I had to uninstall fail2ban because I deleted the wrong file. I reinstalled. When I got to the place where I was to create the file jail.local, I copied the file from your install, pasted it into Word, added the IP address of my laptop, then pasted it into the new file jail.local. When I restarted the program I got this error:

Code:
server1:~# vi /etc/fail2ban/jail.local
server1:~# /etc/init.d/fail2ban restart
Restarting authentication failure monitor: fail2banTraceback (most recent call last):
  File "/usr/bin/fail2ban-client", line 333, in ?
    if client.start(sys.argv):
  File "/usr/bin/fail2ban-client", line 311, in start
    return self.__processCommand(args)
  File "/usr/bin/fail2ban-client", line 175, in __processCommand
    self.__readConfig()
  File "/usr/bin/fail2ban-client", line 315, in __readConfig
    self.__configurator.readAll()
  File "/usr/share/fail2ban/client/configurator.py", line 56, in readAll
    self.__jails.read()
  File "/usr/share/fail2ban/client/jailsreader.py", line 41, in read
    ConfigReader.read(self, "jail")
  File "/usr/share/fail2ban/client/configreader.py", line 57, in read
    SafeConfigParser.read(self, [bConf, bLocal])
  File "/usr/lib/python2.4/ConfigParser.py", line 267, in read
    self._read(fp, filename)
  File "/usr/lib/python2.4/ConfigParser.py", line 462, in _read
    raise MissingSectionHeaderError(fpname, lineno, line)
ConfigParser.MissingSectionHeaderError: File contains no section headers.
file: /etc/fail2ban/jail.local, line: 4
'ignoreip = 127.0.0.1 192.168.1.101\n'
 failed!

What does this all mean? It sounded like all I had to change was to add my IP to the ignoreip line.
Here you go:

Code:
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1 192.168.1.101 192.168.1.102
bantime  = 600
maxretry = 3

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto".
# yoh: For some reason Debian shipped python-gamin didn't work as expected
#      This issue left ToDo, so polling is default backend for now
backend = polling

#
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = root@localhost

# Default action to take: ban only
action = iptables[name=%(__name__)s, port=%(port)s]

[ssh]
enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 5

[apache]
enabled  = true
port     = http
filter   = apache-auth
logpath  = /var/log/apache*/*error.log
maxretry = 5

[apache-noscript]
enabled  = false
port     = http
filter   = apache-noscript
logpath  = /var/log/apache*/*error.log
maxretry = 5

[vsftpd]
enabled  = false
port     = ftp
filter   = vsftpd
logpath  = /var/log/auth.log
maxretry = 5

[proftpd]
enabled  = true
port     = ftp
filter   = proftpd
logpath  = /var/log/auth.log
failregex = proftpd: \(pam_unix\) authentication failure; .* rhost=<HOST>
maxretry = 5

[wuftpd]
enabled  = false
port     = ftp
filter   = wuftpd
logpath  = /var/log/auth.log
maxretry = 5

[postfix]
enabled  = false
port     = smtp
filter   = postfix
logpath  = /var/log/mail.log
maxretry = 5

[courierpop3]
enabled  = true
port     = pop3
filter   = courierlogin
failregex = courierpop3login: LOGIN FAILED.*ip=\[.*:<HOST>\]
logpath  = /var/log/mail.log
maxretry = 5

[courierimap]
enabled  = true
port     = imap2
filter   = courierlogin
failregex = imapd: LOGIN FAILED.*ip=\[.*:<HOST>\]
logpath  = /var/log/mail.log
maxretry = 5

[sasl]
enabled  = true
port     = smtp
filter   = sasl
failregex = warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed
logpath  = /var/log/mail.log
maxretry = 5

This is the file I had copied to a text doc.
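The traceback in the first post shows what fail2ban-client actually does with jail.local: it hands jail.conf and jail.local to Python's ConfigParser (the SafeConfigParser.read call), and MissingSectionHeaderError at line 4 means no "[section]" line precedes "ignoreip = ...", which is what a lost "[DEFAULT]" header produces. The following is an added example, not code from the thread or from fail2ban itself, that runs the same parser over a file before you restart, lists the jails that would be enabled, flags ignoreip entries that are not IPs or CIDR masks, and flags the curly quotes and non-breaking spaces a word processor tends to insert. It uses Python 3's configparser (the thread's box ran Python 2.4, where the module is ConfigParser); the two sample files are constructed, and "laptop.example" is a made-up DNS name.

```python
"""Added example: sanity-check a fail2ban jail.local the way fail2ban-client
parses it, before running /etc/init.d/fail2ban restart."""
import configparser
import ipaddress

# Substitutions a word processor commonly makes; none of them is valid in jail.local.
SUSPECT_CHARS = {
    "\u201c": '"', "\u201d": '"',   # curly double quotes
    "\u2018": "'", "\u2019": "'",   # curly single quotes
    "\u00a0": " ",                  # non-breaking space
    "\u2013": "-", "\u2014": "-",   # en/em dash
}


def find_suspect_chars(text):
    """Return (line_number, char) for every word-processor substitution found."""
    return [(lineno, ch)
            for lineno, line in enumerate(text.splitlines(), 1)
            for ch in line if ch in SUSPECT_CHARS]


def parse_jail(text):
    """Parse jail.local with ConfigParser, as fail2ban-client does.

    Returns (config, None) on success or (None, message) when the parser rejects
    the file.  interpolation=None because fail2ban substitutes %(__name__)s and
    %(port)s itself; the stock interpolation would reject them here.
    """
    cp = configparser.ConfigParser(interpolation=None)
    try:
        cp.read_string(text, source="jail.local")
    except configparser.MissingSectionHeaderError as exc:
        return None, "line %d has no [section] header above it: %r" % (
            exc.lineno, exc.line.strip())
    except configparser.Error as exc:
        return None, str(exc)
    return cp, None


def enabled_jails(cp):
    """Names of the jails that would actually be started."""
    return [s for s in cp.sections() if cp.getboolean(s, "enabled", fallback=False)]


def odd_ignoreip_entries(cp):
    """ignoreip entries that are neither an IP address nor a CIDR mask.

    jail.conf's comment also allows DNS hosts, so these are reported, not rejected.
    """
    odd = []
    for entry in cp.defaults().get("ignoreip", "").split():
        try:
            ipaddress.ip_network(entry, strict=False)
        except ValueError:
            odd.append(entry)
    return odd


# Constructed sample: the thread's file as it came out of Word, with the
# "[DEFAULT]" header lost.  Line 4 is the ignoreip line, as in the traceback.
BROKEN_JAIL_LOCAL = (
    "\n"
    '# "ignoreip" can be an IP address, a CIDR mask or a DNS host\n'
    "# (the [DEFAULT] line that belongs above this comment is missing)\n"
    "ignoreip = 127.0.0.1 192.168.1.101\n"
    "bantime = 600\n"
)

# Constructed sample: a cut-down version of the repaired file, plus one DNS-name
# entry in ignoreip ("laptop.example" is made up).
GOOD_JAIL_LOCAL = """[DEFAULT]
ignoreip = 127.0.0.1 192.168.1.101 laptop.example
bantime  = 600
maxretry = 3
action = iptables[name=%(__name__)s, port=%(port)s]

[ssh]
enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 5

[apache]
enabled  = false
port     = http
filter   = apache-auth
logpath  = /var/log/apache*/*error.log
maxretry = 5
"""


def check_file(path):
    """Run every check against a real file and print a short report."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    for lineno, ch in find_suspect_chars(text):
        print("%s:%d: suspicious character %r" % (path, lineno, ch))
    cp, err = parse_jail(text)
    if err:
        print("%s: %s" % (path, err))
        return False
    print("enabled jails:", ", ".join(enabled_jails(cp)))
    for entry in odd_ignoreip_entries(cp):
        print("ignoreip entry %r is not an IP or CIDR (DNS name?)" % entry)
    return True


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "/etc/fail2ban/jail.local"
    sys.exit(0 if check_file(target) else 1)
```

Run it as `python3 checkjail.py /etc/fail2ban/jail.local` (any file name you like for the script); a clean file prints the enabled jails and exits 0, the header-less file from the thread reports line 4 just as fail2ban-client did. Copying the file with WinSCP and editing it in a plain text editor, as suggested later in the thread, avoids the word-processor substitutions in the first place.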
When I checked the file in /etc/fail2ban/jail.local it had a missing part at the front of the file. I fixed it and then restarted it and got this. Is this the correct response after the restart? (Restarting authentication failure monitor: fail2ban) Then it ends up at the command prompt.
Can you check the output of ps aux to see if it's running? If it is, I think you're good to go.
Results from ps aux. I do not see it on here.

Code:
larry@server1:~$ ps aux
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.2   1944   652 ?        Ss   09:55   0:01 init [2]
root         2  0.0  0.0      0     0 ?        S    09:55   0:00 [migration/0]
root         3  0.0  0.0      0     0 ?        SN   09:55   0:00 [ksoftirqd/0]
root         4  0.0  0.0      0     0 ?        S<   09:55   0:00 [events/0]
root         5  0.0  0.0      0     0 ?        S<   09:55   0:00 [khelper]
root         6  0.0  0.0      0     0 ?        S<   09:55   0:00 [kthread]
root         9  0.0  0.0      0     0 ?        S<   09:55   0:00 [kblockd/0]
root        10  0.0  0.0      0     0 ?        S<   09:55   0:00 [kacpid]
root        81  0.0  0.0      0     0 ?        S<   09:55   0:00 [kseriod]
root       117  0.0  0.0      0     0 ?        S    09:55   0:00 [pdflush]
root       118  0.0  0.0      0     0 ?        S    09:55   0:00 [pdflush]
root       119  0.0  0.0      0     0 ?        S<   09:55   0:00 [kswapd0]
root       120  0.0  0.0      0     0 ?        S<   09:55   0:00 [aio/0]
root       574  0.0  0.0      0     0 ?        S<   09:55   0:00 [khubd]
root       937  0.0  0.0      0     0 ?        S<   09:55   0:00 [kjournald]
root      1114  0.0  0.2   2176   612 ?        S<s  09:55   0:00 udevd --daemon
root      1414  0.0  0.0      0     0 ?        S<   09:55   0:00 [kpsmoused]
root      1721  0.0  0.0      0     0 ?        S<   09:55   0:00 [kmirrord]
daemon    1908  0.0  0.1   1688   376 ?        Ss   09:55   0:00 /sbin/portmap
root      2111  0.0  0.2   1624   564 ?        Ss   09:55   0:00 /sbin/syslogd -
root      2117  0.0  0.1   1580   388 ?        Ss   09:55   0:00 /sbin/klogd -x
root      2191  0.0  0.5   2672  1340 ?        S    09:55   0:00 /bin/sh /usr/bi
mysql     2228  0.0  6.7 127276 17412 ?        Sl   09:55   0:00 /usr/sbin/mysql
root      2229  0.0  0.1   1564   512 ?        S    09:55   0:00 logger -p daemo
root      2341  0.0  0.2   1572   560 ?        Ss   09:55   0:00 /usr/sbin/acpid
root      2345  0.0  0.1   1756   404 ?        S    09:55   0:00 /usr/sbin/couri
root      2346  0.0  0.2   1908   604 ?        S    09:55   0:00 /usr/lib/courie
root      2353  0.0  0.1   1908   272 ?        S    09:55   0:00 /usr/lib/courie
root      2354  0.0  0.1   1908   272 ?        S    09:55   0:00 /usr/lib/courie
root      2355  0.0  0.1   1908   272 ?        S    09:55   0:00 /usr/lib/courie
root      2356  0.0  0.1   1908   272 ?        S    09:55   0:00 /usr/lib/courie
root      2357  0.0  0.1   1908   272 ?        S    09:55   0:00 /usr/lib/courie
root      2361  0.0  0.1   1752   328 ?        S    09:55   0:00 /usr/sbin/couri
root      2362  0.0  0.2   1852   552 ?        S    09:55   0:00 /usr/sbin/couri
root      2373  0.0  0.1   1756   332 ?        S    09:55   0:00 /usr/sbin/couri
root      2374  0.0  0.2   1852   556 ?        S    09:55   0:00 /usr/sbin/couri
root      2379  0.0  0.1   1856   508 ?        S    09:55   0:00 /usr/sbin/couri
root      2385  0.0  0.1   1620   316 ?        S    09:55   0:00 /usr/sbin/couri
root      2392  0.0  0.1   1752   328 ?        S    09:55   0:00 /usr/sbin/couri
root      2393  0.0  0.2   1852   552 ?        S    09:55   0:00 /usr/sbin/couri
root      2402  0.0  0.2   1752   568 ?        Ss   09:55   0:00 /usr/sbin/inetd
root      2481  0.0  0.3   7216   984 ?        Ss   09:55   0:00 /usr/sbin/sasla
root      2482  0.0  0.2   7216   540 ?        S    09:55   0:00 /usr/sbin/sasla
root      2483  0.0  0.1   7216   360 ?        S    09:55   0:00 /usr/sbin/sasla
root      2484  0.0  0.1   7216   360 ?        S    09:55   0:00 /usr/sbin/sasla
root      2485  0.0  0.1   7216   360 ?        S    09:55   0:00 /usr/sbin/sasla
root      2491  0.0  0.4   4924  1088 ?        Ss   09:55   0:00 /usr/sbin/sshd
statd     2531  0.0  0.2   1756   740 ?        Ss   09:55   0:00 /sbin/rpc.statd
ntp       2548  0.0  0.5   4132  1336 ?        Ss   09:55   0:00 /usr/sbin/ntpd
daemon    2572  0.0  0.1   1828   412 ?        Ss   09:55   0:00 /usr/sbin/atd
root      2579  0.0  0.3   2192   876 ?        Ss   09:55   0:00 /usr/sbin/cron
root      2614  0.0  1.5 121336  4008 ?        Sl   09:55   0:00 python2.4 /usr/
root      2823  0.0  3.4  14612  8732 ?        Ss   09:56   0:00 /root/ispconfig
root      2824  0.0  0.4   2644  1268 ?        S    09:56   0:00 /bin/bash /root
1001      2829  0.0  2.9  14612  7500 ?        S    09:56   0:00 /root/ispconfig
root      2844  0.0  4.7  36376 12160 ?        Ss   09:56   0:00 /usr/sbin/apach
root      2845  0.0  0.1   1488   288 ?        S    09:56   0:00 /root/ispconfig
www-data  2865  0.0  2.1  36508  5464 ?        S    09:56   0:00 /usr/sbin/apach
www-data  2866  0.0  2.0  36376  5324 ?        S    09:56   0:00 /usr/sbin/apach
www-data  2867  0.0  2.0  36376  5320 ?        S    09:56   0:00 /usr/sbin/apach
www-data  2868  0.0  2.0  36376  5320 ?        S    09:56   0:00 /usr/sbin/apach
www-data  2869  0.0  2.0  36376  5320 ?        S    09:56   0:00 /usr/sbin/apach
root      2930  0.0  0.6   4812  1624 ?        Ss   09:56   0:00 /usr/lib/postfi
postfix   2939  0.0  0.6   4820  1576 ?        S    09:56   0:00 pickup -l -t fi
postfix   2940  0.0  0.6   4856  1616 ?        S    09:56   0:00 qmgr -l -t fifo
bind      2960  0.0  1.0  30268  2744 ?        Ssl  09:56   0:00 /usr/sbin/named
proftpd   2981  0.0  0.5   9152  1508 ?        Ss   09:56   0:00 proftpd: (accep
1001      2990  0.0  0.4   2496  1064 ?        Ss   09:56   0:00 /home/admispcon
root      3016  0.0  0.1   1576   496 tty1     Ss+  09:56   0:00 /sbin/getty 384
root      3017  0.0  0.1   1576   496 tty2     Ss+  09:56   0:00 /sbin/getty 384
root      3018  0.0  0.1   1572   492 tty3     Ss+  09:56   0:00 /sbin/getty 384
root      3019  0.0  0.1   1572   492 tty4     Ss+  09:56   0:00 /sbin/getty 384
root      3020  0.0  0.1   1572   492 tty5     Ss+  09:56   0:00 /sbin/getty 384
root      3023  0.0  0.1   1572   492 tty6     Ss+  09:56   0:00 /sbin/getty 384
root      3464  0.2  0.8   7700  2288 ?        Ss   10:16   0:00 sshd: larry [pr
larry     3468  0.0  0.6   7700  1588 ?        S    10:16   0:00 sshd: larry@pts
larry     3469  3.6  1.1   5384  2916 pts/0    Ss   10:16   0:00 -bash
root      3489  0.0  0.1   1564   400 ?        S    10:16   0:00 sleep 10
larry     3490  0.0  0.3   3428  1000 pts/0    R+   10:16   0:00 ps aux

I might be missing it for some reason.
I don't see it either. Any errors in your logs? What's in /var/log/fail2ban.log? What's in /etc/init.d/fail2ban?
Copying files in PuTTY. How do I copy the whole file in PuTTY? I understand that I need to paste it into Word or some other document program to be able to work with the file. I tried to highlight it, but I can only get so much of the file. Thanks for the help.
You can copy the file over to your desktop (for example with WinSCP) and then open it in your favourite text editor.
/etc/init.d/fail2ban file:

Code:
#! /bin/sh
### BEGIN INIT INFO
# Provides:          fail2ban
# Required-Start:    $local_fs $remote_fs
# Required-Stop:     $local_fs $remote_fs
# Should-Start:      $time $network $syslog iptables firehol shorewall ipmasq
# Should-Stop:       $network $syslog iptables firehol shorewall ipmasq
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Start/stop fail2ban
# Description:       Start/stop fail2ban, a daemon scanning the log files and
#                    banning potential attackers.
### END INIT INFO

# Author: Aaron Isotton <[email protected]>
# Modified: by Yaroslav Halchenko <[email protected]>
#  reindented + minor corrections + to work on sarge without modifications
#

PATH=/usr/sbin:/usr/bin:/sbin:/bin
DESC="authentication failure monitor"
NAME=fail2ban

# fail2ban-client is not a daemon itself but starts a daemon and
# loads its with configuration
DAEMON=/usr/bin/$NAME-client
SOCKFILE=/tmp/$NAME.sock
SCRIPTNAME=/etc/init.d/$NAME

# Exit if the package is not installed
[ -x "$DAEMON" ] || exit 0

# Read configuration variable file if it is present
[ -r /etc/default/$NAME ] && . /etc/default/$NAME

DAEMON_ARGS="$FAIL2BAN_OPTS"

# Load the VERBOSE setting and other rcS variables
[ -f /etc/default/rcS ] && . /etc/default/rcS

# Predefine what can be missing from lsb source later on -- necessary to run
# on sarge. Just present it in a bit more compact way from what was shipped
log_daemon_msg () {
    [ -z "$1" ] && return 1
    echo -n "$1:"
    [ -z "$2" ] || echo -n " $2"
}

# Define LSB log_* functions.
# Depend on lsb-base (>= 3.0-6) to ensure that this file is present.
# Actually has to (>=2.0-7) present in sarge. log_daemon_msg is predefined
# so we must be ok
. /lib/lsb/init-functions

#
# Function that starts the daemon/service
#
do_start()
{
    # Return
    #   0 if daemon has been started
    #   1 if daemon was already running
    #   2 if daemon could not be started
    do_status && return 1

    start-stop-daemon --start --quiet --chuid root --exec $DAEMON -- \
        $DAEMON_ARGS start > /dev/null\
        || return 2
}

#
# Shortcut function for abnormal init script interruption
#
report_bug()
{
    echo $*
    echo "Please submit a bug report to Debian BTS (reportbug fail2ban)"
    exit 1
}

#
# Function that checks the status of fail2ban and returns
# corresponding code
#
do_status()
{
    $DAEMON status > /dev/null
    case $? in
        0) return 0 ;;
        255)
            if [ -S $SOCKFILE ]; then
                if [ -r $SOCKFILE ]; then
                    return 1
                else
                    return 4
                fi
            else
                return 3
            fi
            ;;
        *) report_bug "Unknown return code from fail2ban."
    esac
}

#
# Function that stops the daemon/service
#
do_stop()
{
    # Return
    #   0 if daemon has been stopped
    #   1 if daemon was already stopped
    #   2 if daemon could not be stopped
    #   other if a failure occurred
    $DAEMON status > /dev/null || return 1
    $DAEMON stop > /dev/null || return 2
    return 0
}

#
# Function to reload configuration
#
do_reload() {
    $DAEMON reload > /dev/null && return 0 || return 1
    return 0
}

# yoh:
# shortcut function to don't duplicate case statements and to don't use
# bashisms (arrays). Fixes #368218
#
log_end_msg_wrapper()
{
    [ $1 -lt $2 ] && value=0 || value=1
    log_end_msg $value
}

case "$1" in
  start)
    [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
    do_start
    [ "$VERBOSE" != no ] && log_end_msg_wrapper $? 2
    ;;
  stop)
    [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
    do_stop
    [ "$VERBOSE" != no ] && log_end_msg_wrapper $? 2
    ;;
  restart|force-reload)
    log_daemon_msg "Restarting $DESC" "$NAME"
    do_stop
    case "$?" in
      0|1)
        # now we need actually to wait a bit since it might take time
        # for server to react on client's stop request
        count=1
        while do_status && [ $count -lt 10 ]; do
            sleep 1
            count=$(($count+1))
        done
        [ $count -lt 10 ] || log_end_msg 1 # failed to stop
        do_start
        log_end_msg_wrapper $? 1
        ;;
      *)
        # Failed to stop
        log_end_msg 1
        ;;
    esac
    ;;
  reload|force-reload)
    log_daemon_msg "Reloading $DESC" "$NAME"
    do_reload
    log_end_msg $?
    ;;
  status)
    log_daemon_msg "Status of $DESC"
    do_status
    case $? in
        0) log_success_msg " $NAME is running" ;;
        1) log_failure_msg " $NAME is not running but $SOCKFILE exists" ;;
        3) log_warning_msg " $NAME is not running" ;;
        4) log_failure_msg " $SOCKFILE not readable, status of $NAME unknown";;
        *) report_bug "Unknown status code"
    esac
    ;;
  *)
    echo "Usage: $SCRIPTNAME {start|stop|restart|force-reload|status}" >&2
    exit 3
    ;;
esac

:

The log file you requested has two files. What file do I post? fail2ban.log or fail2ban.log1
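Two things in the thread so far are worth turning into a repeatable check: the ps aux listing above is cut at 80 columns, so the one python2.4 process (PID 2614) shows only "python2.4 /usr/" and nobody can tell what it is, and the init script just posted already encodes the right way to ask whether fail2ban is up (do_status: fail2ban-client's exit code, then the state of /tmp/fail2ban.sock). The following is an added example, not code from the thread, fail2ban or Debian, that ports do_status to Python and searches a full-width process table for fail2ban-server. The two ps samples are constructed from the thread's PID 2614 line; the server's command-line arguments in the wide sample are an assumption about fail2ban 0.8, not something the thread shows.

```python
"""Added example: decide whether fail2ban is running the way the Debian init
script's do_status does, and read the process table without truncation."""
import os
import subprocess

SOCKFILE = "/tmp/fail2ban.sock"   # the path the posted init script builds

# do_status return codes and the messages the script's status target prints.
STATUS_TEXT = {
    0: "fail2ban is running",
    1: "fail2ban is not running but %s exists" % SOCKFILE,
    3: "fail2ban is not running",
    4: "%s not readable, status of fail2ban unknown" % SOCKFILE,
}


def classify_status(client_rc, sock_exists, sock_readable):
    """Port of do_status(): combine fail2ban-client's exit code with the socket state.

    0   -> the server answered over its socket
    255 -> no server; a leftover socket file distinguishes codes 1/4 from 3
    """
    if client_rc == 0:
        return 0
    if client_rc == 255:
        if not sock_exists:
            return 3
        return 1 if sock_readable else 4
    raise RuntimeError("unknown return code from fail2ban-client: %d" % client_rc)


def fail2ban_processes(ps_aux_output):
    """[(pid, command)] for 'ps aux'-style lines whose command runs fail2ban-server.

    ps aux cuts COMMAND at the terminal width, which is why the thread's PID 2614
    shows only "python2.4 /usr/"; 'ps auxww' prints the whole command line.
    """
    found = []
    for line in ps_aux_output.splitlines():
        fields = line.split(None, 10)        # 11 columns: USER PID ... COMMAND
        if len(fields) == 11 and fields[1].isdigit() and "fail2ban-server" in fields[10]:
            found.append((int(fields[1]), fields[10]))
    return found


# Constructed samples.  The first is the thread's PID 2614 line as ps aux printed
# it; the second is the same process as 'ps auxww' would print it (the server's
# arguments are an assumption about fail2ban 0.8, not taken from the thread).
PS_AUX_80COL = """USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.2   1944   652 ?        Ss   09:55   0:01 init [2]
root      2614  0.0  1.5 121336  4008 ?        Sl   09:55   0:00 python2.4 /usr/
"""
PS_AUXWW = """USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.2   1944   652 ?        Ss   09:55   0:01 init [2]
root      2614  0.0  1.5 121336  4008 ?        Sl   09:55   0:00 python2.4 /usr/bin/fail2ban-server -b -s /tmp/fail2ban.sock
"""


def live_status(sockfile=SOCKFILE):
    """Run the real checks on a host with fail2ban installed (root needed for the socket)."""
    rc = subprocess.call(["fail2ban-client", "status"],
                         stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    exists = os.path.exists(sockfile)
    readable = exists and os.access(sockfile, os.R_OK)
    ps = subprocess.run(["ps", "auxww"], capture_output=True, text=True).stdout
    return STATUS_TEXT[classify_status(rc, exists, readable)], fail2ban_processes(ps)


if __name__ == "__main__":
    text, procs = live_status()
    print(text)
    for pid, cmd in procs:
        print("  pid %d: %s" % (pid, cmd))
```

On the box in the thread, `ps auxww | grep '[f]ail2ban'` would have settled the question in one line; the socket-state split matters because a stale /tmp/fail2ban.sock left behind by a crashed server makes `fail2ban-client status` fail even though nothing is listening, and that is exactly the case (code 1) the init script reports separately.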
What's the output of ls -l /usr/bin/fail2ban-client ? Take a look at both. fail2ban.log is the current log file, fail2ban.log1 the old one.
Can you try /etc/init.d/fail2ban restart again? Do you get any error messages? Do you see fail2ban then in the output of ps aux? Any errors in the logs?
Restart:

Code:
Restarting authentication failure monitor: fail2ban

This is what I get when trying to restart. The program is not running when I enter ps aux. I found this error in the log file:

Code:
t maxRetry = 5
2007-07-20 10:47:50,077 fail2ban.filter : INFO Set findtime = 600
2007-07-20 10:47:50,081 fail2ban.actions: INFO Set banTime = 600
2007-07-20 10:47:50,091 fail2ban.filter : INFO Set failregex = (?:(?:Authentication failure|Failed [-/\w+]+) for(?: [iI](?:llegal|nvalid) user)?|[Ii](?:llegal|nvalid) user|ROOT LOGIN REFUSED) .*(?: from|FROM) (?:::f{4,6}:)?(?P<host>\S+)
2007-07-20 10:47:50,094 fail2ban.filter : INFO Set ignoreregex =
2007-07-20 10:47:50,101 fail2ban.actions.action: INFO Set actionBan = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
2007-07-20 10:47:50,105 fail2ban.actions.action: INFO Set actionStop = iptables -D INPUT -p <protocol> --dport <port> -j fail2ban-<name>
iptables -F fail2ban-<name>
iptables -X fail2ban-<name>
2007-07-20 10:47:50,109 fail2ban.actions.action: INFO Set actionStart = iptables -N fail2ban-<name>
iptables -A fail2ban-<name> -j RETURN
i

Root log refused.
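The lines quoted from fail2ban.log are INFO entries, not errors: they record the ssh jail being configured with findtime 600, bantime 600, the sshd failregex, and the iptables commands the action will run. "ROOT LOGIN REFUSED" is one alternative inside that failregex, i.e. a pattern fail2ban looks for in auth.log, not a message about this server. The following is an added example, not code from the thread or from fail2ban, that takes the failregex exactly as logged, runs it over constructed auth.log lines, and applies the thread's ssh jail settings (maxretry 5, findtime 600, the ignoreip list from the posted jail.local) to show which hosts would be banned. The sample log lines, host addresses and the 2007 year used for the timestamps are all assumptions.

```python
"""Added example: run the logged sshd failregex over sample auth.log lines and
apply the thread's ssh jail settings to see which hosts it would ban."""
import re
from collections import defaultdict
from datetime import datetime

# The failregex exactly as fail2ban logged it ("Set failregex = ...") above.
FAILREGEX = re.compile(
    r"(?:(?:Authentication failure|Failed [-/\w+]+) for(?: [iI](?:llegal|nvalid) user)?"
    r"|[Ii](?:llegal|nvalid) user|ROOT LOGIN REFUSED) .*(?: from|FROM) "
    r"(?:::f{4,6}:)?(?P<host>\S+)"
)

# Jail settings from the thread: [ssh] maxretry = 5, findtime = 600 (logged),
# ignoreip from the posted jail.local.
MAXRETRY = 5
FINDTIME = 600
IGNOREIP = {"127.0.0.1", "192.168.1.101", "192.168.1.102"}

SYSLOG_TS = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) ")


def parse_ts(line, year=2007):
    """Syslog stamps carry no year; assume the one from the posted log."""
    m = SYSLOG_TS.match(line)
    return datetime.strptime("%d %s" % (year, m.group(1)), "%Y %b %d %H:%M:%S")


def failures(lines):
    """(timestamp, host) for every line the failregex matches, like the sshd filter."""
    out = []
    for line in lines:
        m = FAILREGEX.search(line)
        if m:
            out.append((parse_ts(line), m.group("host")))
    return out


def hosts_to_ban(lines, maxretry=MAXRETRY, findtime=FINDTIME, ignoreip=IGNOREIP):
    """Hosts that reach maxretry failures inside a findtime window, ignoreip excluded."""
    recent = defaultdict(list)
    banned = []
    for ts, host in failures(lines):
        if host in ignoreip:
            continue
        recent[host] = [t for t in recent[host] if (ts - t).total_seconds() <= findtime]
        recent[host].append(ts)
        if len(recent[host]) >= maxretry and host not in banned:
            banned.append(host)
    return banned


def _line(ts, pid, msg):
    return "Jul 20 %s server1 sshd[%d]: %s" % (ts, pid, msg)


# Constructed auth.log lines (not from the thread).  10.0.0.5 makes five
# failures in a minute, 192.168.1.101 (the laptop in ignoreip) makes five too,
# 10.0.0.7 makes four, and one line is a successful login.
SAMPLE_AUTH_LOG = [
    _line("10:48:01", 3501, "Failed password for invalid user admin from 10.0.0.5 port 40321 ssh2"),
    _line("10:48:03", 3502, "Failed password for invalid user admin from 10.0.0.5 port 40322 ssh2"),
    _line("10:48:05", 3503, "Failed password for root from 10.0.0.5 port 40323 ssh2"),
    _line("10:48:07", 3504, "Failed password for root from ::ffff:10.0.0.5 port 40324 ssh2"),
    _line("10:48:09", 3505, "ROOT LOGIN REFUSED FROM 10.0.0.5"),
    _line("10:48:12", 3506, "Accepted password for larry from 192.168.1.101 port 1034 ssh2"),
] + [
    _line("10:49:%02d" % (2 * i), 3510 + i,
          "Failed password for larry from 192.168.1.101 port %d ssh2" % (1040 + i))
    for i in range(5)
] + [
    _line("10:50:%02d" % (3 * i), 3520 + i, "Illegal user test from 10.0.0.7")
    for i in range(4)
]


if __name__ == "__main__":
    for ts, host in failures(SAMPLE_AUTH_LOG):
        print(ts, host)
    print("would ban:", hosts_to_ban(SAMPLE_AUTH_LOG))
```

Note the `(?:::f{4,6}:)?` group: it strips the "::ffff:" prefix sshd writes for IPv4 clients on an IPv6 socket, so the fourth sample line counts against 10.0.0.5 rather than against a separate "::ffff:10.0.0.5" host. The laptop at 192.168.1.101 never reaches the ban list no matter how many failures it produces, which is the whole point of the ignoreip edit that started the thread.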