Difference between revisions of "FAQ english"
Revision as of 21:28, 17 April 2009

Security

What do I have to consider when using Fail2ban?

On systems that provide SSH/CGI/PHP services to untrusted users in particular, it is possible for a local user to get other users blocked from SSH and probably other services. How? The user could issue:

logger -p auth.warning -t 'sshd[123]' 'Illegal user user1 from 1.2.3.4'

Or a malicious user may write to syslog via PHP's openlog()/syslog().

Solution #1: This security hazard can be handled via the ownership/permissions of /dev/log, which by default lets every user log. Just add a group (e.g. log), give that group the write access to /dev/log, add root and all logging daemons to it, and be happy.

What about log injection?

Fail2ban parses the log files of other services and can therefore be vulnerable to log injection. Daniel B. Cid describes this kind of issue in Attacking Log analysis tools. I strongly suggest that you read this article. We will always try to provide safe configuration files. In addition, you can use fail2ban-regex to test your configuration files against forged log lines.
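The following is an added example, not code from the Fail2ban wiki or project: a small Python script that mimics what fail2ban-regex does, expanding <HOST> (the 0.8-era definition is assumed) and running a failregex over constructed log lines, to show why a filter must pin <HOST> to the end of the line when the message contains user-supplied text.

```python
import re

# Assumption: this is what fail2ban (0.8-era) substitutes for the <HOST> placeholder;
# check filter.d/common.conf on your version.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# Syslog prefix as written for sshd: "Mon DD HH:MM:SS hostname sshd[pid]: "
PREFIX_RE = r"^\w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \S+ sshd\[\d+\]: "

# Constructed sample lines using RFC 5737 documentation addresses. The second line
# is what sshd would write when a client at 203.0.113.7 offers the user name
# "bob from 198.51.100.9": client-chosen text lands inside the log message.
LOG_LINES = [
    "Apr 17 21:28:01 srv sshd[4242]: Invalid user admin from 203.0.113.7",
    "Apr 17 21:28:03 srv sshd[4243]: Invalid user bob from 198.51.100.9 from 203.0.113.7",
    "Apr 17 21:28:09 srv sshd[4244]: Accepted publickey for alice from 192.0.2.5 port 51514 ssh2",
]

# Loose filter: nothing ties <HOST> to the end of the line, so the first "from"
# inside the user name wins and an address the client chose would be banned.
LOOSE_FAILREGEX = r"Invalid user .*? from <HOST>"
# Hardened filter: <HOST> must be the last token, which is why fail2ban's shipped
# sshd.conf ends its expressions with \s*$.
STRICT_FAILREGEX = r"Invalid user .*? from <HOST>\s*$"


def compile_failregex(failregex):
    """Expand <HOST> the way fail2ban does and prepend the syslog prefix."""
    return re.compile(PREFIX_RE + failregex.replace("<HOST>", HOST_RE))


def extract_hosts(failregex, lines):
    """Return the host each matching line would be banned for (what fail2ban-regex reports)."""
    rx = compile_failregex(failregex)
    hosts = []
    for line in lines:
        m = rx.search(line)
        if m:
            hosts.append(m.group("host"))
    return hosts


if __name__ == "__main__":
    print("loose :", extract_hosts(LOOSE_FAILREGEX, LOG_LINES))   # ['203.0.113.7', '198.51.100.9']
    print("strict:", extract_hosts(STRICT_FAILREGEX, LOG_LINES))  # ['203.0.113.7', '203.0.113.7']
```

Note that a line forged through logger with the tag 'sshd[123]', as shown in the previous question, is indistinguishable from a real sshd line to any regex; that case is only closed by the /dev/log permissions fix.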

Troubleshooting

I have Postfix on my system but no "mail" command. How can I get e-mail notifications?

As of version 0.8.1, the "mail" actions are deprecated. Please use the "sendmail" ones instead, e.g. sendmail-whois instead of mail-whois in your jail.[conf|local].

You probably have the sendmail command. Copy /etc/fail2ban/action.d/mail-whois.conf to /etc/fail2ban/action.d/mail-whois.local, edit this file and replace mail with sendmail. Here is an example:

actionban = echo -en "From:root <fail2ban>
            To: <dest>
            Subject: [Fail2Ban] <name>: banned <ip>
            Hi,\n
            The IP <ip> has just been banned by Fail2Ban after
            <failures> attempts against <name>.\n\n
            Here are more information about <ip>:\n
            `whois <ip>`\n
            Regards,\n
            Fail2Ban"|sendmail -t  

mail.conf can be modified in the same way.

Why do my CVS users using SSH get blocked?

If you are using the Eclipse CVS integration with SSH, each CVS access produces a failed login attempt before the successful one. As a consequence, your CVS users get banned from time to time.

I get the error "Please check the format and your locale settings"

The error looks like this:

ERROR: time data did not match format: data=Mar 21 10:00:50 fmt=%b %d %H:%M:%S
ERROR: Please check the format and your locale settings.

This is a known bug. Since 0.6.1, Fail2ban uses your locale settings for the date and time format. However, some daemons ignore the locale and write their log messages using the POSIX standard. Please look at this bug for more details.

You can try to override the LANG variable:

# LANG=en_US /etc/init.d/fail2ban restart

You can list all available locales with:

# locale -a

How do I increase verbosity?

To increase the verbosity of Fail2ban, use the command line option -vvv for fail2ban-client and fail2ban (0.6.x only). Set loglevel to 4 in /etc/fail2ban/fail2ban.conf (versions newer than 0.6.x only).

Fail2ban is running but not banning SSH bruteforce

NB: This example is based on a Debian system, but the same checks can easily be done on any distribution.

The package is properly installed:

# dpkg -l |grep fail
ii  fail2ban                      0.8.1-2                         bans IPs that cause multiple authentication

The service is running:

# /etc/init.d/fail2ban status                                      
Status of authentication failure monitor: fail2ban is running

SSH jail is set up and ready:

# fail2ban-client status                                           
Status                                                                          
|- Number of jail:      1                                                       
`- Jail list:           ssh

SSH bruteforce log lines are recognized by fail2ban:

# fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf
....
Success, the total number of match is 30

So, check that all your logs are synchronized: all log files (auth.log, syslog, ...) must use the same time reference. If your server is not very busy, there will probably be a noticeable gap between the output of the date command and the last event logged in syslog. You can force a fresh syslog entry with the logger command and then compare its timestamp with the output of date:

# date
Wed Nov 28 13:49:02 CET 2007
# tail -2 /var/log/auth.log
Nov 28 13:39:12 <SERVERNAME> sudo: pam_unix(sudo:session): session opened for user root by <user>(uid=0)
Nov 28 13:39:12 <SERVERNAME> sudo: pam_unix(sudo:session): session closed for user root

If the time reference is not the same everywhere, fail2ban won't ban any IP!
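An added example, not from the wiki, in Python (fail2ban's own language) that turns the date/auth.log comparison above into a check: it parses the syslog timestamp with the same %b %d %H:%M:%S format the "time data did not match format" error in this FAQ refers to and reports the skew. The log line and date output are constructed from the session above, and the 600 s findtime is the default from jail.conf.

```python
import time
from datetime import datetime

# Constructed input: a probe line written with logger and the `date` output taken
# right after it (timestamps borrowed from the session above, hostname is a placeholder).
LAST_LOG_LINE = "Nov 28 13:39:12 myserver fail2ban-check: clock probe"
DATE_OUTPUT = "Wed Nov 28 13:49:02 CET 2007"

# The very format string named in the "time data did not match format" error.
# strptime resolves %b through the current locale, which is why a non-English
# LANG makes Fail2ban choke on the POSIX month names most daemons write.
SYSLOG_FMT = "%b %d %H:%M:%S"


def parse_syslog_time(line, year):
    """Parse the leading 'Mon DD HH:MM:SS' stamp; syslog omits the year, so the caller supplies it."""
    stamp = " ".join(line.split()[:3])
    t = time.strptime(stamp, SYSLOG_FMT)
    return datetime(year, t.tm_mon, t.tm_mday, t.tm_hour, t.tm_min, t.tm_sec)


def parse_date_output(text):
    """Parse `date` output such as 'Wed Nov 28 13:49:02 CET 2007' (zone name ignored; both clocks are local)."""
    parts = text.split()
    t = time.strptime(" ".join(parts[1:4]), SYSLOG_FMT)
    return datetime(int(parts[5]), t.tm_mon, t.tm_mday, t.tm_hour, t.tm_min, t.tm_sec)


def log_skew_seconds(last_log_line, date_output):
    """Seconds between the wall clock and the newest log entry (positive = log lags behind)."""
    now = parse_date_output(date_output)
    logged = parse_syslog_time(last_log_line, now.year)
    return int((now - logged).total_seconds())


def within_findtime(last_log_line, date_output, findtime=600):
    """Fail2ban only counts failures newer than findtime (600 s in the default jail.conf);
    a fresh probe that already looks older than that means no ban will ever trigger."""
    return abs(log_skew_seconds(last_log_line, date_output)) < findtime


if __name__ == "__main__":
    skew = log_skew_seconds(LAST_LOG_LINE, DATE_OUTPUT)
    print("skew:", skew, "s")                                           # 590
    print("within findtime:", within_findtime(LAST_LOG_LINE, DATE_OUTPUT))  # True
```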