Fail2ban talk:Community Portal

From Fail2ban
Revision as of 21:11, 4 September 2010 by 84.255.209.2 (Talk) (fail2ban ban distribution to multiple servers: new section)


RoB:

Hi, I am trying to make a fail2ban package for a well-known open-source web hosting platform (www.bluequartz.org). BQ is based on CentOS4 (python >= 2.3), so we have to use fail2ban-0.6.x. It includes proftpd-1.2.x, so I tried to figure out the correct regex for the following log entries in /var/log/secure:

 unknown user:
 Jan 25 04:01:05 hostname proftpd[10476]: hostname.domain.com (1.2.3.4[1.2.3.4]) - USER xxxx: no such user found from 1.2.3.4 [1.2.3.4] to 2.3.4.5:21
 existing user, wrong pw:
 Jan 25 04:02:03 hostname proftpd[10495]: hostname.domain.com (1.2.3.4[1.2.3.4]) - USER rob (Login failed): Incorrect password.

But I didn't succeed. Maybe you can help me with that. I can't update to CentOS5 and/or python >= 2.4.

Thanks for that wonderful tool :)



I am finding this error a few times on different scripts when installing on CentOS

byte-compiling /usr/share/fail2ban/server/mytime.py to mytime.pyc

 File "/usr/share/fail2ban/server/mytime.py", line 49
   @staticmethod
   ^

SyntaxError: invalid syntax

Any ideas?


Are you sure that you have Python 2.4? Annotations are available since Python 2.4. --Lostcontrol 15:53, 8 May 2007 (CEST)


I got 2.4.3:

 root@usa2 [~]# python -V
 Python 2.4.3


I installed 2.5.1 and still the same problem.


Now it is working with version 0.6.2 installed from an RPM. I will try 0.8.0 again later. Thanks.

Can someone tell me why I'm getting these errors with fail2ban?

2007-07-07 17:22:09,608 fail2ban.actions.action: CRITICAL Unable to restore environment
2007-07-08 01:57:43,008 fail2ban.actions.action: ERROR  iptables -D INPUT -p tcp --dport http -j fail2ban-apache
iptables -F fail2ban-apache
iptables -X fail2ban-apache returned 100
2007-07-08 01:57:43,933 fail2ban.actions.action: ERROR  iptables -D INPUT -p tcp --dport ssh -j fail2ban-ssh
iptables -F fail2ban-ssh
iptables -X fail2ban-ssh returned 100

I'm using Debian Etch.

Thanks!


Please use the mailing list for support next time. It seems that your iptables setup (related to fail2ban) gets changed while fail2ban is running. Some firewall scripts/apps flush all rules when saving changes. If fail2ban is running, it will not find its own chains anymore and will try to restore them. --Lostcontrol 09:57, 13 July 2007 (CEST)

Just tried to use the latest build 0.8.1 and got this output:

 # fail2ban-client -h
   File "/usr/bin/fail2ban-client", line 360
     @staticmethod
     ^
 SyntaxError: invalid syntax


I found a way to work around this problem with CentOS. Apparently CentOS has multiple versions of Python installed. Modify /usr/bin/fail2ban-client and /usr/bin/fail2ban-server so that the first line on each reads as follows:

 #!/usr/local/bin/python2.4

(or wherever the direct executable for python2.4 is). By default it reads as #!/usr/bin/python, which is apparently an earlier version of python. If you don't know where python2.4 is located, you can find it by typing the following:

 whereis python2

--rojo 14:36, 30 Oct 2007 (EST)


In the FAQ this line is not very clear

"You probably have the sendmail command. Copy /etc/fail2ban/action.d/mail-whois.conf to /etc/fail2ban/action.d/mail-whois.local, edit this file and replace mail with sendmail. Here is an example:"

Which is "this" file? mail-whois.local is what it sounds like.


That's correct. You have to edit mail-whois.local. --Lostcontrol 10:17, 13 September 2007 (CEST)


Hello,

I have a CentOS 4 VPS with Python 2.3.

When I restart fail2ban I get this error:

   File "/usr/bin/fail2ban-client", line 360
     @staticmethod
     ^
 SyntaxError: invalid syntax


I made sure to change the paths to #!/usr/local/bin/python2.3 in both /usr/bin/fail2ban-client and /usr/bin/fail2ban-server but it still does not work.

Are there any other ideas?

Thanks.



Client/Server Question

What is the purpose/reason to have the server and client separate? Couldn't find this in the wiki, maybe it should be placed in the FAQ?

Memory Usage (160MB for fail2ban-server)

Hi, I like the concept of fail2ban ... but I run it in a VirtualBox ...

The fail2ban-server process needs 160MB ... for what??? Is my config/system buggy?? Or is this normal??

I used it on Ubuntu 7.04, Python 2.5.3 and Fail2Ban v0.8.3.

Christmas gift - version 0.9 these days ?

Hi - I greatly appreciate fail2ban. Just these days I am configuring 2 new openSUSE servers and would love to include some of the new / wished-for features listed by others above, like the server IP as sender or in the subject line, as mentioned earlier.

Since it is Christmas time, I was wondering if we might get a Christmas gift - version 0.9 these days?? Traffic is drastically increasing day by day, and so is hacker activity during the weeks before Christmas. Added security lets us sleep much better.

Log Prefix Regex

Can anyone tell me how to recognize this datestamp prefix? I recently upgraded rsyslogd and it changed my log format. I'd rather change fail2ban than change my log back to the old format. Do I have to edit the source code or can it be done in the filter? If it's only in the source code is there any good reason why it isn't done in the filter?

 2009-01-15T20:59:46.201822-05:00 nro sshd[5978]: Failed password for invalid user antoine from 116.122.36.95 port 45379 ssh2

BTW Mine is a mail server and I have 50K to 80K bans in iptables. After I reboot I get hammered for days!
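As an added illustration that is not part of the post above and not fail2ban's own code: the RFC 3339 timestamps rsyslog now writes carry a UTC offset, so they can be converted to an absolute epoch time before the findtime/maxretry window is applied. The script below parses constructed sshd lines in that format (the first is the line quoted above; the others, the hosts 203.0.113.5 and the second burst from 116.122.36.95, are made up) and re-implements the "maxretry failures within findtime seconds" rule over them. The line regex and the `find_bans` helper are this example's own, not fail2ban's.

```python
import re
from datetime import datetime

# Constructed sample lines in rsyslog's RFC 3339 / ISO 8601 format. Only the first
# line is from the post above; the rest are made up for the example.
# 203.0.113.5 fails three times within 30 seconds; 116.122.36.95 fails twice,
# six hours apart, which must NOT trigger a ban with findtime=600.
SAMPLE_LINES = [
    "2009-01-15T20:59:46.201822-05:00 nro sshd[5978]: Failed password for invalid user antoine from 116.122.36.95 port 45379 ssh2",
    "2009-01-15T21:00:10.000001-05:00 nro sshd[5981]: Failed password for root from 203.0.113.5 port 40001 ssh2",
    "2009-01-15T21:00:25.000001-05:00 nro sshd[5982]: Failed password for root from 203.0.113.5 port 40002 ssh2",
    "2009-01-15T21:00:40.000001-05:00 nro sshd[5983]: Failed password for root from 203.0.113.5 port 40003 ssh2",
    "2009-01-16T03:00:00.000000-05:00 nro sshd[6000]: Failed password for root from 116.122.36.95 port 40004 ssh2",
]

# Timestamp with optional fraction and a Z or +/-HH:MM offset, then the sshd
# "Failed password" message with an optional "invalid user" prefix.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2}))\s+"
    r"\S+ sshd\[\d+\]: Failed password for (?:invalid user )?\S+ "
    r"from (?P<host>\S+) port \d+ ssh2$"
)


def parse_line(line):
    """Return (epoch_seconds, host) for a matching line, or None."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    # datetime.fromisoformat understands "-05:00" but not a bare "Z".
    ts = m.group("ts").replace("Z", "+00:00")
    # The parsed datetime is offset-aware, so .timestamp() yields true UTC epoch
    # seconds regardless of the offset the log line was written with.
    return datetime.fromisoformat(ts).timestamp(), m.group("host")


def find_bans(lines, maxretry=3, findtime=600):
    """Sliding-window rule: a host is banned once it has maxretry failures
    whose timestamps all lie within the last findtime seconds."""
    recent = {}   # host -> list of failure epochs still inside the window
    banned = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        t, host = parsed
        window = [x for x in recent.get(host, []) if t - x <= findtime]
        window.append(t)
        recent[host] = window
        if len(window) >= maxretry and host not in banned:
            banned.append(host)
    return banned


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_line(line))
    print("banned:", find_bans(SAMPLE_LINES))
```

Because the offset is folded into the epoch value, lines written before and after a timezone change (or by hosts in different zones) still compare correctly; with the naive "Jan 15 20:59:46" syslog format that information is simply absent.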

Fail2ban on CentOS/RedHat Plesk

I have implemented fail2ban on our Plesk servers for Proftpd and Qmail (so far). I had to put the full path to iptables in action.d, i.e. /pathtoiptables/iptables -N fail2ban-<name> etc. This is the relevant section of filter.d/proftpd.conf for Plesk users; the logfile is /var/log/messages:

 failregex = .*proftpd\[\S+\]: \S+ \(\S+\[<HOST>\]\) - PAM\(\S+\): Authentication failure.$
             .*authentication failure.*rhost=<HOST>.*$
             .*proftpd\[\S+\]: \S+ \(\S+\[<HOST>\]\) - no such user .*$

In jail.conf I set bantime = 600 and findtime = 30 and it works great. Thank you so much!

For Qmail, I started just trying to block brute force attempts to break into email accounts and here is the relevant section from qmail.conf:

 failregex = .*password incorrect from \@ \[<HOST>\].*$

Also works great and the qmail logfile is /usr/local/psa/var/log/maillog.

What I am working on now, and what I would dearly like to get help with is blocking relay attempts. We get about 100K relay attempts per day and I have been trying to find a way to block these. For Plesk users here is the relevant regular expression in the qmail logfile for relay attempts:

 .*relaylock: mail from <HOST>.*$

The problem I have is that the relaylock filter blocks genuine users, because relaylock sometimes kicks in even for genuine users who have authenticated. This happens for users with PCs but even more frequently for users with Macs, and I am not sure why. Many of our users are assigned dynamic IPs by their ISPs. How can I stop them from getting blocked by this relaylock filter?

I have tried putting the major ISPs, e.g. aol.com, att.com etc., in ignoreip but some users still got blocked. My assumption is that aol.com is the same to ignoreip as *.aol.com, since ignoreip just looks for matches. Is that right? If not, is it possible to use wildcards in ignoreip, e.g. *.aol.com, or is there an even better way?

It would be ideal to be able to specify that if an IP address matches a particular log entry then it should be automatically added to ignoreip, e.g. if the log contains a line where the user successfully authenticated, then the IP they connected from is ignored by fail2ban. That would stop genuine users from being blocked without them having to contact us to let us know their IP address or ISP. Any help on this issue would be appreciated since it is the main hurdle I need to overcome. If we still have problems with genuine users being blocked by the end of the week I will just have to remove this filter, which would be a shame since it really helps and I am sure it would help many more people with the same problem.

It would also be nice to have a separate bantime and findtime in jail.conf for qmail and other applications.

Any tips, pointers, and help, would be much appreciated.

Thanks for fail2ban!

@a

Repeated attempts at DNS lookup

Hey I keep getting lines in the log file that say:

      WARNING Unable to find a corresponding IP address for iblazegreen.rpi.edu

Trying to get rid of that in the logs, but it keeps popping up even though there was only one attempt from that host, almost a month ago. What option can I use to stop it from trying to DNS lookup that host? Thanks a lot

-Brian

Emails from fail2ban not containing whois info help needed.

Example of an email I received from fail2ban when testing (IPs edited, but they were from outside my LAN).

Hi,

The IP xx.xx.xx.xx has just been banned by Fail2Ban after 4 attempts against ssh.


Here is more information about xx.xx.xx.xx:


Lines containing IP:xx.xx.xx.xx in /var/log/auth.log

 Apr 6 11:55:05 user sshd[8884]: Invalid user dg from xx.xx.xx.xx
 Apr 6 11:55:05 user sshd[8884]: Failed none for invalid user dg from xx.xx.xx.xx port 57992 ssh2
 Apr 6 11:55:09 user sshd[8884]: Failed password for invalid user dg from xx.xx.xx.xx port 57992 ssh2
 Apr 6 11:55:13 user sshd[8884]: Failed password for invalid user dg from xx.xx.xx.xx port 57992 ssh2
 Apr 6 13:42:53 user sshd[13938]: Invalid user kjhgfd from xx.xx.xx.xx
 Apr 6 13:42:53 user sshd[13938]: Failed none for invalid user kjhgfd from xx.xx.xx.xx port 59527 ssh2
 Apr 6 13:42:59 user sshd[13938]: Failed password for invalid user kjhgfd from xx.xx.xx.xx port 59527 ssh2
 Apr 6 13:43:03 user sshd[13938]: Failed password for invalid user kjhgfd from xx.xx.xx.xx port 59527 ssh2


Regards,

Fail2Ban

fail2ban.action.action ERROR on startup/restart

I had multiple fail2ban.action.action ERROR messages on startup/restart. It seems there was a "race" condition with iptables. I solved the problem completely on my system by editing /usr/bin/fail2ban-client and adding a time.sleep(0.1):

 import time   # needed at the top of fail2ban-client for the sleep below
 
 def __processCmd(self, cmd, showRet = True):
     beautifier = Beautifier()
     for c in cmd:
         time.sleep(0.1)   # give the previous iptables command time to finish
         beautifier.setInputCmd(c)

fail2ban ban distribution to multiple servers

I'm using fail2ban for blocking misconfigured mailservers on couple of servers:

 File "/etc/fail2ban/filter.d/postfix-badhelo.conf":
 ...
 failregex = reject: RCPT from (.*)\[<HOST>\]: 450 4.7.1 (.*) Helo command rejected: Host not found
 ...
 File "/etc/fail2ban/filter.d/postfix-nohostname.conf":
 ...
 failregex = reject: RCPT from (.*)\[<HOST>\]: 450 4.7.1 Client host rejected: cannot find your hostname
 ...

Currently my servers use separate netfilter policies (and each checks its own /var/log/maillog). I'd like fail2ban to "push" the ban and unban actions to the remote servers (so fail2ban-server there would be aware of it and block/unblock accordingly).

What kind of action would you suggest? I have a couple of ideas but none is good enough:

  • distribute ssh pubkeys between the servers, save them to /root/.ssh/authorized_keys and use an ssh action that connects to the rest of the servers and runs iptables remotely (it's really a shame fail2ban-client doesn't support manually banning/unbanning IPs from the console)
  • distribute the mail logs to multiple servers, which can be a bit awkward
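The recurring question on this page is whether a given failregex actually matches the log lines it was written for: the proftpd lines in the first post, the Plesk proftpd/qmail filters, and the two postfix filters in the post just above. The script below is an added example, not fail2ban's code and not from any of the posters: it expands the `<HOST>` tag into a named group the way fail2ban's filters do (the exact character class fail2ban uses is version-dependent, so this expansion is an approximation), then runs a set of failregex patterns over constructed sample lines. The two proftpd lines are the ones quoted at the top of the page; the proftpd patterns were written for them here; the postfix patterns are copied from the filter.d snippets above, and the postfix lines and the "Login successful" line were constructed to exercise them.

```python
import re

# Constructed sample log lines. The two proftpd lines are the ones quoted in the first
# post on this page; the postfix and "Login successful" lines are made up for the example.
SAMPLE_LINES = [
    "Jan 25 04:01:05 hostname proftpd[10476]: hostname.domain.com (1.2.3.4[1.2.3.4]) - USER xxxx: no such user found from 1.2.3.4 [1.2.3.4] to 2.3.4.5:21",
    "Jan 25 04:02:03 hostname proftpd[10495]: hostname.domain.com (1.2.3.4[1.2.3.4]) - USER rob (Login failed): Incorrect password.",
    "Sep  4 21:00:01 mx postfix/smtpd[2201]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 450 4.7.1 <foo.invalid>: Helo command rejected: Host not found; from=<a@example.org> to=<b@example.net> proto=ESMTP helo=<foo.invalid>",
    "Sep  4 21:00:02 mx postfix/smtpd[2202]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 450 4.7.1 Client host rejected: cannot find your hostname, [198.51.100.7]; from=<a@example.org> to=<b@example.net> proto=ESMTP helo=<bar.invalid>",
    "Jan 25 04:03:00 hostname proftpd[10500]: hostname.domain.com (1.2.3.4[1.2.3.4]) - USER rob: Login successful.",
]

# failregex patterns in fail2ban's <HOST> notation. The proftpd pair is written here for
# the two proftpd-1.2.x lines above; the postfix pair is copied from the filters posted above.
FAILREGEX = {
    "proftpd-nouser": r"proftpd\[\d+\]: \S+ \(\S+\[<HOST>\]\) - USER \S+: no such user found",
    "proftpd-badpw": r"proftpd\[\d+\]: \S+ \(\S+\[<HOST>\]\) - USER \S+ \(Login failed\): Incorrect password\.",
    "postfix-badhelo": r"reject: RCPT from (.*)\[<HOST>\]: 450 4.7.1 (.*) Helo command rejected: Host not found",
    "postfix-nohostname": r"reject: RCPT from (.*)\[<HOST>\]: 450 4.7.1 Client host rejected: cannot find your hostname",
}

# Assumption: fail2ban replaces <HOST> with a named group called "host". The character
# class below is this example's approximation of that group, not fail2ban's own pattern.
HOST_GROUP = r"(?P<host>[\w\-.:]+)"


def compile_failregex(pattern):
    """Turn a fail2ban-style failregex into a compiled Python regex."""
    return re.compile(pattern.replace("<HOST>", HOST_GROUP))


def scan(lines, failregex):
    """Return (pattern_name, host) for every line that matches one of the patterns.
    A line counts once, against the first pattern that matches it, like a filter
    with several failregex entries."""
    compiled = {name: compile_failregex(p) for name, p in failregex.items()}
    hits = []
    for line in lines:
        for name, rx in compiled.items():
            m = rx.search(line)   # search, so a leading ".*" in a pattern is never needed
            if m:
                hits.append((name, m.group("host")))
                break
    return hits


def failures_per_host(lines, failregex):
    """Count matched lines per host, the number a jail compares against maxretry."""
    counts = {}
    for _, host in scan(lines, failregex):
        counts[host] = counts.get(host, 0) + 1
    return counts


if __name__ == "__main__":
    for name, host in scan(SAMPLE_LINES, FAILREGEX):
        print(f"{name:20s} {host}")
    print(failures_per_host(SAMPLE_LINES, FAILREGEX))
```

Two things this makes visible that a failregex line in a .conf file does not: the successful-login line is not counted (a filter that matched it would ban legitimate users, which is the complaint in the relaylock discussion above), and the greedy `(.*)` before `\[<HOST>\]` in the postfix patterns only finds the right bracket pair because the `: 450 4.7.1` that follows disambiguates it; with a longer line and no such anchor it would backtrack over the whole line.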