LinuxQuestions.org
Old 11-07-2012, 10:02 PM   #1
lineman60
Member
 
Registered: Oct 2003
Location: New Mexico
Distribution: CentOS, Ubuntu
Posts: 35

Rep: Reputation: 15
Fail2Ban running but not working


Fail2Ban appears to be running; running # iptables -L -v shows
Code:
Chain INPUT (policy ACCEPT 2883 packets, 312K bytes)
 pkts bytes target     prot opt in     out     source               destination                                                                                         
  294 25990 fail2ban-ssh  tcp  --  any    any     anywhere             anywhere                                                                                                    multiport dports ssh

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination                                                                                         

Chain OUTPUT (policy ACCEPT 2318 packets, 673K bytes)
 pkts bytes target     prot opt in     out     source               destination                                                                                         

Chain fail2ban-ssh (1 references)
 pkts bytes target     prot opt in     out     source               destination                                                                                         
  294 25990 RETURN     all  --  any    any     anywhere             anywhere
# fail2ban-client status
Code:
Status
|- Number of jail:      1
`- Jail list:           ssh
When I run $ fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf
Code:
- Number of matches:
   [1] 0 match(es)
   [2] 0 match(es)
   [3] 18 match(es)
   [4] 0 match(es)
   [5] 0 match(es)
   [6] 0 match(es)
   [7] 0 match(es)
   [8] 0 match(es)
   [9] 0 match(es)
   [10] 0 match(es)

Ignoreregex
|- Regular expressions:
|
`- Number of matches:

Summary
=======

Addresses found:
[1]
[2]
[3]
    10.1.1.146 (Mon Nov 05 20:04:23 2012)
    10.1.1.146 (Mon Nov 05 20:04:29 2012)
    10.1.1.146 (Mon Nov 05 20:11:40 2012)
    10.1.1.146 (Mon Nov 05 20:11:47 2012)
    
    10.1.1.148 (Tue Nov 06 19:08:00 2012)
    10.1.1.148 (Tue Nov 06 19:08:33 2012)
    10.1.1.148 (Tue Nov 06 19:28:51 2012)
    10.1.1.146 (Wed Nov 07 06:39:45 2012)
    10.1.1.148 (Wed Nov 07 18:13:02 2012)
    10.1.1.146 (Wed Nov 07 18:31:34 2012)
    10.1.1.146 (Wed Nov 07 18:31:47 2012)
    10.1.1.148 (Wed Nov 07 19:52:16 2012)
    10.1.1.148 (Wed Nov 07 19:52:19 2012)
[4]
[5]
[6]
[7]
[8]
[9]
[10]

Date template hits:
7808 hit(s): MONTH Day Hour:Minute:Second
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
0 hit(s): Year/Month/Day Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/MONTH/Year:Hour:Minute:Second
0 hit(s): Month/Day/Year:Hour:Minute:Second
0 hit(s): Year-Month-Day Hour:Minute:Second
0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
0 hit(s): Day-Month-Year Hour:Minute:Second
0 hit(s): TAI64N
0 hit(s): Epoch
0 hit(s): ISO 8601
0 hit(s): Hour:Minute:Second
0 hit(s): <Month/Day/Year@Hour:Minute:Second>

Success, the total number of match is 18

However, look at the above section 'Running tests' which could contain important information.
But if I attempt to log in with the wrong password several times and then attempt to log in with the right password, it lets me ssh in. I ran the iptables -L -v at the top as soon as I logged in after about 6 failed attempts. My IP was not in iptables.
# /var/log/auth.log
Code:
Nov  7 19:52:16 ubuntu sshd[4696]: Failed password for user from 10.1.1.148 port 51346 ssh2
Nov  7 19:52:17 ubuntu sshd[4696]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.1.1.148  user=user
Nov  7 19:52:19 ubuntu sshd[4696]: Failed password for user from 10.1.1.148 port 51346 ssh2
Nov  7 19:52:33 ubuntu sshd[4696]: last message repeated 4 times
Nov  7 19:52:33 ubuntu sshd[4696]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.1.1.148  user=user
Nov  7 19:52:33 ubuntu sshd[4696]: PAM service(sshd) ignoring max retries; 5 > 3
Nov  7 19:52:56 ubuntu sshd[4699]: Accepted password for user from 10.1.1.148 port 51348 ssh2
Nov
and my ssh setting from jail.conf/jail.local
Code:

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1
findtime = 500
bantime  = 600
maxretry = 3


#backend = polling
#tried both
backend = auto

#
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = root@localhost

banaction = iptables-multiport

mta = sendmail

# Default protocol
protocol = tcp

#
# Action shortcuts. To be used to define action parameter

# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s]

# ban & send an e-mail with whois report to the destemail.
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s]
              %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s]

# ban & send an e-mail with whois report and relevant log lines
# to the destemail.
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s]
               %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s]
 
# Choose default action.  To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g.  action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section 
action = %(action_)s


[ssh]

enabled = true
port	= ssh
filter	= sshd
logpath  = /var/log/auth.log
maxretry = 3

# Generic filter for pam. Has to be used with action which bans all ports
# such as iptables-allports, shorewall
[pam-generic]

enabled = false
# pam-generic filter can be customized to monitor specific subset of 'tty's
filter	= pam-generic
# port actually must be irrelevant but lets leave it all for some possible uses
port = all
banaction = iptables-allports
port     = anyport
logpath  = /var/log/auth.log
maxretry = 3

[xinetd-fail]

enabled   = false
filter    = xinetd-fail
port      = all
banaction = iptables-multiport-log
logpath   = /var/log/daemon.log
maxretry  = 2


[ssh-ddos]

enabled = false
port    = ssh
filter  = sshd-ddos
logpath  = /var/log/auth.log
maxretry = 3

#
# HTTP servers
#

[apache]

enabled = false
port	= http,https
filter	= apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 6

# default action is now multiport, so apache-multiport jail was left
# for compatibility with previous (<0.7.6-2) releases
[apache-multiport]

enabled   = false
port	  = http,https
filter	  = apache-auth
logpath   = /var/log/apache*/*error.log
maxretry  = 6

[apache-noscript]

enabled = false
port    = http,https
filter  = apache-noscript
logpath = /var/log/apache*/*error.log
maxretry = 6

[apache-overflows]

enabled = false
port    = http,https
filter  = apache-overflows
logpath = /var/log/apache*/*error.log
maxretry = 2

#
# FTP servers
#

[vsftpd]

enabled  = false
port	 = ftp,ftp-data,ftps,ftps-data
filter   = vsftpd
logpath  = /var/log/vsftpd.log

maxretry = 6


[proftpd]

enabled  = false
port	 = ftp,ftp-data,ftps,ftps-data
filter   = proftpd
logpath  = /var/log/proftpd/proftpd.log
maxretry = 6


[wuftpd]

enabled  = false
port	 = ftp,ftp-data,ftps,ftps-data
filter   = wuftpd
logpath  = /var/log/auth.log
maxretry = 6


[postfix]

enabled  = false
port	 = smtp,ssmtp
filter   = postfix
logpath  = /var/log/mail.log


[couriersmtp]

enabled  = false
port	 = smtp,ssmtp
filter   = couriersmtp
logpath  = /var/log/mail.log


[courierauth]

enabled  = false
port	 = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter   = courierlogin
logpath  = /var/log/mail.log


[sasl]

enabled  = false
port	 = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter   = sasl

logpath  = /var/log/mail.log
[named-refused-udp]

enabled  = false
port     = domain,953
protocol = udp
filter   = named-refused
logpath  = /var/log/named/security.log

[named-refused-tcp]

enabled  = false
port     = domain,953
protocol = tcp
filter   = named-refused
logpath  = /var/log/named/security.log
Any suggestions on why it's not working would be appreciated.

Last edited by lineman60; 11-08-2012 at 09:59 PM. Reason: added Full Jail.local file
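An added example (not part of the thread and not fail2ban's own code) that replays the auth.log excerpt posted above through a simplified model of the ssh jail: a stand-in for the sshd filter's "Failed password" failregex plus the findtime/maxretry sliding window from the posted jail.local. The syslog "last message repeated 4 times" line is not a match for that regex, so the model counts only two failures for 10.1.1.148 inside findtime, below maxretry = 3; the year and the regex itself are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: the auth.log lines quoted in the original post.
AUTH_LOG = """\
Nov  7 19:52:16 ubuntu sshd[4696]: Failed password for user from 10.1.1.148 port 51346 ssh2
Nov  7 19:52:17 ubuntu sshd[4696]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.1.1.148  user=user
Nov  7 19:52:19 ubuntu sshd[4696]: Failed password for user from 10.1.1.148 port 51346 ssh2
Nov  7 19:52:33 ubuntu sshd[4696]: last message repeated 4 times
Nov  7 19:52:33 ubuntu sshd[4696]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.1.1.148  user=user
Nov  7 19:52:56 ubuntu sshd[4699]: Accepted password for user from 10.1.1.148 port 51348 ssh2
"""

FINDTIME = 500   # seconds, from the posted jail.local
MAXRETRY = 3     # from the posted jail.local
YEAR = 2012      # syslog timestamps carry no year; assumed from the thread date

# Simplified stand-in for the sshd "Failed password" failregex (assumption,
# not fail2ban's own pattern). <host> plays the role of fail2ban's <HOST>.
FAILREGEX = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<host>\S+) port \d+"
)

def parse_failures(log_text):
    """Yield (timestamp, host) for each line the failregex matches.
    Lines like 'last message repeated N times' carry no host and never match."""
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if m:
            ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["host"]

def bans(log_text, findtime=FINDTIME, maxretry=MAXRETRY):
    """Per-host sliding window like a jail: a host is banned once maxretry
    matched failures fall within findtime seconds. Returns {host: ban_time}."""
    window = defaultdict(deque)
    banned = {}
    for ts, host in parse_failures(log_text):
        q = window[host]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:   # drop stale failures
            q.popleft()
        if len(q) >= maxretry and host not in banned:
            banned[host] = ts
    return banned

if __name__ == "__main__":
    print([h for _, h in parse_failures(AUTH_LOG)])   # two matches only
    print(bans(AUTH_LOG))                              # {} : no ban reached
```

Writing the four collapsed failures out as individual "Failed password" lines (for instance by disabling syslog's repeat suppression) would push the same window past maxretry.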
 
Old 11-08-2012, 04:40 PM   #2
londy
LQ Newbie
 
Registered: Feb 2009
Distribution: openSUSE 11.4
Posts: 28

Rep: Reputation: 3
Is that really the entire ssh section of jail.local? It's missing some basic stuff like 'enabled = true'. If you have that already, perhaps post the entire section.
 
Old 11-08-2012, 09:56 PM   #3
lineman60
Member
 
Registered: Oct 2003
Location: New Mexico
Distribution: CentOS, Ubuntu
Posts: 35

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by londy
Is that really the entire ssh section of jail.local? It's missing some basic stuff like 'enabled = true'. If you have that already, perhaps post the entire section.
No it was not, but I added it.
 