Hello:
Problem #1:
I just updated my Fail2Ban to version: 0.8.13.-1-nd12.04+1 from the
NeuroDebian repository and now I see that when Fail2Ban detects a match to one
of my Jails, fail2ban erroneously drops the last digit off the offending IP
address and thus bans the wrong IP address.
Here is an example: Here is a line from my log file:
Sun Jun 28 10:53:12 2015 87.221.129.170:56512 - MBOX (root) bad login
But fail2ban reports banning IP address 87.221.129.17 (Note the missing
"0") Fail2ban should have banned 87.221.129.170.
When I look at my firewall (I use SHOREWALL) I see these lines.
-A dynamic -s 201.52.10.18/32 -j reject
-A dynamic -s 95.180.179.21/32 -j reject
-A dynamic -s 87.221.129.17/32 -j reject
-A dynamic -s 182.209.52.14/32 -j reject
Every last one is missing the last digit, so the wrong IP is banned. Here
are the correct IP addresses as seen in my log file.
Sun Jun 28 10:46:35 2015 201.52.10.189:39679 - MBOX (root) bad login
Sun Jun 28 10:42:04 2015 95.180.179.218:53539 - MBOX (root) bad login
Sun Jun 28 10:47:35 2015 87.221.129.170:53538 - MBOX (root) bad login
Sun Jun 28 10:49:34 2015 182.209.52.142:2935 - MBOX (support) bad login
Problem #2: I have my config in the jail set to email with the WHOIS
as well as the offending lines in the log file (using: action =
%(action_mwl)s)
Yet when I get the email, it gives me the WHOIS, but no log lines are
included.
I am thinking it may not contain the actual offending logbook lines because
problem #1 above is capturing the incorrect IP address, thus there is no
match to report in the email. Just a guess though. Problem #1 would have to
be corrected, then see if problem #2 remains or is also fixed.
Problem #3:
I also noted that my previous version of fail2ban used "DROP" in shorewall,
which is what I prefer. The new update now uses "reject" instead. Is there
a way to change this in a config somewhere back to DROP?
Thanks,
Wm Lewis
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
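A check for the mismatch reported in the message above, as an added example that is not part of the original post and is not fail2ban or Shorewall code: it compares the addresses in the firewall rules with the addresses in the log and flags any ban that is a logged address with trailing digits cut off. The sample data is copied from the lines quoted in the message; the function names and regular expressions are assumptions made for this illustration.

```python
import ipaddress
import re

# Constructed sample input: the log lines and firewall rules quoted in the message.
LOG_LINES = [
    "Sun Jun 28 10:46:35 2015 201.52.10.189:39679 - MBOX (root) bad login",
    "Sun Jun 28 10:42:04 2015 95.180.179.218:53539 - MBOX (root) bad login",
    "Sun Jun 28 10:47:35 2015 87.221.129.170:53538 - MBOX (root) bad login",
    "Sun Jun 28 10:49:34 2015 182.209.52.142:2935 - MBOX (support) bad login",
]
RULES = [
    "-A dynamic -s 201.52.10.18/32 -j reject",
    "-A dynamic -s 95.180.179.21/32 -j reject",
    "-A dynamic -s 87.221.129.17/32 -j reject",
    "-A dynamic -s 182.209.52.14/32 -j reject",
]

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
LOG_RE = re.compile(r"\d{4} " + IPV4 + r":\d+ - ")      # "<year> <ip>:<port> - "
RULE_RE = re.compile(r"^-A \S+ -s " + IPV4 + r"(?:/32)? -j \S+")

def extract(lines, pattern):
    """Return the valid IPv4 addresses matched by pattern, in input order."""
    found = []
    for line in lines:
        m = pattern.search(line)
        if not m:
            continue
        try:
            found.append(str(ipaddress.IPv4Address(m.group(1))))
        except ValueError:
            pass  # matches the dotted shape but is not a valid address
    return found

def audit(log_lines, rules):
    """Classify each banned IP as ok, truncated (maps to logged IPs), or unexplained."""
    seen = set(extract(log_lines, LOG_RE))
    ok, truncated, unexplained = [], {}, []
    for ban in extract(rules, RULE_RE):
        # A truncated ban is a logged address with trailing digits cut off.
        longer = sorted(ip for ip in seen
                        if ip.startswith(ban) and ip[len(ban):].isdigit())
        if ban in seen:
            ok.append(ban)
        elif longer:
            truncated[ban] = longer
        else:
            unexplained.append(ban)
    return ok, truncated, unexplained

if __name__ == "__main__":
    for ban, full in audit(LOG_LINES, RULES)[1].items():
        print(f"banned {ban} but log shows {', '.join(full)}")
```

Run against the quoted data, all four rules are classified as truncated and none as correct, which matches what the message describes.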