = auto
>
>
> # This jail corresponds to the standard configuration in Fail2ban 0.6.
> # The mail-whois action send a notification e-mail with a whois request
> # in the body.
>
> [ssh-iptables]
>
> enabled = true
> filter = sshd
> action = iptables[name=SSH, port=ssh, protocol=tcp]
>          mail-whois[name=SSH, dest=ze...@ze...]
> logpath = /var/log/sshd/current
> maxretry = 5
>
> [proftpd-iptables]
>
> enabled = false
> filter = proftpd
> action = iptables[name=ProFTPD, port=ftp, protocol=tcp]
>          mail-whois[name=ProFTPD, dest=you...@ma...]
> logpath = /var/log/proftpd/proftpd.log
> maxretry = 6
>
> # This jail forces the backend to "polling".
>
> [sasl-iptables]
>
> enabled = false
> filter = sasl
> backend = polling
> action = iptables[name=sasl, port=smtp, protocol=tcp]
>          mail-whois[name=sasl, dest=you...@ma...]
> logpath = /var/log/mail.log
>
> # Here we use TCP-Wrappers instead of Netfilter/Iptables. "ignoreregex" is
> # used to avoid banning the user "myuser".
>
> [ssh-tcpwrapper]
>
> enabled = false
> filter = sshd
> action = hostsdeny
>          mail-whois[name=SSH, dest=you...@ma...]
> ignoreregex = for myuser from
> logpath = /var/log/sshd.log
>
> # This jail demonstrates the use of wildcards in "logpath".
> # Moreover, it is possible to give other files on a new line.
>
> [apache-tcpwrapper]
>
> enabled = false
> filter = apache-auth
> action = hostsdeny
> logpath = /var/log/apache*/*access.log
>           /home/www/myhomepage/access.log
> maxretry = 6
>
> # The hosts.deny path can be defined with the "file" argument if it is
> # not in /etc.
>
> [postfix-tcpwrapper]
>
> enabled = false
> filter = postfix
> action = hostsdeny[file=/not/a/standard/path/hosts.deny]
>          mail[name=Postfix, dest=you...@ma...]
> logpath = /var/log/postfix.log
> bantime = 300
>
> # Do not ban anybody. Just report information about the remote host.
> # A notification is sent at most every 600 seconds (bantime).
>
> [vsftpd-notification]
>
> enabled = false
> filter = vsftpd
> action = mail-whois[name=VSFTPD, dest=you...@ma...]
> logpath = /var/log/vsftpd.log
> maxretry = 5
> bantime = 1800
>
> # Same as above but with banning the IP address.
>
> [vsftpd-iptables]
>
> enabled = false
> filter = vsftpd
> action = iptables[name=VSFTPD, port=ftp, protocol=tcp]
>          mail-whois[name=VSFTPD, dest=you...@ma...]
> logpath = /var/log/vsftpd.log
> maxretry = 5
> bantime = 1800
>
> # Ban hosts which agent identifies spammer robots crawling the web
> # for email addresses. The mail outputs are buffered.
>
> [apache-badbots]
>
> enabled = false
> filter = apache-badbots
> action = iptables-multiport[name=BadBots, port="http,https"]
>          mail-buffered[name=BadBots, lines=5, dest=you...@ma...]
> logpath = /var/www/*/logs/access_log
> bantime = 172800
> maxretry = 1
>
> # Use shorewall instead of iptables.
>
> [apache-shorewall]
>
> enabled = false
> filter = apache-noscript
> action = shorewall
>          mail[name=Postfix, dest=you...@ma...]
> logpath = /var/log/apache2/error_log
>
> # This jail uses ipfw, the standard firewall on FreeBSD. The "ignoreip"
> # option is overridden in this jail. Moreover, the action "mail-whois" defines
> # the variable "name" which contains a comma using "". The characters '' are
> # valid too.
>
> [ssh-ipfw]
>
> enabled = false
> filter = sshd
> action = ipfw[localhost=192.168.0.1]
>          mail-whois[name="SSH,IPFW", dest=you...@ma...]
> logpath = /var/log/auth.log
> ignoreip = 168.192.0.1
From: Yaroslav H. <li...@on...> - 2008-06-05 04:25:20
nope... seems to be incorrect -- there should be references from the INPUT chain, smth like

*$> sudo iptables -n --list | grep fail2
fail2ban-ssh  tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 22
Chain fail2ban-ssh (1 references)

otherwise I don't see how you could start receiving email notifications about banning from fail2ban

On Wed, 04 Jun 2008, Lasse Bigum wrote:
> For some strange reason, it seems to work now. I think I rebooted (AKA
> it crashed) the server at one point, and the next thing I knew, I was
> getting "[Fail2Ban] xxx.xxx.xxx.xxx is banned" mails, so I am assuming
> that it is working, although this command still comes up empty:
> meridian ~ # iptables --list |grep fail2ban
> Chain fail2ban-SSH (0 references)
> meridian ~ # iptables -L -n -v | grep fail2ban
> Chain fail2ban-SSH (0 references)
> Can this be because the bans expire after some time, or should the
> chains still return something?

--
                                  .-.
=------------------------------   /v\  ----------------------------=
Keep in touch                    // \\     (yoh@|www.)onerussian.com
Yaroslav Halchenko              /(   )\               ICQ#: 60653192
Linux User    ^^-^^    [175555]
From: Lasse B. <ze...@ze...> - 2008-05-29 07:04:18
On 00:24, Thu 29 May, Yaroslav Halchenko wrote:
> > meridian linux # iptables -N fail2ban-SSH
> > iptables: Chain already exists
> > meridian linux # iptables -A fail2ban-SSH -j RETURN
> > meridian linux # iptables -I INPUT -p tcp --dport ssh -j fail2ban-SSH
> > iptables: No chain/target/match by that name
>
> wow -- interesting ;-) I wonder if INPUT is missing somehow? (since
> iptables just previously confirmed that fail2ban-SSH is already there
> ;-))
>
> what is your iptables -L -n ? does it show INPUT and fail2ban-SSH?

meridian ~ # iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-ssh  tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 22
fail2ban-ssh  tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 22

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-SSH (0 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain fail2ban-ssh (2 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
meridian ~ #

/Lasse
From: Yaroslav H. <li...@on...> - 2008-05-29 14:49:44
maybe iptables gets confused a bit while having two chains with the
same name if taken in the same case...

stop fail2ban
remove any traces of it in iptables:
for chain in fail2ban-SSH fail2ban-ssh; do
    iptables -D INPUT -p tcp -m multiport --dports 22 -j $chain
    iptables -F $chain
    iptables -X $chain
done

ah -- probably wouldn't work fine since you have two jumps from INPUT
over to fail2ban-ssh but none to fail2ban-SSH

so just remove them manually by line number
iptables -D INPUT 1
iptables -D INPUT 1
if there is nothing else there

after you made sure that no traces of fail2ban are there (iptables -L -n)
-- try starting it again

On Thu, 29 May 2008, Lasse Bigum wrote:
> On 00:24, Thu 29 May, Yaroslav Halchenko wrote:
> > > meridian linux # iptables -N fail2ban-SSH
> > > iptables: Chain already exists
> > > meridian linux # iptables -A fail2ban-SSH -j RETURN
> > > meridian linux # iptables -I INPUT -p tcp --dport ssh -j fail2ban-SSH
> > > iptables: No chain/target/match by that name
> > wow -- interesting ;-) I wonder if INPUT is missing somehow? (since
> > iptables just previously confirmed that fail2ban-SSH is already there
> > ;-))
> > what is your iptables -L -n ? does it show INPUT and fail2ban-SSH?
> meridian ~ # iptables -L -n
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> fail2ban-ssh  tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 22
> fail2ban-ssh  tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 22
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> Chain fail2ban-SSH (0 references)
> target     prot opt source               destination
> RETURN     all  --  0.0.0.0/0            0.0.0.0/0
> Chain fail2ban-ssh (2 references)
> target     prot opt source               destination
> RETURN     all  --  0.0.0.0/0            0.0.0.0/0
> RETURN     all  --  0.0.0.0/0            0.0.0.0/0
> meridian ~ #
> /Lasse

--
                                  .-.
=------------------------------   /v\  ----------------------------=
Keep in touch                    // \\     (yoh@|www.)onerussian.com
Yaroslav Halchenko              /(   )\               ICQ#: 60653192
Linux User    ^^-^^    [175555]
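The two checks Yaroslav makes in the thread (a jail chain must be referenced from INPUT, and leftover chains that differ only in case must be removed, deleting INPUT jumps by line number) as an added example that is neither from the thread nor from fail2ban itself: it parses an `iptables -L -n` listing like the one Lasse posted, flags the anomalies, and builds the cleanup command list. The sample listing and the `fail2ban-` chain prefix are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample, trimmed to the relevant chains of the listing in this thread:
# a fail2ban-SSH chain nobody jumps to and two INPUT jumps to fail2ban-ssh.
SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-ssh  tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 22
fail2ban-ssh  tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 22

Chain fail2ban-SSH (0 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain fail2ban-ssh (2 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
"""

# Chain header: built-in chains show a policy, user-defined chains a reference count.
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy \S+|(\d+) references)\)$")


def parse_listing(text):
    """Return {chain: {"refs": int or None, "rules": [target, ...]}} in listing order."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            refs = int(m.group(2)) if m.group(2) is not None else None
            current = chains.setdefault(m.group(1), {"refs": refs, "rules": []})
        elif current is not None and line.strip() and not line.startswith("target"):
            current["rules"].append(line.split()[0])  # first column is the rule target
    return chains


def audit_fail2ban(chains, prefix="fail2ban-"):
    """Report chain names differing only in case, chains never jumped to, and duplicate INPUT jumps."""
    findings, f2b = [], [c for c in chains if c.startswith(prefix)]
    by_lower = defaultdict(list)
    for c in f2b:
        by_lower[c.lower()].append(c)
    for group in by_lower.values():
        if len(group) > 1:  # iptables keeps these as two distinct chains
            findings.append("case-colliding chains: " + ", ".join(sorted(group)))
    jumps = [t for t in chains.get("INPUT", {"rules": []})["rules"] if t in f2b]
    for c in f2b:
        if chains[c]["refs"] == 0:
            findings.append(f"{c} is never jumped to (0 references)")
        if jumps.count(c) > 1:
            findings.append(f"INPUT jumps to {c} {jumps.count(c)} times")
    return findings


def removal_plan(chains, prefix="fail2ban-"):
    """Commands that remove every fail2ban chain; INPUT rules are deleted by line
    number, highest first, so earlier deletions do not shift the numbers still to go."""
    f2b = {c for c in chains if c.startswith(prefix)}
    input_rules = chains.get("INPUT", {"rules": []})["rules"]
    plan = [f"iptables -D INPUT {n}" for n in range(len(input_rules), 0, -1)
            if input_rules[n - 1] in f2b]
    for c in sorted(f2b):  # flush before delete: -X refuses a non-empty chain
        plan += [f"iptables -F {c}", f"iptables -X {c}"]
    return plan
```

Run `audit_fail2ban(parse_listing(SAMPLE_LISTING))` on a listing captured from `iptables -L -n`; an empty result means the jail chain is wired into INPUT exactly once and no stale case-variant chain is left behind.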
From: Lasse B. <ze...@ze...> - 2008-05-29 15:50:25
Attachments:
smime.p7s
On 10:49, Thu 29 May, Yaroslav Halchenko wrote:
> maybe iptables gets confused a bit while having two chains with the
> same name if taken in the same case...
>
> stop fail2ban
> remove any traces of it in iptables:
> for chain in fail2ban-SSH fail2ban-ssh; do
>     iptables -D INPUT -p tcp -m multiport --dports 22 -j $chain
>     iptables -F $chain
>     iptables -X $chain
> done
>
> ah -- probably wouldn't work fine since you have two jumps from INPUT
> over to fail2ban-ssh but none to fail2ban-SSH
>
> so just remove them manually by line number
> iptables -D INPUT 1
> iptables -D INPUT 1
> if there is nothing else there
>
> after you made sure that no traces of fail2ban are there (iptables -L -n)
> -- try starting it again

meridian ~ # /etc/init.d/fail2ban stop
 * Stopping fail2ban ...
[ ok ]
meridian ~ # iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
meridian ~ # /etc/init.d/fail2ban start
 * Starting fail2ban ...
 * [ ok ]
meridian ~ # tail -10 /var/log/fail2ban.log
Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped" <dest>
2008-05-29 16:58:25,945 fail2ban.actions.action: INFO Set actionStart = echo -en "Hi,\n
The jail <name> has been started successfuly.\n
Regards,\n
Fail2Ban"|mail -s "[Fail2Ban] <name>: started" <dest>
2008-05-29 16:58:25,948 fail2ban.actions.action: INFO Set actionUnban =
2008-05-29 16:58:25,951 fail2ban.actions.action: INFO Set actionCheck =
2008-05-29 16:58:26,042 fail2ban.actions.action: ERROR iptables -N fail2ban-SSH
iptables -A fail2ban-SSH -j RETURN
iptables -I INPUT -p tcp --dport ssh -j fail2ban-SSH returned 100

Did not seem to help unfortunately.

/Lasse