From: Mauce <met...@gm...> - 2005-12-23 13:25:20
Hi,

I'm running fail2ban 0.6.0 on Mandriva Powerpack 2006 and came across the next problem after some testing: when fail2ban is started, the iptables commands configured for 'fwstart' and 'fwend' are not executed.

1) I start fail2ban (the logfile says it started up properly), but when I check my iptables with (iptables --list) there are no fail2ban chains.
2) When I execute the commands as defined in e.g. 'fwstart' manually, it works.
3) The same applies for the fwend function.

Is there a workaround? I really need this (I need to block IPs in case of attacks on SSH or FTP).

I've been searching a lot on the internet for alternatives but I couldn't find a tool that is reliable or has the same functionality as fail2ban: daemonshield (doesn't work on Mandriva, crashes), blockhosts (not what I'm looking for).

Can anyone help please?

Thanks in advance,
Mauce

From: Yaroslav H. <li...@on...> - 2005-12-23 16:21:02
Please boost up verbose to 2 and then analyse/send the log file

--
                                  .-.
=------------------------------   /v\  ----------------------------=
Keep in touch                    // \\     (yoh@|www.)onerussian.com
Yaroslav Halchenko              /(   )\               ICQ#: 60653192
                   Linux User    ^^-^^    [175555]

From: Mauce <met...@gm...> - 2005-12-23 16:49:21
Hi Yaroslav,

This is the requested logging:

2005-12-23 17:39:06,844 WARNING: Verbose level is 2
2005-12-23 17:39:06,845 WARNING: DEBUG MODE: FIREWALL COMMANDS ARE _NOT_ EXECUTED BUT ONLY DISPLAYED IN THE LOG MESSAGES
2005-12-23 17:39:06,845 DEBUG: Created PID lock (1511) in /var/run/fail2ban.pid
2005-12-23 17:39:06,846 DEBUG: ConfFile is /etc/fail2ban.conf
2005-12-23 17:39:06,846 DEBUG: BanTime is 600
2005-12-23 17:39:06,846 DEBUG: FindTime is 600
2005-12-23 17:39:06,846 DEBUG: MaxFailure is 5
2005-12-23 17:39:06,847 INFO: Fail2Ban v0.6.0 is running
2005-12-23 17:39:06,849 DEBUG: Add 127.0.0.1 to ignore list
2005-12-23 17:39:06,849 DEBUG: Add 192.168.0.0/16 to ignore list
2005-12-23 17:39:06,849 DEBUG: Nothing to do
2005-12-23 17:39:06,850 DEBUG: SSH: Initialize firewall rules
2005-12-23 17:39:06,850 DEBUG: iptables -N fail2ban-ssh
iptables -A fail2ban-ssh -j RETURN
iptables -I INPUT -p tcp --dport ssh -j fail2ban-ssh
2005-12-23 17:39:06,850 DEBUG: /var/log/auth.log has been modified
2005-12-23 17:39:06,850 DEBUG: /var/log/auth.log
2005-12-23 17:39:06,863 DEBUG: Date 0 is smaller than 1134875254.0
2005-12-23 17:39:06,863 DEBUG: Log rotation detected for /var/log/auth.log
2005-12-23 17:39:06,863 DEBUG: Setting file position to 0 for /var/log/auth.log

The logging says it creates a new chain in iptables, but when I check, it's not there:

/fail2ban-0.6.0 # iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
SSHD       tcp  --  anywhere             anywhere            tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain SSHD (1 references)
target     prot opt source               destination

But when I execute the fwstart commands manually it does work (so it's not a syntax issue):

# iptables -N fail2ban-ssh
# iptables -A fail2ban-ssh -j RETURN
# iptables -I INPUT -p tcp --dport ssh -j fail2ban-ssh
# iptables --list
Chain INPUT (policy ACCEPT)
target        prot opt source               destination
fail2ban-ssh  tcp  --  anywhere             anywhere            tcp dpt:ssh
fail2ban-ftp  tcp  --  anywhere             anywhere            tcp dpt:ftp
SSHD          tcp  --  anywhere             anywhere            tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain SSHD (1 references)
target     prot opt source               destination

Chain fail2ban-ftp (1 references)
target     prot opt source               destination

Chain fail2ban-ssh (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Once the chains are created successfully (by hand), the same problem occurs when an IP needs to be banned. In that case the log file also says it banned the IP, but when I check it out with 'iptables --list' nothing is configured (and access from that IP is still possible).

Any ideas how to proceed from here?

Thanks in advance!
Mauce

2005/12/23, Yaroslav Halchenko <li...@on...>:
> Please boost up verbose to 2 and then analyse/send the log file

--
__________
MetalMauce
met...@gm...

From: Cyril J. <cyr...@bl...> - 2005-12-23 18:51:11
Hi,

> 2005-12-23 17:39:06,845 WARNING: DEBUG MODE: FIREWALL COMMANDS ARE _NOT_
> EXECUTED BUT ONLY DISPLAYED IN THE LOG MESSAGES

I will remove this %#@& debug mode in the next release ;)

In debug mode, firewall commands are _NOT_ executed. I use this option to test Fail2ban but it seems to be quite confusing for people.

Just remove "-d" and/or set "debug = false". This will fix your problem ;)

Regards,
Cyril Jaquier
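
A check for the failure mode in this thread, as an added example that is not part of the original messages or of fail2ban itself: it looks for the debug-mode banner in the log and compares the chains the log shows being created against 'iptables --list' output. The sample log and listing are constructed from the lines quoted in the thread; the function names are hypothetical.

```python
import re

# Banner text fail2ban 0.6.0 logs in debug mode, as quoted in the thread.
DRY_RUN_BANNER = "FIREWALL COMMANDS ARE _NOT_ EXECUTED"
STAMPED = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} (\w+): (.*)$")
NEW_CHAIN = re.compile(r"\biptables\s+-N\s+(\S+)")
LISTED_CHAIN = re.compile(r"^Chain (\S+) \(", re.MULTILINE)

# Constructed sample input, modelled on the log and listing posted in the thread.
SAMPLE_LOG = """\
2005-12-23 17:39:06,845 WARNING: DEBUG MODE: FIREWALL COMMANDS ARE _NOT_ EXECUTED BUT ONLY DISPLAYED IN THE LOG MESSAGES
2005-12-23 17:39:06,850 DEBUG: SSH: Initialize firewall rules
2005-12-23 17:39:06,850 DEBUG: iptables -N fail2ban-ssh
iptables -A fail2ban-ssh -j RETURN
iptables -I INPUT -p tcp --dport ssh -j fail2ban-ssh
2005-12-23 17:39:06,850 DEBUG: /var/log/auth.log has been modified
"""
SAMPLE_LIST = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
SSHD       tcp  --  anywhere             anywhere            tcp dpt:ssh

Chain SSHD (1 references)
target     prot opt source               destination
"""

def logged_commands(log_text):
    """Yield iptables commands shown in the log, including continuation lines."""
    in_command = False
    for line in log_text.splitlines():
        m = STAMPED.match(line)
        if m:  # a new timestamped entry starts; is it a firewall command?
            body = m.group(2)
            in_command = body.startswith("iptables ")
        else:  # unstamped line: continuation of the previous entry
            body = line.strip()
        if in_command and body.startswith("iptables "):
            yield body

def audit(log_text, iptables_list_output):
    """Compare chains the log claims to create with chains actually loaded."""
    claimed = []
    for cmd in logged_commands(log_text):
        claimed += NEW_CHAIN.findall(cmd)
    loaded = set(LISTED_CHAIN.findall(iptables_list_output))
    missing = [c for c in claimed if c not in loaded]
    return {"dry_run": DRY_RUN_BANNER in log_text, "claimed": claimed, "missing": missing}

if __name__ == "__main__":
    print(audit(SAMPLE_LOG, SAMPLE_LIST))
```

A non-empty "missing" list together with "dry_run" set to True is the situation reported here: the log shows the rules, but nothing was loaded into the kernel.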