I need help with fail2ban...

trist007 · 12-11-2009, 01:36 PM

I am running Slackware 13.0 and I have installed fail2ban. I am trying to setup fail2ban to work with proftpd 1.32. I have iptables already running with no rules and sendmail works like a charm. I removed my email in the jail.local for privacy reasons.

In the directory /etc/fail2ban I have created duplicates of jail.conf and
fail2ban.conf (jail.local and fail2ban.local) as instructed by the manual. I make all the changes on the local files, those files are read in after the *.conf ones. So in the jail.local file I have this

Code:

[proftpd-iptables]

enabled  = true
filter   = proftpd
action   = iptables[name=ProFTPD, port=ftp, protocol=tcp]
           sendmail-whois[name=ProFTPD, dest=xxxxxxxx@xxxxx.com]
logpath  = /var/log/proftpd.log
maxretry = 6

# This jail forces the backend to "polling".

I make no changes to fail2ban.local, then I start fail2ban with

Code:

fail2ban-client start

Then in the /var/log/fail2ban.log I see this

Code:

2009-12-11 13:31:25,897 fail2ban.server : INFO   Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.3
2009-12-11 13:31:25,898 fail2ban.jail   : INFO   Creating new jail 'proftpd-iptables'
2009-12-11 13:31:25,912 fail2ban.jail   : INFO   Jail 'proftpd-iptables' uses Gamin
2009-12-11 13:31:25,997 fail2ban.filter : INFO   Added logfile = /var/log/proftpd.log
2009-12-11 13:31:25,999 fail2ban.filter : INFO   Set maxRetry = 6
2009-12-11 13:31:26,000 fail2ban.filter : INFO   Set findtime = 600
2009-12-11 13:31:26,001 fail2ban.actions: INFO   Set banTime = 600
2009-12-11 13:31:26,014 fail2ban.server : ERROR  Unexpected communication error
2009-12-11 13:31:26,015 fail2ban.server : ERROR  Unexpected communication error
2009-12-11 13:31:26,016 fail2ban.server : ERROR  Unexpected communication error
2009-12-11 13:31:26,017 fail2ban.server : ERROR  Unexpected communication error
2009-12-11 13:31:26,018 fail2ban.server : ERROR  Unexpected communication error
2009-12-11 13:31:26,019 fail2ban.server : ERROR  Unexpected communication error
2009-12-11 13:31:26,021 fail2ban.server : ERROR  Unexpected communication error
2009-12-11 13:31:26,022 fail2ban.server : ERROR  Unexpected communication error
2009-12-11 13:31:26,023 fail2ban.server : ERROR  Unexpected communication error
2009-12-11 13:31:26,025 fail2ban.server : ERROR  Unexpected communication error
2009-12-11 13:31:26,026 fail2ban.server : ERROR  Unexpected communication error
2009-12-11 13:31:26,027 fail2ban.server : ERROR  Unexpected communication error
2009-12-11 13:31:26,028 fail2ban.server : ERROR  Unexpected communication error
2009-12-11 13:31:26,029 fail2ban.server : ERROR  Unexpected communication error
2009-12-11 13:31:26,030 fail2ban.server : ERROR  Unexpected communication error
2009-12-11 13:31:26,031 fail2ban.server : ERROR  Unexpected communication error
2009-12-11 13:31:26,033 fail2ban.jail   : INFO   Jail 'proftpd-iptables' started
2009-12-11 13:31:26,042 fail2ban.server : ERROR  Unexpected communication error

I also remember reading that fail2ban uses /var/run/fail2ban/fail2ban.sock to communicate with client. I checked the sock file and it looks like 'fail2ban.sock=', why does it have an equal sign?

I have python 2.6.2 and I have tried changing the python shibang in
/usr/bin/fail2ban-server
from #!/usr/bin/python
to
#!/usr/sbin/python2.6
and still nothing.

I also do not want to use proftpd's ban mod, which prevents banned users from logging into ftp server but not from connected to the server, so my proftpd.log will still be filled with user/pass attempts.

If I can't get this working, I may give Snort a go, it just seems very intimidating.

I'm a little confused, there are two binaries, fail2ban-client and fail2ban-server. Surprisingly they seem to be the same thing. The manuals say to use the client but for experimentation, I tried starting the server first, then the client and when I tried doing the client it said that server was already up.
Anyhow, any ideas?

bathory · 12-12-2009, 08:12 AM

Hi,

Why don't you use the startup script from the Slackware fail2ban package

Regards

trist007 · 12-12-2009, 11:38 AM

I've tried that, I still get the unexpected communication error.

bathory · 12-12-2009, 12:06 PM

fail2ban-0.8.3 does not work with python 2.6 (here), so I guess you're using an old version and you need to upgrade.

Quote:

I have python 2.6.2 and I have tried changing the python shibang in
/usr/bin/fail2ban-server
from #!/usr/bin/python
to
#!/usr/sbin/python2.6
and still nothing.

The correct path is /usr/bin/python2.6.
Mind that /usr/bin/python is actually a symlink to /usr/bin/python2.6, so there was no need to change the shebang.

Regards

trist007 · 12-12-2009, 07:50 PM

Excellent, got the fail2ban 0.8.4 Slackbuild and it works like charm. Thank you bathory for pointing that out.

trist007 · 12-12-2009, 08:19 PM

I spoke too soon. I no longer have 'unexpected errors' in my fail2ban.log, however, fail2ban doesn't seem to be working. When I enter fail2ban-client status, I get

Code:

ERROR  Unable to contact server. Is it running?

bathory · 12-13-2009, 11:38 AM

Check if fail2ban is running:

Code:

ps -ef|grep fail2ban

If it runs, stop it:

Code:

/etc/rc.d/rc.fail2ban stop

Check if the socket exists and delete it:

Code:

rm /var/run/fail2ban/fail2ban.sock

Restart it and see if it works.

trist007 · 12-13-2009, 01:33 PM

If I

Code:

rc.fail2ban stop

Then there is no fail2ban.socket in /var/run/fail2ban

However, fail2ban.socket does exists when fail2ban is started via

Code:

rc.fail2ban start

I stopped and restarted, and still I get the same 'ERROR Unable to contact server. It it running?' error.

bathory · 12-13-2009, 01:53 PM

What is the output of

Code:

ps aux|grep fail2

Mine looks like this

Quote:

/usr/bin/python /usr/bin/fail2ban-server -b -s /var/run/fail2ban/fail2ban.sock -x

in Slackware (I've used the sources and not the Slackware package)

trist007 · 12-13-2009, 04:44 PM

Mine looks exactly like yours.

trist007 · 12-13-2009, 07:46 PM

bathory, you think I should just try snort instead? I'd be a great program to learn in terms of getting a job. Then again, I would like to understand why fail2ban is not working.

trist007 · 12-13-2009, 10:58 PM

I removed/reinstalled the package and now I see a new script /etc/rc.d/rc.fail2ban.new

I tried that one and lo and behold it works now hehe. I get no errors at all and fail2ban-client status works fine.

However, I can't seem to get it to jail an ftp user that I've been testing.

I use my roommates computer and login via ftp as the same user with wrong passwords 6 times in a row and nothing happens.

jail.local

Code:

# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 617 $
#

# The DEFAULT allows a global definition of the options. They can be override
# in each jail afterwards.

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1

# "bantime" is the number of seconds that a host is banned.
bantime  = 600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 600

# "maxretry" is the number of failures before a host get banned.
maxretry = 3

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto". This option can be overridden in
# each jail too (use "gamin" for a jail and "polling" for another).
#
# gamin:   requires Gamin (a file alteration monitor) to be installed. If Gamin
#          is not installed, Fail2ban will use polling.
# polling: uses a polling algorithm which does not require external libraries.
# auto:    will choose Gamin if available and polling otherwise.
backend = auto


# This jail corresponds to the standard configuration in Fail2ban 0.6.
# The mail-whois action send a notification e-mail with a whois request
# in the body.

[ssh-iptables]

enabled  = false
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=you@mail.com, sender=fail2ban@mail.com]
logpath  = /var/log/sshd.log
maxretry = 5

[proftpd-iptables]

enabled  = true
filter   = proftpd
action   = iptables[name=ProFTPD, port=ftp, protocol=tcp]
           sendmail-whois[name=ProFTPD, dest=root@server.com]
logpath  = /var/log/proftpd.log
maxretry = 3

fail2ban.local

Code:

# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 629 $
#

[Definition]

# Option:  loglevel
# Notes.:  Set the log level output.
#          1 = ERROR
#          2 = WARN
#          3 = INFO
#          4 = DEBUG
# Values:  NUM  Default:  3
#
loglevel = 4

# Option:  logtarget
# Notes.:  Set the log target. This could be a file, SYSLOG, STDERR or STDOUT.
#          Only one log target can be specified.
# Values:  STDOUT STDERR SYSLOG file  Default:  /var/log/fail2ban.log
#
logtarget = /var/log/fail2ban.log

# Option: socket
# Notes.: Set the socket file. This is used to communicate with the daemon. Do
#         not remove this file when Fail2ban runs. It will not be possible to
#         communicate with the server afterwards.
# Values: FILE  Default:  /var/run/fail2ban/fail2ban.sock
#
socket = /var/run/fail2ban/fail2ban.sock

trist007 · 12-13-2009, 11:03 PM

woohoo it works!!!!

I noticed while testing that if I try to bruteforce a valid ftp user account, then my ip will not get banned.

In the proftpd log file, the failed login is logged as

Code:

User xxx (Login failed): Incorrect password.

which matches up exactly with the 2nd phrase in the regex in /etc/fail2ban/filter.d/proftpd.conf

Code:

# Fail2Ban configuration file
#
# Author: Yaroslav Halchenko
#
# $Revision: 677 $
#

[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
failregex = \(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found from \S+ \[\S+\] to \S+:\S+$
            \(\S+\[<HOST>\]\)[: -]+ USER \S+ \(Login failed\): Incorrect password\.$
            \(\S+\[<HOST>\]\)[: -]+ SECURITY VIOLATION: \S+ login attempted\.$
            \(\S+\[<HOST>\]\)[: -]+ Maximum login attempts \(\d+\) exceeded$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

/var/log/fail2ban.log

Code:

2009-12-13 23:15:35,287 fail2ban.comm   : DEBUG  Command: ['status']
2009-12-13 23:15:58,461 fail2ban.filter : DEBUG  Got event: 1 for /var/log/proftpd.log
2009-12-13 23:15:58,461 fail2ban.filter : DEBUG  File changed: /var/log/proftpd.log
2009-12-13 23:15:58,462 fail2ban.filter.datedetector: DEBUG  Sorting the template list
2009-12-13 23:16:01,468 fail2ban.filter : DEBUG  Got event: 1 for /var/log/proftpd.log
2009-12-13 23:16:01,468 fail2ban.filter : DEBUG  File changed: /var/log/proftpd.log
2009-12-13 23:16:01,468 fail2ban.filter.datedetector: DEBUG  Sorting the template list
2009-12-13 23:16:04,475 fail2ban.filter : DEBUG  Got event: 1 for /var/log/proftpd.log
2009-12-13 23:16:04,475 fail2ban.filter : DEBUG  File changed: /var/log/proftpd.log
2009-12-13 23:16:04,475 fail2ban.filter.datedetector: DEBUG  Sorting the template list
2009-12-13 23:16:07,482 fail2ban.filter : DEBUG  Got event: 1 for /var/log/proftpd.log
2009-12-13 23:16:07,482 fail2ban.filter : DEBUG  File changed: /var/log/proftpd.log
2009-12-13 23:16:07,482 fail2ban.filter.datedetector: DEBUG  Sorting the template list
2009-12-13 23:16:17,795 fail2ban.comm   : DEBUG  Command: ['status']
2009-12-13 23:16:22,513 fail2ban.filter : DEBUG  Got event: 1 for /var/log/proftpd.log
2009-12-13 23:16:22,513 fail2ban.filter : DEBUG  File changed: /var/log/proftpd.log
2009-12-13 23:16:22,513 fail2ban.filter.datedetector: DEBUG  Sorting the template list
2009-12-13 23:16:39,547 fail2ban.filter : DEBUG  Got event: 1 for /var/log/proftpd.log
2009-12-13 23:16:39,548 fail2ban.filter : DEBUG  File changed: /var/log/proftpd.log
2009-12-13 23:16:39,549 fail2ban.filter : DEBUG  Found a match for '3:16:37 server proftpd[4301] server.darkstar.net (192.168.1.106[192.168.1.106]): USER xbox (Login$
' but no valid date/time found for '3:16:37 server proftpd[4301] server.darkstar.net (192.168.1.106[192.168.1.106]): USER xbox (Login failed): Incorrect password.
'. Please contact the author in order to get support for this format
2009-12-13 23:16:39,549 fail2ban.filter.datedetector: DEBUG  Sorting the template list
2009-12-13 23:16:41,552 fail2ban.filter : DEBUG  Got event: 1 for /var/log/proftpd.log
2009-12-13 23:16:41,553 fail2ban.filter : DEBUG  File changed: /var/log/proftpd.log
2009-12-13 23:16:41,553 fail2ban.filter : DEBUG  Found 192.168.1.106
2009-12-13 23:16:41,554 fail2ban.filter.datedetector: DEBUG  Sorting the template list
2009-12-13 23:16:44,559 fail2ban.filter : DEBUG  Got event: 1 for /var/log/proftpd.log
2009-12-13 23:16:44,560 fail2ban.filter : DEBUG  File changed: /var/log/proftpd.log
2009-12-13 23:16:44,560 fail2ban.filter : DEBUG  Found 192.168.1.106
2009-12-13 23:16:44,561 fail2ban.filter.datedetector: DEBUG  Sorting the template list
2009-12-13 23:17:03,598 fail2ban.filter : DEBUG  Got event: 1 for /var/log/proftpd.log
2009-12-13 23:17:03,599 fail2ban.filter : DEBUG  File changed: /var/log/proftpd.log
2009-12-13 23:17:03,599 fail2ban.filter.datedetector: DEBUG  Sorting the template list

As you can see I logged twice, each time trying 3 user/pass with the same user.

Why isn't fail2ban recognizing the phrase?
I'm thinking maybe the format works out different if it's an IP from within my internal network instead of coming in from outside my router(gateway).

After doing like 13 incorrect user/pass, fail2ban finally recognized the pattern and banned the IP. For typical bruteforcing bots out there on the net, it'll do. I can finally sleep well at nite

.

trist007 · 12-14-2009, 12:17 AM

I'd like to setup a jail for my postgresql database. This is the log lines that I would like to capture. The first is when I enter a user that does not exist, the second is why I enter a valid user but an incorrect password.

/home/postgres/serverlog

Code:

FATAL:  no pg_hba.conf entry for host "127.0.0.1", user "sick", database "darkstar"
FATAL:  password authentication failed for user "marty"

jail.local

Code:

[postgresql-iptables]

enabled  = true
filter   = postgresql
action   = iptables[name=Postgresql, port=49891, protocol=udp]
           sendmail-whois[name=Postgresql, dest=root@server.com]
logpath  = /home/postgres/serverlog
maxretry = 3

filter.d/postgresql.conf

Code:

# Fail2Ban configuration file
#
# Author: Yaroslav Halchenko
#
# $Revision: 677 $
#

[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
failregex =FATAL:   no pg_hba.conf entry for host "S+", user "USER", database "darkstar" 
           FATAL:   password authentication failed for user "USER"

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

when I run lsof -i
I can see that postmaster(postgresql) has four instances all running on udp:49891
However, on the second type of log I want to capture 'FATAL: password authentication failed for user "marty"' will I have a problem since there is no IP listed on that line?

trist007 · 12-14-2009, 12:29 AM

Come to think of it I don't think the
postgresql jail will work. This server runs an apache web server that has a postgresql database attached to it via php. Users go to the website and login to the database which is obviously on the same machine. So when a user trues to sign in the IP address will alwaya be the IP address of the web server 127.0.0.1. I wouldn't want to block my loopback. Any thoughts? I don't want to move my database onto another computer.