I am receiving an error message from my fail2ban configuration, and I am wondering if anyone can help me with this.
Code:
2009-09-07 20:32:03,707 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.3
2009-09-07 20:32:03,717 fail2ban.jail : INFO Creating new jail 'courierpop3'
2009-09-07 20:32:03,717 fail2ban.jail : INFO Jail 'courierpop3' uses poller
2009-09-07 20:32:03,782 fail2ban.filter : INFO Added logfile = /var/log/mail.log
2009-09-07 20:32:03,783 fail2ban.filter : INFO Set maxRetry = 5
2009-09-07 20:32:03,784 fail2ban.comm : WARNING Invalid command: ['set', 'courierpop3', 'failregex', 'courierpop3login: LOGIN FAILED.*ip=\\[.*:\\]']
I copied exactly the information from falko's tutorial. It can be found here: http://www.howtoforge.com/fail2ban_debian_etch
I am running on Debian Lenny. Thanks.
Here is what I have in the file. It is exactly what you posted in your configuration.
Code:
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1 192.168.1.100
bantime = 600
maxretry = 3
# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto".
# yoh: For some reason Debian shipped python-gamin didn't work as expected
# This issue left ToDo, so polling is default backend for now
backend = polling
#
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = root@localhost
# Default action to take: ban only
action = iptables[name=%(__name__)s, port=%(port)s]

[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 5

[apache]
enabled = true
port = http
filter = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 5

[apache-noscript]
enabled = false
port = http
filter = apache-noscript
logpath = /var/log/apache*/*error.log
maxretry = 5

[vsftpd]
enabled = false
port = ftp
filter = vsftpd
logpath = /var/log/auth.log
maxretry = 5

[proftpd]
enabled = true
port = ftp
filter = proftpd
logpath = /var/log/auth.log
failregex = proftpd: \(pam_unix\) authentication failure; .* rhost=<HOST>
maxretry = 5

[wuftpd]
enabled = false
port = ftp
filter = wuftpd
logpath = /var/log/auth.log
maxretry = 5

[postfix]
enabled = false
port = smtp
filter = postfix
logpath = /var/log/mail.log
maxretry = 5

[courierpop3]
enabled = true
port = pop3
filter = courierlogin
failregex = courierpop3login: LOGIN FAILED.*ip=\[.*:<HOST>\]
logpath = /var/log/mail.log
maxretry = 5

[courierimap]
enabled = true
port = imap2
filter = courierlogin
failregex = imapd: LOGIN FAILED.*ip=\[.*:<HOST>\]
logpath = /var/log/mail.log
maxretry = 5

[sasl]
enabled = true
port = smtp
filter = sasl
failregex = warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed
logpath = /var/log/mail.log
maxretry = 5
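The failregex that the first post's log shows fail2ban refusing (`courierpop3login: LOGIN FAILED.*ip=\\[.*:\\]`) differs from the one in the jail.local above in one place: the `<HOST>` tag is gone. fail2ban substitutes that tag with a named `host` group and has nothing to ban without it. The script below is an added example, not code from the thread or from fail2ban itself; it reproduces that substitution (the `(?:::f{4,6}:)?(?P<host>\S+)` form is an assumption about fail2ban 0.8.x and only matters for stripping the IPv4-mapped prefix) so a failregex from jail.local can be checked against a few log lines before the service is restarted. The mail.log lines are constructed for the example.

```python
import re

# fail2ban replaces <HOST> with a named group. The exact expansion below is an
# assumption about fail2ban 0.8.x; it also swallows an IPv6-mapped "::ffff:" prefix
# so that the captured host is the plain IPv4 address the ban action needs.
HOST_TAG = "<HOST>"
HOST_GROUP = r"(?:::f{4,6}:)?(?P<host>\S+)"


def compile_failregex(pattern):
    """Turn a jail.local failregex into a compiled regex the way the server does.

    A pattern without <HOST> is rejected: with no host group there is no address
    to ban, which is the situation the "Invalid command" warning in the log reflects.
    """
    if HOST_TAG not in pattern:
        raise ValueError("failregex has no %s tag: %r" % (HOST_TAG, pattern))
    return re.compile(pattern.replace(HOST_TAG, HOST_GROUP))


def failed_hosts(pattern, lines):
    """Return the host captured from every log line the failregex matches."""
    regex = compile_failregex(pattern)
    hosts = []
    for line in lines:
        match = regex.search(line)
        if match:
            hosts.append(match.group("host"))
    return hosts


# Constructed sample lines in the shape the courierpop3 jail above expects.
SAMPLE_MAIL_LOG = [
    "Sep  7 20:31:55 mail courierpop3login: LOGIN FAILED, user=bob, ip=[::ffff:192.0.2.10]",
    "Sep  7 20:31:58 mail courierpop3login: LOGIN, user=alice, ip=[::ffff:198.51.100.7]",
    "Sep  7 20:32:01 mail courierpop3login: LOGIN FAILED, user=admin, ip=[::ffff:198.51.100.7]",
]

# The failregex as written in the jail.local above (with the tag) and as it
# appeared in the rejected command from the first post (without it).
JAIL_LOCAL_FAILREGEX = r"courierpop3login: LOGIN FAILED.*ip=\[.*:<HOST>\]"
REJECTED_FAILREGEX = r"courierpop3login: LOGIN FAILED.*ip=\[.*:\]"


if __name__ == "__main__":
    print("hosts with failed logins:", failed_hosts(JAIL_LOCAL_FAILREGEX, SAMPLE_MAIL_LOG))
    try:
        compile_failregex(REJECTED_FAILREGEX)
    except ValueError as err:
        print("rejected:", err)
```

Running it prints the two addresses from the failed-login lines and the rejection for the tag-less pattern; a successful LOGIN line is not counted. When a jail.local regex passes this check but fail2ban still logs "Invalid command", the file on disk is worth diffing against what was pasted, since the tag can be lost on the way.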
Any update on this? An IP is attacking my ftp server, and it is not getting blocked. I would like to get this resolved. Falko, I guess that I am really asking you for help.
I'm not very familiar with 'Fail2Ban', but I noticed in your configuration file you seem to be missing [pureftpd]. You have a few other FTP jails in there but not [pureftpd]. Could this be the problem?
I made the change to pureftpd. Tried to restart fail2ban, and it fails. Falko, should your jail.local file work with Debian Lenny and ISPConfig 3.0.1.4? I thought that it should still be fine. I guess that I am doing something wrong.
It looks like it's fairly easy to set up, but I can't even get it to start. The log file for fail2ban is not telling me anything helpful either. What's up with that?
After investigating a little further into this, it appears that I am missing the 'fail2ban.sock' file, which should be in the /var/run/fail2ban directory. I've set the log level to Debug, but unfortunately nothing is being logged, even when I stop, start or restart it. I can't find this file anywhere. My setup: Ubuntu 8.04, ISPConfig 3.0.1.4. Does anyone have any ideas what I should do from here?
AFAIK the fail2ban.sock file gets generated when the process starts successfully!? I would try to restore the default configuration for fail2ban and then insert the filters from your guide step by step.
Does anyone have a working configuration of Fail2Ban on ISPConfig 3.0.1.4? If so, please post this so that I can see what I am doing wrong! Thanks, Drew
The Fail2ban config is not specific to ISPConfig. If you enter "fail2ban" in the search here on howtoforge, you will find several howtos from falko that explain the fail2ban configuration for different services and Linux distributions.