From: Taschik, D. <Dan...@st...> - 2009-12-01 09:31:24
On 01.12.2009, at 10:10, matteo filippetto wrote:

> 2009/12/1 Taschik, Daniel <Dan...@st...>:
>>
>> On 01.12.2009, at 09:41, matteo filippetto wrote:
>>
>>> 2009/11/30 Taschik, Daniel <Dan...@st...>:
>>>>
>>>> On 30.11.2009, at 09:08, matteo filippetto wrote:
>>>>
>>>>> 2009/11/30 Taschik, Daniel <Dan...@st...>:
>>>>>> Hello everybody,
>>>>>>
>>>>>> I just tried fail2ban on my Debian Lenny and it seems that it finds possible break-in attempts and bans these IPs. But in the logfile I get some weird error messages and I do not really know what they mean or how to fix them. Here is an extract:
>>>>>>
>>>>>> 2009-11-29 22:55:54,477 fail2ban.actions: WARNING [ssh] Ban 85.178.232.7
>>>>>> 2009-11-29 23:05:54,493 fail2ban.actions: WARNING [ssh] Unban 85.178.232.7
>>>>>> 2009-11-29 23:05:54,498 fail2ban.actions.action: ERROR iptables -n -L INPUT | grep -q fail2ban-ssh returned 100
>>>>>> 2009-11-29 23:05:54,499 fail2ban.actions.action: ERROR Invariant check failed. Trying to restore a sane environment
>>>>>> 2009-11-29 23:05:54,513 fail2ban.actions.action: ERROR iptables -D INPUT -p tcp -m multiport --dports ssh -j fail2ban-ssh
>>>>>> iptables -F fail2ban-ssh
>>>>>> iptables -X fail2ban-ssh returned 100
>>>>>> 2009-11-29 23:05:54,543 fail2ban.actions.action: ERROR iptables -D fail2ban-ssh -s 85.178.232.7 -j DROP returned 100
>>>>>>
>>>>>> Can somebody explain these errors to me and possibly give a solution to fix them?
>>>>>>
>>>>>> Thanks in advance
>>>>>>
>>>>>> Daniel
>>>>>> ------------------------------------------------------------------------------
>>>>>> Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
>>>>>> trial. Simplify your report design, integration and deployment - and focus on
>>>>>> what you do best, core application coding. Discover what's new with
>>>>>> Crystal Reports now. http://p.sf.net/sfu/bobj-july
>>>>>> _______________________________________________
>>>>>> Fail2ban-users mailing list
>>>>>> Fai...@li...
>>>>>> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
>>>>>>
>>>>>
>>>>> Hi,
>>>>>
>>>>> maybe you are facing this bug ...
>>>>> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=470305
>>>>>
>>>>> Best regards
>>>>>
>>>>> --
>>>>> Matteo Filippetto
>>>>>
>>>>
>>>> Hi Matteo,
>>>>
>>>> thanks for the tip. But
>>>>
>>>> root@dev:/[22:38]lsmod | grep multiport
>>>> xt_multiport 7424 1
>>>> x_tables 25096 17 xt_DSCP,xt_tcpudp,xt_TCPMSS,xt_owner,xt_mac,xt_length,xt_limit,xt_multiport,xt_state,xt_conntrack,ipt_ULOG,ipt_ttl,ipt_ecn,ipt_REJECT,ipt_LOG,ipt_recent,ip_tables
>>>>
>>>> shows me that multiport is loaded as a module into the kernel. So this should be fine, shouldn't it?
>>>>
>>>> Any other suggestions? Does it make sense to change the banaction in the jail.conf to regular iptables or to install shorewall?
>>>>
>>>> Kind Regards
>>>>
>>>> Daniel
>>>
>>> Hi,
>>>
>>> yes the module is ok. What version of fail2ban are you using?
>>>
>>> I also found this link
>>>
>>> https://bugs.launchpad.net/ubuntu/+source/fail2ban/+bug/234122
>>>
>>> Let me know,
>>> best regards
>>>
>>> --
>>> Matteo Filippetto
>>
>> Hi,
>>
>> I'm using Fail2Ban v0.8.3 and iptables v1.4.2 on a Debian Lenny. All packages are from the standard Debian repositories.
>> I already switched from iptables-multiport to iptables only but the same error occurs. I think I'm gonna try hosts.deny next.
>>
>> Any other ideas?
>>
>> Kind Regards
>>
>> Daniel
>>
>
> Have you tried to set log level to 4 (debug) and check it for information?
>
> If you post it, maybe we can obtain more info...
>
> best regards
>
> --
> Matteo Filippetto

I just switched to verbose level 4 with hosts.deny, here is the extract:

2009-12-01 09:23:42,059 fail2ban.jail : INFO Jail 'ssh' stopped
2009-12-01 09:23:42,231 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.3
2009-12-01 09:23:42,231 fail2ban.comm : DEBUG Command: ['add', 'ssh', 'polling']
2009-12-01 09:23:42,232 fail2ban.jail : INFO Creating new jail 'ssh'
2009-12-01 09:23:42,232 fail2ban.jail : INFO Jail 'ssh' uses poller
2009-12-01 09:23:42,242 fail2ban.filter : DEBUG Created Filter
2009-12-01 09:23:42,242 fail2ban.filter : DEBUG Created FilterPoll
2009-12-01 09:23:42,242 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'addlogpath', '/var/log/auth.log']
2009-12-01 09:23:42,242 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2009-12-01 09:23:42,243 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'maxretry', '3']
2009-12-01 09:23:42,243 fail2ban.filter : INFO Set maxRetry = 3
2009-12-01 09:23:42,243 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'addignoreip', '127.0.0.1']
2009-12-01 09:23:42,244 fail2ban.filter : DEBUG Add 127.0.0.1 to ignore list
2009-12-01 09:23:42,244 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'findtime', '600']
2009-12-01 09:23:42,244 fail2ban.filter : INFO Set findtime = 600
2009-12-01 09:23:42,245 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'bantime', '600']
2009-12-01 09:23:42,245 fail2ban.actions: INFO Set banTime = 600
2009-12-01 09:23:42,245 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*(?:error: PAM: )?Authentication failure for .* from <HOST>\\s*$']
2009-12-01 09:23:42,247 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\\s*$']
2009-12-01 09:23:42,250 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*Failed (?:password|publickey) for .* from <HOST>(?: port \\d*)?(?: ssh\\d*)?$']
2009-12-01 09:23:42,253 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*ROOT LOGIN REFUSED.* FROM <HOST>\\s*$']
2009-12-01 09:23:42,257 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*[iI](?:llegal|nvalid) user .* from <HOST>\\s*$']
2009-12-01 09:23:42,261 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*User .+ from <HOST> not allowed because not listed in AllowUsers$']
2009-12-01 09:23:42,267 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'addfailregex', "^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*User .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\\s*$"]
2009-12-01 09:23:42,273 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*authentication failure; logname=\\S* uid=\\S* euid=\\S* tty=\\S* ruser=\\S* rhost=<HOST>(?:\\s+user=.*)?\\s*$']
2009-12-01 09:23:42,281 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*refused connect from \\S+ \\(<HOST>\\)\\s*$']
2009-12-01 09:23:42,291 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*Address <HOST> .* POSSIBLE BREAK-IN ATTEMPT\\s*$']
2009-12-01 09:23:42,301 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'addaction', 'hostsdeny']
2009-12-01 09:23:42,301 fail2ban.actions.action: DEBUG Created Action
2009-12-01 09:23:42,302 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'actionban', 'hostsdeny', 'IP=<ip> &&\nprintf %b "ALL: $IP\\n" >> <file>']
2009-12-01 09:23:42,302 fail2ban.actions.action: DEBUG Set actionBan = IP=<ip> && printf %b "ALL: $IP\n" >> <file>
2009-12-01 09:23:42,302 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'actionstop', 'hostsdeny', '']
2009-12-01 09:23:42,302 fail2ban.actions.action: DEBUG Set actionStop =
2009-12-01 09:23:42,303 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'actionstart', 'hostsdeny', '']
2009-12-01 09:23:42,303 fail2ban.actions.action: DEBUG Set actionStart =
2009-12-01 09:23:42,303 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'actionunban', 'hostsdeny', 'IP=<ip> && sed -i.old /ALL:\\ $IP/d <file>']
2009-12-01 09:23:42,303 fail2ban.actions.action: DEBUG Set actionUnban = IP=<ip> && sed -i.old /ALL:\ $IP/d <file>
2009-12-01 09:23:42,304 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'actioncheck', 'hostsdeny', '']
2009-12-01 09:23:42,304 fail2ban.actions.action: DEBUG Set actionCheck =
2009-12-01 09:23:42,304 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'setcinfo', 'hostsdeny', 'protocol', 'tcp']
2009-12-01 09:23:42,305 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'setcinfo', 'hostsdeny', 'name', 'ssh']
2009-12-01 09:23:42,305 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'setcinfo', 'hostsdeny', 'file', '/etc/hosts.deny']
2009-12-01 09:23:42,306 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'setcinfo', 'hostsdeny', 'port', 'ssh']
2009-12-01 09:23:42,306 fail2ban.comm : DEBUG Command: ['start', 'ssh']
2009-12-01 09:23:42,306 fail2ban.filter : DEBUG /var/log/auth.log has been modified
2009-12-01 09:23:42,325 fail2ban.actions.action: DEBUG
2009-12-01 09:23:42,345 fail2ban.jail : INFO Jail 'ssh' started
2009-12-01 09:23:42,353 fail2ban.actions.action: DEBUG returned successfully
2009-12-01 09:23:44,761 fail2ban.filter : DEBUG Found 80.154.39.109
2009-12-01 09:23:44,761 fail2ban.filter : DEBUG Found 80.154.39.109
2009-12-01 09:23:44,762 fail2ban.filter.datedetector: DEBUG Sorting the template list

What I was wondering is that even though it found an IP address it didn't add it to hosts.deny.

And here is what it looks like with iptables as banaction:

2009-12-01 09:28:52,528 fail2ban.comm : DEBUG Command: ['add', 'ssh', 'polling']
2009-12-01 09:28:52,528 fail2ban.jail : INFO Creating new jail 'ssh'
2009-12-01 09:28:52,528 fail2ban.jail : INFO Jail 'ssh' uses poller
2009-12-01 09:28:52,538 fail2ban.filter : DEBUG Created Filter
2009-12-01 09:28:52,538 fail2ban.filter : DEBUG Created FilterPoll
2009-12-01 09:28:52,538 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'addlogpath', '/var/log/auth.log']
2009-12-01 09:28:52,538 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2009-12-01 09:28:52,539 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'maxretry', '3']
2009-12-01 09:28:52,539 fail2ban.filter : INFO Set maxRetry = 3
2009-12-01 09:28:52,539 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'addignoreip', '127.0.0.1']
2009-12-01 09:28:52,540 fail2ban.filter : DEBUG Add 127.0.0.1 to ignore list
2009-12-01 09:28:52,540 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'findtime', '600']
2009-12-01 09:28:52,540 fail2ban.filter : INFO Set findtime = 600
2009-12-01 09:28:52,541 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'bantime', '600']
2009-12-01 09:28:52,541 fail2ban.actions: INFO Set banTime = 600
2009-12-01 09:28:52,541 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*(?:error: PAM: )?Authentication failure for .* from <HOST>\\s*$']
2009-12-01 09:28:52,543 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\\s*$']
2009-12-01 09:28:52,546 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*Failed (?:password|publickey) for .* from <HOST>(?: port \\d*)?(?: ssh\\d*)?$']
2009-12-01 09:28:52,549 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*ROOT LOGIN REFUSED.* FROM <HOST>\\s*$']
2009-12-01 09:28:52,553 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*[iI](?:llegal|nvalid) user .* from <HOST>\\s*$']
2009-12-01 09:28:52,557 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*User .+ from <HOST> not allowed because not listed in AllowUsers$']
2009-12-01 09:28:52,563 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'addfailregex', "^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*User .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\\s*$"]
2009-12-01 09:28:52,569 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*authentication failure; logname=\\S* uid=\\S* euid=\\S* tty=\\S* ruser=\\S* rhost=<HOST>(?:\\s+user=.*)?\\s*$']
2009-12-01 09:28:52,577 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*refused connect from \\S+ \\(<HOST>\\)\\s*$']
2009-12-01 09:28:52,586 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*Address <HOST> .* POSSIBLE BREAK-IN ATTEMPT\\s*$']
2009-12-01 09:28:52,597 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'addaction', 'iptables']
2009-12-01 09:28:52,597 fail2ban.actions.action: DEBUG Created Action
2009-12-01 09:28:52,597 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'actionban', 'iptables', 'iptables -I fail2ban-<name> 1 -s <ip> -j DROP']
2009-12-01 09:28:52,598 fail2ban.actions.action: DEBUG Set actionBan = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
2009-12-01 09:28:52,598 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'actionstop', 'iptables', 'iptables -D INPUT -p <protocol> --dport <port> -j fail2ban-<name>\niptables -F fail2ban-<name>\niptables -X fail2ban-<name>']
2009-12-01 09:28:52,598 fail2ban.actions.action: DEBUG Set actionStop = iptables -D INPUT -p <protocol> --dport <port> -j fail2ban-<name>
iptables -F fail2ban-<name>
iptables -X fail2ban-<name>
2009-12-01 09:28:52,599 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'actionstart', 'iptables', 'iptables -N fail2ban-<name>\niptables -A fail2ban-<name> -j RETURN\niptables -I INPUT -p <protocol> --dport <port> -j fail2ban-<name>']
2009-12-01 09:28:52,599 fail2ban.actions.action: DEBUG Set actionStart = iptables -N fail2ban-<name>
iptables -A fail2ban-<name> -j RETURN
iptables -I INPUT -p <protocol> --dport <port> -j fail2ban-<name>
2009-12-01 09:28:52,599 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'actionunban', 'iptables', 'iptables -D fail2ban-<name> -s <ip> -j DROP']
2009-12-01 09:28:52,599 fail2ban.actions.action: DEBUG Set actionUnban = iptables -D fail2ban-<name> -s <ip> -j DROP
2009-12-01 09:28:52,600 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'actioncheck', 'iptables', 'iptables -n -L INPUT | grep -q fail2ban-<name>']
2009-12-01 09:28:52,600 fail2ban.actions.action: DEBUG Set actionCheck = iptables -n -L INPUT | grep -q fail2ban-<name>
2009-12-01 09:28:52,600 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'setcinfo', 'iptables', 'protocol', 'tcp']
2009-12-01 09:28:52,601 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'setcinfo', 'iptables', 'name', 'ssh']
2009-12-01 09:28:52,601 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'setcinfo', 'iptables', 'port', 'ssh']
2009-12-01 09:28:52,602 fail2ban.comm : DEBUG Command: ['start', 'ssh']
2009-12-01 09:28:52,602 fail2ban.filter : DEBUG /var/log/auth.log has been modified
2009-12-01 09:28:52,625 fail2ban.actions.action: DEBUG iptables -N fail2ban-ssh
iptables -A fail2ban-ssh -j RETURN
iptables -I INPUT -p tcp --dport ssh -j fail2ban-ssh
2009-12-01 09:28:52,646 fail2ban.actions.action: DEBUG iptables -N fail2ban-ssh
iptables -A fail2ban-ssh -j RETURN
iptables -I INPUT -p tcp --dport ssh -j fail2ban-ssh returned successfully
2009-12-01 09:28:52,647 fail2ban.jail : INFO Jail 'ssh' started
2009-12-01 09:28:55,046 fail2ban.filter : DEBUG Found 80.154.39.109
2009-12-01 09:28:55,046 fail2ban.filter : DEBUG Found 80.154.39.109
2009-12-01 09:28:55,047 fail2ban.filter.datedetector: DEBUG Sorting the template list

Unfortunately fail2ban did not ban the IP with iptables either:

root@dev:/[09:28]iptables -L INPUT
Chain INPUT (policy ACCEPT)
target prot opt source destination

Well, maybe I have to wait longer until someone tries to break in again. But can you already see some anomalous behavior?

Cheers
Daniel
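An added example, not code from the thread or from fail2ban itself: a POSIX shell script that decodes the "returned 100" values in the error extract above (fail2ban 0.8.x runs each action through os.system() and logs a non-zero wait status in hex, so 100 is 0x100, i.e. exit status 1) and replays the jail's actioncheck over a captured `iptables -n -L INPUT` listing, which is exactly the check that failed before the "Invariant check failed" line. The function names and the two sample listings are mine, not from the poster's host.

```shell
#!/bin/sh
# Added example (not from the thread or from fail2ban).

# fail2ban 0.8.x logs a failed action as "<cmd> returned %x" of the raw
# os.system() wait status: "returned 100" = 0x100 = exit status 1.
decode_status() {
    wait_status=$((0x$1))
    printf '%d\n' $(( (wait_status >> 8) & 0xff ))
}

# The jail's actioncheck from the debug log, run over a listing on stdin
# instead of a live netfilter so it can be exercised without root:
#   iptables -n -L INPUT | grep -q fail2ban-<name>
chain_referenced() {
    grep -q "fail2ban-$1"
}

# Classify one INPUT listing: returns 0 when the jail chain is hooked in,
# 1 when it is missing (the state behind "Invariant check failed").
diagnose() {
    name=$1
    listing=$2
    if printf '%s\n' "$listing" | chain_referenced "$name"; then
        echo "fail2ban-$name is referenced from INPUT"
        return 0
    fi
    echo "fail2ban-$name is not referenced from INPUT:" \
         "another firewall tool flushed the ruleset, or actionstart never ran"
    return 1
}

# Constructed sample listings (not captured from the poster's host).
HEALTHY='Chain INPUT (policy ACCEPT)
target       prot opt source     destination
fail2ban-ssh tcp  --  0.0.0.0/0  0.0.0.0/0    multiport dports 22'
FLUSHED='Chain INPUT (policy ACCEPT)
target       prot opt source     destination'

# Live check against the running ruleset; needs root and iptables.
live_check() {
    if [ "$(id -u)" -eq 0 ] && command -v iptables >/dev/null 2>&1; then
        diagnose "$1" "$(iptables -n -L INPUT)"
    else
        echo "skipping live check (needs root and iptables)"
    fi
}
```

Run `live_check ssh` from cron right after the jail reports "started" and again a minute later: if the first passes and the second fails, something else on the host is rewriting the INPUT chain between the two runs.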