I need help with fail2ban...
I am running Slackware 13.0 and I have installed fail2ban. I am trying to set up fail2ban to work with proftpd 1.32. I have iptables already running with no rules and sendmail works like a charm. I removed my email in the jail.local for privacy reasons.
In the directory /etc/fail2ban I have created duplicates of jail.conf and fail2ban.conf (jail.local and fail2ban.local) as instructed by the manual. I make all the changes in the local files; those files are read in after the *.conf ones. So in the jail.local file I have this:
Code:
[proftpd-iptables]
Code:
fail2ban-client start
Code:
2009-12-11 13:31:25,897 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.3
I have python 2.6.2 and I have tried changing the python shebang in /usr/bin/fail2ban-server from #!/usr/bin/python to #!/usr/sbin/python2.6 and still nothing. I also do not want to use proftpd's ban mod, which prevents banned users from logging into the ftp server but not from connecting to the server, so my proftpd.log will still be filled with user/pass attempts. If I can't get this working, I may give Snort a go; it just seems very intimidating. I'm a little confused: there are two binaries, fail2ban-client and fail2ban-server. Surprisingly they seem to be the same thing. The manuals say to use the client, but for experimentation I tried starting the server first, then the client, and when I tried the client it said that the server was already up. Anyhow, any ideas? |
|
I've tried that, I still get the unexpected communication error.
|
fail2ban-0.8.3 does not work with python 2.6 (here), so I guess you're using an old version and you need to upgrade.
Quote:
Mind that /usr/bin/python is actually a symlink to /usr/bin/python2.6, so there was no need to change the shebang.
Regards |
Excellent, got the fail2ban 0.8.4 Slackbuild and it works like a charm. Thank you bathory for pointing that out.
|
I spoke too soon. I no longer have 'unexpected errors' in my fail2ban.log, however, fail2ban doesn't seem to be working. When I enter fail2ban-client status, I get
Code:
ERROR Unable to contact server. Is it running? |
Check if fail2ban is running:
Code:
ps -ef|grep fail2ban
Code:
/etc/rc.d/rc.fail2ban stop
Code:
rm /var/run/fail2ban/fail2ban.sock |
If I
Code:
rc.fail2ban stop
However, fail2ban.socket does exist when fail2ban is started via
Code:
rc.fail2ban start |
What is the output of
Code:
ps aux|grep fail2
Quote:
|
Mine looks exactly like yours.
|
bathory, you think I should just try snort instead? It'd be a great program to learn in terms of getting a job. Then again, I would like to understand why fail2ban is not working.
|
I removed/reinstalled the package and now I see a new script /etc/rc.d/rc.fail2ban.new
I tried that one and lo and behold it works now hehe. I get no errors at all and fail2ban-client status works fine. However, I can't seem to get it to jail an ftp user that I've been testing. I use my roommate's computer and log in via ftp as the same user with wrong passwords 6 times in a row and nothing happens. jail.local
Code:
# Fail2Ban configuration file
Code:
# Fail2Ban configuration file |
woohoo it works!!!!
I noticed while testing that if I try to bruteforce a valid ftp user account, then my ip will not get banned. In the proftpd log file, the failed login is logged as
Code:
User xxx (Login failed): Incorrect password.
Code:
# Fail2Ban configuration file
Code:
2009-12-13 23:15:35,287 fail2ban.comm : DEBUG Command: ['status']
Why isn't fail2ban recognizing the phrase? I'm thinking maybe the format works out differently if it's an IP from within my internal network instead of coming in from outside my router (gateway). After doing like 13 incorrect user/pass attempts, fail2ban finally recognized the pattern and banned the IP. For typical bruteforcing bots out there on the net, it'll do. I can finally sleep well at nite :). |
I'd like to set up a jail for my postgresql database. These are the log lines that I would like to capture. The first is when I enter a user that does not exist, the second is when I enter a valid user but an incorrect password.
/home/postgres/serverlog
Code:
FATAL: no pg_hba.conf entry for host "127.0.0.1", user "sick", database "darkstar"
Code:
[postgresql-iptables]
Code:
# Fail2Ban configuration file
I can see that postmaster (postgresql) has four instances all running on udp:49891. However, on the second type of log I want to capture, 'FATAL: password authentication failed for user "marty"', will I have a problem since there is no IP listed on that line? |
Come to think of it, I don't think the postgresql jail will work. This server runs an apache web server that has a postgresql database attached to it via php. Users go to the website and log in to the database, which is obviously on the same machine. So when a user tries to sign in, the IP address will always be the IP address of the web server, 127.0.0.1. I wouldn't want to block my loopback. Any thoughts? I don't want to move my database onto another computer. |
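Two questions in this thread come down to the same mechanism: why the proftpd "(Login failed): Incorrect password" line was not counted until many attempts had gone by, and whether a postgresql jail can act on a line that carries no IP address and whose only address would otherwise be 127.0.0.1. The following is an added example, not code from the thread and not fail2ban's own code. It is a small Python imitation of what a fail2ban filter and jail do: expand the <HOST> tag in each failregex into a capture group, collect the captured host from every matching log line, then apply maxretry and ignoreip. The log lines are constructed (documentation addresses 203.0.113.5, 198.51.100.7 and the loopback) in the shape of the lines quoted in the posts above; the two proftpd failregexes and the <HOST> expansion are assumptions written for those constructed lines, so compare them against the proftpd filter shipped with your fail2ban version rather than copying them. What it shows: a failregex without <HOST> is rejected outright, which is why the 'password authentication failed for user "marty"' line cannot drive a ban on its own, and the stock jail.conf default of ignoreip = 127.0.0.1 means the pg_hba.conf failures from the local web server are matched but never banned.

```python
import re
from collections import defaultdict

# fail2ban expands the <HOST> tag in each failregex into a named group that
# captures the offending address.  This is an approximation of the 0.8-era
# expansion (assumption), not copied from fail2ban itself.
HOST_TAG = "<HOST>"
HOST_RE = r"(?P<host>\S+)"


def compile_failregex(pattern):
    """Turn a fail2ban-style failregex into a compiled regex.

    Like fail2ban, refuse a pattern without <HOST>: with no host group
    there is nothing to ban, which is the problem with the postgres
    'password authentication failed' line quoted in the thread.
    """
    if HOST_TAG not in pattern:
        raise ValueError("failregex has no <HOST> tag: no address to ban")
    return re.compile(pattern.replace(HOST_TAG, HOST_RE))


def find_failures(lines, failregexes):
    """Return the host captured from every line matched by any failregex."""
    compiled = [compile_failregex(p) for p in failregexes]
    hits = []
    for line in lines:
        for rx in compiled:
            m = rx.search(line)
            if m:
                hits.append(m.group("host"))
                break  # one failure per line, whichever regex hit first
    return hits


def hosts_to_ban(hosts, maxretry=5, ignoreip=("127.0.0.1",)):
    """Apply the jail's maxretry and ignoreip to the captured hosts.

    findtime is deliberately left out: the sample lines all fall in one
    window.  fail2ban's jail.conf ships with ignoreip = 127.0.0.1, so the
    loopback failures generated by a local web server are never banned.
    """
    counts = defaultdict(int)
    for h in hosts:
        counts[h] += 1
    return sorted(h for h, n in counts.items()
                  if n >= maxretry and h not in ignoreip)


# --- constructed sample data (not real logs) ---------------------------------

def _proftpd_line(ip, rest, sec):
    # Constructed in the shape of a proftpd 1.3 auth log line; the post above
    # only quotes the trailing 'User ... (Login failed)' phrase.
    return (f"Dec 13 23:15:{sec:02d} darkstar proftpd[2201] darkstar "
            f"({ip}[{ip}]): {rest}")


PROFTPD_LOG = (
    [_proftpd_line("203.0.113.5",
                   "USER marty (Login failed): Incorrect password.", s)
     for s in range(1, 7)]
    + [_proftpd_line("203.0.113.5",
                     "USER nosuch: no such user found from 203.0.113.5 "
                     "[203.0.113.5] to 192.0.2.10:21", 8)]
    + [_proftpd_line("198.51.100.7",
                     "USER marty (Login failed): Incorrect password.", s)
       for s in (10, 11)]
    + [_proftpd_line("198.51.100.7", "USER marty: Login successful.", 12)]
)

# Hypothetical proftpd failregexes written for the constructed lines above;
# check them against the proftpd filter that ships with your fail2ban version.
PROFTPD_FAILREGEX = [
    r"\(\S+\[<HOST>\]\)[: -]+ USER \S+ \(Login failed\): Incorrect password\.$",
    r"\(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found from \S+ \[\S+\] to \S+:\S+\s*$",
]

POSTGRES_LOG = (
    ['FATAL:  no pg_hba.conf entry for host "127.0.0.1", user "sick", '
     'database "darkstar"'] * 5
    + ['FATAL:  password authentication failed for user "marty"'] * 5
)

# Only the pg_hba line carries an address; the password-failure line cannot
# be turned into a failregex at all (see compile_failregex).
POSTGRES_FAILREGEX = [r'no pg_hba\.conf entry for host "<HOST>"']


if __name__ == "__main__":
    pf = find_failures(PROFTPD_LOG, PROFTPD_FAILREGEX)
    print("proftpd hits:", pf)
    print("proftpd bans (maxretry=5):", hosts_to_ban(pf))
    pg = find_failures(POSTGRES_LOG, POSTGRES_FAILREGEX)
    print("postgres hits:", pg)
    print("postgres bans with default ignoreip:", hosts_to_ban(pg))
    print("postgres bans if loopback were not ignored:",
          hosts_to_ban(pg, ignoreip=()))
```

Run it as a script to see the counts: 203.0.113.5 accumulates seven failures and is the only host over a maxretry of 5, while 198.51.100.7 stays under the threshold and its successful login is not counted at all. For the postgres case the five pg_hba.conf lines are matched but dropped by ignoreip, which is exactly the loopback situation described above: a jail on the database log would either ban nothing or, with ignoreip cleared, ban the web server itself, so the failed-login counting for that application belongs in the web layer, where the client address is still known.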