Fail2ban talk:Community Portal

From Fail2ban
Jump to: navigation, search

Contents

Misc Questions

RoB:

Hi, i try to make a fail2ban-package for a famous Opensource-Webhosting platform (www.bluequartz.org).

BQ is based on CentOS4 (python >=2.3), so we have to use fail2ban-0.6.x.
 unknown user:
 Jan 25 04:01:05 hostname proftpd[10476]: hostname.domain.com (1.2.3.4[1.2.3.4]) - USER xxxx: no such user found from 1.2.3.4 [1.2.3.4] to 2.3.4.5:21
 existing user, wrong pw:
 Jan 25 04:02:03 hostname proftpd[10495]: hostname.domain.com (1.2.3.4[1.2.3.4]) - USER rob (Login failed): Incorrect password.

But i didnt succeed. Maybe u can help me with that. I cant update to CentOS5 and/or python>=2.4.

Thanx for that wonderful tool :)



I am finding this error a few times on different scripts when installing on CentOS

byte-compiling /usr/share/fail2ban/server/mytime.py to mytime.pyc

 File "/usr/share/fail2ban/server/mytime.py", line 49
   @staticmethod
   ^

SyntaxError: invalid syntax

Any ideas


Are you sure that you have Python 2.4? Annotations are available since Python 2.4. --Lostcontrol 15:53, 8 May 2007 (CEST)


I got 2.4.3 root@usa2 [~]# python -V Python 2.4.3


I installed 2.5.1 and still the same problem.


Now it is working the version 0.6.2 installed from an RPM. I will try again 0.8.0 but later. Thanks

Can someone tell me why I´m getting these errors with fail2ban?

2007-07-07 17:22:09,608 fail2ban.actions.action: CRITICAL Unable to restore environment
2007-07-08 01:57:43,008 fail2ban.actions.action: ERROR  iptables -D INPUT -p tcp --dport http -j fail2ban-apache
iptables -F fail2ban-apache
iptables -X fail2ban-apache returned 100
2007-07-08 01:57:43,933 fail2ban.actions.action: ERROR  iptables -D INPUT -p tcp --dport ssh -j fail2ban-ssh
iptables -F fail2ban-ssh
iptables -X fail2ban-ssh returned 100

I´m using Debian Etch

Thanks!


I got similar errors on startup for iptables -N, iptables -A, and iptables -X and it turned out that the directory where the iptables executable resides (/sbin on my system) was was not included in the PATH environment variable. Adding /sbin to the PATH with:

 PATH=$PATH:/sbin

in the file /etc/init.d/fail2ban fixed the problem on my Redhat Enterprise Linux 5 system.

--Richard


Please use mailing-list for support next time. It seems that your iptables setup (related to fail2ban) get changed while fail2ban is running. Some firewall scripts/apps flush all rules when saving the changes. If fail2ban runs, it will not find its own chains anymore and will try to restore them. --Lostcontrol 09:57, 13 July 2007 (CEST)

Just tried to use latest build 0.8.1 and got thisd output

  1. fail2ban-client -h
 File "/usr/bin/fail2ban-client", line 360
   @staticmethod
   ^

SyntaxError: invalid syntax


I found a way to work around this problem with CentOS. Apparently CentOS has multiple versions of Python installed. Modify /usr/bin/fail2ban-client and /usr/bin/fail2ban-server so that the first line on each reads as follows:

#!/usr/local/bin/python2.4
(or wherever the direct executable for python2.4 is). By default it reads as #!/usr/bin/python, which is apparently an earlier version of python. If you don't know where python2.4 is located, you can find it by typing the following:
whereis python2

--rojo 14:36, 30 Oct 2007 (EST)


In the FAQ this line is not very clear

"You probably have the sendmail command. Copy /etc/fail2ban/action.d/mail-whois.conf to /etc/fail2ban/action.d/mail-whois.local, edit this file and replace mail with sendmail. Here is an example:"

which is "this" file mail-whois.local is what it sounds like


That's correct. You have to edit mail-whois.local. --Lostcontrol 10:17, 13 September 2007 (CEST)


Hello,

I have a CentOS 4 VPS with Python 2.3.

When I restart fail2ban I get this error:

" File "/usr/bin/fail2ban-client", line 360

  @staticmethod
   ^

SyntaxError: invalid syntax "


I made sure to change the paths to #!/usr/local/bin/python2.3 in both /usr/bin/fail2ban-client and /usr/bin/fail2ban-server but it still does not work.

Are there any other ideas?

Thanks

Client/Server Question

What is the purpose/reason to have the server and client separate? Couldn't find this in the wiki, maybe it should be placed in the FAQ?

Memory Usage (160MB for fail2ban-server)

Hi, i like the concept of fail2ban ... but i run it on a Virtul Box ...

The fail2ban-server Prozess need 160MB ... for what ??? its my config/system bugy ?? or its normal ??

I used it on Ubuntu 7.04 Phyton 2.5.3 and de Fail2Ban v0.8.3

  • update on the 20th of January 2011 (author SJL)

A Python application, like fain2ban, might consume a lot of memory only because of the relatively oversized default stack size on Linux.This can be changed by editing the /etc/default/fail2ban (on Debian, please change for your own installation) and appending this to the end of the file:

 ulimit -s 256

The file "/etc/default/fail2ban" will typically looks like this after installing Fail2Ban 8.4 on Debian 6 from the repository:

# This file is part of Fail2Ban.
#
# Fail2Ban is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Fail2Ban is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Fail2Ban; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
#
# Author: Cyril Jaquier
# 
# $Revision: 1.2 $

# Command line options for Fail2Ban. Refer to "fail2ban-client -h" for
# valid options.
FAIL2BAN_OPTS=""

Add "ulimit -s 256" to a new line at the end of the file:

# This file is part of Fail2Ban.
#
# Fail2Ban is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Fail2Ban is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Fail2Ban; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
#
# Author: Cyril Jaquier
# 
# $Revision: 1.2 $

# Command line options for Fail2Ban. Refer to "fail2ban-client -h" for
# valid options.
FAIL2BAN_OPTS=""
ulimit -s 256

It is not added to the FAIL2BAN_OPTS parameter.

Stopping and starting via "fail2ban-client" will not apply this value. You need to reboot your system or restart the daemon with:

# sudo /etc/init.d/fail2ban stop
# sudo /etc/init.d/fail2ban start

The values from "/etc/default/fail2ban" are applied at boot up. Stop and Starting Fail2Ban via "fail2ban-client" will not have this value applied and will revert back to the linux default stack frame used by the ulimit command and the old memory usage of 160MB+.

Before:

USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root      1026  0.0  0.0 150020  8004 ?        Sl   Jan12   0:07 /usr/bin/python /usr/bin/fail2ban-server -b -s /var/run/fail2ban/fail2ban.sock

After:

USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root     29688  1.0  0.0  35600  6528 ?        Sl   10:38   0:00 /usr/bin/python /usr/bin/fail2ban-server -b -s /var/run/fail2ban/fail2ban.sock


The VSZ value has decreased from 150020kB to 35600kB.

I would like to implement this, although I don't seem to have /etc/default/fail2ban. Where else would I need to look to include this in my configuration? and where exactly in the actual file does it need to go? (that is if someone can help me find it)?

Christmas gift - version 0.9 these days ?

Hi - I heavily appreciate fail2ban. Just these days I am configuring 2 new servers opensuse and would love to include some of the new features listed by others above. Like server-IP as sender subject line or so mentioned earlier.

Since we have Christmas time, I was wondering if we may get a Christmas gift - version 0.9 these days ?? Traffic is drastically increasing day by day, so is hacker activity during the weeks before Christmas. Added security let's us sleep much better.

Log Prefix Regex

Can anyone tell me how to recognize this datestamp prefix? I recently upgraded rsyslogd and it changed my log format. I'd rather change fail2ban than change my log back to the old format. Do I have to edit the source code or can it be done in the filter? If it's only in the source code is there any good reason why it isn't done in the filter?

2009-01-15T20:59:46.201822-05:00 nro sshd[5978]: Failed password for invalid user antoine from 116.122.36.95 port 45379 ssh2

BTW Mine is a mail server and I have 50K to 80K bans in iptables. After I reboot I get hammered for days!


--84.80.180.42 09:52, 26 December 2010 (UTC)----

Good question. I just found out it was the rsyslog update that stopped my Fail2Ban from working. The rsyslog update uses a new date/time string. The new rsyslog also comes with a new conf file which contains the following:

$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

It will use the old fashioned data/time string that Fail2Ban works fine with. So you won't have to change your sshd.conf filter. So just restart rsyslog with the new config file and you should be fine again.

Fail2ban on CentOS/RedHat Plesk

I have implemented fail2ban on our Plesk servers for Proftpd and Qmail (so far). I had to put the full path to iptables in the actions.d i.e. /pathtoiptables/iptables -N fail2ban-<name> etc. This is the relevant section of filters.d/proftpd.conf for Plesk users and the logfile is /var/log/messages:

failregex = .*proftpd\[\S+\]: \S+ \(\S+\[<HOST>\]\) - PAM\(\S+\): Authentication failure.$

           .*authentication failure.*rhost=<HOST>.*$'
           .*proftpd\[\S+\]: \S+ \(\S+\[<HOST>\]\) - no such user .*$

In jail.conf I set bantime = 600 and findtime = 30 and it works great. Thank you so much!

For Qmail, I started just trying to block brute force attempts to break into email accounts and here is the relevant section from qmail.conf:

failregex = .*password incorrect from \@ \[<HOST>\].*$

Also works great and the qmail logfile is /usr/local/psa/var/log/maillog.

What I am working on now, and what I would dearly like to get help with is blocking relay attempts. We get about 100K relay attempts per day and I have been trying to find a way to block these. For Plesk users here is the relevant regular expression in the qmail logfile for relay attempts:

.*relaylock: mail from <HOST>.*$

The problems I have is that the relaylock filter blocks genuine users because relaylock sometimes kicks in even for genuine users who have authenticated. This happens for users with PCs but even more frequently for users with Macs, and I am not sure why. Many of our users are assigned dynamic IPs by their ISPs. How can I stop them from getting blocked by this relaylock filter? I have tried putting the major ISPs e.g. aol.com, att.com etc. in ignoreip but some users still got blocked. My assumption is that aol.com is the same to ignoreip as *.aol.com since ignoreip just looks for matches. Is that right? If not, is it possible to use wildcards in ignore IP e.g. *.aol.com or is there an even better way? It would be ideal to be able to specify that: if an IP address matches a particular log entry then it should be automatically added to ignoreip e.g. if the log contains a line where the user successfully authenticated, then the IP they connected from is ignored by fail2ban. That would stop genuine users from being blocked without them having to contact us to let us know their IP address or ISP.[ Any help on this issue would be appreciated since its the main hurdle I need to overcome. If we still have problems with genuine users being blocked by the ed of the week I will just have to remove this filter which would be a shame since it really helps and I am sure it would help many more people with the same problem.

It would be also be nice to have a separate bantime and findtime in jail.conf for qmail, and other applications.

Any tips, pointers, and help, would be much appreciated.

Thanks for fail2ban!

@a

Repeated attempts at DNS lookup

Hey I keep getting lines in the log file that say:

      WARNING Unable to find a corresponding IP address for iblazegreen.rpi.edu

Trying to get rid of that in the logs, but it keeps popping up even though there was only one attempt from that host, almost a month ago. What option can I use to stop it from trying to DNS lookup that host?


Thanks a lot

-Brian

A potential answer: See if the log fail2ban is watching can log IP addresses rather than DNS names. An example: Link to VSFTPD fix

Emails from fail2ban not containing whois info help needed.

Example of an email I received from fail2ban when testing (IP'S edited but were from outside my lan).

Hi,

The IP xx.xx.xx.xx has just been banned by Fail2Ban after 4 attempts against ssh.


Here are more information about xx.xx.xx.xx:


Lines containing IP:xx.xx.xx.xx in /var/log/auth.log

Apr 6 11:55:05 user sshd[8884]: Invalid user dg from xx.xx.xx.xx Apr 6 11:55:05 user sshd[8884]: Failed none for invalid user dg from xx.xx.xx.xx port 57992 ssh2 Apr 6 11:55:09 user sshd[8884]: Failed password for invalid user dg from xx.xx.xx.xx port 57992 ssh2 Apr 6 11:55:13 user sshd[8884]: Failed password for invalid user dg from xx.xx.xx.xx port 57992 ssh2 Apr 6 13:42:53 user sshd[13938]: Invalid user kjhgfd from xx.xx.xx.xx Apr 6 13:42:53 user sshd[13938]: Failed none for invalid user kjhgfd from xx.xx.xx.xx port 59527 ssh2 Apr 6 13:42:59 user sshd[13938]: Failed password for invalid user kjhgfd from xx.xx.xx.xx port 59527 ssh2 Apr 6 13:43:03 user sshd[13938]: Failed password for invalid user kjhgfd from xx.xx.xx.xx port 59527 ssh2


Regards,

Fail2Ban

fail2ban.actions.action ERROR on startup/restart

I had multiple fail2ban.actions.action ERROR on startup/restart. It seems there was a "race" condition with iptables. I solved the problem completely on my system by editing /usr/bin/fail2ban-client and adding a time.sleep(0.1)

def __processCmd(self, cmd, showRet = True):
	beautifier = Beautifier()
	for c in cmd:
		time.sleep(0.1)
		beautifier.setInputCmd(c)
  • Thanks. This patch solved the problem on my server. :) --110.164.236.98 11:55, 13 November 2010 (UTC)
  • Add my thanks. I was having random fail2ban.actions.action ERRORs when doing a restart, but when I executed the same iptables commands by hand they worked fine. Adding your pacing line seems to fix the problem.
  • confirm this fix, it works great for multiple lines of iptables command 122.116.40.15 18:50, 12 January 2011 (UTC)
  • Thanks to 81.149.240.63 and Google. Can't make Fail2ban work after I install a new fresh Debian 6 / Squeeze on my server :( . Adding this "sleep" fix solved the problem. --180.183.210.70 08:07, 19 February 2011 (UTC)
  • worked for me on debian 6 squeeze (without it, random iptables rules were missing) --213.215.116.98 20:40, 12 June 2011 (UTC)
  • Thanks this also helped me fix it, but I needed to add time.sleep(0.3) on my ubuntu 8.04 server or the last rule was still failing. (5 August 2011)
  • Did not work --Mat 16:54, 11 January 2012 (CET)
  • Did not work on VPS hosted Ubuntu 10.04 systems (15th August 2011). The fixed delay time is too regular and still caused the same race condition. A successful resolution was to modify only the relevant action config (in this case iptables-multiport.conf) and insert a random sleep (0.0000 to 2.9999 seconds) before the iptables action, so actionstart becomes:
 actionstart =   sleep `perl -e 'print rand(3);'`
             iptables -N fail2ban-<name>
             iptables -A fail2ban-<name> -j RETURN
             iptables -I INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
Right, but that's extremely inefficient. We have Fail2ban, a Python script, calling sh through exec() (or whatever it's name is in Python) which calls Perl, another interpreted language program, to run a script to actually do the random number generation. The solution would be, of course, to actually fix Fail2ban: Comment in Debian bugtracker. --82.131.35.108 16:37, 12 September 2011 (CEST)
  • Adding a sleep command directly in fail2ban code makes thing work properly:

In /usr/share/fail2ban/server/action.py` (Debian) just add a sleep(1):

 def execActionStart(self):
   startCmd = Action.replaceTag(self.__actionStart, self.__cInfo)
   sleep(1)
   return Action.executeCmd(startCmd)
  • Thanks, the above code works flawlessly on Ubuntu Lucid (10.04) i686 2.6.32-37-generic-pae

Antonio J. de Oliveira

  • The above (Debian) method fails to work in CentOS6 when the server is rebooted, instead the following method worked for me:

In /usr/share/fail2ban/server/action.py at the top, add time to the import:

 import time, logging, os

Then add time.sleep(1) to execActionStart:

 def execActionStart(self):
   startCmd = Action.replaceTag(self.__actionStart, self.__cInfo)
   time.sleep(1)
   return Action.executeCmd(startCmd)

fail2ban ban distribution to multiple servers

I'm using fail2ban for blocking misconfigured mailservers on couple of servers:

 File "/etc/fail2ban/filter.d/postfix-badhelo.conf":
 ...
 failregex = reject: RCPT from (.*)\[<HOST>\]: 450 4.7.1 (.*) Helo command rejected: Host not found
 ...
 File "/etc/fail2ban/filter.d/postfix-nohostname.conf":
 ...
 failregex = reject: RCPT from (.*)\[<HOST>\]: 450 4.7.1 Client host rejected: cannot find your hostname
 ...

Currently my servers are using separate netfilter policies (and each checks it's own /var/log/maillog). I'd like fail2ban to "push" the ban and unban action to remote servers (so fail2ban-server would be aware of it and block/unblock accordingly).

What kind of action would you suggest? I have a couple of ideas but none is good enough:

  • distribute ssh pubkeys between the servers and save them to /root/.ssh/authorized_keys and use ssh action that would connect to the rest of the servers, using iptables remotely... It's really a shame fail2ban-client doesn't support manually banning/unbanning IPs from console)
  • distribute mail logs to multiple servers, which can be a bit awkward

Need help for sendmail+sasl+pam fail2ban config (CentOS/RHEL 5)

I'm on CentOS/RHEL 5, using sendmail 8.13.8 and cyrus-sasl 2.1.22. I'm trying to figure out how to use fail2ban to properly protect against SMTP attacks. Right now, I've implemented the suggestion from theether.net, but that relies on sendmail identifying the SMTP attack... a number of attack methods can completely bypass this and go undetected.

I would prefer to ban based on SASL authentication failures (just like for ssh, etc.). sasl is configured to use PAM, but for some reason, it doesn't log the rhost IP. (sshd, imapd, etc. will all log the rhost IP via pam, but saslauthd won't - it leaves the rhost field blank.). Sendmail doesn't log when an sasl auth failure occurs, so basically I've got a useless log from sasl and no log from sendmail. There are _some_ cotemporal entries from sendmail in the maillog, e.g. the remote host didn't issue VRFY/EXPN/etc.... but those lines can occur legitimately under many circumstances, so should not be used for banning. The spam failure line would be the best, but is useless without an rhost IP.

Does anyone know how I can get saslauthd to properly log the rhost ip via pam? Or, how I can get sendmail to log when an sasl auth failure occurs (including the remote IP)? Extensive googling has revealed nothing, unfortunately. Thanks in advance.

Fail2ban failing to ban when log timestamp is not in the same timezone

Here is a tip for configure Postfix in the same timezone as server:

http://www.afp548.com/article.php?story=20041004001014397

Multiple logpath

Hello How can I configure many logpath for the same rule ? Thanks background check

Personal tools