Yes, that was it; some jerk already got banned :-)

$ su -
Password:
Last login: Tue Sep 8 12:58:17 CDT 2015 on pts/0
Last failed login: Tue Sep 8 13:13:56 CDT 2015 from 43.229.53.69 on ssh:notty
*There were 4 failed login attempts* since the last successful login.

# tail -f /var/log/fail2ban.log
2015-09-08 13:02:03,966 fail2ban.server.jail[25530]: INFO Jail 'sshd' started
2015-09-08 13:02:03,971 fail2ban.server.jail[25530]: INFO Jail 'sshd-ddos' started
2015-09-08 13:02:03,975 fail2ban.server.jail[25530]: INFO Jail 'dropbear' started
2015-09-08 13:02:03,976 fail2ban.server.jail[25530]: INFO Jail 'selinux-ssh' started
2015-09-08 13:13:50,720 fail2ban.server.filter[25530]: INFO [sshd] Found 43.229.53.69
2015-09-08 13:13:52,125 fail2ban.server.filter[25530]: INFO [sshd] Found 43.229.53.69
2015-09-08 13:13:54,148 fail2ban.server.filter[25530]: INFO [sshd] Found 43.229.53.69
2015-09-08 13:13:54,992 fail2ban.server.actions[25530]: NOTICE [sshd] *Ban 43.229.53.69*
2015-09-08 13:13:56,591 fail2ban.server.filter[25530]: INFO [sshd] Found 43.229.53.69

# iptables -L
...
Chain f2b-sshd (1 references)
target     prot opt source               destination
REJECT     all  --  43.229.53.69         anywhere             reject-with icmp-port-unreachable
On Tue, Sep 8, 2015 at 1:10 PM, Michael Schwager <[email protected]> wrote:
> Nice catch, thanks! That seems to be it... it eliminates my "too many
> files" problem. Let's see if fail2ban now works on sshd.
>
> I appreciate your looking at this so diligently.
>
> On Mon, Aug 24, 2015 at 4:07 PM, Harrison Johnson <[email protected]> wrote:
>
>> Missed this before: in the default section of your jail.local you have
>> enabled = true. Delete that line and then set enabled = true for each of the
>> jails you have defined in the jail.local and see if that closes all the
>> open files.
>>
>> On Mon, 2015-08-24 at 14:34 -0500, Michael Schwager wrote:
>>
>> It appears that there's some strange interaction between fail2ban and
>> systemd. Thanks for the link, but it talks about having a lot of files open.
>> I'm wondering about why fail2ban would need to open them in the first
>> place. ...Is the Fedora RPM broken? This is what's strange: I have a simple
>> VM, running Fedora 20, and by simple I mean that it is running httpd and
>> sshd only. And it's a sleepy little computer, very little going on with it
>> (outside of the usual ssh root login attempts by hackers).
>>
>> netstat shows that there is only a single connection: me, via ssh. The
>> error happens immediately upon start of fail2ban.
>>
>> So I do not have a lot of concurrent connections, nor am I running
>> something that opens a lot of files but never closes them, except fail2ban
>> itself.
>> lsof shows A TON of files opened by fail2ban in /var/log/journal:
>>
>> fail2ban- 19511 19633 root 737r REG 252,1 109051904 20638 /var/log/journal/11264912be38456483e63dfd21d402f4/system@f724c4fcb41c4dd09c9b814c3e159287-000000000049dceb-00051c23d11febc7.journal
>> fail2ban- 19511 19633 root 738r REG 252,1 100663296 20639 /var/log/journal/11264912be38456483e63dfd21d402f4/system@f724c4fcb41c4dd09c9b814c3e159287-000000000044db14-00051b85f6029c2c.journal
>> fail2ban- 19511 19633 root 739r REG 252,1 100663296 20611 /var/log/journal/11264912be38456483e63dfd21d402f4/system@c429c1a6e1044dd79b5d5e3089276833-0000000000715351-00051a2daf9bb2b7.journal
>>
>> If I run fail2ban by itself without using systemd, it seems to start fine:
>>
>> /usr/bin/python /usr/bin/fail2ban-server -b -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid -x
>>
>> If I removed files from /etc/fail2ban/filter.d I got some strange regular
>> expression error. I just tried it again, and moved all files but sshd.conf
>> and sshd-ddos.conf. It started without any messages to
>> /var/log/fail2ban.log, but this is what happens when I test:
>>
>> # fail2ban-client -d
>> WARNING Wrong value for 'loglevel' in 'Definition'. Using default one: ''INFO''
>> ERROR Failed during configuration: Bad value substitution:
>>         section: [Definition]
>>         option : failregex
>>         key    : __prefix_line
>>         rawval : (?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from <HOST>( via \S+)?\s*$
>>
>> ...It seems to work fine when all the files are left in place under filter.d.
>>
>> On Mon, Aug 24, 2015 at 1:49 PM, Harrison Johnson <[email protected]> wrote:
>>
>> You can remove files that are not being used in the filter.d and action.d
>> directories; I have done this to reduce the "noise" when I ls from a
>> terminal. The error is really the OS telling you that too many files are
>> already open and it can't open another one. There are more reasons for this
>> than you can shake a stick at, to use a favorite phrase of my great
>> grandmother. The first question I would have: are you running a server that
>> has a lot of concurrent connections? The second question is, are you running
>> a server or application that opens a lot of files but never closes them? The
>> third question is, are you using iptables as your firewall?
>> Here is a quick thread on the open file limit subject:
>> http://stackoverflow.com/questions/18280612/ioerror-errno-24-too-many-open-files
>>
>> On Mon, 2015-08-24 at 13:16 -0500, Michael Schwager wrote:
>>
>> Yes.
>>
>> systemd-208-26.fc20.x86_64
>> systemd-libs-208-26.fc20.x86_64
>> systemd-python-208-26.fc20.x86_64
>>
>> On Mon, Aug 24, 2015 at 11:36 AM, Harrison Johnson <[email protected]> wrote:
>>
>> Did you install the systemd package?
>>
>> On Mon, 2015-08-24 at 08:57 -0500, Michael Schwager wrote:
>>
>> Hello,
>> I have fail2ban 0.9 on Fedora 20. I notice in my log files that when I
>> start fail2ban I get the following error messages. I think maybe it's
>> because the /etc/fail2ban/filters.d directory has too much stuff in it...?
>> But if I try to move things out of there I get some errors about the
>> regexes. Or do I need to set ulimit? Any advice would be appreciated. I'll
>> include my fail2ban.conf file after the following errors.
>>
>> I notice there's a whole lot of stuff in jail.conf that I don't need, but
>> it says specifically to not edit it, so I have not.
>>
>> Here are the errors:
>>
>> 2015-08-24 08:42:49,660 fail2ban.server.jail[19511]: INFO Initiated 'systemd' backend
>> 2015-08-24 08:42:49,663 fail2ban.server.filter[19511]: INFO Set maxRetry = 3
>> 2015-08-24 08:42:49,665 fail2ban.server.actions[19511]: INFO Set banTime = 600
>> 2015-08-24 08:42:49,667 fail2ban.server.filter[19511]: INFO Set findtime = 600
>> 2015-08-24 08:42:49,670 fail2ban.server.filter[19511]: INFO Date pattern set to `'^L %d/%m/%Y - %H:%M:%S'`: `^L Day/Month/Year - 24hour:Minute:Second`
>> 2015-08-24 08:42:49,690 fail2ban.server.jail[19511]: INFO Jail 'sshd' started
>> 2015-08-24 08:42:49,690 fail2ban.server.action[19511]: ERROR iptables -N f2b-sshd
>> iptables -A f2b-sshd -j RETURN
>> iptables -I INPUT -p tcp -m multiport --dports ssh -j f2b-sshd -- failed with [Errno 24] Too many open files
>> 2015-08-24 08:42:49,690 fail2ban.server.actions[19511]: ERROR Failed to start jail 'sshd' action 'iptables-multiport': local variable 'retcode' referenced before assignment
>> 2015-08-24 08:42:49,696 fail2ban.server.jail[19511]: INFO Jail 'sshd-ddos' started
>> 2015-08-24 08:42:49,698 fail2ban.server.actions[19511]: ERROR Failed to start jail 'sshd-ddos' action 'iptables-multiport': [Errno 24] Too many open files: '/tmp/fai2ban_Kfztgy.stderr'
>>
>> # grep -v "^#" /etc/fail2ban/fail2ban.conf
>>
>> [Definition]
>> loglevel = INFO
>> logtarget = /var/log/fail2ban.log
>> socket = /var/run/fail2ban/fail2ban.sock
>> pidfile = /var/run/fail2ban/fail2ban.pid
>> dbfile = /var/lib/fail2ban/fail2ban.sqlite3
>> dbpurgeage = 86400
>>
>> (notice that my IP address has been munged to protect me...)
>>
>> # grep -v '^#' /etc/fail2ban/jail.local
>> [INCLUDES]
>>
>> [DEFAULT]
>> ignoreip = 127.0.0.1/8 X.Y.Z.A
>> bantime = 600
>> findtime = 600
>> maxretry = 3
>> backend = systemd
>> usedns = no
>> enabled = true
>> filter = %(__name__)s
>> destemail = root@localhost
>> sender = root@localhost
>>
>> [sshd]
>> port = ssh
>> logpath = %(sshd_log)s
>> enabled = true
>>
>> [sshd-ddos]
>> port = ssh
>> logpath = %(sshd_log)s
>>
>> [dropbear]
>> port = ssh
>> logpath = %(dropbear_log)s
>>
>> [selinux-ssh]
>> port = ssh
>> logpath = %(auditd_log)s
>> maxretry = 5
>>
>> --
>> -Mike Schwager
>
> --
> -Mike Schwager

--
-Mike Schwager
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
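The mechanism behind Harrison's fix, as an added illustration that is not part of the thread: fail2ban reads jail.conf and then jail.local with a ConfigParser-style reader, so a key placed in jail.local's [DEFAULT] is inherited by every jail section, including the dozens defined in jail.conf that the user never touched. The jail.conf excerpt below is constructed (the real file is far longer) but keeps the one property that matters, enabled = false in [DEFAULT]; the jail.local layers are the posted file, trimmed, and the corrected form.

```python
import configparser

# Constructed stand-in for the distribution jail.conf: its [DEFAULT] sets
# enabled = false, and every jail section inherits that unless it overrides it.
JAIL_CONF = """
[DEFAULT]
enabled = false
[sshd]
port = ssh
[sshd-ddos]
port = ssh
[apache-auth]
port = http,https
[postfix]
port = smtp
"""

# jail.local as posted in the thread (trimmed): enabled = true in [DEFAULT].
JAIL_LOCAL_BEFORE = """
[DEFAULT]
backend = systemd
enabled = true
[sshd]
enabled = true
"""

# Harrison's fix: drop enabled from [DEFAULT] and opt in per jail instead.
JAIL_LOCAL_AFTER = """
[DEFAULT]
backend = systemd
[sshd]
enabled = true
[sshd-ddos]
enabled = true
"""

def enabled_jails(*layers):
    """Merge config layers in order (a later layer overrides an earlier one,
    as jail.local overrides jail.conf) and return the jails left enabled.
    Every section inherits whatever [DEFAULT] ends up holding."""
    cp = configparser.ConfigParser(interpolation=None)
    for text in layers:
        cp.read_string(text)
    return sorted(s for s in cp.sections()
                  if cp.getboolean(s, "enabled", fallback=False))

if __name__ == "__main__":
    print("before:", enabled_jails(JAIL_CONF, JAIL_LOCAL_BEFORE))  # every jail
    print("after: ", enabled_jails(JAIL_CONF, JAIL_LOCAL_AFTER))   # sshd, sshd-ddos
```

With the posted jail.local every jail in jail.conf starts, and under the systemd backend each one opens its own set of journal files, which is where the [Errno 24] came from; with the corrected file only the two jails that opted in start.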
