Old 12-11-2009, 02:36 PM   #1
trist007
Senior Member
 
Registered: May 2008
Distribution: Slackware
Posts: 1,004

I need help with fail2ban...


I am running Slackware 13.0 and I have installed fail2ban. I am trying to set up fail2ban to work with proftpd 1.32. I have iptables already running with no rules, and sendmail works like a charm. I removed my email address from the jail.local for privacy reasons.

In the directory /etc/fail2ban I have created duplicates of jail.conf and fail2ban.conf (jail.local and fail2ban.local) as instructed by the manual. I make all the changes in the local files; those files are read in after the *.conf ones. So in the jail.local file I have this:

Code:
[proftpd-iptables]

enabled  = true
filter   = proftpd
action   = iptables[name=ProFTPD, port=ftp, protocol=tcp]
           sendmail-whois[name=ProFTPD, dest=xxxxxxxx@xxxxx.com]
logpath  = /var/log/proftpd.log
maxretry = 6

# This jail forces the backend to "polling".
I make no changes to fail2ban.local, then I start fail2ban with

Code:
fail2ban-client start
Then in the /var/log/fail2ban.log I see this

Code:
2009-12-11 13:31:25,897 fail2ban.server : INFO   Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.3
2009-12-11 13:31:25,898 fail2ban.jail   : INFO   Creating new jail 'proftpd-iptables'
2009-12-11 13:31:25,912 fail2ban.jail   : INFO   Jail 'proftpd-iptables' uses Gamin
2009-12-11 13:31:25,997 fail2ban.filter : INFO   Added logfile = /var/log/proftpd.log
2009-12-11 13:31:25,999 fail2ban.filter : INFO   Set maxRetry = 6
2009-12-11 13:31:26,000 fail2ban.filter : INFO   Set findtime = 600
2009-12-11 13:31:26,001 fail2ban.actions: INFO   Set banTime = 600
2009-12-11 13:31:26,014 fail2ban.server : ERROR  Unexpected communication error
2009-12-11 13:31:26,015 fail2ban.server : ERROR  Unexpected communication error
2009-12-11 13:31:26,016 fail2ban.server : ERROR  Unexpected communication error
2009-12-11 13:31:26,017 fail2ban.server : ERROR  Unexpected communication error
2009-12-11 13:31:26,018 fail2ban.server : ERROR  Unexpected communication error
2009-12-11 13:31:26,019 fail2ban.server : ERROR  Unexpected communication error
2009-12-11 13:31:26,021 fail2ban.server : ERROR  Unexpected communication error
2009-12-11 13:31:26,022 fail2ban.server : ERROR  Unexpected communication error
2009-12-11 13:31:26,023 fail2ban.server : ERROR  Unexpected communication error
2009-12-11 13:31:26,025 fail2ban.server : ERROR  Unexpected communication error
2009-12-11 13:31:26,026 fail2ban.server : ERROR  Unexpected communication error
2009-12-11 13:31:26,027 fail2ban.server : ERROR  Unexpected communication error
2009-12-11 13:31:26,028 fail2ban.server : ERROR  Unexpected communication error
2009-12-11 13:31:26,029 fail2ban.server : ERROR  Unexpected communication error
2009-12-11 13:31:26,030 fail2ban.server : ERROR  Unexpected communication error
2009-12-11 13:31:26,031 fail2ban.server : ERROR  Unexpected communication error
2009-12-11 13:31:26,033 fail2ban.jail   : INFO   Jail 'proftpd-iptables' started
2009-12-11 13:31:26,042 fail2ban.server : ERROR  Unexpected communication error
I also remember reading that fail2ban uses /var/run/fail2ban/fail2ban.sock to communicate with the client. I checked the sock file and it looks like 'fail2ban.sock='; why does it have an equals sign?

I have python 2.6.2 and I have tried changing the python shebang in
/usr/bin/fail2ban-server
from #!/usr/bin/python
to
#!/usr/sbin/python2.6
and still nothing.

I also do not want to use proftpd's ban mod, which prevents banned users from logging into the ftp server but not from connecting to the server, so my proftpd.log will still be filled with user/pass attempts.

If I can't get this working, I may give Snort a go, it just seems very intimidating.

I'm a little confused: there are two binaries, fail2ban-client and fail2ban-server. Surprisingly, they seem to be the same thing. The manuals say to use the client, but for experimentation I tried starting the server first, then the client, and when I tried the client it said that the server was already up.
Anyhow, any ideas?

Last edited by trist007; 12-11-2009 at 03:43 PM.
 
Old 12-12-2009, 09:12 AM   #2
bathory
Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 10,970

Hi,

Why don't you use the startup script from the Slackware fail2ban package?

Regards
 
Old 12-12-2009, 12:38 PM   #3
trist007
Senior Member
 
Registered: May 2008
Distribution: Slackware
Posts: 1,004

Original Poster
I've tried that; I still get the unexpected communication error.
 
Old 12-12-2009, 01:06 PM   #4
bathory
Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 10,970

fail2ban-0.8.3 does not work with python 2.6 (here), so I guess you're using an old version and you need to upgrade.
Quote:
I have python 2.6.2 and I have tried changing the python shebang in
/usr/bin/fail2ban-server
from #!/usr/bin/python
to
#!/usr/sbin/python2.6
and still nothing.
The correct path is /usr/bin/python2.6.
Mind that /usr/bin/python is actually a symlink to /usr/bin/python2.6, so there was no need to change the shebang.

Regards
 
Old 12-12-2009, 08:50 PM   #5
trist007
Senior Member
 
Registered: May 2008
Distribution: Slackware
Posts: 1,004

Original Poster
Excellent, got the fail2ban 0.8.4 SlackBuild and it works like a charm. Thank you bathory for pointing that out.
 
Old 12-12-2009, 09:19 PM   #6
trist007
Senior Member
 
Registered: May 2008
Distribution: Slackware
Posts: 1,004

Original Poster
I spoke too soon. I no longer have 'unexpected errors' in my fail2ban.log; however, fail2ban doesn't seem to be working. When I enter fail2ban-client status, I get
Code:
ERROR  Unable to contact server. Is it running?
 
Old 12-13-2009, 12:38 PM   #7
bathory
Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 10,970

Check if fail2ban is running:
Code:
ps -ef|grep fail2ban
If it runs, stop it:
Code:
/etc/rc.d/rc.fail2ban stop
Check if the socket exists and delete it:
Code:
rm /var/run/fail2ban/fail2ban.sock
Restart it and see if it works.
 
Old 12-13-2009, 02:33 PM   #8
trist007
Senior Member
 
Registered: May 2008
Distribution: Slackware
Posts: 1,004

Original Poster
If I
Code:
rc.fail2ban stop
Then there is no fail2ban.socket in /var/run/fail2ban

However, fail2ban.socket does exist when fail2ban is started via

Code:
rc.fail2ban start
I stopped and restarted, and still I get the same 'ERROR Unable to contact server. Is it running?' error.
 
Old 12-13-2009, 02:53 PM   #9
bathory
Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 10,970

What is the output of
Code:
ps aux|grep fail2
Mine looks like this
Quote:
/usr/bin/python /usr/bin/fail2ban-server -b -s /var/run/fail2ban/fail2ban.sock -x
in Slackware (I've used the sources and not the Slackware package)
 
Old 12-13-2009, 05:44 PM   #10
trist007
Senior Member
 
Registered: May 2008
Distribution: Slackware
Posts: 1,004

Original Poster
Mine looks exactly like yours.
 
Old 12-13-2009, 08:46 PM   #11
trist007
Senior Member
 
Registered: May 2008
Distribution: Slackware
Posts: 1,004

Original Poster
bathory, do you think I should just try snort instead? It'd be a great program to learn in terms of getting a job. Then again, I would like to understand why fail2ban is not working.
 
Old 12-13-2009, 11:58 PM   #12
trist007
Senior Member
 
Registered: May 2008
Distribution: Slackware
Posts: 1,004

Original Poster
I removed/reinstalled the package and now I see a new script /etc/rc.d/rc.fail2ban.new

I tried that one and lo and behold it works now hehe. I get no errors at all and fail2ban-client status works fine.

However, I can't seem to get it to jail an ftp user that I've been testing.

I use my roommate's computer and log in via ftp as the same user with wrong passwords 6 times in a row, and nothing happens.

jail.local
Code:
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 617 $
#

# The DEFAULT allows a global definition of the options. They can be override
# in each jail afterwards.

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1

# "bantime" is the number of seconds that a host is banned.
bantime  = 600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 600

# "maxretry" is the number of failures before a host get banned.
maxretry = 3

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto". This option can be overridden in
# each jail too (use "gamin" for a jail and "polling" for another).
#
# gamin:   requires Gamin (a file alteration monitor) to be installed. If Gamin
#          is not installed, Fail2ban will use polling.
# polling: uses a polling algorithm which does not require external libraries.
# auto:    will choose Gamin if available and polling otherwise.
backend = auto


# This jail corresponds to the standard configuration in Fail2ban 0.6.
# The mail-whois action send a notification e-mail with a whois request
# in the body.

[ssh-iptables]

enabled  = false
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=you@mail.com, sender=fail2ban@mail.com]
logpath  = /var/log/sshd.log
maxretry = 5

[proftpd-iptables]

enabled  = true
filter   = proftpd
action   = iptables[name=ProFTPD, port=ftp, protocol=tcp]
           sendmail-whois[name=ProFTPD, dest=root@server.com]
logpath  = /var/log/proftpd.log
maxretry = 3
fail2ban.local
Code:
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 629 $
#

[Definition]

# Option:  loglevel
# Notes.:  Set the log level output.
#          1 = ERROR
#          2 = WARN
#          3 = INFO
#          4 = DEBUG
# Values:  NUM  Default:  3
#
loglevel = 4

# Option:  logtarget
# Notes.:  Set the log target. This could be a file, SYSLOG, STDERR or STDOUT.
#          Only one log target can be specified.
# Values:  STDOUT STDERR SYSLOG file  Default:  /var/log/fail2ban.log
#
logtarget = /var/log/fail2ban.log

# Option: socket
# Notes.: Set the socket file. This is used to communicate with the daemon. Do
#         not remove this file when Fail2ban runs. It will not be possible to
#         communicate with the server afterwards.
# Values: FILE  Default:  /var/run/fail2ban/fail2ban.sock
#
socket = /var/run/fail2ban/fail2ban.sock

Last edited by trist007; 12-14-2009 at 12:10 AM.
 
Old 12-14-2009, 12:03 AM   #13
trist007
Senior Member
 
Registered: May 2008
Distribution: Slackware
Posts: 1,004

Original Poster
woohoo it works!!!!

I noticed while testing that if I try to brute-force a valid ftp user account, my IP will not get banned.

In the proftpd log file, the failed login is logged as

Code:
User xxx (Login failed): Incorrect password.
which matches up exactly with the 2nd phrase in the regex in /etc/fail2ban/filter.d/proftpd.conf

Code:
# Fail2Ban configuration file
#
# Author: Yaroslav Halchenko
#
# $Revision: 677 $
#

[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
failregex = \(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found from \S+ \[\S+\] to \S+:\S+$
            \(\S+\[<HOST>\]\)[: -]+ USER \S+ \(Login failed\): Incorrect password\.$
            \(\S+\[<HOST>\]\)[: -]+ SECURITY VIOLATION: \S+ login attempted\.$
            \(\S+\[<HOST>\]\)[: -]+ Maximum login attempts \(\d+\) exceeded$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
/var/log/fail2ban.log
Code:
2009-12-13 23:15:35,287 fail2ban.comm   : DEBUG  Command: ['status']
2009-12-13 23:15:58,461 fail2ban.filter : DEBUG  Got event: 1 for /var/log/proftpd.log
2009-12-13 23:15:58,461 fail2ban.filter : DEBUG  File changed: /var/log/proftpd.log
2009-12-13 23:15:58,462 fail2ban.filter.datedetector: DEBUG  Sorting the template list
2009-12-13 23:16:01,468 fail2ban.filter : DEBUG  Got event: 1 for /var/log/proftpd.log
2009-12-13 23:16:01,468 fail2ban.filter : DEBUG  File changed: /var/log/proftpd.log
2009-12-13 23:16:01,468 fail2ban.filter.datedetector: DEBUG  Sorting the template list
2009-12-13 23:16:04,475 fail2ban.filter : DEBUG  Got event: 1 for /var/log/proftpd.log
2009-12-13 23:16:04,475 fail2ban.filter : DEBUG  File changed: /var/log/proftpd.log
2009-12-13 23:16:04,475 fail2ban.filter.datedetector: DEBUG  Sorting the template list
2009-12-13 23:16:07,482 fail2ban.filter : DEBUG  Got event: 1 for /var/log/proftpd.log
2009-12-13 23:16:07,482 fail2ban.filter : DEBUG  File changed: /var/log/proftpd.log
2009-12-13 23:16:07,482 fail2ban.filter.datedetector: DEBUG  Sorting the template list
2009-12-13 23:16:17,795 fail2ban.comm   : DEBUG  Command: ['status']
2009-12-13 23:16:22,513 fail2ban.filter : DEBUG  Got event: 1 for /var/log/proftpd.log
2009-12-13 23:16:22,513 fail2ban.filter : DEBUG  File changed: /var/log/proftpd.log
2009-12-13 23:16:22,513 fail2ban.filter.datedetector: DEBUG  Sorting the template list
2009-12-13 23:16:39,547 fail2ban.filter : DEBUG  Got event: 1 for /var/log/proftpd.log
2009-12-13 23:16:39,548 fail2ban.filter : DEBUG  File changed: /var/log/proftpd.log
2009-12-13 23:16:39,549 fail2ban.filter : DEBUG  Found a match for '3:16:37 server proftpd[4301] server.darkstar.net (192.168.1.106[192.168.1.106]): USER xbox (Login$
' but no valid date/time found for '3:16:37 server proftpd[4301] server.darkstar.net (192.168.1.106[192.168.1.106]): USER xbox (Login failed): Incorrect password.
'. Please contact the author in order to get support for this format
2009-12-13 23:16:39,549 fail2ban.filter.datedetector: DEBUG  Sorting the template list
2009-12-13 23:16:41,552 fail2ban.filter : DEBUG  Got event: 1 for /var/log/proftpd.log
2009-12-13 23:16:41,553 fail2ban.filter : DEBUG  File changed: /var/log/proftpd.log
2009-12-13 23:16:41,553 fail2ban.filter : DEBUG  Found 192.168.1.106
2009-12-13 23:16:41,554 fail2ban.filter.datedetector: DEBUG  Sorting the template list
2009-12-13 23:16:44,559 fail2ban.filter : DEBUG  Got event: 1 for /var/log/proftpd.log
2009-12-13 23:16:44,560 fail2ban.filter : DEBUG  File changed: /var/log/proftpd.log
2009-12-13 23:16:44,560 fail2ban.filter : DEBUG  Found 192.168.1.106
2009-12-13 23:16:44,561 fail2ban.filter.datedetector: DEBUG  Sorting the template list
2009-12-13 23:17:03,598 fail2ban.filter : DEBUG  Got event: 1 for /var/log/proftpd.log
2009-12-13 23:17:03,599 fail2ban.filter : DEBUG  File changed: /var/log/proftpd.log
2009-12-13 23:17:03,599 fail2ban.filter.datedetector: DEBUG  Sorting the template list
As you can see, I logged in twice, each time trying 3 user/pass combinations with the same user.

Why isn't fail2ban recognizing the phrase?
I'm thinking maybe the format works out differently if it's an IP from within my internal network instead of coming in from outside my router (gateway).

After doing like 13 incorrect user/pass attempts, fail2ban finally recognized the pattern and banned the IP. For typical brute-forcing bots out there on the net, it'll do. I can finally sleep well at night.

Last edited by trist007; 12-14-2009 at 12:47 AM.
 
Old 12-14-2009, 01:17 AM   #14
trist007
Senior Member
 
Registered: May 2008
Distribution: Slackware
Posts: 1,004

Original Poster
I'd like to set up a jail for my postgresql database. These are the log lines that I would like to capture. The first is when I enter a user that does not exist; the second is when I enter a valid user but an incorrect password.

/home/postgres/serverlog
Code:
FATAL:  no pg_hba.conf entry for host "127.0.0.1", user "sick", database "darkstar"
FATAL:  password authentication failed for user "marty"
jail.local
Code:
[postgresql-iptables]

enabled  = true
filter   = postgresql
# PostgreSQL accepts client connections on TCP 5432 by default (the "port" setting
# in postgresql.conf); the udp:49891 socket that lsof shows is the statistics
# collector, not the listener, so a ban on it would not block logins.
action   = iptables[name=Postgresql, port=5432, protocol=tcp]
           sendmail-whois[name=Postgresql, dest=root@server.com]
logpath  = /home/postgres/serverlog
maxretry = 3
filter.d/postgresql.conf
Code:
# Fail2Ban configuration file
#
# Author: Yaroslav Halchenko
#
# $Revision: 677 $
#

[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
# Only the first log line carries a client address for <HOST> to capture. The
# "password authentication failed" line has none, and fail2ban refuses a
# failregex without a host group, so that pattern is kept below as a comment.
# Both lines also lack a timestamp, which fail2ban needs on every line;
# PostgreSQL's log_line_prefix can add one (%t) and the client address (%h).
failregex = FATAL:\s+no pg_hba\.conf entry for host "<HOST>", user "\S+", database "darkstar"$
#           FATAL:\s+password authentication failed for user "\S+"$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
When I run lsof -i, I can see that postmaster (postgresql) has four instances all running on udp:49891.
However, for the second type of log line I want to capture, 'FATAL: password authentication failed for user "marty"', will I have a problem since there is no IP listed on that line?
 
Old 12-14-2009, 01:29 AM   #15
trist007
Senior Member
 
Registered: May 2008
Distribution: Slackware
Posts: 1,004

Original Poster
Come to think of it, I don't think the postgresql jail will work. This server runs an apache web server that has a postgresql database attached to it via php. Users go to the website and log in to the database, which is obviously on the same machine. So when a user tries to sign in, the IP address will always be the IP address of the web server, 127.0.0.1. I wouldn't want to block my loopback. Any thoughts? I don't want to move my database onto another computer.
 
  

