Hello Bill,
> fail2ban's actions are in /etc/fail2ban/action.d/
>
> filters are in /etc/fail2ban/filter.d/
Thank you. I found /etc/fail2ban/action.d/iptables-allports.conf, which has a
configuration like this:
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Modified: Yaroslav O. Halchenko <deb...@onerussian.com>
# made active on all ports from original iptables.conf
#
#
[INCLUDES]
before = iptables-common.conf
[Definition]
# Option: actionstart
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
actionstart = <iptables> -N f2b-<name>
              <iptables> -A f2b-<name> -j <returntype>
              <iptables> -I <chain> -p <protocol> -j f2b-<name>
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
actionstop = <iptables> -D <chain> -p <protocol> -j f2b-<name>
             <iptables> -F f2b-<name>
             <iptables> -X f2b-<name>
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck = <iptables> -n -L <chain> | grep -q 'f2b-<name>[ \t]'
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionunban = <iptables> -D f2b-<name> -s <ip> -j <blocktype>
[Init]
> You seem to be missing the filter for [recidive]
>
Actually, I have not changed the [recidive] configuration since installing it with
apt-get.
Also, my fail2ban has /etc/fail2ban/jail.d/defaults-debian.conf, and [recidive]
appears in that file as well, like this:
[sshd]
enabled = true
[pam-generic]
enabled = true
[sshd-ddos]
enabled = true
[postfix-rbl]
enabled = true
[recidive]
enabled = true
> Have you looked at:
> https://www.dghost.com/techno/internet/the-power-of-fail2ban
> [recidive]
> enabled = true
> filter = recidive
> logpath = /var/log/fail2ban.log
> action = iptables-allports[name=recidive]
> sendmail-whois-lines[name=recidive, logpath=/var/log/fail2ban.log]
> bantime = 604800 ; 1 week
> findtime = 86400 ; 1 day
> maxretry = 5
I'll try this configuration in my /etc/fail2ban/jail.local.
Yusui Tomikawa
2017-11-27 2:52 GMT+09:00 Bill Shirley <bshir...@openmri-scottsboro.com>:
> fail2ban's actions are in /etc/fail2ban/action.d/
>
> filters are in /etc/fail2ban/filter.d/
>
> You seem to be missing the filter for [recidive]
>
> Have you looked at: https://www.dghost.com/techno/internet/the-power-of-fail2ban
>
> [recidive]
> enabled = true
> filter = recidive
> logpath = /var/log/fail2ban.log
> action = iptables-allports[name=recidive]
> sendmail-whois-lines[name=recidive, logpath=/var/log/fail2ban.log]
> bantime = 604800 ; 1 week
> findtime = 86400 ; 1 day
> maxretry = 5
>
>
> Bill
>
>
> On 11/26/2017 11:28 AM, Yusui Tomikawa wrote:
>
> Hello,
>
> > Post your jail config section for [recidive] and your
> 'iptables-allports' action.
>
> The [recidive] section is as follows, and I could not find the configuration for
> 'iptables-allports'... Where is it?
>
> [recidive]
>
> logpath = /var/log/fail2ban.log
> banaction = iptables-allports
> bantime = 1209600 ; 2 weeks
> findtime = 604800 ; 1 week
> maxretry = 3
>
>
> # Generic filter for PAM. Has to be used with action which bans all
> # ports such as iptables-allports, shorewall
>
> > Is XX.XX.XX.XX in
> > 2017-11-16 07:59:07,449 fail2ban.actions [641]: NOTICE [recidive] Ban XX.XX.XX.XX
> > an obfuscated public IP address?
>
> Yes. XX.XX.XX.XX is a public IP address which should be blocked.
>
> > Why are your log file entries out of order?
>
> fail2ban.log seems to be in order, like this, but the log entries are not in
> order for an unknown reason...
>
> 2017-11-14 20:18:36,788 fail2ban.filter [641]: INFO [sshd] Found XX.XX.XX.XX
> 2017-11-14 20:18:36,797 fail2ban.filter [641]: INFO [sshd] Found XX.XX.XX.XX
> 2017-11-14 20:18:36,809 fail2ban.filter [641]: INFO [pam-generic] Found XX.XX.XX.XX
> 2017-11-14 20:18:38,902 fail2ban.filter [641]: INFO [sshd] Found XX.XX.XX.XX
> 2017-11-14 20:18:40,981 fail2ban.filter [641]: INFO [sshd] Found XX.XX.XX.XX
> 2017-11-14 20:18:42,979 fail2ban.filter [641]: INFO [sshd] Found XX.XX.XX.XX
> 2017-11-14 20:18:43,887 fail2ban.actions [641]: NOTICE [sshd] Ban XX.XX.XX.XX
> 2017-11-14 20:18:43,889 fail2ban.filter [641]: INFO [recidive] Found XX.XX.XX.XX
> 2017-11-14 20:18:44,111 fail2ban.actions [641]: ERROR Failed to execute ban jail 'sshd' action 'iptables-multiport' info 'CallingMap({'time': 1510690723.8871074, 'matches': 'Nov 14 20:18:36 okapi sshd[27019]: Invalid user belltcg from XX.XX.XX.XX\nNov 14 20:18:36 okapi sshd[27019]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=XX.XX.XX.XX\nNov 14 20:18:38 okapi sshd[27019]: Failed password for invalid user belltcg from XX.XX.XX.XX port 47689 ssh2\nNov 14 20:18:40 okapi sshd[27019]: Failed password for invalid user belltcg from XX.XX.XX.XX port 47689 ssh2\nNov 14 20:18:42 okapi sshd[27019]: Failed password for invalid user belltcg from 104.236.129.6 port 47689 ssh2', 'ipfailures': <function Actions.__checkBan.<locals>.<lambda> at 0x7fa01e843840>, 'ipjailfailures': <function Actions.__checkBan.<locals>.<lambda> at 0x7fa01e843f28>, 'ipmatches': <function Actions.__checkBan.<locals>.<lambda> at 0x7fa01e843b70>, 'failures': 5, 'ipjailmatches': <function Actions.__checkBan.<locals>.<lambda> at 0x7fa01e8436a8>, 'ip': 'XX.XX.XX.XX'})': Error stopping action
> 2017-11-15 20:18:43,929 fail2ban.actions [641]: NOTICE [sshd] Unban XX.XX.XX.XX
> 2017-11-15 20:18:44,156 fail2ban.actions [641]: ERROR Failed to execute unban jail 'sshd' action 'iptables-multiport' info '{'time': 1510690723.8871074, 'failures': 5, 'matches': 'Nov 14 20:18:36 okapi sshd[27019]: Invalid user belltcg from XX.XX.XX.XXNov 14 20:18:36 okapi sshd[27019]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=XX.XX.XX.XXNov 14 20:18:38 okapi sshd[27019]: Failed password for invalid user belltcg from XX.XX.XX.XX port 47689 ssh2Nov 14 20:18:40 okapi sshd[27019]: Failed password for invalid user belltcg from XX.XX.XX.XX port 47689 ssh2Nov 14 20:18:42 okapi sshd[27019]: Failed password for invalid user belltcg from XX.XX.XX.XX port 47689 ssh2', 'ip': 'XX.XX.XX.XX'}': Error stopping action
> 2017-11-16 07:59:01,109 fail2ban.filter [641]: INFO [sshd] Found XX.XX.XX.XX
> 2017-11-16 07:59:01,114 fail2ban.filter [641]: INFO [sshd] Found XX.XX.XX.XX
> 2017-11-16 07:59:01,115 fail2ban.filter [641]: INFO [pam-generic] Found XX.XX.XX.XX
> 2017-11-16 07:59:03,066 fail2ban.filter [641]: INFO [sshd] Found XX.XX.XX.XX
> 2017-11-16 07:59:05,012 fail2ban.filter [641]: INFO [sshd] Found XX.XX.XX.XX
> 2017-11-16 07:59:06,918 fail2ban.filter [641]: INFO [sshd] Found XX.XX.XX.XX
> 2017-11-16 07:59:06,944 fail2ban.actions [641]: NOTICE [sshd] Ban XX.XX.XX.XX
> 2017-11-16 07:59:06,949 fail2ban.filter [641]: INFO [recidive] Found XX.XX.XX.XX
> 2017-11-16 07:59:07,165 fail2ban.actions [641]: ERROR Failed to execute ban jail 'sshd' action 'iptables-multiport' info 'CallingMap({'time': 1510819146.9440994, 'matches': 'Nov 16 07:59:01 okapi sshd[3714]: Invalid user admin from XX.XX.XX.XX\nNov 16 07:59:01 okapi sshd[3714]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=XX.XX.XX.XX\nNov 16 07:59:03 okapi sshd[3714]: Failed password for invalid user admin from XX.XX.XX.XX port 43794 ssh2\nNov 16 07:59:05 okapi sshd[3714]: Failed password for invalid user admin from XX.XX.XX.XX port 43794 ssh2\nNov 16 07:59:06 okapi sshd[3714]: Failed password for invalid user admin from XX.XX.XX.XX port 43794 ssh2', 'ipfailures': <function Actions.__checkBan.<locals>.<lambda> at 0x7fa01c6b79d8>, 'ipjailfailures': <function Actions.__checkBan.<locals>.<lambda> at 0x7fa01c6b7488>, 'ipmatches': <function Actions.__checkBan.<locals>.<lambda> at 0x7fa01c6b76a8>, 'failures': 5, 'ipjailmatches': <function Actions.__checkBan.<locals>.<lambda> at 0x7fa01c6b7950>, 'ip': 'XX.XX.XX.XX'})': Error stopping action
> 2017-11-16 07:59:07,449 fail2ban.actions [641]: NOTICE [recidive] Ban XX.XX.XX.XX
> 2017-11-16 07:59:07,671 fail2ban.actions [641]: ERROR Failed to execute ban jail 'recidive' action 'iptables-allports' info 'CallingMap({'time': 1510819147.4490871, 'matches': '2017-11-12 03:23:00,898 fail2ban.actions [641]: NOTICE [sshd] Ban XX.XX.XX.XX\n2017-11-14 20:18:43,887 fail2ban.actions [641]: NOTICE [sshd] Ban XX.XX.XX.XX\n2017-11-16 07:59:06,944 fail2ban.actions [641]: NOTICE [sshd] Ban XX.XX.XX.XX', 'ipfailures': <function Actions.__checkBan.<locals>.<lambda> at 0x7fa01c6b7488>, 'ipjailfailures': <function Actions.__checkBan.<locals>.<lambda> at 0x7fa01c6b79d8>, 'ipmatches': <function Actions.__checkBan.<locals>.<lambda> at 0x7fa01c6b7950>, 'failures': 3, 'ipjailmatches': <function Actions.__checkBan.<locals>.<lambda> at 0x7fa01c6b76a8>, 'ip': 'XX.XX.XX.XX'})': Error stopping action
> 2017-11-17 07:59:07,179 fail2ban.actions [641]: NOTICE [sshd] Unban XX.XX.XX.XX
> 2017-11-17 07:59:07,406 fail2ban.actions [641]: ERROR Failed to execute unban jail 'sshd' action 'iptables-multiport' info '{'time': 1510819146.9440994, 'failures': 5, 'matches': 'Nov 16 07:59:01 okapi sshd[3714]: Invalid user admin from XX.XX.XX.XXNov 16 07:59:01 okapi sshd[3714]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=XX.XX.XX.XXNov 16 07:59:03 okapi sshd[3714]: Failed password for invalid user admin from XX.XX.XX.XX port 43794 ssh2Nov 16 07:59:05 okapi sshd[3714]: Failed password for invalid user admin from XX.XX.XX.XX port 43794 ssh2Nov 16 07:59:06 okapi sshd[3714]: Failed password for invalid user admin from XX.XX.XX.XX port 43794 ssh2', 'ip': 'XX.XX.XX.XX'}': Error stopping action
>
> 2017-11-27 0:37 GMT+09:00 Bill Shirley <bshir...@openmri-scottsboro.com>:
>
>> Post your jail config section for [recidive] and your 'iptables-allports'
>> action.
>>
>> Is XX.XX.XX.XX in
>> 2017-11-16 07:59:07,449 fail2ban.actions [641]: NOTICE [recidive] Ban XX.XX.XX.XX
>> an obfuscated public IP address?
>>
>> Why are your log file entries out of order?
>>
>> Bill
>>
>>
>> On 11/26/2017 8:54 AM, Smart Goldman wrote:
>>
>> Hello.
>>
>> I often got fail2ban's error mails like this:
>>
>> 2017-11-16 07:59:07,449 fail2ban.actions [641]: NOTICE [recidive] Ban XX.XX.XX.XX
>> 2017-11-16 07:59:07,671 fail2ban.actions [641]: ERROR Failed to
>> execute ban jail 'recidive' action 'iptables-allports' info
>> 'CallingMap({'time': 1510819147.4490871, 'matches': '2017-11-12
>> 03:23:00,898 fail2ban.actions [641]: NOTICE [sshd] Ban XX.XX.XX.XX
>> 2017-11-14 20:18:43,887 fail2ban.actions [641]: NOTICE [sshd] Ban
>> XX.XX.XX.XX
>> 2017-11-16 07:59:06,944 fail2ban.actions [641]: NOTICE [sshd] Ban
>> XX.XX.XX.XX', 'ipfailures': <function Actions.__checkBan.<locals>.<lambda>
>> at 0x7fa01c6b7488>, 'ipjailfailures': <function
>> Actions.__checkBan.<locals>.<lambda> at 0x7fa01c6b79d8>, 'ipmatches':
>> <function Actions.__checkBan.<locals>.<lambda> at 0x7fa01c6b7950>,
>> 'failures': 3, 'ipjailmatches': <function
>> Actions.__checkBan.<locals>.<lambda>
>> at 0x7fa01c6b76a8>, 'ip': 'XX.XX.XX.XX'})': Error stopping action
>>
>> It means failure of IP ban?
>> How can I fix this error?
>>
>> OS: Ubuntu 16.04 LTS
>>
>> Thank you.
>>
>> Yusui
>>
>>
>>
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
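As an added example that is not part of this thread or of fail2ban itself: a small Python audit over fail2ban.log lines shaped like the ones quoted above, pairing each "NOTICE [jail] Ban/Unban" with a following "ERROR Failed to execute ban/unban jail '...' action '...'" for the same jail, so you can list the bans that never reached iptables. The sample log is constructed from the thread's entries with the CallingMap dumps shortened to "...", and the regexes and audit() function are assumptions of mine, not fail2ban's code.

```python
import re

# Constructed sample modelled on the fail2ban.log lines quoted in this thread
# (addresses obfuscated as in the thread, CallingMap dumps shortened to '...').
SAMPLE_LOG = """\
2017-11-16 07:59:06,944 fail2ban.actions [641]: NOTICE [sshd] Ban XX.XX.XX.XX
2017-11-16 07:59:06,949 fail2ban.filter [641]: INFO [recidive] Found XX.XX.XX.XX
2017-11-16 07:59:07,165 fail2ban.actions [641]: ERROR Failed to execute ban jail 'sshd' action 'iptables-multiport' info 'CallingMap({...})': Error stopping action
2017-11-16 07:59:07,449 fail2ban.actions [641]: NOTICE [recidive] Ban XX.XX.XX.XX
2017-11-16 07:59:07,671 fail2ban.actions [641]: ERROR Failed to execute ban jail 'recidive' action 'iptables-allports' info 'CallingMap({...})': Error stopping action
2017-11-17 07:59:07,179 fail2ban.actions [641]: NOTICE [sshd] Unban XX.XX.XX.XX
2017-11-17 07:59:07,406 fail2ban.actions [641]: ERROR Failed to execute unban jail 'sshd' action 'iptables-multiport' info '{...}': Error stopping action
2017-11-18 10:00:00,000 fail2ban.actions [641]: NOTICE [sshd] Ban 192.0.2.10
"""

# The two fail2ban.actions line shapes that matter: the NOTICE announcing a
# ban/unban and the ERROR reporting that the action command did not run.
NOTICE_RE = re.compile(
    r"^\S+ \S+ fail2ban\.actions\s+\[\d+\]: NOTICE\s+\[(?P<jail>[^\]]+)\] "
    r"(?P<op>Ban|Unban) (?P<ip>\S+)$")
ERROR_RE = re.compile(
    r"^\S+ \S+ fail2ban\.actions\s+\[\d+\]: ERROR\s+Failed to execute "
    r"(?P<op>ban|unban) jail '(?P<jail>[^']+)' action '(?P<action>[^']+)'")


def audit(log_text):
    """Pair every NOTICE Ban/Unban with the next ERROR for the same jail and
    operation.  Returns (failed, ok): failed holds (jail, op, ip, action) for
    firewall commands that did not run, ok holds (jail, op, ip) that raised
    no error.  A NOTICE with no matching ERROR counts as applied."""
    pending = {}            # (jail, op) -> ip of the NOTICE not yet resolved
    failed, ok = [], []
    for line in log_text.splitlines():
        m = NOTICE_RE.match(line)
        if m:
            key = (m["jail"], m["op"].lower())
            if key in pending:          # earlier notice produced no error
                ok.append((key[0], key[1], pending[key]))
            pending[key] = m["ip"]
            continue
        m = ERROR_RE.match(line)
        if m:
            key = (m["jail"], m["op"])
            failed.append((key[0], key[1], pending.pop(key, None), m["action"]))
    ok.extend((jail, op, ip) for (jail, op), ip in pending.items())
    return failed, ok


if __name__ == "__main__":
    for jail, op, ip, action in audit(SAMPLE_LOG)[0]:
        print(f"{op} of {ip} in [{jail}] via {action} did NOT reach the firewall")
```

On a real host, feed the contents of /var/log/fail2ban.log to audit() and cross-check each failed entry against the chain listing the action's own actioncheck uses (`iptables -n -L <chain>` filtered for `f2b-<name>`), since a "Failed to execute ban" error means the address was recorded as banned by fail2ban but no rule was added.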