LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware
User Name
Password
Slackware This Forum is for the discussion of Slackware Linux.

Notices

Reply
 
Search this Thread
Old 06-19-2009, 08:43 AM   #1
Biggen
Member
 
Registered: Sep 2004
Location: Panama City Beach FL
Distribution: Slackware 12.2
Posts: 199

Rep: Reputation: 31
Fail2ban and Slack


I posted this, originally, in the security section. But I haven't had any replys there so I wanted to post here. I have used fail2ban for years with Suse, but I'm having some trouble getting it implemented in Slackware.

Having some problems getting fail2ban to actually properly ban ip's that fail authentication when trying to SSH. Fail2ban client is up and running properly. I am feeding it the correct log file for slackware (/var/log/messages). I made sure to "enable" sshd-iptables in the jail.conf file. Here is a "status" to make sure fail2ban is running:


Code:
bash-3.1# fail2ban-client status
Status
|- Number of jail:	1
`- Jail list:		ssh-iptables
Then, I'll attempt to log on incorrectly to ssh and fail2ban will recognize the incorrect attempts. It will then ban that IP causing the failure. Here is proof that fail2ban is TRYING to work properly:


Code:
bash-3.1# fail2ban-client status ssh-iptables
Status for the jail: ssh-iptables
|- filter
|  |- File list:	/var/log/messages 
|  |- Currently failed:	1
|  `- Total failed:	9
`- action
   |- Currently banned:	1
   |  `- IP list:	192.168.1.3 
   `- Total banned:	1
As you can see, it banned 192.168.1.3. At least it thought it did... However, I can still connect to my server (192.168.1.2) with no problems. I can still ssh to it, check mail, etc... That address is NOT banned. I have already verified iptables is working by doing a:

"iptables -I INPUT -s 192.168.1.3 -j DROP"

If I do the above commands, 192.168.1.3 is banned. So I know iptables is working if I can manually type that in and get it to work that way.

I dunno what is up. Any one else have any problems?
 
Old 06-19-2009, 08:54 AM   #2
zhjim
Senior Member
 
Registered: Oct 2004
Distribution: Debian Squeeze x86_64
Posts: 1,467
Blog Entries: 11

Rep: Reputation: 184Reputation: 184
Also I'm not using Slackware on a regular basis also not using fail2ban here is some tips how you got get behind the reason for fail2ban not doing what it's suppose to be.

Maybe you can get some more info of the fail2ban-server. In a seperate shell start the server with
Code:
fail2ban-server -b
to have it run in foreground. I bet it'll print some nice logs onto the screen.

Another thing is if you might have an iptables rule where all the clients from the 192.168.0.0/24 network are allowed. This sure should be above the iptables rule from fail2ban. Also I doubt that is the case cause you can ban the ip manualy.
But are you sure fail2ban uses iptables to block access? Maybe it just used the tcpwrapper file /etc/hosts.deny and /etc/hosts.allow.

Hope some of this can get you further.
 
Old 06-19-2009, 10:23 AM   #3
tuxrules
Senior Member
 
Registered: Jun 2004
Location: Chicago
Distribution: Slackware64 14.1
Posts: 1,141

Rep: Reputation: 55
Biggen,

fail2ban actually uses regex to match the failure message in the logs. Did you check the offending's IP's failure message in logs and see if your fail2ban regex actually matches to that. Check fail-regex option in the config files.

Other problem may be much lower ban time, you can configure the actual time (mins/hrs/days) to ban a particular type of login/cracking attempt.
 
Old 06-19-2009, 11:30 AM   #4
Biggen
Member
 
Registered: Sep 2004
Location: Panama City Beach FL
Distribution: Slackware 12.2
Posts: 199

Original Poster
Rep: Reputation: 31
Quote:
Originally Posted by zhjim View Post
Also I'm not using Slackware on a regular basis also not using fail2ban here is some tips how you got get behind the reason for fail2ban not doing what it's suppose to be.

Maybe you can get some more info of the fail2ban-server. In a seperate shell start the server with
Code:
fail2ban-server -b
to have it run in foreground. I bet it'll print some nice logs onto the screen.

Another thing is if you might have an iptables rule where all the clients from the 192.168.0.0/24 network are allowed. This sure should be above the iptables rule from fail2ban. Also I doubt that is the case cause you can ban the ip manualy.
But are you sure fail2ban uses iptables to block access? Maybe it just used the tcpwrapper file /etc/hosts.deny and /etc/hosts.allow.

Hope some of this can get you further.
Thanks for the response. I'm not in front of my server right now so I'll try that command later. I don't believe Slack uses tcpwrapper. And, if I do an "iptables -L" after making sure fail2ban is running, I can see that fail2ban added a chain in iptables so that it can ban and unban when it needs. So it is definately "talking" to iptables.

Quote:
Originally Posted by tuxrules
Biggen,

fail2ban actually uses regex to match the failure message in the logs. Did you check the offending's IP's failure message in logs and see if your fail2ban regex actually matches to that. Check fail-regex option in the config files.

Other problem may be much lower ban time, you can configure the actual time (mins/hrs/days) to ban a particular type of login/cracking attempt.
Yeah, I issued the "regex" command on the fail2ban page that tests the system to make sure it is reading log file properly and it I.D. the IP causing the failures. I'm not in front of my server now, so I can't show the output. When I get home later, I'll post that output.

What is crazy is that I get an email from fail2ban saying it banned the IP and I see a chain showing it banned it, but it simply isn't banned. I'll do the regex command later and copy and paste that here. Then I'll try to incorrectly log onto SSH and get it to ban my client and then copy and paste the chain so that you guys can have a look at it...
 
Old 06-19-2009, 12:06 PM   #5
bgeddy
Senior Member
 
Registered: Sep 2006
Location: Liverpool - England
Distribution: slackware64 13.37 and -current, Dragonfly BSD
Posts: 1,810

Rep: Reputation: 227Reputation: 227Reputation: 227
Quote:
I don't believe Slack uses tcpwrapper.
Sure does - tcp_wrappers-7.6-i481-1 on a Slackware 12.2 system. From the package :
Code:
tcp_wrappers (TCP/IP daemon wrapper library and utilities)

With this package you can monitor and filter incoming requests for network services for access control, and detection things like host
tcp_wrappers: name spoofing and host address spoofing.  Nearly all the network daemons on Slackware are "wrapped" using this library, and most daemons in /etc/inetd.conf use tcp_wrappers' tcpd wrapper daemon. If you plan to do much networking, you will need tcp_wrappers.
tcp_wrappers was written by Wietse Venema.
Not sure this relates to your problem though.
 
Old 06-19-2009, 12:59 PM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,543
Blog Entries: 54

Rep: Reputation: 2924Reputation: 2924Reputation: 2924Reputation: 2924Reputation: 2924Reputation: 2924Reputation: 2924Reputation: 2924Reputation: 2924Reputation: 2924Reputation: 2924
Quote:
Originally Posted by Biggen View Post
I posted this, originally, in the security section. But I haven't had any replys there so I wanted to post here.
Please do not crosspost threads.
 
Old 06-20-2009, 12:28 AM   #7
Biggen
Member
 
Registered: Sep 2004
Location: Panama City Beach FL
Distribution: Slackware 12.2
Posts: 199

Original Poster
Rep: Reputation: 31
Quote:
Originally Posted by unSpawn View Post
Please do not crosspost threads.
Ummm.. I'm not sure what you expect when I don't get any suggestions in one forum. Of course I am going to try in another forum...
 
Old 06-20-2009, 01:03 AM   #8
Biggen
Member
 
Registered: Sep 2004
Location: Panama City Beach FL
Distribution: Slackware 12.2
Posts: 199

Original Poster
Rep: Reputation: 31
Success!!

Well I figured it out. I forgot that I changed the port on my sshd to a nonstandard port, but in the jail.conf, I still had the port listed as "port=ssh" and NOT my new port. Fail2ban was banning that IP on the standard ssh port of 22 and NOT my new port I selected in my sshd.conf file.

What is crazy is that I have had about 6 beers at a family party and I just got home to work on it and I figured it out... Guess I need to do that more often when I work on my server.



Thanks guys for your suggestions!
 
Old 06-20-2009, 06:10 AM   #9
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,543
Blog Entries: 54

Rep: Reputation: 2924Reputation: 2924Reputation: 2924Reputation: 2924Reputation: 2924Reputation: 2924Reputation: 2924Reputation: 2924Reputation: 2924Reputation: 2924Reputation: 2924
Quote:
Originally Posted by Biggen View Post
Ummm.. I'm not sure what you expect when I don't get any suggestions in one forum. Of course I am going to try in another forum...
Crossposting threads is a violation of the LQ rules (rule #7) you agreed to adhere to when you signed up.
No exceptions.

LQ expects you to either refrain from doing that or ask a moderator to move your thread to a more appropriate forum.
Waiting 24 hours before doing something seems reasonable.

Let me know if you disagree with or don't understand the reasoning behind this all.
 
Old 06-20-2009, 09:23 AM   #10
Biggen
Member
 
Registered: Sep 2004
Location: Panama City Beach FL
Distribution: Slackware 12.2
Posts: 199

Original Poster
Rep: Reputation: 31
Quote:
Originally Posted by unSpawn View Post
Crossposting threads is a violation of the LQ rules (rule #7) you agreed to adhere to when you signed up.
No exceptions.

LQ expects you to either refrain from doing that or ask a moderator to move your thread to a more appropriate forum.
Waiting 24 hours before doing something seems reasonable.

Let me know if you disagree with or don't understand the reasoning behind this all.
I agree with you. Cross posting can be problematic. I was thinking I waited a day before I posted again in the Slack Forums. But the time stamp from my first post to my second post shows only 40 minutes which seems strange. I could have swore I gave it a full day... If not, then that was my fault.
 
Old 06-20-2009, 09:30 AM   #11
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,543
Blog Entries: 54

Rep: Reputation: 2924Reputation: 2924Reputation: 2924Reputation: 2924Reputation: 2924Reputation: 2924Reputation: 2924Reputation: 2924Reputation: 2924Reputation: 2924Reputation: 2924
NP, you're aware now how it should be done and that's what matters most, right? Have fun!
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Fail2ban, is it working? SuperDude123 Linux - Security 7 02-17-2009 10:09 PM
Need help with fail2ban regex jakev383 Linux - Security 6 12-07-2008 10:35 AM
Fail2ban and Firestarter baldur2630 Linux - Software 2 09-29-2008 06:46 AM
Fail2Ban Question nomb Debian 0 05-21-2007 08:28 AM
fail2ban and proftpd 1.3 reeseslover531 Linux - Security 4 02-14-2007 08:10 AM


All times are GMT -5. The time now is 04:40 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration