08-11-2010, 04:52 PM
#1
LQ Newbie
Registered: Aug 2010
Posts: 3
Rep:
Problem fail2ban
Hello
First, sorry for my English; I'm French.
I have been trying for some time to set up fail2ban. I installed it via apt-get install fail2ban, but it does not work.
Here is an example of a ban that apparently did not work:
Code:
2010-08-02 14:45:56,227 fail2ban.actions.action: ERROR iptables -N fail2ban-ssh
iptables -A fail2ban-ssh -j RETURN
iptables -I INPUT -p tcp -m multiport --dports ssh -j fail2ban-ssh returned 100
2010-08-02 14:45:59,238 fail2ban.actions: WARNING [ssh] Ban 219.139.243.236
2010-08-02 14:45:59,252 fail2ban.actions.action: ERROR iptables -n -L INPUT | grep -q fail2ban-ssh returned 100
2010-08-02 14:45:59,253 fail2ban.actions.action: ERROR Invariant check failed. Trying to restore a sane environment
2010-08-02 14:45:59,266 fail2ban.actions.action: ERROR iptables -N fail2ban-ssh
iptables -A fail2ban-ssh -j RETURN
iptables -I INPUT -p tcp -m multiport --dports ssh -j fail2ban-ssh returned 100
2010-08-02 14:45:59,271 fail2ban.actions.action: ERROR iptables -n -L INPUT | grep -q fail2ban-ssh returned 100
2010-08-02 14:45:59,271 fail2ban.actions.action: CRITICAL Unable to restore environment
2010-08-02 14:46:10,313 fail2ban.actions: WARNING [ssh] 219.139.243.236 already banned
2010-08-02 14:46:20,353 fail2ban.actions: WARNING [ssh] 219.139.243.236 already banned
I have a fail2ban installation that works correctly on another machine. I copied its configuration files onto this machine today, but after a restart it still does not work:
Code:
2010-08-02 16:54:59,587 fail2ban.jail : INFO Jail 'ssh' started
2010-08-02 16:54:59,648 fail2ban.actions.action: ERROR iptables -N fail2ban-ssh
iptables -A fail2ban-ssh -j RETURN
iptables -I INPUT -p tcp -m multiport --dports ssh -j fail2ban-ssh returned 100
Thank you
08-11-2010, 05:18 PM
#2
Moderator
Registered: May 2001
Posts: 29,415
Quote:
Originally Posted by
zoneech
Code:
iptables (..) fail2ban (..) returned 100
From the fail2ban.org Wiki:
"It seems that your iptables setup (related to fail2ban) get changed while fail2ban is running. Some firewall scripts/apps flush all rules when saving the changes. If fail2ban runs, it will not find its own chains anymore and will try to restore them."
If that's not a sufficient answer, does your fail2ban.log show more clues? And if you set loglevel = 4 in fail2ban.conf?
Last edited by unSpawn; 08-12-2010 at 05:25 PM .
Reason: //tag cleanup
08-12-2010, 03:53 AM
#3
LQ Newbie
Registered: Aug 2010
Posts: 3
Original Poster
Rep:
Hello
I put loglevel = 4 in fail2ban.conf
Here's what I get after a restart of fail2ban:
Code:
2010-08-12 10:48:05,723 fail2ban.actions.action: ERROR iptables -D INPUT -p tcp -m multiport --dports ssh -j fail2ban-ssh
iptables -F fail2ban-ssh
iptables -X fail2ban-ssh returned 100
2010-08-12 10:48:06,487 fail2ban.jail : INFO Jail 'ssh' stopped
2010-08-12 10:48:08,922 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.3
2010-08-12 10:48:08,923 fail2ban.comm : DEBUG Command: ['add', 'ssh', 'polling']
2010-08-12 10:48:08,923 fail2ban.jail : INFO Creating new jail 'ssh'
2010-08-12 10:48:08,923 fail2ban.jail : INFO Jail 'ssh' uses poller
2010-08-12 10:48:08,969 fail2ban.filter : DEBUG Created Filter
2010-08-12 10:48:08,970 fail2ban.filter : DEBUG Created FilterPoll
2010-08-12 10:48:08,970 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'addlogpath', '/var/log/auth.log']
2010-08-12 10:48:08,970 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2010-08-12 10:48:08,971 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'maxretry', '6']
2010-08-12 10:48:08,971 fail2ban.filter : INFO Set maxRetry = 6
2010-08-12 10:48:08,972 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'addignoreip', '127.0.0.1']
2010-08-12 10:48:08,972 fail2ban.filter : DEBUG Add 127.0.0.1 to ignore list
2010-08-12 10:48:08,972 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'findtime', '600']
2010-08-12 10:48:08,972 fail2ban.filter : INFO Set findtime = 600
2010-08-12 10:48:08,973 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'bantime', '600']
2010-08-12 10:48:08,973 fail2ban.actions: INFO Set banTime = 600
2010-08-12 10:48:08,974 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*(?:error: PAM: )?Authentication failure for .* from <HOST>\\s*$']
2010-08-12 10:48:08,977 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\\s*$']
2010-08-12 10:48:08,982 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*Failed (?:password|publickey) for .* from <HOST>(?: port \\d*)?(?: ssh\\d*)?$']
2010-08-12 10:48:08,987 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*ROOT LOGIN REFUSED.* FROM <HOST>\\s*$']
2010-08-12 10:48:08,993 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*[iI](?:llegal|nvalid) user .* from <HOST>\\s*$']
2010-08-12 10:48:09,001 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*User .+ from <HOST> not allowed because not listed in AllowUsers$']
2010-08-12 10:48:09,010 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'addfailregex', "^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*User .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\\s*$"]
2010-08-12 10:48:09,022 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*authentication failure; logname=\\S* uid=\\S* euid=\\S* tty=\\S* ruser=\\S* rhost=<HOST>(?:\\s+user=.*)?\\s*$']
2010-08-12 10:48:09,037 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*refused connect from \\S+ \\(<HOST>\\)\\s*$']
2010-08-12 10:48:09,054 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*Address <HOST> .* POSSIBLE BREAK-IN ATTEMPT\\s*$']
2010-08-12 10:48:09,073 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'addaction', 'iptables-multiport']
2010-08-12 10:48:09,073 fail2ban.actions.action: DEBUG Created Action
2010-08-12 10:48:09,074 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'actionban', 'iptables-multiport', 'iptables -I fail2ban-<name> 1 -s <ip> -j DROP']
2010-08-12 10:48:09,074 fail2ban.actions.action: DEBUG Set actionBan = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
2010-08-12 10:48:09,075 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'actionstop', 'iptables-multiport', 'iptables -D INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>\niptables -F fail2ban-<name>\niptables -X fail2ban-<name>']
2010-08-12 10:48:09,075 fail2ban.actions.action: DEBUG Set actionStop = iptables -D INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
iptables -F fail2ban-<name>
iptables -X fail2ban-<name>
2010-08-12 10:48:09,075 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'actionstart', 'iptables-multiport', 'iptables -N fail2ban-<name>\niptables -A fail2ban-<name> -j RETURN\niptables -I INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>']
2010-08-12 10:48:09,076 fail2ban.actions.action: DEBUG Set actionStart = iptables -N fail2ban-<name>
iptables -A fail2ban-<name> -j RETURN
iptables -I INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
2010-08-12 10:48:09,076 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'actionunban', 'iptables-multiport', 'iptables -D fail2ban-<name> -s <ip> -j DROP']
2010-08-12 10:48:09,076 fail2ban.actions.action: DEBUG Set actionUnban = iptables -D fail2ban-<name> -s <ip> -j DROP
2010-08-12 10:48:09,077 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'actioncheck', 'iptables-multiport', 'iptables -n -L INPUT | grep -q fail2ban-<name>']
2010-08-12 10:48:09,077 fail2ban.actions.action: DEBUG Set actionCheck = iptables -n -L INPUT | grep -q fail2ban-<name>
2010-08-12 10:48:09,078 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'setcinfo', 'iptables-multiport', 'protocol', 'tcp']
2010-08-12 10:48:09,079 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'setcinfo', 'iptables-multiport', 'name', 'ssh']
2010-08-12 10:48:09,079 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'setcinfo', 'iptables-multiport', 'port', 'ssh']
2010-08-12 10:48:09,080 fail2ban.comm : DEBUG Command: ['start', 'ssh']
2010-08-12 10:48:09,080 fail2ban.jail : INFO Jail 'ssh' started
2010-08-12 10:48:09,080 fail2ban.filter : DEBUG /var/log/auth.log has been modified
2010-08-12 10:48:09,183 fail2ban.actions.action: DEBUG iptables -N fail2ban-ssh
iptables -A fail2ban-ssh -j RETURN
iptables -I INPUT -p tcp -m multiport --dports ssh -j fail2ban-ssh
2010-08-12 10:48:09,191 fail2ban.actions.action: ERROR iptables -N fail2ban-ssh
iptables -A fail2ban-ssh -j RETURN
iptables -I INPUT -p tcp -m multiport --dports ssh -j fail2ban-ssh returned 100
2010-08-12 10:48:10,324 fail2ban.filter.datedetector: DEBUG Sorting the template list
2010-08-12 10:49:02,532 fail2ban.filter : DEBUG /var/log/auth.log has been modified
2010-08-12 10:49:02,532 fail2ban.filter.datedetector: DEBUG Sorting the template list
Thank you
08-12-2010, 04:41 PM
#4
Moderator
Registered: May 2001
Posts: 29,415
No, that doesn't show me any clues. If you stop fail2ban, run 'iptables -n --line-numbers -v -x -L INPUT', then start fail2ban and then run 'iptables -n --line-numbers -v -x -L INPUT' what gets shown?
08-13-2010, 04:49 AM
#5
LQ Newbie
Registered: Aug 2010
Posts: 3
Original Poster
Rep:
I do not really see what it matches, but here is what I get:
Code:
server:~# /etc/init.d/fail2ban stop
server:~# iptables -n --line-numbers -v -x -L INPUT
Chain INPUT (policy ACCEPT 9185 packets, 1436537 bytes)
num pkts bytes target prot opt in out source destination
server:~# /etc/init.d/fail2ban start
server:~# iptables -n --line-numbers -v -x -L INPUT
Chain INPUT (policy ACCEPT 11791 packets, 1850608 bytes)
num pkts bytes target prot opt in out source destination
server:~#
In the log file (/var/log/fail2ban.log):
Code:
2010-08-13 11:41:58,655 fail2ban.actions.action: DEBUG iptables -D INPUT -p tcp -m multiport --dports ssh -j fail2ban-ssh
iptables -F fail2ban-ssh
iptables -X fail2ban-ssh
2010-08-13 11:41:58,661 fail2ban.actions.action: ERROR iptables -D INPUT -p tcp -m multiport --dports ssh -j fail2ban-ssh
iptables -F fail2ban-ssh
iptables -X fail2ban-ssh returned 100
2010-08-13 11:41:58,661 fail2ban.actions: DEBUG ssh: action terminated
2010-08-13 11:41:58,662 fail2ban.jail : INFO Jail 'ssh' stopped
2010-08-13 11:41:58,662 fail2ban.server : DEBUG Removed socket file /var/run/fail2ban/fail2ban.sock
2010-08-13 11:41:58,662 fail2ban.server : DEBUG Socket shutdown
2010-08-13 11:42:16,674 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.3
2010-08-13 11:42:16,674 fail2ban.comm : DEBUG Command: ['add', 'ssh', 'polling']
2010-08-13 11:42:16,674 fail2ban.jail : INFO Creating new jail 'ssh'
2010-08-13 11:42:16,674 fail2ban.jail : INFO Jail 'ssh' uses poller
2010-08-13 11:42:16,689 fail2ban.filter : DEBUG Created Filter
2010-08-13 11:42:16,689 fail2ban.filter : DEBUG Created FilterPoll
2010-08-13 11:42:16,690 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'addlogpath', '/var/log/auth.log']
2010-08-13 11:42:16,690 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2010-08-13 11:42:16,691 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'maxretry', '6']
2010-08-13 11:42:16,691 fail2ban.filter : INFO Set maxRetry = 6
2010-08-13 11:42:16,691 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'addignoreip', '127.0.0.1']
2010-08-13 11:42:16,691 fail2ban.filter : DEBUG Add 127.0.0.1 to ignore list
2010-08-13 11:42:16,692 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'findtime', '600']
2010-08-13 11:42:16,692 fail2ban.filter : INFO Set findtime = 600
2010-08-13 11:42:16,693 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'bantime', '600']
2010-08-13 11:42:16,693 fail2ban.actions: INFO Set banTime = 600
2010-08-13 11:42:16,694 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*(?:error: PAM: )?Authentication failure for .* from <HOST>\\s*$']
2010-08-13 11:42:16,697 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\\s*$']
2010-08-13 11:42:16,702 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*Failed (?:password|publickey) for .* from <HOST>(?: port \\d*)?(?: ssh\\d*)?$']
2010-08-13 11:42:16,708 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*ROOT LOGIN REFUSED.* FROM <HOST>\\s*$']
2010-08-13 11:42:16,714 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*[iI](?:llegal|nvalid) user .* from <HOST>\\s*$']
2010-08-13 11:42:16,721 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*User .+ from <HOST> not allowed because not listed in AllowUsers$']
2010-08-13 11:42:16,731 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'addfailregex', "^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*User .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\\s*$"]
2010-08-13 11:42:16,742 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*authentication failure; logname=\\S* uid=\\S* euid=\\S* tty=\\S* ruser=\\S* rhost=<HOST>(?:\\s+user=.*)?\\s*$']
2010-08-13 11:42:16,757 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*refused connect from \\S+ \\(<HOST>\\)\\s*$']
2010-08-13 11:42:16,773 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*Address <HOST> .* POSSIBLE BREAK-IN ATTEMPT\\s*$']
2010-08-13 11:42:16,792 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'addaction', 'iptables-multiport']
2010-08-13 11:42:16,792 fail2ban.actions.action: DEBUG Created Action
2010-08-13 11:42:16,792 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'actionban', 'iptables-multiport', 'iptables -I fail2ban-<name> 1 -s <ip> -j DROP']
2010-08-13 11:42:16,793 fail2ban.actions.action: DEBUG Set actionBan = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
2010-08-13 11:42:16,793 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'actionstop', 'iptables-multiport', 'iptables -D INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>\niptables -F fail2ban-<name>\niptables -X fail2ban-<name>']
2010-08-13 11:42:16,793 fail2ban.actions.action: DEBUG Set actionStop = iptables -D INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
iptables -F fail2ban-<name>
iptables -X fail2ban-<name>
2010-08-13 11:42:16,794 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'actionstart', 'iptables-multiport', 'iptables -N fail2ban-<name>\niptables -A fail2ban-<name> -j RETURN\niptables -I INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>']
2010-08-13 11:42:16,794 fail2ban.actions.action: DEBUG Set actionStart = iptables -N fail2ban-<name>
iptables -A fail2ban-<name> -j RETURN
iptables -I INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
2010-08-13 11:42:16,795 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'actionunban', 'iptables-multiport', 'iptables -D fail2ban-<name> -s <ip> -j DROP']
2010-08-13 11:42:16,795 fail2ban.actions.action: DEBUG Set actionUnban = iptables -D fail2ban-<name> -s <ip> -j DROP
2010-08-13 11:42:16,795 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'actioncheck', 'iptables-multiport', 'iptables -n -L INPUT | grep -q fail2ban-<name>']
2010-08-13 11:42:16,795 fail2ban.actions.action: DEBUG Set actionCheck = iptables -n -L INPUT | grep -q fail2ban-<name>
2010-08-13 11:42:16,796 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'setcinfo', 'iptables-multiport', 'protocol', 'tcp']
2010-08-13 11:42:16,797 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'setcinfo', 'iptables-multiport', 'name', 'ssh']
2010-08-13 11:42:16,797 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'setcinfo', 'iptables-multiport', 'port', 'ssh']
2010-08-13 11:42:16,798 fail2ban.comm : DEBUG Command: ['start', 'ssh']
2010-08-13 11:42:16,798 fail2ban.filter : DEBUG /var/log/auth.log has been modified
2010-08-13 11:42:16,798 fail2ban.jail : INFO Jail 'ssh' started
2010-08-13 11:42:16,803 fail2ban.actions.action: DEBUG iptables -N fail2ban-ssh
iptables -A fail2ban-ssh -j RETURN
iptables -I INPUT -p tcp -m multiport --dports ssh -j fail2ban-ssh
2010-08-13 11:42:16,820 fail2ban.actions.action: ERROR iptables -N fail2ban-ssh
iptables -A fail2ban-ssh -j RETURN
iptables -I INPUT -p tcp -m multiport --dports ssh -j fail2ban-ssh returned 100
2010-08-13 11:42:17,292 fail2ban.filter.datedetector: DEBUG Sorting the template list
2010-08-13 11:42:18,296 fail2ban.filter : DEBUG /var/log/auth.log has been modified
2010-08-13 11:42:18,296 fail2ban.filter.datedetector: DEBUG Sorting the template list
2010-08-13 11:42:19,303 fail2ban.filter : DEBUG /var/log/auth.log has been modified
2010-08-13 11:42:19,304 fail2ban.filter.datedetector: DEBUG Sorting the template list
2010-08-13 11:42:21,312 fail2ban.filter : DEBUG /var/log/auth.log has been modified
2010-08-13 11:42:21,312 fail2ban.filter.datedetector: DEBUG Sorting the template list
[...]
2010-08-13 11:44:29,826 fail2ban.filter : DEBUG /var/log/auth.log has been modified
2010-08-13 11:44:29,827 fail2ban.filter.datedetector: DEBUG Sorting the template list
I have been getting this line since I set loglevel 4:
Code:
2010-08-13 11:42:39,384 fail2ban.filter.datedetector: DEBUG Sorting the template list
2010-08-13 11:42:40,387 fail2ban.filter : DEBUG /var/log/auth.log has been modified
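
Added example, not part of the original thread and not fail2ban's own code: a parser for the log format quoted above that joins the multi-line action commands, decodes the `returned 100` status, and lists bans that were logged while the jail's iptables chain did not exist. It assumes fail2ban 0.8.x writes the hexadecimal wait status of `os.system()` after `returned` (so 100 means exit status 1, which the shell takes from the last command of the block); `SAMPLE_LOG`, `records`, `analyze` and the address 192.0.2.10 are made up for the example.

```python
import re

# Constructed sample in the format of the fail2ban 0.8.3 lines quoted in this
# thread; 192.0.2.10 is a documentation address, not a value from the thread.
SAMPLE_LOG = """\
2010-08-02 14:45:56,227 fail2ban.actions.action: ERROR iptables -N fail2ban-ssh
iptables -A fail2ban-ssh -j RETURN
iptables -I INPUT -p tcp -m multiport --dports ssh -j fail2ban-ssh returned 100
2010-08-02 14:45:59,238 fail2ban.actions: WARNING [ssh] Ban 192.0.2.10
2010-08-02 14:45:59,252 fail2ban.actions.action: ERROR iptables -n -L INPUT | grep -q fail2ban-ssh returned 100
2010-08-02 14:45:59,271 fail2ban.actions.action: CRITICAL Unable to restore environment
2010-08-02 14:46:10,313 fail2ban.actions: WARNING [ssh] 192.0.2.10 already banned
"""

STAMP = re.compile(r"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3} ")
RECORD = re.compile(r"(\S+ \S+) (\S+)\s*: (\w+)\s+(.*)", re.S)
RESULT = re.compile(r"(.*) returned (successfully|[0-9a-f]+)", re.S)
BAN = re.compile(r"\[(\S+)\] Ban (\S+)")
# Command prefixes of the iptables-multiport action templates shown in the log.
KINDS = [("iptables -N ", "actionstart"), ("iptables -D INPUT ", "actionstop"),
         ("iptables -n -L INPUT ", "actioncheck")]


def records(text):
    """Return (time, logger, level, message) tuples. Lines without a timestamp
    are the rest of a multi-line action command and join the record above."""
    chunks = []
    for line in text.splitlines():
        if STAMP.match(line):
            chunks.append(line)
        elif chunks:
            chunks[-1] += "\n" + line
    return [m.groups() for m in map(RECORD.fullmatch, chunks) if m]


def analyze(text):
    """Return (failed_actions, unenforced_bans) for a fail2ban.log excerpt."""
    failures, unenforced, broken, last_ban = [], [], set(), None
    for when, logger, _level, msg in records(text):
        ban = BAN.fullmatch(msg)
        res = RESULT.fullmatch(msg) if logger == "fail2ban.actions.action" else None
        if ban:
            last_ban = (when, ban.group(1), ban.group(2))
            if ban.group(1) in broken:  # actionstart failed: no chain to ban into
                unenforced.append(last_ban)
        elif res:
            cmd, status = res.groups()
            kind = next((k for p, k in KINDS if cmd.startswith(p)), "other")
            chain = re.search(r"fail2ban-(\S+)", cmd)
            jail = chain.group(1) if chain else None
            if status == "successfully":  # only logged at loglevel 4
                if kind == "actionstart":
                    broken.discard(jail)
                continue
            if kind == "actionstart":
                broken.add(jail)
            # Assumption: the status is os.system()'s wait status in hex (100 -> exit 1).
            failures.append({"time": when, "jail": jail, "action": kind,
                             "exit": int(status, 16) >> 8, "last_command": cmd.splitlines()[-1]})
        elif msg == "Unable to restore environment" and last_ban not in (None, *unenforced):
            unenforced.append(last_ban)
    return failures, unenforced
```

At loglevel 3 a successful retry of `actionstart` is not logged, so a flagged ban is a prompt to check `iptables -n -L INPUT` rather than proof that the rule is missing.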