I need some help and clarity on what I need to do. I went through centos 5.3 perfect server setup. So, iptables is off and fail2ban is on. I turned on the default firewall ports for the server in ipsconfig 3 admin. It works, I tested it by opening and closing a few ports. ISP Config 3 tells me "fail2ban is not installed at this server. See more (for debian) here..." I try to ssh in as root and use bad passwords over and over, then after about 6 or 7 tries I get the boot, then I can go right back and try again. Why is my IP not banned? And why does ISPConfig 3 say "fail2ban is not installed at this server" Thanks!!! vi /etc/fail2ban/filter.d/sshd.conf Code: # Fail2Ban configuration file # # Author: Cyril Jaquier # # $Revision: 663 $ # [INCLUDES] # Read common prefixes. If any customizations available -- read them from # common.local before = common.conf [Definition] _daemon = sshd # Option: failregex # Notes.: regex to match the password failures messages in the logfile. The # host must be matched by a group named "host". The tag "<HOST>" can # be used for standard IP/hostname matching and is only an alias for # (?:::f{4,6}:)?(?P<host>\S+) # Values: TEXT # failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$ ^%(__prefix_line)sFailed [-/\w]+ for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$ ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$ ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$ ^%(__prefix_line)sUser \S+ from <HOST> not allowed because not listed in AllowUsers$ ^%(__prefix_line)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$ ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$ ^%(__prefix_line)sAddress <HOST> .* POSSIBLE BREAK-IN ATTEMPT\s*$ # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. # Values: TEXT # ignoreregex = vi /etc/fail2ban/jail.conf (with new "logpath = /var/log/secure" path) Code: # Fail2Ban configuration file # # Author: Cyril Jaquier # # $Revision: 617 $ # # The DEFAULT allows a global definition of the options. They can be override # in each jail afterwards. [DEFAULT] # "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not # ban a host which matches an address in this list. Several addresses can be # defined using space separator. ignoreip = 127.0.0.1 # "bantime" is the number of seconds that a host is banned. bantime = 600 # A host is banned if it has generated "maxretry" during the last "findtime" # seconds. findtime = 600 # "maxretry" is the number of failures before a host get banned. maxretry = 3 # "backend" specifies the backend used to get files modification. Available # options are "gamin", "polling" and "auto". This option can be overridden in # each jail too (use "gamin" for a jail and "polling" for another). # # gamin: requires Gamin (a file alteration monitor) to be installed. If Gamin # is not installed, Fail2ban will use polling. # polling: uses a polling algorithm which does not require external libraries. # auto: will choose Gamin if available and polling otherwise. backend = auto # This jail corresponds to the standard configuration in Fail2ban 0.6. # The mail-whois action send a notification e-mail with a whois request # in the body. [ssh-iptables] enabled = false filter = sshd action = iptables[name=SSH, port=ssh, protocol=tcp] sendmail-whois[name=SSH, [email protected], [email protected]] logpath = /var/log/secure maxretry = 3 [proftpd-iptables] enabled = false filter = proftpd action = iptables[name=ProFTPD, port=ftp, protocol=tcp] sendmail-whois[name=ProFTPD, [email protected]] logpath = /var/log/proftpd/proftpd.log "/etc/fail2ban/jail.conf" 205L, 5658C My log file as I try to break in as root: Code: Aug 13 05:17:35 server sshd[10791]: PAM 7 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=66.42.154.202 Aug 13 05:17:35 server sshd[10791]: PAM service(sshd) ignoring max retries; 8 > 3 Aug 13 05:17:47 server sshd[10828]: reverse mapping checking getaddrinfo for fuse-dedicated-66-42-154-202.fuse.net failed - POSSIBLE BREAK-IN ATTEMPT! Aug 13 05:17:47 server sshd[10828]: Accepted password for root from 66.42.154.202 port 35685 ssh2 Aug 13 05:17:47 server sshd[10828]: pam_unix(sshd:session): session opened for user root by (uid=0) Aug 13 05:23:17 server sshd[10828]: pam_unix(sshd:session): session closed for user root Aug 13 05:25:13 server sshd[11212]: reverse mapping checking getaddrinfo for fuse-dedicated-66-42-154-202.fuse.net failed - POSSIBLE BREAK-IN ATTEMPT! Aug 13 05:25:13 server sshd[11212]: Accepted password for root from 66.42.154.202 port 39441 ssh2 Aug 13 05:25:13 server sshd[11212]: pam_unix(sshd:session): session opened for user root by (uid=0) Aug 13 05:32:15 server sshd[11212]: pam_unix(sshd:session): session closed for user root Aug 13 05:42:50 server sshd[12434]: reverse mapping checking getaddrinfo for fuse-dedicated-66-42-154-202.fuse.net failed - POSSIBLE BREAK-IN ATTEMPT! Aug 13 05:42:50 server sshd[12434]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=66.42.154.202 user=root Aug 13 05:42:53 server sshd[12434]: Failed password for root from 66.42.154.202 port 48067 ssh2 Aug 13 05:43:27 server last message repeated 7 times Aug 13 05:43:27 server sshd[12435]: Disconnecting: Too many authentication failures for root Aug 13 05:43:27 server sshd[12434]: PAM 7 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=66.42.154.202 user=root Aug 13 05:43:27 server sshd[12434]: PAM service(sshd) ignoring max retries; 8 > 3 Aug 13 05:43:38 server sshd[12472]: reverse mapping checking getaddrinfo for fuse-dedicated-66-42-154-202.fuse.net failed - POSSIBLE BREAK-IN ATTEMPT! Aug 13 05:43:38 server sshd[12472]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=66.42.154.202 user=root Aug 13 05:43:41 server sshd[12472]: Failed password for root from 66.42.154.202 port 48627 ssh2 Aug 13 05:43:45 server sshd[12473]: fatal: Read from socket failed: Connection reset by peer Aug 13 05:45:01 server sshd[12515]: reverse mapping checking getaddrinfo for fuse-dedicated-66-42-154-202.fuse.net failed - POSSIBLE BREAK-IN ATTEMPT! Aug 13 05:45:01 server sshd[12515]: Accepted password for root from 66.42.154.202 port 49833 ssh2 Aug 13 05:45:01 server sshd[12515]: pam_unix(sshd:session): session opened for user root by (uid=0)
I did find 1 error on my part "enabled = false" needs to be "enabled = true" in the jail config. It still takes 7 failed attempts to get dropped, and does NOT ban my IP at all, so I can try to hack in all day. It also shows up in my log now inside ISPConfig 3. Code: 2009-08-13 11:42:58,295 fail2ban.jail : INFO Using Gamin 2009-08-13 11:42:58,301 fail2ban.filter : INFO Created Filter 2009-08-13 11:42:58,302 fail2ban.filter : INFO Created FilterGamin 2009-08-13 11:42:58,302 fail2ban.filter : INFO Added logfile = /var/log/secure 2009-08-13 11:42:58,305 fail2ban.filter : INFO Set maxRetry = 3 2009-08-13 11:42:58,306 fail2ban.filter : INFO Set findtime = 600 2009-08-13 11:42:58,306 fail2ban.actions: INFO Set banTime = 600 2009-08-13 11:42:58,329 fail2ban.actions.action: INFO Set actionBan = iptables -I fail2ban- 1 -s -j DROP 2009-08-13 11:42:58,329 fail2ban.actions.action: INFO Set actionStop = iptables -D INPUT -p --dport -j fail2ban- iptables -F fail2ban- iptables -X fail2ban- 2009-08-13 11:42:58,330 fail2ban.actions.action: INFO Set actionStart = iptables -N fail2ban- iptables -A fail2ban- -j RETURN iptables -I INPUT -p --dport -j fail2ban- 2009-08-13 11:42:58,330 fail2ban.actions.action: INFO Set actionUnban = iptables -D fail2ban- -s -j DROP 2009-08-13 11:42:58,331 fail2ban.actions.action: INFO Set actionCheck = iptables -n -L INPUT | grep -q fail2ban- 2009-08-13 11:42:58,332 fail2ban.actions.action: INFO Set actionBan = printf %b "Subject: [Fail2Ban] : banned From: Fail2Ban <> To: \n Hi,\n The IP has just been banned by Fail2Ban after attempts against .\n\n Here are more information about :\n `/usr/bin/whois `\n Regards,\n Fail2Ban" | /usr/sbin/sendmail -f 2009-08-13 11:42:58,333 fail2ban.actions.action: INFO Set actionStop = printf %b "Subject: [Fail2Ban] : stopped From: Fail2Ban <> To: \n Hi,\n The jail has been stopped.\n Regards,\n Fail2Ban" | /usr/sbin/sendmail -f 2009-08-13 11:42:58,333 fail2ban.actions.action: INFO Set actionStart = printf %b "Subject: [Fail2Ban] : started From: Fail2Ban <> To: \n Hi,\n The jail has been started successfully.\n Regards,\n Fail2Ban" | /usr/sbin/sendmail -f 2009-08-13 11:42:58,334 fail2ban.actions.action: INFO Set actionUnban = 2009-08-13 11:42:58,334 fail2ban.actions.action: INFO Set actionCheck = 2009-08-13 11:42:58,335 fail2ban.jail : INFO Using Gamin 2009-08-13 11:42:58,335 fail2ban.filter : INFO Created Filter 2009-08-13 11:42:58,335 fail2ban.filter : INFO Created FilterGamin 2009-08-13 11:42:58,336 fail2ban.filter : INFO Set maxRetry = 3 2009-08-13 11:42:58,337 fail2ban.filter : INFO Set findtime = 600 2009-08-13 11:42:58,337 fail2ban.actions: INFO Set banTime = 300 2009-08-13 11:42:58,338 fail2ban.actions.action: INFO Set actionBan = IP= && printf %b "ALL: $IP\n" >> 2009-08-13 11:42:58,339 fail2ban.actions.action: INFO Set actionStop = 2009-08-13 11:42:58,339 fail2ban.actions.action: INFO Set actionStart = 2009-08-13 11:42:58,340 fail2ban.actions.action: INFO Set actionUnban = IP= && sed -i.old /ALL:\ $IP/d 2009-08-13 11:42:58,340 fail2ban.actions.action: INFO Set actionCheck = 2009-08-13 11:42:58,341 fail2ban.actions.action: INFO Set actionBan = printf %b "Subject: [Fail2Ban] : banned From: Fail2Ban <> To: \n Hi,\n The IP has just been banned by Fail2Ban after attempts against .\n Regards,\n Fail2Ban" | /usr/sbin/sendmail -f 2009-08-13 11:42:58,341 fail2ban.actions.action: INFO Set actionStop = printf %b "Subject: [Fail2Ban] : stopped From: Fail2Ban <> To: \n Hi,\n The jail has been stopped.\n Regards,\n Fail2Ban" | /usr/sbin/sendmail -f 2009-08-13 11:42:58,342 fail2ban.actions.action: INFO Set actionStart = printf %b "Subject: [Fail2Ban] : started From: Fail2Ban <> To: \n Hi,\n The jail has been started successfully.\n Regards,\n Fail2Ban" | /usr/sbin/sendmail -f 2009-08-13 11:42:58,342 fail2ban.actions.action: INFO Set actionUnban = 2009-08-13 11:42:58,343 fail2ban.actions.action: INFO Set actionCheck = 2009-08-13 11:42:58,344 fail2ban.jail : INFO Using Gamin 2009-08-13 11:42:58,344 fail2ban.filter : INFO Created Filter 2009-08-13 11:42:58,345 fail2ban.filter : INFO Created FilterGamin 2009-08-13 11:42:58,345 fail2ban.filter : INFO Set maxRetry = 3 2009-08-13 11:42:58,346 fail2ban.comm : WARNING Invalid command: ['set', 'ssh-tcpwrapper', 'ignoreregex', 'for myuser from']
One more question, I see sendmail is used to email the admin if someone was banned, ISPConfig 3 does not use sendmail right? Can this be changed to use mail server used by ISPConfig 3? Thanks
