Fail2Ban not working

Discussion in 'Installation/Configuration' started by bswinnerton, May 8, 2008.

  1. bswinnerton

    bswinnerton New Member

    Ever since I updated to Ubuntu 8.04, I cannot get Fail2Ban to work. I have removed it and re-installed it but still no luck. I am using a jail.local as opposed to just the jail.conf.

    I followed the debian how-to here on howtoforge.

    Here is my jail.local:

    Code:
    # Fail2Ban configuration file.
    #
    # This file was composed for Debian systems from the original one
    #  provided now under /usr/share/doc/fail2ban/examples/jail.conf
    #  for additional examples.
    #
    # To avoid merges during upgrades DO NOT MODIFY THIS FILE
    # and rather provide your changes in /etc/fail2ban/jail.local
    #
    # Author: Yaroslav O. Halchenko <[email protected]>
    #
    # $Revision: 281 $
    #
    
    # The DEFAULT allows a global definition of the options. They can be override
    # in each jail afterwards.
    
    [DEFAULT]
    
    # "ignoreip" can be an IP address, a CIDR mask or a DNS host
    ignoreip = 127.0.0.1 (More are listed, removed for privacy)
    bantime  = 600
    maxretry = 3
    
    # "backend" specifies the backend used to get files modification. Available
    # options are "gamin", "polling" and "auto".
    # yoh: For some reason Debian shipped python-gamin didn't work as expected
    #      This issue left ToDo, so polling is default backend for now
    backend = polling
    
    #
    # Destination email address used solely for the interpolations in
    # jail.{conf,local} configuration files.
    destemail = [email protected]
    
    #
    # ACTIONS
    #
    
    # Default banning action (e.g. iptables, iptables-new,
    # iptables-multiport, shorewall, etc) It is used to define 
    # action_* variables. Can be overriden globally or per 
    # section within jail.local file
    banaction = iptables-multiport
    
    # email action. Since 0.8.1 upstream fail2ban uses sendmail
    # MTA for the mailing. Change mta configuration parameter to mail
    # if you want to revert to conventional 'mail'.
    mta = sendmail
    
    # Default protocol
    protocol = tcp
    
    #
    # Action shortcuts. To be used to define action parameter
    
    # The simplest action to take: ban only
    action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s]
    
    # ban & send an e-mail with whois report to the destemail.
    action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s]
                  %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s]
    
    # ban & send an e-mail with whois report and relevant log lines
    # to the destemail.
    action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s]
                   %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s]
     
    # Choose default action.  To change, just override value of 'action' with the
    # interpolation to the chosen action shortcut (e.g.  action_mw, action_mwl, etc) in jail.local
    # globally (section [DEFAULT]) or per specific section 
    action = %(action_)s
    
    #
    # JAILS
    #
    
    # Next jails corresponds to the standard configuration in Fail2ban 0.6 which
    # was shipped in Debian. Enable any defined here jail by including
    #
    # [SECTION_NAME] 
    # enabled = true
    
    #
    # in /etc/fail2ban/jail.local.
    #
    # Optionally you may override any other parameter (e.g. banaction,
    # action, port, logpath, etc) in that section within jail.local
    
    [ssh]
    
    enabled = true
    port	= ssh,sftp
    filter	= sshd
    logpath  = /var/log/auth.log
    maxretry = 3
    
    # Generic filter for pam. Has to be used with action which bans all ports
    # such as iptables-allports, shorewall
    [pam-generic]
    
    enabled = false
    # pam-generic filter can be customized to monitor specific subset of 'tty's
    filter	= pam-generic
    # port actually must be irrelevant but lets leave it all for some possible uses
    port = all
    banaction = iptables-allports
    port     = anyport
    logpath  = /var/log/auth.log
    maxretry = 6
    
    
    [ssh-ddos]
    
    enabled = false
    port    = ssh,sftp
    filter  = sshd-ddos
    logpath  = /var/log/auth.log
    maxretry = 6
    
    #
    # HTTP servers
    #
    
    [apache]
    
    enabled = true
    port	= http,https
    filter	= apache-auth
    logpath = /var/log/apache*/*access.log
    maxretry = 6
    
    # default action is now multiport, so apache-multiport jail was left
    # for compatibility with previous (<0.7.6-2) releases
    [apache-multiport]
    
    enabled   = false
    port	  = http,https
    filter	  = apache-auth
    logpath   = /var/log/apache*/*access.log
    maxretry  = 6
    
    [apache-noscript]
    
    enabled = false
    port    = http,https
    filter  = apache-noscript
    logpath = /var/log/apache*/*error.log
    maxretry = 6
    
    #
    # FTP servers
    #
    
    [vsftpd]
    
    enabled  = false
    port	 = ftp,ftp-data,ftps,ftps-data
    filter   = vsftpd
    logpath  = /var/log/vsftpd.log
    # or overwrite it in jails.local to be
    # logpath = /var/log/auth.log
    # if you want to rely on PAM failed login attempts
    # vsftpd's failregex should match both of those formats
    maxretry = 6
    
    
    [proftpd]
    
    enabled  = true
    port	 = ftp,ftp-data,ftps,ftps-data
    filter   = proftpd
    logpath  = /var/log/proftpd/proftpd.log
    maxretry = 5
    
    
    [wuftpd]
    
    enabled  = false
    port	 = ftp,ftp-data,ftps,ftps-data
    filter   = wuftpd
    logpath  = /var/log/auth.log
    maxretry = 6
    
    
    #
    # Mail servers
    #
    
    [postfix]
    
    enabled  = false
    port	 = smtp,ssmtp
    filter   = postfix
    logpath  = /var/log/mail.log
    
    
    [couriersmtp]
    
    enabled  = false
    port	 = smtp,ssmtp
    filter   = couriersmtp
    logpath  = /var/log/mail.log
    
    
    #
    # Mail servers authenticators: might be used for smtp,ftp,imap servers, so
    # all relevant ports get banned
    #
    
    [courierauth]
    
    enabled  = false
    port	 = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
    filter   = courierlogin
    logpath  = /var/log/mail.log
    
    
    [sasl]
    
    enabled  = true
    port	 = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
    filter   = sasl
    logpath  = /var/log/mail.log
    maxretry = 5
    
    
    # DNS Servers
    
    # Mention: by default logging is off with bind installation.
    # Need smth like
    # logging {
    #         channel lame-servers_file { file "/var/log/named/lame-servers.log" versions 3 size 30m; severity dynamic; print-time yes; };
    # 		category lame-servers { lame-servers_file; };
    # }
    # in your named.conf to provide proper logging
    
    # Word of Caution:
    # Given filter can lead to DoS attack against your DNS server
    # since there is no way to assure that UDP packets come from the
    # real source IP
    [named-refused-udp]
    
    enabled  = false
    port     = domain,953
    protocol = udp
    filter   = named-refused
    logpath  = /var/log/named/lame-servers.log
    
    [named-refused-tcp]
    
    enabled  = false
    port     = domain,953
    protocol = tcp
    filter   = named-refused
    logpath  = /var/log/named/lame-servers.log
    
    
    
    The logs look normal, beside the fact that it won't pick up hack-in attempts (all that i have seen so far is ssh)

    Any help is much appreciated.
     
  2. falko

    falko Super Moderator ISPConfig Developer

  3. bswinnerton

    bswinnerton New Member

    Alright, I tried it out. Now I'm just going to try to re-enact a break in ..Or just wait the couple seconds it takes to have someone else try =P
     
  4. bswinnerton

    bswinnerton New Member

    =( Still nothing. If I look in the fail2ban log it is running, because it detects log rotations, but it won't block any failed attempts :confused:
     
  5. bswinnerton

    bswinnerton New Member

    Code:
    sudo /etc/init.d/fail2ban restart
     * Restarting authentication failure monitor fail2ban
       ...fail!
    
    What log can I look in to see why it failed? fail2ban.log doesn't have any changes.
     
  6. falko

    falko Super Moderator ISPConfig Developer

    Try syslog.
     
  7. bswinnerton

    bswinnerton New Member

    Nothing in Syslog, but now I have a new problem. I did a apt-get remove fail2ban and then deleted all instances of it using the comand locate. I deleted everything besides the stuff in /var/lib/dpkg/info/ and now when I go to install it, it will say

    Code:
    Building dependency tree       
    Reading state information... Done
    Suggested packages:
      mailx python-gamin
    The following NEW packages will be installed:
      fail2ban
    0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
    Need to get 0B/82.4kB of archives.
    After this operation, 614kB of additional disk space will be used.
    Selecting previously deselected package fail2ban.
    (Reading database ... 31636 files and directories currently installed.)
    Unpacking fail2ban (from .../fail2ban_0.8.2-2_all.deb) ...
    Setting up fail2ban (0.8.2-2) ...
    
    
    But nothing is being created. When I look in /etc/fail2ban there are two folders but no scripts or config files.

    Here is the output of the current state of my machine when I search for fail2ban:

    Code:
    /etc/fail2ban
    /etc/fail2ban/action.d
    /etc/fail2ban/filter.d
    /usr/bin/fail2ban-client
    /usr/bin/fail2ban-regex
    /usr/bin/fail2ban-server
    /usr/share/fail2ban
    /usr/share/doc/fail2ban
    /usr/share/doc/fail2ban/NEWS.Debian.gz
    /usr/share/doc/fail2ban/README
    /usr/share/doc/fail2ban/README.Debian.gz
    /usr/share/doc/fail2ban/TODO
    /usr/share/doc/fail2ban/TODO.Debian
    /usr/share/doc/fail2ban/changelog.Debian.gz
    /usr/share/doc/fail2ban/changelog.gz
    /usr/share/doc/fail2ban/copyright
    /usr/share/doc/fail2ban/examples
    /usr/share/doc/fail2ban/examples/ipmasq-ZZZzzz|fail2ban.rul
    /usr/share/doc/fail2ban/examples/jail.conf.gz
    /usr/share/fail2ban/client
    /usr/share/fail2ban/common
    /usr/share/fail2ban/fail2ban-0.8.2.egg-info
    /usr/share/fail2ban/server
    /usr/share/fail2ban/client/__init__.py
    /usr/share/fail2ban/client/__init__.pyc
    /usr/share/fail2ban/client/actionreader.py
    /usr/share/fail2ban/client/actionreader.pyc
    /usr/share/fail2ban/client/beautifier.py
    /usr/share/fail2ban/client/beautifier.pyc
    /usr/share/fail2ban/client/configparserinc.py
    /usr/share/fail2ban/client/configparserinc.pyc
    /usr/share/fail2ban/client/configreader.py
    /usr/share/fail2ban/client/configreader.pyc
    /usr/share/fail2ban/client/configurator.py
    /usr/share/fail2ban/client/configurator.pyc
    /usr/share/fail2ban/client/csocket.py
    /usr/share/fail2ban/client/csocket.pyc
    /usr/share/fail2ban/client/fail2banreader.py
    /usr/share/fail2ban/client/fail2banreader.pyc
    /usr/share/fail2ban/client/filterreader.py
    /usr/share/fail2ban/client/filterreader.pyc
    /usr/share/fail2ban/client/jailreader.py
    /usr/share/fail2ban/client/jailreader.pyc
    /usr/share/fail2ban/client/jailsreader.py
    /usr/share/fail2ban/client/jailsreader.pyc
    /usr/share/fail2ban/common/__init__.py
    /usr/share/fail2ban/common/__init__.pyc
    /usr/share/fail2ban/common/protocol.py
    /usr/share/fail2ban/common/protocol.pyc
    /usr/share/fail2ban/common/version.py
    /usr/share/fail2ban/common/version.pyc
    /usr/share/fail2ban/server/__init__.py
    /usr/share/fail2ban/server/__init__.pyc
    /usr/share/fail2ban/server/action.py
    /usr/share/fail2ban/server/action.pyc
    /usr/share/fail2ban/server/actions.py
    /usr/share/fail2ban/server/actions.pyc
    /usr/share/fail2ban/server/asyncserver.py
    /usr/share/fail2ban/server/asyncserver.pyc
    /usr/share/fail2ban/server/banmanager.py
    /usr/share/fail2ban/server/banmanager.pyc
    /usr/share/fail2ban/server/datedetector.py
    /usr/share/fail2ban/server/datedetector.pyc
    /usr/share/fail2ban/server/datetemplate.py
    /usr/share/fail2ban/server/datetemplate.pyc
    /usr/share/fail2ban/server/faildata.py
    /usr/share/fail2ban/server/faildata.pyc
    /usr/share/fail2ban/server/failmanager.py
    /usr/share/fail2ban/server/failmanager.pyc
    /usr/share/fail2ban/server/failregex.py
    /usr/share/fail2ban/server/failregex.pyc
    /usr/share/fail2ban/server/filter.py
    /usr/share/fail2ban/server/filter.pyc
    /usr/share/fail2ban/server/filtergamin.py
    /usr/share/fail2ban/server/filtergamin.pyc
    /usr/share/fail2ban/server/filterpoll.py
    /usr/share/fail2ban/server/filterpoll.pyc
    /usr/share/fail2ban/server/jail.py
    /usr/share/fail2ban/server/jail.pyc
    /usr/share/fail2ban/server/jails.py
    /usr/share/fail2ban/server/jails.pyc
    /usr/share/fail2ban/server/jailthread.py
    /usr/share/fail2ban/server/jailthread.pyc
    /usr/share/fail2ban/server/mytime.py
    /usr/share/fail2ban/server/mytime.pyc
    /usr/share/fail2ban/server/server.py
    /usr/share/fail2ban/server/server.pyc
    /usr/share/fail2ban/server/ticket.py
    /usr/share/fail2ban/server/ticket.pyc
    /usr/share/fail2ban/server/transmitter.py
    /usr/share/fail2ban/server/transmitter.pyc
    /usr/share/man/man1/fail2ban-client.1.gz
    /usr/share/man/man1/fail2ban-regex.1.gz
    /usr/share/man/man1/fail2ban-server.1.gz
    /usr/share/pyshared-data/fail2ban
    /var/cache/apt/archives/fail2ban_0.8.2-2_all.deb
    /var/lib/dpkg/info/fail2ban.conffiles
    /var/lib/dpkg/info/fail2ban.list
    /var/lib/dpkg/info/fail2ban.md5sums
    /var/lib/dpkg/info/fail2ban.postinst
    /var/lib/dpkg/info/fail2ban.postrm
    /var/lib/dpkg/info/fail2ban.preinst
    /var/lib/dpkg/info/fail2ban.prerm
    /var/log/fail2ban.log
     
  8. falko

    falko Super Moderator ISPConfig Developer

    Try
    Code:
    apt-get remove --purge fail2ban
    and then install it again.
     
  9. bswinnerton

    bswinnerton New Member

    That worked! It created the config files and filled the log. Now I'll give it a try to see if it blocks again.
     
  10. bswinnerton

    bswinnerton New Member

    wohoo! It works.

    Falko,

    You're the man.
     
  11. bswinnerton

    bswinnerton New Member

    But now I have problems again LOL =(

    I just had to reboot my server and realized that fail2ban wasn't running. So I tried to manually start it and check its status and here is what i get:

    Code:
    admin@myserver:/$ sudo /etc/init.d/fail2ban start
    admin@myserver:/$ sudo /etc/init.d/fail2ban status
     * Status of authentication failure monitor
     *  fail2ban is not runni
    No errors in the logs or anything :confused:
     
  12. CavalierDeVache

    CavalierDeVache New Member

    If you look in the /etc/init.d/fail2ban script near the top of the file you will see that it is looking for the PID file in /tmp/. That has changed and the new location should be /var/run/fail2ban/
     
  13. bswinnerton

    bswinnerton New Member

    Is this what you are referring to?

    Code:
    # Ad-hoc way to parse out socket file name
    SOCKFILE=`grep -h '^[^#]*socket *=' /etc/$NAME/$NAME.conf /etc/$NAME/$NAME.loca$
              | tail -n 1 | sed -e 's/.*socket *= *//g' -e 's/ *$//g'`
    [ -z "$SOCKFILE" ] && SOCKFILE='/tmp/fail2ban.sock'
     
  14. bswinnerton

    bswinnerton New Member

    I changed it to this:

    Code:
    # Ad-hoc way to parse out socket file name
    SOCKFILE=`grep -h '^[^#]*socket *=' /etc/$NAME/$NAME.conf /etc/$NAME/$NAME.loca$
              | tail -n 1 | sed -e 's/.*socket *= *//g' -e 's/ *$//g'`
    [ -z "$SOCKFILE" ] && SOCKFILE='/var/run/fail2ban/fail2ban.sock'
    
    And it still doesn't run. There is no directory /var/run/fail2ban

    Code:
    admin@myserver:/$ ls -s -h /var/run/fail2ban
    ls: cannot access /var/run/fail2ban: No such file or directory
    
     
  15. bswinnerton

    bswinnerton New Member

    Okay!

    I found this bug

    And created /var/run/fail2ban and it was resolved!

    Fail2ban now works.

    (For now).
     
  16. CavalierDeVache

    CavalierDeVache New Member

    I'm sorry I wasn't more verbose, I was in the middle of sorting 3 or 4 things myself with 8.04.

    But there is 1 more problem you will have to deal with, the /var/run directory structure is wiped on every reboot so you will need to create /ver/run/fail2ban from within the init script with a check to see if it already exists.

    Here is a snippet of the script where you can see the changes I made to get it to work.
    Code:
    PATH=/usr/sbin:/usr/bin:/sbin:/bin
    DESC="authentication failure monitor"
    NAME=fail2ban
    
    # /var/run is emptied on reboot, need to create run directory on startup
    FAIL2BANRUNDIR=/var/run/fail2ban
    if [ -d $FAIL2BANRUNDIR ]; then
            #do nothing
            echo "Directory '$FAIL2BANRUNDIR' already exists."
    else
            mkdir -p $FAIL2BANRUNDIR
    fi
    
    # fail2ban-client is not a daemon itself but starts a daemon and
    # loads its with configuration
    DAEMON=/usr/bin/$NAME-client
    SCRIPTNAME=/etc/init.d/$NAME
    
    # Ad-hoc way to parse out socket file name
    SOCKFILE=`grep -h '^[^#]*socket *=' /etc/$NAME/$NAME.conf /etc/$NAME/$NAME.local 2>/dev/null \
              | tail -n 1 | sed -e 's/.*socket *= *//g' -e 's/ *$//g'`
    [ -z "$SOCKFILE" ] && SOCKFILE='/var/run/fail2ban/fail2ban.sock'
     
  17. wheelsofsteel

    wheelsofsteel New Member

    Strangely, I have found that when I log out and log back in the /var/run/fail2ban dir has gone.

    Consequently, I can't start to process. Re-creating the dir seems to do the trick though and the .sock file gets created as expected. Bit strange and never happened on pre 8.04 Ubuntu.
     
  18. bswinnerton

    bswinnerton New Member

    Yes its very odd. But I can confirm that CavalierDeVache's way does work. I think that its a bug in fail2ban and they haven't updated the repositories yet.
     

Share This Page