Difference between revisions of "Fail2ban talk:Community Portal"
Revision as of 07:15, 5 September 2011
- 1 Misc Questions
- 2 Client/Server Question
- 3 Memory Usage (160MB for fail2ban-server)
- 4 Christmas gift - version 0.9 these days ?
- 5 Log Prefix Regex
- 6 Fail2ban on CentOS/RedHat Plesk
- 7 Repeated attempts at DNS lookup
- 8 Emails from fail2ban not containing whois info help needed.
- 9 fail2ban.actions.action ERROR on startup/restart
- 10 fail2ban ban distribution to multiple servers
- 11 Need help for sendmail+sasl+pam fail2ban config (CentOS/RHEL 5)
Hi, I try to make a fail2ban-package for a famous Opensource-Webhosting platform (www.bluequartz.org).
BQ is based on CentOS4 (python >=2.3), so we have to use fail2ban-0.6.x.
unknown user: Jan 25 04:01:05 hostname proftpd: hostname.domain.com (184.108.40.206[220.127.116.11]) - USER xxxx: no such user found from 18.104.22.168 [22.214.171.124] to 126.96.36.199:21
existing user, wrong pw: Jan 25 04:02:03 hostname proftpd: hostname.domain.com (188.8.131.52[184.108.40.206]) - USER rob (Login failed): Incorrect password.
But I didn't succeed. Maybe you can help me with that. I can't update to CentOS5 and/or python>=2.4.
Thanx for that wonderful tool :)
I am finding this error a few times on different scripts when installing on CentOS
byte-compiling /usr/share/fail2ban/server/mytime.py to mytime.pyc
  File "/usr/share/fail2ban/server/mytime.py", line 49
    @staticmethod
    ^
SyntaxError: invalid syntax
Are you sure that you have Python 2.4? Annotations are available since Python 2.4. --Lostcontrol 15:53, 8 May 2007 (CEST)
I got 2.4.3
root@usa2 [~]# python -V
Python 2.4.3
I installed 2.5.1 and still the same problem.
Version 0.6.2, installed from an RPM, is working now. I will try 0.8.0 again later. Thanks
Can someone tell me why I'm getting these errors with fail2ban?
2007-07-07 17:22:09,608 fail2ban.actions.action: CRITICAL Unable to restore environment
2007-07-08 01:57:43,008 fail2ban.actions.action: ERROR iptables -D INPUT -p tcp --dport http -j fail2ban-apache
iptables -F fail2ban-apache
iptables -X fail2ban-apache returned 100
2007-07-08 01:57:43,933 fail2ban.actions.action: ERROR iptables -D INPUT -p tcp --dport ssh -j fail2ban-ssh
iptables -F fail2ban-ssh
iptables -X fail2ban-ssh returned 100
I'm using Debian Etch
I got similar errors on startup for iptables -N, iptables -A, and iptables -X and it turned out that the directory where the iptables executable resides (/sbin on my system) was not included in the PATH environment variable. Adding /sbin to the PATH with:
in the file /etc/init.d/fail2ban fixed the problem on my Redhat Enterprise Linux 5 system.
Please use the mailing list for support next time. It seems that your iptables setup (related to fail2ban) gets changed while fail2ban is running. Some firewall scripts/apps flush all rules when saving the changes. If fail2ban runs, it will not find its own chains anymore and will try to restore them. --Lostcontrol 09:57, 13 July 2007 (CEST)
Just tried to use latest build 0.8.1 and got this output
- fail2ban-client -h
  File "/usr/bin/fail2ban-client", line 360
    @staticmethod
    ^
SyntaxError: invalid syntax
I found a way to work around this problem with CentOS. Apparently CentOS has multiple versions of Python installed. Modify /usr/bin/fail2ban-client and /usr/bin/fail2ban-server so that the first line on each reads as follows:
#!/usr/local/bin/python2.4
(or wherever the direct executable for python2.4 is). By default it reads as #!/usr/bin/python, which is apparently an earlier version of python. If you don't know where python2.4 is located, you can find it by typing the following:
--rojo 14:36, 30 Oct 2007 (EST)
In the FAQ this line is not very clear
"You probably have the sendmail command. Copy /etc/fail2ban/action.d/mail-whois.conf to /etc/fail2ban/action.d/mail-whois.local, edit this file and replace mail with sendmail. Here is an example:"
Which is "this" file? mail-whois.local is what it sounds like.
That's correct. You have to edit mail-whois.local. --Lostcontrol 10:17, 13 September 2007 (CEST)
I have a CentOS 4 VPS with Python 2.3.
When I restart fail2ban I get this error:
" File "/usr/bin/fail2ban-client", line 360
SyntaxError: invalid syntax "
I made sure to change the paths to #!/usr/local/bin/python2.3 in both /usr/bin/fail2ban-client and /usr/bin/fail2ban-server but it still does not work.
Are there any other ideas?
What is the purpose/reason to have the server and client separate? Couldn't find this in the wiki, maybe it should be placed in the FAQ?
Memory Usage (160MB for fail2ban-server)
Hi, I like the concept of fail2ban ... but I run it on a Virtual Box ...
The fail2ban-server process needs 160MB ... for what ??? Is my config/system buggy ?? Or is it normal ??
I used it on Ubuntu 7.04, Python 2.5.3 and the Fail2Ban v0.8.3
- update on the 20th of January 2011 (author SJL)
A Python application, like fail2ban, might consume a lot of memory only because of the relatively oversized default stack size on Linux. This can be changed by editing /etc/default/fail2ban (on Debian, please change for your own installation) and appending this to the end of the file:
ulimit -s 256
The file "/etc/default/fail2ban" will typically look like this after installing Fail2Ban 8.4 on Debian 6 from the repository:
# This file is part of Fail2Ban.
#
# Fail2Ban is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Fail2Ban is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Fail2Ban; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
# Author: Cyril Jaquier
#
# $Revision: 1.2 $

# Command line options for Fail2Ban. Refer to "fail2ban-client -h" for
# valid options.
FAIL2BAN_OPTS=""
Add "ulimit -s 256" to a new line at the end of the file:
# This file is part of Fail2Ban.
#
# Fail2Ban is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Fail2Ban is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Fail2Ban; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
# Author: Cyril Jaquier
#
# $Revision: 1.2 $

# Command line options for Fail2Ban. Refer to "fail2ban-client -h" for
# valid options.
FAIL2BAN_OPTS=""
ulimit -s 256
It is not added to the FAIL2BAN_OPTS parameter.
Stopping and starting via "fail2ban-client" will not apply this value. You need to reboot your system or restart the daemon with:
# sudo /etc/init.d/fail2ban stop
# sudo /etc/init.d/fail2ban start
The values from "/etc/default/fail2ban" are applied at boot up. Stopping and starting Fail2Ban via "fail2ban-client" will not have this value applied and will revert back to the Linux default stack frame used by the ulimit command and the old memory usage of 160MB+.
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1026 0.0 0.0 150020 8004 ? Sl Jan12 0:07 /usr/bin/python /usr/bin/fail2ban-server -b -s /var/run/fail2ban/fail2ban.sock

USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 29688 1.0 0.0 35600 6528 ? Sl 10:38 0:00 /usr/bin/python /usr/bin/fail2ban-server -b -s /var/run/fail2ban/fail2ban.sock
The VSZ value has decreased from 150020kB to 35600kB.
I would like to implement this, although I don't seem to have /etc/default/fail2ban. Where else would I need to look to include this in my configuration? and where exactly in the actual file does it need to go? (that is if someone can help me find it)?
Christmas gift - version 0.9 these days ?
Hi - I heavily appreciate fail2ban. Just these days I am configuring 2 new servers opensuse and would love to include some of the new features listed by others above. Like server-IP as sender subject line or so mentioned earlier.
Since we have Christmas time, I was wondering if we may get a Christmas gift - version 0.9 these days ?? Traffic is drastically increasing day by day, so is hacker activity during the weeks before Christmas. Added security lets us sleep much better.
Log Prefix Regex
Can anyone tell me how to recognize this datestamp prefix? I recently upgraded rsyslogd and it changed my log format. I'd rather change fail2ban than change my log back to the old format. Do I have to edit the source code or can it be done in the filter? If it's only in the source code is there any good reason why it isn't done in the filter?
2009-01-15T20:59:46.201822-05:00 nro sshd: Failed password for invalid user antoine from 220.127.116.11 port 45379 ssh2
BTW Mine is a mail server and I have 50K to 80K bans in iptables. After I reboot I get hammered for days!
--18.104.22.168 09:52, 26 December 2010 (UTC)
Good question. I just found out it was the rsyslog update that stopped my Fail2Ban from working. The rsyslog update uses a new date/time string. The new rsyslog also comes with a new conf file which contains the following:
It will use the old fashioned date/time string that Fail2Ban works fine with. So you won't have to change your sshd.conf filter. So just restart rsyslog with the new config file and you should be fine again.
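An added example for the timestamp question above (not part of the original discussion and not fail2ban's own code): it parses both the traditional syslog prefix and the newer rsyslog prefix quoted in the question, normalizes them to UTC, and applies a maxretry/findtime count. The names `parse_prefix` and `banned_hosts`, the sample lines, and the -05:00 local zone are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Added example: parse_prefix and banned_hosts are illustrative names, not fail2ban APIs.
RFC3339 = re.compile(r"(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.(\d+))?(Z|[+-]\d\d:\d\d)\s+")
BSD = re.compile(r"([A-Z][a-z]{2})\s+(\d{1,2})\s+(\d\d:\d\d:\d\d)\s+")
# Anchored at both ends so text placed in the user name cannot supply the address.
FAILED = re.compile(r"\S+ sshd(?:\[\d+\])?: Failed password for (?:invalid user )?\S+ "
                    r"from (\d{1,3}(?:\.\d{1,3}){3}) port \d+(?: ssh\d*)?\s*$")

def parse_prefix(line, year, local_tz):
    """Return (UTC datetime, rest of line), or None if no known prefix matches."""
    m = RFC3339.match(line)
    if m:
        base, frac, off = m.groups()
        ts = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S")
        if frac:
            ts = ts.replace(microsecond=int(frac[:6].ljust(6, "0")))
        if off == "Z":
            tz = timezone.utc
        else:
            delta = timedelta(hours=int(off[1:3]), minutes=int(off[4:6]))
            tz = timezone(-delta if off[0] == "-" else delta)
        return ts.replace(tzinfo=tz).astimezone(timezone.utc), line[m.end():]
    m = BSD.match(line)
    if m:  # this format carries no year and no zone: the caller must supply both
        ts = datetime.strptime("%d %s %s %s" % ((year,) + m.groups()), "%Y %b %d %H:%M:%S")
        return ts.replace(tzinfo=local_tz).astimezone(timezone.utc), line[m.end():]
    return None

def banned_hosts(lines, local_tz, year=2009, maxretry=3, findtime=600):
    """Hosts with at least maxretry failures inside a findtime-second window."""
    seen, banned = defaultdict(list), set()
    for line in lines:
        parsed = parse_prefix(line, year, local_tz)
        hit = parsed and FAILED.match(parsed[1])
        if not hit:
            continue
        when, host = parsed[0], hit.group(1)
        seen[host] = [t for t in seen[host] if (when - t).total_seconds() <= findtime] + [when]
        if len(seen[host]) >= maxretry:
            banned.add(host)
    return banned

EST = timezone(timedelta(hours=-5))  # assumed local zone of the logging host
SAMPLE = [  # constructed lines; addresses come from documentation ranges
    "Jan 15 20:59:40 nro sshd[4121]: Failed password for invalid user antoine from 192.0.2.10 port 45377 ssh2",
    "2009-01-15T20:59:46.201822-05:00 nro sshd: Failed password for invalid user antoine from 192.0.2.10 port 45379 ssh2",
    "2009-01-15T20:59:52.000100-05:00 nro sshd[4121]: Failed password for root from 192.0.2.10 port 45381 ssh2",
    "2009-01-15T21:10:00-05:00 nro sshd[4130]: Failed password for root from 198.51.100.7 port 50100 ssh2",
]
```

Calling `banned_hosts(SAMPLE, EST)` counts all three failures from 192.0.2.10 in one window, while `banned_hosts(SAMPLE, timezone.utc)` misreads the zoneless line by five hours and the count never reaches maxretry.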
Fail2ban on CentOS/RedHat Plesk
I have implemented fail2ban on our Plesk servers for Proftpd and Qmail (so far). I had to put the full path to iptables in the actions.d i.e. /pathtoiptables/iptables -N fail2ban-<name> etc. This is the relevant section of filters.d/proftpd.conf for Plesk users and the logfile is /var/log/messages:
failregex = .*proftpd\[\S+\]: \S+ \(\S+\[<HOST>\]\) - PAM\(\S+\): Authentication failure.$
            .*authentication failure.*rhost=<HOST>.*$
            .*proftpd\[\S+\]: \S+ \(\S+\[<HOST>\]\) - no such user .*$
In jail.conf I set bantime = 600 and findtime = 30 and it works great. Thank you so much!
For Qmail, I started just trying to block brute force attempts to break into email accounts and here is the relevant section from qmail.conf:
failregex = .*password incorrect from \@ \[<HOST>\].*$
Also works great and the qmail logfile is /usr/local/psa/var/log/maillog.
What I am working on now, and what I would dearly like to get help with is blocking relay attempts. We get about 100K relay attempts per day and I have been trying to find a way to block these. For Plesk users here is the relevant regular expression in the qmail logfile for relay attempts:
.*relaylock: mail from <HOST>.*$
The problem I have is that the relaylock filter blocks genuine users because relaylock sometimes kicks in even for genuine users who have authenticated. This happens for users with PCs but even more frequently for users with Macs, and I am not sure why. Many of our users are assigned dynamic IPs by their ISPs. How can I stop them from getting blocked by this relaylock filter? I have tried putting the major ISPs e.g. aol.com, att.com etc. in ignoreip but some users still got blocked. My assumption is that aol.com is the same to ignoreip as *.aol.com since ignoreip just looks for matches. Is that right? If not, is it possible to use wildcards in ignoreip e.g. *.aol.com or is there an even better way? It would be ideal to be able to specify that: if an IP address matches a particular log entry then it should be automatically added to ignoreip e.g. if the log contains a line where the user successfully authenticated, then the IP they connected from is ignored by fail2ban. That would stop genuine users from being blocked without them having to contact us to let us know their IP address or ISP. Any help on this issue would be appreciated since it's the main hurdle I need to overcome. If we still have problems with genuine users being blocked by the end of the week I will just have to remove this filter which would be a shame since it really helps and I am sure it would help many more people with the same problem.
It would also be nice to have a separate bantime and findtime in jail.conf for qmail, and other applications.
Any tips, pointers, and help, would be much appreciated.
Thanks for fail2ban!
Repeated attempts at DNS lookup
Hey I keep getting lines in the log file that say:
WARNING Unable to find a corresponding IP address for iblazegreen.rpi.edu
Trying to get rid of that in the logs, but it keeps popping up even though there was only one attempt from that host, almost a month ago. What option can I use to stop it from trying to DNS lookup that host?
Thanks a lot
A potential answer: See if the log fail2ban is watching can log IP addresses rather than DNS names. An example: Link to VSFTPD fix
Emails from fail2ban not containing whois info help needed.
Example of an email I received from fail2ban when testing (IPs edited but were from outside my LAN).
The IP xx.xx.xx.xx has just been banned by Fail2Ban after 4 attempts against ssh.
Here are more information about xx.xx.xx.xx:
Lines containing IP:xx.xx.xx.xx in /var/log/auth.log
Apr 6 11:55:05 user sshd: Invalid user dg from xx.xx.xx.xx
Apr 6 11:55:05 user sshd: Failed none for invalid user dg from xx.xx.xx.xx port 57992 ssh2
Apr 6 11:55:09 user sshd: Failed password for invalid user dg from xx.xx.xx.xx port 57992 ssh2
Apr 6 11:55:13 user sshd: Failed password for invalid user dg from xx.xx.xx.xx port 57992 ssh2
Apr 6 13:42:53 user sshd: Invalid user kjhgfd from xx.xx.xx.xx
Apr 6 13:42:53 user sshd: Failed none for invalid user kjhgfd from xx.xx.xx.xx port 59527 ssh2
Apr 6 13:42:59 user sshd: Failed password for invalid user kjhgfd from xx.xx.xx.xx port 59527 ssh2
Apr 6 13:43:03 user sshd: Failed password for invalid user kjhgfd from xx.xx.xx.xx port 59527 ssh2
fail2ban.actions.action ERROR on startup/restart
I had multiple fail2ban.actions.action ERROR on startup/restart. It seems there was a "race" condition with iptables. I solved the problem completely on my system by editing /usr/bin/fail2ban-client and adding a time.sleep(0.1)
    def __processCmd(self, cmd, showRet = True):
        beautifier = Beautifier()
        for c in cmd:
            # added line: pause before each command is sent to the server
            time.sleep(0.1)
            beautifier.setInputCmd(c)
- Thanks. This patch solved the problem on my server. :) --22.214.171.124 11:55, 13 November 2010 (UTC)
- Add my thanks. I was having random fail2ban.actions.action ERRORs when doing a restart, but when I executed the same iptables commands by hand they worked fine. Adding your pacing line seems to fix the problem.
- confirm this fix, it works great for multiple lines of iptables command 126.96.36.199 18:50, 12 January 2011 (UTC)
- Thanks to 188.8.131.52 and Google. Can't make Fail2ban work after I install a new fresh Debian 6 / Squeeze on my server :( . Adding this "sleep" fix solved the problem. --184.108.40.206 08:07, 19 February 2011 (UTC)
- worked for me on debian 6 squeeze (without it, random iptables rules were missing) --220.127.116.11 20:40, 12 June 2011 (UTC)
- Thanks this also helped me fix it, but I needed to add time.sleep(0.3) on my ubuntu 8.04 server or the last rule was still failing. (5 August 2011)
- Did not work on VPS hosted Ubuntu 10.04 systems (15th August 2011). The fixed delay time is too regular and still caused the same race condition. A successful resolution was to modify only the relevant action config (in this case iptables-multiport.conf) and insert a random sleep (0.0000 to 2.9999 seconds) before the iptables action, so actionstart becomes:
actionstart = sleep `perl -e 'print rand(3);'`
              iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
              iptables -I INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
fail2ban ban distribution to multiple servers
I'm using fail2ban for blocking misconfigured mailservers on couple of servers:
File "/etc/fail2ban/filter.d/postfix-badhelo.conf":
...
failregex = reject: RCPT from (.*)\[<HOST>\]: 450 4.7.1 (.*) Helo command rejected: Host not found
...
File "/etc/fail2ban/filter.d/postfix-nohostname.conf":
...
failregex = reject: RCPT from (.*)\[<HOST>\]: 450 4.7.1 Client host rejected: cannot find your hostname
...
Currently my servers are using separate netfilter policies (and each checks its own /var/log/maillog). I'd like fail2ban to "push" the ban and unban action to remote servers (so fail2ban-server would be aware of it and block/unblock accordingly).
What kind of action would you suggest? I have a
- distribute ssh pubkeys between the servers and save them to /root/.ssh/authorized_keys and use ssh action that would connect to the rest of the servers, using iptables remotely... (It's really a shame fail2ban-client doesn't support manually banning/unbanning IPs from console)
- distribute mail logs to multiple servers, which can be a bit awkward
Need help for sendmail+sasl+pam fail2ban config (CentOS/RHEL 5)
I'm on CentOS/RHEL 5, using sendmail 8.13.8 and cyrus-sasl 2.1.22. I'm trying to figure out how to use fail2ban to properly protect against SMTP attacks. Right now, I've implemented the suggestion from theether.net, but that relies on sendmail identifying the SMTP attack... a number of attack methods can completely bypass this and go undetected.
I would prefer to ban based on SASL authentication failures (just like for ssh, etc.). sasl is configured to use PAM, but for some reason, it doesn't log the rhost IP. (sshd, imapd, etc. will all log the rhost IP via pam, but saslauthd won't - it leaves the rhost field blank.). Sendmail doesn't log when an sasl auth failure occurs, so basically I've got a useless log from sasl and no log from sendmail. There are _some_ cotemporal entries from sendmail in the maillog, e.g. the remote host didn't issue VRFY/EXPN/etc.... but those lines can occur legitimately under many circumstances, so should not be used for banning. The pam failure line would be the best, but is useless without an rhost IP.
Does anyone know how I can get saslauthd to properly log the rhost ip via pam? Or, how I can get sendmail to log when an sasl auth failure occurs (including the remote IP)? Extensive googling has revealed nothing, unfortunately. Thanks in advance.
Fail2ban failing to ban when log timestamp is not in the same timezone
Here is a tip for configuring Postfix in the same timezone as server: