Hi,
I installed Fail2Ban 0.8.6-3~bpo60+1 from the backports on Debian 6.0 to
do a quick test and I encountered no issue with the dates of the emails
sent by Fail2Ban.
Below is a sample of what I find in my mailbox:
Return-Path: <[email protected]>
X-Original-To: root
Delivered-To: [email protected]
Received: by fqdn.example.org (Postfix, from userid 0)
id B236E43A87; Thu, 13 Sep 2012 12:03:49 +0200 (CEST)
Subject: [Fail2Ban] ssh: banned 192.168.2.254
Date: jeu., 13 sept. 2012 10:03:49 +0000
From: Fail2Ban <[email protected]>
To: [email protected]
Message-Id: <[email protected]>
Hi,
The IP 192.168.2.254 has just been banned by Fail2Ban after
3 attempts against ssh.
[...]
Regards,
Fail2Ban
The date is not local since my timezone is +0200 but it is right. I also
tried on a Debian Wheezy installation and had the same result. Can you
try the same thing with the Wheezy package?
Fail2Ban is able to send the emails by using sendmail or mailutils, so it
could be interesting if you gave your Fail2Ban configuration. You can
dump it in a file with `fail2ban-client -d > /tmp/f2b_settings`. You may
also join your /etc/fail2ban/**/*.local files (or your .conf files if
you edit them).
I attach my own config to this mail (it is an SSH jail I made for this
bug study).
Regards,
--
Philippe
WARNING 'findtime' not defined in 'couriersmtp'. Using default value
WARNING 'findtime' not defined in 'apache-noscript'. Using default value
WARNING 'findtime' not defined in 'pam-generic'. Using default value
WARNING 'findtime' not defined in 'vsftpd'. Using default value
WARNING 'findtime' not defined in 'xinetd-fail'. Using default value
WARNING 'findtime' not defined in 'dovecot'. Using default value
WARNING 'findtime' not defined in 'ssh-ddos'. Using default value
WARNING 'findtime' not defined in 'apache-multiport'. Using default value
WARNING 'findtime' not defined in 'courierauth'. Using default value
WARNING 'findtime' not defined in 'dropbear'. Using default value
WARNING 'findtime' not defined in 'wuftpd'. Using default value
WARNING 'findtime' not defined in 'apache-overflows'. Using default value
WARNING 'findtime' not defined in 'ssh'. Using default value
WARNING 'findtime' not defined in 'sasl'. Using default value
WARNING 'findtime' not defined in 'apache'. Using default value
WARNING 'findtime' not defined in 'pure-ftpd'. Using default value
WARNING 'findtime' not defined in 'proftpd'. Using default value
WARNING 'findtime' not defined in 'named-refused-tcp'. Using default value
['set', 'loglevel', 3]
['set', 'logtarget', '/var/log/fail2ban.log']
['add', 'ssh', 'auto']
['set', 'ssh', 'addlogpath', '/var/log/auth.log']
['set', 'ssh', 'maxretry', 1]
['set', 'ssh', 'addignoreip', '127.0.0.1/8']
['set', 'ssh', 'findtime', 600]
['set', 'ssh', 'bantime', 5]
['set', 'ssh', 'addfailregex', '^\\s*(?:\\S+ )?(?:kernel: \\[\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*(?:error: PAM: )?Authentication failure for .* from <HOST>\\s*$']
['set', 'ssh', 'addfailregex', '^\\s*(?:\\S+ )?(?:kernel: \\[\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\\s*$']
['set', 'ssh', 'addfailregex', '^\\s*(?:\\S+ )?(?:kernel: \\[\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*Failed (?:password|publickey) for .* from <HOST>(?: port \\d*)?(?: ssh\\d*)?$']
['set', 'ssh', 'addfailregex', '^\\s*(?:\\S+ )?(?:kernel: \\[\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*ROOT LOGIN REFUSED.* FROM <HOST>\\s*$']
['set', 'ssh', 'addfailregex', '^\\s*(?:\\S+ )?(?:kernel: \\[\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*[iI](?:llegal|nvalid) user .* from <HOST>\\s*$']
['set', 'ssh', 'addfailregex', '^\\s*(?:\\S+ )?(?:kernel: \\[\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*User .+ from <HOST> not allowed because not listed in AllowUsers$']
['set', 'ssh', 'addfailregex', '^\\s*(?:\\S+ )?(?:kernel: \\[\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*authentication failure; logname=\\S* uid=\\S* euid=\\S* tty=\\S* ruser=\\S* rhost=<HOST>(?:\\s+user=.*)?\\s*$']
['set', 'ssh', 'addfailregex', '^\\s*(?:\\S+ )?(?:kernel: \\[\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*refused connect from \\S+ \\(<HOST>\\)\\s*$']
['set', 'ssh', 'addfailregex', '^\\s*(?:\\S+ )?(?:kernel: \\[\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*Address <HOST> .* POSSIBLE BREAK-IN ATTEMPT!*\\s*$']
['set', 'ssh', 'addfailregex', "^\\s*(?:\\S+ )?(?:kernel: \\[\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:)?\\s*User .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\\s*$"]
['set', 'ssh', 'addaction', 'iptables-multiport']
['set', 'ssh', 'actionban', 'iptables-multiport', 'iptables -I fail2ban-<name> 1 -s <ip> -j DROP']
['set', 'ssh', 'actionstop', 'iptables-multiport', 'iptables -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>\niptables -F fail2ban-<name>\niptables -X fail2ban-<name>']
['set', 'ssh', 'actionstart', 'iptables-multiport', 'iptables -N fail2ban-<name>\niptables -A fail2ban-<name> -j RETURN\niptables -I <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>']
['set', 'ssh', 'actionunban', 'iptables-multiport', 'iptables -D fail2ban-<name> -s <ip> -j DROP']
['set', 'ssh', 'actioncheck', 'iptables-multiport', 'iptables -n -L <chain> | grep -q fail2ban-<name>']
['set', 'ssh', 'setcinfo', 'iptables-multiport', 'protocol', 'tcp']
['set', 'ssh', 'setcinfo', 'iptables-multiport', 'name', 'ssh']
['set', 'ssh', 'setcinfo', 'iptables-multiport', 'chain', 'INPUT']
['set', 'ssh', 'setcinfo', 'iptables-multiport', 'port', 'ssh']
['set', 'ssh', 'addaction', 'sendmail-whois-lines']
['set', 'ssh', 'actionban', 'sendmail-whois-lines', 'printf %b "Subject: [Fail2Ban] <name>: banned <ip>\nDate: `date -u +"%a, %d %h %Y %T +0000"`\nFrom: Fail2Ban <<sender>>\nTo: <dest>\\n\nHi,\\n\nThe IP <ip> has just been banned by Fail2Ban after\n<failures> attempts against <name>.\\n\\n\nHere are more information about <ip>:\\n\n`/usr/bin/whois <ip>`\\n\\n\nLines containing IP:<ip> in <logpath>\\n\n`/bin/grep \'\\<<ip>\\>\' <logpath>`\\n\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f <sender> <dest>']
['set', 'ssh', 'actionstop', 'sendmail-whois-lines', 'printf %b "Subject: [Fail2Ban] <name>: stopped\nDate: `date -u +"%a, %d %h %Y %T +0000"`\nFrom: Fail2Ban <<sender>>\nTo: <dest>\\n\nHi,\\n\nThe jail <name> has been stopped.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f <sender> <dest>']
['set', 'ssh', 'actionstart', 'sendmail-whois-lines', 'printf %b "Subject: [Fail2Ban] <name>: started\nDate: `date -u +"%a, %d %h %Y %T +0000"`\nFrom: Fail2Ban <<sender>>\nTo: <dest>\\n\nHi,\\n\nThe jail <name> has been started successfully.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f <sender> <dest>']
['set', 'ssh', 'actionunban', 'sendmail-whois-lines', '']
['set', 'ssh', 'actioncheck', 'sendmail-whois-lines', '']
['set', 'ssh', 'setcinfo', 'sendmail-whois-lines', 'dest', 'root']
['set', 'ssh', 'setcinfo', 'sendmail-whois-lines', 'logpath', '/var/log/auth.log']
['set', 'ssh', 'setcinfo', 'sendmail-whois-lines', 'name', 'ssh']
['set', 'ssh', 'setcinfo', 'sendmail-whois-lines', 'chain', 'INPUT']
['set', 'ssh', 'setcinfo', 'sendmail-whois-lines', 'sender', 'fail2ban']
['start', 'ssh']
Paquet : fail2ban
État: installé
Automatiquement installé: non
Version : 0.8.6-3~bpo60+1
Priorité : optionnel
Section : net
Responsable : Yaroslav Halchenko <[email protected]>
Taille décompressée : 606 k
Dépend: python (>= 2.4), python-central (>= 0.6.11), lsb-base (>= 2.0-7)
Recommande: iptables, whois, python-gamin
Suggère: mailx
Description : ban hosts that cause multiple authentication errors
Fail2ban monitors log files (e.g. /var/log/auth.log,
/var/log/apache/access.log) and temporarily or persistently bans failure-prone
addresses by updating existing firewall rules. Fail2ban allows easy
specification of different actions to be taken such as to ban an IP using
iptables or hostsdeny rules, or simply to send a notification email.
By default, it comes with filter expressions for various services (sshd,
apache, qmail, proftpd, sasl etc.) but configuration can be easily extended for
monitoring any other text file. All filters and actions are given in the
config files, thus fail2ban can be adopted to be used with a variety of files
and firewalls.
Site : http://www.fail2ban.org
[DEFAULT]
action = %(action_mwl)s
destemail = root
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 1
bantime = 5
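As an added check, not part of the report or of Fail2Ban itself: the action dump above builds the Date header with `date -u +"%a, %d %h %Y %T +0000"`, whose `%a` and `%h` follow the shell's locale. This script feeds the two timestamps from the sample mail (Postfix's Received stamp and the action's Date line, both constructed here from the report) to Python's RFC 2822 parser and shows `email.utils.formatdate` as a locale-independent way to emit the same header.

```python
import calendar
import email.utils

# Constructed from the sample mail in the report: the Received line is stamped
# by Postfix, the Date line by the sendmail-whois-lines action running under a
# French locale (day/month names come out as "jeu." and "sept.").
RECEIVED_DATE = "Thu, 13 Sep 2012 12:03:49 +0200 (CEST)"
ACTION_DATE = "jeu., 13 sept. 2012 10:03:49 +0000"

# The instant both lines are meant to describe: 2012-09-13 10:03:49 UTC.
SAMPLE_EPOCH = calendar.timegm((2012, 9, 13, 10, 3, 49, 0, 0, 0))


def parse_rfc2822(header):
    """Return the UTC epoch for an RFC 2822 Date value, or None if the
    day/month tokens are not ones a mail client is required to understand."""
    parsed = email.utils.parsedate_tz(header)
    if parsed is None:
        return None
    return email.utils.mktime_tz(parsed)


def same_instant(header_a, header_b):
    """True only when both headers parse and denote the same moment."""
    epoch_a, epoch_b = parse_rfc2822(header_a), parse_rfc2822(header_b)
    return epoch_a is not None and epoch_a == epoch_b


def action_date_header(epoch):
    """Locale-independent replacement for the `date -u` call in the action:
    formatdate always writes English abbreviations and a GMT zone."""
    return email.utils.formatdate(epoch, usegmt=True)


if __name__ == "__main__":
    for label, header in (("Received", RECEIVED_DATE), ("Date", ACTION_DATE)):
        print(f"{label:8} {header!r:45} -> {parse_rfc2822(header)}")
    print("regenerated Date:", action_date_header(SAMPLE_EPOCH))
```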