From: <pi...@al...> - 2013-08-30 09:47:55
Hi,

Working on Ubuntu 13.04 I've got fail2ban working for sshd|ssh-ddos etc, however when I configure a new jail :-

filter = portscan
action = iptables[name=portscan]
bantime = 300
logpath = /var/log/syslog
maxretry = 3

It works fine (a test portscan is detected and iptables are updated) but I don't get a notification in email. Additionally on start/stop the portscan jail isn't notified in email as the others are.

I have searched and played with it, I do get a notification if I set the action to be iptables-multiport, however due to the nature of a portscan I obviously don't want to create a rule like that.

Testing with the client and -d shows for a jail that does get the notifications, the following lines appear :-

['set', 'ssh-ddos', 'setcinfo', 'sendmail-whois-lines', 'dest', 'root@localhost']
['set', 'ssh-ddos', 'setcinfo', 'sendmail-whois-lines', 'logpath', '/var/log/auth.log']
['set', 'ssh-ddos', 'setcinfo', 'sendmail-whois-lines', 'name', 'ssh-ddos']
['set', 'ssh-ddos', 'setcinfo', 'sendmail-whois-lines', 'chain', 'INPUT']
['set', 'ssh-ddos', 'setcinfo', 'sendmail-whois-lines', 'sender', 'fail2ban']

but for the portscan jail they do not.

I have action = %(action_mwl)s configured globally and all config is in jail.local, as I say the actual action works and I get emails in response to tests for the other configured jails - just not this one!

Can some kind soul point me in the right direction please?

Ta
J

-- 
interesting quote here
From: Yaroslav H. <li...@on...> - 2013-08-31 03:18:16
Sorry -- I might be missing something, but you have "action = iptables", so that already says that it would run only iptables and not the sendmail-* actions. If you would like this action to include other "actions" -- list them there, as is done in the default definition of action_mwl (check its definition in the stock jail.conf you have).

On Fri, 30 Aug 2013, pi...@al... wrote:

> Hi,
>
> Working on Ubuntu 13.04 I've got fail2ban working for sshd|ssh-ddos etc, however when I configure a new jail :-
>
> filter = portscan
> action = iptables[name=portscan]
> bantime = 300
> logpath = /var/log/syslog
> maxretry = 3
>
> It works fine (a test portscan is detected and iptables are updated) but I don't get a notification in email. Additionally on start/stop the portscan jail isn't notified in email as the others are.
>
> I have searched and played with it, I do get a notification if I set the action to be iptables-multiport, however due to the nature of a portscan I obviously don't want to create a rule like that.
>
> Testing with the client and -d shows for a jail that does get the notifications, the following lines appear :-
>
> ['set', 'ssh-ddos', 'setcinfo', 'sendmail-whois-lines', 'dest', 'root@localhost']
> ['set', 'ssh-ddos', 'setcinfo', 'sendmail-whois-lines', 'logpath', '/var/log/auth.log']
> ['set', 'ssh-ddos', 'setcinfo', 'sendmail-whois-lines', 'name', 'ssh-ddos']
> ['set', 'ssh-ddos', 'setcinfo', 'sendmail-whois-lines', 'chain', 'INPUT']
> ['set', 'ssh-ddos', 'setcinfo', 'sendmail-whois-lines', 'sender', 'fail2ban']
>
> but for the portscan jail they do not.
>
> I have action = %(action_mwl)s configured globally and all config is in jail.local, as I say the actual action works and I get emails in response to tests for the other configured jails - just not this one!
>
> Can some kind soul point me in the right direction please?
>
> Ta
> J

-- 
Yaroslav O. Halchenko, Ph.D.
http://neuro.debian.net http://www.pymvpa.org http://www.fail2ban.org
Senior Research Associate, Psychological and Brain Sciences Dept.
Dartmouth College, 419 Moore Hall, Hinman Box 6207, Hanover, NH 03755
Phone: +1 (603) 646-9834 Fax: +1 (603) 646-1419
WWW: http://www.linkedin.com/in/yarik
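An added example, not part of either message in the thread, of what Yaroslav's suggestion looks like in jail.local. The point is that a per-jail "action =" replaces the global "action = %(action_mwl)s" default entirely rather than adding to it, so a jail that only names iptables[...] never gets the sendmail-whois-lines action and never emails. The action names and the dest/logpath/sender values are the ones visible in the original post's fail2ban-client -d output; the "enabled = true" line and the 0.8.x continuation-line syntax for listing several actions are assumptions based on the stock jail.conf of that era.

```ini
# Added example (not from the thread): jail.local fragment for fail2ban 0.8.x,
# the version shipped with Ubuntu 13.04. A jail-level "action =" key overrides
# the [DEFAULT] action completely, which is why the poster's portscan jail ran
# iptables but never sendmail-whois-lines. Listing both actions for the jail
# (second and later actions on indented continuation lines) restores the mail.

[DEFAULT]
# Global default as described in the post: ban, whois lookup and matching
# log lines by mail. Only jails that do not set their own "action" get this.
action = %(action_mwl)s

[portscan]
enabled  = true
filter   = portscan
logpath  = /var/log/syslog
maxretry = 3
bantime  = 300
# The equivalent of action_mwl spelled out for this one jail. dest, logpath
# and sender mirror the setcinfo values the poster saw for the ssh-ddos jail;
# logpath here is what the mail action tails for the "lines" part.
action   = iptables[name=portscan]
           sendmail-whois-lines[name=portscan, dest=root@localhost, logpath=/var/log/syslog, sender=fail2ban]
```

After restarting fail2ban, the check the poster was already using confirms the fix: fail2ban-client -d | grep portscan should now show the "setcinfo ... sendmail-whois-lines" lines for the portscan jail, and start/stop of the jail will send the same notification the other jails do. One caveat on the ban itself: the stock 0.8 iptables action inserts its chain jump for a single port (the action's "port" parameter, default ssh), so a ban from this jail only drops traffic to that port; iptables-allports is the stock action that drops all traffic from the banned address, which is usually what a portscan jail wants.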