Linux - Newbie (LinuxQuestions.org): This Linux forum is for members that are new to Linux.
I am running Slackware 13.0 and I have installed fail2ban. I am trying to set up fail2ban to work with proftpd 1.32. I have iptables already running with no rules and sendmail works like a charm. I removed my email in the jail.local for privacy reasons.
In the directory /etc/fail2ban I have created duplicates of jail.conf and fail2ban.conf (jail.local and fail2ban.local) as instructed by the manual. I make all the changes on the local files; those files are read in after the *.conf ones. So in the jail.local file I have this
Code:
[proftpd-iptables]
enabled = true
filter = proftpd
action = iptables[name=ProFTPD, port=ftp, protocol=tcp]
         sendmail-whois[name=ProFTPD, dest=xxxxxxxx@xxxxx.com]
logpath = /var/log/proftpd.log
maxretry = 6
# This jail forces the backend to "polling".
I make no changes to fail2ban.local, then I start fail2ban with
Code:
fail2ban-client start
Then in the /var/log/fail2ban.log I see this
Code:
2009-12-11 13:31:25,897 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.3
2009-12-11 13:31:25,898 fail2ban.jail : INFO Creating new jail 'proftpd-iptables'
2009-12-11 13:31:25,912 fail2ban.jail : INFO Jail 'proftpd-iptables' uses Gamin
2009-12-11 13:31:25,997 fail2ban.filter : INFO Added logfile = /var/log/proftpd.log
2009-12-11 13:31:25,999 fail2ban.filter : INFO Set maxRetry = 6
2009-12-11 13:31:26,000 fail2ban.filter : INFO Set findtime = 600
2009-12-11 13:31:26,001 fail2ban.actions: INFO Set banTime = 600
2009-12-11 13:31:26,014 fail2ban.server : ERROR Unexpected communication error
2009-12-11 13:31:26,015 fail2ban.server : ERROR Unexpected communication error
2009-12-11 13:31:26,016 fail2ban.server : ERROR Unexpected communication error
2009-12-11 13:31:26,017 fail2ban.server : ERROR Unexpected communication error
2009-12-11 13:31:26,018 fail2ban.server : ERROR Unexpected communication error
2009-12-11 13:31:26,019 fail2ban.server : ERROR Unexpected communication error
2009-12-11 13:31:26,021 fail2ban.server : ERROR Unexpected communication error
2009-12-11 13:31:26,022 fail2ban.server : ERROR Unexpected communication error
2009-12-11 13:31:26,023 fail2ban.server : ERROR Unexpected communication error
2009-12-11 13:31:26,025 fail2ban.server : ERROR Unexpected communication error
2009-12-11 13:31:26,026 fail2ban.server : ERROR Unexpected communication error
2009-12-11 13:31:26,027 fail2ban.server : ERROR Unexpected communication error
2009-12-11 13:31:26,028 fail2ban.server : ERROR Unexpected communication error
2009-12-11 13:31:26,029 fail2ban.server : ERROR Unexpected communication error
2009-12-11 13:31:26,030 fail2ban.server : ERROR Unexpected communication error
2009-12-11 13:31:26,031 fail2ban.server : ERROR Unexpected communication error
2009-12-11 13:31:26,033 fail2ban.jail : INFO Jail 'proftpd-iptables' started
2009-12-11 13:31:26,042 fail2ban.server : ERROR Unexpected communication error
I also remember reading that fail2ban uses /var/run/fail2ban/fail2ban.sock to communicate with the client. I checked the sock file and it looks like 'fail2ban.sock=', why does it have an equal sign?
I have python 2.6.2 and I have tried changing the python shebang in /usr/bin/fail2ban-server from #!/usr/bin/python to #!/usr/sbin/python2.6 and still nothing.
I also do not want to use proftpd's ban mod, which prevents banned users from logging into the ftp server but not from connecting to the server, so my proftpd.log will still be filled with user/pass attempts.
If I can't get this working, I may give Snort a go, it just seems very intimidating.
I'm a little confused, there are two binaries, fail2ban-client and fail2ban-server. Surprisingly they seem to be the same thing. The manuals say to use the client but for experimentation, I tried starting the server first, then the client and when I tried doing the client it said that server was already up.
Anyhow, any ideas?
fail2ban-0.8.3 does not work with python 2.6 (here), so I guess you're using an old version and you need to upgrade.
Quote:
I have python 2.6.2 and I have tried changing the python shebang in
/usr/bin/fail2ban-server
from #!/usr/bin/python
to
#!/usr/sbin/python2.6
and still nothing.
The correct path is /usr/bin/python2.6.
Mind that /usr/bin/python is actually a symlink to /usr/bin/python2.6, so there was no need to change the shebang.
I spoke too soon. I no longer have 'unexpected errors' in my fail2ban.log, however, fail2ban doesn't seem to be working. When I enter fail2ban-client status, I get
bathory, do you think I should just try snort instead? It'd be a great program to learn in terms of getting a job. Then again, I would like to understand why fail2ban is not working.
I removed/reinstalled the package and now I see a new script /etc/rc.d/rc.fail2ban.new. I tried that one and lo and behold it works now hehe. I get no errors at all and fail2ban-client status works fine.
However, I can't seem to get it to jail an ftp user that I've been testing.
I use my roommate's computer and log in via ftp as the same user with wrong passwords 6 times in a row and nothing happens.
jail.local
Code:
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 617 $
#
# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1
# "bantime" is the number of seconds that a host is banned.
bantime = 600
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600
# "maxretry" is the number of failures before a host gets banned.
maxretry = 3
# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto". This option can be overridden in
# each jail too (use "gamin" for a jail and "polling" for another).
#
# gamin: requires Gamin (a file alteration monitor) to be installed. If Gamin
# is not installed, Fail2ban will use polling.
# polling: uses a polling algorithm which does not require external libraries.
# auto: will choose Gamin if available and polling otherwise.
backend = auto
# This jail corresponds to the standard configuration in Fail2ban 0.6.
# The mail-whois action sends a notification e-mail with a whois request
# in the body.
[ssh-iptables]
enabled = false
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
         sendmail-whois[name=SSH, dest=you@mail.com, sender=fail2ban@mail.com]
logpath = /var/log/sshd.log
maxretry = 5
[proftpd-iptables]
enabled = true
filter = proftpd
action = iptables[name=ProFTPD, port=ftp, protocol=tcp]
         sendmail-whois[name=ProFTPD, dest=root@server.com]
logpath = /var/log/proftpd.log
maxretry = 3
fail2ban.local
Code:
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 629 $
#
[Definition]
# Option: loglevel
# Notes.: Set the log level output.
# 1 = ERROR
# 2 = WARN
# 3 = INFO
# 4 = DEBUG
# Values: NUM Default: 3
#
loglevel = 4
# Option: logtarget
# Notes.: Set the log target. This could be a file, SYSLOG, STDERR or STDOUT.
# Only one log target can be specified.
# Values: STDOUT STDERR SYSLOG file Default: /var/log/fail2ban.log
#
logtarget = /var/log/fail2ban.log
# Option: socket
# Notes.: Set the socket file. This is used to communicate with the daemon. Do
# not remove this file when Fail2ban runs. It will not be possible to
# communicate with the server afterwards.
# Values: FILE Default: /var/run/fail2ban/fail2ban.sock
#
socket = /var/run/fail2ban/fail2ban.sock
I noticed while testing that if I try to bruteforce a valid ftp user account, then my IP will not get banned.
In the proftpd log file, the failed login is logged as
Code:
User xxx (Login failed): Incorrect password.
which matches up exactly with the 2nd phrase in the regex in /etc/fail2ban/filter.d/proftpd.conf
Code:
# Fail2Ban configuration file
#
# Author: Yaroslav Halchenko
#
# $Revision: 677 $
#
[Definition]
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
failregex = \(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found from \S+ \[\S+\] to \S+:\S+$
            \(\S+\[<HOST>\]\)[: -]+ USER \S+ \(Login failed\): Incorrect password\.$
            \(\S+\[<HOST>\]\)[: -]+ SECURITY VIOLATION: \S+ login attempted\.$
            \(\S+\[<HOST>\]\)[: -]+ Maximum login attempts \(\d+\) exceeded$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
/var/log/fail2ban.log
Code:
2009-12-13 23:15:35,287 fail2ban.comm : DEBUG Command: ['status']
2009-12-13 23:15:58,461 fail2ban.filter : DEBUG Got event: 1 for /var/log/proftpd.log
2009-12-13 23:15:58,461 fail2ban.filter : DEBUG File changed: /var/log/proftpd.log
2009-12-13 23:15:58,462 fail2ban.filter.datedetector: DEBUG Sorting the template list
2009-12-13 23:16:01,468 fail2ban.filter : DEBUG Got event: 1 for /var/log/proftpd.log
2009-12-13 23:16:01,468 fail2ban.filter : DEBUG File changed: /var/log/proftpd.log
2009-12-13 23:16:01,468 fail2ban.filter.datedetector: DEBUG Sorting the template list
2009-12-13 23:16:04,475 fail2ban.filter : DEBUG Got event: 1 for /var/log/proftpd.log
2009-12-13 23:16:04,475 fail2ban.filter : DEBUG File changed: /var/log/proftpd.log
2009-12-13 23:16:04,475 fail2ban.filter.datedetector: DEBUG Sorting the template list
2009-12-13 23:16:07,482 fail2ban.filter : DEBUG Got event: 1 for /var/log/proftpd.log
2009-12-13 23:16:07,482 fail2ban.filter : DEBUG File changed: /var/log/proftpd.log
2009-12-13 23:16:07,482 fail2ban.filter.datedetector: DEBUG Sorting the template list
2009-12-13 23:16:17,795 fail2ban.comm : DEBUG Command: ['status']
2009-12-13 23:16:22,513 fail2ban.filter : DEBUG Got event: 1 for /var/log/proftpd.log
2009-12-13 23:16:22,513 fail2ban.filter : DEBUG File changed: /var/log/proftpd.log
2009-12-13 23:16:22,513 fail2ban.filter.datedetector: DEBUG Sorting the template list
2009-12-13 23:16:39,547 fail2ban.filter : DEBUG Got event: 1 for /var/log/proftpd.log
2009-12-13 23:16:39,548 fail2ban.filter : DEBUG File changed: /var/log/proftpd.log
2009-12-13 23:16:39,549 fail2ban.filter : DEBUG Found a match for '3:16:37 server proftpd[4301] server.darkstar.net (192.168.1.106[192.168.1.106]): USER xbox (Login$
' but no valid date/time found for '3:16:37 server proftpd[4301] server.darkstar.net (192.168.1.106[192.168.1.106]): USER xbox (Login failed): Incorrect password.
'. Please contact the author in order to get support for this format
2009-12-13 23:16:39,549 fail2ban.filter.datedetector: DEBUG Sorting the template list
2009-12-13 23:16:41,552 fail2ban.filter : DEBUG Got event: 1 for /var/log/proftpd.log
2009-12-13 23:16:41,553 fail2ban.filter : DEBUG File changed: /var/log/proftpd.log
2009-12-13 23:16:41,553 fail2ban.filter : DEBUG Found 192.168.1.106
2009-12-13 23:16:41,554 fail2ban.filter.datedetector: DEBUG Sorting the template list
2009-12-13 23:16:44,559 fail2ban.filter : DEBUG Got event: 1 for /var/log/proftpd.log
2009-12-13 23:16:44,560 fail2ban.filter : DEBUG File changed: /var/log/proftpd.log
2009-12-13 23:16:44,560 fail2ban.filter : DEBUG Found 192.168.1.106
2009-12-13 23:16:44,561 fail2ban.filter.datedetector: DEBUG Sorting the template list
2009-12-13 23:17:03,598 fail2ban.filter : DEBUG Got event: 1 for /var/log/proftpd.log
2009-12-13 23:17:03,599 fail2ban.filter : DEBUG File changed: /var/log/proftpd.log
2009-12-13 23:17:03,599 fail2ban.filter.datedetector: DEBUG Sorting the template list
As you can see I logged twice, each time trying 3 user/pass with the same user.
Why isn't fail2ban recognizing the phrase?
I'm thinking maybe the format works out different if it's an IP from within my internal network instead of coming in from outside my router(gateway).
After doing like 13 incorrect user/pass attempts, fail2ban finally recognized the pattern and banned the IP. For typical bruteforcing bots out there on the net, it'll do. I can finally sleep well at night.
I'd like to set up a jail for my postgresql database. These are the log lines that I would like to capture. The first is when I enter a user that does not exist, the second is when I enter a valid user but an incorrect password.
/home/postgres/serverlog
Code:
FATAL: no pg_hba.conf entry for host "127.0.0.1", user "sick", database "darkstar"
FATAL: password authentication failed for user "marty"
Code:
# Fail2Ban configuration file
#
# Author: Yaroslav Halchenko
#
# $Revision: 677 $
#
[Definition]
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
failregex = FATAL:\s+no pg_hba\.conf entry for host "<HOST>", user "\S+", database "darkstar"
# The second log line names no client address, so there is nothing to fill
# <HOST> with and no "host" group for fail2ban to ban on; kept for reference only:
# FATAL:\s+password authentication failed for user "\S+"
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
When I run lsof -i I can see that postmaster (postgresql) has four instances all running on udp:49891.
However, on the second type of log I want to capture 'FATAL: password authentication failed for user "marty"' will I have a problem since there is no IP listed on that line?
Come to think of it, I don't think the postgresql jail will work. This server runs an apache web server that has a postgresql database attached to it via php. Users go to the website and log in to the database, which is obviously on the same machine. So when a user tries to sign in, the IP address will always be the IP address of the web server, 127.0.0.1. I wouldn't want to block my loopback. Any thoughts? I don't want to move my database onto another computer.
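An added example, not code from this thread or from fail2ban itself, that reproduces the filter and jail decisions discussed in the proftpd post above and in this postgresql post: it expands <HOST> exactly as the filter.d header describes, runs the page's proftpd failregex lines and an assumed postgresql one over constructed log lines, and applies maxretry, findtime and ignoreip the way the jail does. fail2ban's date detection (the step that rejected the proftpd line above with "no valid date/time found") is not modelled; timestamps are supplied as plain seconds.

```python
import re
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>\S+)"  # what fail2ban 0.8 substitutes for <HOST>

# failregex lines copied from the page's /etc/fail2ban/filter.d/proftpd.conf
PROFTPD_FAILREGEX = [
    r"\(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found from \S+ \[\S+\] to \S+:\S+$",
    r"\(\S+\[<HOST>\]\)[: -]+ USER \S+ \(Login failed\): Incorrect password\.$",
    r"\(\S+\[<HOST>\]\)[: -]+ SECURITY VIOLATION: \S+ login attempted\.$",
    r"\(\S+\[<HOST>\]\)[: -]+ Maximum login attempts \(\d+\) exceeded$",
]
# Assumed postgresql failregex: only the pg_hba line names a client address, and
# "password authentication failed" carries no host, so no failregex can ban on it.
POSTGRES_FAILREGEX = [
    r'FATAL:\s+no pg_hba\.conf entry for host "<HOST>", user "\S+", database "\S+"',
]
def compile_failregex(patterns):
    """Expand <HOST> the way fail2ban does, then compile each pattern."""
    return [re.compile(p.replace("<HOST>", HOST_ALIAS)) for p in patterns]

def scan(events, regexes, maxretry, findtime, ignoreip=()):
    """events: (seconds, log line). Mirror the jail: record the host of each
    matching line; ban hosts not in ignoreip with maxretry failures in findtime."""
    failures = {}
    for ts, line in events:
        for rx in regexes:
            m = rx.search(line)
            if m:
                failures.setdefault(m.group("host"), []).append(ts)
                break
    banned = set()
    for host, times in failures.items():
        if host in ignoreip:
            continue
        times.sort()
        for i in range(len(times) - maxretry + 1):
            if times[i + maxretry - 1] - times[i] <= findtime:
                banned.add(host)
                break
    return banned
def proftpd_line(ip, msg):  # constructed, in the format the page's fail2ban.log shows
    return "Dec 13 23:16:37 server proftpd[4301] server.darkstar.net (%s[%s]): %s" % (ip, ip, msg)
# Constructed samples: 192.168.1.106 fails 3 times in 6 s (-> ban); 10.0.0.9 also
# fails 3 times, but its first try is more than findtime=600 s before the others.
BAD_PW = "USER xbox (Login failed): Incorrect password."
NO_USER = "USER admin: no such user found from 10.0.0.9 [10.0.0.9] to 192.168.1.2:21"
PROFTPD_EVENTS = ([(t, proftpd_line("192.168.1.106", BAD_PW)) for t in (0, 3, 6)]
                  + [(t, proftpd_line("10.0.0.9", NO_USER)) for t in (9, 900, 901)])
PG_EVENTS = [(t, 'FATAL: no pg_hba.conf entry for host "127.0.0.1", user "sick", database "darkstar"')
             for t in (0, 1, 2)] + [(3, 'FATAL: password authentication failed for user "marty"')]
```

Running scan over PG_EVENTS with ignoreip containing 127.0.0.1 bans nothing, which is the loopback problem this post raises; without it the web server's own address would be banned.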