From: Buddy <in...@ze...> - 2012-01-26 02:15:18

Yaroslav,

Was using 0.8.4, and also tried 0.8.6 with same result. Thanks.

At 07:49 PM 1/25/2012, you wrote:
>and what version of f2b is that?
>
>On Wed, 25 Jan 2012, Buddy wrote:
> > Greetings all, been running fail2ban with no problems for a year.
> > After a reboot/new kernel (2.6.18-274.12.1) 2 weeks ago, the
> > dovecot-pop3imap jail just spontaneously stops working. The fail2ban
> > shows this in its log:
From: Buddy <in...@ze...> - 2012-01-26 16:06:22

Yaroslav,

>On Wed, 25 Jan 2012, Buddy wrote:
> > No message at all before or after it stops. Never saw the messages
> > you refer to.
>sad... btw -- does "tail -f" follows that file normally? I just wonder
>may be it gets constantly overridden or smth like that...

tail -f /var/log/fail2ban.log | grep maillog just scrolls along for a few
hundred lines, and then stops. When I look at the logfile, the maillog
entries stop.

> > What is the current git master?
>
>that is what you would get having done
>git://github.com/fail2ban/fail2ban.git
>
> > I think that's where I got 0.8.6.
>
>you could get 0.8.6 from that git as well since it was tagged indeed.
>what does
>
>git describe

Don't have git on the server. The Changelog says this:

ver. 0.8.6 (2011/11/28) - stable

The directory is this: fail2ban-fail2ban-a20d1f8. All files are dated Nov. 28.

When I look at the link you sent
(https://github.com/fail2ban/fail2ban/commit/ed16ecc50abba6ddbe9be577fe0dd983f1795b80)
it takes me to a file setup.py. I assume I replace the one in the
distribution with the one at the link? Then what? Does "python setup.py
install" incorporate the new setup.py, or do I have to do some sort of
build? Thanks.
From: Yaroslav H. <li...@on...> - 2012-01-26 18:57:32

On Thu, 26 Jan 2012, Buddy wrote:
> sad... btw -- does "tail -f" follows that file normally? I just wonder
> may be it gets constantly overridden or smth like that...

> tail -f /var/log/fail2ban.log | grep maillog just scrolls along for a few
> hundred lines, and then stops. When I look at the logfile, the maillog
> entries stop.

sorry for not being clear -- I thought about tail -f /var/log/maillog

> The directory is this: fail2ban-fail2ban-a20d1f8. All files are dated Nov.
> 28.

ah cool -- that one is the 0.8.6 ;-)

$> git describe a20d1f8
0.8.6

> When I look at the link you sent (
> [1]https://github.com/fail2ban/fail2ban/commit/ed16ecc50abba6ddbe9be577fe0dd983f1795b80
> ) it takes me to a file setup.py. I assume I replace the one in the

strange -- since it leads me to changes done to server/actions.py

> distribution with the one at the link? Then what? Does "python setup.py
> install" incorporate the new setup.py, or do I have to do some sort of
> build? Thanks.

I guess the best now would be just to clone current git master:

git clone git://github.com/fail2ban/fail2ban.git

and then proceed as you did before with the installation (e.g. python
setup.py install)

Cheers
-- 
=------------------------------------------------------------------=
Keep in touch                                     www.onerussian.com
Yaroslav Halchenko                     www.ohloh.net/accounts/yarikoptic
From: Buddy <in...@ze...> - 2012-01-28 22:21:29

Yaroslav,

OK, I installed pyinotify and restarted fail2ban. `grep -i pyinotify
/var/log/fail2ban.log` didn't come back with anything. How do I know if
fail2ban is using pyinotify? Thanks.

>On 01/25/2012 10:38 PM, Yaroslav Halchenko wrote:
> > On Wed, 25 Jan 2012, Buddy wrote:
> >> Is there anything I need to install to use the
> >> inotify API?
> > judging from your kernel you run RHEL or CentOS -- check if repositories
> > carry that module -- with my Debian-rotten-soul I simply don't even
> > know where to look, besides google:
> >
> > https://www.google.com/search?q=rhel%20pyinotify
>For inotify, you should need kernel 2.6.13 or greater, you can probably
>confirm it by checking for /usr/include/sys/inotify.h as well.
>
>You'll also need pyinotify (Python package/API for inotify). You can
>check if your distro provides it (it probably does), or run `git clone
>https://github.com/seb-m/pyinotify.git` and run the setup.py script.
>
>You don't need to do this before you run fail2ban, but you'll need to
>(re)start fail2ban after it's installed for it to get picked up. You can
>confirm it in the logs `grep -i pyinotify /var/log/fail2ban.log`.
From: Lee C. <ja...@le...> - 2012-01-28 22:32:17

On 01/28/2012 05:20 PM, Buddy wrote:
> Yaroslav,
>
> OK, I installed pyinotify and restarted fail2ban. `grep -i pyinotify
> /var/log/fail2ban.log` didn't come back with anything. How do I know
> if fail2ban is using pyinotify? Thanks.

Are you using the latest fail2ban from the master branch in github? Your
jail.conf should have pyinotify in the comments above backend = auto -
which was added after 0.8.6 was released.

btw, I'm not Yaroslav :)
From: Buddy <in...@ze...> - 2012-01-31 18:14:40

Yaroslav,

Last piece of the puzzle: got inotify to work by changing jail.conf from
backend=auto to backend=inotify. I assume it's working as this appears in
the log:

2012-01-31 13:03:22,299 fail2ban.comm : DEBUG Command: ['add', 'apache-404', 'inotify']

Even so, fail2ban stops checking the /var/log/maillog after random lengths
of time, from 10-50 minutes. BUT, I noticed another logfile,
/var/log/messages, always gets checked. I.e., it isn't dropped like
/var/log/maillog. What's the difference between the two? Only difference
in jail.conf is /var/log/messages has ignoreip set for a few IP
addresses. When I add an ignoreip for the jail for /var/log/maillog, it
fixed the problem!

I.e., this configuration results in maillog not being checked after 10-50
minutes (X.X.X.X is an actual IP):

enabled = true
filter = named-refused
action = iptables-allports[name=Named, protocol=all]
         sendmail-whois[name=Named, dest=in...@ze...]
logpath = /var/log/messages
ignoreip = X.X.X.X
maxretry = 10
findtime = 600
bantime = 21600

[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
         sendmail-whois[name=Dovecot, dest=in...@ze...]
logpath = /var/log/maillog
maxretry = 30
findtime = 120
bantime = 10800

This configuration works perfectly (X.X.X.X is an actual IP):

enabled = true
filter = named-refused
action = iptables-allports[name=Named, protocol=all]
         sendmail-whois[name=Named, dest=in...@ze...]
logpath = /var/log/messages
ignoreip = X.X.X.X
maxretry = 10
findtime = 600
bantime = 21600

[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
         sendmail-whois[name=Dovecot, dest=in...@ze...]
logpath = /var/log/maillog
ignoreip = X.X.X.X
maxretry = 30
findtime = 120
bantime = 10800

FYI there are no binary characters in jail.conf. Any ideas? Thanks.

At 05:20 PM 1/28/2012, Buddy wrote:
>Yaroslav,
>
>OK, I installed pyinotify and restarted fail2ban. `grep -i pyinotify
>/var/log/fail2ban.log` didn't come back with anything. How do I know
>if fail2ban is using pyinotify? Thanks.
>
>>On 01/25/2012 10:38 PM, Yaroslav Halchenko wrote:
>> > On Wed, 25 Jan 2012, Buddy wrote:
>> >> Is there anything I need to install to use the
>> >> inotify API?
>> > judging from your kernel you run RHEL or CentOS -- check if repositories
>> > carry that module -- with my Debian-rotten-soul I simply don't even
>> > know where to look, besides google:
>> >
>> > https://www.google.com/search?q=rhel%20pyinotify
>>For inotify, you should need kernel 2.6.13 or greater, you can probably
>>confirm it by checking for /usr/include/sys/inotify.h as well.
>>
>>You'll also need pyinotify (Python package/API for inotify). You can
>>check if your distro provides it (it probably does), or run `git clone
>>https://github.com/seb-m/pyinotify.git` and run the setup.py script.
>>
>>You don't need to do this before you run fail2ban, but you'll need to
>>(re)start fail2ban after it's installed for it to get picked up. You can
>>confirm it in the logs `grep -i pyinotify /var/log/fail2ban.log`.
From: Lee C. <ja...@le...> - 2012-02-01 05:53:52

On 01/31/2012 01:14 PM, Buddy wrote:
> Yaroslav,

I'm still not Yaroslav, that's a different person :)

Unless my mail viewer is messed up, you are still quoting my response as
being from Yaroslav.

> Last piece of the puzzle: got inotify to work by changing jail.conf
> from backend=auto to backend=inotify. I assume it's working as this
> appears in the log:
>
> 2012-01-31 13:03:22,299 fail2ban.comm : DEBUG Command: ['add',
> 'apache-404', 'inotify']

I'm not sure how that works at all - the backend is 'pyinotify', not
'inotify'. So you should see an error and that it is defaulting over to
the gamin or polling backend.

inotify is a kernel subprocess, pyinotify is the Python API for that
subprocess, which fail2ban implements.

If you are using the latest master branch version from github, you
should see pyinotify in the comments above the backend configuration in
jail.conf. Do you see that?
From: Buddy <in...@ze...> - 2012-02-06 23:26:42

OK, understood on the backend. To simplify things, I put it back to
"auto". fail2ban works fine when I have an ignoreip line in the jail.
When I remove it, the log stops getting polled from anywhere from 10-60
minutes. Seems very strange....

>On 01/31/2012 01:14 PM, Buddy wrote:
> > Yaroslav,
>
>I'm still not Yaroslav, that's a different person :)
>
>Unless my mail viewer is messed up, you are still quoting my response as
>being from Yaroslav.
>
> > Last piece of the puzzle: got inotify to work by changing jail.conf
> > from backend=auto to backend=inotify. I assume it's working as this
> > appears in the log:
> >
> > 2012-01-31 13:03:22,299 fail2ban.comm : DEBUG Command: ['add',
> > 'apache-404', 'inotify']
>
>I'm not sure how that works at all - the backend is 'pyinotify', not
>'inotify'. So you should see an error and that it is defaulting over to
>the gamin or polling backend.
>inotify is a kernel subprocess, pyinotify is the Python API for that
>subprocess, which fail2ban implements.
>
>If you are using the latest master branch version from github, you
>should see pyinotify in the comments above the backend configuration in
>jail.conf. Do you see that?
From: Yaroslav H. <li...@on...> - 2012-02-07 00:21:46

I am afraid that this issue will stay unsolved... I see no clue on why
this could have happened... ESPECIALLY because jail.conf defines ignoreip
to be 127.0.0.1/8 by default, which is taken then by all jails
configurations, so from your words it is really the effect of having
ignoreip OVERRIDDEN in that specific jail section... all mysterious to the
degree that a sane part of me (if any left) can't believe in it ;)

On Mon, 06 Feb 2012, Buddy wrote:
> OK, understood on the backend. To simplify things, I put it back to
> "auto". fail2ban works fine when I have an ignoreip line in the jail.
> When I remove it, the log stops getting polled from anywhere from
> 10-60 minutes. Seems very strange....
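Added example, not from the thread and not fail2ban's own code: the inheritance Yaroslav describes above, made visible. fail2ban 0.8 reads jail.conf through a ConfigParser-derived reader, so a value set in [DEFAULT] is taken by every jail that does not set the same key itself; the script below reproduces that with the standard-library ConfigParser (same [DEFAULT] semantics) and reports the ignoreip each enabled jail actually ends up with, and where it came from. The jail.conf text is constructed for the example, 203.0.113.10 stands in for the X.X.X.X of the thread, and the ignoreip parser assumes only IPs and CIDR blocks (fail2ban also accepts hostnames, which are not handled here).

```python
"""Which ignoreip does each fail2ban 0.8 jail really use?  (added example)"""
import configparser
import ipaddress

# Constructed for the example: a cut-down jail.conf in the shape of the one
# posted in the thread, with the [DEFAULT] ignoreip Yaroslav refers to.
SAMPLE_JAIL_CONF = """\
[DEFAULT]
# keys here are inherited by every jail that does not set them itself
ignoreip = 127.0.0.1/8
bantime  = 600
findtime = 600
maxretry = 3
backend  = auto

[named-refused]
enabled  = true
filter   = named-refused
logpath  = /var/log/messages
ignoreip = 203.0.113.10
maxretry = 10
findtime = 600
bantime  = 21600

[dovecot-pop3imap]
enabled  = true
filter   = dovecot-pop3imap
logpath  = /var/log/maillog
maxretry = 30
findtime = 120
bantime  = 10800
"""


def _parsers(text):
    """Parse the same text twice: with and without [DEFAULT] inheritance."""
    merged = configparser.ConfigParser(interpolation=None)
    merged.read_string(text)
    # Pointing default_section at an unused name turns [DEFAULT] into an
    # ordinary section, so has_option() only reports keys a jail set itself.
    raw = configparser.ConfigParser(interpolation=None, default_section="__none__")
    raw.read_string(text)
    return merged, raw


def parse_ignoreip(value):
    """Split a space-separated ignoreip value into ip_network objects
    (assumption: only addresses and CIDR blocks, no hostnames)."""
    return [ipaddress.ip_network(tok, strict=False) for tok in value.split()]


def effective_ignoreip(text):
    """jail name -> {'ignoreip': [networks as str], 'explicit': set in the jail?}
    for every enabled jail."""
    merged, raw = _parsers(text)
    result = {}
    for jail in merged.sections():          # excludes [DEFAULT]
        if not merged.getboolean(jail, "enabled", fallback=False):
            continue
        nets = parse_ignoreip(merged.get(jail, "ignoreip", fallback=""))
        result[jail] = {
            "ignoreip": [str(n) for n in nets],
            "explicit": raw.has_option(jail, "ignoreip"),
        }
    return result


def is_ignored(text, jail, ip):
    """True if the named jail would skip log lines from this source address."""
    merged, _ = _parsers(text)
    addr = ipaddress.ip_address(ip)
    nets = parse_ignoreip(merged.get(jail, "ignoreip", fallback=""))
    return any(addr in n for n in nets)


if __name__ == "__main__":
    for jail, info in effective_ignoreip(SAMPLE_JAIL_CONF).items():
        origin = "set in jail section" if info["explicit"] else "inherited from [DEFAULT]"
        print(f"{jail:18s} ignoreip={' '.join(info['ignoreip'])}  ({origin})")
```

The practitioner caveat this makes visible: a jail-level ignoreip replaces the [DEFAULT] value, it is not merged with it, so the jail that sets ignoreip = 203.0.113.10 no longer ignores 127.0.0.0/8 unless that block is repeated on the same line.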
From: Yaroslav H. <li...@on...> - 2012-01-26 02:37:03

hm, and before it "stops" -- is there any other message like
"Too much read error. Set the jail idle" may be?

what happens if you try using gamin backend or even better -- try
current git master of f2b and use inotify backend?

On Wed, 25 Jan 2012, Buddy wrote:
> Was using 0.8.4, and also tried 0.8.6 with same result. Thanks.
From: Buddy <in...@ze...> - 2012-01-26 03:04:09

No message at all before or after it stops. Never saw the messages you
refer to.

What is the current git master? I think that's where I got 0.8.6. Is
there a later version? Is there anything I need to install to use the
inotify API? Thanks.

At 09:36 PM 1/25/2012, Yaroslav Halchenko wrote:
>hm, and before it "stops" -- is there any other message like
>"Too much read error. Set the jail idle" may be?
>
>what happens if you try using gamin backend or even better -- try
>current git master of f2b and use inotify backend?
>
>On Wed, 25 Jan 2012, Buddy wrote:
> > Was using 0.8.4, and also tried 0.8.6 with same result. Thanks.
From: Yaroslav H. <li...@on...> - 2012-01-26 03:38:29

On Wed, 25 Jan 2012, Buddy wrote:
> No message at all before or after it stops. Never saw the messages
> you refer to.

sad... btw -- does "tail -f" follows that file normally? I just wonder
may be it gets constantly overridden or smth like that...

> What is the current git master?

that is what you would get having done
git://github.com/fail2ban/fail2ban.git

> I think that's where I got 0.8.6.

you could get 0.8.6 from that git as well since it was tagged indeed.
what does

git describe

in that directory where you got 0.8.6 tells you?

> Is
> there a later version?

the 'git master' is the latest (besides few topic branches to be merged in)

> Is there anything I need to install to use the
> inotify API?

judging from your kernel you run RHEL or CentOS -- check if repositories
carry that module -- with my Debian-rotten-soul I simply don't even
know where to look, besides google:

https://www.google.com/search?q=rhel%20pyinotify
From: Lee C. <ja...@le...> - 2012-01-27 00:10:31

On 01/25/2012 10:38 PM, Yaroslav Halchenko wrote:
> On Wed, 25 Jan 2012, Buddy wrote:
>> Is there anything I need to install to use the
>> inotify API?
> judging from your kernel you run RHEL or CentOS -- check if repositories
> carry that module -- with my Debian-rotten-soul I simply don't even
> know where to look, besides google:
>
> https://www.google.com/search?q=rhel%20pyinotify

For inotify, you should need kernel 2.6.13 or greater, you can probably
confirm it by checking for /usr/include/sys/inotify.h as well.

You'll also need pyinotify (Python package/API for inotify). You can
check if your distro provides it (it probably does), or run `git clone
https://github.com/seb-m/pyinotify.git` and run the setup.py script.

You don't need to do this before you run fail2ban, but you'll need to
(re)start fail2ban after it's installed for it to get picked up. You can
confirm it in the logs `grep -i pyinotify /var/log/fail2ban.log`.
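Added example, not from the thread and not fail2ban's own code: the checks Lee lists above, scripted so they can be run on the box in one go. It covers the kernel floor (2.6.13), the inotify header, whether pyinotify is importable, whether a backend name is one fail2ban 0.8 knows (per Lee's later reply: 'pyinotify', not 'inotify'), and the same substring test `grep -i pyinotify` applies to fail2ban.log. The log lines are constructed for the example: the first is the one Buddy posted, the second is a made-up line of the shape the grep is looking for, not a verbatim fail2ban message. The set of backend names is taken from the thread and is an assumption about the version being discussed.

```python
"""Is this host ready for fail2ban's pyinotify backend?  (added example)"""
import importlib.util
import os
import platform
import re

INOTIFY_MIN_KERNEL = (2, 6, 13)

# Assumption from the thread: the backend values fail2ban 0.8.x accepts.
KNOWN_BACKENDS = {"auto", "pyinotify", "gamin", "polling"}

SAMPLE_FAIL2BAN_LOG = [
    # posted in the thread; contains 'inotify' but not 'pyinotify'
    "2012-01-31 13:03:22,299 fail2ban.comm   : DEBUG  Command: ['add', 'apache-404', 'inotify']",
    # constructed for the example: the kind of line the grep is meant to catch
    "2012-01-31 13:03:22,301 fail2ban.jail   : INFO   Jail 'dovecot-pop3imap' uses pyinotify",
]


def kernel_version(release):
    """'2.6.18-274.12.1' -> (2, 6, 18); the distro suffix is ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unparseable kernel release: {release!r}")
    return tuple(int(g or 0) for g in m.groups())


def kernel_supports_inotify(release):
    return kernel_version(release) >= INOTIFY_MIN_KERNEL


def inotify_header_present(path="/usr/include/sys/inotify.h"):
    """Lee's secondary check; absent header does not by itself mean no inotify."""
    return os.path.exists(path)


def pyinotify_importable():
    """Same question as `python -c 'import pyinotify'`, without importing it."""
    return importlib.util.find_spec("pyinotify") is not None


def backend_is_known(name):
    return name.strip().lower() in KNOWN_BACKENDS


def log_mentions_pyinotify(lines):
    """Equivalent of `grep -i pyinotify`: case-insensitive substring match.
    Note that a line mentioning only 'inotify' does not match."""
    return [ln for ln in lines if "pyinotify" in ln.lower()]


def readiness_report(release=None, log_lines=()):
    """Collect every check into one dict; release defaults to the running kernel."""
    release = release or platform.release()
    return {
        "kernel_release": release,
        "kernel_ok": kernel_supports_inotify(release),
        "header_present": inotify_header_present(),
        "pyinotify_importable": pyinotify_importable(),
        "log_hits": log_mentions_pyinotify(log_lines),
    }


if __name__ == "__main__":
    for key, val in readiness_report(log_lines=SAMPLE_FAIL2BAN_LOG).items():
        print(f"{key:22s} {val}")
```

On a live host, feed `readiness_report` the lines of /var/log/fail2ban.log after restarting fail2ban; an empty `log_hits` with `pyinotify_importable` true is the situation Buddy describes, and the next thing to check is the backend value in jail.conf.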