Re: [Fail2ban-users] "Already banned" makes no sense

2021-07-13 Thread Tom Hendrikx

Hi,

Apparently the ip-address 'should' be banned according to fail2ban's 
internal administration, but there is still activity coming in, 
triggering new bans.


This can happen if your banning technique is broken, the configuration 
is broken, etc.


F.i. you could configure the apache jail to block all traffic to port 80 
using iptables. After some research, you'll notice that you also needed 
to block access to port 443, but you simply forgot to include it.


Please post full configuration if you're not sure what to look for. I 
have no idea what 'suricata' is though ;)


Kind regards,
Tom

On 13-07-2021 01:33, James Moe via Fail2ban-users wrote:

fail2ban v1.0.1.1
opensuse tumbleweed, linux v5.13.0

Messages as shown below occasionally are in the log. It does not make much
sense. If the IP is banned, how can it be detected in the target log?

2021-07-11 16:15:31,136 fail2ban.filter [10710]: INFO [suricata-1] Found 65.205.231.167 - 2021-07-11 16:15:31
2021-07-11 16:15:31,357 fail2ban.actions [10710]: WARNING [suricata-1] 65.205.231.167 already banned





___
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
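The symptom Tom describes (an address fail2ban considers banned keeps turning up in the target log, so the filter keeps reporting it "already banned") can be checked from fail2ban.log alone. The script below is an added example for this thread, not code from the thread or from the fail2ban project: it parses fail2ban.log lines and counts, per jail and address, how many times the filter found the address again between its Ban and its Unban. If the action really blocks the traffic that count is zero, because the packets never reach the service. The log lines, jail names and addresses are constructed for the example.

```python
"""Find bans that are not taking effect, from fail2ban.log alone.

Added example; not fail2ban's own code. fail2ban logs "Found <ip>" when a
filter matches a line, "Ban <ip>" / "Unban <ip>" when the action runs, and
"<ip> already banned" when a Found arrives for an address it believes is
blocked. A working block means no "Found" for that address can follow its
"Ban" until the "Unban".
"""
import re
from collections import defaultdict

# One fail2ban.log line: "<date>,<ms> fail2ban.<module> [<pid>]: <LEVEL> [<jail>] <message>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+\s+"
    r"fail2ban\.(?P<module>\w+)\s*\[\d+\]:\s+(?P<level>[A-Z]+)\s+"
    r"\[(?P<jail>[^\]]+)\]\s+(?P<msg>.*)$"
)
FOUND_RE = re.compile(r"^Found (?P<ip>\S+)")
BAN_RE = re.compile(r"^(?:Restore )?Ban (?P<ip>\S+)")
UNBAN_RE = re.compile(r"^Unban (?P<ip>\S+)")


def parse_line(line):
    """Split one fail2ban.log line into its fields, or None if it is not one."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def leaking_bans(lines):
    """Return {(jail, ip): n}: n counts 'Found' events for ip while it is banned in jail.

    Bans are tracked per jail because the log and the firewall chain are
    per jail: an Unban in one jail does not end a ban in another.
    """
    banned = set()
    hits = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        jail, msg = rec["jail"], rec["msg"]
        m = BAN_RE.match(msg)
        if m:
            banned.add((jail, m["ip"]))
            continue
        m = UNBAN_RE.match(msg)
        if m:
            banned.discard((jail, m["ip"]))
            continue
        m = FOUND_RE.match(msg)
        if m and (jail, m["ip"]) in banned:
            hits[(jail, m["ip"])] += 1
    return dict(hits)


def report(lines):
    """Human-readable findings; an empty list means every ban held."""
    return [f"[{jail}] {ip}: found {n}x while banned, the action is not blocking it"
            for (jail, ip), n in sorted(leaking_bans(lines).items())]


# Constructed sample (documentation addresses): the apache-auth ban leaks,
# the sshd ban holds and its later Found comes only after the Unban.
SAMPLE_LOG = """\
2021-07-11 16:10:02,101 fail2ban.filter         [10710]: INFO    [apache-auth] Found 203.0.113.45 - 2021-07-11 16:10:01
2021-07-11 16:10:09,220 fail2ban.filter         [10710]: INFO    [apache-auth] Found 203.0.113.45 - 2021-07-11 16:10:09
2021-07-11 16:10:15,330 fail2ban.filter         [10710]: INFO    [apache-auth] Found 203.0.113.45 - 2021-07-11 16:10:15
2021-07-11 16:10:15,512 fail2ban.actions        [10710]: NOTICE  [apache-auth] Ban 203.0.113.45
2021-07-11 16:15:31,136 fail2ban.filter         [10710]: INFO    [apache-auth] Found 203.0.113.45 - 2021-07-11 16:15:31
2021-07-11 16:15:31,357 fail2ban.actions        [10710]: WARNING [apache-auth] 203.0.113.45 already banned
2021-07-11 16:20:03,002 fail2ban.filter         [10710]: INFO    [apache-auth] Found 203.0.113.45 - 2021-07-11 16:20:02
2021-07-11 16:20:03,240 fail2ban.actions        [10710]: WARNING [apache-auth] 203.0.113.45 already banned
2021-07-11 16:22:40,000 fail2ban.filter         [10710]: INFO    [sshd] Found 198.51.100.9 - 2021-07-11 16:22:39
2021-07-11 16:22:40,100 fail2ban.actions        [10710]: NOTICE  [sshd] Ban 198.51.100.9
2021-07-11 16:35:00,000 fail2ban.actions        [10710]: NOTICE  [sshd] Unban 198.51.100.9
2021-07-11 16:36:00,000 fail2ban.filter         [10710]: INFO    [sshd] Found 198.51.100.9 - 2021-07-11 16:35:59
"""

if __name__ == "__main__":
    for finding in report(SAMPLE_LOG.splitlines()) or ["no leaking bans"]:
        print(finding)
```

Run it against a real log with `report(open("/var/log/fail2ban.log").read().splitlines())`. A non-empty result points at the action side (wrong chain, missing port, a firewall manager overwriting the rules), not at the filter.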


Re: [Fail2ban-users] Getting CRITICAL error after 'unban'

2020-09-27 Thread Tom Hendrikx

On 26-09-2020 23:29, Chris Green wrote:

I have just installed fail2ban on a virtual server I run on Gandi
Internet in France.

The virtual server runs Ubuntu 8.04.5 LTS and I installed fail2ban
from the standard repositories, version 0.10.2-2.

I haven't changed the configuration at all, I just went with what 'apt
install fail2ban' did for me.

It seems to be working (I installed it because I'm seeing crazy
numbers of attempted ssh logins) but I'm getting CRITICAL errors when
it tries to unban someone.  As follows:-


2020-09-26 16:24:54,491 fail2ban.actions [1563]: NOTICE [sshd] Unban 51.68.44.154
2020-09-26 16:24:54,530 fail2ban.utils [1563]: Level 39 7f20226c35e0 -- exec: iptables -w -n -L INPUT | grep -q 'f2b-sshd[ \t]'
2020-09-26 16:24:54,531 fail2ban.utils [1563]: ERROR 7f20226c35e0 -- stderr: 'modprobe: FATAL: Module ip_tables not found in directory /lib/modules/3.10.107-xenU-36-37a7b05-x86_64'
2020-09-26 16:24:54,531 fail2ban.utils [1563]: ERROR 7f20226c35e0 -- stderr: "iptables v1.6.1: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)"
2020-09-26 16:24:54,531 fail2ban.utils [1563]: ERROR 7f20226c35e0 -- stderr: 'Perhaps iptables or your kernel needs to be upgraded.'
2020-09-26 16:24:54,531 fail2ban.utils [1563]: ERROR 7f20226c35e0 -- returned 1
2020-09-26 16:24:54,532 fail2ban.CommandAction [1563]: ERROR Invariant check failed. Trying to restore a sane environment
2020-09-26 16:24:54,576 fail2ban.utils [1563]: Level 39 7f20226c35e0 -- exec: iptables -w -n -L INPUT | grep -q 'f2b-sshd[ \t]'
2020-09-26 16:24:54,577 fail2ban.utils [1563]: ERROR 7f20226c35e0 -- stderr: 'modprobe: FATAL: Module ip_tables not found in directory /lib/modules/3.10.107-xenU-36-37a7b05-x86_64'
2020-09-26 16:24:54,577 fail2ban.utils [1563]: ERROR 7f20226c35e0 -- stderr: "iptables v1.6.1: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)"
2020-09-26 16:24:54,578 fail2ban.utils [1563]: ERROR 7f20226c35e0 -- stderr: 'Perhaps iptables or your kernel needs to be upgraded.'
2020-09-26 16:24:54,578 fail2ban.utils [1563]: ERROR 7f20226c35e0 -- returned 1
2020-09-26 16:24:54,578 fail2ban.CommandAction [1563]: CRITICAL Unable to restore environment
2020-09-26 16:24:54,578 fail2ban.actions [1563]: ERROR Failed to execute unban jail 'sshd' action 'iptables-multiport' info 'ActionInfo({'ip': '51.68.44.154', 'family': 'inet4', 'ip-rev': '154.44.68.51.', 'ip-host': '154.ip-51-68-44.eu', 'fid': '51.68.44.154', 'failures': 5, 'time': 1601129694.0,
'matches': 'Sep 26 16:06:35 isbdGandi sshd[3573]: Failed password for invalid user escaner from 51.68.44.154 port 55371 ssh2\nSep 26 16:14:54 isbdGandi sshd[3800]: Failed password for invalid user r00t from 51.68.44.154 port 38711 ssh2',
'restored': 0,
'F-*': {'matches': ['Sep 26 16:06:35 isbdGandi sshd[3573]: Failed password for invalid user escaner from 51.68.44.154 port 55371 ssh2', 'Sep 26 16:14:54 isbdGandi sshd[3800]: Failed password for invalid user r00t from 51.68.44.154 port 38711 ssh2'], 'failures': 5, 'mlfid': ' isbdGandi sshd[3573]: ', 'user': 'escaner', 'ip4': '51.68.44.154'},
'ipmatches': 'Sep 26 15:05:48 isbdGandi sshd[2730]: Failed password for invalid user rohit from 51.68.44.154 port 53114 ssh2\nSep 26 15:09:54 isbdGandi sshd[2813]: Failed password for invalid user esadmin from 51.68.44.154 port 58900 ssh2\nSep 26 15:17:47 isbdGandi sshd[2918]: Failed password for invalid user anonymous from 51.68.44.154 port 42243 ssh2\nSep 26 15:25:55 isbdGandi sshd[3030]: Failed password for invalid user tibero from 51.68.44.154 port 53972 ssh2\nSep 26 15:42:10 isbdGandi sshd[3270]: Failed password for invalid user admin from 51.68.44.154 port 48886 ssh2\nSep 26 15:46:16 isbdGandi sshd[3302]: Failed password for invalid user martin from 51.68.44.154 port 54672 ssh2\nSep 26 15:54:21 isbdGandi sshd[3408]: Failed password for invalid user jeff from 51.68.44.154 port 38013 ssh2\nSep 26 16:02:30 isbdGandi sshd[3506]: Failed password for invalid user user1 from 51.68.44.154 port 49586 ssh2\nSep 26 16:06:35 isbdGandi sshd[3573]: Failed password for invalid user escaner from 51.68.44.154 port 55371 ssh2\nSep 26 16:14:54 isbdGandi sshd[3800]: Failed password for invalid user r00t from 51.68.44.154 port 38711 ssh2',
'ipjailmatches': 'Sep 26 15:05:48 isbdGandi sshd[2730]: Failed password for invalid user rohit from 51.68.44.154 port 53114 ssh2\nSep 26 15:09:54 isbdGandi sshd[2813]: Failed password for invalid user esadmin from 51.68.44.154 port 58900 ssh2\nSep 26 15:17:47 isbdGandi sshd[2918]: Failed password for invalid user anonymous from 51.68.44.154 port 42243 ssh2\nSep 26 15:25:55 isbdGandi sshd[3030]: Failed password for invalid user tibero from 51.68.44.154 port 53972 ssh2\nSep 26 15:42:10 isbdGandi sshd[3270]: Failed password for invalid user admin

Re: [Fail2ban-users] recidive jail set, but IP still gets in

2020-07-08 Thread Tom Hendrikx

Hi Yassine,

The shorewall action does not ban on a per-jail basis, but puts all 
ip-addresses on a single blacklist, as that is how shorewall works.


In the original recidive implementation (which I wrote) it was 
especially mentioned that you shouldn't use the same jail action for the 
recidive jail as for the other jails just because of this: I used the 
shorewall jail too.


In short: don't use the 'shorewall' action, or use the 'iptables' action 
for the recidive jail (and 'shorewall' for the regular jails).


Kind regards,
Tom

On 07-07-2020 15:22, Yassine Chaouche wrote:

Thank you Peter, that was much appreciated.

Maybe the problem comes from the shorewall action I am using, which 
isn't as feature-rich as the iptables action. Compare :


root@messagerie[10.10.10.19] ~ # removeblanks /etc/fail2ban/action.d/iptables.conf
[INCLUDES]
before = iptables-blocktype.conf
[Definition]
actionstart = iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
              iptables -I <chain> -p <protocol> --dport <port> -j fail2ban-<name>
actionstop = iptables -D <chain> -p <protocol> --dport <port> -j fail2ban-<name>
             iptables -F fail2ban-<name>
             iptables -X fail2ban-<name>
actioncheck = iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype>
actionunban = iptables -D fail2ban-<name> -s <ip> -j <blocktype>
[Init]
name = default
port = ssh
protocol = tcp
chain = INPUT
root@messagerie[10.10.10.19] ~ # removeblanks /etc/fail2ban/action.d/shorewall.conf
[Definition]
actionstart =
actionstop =
actioncheck =
actionban = shorewall <blocktype> <ip>
actionunban = shorewall allow <ip>
[Init]
blocktype = reject
root@messagerie[10.10.10.19] ~ #


(removeblanks is just an alias)

root@messagerie[10.10.10.19] ~ # type removeblanks
removeblanks is aliased to `egrep -v '(^[[:space:]]*#|^$|^[[:space:]]*//)''
root@messagerie[10.10.10.19] ~ #

This explains why there are no fail2ban-* chains in iptables, everything 
seems to be done in the dynamic chain.


root@messagerie[10.10.10.19] ~ # iptables -vnL | grep fail
root@messagerie[10.10.10.19] ~ #


Yassine.

Le 2020-07-07 13:35, Peter Heirich a écrit :



Am 07.07.2020 um 13:32 schrieb Yassine Chaouche:


Let us examine what f2b logs for 185.143.72.27 say :

1. It is banned/unbanned by *postfix-sasl* 4 times

2. on the fifth occurrence, it is first banned by the *postfix-sasl* 
jail then by the *recidive* jail. Curiously, the *recidive* jail 
doesn't detect that it has already been banned before. Maybe because 
each ban is related to a jail. Since the *recidive* jail hasn't seen 
this IP before, it bans it.


3. After 10 minutes, the ban set by *postfix-sasl* expires, and that 
jail unbans the IP, cancelling the *recidive* jail ban ?




Don't worry!

No jail knows about another one.

The recidive jail only scans the log of fail2ban for "NOTICE [xx] Ban <ip>"


However, xx may not be "recidive", to prevent a loop. That's the 
(?!%(_jailname)s\]) part in the filter.


Because _jailname is defined as "recidive" some lines above, 
%(_jailname)s expands to recidive.


So finally (?!recidive\]) is used. That is a negative forward lookup: 
if "recidive]" is found, the whole regex fails.


All other Ban <ip>'s (note: not Restore Ban) are counted within the 
findtime window; if the count exceeds maxretry, the ip is banned within the 
recidive jail.



So, you are seeing right: the first ban is postfix-sasl (probably a wrong 
password for smtp), and a log entry is written for that. And this log entry 
triggers the recidive ban.


After the bantime of postfix-sasl ip is removed from posfix-sasl jail. 
But that doesn't mean to be removed from recidive jail.


However a faulty setup (one ip-set for all jails) can cause a 
malfunction, because the first unban removes the ip from the ipset.


Usually each jail has its own ipset or chain in iptables.

I, for myself, also found a problem with jailing an ip longer than 55h 
on my Centos 6 within ipset. Therefore I'm jailing recidive ip's within 
2 chains in iptables.


(2 chains: one for input, one for output; output to make life hard for 
a hacker who already started code on my system [maybe by 
stackoverflow]. In this case, maybe a "call-to-home" program should be 
prevented from calling home; OK, in reality there are 4 chains: 2 for IPv4 
and 2 for IPv6 of course)


Try the "ipset list" command if you run ipset-based jails, "iptables 
-vn -L" otherwise.


You should find some f2b- ipsets or chains in iptables, i.e. 
f2b-postfix-sasl and f2b-recidive too.


Peter











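Peter's description of the recidive filter (count "Ban" notices from every jail except recidive itself, skip "Restore Ban", and ban once maxretry such notices fall inside findtime) and Tom's point about per-jail chains versus shorewall's single blacklist can both be tried out offline. The block below is an added example for this thread; it is not fail2ban's filter.d/recidive.conf, but a Python re rendering of the same rule applied to constructed fail2ban.log lines. The `<HOST>` stand-in, jail names, addresses and timestamps are assumptions made for the example.

```python
"""What the recidive jail counts, modelled in Python re.

Added example; not fail2ban's own filter. Mirrors the rule described in
the thread: match "NOTICE [<jail>] Ban <ip>" from any jail other than
recidive (negative lookahead), ignore "Restore Ban" and "Unban", and ban a
host once it collects maxretry bans inside findtime.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

JAILNAME = "recidive"
# Stand-in for fail2ban's <HOST> expansion: IPv4 or a plain IPv6 literal.
# The real expansion also handles bracketed and IPv4-mapped forms.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3}|[0-9a-fA-F:]*:[0-9a-fA-F:]+)"
# "\[(?!recidive\])" is the loop guard: the jail name right after the
# bracket must not be recidive, otherwise recidive would feed itself.
FAILREGEX = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+\s+fail2ban\.actions\s*\[\d+\]:\s+"
    r"NOTICE\s+\[(?!" + re.escape(JAILNAME) + r"\])[^\]]+\]\s+Ban\s+" + HOST + r"\s*$"
)
# Any ban/unban notice, for tracking which jails still hold a host.
EVENT_RE = re.compile(r"^.*NOTICE\s+\[([^\]]+)\]\s+(Restore Ban|Ban|Unban)\s+(\S+)\s*$")


def ban_events(lines):
    """(timestamp, host) for every line the recidive failregex accepts."""
    events = []
    for line in lines:
        m = FAILREGEX.match(line)
        if m:
            events.append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["host"]))
    return events


def recidive_hits(lines, maxretry=5, findtime=timedelta(days=1)):
    """Hosts recidive would ban -> time of the ban that reaches maxretry within findtime."""
    per_host = defaultdict(list)
    for ts, host in ban_events(lines):
        per_host[host].append(ts)
    hits = {}
    for host, times in per_host.items():
        times.sort()
        for start in times:
            window = [t for t in times if start <= t <= start + findtime]
            if len(window) >= maxretry:
                hits[host] = window[maxretry - 1]
                break
    return hits


def jails_holding(lines, host):
    """Jails whose ban on `host` is still in force at the end of the log.

    Assumes per-jail chains (the iptables actions): an Unban in one jail
    leaves the other jails' bans alone. With one shared blacklist, as the
    shorewall action uses, the first Unban would clear them all.
    """
    active = set()
    for line in lines:
        m = EVENT_RE.match(line)
        if m and m.group(3) == host:
            (active.discard if m.group(2) == "Unban" else active.add)(m.group(1))
    return active


# Constructed sample: postfix-sasl bans one host five times (bantime 10 min),
# recidive fires on the fifth, a Restore Ban and an IPv6 ban are thrown in.
SAMPLE = """\
2020-07-07 08:00:00,000 fail2ban.actions        [812]: NOTICE  [postfix-sasl] Ban 198.51.100.23
2020-07-07 08:10:00,000 fail2ban.actions        [812]: NOTICE  [postfix-sasl] Unban 198.51.100.23
2020-07-07 08:12:00,000 fail2ban.actions        [812]: NOTICE  [postfix-sasl] Ban 198.51.100.23
2020-07-07 08:22:00,000 fail2ban.actions        [812]: NOTICE  [postfix-sasl] Unban 198.51.100.23
2020-07-07 08:25:00,000 fail2ban.actions        [812]: NOTICE  [postfix-sasl] Ban 198.51.100.23
2020-07-07 08:35:00,000 fail2ban.actions        [812]: NOTICE  [postfix-sasl] Unban 198.51.100.23
2020-07-07 08:40:00,000 fail2ban.actions        [812]: NOTICE  [sshd] Restore Ban 203.0.113.5
2020-07-07 08:41:00,000 fail2ban.actions        [812]: NOTICE  [postfix-sasl] Ban 198.51.100.23
2020-07-07 08:51:00,000 fail2ban.actions        [812]: NOTICE  [postfix-sasl] Unban 198.51.100.23
2020-07-07 08:55:00,000 fail2ban.actions        [812]: NOTICE  [postfix-sasl] Ban 198.51.100.23
2020-07-07 08:55:00,300 fail2ban.actions        [812]: NOTICE  [recidive] Ban 198.51.100.23
2020-07-07 09:00:00,000 fail2ban.actions        [812]: NOTICE  [sshd] Ban 2001:db8::1
2020-07-07 09:05:00,000 fail2ban.actions        [812]: NOTICE  [postfix-sasl] Unban 198.51.100.23
"""

if __name__ == "__main__":
    lines = SAMPLE.splitlines()
    print("counted bans:", ban_events(lines))
    print("recidive would ban:", recidive_hits(lines))
    print("still holding 198.51.100.23:", jails_holding(lines, "198.51.100.23"))
```

The recidive line itself and the Restore Ban are not counted, the five postfix-sasl bans are, and after the last postfix-sasl Unban only recidive still holds the host, which is the behaviour Yassine was wondering about.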


Re: [Fail2ban-users] Mail notifications not including whois info

2020-05-04 Thread Tom Hendrikx

Hi,

The whois binary from busybox is typically very simple, which explains 
the lack of features.


Normally, for an Ubuntu-based docker container, you could just add 'RUN 
apt-get install -Y whois' to the dockerfile, and you'd be done.


But from both the dockerfile and the website of linuxserver.io, I can't 
even make out which distro it is based on. So you'd better ask your 
question in a linuxserver.io related forum.


Kind regards,
Tom

On 02-05-2020 19:40, arsdale...@gmail.com wrote:

When I run:

sudo docker exec -it letsencrypt ls -la /usr/bin

This is what I get:

lrwxrwxrwx   1 root root  12 Mar 26 18:40  whois -> /bin/busybox

*From:* Tom Hendrikx 
*Sent:* Saturday, May 2, 2020 10:10 AM
*To:* fail2ban-users@lists.sourceforge.net
*Subject:* Re: [Fail2ban-users] Mail notifications not including whois info

Hi,

there are many different whois clients (it's a simple binary which can 
query various whois servers around the world). Not all whois clients 
support all features. It seems that (from your example) the whois client 
on your docker host supports querying by ip-address, but the whois 
binary inside the 'letsencrypt' docker container doesn't.


Maybe you can install a different whois package in the container, this 
depends on the distro the container was based on. My ubuntu 18.04 
desktop lists at least 3 commandline whois clients in the default 
repository.


Kind regards,

     Tom

On 02-05-2020 15:42, arsdale...@gmail.com wrote:


Hello,

I recently installed Fail2Ban along with nginx using the
linuxserver/letsencrypt docker.  I love it.  It has solved a long
term problem for me and made my network run much smoother.  I have
ironed out all my install problems but one, which has been driving
me crazy.

In jail.local, I use action = %(action_mwl)s as my default action
and after tailoring e-mail notification settings in
sendmail-whois-lines.local with

Fail2Ban" ) | /usr/sbin/sendmail -t -v -H 'exec openssl s_client
-quiet -tls1 -starttls smtp -connect smtp.gmail.com:587'
-aumyusername -apmyapppassword   it works great except for one
issue.

I believe the default action uses sendmail-whois-lines.conf

This is what I always get in the response:

[Querying whois.iana.org:43 '122.166.7.73'] [Querying
whois.iana.org:43 'domain 122.166.7.73'] [whois.iana.org] % IANA
WHOIS server % for more information on IANA, visit
http://www.iana.org % % Error: Invalid query domain 122.166.7.73

In an effort to figure things out, I have tried

 1. /usr/bin/whois 107.33.23.17 which is successful
 2. sudo docker exec -it letsencrypt whois google.com which is
successful
 3. sudo docker exec -it letsencrypt whois 122.166.7.73 which fails
with the above error message.

I am relatively new to docker, but here is my docker-compose:

version: "2"

services:
  letsencrypt: # https://github.com/linuxserver/docker-letsencrypt
    container_name: letsencrypt
    image: linuxserver/letsencrypt:latest
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
    volumes:
      - /home/user/docker/letsencrypt/config:/config
      - /etc/localtime:/etc/localtime:ro
    environment:
      - PGID=
      - PUID=
      - EMAIL=my_em...@gmail.com
      - URL=myduckdns.duckdns.org
      - SUBDOMAINS=wildcard
      - VALIDATION=duckdns
      - TZ=America/New_York
      - DUCKDNSTOKEN=myxduckdnsxtoken
    ports:
      - "80:80"
      - "443:443"

Any help would be greatly appreciated.

Thanks,

Dan














Re: [Fail2ban-users] Mail notifications not including whois info

2020-05-02 Thread Tom Hendrikx

Hi,

there are many different whois clients (it's a simple binary which can 
query various whois servers around the world). Not all whois clients 
support all features. It seems that (from your example) the whois client 
on your docker host supports querying by ip-address, but the whois 
binary inside the 'letsencrypt' docker container doesn't.


Maybe you can install a different whois package in the container, this 
depends on the distro the container was based on. My ubuntu 18.04 
desktop lists at least 3 commandline whois clients in the default 
repository.


Kind regards,

    Tom

On 02-05-2020 15:42, arsdale...@gmail.com wrote:


Hello,

I recently installed Fail2Ban along with nginx using the 
linuxserver/letsencrypt docker.  I love it.  It has solved a long term 
problem for me and made my network run much smoother.  I have ironed 
out all my install problems but one, which has been driving me crazy.


In jail.local, I use action = %(action_mwl)s as my default action and 
after tailoring e-mail notification settings in 
sendmail-whois-lines.local with


Fail2Ban" ) | /usr/sbin/sendmail -t -v -H 'exec openssl s_client 
-quiet -tls1 -starttls smtp -connect smtp.gmail.com:587' -aumyusername 
-apmyapppassword   it works great except for one issue.


I believe the default action uses sendmail-whois-lines.conf

This is what I always get in the response:

[Querying whois.iana.org:43 '122.166.7.73'] [Querying 
whois.iana.org:43 'domain 122.166.7.73'] [whois.iana.org] % IANA WHOIS 
server % for more information on IANA, visit http://www.iana.org % % 
Error: Invalid query domain 122.166.7.73


In an effort to figure things out, I have tried

 1. /usr/bin/whois 107.33.23.17 which is successful
 2. sudo docker exec -it letsencrypt whois google.com which is successful
 3. sudo docker exec -it letsencrypt whois 122.166.7.73 which fails
with the above error message.

I am relatively new to docker, but here is my docker-compose:

version: "2"

services:
  letsencrypt: # https://github.com/linuxserver/docker-letsencrypt
    container_name: letsencrypt
    image: linuxserver/letsencrypt:latest
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
    volumes:
      - /home/user/docker/letsencrypt/config:/config
      - /etc/localtime:/etc/localtime:ro
    environment:
      - PGID=
      - PUID=
      - EMAIL=my_em...@gmail.com
      - URL=myduckdns.duckdns.org
      - SUBDOMAINS=wildcard
      - VALIDATION=duckdns
      - TZ=America/New_York
      - DUCKDNSTOKEN=myxduckdnsxtoken
    ports:
      - "80:80"
      - "443:443"

Any help would be greatly appreciated.

Thanks,

Dan





Re: [Fail2ban-users] Block external ip address issue at fail2ban with docker & owncloud

2020-03-30 Thread Tom Hendrikx

Hi,

Please reply to the list only.

You're not showing the full iptables output. Changing the chain name 
should alter the place where the "f2b-owncloud" chain is linked into the 
default inputs of iptables; this is not visible in the "f2b-owncloud" 
chain itself. Show full iptables -L -n output, or show:


sudo iptables -L  INPUT
sudo iptables -L  FORWARD

Kind regards,

Tom

On 30-03-2020 06:37, SeaTigerIII wrote:

Hi Tom,

Thanks for your suggestion.

I had tried it at my end but it does not work.

It still cannot block any external ip address.

$ sudo iptables -L f2b-owncloud -n
Chain f2b-owncloud (1 references)
target prot opt source   destination
REJECT all  --  152.0.34.125  0.0.0.0/0reject-with
icmp-port-unreachable
RETURN all  --  0.0.0.0/00.0.0.0/0

I worried that it maybe iptables chain related problem per your
suggestion. I would take time to read iptables firstly.

Thank you for your hints.

Regards

Miss Poon



On Sun, Mar 29, 2020 at 10:29 AM Tom Hendrikx  wrote:


Hi,

Probably you need to use a different iptables chain to block the
requests to your docker instance. In
/etc/fail2ban/action.d/iptables-common.conf, the iptables chain that is
used is defined. By default this is "INPUT", but in your case this
should probably be changed to "FORWARD".

I'm unsure if this is due to the fact that your server is behind a
firewall and in a LAN, or because the traffic goes to a docker instance
(over the docker network stack) and not to a service directly running on
a port on the machine itself: I don't know anymore (sorry, it's been a
while since I had a setup similar to this).

Kind regards,

  Tom


On 29-03-2020 14:23, SeaTigerIII wrote:


Hi,

I have installed below at my home server and have issue to block
external connection to my owncloud (docker).

Below is my environment settings.

Ubuntu Server 18.0.4
Fail2Ban 0.10.2
Docker 19.03.8
ownCloud 10.3.2.2 (in docker)

I have setup fail2ban to check owncloud log file and detect failed login.
it can detect and ban ip address at fail2ban correctly.

If I use my internal ip address, it can block the owncloud access correctly.
However, if I use an external connection with an external ip address,
fail2ban can detect it and marks that external ip address to be blocked,
but it seems that iptables does not block it and goes on to allow access.

Below is my status result.

$ sudo fail2ban-client status owncloud
Status for the jail: owncloud
|- Filter
|  |- Currently failed: 1
|  |- Total failed: 45
|  `- File list:/home/ubuntu/owncloud/owncloud.log
`- Actions
 |- Currently banned: 3
 |- Total banned: 4
 `- Banned IP list:   152.0.158.112 152.0.153.189 192.168.1.20

I can see that it has already banned ip addresses 152.0.158.112,
152.0.153.189 & 192.168.1.20.

The device with ip address 192.168.1.20 is not able to access owncloud any more;
the devices with ip address 152.0.158.112 or 152.0.153.189 go on to
access owncloud.

Below is iptables chain list.

$ sudo iptables -L DOCKER-USER
Chain DOCKER-USER (1 references)
target prot opt source   destination
f2b-owncloud  tcp  --  anywhere anywhere
RETURN all  --  anywhere anywhere

$ sudo iptables -L f2b-owncloud
Chain f2b-owncloud (1 references)
target prot opt source   destination
REJECT all  --  192.168.1.20anywhere
reject-with icmp-port-unreachable
REJECT all  --  152.0.158.112  anywhere reject-with
icmp-port-unreachable
REJECT all  --  152.0.153.189  anywhere reject-with
icmp-port-unreachable
RETURN all  --  anywhere anywhere
RETURN all  --  anywhere anywhere
RETURN all  --  anywhere anywhere

Is there anything wrong with the iptables?

Actually, I have tried to add below rule direct at DOCKER-USER but
device with external ip address still able to access my owncloud.

$ sudo iptables -I DOCKER-USER -i eth0 -s 152.0.158.112 -j REJECT


Please advise.

Many Thanks

Miss Poon









--
Best Regards

SeaTigerIII
WeChat - seatiger...@gmail.com
Google Talk: seatiger...@gmail.com





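Tom's advice in this thread comes down to two questions about the firewall, not about the filter: from which chain is the jail's f2b-<name> chain reached (INPUT only sees traffic for services on the host itself; traffic to a published Docker port is forwarded and has to be caught in FORWARD or DOCKER-USER), and does the jump cover the right protocol and ports. A third, related question is whether every address `fail2ban-client status <jail>` lists as banned actually has a REJECT/DROP rule in that chain. The script below is an added example, not from the thread or from fail2ban: it audits those three points from `iptables -S` output (which a reader would capture with `sudo iptables -S`). The rule set, jail names and addresses it ships with are constructed.

```python
"""Audit where a fail2ban chain is hooked, which ports it covers, and
whether the banned addresses really have rules in it.

Added example; not fail2ban code. Input is `iptables -S` (iptables-save
style) text; the RULES constant below is a constructed stand-in for a
real capture.
"""
import shlex


def parse_rules(text):
    """Yield (chain, argv) for every '-A <chain> ...' rule in `iptables -S` output."""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("-A "):
            argv = shlex.split(line)
            yield argv[1], argv[2:]


def _opt(argv, *names):
    """Value following the first option in `names` present in argv, else None."""
    for i, tok in enumerate(argv[:-1]):
        if tok in names:
            return argv[i + 1]
    return None


def jump_points(rules_text, f2b_chain):
    """Rules that jump into f2b_chain: parent chain, protocol and destination ports."""
    hooks = []
    for parent, argv in parse_rules(rules_text):
        if _opt(argv, "-j") == f2b_chain:
            ports = _opt(argv, "--dports", "--dport") or ""
            hooks.append({"parent": parent, "proto": _opt(argv, "-p"),
                          "dports": set(ports.split(",")) - {""}})
    return hooks


def missing_rules(rules_text, f2b_chain, banned_ips):
    """Addresses fail2ban reports as banned that have no REJECT/DROP rule in the chain."""
    blocked = set()
    for parent, argv in parse_rules(rules_text):
        if parent == f2b_chain and _opt(argv, "-j") in ("REJECT", "DROP"):
            src = _opt(argv, "-s")
            if src:
                blocked.add(src.split("/")[0])   # strip the /32 iptables -S prints
    return sorted(set(banned_ips) - blocked)


def audit(rules_text, jail, banned_ips, want_ports, docker=False):
    """Findings for one jail; an empty list means the chain is wired as expected."""
    chain = "f2b-" + jail
    findings = []
    hooks = jump_points(rules_text, chain)
    if not hooks:
        findings.append(f"{chain} is not referenced from any chain: bans can never match")
    parents = {h["parent"] for h in hooks}
    if docker and hooks and not parents & {"FORWARD", "DOCKER-USER"}:
        findings.append(f"{chain} is hooked from {sorted(parents)} only; traffic to a "
                        "published Docker port passes FORWARD/DOCKER-USER, not INPUT")
    covered = set().union(*(h["dports"] for h in hooks))
    uncovered = set(map(str, want_ports)) - covered
    if uncovered:
        findings.append(f"ports not covered by the jump into {chain}: {sorted(uncovered)}")
    for ip in missing_rules(rules_text, chain, banned_ips):
        findings.append(f"{ip} is banned in fail2ban but has no REJECT/DROP rule in {chain}")
    return findings


# Constructed `iptables -S` capture: the apache jail only catches port 80 and
# is missing one banned address; the owncloud jail is hooked from INPUT
# although ownCloud runs in a container with published ports.
RULES = """\
-P INPUT ACCEPT
-P FORWARD DROP
-N DOCKER-USER
-N f2b-apache
-N f2b-owncloud
-A INPUT -p tcp -m multiport --dports 80 -j f2b-apache
-A INPUT -p tcp -m multiport --dports 80,443 -j f2b-owncloud
-A FORWARD -j DOCKER-USER
-A DOCKER-USER -j RETURN
-A f2b-apache -s 203.0.113.45/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-apache -j RETURN
-A f2b-owncloud -s 198.51.100.9/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-owncloud -j RETURN
"""

if __name__ == "__main__":
    for f in audit(RULES, "apache", ["203.0.113.45", "203.0.113.99"], [80, 443]):
        print("apache:", f)
    for f in audit(RULES, "owncloud", ["198.51.100.9"], [80, 443], docker=True):
        print("owncloud:", f)
```

Feed it the real capture and the "Banned IP list" line from `fail2ban-client status <jail>`; a finding about the parent chain is the case Tom describes, a finding about ports is the "blocked 80, forgot 443" case, and a missing-rule finding means the action command itself is failing.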


Re: [Fail2ban-users] Block external ip address issue at fail2ban with docker & owncloud

2020-03-29 Thread Tom Hendrikx

Hi,

Probably you need to use a different iptables chain to block the 
requests to your docker instance. In 
/etc/fail2ban/action.d/iptables-common.conf, the iptables chain that is 
used is defined. By default this is "INPUT", but in your case this 
should probably be changed to "FORWARD".


I'm unsure if this is due to the fact that your server is behind a 
firewall and in a LAN, or because the traffic goes to a docker instance 
(over the docker network stack) and not to a service directly running on 
a port on the machine itself: I don't know anymore (sorry, it's been a 
while since I had a setup similar to this).


Kind regards,

    Tom


On 29-03-2020 14:23, SeaTigerIII wrote:


Hi,

I have installed below at my home server and have issue to block
external connection to my owncloud (docker).

Below is my environment settings.

Ubuntu Server 18.0.4
Fail2Ban 0.10.2
Docker 19.03.8
ownCloud 10.3.2.2 (in docker)

I have setup fail2ban to check owncloud log file and detect failed login.
it can detect and ban ip address at fail2ban correctly.

If I use my internal ip address, it can block the owncloud access correctly.
However, if I use an external connection with an external ip address,
fail2ban can detect it and marks that external ip address to be blocked,
but it seems that iptables does not block it and goes on to allow access.

Below is my status result.

$ sudo fail2ban-client status owncloud
Status for the jail: owncloud
|- Filter
|  |- Currently failed: 1
|  |- Total failed: 45
|  `- File list:/home/ubuntu/owncloud/owncloud.log
`- Actions
|- Currently banned: 3
|- Total banned: 4
`- Banned IP list:   152.0.158.112 152.0.153.189 192.168.1.20

I can see that it has already banned ip addresses 152.0.158.112,
152.0.153.189 & 192.168.1.20.

The device with ip address 192.168.1.20 is not able to access owncloud any more;
the devices with ip address 152.0.158.112 or 152.0.153.189 go on to
access owncloud.

Below is iptables chain list.

$ sudo iptables -L DOCKER-USER
Chain DOCKER-USER (1 references)
target prot opt source   destination
f2b-owncloud  tcp  --  anywhere anywhere
RETURN all  --  anywhere anywhere

$ sudo iptables -L f2b-owncloud
Chain f2b-owncloud (1 references)
target prot opt source   destination
REJECT all  --  192.168.1.20anywhere
reject-with icmp-port-unreachable
REJECT all  --  152.0.158.112  anywhere reject-with
icmp-port-unreachable
REJECT all  --  152.0.153.189  anywhere reject-with
icmp-port-unreachable
RETURN all  --  anywhere anywhere
RETURN all  --  anywhere anywhere
RETURN all  --  anywhere anywhere

Is there anything wrong with the iptables?

Actually, I have tried to add below rule direct at DOCKER-USER but
device with external ip address still able to access my owncloud.

$ sudo iptables -I DOCKER-USER -i eth0 -s 152.0.158.112 -j REJECT


Please advise.

Many Thanks

Miss Poon







Re: [Fail2ban-users] details on updates?

2020-02-10 Thread Tom Hendrikx

Hi,

This is an open source project, so developer time is mostly put in by 
volunteers. They can only answer questions as time permits.


There is no reason to judge volunteers as "having a stuck up attitude" 
when they are just enjoying the weekend with their families (or any 
other pastime they might favour) just like you do. If you want a 
business-like response time to your questions, please buy a support 
subscription for your distribution of choice from a professional company 
such as Redhat (and see if they perform any better than this community).


Now, back to your question. Actual updates to the program code are 
available on github: https://github.com/fail2ban/fail2ban. In the 
repository is a file named "ChangeLog",  which summarizes changes. It 
works like this for almost any open-source project.


The moment when a distro updates a package is usually documented by the 
distro (as for the OP situation: EPEL package maintainers). I have no 
experience with RH-based distros and I'm not inclined to do your 
homework for you, so you'll need to find out yourself how and when EPEL 
packages are updated. Good luck.


Kind regards,
Tom

NB: I'm not a f2b developer, just someone who is annoyed with your 
expectations of the open source community.


On 09-02-2020 15:05, Wayne Sallee wrote:

Yes I agree, it would be nice to get updates on this list, as they happen.
It would also be nice if they would reply to the posts. But they seem to 
have a stuck up attitude.


Wayne Sallee
wa...@waynesallee.com
http://www.WayneSallee.com


 Original Message 
*Subject: *  [Fail2ban-users] details on updates?
*From: * Mike 
*To: * Fail2ban-users 
*CC: *
*Date: *  2020-2-7  09:15 AM

Is this mailing list in any way affiliated with the f2b dev team?

It would be nice to get notifications of changes and updates to the 
software as they happen.


For example, in the most recent update, a number of things seemed to 
change in the program code.  The name of the ipset groups for 
(retrieved for CentOS in the EPEL repository) as well as the log format.


It would be great to get more information on what's being altered.  If 
not here, where is the best source for that info?















Re: [Fail2ban-users] fail2ban and roundcubemail on centos 8

2019-12-29 Thread Tom Hendrikx

Hi,

Your fail regex does not extract an IP address or host from the log 
line, so fail2ban will not know which host to ban.


try :

failregex = IMAP Error: Login failed for .* against localhost from <HOST>\.

Kind regards,

    Tom

On 28-12-2019 15:48, Davide Perini wrote:

Hi all, guys.
Hope you are doing well on this holidays.

Is there someone who has fail2ban working on Centos 8 and roundcubemail?

My /var/log/roundcubemail/errors.log
looks like this
[28-Dec-2019 14:27:32 +]:  IMAP Error: Login failed for 
perini.davide against localhost from ::1. AUTHENTICATE PLAIN: 
Authentication failed. in 
/usr/share/roundcubemail/program/lib/Roundcube/rcube_imap.php on line 
200 (POST /webmail/?_task=login&_action=login)


my roundcube.conf looks like this

[Definition]
failregex = (.*) IMAP Error: Login failed for .* from
ignoreregex =


What is the problem?
Any idea?

Thanks







Re: [Fail2ban-users] Regex not working

2019-06-12 Thread Tom Hendrikx

On 11-06-19 23:09, James Moe via Fail2ban-users wrote:

fail2ban v0.10.3
linux v4.12.14-lp150.12.58-default x86_64

   The second regex (...Error Code=unknown...) below is not matching the
second example. fail2ban-regex was not helpful even with --verbosity=4;
it only matched the date pattern.
   The first regex matches without a problem.
   Does anyone see what the error is?


# Capture dictionary attacks
# 20:24:51.463 1 IMAP-151473([114.104.162.36]:54046) failed to open
ACCOUNT(russell_first_n...@businessmastery.us) for
[114.104.162.36]:54046->[192.168.69.246]:993. Error Code=account is not
available on this system

# 17:49:22.641 1 SMTPI-025271([45.13.36.34]) failed to open
ACCOUNT(dan...@sma-inc.us) for
[45.13.36.34]:24620->[192.168.69.246]:465. Error Code=unknown user account
#
failregex = ^.*\(\[<HOST>\]\:.*\).*?Error Code=account is not available.*$
            ^.*\(\[<HOST>\]\:.*\).*?Error Code=unknown user account*$

datepattern = %%H:%%M:%%S




The first failure line has ":" after the ip address, but the second 
line doesn't, and your regex requires the colon. Remove the requirement 
for the colon and you're good.


Kind regards,
Tom


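Both regex threads above (the roundcube filter of 2019-12-29 and the "Regex not working" thread of 2019-06-12) come down to the same two checks: does the failregex match the line at all, and does it capture a host via fail2ban's `<HOST>` placeholder, because whatever that placeholder captures is the address the action bans. The block below is an added example and not fail2ban's code (fail2ban-regex is the project's own tool for this): it strips the timestamp the way a datepattern would, expands `<HOST>` with a simplified stand-in for fail2ban's real expansion, and reports per line either "no match", "matched but no host", or the captured host. The log lines are taken from or modelled on the two threads; the date-stripping patterns, the `<HOST>` stand-in and the sample e-mail addresses are assumptions made for the example.

```python
"""Try a failregex against log lines the way fail2ban does, offline.

Added example; not fail2ban code. Shows the two failure modes from the
threads: a regex that matches but has no <HOST> (nothing to ban), and a
regex whose literal ':' is absent from some failure lines (no match).
"""
import re

# Simplified stand-in for fail2ban's <HOST> expansion: IPv4, IPv6 literal,
# or a hostname. The real expansion is more careful (bracketed/mapped IPv6).
HOST_RE = (r"(?P<host>\d{1,3}(?:\.\d{1,3}){3}"
           r"|[0-9a-fA-F:]*:[0-9a-fA-F:]+"
           r"|[\w\-.^_]*\w)")


def compile_failregex(failregex):
    """Expand <HOST> into a named 'host' group and compile, as fail2ban does."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def try_failregex(failregex, date_re, lines):
    """Per line: 'no match', 'matched but no host', or the host that would be banned.

    date_re plays the datepattern: the timestamp is cut out first and the
    failregex is searched in what remains.
    """
    rx = compile_failregex(failregex)
    results = []
    for line in lines:
        rest = re.sub(date_re, "", line, count=1)
        m = rx.search(rest)
        if not m:
            results.append("no match")
        elif not m.groupdict().get("host"):
            results.append("matched but no host")
        else:
            results.append(m["host"])
    return results


# --- roundcube thread: regex matches but extracts nothing -------------------
# First line modelled on the one posted (timezone assumed +0000); second is
# a constructed IPv4 failure in the same format.
ROUNDCUBE_LINES = [
    "[28-Dec-2019 14:27:32 +0000]:  IMAP Error: Login failed for perini.davide against "
    "localhost from ::1. AUTHENTICATE PLAIN: Authentication failed. in "
    "/usr/share/roundcubemail/program/lib/Roundcube/rcube_imap.php on line 200 "
    "(POST /webmail/?_task=login&_action=login)",
    "[28-Dec-2019 14:29:10 +0000]:  IMAP Error: Login failed for admin against "
    "localhost from 203.0.113.9. AUTHENTICATE PLAIN: Authentication failed. in "
    "/usr/share/roundcubemail/program/lib/Roundcube/rcube_imap.php on line 200 "
    "(POST /webmail/?_task=login&_action=login)",
]
ROUNDCUBE_DATE = r"\d\d-[A-Za-z]{3}-\d{4} \d\d:\d\d:\d\d [+-]\d{4}"
BROKEN_RC = r"(.*) IMAP Error: Login failed for .* from"                # no <HOST>
FIXED_RC = r"IMAP Error: Login failed for .* against localhost from <HOST>\."

# --- "Regex not working" thread: a literal ':' that only some lines have ---
# Lines from the post, with the account names replaced by example.org ones.
CG_LINES = [
    "20:24:51.463 1 IMAP-151473([114.104.162.36]:54046) failed to open "
    "ACCOUNT(russell@example.org) for [114.104.162.36]:54046->[192.168.69.246]:993. "
    "Error Code=account is not available on this system",
    "17:49:22.641 1 SMTPI-025271([45.13.36.34]) failed to open "
    "ACCOUNT(daniel@example.org) for [45.13.36.34]:24620->[192.168.69.246]:465. "
    "Error Code=unknown user account",
]
CG_DATE = r"^\d\d:\d\d:\d\d\.\d+\s+"
BROKEN_CG = r"^.*\(\[<HOST>\]\:.*\).*?Error Code=unknown user account.*$"   # ':' required
FIXED_CG = r"^.*\(\[<HOST>\]:?.*\).*?Error Code=unknown user account.*$"    # ':' optional

if __name__ == "__main__":
    print("roundcube, as posted:", try_failregex(BROKEN_RC, ROUNDCUBE_DATE, ROUNDCUBE_LINES))
    print("roundcube, with <HOST>:", try_failregex(FIXED_RC, ROUNDCUBE_DATE, ROUNDCUBE_LINES))
    print("communigate, colon required:", try_failregex(BROKEN_CG, CG_DATE, CG_LINES))
    print("communigate, colon optional:", try_failregex(FIXED_CG, CG_DATE, CG_LINES))
```

The first IMAP line is still "no match" for the unknown-user regex because its error code is a different one; that is the job of the other failregex in James's filter, not a defect.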


Re: [Fail2ban-users] fail2ban ban's being dropped/disappear without noticed

2019-05-22 Thread Tom Hendrikx

Hi,

The shorewall jail is just a command that tells the running shorewall 
instance to ban the ip address. Depending on the version of shorewall 
you're using, the ban might never be stored on disk. See 
http://shorewall.org/blacklisting_support.htm#idm43 for details.


If there is anything that applies changes to iptables outside of 
shorewall, that might cause the jail/ban to be removed also.


Kind regards,
Tom

On 22-05-19 12:12, Steven Barthen via Fail2ban-users wrote:

Hello

I'm using fail2ban with shorewall to get rid some nasty scanners.

As the amount is getting worse, I increased the time for my bans on SSHD 
to 7 days as I recently got 1400+ connections a day and I wanted it to stop.


But I experienced that even with that 7 days ban, they keep connecting 
every ~ 10min.

Still ending up with 30-40 connections per IP.

So I cleaned my jail.local and only kept default, sshd and the issues 
stay the same.

I'm using "shorewall" as banaction, and it works well for the most part.

I can use "shorewall show dynamic" to see all the IP that are banned 
ending up there.
BUT after some time, ~9min the ban just disappears from "shorewall show 
dynamic" list. And fail2ban doesn't show an "unban" event. Shortly 
after that the IP connects, is detected and banned again.


I manually added IP's to the shorewall banlist and I can say that they 
don't disappear the same way the fail2ban IP's do.


so for example this list with custom and fail2ban IP's

Chain dynamic (5 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       192.0.0.1            0.0.0.0/0
  316 18960 DROP       all  --  *      *       118.25.xxx.98        0.0.0.0/0
    0     0 DROP       all  --  *      *       134.119.xxx.37       0.0.0.0/0
    0     0 DROP       all  --  *      *       177.101.xxx.26       0.0.0.0/0
    0     0 DROP       all  --  *      *       182.162.xxx.185      0.0.0.0/0
    0     0 DROP       all  --  *      *       192.0.0.2            0.0.0.0/0



(manually added 192.0.0) will look like

Chain dynamic (5 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       192.0.0.1            0.0.0.0/0
    0     0 DROP       all  --  *      *       192.0.0.2            0.0.0.0/0
    0     0 DROP       all  --  *      *       118.25.xxx.98        0.0.0.0/0
    0     0 DROP       all  --  *      *       134.119.xxx.37       0.0.0.0/0
    0     0 DROP       all  --  *      *       177.101.xxx.26       0.0.0.0/0
    0     0 DROP       all  --  *      *       182.162.xxx.185      0.0.0.0/0


after some minutes and NO unban anywhere on the fail2ban-logs

So currently there are 125 IP's "banned" by fail2ban SSH but only ~30 
actually appear in the shorewall banlist.


my jail.local:

#
[DEFAULT]
bantime = 3600
banaction = shorewall
banaction_allports = shorewall
ignoreip = 127.0.0.1
maxretry = 3

[sshd]
enabled = true
port    = ssh
bantime = 423360
findtime = 3600
maxretry = 1
#

I'm using fail2ban-client version: 0.9.6

Any ideas what could cause the bans to disappear? I checked all 
logfiles for dropped IP's/bans but couldn't find anything...



Regards

Steven









Re: [Fail2ban-users] Odd Fail2ban email alert issue

2019-04-13 Thread Tom Hendrikx

On 12-04-19 15:33, David Shuman wrote:

Good morning,


I'm an amateur with Linux and have been toying around with a VPS for a 
few years now.  I've used Fail2ban to help protect it and have for many 
years.  I've never had this issue before, but now all my emails sent 
about blocks have the wrong hostname in the subject line.  Right now 
running the latest Ubuntu.



The issue: my domain name is abc.com, so before around early March I would 
see an email subject line similar to the below:



[Fail2Ban] sshd: banned xxx.xxx.xx.xxx from abc.com


*NOW*


[Fail2Ban] sshd: banned xxx.xxx.xx.xxx from *xyz.com*


This coincided with an apt-get update/upgrade I did around early March, 
which I believe updated my Fail2Ban as well.  I don't believe this 
changed my personalized settings; I checked and don't recall anything 
out of place.  Ironically enough, this only happens on my SSHD alerts; I 
just noticed that I have recent apache alerts that have the correct 
domain in the subject line.  I've searched the entire filesystem for 
xyz.com and can't find any trace of it in anything.  I've run Linux 
security scanners to check there's no malware/hack.  Just odd.



The next strange thing is I opened a ticket with my VPS host and they 
indicated they didn't see anything wrong as my headers were showing the 
correct hostname, and their info showed the correct hostname, but this 
new hostname that started showing up was the *HOSTNAME FROM THE CUSTOMER 
THAT WAS ON THE VPS BEFORE ME*




On my ubuntu 16.04 using fail2ban 0.9.3 from default packages, both the 
"mail-*" and "sendmail-*" actions use the value of 'uname -n' in the 
subject. It's hard to debug this without some more details.


Could you give us a bit more information?

- version of fail2ban
- which mail action are you using? How does it set the subject?
- output of the shell commands 'uname -n' and 'uname -a'
- output of the shell command 'hostname -f'
- the actual hostname you expect to see
- the actual hostname you are seeing in the email subjects

Kind regards,
Tom





Re: [Fail2ban-users] config to enable honeypot banning?

2019-03-04 Thread Tom Hendrikx

On 04-03-19 00:01, Mike wrote:


I am seeing various entries in my secure log like:

Mar  3 05:23:58 sd2 auth: pam_unix(dovecot:auth): authentication 
failure; logname= uid=0 euid=0 tty=dovecot 
ruser=svetlana37...@mydomain.com rhost=178.252.80.73


Mar  3 05:23:58 sd2 auth: pam_unix(dovecot:auth): authentication 
failure; logname= uid=0 euid=0 tty=dovecot ruser=webmas...@mydomain.com 
rhost=178.252.80.73


Mar  3 05:23:58 sd2 auth: pam_unix(dovecot:auth): authentication 
failure; logname= uid=0 euid=0 tty=dovecot ruser=i...@myotherdomain.com 
rhost=178.252.80.73


All of these are invalid attempts to probe IMAP/POP3 obviously.

What I want to do is create a set of rules that ban IPs based, after one 
try, on certain login credentials they're using for Dovecot.  The rules 
would follow these basic steps:


1.  Ban any failed POP3/IMAP login attempt using the name "svetlana" as 
prefix (I don't have anybody by that name on my server, and I can see a 
bot is adding extra numbers and random domains, presumably to probe for 
other vulnerabilities during login)


2.  Ban any instance of a login attempt of webmaster@(any domain) since 
any accounts like that are aliases and not actual mailboxes.


3.  Ban any instance of a login attempt of anyth...@specificdomain.com 
because that domain is either not mapped to this server, or has no 
IMAP/POP3 accounts associated with it.


Am I correct in assuming that in order to do this, I can do the 
following steps?


1.  copy filter.d/dovecot.conf to another name like 
filter.d/dovecot-honeypot.conf
2.  then make a copy of the [dovecot] configuration in jail.local but 
rename [dovecot] to [dovecot-honeypot] and tweak bantime appropriately
3.  modify filter.d/dovecot-honeypot.conf and make these the rules under 
failregex =:


^%(__prefix_line)s(?:%(__pam_auth)s(?:\(dovecot:auth\))?:)?\s+authentication 
failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=svetlana\S* 
rhost=(?:\s+user=\S*)?\s*$


^%(__prefix_line)s(?:%(__pam_auth)s(?:\(dovecot:auth\))?:)?\s+authentication 
failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=webmaster@\S* 
rhost=(?:\s+user=\S*)?\s*$


^%(__prefix_line)s(?:%(__pam_auth)s(?:\(dovecot:auth\))?:)?\s+authentication 
failure; logname=\S* uid=\S* euid=\S* tty=dovecot 
ruser=\S*@specificdomain.com rhost=(?:\s+user=\S*)?\s*$



Would this be the proper approach towards implementing this additional 
filter?




This list quickly grows in an unreadable mess, with a regex for each 
name. Since you're already using regexes, why don't you use something like:


^%(__prefix_line)s(?:%(__pam_auth)s(?:\(dovecot:auth\))?:)?\s+authentication 
failure; logname=\S* uid=\S* euid=\S* tty=dovecot 
ruser=(svetlana|webmaster|another)@\S* rhost=(?:\s+user=\S*)?\s*$


^%(__prefix_line)s(?:%(__pam_auth)s(?:\(dovecot:auth\))?:)?\s+authentication 
failure; logname=\S* uid=\S* euid=\S* tty=dovecot 
ruser=\S*@(specificdomain.com|example.org|anotherexample.com) 
rhost=(?:\s+user=\S*)?\s*$


I.e. one regex for all user parts before the @, and one other regex for 
all domains you want to block.



Am I leaving something out?

Is there anything else I need to consider?


You're talking about honeypot here, but most people think about a 
different kind of setup when they read 'honeypot setup', so be careful 
in your naming.




Thanks!

- Mike







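A small test harness, added here and not part of either thread's own configuration, that applies the failregexes discussed on this page to constructed sample lines the way fail2ban does (regexes tried in order per line, host taken from the <HOST> group). It covers the colon fix from the CommuniGate thread earlier on this page as well as the consolidated ruser/domain alternation suggested in this thread; the IPv4-only <HOST> stand-in, the simplified syslog prefix and the placeholder addresses, names and domains are assumptions.

```python
import re

# Stand-ins for what fail2ban substitutes before compiling a failregex. The real
# <HOST> pattern also covers IPv6 and hostnames; this IPv4-only version and the
# simplified syslog prefix are assumptions of this example, not fail2ban's code.
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
PREFIX_LINE = r"\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ \S+: "
PAM_AUTH = r"pam_unix"


def compile_failregex(pattern):
    """Expand the fail2ban-style tags used on this page and compile the regex."""
    pattern = pattern.replace("%(__prefix_line)s", PREFIX_LINE)
    pattern = pattern.replace("%(__pam_auth)s", PAM_AUTH)
    pattern = pattern.replace("<HOST>", HOST_RE)
    return re.compile(pattern)


def find_hosts(failregexes, lines):
    """Hosts taken from every line that some failregex matches, trying the
    regexes in order per line the way fail2ban does (first hit wins)."""
    compiled = [compile_failregex(p) for p in failregexes]
    hits = []
    for line in lines:
        for rx in compiled:
            m = rx.search(line)
            if m:
                hits.append(m.group("host"))
                break
    return hits


# Constructed CommuniGate-style lines modelled on the two quoted in the earlier
# thread: the IMAP line carries ":port" after the client address, SMTPI does not.
COMMUNIGATE_LINES = [
    "20:24:51.463 1 IMAP-151473([198.51.100.7]:54046) failed to open "
    "ACCOUNT(alice@example.invalid) for [198.51.100.7]:54046->[192.0.2.10]:993. "
    "Error Code=account is not available on this system",
    "17:49:22.641 1 SMTPI-025271([203.0.113.9]) failed to open "
    "ACCOUNT(bob@example.invalid) for [203.0.113.9]:24620->[192.0.2.10]:465. "
    "Error Code=unknown user account",
]

# As posted: the "\:" after the bracketed address is mandatory, so the SMTPI
# line can never match.
STRICT = [
    r"^.*\(\[<HOST>\]\:.*\).*?Error Code=account is not available.*$",
    r"^.*\(\[<HOST>\]\:.*\).*?Error Code=unknown user account.*$",
]
# The fix from that reply: stop requiring the colon (here: make ":port" optional).
FIXED = [
    r"^.*\(\[<HOST>\](?::\d+)?\).*?Error Code=account is not available.*$",
    r"^.*\(\[<HOST>\](?::\d+)?\).*?Error Code=unknown user account.*$",
]

# Constructed pam_unix/dovecot lines in the shape of the ones posted in this thread.
DOVECOT_LINES = [
    "Mar  3 05:23:58 sd2 auth: pam_unix(dovecot:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=dovecot ruser=svetlana37@example.invalid rhost=198.51.100.23",
    "Mar  3 05:23:58 sd2 auth: pam_unix(dovecot:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=dovecot ruser=webmaster@example.invalid rhost=198.51.100.23",
    "Mar  3 05:23:59 sd2 auth: pam_unix(dovecot:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=dovecot ruser=info@unmapped.invalid rhost=198.51.100.24",
    "Mar  3 05:24:01 sd2 auth: pam_unix(dovecot:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=dovecot ruser=alice@example.invalid rhost=198.51.100.25",
]

# One regex for the decoy user parts (svetlana\d* added here so the numbered
# variants from the log match too) and one for whole domains, as suggested above.
DECOY_REGEXES = [
    r"^%(__prefix_line)s(?:%(__pam_auth)s(?:\(dovecot:auth\))?:)?\s+authentication "
    r"failure; logname=\S* uid=\S* euid=\S* tty=dovecot "
    r"ruser=(svetlana\d*|webmaster)@\S* rhost=<HOST>(?:\s+user=\S*)?\s*$",
    r"^%(__prefix_line)s(?:%(__pam_auth)s(?:\(dovecot:auth\))?:)?\s+authentication "
    r"failure; logname=\S* uid=\S* euid=\S* tty=dovecot "
    r"ruser=\S*@(unmapped\.invalid|other\.invalid) rhost=<HOST>(?:\s+user=\S*)?\s*$",
]


if __name__ == "__main__":
    print("strict :", find_hosts(STRICT, COMMUNIGATE_LINES))       # IMAP host only
    print("fixed  :", find_hosts(FIXED, COMMUNIGATE_LINES))        # both hosts
    print("dovecot:", find_hosts(DECOY_REGEXES, DOVECOT_LINES))    # alice is not hit
```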


Re: [Fail2ban-users] IP's in recidive jail with bantime=-1 gets unbanned

2019-01-23 Thread Tom Hendrikx
On 23-01-19 20:05, Robert Kudyba wrote:
> Is there something wrong with our configuration? Why would any IP that
> gets permanently banned get unbanned? jail.local is below, logs showing
> unban and recidive is as follows. Is there some overlap in the findtime
> option?

The sshd jail bans and unbans according to your configuration.

Your logging shows that the recidive jail found 3 tries. Configuration for
the recidive jail says you want to allow 5 retries before banning, so
there is no ban yet for the recidive jail. Just like the logs tell you: no
bans and no unbans for the recidive jail (yet).

Maybe you misunderstand how the recidive jail is supposed to work? Or
you misread the logs?

Kind regards,
Tom



> 
> fail2ban-0.10.4-1.fc29.noarc>
> 2019-01-22 19:55:15,551 fail2ban.actions        [46998]: NOTICE  [sshd]
> Ban 218.92.1.156
> 2019-01-22 19:55:15,949 fail2ban.filter         [46998]: INFO   
> [recidive] Found 218.92.1.156 - 2019-01-22 19:55:15
> 2019-01-22 21:15:15,134 fail2ban.actions        [46998]: NOTICE  [sshd]
> Unban 218.92.1.156
> 2019-01-22 21:15:39,083 fail2ban.filter         [46998]: INFO   
> [pam-generic] Found 218.92.1.156 - 2019-01-22 21:15:39
> 2019-01-22 21:15:41,154 fail2ban.filter         [46998]: INFO    [sshd]
> Found 218.92.1.156 - 2019-01-22 21:15:40
> 2019-01-22 21:15:43,360 fail2ban.filter         [46998]: INFO    [sshd]
> Found 218.92.1.156 - 2019-01-22 21:15:42
> 2019-01-22 21:15:47,368 fail2ban.filter         [46998]: INFO    [sshd]
> Found 218.92.1.156 - 2019-01-22 21:15:46
> 2019-01-22 21:16:27,350 fail2ban.filter         [46998]: INFO   
> [pam-generic] Found 218.92.1.156 - 2019-01-22 21:16:26
> 2019-01-22 21:16:29,439 fail2ban.filter         [46998]: INFO    [sshd]
> Found 218.92.1.156 - 2019-01-22 21:16:28
> 2019-01-22 21:16:30,643 fail2ban.filter         [46998]: INFO    [sshd]
> Found 218.92.1.156 - 2019-01-22 21:16:30
> 2019-01-22 21:16:33,250 fail2ban.filter         [46998]: INFO    [sshd]
> Found 218.92.1.156 - 2019-01-22 21:16:32
> 2019-01-22 21:16:33,258 fail2ban.actions        [46998]: NOTICE  [sshd]
> Ban 218.92.1.156
> 2019-01-22 21:16:33,306 fail2ban.filter         [46998]: INFO   
> [recidive] Found 218.92.1.156 - 2019-01-22 21:16:33
> 2019-01-22 22:36:32,835 fail2ban.actions        [46998]: NOTICE  [sshd]
> Unban 218.92.1.156
> 2019-01-22 22:37:09,381 fail2ban.filter         [46998]: INFO   
> [pam-generic] Found 218.92.1.156 - 2019-01-22 22:37:08
> 2019-01-22 22:37:11,387 fail2ban.filter         [46998]: INFO    [sshd]
> Found 218.92.1.156 - 2019-01-22 22:37:10
> 2019-01-22 22:37:13,392 fail2ban.filter         [46998]: INFO    [sshd]
> Found 218.92.1.156 - 2019-01-22 22:37:12
> 2019-01-22 22:37:17,202 fail2ban.filter         [46998]: INFO    [sshd]
> Found 218.92.1.156 - 2019-01-22 22:37:16
> 2019-01-22 22:37:58,455 fail2ban.filter         [46998]: INFO   
> [pam-generic] Found 218.92.1.156 - 2019-01-22 22:37:57
> 2019-01-22 22:37:59,662 fail2ban.filter         [46998]: INFO    [sshd]
> Found 218.92.1.156 - 2019-01-22 22:37:59
> 2019-01-22 22:38:03,870 fail2ban.filter         [46998]: INFO    [sshd]
> Found 218.92.1.156 - 2019-01-22 22:38:03
> 2019-01-22 22:38:07,077 fail2ban.filter         [46998]: INFO    [sshd]
> Found 218.92.1.156 - 2019-01-22 22:38:06
> 2019-01-22 22:38:07,213 fail2ban.actions        [46998]: NOTICE  [sshd]
> Ban 218.92.1.156
> 2019-01-22 22:38:07,414 fail2ban.filter         [46998]: INFO   
> [recidive] Found 218.92.1.156 - 2019-01-22 22:38:07
> 2019-01-22 23:58:06,298 fail2ban.actions        [46998]: NOTICE  [sshd]
> Unban 218.92.1.156
> 
> jail.local
> [INCLUDES]
> #before = paths-distro.conf
> before = paths-fedora.conf
> 
> [DEFAULT]
> bantime = 4800
> sender = fail2ban
> destemail = root
> action = %(action_mwl)s
> ignoreip = 127.0.0.1 192.168.1.0/24 
> mta = sendmail
> maxretry = 6
> backend  = polling
> [sshd]
> enabled = true
> filter = sshd[mode=aggressive]
> port = ssh
> logpath  = /var/log/secure*
> backend  = polling
> #journalmatch =
> banaction = iptables-multiport
> action = %(action_)s
> 
> [pam-generic]
> enabled  = true
> # pam-generic filter can be customized to monitor specific subset of 'tty's
> filter   = pam-generic
> # port actually must be irrelevant but lets leave it all for some
> possible uses
> port     = all
> logpath  = /var/log/secure
> maxretry = 3
> backend  = polling
> 
> [sendmail-auth2]
> enabled  = true
> filter   = sendmail-auth2
> backend = polling
> action   = iptables-allports[name=sendmail-auth,port="smtp,smtps",
> protocol=tcp]
> logpath  = /var/log/maillog
> maxretry = 4
> 
> [recidive]
> enabled  = true
> filter   = recidive
> action   = iptables-allports[name=recidive]
>            sendmail-whois-lines[name=recidive, dest=root, sender=root,
> logpath=/var/log/fail2ban.log]
> bantime = -1
> #bantime  = 43200  ; 1 week
> findtime = 14400   ; 1 day
> maxretry = 5
> 
> 
> 
> 
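To make that counting concrete, here is an added example (not fail2ban's own code) that replays the recidive jail's findtime/maxretry logic over a constructed excerpt in the shape of the fail2ban.log lines quoted above: three sshd bans inside a 14400 s (four hour) window stay below maxretry = 5, so recidive never fires, while maxretry = 3 would ban on the third. The Ban-line regex is a simplified stand-in for the recidive filter, the addresses are documentation values, and resetting the counter after a ban is an approximation of fail2ban's behaviour.

```python
import re
from datetime import datetime

# Constructed excerpt in the shape of the fail2ban.log lines quoted above. The
# recidive filter only cares about the "NOTICE [jail] Ban <HOST>" lines of other
# jails; the Found/Unban lines are there to show they are ignored.
LOG = """\
2019-01-22 19:55:15,551 fail2ban.actions        [46998]: NOTICE  [sshd] Ban 203.0.113.5
2019-01-22 19:55:15,949 fail2ban.filter         [46998]: INFO    [recidive] Found 203.0.113.5 - 2019-01-22 19:55:15
2019-01-22 21:15:15,134 fail2ban.actions        [46998]: NOTICE  [sshd] Unban 203.0.113.5
2019-01-22 21:16:33,258 fail2ban.actions        [46998]: NOTICE  [sshd] Ban 203.0.113.5
2019-01-22 22:38:07,213 fail2ban.actions        [46998]: NOTICE  [sshd] Ban 203.0.113.5
2019-01-22 22:40:00,000 fail2ban.actions        [46998]: NOTICE  [sshd] Ban 198.51.100.9
"""

# Simplified stand-in for the recidive failregex (assumption of this example).
BAN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ \S+\s+\[\d+\]: "
    r"NOTICE\s+\[(?P<jail>[^\]]+)\] Ban (?P<host>\S+)$"
)


def parse_bans(text):
    """(timestamp, host) for every Ban line, in file order."""
    events = []
    for line in text.splitlines():
        m = BAN_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group("host")))
    return events


def recidive_bans(events, findtime, maxretry):
    """Replay the per-host counting: a host is banned once maxretry matches
    fall within findtime seconds of the newest one. Returns (timestamp, host)
    for each ban the recidive jail would issue."""
    recent = {}  # host -> timestamps of matches still inside the window
    bans = []
    for ts, host in sorted(events):
        window = [t for t in recent.get(host, []) if (ts - t).total_seconds() <= findtime]
        window.append(ts)
        if len(window) >= maxretry:
            bans.append((ts, host))
            window = []  # start counting afresh after a ban (approximation)
        recent[host] = window
    return bans


if __name__ == "__main__":
    events = parse_bans(LOG)
    print("findtime=14400 maxretry=5:", recidive_bans(events, 14400, 5))  # []
    print("findtime=14400 maxretry=3:", recidive_bans(events, 14400, 3))  # one ban
```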

Re: [Fail2ban-users] Filter DNS DoS with Fail2Ban

2018-12-08 Thread Tom Hendrikx
On 07-12-18 15:15, James Bellegarde wrote:
> Hello,
> 
> Actually, I'm looking for a way to configure dnsmasq against DNS DoS
> attack.
> 
> Fail2ban is one of the must famous service that provide this type of
> filter but only for BIND services. Is there a filter working with the
> dnsmasq's logs ?
> 
> Looking forward to hearing from you.
> 

Please post some logs from such an attack and we might be able to help
you. F2b can support many services by just adding configuration, but we
need to see the logging first.

BTW I think it's weird your dnsmasq is suffering from a DOS, as dnsmasq
is not a service you'd expose to the public internet, but only to your LAN.

Kind regards,

Tom








Re: [Fail2ban-users] jail for sendmail greylisting?

2018-11-07 Thread Tom Hendrikx
Hi,

That is not a good idea, maybe you don't understand greylisting?

When a new host connects and tries to deliver a message, the host is
greylisted and told to return some time later. MTAs don't understand the
actual time that is communicated, they just try again later based on
their own configuration.

When a greylisted host returns too soon, it is still blocked by the
greylisting milter, and told to come back later. You could in theory try
to apply f2b to the logs and block hosts at the firewall level that
retry too soon too often, but they are already being blocked by the
greylisting milter, so why bother?

Using f2b, you could potentially block a bona fide server with settings
that are a bit too enthusiastic, but you don't win anything when you
block a spammer (because it is already being blocked).

Kind regards,
Tom


On 06-11-18 20:57, Robert Kudyba wrote:
> Is there a jail that would cover logs like these from /var/log/maillog?
> 
> Nov  6 06:31:03 dsm milter-greylist[852]: wA6BUrNX018110: addr =
> apn-151-0-76-15.vodafone.hu
> [151.0.76.15], from =
> <*u...@ourdomain.edu *>, rcpt =
> <*u...@ourdomain.edu *>
> Nov  6 06:31:03 dsm milter-greylist[852]: Mail from=<*u...@ourdomain.edu
> *>, rcpt=<*u...@ourdomain.edu
> *>, addr=apn-151-0-76-15.vodafone.hu
> [151.0.76.15] is matched by entry
> racl 131 continue from_re /.*/ [addheader "X-Greylist: inspected by %V
> for IP:'%i' DOMAIN:'%d' HELO:'%h' FROM:'%f' RCPT:'%r'"]
> Nov  6 06:31:03 dsm milter-greylist[852]: Mail from=<*u...@ourdomain.edu
> *>, rcpt=<*u...@ourdomain.edu
> *>, addr=apn-151-0-76-15.vodafone.hu
> [151.0.76.15] is matched by entry
> racl 146 greylist [maxpeek -1] default
> Nov  6 06:31:03 dsm milter-greylist[852]: created:  151.0.76.15 from
> <*u...@ourdomain.edu *> to
> <*u...@ourdomain.edu *> delayed for 00:30:00
> Nov  6 06:31:03 dsm milter-greylist[852]: wA6BUrNX018110: addr
> apn-151-0-76-15.vodafone.hu
> [151.0.76.15] from
> <*u...@ourdomain.edu *> to
> <*u...@ourdomain.edu *> delayed for 00:30:00
> (ACL 146)
> Nov  6 06:31:03 dsm sendmail[18110]: wA6BUrNX018110: Milter:
> to=<*u...@ourdomain.edu *>, reject=451 4.7.1
> Greylisting in action, please come back later
> Nov  6 06:31:04 dsm sendmail[18110]: wA6BUrNX018110:
> from=<*u...@ourdomain.edu *>, size=0,
> class=0, nrcpts=0, proto=ESMTP, daemon=MTA,
> relay=apn-151-0-76-15.vodafone.hu 
> [151.0.76.15]
> Nov  6 06:31:04 dsm milter-greylist[852]: (local): 58.175.243.70 from
> <*u...@ourdomain.edu *> to
> <*u...@ourdomain.edu *>: greylisted entry
> timed out
> Nov  6 06:31:19 dsm milter-greylist[852]: wA6BV9tS018148: addr =
> apn-151-0-76-15.vodafone.hu
> [151.0.76.15], from =
> <*u...@ourdomain.edu *>, rcpt =
> <*u...@ourdomain.edu *>
> Nov  6 06:31:19 dsm milter-greylist[852]: Mail from=<*u...@ourdomain.edu
> *>, rcpt=<*u...@ourdomain.edu
> *>, addr=apn-151-0-76-15.vodafone.hu
> [151.0.76.15] is matched by entry
> racl 131 continue from_re /.*/ [addheader "X-Greylist: inspected by %V
> for IP:'%i' DOMAIN:'%d' HELO:'%h' FROM:'%f' RCPT:'%r'"]
> Nov  6 06:31:19 dsm milter-greylist[852]: Mail from=<*u...@ourdomain.edu
> *>, rcpt=<*u...@ourdomain.edu
> *>, addr=apn-151-0-76-15.vodafone.hu
> [151.0.76.15] is matched by entry
> racl 146 greylist [maxpeek -1] default
> Nov  6 06:31:19 dsm milter-greylist[852]: wA6BV9tS018148: addr
> apn-151-0-76-15.vodafone.hu
> [151.0.76.15] from
> <*u...@ourdomain.edu *> to
> <*u...@ourdomain.edu *> delayed for 00:29:44
> (ACL 146)
> Nov  6 06:31:19 dsm sendmail[18148]: wA6BV9tS018148: Milter:
> to=<*u...@ourdomain.edu *>, reject=451 4.7.1
> Greylisting in action, please come back later
> Nov  6 06:31:20 dsm sendmail[18148]: wA6BV9tS018148:
> from=<*u...@ourdomain.edu *>, size=0,
> class=0, nrcpts=0, proto=ESMTP, daemon=MTA,
> relay=apn-151-0-76-15.vodafone.hu 
> [151.0.76.15]
> Nov  6 06:31:30 dsm milter-greylist[852]: wA6BVKfk018169: addr =
> apn-151-0-76-15.vodafone.hu
> [151.0.76.15], from =
> <*u...@ourdomain.edu

Re: [Fail2ban-users] fail2ban + geoip ?

2018-10-13 Thread Tom Hendrikx
On 13-10-18 01:56, Mark Costlow wrote:
> I have a jail which blocks IPs if they fail too many auth to our
> mail servers.  I want to add a separate jail which does the same
> but with more aggressive thresholds (like maxretry=2 instead of
> maxretry=10) but only if the IP is from outside our country (or
> maybe some other factors too).
> 
> I think I have found the "common hack" that several people are using
> to do this: insert geoiplookup in the "actionban" so that the
> firewall only gets modified if the IP meets the geographic criteria
> you have set.
> 
> For example:
> https://munkjensen.net/wiki/index.php/Access_control_using_Fail2Ban_and_geoip
> 
> This seems like it will work OK, but it will leave the fail2ban
> state and the firewall state out of sync with each other (fail2ban
> will report some IPs are banned which are not in fact being blocked).
> 
> Am I silly to be concerned about this?  Has anyone thought of a way
> around it?
> 
> I think a more natural place for this would be a dynamic whitelist in
> the filter, instead of pushing it to the banaction.  I don't think that
> is possible in current fail2ban though. And if you were going to go
> to that much trouble, perhaps it would be better to just add a geoip
> support to the whitelist instead of a generic dynamic whitelist facility.
> 
> Thanks,
> 
> Mark
> 

From jail.conf man page (0.9.3):

ignorecommand

command that is executed to determine if the current candidate IP for
banning should not be banned. IP will not be banned if command returns
successfully (exit code 0). Like ACTION FILES, tags like <ip> can be
included in the ignorecommand value and will be substituted before
execution. Currently only <ip> is supported however more will be added
later.

Seems that this is created just for your needs, no hacks required.

Kind regards,

Tom





Re: [Fail2ban-users] recidive filter ignores ignoreregex?

2018-08-02 Thread Tom Hendrikx
Hi Michael,

Please show your actual config, both .conf and .local.

The 'ignoreregex' is supposed to be a regular expression that ignores
log lines. When you want to ignore specific ip addresses, you should set
'ignoreip'.

Kind regards,

Tom


On 03-08-18 00:57, Michael Fox wrote:
> Any ideas?
> 
> Michael
> 
> 
>> -Original Message-
>> From: Michael Fox 
>> Sent: Wednesday, August 1, 2018 7:14 PM
>> To: Fail2Ban-Users Distribution List > us...@lists.sourceforge.net>
>> Subject: [Fail2ban-users] recidive filter ignores ignoreregex?
>>
>> I'm trying to configure an ignoreregex in the recidive.local filter to
>> ignore some IPs.  But the ignoreregex in recidive seems to be ... ignored.
>>
>> When I try:
>>   fail2ban-regex /var/log/fail2ban.log
>> /etc/fail2ban/filter.d/recidive.local
>> /etc/fail2ban/filter.d/recidive.local
>>
>> ... it appears to work correctly.  Namely, failregex = 0 and ignoreregex
>> shows
>> all of the matches that I configured.
>>
>> But, when I restart fail2ban, the ignored IPs are banned by recidive
>> anyway.
>>
>> ignoreregex works in other .local files.  But I can't get it to
>> work
>> in recidive.local.
>>
>> Ideas?
>>
>> Thanks,
>> Michael
>>
> 
> 
> 



Re: [Fail2ban-users] Stuck here

2018-03-30 Thread Tom Hendrikx


On 30-03-18 09:54, Tom Hendrikx wrote:
> 
> 
> On 29-03-18 20:54, Ben Coleman wrote:
>> On 3/29/2018 5:35 AM, Jaydeep Zala wrote:
>>> Hello guys,
>>> How can I whitelist my IP's dynamically, means from SQL query..?
>>> anyone have an idea about this?
>>
>> I think you'd have to generate a local .conf file (perhaps in jail.d)
>> that contains an ignore-id setting with all of the IP's you'd like to
>> whitelist, then have fail2ban reload.  I've taken a similar approach to
>> configuring the addresses that nagios-nrpe will accept queries from (in
>> my case, the nagios server was sitting behind a dynamic home connection).
>>
> 
> The problem here might be that every time your whitelist changes, you
> have to reload fail2ban to get the new entries into fail2ban.
> 

Replying to myself here, but you could probably work around this by
creating an ignorecommand that queries your database directly. I
couldn't find a lot of documentation on that feature, but there's one
implementation available at
https://github.com/fail2ban/fail2ban/tree/0.11/config/filter.d/ignorecommands

Kind regards,

Tom

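As a concrete shape for such an ignorecommand, an added example (not from the fail2ban repository) that answers the "whitelist from an SQL query" question without a reload: fail2ban runs it with the candidate address substituted for <ip>, as the jail.conf text quoted in the geoip thread above describes, and exit status 0 suppresses the ban. The script path, the SQLite table layout and the sample rows are assumptions.

```python
#!/usr/bin/env python3
"""Hypothetical ignorecommand for fail2ban: exit 0 (do not ban) when the
candidate IP is covered by an allowlist kept in a SQLite table, exit 1 otherwise.

Wire it into a jail as (script path is a placeholder):

    ignorecommand = /usr/local/sbin/f2b-allowlist.py <ip>
"""
import ipaddress
import sqlite3
import sys

DB_PATH = "/var/lib/fail2ban/allowlist.sqlite"  # placeholder location


def init_schema(conn):
    """Create the allowlist table; 'cidr' holds single addresses or networks."""
    conn.execute(
        "CREATE TABLE IF NOT EXISTS allowlist (cidr TEXT PRIMARY KEY, note TEXT)"
    )


def is_allowlisted(conn, candidate):
    """True if candidate lies inside any stored address or network.

    Containment is checked in Python because SQLite cannot do CIDR matching;
    an allowlist is small, so scanning every row is fine.
    """
    try:
        ip = ipaddress.ip_address(candidate.strip())
    except ValueError:
        return False  # fail closed: an unparsable value never suppresses a ban
    for (cidr,) in conn.execute("SELECT cidr FROM allowlist"):
        try:
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            continue  # a malformed row must not break the decision
        if ip.version == net.version and ip in net:
            return True
    return False


def decide(conn, candidate):
    """Exit status fail2ban expects: 0 suppresses the ban, 1 lets it proceed."""
    return 0 if is_allowlisted(conn, candidate) else 1


def demo_connection():
    """Constructed in-memory allowlist standing in for the real database."""
    conn = sqlite3.connect(":memory:")
    init_schema(conn)
    conn.executemany(
        "INSERT INTO allowlist VALUES (?, ?)",
        [("192.0.2.0/24", "office"), ("2001:db8::10", "monitoring host"),
         ("not-a-network", "bad row")],
    )
    return conn


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: f2b-allowlist.py <ip>")
    sys.exit(decide(sqlite3.connect(DB_PATH), sys.argv[1]))
```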


Re: [Fail2ban-users] Stuck here

2018-03-30 Thread Tom Hendrikx


On 29-03-18 20:54, Ben Coleman wrote:
> On 3/29/2018 5:35 AM, Jaydeep Zala wrote:
>> Hello guys,
>> How can I whitelist my IP's dynamically, means from SQL query..?
>> anyone have an idea about this?
> 
> I think you'd have to generate a local .conf file (perhaps in jail.d)
> that contains an ignore-id setting with all of the IP's you'd like to
> whitelist, then have fail2ban reload.  I've taken a similar approach to
> configuring the addresses that nagios-nrpe will accept queries from (in
> my case, the nagios server was sitting behind a dynamic home connection).
> 

The problem here might be that every time your whitelist changes, you
have to reload fail2ban to get the new entries into fail2ban.

Kind regards,
Tom



Re: [Fail2ban-users] dovecot and postfix jail with extra SSL logging

2018-03-13 Thread Tom Hendrikx
Hi,

Please keep replies on-list, don't e-mail me privately.

Can you post:
- OS version you're running
- fail2ban version you're running
- contents of the /etc/fail2ban/filter.d/dovecot.conf file, so we can
extend the current regex

For nginx, please create a new thread and supply the same information,
along with some sample log lines.

Kind regards,

Tom


On 12-03-18 21:03, Sophie Loewenthal wrote:
> Hi,  Thanks for the fail2ban-regex checker. I checked nginx and this also 
> seemed not to work.  Again I have the ciphers listed when they connect.
> 
> 
> 
>  NGINX *
> # fail2ban-regex mx10.example.co.uk_access.log '^<HOST> \- \S+ \[\] 
> \"(GET|POST|HEAD) \/ \S+\" 404 .+$'
> Running tests
> =
> Use   failregex line : ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) \/ \S...
> Use log file : mx10.example.co.uk_access.log
> Use encoding : UTF-8
> 
> Results
> ===
> Failregex: 0 total
> Ignoreregex: 0 total
> Date template hits:
> |- [# of hits] date format
> |  [10] Day(?P<_sep>[-/])MON(?P=_sep)Year[ 
> :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
> `-
> 
> Lines: 10 lines, 0 ignored, 0 matched, 10 missed
> [processed in 0.00 sec]
> 
> |- Missed line(s):
> |  207.46.13.127 - - [12/Mar/2018:11:52:42 +] 
> TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384 "GET / HTTP/1.1" 302 5 "-" "Mozilla/5.0 
> (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
> |  184.105.247.194 - - [12/Mar/2018:14:25:42 +] 
> TLSv1.2/ECDHE-RSA-AES128-GCM-SHA256 "GET / HTTP/1.1" 302 5 "-" "-"
> |  183.129.160.229 - - [12/Mar/2018:15:21:21 +] 
> TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384 "GET 
> /farm/libs/modules/tween/tween.min.js HTTP/1.1" 404 162 "-" "Mozilla/5.0 
> (Macintosh; Intel Mac OS X 10.11; rv:47.0) Gecko/20100101 Firefox/47.0"
> |  207.46.13.104 - - [12/Mar/2018:15:48:45 +] 
> TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384 "GET / HTTP/1.1" 302 5 "-" "Mozilla/5.0 
> (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
> |  207.46.13.127 - - [12/Mar/2018:16:15:41 +] 
> TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384 "GET / HTTP/1.1" 302 5 "-" "Mozilla/5.0 
> (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
> |  66.249.75.148 - - [12/Mar/2018:16:37:47 +] 
> TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384 "GET /robots.txt HTTP/1.1" 404 162 "-" 
> "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
> |  66.249.75.144 - - [12/Mar/2018:16:37:47 +] 
> TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384 "GET /ads.txt HTTP/1.1" 404 162 "-" 
> "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
> |  207.46.13.45 - - [12/Mar/2018:19:01:28 +] 
> TLSv1.2/DHE-RSA-AES256-GCM-SHA384 "GET /robots.txt HTTP/1.1" 404 162 "-" 
> "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
> |  207.46.13.45 - - [12/Mar/2018:19:01:29 +] 
> TLSv1.2/DHE-RSA-AES256-GCM-SHA384 "GET /robots.txt HTTP/1.1" 404 162 "-" 
> "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
> |  40.77.167.54 - - [12/Mar/2018:19:01:34 +] 
> TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384 "GET / HTTP/1.1" 302 5 "-" "Mozilla/5.0 
> (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
> `-
> 
> 
> 
> 
> 
> * DOVECOT **
> # fail2ban-regex /var/log/mail.log '^%(__prefix_line)s(?:pop3|imap)-login: 
> (?:Info: )?(?:Aborted login|Disconnected)(?::(?: [^ \(]+)+)? \((?:auth 
> failed, \d+ attempts( in \d+ secs)?|tried to use (disabled|disallowed) \S+ 
> auth)\):( user=<[^>]+>,)?( method=\S+,)? rip=<HOST>(?:, lip=\S+)?(?:, TLS(?: 
> handshaking(?:: SSL_accept\(\) failed: error:[\dA-F]+:SSL 
> routines:[TLS\d]+_GET_CLIENT_HELLO:unknown protocol)?)?(: Disconnected)?)?(, 
> session=<\S+>)?\s*$'
> 
> Running tests
> =
> Use   failregex line : ^%(__prefix_line)s(?:pop3|imap)-login: (?:Info: )?...
> Use log file : /var/log/mail.log
> Use encoding : UTF-8
> 
> Results
> ===
> Failregex: 0 total
> Ignoreregex: 0 total
> Date template hits:
> |- [# of hits] date format
> |  [3014] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
> `-
> 
> Lines: 3014 lines, 0 ignored, 0 matched, 3014 missed
> [processed in 0.38 sec]
> Missed line(s): too many to print.  Use --print-all-missed to print all 3014 
> lines
> 
> 
> 
> best,
> Sophie 
> 
> 
> 
> 
> 
>>

Re: [Fail2ban-users] dovecot and postfix jail with extra SSL logging

2018-03-12 Thread Tom Hendrikx
Hi,


You can test this using the fail2ban-regex tool. When I use one of your
example lines, it doesn't match on my setup (ubuntu 16.04, fail2ban
0.9.3). The similar log line from my own setup does match:

Feb 19 03:02:33 alison dovecot: imap-login: Disconnected (auth failed, 1
attempts in 7 secs): user=, method=PLAIN,
rip=127.0.0.1, lip=127.0.0.1, TLS, session=

The latest config file for dovecot in github is completely different
from the one I'm using, but also lacks support for this AFAICS.

I guess we could come up with a regex that would support your log lines too.

Kind regards,
Tom

On 12-03-18 10:02, Sophie Loewenthal wrote:
> Hi, 
> 
> Sorry for the delay. Flu.
> 
> Will fail2ban act on these example lines below with the extra cipher details?
> 
> I know the lines below would not trigger actions because there are not enough 
> failures in the log. Normally dovecot does not have the TLS/cipher part 
> logged. Will the regexes still match correctly?
> 
> 
> Mar 11 08:52:04 mx10 dovecot: imap-login: Disconnected (auth failed, 1 
> attempts in 2 secs): hid...@example.co.uk>, method=PLAIN, rip=125.69.11.254, 
> lip=10.1.1.100, TLS: Disconnected, TLSv1 with cipher DHE-RSA-AES256-SHA 
> (256/256 bits)
> Mar 11 10:18:24 mx10 dovecot: imap-login: Disconnected (auth failed, 1 
> attempts in 2 secs): ju...@example.co.uk>, method=PLAIN, rip=37.59.8.29, 
> lip=10.1.1.100, TLS: Disconnected, TLSv1 with cipher ECDHE-RSA-AES256-SHA 
> (256/256 bits)
> Mar 11 11:48:04 mx10 dovecot: imap-login: Disconnected (auth failed, 1 
> attempts in 2 secs): neoc...@example.co.uk>, method=PLAIN, rip=178.216.98.75, 
> lip=10.1.1.100, TLS: Disconnected, TLSv1 with cipher ECDHE-RSA-AES256-SHA 
> (256/256 bits)
> Mar 11 13:37:39 mx10 dovecot: imap-login: Aborted login (auth failed, 4 
> attempts in 26 secs): junk4>, method=PLAIN, rip=71.213.169.18, 
> lip=10.1.1.100, TLS, TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
> Mar 11 13:37:40 mx10 dovecot: imap-login: Aborted login (auth failed, 4 
> attempts in 26 secs): junk4>, method=PLAIN, rip=187.67.197.100, 
> lip=10.1.1.100, TLS, TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
> Mar 11 22:35:24 mx10 dovecot: imap-login: Disconnected (auth failed, 1 
> attempts in 2 secs): hid...@example.co.uk>, method=PLAIN, rip=182.100.218.83, 
> lip=10.1.1.100, TLS, TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
> 
> 
> The jails are enabled in the config. I’ve not seen a match for 3 months since 
> I installed the server.
> [dovecot]
> port= imap,imaps,sieve
> logpath = %(dovecot_log)s
> backend = %(dovecot_backend)s
> 
> [sieve]
> port   = smtp,465,submission
> logpath = %(dovecot_log)s
> backend = %(dovecot_backend)s
> 
> 
> 
> 
>> On 6 Mar 2018, at 10:50, Tom Hendrikx  wrote:
>>
>>
>>
>> On 06-03-18 08:59, Sophie Loewenthal wrote:
>>> Morning, 
>>>
>>> My logging from postfix and dovecot is in this format:
>>>
>>> Mar  6 07:49:45 mx dovecot: imap-login: Login: sop...@example.com>, 
>>> method=PLAIN, rip=94.19.2.3, lip=1.31.1.3, mpid=10655, TLS, TLSv1.2 with 
>>> cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
>>>
>>> Mar  6 07:55:36 mx postfix/smtpd[10793]: Anonymous TLS connection 
>>> established from unknown[94.19.2.3]: TLSv1.2 with cipher 
>>> ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
>>>
>>> How can I adapt the filter to pick this up? I don’t think the regex in  
>>> filter.d/postfix.conf|dovecot.conf will pick these changed lines up because 
>>> they have the ciphers included, will they?
>>
>> Lines that are not understood/matched by fail2ban are ignored.
>>
>> I don't think these lines signify anything that fail2ban should act on,
>> but please explain what you would like fail2ban to do, based on those
>> log lines?
>>
>>>
>>> Best wishes,
>>>
>>> Sophie 
>>>
>>>
>>>
>>>
>>>
>>>
>>> --
>>> Check out the vibrant tech community on one of the world's most
>>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>>> ___
>>> Fail2ban-users mailing list
>>> Fail2ban-users@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
>>>
>>

Re: [Fail2ban-users] dovecot and postfix jail with extra SSL logging

2018-03-06 Thread Tom Hendrikx


On 06-03-18 08:59, Sophie Loewenthal wrote:
> Morning, 
> 
> My logging from postfix and dovecot is in this format:
> 
> Mar  6 07:49:45 mx dovecot: imap-login: Login: sop...@example.com>, 
> method=PLAIN, rip=94.19.2.3, lip=1.31.1.3, mpid=10655, TLS, TLSv1.2 with 
> cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
> 
> Mar  6 07:55:36 mx postfix/smtpd[10793]: Anonymous TLS connection established 
> from unknown[94.19.2.3]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 
> (256/256 bits)
> 
> How can I adapt the filter to pick this up? I don’t think the regex in  
> filter.d/postfix.conf|dovecot.conf will pick these changed lines up because 
> they have the ciphers included, will they?

Lines that are not understood/matched by fail2ban are ignored.

I don't think these lines signify anything that fail2ban should act on,
but please explain what you would like fail2ban to do, based on those
log lines?

> 
> Best wishes,
> 
> Sophie 
> 
> 
> 
> 
> 
> 
> 



[Fail2ban-users] Fwd: Re: Fehler zwischen Fail2Ban und Python

2018-02-08 Thread Tom Hendrikx



 Forwarded Message 
Subject:Re: [Fail2ban-users] Fehler zwischen Fail2Ban und Python
Date:   Thu, 8 Feb 2018 19:02:16 +0100
From:   itsebiGaming 
To: Tom Hendrikx 



Solved the problem.
I deleted the file in usr/local/bin
After the installation it works. 

On 08.02.2018 18:58, "Tom Hendrikx" <t...@whyscream.net> wrote:

Hi,

after doing the pip uninstall, there shouldn't be any fail2ban-client or
fail2ban-server binary on your machine. If there is, find it using
which, locate, find or whatever your favourite tool is.

If you find something, please report the location. You probably need to
remove it, and the accompanying python library files too.

Ow, and please keep replies on the list, others might be interested in
resolving similar problems.

Kind regards,

        Tom

On 08-02-18 18:46, itsebiGaming wrote:
>
> Hey, 
>
> So I tried your steps. 
>
> It doesn't work. 
>
> 1) I installed python-pip
> 2) remove fail2ban with apt
> 3) remove fail2ban with pip 
> 4) install fail2ban with apt 
> 5) status fail2ban - error 
>
> Unsupported pickle protocol. 
>
> Is it possible to clean the packages or something else? 
>
> itsebiGaming 
>
> On 08.02.2018 18:31, "Tom Hendrikx" <t...@whyscream.net> wrote:
>
>     Hi,
>
>     Yes, the files in /usr/local are from a manual install. Probably you can
>     remove the install using pip: sudo pip uninstall fail2ban. To avoid
>     messing up your ubuntu install, consider to uninstall the ubuntu package
>     first, then remove the manual install, then reinstall the ubuntu package
>     again.
>
>     Good luck,
>
>             Tom
>
>     On 08-02-18 18:02, itsebiGaming wrote:
>     > Hey,
>     > so.. i check your message in Dutch. Both, the fail2ban server and client
>     > are in /usr/local/bin/fail2ban-server/client installed.
>     > So it is a manual installation? How should i remove the installation?
>     > (I installed the version with "sudo apt install fail2ban ")
>     >
>     > itsebiGaming
>     >
>     > On 8 February 2018 at 17:43, itsebiGaming <itsebigam...@gmail.com> wrote:
>     >
>     >     Okay...
>     >     Hello, i have a problem with my linux Server and the fail2ban
>     >     installation.
>     >     The server makes an update and after this the command "sudo
>     >     fail2ban-client status" says "unsupported pickle protocol: 4".
>     >     After some research i found out that the problem must be Python.
>     >     Before the update from Ubuntu (Server: 16.04.03 LTS) it worked but
>     >     now it does not work.
>     >     Is there any fix for this? What information do you need from me?
>     >
>     >     itsebiGaming
>     >
>     >     On 8 February 2018 at 16:57, itsebiGaming <itsebigam...@gmail.com> wrote:
>     >
>     >         Posts: 3 <https://forum.ubuntuusers.de/author/itsebiGaming/>
>     >
>     >
>     >         Quote <https://forum.ubuntuusers.de/post/8936481/quote/>
>     >         Post <https://forum.ubuntuusers.de/post/8936481/> 7. Februa

Re: [Fail2ban-users] Fehler zwischen Fail2Ban und Python

2018-02-08 Thread Tom Hendrikx
Hi,

after doing the pip uninstall, there shouldn't be any fail2ban-client or
fail2ban-server binary on your machine. If there is, find it using
which, locate, find or whatever your favourite tool is.

If you find something, please report the location. You probably need to
remove it, and the accompanying python library files too.

Ow, and please keep replies on the list, others might be interested in
resolving similar problems.

Kind regards,

Tom

On 08-02-18 18:46, itsebiGaming wrote:
> 
> Hey, 
> 
> So I tried your steps. 
> 
> It doesn't work. 
> 
> 1) I installed python-pip
> 2) remove fail2ban with apt
> 3) remove fail2ban with pip 
> 4) install fail2ban with apt 
> 5) status fail2ban - error 
> 
> Unsupported pickle protocol. 
> 
> Is it possible to clean the packages or something else? 
> 
> itsebiGaming 
> 
> On 08.02.2018 18:31, "Tom Hendrikx" <t...@whyscream.net> wrote:
> 
> Hi,
> 
> Yes, the files in /usr/local are from a manual install. Probably you can
> remove the install using pip: sudo pip uninstall fail2ban. To avoid
> messing up your ubuntu install, consider to uninstall the ubuntu package
> first, then remove the manual install, then reinstall the ubuntu package
> again.
> 
> Good luck,
> 
>         Tom
> 
> On 08-02-18 18:02, itsebiGaming wrote:
> > Hey,
> > so.. i check your message in Dutch. Both, the fail2ban server and client
> > are in /usr/local/bin/fail2ban-server/client installed.
> > So it is a manual installation? How should i remove the installation?
> > (I installed the version with "sudo apt install fail2ban ")
> >
> > itsebiGaming
> >
> > On 8 February 2018 at 17:43, itsebiGaming <itsebigam...@gmail.com> wrote:
> >
> >     Okay...
> >     Hello, i have a problem with my linux Server and the fail2ban
> >     installation.
> >     The server makes an update and after this the command "sudo
> >     fail2ban-client status" says "unsupported pickle protocol: 4".
> >     After some research i found out that the problem must be Python.
> >     Before the update from Ubuntu (Server: 16.04.03 LTS) it worked but
> >     now it does not work.
> >     Is there any fix for this? What information do you need from me?
> >
> >     itsebiGaming
> >
> >     On 8 February 2018 at 16:57, itsebiGaming <itsebigam...@gmail.com> wrote:
> >
> >         Posts: 3 <https://forum.ubuntuusers.de/author/itsebiGaming/>
> >
> >
> >         Quote <https://forum.ubuntuusers.de/post/8936481/quote/>
> >         Post <https://forum.ubuntuusers.de/post/8936481/> 7 February
> >         2018 21:54 (last edited: 7 February 2018 21:55)
> >
> >         Hello everyone, I have a small problem with my Linux server
> >         (version Linux 4.4.0-112-generic #135-Ubuntu SMP x86_64 x86_64
> >         x86_64 GNU/Linux / 16.04.03). I already had Fail2Ban running on
> >         it; after I applied updates and uninstalled and reinstalled
> >         Fail2Ban (I wanted to add a blocklist...), I can install Fail2Ban,
> >         but when I enter the command "fail2ban-client status" I have the
> >         problem that the following error message appears:
> >         "unsupported pickle protocol: 4".
> >
> >         After searching the internet I had to conclude that it must have
> >         something to do with Python. Fail2Ban (V.0.9.x) is installed with
> >         Python and not with python3. Now I have the problem that I have
> >         both Python and Python 3 installed, and the Fail2Ban server or
> >         client responds to Python 3 and/or Python, and so they cannot
> >         communicate.
> >
> >

Re: [Fail2ban-users] Fehler zwischen Fail2Ban und Python

2018-02-08 Thread Tom Hendrikx
Hi,

Yes, the files in /usr/local are from a manual install. Probably you can
remove the install using pip: sudo pip uninstall fail2ban. To avoid
messing up your ubuntu install, consider to uninstall the ubuntu package
first, then remove the manual install, then reinstall the ubuntu package
again.

Good luck,

Tom

On 08-02-18 18:02, itsebiGaming wrote:
> Hey,
> so.. i check your message in Dutch. Both, the fail2ban server and client
> are in /usr/local/bin/fail2ban-server/client installed.
> So it is a manual installation? How should i remove the installation?
> (I installed the version with "sudo apt install fail2ban ")
> 
> itsebiGaming
> 
> On 8 February 2018 at 17:43, itsebiGaming wrote:
> 
> Okay...
> Hello, i have a problem with my linux Server and the fail2ban
> installation.
> The server makes an update and after this the command "sudo
> fail2ban-client status" says "unsupported pickle protocol: 4".
> After some research i found out that the problem must be Python.
> Before the update from Ubuntu (Server: 16.04.03 LTS) it worked but
> now it does not work.
> Is there any fix for this? What information do you need from me?
> 
> itsebiGaming
> 
> On 8 February 2018 at 16:57, itsebiGaming <itsebigam...@gmail.com> wrote:
> 
> Posts: 3 
> 
> Quote 
> Post 7 February
> 2018 21:54 (last edited: 7 February 2018 21:55)
> 
> Hello everyone, I have a small problem with my Linux
> server (version Linux 4.4.0-112-generic #135-Ubuntu SMP x86_64
> x86_64 x86_64 GNU/Linux / 16.04.03). I already had Fail2Ban running
> on it; after I applied updates and uninstalled and reinstalled
> Fail2Ban (I wanted to add a blocklist...), I can install Fail2Ban,
> but when I enter the command "fail2ban-client status" I have the
> problem that the following error message appears:
> "unsupported pickle protocol: 4".
> 
> After searching the internet I had to conclude that it must have
> something to do with Python. Fail2Ban (V.0.9.x) is installed with
> Python and not with python3. Now I have the problem that I have
> both Python and Python 3 installed, and the Fail2Ban server or
> client responds to Python 3 and/or Python, and so they cannot
> communicate.
> 
> Could someone help me get Fail2Ban running again? Before this last
> update and the reinstallation it worked perfectly.
> 
> I have also already uninstalled Fail2Ban with the commands "sudo apt
> --purge remove fail2ban" and "sudo apt-get autoremove". After
> reinstalling I was able to reproduce the problem.
> 
> It would really be important for it to work again :D
> 
> Thanks!
> 
> itsebiGaming
> 
> 
> 
> 
> 
> 
> 






Re: [Fail2ban-users] Fehler zwischen Fail2Ban und Python

2018-02-08 Thread Tom Hendrikx
On 08-02-18 16:57, itsebiGaming wrote:
> Posts: 3 
> 
> Quote 
> Post 7 February 2018
> 21:54 (last edited: 7 February 2018 21:55)
> 
> Hello everyone, I have a small problem with my Linux server
> (version Linux 4.4.0-112-generic #135-Ubuntu SMP x86_64 x86_64 x86_64
> GNU/Linux / 16.04.03). I already had Fail2Ban running on it; after I
> applied updates and uninstalled and reinstalled Fail2Ban (I wanted to
> add a blocklist...), I can install Fail2Ban, but when I enter the
> command "fail2ban-client status" I have the problem that the following
> error message appears: "unsupported pickle protocol: 4".

It looks like your installation is a mix of a python3 installation and
a manual installation that was not removed correctly and had been
installed with python2. Could you show the output of the following
commands:

$ which fail2ban-client
$ which fail2ban-server

My guess is that your fail2ban-client is in /usr/local. That was a
manual installation using python2, and you will have to remove it.

> 
> After searching the internet I had to conclude that it must have
> something to do with Python. Fail2Ban (V.0.9.x) is installed with
> Python and not with python3. Now I have the problem that I have both
> Python and Python 3 installed, and the Fail2Ban server or client
> responds to Python 3 and/or Python, and so they cannot communicate.
> 
> Could someone help me get Fail2Ban running again? Before this last
> update and the reinstallation it worked perfectly.
> 
> I have also already uninstalled Fail2Ban with the commands "sudo apt
> --purge remove fail2ban" and "sudo apt-get autoremove". After
> reinstalling I was able to reproduce the problem.
> 
> It would really be important for it to work again :D
> 
> Thanks!

Thank you too.

> 
> itsebiGaming
> 


Yes, that is Dutch. If you can't understand, you're probably in the same
boat as many others on this mailing list who never understood your German
post. Please use English on this international mailing list :)

Kind regards,

Tom




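The mismatch diagnosed in this thread (a client running on one Python feeding a server running on the other) can be reproduced without a second interpreter. The following is an added illustration, not fail2ban's code and not anything the posters ran: it reads the protocol byte from a pickled message the way a Python 2 reader does and refuses anything above protocol 2, which is exactly the message `fail2ban-client status` reported. The "server" is an emulation; the only assumptions are Python 2's ceiling of protocol 2 and the constructed command list used as a sample.

```python
import pickle

# Python 2's pickle.HIGHEST_PROTOCOL is 2 (assumption of this emulation); a
# newer number in the header makes it raise "unsupported pickle protocol: N"
# before the payload is even looked at.
PY2_MAX_PROTOCOL = 2

# Every protocol-2-or-newer pickle starts with the PROTO opcode (0x80)
# followed by one byte holding the protocol number.
PROTO_OPCODE = 0x80


def pickle_protocol(data):
    """Return the protocol number announced in a pickled message's header.

    Protocols 0 and 1 carry no PROTO opcode and are reported as 0, which is
    fine for a compatibility check because every interpreter can read them.
    """
    if len(data) >= 2 and data[0] == PROTO_OPCODE:
        return data[1]
    return 0


def loads_as_old_reader(data, max_protocol=PY2_MAX_PROTOCOL):
    """Emulate a reader with a protocol ceiling (a Python 2 fail2ban-server):
    refuse headers it does not understand, otherwise unpickle normally."""
    proto = pickle_protocol(data)
    if proto > max_protocol:
        raise ValueError("unsupported pickle protocol: %d" % proto)
    return pickle.loads(data)


def wire_protocol(command, client_protocol):
    """Protocol number a client pinned to client_protocol puts on the wire."""
    return pickle_protocol(pickle.dumps(command, protocol=client_protocol))


def send_command(command, client_protocol):
    """Pickle a client command the way a client on a given interpreter would
    and hand it to the emulated Python 2 server. Returns the decoded command
    on success, or the error text the server would report."""
    wire = pickle.dumps(command, protocol=client_protocol)
    try:
        return loads_as_old_reader(wire)
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    # A Python 3 client (protocol 4) talking to a Python 2 server is the exact
    # symptom from the thread; a client pinned to protocol 2 gets through.
    print(send_command(["status"], 4))   # unsupported pickle protocol: 4
    print(send_command(["status"], 2))   # ['status']
```

The point for cleanup is the one Tom makes: the fix is not to tune pickle but to make sure only one fail2ban (client and server from the same package, on the same interpreter) is left on the machine.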

Re: [Fail2ban-users] Fail2ban tailing symlinked log files

2018-01-27 Thread Tom Hendrikx
On 27-01-18 13:32, Roman Pikalo wrote:
> Hello 
> 
> I am trying to run fail2ban on my machine.
> I have configured it to tail a docker container log file: 
> 
> [nginx-http-auth]
> 
> enabled = true
> filter  = nginx-http-auth
> port    = http,https
> logpath = /var/log/docker/nginx.log
> 
> /var/log/docker/nginx.log is a symlink to real file: 
> 
> user@server:~$ ls -la /var/log/docker/nginx.log 
> lrwxrwxrwx 1 td-agent td-agent 52 Jan 27 08:31 /var/log/docker/nginx.log
> -> /var/log/docker/nginx.20180127.b563bdd89a926a0a2.log
> 
> Logfile is being handled by td-agent and symlinked to another file at
> midnight and during the day. 
>   
>     type file
>     path /var/log/docker/nginx.*.log
>     symlink_path /var/log/docker/nginx.log
>     time_slice_format %Y%m%d
>     time_slice_wait 1m
>     append true
>     format single_value
>     message_key log
>   
> 
> The issue is that every time nginx.log file gets symlinked to another
> file fail2ban gets confused: 
> 2018-01-27 00:01:54,459 fail2ban.filter : ERROR  Unable to open
> /var/log/docker/nginx.log
> 2018-01-27 00:01:54,459 fail2ban.filter : ERROR  [Errno 2] No such file
> or directory: '/var/log/docker/nginx.log'
> Traceback (most recent call last):
>   File "/usr/share/fail2ban/server/filter.py", line 491, in getFailures
>     has_content = container.open()
>   File "/usr/share/fail2ban/server/filter.py", line 569, in open
>     self.__handler = open(self.__filename)
> IOError: [Errno 2] No such file or directory: ‘/var/log/docker/nginx.log'
> 
> Any ideas how to make fail2ban to follow the new symlinked file ? 
> 
> 
> Ubuntu 14.04.4 LTS
> Fail2Ban v0.8.11
> 


Maybe this issue might have some useful hints for you?

https://github.com/fail2ban/fail2ban/issues/1797

Kind regards,

Tom




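The traceback quoted above comes from re-opening the log by name on every poll, which fails in the moment when td-agent has removed the old symlink and not yet created the new one. As an added example (not fail2ban's own code, and not taken from the GitHub issue Tom links), the tailer below keeps its open handle across that gap and only switches files when the link resolves to a different inode; the rotation scenario in `rotation_demo()` is constructed to mirror the thread, with made-up log lines.

```python
import os
import tempfile


class SymlinkTailer:
    """Tail a log file through a symlink that another process re-points.

    The open handle is kept until the link resolves to a different file
    (compared by inode), so a link that dangles for a moment between
    unlink and re-create does not abort the tail; it simply yields nothing
    until the new target exists.
    """

    def __init__(self, path):
        self.path = path
        self.fh = None
        self.inode = None

    def _reopen_if_retargeted(self):
        try:
            target_inode = os.stat(self.path).st_ino   # os.stat follows the link
        except FileNotFoundError:
            return                                      # dangling: keep old handle
        if self.fh is not None and target_inode == self.inode:
            return                                      # still the same file
        try:
            fh = open(self.path, "rb")
        except FileNotFoundError:
            return                                      # re-pointed between stat and open
        if self.fh is not None:
            self.fh.close()
        self.fh = fh
        self.inode = os.fstat(fh.fileno()).st_ino

    def read_new_lines(self):
        """Return the complete lines appended since the last call."""
        self._reopen_if_retargeted()
        if self.fh is None:
            return []
        lines = []
        while True:
            pos = self.fh.tell()
            raw = self.fh.readline()
            if not raw:
                break
            if not raw.endswith(b"\n"):
                self.fh.seek(pos)          # partial write in progress; retry later
                break
            lines.append(raw.decode("utf-8", "replace").rstrip("\n"))
        return lines

    def close(self):
        if self.fh is not None:
            self.fh.close()
            self.fh = None


def rotation_demo():
    """Constructed scenario mirroring the thread: nginx.log is a symlink that
    the log shipper removes and re-creates pointing at the next day's file."""
    with tempfile.TemporaryDirectory() as d:
        link = os.path.join(d, "nginx.log")
        day1 = os.path.join(d, "nginx.20180126.log")
        day2 = os.path.join(d, "nginx.20180127.log")
        with open(day1, "w") as f:
            f.write("day1 line one\nday1 line two\n")
        os.symlink(day1, link)
        tailer = SymlinkTailer(link)
        first = tailer.read_new_lines()
        os.unlink(link)                     # the window in which fail2ban 0.8 errored out
        while_dangling = tailer.read_new_lines()
        with open(day2, "w") as f:
            f.write("day2 line one\n")
        os.symlink(day2, link)
        second = tailer.read_new_lines()
        tailer.close()
        return first, while_dangling, second


if __name__ == "__main__":
    print(rotation_demo())
```

Lines appended to the old file after the last poll but before the switch are still lost with this approach; a tailer that wants those has to drain the old handle once more before closing it.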

Re: [Fail2ban-users] my dovecot filter not working

2017-12-13 Thread Tom Hendrikx
Hi,

The default jail does not check on the lines you mention.

Not really weird, since the log message explicitly states that no auth
attempt is performed. Somebody is connecting but did not send auth
details, and your dovecot didn't tell them whether the auth credentials
were working or not. This could be a bot (albeit a very stupid or simple
one, because it does not try to use TLS), or it could be a user that has
his IMAP client configured incorrectly.

Anyway: no auth details, so no dictionary attack. Feel free to add
custom regexes on your own system though.

Kind regards,
Tom

On 13-12-17 18:46, Gao wrote:
> Hi list,
> 
> My mail server using dovecot v2.2.33 on CentOS 7. I installed fail2ban
> v0.9.7 from EPEL repo. I just noticed the dovecot filter seems not
> working. My maillog have entries:
> Dec 11 22:14:00 mail dovecot: imap-login: Disconnected (no auth attempts
> in 0 secs): user=<>, rip=208.100.26.233, lip=10.11.22.68, TLS
> handshaking: SSL_accept() failed: error:1408A0C1:SSL
> routines:ssl3_get_client_hello:no shared cipher, session=
> Dec 12 03:10:02 mail dovecot: pop3-login: Disconnected (no auth attempts
> in 0 secs): user=<>, rip=208.100.26.235, lip=10.11.22.68, TLS
> handshaking: SSL_accept() failed: error:140760FC:SSL
> routines:SSL23_GET_CLIENT_HELLO:unknown protocol, session=
> 
> But the test show no match:
> # fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/dovecot.conf
> 
> Running tests
> =
> 
> Use   failregex filter file : dovecot, basedir: /etc/fail2ban
> Use log file : /var/log/maillog
> Use encoding : UTF-8
> 
> Results
> ===
> *Failregex: 0 total*
> 
> Ignoreregex: 0 total
> 
> Date template hits:
> |- [# of hits] date format
> |  [24406] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?:
> Year)?
> `-
> 
> Lines: 24406 lines, 0 ignored, *0 matched*, 24406 missed
> [processed in 3.56 sec]
> 
> Missed line(s): too many to print.  Use --print-all-missed to print all
> 24406 lines
> 
> I enabled dovecot in jail.local:
> [dovecot]
> enabled = true
> port    = pop3,pop3s,imap,imaps,submission,465,sieve
> logpath = %(dovecot_log)s
> backend = %(dovecot_backend)s
> 
> I just use the default dovecot filter:
> # cat /etc/fail2ban/filter.d/dovecot.conf
> # Fail2Ban filter Dovecot authentication and pop3/imap server
> #
> 
> [INCLUDES]
> 
> before = common.conf
> 
> [Definition]
> 
> _daemon = (auth|dovecot(-auth)?|auth-worker)
> 
> failregex =
> ^%(__prefix_line)s(?:%(__pam_auth)s(?:\(dovecot:auth\))?:)?\s+authentication
> failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S*
> rhost=<HOST>(?:\s+user=\S*)?\s*$
>     ^%(__prefix_line)s(?:pop3|imap)-login: (?:Info: )?(?:Aborted
> login|Disconnected)(?::(?: [^ \(]+)+)? \((?:auth failed, \d+ attempts(
> in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):(
> user=<[^>]+>,)?( method=\S+,)? rip=<HOST>(?:, lip=\S+)?(?:, TLS(?:
> handshaking(?:: SSL_accept\(\) failed: error:[\dA-F]+:SSL
> routines:[TLS\d]+_GET_CLIENT_HELLO:unknown protocol)?)?(:
> Disconnected)?)?(, session=<\S+>)?\s*$
>     ^%(__prefix_line)s(?:Info|dovecot:
> auth\(default\)|auth-worker\(\d+\)): pam\(\S+,<HOST>\):
> pam_authenticate\(\) failed: (User not known to the underlying
> authentication module: \d+ Time\(s\)|Authentication failure \(password
> mismatch\?\))\s*$
>     ^%(__prefix_line)s(?:auth|auth-worker\(\d+\)):
> (?:pam|passwd-file)\(\S+,<HOST>\): unknown user\s*$
>     ^%(__prefix_line)s(?:auth|auth-worker\(\d+\)): Info:
> ldap\(\S*,<HOST>,\S*\): invalid credentials\s*$
> 
> ignoreregex =
> 
> [Init]
> 
> journalmatch = _SYSTEMD_UNIT=dovecot.service
> 
> 
> Could someone help me on this? I must have missed something here. BTW other
> filters work fine.
> 
> Thanks.
> 
> Gao
> 
> 
> 
> 
> 





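Both Sophie's question about the cipher suffix (the dovecot thread earlier on this page) and Gao's "no auth attempts" lines come down to whether the shipped failregex can reach its final `\s*$` on the line. As an added check, not part of either thread and not fail2ban's code, the script below takes the imap/pop3-login failregex exactly as quoted in Gao's post, with the `<HOST>` placeholder restored where the archive dropped it, and runs it over constructed lines modelled on both posts. Assumptions: `PREFIX_LINE` is a simplified stand-in for what common.conf expands `__prefix_line` to (hostname, the filter's `_daemon` alternation, optional pid); `HOST` is the expansion `fail2ban-client get ... failregex` prints in the postfix-sasl thread later on this page; the session ids are made up.

```python
import re

# The imap/pop3-login failregex from the dovecot.conf quoted in this thread,
# joined onto one line, with <HOST> put back where the archive stripped it.
LOGIN_FAILREGEX = (
    r"^%(__prefix_line)s(?:pop3|imap)-login: (?:Info: )?(?:Aborted login|Disconnected)"
    r"(?::(?: [^ \(]+)+)? \((?:auth failed, \d+ attempts( in \d+ secs)?"
    r"|tried to use (disabled|disallowed) \S+ auth)\):( user=<[^>]+>,)?( method=\S+,)?"
    r" rip=<HOST>(?:, lip=\S+)?(?:, TLS(?: handshaking(?:: SSL_accept\(\) failed: "
    r"error:[\dA-F]+:SSL routines:[TLS\d]+_GET_CLIENT_HELLO:unknown protocol)?)?"
    r"(: Disconnected)?)?(, session=<\S+>)?\s*$"
)

# Simplified stand-in for common.conf's __prefix_line (an assumption, not the
# real expansion): optional hostname, the filter's _daemon alternation, an
# optional [pid] and the colon.
PREFIX_LINE = r"\s*(?:\S+ )?(?:auth|dovecot(?:-auth)?|auth-worker)(?:\[\d+\])?:\s+"

# <HOST> as fail2ban-client prints it in the postfix-sasl output on this page.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Syslog timestamp; fail2ban strips it before the failregex is applied.
SYSLOG_DATE = re.compile(r"^\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}\s+")

# Constructed sample lines modelled on the two posts (session ids invented).
SAMPLE_LINES = [
    # Gao: the connection was closed without any authentication attempt
    "Dec 11 22:14:00 mail dovecot: imap-login: Disconnected (no auth attempts in 0 secs): "
    "user=<>, rip=208.100.26.233, lip=10.11.22.68, TLS handshaking: SSL_accept() failed: "
    "error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher, session=<s1>",
    # a genuine password failure in the form the filter was written for
    "Dec 12 03:10:02 mail dovecot: imap-login: Disconnected (auth failed, 3 attempts in 12 secs): "
    "user=<bob>, method=PLAIN, rip=203.0.113.7, lip=10.11.22.68, TLS: Disconnected, session=<s2>",
    # Sophie: the same kind of failure, but dovecot also logs the negotiated cipher
    "Mar 11 13:37:39 mx10 dovecot: imap-login: Aborted login (auth failed, 4 attempts in 26 secs): "
    "user=<junk4>, method=PLAIN, rip=71.213.169.18, lip=10.1.1.100, TLS, TLSv1 with cipher "
    "ECDHE-RSA-AES256-SHA (256/256 bits)",
]


def compile_failregex(template):
    """Expand the two substitutions fail2ban performs and compile the result."""
    pattern = template.replace("%(__prefix_line)s", PREFIX_LINE).replace("<HOST>", HOST)
    return re.compile(pattern)


def scan(lines, regex):
    """Per line, the host the regex captured, or None if the line is missed."""
    results = []
    for line in lines:
        body = SYSLOG_DATE.sub("", line, count=1)
        match = regex.search(body)
        results.append(match.group("host") if match else None)
    return results


def run_samples():
    return scan(SAMPLE_LINES, compile_failregex(LOGIN_FAILREGEX))


if __name__ == "__main__":
    for line, host in zip(SAMPLE_LINES, run_samples()):
        print("MATCH host=%s" % host if host else "MISSED", "|", line[:72])
```

Run as-is it reports MISSED for the first and third lines and a match with host 203.0.113.7 for the second. The "no auth attempts" line never enters the `(auth failed, ...)` branch, which is Tom's point that no credentials were tried; the cipher suffix leaves text after `, TLS` for which this version of the pattern has no alternative, so with this filter such lines are simply ignored, as Tom says unmatched lines are.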

Re: [Fail2ban-users] IP isn't banned even after maxretry

2017-10-29 Thread Tom Hendrikx
Hi,

your problem is shorewall.

The shorewall block method only takes a single input: the ip address. It
is not able to differ between multiple jails (unlike f.i. iptables).

That means that when 187.178.172.36 connects, it is probably banned by
postfix-sasl after a few times. After a short while it is unbanned, and
promptly returns. After a few times of banning/unbanning by postfix-sasl,
it will also be banned by postfix-sasl-long. Now the address is banned
by 2 jails.

Then it is unbanned again by postfix-sasl, and thus removed from the
shorewall blacklist. Fail2ban thinks that postfix-sasl-long is still
banning this, but shorewall doesn't block it. Now the address can keep
coming back and fail2ban won't block it again.

Shorewall is a dumb jail, don't use it when you want to do sophisticated
things like short and long blocks for the same port, or f.i. using
recidive jail.


Kind regards,
Tom

On 29-10-17 14:17, chaouche yacine via Fail2ban-users wrote:
> 
> Update
> 
> 
> The IP has been banned today at 13:43, but it should have been banned earlier 
> as I explained in my previous mail.
> 
> 
> 2017-10-29 13:43:36,637 fail2ban.actions[23538]: WARNING [postfix-sasl-long] 
> Ban 187.178.172.36
> 
> 
> On Sunday, October 29, 2017 12:42 PM, Tom Hendrikx  wrote:
>> Does your regex work when you test it using fail2ban-regex?
> 
> I use the default postfix-sasl regex which had 700+ matches
> 
> Here's postfix-sasl-long
> 
> root@messagerie[10.10.10.19] ~ # fail2ban-client get postfix-sasl-long 
> failregex 
> The following regular expression are defined:
> `- [0]: ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] 
> )?(?:@vserver_\S+ 
> )?(?:(?:\[\d+\])?:\s+[\[\(]?postfix/smtpd(?:\(\S+\))?[\]\)]?:?|[\[\(]?postfix/smtpd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID
>  \d+ \S+\])?\s*warning: [-._\w]+\[(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)\]: 
> SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ 
> A-Za-z0-9+/]*={0,2})?\s*$
> root@messagerie[10.10.10.19] ~ #
> 
> Here's postfix-sasl
> 
> root@messagerie[10.10.10.19] ~ # fail2ban-client get postfix-sasl failregex 
> The following regular expression are defined:
> `- [0]: ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] 
> )?(?:@vserver_\S+ 
> )?(?:(?:\[\d+\])?:\s+[\[\(]?postfix/smtpd(?:\(\S+\))?[\]\)]?:?|[\[\(]?postfix/smtpd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID
>  \d+ \S+\])?\s*warning: [-._\w]+\[(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)\]: 
> SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ 
> A-Za-z0-9+/]*={0,2})?\s*$
> root@messagerie[10.10.10.19] ~ #
> 
> 
> Proof they're the same
> 
> root@messagerie[10.10.10.19] ~ # diff <(fail2ban-client get postfix-sasl 
> failregex)  <(fail2ban-client get postfix-sasl-long failregex)
> 
> 
> Proof it matches
> 
> root@messagerie[10.10.10.19] ~ # fail2ban-regex /var/log/mail.warn 
> /etc/fail2ban/filter.d/postfix-sasl.conf 
> 
> Running tests
> =
> 
> Use   failregex file : /etc/fail2ban/filter.d/postfix-sasl.conf
> Use log file : /var/log/mail.warn
> 
> 
> Results
> ===
> 
> Failregex: 753 total
> |-  #) [# of hits] regular expression
> |   1) [753] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] 
> )?(?:@vserver_\S+ 
> )?(?:(?:\[\d+\])?:\s+[\[\(]?postfix/smtpd(?:\(\S+\))?[\]\)]?:?|[\[\(]?postfix/smtpd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID
>  \d+ \S+\])?\s*warning: [-._\w]+\[<HOST>\]: SASL 
> (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ 
> A-Za-z0-9+/]*={0,2})?\s*$
> `-
> 
> Ignoreregex: 0 total
> 
> Date template hits:
> |- [# of hits] date format
> |  [1146] MONTH Day Hour:Minute:Second
> `-
> 
> Lines: 1146 lines, 0 ignored, 753 matched, 393 missed
> Missed line(s): too many to print.  Use --print-all-missed to print all 393 
> lines
> root@messagerie[10.10.10.19] ~ # 
> 
> 
> 
> 
> 
> 
> 
> 
>> What does f2b log when your jail starts up?
> 
> Here's a complete restart session : 
> 
> 2017-10-29 14:01:13,781 fail2ban.server [23538]: INFOStopping all jails
> 2017-10-29 14:01:14,050 fail2ban.actions[23538]: WARNING [postfix-sasl] Unban 
> 113.121.246.35
> 2017-10-29 14:01:14,086 fail2ban.actions[23538]: WARNING [postfix-sasl] Unban 
> 185.165.29.27
> 2017-10-29 14:01:14,122 fail2ban.actions[23538]: WARNING [postfix-sasl] Unban 
> 185.165.29.83
> 2017-10-29 14:01:14,158 fail2ban.jail   [23538]: INFOJail 'postfix-sasl' 
> stopped
> 2017-10-29 14:01:14,424 fail2ban.jail   [23538]: INFOJail 'ssh' stopped
> 2017-10-29 14:01:14,515 fail2ban.jail   [23538]: INFOJail 'dovecot' 
> sto

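Tom's explanation is a state-divergence problem: fail2ban keeps a per-jail view of who is banned, while an action that only takes an address keeps one shared list. The added model below (not shorewall's, iptables' or fail2ban's code; the event sequence is constructed to follow the description above) replays the same ban/unban events against an address-only blacklist and against per-jail rule sets, and reports what fail2ban believes next to what the firewall actually blocks.

```python
IP = "187.178.172.36"   # the address from the thread

# Ban/unban sequence modelled on Tom's description (constructed, not taken
# from a real fail2ban log).
EVENTS = [
    ("ban",   "postfix-sasl",      IP),
    ("unban", "postfix-sasl",      IP),
    ("ban",   "postfix-sasl",      IP),
    ("ban",   "postfix-sasl-long", IP),   # now held by two jails
    ("unban", "postfix-sasl",      IP),   # the short ban expires first
]


class IpOnlyBlacklist:
    """Backend that accepts nothing but an address, like the shorewall action
    described in the thread: one shared list, so any jail's unban clears it."""

    def __init__(self):
        self.blocked = set()

    def ban(self, jail, ip):
        self.blocked.add(ip)

    def unban(self, jail, ip):
        self.blocked.discard(ip)

    def is_blocked(self, ip):
        return ip in self.blocked


class PerJailChains:
    """Backend that keeps one rule set per jail (iptables-style chains): the
    address stays blocked while any jail still holds a ban on it."""

    def __init__(self):
        self.chains = {}

    def ban(self, jail, ip):
        self.chains.setdefault(jail, set()).add(ip)

    def unban(self, jail, ip):
        self.chains.setdefault(jail, set()).discard(ip)

    def is_blocked(self, ip):
        return any(ip in rules for rules in self.chains.values())


def replay(backend, events, ip):
    """Feed events to a backend; return (fail2ban_thinks_banned, firewall_blocks).

    fail2ban's own bookkeeping is per jail, so it believes the address is
    banned while at least one jail still lists it."""
    believed = {}
    for action, jail, addr in events:
        tickets = believed.setdefault(jail, set())
        if action == "ban":
            tickets.add(addr)
            backend.ban(jail, addr)
        else:
            tickets.discard(addr)
            backend.unban(jail, addr)
    thinks_banned = any(ip in tickets for tickets in believed.values())
    return thinks_banned, backend.is_blocked(ip)


if __name__ == "__main__":
    print("ip-only blacklist:", replay(IpOnlyBlacklist(), EVENTS, IP))   # (True, False)
    print("per-jail chains:  ", replay(PerJailChains(), EVENTS, IP))     # (True, True)
```

The `(True, False)` outcome is the failure Tom describes: the long jail will not issue a second ban for an address it already records as banned, and the firewall no longer blocks it, so the address keeps coming back until the long ban expires and the cycle restarts.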
Re: [Fail2ban-users] IP isn't banned even after maxretry

2017-10-29 Thread Tom Hendrikx
On 29-10-17 12:10, chaouche yacine via Fail2ban-users wrote:
> 
> I configured my postfix-long jail to read from mail.warn : 
> 
> root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL # fail2ban-client get 
> postfix-sasl-long logpath 
> Current monitored log file(s):
> `- /var/log/mail.warn
> root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL # 
> 
> 
> I'd like to ban after 10 attempts in 24 hours :
> 
> root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL # fail2ban-client get 
> postfix-sasl-long maxretry
> 10
> root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL # fail2ban-client get 
> postfix-sasl-long findtime
> 86400
> root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL # 
> 
> 
> Here are the logged failures in mail.warn. 
> 
> root@messagerie[10.10.10.19] ~ # egrep 187.178.172.36 /var/log/mail.warn* | nl
> 1  /var/log/mail.warn:Oct 27 19:47:21 messagerie postfix/smtpd[43215]: 
> warning: 187-178-172-36.dynamic.axtel.net[187.178.172.36]: SASL LOGIN 
> authentication failed: UGFzc3dvcmQ6
> 2  /var/log/mail.warn:Oct 27 20:17:43 messagerie postfix/smtpd[46012]: 
> warning: 187-178-172-36.dynamic.axtel.net[187.178.172.36]: SASL LOGIN 
> authentication failed: UGFzc3dvcmQ6
> 3  /var/log/mail.warn:Oct 27 21:18:18 messagerie postfix/smtpd[47974]: 
> warning: 187-178-172-36.dynamic.axtel.net[187.178.172.36]: SASL LOGIN 
> authentication failed: UGFzc3dvcmQ6
> 4  /var/log/mail.warn:Oct 27 22:09:36 messagerie postfix/smtpd[48979]: 
> warning: 187-178-172-36.dynamic.axtel.net[187.178.172.36]: SASL LOGIN 
> authentication failed: UGFzc3dvcmQ6
> 5  /var/log/mail.warn:Oct 28 07:17:06 messagerie postfix/smtpd[3820]: 
> warning: 187-178-172-36.dynamic.axtel.net[187.178.172.36]: SASL LOGIN 
> authentication failed: UGFzc3dvcmQ6
> 6  /var/log/mail.warn:Oct 28 09:47:43 messagerie postfix/smtpd[7036]: 
> warning: 187-178-172-36.dynamic.axtel.net[187.178.172.36]: SASL LOGIN 
> authentication failed: UGFzc3dvcmQ6
> 7  /var/log/mail.warn:Oct 28 14:29:46 messagerie postfix/smtpd[17325]: 
> warning: 187-178-172-36.dynamic.axtel.net[187.178.172.36]: SASL LOGIN 
> authentication failed: UGFzc3dvcmQ6
> 8  /var/log/mail.warn:Oct 28 16:03:36 messagerie postfix/smtpd[21266]: 
> warning: 187-178-172-36.dynamic.axtel.net[187.178.172.36]: SASL LOGIN 
> authentication failed: UGFzc3dvcmQ6
> 9  /var/log/mail.warn:Oct 28 16:40:52 messagerie postfix/smtpd[23872]: 
> warning: 187-178-172-36.dynamic.axtel.net[187.178.172.36]: SASL LOGIN 
> authentication failed: UGFzc3dvcmQ6
> 10  /var/log/mail.warn:Oct 28 20:35:57 messagerie postfix/smtpd[30183]: 
> warning: 187-178-172-36.dynamic.axtel.net[187.178.172.36]: SASL LOGIN 
> authentication failed: UGFzc3dvcmQ6
> 11  /var/log/mail.warn:Oct 28 23:16:20 messagerie postfix/smtpd[36002]: 
> warning: 187-178-172-36.dynamic.axtel.net[187.178.172.36]: SASL LOGIN 
> authentication failed: UGFzc3dvcmQ6
> 12  /var/log/mail.warn:Oct 29 01:05:18 messagerie postfix/smtpd[42070]: 
> warning: 187-178-172-36.dynamic.axtel.net[187.178.172.36]: SASL LOGIN 
> authentication failed: UGFzc3dvcmQ6
> 13  /var/log/mail.warn:Oct 29 02:03:15 messagerie postfix/smtpd[44450]: 
> warning: 187-178-172-36.dynamic.axtel.net[187.178.172.36]: SASL LOGIN 
> authentication failed: UGFzc3dvcmQ6
> 14  /var/log/mail.warn:Oct 29 02:06:38 messagerie postfix/smtpd[44450]: 
> warning: 187-178-172-36.dynamic.axtel.net[187.178.172.36]: SASL LOGIN 
> authentication failed: UGFzc3dvcmQ6
> 15  /var/log/mail.warn:Oct 29 02:37:19 messagerie postfix/smtpd[45572]: 
> warning: 187-178-172-36.dynamic.axtel.net[187.178.172.36]: SASL LOGIN 
> authentication failed: UGFzc3dvcmQ6
> 16  /var/log/mail.warn:Oct 29 05:55:14 messagerie postfix/smtpd[51964]: 
> warning: 187-178-172-36.dynamic.axtel.net[187.178.172.36]: SASL LOGIN 
> authentication failed: UGFzc3dvcmQ6
> 17  /var/log/mail.warn:Oct 29 08:14:57 messagerie postfix/smtpd[60387]: 
> warning: 187-178-172-36.dynamic.axtel.net[187.178.172.36]: SASL LOGIN 
> authentication failed: UGFzc3dvcmQ6
> 18  /var/log/mail.warn:Oct 29 09:51:40 messagerie postfix/smtpd[3024]: 
> warning: 187-178-172-36.dynamic.axtel.net[187.178.172.36]: SASL LOGIN 
> authentication failed: UGFzc3dvcmQ6
> root@messagerie[10.10.10.19] ~ # 
> 
> 
> The 10 attacks in 24 hour span begins at the fifth attempt on Oct 28 07:17 
> until Oct 29 02:06 : 
> 
> 5  /var/log/mail.warn:Oct 28 07:17:06 messagerie postfix/smtpd[3820]: 
> warning: 187-178-172-36.dynamic.axtel.net[187.178.172.36]: SASL LOGIN 
> authentication failed: UGFzc3dvcmQ6
> 6  /var/log/mail.warn:Oct 28 09:47:43 messagerie postfix/smtpd[7036]: 
> warning: 187-178-172-36.dynamic.axtel.net[187.178.172.36]: SASL LOGIN 
> authentication failed: UGFzc3dvcmQ6
> 7  /var/log/mail.warn:Oct 28 14:29:46 messagerie postfix/smtpd[17325]: 
> warning: 187-178-172-36.dynamic.axtel.net[187.178.172.36]: SASL LOGIN 
> authentication failed: UGFzc3dvcmQ6
> 8  /var/log/mail.warn:Oct 28 16:03:36 messagerie postfix/smtpd[21266]: 
> warning: 187-178-172-36.dynamic.axtel.net[187.178.172.36]: SASL LOGIN 
> authentication failed: UGFzc

Re: [Fail2ban-users] fail2ban-regex -- ERROR: failed to read

2017-10-20 Thread Tom Hendrikx
Hi Ken,

maybe fail2ban was upgraded recently on your machine? My ubuntu 16.04
machine (fail2ban version 0.9.3-1) won't read config files too unless I
hand it a full path. This however works for me:

$ cd /etc/fail2ban/filter.d
$ fail2ban-regex /var/log/whatever.log $PWD/myfilter.conf

Kind regards,
Tom


On 20-10-17 00:08, Ken Johnson wrote:
> Hello,
> 
> fail2ban-regex seems to have changed how it works, and I am baffled why.
> 
> It worked differently, I think, prior to last system restart.
> 
> Previously, if my current working directory was the location of the
> filter conf file, I could specify the filter file by name alone.
> Now, I need to specify the full path to the filter file.
> 
> It doesn't seem to matter which filter file I use from this directory.
> 
> Running as root, on files owned by root.  'more' can open the file,
> why not fail2ban-regex?
> 
> Suggestions?
> 
> Thanks.
> 
> Ken
> 
> 
> === session grab begins 
> root@newmail:/etc/fail2ban/filter.d# whoami
> root
> root@newmail:/etc/fail2ban/filter.d# ls -la
> total 40
> drwxr-xr-x 4 root root 4096 Oct 19 15:54 .
> drwxr-xr-x 6 root root 4096 Oct 19 15:25 ..
> -rw-r--r-- 1 root root  263 Oct 19 14:26 apache-404.conf
> -rw-r--r-- 1 root root  252 Oct 19 14:30 apache-408.conf
> -rw-r--r-- 1 root root  340 Oct 19 14:38 apache-any-error.conf
> -rw-r--r-- 1 root root  321 Oct 19 15:48 apache-badmethod.conf
> -rw-r--r-- 1 root root  268 Oct 19 14:31 apache-OpenVAS.conf
> -rw-r--r-- 1 root root  393 Oct 19 14:35 apache-proxy.conf
> drwxr-xr-x 2 root root 4096 Oct 19 15:44 dist-confs
> drwxr-xr-x 2 root root 4096 Oct 18 15:40 ignorecommands
> root@newmail:/etc/fail2ban/filter.d# more apache-404.conf
> # Fail2Ban Configuration File
> #
> # apache-404
> #
> # Author: Ken Johnson
> # Revision: 16 Sep 2016
> #   19 Oct 2017 - for new mailserver
> #
> # Match failed requests
> #
> #
> [Definition]
> 
> failregex = ^ \S* \S* \[.*\] "(GET|POST|HEAD).*" 404 .*$
> 
> root@newmail:/etc/fail2ban/filter.d# fail2ban-regex -v /root/alog/a1.log
> apache-404.conf
> 
> Running tests
> =
> 
> Use   failregex file : apache-404.conf
> ERROR: failed to read apache-404.conf
> root@newmail:/etc/fail2ban/filter.d# 
> 
> 
> --
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> ___
> Fail2ban-users mailing list
> Fail2ban-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
> 

--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users


Re: [Fail2ban-users] unban still happening when recidive bantime = -1

2017-08-17 Thread Tom Hendrikx

On 16-08-17 15:46, Robert Kudyba wrote:
> We are using the custom-firewalld
> at https://github.com/fail2ban/fail2ban/issues/1474#issuecomment-272659488.
> You can see from the logs below that unbans are still happening even
> though bantime  = -1. This is Fedora 26  rpm -q fail2ban:
> fail2ban-0.9.7-2.fc26.noarch. Here are the related jail.local options
> and log snips. Is there some overlap with the ‘findtime' value?
> 
> bantime = 3600
> sender = fail2ban
> action = custom-firewalld
> backend = auto
> mta = sendmail
> 
> #[Definition]
> 
> [sshd]
> enabled = true
> filter   = sshd
> logpath  = /var/log/secure

bantime unset, so default value of 3600 applies

> 
> [sshd-ddos]
> enabled = true
> #port= ssh,sftp
> filter = sshd-ddos
> logpath  = /var/log/secure
> maxretry = 5
> 
> [pam-generic]
> enabled  = true
> # pam-generic filter can be customized to monitor specific subset of 'tty's
> filter   = pam-generic
> # port actually must be irrelevant but lets leave it all for some
> possible uses
> port = all
> banaction = iptables-allports
> logpath  = /var/log/secure
> maxretry = 3
> 
> [recidive]
> enabled  = true
> filter   = recidive
> logpath  = /var/log/fail2ban.log
> action   = custom-firewalld[name=recidive]
>sendmail-whois-lines[name=recidive,
> logpath=/var/log/fail2ban.log]
> bantime  = -1 ; forever
> findtime = 86400   ; 1 day
> maxretry = 5

bantime set, -1 applies

> 
> cat /var/log/fail2ban.log | grep 164.215.170.34
> 2017-08-15 16:41:26,524 fail2ban.filter [1996]: INFO [sshd] Found 164.215.170.34
> 2017-08-15 16:41:26,530 fail2ban.filter [1996]: INFO [pam-generic] Found 164.215.170.34
> 2017-08-15 16:41:26,534 fail2ban.filter [1996]: INFO [sshd] Found 164.215.170.34
> 2017-08-15 16:41:29,132 fail2ban.filter [1996]: INFO [sshd] Found 164.215.170.34
> 2017-08-15 16:41:31,763 fail2ban.filter [1996]: INFO [sshd] Found 164.215.170.34
> 2017-08-15 16:41:35,006 fail2ban.filter [1996]: INFO [sshd] Found 164.215.170.34
> 2017-08-15 16:41:35,744 fail2ban.actions [1996]: NOTICE [sshd] Ban 164.215.170.34

sshd jail banned

> 2017-08-15 16:41:35,746 fail2ban.filter [1996]: INFO [recidive] Found 164.215.170.34

recidive jail found, but not banned!

> 2017-08-15 16:41:36,811 fail2ban.filter [1996]: INFO [sshd] Found 164.215.170.34
> 2017-08-15 16:41:39,525 fail2ban.filter [1996]: INFO [sshd] Found 164.215.170.34
> 2017-08-15 16:41:42,563 fail2ban.filter [1996]: INFO [sshd] Found 164.215.170.34
> 2017-08-15 16:41:45,622 fail2ban.filter [1996]: INFO [sshd] Found 164.215.170.34
> 2017-08-15 16:41:48,273 fail2ban.filter [1996]: INFO [sshd] Found 164.215.170.34
> 2017-08-15 16:41:48,277 fail2ban.filter [1996]: INFO [sshd] Found 164.215.170.34
> 2017-08-15 16:41:48,527 fail2ban.actions [1996]: NOTICE [sshd] 164.215.170.34 already banned

sshd jail banned again

> 2017-08-15 17:41:35,914 fail2ban.actions [1996]: NOTICE [sshd] Unban 164.215.170.34

sshd jail unbanned after 3600 seconds


recidive jail never banned this ip address, so no unbanning took place.
You mistook the sshd jail for the recidive jail.

Kind regards,
Tom



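The check Tom does by hand above (pair each Unban with the Ban in the same jail, and notice that recidive only ever logged "Found") can be scripted. The following Python is an added example written for this page; it is neither part of the thread nor of fail2ban. The log lines are constructed to mimic the format quoted above, and the parser assumes the 0.9-style message wording (Found / Ban / Unban / "already banned", plus "Restore Ban" from 0.10 on); the helper names are my own.

```python
"""Per-jail ban/unban history for one IP, reconstructed from fail2ban.log."""
import re
from collections import defaultdict
from datetime import datetime

# One fail2ban.log record. Tolerates the collapsed spacing seen in pasted
# logs ("INFO[sshd]") and the "fail2ban.actions.action" component of 0.8.x.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+\s+'
    r'fail2ban\.(?P<component>[\w.]+)\s*\[\d+\]:\s+'
    r'(?P<level>[A-Z]+)\s*\[(?P<jail>[^\]]+)\]\s+'
    r'(?P<msg>.*)$'
)

# Constructed sample modelled on the log quoted in the thread (not the
# poster's real log). Timestamps chosen so the sshd ban lasts exactly 3600 s.
SAMPLE_LOG = """\
2017-08-15 16:41:26,524 fail2ban.filter [1996]: INFO [sshd] Found 164.215.170.34
2017-08-15 16:41:26,530 fail2ban.filter [1996]: INFO [pam-generic] Found 164.215.170.34
2017-08-15 16:41:35,744 fail2ban.actions [1996]: NOTICE [sshd] Ban 164.215.170.34
2017-08-15 16:41:35,746 fail2ban.filter [1996]: INFO [recidive] Found 164.215.170.34
2017-08-15 16:41:48,527 fail2ban.actions [1996]: NOTICE [sshd] 164.215.170.34 already banned
2017-08-15 17:41:35,914 fail2ban.actions [1996]: NOTICE [sshd] Unban 164.215.170.34
2017-08-15 17:45:00,000 fail2ban.jail [1996]: INFO Jail 'sshd' uses pyinotify
2017-08-15 18:00:01,000 fail2ban.actions [1996]: NOTICE [recidive] Ban 10.0.0.5
"""


def parse_event(line):
    """Return {'ts', 'jail', 'action', 'ip'} for a ban-related record, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    msg = m.group('msg')
    words = msg.split()
    if msg.startswith('Found '):                 # filter matched a log line
        action, ip = 'found', words[1]
    elif msg.startswith('Restore Ban '):         # 0.10+: ban reloaded from the DB at start
        action, ip = 'ban', words[2]
    elif msg.startswith('Ban '):
        action, ip = 'ban', words[1]
    elif msg.startswith('Unban '):
        action, ip = 'unban', words[1]
    elif msg.endswith(' already banned'):        # found again while the ban is active
        action, ip = 'already_banned', words[0]
    else:
        return None
    return {
        'ts': datetime.strptime(m.group('ts'), '%Y-%m-%d %H:%M:%S'),
        'jail': m.group('jail'),
        'action': action,
        'ip': ip,
    }


def timeline(log_text, ip):
    """All ban-related events for one IP, in log order."""
    events = (parse_event(l) for l in log_text.splitlines())
    return [e for e in events if e and e['ip'] == ip]


def summarize(log_text, ip):
    """{jail: {action: count}}, which shows a jail that only *found* the IP."""
    counts = defaultdict(lambda: defaultdict(int))
    for e in timeline(log_text, ip):
        counts[e['jail']][e['action']] += 1
    return {jail: dict(c) for jail, c in counts.items()}


def jails_that_banned(log_text, ip):
    return {e['jail'] for e in timeline(log_text, ip) if e['action'] == 'ban'}


def ban_durations(log_text, ip):
    """Pair each Unban with the preceding Ban in the same jail; seconds per ban."""
    open_bans, durations = {}, defaultdict(list)
    for e in timeline(log_text, ip):
        if e['action'] == 'ban':
            open_bans[e['jail']] = e['ts']
        elif e['action'] == 'unban' and e['jail'] in open_bans:
            started = open_bans.pop(e['jail'])
            durations[e['jail']].append(int((e['ts'] - started).total_seconds()))
    return dict(durations)


if __name__ == '__main__':
    ip = '164.215.170.34'
    print(summarize(SAMPLE_LOG, ip))          # recidive: only 'found'
    print(jails_that_banned(SAMPLE_LOG, ip))  # {'sshd'}
    print(ban_durations(SAMPLE_LOG, ip))      # {'sshd': [3600]}: that jail's own bantime
```

Run it against a real log with `python3 script.py` after replacing SAMPLE_LOG by the file contents; a ban duration that equals one jail's bantime, while the jail you expected never appears in `jails_that_banned`, is the situation in this thread.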


Re: [Fail2ban-users] ProFtpd DROP net-fw TLS connection from client ftp

2017-08-09 Thread Tom Hendrikx
Hi,

There is a big difference between sftp (SSH file transfer) and ftps (FTP
over SSL).

For SFTP, port 115 seems to be reserved (but I believe most ssh
implementations just use the ssh port (22) for this).
For FTPS, ports 989 (data) and 990 are reserved. It depends on what you
configured in proftpd, maybe it can do both protocols.

The command "sudo netstat -tunlp | grep -i proftp" will show you on
which ports your running instance of proftpd is listening. Then decide
which ports you need to open in your firewall.

Anyway, this is no fail2ban question :)

Good luck,

    Tom Hendrikx

On 09-08-17 10:16, Davide Marchi wrote:
> Il 2017-08-08 21:55 Bill Shirley ha scritto:
>> Looks like you haven't opened up sftp(port 115) in Shorewall.  Post on
>> the
>> shorewall-us...@lists.sourceforge.net list.  Tom Eastep is very helpful.
> 
> 
> I've open the 115 port both with Shorewall and PROFTPD (and restart),
> but with no luck.
> Now I open a post to Shorewall-users!
> 
> 
>>
>> If it were fail2ban blocking traffic, you would see it in the log file.
>>
> 
> 
> Yes I know, but I had the fear of not having read well all the logs..
> 
> 
>> Note if you're not using fail2ban with ipsets actions instead of
>> iptables, you're
>> going to run into problems if you do a 'shorewall restart'.  It will
>> clear your bans.
>>
> 
> 
> I think I'm right in this situation! Obviously I would like to switch to
> Ipsets mode now that you warned me of the danger (and thank you very
> much for that!)
> Could you give me some documentation link to deepen the topic?
> 
> 
>> If you still think the problem could be fail2ban, post your config,
>> action, and log
>> files.
>>
>> Bill
> 
> 
> 
> 
> Many thanks Bill!
> 



Re: [Fail2ban-users] Any way to increase ban probability for previously banned IPs?

2017-06-01 Thread Tom Hendrikx
Hi,

The recidive jail does this , to some extent. Maybe it's already enough
for what you need?

Kind regards,

Tom


On 01-06-17 07:34, Philip Warner wrote:
> I've set up a ban that runs for B time after F fails in T minutes.
> 
> After each IP is un-banned, what I would like to do is, say, decrement F
> (or even halve it) for each IP that was previously banned in a given
> window. Or double B. Or both.
> 
> For example:
> 
> - specific IP banned for 1 hour as a result of 10 fails in 30 min.
> - then un-banned after 1 hour
> 
> I would like something along the lines of:
> 
> - for the next 4 hours will be banned again for one hour for *FIVE*
> fails in 30 min.
> 
> or
> 
> - for the next 4 hours will be banned again for *TWO* hours for *FIVE*
> fails in 30 min.
> 
> etc
> 
> Is this easy/possible?
> 
> I imagine there would be a global 'horizon' setting, and each IP would
> have some kind of "ban severity level" incremented each time it gets
> banned again within the horizon, and decremented each time the horizon
> passes without a ban.
> 
> The ban duration would/could be affected by the "ban severity level" and
> the ban threshold could be similarly affected.
> 
> Does this sound useful?
> 
> 
> 
> 
> 
> 
> 




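As an added illustration (not from the thread, and not a file shipped by fail2ban) of what "the recidive jail does this, to some extent" looks like in configuration, here is a jail.local fragment. It also shows the bantime.increment options that fail2ban 0.11 and later provide for the escalating-duration half of Philip's request; lowering the failure threshold for repeat offenders has no equivalent option that I know of. Version assumptions: the bantime.* keys need 0.11+, the 1h/1d/1w duration syntax and banaction_allports need 0.10+; the numbers are illustrative, and how long the ban history survives is governed by dbpurgeage in fail2ban.conf.

```ini
# jail.local fragment (added example; values illustrative)
[DEFAULT]
# First offence: 10 failures within 30 minutes earn a 1 hour ban
bantime  = 1h
findtime = 30m
maxretry = 10

# fail2ban 0.11+: remember earlier bans in the database and lengthen the ban
# on every repeat: 1h, 2h, 4h, 8h ... up to bantime.maxtime. Note that this
# changes the ban *duration* only; maxretry stays the same for repeat offenders.
bantime.increment    = true
bantime.factor       = 1
bantime.multipliers  = 1 2 4 8 16 32 64
bantime.maxtime      = 1w
# count earlier bans from any jail, not only the one banning now
bantime.overalljails = true

[recidive]
# Re-reads fail2ban's own log: 5 bans by any jail within a day earn a
# one week ban on all ports. Requires fail2ban to log to that file.
enabled   = true
logpath   = /var/log/fail2ban.log
banaction = %(banaction_allports)s
bantime   = 1w
findtime  = 1d
maxretry  = 5
```

After editing, `fail2ban-client reload` and then `fail2ban-client get sshd bantime.increment` (0.11+) confirm the values actually in effect.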


Re: [Fail2ban-users] Is it possible for an ip to be locked again and again after being picked up by the RECIDIVE jail?

2017-04-12 Thread Tom Hendrikx

Hi,

This is probably the problem with asterisk: its UDP. Anyone can send you
packets that appear to come from the IP address that you pick up from
the logs, but there is no proof that that is the actual IP address that
sent the packets, because that is simply how UDP works.

So there is another ip address sending you asterisk packets that *seem*
to come from 195.154.16.40, but they actually come from somewhere else.
So the packets are not actually blocked by fail2ban, because the new
packets don't come from the blocked IP address.

You can test if your filter works OK by generating the bad logins
yourself, from an IP address you know. That should block your access
(and other regular users who have their credentials wrong). But it won't
stop crackers that fake the ip header in the UDP packet. This is the
main reason why an asterisk filter (or any UDP-based filter for that
matter) is not really useful.

It's probably a better idea to block asterisk access using tricks like
banning country ranges that you wouldn't expect any connections from,
but f2b is not the right tool for that.

Kind regards,
Tom

On 12-04-17 15:08, Lawrence wrote:
> Hello, sorry for my bad english.
> 
> I'm a bit confused with the functioning of fail2ban.
> I read a lot and made my own filter and jails to get several SIP
> attackers trying to authenticate devices. The log show lines like this:
> [Apr 12 05:23:06] NOTICE[1645][C-0093] chan_sip.c: Failed to
> authenticate device 1001;tag=5ee3ff7a
> [Apr 12 05:28:35] NOTICE[1645][C-0094] chan_sip.c: Failed to
> authenticate device 222;tag=c2384eab
> 
> Note that there have no IP from attacker.
> I found on google to enable the "security" to /var/log/asterisk/fail2ban
> on /etc/asterisk/logger.conf by add the flowing line to get more
> detailed log:
> fail2ban => security,notice,warning,error
> 
> Now I got the IP from attackers with something like this on my
> /etc/asterisk/fail2ban log file:
> [Apr 11 19:17:53] SECURITY[1704] res_security_log.c:
> SecurityEvent="InvalidPassword",EventTV="2017-04-11T19:17:53.017-0300",Severity="Error",Service="SIP",EventVersion="2",AccountID="001448323395006",SessionID="0x7f16ac00aa08",LocalAddress="IPV4/UDP/10.0.2.15/5060",RemoteAddress="IPV4/UDP/195.154.16.40/5070",Challenge="",ReceivedChallenge="",ReceivedHash=""
> [Apr 11 19:27:42] SECURITY[1704] res_security_log.c:
> SecurityEvent="InvalidPassword",EventTV="2017-04-11T19:27:42.678-0300",Severity="Error",Service="SIP",EventVersion="2",AccountID="001548323395006",SessionID="0x7f16ac00a768",LocalAddress="IPV4/UDP/10.0.2.15/5060",RemoteAddress="IPV4/UDP/195.154.16.40/5070",Challenge="",ReceivedChallenge="",ReceivedHash=""
> 
> I made an filter to get it and it's looks like work ok, because the
> attacker, after 3 times start to going to the iptables chains of my
> filter, and after 5 times on fist jail go to the RECIDIVE jail, that we
> can see with iptables -L -n:
> Chain fail2ban-ast-dev-auth (1 references)
> target     prot opt source           destination
> REJECT     all  --  195.154.16.40    0.0.0.0/0    reject-with icmp-port-unreachable
> RETURN     all  --  0.0.0.0/0        0.0.0.0/0
> 
> Chain fail2ban-recidive (1 references)
> target     prot opt source           destination
> REJECT     all  --  195.154.16.40    0.0.0.0/0    reject-with icmp-port-unreachable
> REJECT     all  --  89.163.210.102   0.0.0.0/0    reject-with icmp-port-unreachable
> REJECT     all  --  85.114.135.111   0.0.0.0/0    reject-with icmp-port-unreachable
> REJECT     all  --  78.31.67.139     0.0.0.0/0    reject-with icmp-port-unreachable
> REJECT     all  --  95.154.217.167   0.0.0.0/0    reject-with icmp-port-unreachable
> REJECT     all  --  89.163.144.106   0.0.0.0/0    reject-with icmp-port-unreachable
> RETURN     all  --  0.0.0.0/0        0.0.0.0/0
> 
> I think it's strange the same IP 195.154.16.40 on both Jails because
> the ban time for ast-dev-auth is 1 hour and RECIDIVE is 1 week.
> Thus I search on logs to understand if the ip 195.154.16.40 go into both
> jail at the same time, because I think it's not possible to get into
> ast-dev-auth again, if the IP was already blocked in RECIDIVE, but...
> 
> cat /var/log/fail2ban.log | grep 195.154.16.40
> 1 time.
> 2017-04-11 14:33:30,843 fail2ban.actions[811]: WARNING [asterisk-device-auth] Ban 195.154.16.40
> 2017-04-11 15:33:30,237 fail2ban.actions[811]: WARNING [asterisk-device-auth] Unban 195.154.16.40
> 2 time.
> 2017-04-11 16:21:10,236 fail2ban.actions[14820]: WARNING [asterisk-device-auth] Ban 195.154.16.40
> 2017-04-11 17:21:10,866 fail2ban.actions[14820]: WARNING [asterisk-device-auth] Unban 195.154.16.40
> 3 time.
> 2017-04-11 18:04:19,238 fail2ban.actions[14

Re: [Fail2ban-users] Customized iptables action

2016-12-28 Thread Tom Hendrikx


On 28-12-16 17:16, Andrea wrote:
>>
>>
>> On 28-12-16 16:04, Andrea wrote:
>>> Hi all.
>>>
>>> I am trying to implement a custom ban action to integrate in my current
>>> iptables setup.
>>> I have created a dedicated chain in order to log connections at iptables
>>> level and I would like for fail2ban to use it as well.
>>> AFAIK what I have so far should work however it keeps giving me errors
>>> in
>>> the logfile:
>>>
>>> 2016-12-28 15:53:24,428 fail2ban.actions.action[19380]: ERROR   iptables
>>> -n -L INPUT | grep -q 'BLOCKED_IP_LOG' returned 100
>>> 2016-12-28 15:53:24,428 fail2ban.actions.action[19380]: ERROR
>>> Invariant
>>> check failed. Trying to restore a sane environment
>>> 2016-12-28 15:53:24,431 fail2ban.actions.action[19380]: ERROR   iptables
>>> -n -L INPUT | grep -q 'BLOCKED_IP_LOG' returned 100
>>> 2016-12-28 15:53:24,431 fail2ban.actions.action[19380]: CRITICAL Unable
>>> to
>>> restore environment
>>>
>>> I don't need actionstart/actionstop since the chain is created in the
>>> firewall script:
>>>
>>> /sbin/iptables -N BLOCKED_IP_LOG
>>> /sbin/iptables -A BLOCKED_IP_LOG -j LOG -m limit --limit 10/min
>>> --log-level 4 --log-prefix 'BLOCKED_IP_LOG: '
>>> /sbin/iptables -A BLOCKED_IP_LOG -j DROP
>>>
>>> This is my custom action configuration (derived from
>>> iptables-multiport):
>>>
>>> root@hpsrv:/etc/fail2ban/action.d# cat iptables-custom.conf
>>>
>>> [INCLUDES]
>>>
>>> before = iptables-blocktype.conf
>>>
>>> [Definition]
>>>
>>> actionstart =
>>>
>>> actionstop =
>>>
>>> # Option:  actioncheck
>>> # Notes.:  command executed once before each actionban command
>>> # Values:  CMD
>>> #
>>> actioncheck = iptables -n -L  | grep -q 'BLOCKED_IP_LOG'
>>>
>>> # Option:  actionban
>>> # Notes.:  command executed when banning an IP. Take care that the
>>> #  command is executed with Fail2Ban user rights.
>>> # Tags:See jail.conf(5) man page
>>> # Values:  CMD
>>> #
>>> actionban = iptables -I  1 -s  -j BLOCKED_IP_LOG
>>>
>>> # Option:  actionunban
>>> # Notes.:  command executed when unbanning an IP. Take care that the
>>> #  command is executed with Fail2Ban user rights.
>>> # Tags:See jail.conf(5) man page
>>> # Values:  CMD
>>> #
>>> actionunban = iptables -D  -s  -j BLOCKED_IP_LOG
>>>
>>> [Init]
>>>
>>> # Default name of the chain
>>> #
>>> name = default
>>>
>>> # Option:  port
>>> # Notes.:  specifies port to monitor
>>> # Values:  [ NUM | STRING ]  Default:
>>> #
>>> port = ssh
>>>
>>> # Option:  protocol
>>> # Notes.:  internally used by config reader for interpolations.
>>> # Values:  [ tcp | udp | icmp | all ] Default: tcp
>>> #
>>> protocol = tcp
>>>
>>> # Option:  chain
>>> # Notesspecifies the iptables chain to which the fail2ban rules
>>> should be
>>> #  added
>>> # Values:  STRING  Default: INPUT
>>> chain = INPUT
>>>
>>>
>>> What am I doing wrong?
>>
>> What happens when you run:
>> /sbin/iptables -N BLOCKED_IP_LOG
> 
> As I've mentioned in my previous mail, the chain is created at OS boot
> when the firewall is initialized.
> Hence BLOCKED_IP_LOG will exists before fail2ban starts.
> 
>> and then execute the failing f2b check command:
>>
>> iptables -n -L INPUT | grep -q 'BLOCKED_IP_LOG'
> 
> The chain is not empty (a few rules are added on firewall init) but I
> don't see why this should be an issue for fail2ban.

The above command is what is used by fail2ban as the actioncheck
command, and it fails because the jump from INPUT to your custom chain
is not there. This is the problem that f2b is reporting in the error log.

You will need to add that jump too in your firewall script, if you
configure f2b to do nothing upon starting the jail (actionstart=).

> 
>>
>> You probably need to alter the "chain = INPUT" variable to contain your
>> custom chain name.
>>
> 
> I'm afraid this will not work because what I need fail2ban to do is add
> the rule to the default INPUT chain with jump to BLOCKED_IP_LOG where the
> packets will be logged then dropped.
> The  parameter is correct.
> 
> Andrea
> 
> 

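Added example, not Andrea's file and not an action shipped with fail2ban: an action.d file that fits the design in this thread (per-IP rules inserted into INPUT that jump to a BLOCKED_IP_LOG chain the firewall script created). One practitioner caveat on the advice above: BLOCKED_IP_LOG ends in an unconditional DROP, so satisfying the original actioncheck by adding a blanket `-j BLOCKED_IP_LOG` jump from INPUT would drop all inbound traffic. What the check actually needs to establish is that the chain exists, which `iptables -n -L BLOCKED_IP_LOG` does (non-zero exit when the chain is missing). The `<chain>` and `<ip>` tags are fail2ban's own; the chain name and the plain `iptables` command (no `-w` locking) follow the poster's setup, and the file name is hypothetical.

```ini
# action.d/iptables-logchain.conf (added example; hypothetical file name)
#
# Per-IP rules go into <chain> (INPUT) and jump to BLOCKED_IP_LOG, a chain
# the firewall boot script already created with its LOG and DROP rules.
[Definition]

# Nothing to create, but fail at jail start if the firewall script did not
# set the chain up (otherwise the problem only shows on the first ban).
actionstart = iptables -n -L BLOCKED_IP_LOG >/dev/null

actionstop =

# Runs before every ban. Test for the chain itself, not for a rule in INPUT
# that references it: before the first ban no such rule exists, so
# "iptables -n -L INPUT | grep -q BLOCKED_IP_LOG" exits 1 and fail2ban logs
# "Invariant check failed". Do not add a blanket "-j BLOCKED_IP_LOG" to INPUT
# to make that grep pass: the chain ends in DROP and would drop all traffic.
actioncheck = iptables -n -L BLOCKED_IP_LOG >/dev/null

actionban = iptables -I <chain> 1 -s <ip> -j BLOCKED_IP_LOG

# Must repeat the exact match specification used in actionban, or -D finds nothing.
actionunban = iptables -D <chain> -s <ip> -j BLOCKED_IP_LOG

[Init]

chain = INPUT
```

With this in place, `fail2ban-client set <jail> banip 192.0.2.1` followed by `iptables -n -L INPUT | head` should show the per-IP jump rule at position 1, and the kernel log should carry the `BLOCKED_IP_LOG:` prefix when that address next connects.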


Re: [Fail2ban-users] Customized iptables action

2016-12-28 Thread Tom Hendrikx


On 28-12-16 16:04, Andrea wrote:
> Hi all.
> 
> I am trying to implement a custom ban action to integrate in my current
> iptables setup.
> I have created a dedicated chain in order to log connections at iptables
> level and I would like for fail2ban to use it as well.
> AFAIK what I have so far should work however it keeps giving me errors in
> the logfile:
> 
> 2016-12-28 15:53:24,428 fail2ban.actions.action[19380]: ERROR   iptables
> -n -L INPUT | grep -q 'BLOCKED_IP_LOG' returned 100
> 2016-12-28 15:53:24,428 fail2ban.actions.action[19380]: ERROR   Invariant
> check failed. Trying to restore a sane environment
> 2016-12-28 15:53:24,431 fail2ban.actions.action[19380]: ERROR   iptables
> -n -L INPUT | grep -q 'BLOCKED_IP_LOG' returned 100
> 2016-12-28 15:53:24,431 fail2ban.actions.action[19380]: CRITICAL Unable to
> restore environment
> 
> I don't need actionstart/actionstop since the chain is created in the
> firewall script:
> 
> /sbin/iptables -N BLOCKED_IP_LOG
> /sbin/iptables -A BLOCKED_IP_LOG -j LOG -m limit --limit 10/min
> --log-level 4 --log-prefix 'BLOCKED_IP_LOG: '
> /sbin/iptables -A BLOCKED_IP_LOG -j DROP
> 
> This is my custom action configuration (derived from iptables-multiport):
> 
> root@hpsrv:/etc/fail2ban/action.d# cat iptables-custom.conf
> 
> [INCLUDES]
> 
> before = iptables-blocktype.conf
> 
> [Definition]
> 
> actionstart =
> 
> actionstop =
> 
> # Option:  actioncheck
> # Notes.:  command executed once before each actionban command
> # Values:  CMD
> #
> actioncheck = iptables -n -L  | grep -q 'BLOCKED_IP_LOG'
> 
> # Option:  actionban
> # Notes.:  command executed when banning an IP. Take care that the
> #  command is executed with Fail2Ban user rights.
> # Tags:See jail.conf(5) man page
> # Values:  CMD
> #
> actionban = iptables -I  1 -s  -j BLOCKED_IP_LOG
> 
> # Option:  actionunban
> # Notes.:  command executed when unbanning an IP. Take care that the
> #  command is executed with Fail2Ban user rights.
> # Tags:See jail.conf(5) man page
> # Values:  CMD
> #
> actionunban = iptables -D  -s  -j BLOCKED_IP_LOG
> 
> [Init]
> 
> # Default name of the chain
> #
> name = default
> 
> # Option:  port
> # Notes.:  specifies port to monitor
> # Values:  [ NUM | STRING ]  Default:
> #
> port = ssh
> 
> # Option:  protocol
> # Notes.:  internally used by config reader for interpolations.
> # Values:  [ tcp | udp | icmp | all ] Default: tcp
> #
> protocol = tcp
> 
> # Option:  chain
> # Notesspecifies the iptables chain to which the fail2ban rules should be
> #  added
> # Values:  STRING  Default: INPUT
> chain = INPUT
> 
> 
> What am I doing wrong?

What happens when you run:
/sbin/iptables -N BLOCKED_IP_LOG

and then execute the failing f2b check command:

iptables -n -L INPUT | grep -q 'BLOCKED_IP_LOG'

You probably need to alter the "chain = INPUT" variable to contain your
custom chain name.

> 
> Thanks
> 
> 



Re: [Fail2ban-users] Adjust fail2ban log to include affected domain

2016-11-29 Thread Tom Hendrikx

On 28-11-16 23:40, Matthew Demaree wrote:
> It's great the log tells me what bans and what is unbanned or what
> IPs were found to violate a jail, but I am really interested in
> knowing which domain the offense was triggered against.
> 
> Example:
> 
> Currently 2016-11-28 16:52:44,838 filter   [jail-example] Found
> 123.45.67.89
> 
> What I want to see: 2016-11-28 16:54:52,886 filter   [jail-example]
> Found 123.45.67.89 - example.com 
> 

Hi Matthew,

I guess you mean 'domain' in the context of a webserver? Your webserver
should then generate separate log files per domain, and you should
create a jail for each logfile. The jailname can refer to the domain you
are monitoring.

Regards,
Tom



Re: [Fail2ban-users] Error running non-shared postrotate script for /var/log/fail2ban.log of '/var/log/fail2ban.log '

2016-11-25 Thread Tom Hendrikx


On 25-11-16 14:05, dan...@msw.it wrote:
> Il 2016-11-24 21:47 Tom Hendrikx ha scritto:
>>
>> You made a typo in the config file, which made fail2ban fail on an
>> earlier restart. The logrotate just tripped over the fact that f2b
>> wasn't running some days later.
>>
>> Please show us your jail and filter config for the postfix-disc jail,
>> but my first guess would be that you setup the jail using
>>
>> logfile=%(syslog_mail)s
>>
>> but the variable 'syslog_mail' is not defined anywhere.
>>
>> Kind regards,
>>  Tom
> 
> Well Tom!
> I've changed on "/etc/fail2ban/jail.conf"
> 
> from
> logfile=%(syslog_mail)s
> 
> to
> logpath  = /var/log/mail.log
> 
> then I've added the filter for postfix-disc:
> 
> [postfix-disc]
> 
> filter = postfix-disc
> 
> 
> now, on /etc/fail2ban/filter.d/postfix-disc.conf remain some errors:
> 
> nov 25 12:47:10 server fail2ban[32404]: ERROR  Failed during 
> configuration: File contains parsing errors: 
> /etc/fail2ban/filter.d/postfix-disc.conf
> nov 25 12:47:10 server fail2ban[32404]: [line 12]: 
> '(AUTH|STARTTLS|NOOP|EHLO|RCPT|UNKNOWN) from .*\\..*\\[\\]$\n'
> nov 25 12:47:10 server fail2ban[32404]: [line 13]: 
> '^%(__prefix_line)sdisconnect from unknown\\[\\]$\n'
> nov 25 12:47:10 server fail2ban[32404]: failed!
> 
> 
> This is my postfix-disc.conf:
> 
> 
> # Fail2Ban filter for postfix lost connections
> #
> [INCLUDES]
> 
> before = common.conf
> 
> [Definition]
> 
> _daemon = postfix/smtpd
> 
> failregex = ^%(__prefix_line)slost connection after
> (AUTH|STARTTLS|NOOP|EHLO|RCPT|UNKNOWN) from .*\..*\[\]$
> ^%(__prefix_line)sdisconnect from unknown\[\]$

This part is messed up. It should probably be something like:

failregex = ^%(__prefix_line)slost connection after
(AUTH|STARTTLS|NOOP|EHLO|RCPT|UNKNOWN) from .*\..*\[\]$
^%(__prefix_line)sdisconnect from unknown\[\]$

Note: these are two lines, not three (watch for wrapping lines)! First
line contains the complete regex for 'lost connection after AUTH ...
[}$', the next line is indented, and contains the regex for
'disconnect from unknown...'.

IMHO the second regex should not be monitored by f2b, but that's your call.

Kind regards,
Tom

> 
> ignoreregex =
> 
> # Author: Nick Howitt
> 
> 
> many many thanks for your help! :-)
> 
> 
> 
> 



Re: [Fail2ban-users] Error running non-shared postrotate script for /var/log/fail2ban.log of '/var/log/fail2ban.log '

2016-11-24 Thread Tom Hendrikx
On 24-11-16 19:06, dan...@msw.it wrote:
> Hi friends,
> on my first VPS Debian Jessie and Postfix/Dovecot, and
> I've found this error on root mail:
> 
> 
> /etc/cron.daily/logrotate:
> ERROR  Unable to contact server. Is it running?
> error: error running non-shared postrotate script for 
> /var/log/fail2ban.log of '/var/log/fail2ban.log '
> run-parts: /etc/cron.daily/logrotate exited with return code 1
> 
> 
> 
> Then if I go to /var/log/fail2ban.log it's empty, and only 
> /var/log/fail2ban.log.1 contains content, but the last of nine days ago.
> so I checked if the fail2ban service is active:
> 
> service fail2ban status
> ● fail2ban.service - LSB: Start/stop fail2ban
> Loaded: loaded (/etc/init.d/fail2ban)
> Active: active (exited) since mar 2016-11-15 23:10:13 CET; 1 weeks 1 
> days ago
>Process: 7955 ExecStop=/etc/init.d/fail2ban stop (code=exited, 
> status=0/SUCCESS)
>Process: 7963 ExecStart=/etc/init.d/fail2ban start (code=exited, 
> status=0/SUCCESS)
> 
> nov 15 23:10:13 server fail2ban[7963]: Starting authentication failure 
> monitor: fail2banERROR  Failed during configuration: Bad value 
> substitution:
> nov 15 23:10:13 server fail2ban[7963]: section: [postfix-disc]
> nov 15 23:10:13 server fail2ban[7963]: option : logpath
> nov 15 23:10:13 server fail2ban[7963]: key: syslog_mail
> nov 15 23:10:13 server fail2ban[7963]: rawval :
> nov 15 23:10:13 server fail2ban[7963]: failed!
> 
> 
> Could you kindly tell me what caused and possibly how to remedy the 
> problem? :-)
> 

You made a typo in the config file, which made fail2ban fail on an
earlier restart. The logrotate just tripped over the fact that f2b
wasn't running some days later.

Please show us your jail and filter config for the postfix-disc jail,
but my first guess would be that you setup the jail using

logfile=%(syslog_mail)s

but the variable 'syslog_mail' is not defined anywhere.

Kind regards,
Tom





Re: [Fail2ban-users] Understanding hierarchically-nested regular expressions used in fail2ban

2016-11-24 Thread Tom Hendrikx
Hi,

That is indeed not regular expression syntax, it is python string
formatting, used to generate the regex. This string is used also in the
fail2ban config files in various distros to setup jails (although I
think that the config file gets less readable from this, especially for
non-programmers, but none of that is related to your question).

See
https://docs.python.org/3/library/stdtypes.html#printf-style-string-formatting
for details on %(...)s syntax.

Regards,
Tom

On 24-11-16 21:17, pjc...@fastmail.fm wrote:
> Hello,
>  I'm new to this list.  I'm familiar with regular expressions but
> there's one aspect of failregex's that I do not understand - the nesting
> aspect.  Take, for instance, this example from "apache-badbots.conf"
> which comes with the installer in the filters.d/ directory:
> 
> badbotscustom = EmailCollector|WebEMailExtrac|TrackBack/1\.02|sogou
> music spider
> badbots =
> Atomic_Email_Hunter/4\.0|atSpider/1\.0|autoemailspider|bwh3_user_agent  
> ...etc...etc...etc...
> 
> failregex = ^
> -.*"(GET|POST|HEAD).*HTTP.*"(?:%(badbots)s|%(badbotscustom)s)"$
> 
> 
> The part that I don't understand is this: 
> "(?:%(badbots)s|%(badbotscustom)s)"
>...If that is a part of standard Posix regular expressions (or perl
> extensions), I was not aware of it.  So what is it?  I can see that the
> "%(badbots)" is probably getting replaced by the big long or'ed regular
> expression above ...but what about the "s" after the last closing
> parenthesis?  And I do not understand the "(? ... )"  ...what does it
> mean to have an expression that is entirely enclosed in this
> parenthesized expression with a question mark after the first opening
> parenthesis? 
> 
> Thanks in advance for any help.
> 
> 
> 
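The two threads above (the "Bad value substitution" error and the `%(badbots)s` question) come down to the same mechanism, so here is one added example, not code from the list or from fail2ban itself: the `%(name)s` references in fail2ban's filter and jail files are the interpolation syntax of Python's `configparser`, which fail2ban builds on. The snippet renders a badbots-style failregex from a constructed filter fragment, matches it against constructed access-log lines, and shows which undefined key makes a jail fragment fail. `<HOST>` is fail2ban's placeholder; a simplified IPv4 pattern stands in for it here.

```python
import configparser
import re

# Constructed filter fragment in the style of apache-badbots.conf (not the real file).
# %(badbots)s / %(badbotscustom)s are configparser references: "%(name)" names the
# option, the trailing "s" is the printf-style conversion. (?:...) is an ordinary
# non-capturing regex group; it only groups the alternatives, capturing nothing.
FILTER_CONF = r"""
[Definition]
badbotscustom = EmailCollector|WebEMailExtrac|TrackBack/1\.02|sogou music spider
badbots = Atomic_Email_Hunter/4\.0|atSpider/1\.0|autoemailspider|bwh3_user_agent
failregex = ^<HOST> -.*"(GET|POST|HEAD).*HTTP.*"(?:%(badbots)s|%(badbotscustom)s)"$
"""

# Constructed jail fragments: the broken one references a key nobody defined,
# the fixed one defines it in [DEFAULT], which every section inherits from.
BROKEN_JAIL = """
[postfix-disc]
enabled = true
logpath = %(syslog_mail)s
"""

FIXED_JAIL = """
[DEFAULT]
syslog_mail = /var/log/mail.log

[postfix-disc]
enabled = true
logpath = %(syslog_mail)s
"""

# Simplified stand-in for fail2ban's <HOST> placeholder (assumption: IPv4 only).
HOST_RE = r"(?:\d{1,3}\.){3}\d{1,3}"


def _parser(conf_text):
    # BasicInterpolation is the %(name)s expansion used by fail2ban's config loader.
    cp = configparser.ConfigParser(interpolation=configparser.BasicInterpolation())
    cp.read_string(conf_text)
    return cp


def missing_key(conf_text, section, option):
    """Return the undefined key that makes section/option fail to interpolate, or None."""
    try:
        _parser(conf_text).get(section, option)
    except configparser.InterpolationMissingOptionError as exc:
        # This is the exception behind fail2ban's "Bad value substitution" message.
        return exc.reference
    return None


def render_failregex(conf_text):
    """Expand the %(...)s references in failregex and turn <HOST> into a named group."""
    regex = _parser(conf_text).get("Definition", "failregex")
    return regex.replace("<HOST>", "(?P<host>%s)" % HOST_RE)


def find_host(regex, line):
    """Return the host the rendered failregex captures, or None when the line does not match."""
    m = re.search(regex, line)
    return m.group("host") if m else None


# Constructed access-log lines: one from a user agent on the bad-bots list, one benign.
BOT_LINE = ('203.0.113.5 - - [12/Mar/2016:10:00:00 +0000] '
            '"GET /contact HTTP/1.1" 200 512 "-" "EmailCollector"')
BENIGN_LINE = ('198.51.100.7 - - [12/Mar/2016:10:00:01 +0000] '
               '"GET / HTTP/1.1" 200 12 "-" "Mozilla/5.0"')

if __name__ == "__main__":
    print(missing_key(BROKEN_JAIL, "postfix-disc", "logpath"))  # syslog_mail
    print(missing_key(FIXED_JAIL, "postfix-disc", "logpath"))   # None
    regex = render_failregex(FILTER_CONF)
    print(regex)
    print(find_host(regex, BOT_LINE), find_host(regex, BENIGN_LINE))  # 203.0.113.5 None
```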






Re: [Fail2ban-users] Fail2ban fails to start when mta = mail

2016-11-06 Thread Tom Hendrikx
On 04-11-16 15:47, Dave Macias wrote:
> Hello,
> 
> Currently we have a basic postfix setup to send mail from the local box.
> 
> This works:
>> echo "message" | mail -s subject em...@email.com  
> 
> i have a jail under jail.d called sshd2.local
> 
>> [DEFAULT]
>> ignoreip = 127.0.0.1/8  
>> destemail = ad...@email.org
>> sendername = Fail2Ban
>> mta = sendmail
>> #mta = mail
>> action = %(action_mwl)s
>> 
>> [sshd2]
>> enabled = true
>> filter = sshd2
>> port = 
>> findtime = 3600
>> logpath = /var/log/sshd2
>> maxretry = 6
>> # 24 hours
>> bantime = 86400
> 
> I configured sendmail to work but I prefer using postfix. (don't want to
> maintain multiple methods of sending mail)
> 
> when I set mta=mail fail2ban fails to start and I don't get much output:

The config option 'mta' is a misnomer, since it does not set an actual
MTA to use, but a commandline tool that provides email sending service.

Both SendMail (the MTA, not the spelling) and postfix provide a
'sendmail' binary, and have compatible commandline interfaces. The
'mail' command is a different binary, provided by a typical non-MTA
package (on Ubuntu: mailutils).

If you want to use postfix, remove all of SendMail, install postfix, and
check that you have a 'sendmail' binary (e.g.: sudo which sendmail).
Then configure fail2ban to use 'sendmail'.

Kind regards,
Tom





Re: [Fail2ban-users] samba

2016-10-15 Thread Tom Hendrikx
I don't think that f2b can deal with such a nasty logging setup. You
should find a way to:

- get the ip in the logfile contents, instead of in the log file name
- get a steady log file name, f.i. samba.log.

I haven't used samba in ages, google top hit at
http://www.oreilly.com/openbook/samba/book/ch04_08.html seems to
indicate that you fix the latter in various ways. Maybe when you tinker
with debug level, you can also get an ip address in the error line...

so no idea if that is possible, but maybe you get it to log to syslog?

On 15-10-16 14:20, Pol Hallen wrote:
>> You need to show us some logs from samba that include a failed auth
>> attempt. You have lots of them, when you're seeing brute-force attempts ;)
> 
> Hello Tom, thanks for your reply :)
> 
> every PC that tries to connect with wrong credentials produces on the samba server
> a log like this:
> 
> [2016/10/15 14:14:38.371368,  2] 
> ../source3/auth/auth.c:315(auth_check_ntlm_password)
>check_ntlm_password:  Authentication for user [admin] -> [admin] 
> FAILED with error NT_STATUS_WRONG_PASSWORD
> 
> fail2ban should check not only a log file but all files:
> 
> 192.168.34.1.log
> 192.168.34.2.log
> 192.168.34.3.log
> 192.168.34.4.log
> [...]
> 
> every log file match with a PC
> 
> thanks for help
> 
> Pol
> 
> 






Re: [Fail2ban-users] samba

2016-10-15 Thread Tom Hendrikx
On 14-10-16 17:35, Pol Hallen wrote:
> Hi all :-)
> 
> I use version 0.8.13
> 
> I didn't find any way to block samba bruteforce :-/

You need to show us some logs from samba that include a failed auth
attempt. You have lots of them, when you're seeing brute-force attempts ;)

> 
> Clearly I mean samba in LAN area

That shouldn't matter.
> 
> Any idea?
> 
> thanks!
> 
> Pol
> 
> 






Re: [Fail2ban-users] block smtp auth if successful logins come from different IPs in a very short period of time

2016-09-14 Thread Tom Hendrikx


On 14-09-16 15:28, Marcus Schopen wrote:
> Hi,
> 
> I use fail2ban to block smtp auth failures. A few weeks ago a notebook
> was infected and after that I saw massive logins using this account on my
> smtp relay from worldwide fast changing IPs. Ratelimits on smtp auth
> users blocked most of those messages, but before I could close that
> account some spam was sent. Therefore I'm looking for a way to figure
> out if successful smtp auth logins are coming in a short period of time
> from different IPs, possibly combining with geoip.
> 

Fail2ban always keeps count based on ip address, so counts from
different addresses can never be handled by fail2ban. You should apply
this kind of limit using a policy on your MTA.

Using postfix, you could write a simple policy daemon that is able to
keep track of the number of auth attempts per user (or per user per ip
address) over time. See http://www.postfix.org/SMTPD_POLICY_README.html
for details.

Kind regards,
Tom
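An added example of the per-user policy check Tom suggests (not code from the thread, from postfix or from fail2ban): it parses the attribute/value request that postfix's check_policy_service sends, keeps a sliding window of the distinct client addresses seen per SASL user, and answers with DUNNO or DEFER_IF_PERMIT. The attribute names (`sasl_username`, `client_address`, `protocol_state`) are the ones SMTPD_POLICY_README documents; the window size, threshold and sample requests are constructed, and the example assumes the request text has already been read from the policy socket.

```python
import time
from collections import defaultdict, deque


class AuthSpreadTracker:
    """Sliding window of (timestamp, client ip) per authenticated user."""

    def __init__(self, window_seconds=300, max_distinct_ips=3):
        self.window = window_seconds
        self.limit = max_distinct_ips
        self._seen = defaultdict(deque)  # user -> deque of (timestamp, ip), oldest first

    def record(self, user, ip, now=None):
        """Record one authenticated session; return the distinct IPs seen in the window."""
        now = time.time() if now is None else now
        q = self._seen[user]
        q.append((now, ip))
        while q and q[0][0] < now - self.window:  # drop entries that aged out
            q.popleft()
        return len({addr for _, addr in q})

    def too_spread(self, user, ip, now=None):
        return self.record(user, ip, now) > self.limit


def parse_request(text):
    """Parse one policy request: name=value lines terminated by an empty line."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def policy_response(tracker, text, now=None):
    """Return the reply postfix expects ("action=...\\n\\n") for one request."""
    req = parse_request(text)
    user = req.get("sasl_username", "")
    ip = req.get("client_address", "")
    # Only authenticated submissions, checked once at RCPT time, are of interest.
    if not user or req.get("protocol_state") != "RCPT":
        return "action=DUNNO\n\n"
    if tracker.too_spread(user, ip, now):
        # Temporary failure: a hijacked account keeps working from its usual place
        # once the window empties, while the flood of other addresses is held back.
        return "action=DEFER_IF_PERMIT Too many client addresses for this account\n\n"
    return "action=DUNNO\n\n"


def make_request(ip, user="alice", state="RCPT"):
    """Build a constructed request in the wire format (a subset of what postfix sends)."""
    return (
        "request=smtpd_access_policy\n"
        "protocol_state=%s\n"
        "protocol_name=ESMTP\n"
        "client_address=%s\n"
        "sasl_method=PLAIN\n"
        "sasl_username=%s\n"
        "sender=%s@example.net\n"
        "recipient=someone@example.org\n"
        "\n"
    ) % (state, ip, user, user)


def simulate(events, window_seconds=60, max_distinct_ips=2):
    """Replay (offset_seconds, ip) events for one user; return the action keyword per event."""
    tracker = AuthSpreadTracker(window_seconds, max_distinct_ips)
    t0 = 1_473_000_000  # arbitrary constructed epoch
    return [policy_response(tracker, make_request(ip), now=t0 + dt).split()[0]
            for dt, ip in events]


if __name__ == "__main__":
    # Three addresses inside one minute trip the limit; two minutes later the window is clear.
    events = [(0, "198.51.100.10"), (1, "203.0.113.20"), (2, "192.0.2.30"), (120, "198.51.100.10")]
    for (dt, ip), action in zip(events, simulate(events)):
        print("+%3ds %-14s %s" % (dt, ip, action))
```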



Re: [Fail2ban-users] Persistent ssh bots

2016-09-09 Thread Tom Hendrikx


On 09-09-16 08:49, Mitchell Krog Photography wrote:
> Saw one reply this morning about changing SSH to a different port. Not
> sure why people go changing their SSH port from 22 to something else,
> does not achieve anything, might just make you feel more secure. Go read
> about security through obscurity. If someone thinks you are hiding
> something you give them reason to go digging deeper looking for it.

Fail2ban does stop the mindless bot trying a dictionary attack on any
found ssh server. It doesn't stop a hacker that is already interested in
you, and is specifically trying to get into your machine. When you get
that kind of attention, fail2ban cannot help you (and isn't meant to be
of help then).

As long as the first category (mindless bots) is 99.9% of the traffic
hitting your ssh server, fail2ban works great within its limits. These
bots aren't interested in digging deeper, they just move on to a next
possible target.

> 
> All my SSH runs on port 22 across 9 different servers. They are all
> accessed using non password logins using certificates. They all run
> Fail2ban and all attackers get perma-banned. One attack of 3 attempts
> and it goes into recidive forever with the bantime set to -1 and also
> gets reported to bad IP’s.com.
> 
> In addition I run a daily cron which download sets of IP’s from
> BADips.com  and generates a hosts.deny file on every
> server which keeps out 99% and then the other 1% are caught and reported
> to badips.com  which strengthens the badips.com
> defense system too.
> 
> You can get that script from here
> - https://github.com/mitchellkrogza/fail2ban-useful-scripts
> 
> Be harsh with recidive when it comes to SSH if anyone _but you_ is
> trying to connect to your SSH port they are sniffing and up to no good,
> block them out and be done with them.
> 
> KR
> Mitchell
>  
> 
> 
> 
> 
> From: Nick Howitt  
> Date: 09 September 2016 at 8:07:41 AM
> To: Grant  ,
> fail2ban-users@lists.sourceforge.net
> 
> 
> Subject: Re: [Fail2ban-users] Persistent ssh bots
> 
>> Shut the WAN SSH port completely then use OpenVPN to get on to your
>> LAN and access SSH as if you are connected to the LAN.
>>
>> On 08/09/2016 22:15, Grant wrote:
>>> What do you guys do about ssh bots that are repeatedly banned every 10 
>>> minutes?
>>>
>>> - Grant
>>>
>>
> 
> 
> 



Re: [Fail2ban-users] fail2ban doesn't ban

2016-05-31 Thread Tom Hendrikx


On 31-05-16 11:17, Christophe Millon wrote:
> I have this line in my configuration file
> /etc/fail2ban/filter.d/shd.conf : ^%(__prefix_line)sReceived disconnect
> from : 11:  \[preauth\]\s*$

Is this filename 'shd.conf' correct? Does that match your jail config?
Can you show us your jail.conf, and the logging that a restart of
fail2ban produces with the config?

Regards,
Tom



Re: [Fail2ban-users] getting IP address out of postfix logline that doesn't have the IP ?

2016-04-13 Thread Tom Hendrikx


On 13-04-16 00:03, jaso...@mail-central.com wrote:
> I have a postfix postqueue Amavis filter set up to do A/V scanning.
> 
> Right now, it's configured to DISCARD virus-tagged content.
> 
> It works as far as detection and discard goes.
> 
> I want to run fail2ban over the Postfix logs to identify the IP of the Virus 
> sender, and set a firewall block for awhile.
> 
> But if you look at the log for the postqueue filter's rejection message at 
> postscreen, it does NOT have the IP address.
> 
> Other log lines have it, but not the one reject message.
> 
>   Apr 11 04:24:08 mail01 postfix/postscreen[7312]: CONNECT from 
> [104.44.131.209]:1024 to [192.0.1.17]:25
>   Apr 11 04:24:14 mail01 postfix/postscreen[7312]: PASS NEW 
> [104.44.131.209]:1024
>   Apr 11 04:24:14 mail01 postfix/psint/smtpd[7319]: connect from 
> ldoquy20.cloudapp.net[104.44.131.209]
>   Apr 11 04:24:15 mail01 postfix/psint/smtpd[7319]: NOQUEUE: 
> client=ldoquy20.cloudapp.net[104.44.131.209]
>   Apr 11 04:24:15 mail01 postfix/postqreturn/smtpd[7326]: connect from 
> localhost[127.0.0.1]
>   Apr 11 04:24:15 mail01 postfix/postqreturn/smtpd[7326]: 
> 4ql0LCJHvGz3J39: client=localhost[127.0.0.1]
>   Apr 11 04:24:15 mail01 postfix/cleanup[7327]: 4ql0LCJHvGz3J39: 
> message-id=
>   Apr 11 04:24:16 mail01 postfix/qmgr[20856]: 4ql0LCJHvGz3J39: 
> from=, size=3301, nrcpt=1 (queue active)
>>> Apr 11 04:24:16 mail01 postfix/psint/smtpd[7319]: proxy-accept: 
>>> END-OF-MESSAGE: 250 2.7.0 Ok, discarded, id=06097-01 - INFECTED: 
>>> Porcupine.Malware.36603.UNOFFICIAL; from= 
>>> to= proto=ESMTP helo=
>   Apr 11 04:24:16 mail01 postfix/psint/smtpd[7319]: disconnect from 
> ldoquy20.cloudapp.net[104.44.131.209] ehlo=1 mail=1 rcpt=1 data=1 quit=1 
> commands=5
> 
> This is different than the other postfix log messages that show a REJECT.  
> They have the IP address and I can act on it directly in a fail2ban-detected 
> line.
> 
> How do I reliably get the fail2ban actionable IP out of this one line match , 
> and into a filter? 

There is no ip address, so you can't. You're accepting-then-discarding
the message, so I'm assuming you don't want to let the sender know that
you detected the virus. But then there's no reason to block the sender
for subsequent deliveries in your firewall either, as the sender will
notice that too (depending on the sender actually noticing anything
you're doing, which is questionable when it's a spammer).

If the REJECT log message does have an ip address in the response, I
suggest you start using that.

Regards,
Tom



Re: [Fail2ban-users] fail2ban seems to delete my NAT Firewall rules

2016-04-08 Thread Tom Hendrikx
Hi,


You have firewall rules disappearing out of the blue, and you also have
fail2ban chains missing out of the blue (see error log below).

It seems you need to look for a third process meddling with your
firewall: both the f2b and your loadbalancer rules are ruined by some
other process.

Regards,
Tom

On 08-04-16 03:44, Alexander R. Gruber wrote:
> Hello Bill,
> 
> there is no Load-Balancer on the machine. The machine is a simple
> webnode, where a loadbalancer sends requests to, which are then answered
> by the node - directly to the requesting client.
> This is done by simple iptable rules:
> 
> root@xxx:/etc/network/if-pre-up.d# iptables -L -t nat
> 
> Chain PREROUTING (policy ACCEPT)
> 
> target prot opt source   destination
> 
> DNAT   tcp  --  anywhere 185.55.25.xxxtcp dpt:http 
> to:185.55.25.xxx:80
> 
> DNAT   tcp  --  anywhere 185.55.25.xxxtcp dpt:https 
> to:185.55.25.xxx:443
> 
> 
> it seems like f2b has trouble managing it's chains on my machine. The
> chains just vanish at some point.
> 
> root@xxx:~# iptables -L -n
> 
> Chain INPUT (policy ACCEPT)
> 
> target prot opt source   destination
> 
> Chain FORWARD (policy ACCEPT)
> 
> target prot opt source   destination
> 
> Chain OUTPUT (policy ACCEPT)
> 
> target prot opt source   destination
> 
> They seem to get lost - and afterwards I get the "already banned"
> entries in the log.
> Before the "already banned" problem - this seems to happen:
> 
> 2016-04-06 08:53:19,351 fail2ban.filter [3526]: INFO[ssh] Found 
> 146.0.77.xxx
> 
> 2016-04-06 08:53:19,352 fail2ban.filter [3526]: INFO[sshd] Found 
> 146.0.77.xxx
> 
> 2016-04-06 08:53:19,577 fail2ban.filter [3526]: INFO[ssh] Found 
> 146.0.77.xxx
> 
> 2016-04-06 08:53:19,578 fail2ban.filter [3526]: INFO[sshd] Found 
> 146.0.77.xxx
> 
> 2016-04-06 08:53:21,608 fail2ban.filter [3526]: INFO[sshd] Found 
> 146.0.77.xxx
> 
> 2016-04-06 08:53:21,609 fail2ban.filter [3526]: INFO[ssh] Found 
> 146.0.77.xxx
> 
> 2016-04-06 08:53:21,731 fail2ban.actions[3526]: NOTICE  [sshd] Ban 
> 146.0.77.xxx
> 
> 2016-04-06 08:53:21,836 fail2ban.action [3526]: ERROR   iptables -w 
> -n -L INPUT | grep -q 'f2b-sshd[ \t]' -- stdout: ''
> 
> 2016-04-06 08:53:21,836 fail2ban.action [3526]: ERROR   iptables -w 
> -n -L INPUT | grep -q 'f2b-sshd[ \t]' -- stderr: ''
> 
> 2016-04-06 08:53:21,836 fail2ban.action [3526]: ERROR   iptables -w 
> -n -L INPUT | grep -q 'f2b-sshd[ \t]' -- returned 1
> 
> 2016-04-06 08:53:21,836 fail2ban.CommandAction  [3526]: ERROR   Invariant 
> check failed. Trying to restore a sane environment
> 
> 2016-04-06 08:53:21,941 fail2ban.action [3526]: ERROR   iptables -w 
> -D INPUT -p tcp -m multiport --dports ssh -j f2b-sshd
> 
> iptables -w -F f2b-sshd
> 
> iptables -w -X f2b-sshd -- stdout: ''
> 
> 2016-04-06 08:53:21,941 fail2ban.action [3526]: ERROR   iptables -w 
> -D INPUT -p tcp -m multiport --dports ssh -j f2b-sshd
> 
> iptables -w -F f2b-sshd
> 
> iptables -w -X f2b-sshd -- stderr: "iptables v1.4.21: Couldn't load target 
> `f2b-sshd':No such file or directory\n\nTry `iptables -h' or 'iptables 
> --help' for more information.\niptables: No chain/target/match by that 
> name.\niptables: No chain/target/match by that name.\n"
> 
> 2016-04-06 08:53:21,941 fail2ban.action [3526]: ERROR   iptables -w 
> -D INPUT -p tcp -m multiport --dports ssh -j f2b-sshd
> 
> iptables -w -F f2b-sshd
> 
> iptables -w -X f2b-sshd -- returned 1
> 
> 2016-04-06 08:53:21,942 fail2ban.actions[3526]: ERROR   Failed to 
> execute ban jail 'sshd' action 'iptables-multiport' info 
> 'CallingMap({'ipjailmatches':  at 0x7f3f3dfff938>, 
> 'matches': u'Apr  6 08:53:19 bmn1 sshd[15131]: Invalid user ftpuser from 
> 146.0.77.xxx\nApr  6 08:53:19 bmn1 sshd[15131]: pam_unix(sshd:auth): 
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser= 
> rhost=146.0.77.xxx \nApr  6 08:53:21 bmn1 sshd[15131]: Failed password for 
> invalid user ftpuser from 146.0.77.xxx port 50352 ssh2', 'ip': 
> '146.0.77.xxx', 'ipmatches':  at 0x7f3f3dfff848>, 
> 'ipfailures':  at 0x7f3f3dfff7d0>, 'time': 1459925601.7313, 
> 'failures': 3, 'ipjailfailures':  at 0x7f3f3dfff758>})': 
> Error stopping action
> 
> 
> The "fail2ban.action" Errors seem to span all jails, so I guess there is
> something wrong going on here.
> 
> My config in /etc/fail2ban/jail.local:
> 
> # Fail2Ban configuration file.
> #
> # This file was composed for Debian systems from the original one
> # provided now under /usr/share/doc/fail2ban/examples/jail.conf
> # for additional examples.
> #
> # Comments: use '#' for comment lines and ';' for inline comments
> #
> # To avoid merges during upgrades DO NOT MODIFY THIS FILE
> # and rather provide your changes in /etc/fail2ban/jail.local
> #
> 
> # The DEFAULT allows a glob

Re: [Fail2ban-users] What do you recommend for usedns setting?

2016-02-22 Thread Tom Hendrikx



On 22-02-16 17:57, Atnakus Arzah wrote:
> While looking through the fail2ban log files I noticed log lines 
> such as below:
> 
> 2016-02-21 18:25:07,598 fail2ban.filter [12834]: WARNING 
> Determined IP using DNS Lookup: node1.i-surveillance.pro = 
> ['212.83.170.26']
> 
> From fail2ban manual this is due to the default setting 
> "usedns=warn". I was wondering if there is any case where 
> "usedns=no" might be problematic given that I want to ban traffic 
> from specific IP addresses that scan for repeated ssh logins.
> 
> From the manual:
> 
> # "usedns" specifies if jails should trust hostnames in logs,
> #   warn when DNS lookups are performed, or ignore all hostnames in logs
> #
> # yes:   if a hostname is encountered, a DNS lookup will be performed.
> # warn:  if a hostname is encountered, a DNS lookup will be performed,
> #        but it will be logged as a warning.
> # no:    if a hostname is encountered, will not be used for banning,
> #        but it will be logged as info.
> usedns = no
> 
> 

If the logfiles you process only use ip addresses, then it makes no
difference. When you also match hostnames in your logfiles, you're
potentially open to a DOS attack. sshd logs specific ip addresses for
each (failed) connect, so usedns=no should have no negative impact on
that use case. To be sure, post a full log sample of a failed sshd
login attempt.

Regards,
Tom


Re: [Fail2ban-users] Huge ipset reboot problem?

2016-02-12 Thread Tom Hendrikx

Hi,

Please don't reply off-list. See comments below.

On 12-02-16 17:17, Charles Bradshaw wrote:
> Hi Tom
> 
> Humm.. yes we agree that storing vast numbers of bans in fail2ban
> is the wrong approach. Duplicate data always is.
> 
> I'm unfamiliar with shorewall, I'm almost sure ipset is the iptables
> equivalent of shorewall blacklists.

You are wrong. Shorewall is a management wrapper around
iptables/ipset, just like f2b is. It is just better suited for
managing static rules.

> The whole point is ipsets are fast, efficient and separate and
> therefore ease the maintenance problem.

Yes. But f2b is not fast. Which is why you should not look for a
solution to your problem within f2b.

> Looking out there, it's pretty obvious the uninitiated are having
> problems with fail2ban's complexity, especially with permanent bans
> and how to unban the inadvertent ones.

Your bans are static, not dynamic, so *don't* try to manage it with a
tool that is dedicated towards managing dynamic bans. KISS principle
applies here.

> 
> I'm not even sure that permanent banning is a good idea. I started
> out trying to reduce the frequency of fake attempts at my forum,
> but after more than 12 months I'm still seeing an increase in the
> number of bans per hour!

If you've read up on botnets, you know this is a game you'll lose. The
bots won't disappear, and it won't help you to ban them forever. But I
wasn't really looking into this part of your problem, just trying to
solve your "how do I manage a lot of perm bans efficiently" problem.

> 
> If you know how to cleanly disable the sqlite functionality I would
> be grateful for the heads-up.
> 
> Charles Bradshaw
> 
> On Fri, 2016-02-12 at 15:16 +0100, Tom Hendrikx wrote:
>> Hi,
>> 
>> Maybe an interesting side note: fail2ban is built to quickly ban
>> *and* unban problematic ip addresses. The whole nature of
>> fail2ban is (IMHO) in the fact that it automatically unbans ip
>> addresses after a while.
>> 
>> However, you state that you have a list of 17000 ip addresses that
>> are permanently banned. There is no reason to have fail2ban
>> maintain this list. I fixed this by having an action in f2b that
>> sent the addresses to the shorewall blacklist (which IS devised
>> for perm bans). An empty unban action and irrelevant unban time
>> complete the setup.
>> 
>> 
>> You can replace shorewall with any other solution you like, of
>> course. But keeping the perm bans in f2b is IMHO simply using the
>> wrong tool for the job.
>> 
>> Regards, Tom
>> 
>> On 12-02-16 14:49, Charles Bradshaw wrote:
>>> Bill,
>>> 
>>> Sorry again, I actually misread your first reply. I read 
>>> actionban instead of actionunban.
>>> 
>>> I am indeed saving and restoring the ipset. At least, that's
>>> what I used to do until I found fail2ban taking hours to
>>> shutdown. Last time I hit the boot button after about an hour
>>> with the result that the ipset was left intact. ipset has built
>>> in and well documented method for backup and restore.
>>> 
>>> While I understand your proposed method and see how it would
>>> work, I make the following observations:
>>> 
>>> 1 - Your method has a certain pragmatic elegance, but is
>>> devious and will certainly confuse the uninitiated!
>>> 
>>> 2 - I can see how your method will work if implemented from
>>> square one, but what about the 17000 odd IPs which have been
>>> previously banned with a ban time of forever? I've been running
>>> the particular jail with bantime = -1 for well over a year
>>> now.
>>> 
>>> 3 - Why store anything at all in an external database. Ipsets
>>> are just that, a highly efficient linked to iptables database.
>>> The botnet problem is increasing rapidly. Today I'm seeing
>>> 8/hour originally it was 2 or 3. In the meantime > 17000 IP
>>> have been permanently banned. That says there are botnets out
>>> there with orders more than 1 infected machines! We know
>>> not when this will, in effect, escalate to Denial of Service!
>>> Several hours to shutdown is a kind of DNS!
>>> 
>>> Back on a pragmatic front, storing and manipulating vast
>>> amounts of duplicate data is simply not good practice. If you
>>> look out there you will find much discussion on the subject of
>>> how to unban the inadvertently banned. I might be wrong, but I
>>> suspect because sqlite permanent banning was

Re: [Fail2ban-users] Huge ipset reboot problem?

2016-02-12 Thread Tom Hendrikx

Hi,

Maybe an interesting side note: fail2ban is built to quickly ban *and*
unban problematic ip addresses. The whole nature of fail2ban is (IMHO)
in the fact that it automatically unbans ip addresses after a while.

However, you state that you have a list of 17000 ip addresses that are
permanently banned. There is no reason to have fail2ban maintain this
list. I fixed this by having an action in f2b that sent the addresses to
the shorewall blacklist (which IS devised for perm bans). An empty unban
action and irrelevant unban time complete the setup.


You can replace shorewall with any other solution you like, of course.
But keeping the perm bans in f2b is IMHO simply using the wrong tool
for the job.

Regards,
Tom

On 12-02-16 14:49, Charles Bradshaw wrote:
> Bill,
> 
> Sorry again, I actually misread your first reply. I read
> actionban instead of actionunban.
> 
> I am indeed saving and restoring the ipset. At least, that's what I
> used to do until I found fail2ban taking hours to shutdown. Last
> time I hit the boot button after about an hour with the result that
> the ipset was left intact. ipset has built in and well documented
> method for backup and restore.
> 
> While I understand your proposed method and see how it would work,
> I make the following observations:
> 
> 1 - Your method has a certain pragmatic elegance, but is devious
> and will certainly confuse the uninitiated!
> 
> 2 - I can see how your method will work if implemented from square
> one, but what about the 17000 odd IPs which have been previously
> banned with a ban time of forever? I've been running the particular
> jail with bantime = -1 for well over a year now.
> 
> 3 - Why store anything at all in an external database. Ipsets are
> just that, a highly efficient linked to iptables database. The
> botnet problem is increasing rapidly. Today I'm seeing 8/hour
> originally it was 2 or 3. In the meantime > 17000 IP have been
> permanently banned. That says there are botnets out there with
> orders more than 1 infected machines! We know not when this
> will, in effect, escalate to Denial of Service! Several hours to
> shutdown is a kind of DNS!
> 
> Back on a pragmatic front, storing and manipulating vast amounts
> of duplicate data is simply not good practice. If you look out
> there you will find much discussion on the subject of how to unban
> the inadvertently banned. I might be wrong, but I suspect because
> sqlite permanent banning was implemented without due consideration
> of the consequences on existing installations.
> 
> I think what I really need to understand now is; how does fail2ban 
> 'think' an IP is banned or not. Where is the database? When is it 
> written/read? In what version of fail2ban did sqlite get
> implemented. At present my /var/lib/fail2ban/fail2ban.sqlite3 has
> 7.9MB of entries.
> 
> I ask again how do I turn sqlite activity off? Just point me at
> the documentation.
> 
> Charles Bradshaw
> 
> On Thu, 2016-02-11 at 22:31 -0500, Bill Shirley wrote:
>> When you said: This leaves the ipset intact. I made the the
>> assumption, maybe incorrectly, that you were saving your ipset
>> with some utility on shutdown and restoring after a re-boot.
>> 
>> If that IS the case then change your jail to:
>> bantime = 60
>> 
>> and make actionunban empty in your .local action:
>> #actionunban = ipset -exist del fail2ban-
>> actionunban =
>> 
>> fail2ban will ban the IP address and in one minute it will unban
>> it. However, with actionunban being empty, the IP address will
>> not be removed from the ipset.  So now fail2ban thinks very few,
>> if any, addresses are banned.  With very few addresses to
>> 'remove', shutdown should be quick.
>> 
>> Bill
>> 
>> 
>> On 2/11/2016 7:03 PM, Charles Bradshaw wrote:
>> 
>>> Thanks Bill,
>>> 
>>> Sorry I'm being a bit dim. Do you mean to temporarily modify
>>> the actionban in /etc/fail2ban/action.d/myaction.conf before
>>> the shutdown? How does that affect the shutdown? I can see how
>>> it affects the restart but eh.. no action actionban no bans at
>>> all after restart!
>>> 
>>> Surely deleting the actionstop clause altogether, thus
>>> preventing deletion of the ipset and a modified actionstart to
>>> do nothing if the ipset already exists. Then neither start nor
>>> stop take time.
>>> 
>>> I see the new sqlite behavior, but then where is the reference
>>> to dbfile forcing all the bans into
>>> /var/lib/fail2ban/fail2ban.sqlite3 it is not in my
>>> fail2ban.conf! If its use is default behaviour how do I
>>> disable it?
>>> 
>>> On Thu, 2016-02-11 at 12:19 -0500, Bill Shirley wrote:
 Try using an empty actionunban in your action and set the
 bantime = 60 in your jail.  This way fail2ban thinks it's
 unbanning after a minute.  fail2ban shutdown should be
 quick.
 
 Bill
 
 On 2/11/2016 5:15 AM, Charles Bradshaw wrote:
> Hello list,
> 
> I am running fail2ban.noarch 0.9.3-1.

Re: [Fail2ban-users] Fail2Ban sends mails only once

2016-01-23 Thread Tom Hendrikx


Hi,

The debug logging from fail2ban shows that the message is sent
successfully to the sendmail program.

Can you find logging from your mail server (postfix, sendmail) that
confirms that the message sent on to gmail?

Regards,
Tom


On 23-01-16 18:28, Saren Tasciyan wrote:
> Hi,
> 
> I think it is not the problem. One can define jails either in
> separate files or single file. I was wondering, why I only get
> e-mail once but not on repeated failed attempts...
> 
> Cheers
> 
> On 18.01.2016 08:07, kuncho pencho wrote:
>> HI,
>> 
>> I'm sorry, but my english is worst. I mean "my config". :)
>> 
>> I think, you should have sshd.conf in jail.d/. In my jail.local
>> all rules are set to "false" and i have 3 files in jail.d/ ,
>> sshd.conf, exim.conf, dovecot.conf and there i set "true". I'll
>> paste my sshd.conf:
>> 
>> [ssh]
>> enabled = true
>> filter = sshd
>> action = iptables[name=SSH, port=ssh, protocol=tcp]
>>          sendmail-whois[name=SSH, dest=m...@example.com, sender=m...@example.com, sendername="Fail2Ban"]
>> logpath = /var/log/sshd/current
>> maxretry = 5
>> bantime = 2592000
>> findtime = 144000
>> 
>> Cheers
>> 
>> 
>>> From: "YouGenom ." genomsa...@gmail.com
>>> Subject: Re: [Fail2ban-users] Fail2Ban sends mails only once
>>> To: kuncho pencho
>>> Sent: 18.01.2016 02:50
>> 
>> Hi,
>> 
>> 
>> Sorry about that. There is actually "]" at the end. I have
>> somehow mistakenly deleted it. Actual file has it.
>> 
>> jail.d directory is completely empty.
>> 
>> What do you mean with "Main config"? Is the suggested/correct way
>> of using sendmail-whois this: sendmail-whois[name=SSH, dest= 
>> mym...@example.com, sender= mym...@example.com,
>> sendername="Fail2Ban"] ?
>> 
>> 
>> Thanks a lot for the assistance!
>> 
>> 
>> On Sun, Jan 17, 2016 at 5:49 PM, kuncho pencho 
>> wrote:
>> 
>> 
>> 
>> Hi,
>> 
>> Could you try to set sender in ssh section in jail.conf?
>> 
>> Your config is "sendmail-whois[name=ssh, dest= mym...@gmail.com";
>> here the "]" symbol and the sender are missing.
>> 
>> Main config is with this line:
>> 
>> sendmail-whois[name=SSH, dest= mym...@example.com, sender= 
>> mym...@example.com, sendername="Fail2Ban"]
>> 
>> Do you have sshd.conf in jail.d ?
>>> From: "YouGenom ." genomsa...@gmail.com
>>> Subject: Re: [Fail2ban-users] Fail2Ban sends mails only once
>>> To: kuncho pencho <kuncho...@abv.bg>
>>> Sent: 17.01.2016 16:50
>> 
>> Hi,
>> 
>> 
>> I did not get any error message after setting up exim4 (but
>> before that I did not get any mail at all anyway). So at the
>> (first,) second and further failed logins there are no errors.
>> But I only get the warning mail at the first failed login. Here
>> is my configuration file (jail.local) attached.
>> 
>> 
>> Thanks!
>> 
>> 
>> 
>> 
>> 
>> On Sun, Jan 17, 2016 at 1:45 PM, kuncho pencho 
>> wrote:
>> 
>> 
>> 
>> Hi,
>> 
>> Could you paste your jail.conf and jail.d/sshd.conf? Is there an
>> error in fail2ban.log?
>> 
>> 
>> 
>>> From: "YouGenom ." genomsa...@gmail.com
>>> Subject: [Fail2ban-users] Fail2Ban sends mails only once
>>> To: fail2ban-users@lists.sourceforge.net
>>> Sent: 17.01.2016 13:39
>> 
>> Hi,
>> 
>> 
>> I have been trying to set up fail2ban. I have only edited for the
>> SSH jail to warn me in case of failed login. Other
>> jails/actions/filters are at default. Then I tried from another
>> machine a failed login (6 times with wrong password). I have got
>> the mail with whois info. So this is what I was expecting. Then I
>> have waited for the ban to expire (10 mins) and retried a failed
>> login. I did not get any mail this time. In logs, it was
>> mentioned, that a ban was issued for the client IP address.
>> Interestingly, by using another IP address (through VPN) I could
>> get again an e-mail warning for the first time but not second 
>> time. It seems to me fail2ban sends e-mail warning only once per 
>> IP-address. Moreover, I changed log level to 4 (DEBUG) and ran 
>> fail2ban-client reload. Then I tried a failed login with the old
>> (once banned) IP address. It did not send any mail but I found
>> this in the logs:
>> 
>> 2016-01-17 12:32:08,961 fail2ban.actions.action[21573]: DEBUG
>> printf %b "Subject: [Fail2Ban] ssh: banned 192.168.0.11 from
>> `uname -n` Date: `LC_TIME=C date -u +"%a, %d %h %Y %T +"` 
>> From: Fail2Ban  To: mym...@gmail.com\n Hi,\n The IP
>> 192.168.0.11 has just been banned by Fail2Ban after 6 attempts
>> against ssh.\n\n Here is more information about 192.168.0.11:\n 
>> `/usr/bin/whois 192.168.0.11 || echo missing whois program`\n 
>> Regards,\n Fail2Ban" | /usr/sbin/sendmail -f fail2ban 
>> mym...@gmail.com 2016-01-17 12:32:09,491
>> fail2ban.actions.action[21573]: DEBUG   printf %b "Su

Re: [Fail2ban-users] Missing /var/run/fail2ban folder

2015-11-16 Thread Tom Hendrikx

Hi,

The directory /var/run/fail2ban is on tmpfs, and the init script used
on ubuntu (typically added by the packager) is supposed to create the
directory when you start the daemon.

If you want to install f2b by hand (which apparently you did, since
none of the debian/ubuntu sources listed on
http://www.fail2ban.org/wiki/index.php/Downloads has 0.9.3 packages),
you'll need to handle all the requirements also yourself.

Probably the easiest fix is to grab the ubuntu init script from github
and use that with your custom install.

If you *did* use a ready-made ubuntu package to install f2b 0.9.3,
then please tell us where you got it, so we know what we're talking
about ;)

Regards,
Tom

On 16-11-15 16:44, allanit wrote:
> Hi
> 
> Just to let you know I set up a virtual machine with Ubuntu 14.04
> and Fail2ban 0.9.3 and Fail2ban started after installation but after
> a restart of ubuntu I had the same issues as in my previous post.
> 
> allanit  wrote ..
> 
>> Hi
>> 
>> My Server is ubuntu 14.04, and Fail2ban is 0.9.3 which I
>> recently installed. I am having a problem. Fail2ban won't start
>> after the server has been restarted. When the server restarts
>> there are no error messages but fail2ban is not running. Entering
>> the command below returns the error below that.
>> 
>>> fail2ban-client start
>> 
>> ERROR  There is no directory /var/run/fail2ban to contain the
>> socket file /var/run/fail2ban/fail2ban.sock.
>> 
>> If I create the file /var/run/fail2ban and then run >
>> fail2ban-client start again fail2ban starts and runs correctly
>> until the next time the server has to be restarted and the folder
>> no longer exists.
>> 
>> Why is the folder /var/run/fail2ban being deleted and why isn’t
>> the folder being recreated or am I missing something?
> 


___
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users


Re: [Fail2ban-users] sendmail-whois-lines says log is /dev/null?

2015-11-03 Thread Tom Hendrikx
Hi,

You should duplicate the logpath setting as a parameter to the
sendmail-whois-lines. The default setting for the logpath in
sendmail-whois-lines is /dev/null.

Try:

action = iptables-multiport[name=apache-noscanners,port="80,443"]
         sendmail-whois-lines[name=apache-noscanners, dest=i...@domain.com, sender=fail2...@domain.com, sendername="Fail2Ban", logpath=/var/log/httpd/*access_log]

Regards,
Tom


On 02-11-15 17:27, Bond Masuda wrote:
> On 11/02/2015 07:50 AM, Tom Hendrikx wrote:
>> Hi,
>>
>> Please show jail config for the related apache jail.
>>
> [apache-noscanners]
> enabled  = true
> port = http,https
> filter = apache-noscanners
> action = iptables-multiport[name=apache-noscanners,port="80,443"]
>          sendmail-whois-lines[name=apache-noscanners, dest=i...@domain.com, sender=fail2...@domain.com, sendername="Fail2Ban"]
> logpath  = /var/log/httpd/*access_log
> maxretry = 2
> bantime  = 172800
> 
>>
>> On 02-11-15 16:09, Bond Masuda wrote:
>>> I'm using the sendmail-whois-lines action (default, not modified) in
>>> hopes of seeing some of the log entries associated to a ban. But I get
>>> this in the email:
>>>
>>> Lines containing IP:5.178.68.237 in /dev/null
>>>
>>>
>>> Surely, the log it is monitoring was not /dev/null. It was supposed to be
>>> /var/log/httpd/*access_log. Am I doing something wrong here?
>>> thx
>>>
> 



Re: [Fail2ban-users] sendmail-whois-lines says log is /dev/null?

2015-11-02 Thread Tom Hendrikx
Hi,

Please show jail config for the related apache jail.



On 02-11-15 16:09, Bond Masuda wrote:
> I'm using the sendmail-whois-lines action (default, not modified) in 
> hopes of seeing some of the log entries associated to a ban. But I get 
> this in the email:
> 
> Lines containing IP:5.178.68.237 in /dev/null
> 
> 
> Surely, the log it is monitoring was not /dev/null. It was supposed to be 
> /var/log/httpd/*access_log. Am I doing something wrong here?
> thx
> 
> 



Re: [Fail2ban-users] Can't

2015-09-15 Thread Tom Hendrikx

On 15-09-15 18:28, Steve Watkins wrote:
> I just installed fail2ban on OS X 10.10 Yosemite using MacPorts.
> It appears to be working, or at least running, in that it created a
> log file and I got no errors when I ran  start>.
> 
> The instructions I have say that to change the configuration (such
> as bantime and maxretry), you need to edit the
> "/etc/fail2ban/jail.conf file."  However, that file does not exist
> on my Mac.  In "/etc" there is a filed called "fail2ban," but no
> directory.
> 
> Running  and  at the 
> terminal returned no results.
> 
> Can anyone help?  Thanks.
> 

First hit on google ;)

http://apple.stackexchange.com/questions/47543/listing-all-files-installed-by-some-macports-package

Regards,
Tom


Re: [Fail2ban-users] Required kernel modules

2015-08-31 Thread Tom Hendrikx
On 31-08-15 15:25, Ali Metin wrote:
> 
> 
> 
>>> So what is the answer? How can I load xt_set module in my case to
>>> make fail2ban work?
>> 
>> Are they a requirement for fail2ban? My openSUSE 13.1 server is
>> running kernel 3.11.10 desktop and fail2ban 0.9.2 and doesn't have
>> xt_set loaded and the modules are available to load. 
>> /lib/modules/3.11.10-29-desktop/kernel/net/netfilter/xt_set.ko
>> 
> 
> I guess so, at least for some part of fail2ban to work. We came back to 
> the original point I was at. For 3.1* kernels I have them too. But
> fail2ban complains.
> 

Hi,

If your cloud provider offers a kernel without ipset support (i.e.
kernel is too old, module unavailable and not compiled in, etc), then
don't use a jail method that requires ipset. Update your f2b
configuration to use a method that does not use ipset. (You also could
try to get your cloud provider to configure a suitable kernel for you,
but don't get your hopes up).

If you think you did just that, and f2b is still complaining, then share
your f2b configuration and the exact error message.

Regards,
Tom




Re: [Fail2ban-users] Regex for Postfix

2015-06-19 Thread Tom Hendrikx

On 19-06-15 21:25, Carmel NY wrote:
> I just started using 'fail2ban" and have not figured out how to
> create a custom filter.
> 
> I am running Postfix-3.0.1 on a FreeBSD 10.1 system. My mail-log is
> filling up with entries like this:
> 
> Jun 19 06:29:40 scorpio postfix/smtpd[45535]: warning: hostname 
> abts-mum-static-025.109.170.122.airtelbroadband.in does not resolve
> to address 122.170.109.25: hostname nor servname provided, or not
> known
> 
> That is all on one line, although it is shown wrapped here.
> 
> "fail2ban" is not catching this. I need to create a rule that would
> catch "hostname nor servname provided, or not known" or "address
> : hostname nor servname provided, or not known" for it but I am
> not sure exactly how. I would appreciate it if someone could assist
> me.
> 

These are warnings from postfix, they happen because the mail server
has unexpected dns records, or because your dns setup is screwed up.

While these warnings pop up more with spamming machines than with
valid mail servers, they are not uncommon for valid senders. So don't
block access based on these warnings.

If you really want to block mail delivery for all senders that have
DNS setup issues, you should look into the postfix config parameter
"reject_unknown_reverse_client_hostname" or even
"reject_unknown_client_hostname": they make postfix reject those
connections directly.

Tom


Re: [Fail2ban-users] Sogo + fail2ban

2015-06-11 Thread Tom Hendrikx


On 11-06-15 17:32, Kamaldeep Singh wrote:
> Hi All,
> 
> When I executed the below command:-
> 
> *fail2ban-regex /var/log/sogo/sogo.log
> /etc/fail2ban/filter.d/sogo-auth.conf*
> 
> got output:-
> 
> *Lines: 108 lines, 0 ignored, 22 matched, 86 missed*
> 
> It means lines has been matched but no IP is getting blocked.
> 
> Can anyone help me with this?
> 


Please post relevant config section in jail.{conf,local}, your
sogo-auth.conf file and relevant log entries in /var/log/fail2ban.log


Tom



Re: [Fail2ban-users] Filter Fail2ban Postfix-Sasl.

2015-06-08 Thread Tom Hendrikx

On 08-06-15 02:24, Wilmer Arambula wrote:
> Hi, how can I create a filter for the following brute force
> postfix / smtpd log examples:
> 
> Log Example: mail.warning.log (syslog)
> 
> 2015 Jun  6 15:58:34 postfix/smtpd[20077]: warning: numeric hostname: 178.72.138.184
> 2015 Jun  6 15:59:06 postfix/smtpd[20077]: warning: numeric hostname: 178.72.138.184
> 2015 Jun  6 15:59:19 postfix/smtpd[20077]: warning: numeric hostname: 178.72.138.184
> 2015 Jun  6 16:29:02 postfix/smtpd[20543]: warning: hostname 14-2-240-152.static.internode.on.net does not resolve to address 14.2.240.152: Name or service not known
> 2015 Jun  6 16:29:02 postfix/smtpd[20541]: warning: hostname 14-2-240-152.static.internode.on.net does not resolve to address 14.2.240.152: Name or service not known
> 2015 Jun  6 16:29:23 postfix/smtpd[20543]: warning: hostname 14-2-240-152.static.internode.on.net does not resolve to address 14.2.240.152: Name or service not known
> 2015 Jun  6 18:34:43 postfix/smtpd[21825]: warning: hostname 203-150-68-51.inter.net.th does not resolve to address 203.150.68.51: Name or service not known
> 2015 Jun  7 00:26:44 postfix/smtpd[25369]: warning: hostname 14-2-240-152.static.internode.on.net does not resolve to address 14.2.240.152: Name or service not known
> 2015 Jun  7 03:18:39 postfix/smtpd[27129]: warning: hostname hn.kd.ny.adsl does not resolve to address 182.118.53.86: Name or service not known
> 2015 Jun  7 03:18:39 postfix/smtpd[27129]: warning: non-SMTP command from unknown[182.118.53.86]: GET / HTTP/1.0
> 2015 Jun  7 06:43:12 postfix/smtpd[29248]: warning: hostname 203-150-68-51.inter.net.th does not resolve to address 203.150.68.51: Name or service not known
> 2015 Jun  7 06:43:12 postfix/smtpd[29246]: warning: hostname 203-150-68-51.inter.net.th does not resolve to address 203.150.68.51: Name or service not known
> 2015 Jun  7 08:41:20 postfix/smtpd[30813]: warning: hostname 14-2-240-152.static.internode.on.net does not resolve to address 14.2.240.152: Name or service not known
> 2015 Jun  7 17:10:35 postfix/smtpd[3635]: warning: hostname 14-2-240-152.static.internode.on.net does not resolve to address 14.2.240.152: Name or service not known
> 2015 Jun  7 17:10:39 postfix/smtpd[3635]: warning: hostname 14-2-240-152.static.internode.on.net does not resolve to address 14.2.240.152: Name or service not known
> 2015 Jun  7 19:02:25 postfix/smtpd[10450]: warning: hostname azteca-comunicaciones.com does not resolve to address 191.102.73.51
> 2015 Jun  7 19:15:15 postfix/smtpd[10825]: warning: hostname 203-150-68-51.inter.net.th does not resolve to address 203.150.68.51: Name or service not known
> 2015 Jun  3 23:41:22 postfix/smtpd[10381]: lost connection after UNKNOWN from unknown[49.48.140.5]
> 2015 Jun  3 23:41:22 postfix/smtpd[10381]: disconnect from unknown[49.48.140.5]
> 2015 Jun  3 23:41:22 postfix/smtpd[10379]: connect from unknown[49.48.140.5]
> 

All of these (except for the non-SMTP command warning) are just warnings
that relate to non-existent DNS records, and can happen with any valid
SMTP server too, or can be triggered by an issue with your internal dns
setup.

These specific warnings don't indicate any wrongdoing from the IP owner
(again, an exception for the non-SMTP command warning) and should imho
not trigger a block. The same hosts might have triggered some other error
message when they actually do something stupid. Fail2ban ships several
postfix-related filters by default that should catch most of those.
I also have a postscreen filter lying around, if you're interested in
that.

Tom
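As an added illustration of the distinction drawn in this reply and in the earlier postfix thread on this page (this is editor-supplied example code, not part of the thread and not fail2ban's own filters), the following Python script triages the postfix/smtpd lines quoted above: the "hostname ... does not resolve" and "numeric hostname" warnings are reported as DNS noise, to be handled by postfix's own reject_unknown_reverse_client_hostname / reject_unknown_client_hostname policy rather than by a ban, and only the non-SMTP command warning counts towards a ban. The regexes, the IPv4-only host pattern and the maxretry threshold are the example's own assumptions; the sample lines come from the quoted log.

```python
import re
from collections import Counter

# Added example, not fail2ban code: triage postfix/smtpd warnings into DNS noise
# (do not ban) and client misbehaviour (ban candidate), following the advice in
# this thread. Assumption: IPv4 clients only; extend IPV4 for IPv6 literals.
IPV4 = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Warnings that only say the client's PTR/A records are missing or inconsistent.
# Valid senders produce these too; postfix's reject_unknown_reverse_client_hostname
# or reject_unknown_client_hostname is the right place to act on them.
DNS_NOISE = [
    re.compile(r"warning: hostname \S+ does not resolve to address " + IPV4),
    re.compile(r"warning: numeric hostname: " + IPV4),
]

# Warnings that show the client doing something a mail client never should
# (the non-SMTP command case singled out in the reply).
ABUSE = [
    re.compile(r"warning: non-SMTP command from \S+\[(?P<host>[^\]]+)\]"),
]


def classify(line):
    """Return ("abuse" | "dns-noise" | "other", host-or-None) for one postfix log line."""
    for rx in ABUSE:
        m = rx.search(line)
        if m:
            return "abuse", m.group("host")
    for rx in DNS_NOISE:
        m = rx.search(line)
        if m:
            return "dns-noise", m.group("host")
    return "other", None


def ban_candidates(lines, maxretry=1):
    """Count abuse events per host; return the hosts that reached maxretry."""
    hits = Counter(host for cat, host in map(classify, lines) if cat == "abuse")
    return {host: n for host, n in hits.items() if n >= maxretry}


def noise_report(lines):
    """Hosts that only produced DNS warnings: a postfix policy question, not a ban."""
    noisy = Counter(host for cat, host in map(classify, lines) if cat == "dns-noise")
    abusive = set(ban_candidates(lines))
    return {host: n for host, n in noisy.items() if host not in abusive}


# Sample input: lines taken from the log excerpt quoted in this thread.
SAMPLE_LINES = [
    "2015 Jun  6 15:58:34 postfix/smtpd[20077]: warning: numeric hostname: 178.72.138.184",
    "2015 Jun  6 16:29:02 postfix/smtpd[20543]: warning: hostname 14-2-240-152.static.internode.on.net does not resolve to address 14.2.240.152: Name or service not known",
    "2015 Jun  7 03:18:39 postfix/smtpd[27129]: warning: hostname hn.kd.ny.adsl does not resolve to address 182.118.53.86: Name or service not known",
    "2015 Jun  7 03:18:39 postfix/smtpd[27129]: warning: non-SMTP command from unknown[182.118.53.86]: GET / HTTP/1.0",
    "2015 Jun  7 19:02:25 postfix/smtpd[10450]: warning: hostname azteca-comunicaciones.com does not resolve to address 191.102.73.51",
    "2015 Jun  3 23:41:22 postfix/smtpd[10381]: lost connection after UNKNOWN from unknown[49.48.140.5]",
]

if __name__ == "__main__":
    print("ban candidates:", ban_candidates(SAMPLE_LINES))
    print("dns noise only:", noise_report(SAMPLE_LINES))
```

Run against the sample, only 182.118.53.86 (the host that sent "GET / HTTP/1.0" to the SMTP port) comes out as a ban candidate; the three hosts with broken reverse DNS are listed separately, and the plain connect/disconnect lines are ignored.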




Re: [Fail2ban-users] Sogo + fail2ban

2015-06-05 Thread Tom Hendrikx

On 04-06-15 17:13, Kamaldeep Singh wrote:
> Hi
> 
> On Thursday 04 June 2015 07:50 PM, Yves wrote:
>> The "?" near the end of your RE seems to indicate that the whole 
>> contents of the parenthesis is optional. I wrote too fast and
>> wrongly included actual parenthesis in my examples above, but the
>> meaning remains: I'm not sure the end of the line really is
>> optional.
>> 
>> Were I you, I'd try this: ^.* sogod \[\d+\]: SOGoRootPage Login
>> from '' for user '[^']*' might not have worked.*$
>> 
>> I realize that "^.*" at the start, and ".*$" at the end, are a
>> bit silly regarding pattern-matching, but some tools do need to
>> perform full-string matching, and I don't know where fail2ban
>> stands in this regard.
> I tried your regex. No luck.
> 

This works for me with the supplied example:

failregex = ^ sogod \[\d+\]: SOGoRootPage Login from '' for user
'.*' might not have worked - password policy: -?\d+  grace: -?\d+
expire: -?\d+  bound: -?\d+$

If you also need a variant without the password policy note appended,
add a second failregex instead of improving (i.e. complicating) the
first one.

@yves: the anchoring at start and finish is done in f2b to circumvent
DoS attacks (see list archives for details) but when you change it
into ^.*  .*$, the protection doesn't work anymore. Technically
f2b doesn't care if you anchor or not.

Tom
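To show how an anchored failregex of this shape behaves, here is an added Python example (editor-supplied, not fail2ban's shipped sogo-auth.conf and not the regex from the thread verbatim): it strips the timestamp the way fail2ban's date parser would before matching, then tries two fully anchored patterns, one with the password policy note and a second one for the plain variant, as the reply suggests. Where fail2ban's filter would use its <HOST> tag, the example substitutes a simplified address pattern; the log lines are constructed.

```python
import re

# Added example (not fail2ban code): anchored failregex variants for the SOGo
# "Login ... might not have worked" message. fail2ban removes the timestamp before
# matching, so the patterns start at the program name.

# Assumption: a simplified stand-in for fail2ban's <HOST> tag (IPv4/IPv6 literal only).
HOST = r"(?P<host>[0-9a-fA-F:.]+)"

PREFIX = (r"^\s*sogod \[\d+\]: SOGoRootPage Login from '" + HOST
          + r"' for user '[^']*' might not have worked")

FAILREGEX = [
    # 1) variant with the password policy note appended, anchored at both ends
    re.compile(PREFIX + r" - password policy: -?\d+\s+grace: -?\d+\s+expire: -?\d+\s+bound: -?\d+\s*$"),
    # 2) a second regex for the plain variant, instead of making the first one optional-heavy
    re.compile(PREFIX + r"\s*$"),
]

# Constructed syslog-style "Mon DD HH:MM:SS " prefix; fail2ban's datepattern does this for real.
TIMESTAMP = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} ")


def strip_timestamp(line):
    """Remove the leading timestamp, leaving what fail2ban hands to failregex."""
    return TIMESTAMP.sub("", line, count=1)


def match_failregex(line):
    """Return the host captured by the first matching failregex, or None."""
    for rx in FAILREGEX:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None


def extract_hosts(lines):
    """Hosts that would be counted as failures by the two patterns above."""
    return [h for h in (match_failregex(strip_timestamp(l)) for l in lines) if h]


# Constructed sample lines (addresses from the documentation ranges).
SAMPLE_LINES = [
    "Jun 04 17:10:00 sogod [4242]: SOGoRootPage Login from '192.0.2.10' for user 'alice' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0",
    "Jun 04 17:10:05 sogod [4242]: SOGoRootPage Login from '198.51.100.7' for user 'bob' might not have worked",
    # extra text after the expected suffix: the $ anchor rejects it instead of matching loosely
    "Jun 04 17:10:09 sogod [4242]: SOGoRootPage Login from '192.0.2.10' for user 'alice' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0 unexpected suffix",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(repr(match_failregex(strip_timestamp(line))), "<-", line)
```

Both patterns stay anchored with ^ and $ and avoid a leading or trailing .*, which is the property the reply says keeps fail2ban's matching cheap; the third sample line shows that anything appended after the expected suffix simply fails to match rather than being absorbed.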


Re: [Fail2ban-users] custom parameter from filter in action

2015-05-05 Thread Tom Hendrikx

Hi Constantin,

you could *filter* based on bogus queries using the method I
described, but the actions are always done by an ip-based firewall,
i.e. you can only *block* by ip.

If you need to block certain query types without blocking access from
the ip that is performing those queries, you need to use some filter
at the application level, fail2ban can not help you since it can only
block all access from the ip unconditionally.

For apache, you could use f.i. mod_security for applying this kind
(i.e. application level) of filtering, but your original message did
not provide any details on what traffic you're trying to block. Which
application, what type of queries are OK/bad, etc. So not enough
detail to advise you further.

Tom

On 05-05-15 10:32, Constantin Bugneac wrote:
> Thanks Tom,
> 
> I want to use iptables to filter by other criteria - let's say some
>  details from application layer. I'm able to extract from logs the
>  "bogus query" and build a proper iptables filter to block it
> manually and now I'm thinking how to automate this using fail2ban 
> functionality ...
> 
> N.B. It's useless to filter by IP when some clients may sit behind
>  NAT thus blocking access to all instead of addressing specific 
> query.
> 
> Regards, Constantin
> 






Re: [Fail2ban-users] custom parameter from filter in action

2015-05-04 Thread Tom Hendrikx

On 05-05-15 00:09, Constantin Bugneac wrote:
> Hi All,
> 
> 
> 
> How can I reference a custom parameter (not default ones like
>  or ) in action file which is taken from filter regex?
> 
> 
> 
> Here is the line in filter file:
> 
> 
> 
> …
> 
> failregex = ^%(__line_prefix)s(\.\d+)?( error:)?\s*client
> #\S+( \([\S.]+\))?: (view (internal|external): )?query(?:
> \(cache\))? '*(?P\S+)*' denied\s*$
> 
> …
> 
> 
> 
> I need to use the value of  in action file but it’s not 
> substituted when referenced there:
> 
> 
> 
> …
> 
> actionban = iptables -I fail2ban- …. -m comment --comment
> "DROP Q **" -j 
> 
> …
> 
> While debugging I see  instead of actual value.
> 
> 
> 
> It does work with  though.
> 
> I need to filter by other criteria, not by IP...
> 
> 

That is not supported by fail2ban. Also, how would iptables filter the
traffic when you're not using the ip in the action? If you want to
separate the bans per query, you'll probably need to define a separate
jail+filter for each query.

Regards,
Tom


Re: [Fail2ban-users] fail2ban only bans when restarted

2014-12-29 Thread Tom Hendrikx

On 26-12-14 10:57, a.sm...@ukgrid.net wrote:
> Quoting a.sm...@ukgrid.net:
> 
> Hi List, unfortunately I still have the exact same problem with 
> version v0.8.11. Is this a bug or an issue with monitoring a large
>  number of log files via wildcard? Any help would be very
> appreciated.
> 
> 

It sounds like logrotate (or something else) changed the files that
need to be monitored, and f2b is not notified about it. The wildcard
is only evaluated at the start of f2b, so if you have filenames
that change (f.i. with today's date in it), they won't be monitored by
f2b unless you restart/reload f2b.

If this is not enough information to solve (or understand) your issue,
you need to elaborate on your situation: show actual log directory
listings, explain how files are rotated, etc etc.

Tom


Re: [Fail2ban-users] Syslog -> BGP Blackhole

2014-11-30 Thread Tom Hendrikx

On 30-11-14 17:11, fail2ban list wrote:
> This is my first post, so don't hate on me too much. I did search
> the archive for BGP before posting, so hopefully it hasn't been
> covered.
> 
> I am looking to point Fail2Ban at a centralized syslog server (I
> know I'd have to get the desired logs here first), complain to the
> whois abuse contact (which I'm working on for my single server
> setups) and then insert that IP address as a BGP blackhole. I see
> how to add it as a local route blackhole, but I'm not sure how to
> do the BGP part. I assume that I'd have to install a BGP daemon
> locally or SSH into one (perhaps one I also use as a route
> reflector?) and execute a command to insert a blackhole route.
> 
> Has anyone done this?
> 
> Can I do a second (or third) action in addition to that to remote
> into off-net boxes and add it to their routes. I'd like to prefer
> to do it via routes as routes has less load than a firewall.
> 

It sounds like a difficult task with a small gain. The amount of cpu
cycles spared by using routes vs iptables is probably useless once you
start using a python program that can tail logfiles (i.e. run fail2ban).


Tom