From: Leon Miller-O. <le...@si...> - 2009-02-13 16:31:03

Hi, all! One of my servers is exhibiting a problem where fail2ban is generally working but fails to ban some IP addresses. I've looked at the logs and the configuration scripts, and I've even tested everything using fail2ban-regex, but some IP addresses are still able to attempt to brute-force my sshd, trying thousands of times in one day without being banned. fail2ban.log contains no mention of the IP address in question, and neither does my iptables ruleset. Any ideas where I should look next?

Thank you!

Leon

=============================
Leon Miller-Out
President, Singlebrook Technology, Inc
le...@si...
p 607-330-1493
f 607-697-0457
516 W. State St. - Suite 100
Ithaca, NY 14850
From: Leon Miller-O. <le...@si...> - 2009-07-28 18:29:02
Attachments:
sshd-conf.txt
f2b-regex.txt

2009-07-27 16:41:50,718 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.3
2009-07-27 16:41:50,718 fail2ban.jail : INFO Creating new jail 'ssh-iptables'
2009-07-27 16:41:50,719 fail2ban.jail : INFO Jail 'ssh-iptables' uses Gamin
2009-07-27 16:41:50,729 fail2ban.filter : INFO Added logfile = /var/log/secure
2009-07-27 16:41:50,729 fail2ban.filter : INFO Set maxRetry = 5
2009-07-27 16:41:50,730 fail2ban.filter : INFO Set findtime = 600
2009-07-27 16:41:50,731 fail2ban.actions: INFO Set banTime = 600
2009-07-27 16:41:50,756 fail2ban.jail : INFO Jail 'ssh-iptables' started
2009-07-27 16:41:51,763 fail2ban.actions: WARNING [ssh-iptables] Ban 208.112.1.158
2009-07-27 16:51:52,733 fail2ban.actions: WARNING [ssh-iptables] Unban 208.112.1.158
From: Leon Miller-O. <le...@si...> - 2009-08-10 17:43:18

I've solved my problem by changing the backend in jail.conf from "auto" to "polling". I have no idea why this worked, but I'm happy now.

$ rpm -qa --qf "%{NAME}-%{VERSION}-%{RELEASE} %{ARCH}\n" gamin
gamin-0.1.7-1.2.EL4 i386
gamin-0.1.7-1.2.EL4 x86_64

Maybe having two versions of gamin installed is no good, or maybe one of them overwrote the other one partially. Some lines from another rpm seem to suggest this. Note how both packages have placed a file at /usr/libexec/gam_server

$ rpm -q --dump gamin
/usr/lib/libgamin-1.so.0.1.7 26468 1178232611 45f350921f274cdab989f7ebaba90075 0100755 root root 0 0 0 X
/usr/libexec/gam_server 64904 1178232611 e5b47e1a2f86ce11b4c3b8c1e5e9581c 0100755 root root 0 0 0 X
/usr/lib64/libgamin-1.so.0.1.7 32360 1178232404 312a2ca1e83e3ad3b7453948524920ac 0100755 root root 0 0 0 X
/usr/libexec/gam_server 82464 1178232404 d5111a80525e3618991ba84fa8a58d12 0100755 root root 0 0 0 X

I guess this is a problem for the RedHat or CentOS maintainers.

Leon

On Tue, Jul 28, 2009 at 1:58 PM, Leon Miller-Out <le...@si...> wrote:

> One of my servers is exhibiting a problem where fail2ban is generally working but fails to ban some IP addresses
>
> Version: Revision: 672
> OS: CentOS release 4.5 (Final)
>
> I've attached a snipped version of my fail2ban log, my sshd.conf, and snipped output from fail2ban-regex.
>
> fail2ban-regex seems to be identifying lots of attempts that never get banned. In the time period I'm looking at, only my test attempt was banned! I don't understand how it could be partially working. fail2ban appears to be working correctly on every other server I use it on.
>
> I hope someone can help. The logwatch emails from the server are just massive because of all the failed ssh attempts.
>
> Thanks!
>
> Leon
>
> On Sat, Feb 14, 2009 at 3:09 PM, Leutnant Steiner <chk...@gm...> wrote:
>
>> hi !
>>
>> can you show us some details, maybe someone can tell if you supply things like
>> - logs of where this happens
>> - fail2ban version / config's
>>
>> .. you could check sshd_config ... fe. have you set maxAuthTries ?
>>
>> cu
>>
>> 2009/2/13 Leon Miller-Out <le...@si...>
>>
>>> Hi, all! One of my servers is exhibiting a problem where fail2ban is generally working but fails to ban some IP addresses. I've looked at the logs and the configurations scripts, and I've even tested everything using fail2ban-regex, but some IP addresses are still able to attempt to brute-force my sshd, trying thousands of times in one day without being banned. fail2ban.log contains no mention of the IP address in question, and neither does my iptables ruleset. Any ideas where I should look next?
>>>
>>> Thank you!
>>>
>>> Leon
>>>
>>> _______________________________________________
>>> Fail2ban-users mailing list
>>> Fai...@li...
>>> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
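Added example (editor's code, not part of the thread and not fail2ban's own implementation): a small Python checker that separates the two halves of the problem Leon describes. It applies a fail2ban-style sshd failregex to log lines and counts matches per source address inside a sliding findtime window with the jail's maxRetry = 5 and findtime = 600 from the fail2ban.log excerpt above, then reads a log file the way a polling backend does (by remembering the last file offset) and feeds only the newly appended lines to the same counter. If running your own /var/log/secure through the first half says a host should have been banned, but fail2ban.log never mentions it, the filter is fine and the fault is in log delivery (the backend), which is exactly where the fix in this thread ended up. The sample log lines, the host addresses (RFC 5737 documentation ranges), the year 2009 and the simplified IPv4-only <HOST> pattern are all assumptions made for the example.

```python
import os
import re
import tempfile
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Jail parameters as reported in the fail2ban.log excerpt in this thread.
MAXRETRY = 5
FINDTIME = 600   # seconds
LOG_YEAR = 2009  # syslog lines carry no year; assumed for the sample below

# Simplified stand-in for fail2ban's sshd failregex with <HOST> expanded.
# Assumption: the real fail2ban 0.8 <HOST> pattern also accepts IPv6 and
# hostnames; an IPv4 dotted quad is enough for this demonstration.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAILREGEX = re.compile(
    r"sshd\[\d+\]: Failed (?:password|publickey) for (?:invalid user )?\S+ from " + HOST
)

# Constructed sample /var/log/secure lines (RFC 5737 documentation addresses,
# not real hosts). 192.0.2.77 fails five times spread over 20 minutes,
# 203.0.113.5 fails six times within 10 seconds, the last line is a success.
SAMPLE_LOG = """\
Jul 27 16:00:10 host sshd[3001]: Failed password for invalid user test from 192.0.2.77 port 50010 ssh2
Jul 27 16:05:10 host sshd[3002]: Failed password for invalid user test from 192.0.2.77 port 50011 ssh2
Jul 27 16:10:10 host sshd[3003]: Failed password for invalid user test from 192.0.2.77 port 50012 ssh2
Jul 27 16:15:10 host sshd[3004]: Failed password for invalid user test from 192.0.2.77 port 50013 ssh2
Jul 27 16:20:10 host sshd[3005]: Failed password for invalid user test from 192.0.2.77 port 50014 ssh2
Jul 27 16:40:01 host sshd[2001]: Failed password for invalid user admin from 203.0.113.5 port 4021 ssh2
Jul 27 16:40:03 host sshd[2002]: Failed password for invalid user admin from 203.0.113.5 port 4022 ssh2
Jul 27 16:40:05 host sshd[2003]: Failed password for root from 203.0.113.5 port 4023 ssh2
Jul 27 16:40:07 host sshd[2004]: Failed password for root from 203.0.113.5 port 4024 ssh2
Jul 27 16:40:09 host sshd[2005]: Failed password for invalid user oracle from 203.0.113.5 port 4025 ssh2
Jul 27 16:40:11 host sshd[2006]: Failed password for invalid user oracle from 203.0.113.5 port 4026 ssh2
Jul 27 16:41:30 host sshd[2007]: Accepted publickey for leon from 198.51.100.9 port 41000 ssh2
"""


def parse_line(line):
    """Return (timestamp, host) for a line matching FAILREGEX, else None."""
    m = FAILREGEX.search(line)
    if m is None:
        return None
    ts = datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=LOG_YEAR)
    return ts, m.group("host")


class Jail:
    """Sliding-window counter mirroring fail2ban's findtime/maxretry logic."""

    def __init__(self, maxretry=MAXRETRY, findtime=FINDTIME):
        self.maxretry = maxretry
        self.window = timedelta(seconds=findtime)
        self.failures = defaultdict(deque)  # host -> timestamps inside window
        self.bans = []                      # (host, time the ban was issued)

    def feed(self, line):
        parsed = parse_line(line)
        if parsed is None:
            return
        ts, host = parsed
        q = self.failures[host]
        q.append(ts)
        while ts - q[0] > self.window:      # drop failures older than findtime
            q.popleft()
        if len(q) >= self.maxretry:
            self.bans.append((host, ts))
            q.clear()                       # ban issued; start a fresh count


def find_bans(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Run every line through one jail and return the bans it would issue."""
    jail = Jail(maxretry, findtime)
    for line in lines:
        jail.feed(line)
    return jail.bans


def read_new_lines(path, offset):
    """Polling-backend style read: lines appended since `offset`, new offset."""
    with open(path) as f:
        f.seek(offset)
        data = f.read()
        return data.splitlines(), f.tell()


def demo_polling():
    """Append the sample log in two batches, polling after each; return bans."""
    lines = SAMPLE_LOG.splitlines()
    jail, offset = Jail(), 0
    fd, path = tempfile.mkstemp(suffix=".log")
    os.close(fd)
    try:
        for batch in (lines[:6], lines[6:]):
            with open(path, "a") as f:
                f.write("\n".join(batch) + "\n")
            new, offset = read_new_lines(path, offset)
            for line in new:
                jail.feed(line)
    finally:
        os.remove(path)
    return jail.bans
```

On the constructed sample, find_bans(SAMPLE_LOG.splitlines()) reports a single ban of 203.0.113.5 at the fifth failure (16:40:09) and nothing for 192.0.2.77, whose five failures never fall inside one 600 s window; demo_polling() reaches the same result from two incremental reads, which is what a working backend must deliver. To check a real host, replace SAMPLE_LOG with lines from your own log and compare the result against the Ban lines in fail2ban.log.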