Difference between revisions of "FAQ english"

From Fail2ban
(Using -U (upgrade) instead of -i (install) prevents getting multiple versions of fail2ban on your system and also works when fail2ban is not installed yet.)
(I have Postfix on my system but no "mail" command. How can I get e-mail notifications?)
Revision as of 20:52, 30 May 2007

General

What is Fail2ban?

Fail2ban scans log files like /var/log/pwdfail or /var/log/apache/error_log and bans IP addresses that make too many password failures. It updates firewall rules to reject the IP address. These rules can be defined by the user. Fail2ban can read multiple log files, such as those of sshd or the Apache web server.

Is Fail2ban free software?

Fail2ban is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

What do you need to run Fail2ban?

Take a look at the Requirements section.

What does the version number of Fail2ban mean?

The structure of the version number is major.minor.revision. Currently the major number is 0. The policy for minor is:

  • odd numbers (0.5, 0.7, etc) are development versions.
  • even numbers (0.6, 0.8, etc) are stable versions.

New features, code refactoring, and configuration or API changes are done mainly in development versions. Stable versions contain security fixes and small improvements that have little chance of breaking something.

Revisions are named alpha, beta, release candidate and stable. Stable versions with even minor versions are always named stable. Development versions are first called alpha, then when stability improves, beta and finally release candidate when the application is close to stabilization.

How to ask for help or submit a bug report or a feature request?

First of all, try to find an answer on this website. Read the FAQ, the Manual and the HOWTOs. Search the mailing list archives and look at the trackers. If you did not find an answer, subscribe to the mailing list and ask your question there. Registration is required in order to avoid spam.

If you are convinced that you found a bug, you can directly create a new ticket here.

If you want to submit a feature request, create a new ticket here.

In both cases, please check first that no similar bug or request has already been submitted.

In any case, when asking for support, please provide the following information:

  • The version of Fail2ban you are running (use -V or --version)
  • The version of Python
  • How you installed Fail2ban (sources, .deb, .rpm, etc)
  • Relevant parts of the configuration files of Fail2ban
  • Logging output of Fail2ban using the DEBUG mode (-vvv and loglevel = 4)

And of course, do not forget to describe clearly your problem.

Installation

Are there RPM/DEB packages for Fail2ban?

Sure. Please take a look at the Downloads section.

How can I install Fail2ban from a RPM/DEB/gentoo package?

If you are using rpm:

rpm -Uvh fail2ban-X.X.X.rpm

If you need to install a src.rpm (source package), follow these instructions:

rpm --rebuild fail2ban-X.X.X.src.rpm

After that, the binary rpm is placed under /usr/src/RPM/RPMS/ix86

rpm -Uhv /usr/src/RPM/RPMS/ix86/fail2ban-X.X.X.rpm

Check the directory the build actually wrote the binary rpm to before running this command: the rebuild prints it in its "Wrote:" line, and the location varies between distributions.

If you want to install Fail2ban from a .deb package:

dpkg -i fail2ban-X.X.X.deb

If you want to install Fail2ban on gentoo:

emerge fail2ban

Configuration

What is the main configuration file for Fail2ban?

The configuration process is rather simple. On the 0.6.x series there is a single configuration file in which all of Fail2ban is configured, located at /etc/fail2ban.conf. Later versions (0.7/0.8) split the configuration into the /etc/fail2ban/ directory (fail2ban.conf, jail.conf and the filter.d/ and action.d/ subdirectories).

You can edit these files with any editor you want: vim, emacs, joe, ae...

The configuration files must be edited as root.

How can Fail2ban be configured?

This step is fully detailed in the HOWTOs chapter.

Can I exclude failed logins for selected users from resulting in a ban?

(I don't know, perhaps that's a feature request.)

Edit: Because Fail2ban knows nothing about the username format in the log file(s) it watches (if usernames are logged at all), the only way to exclude selected users is in the regex of the corresponding service section, for example by ruling out those names with a negative lookahead in the failregex.

Security

What do I have to consider when using Fail2ban?

Especially on systems that provide ssh/CGI/PHP services to unknown users, a local user can get other users, or any IP address of their choosing, blocked from ssh and probably other services. How would a user do so? The user could issue:

logger -p auth.warning -t 'sshd[123]' 'Illegal user user1 from 1.2.3.4'

which writes a line into the auth log that is indistinguishable from a genuine sshd failure, so Fail2ban counts it like any other and, once maxretry is reached, bans 1.2.3.4. Or the malicious user may write to syslog via PHP's openlog()/syslog().

Solution #1: This hazard can be handled via the ownership/permissions of /dev/log, which by default lets every user log. Add a group log, put all daemons and root in that group, restrict /dev/log to it, and be happy. Note that this does not cover the PHP case when the web server itself is in that group: code it runs can still call syslog(), so forged entries remain possible from any process that is allowed to log.
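To make both points concrete, here is an added Python example (not Fail2ban's own code) that applies a Fail2ban-style failregex to a few constructed auth-log lines. It shows the negative-lookahead trick for excluding a selected user, as described under Configuration above, and how the forged logger line from this section is counted like any real failure and gets an arbitrary address banned once maxretry is reached. The simplified <HOST> expansion, the regexes, the log lines and the account name backup are all assumptions made for the example.

```python
import re
from collections import Counter

# Simplified stand-in for Fail2ban's <HOST> token (assumption: the real
# expansion also accepts hostnames and IPv6-mapped prefixes; IPv4 is enough
# to show the point).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"


def compile_failregex(failregex):
    """Turn a Fail2ban-style failregex containing <HOST> into a Python pattern."""
    return re.compile(failregex.replace("<HOST>", HOST))


def count_failures(lines, failregex):
    """Tally matching failures per host, the way a jail does before comparing
    the count with maxretry."""
    pattern = compile_failregex(failregex)
    counts = Counter()
    for line in lines:
        match = pattern.search(line)
        if match:
            counts[match.group("host")] += 1
    return dict(counts)


def hosts_to_ban(lines, failregex, maxretry):
    """Hosts whose failure count reached maxretry, sorted for stable output."""
    counts = count_failures(lines, failregex)
    return sorted(h for h, n in counts.items() if n >= maxretry)


def forged_line(ip, tag="sshd[123]", user="user1"):
    """What `logger -p auth.warning -t 'sshd[123]' 'Illegal user user1 from IP'`
    leaves in the auth log (constructed; timestamp and hostname are made up)."""
    return "Mar 21 10:02:00 host %s: Illegal user %s from %s" % (tag, user, ip)


# Constructed sample auth log (not from a real system).
LOG = [
    "Mar 21 10:00:50 host sshd[4011]: Failed password for root from 10.0.0.5 port 4022 ssh2",
    "Mar 21 10:00:52 host sshd[4011]: Failed password for root from 10.0.0.5 port 4023 ssh2",
    "Mar 21 10:01:01 host sshd[4012]: Failed password for backup from 192.168.1.20 port 5100 ssh2",
    "Mar 21 10:01:03 host sshd[4012]: Illegal user oracle from 10.0.0.5",
]

# Typical sshd failregex (simplified). The second variant excludes the
# hypothetical "backup" account with a negative lookahead: the only way to
# exclude selected users, since Fail2ban itself knows nothing about usernames.
FAILREGEX = r"sshd\[\d+\]: (?:Failed password for|Illegal user) \S+ from <HOST>"
FAILREGEX_NO_BACKUP = r"sshd\[\d+\]: (?:Failed password for|Illegal user) (?!backup )\S+ from <HOST>"

if __name__ == "__main__":
    print(count_failures(LOG, FAILREGEX))
    print(count_failures(LOG, FAILREGEX_NO_BACKUP))
    # Three forged lines from an unprivileged local user are enough to get an
    # unrelated address banned when maxretry = 3.
    forged = LOG + [forged_line("1.2.3.4")] * 3
    print(hosts_to_ban(forged, FAILREGEX, maxretry=3))
```

Nothing in the forged line tells the regex apart from real sshd output, which is why the fix on this page is at the /dev/log permission level rather than in the pattern.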

Troubleshooting

I have Postfix on my system but no "mail" command. How can I get e-mail notifications?

You probably have the sendmail command. Copy /etc/fail2ban/action.d/mail-whois.conf to /etc/fail2ban/action.d/mail-whois.local, edit this file and replace mail with sendmail. Here is an example:

actionban = echo -en "From: root <fail2ban>
            To: <dest>
            Subject: [Fail2Ban] <name>: banned <ip>\n
            Hi,\n
            The IP <ip> has just been banned by Fail2Ban after
            <failures> attempts against <name>.\n\n
            Here is more information about <ip>:\n
            `whois <ip>`\n
            Regards,\n
            Fail2Ban"|sendmail -t

The \n at the end of the Subject line produces the blank line that separates the headers from the body. sendmail -t takes the recipients from the To: header, so <dest> must be set for the action.

The mail.conf action can be adapted in the same way.

Why do my CVS users who connect over SSH get blocked?

If you are using the Eclipse CVS integration with SSH, each CVS access results in a failed login before a valid one is done. As a consequence your CVS users get banned from time to time. If those clients come from known addresses, list them in ignoreip; otherwise raise maxretry for that service so that one failure per access does not reach the threshold.

I get the error "Please check the format and your locale settings"

The error looks like this:

ERROR: time data did not match format: data=Mar 21 10:00:50 fmt=%b %d %H:%M:%S
ERROR: Please check the format and your locale settings.

This is a known bug. Since 0.6.1, Fail2ban uses your locale settings for the date and time format. However, some daemons do not take care of the locale and write their log messages using the POSIX (English) month names. Please look at this bug for more details.

You can try to override the LANG variable:

# LANG=en_US /etc/init.d/fail2ban restart

Note that LC_ALL and LC_TIME take precedence over LANG, so if either is set in the environment the init script runs in, override that variable instead.

You can get all the available locales with:

# locale -a
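As an added illustration (example code, not from Fail2ban), the following Python shows the mechanism behind the error: strptime with %b only accepts the month abbreviations of the current LC_TIME locale, so the English "Mar" that a locale-unaware daemon writes fails under a German or French locale, and forcing the C locale around the parse, which is what LANG=en_US achieves for the whole process, makes it parse again. The sample timestamp is the one from the error message; the locale names tried are assumptions and may not be installed on your host.

```python
import locale
import time
from contextlib import contextmanager

# The format Fail2ban used for syslog-style timestamps (from the error message).
SYSLOG_FMT = "%b %d %H:%M:%S"


@contextmanager
def lc_time(name):
    """Switch LC_TIME to the named locale for the duration of the block and
    restore the previous setting afterwards. Raises locale.Error if the locale
    is not installed."""
    saved = locale.setlocale(locale.LC_TIME)
    locale.setlocale(locale.LC_TIME, name)
    try:
        yield
    finally:
        locale.setlocale(locale.LC_TIME, saved)


def parse_in_locale(stamp, loc, fmt=SYSLOG_FMT):
    """Parse `stamp` with `fmt` under LC_TIME = loc.
    Returns a (month, day, hour, minute, second) tuple on success, False when
    strptime rejects the data (the 'time data did not match format' error from
    the FAQ), or None when the locale is not available on this host."""
    try:
        with lc_time(loc):
            try:
                t = time.strptime(stamp, fmt)
            except ValueError:
                return False
    except locale.Error:
        return None
    return (t.tm_mon, t.tm_mday, t.tm_hour, t.tm_min, t.tm_sec)


def parse_syslog_time(stamp, fmt=SYSLOG_FMT):
    """Parse a syslog timestamp the way a locale-unaware daemon wrote it:
    English month abbreviations, independent of whatever LANG the process
    inherited. This is what LANG=en_US on the command line achieves, done in code."""
    return parse_in_locale(stamp, "C", fmt)


if __name__ == "__main__":
    stamp = "Mar 21 10:00:50"  # the timestamp from the error message above
    print("C locale:", parse_syslog_time(stamp))
    # Assumed locale names; None means the locale is not installed here.
    for loc in ("de_DE.UTF-8", "fr_FR.UTF-8"):
        print(loc + ":", parse_in_locale(stamp, loc))
```

Forcing LC_TIME only around the parse, rather than for the whole process, keeps any locale-dependent output elsewhere unchanged.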

How do I increase verbosity?

To increase the verbosity of Fail2ban, use the command line option -vvv: with the fail2ban command on 0.6.x, or with fail2ban-client on later versions. On versions after 0.6.x you can also set loglevel to 4 in /etc/fail2ban/fail2ban.conf.