Hi,
I think it is not the problem. One can define jails either in separate
files or in a single file.
I was wondering, why I only get e-mail once but not on repeated failed
attempts...
Cheers
On 18.01.2016 08:07, kuncho pencho wrote:
Hi,
I'm sorry, but my English is worst. I mean "my config". :)
I think, you should have sshd.conf in jail.d/. In my jail.local all
rules are set to "false" and I have 3 files in jail.d/ , sshd.conf,
exim.conf, dovecot.conf and there I set "true". I'll paste my sshd.conf:
[ssh]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
         sendmail-whois[name=SSH, [email protected], [email protected], sendername="Fail2Ban"]
logpath = /var/log/sshd/current
maxretry = 5
bantime = 2592000
findtime = 144000
Cheers
>-------- Original message --------
>From: "YouGenom ." [email protected]
>Subject: Re: [Fail2ban-users] Fail2Ban sends mails only once
>To: kuncho pencho <[email protected]>
>Sent on: 18.01.2016 02:50
Hi,
Sorry about that. There is actually "]" at the end. I have somehow
mistakenly deleted it. Actual file has it.
jail.d directory is completely empty.
What do you mean with "Main config"? Is the suggested/correct way of
using sendmail-whois this: sendmail-whois[name=SSH, dest=
[email protected], sender=
[email protected], sendername="Fail2Ban"] ?
Thanks a lot for the assistance!
On Sun, Jan 17, 2016 at 5:49 PM, kuncho pencho
<[email protected]> wrote:
Hi,
Could you try to set sender in ssh section in jail.conf?
Your config is "sendmail-whois[name=ssh, dest=
[email protected]" , here is missing "]" symbol and sender.
Main config is with this line:
sendmail-whois[name=SSH, dest=
[email protected], sender=
[email protected], sendername="Fail2Ban"]
Do you have sshd.conf in jail.d ?
>-------- Original message --------
>From: "YouGenom ." [email protected]
>Subject: Re: [Fail2ban-users] Fail2Ban sends mails only once
>To: kuncho pencho <[email protected]>
>Sent on: 17.01.2016 16:50
Hi,
I did not get any error message after setting up exim4 (but before
that I did not get any mail at all anyway). So at the (first,) second
and further failed logins there are no errors. But I only get the
warning mail at the first failed login. Here is my configuration file
(jail.local) attached.
Thanks!
On Sun, Jan 17, 2016 at 1:45 PM, kuncho pencho
<[email protected]> wrote:
Hi,
Could you paste your jail.conf and jail.d/sshd.conf? Is there an error
in fail2ban.log?
>-------- Original message --------
>From: "YouGenom ." [email protected]
>Subject: [Fail2ban-users] Fail2Ban sends mails only once
>To: [email protected]
>Sent on: 17.01.2016 13:39
Hi,
I have been trying to set up fail2ban. I have only edited for the SSH
jail to warn me in case of failed login. Other jails/actions/filters
are at default. Then I tried from another machine a failed login (6
times with wrong password). I have got the mail with whois info. So
this is what I was expecting. Then I have waited for the ban to expire
(10 mins) and retried the failed login. I did not get any mail this
time. In logs, it was mentioned, that a ban was issued for the client
IP address. Interestingly, by using another IP address (through VPN) I
could get again an e-mail warning for the first time but not second
time. It seems to me fail2ban sends e-mail warning only once per
IP-address. Moreover, I changed log level to 4 (DEBUG) and ran
fail2ban-client reload. Then I tried a failed login with the old (once
banned) IP address. It did not send any mail but I found this in the
logs:
2016-01-17 12:32:08,961 fail2ban.actions.action[21573]: DEBUG printf
%b "Subject: [Fail2Ban] ssh: banned 192.168.0.11 from `uname -n`
Date: `LC_TIME=C date -u +"%a, %d %h %Y %T +0000"`
From: Fail2Ban <fail2ban>
To:
[email protected]\n
Hi,\n
The IP 192.168.0.11 has just been banned by Fail2Ban after
6 attempts against ssh.\n\n
Here is more information about
192.168.0.11:\n
`/usr/bin/whois 192.168.0.11 || echo missing whois program`\n
Regards,\n
Fail2Ban" | /usr/sbin/sendmail -f fail2ban
[email protected]
2016-01-17 12:32:09,491 fail2ban.actions.action[21573]: DEBUG printf
%b "Subject: [Fail2Ban] ssh: banned 192.168.0.11 from `uname -n`
Date: `LC_TIME=C date -u +"%a, %d %h %Y %T +0000"`
From: Fail2Ban <fail2ban>
To:
[email protected]\n
Hi,\n
The IP 192.168.0.11 has just been banned by Fail2Ban after
6 attempts against ssh.\n\n
Here is more information about
192.168.0.11:\n
`/usr/bin/whois 192.168.0.11 || echo missing whois program`\n
Regards,\n
Fail2Ban" | /usr/sbin/sendmail -f fail2ban
[email protected] returned successfully
I am not sure, if the issue is because of my GMail account blocking
the mails or is it a feature in Fail2Ban to prevent e-mail flood?
Best wishes!
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
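
Added example (not part of the original thread and not Fail2Ban project code): the DEBUG output quoted above logs the mail command twice per ban, once when it is run and once with "returned successfully". Counting the second kind per IP against ban events shows whether Fail2Ban ran sendmail for every ban or whether the mail was lost later. The "WARNING [ssh] Ban" line format, the recipient address and the second IP are assumptions in a constructed sample.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the DEBUG records quoted in the thread.
# The "WARNING [ssh] Ban <ip>" line format and the addresses are assumptions.
SAMPLE_LOG = """\
2016-01-17 12:10:01,100 fail2ban.actions[21573]: WARNING [ssh] Ban 192.168.0.11
2016-01-17 12:10:01,600 fail2ban.actions.action[21573]: DEBUG printf %b "Subject: [Fail2Ban] ssh: banned 192.168.0.11 from `uname -n`
Fail2Ban" | /usr/sbin/sendmail -f fail2ban admin@example.org returned successfully
2016-01-17 12:32:08,950 fail2ban.actions[21573]: WARNING [ssh] Ban 192.168.0.11
2016-01-17 12:32:08,961 fail2ban.actions.action[21573]: DEBUG printf %b "Subject: [Fail2Ban] ssh: banned 192.168.0.11 from `uname -n`
Fail2Ban" | /usr/sbin/sendmail -f fail2ban admin@example.org
2016-01-17 12:32:09,491 fail2ban.actions.action[21573]: DEBUG printf %b "Subject: [Fail2Ban] ssh: banned 192.168.0.11 from `uname -n`
Fail2Ban" | /usr/sbin/sendmail -f fail2ban admin@example.org returned successfully
2016-01-17 13:05:44,002 fail2ban.actions[21573]: WARNING [ssh] Ban 203.0.113.7
"""

STAMP = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} ")
BAN = re.compile(r"fail2ban\.actions\S*: WARNING \[[^\]]+\] Ban (\S+)")
MAIL = re.compile(r"Subject: \[Fail2Ban\] \S+ banned (\S+) from")

def records(text):
    """Group wrapped lines: a record starts at each timestamped line."""
    rec = []
    for line in text.splitlines():
        if STAMP.match(line) and rec:
            yield "\n".join(rec)
            rec = []
        rec.append(line)
    if rec:
        yield "\n".join(rec)

def audit(text):
    """Return {ip: {"bans": n, "mail_ok": m}} for one fail2ban.log text."""
    stats = defaultdict(lambda: {"bans": 0, "mail_ok": 0})
    for rec in records(text):
        ban, mail = BAN.search(rec), MAIL.search(rec)
        if ban:
            stats[ban.group(1)]["bans"] += 1
        elif mail and rec.rstrip().endswith("returned successfully"):
            stats[mail.group(1)]["mail_ok"] += 1  # count completed mail actions only
    return dict(stats)

if __name__ == "__main__":
    for ip, s in audit(SAMPLE_LOG).items():
        where = "MTA log / mailbox filtering" if s["mail_ok"] >= s["bans"] else "jail action config"
        print(ip, s, "-> check", where)
```
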