LinuxQuestions.org
Forum: Linux - Security
Old 08-11-2010, 04:52 PM   #1
zoneech
LQ Newbie
 
Registered: Aug 2010
Posts: 3

Rep: Reputation: 0
Problem fail2ban


Hello

First sorry for my English, I'm French.

I have been looking for some time at how to set up fail2ban. I installed it via apt-get install fail2ban, but it does not work.

Here is an example of a ban that apparently has not worked:

Code:
2010-08-02 14:45:56,227 fail2ban.actions.action: ERROR  iptables -N fail2ban-ssh
iptables -A fail2ban-ssh -j RETURN
iptables -I INPUT -p tcp -m multiport --dports ssh -j fail2ban-ssh returned 100
2010-08-02 14:45:59,238 fail2ban.actions: WARNING [ssh] Ban 219.139.243.236
2010-08-02 14:45:59,252 fail2ban.actions.action: ERROR  iptables -n -L INPUT | grep -q fail2ban-ssh returned 100
2010-08-02 14:45:59,253 fail2ban.actions.action: ERROR  Invariant check failed. Trying to restore a sane environment
2010-08-02 14:45:59,266 fail2ban.actions.action: ERROR  iptables -N fail2ban-ssh
iptables -A fail2ban-ssh -j RETURN
iptables -I INPUT -p tcp -m multiport --dports ssh -j fail2ban-ssh returned 100
2010-08-02 14:45:59,271 fail2ban.actions.action: ERROR  iptables -n -L INPUT | grep -q fail2ban-ssh returned 100
2010-08-02 14:45:59,271 fail2ban.actions.action: CRITICAL Unable to restore environment
2010-08-02 14:46:10,313 fail2ban.actions: WARNING [ssh] 219.139.243.236 already banned
2010-08-02 14:46:20,353 fail2ban.actions: WARNING [ssh] 219.139.243.236 already banned
I installed fail2ban on another machine where it works correctly; I copied its configuration files and put them on this machine today, but even after a restart, without success:

Code:
2010-08-02 16:54:59,587 fail2ban.jail   : INFO   Jail 'ssh' started
2010-08-02 16:54:59,648 fail2ban.actions.action: ERROR  iptables -N fail2ban-ssh
iptables -A fail2ban-ssh -j RETURN
iptables -I INPUT -p tcp -m multiport --dports ssh -j fail2ban-ssh returned 100
Thank you
 
Old 08-11-2010, 05:18 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by zoneech
Code:
iptables (..) fail2ban (..) returned 100
From the fail2ban.org Wiki: "It seems that your iptables setup (related to fail2ban) get changed while fail2ban is running. Some firewall scripts/apps flush all rules when saving the changes. If fail2ban runs, it will not find its own chains anymore and will try to restore them.". If that's not a sufficient answer, does your fail2ban.log show more clues? And if you set loglevel = 4 in fail2ban.conf?

Last edited by unSpawn; 08-12-2010 at 05:25 PM. Reason: //tag cleanup
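The wiki explanation quoted above describes chains that disappear while fail2ban is running, which shows up in fail2ban.log as action commands that "returned" a non-zero status. As an added example (not code from the thread or from fail2ban itself), the following Python triages such a log: it parses the multi-line action errors, counts which action failed, and flags bans that were logged right before a failed chain check. SAMPLE_LOG and the 192.0.2.10 address in it are constructed.

```python
"""Triage a fail2ban 0.8 log for iptables actions that failed.

Added example, not code from the thread or from fail2ban itself: it reports
which action returned non-zero and which bans could not have taken effect
because the jail's chain was missing. SAMPLE_LOG is constructed."""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) (\S+)\s*: ([A-Z]+)\s+(.*)$")
RETURNED_RE = re.compile(r" returned (\d+)$")
BAN_RE = re.compile(r"^\[(\S+)\] Ban (\S+)$")

SAMPLE_LOG = """\
2010-08-02 14:45:56,227 fail2ban.actions.action: ERROR  iptables -N fail2ban-ssh
iptables -A fail2ban-ssh -j RETURN
iptables -I INPUT -p tcp -m multiport --dports ssh -j fail2ban-ssh returned 100
2010-08-02 14:45:59,238 fail2ban.actions: WARNING [ssh] Ban 192.0.2.10
2010-08-02 14:45:59,252 fail2ban.actions.action: ERROR  iptables -n -L INPUT | grep -q fail2ban-ssh returned 100
2010-08-02 14:45:59,253 fail2ban.actions.action: ERROR  Invariant check failed. Trying to restore a sane environment
2010-08-02 14:45:59,271 fail2ban.actions.action: CRITICAL Unable to restore environment
2010-08-02 14:46:10,313 fail2ban.actions: WARNING [ssh] 192.0.2.10 already banned
"""

def parse_log(text):
    """(timestamp, logger, level, message) tuples; lines without a timestamp
    continue the previous multi-line action command."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(list(m.groups()))
        elif records:
            records[-1][3] += "\n" + line
    return [tuple(r) for r in records]

def classify_action(cmd):
    """Map a failed command's first line to the iptables-multiport action that
    issued it (names as in the DEBUG output in the thread)."""
    first = cmd.split("\n", 1)[0]
    if first.startswith("iptables -N "):
        return "actionstart"
    if first.startswith("iptables -n -L INPUT | grep"):
        return "actioncheck"
    if first.startswith("iptables -D INPUT "):
        return "actionstop"
    return "unknown"

def diagnose(text):
    """Count failed actions; a Ban followed by a failed actioncheck means the
    DROP rule was never inserted, so that ban is reported as unenforced."""
    failures = defaultdict(int)
    unenforced, pending_ban, invariant_failed = [], None, False
    for _ts, logger, level, msg in parse_log(text):
        failed = (logger == "fail2ban.actions.action" and level == "ERROR"
                  and RETURNED_RE.search(msg) is not None)
        if failed:
            action = classify_action(msg)
            failures[action] += 1
            if action == "actioncheck" and pending_ban:
                unenforced.append(pending_ban)
                pending_ban = None
            continue
        if "Invariant check failed" in msg:
            invariant_failed = True
        bm = BAN_RE.match(msg)
        if logger == "fail2ban.actions" and level == "WARNING" and bm:
            pending_ban = (bm.group(1), bm.group(2))  # (jail, ip)
    return {"failures": dict(failures), "invariant_failed": invariant_failed,
            "unenforced_bans": unenforced}
```

Feed it the real file with `diagnose(open("/var/log/fail2ban.log").read())`; a non-empty `unenforced_bans` list means the WARNING "Ban" lines are not backed by a DROP rule in the firewall.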
 
Old 08-12-2010, 03:53 AM   #3
zoneech
LQ Newbie
 
Registered: Aug 2010
Posts: 3

Original Poster
Rep: Reputation: 0
Hello

I put loglevel = 4 in fail2ban.conf

Here's what I get after a restart of fail2ban:
Code:
2010-08-12 10:48:05,723 fail2ban.actions.action: ERROR  iptables -D INPUT -p tcp -m multiport --dports ssh -j fail2ban-ssh
iptables -F fail2ban-ssh
iptables -X fail2ban-ssh returned 100
2010-08-12 10:48:06,487 fail2ban.jail   : INFO   Jail 'ssh' stopped
2010-08-12 10:48:08,922 fail2ban.server : INFO   Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.3
2010-08-12 10:48:08,923 fail2ban.comm   : DEBUG  Command: ['add', 'ssh', 'polling']
2010-08-12 10:48:08,923 fail2ban.jail   : INFO   Creating new jail 'ssh'
2010-08-12 10:48:08,923 fail2ban.jail   : INFO   Jail 'ssh' uses poller
2010-08-12 10:48:08,969 fail2ban.filter : DEBUG  Created Filter
2010-08-12 10:48:08,970 fail2ban.filter : DEBUG  Created FilterPoll
2010-08-12 10:48:08,970 fail2ban.comm   : DEBUG  Command: ['set', 'ssh', 'addlogpath', '/var/log/auth.log']
2010-08-12 10:48:08,970 fail2ban.filter : INFO   Added logfile = /var/log/auth.log
2010-08-12 10:48:08,971 fail2ban.comm   : DEBUG  Command: ['set', 'ssh', 'maxretry', '6']
2010-08-12 10:48:08,971 fail2ban.filter : INFO   Set maxRetry = 6
2010-08-12 10:48:08,972 fail2ban.comm   : DEBUG  Command: ['set', 'ssh', 'addignoreip', '127.0.0.1']
2010-08-12 10:48:08,972 fail2ban.filter : DEBUG  Add 127.0.0.1 to ignore list
2010-08-12 10:48:08,972 fail2ban.comm   : DEBUG  Command: ['set', 'ssh', 'findtime', '600']
2010-08-12 10:48:08,972 fail2ban.filter : INFO   Set findtime = 600
2010-08-12 10:48:08,973 fail2ban.comm   : DEBUG  Command: ['set', 'ssh', 'bantime', '600']
2010-08-12 10:48:08,973 fail2ban.actions: INFO   Set banTime = 600
2010-08-12 10:48:08,974 fail2ban.comm   : DEBUG  Command: ['set', 'ssh', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*(?:error: PAM: )?Authentication failure for .* from <HOST>\\s*$']
2010-08-12 10:48:08,977 fail2ban.comm   : DEBUG  Command: ['set', 'ssh', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\\s*$']
2010-08-12 10:48:08,982 fail2ban.comm   : DEBUG  Command: ['set', 'ssh', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*Failed (?:password|publickey) for .* from <HOST>(?: port \\d*)?(?: ssh\\d*)?$']
2010-08-12 10:48:08,987 fail2ban.comm   : DEBUG  Command: ['set', 'ssh', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*ROOT LOGIN REFUSED.* FROM <HOST>\\s*$']
2010-08-12 10:48:08,993 fail2ban.comm   : DEBUG  Command: ['set', 'ssh', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*[iI](?:llegal|nvalid) user .* from <HOST>\\s*$']
2010-08-12 10:48:09,001 fail2ban.comm   : DEBUG  Command: ['set', 'ssh', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*User .+ from <HOST> not allowed because not listed in AllowUsers$']
2010-08-12 10:48:09,010 fail2ban.comm   : DEBUG  Command: ['set', 'ssh', 'addfailregex', "^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*User .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\\s*$"]
2010-08-12 10:48:09,022 fail2ban.comm   : DEBUG  Command: ['set', 'ssh', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*authentication failure; logname=\\S* uid=\\S* euid=\\S* tty=\\S* ruser=\\S* rhost=<HOST>(?:\\s+user=.*)?\\s*$']
2010-08-12 10:48:09,037 fail2ban.comm   : DEBUG  Command: ['set', 'ssh', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*refused connect from \\S+ \\(<HOST>\\)\\s*$']
2010-08-12 10:48:09,054 fail2ban.comm   : DEBUG  Command: ['set', 'ssh', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*Address <HOST> .* POSSIBLE BREAK-IN ATTEMPT\\s*$']
2010-08-12 10:48:09,073 fail2ban.comm   : DEBUG  Command: ['set', 'ssh', 'addaction', 'iptables-multiport']
2010-08-12 10:48:09,073 fail2ban.actions.action: DEBUG  Created Action
2010-08-12 10:48:09,074 fail2ban.comm   : DEBUG  Command: ['set', 'ssh', 'actionban', 'iptables-multiport', 'iptables -I fail2ban-<name> 1 -s <ip> -j DROP']
2010-08-12 10:48:09,074 fail2ban.actions.action: DEBUG  Set actionBan = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
2010-08-12 10:48:09,075 fail2ban.comm   : DEBUG  Command: ['set', 'ssh', 'actionstop', 'iptables-multiport', 'iptables -D INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>\niptables -F fail2ban-<name>\niptables -X fail2ban-<name>']
2010-08-12 10:48:09,075 fail2ban.actions.action: DEBUG  Set actionStop = iptables -D INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
iptables -F fail2ban-<name>
iptables -X fail2ban-<name>
2010-08-12 10:48:09,075 fail2ban.comm   : DEBUG  Command: ['set', 'ssh', 'actionstart', 'iptables-multiport', 'iptables -N fail2ban-<name>\niptables -A fail2ban-<name> -j RETURN\niptables -I INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>']
2010-08-12 10:48:09,076 fail2ban.actions.action: DEBUG  Set actionStart = iptables -N fail2ban-<name>
iptables -A fail2ban-<name> -j RETURN
iptables -I INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
2010-08-12 10:48:09,076 fail2ban.comm   : DEBUG  Command: ['set', 'ssh', 'actionunban', 'iptables-multiport', 'iptables -D fail2ban-<name> -s <ip> -j DROP']
2010-08-12 10:48:09,076 fail2ban.actions.action: DEBUG  Set actionUnban = iptables -D fail2ban-<name> -s <ip> -j DROP
2010-08-12 10:48:09,077 fail2ban.comm   : DEBUG  Command: ['set', 'ssh', 'actioncheck', 'iptables-multiport', 'iptables -n -L INPUT | grep -q fail2ban-<name>']
2010-08-12 10:48:09,077 fail2ban.actions.action: DEBUG  Set actionCheck = iptables -n -L INPUT | grep -q fail2ban-<name>
2010-08-12 10:48:09,078 fail2ban.comm   : DEBUG  Command: ['set', 'ssh', 'setcinfo', 'iptables-multiport', 'protocol', 'tcp']
2010-08-12 10:48:09,079 fail2ban.comm   : DEBUG  Command: ['set', 'ssh', 'setcinfo', 'iptables-multiport', 'name', 'ssh']
2010-08-12 10:48:09,079 fail2ban.comm   : DEBUG  Command: ['set', 'ssh', 'setcinfo', 'iptables-multiport', 'port', 'ssh']
2010-08-12 10:48:09,080 fail2ban.comm   : DEBUG  Command: ['start', 'ssh']
2010-08-12 10:48:09,080 fail2ban.jail   : INFO   Jail 'ssh' started
2010-08-12 10:48:09,080 fail2ban.filter : DEBUG  /var/log/auth.log has been modified
2010-08-12 10:48:09,183 fail2ban.actions.action: DEBUG  iptables -N fail2ban-ssh
iptables -A fail2ban-ssh -j RETURN
iptables -I INPUT -p tcp -m multiport --dports ssh -j fail2ban-ssh
2010-08-12 10:48:09,191 fail2ban.actions.action: ERROR  iptables -N fail2ban-ssh
iptables -A fail2ban-ssh -j RETURN
iptables -I INPUT -p tcp -m multiport --dports ssh -j fail2ban-ssh returned 100
2010-08-12 10:48:10,324 fail2ban.filter.datedetector: DEBUG  Sorting the template list
2010-08-12 10:49:02,532 fail2ban.filter : DEBUG  /var/log/auth.log has been modified
2010-08-12 10:49:02,532 fail2ban.filter.datedetector: DEBUG  Sorting the template list
Thank you
 
Old 08-12-2010, 04:41 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
No, that doesn't show me any clues. If you stop fail2ban, run 'iptables -n --line-numbers -v -x -L INPUT', then start fail2ban and then run 'iptables -n --line-numbers -v -x -L INPUT' what gets shown?
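The check unSpawn asks for, as an added Python example (not code from the thread): it parses the listing format of iptables -n -v -x --line-numbers -L, but for all chains rather than only INPUT, so it can tell whether the fail2ban-<jail> chain exists, whether INPUT jumps to it, and whether the chain ends in RETURN. Both embedded listings are constructed; live_status() runs the real command and needs root.

```python
"""Verify that fail2ban's iptables-multiport chain for a jail is wired in.

Added example, not code from the thread: it parses the output of
`iptables -n -v -x --line-numbers -L` (all chains, not only INPUT, so the
jail's own chain is visible too). Both listings below are constructed."""
import re
import subprocess

CHAIN_HDR = re.compile(r"^Chain (\S+) \(")

# Shape of the listing posted in the thread: INPUT has no rules at all.
BROKEN_LISTING = """\
Chain INPUT (policy ACCEPT 11791 packets, 1850608 bytes)
num      pkts      bytes target     prot opt in     out     source               destination
"""

# A working jail: INPUT jumps into fail2ban-ssh, one banned host, then RETURN.
HEALTHY_LISTING = """\
Chain INPUT (policy ACCEPT 9185 packets, 1436537 bytes)
num      pkts      bytes target     prot opt in     out     source               destination
1          12       720 fail2ban-ssh  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22

Chain fail2ban-ssh (1 references)
num      pkts      bytes target     prot opt in     out     source               destination
1           3       180 DROP       all  --  *      *       192.0.2.10           0.0.0.0/0
2           9       540 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

def parse_listing(text):
    """Return {chain: [rule fields]}; header and blank lines are skipped."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_HDR.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
        elif current and line.strip() and not line.startswith("num"):
            chains[current].append(line.split())
    return chains

def target_of(rule):
    """With --line-numbers -v -x the columns are num pkts bytes target ..."""
    return rule[3] if len(rule) > 3 else ""

def jail_status(text, jail):
    """(chain_exists, input_jumps_to_chain, chain_has_return_rule)."""
    name = "fail2ban-" + jail
    chains = parse_listing(text)
    hooked = any(target_of(r) == name for r in chains.get("INPUT", []))
    returns = any(target_of(r) == "RETURN" for r in chains.get(name, []))
    return name in chains, hooked, returns

def explain(status):
    """Map the status tuple to the fail2ban action that must have failed."""
    exists, hooked, _returns = status
    if not exists:
        return "chain missing: actionstart failed or the firewall flushed it"
    if not hooked:
        return "chain exists but INPUT does not jump to it: actioncheck fails"
    return "ok"

def live_status(jail):
    """Run the real listing (needs root); None if iptables is unavailable."""
    try:
        out = subprocess.run(["iptables", "-n", "-v", "-x", "--line-numbers", "-L"],
                             capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    return jail_status(out, jail)
```

Run `explain(live_status("ssh"))` once with fail2ban stopped and once after starting it: the stopped run should report the chain missing and the started run should report ok.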
 
Old 08-13-2010, 04:49 AM   #5
zoneech
LQ Newbie
 
Registered: Aug 2010
Posts: 3

Original Poster
Rep: Reputation: 0
I do not really see what it matches, but here is what I get:

Code:
server:~# /etc/init.d/fail2ban stop
server:~# iptables -n --line-numbers -v -x -L INPUT
Chain INPUT (policy ACCEPT 9185 packets, 1436537 bytes)
num      pkts      bytes target     prot opt in     out     source               destination
server:~# /etc/init.d/fail2ban start
server:~# iptables -n --line-numbers -v -x -L INPUT
Chain INPUT (policy ACCEPT 11791 packets, 1850608 bytes)
num      pkts      bytes target     prot opt in     out     source               destination
server:~#
In the log file (/var/log/fail2ban.log):

Code:
2010-08-13 11:41:58,655 fail2ban.actions.action: DEBUG  iptables -D INPUT -p tcp -m multiport --dports ssh -j fail2ban-ssh
iptables -F fail2ban-ssh
iptables -X fail2ban-ssh
2010-08-13 11:41:58,661 fail2ban.actions.action: ERROR  iptables -D INPUT -p tcp -m multiport --dports ssh -j fail2ban-ssh
iptables -F fail2ban-ssh
iptables -X fail2ban-ssh returned 100
2010-08-13 11:41:58,661 fail2ban.actions: DEBUG  ssh: action terminated
2010-08-13 11:41:58,662 fail2ban.jail   : INFO   Jail 'ssh' stopped
2010-08-13 11:41:58,662 fail2ban.server : DEBUG  Removed socket file /var/run/fail2ban/fail2ban.sock
2010-08-13 11:41:58,662 fail2ban.server : DEBUG  Socket shutdown
2010-08-13 11:42:16,674 fail2ban.server : INFO   Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.3
2010-08-13 11:42:16,674 fail2ban.comm   : DEBUG  Command: ['add', 'ssh', 'polling']
2010-08-13 11:42:16,674 fail2ban.jail   : INFO   Creating new jail 'ssh'
2010-08-13 11:42:16,674 fail2ban.jail   : INFO   Jail 'ssh' uses poller
2010-08-13 11:42:16,689 fail2ban.filter : DEBUG  Created Filter
2010-08-13 11:42:16,689 fail2ban.filter : DEBUG  Created FilterPoll
2010-08-13 11:42:16,690 fail2ban.comm   : DEBUG  Command: ['set', 'ssh', 'addlogpath', '/var/log/auth.log']
2010-08-13 11:42:16,690 fail2ban.filter : INFO   Added logfile = /var/log/auth.log
2010-08-13 11:42:16,691 fail2ban.comm   : DEBUG  Command: ['set', 'ssh', 'maxretry', '6']
2010-08-13 11:42:16,691 fail2ban.filter : INFO   Set maxRetry = 6
2010-08-13 11:42:16,691 fail2ban.comm   : DEBUG  Command: ['set', 'ssh', 'addignoreip', '127.0.0.1']
2010-08-13 11:42:16,691 fail2ban.filter : DEBUG  Add 127.0.0.1 to ignore list
2010-08-13 11:42:16,692 fail2ban.comm   : DEBUG  Command: ['set', 'ssh', 'findtime', '600']
2010-08-13 11:42:16,692 fail2ban.filter : INFO   Set findtime = 600
2010-08-13 11:42:16,693 fail2ban.comm   : DEBUG  Command: ['set', 'ssh', 'bantime', '600']
2010-08-13 11:42:16,693 fail2ban.actions: INFO   Set banTime = 600
2010-08-13 11:42:16,694 fail2ban.comm   : DEBUG  Command: ['set', 'ssh', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*(?:error: PAM: )?Authentication failure for .* from <HOST>\\s*$']
2010-08-13 11:42:16,697 fail2ban.comm   : DEBUG  Command: ['set', 'ssh', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\\s*$']
2010-08-13 11:42:16,702 fail2ban.comm   : DEBUG  Command: ['set', 'ssh', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*Failed (?:password|publickey) for .* from <HOST>(?: port \\d*)?(?: ssh\\d*)?$']
2010-08-13 11:42:16,708 fail2ban.comm   : DEBUG  Command: ['set', 'ssh', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*ROOT LOGIN REFUSED.* FROM <HOST>\\s*$']
2010-08-13 11:42:16,714 fail2ban.comm   : DEBUG  Command: ['set', 'ssh', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*[iI](?:llegal|nvalid) user .* from <HOST>\\s*$']
2010-08-13 11:42:16,721 fail2ban.comm   : DEBUG  Command: ['set', 'ssh', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*User .+ from <HOST> not allowed because not listed in AllowUsers$']
2010-08-13 11:42:16,731 fail2ban.comm   : DEBUG  Command: ['set', 'ssh', 'addfailregex', "^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*User .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\\s*$"]
2010-08-13 11:42:16,742 fail2ban.comm   : DEBUG  Command: ['set', 'ssh', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*authentication failure; logname=\\S* uid=\\S* euid=\\S* tty=\\S* ruser=\\S* rhost=<HOST>(?:\\s+user=.*)?\\s*$']
2010-08-13 11:42:16,757 fail2ban.comm   : DEBUG  Command: ['set', 'ssh', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*refused connect from \\S+ \\(<HOST>\\)\\s*$']
2010-08-13 11:42:16,773 fail2ban.comm   : DEBUG  Command: ['set', 'ssh', 'addfailregex', '^\\s*(?:\\S+ )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*Address <HOST> .* POSSIBLE BREAK-IN ATTEMPT\\s*$']
2010-08-13 11:42:16,792 fail2ban.comm   : DEBUG  Command: ['set', 'ssh', 'addaction', 'iptables-multiport']
2010-08-13 11:42:16,792 fail2ban.actions.action: DEBUG  Created Action
2010-08-13 11:42:16,792 fail2ban.comm   : DEBUG  Command: ['set', 'ssh', 'actionban', 'iptables-multiport', 'iptables -I fail2ban-<name> 1 -s <ip> -j DROP']
2010-08-13 11:42:16,793 fail2ban.actions.action: DEBUG  Set actionBan = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
2010-08-13 11:42:16,793 fail2ban.comm   : DEBUG  Command: ['set', 'ssh', 'actionstop', 'iptables-multiport', 'iptables -D INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>\niptables -F fail2ban-<name>\niptables -X fail2ban-<name>']
2010-08-13 11:42:16,793 fail2ban.actions.action: DEBUG  Set actionStop = iptables -D INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
iptables -F fail2ban-<name>
iptables -X fail2ban-<name>
2010-08-13 11:42:16,794 fail2ban.comm   : DEBUG  Command: ['set', 'ssh', 'actionstart', 'iptables-multiport', 'iptables -N fail2ban-<name>\niptables -A fail2ban-<name> -j RETURN\niptables -I INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>']
2010-08-13 11:42:16,794 fail2ban.actions.action: DEBUG  Set actionStart = iptables -N fail2ban-<name>
iptables -A fail2ban-<name> -j RETURN
iptables -I INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
2010-08-13 11:42:16,795 fail2ban.comm   : DEBUG  Command: ['set', 'ssh', 'actionunban', 'iptables-multiport', 'iptables -D fail2ban-<name> -s <ip> -j DROP']
2010-08-13 11:42:16,795 fail2ban.actions.action: DEBUG  Set actionUnban = iptables -D fail2ban-<name> -s <ip> -j DROP
2010-08-13 11:42:16,795 fail2ban.comm   : DEBUG  Command: ['set', 'ssh', 'actioncheck', 'iptables-multiport', 'iptables -n -L INPUT | grep -q fail2ban-<name>']
2010-08-13 11:42:16,795 fail2ban.actions.action: DEBUG  Set actionCheck = iptables -n -L INPUT | grep -q fail2ban-<name>
2010-08-13 11:42:16,796 fail2ban.comm   : DEBUG  Command: ['set', 'ssh', 'setcinfo', 'iptables-multiport', 'protocol', 'tcp']
2010-08-13 11:42:16,797 fail2ban.comm   : DEBUG  Command: ['set', 'ssh', 'setcinfo', 'iptables-multiport', 'name', 'ssh']
2010-08-13 11:42:16,797 fail2ban.comm   : DEBUG  Command: ['set', 'ssh', 'setcinfo', 'iptables-multiport', 'port', 'ssh']
2010-08-13 11:42:16,798 fail2ban.comm   : DEBUG  Command: ['start', 'ssh']
2010-08-13 11:42:16,798 fail2ban.filter : DEBUG  /var/log/auth.log has been modified
2010-08-13 11:42:16,798 fail2ban.jail   : INFO   Jail 'ssh' started
2010-08-13 11:42:16,803 fail2ban.actions.action: DEBUG  iptables -N fail2ban-ssh
iptables -A fail2ban-ssh -j RETURN
iptables -I INPUT -p tcp -m multiport --dports ssh -j fail2ban-ssh
2010-08-13 11:42:16,820 fail2ban.actions.action: ERROR  iptables -N fail2ban-ssh
iptables -A fail2ban-ssh -j RETURN
iptables -I INPUT -p tcp -m multiport --dports ssh -j fail2ban-ssh returned 100
2010-08-13 11:42:17,292 fail2ban.filter.datedetector: DEBUG  Sorting the template list
2010-08-13 11:42:18,296 fail2ban.filter : DEBUG  /var/log/auth.log has been modified
2010-08-13 11:42:18,296 fail2ban.filter.datedetector: DEBUG  Sorting the template list
2010-08-13 11:42:19,303 fail2ban.filter : DEBUG  /var/log/auth.log has been modified
2010-08-13 11:42:19,304 fail2ban.filter.datedetector: DEBUG  Sorting the template list
2010-08-13 11:42:21,312 fail2ban.filter : DEBUG  /var/log/auth.log has been modified
2010-08-13 11:42:21,312 fail2ban.filter.datedetector: DEBUG  Sorting the template list
[...]
2010-08-13 11:44:29,826 fail2ban.filter : DEBUG  /var/log/auth.log has been modified
2010-08-13 11:44:29,827 fail2ban.filter.datedetector: DEBUG  Sorting the template list
I get these lines since I set loglevel 4:
Code:
2010-08-13 11:42:39,384 fail2ban.filter.datedetector: DEBUG  Sorting the template list
2010-08-13 11:42:40,387 fail2ban.filter : DEBUG  /var/log/auth.log has been modified
 
Old 08-14-2010, 02:20 PM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Since you cut your iptables output there is no way of telling if fail2ban set up the required chains. Resort to testing that your setup works, search the http://sourceforge.net/mailarchive/f...fail2ban-users or ask on the https://lists.sourceforge.net/lists/...fail2ban-users.