Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Hi guys I have just started using fail2ban with iptables and fail to ban seams to be doing its job but when the rule is added to iptables it is still serving webpages to the ip address that is banned.
Couple of things.
What version of fail2ban is this?
Which jail is causing you concern?
What does /var/log/fail2ban.log say is happening?
Possibly being "unbanned"?
Post the entries from /etc/fail2ban/jail.local please.
# Generic filter for pam. Has to be used with action which bans all ports
# such as iptables-allports, shorewall
[pam-generic]
enabled = false
# pam-generic filter can be customized to monitor specific subset of 'tty's
filter = pam-generic
# port actually must be irrelevant but lets leave it all for some possible uses
port = all
banaction = iptables-allports
port = anyport
logpath = /var/log/auth.log
maxretry = 6
[xinetd-fail]
enabled = false
filter = xinetd-fail
port = all
banaction = iptables-multiport-log
logpath = /var/log/daemon.log
maxretry = 2
# default action is now multiport, so apache-multiport jail was left
# for compatibility with previous (<0.7.6-2) releases
[apache-multiport]
enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 2
action = hostsdeny[name=fail2ban, port=80, protocol=tcp]
enabled = false
port = ftp,ftp-data,ftps,ftps-data
filter = vsftpd
logpath = /var/log/vsftpd.log
# or overwrite it in jails.local to be
# logpath = /var/log/auth.log
# if you want to rely on PAM failed login attempts
# vsftpd's failregex should match both of those formats
maxretry = 6
enabled = false
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter = sasl
# You might consider monitoring /var/log/mail.warn instead if you are
# running postfix since it would provide the same log lines at the
# "warn" level but overall at the smaller filesize.
logpath = /var/log/mail.log
Failregex
|- Regular expressions:
| [1] ^\[[^]]+\] \[error\] \[client <HOST>\] (File does not exist|script not found or unable to stat): /\S*(\.php|\.asp|\.exe|\.pl)\s*$
| [2] ^\[[^]]+\] \[error\] \[client <HOST>\] script '/\S*(\.php|\.asp|\.exe|\.pl)\S*' not found or unable to stat\s*$
|
`- Number of matches:
[1] 0 match(es)
[2] 77 match(es)
Ignoreregex
|- Regular expressions:
|
`- Number of matches:
I'm using Fail2Ban v0.8.10 so you're not that far "behind" and 0.9.0 (2014/03/15) is the latest.
I also suggest using
Code:
loglevel = 3
in your /etc/fail2ban/fail2ban.conf to reduce the extraneous output in your /var/log/fail2ban.log such as all those DEBUGs.
You'll need to restart fail2ban for either or both edits. This will flush your iptables, so save them with
Code:
service iptables save
or
Code:
iptables-save > /path/to/saved.rules
What are the contents of /etc/fail2ban/filter.d/apache-noscript.conf ?
it did not work....could it be an issue with iptables?
You'll have to be a bit more descriptive than "didn't work".
The issue is NOT with iptables, I don't think.
But this is very curious
Code:
Currently have failures from 1 IPs: [u'124.197.23.113']
The curious is in red.
Code:
WARNING [apache-noscript] Unban 124.197.23.113
You can fix this in 2 ways, set a default "bantime = " in /etc/fail2ban/jail.local under the
[DEFAULT] stanza, and/or set an explicit one in the "[apache-noscript]" stanza
bantime is in seconds.
Under [DEFAULT] this value would be for any stanza that does not have an explicit "bantime =" declared in the jail.
And none of your jails appear to have "bantime =" in them, so [DEFAULT]
Also, DEBUG mode is unnecessary at this time.
Edit /etc/fail2ban/fail2ban.conf and set
Code:
loglevel = 3
Modify /etc/fail2ban/jail.local and use:
Code:
[apache-noscript]
enabled = true
port = http,https
filter = apache-noscript
banaction = apache-noscript
logpath = /var/log/apache*/*error.log
bantime = 31556926 ; 1 year in seconds
maxretry = 2
Code:
; 1 year in seconds
is a comment. You can leave it out or include it as you see it here.
Restart fail2ban
If that doesn't solve the issue, post the entirety of your /etc/fail2ban/jail.local file, sanitize any sensitive IPs, if necessary.
Let us know!
You'll have to be a bit more descriptive than "didn't work".
The issue is NOT with iptables, I don't think.
But this is very curious
Code:
Currently have failures from 1 IPs: [u'124.197.23.113']
The curious is in red.
Code:
WARNING [apache-noscript] Unban 124.197.23.113
You can fix this in 2 ways, set a default "bantime = " in /etc/fail2ban/jail.local under the
[DEFAULT] stanza, and/or set an explicit one in the "[apache-noscript]" stanza
bantime is in seconds.
Under [DEFAULT] this value would be for any stanza that does not have an explicit "bantime =" declared in the jail.
And none of your jails appear to have "bantime =" in them, so [DEFAULT]
Also, DEBUG mode is unnecessary at this time.
Edit /etc/fail2ban/fail2ban.conf and set
Code:
loglevel = 3
Modify /etc/fail2ban/jail.local and use:
Code:
[apache-noscript]
enabled = true
port = http,https
filter = apache-noscript
banaction = apache-noscript
logpath = /var/log/apache*/*error.log
bantime = 31556926 ; 1 year in seconds
maxretry = 2
Code:
; 1 year in seconds
is a comment. You can leave it out or include it as you see it here.
Restart fail2ban
If that doesn't solve the issue, post the entirety of your /etc/fail2ban/jail.local file, sanitize any sensitive IPs, if necessary.
Let us know!
Thank you
I have changed the bantime, logging was already at level 3. Restarted Fail2ban and I am still receiving the same message in the log "2014-07-06 00:32:40,434 fail2ban.actions: WARNING [apache-noscript] 124.197.23.113 already banned"
however this ip can still access the page. Here is my complete jail.conf
Quote:
# Fail2Ban configuration file.
#
# This file was composed for Debian systems from the original one
# provided now under /usr/share/doc/fail2ban/examples/jail.conf
# for additional examples.
#
# To avoid merges during upgrades DO NOT MODIFY THIS FILE
# and rather provide your changes in /etc/fail2ban/jail.local
#
# Author: Yaroslav O. Halchenko <debian@onerussian.com>
#
# $Revision$
#
# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1/8
bantime = 31556926
maxretry = 3
# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto".
# yoh: For some reason Debian shipped python-gamin didn't work as expected
# This issue left ToDo, so polling is default backend for now
backend = auto
#
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = root@localhost
#
# ACTIONS
#
# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define
# action_* variables. Can be overridden globally or per
# section within jail.local file
banaction = iptables-multiport
# email action. Since 0.8.1 upstream fail2ban uses sendmail
# MTA for the mailing. Change mta configuration parameter to mail
# if you want to revert to conventional 'mail'.
mta = sendmail
# Default protocol
protocol = tcp
# Specify chain where jumps would need to be added in iptables-* actions
chain = INPUT
#
# Action shortcuts. To be used to define action parameter
# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
# ban & send an e-mail with whois report to the destemail.
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
%(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
# ban & send an e-mail with whois report and relevant log lines
# to the destemail.
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
%(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
# Choose default action. To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
action = %(action_)s
#
# JAILS
#
# Next jails corresponds to the standard configuration in Fail2ban 0.6 which
# was shipped in Debian. Enable any defined here jail by including
#
# [SECTION_NAME]
# enabled = true
#
# in /etc/fail2ban/jail.local.
#
# Optionally you may override any other parameter (e.g. banaction,
# action, port, logpath, etc) in that section within jail.local
# Generic filter for pam. Has to be used with action which bans all ports
# such as iptables-allports, shorewall
[pam-generic]
enabled = false
# pam-generic filter can be customized to monitor specific subset of 'tty's
filter = pam-generic
# port actually must be irrelevant but lets leave it all for some possible uses
port = all
banaction = iptables-allports
port = anyport
logpath = /var/log/auth.log
maxretry = 6
[xinetd-fail]
enabled = false
filter = xinetd-fail
port = all
banaction = iptables-multiport-log
logpath = /var/log/daemon.log
maxretry = 2
# default action is now multiport, so apache-multiport jail was left
# for compatibility with previous (<0.7.6-2) releases
[apache-multiport]
enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 2
action = hostsdeny[name=fail2ban, port=80, protocol=tcp]
enabled = false
port = ftp,ftp-data,ftps,ftps-data
filter = vsftpd
logpath = /var/log/vsftpd.log
# or overwrite it in jails.local to be
# logpath = /var/log/auth.log
# if you want to rely on PAM failed login attempts
# vsftpd's failregex should match both of those formats
maxretry = 6
enabled = false
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter = sasl
# You might consider monitoring /var/log/mail.warn instead if you are
# running postfix since it would provide the same log lines at the
# "warn" level but overall at the smaller filesize.
logpath = /var/log/mail.log
# These jails block attacks against named (bind9). By default, logging is off
# with bind9 installation. You will need something like this:
#
# logging {
# channel security_file {
# file "/var/log/named/security.log" versions 3 size 30m;
# severity dynamic;
# print-time yes;
# };
# category security {
# security_file;
# };
# };
#
# in your named.conf to provide proper logging
# !!! WARNING !!!
# Since UDP is connection-less protocol, spoofing of IP and imitation
# of illegal actions is way too simple. Thus enabling of this filter
# might provide an easy way for implementing a DoS against a chosen
# victim. See
# http://nion.modprobe.de/blog/archive...-dns-fail.html
# Please DO NOT USE this jail unless you know what you are doing.
#[named-refused-udp]
#
#enabled = false
#port = domain,953
#protocol = udp
#filter = named-refused
#logpath = /var/log/named/security.log
What's in /usr/share/doc/fail2ban/examples/jail.conf?
You installed this, how?
Package Manager (apt-get), or from source?
If from a package manager, any reason you could not remove that and install from a source file download and start over?
There's some stuff you posted in your jail.conf that is not in the source file download, eg:
Code:
# ban & send an e-mail with whois report to the destemail.
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
%(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
# ban & send an e-mail with whois report and relevant log lines
# to the destemail.
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
%(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
