From: Iain L. <ia...@br...> - 2009-01-04 21:09:34
I have spent the last day trying to get fail2ban 0.8.3 working on:

- Fedora 10 64 bit running on a dual opteron server + 8GB RAM
- Linux fw1-lan010 2.6.27.5-117.fc10.x86_64 #1 SMP Tue Nov 18 11:58:53 EST 2008 x86_64 x86_64 x86_64 GNU/Linux
- python-2.5.2-1.fc10.x86_64
- fail2ban-0.8.3-16.fc10.noarch

System is configured to send *.* to /var/log/messages (everything in 1 logfile) which is then used in fail2ban config files.

/etc/rsyslog.conf:

# provides --MARK-- message capability
$ModLoad immark
# provides UDP syslog reception
$ModLoad imudp
# provides TCP syslog reception
$ModLoad imtcp
# provides support for local system logging (e.g. via logger command)
$ModLoad imuxsock
# provides kernel logging support (previously done by rklogd)
$ModLoad imklog
# provides GSSAPI syslog reception
#$ModLoad imgssapi

# this MUST be before the $UDPServerRun directive!
$UDPServerAddress 192.168.10.5
$UDPServerRun 514

*.* /var/log/messages

Output format with iso date in /var/log/messages is:

2009-01-04T11:55:19.271930+01:00 fw1-lan010 sshd[9934]: \
    Failed password for invalid user unitedcolo from \
    195.70.36.149 port 44542 ssh2

Same config but with old style date in syslog worked fine on Fedora 6 and 8 systems.

I have attached various debug info as it just does not work.

Has anyone any tips to try and fix this as I am out of them?

Thanx

Iain

--
+49-172-8196039 skype: iain.lea
From: Klaus L. <leh...@t-...> - 2009-01-06 09:26:56
On Sun, 4 Jan 2009 21:45:32 +0100, Iain Lea wrote:

hi Iain

my advice
1. use snapshot: (it's the newest)
   http://www.fail2ban.org/nightly/fail2ban-FAIL2BAN-0_8.tar.bz2
2. it's easy to install, by Yourself ;-)
   to do only this: python setup.py install

why: I don't want to use precompiled packages.

yours klaus

> I have spent the last day trying to get fail2ban 0.8.3 working on:
>
> - Fedora 10 64 bit running on a dual opteron server + 8GB RAM
> - Linux fw1-lan010 2.6.27.5-117.fc10.x86_64 #1 SMP Tue Nov 18 11:58:53 EST 2008 x86_64 x86_64 x86_64 GNU/Linux
> - python-2.5.2-1.fc10.x86_64
> - fail2ban-0.8.3-16.fc10.noarch
>
> System is configured to send *.* to /var/log/messages (everything in 1
> logfile) which is then used in fail2ban config files.
>
> /etc/rsyslog.conf:
>
> # provides --MARK-- message capability
> $ModLoad immark
> # provides UDP syslog reception
> $ModLoad imudp
> # provides TCP syslog reception
> $ModLoad imtcp
> # provides support for local system logging (e.g. via logger command)
> $ModLoad imuxsock
> # provides kernel logging support (previously done by rklogd)
> $ModLoad imklog
> # provides GSSAPI syslog reception
> #$ModLoad imgssapi
>
> # this MUST be before the $UDPServerRun directive!
> $UDPServerAddress 192.168.10.5
> $UDPServerRun 514
>
> *.* /var/log/messages
>
> Output format with iso date in /var/log/messages is:
>
> 2009-01-04T11:55:19.271930+01:00 fw1-lan010 sshd[9934]: \
>     Failed password for invalid user unitedcolo from \
>     195.70.36.149 port 44542 ssh2
>
> Same config but with old style date in syslog worked fine on
> Fedora 6 and 8 systems.
>
> I have attached various debug info as it just does not work.
>
> Has anyone any tips to try and fix this as I am out of them?
>
> Thanx
>
> Iain
From: Iain L. <ia...@br...> - 2009-01-07 06:31:34
On Tue, Jan 06, 2009 at 10:26:35AM +0100, Klaus Lehmann wrote:
> On Sun, 4 Jan 2009 21:45:32 +0100, Iain Lea wrote:
>
> my advice
> 1. use snapshot: (it's the newest)
>    http://www.fail2ban.org/nightly/fail2ban-FAIL2BAN-0_8.tar.bz2
> 2. it's easy to install, by Yourself ;-)
>    to do only this: python setup.py install

I downloaded the SVN snapshot from 6.1.2009 and built RPM source and noarch packages. The RPM packages are available here:

http://iainlea.dyndns.org/software/fail2ban/

After installing it the problem is still there... any other ideas?

So is anyone on this list successfully using fail2ban on fedora 10?

Thanx

Iain

--
+49-172-8196039 skype: iain.lea
From: Frank M. <fra...@fe...> - 2009-01-07 08:07:21
Iain Lea wrote:
>
> So is anyone on this list successfully using fail2ban on fedora 10?
>
> Thanx
>
> Iain

I'm using the fedora10 repo fail2ban, with no problems thus far. (ssh jail only)

Frank
From: Iain L. <ia...@br...> - 2009-01-12 06:05:19
On Wed, Jan 07, 2009 at 07:31:13AM +0100, Iain Lea wrote:
> On Tue, Jan 06, 2009 at 10:26:35AM +0100, Klaus Lehmann wrote:
> > On Sun, 4 Jan 2009 21:45:32 +0100, Iain Lea wrote:
> >
> > my advice
> > 1. use snapshot: (it's the newest)
> >    http://www.fail2ban.org/nightly/fail2ban-FAIL2BAN-0_8.tar.bz2
> > 2. it's easy to install, by Yourself ;-)
> >    to do only this: python setup.py install
>
> I downloaded the SVN snapshot from 6.1.2009 and built RPM source
> and noarch packages. The RPM packages are available here:
>
> http://iainlea.dyndns.org/software/fail2ban/
>
> After installing it the problem is still there... any other ideas?

Neither 0.8.3 nor 0.8.4 from SVN worked with syslog using ISO date format.

As a workaround to get fail2ban to work I disabled the ISO date format via the following variable in /etc/rsyslog.conf and restarted syslog:

$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

Not clean, not nice but got fail2ban working.

Iain

--
+49-172-8196039 skype: iain.lea
From: Cyril J. <cyr...@fa...> - 2009-01-20 23:17:10
Hi Iain,

> Neither 0.8.3 nor 0.8.4 from SVN worked with syslog using ISO date format.

Did you look at [1]? Could it be related to your problem? It seems that the following test reports the right time. Or did I miss something?

$ ./fail2ban-regex "2009-01-04T11:55:19.271930+01:00 failed from 1.1.1.1" "failed from <HOST>$"

Running tests
=============

Use regex line : failed from <HOST>$
Use single line: 2009-01-04T11:55:19.271930+01:00 failed from 1.1.1.1

Results
=======

Failregex
|- Regular expressions:
|  [1] failed from <HOST>$
|
`- Number of matches:
   [1] 1 match(es)

Ignoreregex
|- Regular expressions:
|
`- Number of matches:

Summary
=======

Addresses found:
[1]
    1.1.1.1 (Sun Jan 04 10:55:19 2009)

Date template hits:
0 hit(s): MONTH Day Hour:Minute:Second
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
0 hit(s): Year/Month/Day Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/MONTH/Year:Hour:Minute:Second
0 hit(s): Year-Month-Day Hour:Minute:Second
0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
0 hit(s): Day-Month-Year Hour:Minute:Second
0 hit(s): TAI64N
0 hit(s): Epoch
2 hit(s): ISO 8601
0 hit(s): Hour:Minute:Second
0 hit(s): <Month/Day/Year@Hour:Minute:Second>

Success, the total number of match is 1

However, look at the above section 'Running tests' which could contain important information.

Cheers,
Cyril

[1] https://sourceforge.net/tracker/?func=detail&atid=689044&aid=2500276&group_id=121032
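The timestamp handling this thread turns on, as an added example that is neither fail2ban's code nor any poster's: it parses the rsyslog ISO 8601 line from the original post and its RSYSLOG_TraditionalFileFormat equivalent (the workaround above) to the same UTC instant, which matches the 10:55:19 UTC that fail2ban-regex printed for the +01:00 timestamp, and shows the findtime window a failure must fall inside to be counted. Assumed: the year 2009 and a +01:00 local zone for the traditional line (which carries neither), and the source address is replaced by a documentation address.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines: the ISO 8601 form from the original post and the same
# event in RSYSLOG_TraditionalFileFormat. Source address swapped for 203.0.113.7.
ISO_LINE = ("2009-01-04T11:55:19.271930+01:00 fw1-lan010 sshd[9934]: "
            "Failed password for invalid user unitedcolo from 203.0.113.7 port 44542 ssh2")
TRAD_LINE = ("Jan  4 11:55:19 fw1-lan010 sshd[9934]: "
             "Failed password for invalid user unitedcolo from 203.0.113.7 port 44542 ssh2")

ISO_RE = re.compile(r"^(?P<date>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})"
                    r"(?:\.(?P<frac>\d{1,6}))?(?P<tz>Z|[+-]\d{2}:\d{2})\s+(?P<rest>.*)$")
TRAD_RE = re.compile(r"^(?P<date>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})\s+(?P<rest>.*)$")
# Stand-in for the sshd failregex: <HOST> is the dotted quad after "from".
FAIL_RE = re.compile(r"Failed password for (?:invalid user )?\S+ from "
                     r"(?P<host>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2")


def parse_event(line, default_year=2009, local_tz=timezone(timedelta(hours=1))):
    """Return (event time as aware UTC datetime, offending host), or None if no match."""
    m = ISO_RE.match(line)
    if m:
        when = datetime.strptime(m.group("date"), "%Y-%m-%dT%H:%M:%S")
        if m.group("frac"):  # rsyslog writes microseconds; pad shorter fractions
            when = when.replace(microsecond=int(m.group("frac").ljust(6, "0")))
        tz = m.group("tz")
        if tz == "Z":
            when = when.replace(tzinfo=timezone.utc)
        else:  # the +01:00 offset is part of the timestamp and must not be dropped
            sign = 1 if tz[0] == "+" else -1
            off = timedelta(hours=int(tz[1:3]), minutes=int(tz[4:6]))
            when = when.replace(tzinfo=timezone(sign * off))
    else:
        m = TRAD_RE.match(line)
        if not m:
            return None
        # Traditional syslog has no year and no zone: assume the given year and local time.
        when = datetime.strptime("%d %s" % (default_year, m.group("date")), "%Y %b %d %H:%M:%S")
        when = when.replace(tzinfo=local_tz)
    f = FAIL_RE.search(m.group("rest"))
    if not f:
        return None
    return when.astimezone(timezone.utc), f.group("host")


def within_findtime(event_utc, now_utc, findtime=600):
    """A failure counts toward a ban only if it is no older than findtime seconds."""
    return timedelta(0) <= now_utc - event_utc <= timedelta(seconds=findtime)
```

If the offset were ignored and 11:55:19 taken as UTC, the event would sit an hour off and fall outside a 600-second findtime, which is the kind of silent mismatch fail2ban-regex's "Running tests" section helps to spot.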
From: Iain L. <ia...@br...> - 2009-01-21 04:47:28
On Wed, Jan 21, 2009 at 12:17:00AM +0100, Cyril Jaquier wrote:
> Hi Iain,
>
> > Neither 0.8.3 nor 0.8.4 from SVN worked with syslog using ISO date format.
>
> Did you look at [1]? Could it be related to your problem? It seems that
> the following test reports the right time. Or did I miss something?
>
> https://sourceforge.net/tracker/?func=detail&atid=689044&aid=2500276&group_id=121032

Cyril,

I went back to using the old date format for syslog. That works ok and that's enough for me. Not optimal but it works.

Iain

--
+49-172-8196039 skype: iain.lea