- 1 General
- 2 Installation
- 3 Configuration
- 4 Security
- 5 Troubleshooting
- 5.1 I have Postfix on my system but no "mail" command. How can I get e-mail notifications?
- 5.2 Why do my CVS users using SSH getting blocked?
- 5.3 I get the error "Please check the format and your locale settings"
- 5.4 How do I increase verbosity?
- 5.5 Fail2ban is running but not banning SSH bruteforce
What is Fail2ban?
Fail2ban scans log files like /var/log/pwdfail or /var/log/apache/error_log and bans IP that makes too many password failures. It updates firewall rules to reject the IP address. These rules can be defined by the user. Fail2ban can read multiple log files such as sshd or Apache web server ones.
Is Fail2ban free software?
Fail2ban is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
What do you need to run Fail2ban?
Take a look at Requirements section
What does the version number of Fail2ban mean?
The structure of the version number is major.minor.revision. Currently the major number is 0. The policy for minor is:
- odd numbers (0.5, 0.7, etc) are development versions.
- even numbers (0.6, 0.8, etc) are stable versions.
New features, code refactoring, configuration or API changes are done mainly in development versions. Stable versions contains security fixes and small improvements that have few chance of breaking something.
Revisions are named alpha, beta, release candidate and stable. Stable versions with even minor versions are always named stable. Development versions are first called alpha, then when stability improves, beta and finally release candidate when the application is close to stabilization.
What is the purpose of having the client and the server separate?
Since 0.8, Fail2ban has two separate processes: a client and a server. Here are some advantages of this client/server design:
- Better separation of the concepts. The server has no knowledge of the configuration layout (/etc/fail2ban/). Thus, it would be possible to write a new client with e.g. XML configuration files without having to change a single line in the server code.
- It is possible to interact with the server while it is running. You can change the configuration without having to stop and restart the process, ask for statistics, etc.
- Using an INET socket (not implemented (yet)), it would be possible to remotely control the server.
Of course, they are some disadvantages too:
- More complicated. A protocol between the client and the server is required.
- Can only run in standalone mode. It is not possible to start the server periodically using e.g. cron.
How to ask for help or submit a bug report or a feature request?
First of all, try to find an answer on this website. Read the FAQ, Manual and visit HOWTOs. Search the mailing lists archives and look at the trackers. If you did not found any answer, subscribe to this mailing list and ask your question there. Registration is required in order to avoid spam.
If you are convinced that you found a bug, you can directly create a new ticket here.
If you want to submit a feature request, create a new ticket here.
In both cases, please check first that no similar bug or request has already been submitted.
In any case, when asking for support, please provide the following information:
- The version of Fail2ban you are running (use -V or --version)
- The version of Python
- How you installed Fail2ban (sources, .deb, .rpm, etc)
- Relevant parts of the configuration files of Fail2ban
- Logging output of Fail2ban using the DEBUG mode (-vvv and loglevel = 4)
And of course, do not forget to describe clearly your problem.
Are there RPM/DEB packages for Fail2ban?
Sure. Please take a look at Downloads section
How can I install Fail2ban from a RPM/DEB/gentoo package?
If you are using rpm:
rpm -Uvh fail2ban-X.X.X.rpm
If you are required to install a src.rpm (source package) please follow these instructions:
rpm --rebuild fail2ban-X.X.X.src.rpm
After that, binary rpm will be placed at /usr/src/RPM/RPMS/ix86
rpm -Uhv /usr/src/RPM/RPMS/ix86/fail2ban-X.X.X.rpm
Please check that your PATH is /usr/src/RPM/RPMS/ix86/ before doing anything else.
If you want to install Fail2ban from a .deb package:
dpkg -i fail2ban-X.X.X.deb
If you want to install Fail2ban on gentoo:
How can I run Fail2ban without installation?
It is possible to run Fail2ban without installation. Fail2ban is written in Python and does not need to be compiled. If you want to quickly test Fail2ban or if you have it already installed and want to test a new version, please follow these steps (for 0.7.x and above):
- Download a source tarball (release or nightly).
- Unpack it somewhere on your system.
- You should have a directory named fail2ban-*. Go into this directory.
- Edit the configuration in config/.
- Change the option socket in fail2ban.conf.
- Change the option logtarget in fail2ban.conf.
- Do not forget to edit jail.conf too.
- Use fail2ban-client to start fail2ban-server. Do not forget to tell it where to find the configuration:
./fail2ban-client -c config/ start
- Always use the -c option for other calls to fail2ban-client. Do not forget the ./ before too. Here is another example:
./fail2ban-client -c config/ status
- Shutdown Fail2ban with:
./fail2ban-client -c config/ stop
People who wants to hack on Fail2ban can also use this procedure in order to quickly test their changes.
What is the main configuration file for Fail2ban?
Fail2ban configuration process is rather simple. There is only one configuration file, where Fail2ban can be fully configured, this file is located at: /etc/fail2ban/fail2ban.conf
You are able to edit this file using any editor you want: vim, emacs, joe, ae...
Configuration file must be edited by root.
How can Fail2ban be configured?
This step is fully detailed at HOWTOs chapter
Can I exclude failed logins for selected users from resulting in a ban?
(I don't know, perhaps that's a feature request.)
Edit: Cause fail2ban didn't know anything of the username format logged in the specific file(s) (if usernames even get logged), it is only possible to exclude selected users in the regex of the service section.
What do I have to consider when using Fail2ban?
Especially on systems which provide SSH/CGI/PHP services to unknown users, it is possible to block other users from ssh and probably other services. How would a user do so? The user could issue:
logger -p auth.warning -t 'sshd' 'Illegal user user1 from 22.214.171.124'
Or the malicious user may write via PHP's openlog()/syslog() to syslog.
Solution #1: This security hazard can be handled via ownership/permissions of /dev/log, which allows logging to all the users by default. Just add a group log, add all daemons and root to that group and be happy.
What about log injection?
Fail2ban parses log files of other services and thus it can be vulnerable to log injection. Daniel B. Cid describes this kind of issues in Attacking Log analysis tools. I strongly suggest that you read this article. We will always try to provide safe configuration files. However, you can use fail2ban-regex to test your configuration files against forged log lines.
I have Postfix on my system but no "mail" command. How can I get e-mail notifications?
As of version 0.8.1, "mail" actions are deprecated. Please use the "sendmail" ones instead. E.g. sendmail-whois instead of mail-whois in your jail.[conf|local].
You probably have the sendmail command. Copy /etc/fail2ban/action.d/mail-whois.conf to /etc/fail2ban/action.d/mail-whois.local, edit this file and replace mail with sendmail. Here is an example:
actionban = echo -en "From:root <fail2ban> To: <dest> Subject: [Fail2Ban] <name>: banned <ip> Hi,\n The IP <ip> has just been banned by Fail2Ban after <failures> attempts against <name>.\n\n Here are more information about <ip>:\n `whois <ip>`\n Regards,\n Fail2Ban"|sendmail -t
mail.conf can be modified too.
Why do my CVS users using SSH getting blocked?
If you are using the Eclipse CVS integration with SSH, then each access of the CVS results in a failed access before a valid one is done. As a consequence your CVS users get banned from time to time.
I get the error "Please check the format and your locale settings"
The error looks like this:
ERROR: time data did not match format: data=Mar 21 10:00:50 fmt=%b %d %H:%M:%S ERROR: Please check the format and your locale settings.
This is a known bug. Since 0.6.1, Fail2ban uses your locale settings for date and time format. However, some daemons do not take care of locale and write their log messages using the POSIX standard. Please look at this bug for more details.
You can try to override the LANG variable:
# LANG=en_US /etc/init.d/fail2ban restart
You can get all the available locale with:
# locale -a
How do I increase verbosity?
In order to increase the verbosity of Fail2ban, use the command line option -vvv for fail2ban-client and fail2ban (only for 0.6.x). Set loglevel to 4 in /etc/fail2ban/fail2ban.conf (only for > 0.6.x).
Fail2ban is running but not banning SSH bruteforce
NB:This exemple is based on a Debian system, but can be easily realised on any distro.
The package is well installed:
# dpkg -l |grep fail ii fail2ban 0.8.1-2 bans IPs that cause multiple authentication
The service is running:
# /etc/init.d/fail2ban status Status of authentication failure monitor: fail2ban is running
SSH jail is set up and ready:
# fail2ban-client status Status |- Number of jail: 1 `- Jail list: ssh
SSH bruteforce logs are identified by fail2ban:
# fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf .... Success, the total number of match is 30
So, check that all your logs are synchronized: all logs files (auth.log, syslog,..) must use the same time reference (if your server is not very busy, there will probably be an important difference between the output of date command and the last event logged in syslog. You can force to generate a log in syslog using the logger command and check then with the output of date command)
# date Wed Nov 28 13:49:02 CET 2007 # tail -2 /var/log/auth.log Nov 28 13:39:12 <SERVERNAME> sudo: pam_unix(sudo:session): session opened for user roo t by <user>(uid=0) Nov 28 13:39:12 <SERVERNAME> sudo: pam_unix(sudo:session): session closed for user roo t
If time reference is not the same everywhere, then fail2ban won't ban any IP !