Hi all, I am installing fail2ban on my VPS running Ubuntu Feisty Fawn server. I have followed the tutorial here: http://www.howtoforge.com/fail2ban_debian_etch However, I am getting this exception in fail2ban.log:

Code:
    fail2ban.comm : WARNING Invalid command: ['set', 'proftpd', 'failregex', 'proftpd:\\(pam_unix\\) authentication failure

Would it be because I don't have proftpd? Thanks and regards, Marco
Hello, I realized that maybe if I post more information, my problem will seem clearer. Here's my jail.local:

Code:
    # Fail2Ban configuration file.
    #
    # This file was composed for Debian systems from the original one
    # provided now under /usr/share/doc/fail2ban/examples/jail.conf
    # for additional examples.
    #
    # To avoid merges during upgrades DO NOT MODIFY THIS FILE
    # and rather provide your changes in /etc/fail2ban/jail.local
    #
    # Author: Yaroslav O. Halchenko <[email protected]>
    #
    # $Revision: 281 $
    #

    # The DEFAULT allows a global definition of the options. They can be override
    # in each jail afterwards.

    [DEFAULT]

    # "ignoreip" can be an IP address, a CIDR mask or a DNS host
    ignoreip = 127.0.0.1 82.113.128.42
    bantime  = 600
    maxretry = 3

    # "backend" specifies the backend used to get files modification. Available
    # options are "gamin", "polling" and "auto".
    # yoh: For some reason Debian shipped python-gamin didn't work as expected
    #      This issue left ToDo, so polling is default backend for now
    backend = polling

    #
    # Destination email address used solely for the interpolations in
    # jail.{conf,local} configuration files.
    destemail = [email protected]

    #
    # ACTIONS
    #
    action = iptables[name=%(__name__)s, port=%(port)s]

    [ssh]
    enabled  = true
    port     = ssh,sftp
    filter   = sshd
    logpath  = /var/log/auth.log
    maxretry = 6

    [ssh-ddos]
    enabled  = false
    port     = ssh,sftp
    filter   = sshd-ddos
    logpath  = /var/log/auth.log
    maxretry = 6

    #
    # HTTP servers
    #

    [apache]
    enabled  = true
    port     = http,https
    filter   = apache-auth
    logpath  = /var/log/apache*/*error.log
    maxretry = 6

    # default action is now multiport, so apache-multiport jail was left
    # for compatibility with previous (<0.7.6-2) releases
    [apache-multiport]
    enabled  = false
    port     = http,https
    filter   = apache-auth
    logpath  = /var/log/apache*/*access.log
    maxretry = 6

    [apache-noscript]
    enabled  = false
    port     = http,https
    filter   = apache-noscript
    logpath  = /var/log/apache*/*error.log
    maxretry = 6

    #
    # FTP servers
    #

    [vsftpd]
    enabled  = false
    port     = ftp,ftp-data,ftps,ftps-data
    filter   = vsftpd
    logpath  = /var/log/.log
    logpath  = /var/log/auth.log
    # if you want to rely on PAM failed login attempts
    # vsftpd's failregex should match both of those formats
    maxretry = 6

    [proftpd]
    enabled  = true
    port     = ftp,ftp-data,ftps,ftps-data
    filter   = proftpd
    logpath  = /var/log/auth.log
    maxretry = 6

    [wuftpd]
    enabled  = false
    port     = ftp,ftp-data,ftps,ftps-data
    filter   = wuftpd
    logpath  = /var/log/auth.log
    maxretry = 6

    #
    # Mail servers
    #

    [postfix]
    enabled  = false
    port     = smtp,ssmtp
    filter   = postfix
    logpath  = /var/log/mail.log

    [couriersmtp]
    enabled  = false
    port     = smtp,ssmtp
    filter   = couriersmtp
    logpath  = /var/log/mail.log

    #
    # Mail servers authenticators: might be used for smtp,ftp,imap servers, so
    # all relevant ports get banned
    #

    [courierpop3]
    enabled   = true
    port      = pop3
    filter    = courierlogin
    failregex = courierpop3login: LOGIN FAILED.*ip=\[.*:<HOST>\]
    logpath   = /var/log/mail.log
    maxretry  = 5

    [courierimap]
    enabled   = true
    port      = imap2
    filter    = courierlogin
    failregex = imapd: LOGIN FAILED.*ip=\[.*:<HOST>\]
    logpath   = /var/log/mail.log
    maxretry  = 5

    [sasl]
    #enabled   = true
    #port      = smtp
    #filter    = sasl
    #failregex = warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-#MD5) authentication failed
    #logpath   = /var/log/mail.log
    #maxretry  = 5

    [sasl]
    enabled  = true
    port     = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
    filter   = sasl
    logpath  = /var/log/mail.log

And here's my fail2ban.log:

Code:
    2008-03-02 12:24:33,477 fail2ban.actions.action: INFO Set actionBan = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
    2008-03-02 12:24:33,478 fail2ban.actions.action: INFO Set actionStop = iptables -D INPUT -p <protocol> --dport <port> -j fail2ban-<name>
    iptables -F fail2ban-<name>
    iptables -X fail2ban-<name>
    2008-03-02 12:24:33,480 fail2ban.actions.action: INFO Set actionStart = iptables -N fail2ban-<name>
    iptables -A fail2ban-<name> -j RETURN
    iptables -I INPUT -p <protocol> --dport <port> -j fail2ban-<name>
    2008-03-02 12:24:33,481 fail2ban.actions.action: INFO Set actionUnban = iptables -D fail2ban-<name> -s <ip> -j DROP
    2008-03-02 12:24:33,482 fail2ban.actions.action: INFO Set actionCheck = iptables -n -L INPUT | grep -q fail2ban-<name>
    2008-03-02 12:24:33,485 fail2ban.jail : INFO Using poller
    2008-03-02 12:24:33,485 fail2ban.filter : INFO Created Filter
    2008-03-02 12:24:33,485 fail2ban.filter : INFO Created FilterPoll
    2008-03-02 12:24:33,486 fail2ban.filter : INFO Added logfile = /var/log/mail.log
    2008-03-02 12:24:33,487 fail2ban.filter : INFO Set maxRetry = 5
    2008-03-02 12:24:33,488 fail2ban.comm : WARNING Invalid command: ['set', 'courierpop3', 'failregex', 'courierpop3login: LOGIN FAILED.*ip=\\[.*:<HOST>\\]']

Could anyone help me fix the regex expression (as it seems to me that that is the problem)? Regards, Marco
Oh, and here's my fail2ban.log:

Code:
    008-03-02 12:22:25,423 fail2ban.server : INFO Exiting Fail2ban
    2008-03-02 12:24:33,461 fail2ban.jail : INFO Using poller
    2008-03-02 12:24:33,469 fail2ban.filter : INFO Created Filter
    2008-03-02 12:24:33,469 fail2ban.filter : INFO Created FilterPoll
    2008-03-02 12:24:33,470 fail2ban.filter : INFO Added logfile = /var/log/auth.log
    2008-03-02 12:24:33,471 fail2ban.filter : INFO Set maxRetry = 6
    2008-03-02 12:24:33,473 fail2ban.filter : INFO Set findtime = 600
    2008-03-02 12:24:33,474 fail2ban.actions: INFO Set banTime = 600
    2008-03-02 12:24:33,477 fail2ban.actions.action: INFO Set actionBan = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
    2008-03-02 12:24:33,478 fail2ban.actions.action: INFO Set actionStop = iptables -D INPUT -p <protocol> --dport <port> -j fail2ban-<name>
    iptables -F fail2ban-<name>
    iptables -X fail2ban-<name>
    2008-03-02 12:24:33,480 fail2ban.actions.action: INFO Set actionStart = iptables -N fail2ban-<name>
    iptables -A fail2ban-<name> -j RETURN
    iptables -I INPUT -p <protocol> --dport <port> -j fail2ban-<name>
    2008-03-02 12:24:33,481 fail2ban.actions.action: INFO Set actionUnban = iptables -D fail2ban-<name> -s <ip> -j DROP
    2008-03-02 12:24:33,482 fail2ban.actions.action: INFO Set actionCheck = iptables -n -L INPUT | grep -q fail2ban-<name>
    2008-03-02 12:24:33,485 fail2ban.jail : INFO Using poller
    2008-03-02 12:24:33,485 fail2ban.filter : INFO Created Filter
    2008-03-02 12:24:33,485 fail2ban.filter : INFO Created FilterPoll
    2008-03-02 12:24:33,486 fail2ban.filter : INFO Added logfile = /var/log/mail.log
    2008-03-02 12:24:33,487 fail2ban.filter : INFO Set maxRetry = 5
    2008-03-02 12:24:33,488 fail2ban.comm : WARNING Invalid command: ['set', 'courierpop3', 'failregex', 'courierpop3login: LOGIN FAILED.*ip=\\[.*:<HOST>\\]']

Regards, Marco
Falko, thanks for replying on a Sunday. Here's what's in proftpd.conf:

Code:
    # Fail2Ban configuration file
    #
    # Author: Yaroslav Halchenko
    #
    # $Revision: 510 $
    #

    [Definition]

    # Option:  failregex
    # Notes.:  regex to match the password failures messages in the logfile. The
    #          host must be matched by a group named "host". The tag "<HOST>" can
    #          be used for standard IP/hostname matching and is only an alias for
    #          (?:::f{4,6}:)?(?P<host>\S+)
    # Values:  TEXT
    #
    failregex = USER \S+: no such user found from \S* ?\[<HOST>\] to \S+\s*$

    # Option:  ignoreregex
    # Notes.:  regex to ignore. If this regex matches, the line is ignored.
    # Values:  TEXT
    #
    ignoreregex =

However, to avoid the problem I have 'disabled' all *ftp, in order to track down the problem. Now it's failing with courierpop3, and here's the most recent failure, courierpop3:

Code:
    2008-03-02 14:57:47,249 fail2ban.comm : WARNING Invalid command: ['set', 'courierpop3', 'failregex', 'courierpop3login: LOGIN FAILED.*ip=\\[.*:<HOST>\\]']

Here's what's in courierlogin.conf:

Code:
    # Fail2Ban configuration file
    #
    # Author: Christoph Haas
    # Modified by: Cyril Jaquier
    #
    # $Revision: 510 $
    #

    [Definition]

    # Option:  failregex
    # Notes.:  regex to match the password failures messages in the logfile. The
    #          host must be matched by a group named "host". The tag "<HOST>" can
    #          be used for standard IP/hostname matching and is only an alias for
    #          (?:::f{4,6}:)?(?P<host>\S+)
    # Values:  TEXT
    #
    failregex = LOGIN FAILED, .*, ip=\[<HOST>\]$

    # Option:  ignoreregex
    # Notes.:  regex to ignore. If this regex matches, the line is ignored.
    # Values:  TEXT
    #
    ignoreregex =

What am I missing? Regards, Marco
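One way to check, offline, whether the failregex values posted in this thread actually match courier and proftpd log lines and capture a host to ban. This is an added example script, not part of the thread and not fail2ban's own code; it expands <HOST> to the alias quoted in the filter file comments above, and the log lines and addresses it tests are constructed, not taken from the poster's server.

```python
import re

# fail2ban expands the <HOST> tag to this alias (quoted from the comments in
# the posted filter files); the named group "host" holds the address to ban.
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>\S+)"

# The three failregex values that appear in the thread.
FAILREGEX = {
    "courierlogin": r"LOGIN FAILED, .*, ip=\[<HOST>\]$",
    "courierpop3 (jail.local)": r"courierpop3login: LOGIN FAILED.*ip=\[.*:<HOST>\]",
    "proftpd": r"USER \S+: no such user found from \S* ?\[<HOST>\] to \S+\s*$",
}

# Constructed sample log lines (not from the poster's machine); the addresses
# are documentation ranges. The third line is a successful login and must not
# match anything.
SAMPLE_LINES = [
    "Mar  2 14:57:47 vps courierpop3login: LOGIN FAILED, user=marco, ip=[::ffff:192.0.2.10]",
    "Mar  2 14:57:50 vps imapd: LOGIN FAILED, user=marco, ip=[::ffff:192.0.2.11]",
    "Mar  2 14:58:01 vps imapd: LOGIN, user=marco, ip=[::ffff:192.0.2.12]",
    "Mar  2 15:00:01 vps proftpd[1234]: vps (198.51.100.7[198.51.100.7]) - "
    "USER nobody: no such user found from 198.51.100.7 [198.51.100.7] to 203.0.113.5:21",
]


def compile_failregex(failregex):
    """Expand <HOST> the way fail2ban does and compile the result."""
    return re.compile(failregex.replace("<HOST>", HOST_ALIAS))


def match_hosts(failregex, lines):
    """Return the host captured from every line the failregex matches.

    The IPv4-mapped prefix ::ffff: is consumed by the alias, so only the
    plain IPv4 address ends up in the "host" group.
    """
    pattern = compile_failregex(failregex)
    return [m.group("host") for m in map(pattern.search, lines) if m]


if __name__ == "__main__":
    for name, regex in FAILREGEX.items():
        print(name, "->", match_hosts(regex, SAMPLE_LINES))
```

If all three patterns report the expected hosts here, the regex syntax itself is not what the server is rejecting, which narrows the "Invalid command" warning to how the failregex is being passed to the server rather than to the pattern.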
Looks ok. Can you see anything like "\\(pam_unix\\) authentication failure" in any of the fail2ban configuration files?
Falko, not in mail.log. I have some in auth.log; it looks like this:

Code:
    (pam_unix) authentication failure; logname=uid=0 euid=0

I'm still keeping DenyHosts running, but it looks like when no auth failure is in the mail.log, I get the exception below and then it seems like fail2ban refuses to run... I might try to disable DenyHosts for a while and see how fail2ban performs, but it seems weird to me that fail2ban still does not update iptables based on, e.g., auth.log. Any more hints on what can cause the problem? If everything I have done looks OK, I'll try to disable DenyHosts and have fail2ban run, to see if it works. Thanks and regards, Marco
Falko, just to make sure I understand your question: when you talk about fail2ban conf files, are you referring to all the logpaths I am configuring in jail.local? Regards, Marco