Re: [Fail2ban-users] intermediate unban during running process that generates further events

2014-10-02 Thread Bill Shirley

On 9/27/2014 12:47 PM, Laurent wrote:

Le 25/09/2014 19:21, Martin Menzel a écrit :

In my special case I use fail2ban in the inverse sense. As long as I
get a special event in a given interval again and again the firewall
should be kept open, and if no event is detected for longer than the "ban"
interval the firewall is closed again.

Hi!

I really don't know if fail2ban is the proper tool to achieve that;
maybe you should look towards "port knocking", which seems better
suited to your needs.


--
Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer
Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS Reports
Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper
Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog Analyzer
http://pubads.g.doubleclick.net/gampad/clk?id=154622311&iu=/4140/ostg.clktrk
___
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users


I am using fail2ban to populate an ipset and using iptables to DROP traffic in
the ipset (from iptables -t filter):
DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set fail2ban-IpPort src,dst /* flagged by fail2ban */


looks like you could just reverse this with:
ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set fail2ban-IpPort src,dst /* flagged by fail2ban */

DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

My ipset create command (in Shorewall init) is:
ipset -exist create fail2ban-IpPort hash:ip,port timeout 3600
With the timeout option the kernel automagically removes the entry when it expires.
On entry update, the new timeout value is used.


My jail (my_ipset_ipport2 and 3 are just symlinks to my_ipset_ipport):
[postfix-sasl]
#enabled= false
enabled = true
filter  = sasl
action  = my_ipset_ipport[port=smtp, bantime=3600]
  my_ipset_ipport2[port=smtps, bantime=3600]
  my_ipset_ipport3[port=submission, bantime=3600]
logpath = /var/log/maillog
maxretry= 3
bantime = 3600


I use my own fail2ban action since I don't want the iptables entry removed.
cat /etc/fail2ban/action.d/my_ipset_ip.conf:
# from iptables-ipset-proto6.conf

[INCLUDES]

before = iptables-blocktype.conf


[Definition]
actioncheck =
actionstart =
actionstop =
actionban = ipset -exist add fail2ban-<name> <ip> timeout <bantime>
#actionunban = ipset -exist del fail2ban-<name> <ip>
actionunban =

[Init]
name = Ip
port = ssh
protocol = tcp
bantime = 3600

Modify the above if you want to ban an IP address instead of an IP/port
combination.
Here's a start:
ipset -exist create fail2ban-Ip hash:ip timeout 86400

Hope this helps,
Bill
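A worked model of the mechanism Bill describes, added here as an example and not code from the post or from the ipset or fail2ban projects. The TimeoutSet class imitates a kernel ipset created with "timeout": entries vanish once their timeout passes, and an "-exist" re-add refreshes the timeout instead of failing with "already in set". simulate() replays a constructed stream of fail2ban ban events for Martin's inverse case (a host that keeps triggering the event every 20 minutes, then goes quiet) and answers whether the host is still in the set at chosen probe times. The set name, addresses and timestamps are made up for the example.

```python
from typing import Dict, List, Optional, Tuple


class TimeoutSet:
    """In-memory stand-in for an ipset created with 'timeout' support.

    Only the two semantics the post relies on are modelled: entries expire on
    their own once their timeout passes, and re-adding with -exist refreshes
    the timeout rather than failing.
    """

    def __init__(self, name: str, default_timeout: int) -> None:
        self.name = name
        self.default_timeout = default_timeout
        self._expires: Dict[str, float] = {}   # entry -> absolute expiry time

    def add(self, entry: str, now: float, timeout: Optional[int] = None,
            exist: bool = False) -> str:
        """Mimic 'ipset [-exist] add <set> <entry> timeout <n>' at time `now`.
        Returns the command line the real action would have executed."""
        self._expire(now)
        if entry in self._expires and not exist:
            raise ValueError(f"{self.name}: {entry} is already in set")
        ttl = self.default_timeout if timeout is None else timeout
        self._expires[entry] = now + ttl
        flag = "-exist " if exist else ""
        return f"ipset {flag}add {self.name} {entry} timeout {ttl}"

    def contains(self, entry: str, now: float) -> bool:
        self._expire(now)
        return entry in self._expires

    def _expire(self, now: float) -> None:
        # The kernel garbage-collects expired entries; do it on every access here.
        for entry in [e for e, t in self._expires.items() if t <= now]:
            del self._expires[entry]


def simulate(events: List[Tuple[float, str]], probes: List[Tuple[float, str]],
             bantime: int, set_name: str = "fail2ban-Ip") -> Dict[Tuple[float, str], bool]:
    """Replay fail2ban 'ban' events as -exist re-adds and report, for each
    probe (time, entry), whether the entry is still in the set at that time."""
    ipset = TimeoutSet(set_name, default_timeout=bantime)
    # Sort by time; "event" sorts before "probe", so an add at time t is
    # already visible to a probe at the same t.
    timeline = sorted([(t, "event", e) for t, e in events] +
                      [(t, "probe", e) for t, e in probes])
    seen: Dict[Tuple[float, str], bool] = {}
    for t, kind, entry in timeline:
        if kind == "event":
            ipset.add(entry, now=t, timeout=bantime, exist=True)
        else:
            seen[(t, entry)] = ipset.contains(entry, now=t)
    return seen


# Constructed event stream for the "inverse" use from the thread: one host
# produces the special event every 20 minutes for an hour, then goes quiet.
EVENTS = [(0, "203.0.113.7"), (1200, "203.0.113.7"), (2400, "203.0.113.7"), (3600, "203.0.113.7")]
# Constructed probe times: during the activity, just before and exactly at
# expiry of the last refresh, plus a host that never triggered anything.
PROBES = [(3000, "203.0.113.7"), (7000, "203.0.113.7"), (7200, "203.0.113.7"), (100, "198.51.100.9")]

if __name__ == "__main__":
    for (t, entry), present in sorted(simulate(EVENTS, PROBES, bantime=3600).items()):
        print(f"t={t:>5}  {entry:<14} {'in set' if present else 'not in set'}")
```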



Re: [Fail2ban-users] intermediate unban during running process that generates further events

2014-10-02 Thread Bill Shirley

Arrg, I mixed my two examples.  The action should be:
cat /etc/fail2ban/action.d/my_ipset_ipport.conf:
# from iptables-ipset-proto6.conf

[INCLUDES]

before = iptables-blocktype.conf


[Definition]
actioncheck =
actionstart =
actionstop =
actionban = ipset -exist add fail2ban-<name> <ip>,<protocol>:<port> timeout <bantime>

#actionunban = ipset -exist del fail2ban-<name> <ip>,<protocol>:<port>
actionunban =

[Init]
name = IpPort
port = http
protocol = tcp
bantime = 3600

Bill



Re: [Fail2ban-users] Configuring fail2ban on RHEL7

2014-10-21 Thread Bill Shirley

I don't think this is a systemd problem.  In Fedora 19 fail2ban's service file:
[Unit]
Description=Fail2ban Service
After=syslog.target network.target

[Service]
Type=forking
ExecStart=/usr/bin/fail2ban-client -x start
ExecStop=/usr/bin/fail2ban-client stop
ExecReload=/usr/bin/fail2ban-client reload
PIDFile=/var/run/fail2ban/fail2ban.pid
Restart=always <=== they told it to restart on failure

[Install]
WantedBy=multi-user.target

I think you have a syntax error. What does 'fail2ban-client -d' report?

Bill


On 10/21/2014 4:20 AM, Charles Bradshaw wrote:

Looks a bit like a problem with systemd.

You did a restart, therefore fail2ban was running previously. What is
the status of f2b after your restart?
[..]# fail2ban-client status

You should be using systemctl not service to control services on a
system running systemd. I presume you are running Fedora? Are you also
running SELINUX?

What does the fail2ban log say?

On Tue, 2014-10-21 at 00:33 +, Steven Jones wrote:

Hi,


I am attempting to setup fail2ban to protect ssh.


So I copied jail.conf to jail.local and edited the file, however
fail2ban will now not run.


:(




[root@vuwuniconnect01 fail2ban]# service fail2ban restart
Redirecting to /bin/systemctl restart  fail2ban.service
Job for fail2ban.service failed. See 'systemctl status
fail2ban.service' and 'journalctl -xn' for details.
[root@vuwuniconnect01 fail2ban]# journalctl -xn
-- Logs begin at Mon 2014-10-20 13:46:33 NZDT, end at Tue 2014-10-21
13:22:18 NZDT. --
Oct 21 13:22:18 vuwuniconnect01.ods.vuw.ac.nz fail2ban-client[5071]: '
enabled = true\n'
Oct 21 13:22:18 vuwuniconnect01.ods.vuw.ac.nz systemd[1]:
fail2ban.service: control process exited, code=exited status=255
Oct 21 13:22:18 vuwuniconnect01.ods.vuw.ac.nz systemd[1]: Failed to
start Fail2ban Service.
-- Subject: Unit fail2ban.service has failed
-- Defined-By: systemd
-- Support:
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit fail2ban.service has failed.
--
-- The result is failed.
Oct 21 13:22:18 vuwuniconnect01.ods.vuw.ac.nz systemd[1]: Unit
fail2ban.service entered failed state.
Oct 21 13:22:18 vuwuniconnect01.ods.vuw.ac.nz systemd[1]:
fail2ban.service holdoff time over, scheduling restart.
Oct 21 13:22:18 vuwuniconnect01.ods.vuw.ac.nz systemd[1]: Stopping
Fail2ban Service...
-- Subject: Unit fail2ban.service has begun shutting down
-- Defined-By: systemd
-- Support:
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit fail2ban.service has begun shutting down.
Oct 21 13:22:18 vuwuniconnect01.ods.vuw.ac.nz systemd[1]: Starting
Fail2ban Service...
-- Subject: Unit fail2ban.service has begun with start-up
-- Defined-By: systemd
-- Support:
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit fail2ban.service has begun starting up.
Oct 21 13:22:18 vuwuniconnect01.ods.vuw.ac.nz systemd[1]:
fail2ban.service start request repeated too quickly, refusing to
start.
Oct 21 13:22:18 vuwuniconnect01.ods.vuw.ac.nz systemd[1]: Failed to
start Fail2ban Service.
-- Subject: Unit fail2ban.service has failed
-- Defined-By: systemd
-- Support:
http://lists.freedesktop.org/mailman/listinfo/systemd-devel









Re: [Fail2ban-users] dovecot.conf didn't work

2014-10-22 Thread Bill Shirley
On 10/21/2014 7:55 AM, fail2ban...@rirasoft.de wrote:
> Hi there,
> I've installed a mailserver with CentOS7 and fail2ban (0.9-9.el7 from
> epel). The default regex in dovecot.conf didn't work as expected.
>
> Example:
> mailserver dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=66.240.192.138, lip=192.168.2.10, TLS: Disconnected, TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)
> mailserver dovecot: imap-login: Disconnected (no auth attempts in 4 secs): user=<>, rip=66.240.192.138, lip=192.168.2.10, TLS, TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
>
> How can I match these lines? I found a lot people with the same issue
> when googling.
>
>
>
> [root@mailserver ~]# fail2ban-regex /var/log/maillog
> /etc/fail2ban/filter.d/dovecot.conf
>
>
> Running tests
> =
>
>
> Use failregex file : /etc/fail2ban/filter.d/dovecot.conf
> Use log file : /var/log/maillog
> Use encoding : UTF-8
>
>
>
> Results
> ===
>
>
> Failregex: 0 total
>
>
> Ignoreregex: 0 total
>
>
> Date template hits:
> |- [# of hits] date format
> | [2671] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?:
> Year)?
> `-
>
>
> Lines: 2671 lines, 0 ignored, 0 matched, 2671 missed
> Missed line(s): too many to print. Use --print-all-missed to print all
> 2671 lines
> [root@mailserver ~]#
>
>
> Thanks
> Andreas
>

On my system, dovecot.conf that came with fail2ban-0.8.10-1.fc17.noarch only 
deals with authentication failure.

Bill
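To see why the stock filter reports zero hits, here is a Python re-creation of what fail2ban-regex does, added as an example and not taken from fail2ban or from the stock dovecot.conf. It strips the syslog timestamp, expands <HOST> the way fail2ban 0.9 does, and runs two simplified regexes over constructed log lines (Andreas's two lines with a syslog prefix added, plus one made-up authentication failure and one successful login): a regex in the style of the stock filter, which only matches "auth failed" lines, and one that matches the "no auth attempts" disconnects. Both regexes are simplifications written for this example, not the shipped ones. Keep in mind that a "no auth attempts" disconnect means the client never tried to log in, so banning on it is a policy decision about scanners rather than brute-force protection.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# fail2ban 0.9 expands <HOST> to this before compiling a failregex.
HOST_PATTERN = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The syslog date template the page's fail2ban-regex run matched
# ("MON Day 24hour:Minute:Second"); the date is matched and removed first.
SYSLOG_DATE = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")

# Two simplified filters (assumptions, not the stock regexes): the first is
# the kind of line the stock dovecot.conf matches (real authentication
# failures); the second is what has to be added to catch the poster's lines,
# which record clients that connected and left without trying to log in.
AUTH_FAILED = (r"^\S+ dovecot: (?:imap|pop3)-login: (?:Disconnected|Aborted login) "
               r"\(auth failed, \d+ attempts(?: in \d+ secs)?\):.*rip=<HOST>")
NO_AUTH_ATTEMPT = (r"^\S+ dovecot: (?:imap|pop3)-login: Disconnected "
                   r"\(no auth attempts in \d+ secs\):.*rip=<HOST>")

# Constructed log lines: the two from the thread with a syslog prefix added,
# one made-up auth failure, and one successful login that must never match.
LOG_LINES: List[str] = [
    "Oct 21 07:40:01 mailserver dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=66.240.192.138, lip=192.168.2.10, TLS: Disconnected, TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)",
    "Oct 21 07:40:09 mailserver dovecot: imap-login: Disconnected (no auth attempts in 4 secs): user=<>, rip=66.240.192.138, lip=192.168.2.10, TLS, TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)",
    "Oct 21 07:41:12 mailserver dovecot: imap-login: Disconnected (auth failed, 3 attempts in 12 secs): user=<admin>, method=PLAIN, rip=198.51.100.23, lip=192.168.2.10, TLS",
    "Oct 21 07:42:00 mailserver dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=192.168.2.55, lip=192.168.2.10, mpid=1234, TLS",
]


def compile_failregex(failregex: str):
    """Expand <HOST> and compile, as fail2ban does when loading a filter."""
    return re.compile(failregex.replace("<HOST>", HOST_PATTERN))


def strip_date(line: str) -> Optional[str]:
    """Return the line without its timestamp, or None if no date template hits.
    fail2ban ignores such lines, which is the first thing to check when a
    filter 'does not work'."""
    m = SYSLOG_DATE.match(line)
    return line[m.end():] if m else None


def run_filter(failregexes: List[str], lines: List[str]) -> Dict[str, int]:
    """Hits per host, like the 'Addresses found' summary of fail2ban-regex."""
    compiled = [compile_failregex(r) for r in failregexes]
    hits: Dict[str, int] = defaultdict(int)
    for line in lines:
        body = strip_date(line)
        if body is None:
            continue
        for rx in compiled:
            m = rx.search(body)
            if m:
                hits[m.group("host")] += 1
                break          # first failregex to match wins, as in fail2ban
    return dict(hits)


if __name__ == "__main__":
    print("stock-style filter :", run_filter([AUTH_FAILED], LOG_LINES))
    print("with no-auth regex :", run_filter([AUTH_FAILED, NO_AUTH_ATTEMPT], LOG_LINES))
```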



Re: [Fail2ban-users] HELP - squid filter doesn't work

2014-12-05 Thread Bill Shirley

On 12/3/2014 11:56 AM, braint...@freenet.de wrote:


Hello Community,

Perhaps you can help me.

I'm responsible for a squid3 proxy server. But I'm not able to block IPs that
failed to authenticate (ncsa_method).

That's my /var/log/squid3/access.log output

27/Nov/2014:13:16:41  0 125.46.40.22 TCP_DENIED/407 3836 GET http://www.google.de/ - NONE/- text/html

That's my jail in jail.conf

enabled = true
port = 8080
filter = squidfilter
logpath = /var/log/squid3/access.log
maxretry = 1
bantime = 180

That's my filter

# squidfilter

[Definition]

failregex = 0 <HOST> TCP_DENIED/407

ignoreregex =

In reality it doesn't work, although I successfully checked my filter with 
"fail2ban-regex" command.

Here is the output

# fail2ban-regex '27/Nov/2014:13:16:41  0 125.46.40.22 TCP_DENIED/407 3836 GET http://www.google.de/ - NONE/- text/html' '0 <HOST> TCP_DENIED/407'



Summary
===

Addresses found:
[1]
125.46.40.22 (Thu Nov 27 13:16:41 2014)

Date template hits:
0 hit(s): MONTH Day Hour:Minute:Second
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
0 hit(s): Year/Month/Day Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
2 hit(s): Day/MONTH/Year:Hour:Minute:Second
0 hit(s): Month/Day/Year:Hour:Minute:Second
0 hit(s): Year-Month-Day Hour:Minute:Second
0 hit(s): Year.Month.Day Hour:Minute:Second
0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
0 hit(s): Day-Month-Year Hour:Minute:Second
0 hit(s): TAI64N
0 hit(s): Epoch
0 hit(s): ISO 8601
0 hit(s): Hour:Minute:Second
0 hit(s): 

Success, the total number of match is 1

However, look at the above section 'Running tests' which could contain important
information.
#


It would be so nice if you could help me.

Greetings

Black1check





You might try putting an 'action' in the jail.

HTH,
Bill


[Fail2ban-users] How to make use of regex tags

2015-01-11 Thread Bill Shirley
Is there a way to make use of regex tags like mac and interface in the filter?

my_test.conf:
failregex = DHCPREQUEST\s+for\s+<HOST>\s+from\s+(?P<mac>([0-9a-fA-F]{1,2}:){5}[0-9a-fA-F]{1,2}).+via\s+(?P<interface>.+)
            DHCPACK to <HOST> \((?P<mac>([0-9a-fA-F]{1,2}:){5}[0-9a-fA-F]{1,2})\).+via\s+(?P<interface>.+)

jail.local:
[my_test]
enabled = true
filter  = my_test
action  = my_ipset_ip[name=TestIp, bantime=3600]
logpath = /var/log/messages
maxretry= 0
bantime = 3600

my_ipset_ip.conf:
[Definition]
actioncheck =
actionstart =
actionstop =
actionban = ipset add fail2ban-<name> <ip> timeout <bantime> -exist


Thanks,
Bill




Re: [Fail2ban-users] fail2ban not rescanning logs & readding hits on f2b restart. what config did I miss here?

2015-01-21 Thread Bill Shirley

From man ipset:
timeout value
       parameter when creating a set and adding entries. The value of the timeout parameter for the create command
       means the default timeout value (in seconds) for new entries. If a set is created with timeout support, then
       the same timeout option can be used to specify non-default timeout values when adding entries. Zero timeout
       value means the entry is added permanent to the set. The timeout value of already added elements can be
       changed by readding the element using the -exist option.

From /etc/fail2ban/action.d/iptables-ipset-proto6-allports.conf:
actionstart = ipset create fail2ban-<name> hash:ip timeout <bantime>
              iptables -I INPUT -m set --match-set fail2ban-<name> src -j <blocktype>
.
.
actionban = ipset add fail2ban-<name> <ip> timeout <bantime> -exist
.
.
bantime = 600

The bantime here merely sets the time if no time is given in the action
call.  The jail:
action = iptables-ipset-proto6-allports[name=zimbra-recipient]
does not pass a bantime, so the default is taken.  You should use:
action = iptables-ipset-proto6-allports[name=zimbra-recipient, bantime=604800]

HTH,
Bill

On 1/19/2015 9:37 PM, rogt3...@proinbox.com wrote:

apparently this is the way you have to do it in the jail.local

action   = iptables-ipset-proto6-allports[name=zimbra-recipient, 
bantime=604800]

Otherwise the action ignores the fail2ban 'bantime = X' value

If I do that and restart you now get

ipset -L fail2ban-zimbra-recipient
Name: fail2ban-zimbra-recipient
Type: hash:ip
Revision: 2
Header: family inet hashsize 1024 maxelem 65536 timeout 604800
Size in memory: 16504
References: 1
Members:

Notice the timeout = 604800

Header: family inet hashsize 1024 maxelem 65536 timeout 604800

not = 600 like before





Re: [Fail2ban-users] fail2ban not rescanning logs & readding hits on f2b restart. what config did I miss here?

2015-01-27 Thread Bill Shirley

If I understand it:
bantime in a jail is the number of seconds before fail2ban issues the unban 
action.
bantime in an action just fills in anything that is missing on the call to the 
action;  same as port, protocol, etc.

jail.local
[my_ssh]
.
action = my_ipset_ipport[name=TestIpPort]



my_ipset_ipport:
.
[Definition]
.
.
actionban = ipset add fail2ban-<name> <ip>,<protocol>:<port> timeout <bantime> -exist

[Init]
name = IpPort
port = ssh
protocol = tcp
bantime = 3600

Since the jail action call does not supply <port>, <protocol>, or <bantime>,
the action's [Init] section values are used.

HTH,
Bill
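To make the precedence concrete, here is a small Python model of the tag resolution Bill describes. It is an added example, not fail2ban's own code, and it reproduces the 0.9 behaviour discussed in this thread rather than the real config reader. The [Init] values and the actionban line are Bill's my_ipset_ipport action from this thread with the tags reconstructed; the jail action lines and the address 203.0.113.5 are made up. What it shows: without an explicit bantime in the action call, the action's [Init] bantime (3600) is what ends up in the ipset command, whatever the jail's own bantime line says; passing bantime=604800 or bantime="%(bantime)s" is what fixes it.

```python
import re
from typing import Dict, Optional, Tuple

# [Init] of Bill's my_ipset_ipport action, as shown on the page.
MY_IPSET_IPPORT_INIT: Dict[str, str] = {
    "name": "IpPort", "port": "ssh", "protocol": "tcp", "bantime": "3600",
}
# Its actionban line, with the tags reconstructed.
ACTIONBAN = "ipset -exist add fail2ban-<name> <ip>,<protocol>:<port> timeout <bantime>"


def jail_interpolate(action_line: str, jail_opts: Dict[str, object]) -> str:
    """Step 1 (config reader): expand %(opt)s references against the jail's
    own options, e.g. bantime="%(bantime)s" -> bantime="86400"."""
    return action_line % jail_opts


def parse_action_call(call: str) -> Tuple[str, Dict[str, str]]:
    """Step 2: split 'my_ipset_ipport[name=TestIpPort, bantime=604800]' into
    the action name and its explicit parameters (quotes around values dropped).
    Values containing commas are not handled; none appear on this page."""
    m = re.fullmatch(r"\s*([\w.\-]+)\s*(?:\[(.*)\])?\s*", call)
    if not m:
        raise ValueError(f"cannot parse action call: {call!r}")
    params: Dict[str, str] = {}
    if m.group(2):
        for kv in m.group(2).split(","):
            key, _, value = kv.partition("=")
            params[key.strip()] = value.strip().strip('"')
    return m.group(1), params


def resolve_tags(init: Dict[str, str], call_params: Dict[str, str], ip: str) -> Dict[str, str]:
    """Step 3: explicit call parameters win over [Init] defaults; <ip> is per-ban.
    Note what is absent: the jail's own bantime option is never consulted."""
    tags = dict(init)
    tags.update(call_params)
    tags["ip"] = ip
    return tags


def render(template: str, tags: Dict[str, str]) -> str:
    """Step 4: substitute every <tag>; an unknown tag is an error, not ''."""
    def sub(m):
        key = m.group(1)
        if key not in tags:
            raise KeyError(f"no value for <{key}> in action call")
        return tags[key]
    return re.sub(r"<(\w+)>", sub, template)


def ban_command(action_line: str, ip: str, jail_opts: Optional[Dict[str, object]] = None,
                init: Dict[str, str] = MY_IPSET_IPPORT_INIT, template: str = ACTIONBAN) -> str:
    """The ipset command fail2ban would run for one ban of `ip`."""
    if jail_opts:
        action_line = jail_interpolate(action_line, jail_opts)
    _, params = parse_action_call(action_line)
    return render(template, resolve_tags(init, params, ip))


if __name__ == "__main__":
    jail = {"bantime": 86400}   # the jail's own "bantime = 86400" line
    for line in ("my_ipset_ipport[name=TestIpPort]",
                 "my_ipset_ipport[name=TestIpPort, bantime=604800]",
                 'my_ipset_ipport[port=http, bantime="%(bantime)s"]'):
        print(f"{line:<55} -> {ban_command(line, '203.0.113.5', jail)}")
```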

On 1/21/2015 8:05 PM, Lee Clemens wrote:
My point regarding this is that I am still unclear why the action overrides the bantime - why not use the bantime 
defined by the jail's configuration?


On 01/21/2015 04:54 AM, Bill Shirley wrote:



The bantime here merely sets the time if no time is given in the action 
command.  The jail:
action = iptables-ipset-proto6-allports[name=zimbra-recipient]
does not send the bantime to the default it taken.  You should use:
action = iptables-ipset-proto6-allports[name=zimbra-recipient, bantime=604800]

HTH,
Bill

On 1/19/2015 9:37 PM, rogt3...@proinbox.com wrote:









Re: [Fail2ban-users] workaround to re-find banned ips on reload?

2015-03-20 Thread Bill Shirley
I use ipset instead of iptables:
ipset -exist create fail2ban-IpPort hash:ip,port timeout 3600
ipset -exist create fail2ban-Ip hash:ip timeout 86400

and my action has a blank value for
actionunban =

You can pass any timeout value you want from the jail and just let the
operating system keep track of the time.

You can cycle or stop fail2ban and they are still banned.  However, to manually
unban, use the ipset command to remove the entry.


Bill


On 3/11/2015 8:10 PM, Lee Clemens wrote:
> On 03/10/2015 09:14 AM, AJ Weber wrote:
>> I realize this has come-up a number of times.  Seems like a very common
>> request (common-enough that it probably should be implemented as a
>> feature?).
>>
>> Anyway, on restart/reload of fail2ban, I'd like to have it re-scan the
>> log files back "findtime" (at least) for each jail and re-add those ip's
>> to the jails.
>>
>> I'm using v0.8.14.  Is there any way to do this or is there a way to
>> "trick" fail2ban to do so (I tried "touching" one of the old log files,
>> but fail2ban still doesn't seem to re-read that file to ban ips).
> Best way may be to use the recidive jail added in v0.9 (iirc)
>> Thanks for any tips and tricks!
>>
>> -AJ
>>
>




Re: [Fail2ban-users] [Possible SPAM] Re: slow restart/stop due to unban each IP instead of just flush chain

2015-10-07 Thread Bill Shirley
My approach is to not use the unban but use an ipset with a timeout value.  This
lets the kernel/ipset keep track of when to unban.
#- my_ipset_ipport:
[INCLUDES]

before = iptables-blocktype.conf


[Definition]
actioncheck =
actionstart =
actionstop =
actionban = ipset -exist add fail2ban-<name> <ip> timeout <bantime>
#actionunban = ipset -exist del fail2ban-<name> <ip>
actionunban =

[Init]
name = Ip
port = ssh
protocol = tcp
bantime = 3600

#- jail:
[apache-noscript]
#enabled= false
enabled = true
filter  = apache-noscript
#action = my_ipset_ip
action  = my_ipset_ipport[port=http, bantime="%(bantime)s"]
   my_ipset_ipport2[port=https, bantime="%(bantime)s"]
logpath = /var/log/httpd/error_log
maxretry= 2
bantime = 86400

Note: my_ipset_ipport2 is just a symlink to my_ipset_ipport.  Also
I don't use an actionstart or actionstop since I add the ipset with Shorewall.

Use the ipset command to manually unban.

Bill



On 10/6/2015 11:06 AM, Rhys McWilliams wrote:
> Hi Nick,
> Great suggestion to look at ipset as it should definitely be faster for
> iptables to process than standard rules...
>
> I've given it a test with my list of "attackers" IPs which is currently
> at 1023 entries...
> The results are definitely better with 1 minute 50 seconds to stop with
> ipset as compared to 3 minutes 49 seconds for the standard rules.
> fail2ban still goes through the motion of issuing an unban for each IP
> so I'd guess that the time difference is down to the fact that it's
> quicker to run the "ipset del" command than it is to run "iptables -D".
>
> On the plus side, it is quite an improvement in time so I'm grateful for
> the suggestion...
>
> I'm sure if I set the actionunban to be the same as the actionstop it
> would do just that, but then you lose the ability to unban a single IP,
> among other things, so that's not really a solution...
>
> Regards
> 
> Rhys McWilliams
> Cell: +27 82 335-5014
> Fax: 086 618-2798
> http://www.castlehillcc.co.za
> r...@castlehillcc.co.za
>
> On 2015/10/06 15:03, Nick Howitt wrote:
>> I like your thinking.
>>
>> As a slight lateral idea, have you investigated using ipset blocking
>> rules instead? They are far more suitable for large numbers of blocks
>> but I have not checked them out in f2b recently. I have a feeling on
>> my distro there were problems with deleting ipset rules from the INPUT
>> chain but they would be much faster as you only load one or two rules
>> in iptables. All the rest of the IP manipulation is outside iptables.
>>
>> Nick
>>
>> On 2015-10-06 11:55, Rhys McWilliams wrote:
>>> Hi,
>>> Apologies if this has been asked and answered before but I cannot seem
>>> to find anything about it via Internet searches...
>>>
>>> I'm running Fail2Ban v0.9.2 (installed using yum) on CentOS 6.7
>>>
>>> I run a jail to block various remote connection attempts from my
>>> external interface to ports like telnet (23), VNC (5900) and various
>>> others that should not be accepting connections from the public Internet,
>>> basically hacking attempts...
>>>
>>> Here is my jail.local entry
>>>
>>>   [remote-connections]
>>>   enabled  = true
>>>   filter   = remote-connections
>>>   action   = iptables-allports[name=REMCON, protocol=all]
>>>   sender=fail2...@domain.tld]
>>>   logpath  = /var/log/messages
>>>   maxretry = 1
>>>   findtime = 86400
>>>   bantime = 604800
>>>
>>> The action is the standard default installed iptables-allports.conf with
>>> no modifications, which has the following actionstop and actionunban
>>> lines
>>>
>>> actionstop = iptables -D <chain> -p <protocol> -j f2b-<name>
>>>              iptables -F f2b-<name>
>>>              iptables -X f2b-<name>
>>>
>>> actionunban = iptables -D f2b-<name> -s <ip> -j <blocktype>
>>>
>>>
>>> As you can see from my jail definition above I have a strict policy that
>>> if there is so much as 1 match then the source IP gets banned for 1 week
>>> (bantime = 604800). My opinion is that nobody should be trying to access
>>> the ports I specify in my filter and if they are then it can only be
>>> for malicious intent, therefore ban them:)
>>>
>>> Okay, now down to the reason for emailing this list...
>>> While testing to get information together my f2b-REMCON chain contained
>>> 965 entries (it has been much higher than that too) so I consider it
>>> having been working rather well...
>>> The problem is that when I do a service fail2ban restart (or reload) it
>>> takes 3 and a half minutes to restart which I can see, from the
>>> fail2ban.log file, is due to the fact that fail2ban is first issuing an
>>> "unban" for each IP in the chain.
>>> An individual unban of a single IP is quite quick, typically under half a
>>> second, but of course multiply that by the number of entries I get in my
>>> f2b-REMCON chain, it's no longer a quick process...
>>>
>>> My question being, is there a specific reason the unban per

Re: [Fail2ban-users] fail2ban whitelist not working

2015-10-16 Thread Bill Shirley
You should make your changes to /etc/fail2ban/jail.local.  This keeps package 
updates from
clobbering your changes.  Read the documentation.

One can only guess at your configuration unless you provide the jail instance, 
filter config,
and action config you are using for this.

Bill


On 10/16/2015 5:07 AM, Noel da Costa wrote:
> I should add that the place I added the ignoreip address to was 
> /etc/fail2ban/jail.conf
>
>
>
>> On 16 Oct 2015, at 10:46 AM, Noel da Costa wrote:
>>
>> Hi,
>>
>> fail2ban is blocking one of my servers even though I've added it to the 
>> ignoreip list and restarted the fail2ban service.
>>
>> I’m not sure if this is expected behaviour but fail2ban only logs the first 
>> blockage. When I try to connect again from that
>> server nothing gets logged. The server trying to connect gets the error:
>>
>>   [0] => ssh: connect to host xxx.xxx.xxx.xxx port 22: Connection refused
>>   [1] => fatal: The remote end hung up unexpectedly
>> If I reboot the server it works for a while. It also seems to be a bit 
>> flaky. It reports that I’m logging in with the
>> incorrect password even though the password should actually not be required 
>> because I’m logging in using ssh keys.
>>
>> All of this is happening via scripts that are executed from my web server. 
>> It seems to work fine on some vhosts but not on others.
>>
>> Very confused.
>>
>>


Re: [Fail2ban-users] How to user

2015-10-16 Thread Bill Shirley
<JAIL> refers to what's between the brackets in your jail.local:
[postfix]
#enabled= false
enabled = true
filter  = postfix
action  = my_ipset_ipport[port=smtp, bantime=86400]
   my_ipset_ipport2[port=smtps, bantime=86400]
   my_ipset_ipport3[port=submission, bantime=86400]
logpath = /var/log/maillog
maxretry= 3
bantime = 60
findtime= 172800

The above jail is 'postfix'.


[0:root@elmo fail2ban]$ fail2ban-client get postfix logpath
Current monitored log file(s):
`- /var/log/maillog

Bill


On 10/16/2015 5:20 AM, Noel da Costa wrote:
>
> Hi,
>
> The docs (http://www.fail2ban.org/wiki/index.php/Commands#JAIL_INFORMATION) show the use of <JAIL> but they don't seem to
> indicate what format the jail name should take.
>
> *For example:*
> [root@server]# locate jail
> /etc/fail2ban/jail.conf
> /etc/fail2ban/jail.d
> /etc/fail2ban/jail.local
>
> *I tried all of the following:*
> fail2ban-client reload jail
> fail2ban-client reload jail.conf
> fail2ban-client reload jail.local
> fail2ban-client reload /etc/fail2ban/jail.local
> fail2ban-client reload sshd
>
> None of which worked.
>


Re: [Fail2ban-users] available tags in actions

2015-11-24 Thread Bill Shirley
Anyone got an idea of how to use the variable 'apacheUser' or 'dport' in this filter?
apache-common.local:
_apache_access_client = 
(?P.+)\s+(?P\S+)\[\]\s+(?P\d+)\s+(?P.+)\s+\[[^]]+\]

Seems like it should be accessible in either jail.local or some action (or both).
I've searched the internet but not found any examples.

Bill
PS. I have a non-standard apache access_log.


On 11/23/2015 10:14 AM, Y. wrote:
> Only 2 or 3 tags actually come from fail2ban:  and  in the
> context of ban/unban actions, and  in the context of filters, if I
> remember correctly.
>
> All other tags are user-defined. You can pass parameters when calling an
> action, between square brackets, and you can read these parameters inside
> the ban/unban actions: these are all the other tags that you saw.
>
> Cheers,
>
> Y.
>
> On Mon, 23 Nov 2015, Simon Fromme wrote:
>
>> Date: Mon, 23 Nov 2015 15:42:24
>> From: Simon Fromme 
>> To: fail2ban-users@lists.sourceforge.net
>> Subject: [Fail2ban-users] available tags in actions
>>
>> Hello,
>>
>> being new to fail2ban I have problems understanding the tag-system. I
>> was defining a custom action "actions.d/foo.conf" (getting called in the
>> [recidive] section in "jail.conf") and I am now wondering which tags I
>> can use within actionban = ...
>>
>> I have not found any documentation on this so I was wondering if there
>> is some summary of tags I can use? As it seems to me there are tags that
>> are globally available, some that get defined within the [Init] section
>> of an action and some that I can pass directly to the action from within
>> jail.conf. Maybe via some other way as well?
>>
>> I would be thankful for some information on the mechanism by which tags
>> are being made available to the actions within actions.d and for a list
>> of global tags I can use there.
>>
>> In the predefined actions I have encountered: , , ,
>> , , , etc. but I am sure this list is far from
>> exclusive.
>>
>> Thanks a lot for your help!
>> Simon Fromme
>>


Re: [Fail2ban-users] [SPAM] Postfix j-chkmail milter rejects

2015-12-04 Thread Bill Shirley
Yes, it looks like the 'milter-reject' would work except you may have a problem
with the 'unknown[unknown]' message since there is no IP address.

What have you tried?

Bill

On 12/3/2015 11:55 AM, Dudi Goldenberg wrote:
> No one?
>
> *From:* Dudi Goldenberg [mailto:d...@kolcore.com]
> *Sent:* Wednesday, December 02, 2015 7:59
> *To:* fail2ban-users@lists.sourceforge.net
> *Subject:* [Fail2ban-users] [SPAM] Postfix j-chkmail milter rejects
>
> Hello list,
>
> Sorry for the resend if the previous post did make the list – I didn’t get it.
>
> Can anyone help writing a filter for a postfix milter reject log?
>
> The reject comes from j-chkmail, reject reasons may vary, here are some examples:
>
> Nov 26 11:25:59 mail postfix/smtpd[26033]: NOQUEUE: milter-reject: CONNECT from unknown[203.255.53.138]: 421 4.5.1 Too many open connections; proto=SMTP
>
> Nov 29 20:40:11 mail postfix/smtpd[27473]: NOQUEUE: milter-reject: CONNECT from unknown[82.144.250.140]: 421 4.5.1 Connection Rate; proto=SMTP
>
> Nov 30 08:06:11 mail postfix/smtpd[26292]: NOQUEUE: milter-reject: CONNECT from unknown[unknown]: 421 4.5.1 Can't get your IP address. Try again later !; proto=SMTP
>
> Nov 30 21:28:58 mail postfix/cleanup[9133]: 7DA6AD61A0: milter-reject: END-OF-MESSAGE from mail-wm0-f48.google.com[74.125.82.48]: 5.7.1 Date in the future ???; from=<talp...@gmail.com> to=<mo...@med-trix.com> proto=ESMTP helo=
>
> Dec  1 14:34:37 mail postfix/smtpd[7883]: NOQUEUE: milter-reject: MAIL from unknown[85.25.194.116]: 421 4.5.1 Unreacheable domain. Try again later !; from= > proto=ESMTP helo=
>
> Maybe looking for milter-reject should do the job.
>
> My goal is to add it to postfix.conf filter.
>
> TIA
>
> Dudi
>

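To see how a milter-reject filter behaves on the 'unknown[unknown]' case Bill points out, here is an added example (not from the thread or the fail2ban project) that emulates in plain Python what fail2ban-regex does for such a filter, over constructed sample lines; the MILTER_REJECT pattern and the helper names are this example's own, not a shipped fail2ban filter.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the shape of the postfix/j-chkmail milter-reject
# entries quoted in the thread (RFC 5737 test addresses, not real hosts).
SAMPLE_LOG = """\
Nov 26 11:25:59 mail postfix/smtpd[26033]: NOQUEUE: milter-reject: CONNECT from unknown[203.0.113.10]: 421 4.5.1 Too many open connections; proto=SMTP
Nov 29 20:40:11 mail postfix/smtpd[27473]: NOQUEUE: milter-reject: CONNECT from unknown[203.0.113.10]: 421 4.5.1 Connection Rate; proto=SMTP
Nov 30 08:06:11 mail postfix/smtpd[26292]: NOQUEUE: milter-reject: CONNECT from unknown[unknown]: 421 4.5.1 Can't get your IP address. Try again later !; proto=SMTP
Nov 30 21:28:58 mail postfix/cleanup[9133]: 7DA6AD61A0: milter-reject: END-OF-MESSAGE from mail.example.net[198.51.100.7]: 5.7.1 Date in the future ???; proto=ESMTP
Dec  1 14:34:37 mail postfix/smtpd[7883]: NOQUEUE: milter-reject: MAIL from unknown[203.0.113.10]: 421 4.5.1 Unreachable domain. Try again later !; proto=ESMTP
Dec  1 14:35:02 mail postfix/smtpd[7884]: connect from mail.example.org[192.0.2.44]
"""

# Hypothetical failregex for a milter-reject filter (this example's own).
# fail2ban's <HOST> tag expands to (?:::f{4,6}:)?(?P<host>\S+); the group
# below keeps the same name so the capture maps onto what fail2ban would see.
MILTER_REJECT = re.compile(
    r"postfix/\w+\[\d+\]: (?:\w+: )?milter-reject: "
    r"(?:CONNECT|HELO|EHLO|MAIL|RCPT|DATA|END-OF-MESSAGE) from "
    r"\S+?\[(?:::f{4,6}:)?(?P<host>[^\]]+)\]"
)


def match_host(line):
    """Return the bracketed host of a milter-reject line, or None if no match."""
    m = MILTER_REJECT.search(line)
    return m.group("host") if m else None


def is_ip_address(host):
    """True only for a literal IPv4/IPv6 address; 'unknown' is rejected."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def scan_log(text):
    """Count matches per address, like fail2ban-regex's per-host tally.

    Returns (counts, skipped): hosts that are not literal addresses, such as
    the 'unknown[unknown]' case, go to `skipped` instead of being counted,
    since there is no address that could be banned.
    """
    counts = Counter()
    skipped = []
    for line in text.splitlines():
        host = match_host(line)
        if host is None:
            continue
        if is_ip_address(host):
            counts[host] += 1
        else:
            skipped.append(host)
    return counts, skipped


def offenders(counts, maxretry):
    """Addresses that reached maxretry hits (findtime windowing omitted)."""
    return sorted(ip for ip, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    counts, skipped = scan_log(SAMPLE_LOG)
    print("hits:", dict(counts))
    print("skipped (no address):", skipped)
    print("would ban at maxretry=3:", offenders(counts, 3))
```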

Re: [Fail2ban-users] Fail2ban not executing action

2015-12-12 Thread Bill Shirley
I don't see any errors in your configuration.  Could it be you don't
have 20 hits within one hour for the same IP address?

Bill

On 12/12/2015 10:48 PM, Brad wrote:
> I have installed Fail2ban on Centos 6.7 and configured it to handle failed login attempts to dovecot.  I tried to configure it
> based on various different directions on the web, but no luck.
>
> It appears the filter is working correctly, but the action never seems to get executed.
>
> fail2ban-client status dovecot-pop3imap
>
> Status for the jail: dovecot-pop3imap
> |- Filter
> |  |- Currently failed: 1
> |  |- Total failed: 9
> |  `- File list:/var/log/maillog
> `- Actions
>    |- Currently banned: 0
>    |- Total banned: 0
>    `- Banned IP list:
>
> fail2ban-client -d
>
> ['set', 'syslogsocket', 'auto']
> ['set', 'loglevel', 'INFO']
> ['set', 'logtarget', '/var/log/fail2ban']
> ['set', 'dbfile', '/var/lib/fail2ban/fail2ban.sqlite3']
> ['set', 'dbpurgeage', 86400]
> ['add', 'dovecot-pop3imap', 'auto']
> ['set', 'dovecot-pop3imap', 'usedns', 'warn']
> ['set', 'dovecot-pop3imap', 'addlogpath', '/var/log/maillog', 'head']
> ['set', 'dovecot-pop3imap', 'maxretry', 20]
> ['set', 'dovecot-pop3imap', 'addignoreip', '127.0.0.1/8']
> ['set', 'dovecot-pop3imap', 'logencoding', 'auto']
> ['set', 'dovecot-pop3imap', 'bantime', 172800]
> ['set', 'dovecot-pop3imap', 'ignorecommand', '']
> ['set', 'dovecot-pop3imap', 'findtime', 3600]
> ['set', 'dovecot-pop3imap', 'addfailregex', '(?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \\(auth failed|Aborted login \\(tried to use disabled|Disconnected \\(auth failed|Aborted login \\(\\d+ authentication attempts).*rip=(?P\\S*),.*']
> ['set', 'dovecot-pop3imap', 'addaction', 'iptables-multiport']
> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'actionban', ' -I f2b- 1 -s  -j ']
> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'actionstop', ' -D  -p  -m multiport --dports  -j f2b-\n -F f2b-\n -X f2b-']
> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'actionstart', ' -N f2b-\n -A f2b- -j \n -I  -p  -m multiport --dports  -j f2b-']
> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'actionunban', ' -D f2b- -s  -j ']
> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'actioncheck', " -n -L  | grep -q 'f2b-[ \\t]'"]
> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'iptables', 'iptables ']
> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'known/chain', 'INPUT']
> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'known/lockingopt', '']
> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'protocol', 'tcp']
> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'name', 'dovecot-pop3imap']
> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'chain', 'INPUT']
> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'known/__name__', 'Init']
> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'known/protocol', 'tcp']
> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'known/port', 'ssh']
> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'known/returntype', 'RETURN']
> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'known/iptables', 'iptables ']
> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'lockingopt', '']
> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'known/name', 'default']
> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'known/blocktype', 'REJECT --reject-with icmp-port-unreachable']
> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'returntype', 'RETURN']
> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'blocktype', 'REJECT --reject-with icmp-port-unreachable']
> ['set', 'dovecot-pop3imap', 'action', 'iptables-multiport', 'port', 'pop3,pop3s,imap,imaps']
> ['set', 'dovecot-pop3imap', 'addaction', 'sendmail-whois']
> ['set', 'dovecot-pop3imap', 'action', 'sendmail-whois', 'actionban', 'printf %b "Subject: [Fail2Ban] : banned  from `uname -n`\nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom:  <>\nTo: \\n\nHi,\\n\nThe IP  has just been banned by Fail2Ban after\n attempts against .\\n\\n\nHere is more information about :\\n\n`/usr/bin/whois  || echo missing whois program`\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f  ']
> ['set', 'dovecot-pop3imap', 'action', 'sendmail-whois', 'actionstop', 'printf %b "Subject: [Fail2Ban] : stopped on `uname -n`\nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom:  <>\nTo: \\n\nHi,\\n\nThe ja

Re: [Fail2ban-users] Fail2ban not executing action

2015-12-12 Thread Bill Shirley
Have you tried using '<HOST>' instead of '(?P<host>\\S*)' which looks wrong
due to the double backslash.

You are getting hits but maybe it can't find the IP address.

Bill


On 12/12/2015 11:55 PM, Brad wrote:
> The same ip hits about once every minute, failing and filling up my log...
> That was the reason I tried Fail2ban...
>

Re: [Fail2ban-users] Fail2ban not executing action

2015-12-13 Thread Bill Shirley
Have you tried dovecot.conf?

[1:root@elmo fail2ban 1]$ rpm -qa | grep fail
fail2ban-server-0.9.3-1.fc22.noarch
fail2ban-systemd-0.9.3-1.fc22.noarch

[0:root@elmo filter.d]$ ls /etc/fail2ban/filter.d/
3proxy.conf                common.conf          guacamole.conf          perdition.conf        sieve.conf
apache-auth.conf           counter-strike.conf  horde.conf              php-url-fopen.conf    sogo-auth.conf
apache-badbots.conf        courier-auth.conf    ignorecommands          portsentry.conf       solid-pop3d.conf
apache-botsearch.conf      courier-smtp.conf    kerio.conf              postfix.conf          squid.conf
apache-common.conf         cyrus-imap.conf      lighttpd-auth.conf      postfix.local         squirrelmail.conf
apache-common.local        directadmin.conf     monit.conf              postfix-rbl.conf      sshd.conf
apache-fakegooglebot.conf  dovecot.conf         my_apache-wplogin.conf  postfix-sasl.conf     sshd-ddos.conf
apache-modsecurity.conf    dropbear.conf        my_dovecot_secure.conf  postfix-sasl.local    stunnel.conf
apache-nohome.conf         drupal-auth.conf     mysqld-auth.conf        proftpd.conf          suhosin.conf
apache-noscript.conf       ejabberd-auth.conf   nagios.conf             pure-ftpd.conf        tine20.conf
apache-noscript.local      exim-common.conf     named-refused.conf      qmail.conf            uwimap-auth.conf
apache-overflows.conf      exim.conf            nginx-botsearch.conf    recidive.conf         vsftpd.conf
apache-pass.conf           exim-spam.conf       nginx-http-auth.conf    roundcube-auth.conf   webmin-auth.conf
apache-shellshock.conf     freeswitch.conf      nsd.conf                selinux-common.conf   wuftpd.conf
assp.conf                  froxlor-auth.conf    openwebmail.conf        selinux-ssh.conf      xinetd-fail.conf
asterisk.conf              groupoffice.conf     oracleims.conf          sendmail-auth.conf
botsearch-common.conf      gssftpd.conf         pam-generic.conf        sendmail-reject.conf

I actually use my_dovecot_secure.conf:
failregex = auth:.+dovecot:auth.+authentication\s+failure;.+rhost=<HOST>
            dovecot:.+rip=<HOST>.+wrong version number
            dovecot:.+tried to use disallowed plaintext auth.+rip=<HOST>
            dovecot:.+auth failed.+rip=<HOST>

HTH,
Bill


Re: [Fail2ban-users] Writing an action to stop heavy DNS ANY attacks.

2015-12-28 Thread Bill Shirley
Fail2ban bans by IP address.

I think you may want to look into Bind views.  Have one view
for queries that need to be recursive and another view for the rest.

Bill


On 12/28/2015 12:20 PM, Bob Roswell wrote:
> Hello –
>
> I am trying to block DNS ANY amplification attacks.  My recursive (they have to be) DNS servers are seeing hundreds of
> thousands of queries like the ones below.  The client IP addresses are all different and likely forged.
>
> 28-Dec-2015 09:12:31.290 queries: client 176.90.14.49#12504: query: turkey.com IN ANY +E (w.x.y.z)
>
> 28-Dec-2015 09:12:31.308 queries: client 141.196.216.227#47554: query: turkey.com IN ANY +E (w.x.y.z)
>
> ……
>
> Example of iptables rule that works
>
> -A RH-Firewall-1-INPUT -p udp --dport 53 -m string --algo bm --hex-string "|06|turkey|03|com" -j DROP
>
> I can also write the rule looking for the hex equivalent of turkey.com, but it is easier (for me writing the rules manually) to
> use the format above.
>
> Any way to automate my manual working using fail2ban?  I think I can write the regex to find the domain.  I just don't see any
> examples of how I might convert that to the desired output.
>
> Bob Roswell
>
> brosw...@syssrc.com
>
> 410-771-5544 ext 4336
>


Re: [Fail2ban-users] mysqld-auth banning random ip's

2015-12-29 Thread Bill Shirley
Have you run?:
fail2ban-regex /var/log/mysql.warn /etc/fail2ban/filter.d/mysqld-auth.conf

Bill

On 12/29/2015 10:38 AM, Michiel Hazelhof wrote:
> Hi All,
>
> I am running the current default mysqld-auth filter
> (https://github.com/fail2ban/fail2ban/blob/master/config/filter.d/mysqld-auth.conf),
> and for some reason it is banning IP addresses that do not occur in the
> log file and fails to ban IPs that do occur.
>
> Jail.conf:
> [mysqld-iptables]
> enabled   = true
> banaction = iptables-allports
> port  = 1:65535
> filter= mysqld-auth
> logpath   = /var/log/mysql.warn
> bantime   = 604800
> findtime  = 86400
> maxretry  = 5
>
> mysql.warn (not banned, 148 attempts):
> 2015-12-29  9:58:48 140359785273088 [Warning] Access denied for user
> 'root'@'216.99.157.170' (using password: YES)
>
> fail2ban.log (banned, but does not occur in mysql.warn):
> 2015-12-29 16:32:31,127 fail2ban.actions[8772]: NOTICE
> [mysqld-iptables] Ban 155.94.224.210
>
> Could anybody help me figure out what is going wrong?
>



Re: [Fail2ban-users] fail2ban with firewalld and shorewall

2016-02-03 Thread Bill Shirley

You didn't provide your jail so I'm just guessing:
You should use one of the iptables actions instead of firewallcmd.

For my Shorewall setup, I define my ipsets in /etc/shorewall/init:
ipset -exist create fail2ban-IpPort hash:ip,port timeout 3600
ipset -exist create fail2ban-Ip hash:ip timeout 86400

I don't have 'actionunban' defined; I just let the ipset timeout value expire 
which removes the entry.
/etc/fail2ban/action.d/my_ipset_ip.conf (IP blocking):
[INCLUDES]

before = iptables-blocktype.conf

[Definition]
actioncheck =
actionstart =
actionstop =
actionban = ipset add fail2ban-<name> <ip> timeout <my_timeout> -exist
#actionunban = ipset del fail2ban-<name> <ip> -exist
actionunban =

[Init]
name = Ip
port = ssh
protocol = tcp
my_timeout = 3600

/etc/fail2ban/action.d/my_ipset_ipport.conf (IP and port blocking):
[INCLUDES]

before = iptables-blocktype.conf

[Definition]
actioncheck =
actionstart =
actionstop =
actionban = ipset add fail2ban-<name> <ip>,<protocol>:<port> timeout <my_timeout> -exist
#actionunban = ipset del fail2ban-<name> <ip>,<protocol>:<port> -exist
actionunban =

[Init]
name = IpPort
port = http
protocol = tcp
my_timeout = 3600

and a jail.local entry:
[postfix-sasl]
#enabled= false
enabled = true
filter  = sasl
action  = my_ipset_ipport[port=smtp, my_timeout=14400]
  my_ipset_ipport2[port=smtps, my_timeout=14400]
  my_ipset_ipport3[port=submission, my_timeout=14400]
logpath = /var/log/maillog
maxretry= 2
bantime = 60
findtime= 7200

Note that my_ipset_ipport{2,3} are symlinks to my_ipset_ipport since fail2ban won't repeat an action.
Also, with a short 'bantime' if an attacker keeps banging the port, he'll just keep resetting the
timeout back to 'my_timeout'.



I have two additional ipsets for Shorewall's use:
ipset -exist create IpPort3600 hash:ip,port timeout 3600
ipset -exist create IpOneDay hash:ip timeout 86400

/etc/shorewall/rules:
DROP    inet:+IpPort3600[src,dst]   fw
DROP    inet:+IpOneDay[src,dst]     fw
ADD(+IpPort3600:src,dst):info:ADD,IpPort3600   inet   fw   tcp,udp   domain
ADD(+IpOneDay:src):info:ADD,IpOneDay           inet   fw   tcp       ftp,sftp,ssh,telnet,telnets,exec,login,shell
ADD(+IpOneDay:src):info:ADD,IpOneDay           inet   fw   tcp       mysql
ADD(+IpOneDay:src):info:ADD,IpOneDay           inet   fw   udp       http,https          # no such udp service
ADD(+IpOneDay:src):info:ADD,IpOneDay           inet   fw   tcp       8080,8443
ADD(+IpOneDay:src):info:ADD,IpOneDay           inet   fw   tcp       5900                # vnc
ADD(+IpOneDay:src):info:ADD,IpOneDay           inet   fw   tcp,udp   ms-sql-s,ms-sql-m
ADD(+IpOneDay:src):info:ADD,IpOneDay           inet   fw   tcp       3389                # rdp
DROP    inet:+IpPort3600[src,dst]   fw
DROP    inet:+IpOneDay[src,dst]     fw

Attackers get logged once and thereafter are silently dropped until their 
timeout is reached.

HTH,
Bill

On 2/2/2016 10:31 AM, Alex wrote:

Hi,
I'm receiving a ton of attempts to reach services on my network for
hosts and/or services that don't exist, presumably in an attempt to
compromise those services.

It's at the point where it's consuming a sizable amount of bandwidth.

I've tried to write a fail2ban rule on the firewall, which also has
shorewall installed, but it won't start because I don't have firewalld
also running.

Is it possible to use fail2ban without firewalld? I don't need
firewalld running on a host where there is already shorewall running.

firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp -m
multiport --dports domain -m set --match-set fail2ban-firewall src -j
REJECT --reject-with icmp-port-unreachable -- returned 252
2016-02-02 10:25:32,258 fail2ban.actions[23608]: ERROR
Failed to start jail 'firewall' action 'firewallcmd-ipset': Error
starting action

Thanks,
Alex



Re: [Fail2ban-users] Huge ipset reboot problem?

2016-02-11 Thread Bill Shirley
Try using an empty actionunban in your action and set the bantime = 60 in your jail.  This way fail2ban thinks it's unbanning
after a minute.  fail2ban shutdown should be quick.

Bill

On 2/11/2016 5:15 AM, Charles Bradshaw wrote:
> Hello list,
>
> I am running fail2ban.noarch 0.9.3-1.el6.1 as installed from the CentOS
> repository.
>
> I have one ipset jail which over time has accumulated more than 17000
> permanent bans. This is causing a severe problem during restarts.
> (obviously!)
>
> First it would take many hours to shut down fail2ban gracefully the
> solution is to force a power down. This leaves the ipset intact.
>
> Next when the fail2ban server restarts it takes a similar many hours for
> the server to redundantly restore the bans from the database to the
> already intact ipset.
>
> This is a ridiculous process! The whole purpose of ipsets is to efficiently
> hold vast numbers of blocked IPs.
>
> The most important problem here is fail2ban is preventing fast clean
> shutdowns. Understand 17000 bans is nothing! an ipset can efficiently
> hold > 65K, under which circumstances the shutdown and restart delays
> would extend to weeks!! The startup delay is not a severe problem except
> that 17000 emails and all the disk activity is a total pain in the ass.
>
> So the question is: how to turn off fail2ban gracefully without these
> ridiculous delays.
>
> Also note when fail2ban shuts down the ipset entries in iptables do not
> get deleted, but that's another story.
>
> Thanks in advance, Charles Bradshaw
>


Re: [Fail2ban-users] Huge ipset reboot problem?

2016-02-11 Thread Bill Shirley

When you said:

This leaves the ipset intact.

I made the assumption, maybe incorrectly, that you were saving your ipset with some utility on shutdown and restoring after
a re-boot.


If that IS the case then change your jail to:
bantime = 60

and make actionunban empty in your .local action:
#actionunban = ipset -exist del fail2ban-<name> <ip>
actionunban =

fail2ban will ban the IP address and in one minute it will unban it.  However, with actionunban being empty, the IP address will 
not be removed from the ipset.  So now fail2ban thinks very few, if any, addresses are banned.  With very few addresses to 
'remove', shutdown should be quick.


Bill


On 2/11/2016 7:03 PM, Charles Bradshaw wrote:

Thanks Bill,

Sorry I'm being a bit dim. Do you mean to temporarily modify the
actionban in /etc/fail2ban/action.d/myaction.conf before the shutdown?
How does that affect the shutdown? I can see how it affects the restart
but eh.. no action actionban no bans at all after restart!

Surely deleting the actionstop clause altogether, thus preventing
deletion of the ipset and a modified actionstart to do nothing if the
ipset already exists. Then neither start nor stop take time.

I see the new sqlite behavior, but then where is the reference to dbfile
forcing all the bans into /var/lib/fail2ban/fail2ban.sqlite3 it is not
in my fail2ban.conf! If its use is default behaviour how do I disable
it?

On Thu, 2016-02-11 at 12:19 -0500, Bill Shirley wrote:

Try using an empty actionunban in your action and set the bantime = 60 in your 
jail.  This way fail2ban thinks it's unbanning
after a minute.  fail2ban shutdown should be quick.

Bill

On 2/11/2016 5:15 AM, Charles Bradshaw wrote:

Hello list,

I am running fail2ban.noarch 0.9.3-1.el6.1 as installed from the CentOS
repository.

I have one ipset jail which over time has accumulated more than 17000
permanent bans. This is causing a severe problem during restarts.
(obviously!)

First it would take many hours to shut down fail2ban gracefully the
solution is to force a power down. This leaves the ipset intact.

Next when the fail2ban server restarts it takes a similar many hours for
the server to redundantly restore the bans from the database to the
already intact ipset.

This is a ridiculous process! The whole purpose of ipsets is to efficiently
hold vast numbers of blocked IPs.

The most important problem here is fail2ban is preventing fast clean
shutdowns. Understand 17000 bans is nothing! an ipset can efficiently
hold > 65K, under which circumstances the shutdown and restart delays
would extend to weeks!! The startup delay is not a severe problem except
that 17000 emails and all the disk activity is a total pain in the ass.

So the question is: how to turn off fail2ban gracefully without these
ridiculous delays.

Also note when fail2ban shuts down the ipset entries in iptables do not
get deleted, but that's another story.

Thanks in advance, Charles Bradshaw












Re: [Fail2ban-users] Huge ipset reboot problem?

2016-02-12 Thread Bill Shirley
In response to Charles:
For #2, after you empty actionunban, write a script to iterate thru your ipset 
and for each IP issue:
fail2ban-client set <jail> unbanip <ip>
now fail2ban forgets about them and since actionunban is empty they're still in 
the ipset.  No duplicate data.

For #3, some admins don't save on shutdown nor restore on boot their ipset.  I 
don't.  I just let
the system build it from scratch.

For Tom and all:
I too use Shorewall.  I actually create my ipsets with a timeout:
ipset -exist create fail2ban-Ip hash:ip timeout 86400

# --
my action:
[INCLUDES]

before = iptables-blocktype.conf


[Definition]
# start, stop, et. al. handled by Shorewall
actioncheck =
actionstart =
actionstop =
actionban = ipset -exist add fail2ban-<name> <ip> timeout <my_timeout>
#actionunban = ipset -exist del fail2ban-<name> <ip>
actionunban =

[Init]
name = Ip
my_timeout = 3600


# --
my jail:
[ProFTP]
#enabled= false
enabled = true
filter  = proftpd
action  = my_ipset_ip[my_timeout=86400]
logpath = /var/log/proftpd/system.log
maxretry= 3
findtime= 7200
bantime = 60

Note: an ipset timeout value of zero IS a permanent ban (man ipset).  Change
<my_timeout> as needed in each jail.

Bill


On 2/12/2016 9:16 AM, Tom Hendrikx wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> Hi,
>
> Maybe an interesting side note: fail2ban is built to quickly ban *and*
> unban problematic ip addresses. The whole nature of fail2ban is (IMHO)
> in the fact that it automatically unbans ip addresses after a while.
>
> However, you state that you have a list of 17000 ip addresses that are
> permanently banned. There is no reason to have fail2ban maintain this
> list. I fixed this by having an action in f2b that sent the addresses to
> the shorewall blacklist (which IS devised for perm bans). An empty unban
> action and irrelevant unban time complete the setup.
>
>
> You can replace shorewall with any other solution you like, of course.
> But keeping the perm bans in f2b is IMHO simply using the wrong tool
> for the job.
>
> Regards,
>   Tom
>
> On 12-02-16 14:49, Charles Bradshaw wrote:
>> Bill,
>>
>> Sorry again, I actually misread your first reply. I read
>> actionban instead of actionunban.
>>
>> I am indeed saving and restoring the ipset. At least, that's what I
>> used to do until I found fail2ban taking hours to shutdown. Last
>> time I hit the boot button after about an hour with the result that
>> the ipset was left intact. ipset has built in and well documented
>> method for backup and restore.
>>
>> While I understand your proposed method and see how it would work,
>> I make the following observations:
>>
>> 1 - Your method has a certain pragmatic elegance, but is devious
>> and will certainly confuse the uninitiated!
>>
>> 2 - I can see how your method will work if implemented from square
>> one, but what about the 17000 odds IP which have been previously
>> banned with a ban time of forever? I've been running the particular
>> jail with bantime = -1 for well over a year now.
>>
>> 3 - Why store anything at all in an external database. Ipsets are
>> just that, a highly efficient linked to iptables database. The
>> botnet problem is increasing rapidly. Today I'm seeing 8/hour
>> originally it was 2 or 3. In the meantime > 17000 IP have been
>> permanently banned. That says there are botnets out there with
>> orders more than 1 infected machines! We know not when this
>> will, in effect, escalate to Denial of Service! Several hours to
>> shutdown is a kind of DNS!
>>
>> Back on a pragmatic front, storing and manipulating vast amounts
>> of duplicate data is simply not good practice. If you look out
>> there you will find much discussion on the subject of how to unban
>> the inadvertently banned. I might be wrong, but I suspect because
>> sqlite permanent banning was implemented without due consideration
>> of the consequences on existing installations.
>>
>> I think what I really need to understand now is; how does fail2ban
>> 'think' an IP is banned or not. Where is the database? When is it
>> written/read? In what version of fail2ban did sqlite get
>> implemented. At present my /var/lib/fail2ban/fail2ban.sqlite3 has
>> 7.9MB of entries.
>>
>> I ask again how do I turn sqlite activity off? Just point me at
>> the documentation.
>>
>> Charles Bradshaw
>>
>> On Thu, 2016-02-11 at 22:31 -0500, Bill Shirley wrote:
>>> When 

Re: [Fail2ban-users] Huge ipset reboot problem?

2016-02-12 Thread Bill Shirley
Or easier for #2:
[1:root@elmo dns]$ cat /etc/redhat-release
Fedora release 22 (Twenty Two)
[1:root@elmo dns]$ ls /var/lib/fail2ban/
fail2ban.sqlite3

Rename that puppy.

Bill

On 2/12/2016 6:15 PM, Bill Shirley wrote:
> In response to Charles:
> For #2, after you empty actionunban, write a script to iterate thru your 
> ipset and for each IP issue:
> fail2ban-client set <jail> unbanip <ip>
> now fail2ban forgets about them and since actionunban is empty they're still 
> in the ipset.  No duplicate data.
>
> For #3, some admins don't save on shutdown nor restore on boot their ipset.  
> I don't.  I just let
> the system build it from scratch.
>
> For Tom and all:
> I too use Shorewall.  I actually create my ipsets with a timeout:
> ipset -exist create fail2ban-Ip hash:ip timeout 86400
>
> # 
> --
> my action:
> [INCLUDES]
>
> before = iptables-blocktype.conf
>
>
> [Definition]
> # start, stop, et. al. handled by Shorewall
> actioncheck =
> actionstart =
> actionstop =
> actionban = ipset -exist add fail2ban-<name> <ip> timeout <my_timeout>
> #actionunban = ipset -exist del fail2ban-<name> <ip>
> actionunban =
>
> [Init]
> name = Ip
> my_timeout = 3600
>
>
> # 
> --
> my jail:
> [ProFTP]
> #enabled= false
> enabled = true
> filter  = proftpd
> action  = my_ipset_ip[my_timeout=86400]
> logpath = /var/log/proftpd/system.log
> maxretry= 3
> findtime= 7200
> bantime = 60
>
> Note: an ipset timeout value of zero IS a permanent ban (man ipset).  Change
> <my_timeout> as needed in each jail.
>
> Bill
>



Re: [Fail2ban-users] fail2ban seems to delete my NAT Firewall rules

2016-04-07 Thread Bill Shirley

As far as I know, fail2ban never "reloads" the firewall rules. fail2ban just 
manages its chains.  Perhaps there's something
in the "load-balancer" doing this.

You should list your action rules and jail.

-> I have a startup script, that sets the Firewall NAT rules on every startup 
of the system in RC4.

iptables defaults to -t filter, which is what you're including here.  You should be using -t nat if you think it's changing the NAT
rules.


Bill

On 4/7/2016 7:33 AM, Alexander R. Gruber wrote:

Thank you Steve, for your answer.

To your questions:


How do you have the load balanced rules set? are they persistent in a
file that is always run from server start up?

-> I have a startup script, that sets the Firewall NAT rules on every startup 
of the system in RC4.

Every few hours f2b reloads the Firewall rules from its database (according to 
the log) and when that happens the NAT rules vanish from my server - leading to 
a STOP in service, as the loadbalancing breaks.

The time this happens is every few hours and always goes hand in hand with the time in 
the f2b log where the system does the before mentioned process of "resetting" 
and loading stuff from its database.
So I have a strong bias towards f2b being the "culprit" as this is the only 
process that fiddles around with the IPtables in the first instance.

I also noticed very strange things:


2016-04-07 13:22:19,849 fail2ban.filter [3526]: INFO    [ssh] Found 183.3.202.xxx
2016-04-07 13:22:20,294 fail2ban.actions [3526]: NOTICE  [sshd] 183.3.202.200 already banned
2016-04-07 13:22:21,836 fail2ban.filter [3526]: INFO    [ssh] Found 183.3.202.xxx
2016-04-07 13:22:21,837 fail2ban.filter [3526]: INFO    [sshd] Found 183.3.202.xxx
2016-04-07 13:22:28,687 fail2ban.filter [3526]: INFO    [sshd] Found 183.3.202.xxx
2016-04-07 13:22:28,688 fail2ban.filter [3526]: INFO    [ssh] Found 183.3.202.xxx
2016-04-07 13:22:30,912 fail2ban.filter [3526]: INFO    [ssh] Found 183.3.202.xxx
2016-04-07 13:22:30,913 fail2ban.filter [3526]: INFO    [sshd] Found 183.3.202.xxx
2016-04-07 13:22:31,306 fail2ban.actions [3526]: NOTICE  [sshd] 183.3.202.xxx already banned
2016-04-07 13:22:31,857 fail2ban.actions [3526]: NOTICE  [ssh] 183.3.202.xxx already banned
2016-04-07 13:22:42,443 fail2ban.filter [3526]: INFO    [sshd] Found 183.3.202.xxx
2016-04-07 13:22:42,445 fail2ban.filter [3526]: INFO    [ssh] Found 183.3.202.xxx
2016-04-07 13:22:44,260 fail2ban.filter [3526]: INFO    [sshd] Found 183.3.202.xxx
2016-04-07 13:22:44,260 fail2ban.filter [3526]: INFO    [ssh] Found 183.3.202.xxx
2016-04-07 13:22:50,860 fail2ban.filter [3526]: INFO    [sshd] Found 183.3.202.xxx
2016-04-07 13:22:50,861 fail2ban.filter [3526]: INFO    [ssh] Found 183.3.202.xxx
2016-04-07 13:22:51,329 fail2ban.actions [3526]: NOTICE  [sshd] 183.3.202.xxx already banned
2016-04-07 13:22:53,105 fail2ban.filter [3526]: INFO    [sshd] Found 183.3.202.xxx
2016-04-07 13:22:53,106 fail2ban.filter [3526]: INFO    [ssh] Found 183.3.202.xxx
2016-04-07 13:23:00,356 fail2ban.filter [3526]: INFO    [ssh] Found 183.3.202.xxx
2016-04-07 13:23:00,358 fail2ban.filter [3526]: INFO    [sshd] Found 183.3.202.xxx
2016-04-07 13:23:01,974 fail2ban.filter [3526]: INFO    [ssh] Found 183.3.202.xxx
2016-04-07 13:23:01,975 fail2ban.filter [3526]: INFO    [sshd] Found 183.3.202.xxx
2016-04-07 13:23:02,342 fail2ban.actions [3526]: NOTICE  [sshd] 183.3.202.xxx already banned
2016-04-07 13:23:02,893 fail2ban.actions [3526]: NOTICE  [ssh] 183.3.202.xxx already banned
root@xxx:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source   destination

Chain FORWARD (policy ACCEPT)
target prot opt source   destination

Chain OUTPUT (policy ACCEPT)
target prot opt source   destination
root@bmn1:~# sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source   destination

Chain FORWARD (policy ACCEPT)
target prot opt source   destination

Chain OUTPUT (policy ACCEPT)
target prot opt source   destination

The chain rules seem to be empty ...

root@xxx:~# service fail2ban restart
   * Restarting authentication failure monitor fail2ban
root@xxx:~# iptables -n -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
f2b-hn-apache-retry-ban  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
f2b-apache  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
f2b-ssh    tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 22
f2b-php-url-fopen  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
f2b-apache-nohome  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
f2b-apache-overflows  tcp  -
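A way to check Bill's point in this thread, as an added example that is not fail2ban's code and not from the thread: take an `iptables-save` dump before the next scheduled fail2ban reload and one after, then compare them table by table. The script separates rules that belong to fail2ban (rules in, or jumping to, chains prefixed `f2b-` or `fail2ban-`, which the stock iptables actions create in the filter table) from everything else, so a NAT rule that disappears shows up as something no fail2ban action touched. The two dumps embedded here are constructed for the example; the DNAT targets, ports, interface and addresses are placeholders, not Alexander's configuration.

```python
import sys

FAIL2BAN_PREFIXES = ("f2b-", "fail2ban-")

# Constructed iptables-save dump from before the event: NAT load balancing plus a fail2ban chain.
# DNAT targets, ports, interface and addresses are placeholders.
BEFORE = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 10.0.0.11:80
-A PREROUTING -p tcp --dport 443 -j DNAT --to-destination 10.0.0.12:443
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:f2b-sshd - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A f2b-sshd -s 183.3.202.200/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -j RETURN
COMMIT
"""

# Constructed dump from after the event: NAT table emptied, fail2ban chain recreated without the ban.
AFTER = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:f2b-sshd - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A f2b-sshd -j RETURN
COMMIT
"""

def parse_iptables_save(dump):
    """{table: {chain: [rule lines]}}; chains declared with ':' are present even when empty."""
    tables, table = {}, None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            table = line[1:]
            tables.setdefault(table, {})
        elif line == "COMMIT":
            table = None
        elif line.startswith(":"):
            tables[table].setdefault(line[1:].split()[0], [])
        elif line.startswith("-A "):
            tables[table].setdefault(line.split()[1], []).append(line)
    return tables

def is_fail2ban_rule(rule):
    """A rule is fail2ban's if it sits in, or jumps to, an f2b-/fail2ban- chain."""
    words = rule.split()
    target = words[words.index("-j") + 1] if "-j" in words else ""
    return words[1].startswith(FAIL2BAN_PREFIXES) or target.startswith(FAIL2BAN_PREFIXES)

def fail2ban_chains(tables):
    """{table: sorted chains created by fail2ban}."""
    return {t: sorted(c for c in chains if c.startswith(FAIL2BAN_PREFIXES))
            for t, chains in tables.items()}

def missing_rules(before, after):
    """{table: [rules present before and absent after]}; tables with nothing lost are omitted."""
    lost = {}
    for table, chains in before.items():
        after_chains = after.get(table, {})
        gone = [r for chain, rules in chains.items() for r in rules
                if r not in after_chains.get(chain, [])]
        if gone:
            lost[table] = gone
    return lost

def lost_outside_fail2ban(before, after):
    """Rules that vanished although fail2ban neither owns their chain nor jumps from them."""
    result = {}
    for table, rules in missing_rules(before, after).items():
        foreign = [r for r in rules if not is_fail2ban_rule(r)]
        if foreign:
            result[table] = foreign
    return result

def report(before_dump, after_dump):
    """Summary lines: where fail2ban's chains live, and what disappeared that is not fail2ban's."""
    before, after = parse_iptables_save(before_dump), parse_iptables_save(after_dump)
    lines = ["%s: fail2ban chains %s" % (t, c or "none") for t, c in fail2ban_chains(before).items()]
    for table, rules in lost_outside_fail2ban(before, after).items():
        lines.append("%s: %d rule(s) lost that fail2ban does not manage:" % (table, len(rules)))
        lines.extend("  " + r for r in rules)
    return lines

if __name__ == "__main__":
    # usage: python3 this.py before.txt after.txt (falls back to the constructed dumps)
    dumps = [open(p).read() for p in sys.argv[1:3]] if len(sys.argv) == 3 else [BEFORE, AFTER]
    print("\n".join(report(*dumps)))
```

On a live box, `iptables-save > before.txt` and `iptables-save > after.txt` around the time the log shows fail2ban restoring its bans give the two inputs; plain `iptables -L` only shows the filter table, which is the point Bill makes about `-t nat`.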

Re: [Fail2ban-users] what's the current state of bantime for ipset actions in jails vs confs?

2016-04-09 Thread Bill Shirley

It doesn't really matter what the default timeout is if you send the value from 
the jail:
actionban = ipset -exist add fail2ban-<name> <ip> timeout <my_timeout>

[Init]
name = Ip
my_timeout = 3600

jail:
[sshd]
action  = my_ipset_ip[my_timeout=86400]

[sshd-2]
action  = my_ipset_ip[my_timeout=12345]

Bill

On 4/8/2016 1:11 PM, jaso...@mail-central.com wrote:


On Fri, Apr 8, 2016, at 09:58 AM, Nick Howitt wrote:

  Can you set your ipset set with a default timeout? It is a supported
  parameter. This is only a workaround.

Sure.  In the current action already is for example

actionstart = if ! ipset -quiet -name list f2b-<name> >/dev/null;
              then ipset -quiet -exist create f2b-<name> hash:ip timeout <bantime>;
              fi

Atm I can create/clone multiple ipset actions for different bantimes, but that 
just seems a waste.

Ideally I want to be able to reuse the same action, spec'ing the jails in 
.local, for example

[my-jail-1]
enabled = true
maxretry = 3
findtime = %(oneweek)s
bantime = %(onemonth)s
filter = my-filter-1
action   = an-ipset-action...

[my-jail-2]
enabled = true
maxretry = 10
findtime = %(onehour)s
bantime = %(oneday)s
filter = my-filter-2
action   = an-ipset-action...


I'm having a hard time understanding why there's not a consistent approach to 
this.  Clearly other folks have been asking the same question.

If there's an answer, I didn't find it yet.

Jason

--
Find and fix application performance issues faster with Applications Manager
Applications Manager provides deep performance insights into multiple tiers of
your business applications. It resolves application problems quickly and
reduces your MTTR. Get your free trial! http://pubads.g.doubleclick.net/
gampad/clk?id=1444514301&iu=/ca-pub-7940484522588532
___
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users




Re: [Fail2ban-users] what's the current state of bantime for ipset actions in jails vs confs?

2016-04-09 Thread Bill Shirley

Yes, however you must include the 'actionban':
[Definition]
.
.
actionban = ipset -exist add fail2ban-<name> <ip> timeout <my_timeout>

[Init]
name = Ip
my_timeout = 3600

Bill



On 4/9/2016 12:48 PM, jaso...@mail-central.com wrote:


On Sat, Apr 9, 2016, at 09:41 AM, Bill Shirley wrote:

It doesn't really matter what the default timeout is if you send the value from 
the jail:
actionban = ipset -exist add fail2ban-<name> <ip> timeout <my_timeout>

[Init]
name = Ip
my_timeout = 3600

jail:
[sshd]
action  = my_ipset_ip[my_timeout=86400]

[sshd-2]
action  = my_ipset_ip[my_timeout=12345]


Huh.  I thought I tried that^ and it didn't work.  Re-examining ...

To be clear,


[Init]
name = Ip
my_timeout = 3600

goes in the ACTION, my_ipset_ip.conf

and


jail:
[sshd]
action  = my_ipset_ip[my_timeout=86400]

[sshd-2]
action  = my_ipset_ip[my_timeout=12345]

in the jail.local, right?

Jason





Re: [Fail2ban-users] jail.d/ 'time vairabl alias' file complains about "File contains no section headers." ?

2016-04-09 Thread Bill Shirley

Probably either [INCLUDES] or [DEFAULT].  Look at your jail.{conf,local}, it's 
divided into sections

[0:root@elmo fail2ban]$ grep -E '^\[' jail.local
[INCLUDES]
[DEFAULT]
[my_test]
[sshd]
[apache-auth]
[apache-noscript]
[apache-overflows]
[apache-wp-login]
[ProFTP]
[OpenVPN]
[dovecot-secure]
[postfix-sasl]
[postfix]
[post-rbl]


Bill

On 4/9/2016 1:45 PM, jaso...@mail-central.com wrote:

Reading/following

"Handy time variable aliases"

http://www.fail2ban.org/wiki/index.php/Fail2ban:Community_Portal#Handy_time_variable_aliases

I created

cat /etc/fail2ban/jail.d/aliases.conf
one_hour = 3600
one_day = 86400
one_hour = 3600
six_hours = 21600
one_day = 86400
two_days = 172800
one_week = 604800
permanent = -1

But when I exec

fail2ban-client -x start

I get an error

ERROR  Failed during configuration: File contains no section headers.
file: '/etc/fail2ban/jail.d/aliases.conf', line: 1
'one_hour = 3600\n'

What 'section header' is needed here?

Jason
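The header that is missing is the one configparser, which fail2ban's jail reader is built on, requires before any key; under [DEFAULT] the aliases become visible to every jail through %(alias)s interpolation. The following is an added example, not fail2ban's own code and not from the thread: it feeds the headerless file and the corrected one through Python's configparser the way fail2ban's jail reader will see them. File contents are constructed inline rather than read from /etc/fail2ban, and it assumes that fail2ban merges jail.conf, jail.d/*.conf and jail.local into one parser, so a [DEFAULT] section in a jail.d file applies to jails defined elsewhere.

```python
import configparser

# Constructed: the jail.d/aliases.conf from the thread, with no section header.
BROKEN_ALIASES = """\
one_hour = 3600
six_hours = 21600
one_day = 86400
two_days = 172800
one_week = 604800
permanent = -1
"""

# Constructed: the same values under [DEFAULT]; every section inherits DEFAULT.
FIXED_ALIASES = "[DEFAULT]\n" + BROKEN_ALIASES

# Constructed jail.local fragment that refers to the aliases.
JAIL_LOCAL = """\
[sshd]
enabled = true
maxretry = 3
findtime = %(six_hours)s
bantime = %(one_day)s

[postfix-sasl]
enabled = true
bantime = %(permanent)s
"""

def load_jail_config(*fragments):
    """Read fragments into one parser, later ones overriding earlier ones, the way
    fail2ban layers jail.conf, jail.d/*.conf and jail.local.
    Raises configparser.MissingSectionHeaderError for a headerless fragment."""
    cp = configparser.ConfigParser(interpolation=configparser.BasicInterpolation())
    for fragment in fragments:
        cp.read_string(fragment)
    return cp

def missing_section_header(fragment):
    """True when the fragment would produce 'File contains no section headers'."""
    try:
        load_jail_config(fragment)
    except configparser.MissingSectionHeaderError:
        return True
    return False

def resolved_bantimes(cp):
    """{jail: bantime in seconds} after %(alias)s interpolation; -1 is fail2ban's permanent ban."""
    return {jail: cp.getint(jail, "bantime") for jail in cp.sections()}

if __name__ == "__main__":
    print("headerless aliases file rejected:", missing_section_header(BROKEN_ALIASES))
    cp = load_jail_config(FIXED_ALIASES, JAIL_LOCAL)
    for jail, seconds in resolved_bantimes(cp).items():
        print("%-13s bantime=%d findtime=%s"
              % (jail, seconds, cp.get(jail, "findtime", fallback="(default)")))
```

Load order does not matter for the aliases because interpolation happens when a value is read, so aliases.conf can sit in jail.d/ while the jails that use it live in jail.local; what matters is that the file carries a section header, and [DEFAULT] is the one that makes the values visible everywhere.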





Re: [Fail2ban-users] what's the current state of bantime for ipset actions in jails vs confs?

2016-04-09 Thread Bill Shirley

Yes, running the program once beats twice.  Also -exist should work with del. 
You don't need the double
dash in front of 'add' or 'del':
actionban = ipset -exist add fail2ban-<name> <ip>,<protocol>:<port> timeout <my_timeout>

actionunban = ipset -exist del fail2ban-<name> <ip>,<protocol>:<port>

Bill

On 4/9/2016 2:19 PM, Nick Howitt wrote:

As we seem to have resolution here, just branching slightly o/t.

In iptables-ipset-proto4.conf we have:

actionban = ipset --test f2b-<name> <ip> || ipset --add f2b-<name> <ip>
actionunban = ipset --test f2b-<name> <ip> && ipset --del f2b-<name> <ip>


Would it be better to use ipset's own built-in parameters -q/-quiet and 
-!/-exist to give:

actionban = ipset -exist --add f2b-<name> <ip>
actionunban = ipset -quiet --del f2b-<name> <ip>


That way, action unban quietly fails when adding and deleting records and there 
is no need to do the --test.

In a similar way actionstart should possibly have an -exist for the case where f2b has been ended without allowing it to 
destroy the set.


Regards,
Nick

On 09/04/2016 18:07, Bill Shirley wrote:

Yes, however you must include the 'actionban':
[Definition]
.
.
actionban = ipset -exist add fail2ban-<name> <ip> timeout <my_timeout>

[Init]
name = Ip
my_timeout = 3600

Bill



On 4/9/2016 12:48 PM, jaso...@mail-central.com wrote:

On Sat, Apr 9, 2016, at 09:41 AM, Bill Shirley wrote:

It doesn't really matter what the default timeout is if you send the value from 
the jail:
actionban = ipset -exist add fail2ban-<name> <ip> timeout <my_timeout>

[Init]
name = Ip
my_timeout = 3600

jail:
[sshd]
action  = my_ipset_ip[my_timeout=86400]

[sshd-2]
action  = my_ipset_ip[my_timeout=12345]


Huh.  I thought I tried that^ and it didn't work.  Re-examining ...

To be clear,


[Init]
name = Ip
my_timeout = 3600

goes in the ACTION, my_ipset_ip.conf

and


jail:
[sshd]
action  = my_ipset_ip[my_timeout=86400]

[sshd-2]
action  = my_ipset_ip[my_timeout=12345]

in the jail.local, right?

Jason
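To make the override order Jason asks about explicit: values in the action file's [Init] are defaults, parameters on the jail's action line (my_ipset_ip[my_timeout=86400]) replace them, and <ip> is filled in for each ban. What follows is an added example written for this page, a toy re-implementation of that substitution and not fail2ban's own code; it assumes Bill's action and jail lines and a few constructed inputs. Real fail2ban also exposes the jail's bantime to actions as <bantime>, but in this thread the ipset timeout is deliberately driven by my_timeout while bantime stays at 60.

```python
import re

# Constructed from Bill's action.d/my_ipset_ip.conf, reduced to the two sections the substitution needs.
ACTION_FILE = {
    "Definition": {
        "actionban": "ipset -exist add fail2ban-<name> <ip> timeout <my_timeout>",
        "actionunban": "",          # empty on purpose: the kernel expires the entry
    },
    "Init": {"name": "Ip", "my_timeout": "3600"},
}

ACTION_SPEC = re.compile(r"^(?P<action>[\w.-]+)(?:\[(?P<params>.*)\])?$")
TAG = re.compile(r"<([A-Za-z_][\w-]*)>")

def parse_action_spec(spec):
    """'my_ipset_ip[my_timeout=86400]' -> ('my_ipset_ip', {'my_timeout': '86400'})."""
    match = ACTION_SPEC.match(spec.strip())
    if not match:
        raise ValueError("bad action spec: %r" % spec)
    params = {}
    if match.group("params"):
        for pair in match.group("params").split(","):
            key, _, value = pair.partition("=")
            params[key.strip()] = value.strip()
    return match.group("action"), params

def substitute_tags(template, tags, max_depth=10):
    """Replace every <tag> from tags, repeatedly so a value may itself contain tags;
    unknown tags are left in place so they stand out in the rendered command."""
    for _ in range(max_depth):
        result = TAG.sub(lambda m: str(tags.get(m.group(1), m.group(0))), template)
        if result == template:
            return result
        template = result
    raise ValueError("tag recursion deeper than %d" % max_depth)

def effective_tags(action_file, jail_spec, ip):
    """[Init] defaults, overridden by the jail's action parameters, plus the per-ban <ip>."""
    _, overrides = parse_action_spec(jail_spec)
    tags = dict(action_file["Init"])
    tags.update(overrides)
    tags["ip"] = ip
    return tags

def render_command(action_file, key, jail_spec, ip):
    """The shell command that would run for key (actionban/actionunban) on one address."""
    template = action_file["Definition"].get(key, "")
    return substitute_tags(template, effective_tags(action_file, jail_spec, ip))

if __name__ == "__main__":
    for spec in ("my_ipset_ip", "my_ipset_ip[my_timeout=86400]", "my_ipset_ip[my_timeout=12345]"):
        print("%-32s -> %s" % (spec, render_command(ACTION_FILE, "actionban", spec, "203.0.113.5")))
    print("actionunban -> %r" % render_command(ACTION_FILE, "actionunban", "my_ipset_ip", "203.0.113.5"))
```

The third case in the test below also overrides name from the jail line, which is how one action file can feed differently named sets (fail2ban-Ip, fail2ban-Port) without the symlink trick.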











Re: [Fail2ban-users] f2b match working, test find lots of matches, but real exec adds only one ip to ipset?

2016-04-11 Thread Bill Shirley
It could be your ignoreip preventing the ban or not enough hits (maxretry)
within findtime.  It also
could be that all those hits are from the same IP address (not likely though).

Post your jail.

Bill

On 4/10/2016 9:36 PM, jaso...@mail-central.com wrote:
> I'm running f2b
>
> I've tested my match-and-populate-ipset config
>
>   fail2ban-regex -vv \
>   /var/log/postfix/postfix.log \
>   /etc/fail2ban/filter.d/my-postfix-ipset.conf
>
> which shows a moderate expected number of matches
>
>   Results
>   ===
>
>   Failregex: 173 total
>   ...
>   Lines: 204773 lines, 0 ignored, 173 matched, 204600 missed
>   [processed in 14.68 sec]
>
>   Missed line(s): too many to print.  Use --print-all-missed to print all 
> 204600 lines
>
>
> When I launch f2b service, running from systemd, I see this is logs
>
>   ...
>   2016-04-10 18:03:31,439 fail2ban.filter [7922]: DEBUG   
> Processing line with time:1460336611.0 and ip:88.199.175.11
>   2016-04-10 18:03:31,439 fail2ban.filter [7922]: INFO
> [my-postfix-ipset] Found 88.199.175.11
>   2016-04-10 18:03:31,439 fail2ban.failmanager[7922]: DEBUG   Total # 
> of detected failures: 68. Current failures from 7 IPs (IP:count): 
> 84.61.149.81:1, 192.94.73.17:1, 88.199.175.11:1, 168.144.32.46:1, 
> 64.90.191.10:1, 80.17.38.39:1, 195.154.82.115:1
>   2016-04-10 18:03:31,439 fail2ban.datedetector   [7922]: DEBUG   Matched 
> time template (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: 
> Year)?
>   2016-04-10 18:03:31,439 fail2ban.datedetector   [7922]: DEBUG   Got 
> time 1460336611.00 for "'Apr 10 18:03:31'" using template (?:DAY )?MON 
> Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
>   2016-04-10 18:03:31,441 fail2ban.datedetector   [7922]: DEBUG   Sorting 
> the template list
>
> and then log output just seems to repeat and endless # of the same date match
>
>   2016-04-10 18:03:31,439 fail2ban.datedetector   [7922]: DEBUG   Got 
> time 1460336611.00 for "'Apr 10 18:03:31'" using template (?:DAY )?MON 
> Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
>
>
> If I check the ipset at this point,
>
>   ipset -L f2b-Ip
>   Name: f2b-Ip
>   Type: hash:ip
>   Revision: 4
>   Header: family inet hashsize 1024 maxelem 65536 timeout 3600
>   Size in memory: 224
>   References: 0
>   Members:
>   88.199.175.11 timeout 604649
>
> I see only ONE ip blocked.  That IP *should* be blocked, but so should lots 
> of others.
>
> I'm not sure what to debug here, since my loglevel=DEBUG logs just stop.
>
> Any help on how to start to find the problem?
>
> Jason
>




Re: [Fail2ban-users] f2b match working, test find lots of matches, but real exec adds only one ip to ipset?

2016-04-11 Thread Bill Shirley

I don't see anything wrong except you're not using your ipset from Shorewall:

ipset -L f2b-Ip
Name: f2b-Ip
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 3600
Size in memory: 224
References: 0
Members:
88.199.175.11 timeout 604649


References=0 says nothing in iptables is using this ipset.

On fail2ban start/restart with bantime=60, looks like fail2ban sees that these 
entries don't need to be banned
because 60 seconds have already passed.  Try:
temporarily changing bantime=604800 in [postfix-ipset]
fail2ban-client reload postfix-ipset

It should populate your ipset.

Bill

On 4/11/2016 1:48 PM, jaso...@mail-central.com wrote:

On Mon, Apr 11, 2016, at 10:32 AM, Bill Shirley wrote:

It could be your ignoreip preventing the ban or not enough hits (maxretry) 
within findtime.  It also
could be that all those hits are from the same IP address (not likely thought).

iiuc, ignoreip whitelists ONLY the ips it lists.

my ignoreip lists only my internal & external IPs.

and wouldn't a bad ignoreip= prevent all matches?

the 'problem' exists even with maxretry=1; though there are definitely enough hits
in any case

and no, those hits come from 10+ addresses.


Post your jail.

cat jail.local
[DEFAULT]
enabled = false
destemail = exampl...@example.com
sender = fail2...@example.com
ignoreip = 127.0.0.1/8 10.15.1.0/24 10.15.2.0/24 XX.XX.XX.XX
ignorecommand =
maxretry = 3
bantime  = %(one_hour)s
findtime = %(six_hours)s
filter = %(__name__)s
action = %(action_mwl)s
backend = auto
usedns = warn
logencoding = utf-8
mta = sendmail
protocol = tcp
chain = INPUT

[postfix-ipset]
enabled = true
logpath = /var/log/postfix/postfix.log
maxretry = 1
findtime = %(one_week)s
bantime = 60
filter = my-ipset
action   = postfix-ipset[expiretime=%(one_week)s]

cat action.d/postfix-ipset.conf
[INCLUDES]
before = iptables-common.conf

[Definition]
actioncheck =
actionstart =
actionstop =
actionban = ipset -exist add f2b-<name> <ip> timeout <expiretime>
actionunban =

[Init]
name = Ip
expiretime = 3600

Jason


--
Find and fix application performance issues faster with Applications Manager
Applications Manager provides deep performance insights into multiple tiers of
your business applications. It resolves application problems quickly and
reduces your MTTR. Get your free trial!
https://ad.doubleclick.net/ddm/clk/302982198;130105516;z___
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
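Two things Bill points out, in one added script that is not fail2ban's code and not from the threads: first, from this thread, a References count of 0 in `ipset list` means no iptables rule matches on the set, so adds succeed but nothing is blocked; second, from the earlier "Huge ipset reboot problem" thread, a loop that feeds every member of the set to `fail2ban-client set <jail> unbanip <ip>` so fail2ban forgets old permanent bans while an empty actionunban leaves the entries in the set. The `ipset list` output embedded below is constructed in the layout Jason posted; the set name f2b-Ip and jail name postfix-ipset are taken from his configuration, and the unban commands are only printed unless --run is given.

```python
import re
import subprocess
import sys

# Constructed `ipset list` output in the layout shown in the thread (References: 0 kept on purpose).
SAMPLE_IPSET_LIST = """\
Name: f2b-Ip
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 3600
Size in memory: 368
References: 0
Members:
88.199.175.11 timeout 604649
192.0.2.10 timeout 12
198.51.100.7 timeout 0
"""

def parse_ipset_list(text):
    """Split `ipset list <set>` output into a header dict and [(entry, timeout)].

    timeout is None for sets created without timeout support; an explicit 0 means
    the entry never expires (man ipset), which is how a permanent ban looks here.
    """
    header, members, in_members = {}, [], False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if in_members:
            parts = line.split()
            timeout = int(parts[2]) if len(parts) >= 3 and parts[1] == "timeout" else None
            members.append((parts[0], timeout))
        elif line == "Members:":
            in_members = True
        else:
            key, _, value = line.partition(":")
            header[key.strip()] = value.strip()
    return header, members

def set_is_referenced(header):
    """False when no iptables/Shorewall rule matches on the set: adds succeed, nothing is blocked."""
    return int(header.get("References", "0")) > 0

def set_default_timeout(header):
    """Per-set default timeout from the Header line, or None if the set has none."""
    match = re.search(r"\btimeout (\d+)", header.get("Header", ""))
    return int(match.group(1)) if match else None

def permanent_members(members):
    """Entries with timeout 0; these are what a history of 'bantime = -1' leaves behind."""
    return [entry for entry, timeout in members if timeout == 0]

def unban_commands(jail, members):
    """fail2ban-client invocations that drop each address from fail2ban's own state.

    For hash:ip,port sets the entry reads 'ip,proto:port'; fail2ban wants only the ip.
    """
    return [["fail2ban-client", "set", jail, "unbanip", entry.split(",")[0]]
            for entry, _ in members]

def main(argv):
    args = [a for a in argv[1:] if not a.startswith("--")]
    jail = args[0] if args else "postfix-ipset"
    setname = args[1] if len(args) > 1 else "f2b-Ip"
    try:
        text = subprocess.run(["ipset", "list", setname], check=True,
                              capture_output=True, text=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        print("# ipset unavailable, using the constructed sample", file=sys.stderr)
        text = SAMPLE_IPSET_LIST
    header, members = parse_ipset_list(text)
    if not set_is_referenced(header):
        print("# WARNING: References is 0, no firewall rule uses %s" % setname, file=sys.stderr)
    print("# set default timeout: %s, permanent entries: %d"
          % (set_default_timeout(header), len(permanent_members(members))), file=sys.stderr)
    for cmd in unban_commands(jail, members):
        if "--run" in argv:
            subprocess.run(cmd, check=False)   # actionunban is empty, so the ipset entry stays
        else:
            print(" ".join(cmd))

if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python3 this.py postfix-ipset f2b-Ip` to see what it would do, and add `--run` once the jail really has an empty actionunban; with a populated actionunban the same loop would delete the entries from the set as well.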


Re: [Fail2ban-users] f2b match working, test find lots of matches, but real exec adds only one ip to ipset?

2016-04-11 Thread Bill Shirley
Post your filter.

Bill

On 4/11/2016 2:45 PM, jaso...@mail-central.com wrote:
>
> On Mon, Apr 11, 2016, at 11:29 AM, Bill Shirley wrote:
>> I don't see anything wrong except you're not using your ipset from Shorewall:
>>
>> ipset -L f2b-Ip Name: f2b-Ip Type: hash:ip Revision: 4 Header: family inet 
>> hashsize 1024 maxelem 65536 timeout 3600 Size in
>> memory: 224 References: 0 Members: 88.199.175.11 timeout 604649
>>
>> References=0 says nothing in iptables is using this ipset.
> Huh, missed that.
>
> Just rechecked it, and
>
> ipset -L f2b-Ip
>   Name: f2b-Ip
>   Type: hash:ip
>   Revision: 4
>   Header: family inet hashsize 1024 maxelem 65536 timeout 3600
>   Size in memory: 224
>   References: 1
>   Members:
>   88.199.175.11 timeout 584895
>
> So that's different.   No idea what's going on there.
>
>> On fail2ban start/restart with bantime=60, looks like fail2ban sees that 
>> these entries don't need to be banned
>> because 60 seconds have already passed.  Try:
>> temporarily changing bantime=604800 in [postfix-ipset]
>> fail2ban-client reload postfix-ipset
> Changed that, restarted.
>
> I see in log
>
> 2016-04-11 11:42:03,764 fail2ban.actions[1581]: NOTICE  
> [postfix-ipset] Unban 88.199.175.11
> 2016-04-11 11:42:04,018 fail2ban.actions[1581]: NOTICE  
> [postfix-ipset] Ban 88.199.175.11
> 2016-04-11 11:42:32,708 fail2ban.actions[1581]: NOTICE  
> [postfix-ipset] 88.199.175.11 already banned
>
>> It should populate your ipset.
> It does. But still with only that one IP
>
> ipset -L f2b-Ip
>   Name: f2b-Ip
>   Type: hash:ip
>   Revision: 4
>   Header: family inet hashsize 1024 maxelem 65536 timeout 3600
>   Size in memory: 224
>   References: 1
>   Members:
>   88.199.175.11 timeout 604680
>
> Just *love* these gremlins!
>
> Jason


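The check Bill makes above (References: 0 means no iptables rule consults the set, so whatever fail2ban adds to it blocks nothing) is easy to automate. The following is an added example, not code from the thread: it parses text in the format `ipset -L` prints, flags unreferenced sets, and lists members whose timeout is about to expire. The sample output is constructed for the example (documentation addresses); function names are mine.

```python
"""Parse `ipset -L` output, flag sets no iptables rule references, list expiring members.

Added example, not code from the mailing-list thread. Feed it real output with
    ipset -L | python3 ipset_check.py
or run it without stdin to use the constructed sample below.
"""
import re
import sys

# Constructed sample: an orphaned set (References: 0) and a referenced one.
SAMPLE = """\
Name: f2b-Ip
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 3600
Size in memory: 224
References: 0
Members:
88.199.175.11 timeout 604649

Name: fail2ban-postfix
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 3600
Size in memory: 312
References: 1
Members:
203.0.113.7 timeout 3412
203.0.113.9 timeout 12
"""

# A member line: the entry, optionally followed by "timeout <seconds left>".
MEMBER_RE = re.compile(r"^(?P<entry>\S+)(?:\s+timeout\s+(?P<timeout>\d+))?")


def parse_ipset_list(text):
    """Return one dict per set: name, type, header, references, members [(entry, timeout)]."""
    sets = []
    current = None
    in_members = False
    for line in text.splitlines():
        if not line.strip():
            in_members = False          # a blank line separates sets
            continue
        if line.startswith("Name:"):
            current = {"name": line.split(":", 1)[1].strip(), "members": []}
            sets.append(current)
            in_members = False
            continue
        if current is None:
            continue
        if in_members:
            m = MEMBER_RE.match(line.strip())
            if m:
                timeout = m.group("timeout")
                current["members"].append(
                    (m.group("entry"), int(timeout) if timeout is not None else None))
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Members":
            in_members = True
        elif key == "References":
            current["references"] = int(value)
        elif key == "Type":
            current["type"] = value
        elif key == "Header":
            current["header"] = value
    return sets


def unreferenced_sets(sets):
    """Names of sets with References: 0 -- nothing in iptables consults them,
    so entries fail2ban adds there block no traffic."""
    return [s["name"] for s in sets if s.get("references", 0) == 0]


def expiring_members(sets, within_seconds):
    """(set, entry, seconds left) for members whose kernel timeout ends soon;
    members without a timeout never expire and are not listed."""
    out = []
    for s in sets:
        for entry, timeout in s["members"]:
            if timeout is not None and timeout <= within_seconds:
                out.append((s["name"], entry, timeout))
    return out


if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    parsed = parse_ipset_list(text)
    for name in unreferenced_sets(parsed):
        print("WARNING: set %s is not referenced by any iptables rule" % name)
    for name, entry, left in expiring_members(parsed, 60):
        print("%s: %s expires in %ds" % (name, entry, left))
```

Run it after every firewall reload: a Shorewall or iptables restart that recreates rules without the `-m set --match-set` line leaves the set intact but unreferenced, which is exactly the silent failure the thread describes.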


Re: [Fail2ban-users] fail2ban iptables error?

2016-04-26 Thread Bill Shirley

Something clobbered your iptables.  This was recently discussed on this list.

Did you reload your iptables/firewall?

Bill

On 4/25/2016 6:39 PM, Mahir Sayar Txaqo wrote:

Why do you guys think I'm getting this error message?

==> ./fail2ban.log <==
2016-04-25 18:35:30,167 fail2ban.actions: WARNING [wordpress] Ban 192.0.102.45
2016-04-25 18:35:30,182 fail2ban.actions.action: ERROR  iptables -n -L INPUT | grep -q 'fail2ban-default[ \t]' returned 100
2016-04-25 18:35:30,183 fail2ban.actions.action: ERROR  Invariant check failed. Trying to restore a sane environment
2016-04-25 18:35:30,193 fail2ban.actions.action: ERROR  iptables -D INPUT -p tcp -m multiport --dports ssh -j fail2ban-default
iptables -F fail2ban-default
iptables -X fail2ban-default returned 300
2016-04-25 18:35:30,203 fail2ban.actions.action: ERROR  iptables -N fail2ban-default
iptables -A fail2ban-default -j RETURN
iptables -I INPUT -p tcp -m multiport --dports ssh -j fail2ban-default returned 300
2016-04-25 18:35:30,207 fail2ban.actions.action: ERROR  iptables -n -L INPUT | grep -q 'fail2ban-default[ \t]' returned 100
2016-04-25 18:35:30,208 fail2ban.actions.action: CRITICAL Unable to restore environment


--

Mahir Sayar Txaqo
https://about.me/mahirsayar









Re: [Fail2ban-users] How to: add matched line in sended mail

2016-05-17 Thread Bill Shirley
This is more of a job for Simple Event Correlator (SEC):
https://simple-evcorr.github.io/

Bill

On 5/16/2016 11:09 AM, Marcin Mirosław wrote:
> Hi!
> I'd like to use Fail2ban in a slightly different scenario than blocking
> IPs. I'm trying to set up Fail2ban to monitor the rbldnsd log to detect
> a predefined string appearing (this is a private uribl server) and send
> an email to me with the information if such a string appears.
>
> examples of log:
> 1462867150 8.8.8.8 somedomain.uribl A IN: NXDOMAIN/0/95
>
>
> 1455794291 8.8.8.8 otherdomain.uribl A IN: NXDOMAIN/0/88
>
>
> 1455794291 8.8.8.8 anotherdomain.pl A IN: NXDOMAIN/0/92
>
> I'd like to get a notification with the line which matches failregex, to know
> that "otherdomain.uribl" appeared in the log. I'm using the regexp:
> .*\s\s%otherdomain\.uribls\sA\sIN:\sNXDOMAIN/\d/\d\d$
> Maybe I should change the regexp to match <HOST> in the place where
> "otherdomain.uribl" appears? But how do I define both my own regexp and
> <HOST> to match the same string?
> Fail2ban-0.9.3
>
> Thanks for any advice.
>
> Marcin
>
>




Re: [Fail2ban-users] How to: add matched line in sended mail

2016-05-18 Thread Bill Shirley

A little more info since you're interested:
[0:root@elmo ~]$ rpm -qi sec
Name: sec
Version : 2.7.7
Release : 0.fc22
Architecture: noarch
Install Date: Sun 09 Aug 2015 07:28:16 AM EDT
Group   : System Environment/Daemons
Size: 581726
License : GPLv2+
Signature   : RSA/SHA256, Wed 18 Feb 2015 12:59:17 PM EST, Key ID 11adc0948e1431d5
Source RPM  : sec-2.7.7-0.fc22.src.rpm
Build Date  : Wed 18 Feb 2015 08:24:45 AM EST
Build Host  : buildvm-15.phx2.fedoraproject.org
Relocations : (not relocatable)
Packager: Fedora Project
Vendor  : Fedora Project
URL : http://simple-evcorr.sourceforge.net/
Summary : Simple Event Correlator script to filter log file entries
Description :
SEC is a simple event correlation tool that reads lines from files, named
pipes, or standard input, and matches the lines with regular expressions,
Perl subroutines, and other patterns for recognizing input events.
Events are then correlated according to the rules in configuration files,
producing output events by executing user-specified shell commands, by
writing messages to pipes or files, etc.


One of my message configuration files (/etc/sec/dhcp.sec) that adds a DHCP lease
to an ipset to allow thru the firewall:
# mail = /bin/mail instead of /usr/bin/mail for elvis
# Dec 31 11:19:28 elmo dhcpd[20260]: Host:BROTHER-MFC-J61=>BROTHER-MFC-J61  VendorId:(none) MemberOf:(none)  PoolType:(none)  Lease:14400 Ipv4:192.168.4.63  MAC:0:1b:a9:3d:2d:e3 --> STATIC

type=Single
ptype=RegExp
pattern=(?\S+)\s+dhcpd\S+:\s+Host:(?\S+)=\>(?\S+).+ Lease:(?\d+).+Ipv4:(?(\d{1,3}\.){3}\d{1,3}).+MAC:(?\S+)

desc=DHCP lease issued: Server:$+{server_name} Host:$+{DNShost}  Ipv4:$+{ipv4}  Lease:$+{leaseTime} MAC:$+{MAC}
action=shellcmd /usr/sbin/ipset -exist add DHCP4-lease $+{ipv4} timeout $+{leaseTime}


On 5/18/2016 4:46 AM, Marcin Mirosław wrote:

On 17.05.2016 at 16:14, Bill Shirley wrote:

This is more of a job for Simple Event Correlator (SEC):
https://simple-evcorr.github.io/

Hi!
I didn't know this tool. It looks like I should look at SEC more closely.

Thanks!
Marcin



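The SEC rule Bill shows does three things: match the lease line, pull out the lease fields, and hand the address and lease time to `ipset -exist add DHCP4-lease ... timeout ...`. The following is an added example, not Bill's SEC configuration, that performs the same steps in Python on the line layout he quotes, and adds the check a `shellcmd` action should have before a value from a log reaches a command line: the address is validated with the `ipaddress` module (the `\d{1,3}` pattern also accepts octets above 255), and the command is built as an argument list rather than a shell string. The sample lines and the group names (`client_id`, `dns_host`, `lease_time`) are mine.

```python
"""Turn dhcpd lease lines (layout as quoted above) into ipset add commands.

Added example, not Bill's SEC rule. The regex follows the field order of the
quoted dhcpd line; the sample lines below are constructed.
"""
import ipaddress
import re

LEASE_RE = re.compile(
    r"(?P<server_name>\S+)\s+dhcpd\S+:\s+"
    r"Host:(?P<client_id>\S+)=>(?P<dns_host>\S+).+?"
    r"Lease:(?P<lease_time>\d+).+?"
    r"Ipv4:(?P<ipv4>\d{1,3}(?:\.\d{1,3}){3}).+?"
    r"MAC:(?P<mac>\S+)"
)

SET_NAME = "DHCP4-lease"      # ipset name used in the quoted rule

# Constructed sample: a valid lease, a lease whose address has an octet > 255
# (the \d{1,3} pattern alone accepts it), and an unrelated dhcpd line.
SAMPLE_LOG = """\
Dec 31 11:19:28 elmo dhcpd[20260]: Host:printer-1=>printer-1  VendorId:(none) MemberOf:(none)  PoolType:(none)  Lease:14400 Ipv4:192.168.4.63  MAC:0:1b:a9:3d:2d:e3 --> STATIC
Dec 31 11:20:02 elmo dhcpd[20260]: Host:laptop-7=>laptop-7  VendorId:(none) MemberOf:(none)  PoolType:(none)  Lease:600 Ipv4:192.168.4.999  MAC:0:1b:a9:3d:2d:e4 --> DYNAMIC
Dec 31 11:20:05 elmo dhcpd[20260]: DHCPDISCOVER from 00:1b:a9:3d:2d:e5 via eth0
"""


def parse_lease(line):
    """Lease fields as a dict, or None when the line is not a lease record
    or its address is not a valid IPv4 address."""
    m = LEASE_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    try:
        addr = ipaddress.IPv4Address(fields["ipv4"])
    except ipaddress.AddressValueError:
        return None            # matched \d{1,3} but is not an address (e.g. .999)
    fields["ipv4"] = str(addr)
    fields["lease_time"] = int(fields["lease_time"])
    return fields


def ipset_add_command(lease):
    """Argument list for: ipset -exist add DHCP4-lease <ip> timeout <lease seconds>.
    Passing a list to subprocess.run() avoids shell interpretation of log-derived values."""
    return ["/usr/sbin/ipset", "-exist", "add", SET_NAME,
            lease["ipv4"], "timeout", str(lease["lease_time"])]


def commands_for_log(text):
    """One ipset command per valid lease line in the log text."""
    cmds = []
    for line in text.splitlines():
        lease = parse_lease(line)
        if lease:
            cmds.append(ipset_add_command(lease))
    return cmds


if __name__ == "__main__":
    for cmd in commands_for_log(SAMPLE_LOG):
        print(" ".join(cmd))
```

With `timeout` taken from the lease, the kernel drops the entry when the lease would have ended, which mirrors the `-exist` plus `timeout` semantics in the quoted action: renewing a lease refreshes the timeout instead of adding a duplicate.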


Re: [Fail2ban-users] Help with filter apache-noscript...

2016-07-01 Thread Bill Shirley

The filters change from release to release.  They're trying to stay in sync 
with Apache 2.2/2.4 message changes.  You
should post your apache-noscript filter.

Bill

On 6/30/2016 7:49 PM, ad...@redtailbooks.com wrote:

Shouldn't the filter apache-noscript.conf be catching these attempts?

[Wed Jun 22 13:52:33.945066 2016] [:error] [pid 1056] [client 146.185.251.48:40811] script '/var/www/html/xmlrpc.php' not found or unable to stat
[Wed Jun 22 13:54:04.439357 2016] [:error] [pid 1053] [client 146.185.251.48:47395] script '/var/www/html/xmlrpc.php' not found or unable to stat
[Wed Jun 22 13:54:17.453896 2016] [:error] [pid 1349] [client 146.185.251.48:37233] script '/var/www/html/xmlrpc.php' not found or unable to stat
[Wed Jun 22 13:54:37.134533 2016] [:error] [pid 1054] [client 146.185.251.48:58010] script '/var/www/html/xmlrpc.php' not found or unable to stat
[Wed Jun 22 13:54:56.203655 2016] [:error] [pid 1052] [client 146.185.251.48:63348] script '/var/www/html/xmlrpc.php' not found or unable to stat
[Wed Jun 22 13:56:02.705916 2016] [:error] [pid 1056] [client 146.185.251.48:41745] script '/var/www/html/xmlrpc.php' not found or unable to stat
[Wed Jun 22 13:56:32.664866 2016] [:error] [pid 1053] [client 146.185.251.48:50140] script '/var/www/html/xmlrpc.php' not found or unable to stat
[Wed Jun 22 13:56:37.995857 2016] [:error] [pid 1349] [client 146.185.251.48:48235] script '/var/www/html/xmlrpc.php' not found or unable to stat

or similar attempts

[Thu Jun 23 19:57:43.196719 2016] [:error] [pid 1899] [client 37.26.128.179:56834] script '/www/publicHtml/myiphb.php' not found or unable to stat
[Thu Jun 23 19:57:48.851338 2016] [:error] [pid 1900] [client 37.26.128.179:38994] script '/www/publicHtml/myiphd.php' not found or unable to stat
[Thu Jun 23 19:57:54.503360 2016] [:error] [pid 1901] [client 37.26.128.179:46461] script '/www/publicHtml/myiphd.php' not found or unable to stat
[Thu Jun 23 19:58:00.158356 2016] [:error] [pid 1898] [client 37.26.128.179:62273] script '/www/publicHtml/myiphd.php' not found or unable to stat
[Thu Jun 23 19:58:05.591417 2016] [:error] [pid 1897] [client 37.26.128.179:57190] script '/www/publicHtml/myiphd.php' not found or unable to stat
[Thu Jun 23 19:58:06.020256 2016] [:error] [pid 1967] [client 37.26.128.179:61560] script '/www/publicHtml/myiphd.php' not found or unable to stat
[Thu Jun 23 19:58:06.445667 2016] [:error] [pid 1899] [client 37.26.128.179:55832] script '/www/publicHtml/myiphb.php' not found or unable to stat
[Thu Jun 23 19:58:06.870073 2016] [:error] [pid 1900] [client 37.26.128.179:60554] script '/www/publicHtml/myiphc.php' not found or unable to stat


Thanks,
dave

--
Red-Tail Books
204 N Florence St
Casa Grande, Az
520-836-0370






Re: [Fail2ban-users] fail2ban & postfix

2016-08-26 Thread Bill Shirley
My suggestion is: post your fail2ban version, jail, and postfix filter.

Bill


On 8/26/2016 4:33 PM, sebast...@debianfan.de wrote:
> Hi,
>
>
> fail2ban is very effective to stop attacks on the shell accounts.
>
> The regex for postfix (mail.log) seems to be ignored.
>
> I want to stop hosts which produce the following entries in my log files:
>
> Aug 24 22:38:10 debian postfix/smtpd[2123]: NOQUEUE: reject: RCPT from onlinemta58.ccbcjc.com[104.223.236.58]: 550 5.1.1: Recipient address rejected: User unknown in virtual mailbox table; from=  to=  proto=ESMTP helo=
>
> Aug 24 22:40:07 debian postfix/smtpd[2123]: NOQUEUE: reject: RCPT from unknown[95.140.39.34]: 450 4.7.1 Client host rejected: cannot find your hostname, [95.140.39.34]; from=  to=  proto=ESMTP helo=
>
> My regex seems to be wrong :-(
>
> Any suggestions ?
>
> Thx
>
> Sebastian
>
>




Re: [Fail2ban-users] fail2ban & postfix

2016-09-23 Thread Bill Shirley

You have to have <HOST> somewhere in the filter:
failregex = NOQUEUE: reject: RCPT from \S+\[<HOST>\]: .*$
            lost connection after \S+ from (.*)\[<HOST>\]
            reject: (header|body) .* from (.*)\[<HOST>\]
            timeout after \S+ from \S+\[<HOST>\].*$
            warning: Connection rate limit exceeded: .*\[<HOST>\]

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex = NOQUEUE: reject_warning:
              NOQUEUE: reject:.*Greylisted

You can test your filter outside of the fail2ban server with:
fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/postfix.local

Bill


On 9/21/2016 6:28 AM, sebast...@debianfan.de wrote:

Sorry Bill - here are my answers:

fail2ban version 0.8.13

bantime  = 600
findtime = 600
maxretry = 2


[postfix]
enabled  = true
port = smtp,ssmtp,submission
filter   = postfix
logpath  = /var/log/mail.log



_daemon = postfix/smtpd
failregex = warning: (.*)\[\]: SASL LOGIN authentication failed: authentication failure
            reject: RCPT from (.*)\[\]: 554 5.1.1
            reject: RCPT from (.*)\[\]: 450 4.7.1
            reject: RCPT from (.*)\[\]: 554 5.7.1
ignoreregex =






On 26.08.2016 at 22:33, sebast...@debianfan.de wrote:

Hi,


fail2ban is very effective to stop attacks on the shell accounts.

The regex for postfix (mail.log) seems to be ignored.

I want to stop hosts which produce the following entries in my log files:

Aug 24 22:38:10 debian postfix/smtpd[2123]: NOQUEUE: reject: RCPT from onlinemta58.ccbcjc.com[104.223.236.58]: 550 5.1.1: Recipient address rejected: User unknown in virtual mailbox table; from=  to=  proto=ESMTP helo=

Aug 24 22:40:07 debian postfix/smtpd[2123]: NOQUEUE: reject: RCPT from unknown[95.140.39.34]: 450 4.7.1 Client host rejected: cannot find your hostname, [95.140.39.34]; from=  to=  proto=ESMTP helo=

My regex seems to be wrong :-(

Any suggestions ?

Thx

Sebastian






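Both this postfix thread and the apache-noscript thread above come down to the same question: does the failregex match the lines the server actually writes, does it yield a host, and would the jail's findtime/maxretry then ban that host? The following is an added example, not fail2ban's code and not any poster's filter: it does offline what `fail2ban-regex` does (which lines match and which host each match yields) and then applies the findtime/maxretry rule. `<HOST>` is expanded to a named group the way fail2ban does, and a failregex without it is rejected, which is the "No 'host' group" error that appears elsewhere on this page. The postfix patterns follow the quoted filter; the Apache pattern, the log lines (documentation addresses) and all function names are mine.

```python
"""fail2ban-style filter check: failregex with <HOST>, then findtime/maxretry.

Added example, not fail2ban's own code. The log lines below are constructed
in the shape of the ones quoted in the two threads.
"""
import re
from datetime import datetime

# fail2ban substitutes <HOST> with this group (optional IPv4-mapped IPv6 prefix).
HOST_GROUP = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"


def compile_failregex(patterns):
    """Expand <HOST> and compile each pattern; a pattern without it is an error."""
    compiled = []
    for pat in patterns:
        if "<HOST>" not in pat:
            raise ValueError("No 'host' group in %r" % pat)
        compiled.append(re.compile(pat.replace("<HOST>", HOST_GROUP)))
    return compiled


def syslog_time(line, year=2016):
    """Timestamp of a syslog-style line (syslog omits the year; one is assumed)."""
    m = re.match(r"(\w{3} +\d{1,2} \d\d:\d\d:\d\d)", line)
    return datetime.strptime("%d %s" % (year, m.group(1)), "%Y %b %d %H:%M:%S") if m else None


def apache_time(line):
    """Timestamp of an Apache 2.4 error_log line: [Wed Jun 22 13:52:33.945066 2016]."""
    m = re.match(r"\[(\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d)\.\d+ (\d{4})\]", line)
    return datetime.strptime("%s %s" % (m.group(1), m.group(2)), "%a %b %d %H:%M:%S %Y") if m else None


def find_failures(lines, patterns, timefn):
    """(timestamp, host) for each line some failregex matches, as fail2ban-regex reports."""
    regexes = compile_failregex(patterns)
    found = []
    for line in lines:
        for rx in regexes:
            m = rx.search(line)
            if m:
                found.append((timefn(line), m.group("host")))
                break                      # first matching failregex wins
    return found


def hosts_to_ban(failures, findtime, maxretry):
    """Hosts with at least maxretry failures inside a sliding findtime window (seconds)."""
    recent = {}
    banned = set()
    for ts, host in sorted(failures):
        window = [t for t in recent.get(host, []) if (ts - t).total_seconds() <= findtime]
        window.append(ts)
        recent[host] = window
        if len(window) >= maxretry:
            banned.add(host)
    return banned


def run_filter(log_text, patterns, timefn, findtime, maxretry):
    failures = find_failures(log_text.splitlines(), patterns, timefn)
    return failures, hosts_to_ban(failures, findtime, maxretry)


# Constructed postfix lines in the shape of the ones quoted above.
POSTFIX_LOG = """\
Aug 24 22:38:10 debian postfix/smtpd[2123]: NOQUEUE: reject: RCPT from mta.example.net[203.0.113.58]: 550 5.1.1 <nobody@example.org>: Recipient address rejected: User unknown in virtual mailbox table; from=<a@example.net> to=<nobody@example.org> proto=ESMTP helo=<mta.example.net>
Aug 24 22:38:41 debian postfix/smtpd[2123]: NOQUEUE: reject: RCPT from mta.example.net[203.0.113.58]: 550 5.1.1 <other@example.org>: Recipient address rejected: User unknown in virtual mailbox table; from=<a@example.net> to=<other@example.org> proto=ESMTP helo=<mta.example.net>
Aug 24 22:40:07 debian postfix/smtpd[2123]: NOQUEUE: reject: RCPT from unknown[198.51.100.34]: 450 4.7.1 Client host rejected: cannot find your hostname, [198.51.100.34]; from=<b@example.com> to=<c@example.org> proto=ESMTP helo=<x>
Aug 24 22:41:00 debian postfix/smtpd[2124]: connect from mail.example.com[192.0.2.10]
"""
POSTFIX_FAILREGEX = [
    r"NOQUEUE: reject: RCPT from \S+\[<HOST>\]: 550 5\.1\.1",
    r"NOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.7\.1",
]

# Constructed Apache 2.4 lines in the shape of the xmlrpc.php ones quoted above.
APACHE_LOG = """\
[Wed Jun 22 13:52:33.945066 2016] [:error] [pid 1056] [client 192.0.2.48:40811] script '/var/www/html/xmlrpc.php' not found or unable to stat
[Wed Jun 22 13:54:04.439357 2016] [:error] [pid 1053] [client 192.0.2.48:47395] script '/var/www/html/xmlrpc.php' not found or unable to stat
[Wed Jun 22 13:54:17.453896 2016] [:error] [pid 1349] [client 192.0.2.48:37233] script '/var/www/html/xmlrpc.php' not found or unable to stat
[Wed Jun 22 14:30:00.000000 2016] [:error] [pid 1054] [client 192.0.2.77:58010] script '/var/www/html/wp-login.php' not found or unable to stat
"""
# Written for the 2.4 wording "script '...' not found or unable to stat"; a
# pattern written for the older 2.2 wording misses these lines.
APACHE_FAILREGEX = [
    r"\[client <HOST>(:\d{1,5})?\] script '/\S*\.php' not found or unable to stat",
]

if __name__ == "__main__":
    for name, log, rx, tf, ft, mr in (("postfix", POSTFIX_LOG, POSTFIX_FAILREGEX, syslog_time, 600, 2),
                                      ("apache", APACHE_LOG, APACHE_FAILREGEX, apache_time, 600, 3)):
        failures, banned = run_filter(log, rx, tf, ft, mr)
        print(name, "matched", len(failures), "lines; would ban:", sorted(banned))
```

Against a real server, `fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/postfix.local` gives the same match count as `find_failures`; the ban decision is what this script adds, so you can see whether a filter that matches still fails to ban because the hits are spread wider than findtime.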


Re: [Fail2ban-users] fail2ban with firewalld/ipset/iptables

2016-10-06 Thread Bill Shirley

Note: port 587 IS submission
[0:root@apinetstore shorewall]$ grep -e submission -e smtps /etc/services
submission  587/tcp msa # mail message submission
submission  587/udp msa # mail message submission
urd 465/tcp smtps   # URL Rendesvous Directory for SSM / SMTP over SSL (TLS)

You probably want smtp,smtps,submission (25,465,587).
Bill


On 10/5/2016 3:11 AM, Nick Howitt wrote:

Your key is this line:

ipv4 filter INPUT 0 -p tcp -m multiport --dports smtp,587,submission -m
set --match-set fail2ban-postfix src -j REJECT --reject-with
icmp-port-unreachable

It looks very similar to iptables. This rule more or less says block
tcp:25,587,465 for any source IPs which exist in the ipset set
fail2ban-postfix. It is that set which contains the individual IPs
which are being blocked. This means you need to use ipset commands to
see what is being blocked.

Ipset is massively more efficient than individual rules when blocking a
load of IPs. There is probably not much difference in speed when
blocking the odd IP or two. With iptables it takes much more time to
load individual rules than it does to load ipset sets. There is
obviously a trade-off between speed and readability. Individual rules
are slower but more readable. Rules using ipset are faster but less
readable.

Nick



Re: [Fail2ban-users] fail2ban for a range of IPs

2016-12-15 Thread Bill Shirley

You should be able to address this with the INPUT chain of iptables.  Here is 
my smtp entry:
pkts bytes target  prot opt in out source   destination
0 0 ACCEPT  tcp  --  *  * 0.0.0.0/0 0.0.0.0/0 multiport dports 25,465,587 limit: up to 10/min burst 4 mode srcip /* mail - unknown */

If any source IP is over the limit it falls thru to the default policy; for me
it is DROP.

I use Shorewall and the entry in the rules file is:
?COMMENT mail - unknown
ACCEPT  any fw tcp smtp,smtps,submission   { rate=s:smtp:10/min:4 }
This allows a burst of 4 new connections. The burst bucket is recharged at
smtp:10/min, which is one per 6 seconds.

Bill

On 12/15/2016 10:59 PM, pjc...@fastmail.fm wrote:

Sorry, perhaps I answered too quickly...
Fail2ban works when the attacker can be distinguished in some way (other
than rate) from an ordinary person browsing your site.
If these ten hosts aren't attempting a "brute force" or "dictionary"
attack, i.e. if they are doing nothing more than requesting web pages
(at a fast rate), then fail2ban is probably not the right tool.



On Thu, Dec 15, 2016, at 04:04 PM, Grant wrote:

Well I certainly use it to defend from that kind of attack all the time.
Can you give us some idea of the rate (ie: how many requests per
second)? Also, for that kind of attack it's important to be using the
recidive filter. By any chance is it a wordpress site?


How do you do that?

The requests per second were not astronomical but my backend gets
bogged down when handling several requests per second over a sustained
period of time.

I am using the recidive filter.

It is not a Wordpress site.

- Grant



I recently suffered DoS from a series of 10 sequential IP addresses
which identified themselves as being associated with a fairly legit
search engine.  fail2ban would have dealt with the problem if a single
IP address had been used.  Can it be made to work in a situation like
this where a series of sequential IP addresses are in play?



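The rule Bill quotes (`limit: up to 10/min burst 4 mode srcip`) is a per-source token bucket: each source starts with `burst` tokens, one token is returned every 60/10 = 6 seconds, and a new connection is ACCEPTed only if a token is available, otherwise it falls through to the chain's DROP policy. The following is an added example, not Bill's firewall configuration: a small model of that bookkeeping that you can replay constructed connection timestamps through. It also models the `--hashlimit-srcmask` option of iptables' hashlimit match, which buckets sources by prefix; with a /24 mask the ten sequential addresses from Grant's question share one bucket, which per-address matching alone would not give you. The class and function names and the sample traffic (documentation addresses) are mine.

```python
"""Model of the iptables hashlimit match in srcip mode, with optional srcmask.

Added example, not code from the thread. Timestamps are seconds; the
traffic below is constructed.
"""
import ipaddress


class HashLimit:
    """One token bucket per source key, as hashlimit keeps per source address."""

    def __init__(self, rate_per_minute, burst, srcmask=32):
        self.interval = 60.0 / rate_per_minute   # seconds per replenished token
        self.burst = burst
        self.srcmask = srcmask
        self.buckets = {}                        # key -> (tokens, last update ts)

    def key_for(self, src):
        """Bucket key: the source address truncated to srcmask bits."""
        net = ipaddress.ip_network("%s/%d" % (src, self.srcmask), strict=False)
        return str(net.network_address)

    def accept(self, src, ts):
        """True if a connection from src at time ts passes the limit."""
        key = self.key_for(src)
        tokens, last = self.buckets.get(key, (float(self.burst), ts))
        # refill one token per interval since the last update, capped at burst
        tokens = min(float(self.burst), tokens + (ts - last) / self.interval)
        if tokens >= 1.0:
            self.buckets[key] = (tokens - 1.0, ts)
            return True
        self.buckets[key] = (tokens, ts)
        return False


def replay(events, rate_per_minute, burst, srcmask=32):
    """Run (ts, src) events through one limiter; return ACCEPT/DROP per event."""
    limiter = HashLimit(rate_per_minute, burst, srcmask)
    return ["ACCEPT" if limiter.accept(src, ts) else "DROP" for ts, src in events]


# Constructed traffic: ten sequential crawler addresses, one connection each,
# all inside one second; an ordinary client 30 s later; then a crawler again.
CRAWLER = [(i * 0.1, "198.51.100.%d" % (10 + i)) for i in range(10)]
LATER = [(30.0, "203.0.113.5"), (30.5, "198.51.100.10")]


if __name__ == "__main__":
    events = CRAWLER + LATER
    print("per address (/32):", replay(events, 10, 4))
    print("per /24 prefix   :", replay(events, 10, 4, srcmask=24))
```

With the /32 key every crawler address gets its own fresh burst of 4, so all ten connections pass; with the /24 key the prefix as a whole gets 4 and the remaining six are dropped, while the unrelated client in another prefix is unaffected. The equivalent iptables rule adds `--hashlimit-srcmask 24` to the `-m hashlimit` match.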


Re: [Fail2ban-users] How to change the syslog facility of Fail2ban

2017-03-11 Thread Bill Shirley

What is it you're trying to accomplish?  Are you using rsyslogd?

I'm using a file (from fail2ban.local):
# Option: logtarget
# Notes.: Set the log target. This could be a file, SYSLOG, STDERR or STDOUT.
# Only one log target can be specified.
# If you change logtarget from the default value and you are
# using logrotate -- also adjust or disable rotation in the
# corresponding configuration file
# (e.g. /etc/logrotate.d/fail2ban on Debian systems)
# Values: [ STDOUT | STDERR | SYSLOG | FILE ]  Default: STDERR
#
logtarget = /var/log/fail2ban.log


Bill


On 3/10/2017 11:21 AM, Kenneth Porter wrote:

On 3/10/2017 7:32 AM, Thomas JALABERT wrote:

I would like to change the syslog facility of Fail2ban to local4.
I didn't find anything on the Internet. Do you think it's possible?

Grepping the source code, it looks like the facility is hard-coded to
LOG_DAEMON in server.py.








Re: [Fail2ban-users] Fail2Ban v0.9.6 updated sshd.conf: No 'host' group in '>

2017-07-05 Thread Bill Shirley

Based on the first line of that file:

# Fail2Ban obsolete multiline example resp. test filter (previously sshd.conf)

Did you expect it to work?

Bill

On 7/5/2017 11:46 AM, Robert Kudyba wrote:

Based on this file:
https://raw.githubusercontent.com/sebres/fail2ban/5561423be3b2d4636f5484183c3ad470fd326d06/fail2ban/tests/config/filter.d/zzz-sshd-obsolete-multiline.conf
This is set to nothing it appears:
mdre-normal =

But then I see theses warnings:

fail2ban-client[3646]: ERROR  NOK: ("No 'host' group in '>’",
2017-07-05 11:29:56,218 fail2ban.filter [3653]: WARNING Mutliline regex set for jail '%s' but maxlines not greater than 1
2017-07-05 11:29:56,228 fail2ban.filter [3653]: ERROR   No 'host' group in '>'
2017-07-05 11:29:56,228 fail2ban.transmitter[3653]: WARNING Command ['set', 'sshd', 'addfailregex', '>'] has failed. Received RegexException("No 'host' group in '>'",)

Is that OK? We have been seeing a lot of missed bans as mentioned in this 
thread: https://github.com/fail2ban/fail2ban/issues/1719 so we’d like to have 
the latest working correctly.










Re: [Fail2ban-users] Fail2Ban says IP is banned but IP doesn't show up in iptables

2017-07-27 Thread Bill Shirley

Did they get unbanned?  Are they in an ipset instead?

Can't help any without your config files.

Bill


On 7/27/2017 11:42 AM, Vito Botta wrote:

Hi all,

I have configured Fail2Ban on one server and it seems to be banning IPs every now and then (as I can see with the 
"fail2ban-client status" command), but there are no rules for such IPs in iptables (iptables -L).


Any idea?

Thanks!

Vito







Re: [Fail2ban-users] ProFtpd DROP net-fw TLS connection from client ftp

2017-08-08 Thread Bill Shirley

Looks like you haven't opened up sftp(port 115) in Shorewall.  Post on the
shorewall-us...@lists.sourceforge.net list.  Tom Eastep is very helpful.

If it were fail2ban blocking traffic, you would see it in the log file.

Note if you're not using fail2ban with ipsets actions instead of iptables, you're
going to run into problems if you do a 'shorewall restart'.  It will clear your bans.

If you still think the problem could be fail2ban, post your config, action, and log
files.

Bill

On 8/8/2017 1:42 PM, Davide Marchi wrote:

Hi friends,
I tell you immediately that I am not clear whether the matter concerns Shorewall rather than Fail2ban, so have pity on me :-)



I've configured ProFtpd to connect by TLS (SSLv3 TLSv1 -> Letsencrypt certificate) and if I stop Shorewall the "sftp"
connection works fine,

but with Shorewall up, it DROPs the connection:


Aug  8 18:50:10 server kernel: [16438563.572121] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=00:50:56:3c:a8:50:00:08:e3:ff:fd:90:08:00 SRC=132.142.22.10 DST=44.320.032.111 LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=63283 DF PROTO=TCP SPT=33175 DPT=55298 WINDOW=29200 RES=0x00 SYN URGP=0




Now I am wondering where the problem is.

I don't know whether it is Fail2ban telling Shorewall to drop this connection or whether
I should open a specific question on the Shorewall ML.



Many thanks to all!

Davide
Italy






Re: [Fail2ban-users] Error 2 before a ban.

2017-08-10 Thread Bill Shirley

Looks like you have a bad filter.  Odd that those errors say:
#mine is always last in the list

Did you change a filter?  Post it.

> this seems to happen every time someone tried to connect, before it shows the
> warning and then the ban.

Connect how?  IMAP, POP3, SMTP?

Bill


On 8/10/2017 2:31 PM, Steve Rowe via Fail2ban-users wrote:


Hi all, I’m hoping someone can answer the following error query I have.

I am running Fail2Ban v0.9.6 on CentOS Linux release 7.3.1611 (Core)

In the fail2ban log I see a lot (depending on the connection attempts in a 
second or two). Error 2 as below.

2017-08-10 18:10:07,000 fail2ban.filter [22850]: WARNING Unable to find a corresponding IP address for #mine: [Errno -2] Name or service not known
2017-08-10 18:10:07,044 fail2ban.filter [22850]: WARNING Unable to find a corresponding IP address for is: [Errno -2] Name or service not known
2017-08-10 18:10:07,108 fail2ban.filter [22850]: WARNING Unable to find a corresponding IP address for always: [Errno -2] Name or service not known
2017-08-10 18:10:07,132 fail2ban.filter [22850]: WARNING Unable to find a corresponding IP address for last: [Errno -2] Name or service not known
2017-08-10 18:10:07,156 fail2ban.filter [22850]: WARNING Unable to find a corresponding IP address for in: [Errno -2] Name or service not known
2017-08-10 18:10:07,199 fail2ban.filter [22850]: WARNING Unable to find a corresponding IP address for the: [Errno -2] Name or service not known
2017-08-10 18:10:07,218 fail2ban.filter [22850]: WARNING Unable to find a corresponding IP address for list: [Errno -2] Name or service not known
2017-08-10 18:10:07,218 fail2ban.filter [22850]: INFO [sasl-iptables] Found 213.141.81.24
2017-08-10 18:10:07,645 fail2ban.actions[22850]: NOTICE [sasl-iptables] Ban 213.141.81.24

this seems to happen every time someone tried to connect, before it shows the 
warning and then the ban.

Any ideas or suggestions appreciated.







Re: [Fail2ban-users] CentOS 5.10 and Fail2ban version:0.8.14-1.el5 stopped blocking IPs after Server reboot

2017-08-10 Thread Bill Shirley

I would think:
action   = iptables=multiport[name=asterisk-tcp, port="5060", protocol=tcp]
should be:
action   = iptables-multiport[name=asterisk-tcp, port="5060", protocol=tcp]
Note the dash instead of the equals sign in iptables-multiport

Bill

On 8/10/2017 3:24 PM, Jonathan Hunter wrote:

Hi Guys,

Sorry for the noise, just wondered if anyone had a similar issue to this.

Our server was rebooted, and since that point fail2ban won't work correctly.

We have an Asterisk server on which we are trying to stop fraudulent REGISTRATION attempts,
and use this rule in jail.conf;


[asterisk]

enabled  = true
filter   = asterisk
action   = iptables=multiport[name=asterisk-tcp, port="5060", protocol=tcp]
   iptables-multiport[name=asterisk-udp, port="5060", protocol=udp]
logpath  = /var/log/asterisk/messages
maxretry = 3


The associated filter, when testing the regex, provides matches with the criteria (no errors), however we simply don't see any
entries in iptables.


Timestamps/NTP are all in sync, so I was wondering if anyone had any further
ideas, as debug is not showing anything.

Thanks

Jon







Re: [Fail2ban-users] fail2ban or iptables?

2017-09-09 Thread Bill Shirley

A host can have multiple addresses; multiple PTRs can point to a host.  You
should use 'iptables -nvL' and compare banned IP addresses instead of
hostnames.

Bill


On 9/9/2017 6:56 AM, Doug Eckert wrote:

the name & port have been added to /etc/services. I also copied 
filter.d/ssh.conf to filter.d/sshdext.conf and edited to match.

The right source ip an dest port is added to iptables, but traffic is still 
getting through for some reason.

On Sat, Sep 9, 2017 at 2:07 AM Dominic Raferd <domi...@timedicer.co.uk> wrote:

On 8 September 2017 at 16:22, Eckert, Doug <doug.eck...@dowjones.com> wrote:

CentOS 6 with fail2ban-0.9.2-1.el6.noarch, and 
iptables-1.4.7-16.el6.x86_64

Not sure where my issue lies. It appears that f2b is processing the log 
file(s) fine and adding 'iptables' rules, but
I still see connection attempts and authentication errors on the ssh 
daemon.

Example. From /var/log/messages, it triggered a ban for this IP at 
0858hrs

Sep  8 08:58:20 ### fail2ban.actions[28791]: NOTICE [sshdext] Ban 
124.190.106.117

'iptables' shows the IP should be DROPping

# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source destination
f2b-sshdext  tcp  --  anywhere   anywhere            multiport dports 
sshdext
f2b-vsftpd  tcp  --  anywhere anywhere            multiport dports 
ftp,ftp-data,ftps,ftps-data

...

The 'sshdext' service is just 'sshd' running on an alternate port for external users - corporate firewall blocks incoming port 22.


I am not an expert but I am puzzled by line:

f2b-sshdext  tcp  --  anywhere             anywhere             multiport dports sshdext

How does iptables --list know which port is 'sshdext'?

'iptables --list -n' will show the numeric values (and is fast), then you can see if this rule is indeed covering the correct port.


--


Doug Eckert
Technical Architect - Systems Technology Services

Dow Jones
P.O. Box 300 | Princeton NJ 08543-0300
(W) 609.520.4993 (C) 732.666.3681
Email: doug.eck...@dowjones.com








Re: [Fail2ban-users] fail2ban or iptables?

2017-09-17 Thread Bill Shirley

Here's how to add another port:
Tell selinux:
semanage port -a -t ssh_port_t -p tcp 2112

/etc/ssh/sshd_config:
# My changes
Port 22
Port 2112

[0:root@yoda ~]$ netstat -anp | grep ssh
tcp    0  0 0.0.0.0:22    0.0.0.0:*   LISTEN  1677/sshd
tcp    0  0 0.0.0.0:2112  0.0.0.0:*   LISTEN  1677/sshd

Bill

On 9/11/2017 10:51 AM, Eckert, Doug wrote:

My fault for trusting what I was told instead of looking myself.

I was told the second ssh was listening on 2112, when in fact it was listening on 22. So, fail2ban was banning port 2112, but 
22 traffic was uninhibited.


On Mon, Sep 11, 2017 at 10:28 AM, Eckert, Doug <doug.eck...@dowjones.com> wrote:

Here's the current date and iptables list

# date
Mon Sep 11 10:23:19 EDT 2017
# iptables -nvL --line-numbers
Chain INPUT (policy ACCEPT 3250 packets, 253K bytes)
num   pkts bytes target       prot opt in     out     source               destination
1        0     0 f2b-sshdext  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 2112
2    1891K  113M f2b-vsftpd   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 21,20,990,989

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target       prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 3231 packets, 7088K bytes)
num   pkts bytes target       prot opt in     out     source               destination

Chain f2b-sshdext (1 references)
num   pkts bytes target       prot opt in     out     source               destination
1        0     0 REJECT       all  --  *      *       172.26.47.66         0.0.0.0/0            reject-with icmp-port-unreachable
2        0     0 REJECT       all  --  *      *       103.89.89.149        0.0.0.0/0            reject-with icmp-port-unreachable
3        0     0 REJECT       all  --  *      *       90.150.90.116        0.0.0.0/0            reject-with icmp-port-unreachable
4        0     0 REJECT       all  --  *      *       190.218.115.115      0.0.0.0/0            reject-with icmp-port-unreachable
5        0     0 REJECT       all  --  *      *       193.201.224.212      0.0.0.0/0            reject-with icmp-port-unreachable
6        0     0 REJECT       all  --  *      *       117.239.39.51        0.0.0.0/0            reject-with icmp-port-unreachable
7        0     0 RETURN       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain f2b-vsftpd (1 references)
num   pkts bytes target       prot opt in     out     source               destination
1    1891K  113M RETURN       all  --  *      *       0.0.0.0/0            0.0.0.0/0


And a snapshot of /var/log/secure (active sessions from that IP still 
hitting the daemon)

# tail -f secure | grep failure
Sep 11 10:24:53  sshdext[5573]: pam_unix(sshdext:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=193.201.224.212
Sep 11 10:25:07  sshdext[5591]: pam_unix(sshdext:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=193.201.224.212
Sep 11 10:25:13  sshdext[5593]: pam_unix(sshdext:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=193.201.224.212
Sep 11 10:25:15  sshdext[5595]: pam_unix(sshdext:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=193.201.224.212


'sshdext' is a second sshd running on 2112. Entry made in /etc/services for it, as well as a matching file in filter.d. The regex seems to be doing its job, as iptables entries are there.



On Sat, Sep 9, 2017 at 7:30 PM, Bill Shirley <bshir...@openmri-scottsboro.com> wrote:

A host can have multiple addresses; multiple PTRs can point to a host.  
You
should use 'iptables -nvL' and compare banned IP addresses instead of
hostnames.

Bill


On 9/9/2017 6:56 AM, Doug Eckert wrote:

the name & port have been added to /etc/services. I also copied filter.d/ssh.conf to filter.d/sshdext.conf and edited to match.

The right source IP and dest port is added to iptables, but traffic is still getting through for some reason.

On Sat, Sep 9, 2017 at 2:07 AM Dominic Raferd <domi...@timedicer.co.uk> wrote:

On 8 September 2017 at 16:22, Eckert, Doug <doug.eck...@dowjones.com> wrote:

CentOS 6 with fail2ban-0.9.2-1.el6.noarch, and 
iptables-1.4.7-16.el6.x86_64

Not sure where my issue lies. It appears that f2b is processing 
the log file(s) fine and adding 'iptables'
rules, but I still see connection attempts and authentication 

Re: [Fail2ban-users] Banned IP continues its attempts, other IP isn't banned even after maxretry

2017-09-18 Thread Bill Shirley

You do realize if you run shorewall commands (restart|stop|clear|etc)
it will wipe out the iptables entries that fail2ban adds?  Shorewall
reloads the entire iptables.

You should use an ipset instead.  Define the ipsets in
/etc/shorewall/init:
ipset -exist create fail2ban-IPv4-port hash:ip,port timeout 3600
ipset -exist create fail2ban-IPv4-ip hash:ip timeout 86400

add this after the ?SECTION NEW in /etc/shorewall/rules
?COMMENT flagged by fail2ban
DROP    inet:+fail2ban-IPv4-port[src,dst]   fw
DROP    inet:+fail2ban-IPv4-ip[src] fw

Create a /etc/fail2ban/action.d/iptables-ipset-proto4.local (a copy of
iptables-ipset-proto4.conf) and blank out:
actioncheck =
actionstart =
actionstop =
(Don't need these because the ipsets are defined in shorewall init.)

Modify jails to use iptables-ipset-proto4.

Note in the boot order: Shorewall should start before fail2ban.

Bill


On 9/17/2017 6:34 AM, chaouche yacine via Fail2ban-users wrote:

Hello Dominic,

There was only 1 IP that was banned out of 4. The banned one has been unbanned after bantime (1 day) so I can't find it in 
iptables :


root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL # iptables -nL | grep 201.236.111.84
root@messagerie[10.10.10.19] ~/SCRIPTS/MAIL #

The other 3 weren't banned by fail2ban.

NB : I am using shorewall, which uses iptables under the hood IIRC.








Re: [Fail2ban-users] sshd - different ban rules for bad password vs invalid user?

2017-09-20 Thread Bill Shirley

fail2ban picks up everything in /etc/fail2ban/jail.conf and then applies
additional/overrides from /etc/fail2ban/jail.local (and probably
/etc/fail2ban/jail.d/*. I didn't even realize there was a jail.d folder
until I saw your post).

In one of those configs (probably /etc/fail2ban/jail.conf) there is
a [sshd] section that is enabled.  Add to /etc/fail2ban/jail.local:
[sshd]
enabled = false

Bill


On 9/20/2017 12:46 PM, Stroller wrote:

Hello,

I'm new to Fail2Ban, and still getting to grips with it.

As I understand it, all matches to a filter are treated the same - using the 
default sshd filter a bot trying to logon as a nonexistent user is treated the 
same as a genuine user who has misspelled their password.

I would prefer to ban an IP the second time it attempts to log on as a 
nonexistent user, and allow multiple password attempts if the user exists on 
the system.

I have read some documents and HOWTOs, but seem to be struggling a bit with 
fail2ban's configuration concepts.

I've found /etc/fail2ban/filter.d/sshd.conf and enabled it by creating a 
corresponding /etc/fail2ban/jail.d/sshd.conf, as per Gentoo's wiki. [1]

I would have thought that the logical way to make my own filters would be to 
take the existing /etc/fail2ban/filter.d/sshd.conf and make two copies of it - 
/etc/fail2ban/filter.d/sshd-badusername.local and 
/etc/fail2ban/filter.d/sshd-wrongpassword.local, removing from each the 
unwanted regular expressions.

I expected to be able to create /etc/fail2ban/jail.d/sshd-badusername.conf and 
/etc/fail2ban/jail.d/sshd-wrongpassword.conf with the following contents:

[sshd-badusername]
enabled  = true
logpath = /var/log/messages

[sshd-wrongpassword]
enabled  = true
logpath = /var/log/messages

This doesn't work - when I reload fail2ban I get the messages:
ERROR  No file(s) found for glob /var/log/auth.log
ERROR  Failed during configuration: Have not found any log file for sshd 
jail

I don't understand - I didn't think I had any jail called "sshd" anymore - I thought I had two 
jails, "sshd-badusername" and "sshd-wrongpassword".

Fail2Ban seems highly modular and configurable, and I feel like I'm missing 
something important because there are too many pieces for me to visualise 
correctly.

Stroller.




[1] https://wiki.gentoo.org/wiki/Fail2ban#Configuration


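The split Stroller describes (one jail for nonexistent users, a more lenient one for real users who mistype a password) comes down to two filters with disjoint failregex sets and a separate maxretry per jail. The following is an added example, not code from the thread or from the fail2ban project: it re-implements, in a few lines of Python, the part of fail2ban-regex that matters here, matches two such filters against constructed /var/log/messages lines, and reports per-regex hits, per-host failure counts and the lines neither filter matched. The `<HOST>` stand-in only captures IPv4, the syslog prefix is simplified, and the maxretry values and log lines are constructed for the example.

```python
import re
from collections import defaultdict

# Simplified stand-in for fail2ban's <HOST> tag (the real one also matches
# IPv6 addresses and hostnames); an assumption that keeps this self-contained.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# Simplified syslog prefix: "Sep 20 10:00:01 host sshd[2001]: "
PREFIX = r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ sshd\[\d+\]: "

# Two filters carved out of the stock sshd.conf patterns: one catches log-ons
# as nonexistent users, the other wrong passwords for accounts that do exist.
FILTERS = {
    "sshd-badusername": [
        PREFIX + r"[iI](?:llegal|nvalid) user .* from " + HOST + r"\s*$",
    ],
    "sshd-wrongpassword": [
        # negative lookahead so "Failed password for invalid user ..." stays
        # with the bad-username jail instead of being counted twice
        PREFIX + r"Failed \S+ for (?!invalid user).*? from " + HOST
        + r"(?: port \d*)?(?: ssh\d*)?\s*$",
    ],
}

# Per-jail maxretry (hypothetical values for the example): the second attempt
# as a nonexistent user bans, a real user gets five tries.
JAILS = {
    "sshd-badusername": {"maxretry": 2},
    "sshd-wrongpassword": {"maxretry": 5},
}

# Constructed log lines in the format sshd writes to /var/log/messages.
LOG = """\
Sep 20 10:00:01 host sshd[2001]: Invalid user admin from 192.0.2.10
Sep 20 10:00:01 host sshd[2001]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10
Sep 20 10:00:03 host sshd[2001]: Failed password for invalid user admin from 192.0.2.10 port 43794 ssh2
Sep 20 10:00:09 host sshd[2002]: Invalid user oracle from 192.0.2.10
Sep 20 10:00:11 host sshd[2002]: Failed password for invalid user oracle from 192.0.2.10 port 43801 ssh2
Sep 20 10:01:00 host sshd[2010]: Failed password for stroller from 198.51.100.7 port 50001 ssh2
Sep 20 10:01:05 host sshd[2010]: Failed password for stroller from 198.51.100.7 port 50001 ssh2
Sep 20 10:01:09 host sshd[2010]: Accepted password for stroller from 198.51.100.7 port 50001 ssh2
""".splitlines()


def run_filter(lines, failregexes):
    """Mimic fail2ban-regex: per-regex hit counts, per-host failure counts and
    the lines no regex matched ("missed"). Like fail2ban, stop at the first
    failregex that matches a given line."""
    compiled = [re.compile(rx) for rx in failregexes]
    hits = [0] * len(compiled)
    per_host = defaultdict(int)
    missed = []
    for line in lines:
        for i, rx in enumerate(compiled):
            m = rx.search(line)
            if m:
                hits[i] += 1
                per_host[m.group("host")] += 1
                break
        else:
            missed.append(line)
    return hits, dict(per_host), missed


def banned_hosts(lines, jail):
    """Hosts whose failure count in this jail reached the jail's maxretry."""
    _, per_host, _ = run_filter(lines, FILTERS[jail])
    limit = JAILS[jail]["maxretry"]
    return sorted(h for h, n in per_host.items() if n >= limit)


if __name__ == "__main__":
    for jail in JAILS:
        hits, per_host, missed = run_filter(LOG, FILTERS[jail])
        print(f"[{jail}] hits per regex {hits}, failures {per_host}, "
              f"{len(missed)} missed, would ban {banned_hosts(LOG, jail)}")
```

With these lines the bad-username jail bans 192.0.2.10 after its second "Invalid user" line while 198.51.100.7, a real account with two wrong passwords, stays under its limit. Note that the "missed" count includes the pam_unix line and the successful "Accepted password" login: lines no failregex matches are counted as missed, so a large missed number from fail2ban-regex on a real log is expected and is not by itself a fault in the filter.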


Re: [Fail2ban-users] which filter has rules for "pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root""

2017-09-29 Thread Bill Shirley

Run fail2ban-client -d and compare the [sshd] section of the output to [ssh-iptables] below.

fail2ban parses log files so it constantly has to evolve due to software updates, distro changes, log file locations, local customization, etc.  Any answer to your question would just be a guess.

Bill

On 9/29/2017 11:40 AM, Robert Kudyba wrote:
Running fail2ban-0.9.7-2.fc26.noarch, but I'm not seeing which filter in /etc/fail2ban/filter.d would catch login attempts 
with errors such as:

pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" : 
24 time(s)
or:
Sep 24 05:55:04 ourserver sshd[22772]: pam_succeed_if(sshd:auth): requirement "uid >= 
1000" not met by user "root"
Sep 24 05:55:06 ourserver  sshd[22772]: Failed password for root from 
123.59.182.194 port 43862 ssh2

I tried a grep 1000 */* in that directory, no results. I see an SX suggestion from 2015, https://unix.stackexchange.com/a/204393/180291:
"I had a ssh section on my jail local but now I see that I was missing a ssh-iptables section so it would add rules to iptables and now it works:

[ssh-iptables]

enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]

logpath  = /var/log/secure
maxretry = 5"

But is this the same as enabling the [sshd] jail/filter?






Re: [Fail2ban-users] Problem with fail2ban-regex

2017-10-06 Thread Bill Shirley

Does it fail when you give it the full path to the .conf file?
fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/my_dovecot_secure.conf

Bill

On 10/6/2017 6:02 AM, Etienne MONIER wrote:


Hi everyone !

I've got a problem with fail2ban.

I've installed owncloud on a raspberry pi and I want it safe from brute-forcing. I then installed fail2ban with the following configuration:


/etc/fail2ban/filter.d/owncloud.conf

[INCLUDES]
before = common.conf

[Definition]
_daemon = owncloud

failregex = {"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)","level":2,"time":".*","method":".*}

ignoreregex =


/etc/fail2ban/jail.d/owncloud.conf

[owncloud]
enabled = true
filter = owncloud
port = http,https
logpath = /var/log/owncloud.log
maxretry = 5


To test if the filter is right (as fail2ban does not detect any login fail), I've tried fail2ban-regex /var/log/owncloud.log 
filter.d/owncloud.conf. But it gives me



Running tests
=============

Use   failregex filter file : owncloud, basedir:
Traceback (most recent call last):
  File "/usr/local/bin/fail2ban-regex", line 34, in <module>
    exec_command_line()
  File "/usr/local/lib/python2.7/dist-packages/fail2ban/client/fail2banregex.py", line 598, in exec_command_line
    if not fail2banRegex.start(opts, args):
  File "/usr/local/lib/python2.7/dist-packages/fail2ban/client/fail2banregex.py", line 498, in start
    if not self.readRegex(cmd_regex, 'fail'):
  File "/usr/local/lib/python2.7/dist-packages/fail2ban/client/fail2banregex.py", line 277, in readRegex
    if not reader.read():
  File "/usr/local/lib/python2.7/dist-packages/fail2ban/client/configreader.py", line 274, in read
    return ConfigReader.read(self, self._file)
  File "/usr/local/lib/python2.7/dist-packages/fail2ban/client/configreader.py", line 89, in read
    ret = self._cfg.read(name)
  File "/usr/local/lib/python2.7/dist-packages/fail2ban/client/configreader.py", line 166, in read
    % self._basedir)
ValueError: Base configuration directory  does not exist

Help, please !

Etienne







Re: [Fail2ban-users] ubuntu 16.04 / Lines: 682 lines, 0 ignored, 25 matched, 657 missed

2017-10-15 Thread Bill Shirley

You failed to describe your problem.  You got 25 matches and 657 that didn't.

What are you expecting?

Bill

On 10/15/2017 3:47 PM, A wrote:

I can't be the first to encounter this...  does anyone have a fix for the below 
please?

Thank you in advance!

- Andrew

# fail2ban-regex /var/log/auth.log.1 /etc/fail2ban/filter.d/sshd.conf

Running tests
=============

Use   failregex filter file : sshd, basedir: /etc/fail2ban
Use maxlines : 10
Use log file : /var/log/auth.log.1
Use encoding : UTF-8


Results
=======

Failregex: 25 total
|-  #) [# of hits] regular expression
|   3) [10] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*Failed \S+ for .*? from <HOST>(?: port \d*)?(?: ssh\d*)?(: (ruser .*|(\S+ ID \S+ \(serial \d+\) CA )?\S+ (?:[\da-f]{2}:){15}[\da-f]{2}(, client user ".*", client host ".*")?))?\s*$
|   5) [5] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*[iI](?:llegal|nvalid) user .* from <HOST>\s*$
|  16) [10] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*pam_unix\(sshd:auth\):\s+authentication failure;\s*logname=\S*\s*uid=\d*\s*euid=\d*\s*tty=\S*\s*ruser=\S*\s*rhost=<HOST>\s.*$
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [682] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
`-

Lines: 682 lines, 0 ignored, 25 matched, 657 missed [processed in 0.45 sec]
Missed line(s): too many to print.  Use --print-all-missed to print all 657 lines






Re: [Fail2ban-users] Reporting to badips.com and blocklist.de at same time

2017-10-18 Thread Bill Shirley

Do not hijack a thread.  Start your own thread.

Bill


On 10/18/2017 7:12 AM, Mitchell Krog Photography wrote:

Hi All

Is it possible when a jail blocks an IP to send to badips.com + blocklist.de?
If so can anyone point me in the right direction.

Many Thanks

Regards
Mitchell







Re: [Fail2ban-users] Reporting to badips.com and blocklist.de at same time

2017-10-18 Thread Bill Shirley

Turn on threading in your email client (I find it very useful) and it will be
obvious.  He replied to Stefan's post and changed the subject.

Bill

On 10/18/2017 2:21 PM, Tony Collins wrote:
I can't see any hijacking - the contents match the subject line ("Reporting to badips.com and blocklist.de at same time"), unless I'm missing an email somewhere.


Tony Collins

On 18 October 2017 at 19:09, Bill Shirley <bshir...@openmri-scottsboro.com> wrote:

Do not hijack a thread.  Start your own thread.

Bill


On 10/18/2017 7:12 AM, Mitchell Krog Photography wrote:

Hi All

Is it possible when a jail blocks an IP to send to badips.com + blocklist.de?
If so can anyone point me in the right direction.

Many Thanks

Regards
Mitchell
















Re: [Fail2ban-users] Possible Reporting to badips.com and blocklist.de at same time?

2017-10-19 Thread Bill Shirley

Mitchell,
I don't think anyone here meant to grind on and on about thread hi-jacking.  
You seemed
to not understand doing a reply and replacing the body and subject doesn't 
create a
new thread.  Now you do; mission accomplished.

On to your original post, what is it that you want to send to badips.com and 
blocklist.de?
Email?  What have you tried?

Bill


On 10/19/2017 8:58 AM, Mitchell Krog Photography wrote:

You are so very helpful Patrick, I will also just send your emails to /dev/null
WOW, what a helpful mailing list this has become with such nice people and NO …. YOU and 3 other people are the one ranting on 
about nonsense and a simple mistake !!! but not one of you can actually even answer a simple question.

I will just seek help elsewhere, thank you very much.

= unsubscribe


From: Patrick Shanahan  
Reply: Patrick Shanahan  
Date: 19 October 2017 at 2:54:16 PM
To: Mitchell Krog Photography  

Subject: Re: [Fail2ban-users] Possible Reporting to badips.com and blocklist.de 
at same time?


* Mitchell Krog Photography  [10-19-17 06:50]:
> Patrick
>
> I help and have helped a lot of people on this list on the time I have
> been on here. This list is turning into the likes of Apache user lists
> where everybody rants and raves and nit picks about nonsense instead of
> answering any questions. If you read my earlier replies yesterday I
> said it was a mistake and not intentional so why go on and on and on
> about it?
>
> Are you here to help users or try your very best just to insult and
> offend them ?
>
> I guess I will probably get a quicker answer from @Sebres on the github
> repo.
>
>
> From: Patrick Shanahan 
> Reply: Patrick Shanahan 
> Date: 19 October 2017 at 12:24:48 PM
> To: Mitchell Krog Photography 
> Subject:  Re: [Fail2ban-users] Possible Reporting to badips.com and 
blocklist.de at same time?
>
> * Mitchell Krog Photography  [10-19-17 06:21]:
> > Hi All
> >
> > Is it possible when a jail blocks an IP to send
> > to badips.com + blocklist.de At the same time ?
> > If so can anyone point me in the right direction.
> >
> > Many Thanks
> >
> > For those accusing me of “hijacking threads” and telling me to go and
> > Google “email hijacking” as if I have no idea what that is having being
> > in the industry for 30 years …  kindly see attached screengrab of this
> > brand new message, completely blank and composed with a slightly
> > different subject line.
>
> and what is it that you believe with your 30 years of industrial
> experience, this proves. you do not show the complete header, only what
> your chosen client reveals to you. google may (keyword) indeed help you
> or not ???
>
> --
> (paka)Patrick Shanahan Plainfield, Indiana, USA @ptilopteri
> http://en.opensuse.org openSUSE Community Member facebook/ptilopteri
> Registered Linux User #207535 @ http://linuxcounter.net
> Photos: http://wahoo.no-ip.org/piwigo paka @ IRCnet freenode

I guess you *really* do not understand. and your choice to continue
ranting is on you along with your choice to top post and full quote and
unformatted text. I do have a solution:

:0:
* ^From.*mitchellkrog
/dev/null


--
(paka)Patrick Shanahan Plainfield, Indiana, USA @ptilopteri
http://en.opensuse.org openSUSE Community Member facebook/ptilopteri
Registered Linux User #207535 @ http://linuxcounter.net
Photos: http://wahoo.no-ip.org/piwigo paka @ IRCnet freenode







Re: [Fail2ban-users] IP isn't banned even after maxretry

2017-10-29 Thread Bill Shirley

I have my own method of interfacing fail2ban and Shorewall; it uses ipsets:
Ban by IP address - /etc/fail2ban/action.d/my_ipset_ip.conf:
[INCLUDES]

before = iptables-blocktype.conf

[Definition]
actioncheck =
actionstart =
actionstop =
actionban = ipset -exist add fail2ban-<name> <ip> timeout <my_timeout>
actionunban = ipset -exist del fail2ban-<name> <ip>
actionunban =

[Init]
name = IPv4-ip
my_timeout = 0

Ban by IP address and port - /etc/fail2ban/action.d/my_ipset_ipport.conf:
[INCLUDES]

before = iptables-blocktype.conf

[Definition]
actioncheck =
actionstart =
actionstop =
actionban = ipset -exist add fail2ban-<name> <ip>,<protocol>:<port> timeout <my_timeout>

actionunban = ipset -exist del fail2ban-<name> <ip>,<protocol>:<port>
actionunban =

[Init]
name = IPv4-port
port = http
protocol = tcp
my_timeout = 0

To ban multiple ports, I created symlinks for 2, 3, and 4.  fail2ban wouldn't repeat an action with the same name in the same defined jail.
[0:root@elmo action.d]$ ls -l my_ipset_ip*
-rw-r--r--. 1 root root 315 Mar 28  2017 my_ipset_ip.conf
lrwxrwxrwx. 1 root root  20 Jul 23  2015 my_ipset_ipport2.conf -> my_ipset_ipport.conf
lrwxrwxrwx. 1 root root  20 Jul 23  2015 my_ipset_ipport3.conf -> my_ipset_ipport.conf
lrwxrwxrwx. 1 root root  20 Jul 23  2015 my_ipset_ipport4.conf -> my_ipset_ipport.conf
-rw-r--r--. 1 root root 380 Mar 28  2017 my_ipset_ipport.conf

The following jail bans by IP address and port. This allows users to still get access to other services (IMAP, POP3, http, https) even though they're banned from postfix.
jail.local:
[postfix-sasl]
#enabled    = false
enabled = true
filter  = postfix-sasl
action  = my_ipset_ipport[port=smtp]
  my_ipset_ipport2[port=smtps]
  my_ipset_ipport3[port=submission]
logpath = /var/log/maillog
maxretry    = 3
bantime = 600
findtime    = 7200
and your long one:
[postfix-sasl-long]
#enabled    = false
enabled = true
filter  = postfix-sasl
action  = my_ipset_ipport[name=IPv4-port-long, port=smtp]
  my_ipset_ipport2[name=IPv4-port-long, port=smtps]
  my_ipset_ipport3[name=IPv4-port-long, port=submission]
logpath = /var/log/maillog
maxretry    = 10
bantime = 86400
findtime    = 432000


/etc/shorewall/init:
# ipset for ban by IP address
ipset -exist create fail2ban-IPv4-ip hash:ip timeout 86400
# ipset for ban by IP address and port
ipset -exist create fail2ban-IPv4-port hash:ip,port timeout 86400
# you'll want one with a different one for long bans:
ipset -exist create fail2ban-IPv4-port-long hash:ip,port timeout 86400

Right after '?SECTION NEW' in /etc/shorewall/rules:
?COMMENT flagged by fail2ban
DROP net:+fail2ban-IPv4-ip[src] fw
DROP    net:+fail2ban-IPv4-port[src,dst]   fw
# you'll want one with a different one for long bans:
DROP    net:+fail2ban-IPv4-port-long[src,dst] fw

Bill

On 10/29/2017 12:48 PM, Tom Hendrikx wrote:

Hi,

your problem is shorewall.

The shorewall block method only takes a single input: the ip address. It
is not able to differ between multiple jails (unlike f.i. iptables).

That means that when 187.178.172.36 connects, it is probably banned by
postfix-sasl after a few times. After a short while it is unbanned, and
promptly returns. After a few times of banning/unbanning by postfix-sasl,
it will also be banned by postfix-sasl-long. Now the address is banned
by 2 jails.

Then it is unbanned again by postfix-sasl, and thus removed from the
shorewall blacklist. Fail2ban thinks that postfix-sasl-long is still
banning this, but shorewall doesn't block it. Now the address can keep
coming back and fail2ban won't block it again.

Shorewall is a dumb jail, don't use it when you want to do sophisticated
things like short and long blocks for the same port, or f.i. using
recidive jail.


Kind regards,
Tom




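Tom's diagnosis above, and Bill's per-jail ipset layout in this thread and in his earlier Shorewall post ("Banned IP continues its attempts"), describe the same state problem from two sides: a firewall backend keyed by IP alone cannot tell two jails apart, so the short jail's unban clears an entry the long jail still relies on, while one ipset per jail name (fail2ban-<name>) keeps the bans independent and lets the kernel expire them. The following is an added example, not code from the thread or from fail2ban or Shorewall: it models both backends in Python, replays a constructed ban/unban timeline for one address, and reports the moments at which fail2ban believes the address is banned but the firewall lets it through. The bantimes are the ones in the jail.local posted above; the address (from the TEST-NET-3 documentation range) and the event timeline are constructed.

```python
# Constructed address standing in for the repeat offender in the thread.
IP = "203.0.113.36"

# bantime per jail, taken from the jail.local posted above
JAILS = {"postfix-sasl": 600, "postfix-sasl-long": 86400}


class ShorewallBlacklist:
    """Model of a single flat blacklist keyed by IP only: it has no notion of
    which jail added an entry, so any jail's unban removes the IP outright."""

    def __init__(self):
        self.blocked = set()

    def ban(self, jail, ip, now, bantime):
        self.blocked.add(ip)

    def unban(self, jail, ip, now):
        self.blocked.discard(ip)

    def blocks(self, ip, now):
        return ip in self.blocked


class PerJailIpsets:
    """Model of one ipset per jail name (fail2ban-<name>), each entry carrying
    a kernel timeout; with a DROP rule per set, the IP is blocked while it is
    present and unexpired in any of them."""

    def __init__(self, jails):
        self.sets = {j: {} for j in jails}  # jail -> {ip: expiry time}

    def ban(self, jail, ip, now, bantime):
        # 'ipset -exist add fail2ban-<name> <ip> timeout <bantime>'
        self.sets[jail][ip] = now + bantime

    def unban(self, jail, ip, now):
        # 'ipset -exist del fail2ban-<name> <ip>' touches only this jail's set
        self.sets[jail].pop(ip, None)

    def blocks(self, ip, now):
        return any(s.get(ip, 0) > now for s in self.sets.values())


# Constructed timeline (seconds from the first ban) following Tom's narrative:
# three short bans, the long jail firing on the third, then the short ban expiring.
EVENTS = [
    (0,    "ban",   "postfix-sasl"),
    (600,  "unban", "postfix-sasl"),
    (700,  "ban",   "postfix-sasl"),
    (1300, "unban", "postfix-sasl"),
    (1400, "ban",   "postfix-sasl"),
    (1400, "ban",   "postfix-sasl-long"),
    (2000, "unban", "postfix-sasl"),
]


def replay(backend, events=EVENTS, ip=IP):
    """Feed fail2ban's ban/unban calls to a firewall backend and return the
    event times at which fail2ban still considers ip banned by some jail
    while the firewall no longer blocks it."""
    believed_banned = {jail: False for jail in JAILS}
    gaps = []
    for t, action, jail in events:
        if action == "ban":
            backend.ban(jail, ip, t, JAILS[jail])
            believed_banned[jail] = True
        else:
            backend.unban(jail, ip, t)
            believed_banned[jail] = False
        if any(believed_banned.values()) and not backend.blocks(ip, t):
            gaps.append(t)
    return gaps


if __name__ == "__main__":
    print("shorewall blacklist, unprotected at:", replay(ShorewallBlacklist()))
    print("per-jail ipsets, unprotected at:", replay(PerJailIpsets(JAILS)))
```

With the flat blacklist the gap opens at t=2000, exactly when the short jail's unban runs: fail2ban's recidive-style long jail still records the ban, so it will not re-ban on further failures, and nothing blocks the address for the remaining day. With per-jail sets the short unban only empties its own set and the long entry stays in force until its kernel timeout at 1400+86400 seconds. The timeout also covers the case Bill's blank actionstart/actionstop handle: if fail2ban is restarted and never issues the unban, the entry still expires on its own.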


Re: [Fail2ban-users] Error of "Failed to execute ban jail"

2017-11-26 Thread Bill Shirley

Post your jail config section for [recidive] and your 'iptables-allports' 
action.

Is XX.XX.XX.XX in
2017-11-16 07:59:07,449 fail2ban.actions        [641]: NOTICE  [recidive] Ban 
XX.XX.XX.XX
an obfuscated public IP address?

Why are your log file entries out of order?

Bill

On 11/26/2017 8:54 AM, Smart Goldman wrote:

Hello.

I often got fail2ban's error mails like this:

2017-11-16 07:59:07,449 fail2ban.actions        [641]: NOTICE  [recidive] Ban 
XX.XX.XX.XX
2017-11-16 07:59:07,671 fail2ban.actions        [641]: ERROR   Failed to execute ban jail 'recidive' action 
'iptables-allports' info 'CallingMap({'time': 1510819147.4490871, 'matches': '2017-11-12 03:23:00,898 fail2ban.actions        
[641]: NOTICE  [sshd] Ban XX.XX.XX.XX

2017-11-14 20:18:43,887 fail2ban.actions        [641]: NOTICE  [sshd] Ban 
XX.XX.XX.XX
2017-11-16 07:59:06,944 fail2ban.actions        [641]: NOTICE  [sshd] Ban XX.XX.XX.XX', 'ipfailures': Actions.__checkBan.. at 0x7fa01c6b7488>, 'ipjailfailures': . at 
0x7fa01c6b79d8>, 'ipmatches': . at 0x7fa01c6b7950>, 'failures': 3, 
'ipjailmatches': . at 0x7fa01c6b76a8>, 'ip': 'XX.XX.XX.XX'})': Error stopping action


Does it mean the IP ban failed?
How can I fix this error?

OS: Ubuntu 16.04 LTS

Thank you.

Yusui







Re: [Fail2ban-users] Error of "Failed to execute ban jail"

2017-11-26 Thread Bill Shirley
to execute ban jail 'sshd' action 'iptables-multiport' 
info 'CallingMap({'time': 1510819146.9440994, 'matches': 'Nov 16 07:59:01 okapi sshd[3714]: Invalid user admin from 
XX.XX.XX.XX\nNov 16 07:59:01 okapi sshd[3714]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh 
ruser= rhost=XX.XX.XX.XX\nNov 16 07:59:03 okapi sshd[3714]: Failed password for invalid user admin from XX.XX.XX.XX port 43794 
ssh2\nNov 16 07:59:05 okapi sshd[3714]: Failed password for invalid user admin from XX.XX.XX.XX port 43794 ssh2\nNov 16 
07:59:06 okapi sshd[3714]: Failed password for invalid user admin from XX.XX.XX.XX port 43794 ssh2', 'ipfailures': Actions.__checkBan.. at 0x7fa01c6b79d8>, 'ipjailfailures': . at 
0x7fa01c6b7488>, 'ipmatches': . at 0x7fa01c6b76a8>, 'failures': 5, 
'ipjailmatches': . at 0x7fa01c6b7950>, 'ip': 'XX.XX.XX.XX'})': Error stopping action

2017-11-16 07:59:07,449 fail2ban.actions        [641]: NOTICE  [recidive] Ban 
XX.XX.XX.XX
2017-11-16 07:59:07,671 fail2ban.actions        [641]: ERROR   Failed to execute ban jail 'recidive' action 
'iptables-allports' info 'CallingMap({'time': 1510819147.4490871, 'matches': '2017-11-12 03:23:00,898 fail2ban.actions        
[641]: NOTICE  [sshd] Ban XX.XX.XX.XX\n2017-11-14 20:18:43,887 fail2ban.actions [641]: NOTICE  [sshd] Ban 
XX.XX.XX.XX\n2017-11-16 07:59:06,944 fail2ban.actions        [641]: NOTICE  [sshd] Ban XX.XX.XX.XX', 'ipfailures': Actions.__checkBan.. at 0x7fa01c6b7488>, 'ipjailfailures': . at 
0x7fa01c6b79d8>, 'ipmatches': . at 0x7fa01c6b7950>, 'failures': 3, 
'ipjailmatches': . at 0x7fa01c6b76a8>, 'ip': 'XX.XX.XX.XX'})': Error stopping action

2017-11-17 07:59:07,179 fail2ban.actions        [641]: NOTICE  [sshd] Unban 
XX.XX.XX.XX
2017-11-17 07:59:07,406 fail2ban.actions        [641]: ERROR   Failed to execute unban jail 'sshd' action 'iptables-multiport' 
info '{'time': 1510819146.9440994, 'failures': 5, 'matches': 'Nov 16 07:59:01 okapi sshd[3714]: Invalid user admin from 
XX.XX.XX.XXNov 16 07:59:01 okapi sshd[3714]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= 
rhost=XX.XX.XX.XXNov 16 07:59:03 okapi sshd[3714]: Failed password for invalid user admin from XX.XX.XX.XX port 43794 ssh2Nov 
16 07:59:05 okapi sshd[3714]: Failed password for invalid user admin from XX.XX.XX.XX port 43794 ssh2Nov 16 07:59:06 okapi 
sshd[3714]: Failed password for invalid user admin from XX.XX.XX.XX port 43794 ssh2', 'ip': 'XX.XX.XX.XX'}': Error stopping action


2017-11-27 0:37 GMT+09:00 Bill Shirley <bshir...@openmri-scottsboro.com>:

Post your jail config section for [recidive] and your 'iptables-allports' 
action.

Is XX.XX.XX.XX in
2017-11-16 07:59:07,449 fail2ban.actions        [641]: NOTICE [recidive] 
Ban XX.XX.XX.XX
an obfuscated public IP address?

Why are your log file entries out of order?

Bill


On 11/26/2017 8:54 AM, Smart Goldman wrote:

Hello.

I often got fail2ban's error mails like this:

2017-11-16 07:59:07,449 fail2ban.actions     [641]: NOTICE  [recidive] Ban 
XX.XX.XX.XX
2017-11-16 07:59:07,671 fail2ban.actions     [641]: ERROR   Failed to 
execute ban jail 'recidive' action
'iptables-allports' info 'CallingMap({'time': 1510819147.4490871, 
'matches': '2017-11-12 03:23:00,898 fail2ban.actions   
    [641]: NOTICE  [sshd] Ban XX.XX.XX.XX
2017-11-14 20:18:43,887 fail2ban.actions     [641]: NOTICE  [sshd] Ban 
XX.XX.XX.XX
2017-11-16 07:59:06,944 fail2ban.actions     [641]: NOTICE  [sshd] Ban 
XX.XX.XX.XX', 'ipfailures': . at 0x7fa01c6b7488>, 'ipjailfailures': .
at 0x7fa01c6b79d8>, 'ipmatches': . at 0x7fa01c6b7950>, 'failures': 3,
'ipjailmatches': . at 
0x7fa01c6b76a8>, 'ip': 'XX.XX.XX.XX'})': Error
stopping action

Does it mean the IP ban failed?
How can I fix this error?

OS: Ubuntu 16.04 LTS

Thank you.

Yusui









Re: [Fail2ban-users] need info on permanent ban and persistent database storage

2017-12-15 Thread Bill Shirley

Don't forget the 'vacuum' command:
-rw---. 1 root root 164M Dec 15 06:56 fail2ban.sqlite3

sqlite3 /var/lib/fail2ban/fail2ban.sqlite3
sqlite> delete from bans where timeofban <= strftime('%s', '2016-07-25');
sqlite> vacuum;
sqlite> .quit

-rw---. 1 root root 76M Dec 15 07:02 fail2ban.sqlite3

Bill

On 12/15/2017 6:11 AM, Admin Beckspaced wrote:

Hello Mark,

thanks for your reply. Also going to top post here and close the topic ;)

I also found that link about the sqlite db actually never getting purged by fail2ban.

https://github.com/fail2ban/fail2ban/issues/1316

Did play around a bit with the cron command they provide in that post:

python -c "import sys, logging; logging.basicConfig(stream=sys.stdout, level=logging.INFO); from fail2ban.server.database 
import Fail2BanDb; db = Fail2BanDb('/var/lib/fail2ban/fail2ban.sqlite3'); db.purge()"


But be careful: it purges the complete database, so all data gets lost!

You could instead delete only older entries, e.g. older than 90 days.
These are the commands I ran in the sqlite CLI.

perhaps this might help someone?

thanks & greetings
Becki

linux:~ # sqlite3
sqlite> .open /var/lib/fail2ban/fail2ban.sqlite3
sqlite> .database
seq  name file
---  --- --
0    main /var/lib/fail2ban/fail2ban.sqlite3
sqlite> .tables
bans    fail2banDb  jails   logs
sqlite> .schema bans
CREATE TABLE bans(jail TEXT NOT NULL, ip TEXT, timeofban INTEGER NOT NULL, data JSON, FOREIGN KEY(jail) REFERENCES jails(name) );
CREATE INDEX bans_jail_timeofban_ip ON bans(jail, timeofban);
CREATE INDEX bans_jail_ip ON bans(jail, ip);
CREATE INDEX bans_ip ON bans(ip);
sqlite> SELECT count(*) from bans;
sqlite> SELECT count(ip) FROM bans WHERE timeofban <= strftime('%s', date('now', '-90 days'));
sqlite> DELETE FROM bans WHERE timeofban <= strftime('%s', date('now', '-90 days'));



On 14.12.2017 20:33, Mark Costlow wrote:

I have been looking at dbpurgeage here recently as well.  Unfortunately
I don't have an answer for you, just more questions.

We've never set it to a specific value, so it is at the default
of 86400.  However, our sqlite data file does not seem to ever
have entries purged from the bans table.  On one set of machines
where fail2ban was first set up in March 2015, the entries go back
to then.  On another set initialized about 7 months ago, they
go back 7 months.

Both of these setups are using recidive jails, in addition to several
"normal" jails.  They are all working fine.  We were trying to troubleshoot
why they take a very long time to shut down and start up.  The months/years
of cruft in the bans table seems to be the answer ... if we trim
that table shutdown/startup is much faster.

One set of these is running 0.9.3 on Gentoo Linux, the other set is running
0.9.6 on FreeBSD.

I just found this thread says stock fail2ban doesn't implement the
purge at all, and suggests you would need to add a cron job to do
so: https://github.com/fail2ban/fail2ban/issues/1316

I think we are going to just add a cron job to purge the table periodically.

Mark








Re: [Fail2ban-users] need info on permanent ban and persistent database storage

2017-12-15 Thread Bill Shirley

File /etc/fail2ban/fail2ban.prune.sqlite.commands:
delete from bans where timeofban <= strftime('%s', date('now', '-90 days'));
vacuum;
.quit

From cli:
sqlite3 /var/lib/fail2ban/fail2ban.sqlite3 < /etc/fail2ban/fail2ban.prune.sqlite.commands

Can schedule in cron too.

Bill


On 12/15/2017 7:08 AM, Bill Shirley wrote:

Don't forget the 'vacuum' command:
-rw---. 1 root root 164M Dec 15 06:56 fail2ban.sqlite3

sqlite3 /var/lib/fail2ban/fail2ban.sqlite3
sqlite> delete from bans where timeofban <= strftime('%s', '2016-07-25');
sqlite> vacuum;
sqlite> .quit

-rw---. 1 root root 76M Dec 15 07:02 fail2ban.sqlite3

Bill

On 12/15/2017 6:11 AM, Admin Beckspaced wrote:

Hello Mark,

thanks for your reply. Also going to top post here and close the topic ;)

I also found that link about the sqlite db actually never getting purged by fail2ban.

https://github.com/fail2ban/fail2ban/issues/1316

Did play around a bit with the cron command they provide in that post:

python -c "import sys, logging; logging.basicConfig(stream=sys.stdout, level=logging.INFO); from fail2ban.server.database 
import Fail2BanDb; db = Fail2BanDb('/var/lib/fail2ban/fail2ban.sqlite3'); db.purge()"


But be careful: it purges the complete database, so all data gets lost!

You could instead delete only older entries, e.g. older than 90 days.
These are the commands I ran in the sqlite CLI.

perhaps this might help someone?

thanks & greetings
Becki

linux:~ # sqlite3
sqlite> .open /var/lib/fail2ban/fail2ban.sqlite3
sqlite> .database
seq  name file
---  --- --
0    main /var/lib/fail2ban/fail2ban.sqlite3
sqlite> .tables
bans    fail2banDb  jails   logs
sqlite> .schema bans
CREATE TABLE bans(jail TEXT NOT NULL, ip TEXT, timeofban INTEGER NOT NULL, data JSON, FOREIGN KEY(jail) REFERENCES jails(name) );
CREATE INDEX bans_jail_timeofban_ip ON bans(jail, timeofban);
CREATE INDEX bans_jail_ip ON bans(jail, ip);
CREATE INDEX bans_ip ON bans(ip);
sqlite> SELECT count(*) from bans;
sqlite> SELECT count(ip) FROM bans WHERE timeofban <= strftime('%s', date('now', '-90 days'));
sqlite> DELETE FROM bans WHERE timeofban <= strftime('%s', date('now', '-90 days'));



On 14.12.2017 20:33, Mark Costlow wrote:

I have been looking at dbpurgeage here recently as well.  Unfortunately
I don't have an answer for you, just more questions.

We've never set it to a specific value, so it is at the default
of 86400.  However, our sqlite data file does not seem to ever
have entries purged from the bans table.  On one set of machines
where fail2ban was first set up in March 2015, the entries go back
to then.  On another set initialized about 7 months ago, they
go back 7 months.

Both of these setups are using recidive jails, in addition to several
"normal" jails.  They are all working fine.  We were trying to troubleshoot
why they take a very long time to shut down and start up.  The months/years
of cruft in the bans table seems to be the answer ... if we trim
that table shutdown/startup is much faster.

One set of these is running 0.9.3 on Gentoo Linux, the other set is running
0.9.6 on FreeBSD.

I just found this thread says stock fail2ban doesn't implement the
purge at all, and suggests you would need to add a cron job to do
so: https://github.com/fail2ban/fail2ban/issues/1316

I think we are going to just add a cron job to purge the table periodically.

Mark











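The prune that the two messages above do by hand in the sqlite3 CLI (delete bans older than 90 days, then VACUUM to give the space back), written as a small Python script. This is an added example, not fail2ban's own code and not from the thread: it rebuilds the `bans` schema quoted above in a temporary file, fills it with constructed rows of known age, and runs the same DELETE and VACUUM. The `jails` table is an assumed minimal stand-in, since its real schema is not shown on the page, and the cutoff is computed in Python rather than with SQLite's `strftime('%s', ...)` so the function can be run against a fixed clock.

```python
"""Prune old rows from fail2ban's sqlite3 ban database and reclaim the space.

Added example: not fail2ban's own code and not from the thread.  It rebuilds
the 'bans' schema quoted in the thread inside a temporary file, fills it with
constructed rows of known age, then runs the same
DELETE ... WHERE timeofban <= cutoff and VACUUM that the prune file does.
"""
import os
import sqlite3
import tempfile
import time

# 'bans' copied from the '.schema bans' output quoted in the thread; 'jails'
# is an assumed minimal version so that the FOREIGN KEY has something to point at.
SCHEMA = """
CREATE TABLE jails(name TEXT NOT NULL UNIQUE);
CREATE TABLE bans(jail TEXT NOT NULL, ip TEXT, timeofban INTEGER NOT NULL,
                  data JSON, FOREIGN KEY(jail) REFERENCES jails(name));
CREATE INDEX bans_jail_timeofban_ip ON bans(jail, timeofban);
CREATE INDEX bans_jail_ip ON bans(jail, ip);
CREATE INDEX bans_ip ON bans(ip);
"""

DAY = 86400


def prune_bans(db_path, max_age_days=90, now=None, vacuum=True):
    """Delete bans at least max_age_days old and return how many were removed.

    VACUUM cannot run inside an open transaction, so the connection is opened
    in autocommit mode (isolation_level=None).
    """
    now = int(time.time()) if now is None else int(now)
    cutoff = now - max_age_days * DAY
    conn = sqlite3.connect(db_path, isolation_level=None)
    try:
        deleted = conn.execute("DELETE FROM bans WHERE timeofban <= ?",
                               (cutoff,)).rowcount
        if vacuum:
            conn.execute("VACUUM")  # rewrites the file; this is what shrinks it
    finally:
        conn.close()
    return deleted


def build_sample_db(db_path, now):
    """Create the schema and insert constructed rows (documentation addresses)."""
    rows = [
        ("sshd",     "192.0.2.10", now - 1 * DAY),    # 1 day old: kept
        ("sshd",     "192.0.2.11", now - 89 * DAY),   # 89 days old: kept
        ("recidive", "192.0.2.12", now - 91 * DAY),   # 91 days old: pruned
        ("sshd",     "192.0.2.13", now - 400 * DAY),  # 400 days old: pruned
    ]
    conn = sqlite3.connect(db_path)
    try:
        conn.executescript(SCHEMA)
        conn.executemany("INSERT INTO jails(name) VALUES (?)",
                         [("sshd",), ("recidive",)])
        conn.executemany(
            "INSERT INTO bans(jail, ip, timeofban, data) VALUES (?, ?, ?, '{}')",
            rows)
        conn.commit()
    finally:
        conn.close()


def count_bans(db_path):
    conn = sqlite3.connect(db_path)
    try:
        return conn.execute("SELECT count(*) FROM bans").fetchone()[0]
    finally:
        conn.close()


def demo(max_age_days=90):
    """Prune a throwaway database; return (rows before, rows deleted, rows after)."""
    now = 1513317600  # fixed clock, 2017-12-15 06:00:00 UTC (constructed)
    fd, path = tempfile.mkstemp(suffix=".sqlite3")
    os.close(fd)
    try:
        build_sample_db(path, now)
        before = count_bans(path)
        deleted = prune_bans(path, max_age_days=max_age_days, now=now)
        after = count_bans(path)
    finally:
        os.unlink(path)
    return before, deleted, after


if __name__ == "__main__":
    print(demo())  # (4, 2, 2)
```

Pointed at the real file (`prune_bans('/var/lib/fail2ban/fail2ban.sqlite3')`) it does what the prune-commands file does and can be run from cron the same way; stop fail2ban first or accept that the server may be writing to the database at the same time.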

Re: [Fail2ban-users] Enable multiple jails

2018-01-17 Thread Bill Shirley

Looks like your regex is wrong.  Do you get any hits when you run:
fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/blockip-custom.conf

I think your regex should be:
failregex = \[\]:\s+535 Incorrect authentication data

Bill

On 1/17/2018 9:46 AM, Emanuel Gonzalez wrote:


Yes, the file blockip-custom.conf exists in /etc/fail2ban/action.d but it does 
not block IPs


example:


Jan 17 11:38:54 linux.backend exim[14840]: 2018-01-17 11:38:52 fixed_login authenticator failed for (User) [190.98.45.180]: 
535 Incorrect authentication data (set_id=s...@dattaweb.com)
Jan 17 11:38:55 linux.backend exim[21870]: 2018-01-17 11:38:56 fixed_login authenticator failed for (User) [190.98.45.180]: 
535 Incorrect authentication data (set_id=s...@dattaweb.com)
Jan 17 11:38:55 linux.backend exim[14840]: 2018-01-17 11:38:56 fixed_login authenticator failed for (User) [190.98.45.180]: 
535 Incorrect authentication data (set_id=s...@dattaweb.com)
Jan 17 11:38:56 linux.backend exim[21770]: 2018-01-17 11:38:56 fixed_login authenticator failed for (User) [190.98.45.180]: 
535 Incorrect authentication data (set_id=s...@dattaweb.com)
Jan 17 11:38:56 linux.backend exim[14840]: 2018-01-17 11:38:56 fixed_login authenticator failed for (User) [190.98.45.180]: 
535 Incorrect authentication data (set_id=s...@dattaweb.com)
Jan 17 11:38:58 linux.backend exim[21770]: 2018-01-17 11:38:56 fixed_login authenticator failed for (User) [190.98.45.180]: 
535 Incorrect authentication data (set_id=s...@dattaweb.com)
Jan 17 11:38:58 linux.backend exim[21770]: 2018-01-17 11:38:58 fixed_login authenticator failed for (User) [190.98.45.180]: 
535 Incorrect authentication data (set_id=s...@dattaweb.com)
Jan 17 11:38:58 linux.backend exim[21770]: 2018-01-17 11:38:58 fixed_login authenticator failed for (User) [190.98.45.180]: 
535 Incorrect authentication data (set_id=s...@dattaweb.com)
Jan 17 11:38:59 linux.backend exim[21870]: 2018-01-17 11:38:56 fixed_login authenticator failed for (User) [190.98.45.180]: 
535 Incorrect authentication data (set_id=s...@dattaweb.com)


In the file maillog-custom.conf

failregex =  \[\]:\d+: 535 Incorrect authentication data
[rsyslog-maillog]
enabled = true
filter = maillog-custom
bantime = 86400
findtime = 600
maxretry = 5
port = smtp,465,submission,imap3,imaps,pop3,pop3s
# tail: start at the end of the log
# so that it does not begin processing from the start or from where it left off
logpath = /var/log/maillog

Any ideas?

Regards,





*From:* Roman Pikalo 
*Sent:* Wednesday, 17 January 2018 9:04:49
*To:* Emanuel Gonzalez
*Cc:* fail2ban-users@lists.sourceforge.net
*Subject:* Re: [Fail2ban-users] Enable multiple jails
Do you have the blockip-custom banaction defined in the /etc/fail2ban/jail.conf file?

Best regards, Roman

Emanuel Gonzalez <emanuel_gonza...@live.com.ar>:


Hello, I have read all the documentation but I cannot solve my problem.

I created the file jail-custom.conf in /etc/fail2ban/jail.d with this config:

[rsyslog-maillog]
enabled = true
filter = maillog-custom
bantime = 86400
findtime = 600
maxretry = 5
#port = smtp,465,submission,imap3,imaps,pop3,pop3s
port = imap3,imaps,pop3,pop3s
# tail: start at the end of the log
# so that it does not begin processing from the start or from where it left off
logpath = /var/log/maillog tail


[exim]
enabled = true
filter = exim
port = smtp,465,submission
bantime = 86400
findtime = 600
maxretry = 5
#banaction = blockip-custom
#action = %(action_)s
action = blockip-custom
logpath  = /var/log/maillog
backend  = auto
#journalmatch =


The jail "rsyslog-maillog" works, but the exim jail does not.

tail -f /var/log/fail2ban.log
2018-01-16 15:20:58,599 fail2ban.actions [13905]: NOTICE  [rsyslog-maillog] Ban 
111.75.167.157
2018-01-16 15:21:05,610 fail2ban.actions [13905]: NOTICE  [rsyslog-maillog] Ban 
111.89.179.159
2018-01-16 15:21:06,830 fail2ban.actions [13905]: NOTICE  [rsyslog-maillog] Ban 
112.112.193.39
2018-01-16 15:21:13,871 fail2ban.actions [13905]: NOTICE  [rsyslog-maillog] Ban 
112.112.25.39
2018-01-16 15:21:14,643 fail2ban.actions [13905]: NOTICE  [rsyslog-maillog] Ban 
112.113.241.17
2018-01-16 15:21:15,435 fail2ban.actions [13905]: NOTICE  [rsyslog-maillog] Ban 
112.113.60.146
2018-01-16 15:21:17,246 fail2ban.actions [13905]: NOTICE  [rsyslog-maillog] Ban 
112.113.60.247
2018-01-16 15:21:24,439 fail2ban.actions [13905]: NOTICE  [rsyslog-maillog] Ban 
112.113.60.38
2018-01-16 15:21:25,222 fail2ban.actions [13905]: NOTICE  [rsyslog-maillog] Ban 
112.113.61.121
2018-01-16 15:21:26,009 fail2ban.actions [13905]: NOTICE  [rsyslog-maillog] Ban 
112.113.61.183

Any ideas? Regards


Re: [Fail2ban-users] issue matching date/time in epoch format when not at beginning of the line

2018-01-20 Thread Bill Shirley

See what date patterns fail2ban is using.  Run fail2ban-regex
(change for your log file and filter) with the -v switch:
fail2ban-regex -v /var/log/httpd/access_log 
/etc/fail2ban/filter.d/my_apache_access.conf

I have a server using version 0.9.3 which gives:
Date template hits:
|- [# of hits] date format
|  [128] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
|  [0] Year(?P<_sep>[-/.])Month(?P=_sep)Day 
24hour:Minute:Second(?:,Microseconds)?
|  [0] Day(?P<_sep>[-/])Month(?P=_sep)(?:Year|Year2) 24hour:Minute:Second
|  [0] Day(?P<_sep>[-/])MON(?P=_sep)Year[ 
:]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
|  [0] Month/Day/Year:24hour:Minute:Second
|  [0] Month-Day-Year 24hour:Minute:Second\.Microseconds
|  [0] TAI64N
|  [0] Epoch
|  [0] Year-Month-Day[T ]24hour:Minute:Second(?:\.Microseconds)?(?:Zone offset)?
|  [0] ^24hour:Minute:Second
|  [0] ^
|  [0] ^Year2MonthDay  ?24hour:Minute:Second
|  [0] MON Day, Year 12hour:Minute:Second AMPM
|  [0] ^MON-Day-Year2 24hour:Minute:Second

I would think 'Epoch' would match but I can't find anything online that defines
the date pattern.

I had to add a datepattern= to my_apache_access filter when I upgraded
to fail2ban 10.0 because they changed the date patterns requiring dates
to be at the beginning of the line:
# new date patterns for fail2ban-server-0.10.0-1
#|  [0] {^LN-BEG}ExYear(?P<_sep>[-/.])Month(?P=_sep)Day[T 
]24hour:Minute:Second(?:[.,]Microseconds)?(?:\s*Zone offset)?
#|  [0] {^LN-BEG}(?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: 
ExYear)?
#|  [0] {^LN-BEG}(?:DAY )?MON Day ExYear 24hour:Minute:Second(?:\.Microseconds)?
#|  [0] {^LN-BEG}Day(?P<_sep>[-/])Month(?P=_sep)(?:ExYear|ExYear2) 
24hour:Minute:Second
#|  [0] {^LN-BEG}Day(?P<_sep>[-/])MON(?P=_sep)ExYear[ 
:]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
#|  [0] {^LN-BEG}Month/Day/ExYear:24hour:Minute:Second
#|  [0] {^LN-BEG}Month-Day-ExYear 24hour:Minute:Second(?:\.Microseconds)?
#|  [0] {^LN-BEG}Epoch
#|  [0] {^LN-BEG}ExYear2ExMonthExDay ?24hour:Minute:Second
#|  [0] {^LN-BEG}MON Day, ExYear 12hour:Minute:Second AMPM
#|  [0] {^LN-BEG}ExYearExMonthExDay[T 
]Ex24hourExMinuteExSecond(?:[.,]Microseconds)?(?:\s*Zone offset)?
#|  [0] {^LN-BEG}(?:Zone name )?(?:DAY )?MON Day 
24hour:Minute:Second(?:\.Microseconds)?(?: ExYear)?
#|  [0] {^LN-BEG}(?:Zone offset )?(?:DAY )?MON Day 
24hour:Minute:Second(?:\.Microseconds)?(?: ExYear)?
#|  [0] {^LN-BEG}TAI64N
#|  [0] {^LN-BEG}24hour:Minute:Second
#|  [0] ^
#|  [0] ^MON-Day-ExYear2 24hour:Minute:Second

Ah, I finally found it:
https://docs.python.org/2/library/datetime.html#strftime-strptime-behavior

Bill


On 1/20/2018 2:37 PM, Guiom wrote:

- Fail2Ban version (including any possible distribution suffixes): Fail2ban 
v0.9.3
- OS, including release name/version: Ubuntu 16.04.3 LTS
- [X] Fail2Ban installed via OS/distribution mechanisms
- [X] You have not applied any additional foreign patches to the codebase
- [ ] Some customizations were done to the configuration (provide details below 
if so)

### The issue: unable to match log entry if timestamp is in epoch format and 
not at the beginning of the line

_Summary here_

the offending log entry:

109.145.30.225 | AuthenticationFailureEvent | guiom | 1516469849551 | guiom | {"authentication-method":"form","error":"Invalid 
username or password."} | @P8404Gx1057x12380x0 | 1p1yp8q


This is Bitbucket Server. The timestamp is in column 4 (assuming | separators).

jail.conf matches the entry but cannot extract the date:

2018-01-20 17:37:29,555 fail2ban.filter [3271]: WARNING Found a match for '109.145.30.225 | AuthenticationFailureEvent | guiom 
| 1516469849551 | guiom | {"authentication-method":"form","error":"Invalid username or password."} | @P8404Gx1057x12380x0 | 
1p1yp8q' but no valid date/time found for '109.145.30.225 | AuthenticationFailureEvent | guiom | 1516469849551 | guiom | 
{"authentication-method":"form","error":"Invalid username or password."} | @P8404Gx1057x12380x0 | 1p1yp8q'. Please try setting 
a custom date pattern (see man page jail.conf(5)). If format is complex, please file a detailed issue on 
https://github.com/fail2ban/fail2ban/issues in order to get support for this format.


[Definition]
failregex =   | AuthenticationFailureEvent | .*Invalid username or 
password

ignoreregex =





Dr Guillaume Peersman
m:  +447976918568 e: gu...@peersman.fr 
a:  37 Great Pulteney Street, Bath, Avon, BA2 4DA


/Phronesis Technologies Limited is a company registered in England under number 
10726796./





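Why the match in the thread above is found but "no valid date/time" is: every date template in the verbose fail2ban-regex output is anchored at the start of the line (`{^LN-BEG}Epoch`, `^...`), while the Bitbucket audit line puts its timestamp in the fourth `|` field and in milliseconds (13 digits). The script below is an added example, not fail2ban code: `ANCHORED_EPOCH` is an assumed stand-in for the stock Epoch template (its exact regex is not on the page), and `FIELD_EPOCH` is the shape a custom pattern for this log has to take. The sample line is a constructed copy of the one quoted in the message.

```python
"""Find an epoch timestamp that is not at the beginning of a log line.

Added example, not fail2ban code.  ANCHORED_EPOCH imitates the line-start
anchored Epoch template listed by fail2ban-regex -v (assumption: the stock
regex is not on the page); FIELD_EPOCH skips three '|' fields and accepts a
10-digit (seconds) or 13-digit (milliseconds) value.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed copy of the Bitbucket audit line quoted in the thread.
SAMPLE_LINE = (
    '109.145.30.225 | AuthenticationFailureEvent | guiom | 1516469849551 | guiom | '
    '{"authentication-method":"form","error":"Invalid username or password."} | '
    '@P8404Gx1057x12380x0 | 1p1yp8q'
)

# Anchored at line start, 10 or 11 digits with an optional fraction: it can
# never match a line that begins with an IP address.
ANCHORED_EPOCH = re.compile(r'^(?P<ts>\d{10,11})(?:\.\d{1,6})?\b')

# Skip three pipe-separated fields, then take the timestamp from the fourth.
FIELD_EPOCH = re.compile(r'^(?:[^|]*\|){3}\s*(?P<ts>\d{13}|\d{10})\s*\|')


def epoch_to_datetime(token):
    """10/11 digits are seconds, 13 digits are milliseconds; result is aware UTC."""
    if len(token) == 13:
        seconds, millis = divmod(int(token), 1000)
    elif len(token) in (10, 11):
        seconds, millis = int(token), 0
    else:
        raise ValueError("unsupported epoch width: %d digits" % len(token))
    return (datetime.fromtimestamp(seconds, tz=timezone.utc)
            + timedelta(milliseconds=millis))


def find_timestamp(line, pattern):
    """Return the line's timestamp as an aware UTC datetime, or None when the
    pattern does not locate one (fail2ban's 'no valid date/time found')."""
    m = pattern.search(line)
    return epoch_to_datetime(m.group('ts')) if m else None


if __name__ == "__main__":
    print(find_timestamp(SAMPLE_LINE, ANCHORED_EPOCH))  # None
    print(find_timestamp(SAMPLE_LINE, FIELD_EPOCH))     # 2018-01-20 17:37:29.551000+00:00
```

The recovered time, 17:37:29 UTC on 2018-01-20, is the same moment the fail2ban log line in the message reports the match, which is a quick sanity check that the field was read at the right scale. Expressed as a fail2ban `datepattern` (syntax per jail.conf(5), as the warning in the log suggests), a custom pattern has to do the same two things: skip the leading fields instead of anchoring at the line start, and accept a 13-digit value.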
Re: [Fail2ban-users] Log filters - guide and how-to

2018-02-05 Thread Bill Shirley

You should post your jail and filter.  fail2ban's filters change from release to release
to accommodate changes in the underlying log file (i.e. apache 2.2 vs apache 2.4).

Bill

On 2/5/2018 9:55 AM, Palvelin Postmaster via Fail2ban-users wrote:

Hi,

Full disclosure. I’m new to F2B. :)

I managed to set up 0.10.2 (just upgraded to 0.11) and get it working on macOS 
High Sierra. My primary match action is to block connections using the adaptive 
firewall (pf). I’m interested in filter action jails which target attempted 
abuse of apache/php7, proftpd, sshd, and webmin.

My main problem is that some of the log filters don’t seem to work (on macOS). 
For example, the sshd and webmin-auth log filters don’t match anything. Here’s 
an example of the only log entry which occurs when I try to login to Webmin 
with false credentials (logging of logins/logouts is enabled in webmin conf):

XXX.XXX.XXX.XXX - - [04/Feb/2018:23:01:52 +0200] "POST /session_login.cgi 
HTTP/1.1" 401 2333

So, it looks a bit different from the webmin-auth default regexps. Essentially 
just a HTTP status code 401. Can someone help me construct a properly formatted 
regexp for it?

Are there any generic instructions available on how to construct log filter 
regexps? How about instructions as to what each of the default log filters 
attempts to filter (or should it be obvious)?



--
Palvelin.fi Hostmaster
postmas...@palvelin.fi






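A small stand-in for fail2ban-regex, added here as an example (not fail2ban's own code) that serves two threads above: the exim "535 Incorrect authentication data" jail that never bans, and the webmin `session_login.cgi` 401 line for which a regex was asked. fail2ban replaces its `<HOST>` tag with a host-capturing group before matching; `HOST_RE` is an assumption modelled on the 0.9-era expansion. The regexes as quoted in the archive show `\[\]`, where `<HOST>` very likely stood before the HTML rendering stripped the tag, so the two exim regexes below are reconstructed on that assumption. All sample log lines are constructed to the shape of the quoted ones, with a documentation address in place of the masked webmin IP and a placeholder mailbox in place of the elided `set_id`.

```python
"""Check a failregex against sample log lines the way fail2ban-regex does.

Added example, not fail2ban's own code.  HOST_RE is an assumed <HOST>
expansion; the exim regexes are reconstructed on the assumption that the
archive stripped the <HOST> tag from them.
"""
import re
from collections import Counter

# Assumed <HOST> expansion: optional IPv4-mapped prefix, then an IP or hostname.
HOST_RE = r'(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)'


def compile_failregex(failregex):
    """Expand <HOST> and compile, as fail2ban does before matching."""
    return re.compile(failregex.replace('<HOST>', HOST_RE))


def hits_per_host(failregex, lines):
    """Count matching lines per host (fail2ban-regex's 'Matched' figure)."""
    rx = compile_failregex(failregex)
    hits = Counter()
    for line in lines:
        m = rx.search(line)
        if m:
            hits[m.group('host')] += 1
    return hits


def would_ban(failregex, lines, maxretry):
    """Hosts whose hit count reaches maxretry.  findtime is ignored here
    because every constructed sample falls inside a few seconds."""
    return sorted(h for h, n in hits_per_host(failregex, lines).items()
                  if n >= maxretry)


# --- exim thread: nine constructed lines with the same shape as the quoted ones
EXIM_LINE = ('Jan 17 11:38:%s linux.backend exim[14840]: 2018-01-17 11:38:%s '
             'fixed_login authenticator failed for (User) [190.98.45.180]: '
             '535 Incorrect authentication data (set_id=user@example.com)')
EXIM_LINES = [EXIM_LINE % (s, s) for s in
              ('54', '55', '55', '56', '56', '58', '58', '58', '59')]

# Regex from the jail that never banned: it expects ']:<port>: 535', but the
# log has ']: 535' with no port after the colon, so nothing matches.
EMANUEL_REGEX = r'\[<HOST>\]:\d+: 535 Incorrect authentication data'
# Bill's correction: whitespace instead of a port number after the colon.
BILL_REGEX = r'\[<HOST>\]:\s+535 Incorrect authentication data'

# --- webmin thread: constructed lines; 192.0.2.7 stands in for the masked IP
WEBMIN_LINES = [
    '192.0.2.7 - - [04/Feb/2018:23:01:52 +0200] "POST /session_login.cgi HTTP/1.1" 401 2333',
    '192.0.2.7 - - [04/Feb/2018:23:02:10 +0200] "GET / HTTP/1.1" 200 5120',
    '198.51.100.3 - - [04/Feb/2018:23:03:41 +0200] "POST /session_login.cgi HTTP/1.1" 401 2333',
]
# Match only a rejected POST to the login CGI, not every 401 on the server.
WEBMIN_REGEX = (r'^<HOST> - - \[[^\]]+\] "POST /session_login\.cgi HTTP/[\d.]+" '
                r'401 \d+$')


if __name__ == "__main__":
    print(hits_per_host(EMANUEL_REGEX, EXIM_LINES))      # no hits
    print(would_ban(BILL_REGEX, EXIM_LINES, maxretry=5))  # ['190.98.45.180']
    print(hits_per_host(WEBMIN_REGEX, WEBMIN_LINES))     # one hit per 401 host
```

With the jail's `maxretry = 5`, the original regex bans nobody because it never matches, while the corrected one counts nine hits for the single source and bans it. The webmin regex keys on the method, the login CGI path and the 401 status together, so a 401 on another URL or a successful login POST is not counted; the date in brackets is left to fail2ban's own date templates, which is why it is matched loosely with `[^\]]+`.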

Re: [Fail2ban-users] Create a Custom Variable in filter file to use in action file pn fail2ban v.8.4

2018-02-06 Thread Bill Shirley

As far as I know, you can't capture any additional info from the filter.  You 
might
try Simple Event Correlator: https://simple-evcorr.github.io/
I have triggers for when my gateway and VPNs go down or back up.

[0:root@c3po soa]$ rpm -qi sec
Name    : sec
Version : 2.7.10
Release : 0.fc24
Architecture: noarch
Install Date: Wed 19 Oct 2016 05:01:14 AM CDT
Group   : System Environment/Daemons
Size    : 590686
License : GPLv2+
Signature   : RSA/SHA256, Fri 24 Jun 2016 11:58:33 AM CDT, Key ID 
73bde98381b46521
Source RPM  : sec-2.7.10-0.fc24.src.rpm
Build Date  : Fri 24 Jun 2016 10:23:53 AM CDT
Build Host  : arm02-builder06.arm.fedoraproject.org
Relocations : (not relocatable)
Packager    : Fedora Project
Vendor  : Fedora Project
URL : http://simple-evcorr.sourceforge.net/
Summary : Simple Event Correlator script to filter log file entries
Description :
SEC is a simple event correlation tool that reads lines from files, named
pipes, or standard input, and matches the lines with regular expressions,
Perl subroutines, and other patterns for recognizing input events.
Events are then correlated according to the rules in configuration files,
producing output events by executing user-specified shell commands, by
writing messages to pipes or files, etc.


Bill


On 2/6/2018 3:52 PM, Ramses wrote:


Hi everybody,

I am using Fail2ban 8.4.

I have created a filter with the following failregex:

failregex = .* Connection with .* \( port .*\) activated

The line that appears in the log file is:

2018-02-02 17:27:49 tinc[25152]: Connection with VPN_002 (88.88.88.88 port 
19410) activated

It works well, but I need to know if I can configure a custom variable in the 
filter file to use in the action file later.

For example, I need to use the host name that connected, 'VPN_002', and pass it to an 
action file.

Regards,

Ramses





Re: [Fail2ban-users] error in log

2018-02-15 Thread Bill Shirley

You have a problem with your firewallcmd-ipset action which you didn't post.

Bill

On 2/14/2018 8:38 PM, M.P. wrote:


Can someone explain to me where the error is in this configuration?  Here's the error message I get when manually trying to 
ban using the jail, "manban" - I think I may need a slightly different set of parms to shut out certain ports and am not using 
the right references.



2018-02-12 13:38:01,892 fail2ban.action [1305]: ERROR ipset add fail2ban-manban 118.69.37.118 timeout 7776000 -exist 
-- stdout: ''
2018-02-12 13:38:01,892 fail2ban.action [1305]: ERROR ipset add fail2ban-manban 118.69.37.118 timeout 7776000 -exist 
-- stderr: 'ipset v6.29: The set with the given name does not exist\n'
2018-02-12 13:38:01,892 fail2ban.action [1305]: ERROR ipset add fail2ban-manban 118.69.37.118 timeout 7776000 -exist 
-- returned 1
2018-02-12 13:38:01,892 fail2ban.actions    [1305]: ERROR Failed to execute ban jail 'manban' action 'firewallcmd-ipset' 
info 'CallingMap({'ipjailmatches':  at 0x124c938>, 'matches': '', 'ip': '118.69.37.118', 'ipmatches': 
 at 0x124ca28>, 'ipfailures':  at 0x124c578>, 'time': 1518464281.783138, 'failures': 1, 
'ipjailfailures':  at 0x124c6e0>})': Error banning 118.69.37.118


jail.local:  (think the problem may be with the command/parms I'm using to 
determine which ports to block)

[manban]
enabled  = true
filter   = manban
port = smtp,465,submission,imap2,imap3,imaps,pop3,pop3s,http,https,socks,21,22
logpath  = /var/log/manban.log
maxretry = 1
# 1 month
bantime  = 2592000
findtime = 3600

manban.conf:  (I assume this isn't the problem because this is a copy of an 
existing conf that isn't being actively tested)

[INCLUDES]

before = common.conf

[Definition]
#Looks for failed password logins to SMTP
# sample trigger line: [Fri Aug 19 10:33:10 2011] [error] [client 207.171.3.138] File does not exist: 
/var/www/skraps/roundcubemail
failregex = ^\[\w{1,3}.\w{1,3}.\d{1,2}.\d{1,2}:\d{1,2}:\d{1,2} \d{1,4}. \[error] \[client.].File does not exist:.{1,40}roundcube.{1,200}
ignoreregex =




Re: [Fail2ban-users] error in log

2018-02-18 Thread Bill Shirley

Again, post your firewallcmd-ipset action.  There's something wrong with it or
with the way your [manban] jail is defaulting to it.

Is /var/log/manban.log an apache error log file?  logpath is the name of the file
fail2ban is to monitor, not the place for fail2ban to log its actions.

Also, your filter doesn't match your sample trigger line.  It should be 
something like this:
failregex = \[client \].+File does not exist.*roundcubemail.*$
Do not include regex logic to skip over the time.

You can test this with:
fail2ban-regex /var/log/manban /etc/fail2ban/filter.d/manban.conf

Bill

On 2/14/2018 8:38 PM, M.P. wrote:


Can someone explain to me where the error is in this configuration?  Here's the error message I get when manually trying to 
ban using the jail, "manban" - I think I may need a slightly different set of parms to shut out certain ports and am not using 
the right references.



2018-02-12 13:38:01,892 fail2ban.action [1305]: ERROR ipset add fail2ban-manban 118.69.37.118 timeout 7776000 -exist 
-- stdout: ''
2018-02-12 13:38:01,892 fail2ban.action [1305]: ERROR ipset add fail2ban-manban 118.69.37.118 timeout 7776000 -exist 
-- stderr: 'ipset v6.29: The set with the given name does not exist\n'
2018-02-12 13:38:01,892 fail2ban.action [1305]: ERROR ipset add fail2ban-manban 118.69.37.118 timeout 7776000 -exist 
-- returned 1
2018-02-12 13:38:01,892 fail2ban.actions    [1305]: ERROR Failed to execute ban jail 'manban' action 'firewallcmd-ipset' 
info 'CallingMap({'ipjailmatches':  at 0x124c938>, 'matches': '', 'ip': '118.69.37.118', 'ipmatches': 
 at 0x124ca28>, 'ipfailures':  at 0x124c578>, 'time': 1518464281.783138, 'failures': 1, 
'ipjailfailures':  at 0x124c6e0>})': Error banning 118.69.37.118


jail.local:  (think the problem may be with the command/parms I'm using to 
determine which ports to block)

[manban]
enabled  = true
filter   = manban
port = smtp,465,submission,imap2,imap3,imaps,pop3,pop3s,http,https,socks,21,22
logpath  = /var/log/manban.log
maxretry = 1
# 1 month
bantime  = 2592000
findtime = 3600

manban.conf:  (I assume this isn't the problem because this is a copy of an 
existing conf that isn't being actively tested)

[INCLUDES]

before = common.conf

[Definition]
#Looks for failed password logins to SMTP
# sample trigger line: [Fri Aug 19 10:33:10 2011] [error] [client 207.171.3.138] File does not exist: 
/var/www/skraps/roundcubemail
failregex = ^\[\w{1,3}.\w{1,3}.\d{1,2}.\d{1,2}:\d{1,2}:\d{1,2} \d{1,4}. \[error] \[client.].File does not exist:.{1,40}roundcube.{1,200}
ignoreregex =



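Both the "Failed to execute ban jail" thread earlier on this page (iptables-multiport and iptables-allports, ending in "Error stopping action") and the firewallcmd-ipset thread just above ("Error banning 118.69.37.118") leave the same trace in fail2ban.log: a NOTICE announcing the ban followed by an ERROR saying the action failed, so the address was never actually blocked. The parser below is an added example, not fail2ban code: it reads such lines and reports which announced bans were not enforced. The sample log is constructed from the shapes quoted in the two threads, with documentation addresses in place of the masked ones and the function-object dumps in the CallingMap shortened.

```python
"""Find bans that fail2ban announced but failed to apply.

Added example, not fail2ban code.  Reads fail2ban.log lines, pairs each
'NOTICE [jail] Ban <ip>' with a following 'ERROR Failed to execute ban jail
... : Error ...' for the same jail and address, and reports the outcome.
"""
import re

BAN_NOTICE = re.compile(
    r'^(?P<ts>\S+ \S+) fail2ban\.actions\s+\[\d+\]: NOTICE\s+'
    r'\[(?P<jail>[^\]]+)\] Ban (?P<ip>\S+)$')

BAN_ERROR = re.compile(
    r"^(?P<ts>\S+ \S+) fail2ban\.actions\s+\[\d+\]: ERROR\s+Failed to execute "
    r"(?P<op>ban|unban) jail '(?P<jail>[^']+)' action '(?P<action>[^']+)' "
    r"info '(?P<info>.*)': (?P<reason>Error .*)$")

# The banned address is repeated inside the CallingMap dump; read it from there.
INFO_IP = re.compile(r"'ip': '(?P<ip>[^']+)'")


def failed_bans(lines):
    """Return [(jail, action, ip, reason)] for every failed-ban ERROR line."""
    out = []
    for line in lines:
        m = BAN_ERROR.match(line)
        if not m or m.group('op') != 'ban':
            continue
        ip_m = INFO_IP.search(m.group('info'))
        ip = ip_m.group('ip') if ip_m else None
        out.append((m.group('jail'), m.group('action'), ip, m.group('reason')))
    return out


def ban_status(lines):
    """Map (jail, ip) -> 'enforced' or 'failed: <reason>'.

    A NOTICE marks the ban as enforced; a later ERROR for the same jail and
    address overrides it, so a ban whose action failed is not reported as applied.
    """
    status = {}
    for line in lines:
        n = BAN_NOTICE.match(line)
        if n:
            status[(n.group('jail'), n.group('ip'))] = 'enforced'
            continue
        for jail, _action, ip, reason in failed_bans([line]):
            status[(jail, ip)] = 'failed: ' + reason
    return status


# Constructed sample modelled on the lines quoted in the two threads.
SAMPLE_LOG = """\
2017-11-16 07:59:06,944 fail2ban.actions        [641]: NOTICE  [sshd] Ban 192.0.2.50
2017-11-16 07:59:07,171 fail2ban.actions        [641]: ERROR   Failed to execute ban jail 'sshd' action 'iptables-multiport' info 'CallingMap({'time': 1510819146.9440994, 'matches': 'Nov 16 07:59:01 host sshd[3714]: Invalid user admin from 192.0.2.50', 'failures': 5, 'ip': '192.0.2.50'})': Error stopping action
2017-11-16 07:59:07,449 fail2ban.actions        [641]: NOTICE  [recidive] Ban 192.0.2.50
2017-11-16 07:59:07,671 fail2ban.actions        [641]: ERROR   Failed to execute ban jail 'recidive' action 'iptables-allports' info 'CallingMap({'time': 1510819147.4490871, 'matches': '', 'failures': 3, 'ip': '192.0.2.50'})': Error stopping action
2018-02-12 13:38:01,892 fail2ban.actions    [1305]: NOTICE  [manban] Ban 198.51.100.7
2018-02-12 13:38:01,892 fail2ban.actions    [1305]: ERROR   Failed to execute ban jail 'manban' action 'firewallcmd-ipset' info 'CallingMap({'matches': '', 'ip': '198.51.100.7', 'time': 1518464281.783138, 'failures': 1})': Error banning 198.51.100.7
2018-02-12 13:40:00,000 fail2ban.actions    [1305]: NOTICE  [sshd] Ban 203.0.113.9
"""


if __name__ == "__main__":
    for item in failed_bans(SAMPLE_LOG.splitlines()):
        print("NOT ENFORCED:", item)
    print(ban_status(SAMPLE_LOG.splitlines()))
```

The `fail2ban.action` (singular) lines that precede such an ERROR, like the `ipset add ... stderr: 'The set with the given name does not exist'` lines in the thread, carry the underlying cause; this block keys only on the `fail2ban.actions` summary line, which is enough to answer the question asked in the first thread: a ban that is followed by this ERROR was not applied, whatever the NOTICE says.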

Re: [Fail2ban-users] rule banaction error (fail2ban.actions.action: ERROR)

2018-02-19 Thread Bill Shirley

You have the digit 1 after your chain name (fail2ban-Exim) which shouldn't be there.
Post your jail, filter, and action.

Bill

On 2/16/2018 9:24 AM, Emanuel Gonzalez wrote:

Hello,

In the fail2ban logs I see this error:

2018-02-16 11:15:28,629 fail2ban.actions.action: ERROR /sbin/iptables -I fail2ban-Exim 1 -s 203.146.43.124 -p tcp --destination-port 25 -j DROP

/sbin/iptables -I fail2ban-Exim 1 -s 203.146.43.124 -p udp --destination-port 25 -j DROP
/sbin/iptables -I fail2ban-Exim 1 -s 203.146.43.124 -p tcp --destination-port 587 -j DROP
/sbin/iptables -I fail2ban-Exim 1 -s 203.146.43.124 -p udp --destination-port 587 -j DROP
/sbin/iptables -I fail2ban-Exim 1 -s 203.146.43.124 -p tcp --destination-port 465 -j DROP
/sbin/iptables -I fail2ban-Exim 1 -s 203.146.43.124 -p udp --destination-port 465 -j DROP returned 100

In iptables I do not see any IP blocked:

/etc/fail2ban] # iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source   destination

Chain FORWARD (policy ACCEPT)
target prot opt source   destination

Chain OUTPUT (policy ACCEPT)
target prot opt source   destination

Any suggestions?








Re: [Fail2ban-users] Fwd: Re: error in log

2018-02-19 Thread Bill Shirley

It should be in /etc/fail2ban/filter.d/

Do you know which firewall you are using?

Bill

On 2/18/2018 1:44 PM, M.P. wrote:


Note that my failregex shouldn't matter because I'm not actually looking to have it triggered automatically.  I call this jail 
manually from the command line.   The problem isn't with the trigger, but with the action.   Admittedly I pieced together 
different sample configs to try and make this work but something is off.


Where can I find the firewallcmd-ipset action?




Again, post your firewallcmd-ipset action.  There's something wrong with it or
with the way your [manban] jail is defaulting to it.

Is /var/log/manban.log an apache error log file?  logpath is the name of the file
fail2ban is to monitor, not the place for fail2ban to log its actions.

Also, your filter doesn't match your sample trigger line.  It should be 
something like this:
failregex = \[client \].+File does not exist.*roundcubemail.*$
Do not include regex logic to skip over the time.

You can test this with:
fail2ban-regex /var/log/manban /etc/fail2ban/filter.d/manban.conf

Bill

On 2/14/2018 8:38 PM, M.P. wrote:


can someone explain to me where the error is in this configuration?  Here's the error message I get when manually trying to 
ban using the jail, "manban" - I think I may need a slightly different set of parms to shut out certain ports and am not 
using the right references..



2018-02-12 13:38:01,892 fail2ban.action        [1305]: ERROR   ipset add fail2ban-manban 118.69.37.118 timeout 
7776000 -exist -- stdout: ''
2018-02-12 13:38:01,892 fail2ban.action        [1305]: ERROR   ipset add fail2ban-manban 118.69.37.118 timeout 
7776000 -exist -- stderr: 'ipset v6.29: The set with the given name does not exist\n'
2018-02-12 13:38:01,892 fail2ban.action        [1305]: ERROR   ipset add fail2ban-manban 118.69.37.118 timeout 
7776000 -exist -- returned 1
2018-02-12 13:38:01,892 fail2ban.actions        [1305]: ERROR   Failed to execute ban jail 'manban' action 
'firewallcmd-ipset' info 'CallingMap({'ipjailmatches':  at 0x124c938>, 'matches': '', 'ip': 
'118.69.37.118', 'ipmatches':  at 0x124ca28>, 'ipfailures':  at 0x124c578>, 'time': 
1518464281.783138, 'failures': 1, 'ipjailfailures':  at 0x124c6e0>})': Error banning 118.69.37.118


jail.local:  (think the problem may be with the command/parms I'm using to 
determine which ports to block)

[manban]
enabled  = true
filter   = manban
port = smtp,465,submission,imap2,imap3,imaps,pop3,pop3s,http,https,socks,21,22
logpath  = /var/log/manban.log
maxretry = 1
# 1 month
bantime  = 2592000
findtime = 3600

manban.conf:  (I assume this isn't the problem because this is a copy of an 
existing conf that isn't being actively tested)

[INCLUDES]

before = common.conf

[Definition]
#Looks for failed password logins to SMTP
# sample trigger line: [Fri Aug 19 10:33:10 2011] [error] [client 207.171.3.138] File does not exist: 
/var/www/skraps/roundcubemail
failregex = ^\[\w{1,3}.\w{1,3}.\d{1,2}.\d{1,2}:\d{1,2}:\d{1,2} \d{1,4}. \[error] \[client.].File does not exist:.{1,40}roundcube.{1,200}
ignoreregex =











Re: [Fail2ban-users] Fwd: Re: error in log

2018-02-19 Thread Bill Shirley

Sorry, that's where the filters are.  Try /etc/fail2ban/action.d/

Bill

On 2/19/2018 9:17 PM, Bill Shirley wrote:

It should be in /etc/fail2ban/filter.d/

Do you know which firewall you are using?

Bill

On 2/18/2018 1:44 PM, M.P. wrote:


Note that my failregex shouldn't matter because I'm not actually looking to have it triggered automatically.  I call this 
jail manually from the command line.   The problem isn't with the trigger, but with the action.   Admittedly I pieced 
together different sample configs to try and make this work but something is off.


Where can I find the firewallcmd-ipset action?




Again, post your firewallcmd-ipset action.  There's something wrong with it or
with the way your [manban] jail is defaulting to it.

Is /var/log/manban.log an apache error log file?  logpath is the name of the file
fail2ban is to monitor, not the place for fail2ban to log its actions.

Also, your filter doesn't match your sample trigger line.  It should be 
something like this:
failregex = \[client \].+File does not exist.*roundcubemail.*$
Do not include regex logic to skip over the time.

You can test this with:
fail2ban-regex /var/log/manban /etc/fail2ban/filter.d/manban.conf

Bill

On 2/14/2018 8:38 PM, M.P. wrote:


can someone explain to me where the error is in this configuration?  Here's the error message I get when manually trying 
to ban using the jail, "manban" - I think I may need a slightly different set of parms to shut out certain ports and am not 
using the right references..



2018-02-12 13:38:01,892 fail2ban.action        [1305]: ERROR   ipset add fail2ban-manban 118.69.37.118 timeout 
7776000 -exist -- stdout: ''
2018-02-12 13:38:01,892 fail2ban.action        [1305]: ERROR   ipset add fail2ban-manban 118.69.37.118 timeout 
7776000 -exist -- stderr: 'ipset v6.29: The set with the given name does not exist\n'
2018-02-12 13:38:01,892 fail2ban.action        [1305]: ERROR   ipset add fail2ban-manban 118.69.37.118 timeout 
7776000 -exist -- returned 1
2018-02-12 13:38:01,892 fail2ban.actions       [1305]: ERROR   Failed to execute ban jail 'manban' action 
'firewallcmd-ipset' info 'CallingMap({'ipjailmatches':  at 0x124c938>, 'matches': '', 'ip': 
'118.69.37.118', 'ipmatches':  at 0x124ca28>, 'ipfailures':  at 0x124c578>, 'time': 
1518464281.783138, 'failures': 1, 'ipjailfailures':  at 0x124c6e0>})': Error banning 118.69.37.118


jail.local:  (think the problem may be with the command/parms I'm using to 
determine which ports to block)

[manban]
enabled  = true
filter   = manban
port = smtp,465,submission,imap2,imap3,imaps,pop3,pop3s,http,https,socks,21,22
logpath  = /var/log/manban.log
maxretry = 1
# 1 month
bantime  = 2592000
findtime = 3600

manban.conf:  (I assume this isn't the problem because this is a copy of an 
existing conf that isn't being actively tested)

[INCLUDES]

before = common.conf

[Definition]
#Looks for failed password logins to SMTP
# sample trigger line: [Fri Aug 19 10:33:10 2011] [error] [client 207.171.3.138] File does not exist: 
/var/www/skraps/roundcubemail
failregex = ^\[\w{1,3}.\w{1,3}.\d{1,2}.\d{1,2}:\d{1,2}:\d{1,2} \d{1,4}. \[error] \[client.].File does not exist:.{1,40}roundcube.{1,200}
ignoreregex =











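Bill's advice quoted above on the manban filter (fail2ban strips the matched timestamp before the failregex runs, so the pattern should start at `\[client <HOST>\]` and not try to skip over the time) can be checked offline. The script below is an added example, not code from the thread or from fail2ban: it replays the posted pattern and the suggested one against the sample trigger line quoted in the thread. Two assumptions are made: the `<HOST>` tag inside `\[client ...\]` was dropped by the archive (it is restored here as an IPv4-only group, where fail2ban's real tag also covers IPv6 and hostnames), and the Apache error_log timestamp regex stands in for fail2ban's own date templates.

```python
import re

# Constructed copy of the Apache error_log line quoted in the thread as the "sample trigger line".
SAMPLE_LINE = ("[Fri Aug 19 10:33:10 2011] [error] [client 207.171.3.138] "
               "File does not exist: /var/www/skraps/roundcubemail")

# Apache error_log timestamp, e.g. "[Fri Aug 19 10:33:10 2011]".  fail2ban locates the timestamp
# with its own date templates; this regex stands in for that step.
DATE_RE = re.compile(r"\[\w{3} \w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} \d{4}\]")

# IPv4-only stand-in for fail2ban's <HOST> tag (the real tag also accepts IPv6 and hostnames).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The manban.conf failregex as posted.  The "." after "client" stands for a space, as elsewhere in
# the pattern; assumption: a <HOST> tag followed it and was dropped by the archive.
POSTED_FAILREGEX = (r"^\[\w{1,3}.\w{1,3}.\d{1,2}.\d{1,2}:\d{1,2}:\d{1,2} \d{1,4}. \[error] "
                    r"\[client.<HOST>].File does not exist:.{1,40}roundcube.{1,200}")

# Bill's suggestion, with the <HOST> tag restored inside the client brackets (same assumption).
SUGGESTED_FAILREGEX = r"\[client <HOST>\].+File does not exist.*roundcubemail.*$"


def strip_timestamp(line):
    """Mimic fail2ban: locate the timestamp and remove it before the failregex is applied."""
    m = DATE_RE.search(line)
    return line if m is None else line[:m.start()] + line[m.end():]


def compile_failregex(pattern):
    """Expand the <HOST> tag as a fail2ban filter would, then compile the pattern."""
    return re.compile(pattern.replace("<HOST>", HOST))


def host_from_raw_line(pattern, line):
    """Match against the raw line, which is NOT what fail2ban does; returns the host or None."""
    m = compile_failregex(pattern).search(line)
    return m.group("host") if m else None


def host_as_fail2ban_sees_it(pattern, line):
    """Match against the line with its timestamp removed, as fail2ban does; returns the host or None."""
    m = compile_failregex(pattern).search(strip_timestamp(line))
    return m.group("host") if m else None


if __name__ == "__main__":
    for name, rx in (("posted", POSTED_FAILREGEX), ("suggested", SUGGESTED_FAILREGEX)):
        print(f"{name:9s} raw line -> {host_from_raw_line(rx, SAMPLE_LINE)}")
        print(f"{name:9s} fail2ban -> {host_as_fail2ban_sees_it(rx, SAMPLE_LINE)}")
```

The posted pattern does match the raw sample line, which is why testing it with a plain regex tool looks fine; once the timestamp is removed the line starts with ` [error]` and the leading `^\[\w{1,3}...` can no longer match, while the suggested pattern captures the client address either way.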

Re: [Fail2ban-users] How to flush log and database?

2018-03-05 Thread Bill Shirley

From the nightly log rotation /etc/logrotate.d/fail2ban
/var/log/fail2ban.log {
    missingok
    notifempty
    postrotate
  /usr/bin/fail2ban-client flushlogs >/dev/null || true
    endscript
}

I think you would run:
fail2ban-client flushlogs

Bill

On 3/5/2018 2:49 PM, Rose, John B wrote:


We have an overly full log file because of extraneous data due to a poorly selected loglevel. What is the best way to approach 
this problem?



Thanks







Re: [Fail2ban-users] How to flush log and database?

2018-03-06 Thread Bill Shirley

You must have missed the discussion back in December about cleaning up the 
sqlite3
database:
https://sourceforge.net/p/fail2ban/mailman/message/36158578/

The short version: trim the sqlite3 database to only the last 90 days:

-
File /etc/fail2ban/fail2ban.prune.sqlite.commands:
delete from bans where timeofban <= strftime('%s', date('now', '-90 days'));
vacuum;
.quit

From cli:
sqlite3 /var/lib/fail2ban/fail2ban.sqlite3 < 
/etc/fail2ban/fail2ban.prune.sqlite.commands

You can schedule it in cron too.
-

Bill


On 3/6/2018 2:47 AM, Mitchell Krog Photography wrote:

My preferred method to reset the log file and database (complete reset)

sudo service fail2ban stop
sudo truncate -s 0 /var/log/fail2ban.log
sudo rm /var/lib/fail2ban/fail2ban.sqlite3
sudo service fail2ban restart


On 2018/03/06 02:32:42, Bill Shirley  wrote:

From the nightly log rotation /etc/logrotate.d/fail2ban
/var/log/fail2ban.log {
    missingok
    notifempty
    postrotate
  /usr/bin/fail2ban-client flushlogs >/dev/null || true
    endscript
}

I think you would run:
fail2ban-client flushlogs

Bill

On 3/5/2018 2:49 PM, Rose, John B wrote:


We have an overly full log file because of extraneous data due to a poorly selected loglevel. What is the best way to 
approach this problem?



Thanks







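Bill's prune file can be exercised against a throwaway database before it is pointed at /var/lib/fail2ban/fail2ban.sqlite3. The script below is an added example, not code from the thread or from fail2ban: it builds a minimal constructed `bans` table (only the `jail`, `ip` and `timeofban` columns, not fail2ban's full schema) with sample rows on either side of the 90-day line, applies the statements from the command file while skipping the `.quit` shell command, and returns what survives.

```python
import os
import sqlite3
import tempfile
import time

# Bill's prune script, reproduced here as a constant so the example can apply it itself.
PRUNE_SCRIPT = """\
delete from bans where timeofban <= strftime('%s', date('now', '-90 days'));
vacuum;
.quit
"""


def sql_statements(script):
    """Split a sqlite3 shell script into SQL statements, dropping shell dot-commands such as .quit."""
    for chunk in script.split(";"):
        lines = [l for l in chunk.splitlines() if not l.strip().startswith(".")]
        stmt = "\n".join(lines).strip()
        if stmt:
            yield stmt


def make_sample_db(path, now):
    """Create a minimal stand-in for fail2ban's bans table (constructed schema, not fail2ban's own)."""
    # Autocommit mode: VACUUM refuses to run inside an open transaction.
    conn = sqlite3.connect(path, isolation_level=None)
    conn.execute("CREATE TABLE bans (jail TEXT NOT NULL, ip TEXT, timeofban INTEGER NOT NULL)")
    day = 86400
    rows = [  # constructed sample bans: two older than 90 days, two newer
        ("sshd", "203.0.113.5", int(now - 120 * day)),
        ("sshd", "203.0.113.6", int(now - 91 * day)),
        ("postfix-sasl", "198.51.100.9", int(now - 89 * day)),
        ("postfix-sasl", "198.51.100.10", int(now - 1 * day)),
    ]
    conn.executemany("INSERT INTO bans VALUES (?, ?, ?)", rows)
    return conn


def prune(conn, script=PRUNE_SCRIPT):
    """Apply the prune script and return the IPs still present in the bans table."""
    for stmt in sql_statements(script):
        conn.execute(stmt)
    return sorted(ip for (ip,) in conn.execute("SELECT ip FROM bans"))


def demo():
    """Build a temporary database, prune it, and return the surviving IPs."""
    with tempfile.TemporaryDirectory() as tmp:
        conn = make_sample_db(os.path.join(tmp, "fail2ban.sqlite3"), time.time())
        try:
            return prune(conn)
        finally:
            conn.close()


if __name__ == "__main__":
    print("bans kept after prune:", demo())
```

`date('now', '-90 days')` resolves to midnight UTC of the day 90 days ago, so a ban recorded 91 days ago is removed and one from 89 days ago is kept; `timeofban` is an epoch integer, and SQLite converts the text returned by `strftime('%s', ...)` to a number for the comparison.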


Re: [Fail2ban-users] nginx-botcheck and extra SSL cipher logging

2018-03-13 Thread Bill Shirley

In your sample log lines, you have two dashes after the IP address; your regex
only expects one. Try:

failregex = ^.+?"(GET|POST|HEAD) /.+?" 404 .+$

BTW, you don't escape / or -

Bill

On 3/13/2018 2:12 PM, Sophie Loewenthal wrote:

NGINX BOTCHECK

Debian 9.2

$ dpkg -l fail2ban
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version   Architecture  Description
+++--=-=-=
ii  fail2ban 0.9.6-2   all   ban hosts that 
cause multiple authentication errors


-
$ cat /etc/fail2ban/filter.d/nginx-botsearch.conf |grep -v ^#

[INCLUDES]

before = botsearch-common.conf

[Definition]

failregex = ^ \- \S+ \[\] \"(GET|POST|HEAD) \/ \S+\" 404 .+$
 ^ \[error\] \d+#\d+: \*\d+ (\S+ )?\"\S+\" (failed|is not found) \(2\: No such file or 
directory\), client\: \, server\: \S*\, request: \"(GET|POST|HEAD) \/ 
\S+\"\, .*?$

ignoreregex =

——

Sample log lines:
# grep bot www.example.co.uk_access.log
66.249.75.148 - - [13/Mar/2018:12:33:58 +] TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384 "GET /robots.txt 
HTTP/1.1" 404 162 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; 
+http://www.google.com/bot.html)"
66.249.75.148 - - [13/Mar/2018:12:33:58 +] TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384 "GET /ads.txt 
HTTP/1.1" 404 162 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; 
+http://www.google.com/bot.html)"
157.55.39.236 - - [13/Mar/2018:15:04:19 +] TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384 "GET / HTTP/1.1" 
302 5 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

On 13 Mar 2018, at 11:07, Tom Hendrikx  wrote:

Hi,

Please keep replies on-list, don't e-mail me privately.

Can you post:
- OS version you're running
- fail2ban version you're running
- contents of the /etc/fail2ban/filter.d/dovecot.conf file, so we can
extend the current regex

For nginx, please create a new thread and supply the same information,
along with some sample log lines.

Kind regards,

Tom


On 12-03-18 21:03, Sophie Loewenthal wrote:

Hi,  Thanks for the fail2ban-regex checker. I checked nginx and this also 
seemed not to work.  Again I have the ciphers listed when they connect.



 NGINX *
# fail2ban-regex mx10.example.co.uk_access.log '^ \- \S+ \[\] \"(GET|POST|HEAD) 
\/ \S+\" 404 .+$'
Running tests
=
Use   failregex line : ^ \- \S+ \[\] \"(GET|POST|HEAD) \/ \S...
Use log file : mx10.example.co.uk_access.log
Use encoding : UTF-8

Results
===
Failregex: 0 total
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
|  [10] Day(?P<_sep>[-/])MON(?P=_sep)Year[ 
:]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
`-

Lines: 10 lines, 0 ignored, 0 matched, 10 missed
[processed in 0.00 sec]

|- Missed line(s):
|  207.46.13.127 - - [12/Mar/2018:11:52:42 +] TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384 "GET / 
HTTP/1.1" 302 5 "-" "Mozilla/5.0 (compatible; bingbot/2.0; 
+http://www.bing.com/bingbot.htm)"
|  184.105.247.194 - - [12/Mar/2018:14:25:42 +] TLSv1.2/ECDHE-RSA-AES128-GCM-SHA256 "GET / 
HTTP/1.1" 302 5 "-" "-"
|  183.129.160.229 - - [12/Mar/2018:15:21:21 +] TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384 "GET 
/farm/libs/modules/tween/tween.min.js HTTP/1.1" 404 162 "-" "Mozilla/5.0 (Macintosh; 
Intel Mac OS X 10.11; rv:47.0) Gecko/20100101 Firefox/47.0"
|  207.46.13.104 - - [12/Mar/2018:15:48:45 +] TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384 "GET / 
HTTP/1.1" 302 5 "-" "Mozilla/5.0 (compatible; bingbot/2.0; 
+http://www.bing.com/bingbot.htm)"
|  207.46.13.127 - - [12/Mar/2018:16:15:41 +] TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384 "GET / 
HTTP/1.1" 302 5 "-" "Mozilla/5.0 (compatible; bingbot/2.0; 
+http://www.bing.com/bingbot.htm)"
|  66.249.75.148 - - [12/Mar/2018:16:37:47 +] TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384 "GET /robots.txt 
HTTP/1.1" 404 162 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; 
+http://www.google.com/bot.html)"
|  66.249.75.144 - - [12/Mar/2018:16:37:47 +] TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384 "GET /ads.txt 
HTTP/1.1" 404 162 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; 
+http://www.google.com/bot.html)"
|  207.46.13.45 - - [12/Mar/2018:19:01:28 +] TLSv1.2/DHE-RSA-AES256-GCM-SHA384 "GET /robots.txt 
HTTP/1.1" 404 162 "-" "Mozilla/5.0 (compatible; bingbot/2.0; 
+http://www.bing.com/bingbot.htm)"
|  207.46.13.45 - - [12/Mar/2018:19:01:29 +] TLSv1.2/DHE-RSA-AES256-GCM-SHA384 "GET /robots.txt 
HTTP/1.1" 404 162 "-" "Mozilla/5.0 (compatible; bingbot/2.0; 
+http://www.bing.com/bingbot.htm)"
|  40.77.167.54 - - [12/Mar/2018:19:01:34 +] TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384 "GET / 
HTTP/1.1" 302 5 "-" "Mozilla/5.0 (compatible; bingbot/2.0; 
+http://www.bing.co

Re: [Fail2ban-users] dovecot and postfix jail with extra SSL logging

2018-03-13 Thread Bill Shirley

Here's what I use for Dovecot:
failregex = auth:.+dovecot:auth.+authentication\s+failure;.+rhost=
    dovecot:.+rip=.+wrong version number
    dovecot:.+tried to use disallowed plaintext auth.+rip=
    dovecot:.+auth failed.+rip=
    dovecot:.+no auth attempts.+rip=

Bill

On 3/13/2018 2:07 PM, Sophie Loewenthal wrote:

Hi Tom,


Please keep replies on-list, don't e-mail me privately.

A mistake & my apologies. The Fail2ban mailing list sets the From address as the 
sender's email, not the list's email. Pressing Reply will reply to your private 
email. The To: has to be manually edited on each reply :(

Dovecot details below:



Debian 9.2

$ dpkg -l fail2ban
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version   Architecture  Description
+++--=-=-=
ii  fail2ban 0.9.6-2   all   ban hosts that 
cause multiple authentication errors


$ cat /etc/fail2ban/filter.d/dovecot.conf|grep -v ^#

[INCLUDES]

before = common.conf

[Definition]

_daemon = (auth|dovecot(-auth)?|auth-worker)

failregex = 
^%(__prefix_line)s(?:%(__pam_auth)s(?:\(dovecot:auth\))?:)?\s+authentication failure; 
logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* 
rhost=(?:\s+user=\S*)?\s*$
 ^%(__prefix_line)s(?:pop3|imap)-login: (?:Info: )?(?:Aborted login|Disconnected)(?::(?: 
[^ \(]+)+)? \((?:auth failed, \d+ attempts( in \d+ secs)?|tried to use (disabled|disallowed) \S+ 
auth)\):( user=<[^>]+>,)?( method=\S+,)? rip=(?:, lip=\S+)?(?:, TLS(?: 
handshaking(?:: SSL_accept\(\) failed: error:[\dA-F]+:SSL routines:[TLS\d]+_GET_CLIENT_HELLO:unknown 
protocol)?)?(: Disconnected)?)?(, session=<\S+>)?\s*$
 ^%(__prefix_line)s(?:Info|dovecot: auth\(default\)|auth-worker\(\d+\)): 
pam\(\S+,\): pam_authenticate\(\) failed: (User not known to the 
underlying authentication module: \d+ Time\(s\)|Authentication failure \(password 
mismatch\?\))\s*$
 ^%(__prefix_line)s(?:auth|auth-worker\(\d+\)): 
(?:pam|passwd-file)\(\S+,\): unknown user\s*$
 ^%(__prefix_line)s(?:auth|auth-worker\(\d+\)): Info: 
ldap\(\S*,,\S*\): invalid credentials\s*$

ignoreregex =

[Init]

journalmatch = _SYSTEMD_UNIT=dovecot.service


On 13 Mar 2018, at 11:07, Tom Hendrikx  wrote:

Hi,

Please keep replies on-list, don't e-mail me privately.

Can you post:
- OS version you're running
- fail2ban version you're running
- contents of the /etc/fail2ban/filter.d/dovecot.conf file, so we can
extend the current regex

For nginx, please create a new thread and supply the same information,
along with some sample log lines.

Kind regards,

Tom


On 12-03-18 21:03, Sophie Loewenthal wrote:

Hi,  Thanks for the fail2ban-regex checker. I checked nginx and this also 
seemed not to work.  Again I have the ciphers listed when they connect.



 NGINX *
# fail2ban-regex mx10.example.co.uk_access.log '^ \- \S+ \[\] \"(GET|POST|HEAD) 
\/ \S+\" 404 .+$'
Running tests
=
Use   failregex line : ^ \- \S+ \[\] \"(GET|POST|HEAD) \/ \S...
Use log file : mx10.example.co.uk_access.log
Use encoding : UTF-8

Results
===
Failregex: 0 total
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
|  [10] Day(?P<_sep>[-/])MON(?P=_sep)Year[ 
:]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
`-

Lines: 10 lines, 0 ignored, 0 matched, 10 missed
[processed in 0.00 sec]

|- Missed line(s):
|  207.46.13.127 - - [12/Mar/2018:11:52:42 +] TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384 "GET / 
HTTP/1.1" 302 5 "-" "Mozilla/5.0 (compatible; bingbot/2.0; 
+http://www.bing.com/bingbot.htm)"
|  184.105.247.194 - - [12/Mar/2018:14:25:42 +] TLSv1.2/ECDHE-RSA-AES128-GCM-SHA256 "GET / 
HTTP/1.1" 302 5 "-" "-"
|  183.129.160.229 - - [12/Mar/2018:15:21:21 +] TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384 "GET 
/farm/libs/modules/tween/tween.min.js HTTP/1.1" 404 162 "-" "Mozilla/5.0 (Macintosh; 
Intel Mac OS X 10.11; rv:47.0) Gecko/20100101 Firefox/47.0"
|  207.46.13.104 - - [12/Mar/2018:15:48:45 +] TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384 "GET / 
HTTP/1.1" 302 5 "-" "Mozilla/5.0 (compatible; bingbot/2.0; 
+http://www.bing.com/bingbot.htm)"
|  207.46.13.127 - - [12/Mar/2018:16:15:41 +] TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384 "GET / 
HTTP/1.1" 302 5 "-" "Mozilla/5.0 (compatible; bingbot/2.0; 
+http://www.bing.com/bingbot.htm)"
|  66.249.75.148 - - [12/Mar/2018:16:37:47 +] TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384 "GET /robots.txt 
HTTP/1.1" 404 162 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; 
+http://www.google.com/bot.html)"
|  66.249.75.144 - - [12/Mar/2018:16:37:47 +] TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384 "GET /ads.txt 
HTTP/1.1" 404 162 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; 
+http:

Re: [Fail2ban-users] Unban IP Address on Fail2Ban v8.4.2

2018-03-15 Thread Bill Shirley

If you use iptables with Shorewall, then a 'shorewall restart' will clobber your
fail2ban rules.  It's better to use an ipset with Shorewall.

Bill

On 3/15/2018 5:21 AM, chaouche yacine via Fail2ban-users wrote:

Nick,

Can you please explain why this is better than just removing the rule from iptables ? because that's how I do with shorewall 
so I might be doing something wrong.


Yassine.


On Thursday, March 15, 2018 10:19 AM, Nick Howitt  wrote:


fail2ban-client  set  unbanip 

On 15/03/2018 08:29, Ramses wrote:
> Hi everybody,
>
> I have an old version of fail2ban and I'd like to know if there is some way to
> unban an IP address that fail2ban has banned.
>
>
> Regards,
>
> Ramses
>











Re: [Fail2ban-users] latest Dovecot.conf missing failed attempts?

2018-05-01 Thread Bill Shirley

I use my own filter for dovecot - jail.local:
[dovecot]
enabled        = false
# --
[dovecot-secure]
#enabled        = false
enabled        = true
filter        = my_dovecot_secure
...


my_dovecot_secure.conf:
[Definition]
# fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/my_dovecot_secure.conf


failregex = auth:.+dovecot:auth.+authentication\s+failure;.+rhost=
    dovecot:.+rip=.+wrong version number
    dovecot:.+tried to use disallowed plaintext auth.+rip=
    dovecot:.+auth failed.+rip=
    dovecot:.+no auth attempts.+rip=


ignoreregex =

[0:root@bb8 ~ 1]$ rpm -qa 'fail2ban*'
fail2ban-server-0.10.2-1.fc27.noarch

Bill

On 4/30/2018 11:56 AM, Robert Kudyba wrote:

We are on Fedora 27 and our version:
rpm -q fail2ban
fail2ban-0.10.2-1.fc27.noarch

Sample log snip of a login attempt not caught:

Apr 29 16:12:26 ourhostname dovecot: imap-login: Disconnected (auth failed, 1 attempts in 7 secs): user=>, method=PLAIN, rip=181.214.87.30, lip=x.x.x.x, TLS, session=

contents of dovecot.conf:

# Fail2Ban filter Dovecot authentication and pop3/imap server
#

[INCLUDES]

before = common.conf

[Definition]

_auth_worker = (?:dovecot: )?auth(?:-worker)?
_daemon = (?:dovecot(?:-auth)?|auth)

prefregex = ^%(__prefix_line)s(?:%(_auth_worker)s(?:\([^\)]+\))?: )?(?:%(__pam_auth)s(?:\(dovecot:auth\))?: 
|(?:pop3|imap)-login: )?(?:Info: )?.+$


failregex = ^authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot 
ruser=\S* rhost=(?:\s+user=\S*)?\s*$
            ^(?:Aborted login|Disconnected)(?::(?: [^ \(]+)+)? \((?:auth failed, \d+ attempts(?: in \d+ secs)?|tried to use 
(?:disabled|disallowed) \S+ auth)\):(?: user=<[^>]*>,)?(?: method=\S+,)? rip=(?:[^>]*(?:, session=<\S+>)?)\s*$
^pam\(\S+,(?:,\S*)?\): pam_authenticate\(\) failed: (?:User not known to the underlying authentication module: \d+ 
Time\(s\)|Authentication failure \(password mismatch\?\)|Permission denied)\s*$

^[a-z\-]{3,15}\(\S*,(?:,\S*)?\): (?:unknown user|invalid credentials)\s*$
>

mdre-aggressive = ^(?:Aborted login|Disconnected)(?::(?: [^ \(]+)+)? \((?:no auth attempts|disconnected before auth was 
ready,|client didn't finish \S+ auth,)(?: (?:in|waited) \d+ secs)?\):(?: user=<[^>]*>,)?(?: method=\S+,)? 
rip=(?:[^>]*(?:, session=<\S+>)?)\s*$


mdre-normal =

# Parameter `mode` - `normal` or `aggressive`.
# Aggressive mode can be used to match log-entries like:
#   'no auth attempts', 'disconnected before auth was ready', 'client didn't 
finish SASL auth'.
# Note it may produce lots of false positives on misconfigured MTAs.
# Ex.:
# filter = dovecot[mode=aggressive]
mode = normal

ignoreregex =

journalmatch = _SYSTEMD_UNIT=dovecot.service

datepattern = {^LN-BEG}TAI64N
              {^LN-BEG}

# DEV Notes:
# * the first regex is essentially a copy of pam-generic.conf
# * Probably doesn't do dovecot sql/ldap backends properly (resolved in edit 
21/03/2016)
#
# Author: Martin Waschbuesch
#         Daniel Black (rewrote with begin and end anchors)
#         Martin O'Neal (added LDAP authentication failure regex)
#         Sergey G. Brester aka sebres (reviewed, optimized, IPv6-compatibility)

169 should have been caught, if I read this correctly:

fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/dovecot.conf

Running tests
=

Use   failregex filter file : dovecot, basedir: /etc/fail2ban
Use      datepattern : Default Detectors
Use         log file : /var/log/maillog
Use         encoding : ANSI_X3.4-1968


Results
===

Failregex: 169 total
|-  #) [# of hits] regular expression
|   2) [169] ^(?:Aborted login|Disconnected)(?::(?: [^ \(]+)+)? \((?:auth failed, \d+ attempts(?: in \d+ secs)?|tried to use 
(?:disabled|disallowed) \S+ auth)\):(?: user=<[^>]*>,)?(?: method=\S+,)? rip=(?:[^>]*(?:, session=<\S+>)?)\s*$

`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [28744] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: 
ExYear)?
`-

Lines: 28744 lines, 0 ignored, 169 matched, 28575 missed
[processed in 6.30 sec]

Missed line(s): too many to print.  Use --print-all-missed to print all 28575 
lines

in our jail.local:
[dovecot]
enabled = true
filter = dovecot
action = iptables-multiport[name=dovecot, port="pop3,imap", protocol=tcp]
logpath = /var/log/maillog*
maxretry = 3
findtime = 10800
bantime = 7200

Am I missing something?






Re: [Fail2ban-users] Scriptkiddie regex - Help Please

2018-05-17 Thread Bill Shirley

You didn't mention which version of fail2ban you are using.  For fail2ban 10 
they changed the date patterns:
# old date patterns
#|  [13927] Day(?P<_sep>[-/])MON(?P=_sep)Year[ 
:]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
#|  [0] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
#|  [0] Year(?P<_sep>[-/.])Month(?P=_sep)Day 
24hour:Minute:Second(?:,Microseconds)?
#|  [0] Day(?P<_sep>[-/])Month(?P=_sep)(?:Year|Year2) 24hour:Minute:Second
#|  [0] Month/Day/Year:24hour:Minute:Second
#|  [0] Month-Day-Year 24hour:Minute:Second\.Microseconds
#|  [0] TAI64N
#|  [0] Epoch
#|  [0] Year-Month-Day[T ]24hour:Minute:Second(?:\.Microseconds)?(?:Zone 
offset)?
#|  [0] ^24hour:Minute:Second
#|  [0] ^
#|  [0] ^Year2MonthDay  ?24hour:Minute:Second
#|  [0] MON Day, Year 12hour:Minute:Second AMPM
#|  [0] ^MON-Day-Year2 24hour:Minute:Second

# new date patterns for fail2ban-server-0.10.0-1
#|  [0] {^LN-BEG}ExYear(?P<_sep>[-/.])Month(?P=_sep)Day[T 
]24hour:Minute:Second(?:[.,]Microseconds)?(?:\s*Zone offset)?
#|  [0] {^LN-BEG}(?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: 
ExYear)?
#|  [0] {^LN-BEG}(?:DAY )?MON Day ExYear 24hour:Minute:Second(?:\.Microseconds)?
#|  [0] {^LN-BEG}Day(?P<_sep>[-/])Month(?P=_sep)(?:ExYear|ExYear2) 
24hour:Minute:Second
#|  [0] {^LN-BEG}Day(?P<_sep>[-/])MON(?P=_sep)ExYear[ 
:]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
#|  [0] {^LN-BEG}Month/Day/ExYear:24hour:Minute:Second
#|  [0] {^LN-BEG}Month-Day-ExYear 24hour:Minute:Second(?:\.Microseconds)?
#|  [0] {^LN-BEG}Epoch
#|  [0] {^LN-BEG}ExYear2ExMonthExDay ?24hour:Minute:Second
#|  [0] {^LN-BEG}MON Day, ExYear 12hour:Minute:Second AMPM
#|  [0] {^LN-BEG}ExYearExMonthExDay[T 
]Ex24hourExMinuteExSecond(?:[.,]Microseconds)?(?:\s*Zone offset)?
#|  [0] {^LN-BEG}(?:Zone name )?(?:DAY )?MON Day 
24hour:Minute:Second(?:\.Microseconds)?(?: ExYear)?
#|  [0] {^LN-BEG}(?:Zone offset )?(?:DAY )?MON Day 
24hour:Minute:Second(?:\.Microseconds)?(?: ExYear)?
#|  [0] {^LN-BEG}TAI64N
#|  [0] {^LN-BEG}24hour:Minute:Second
#|  [0] ^
#|  [0] ^MON-Day-ExYear2 24hour:Minute:Second


# https://docs.python.org/2/library/datetime.html#strftime-strptime-behavior
# fail2ban 10 fix:
datepattern = %%d(?P<_sep>[-/])%%b(?P=_sep)%%Y[ :]?%%H:%%M:%%S(?:\.%%f)?(?: 
%%z)?
They put a line beginning qualifier in them.  Apache's access log doesn't 
normally begin with the date.
If you're using fail2ban 10, add this datepattern to your filter.

No need to wait to see if you've got a filter right.  Test your filter with:
fail2ban-regex /var/log/httpd/access_log 
/etc/fail2ban/filter.d/my_apache_access.conf

Bill

On 5/16/2018 1:30 PM, Arthur Dent wrote:

Hello All,

I have recently returned to F2B after a long absence, and my Linux
skills (and, in particular my F2B regex skills) have faded.

My web server frequently gets hammered with scriptkiddie attacks. A very
typical entry in the httpd/access_log would look like this:
80.13.134.108 - - [16/May/2018:08:19:46 +0100] "GET /admin/pma/index.php HTTP/1.1" 404 217 
"-" "Mozilla/5.0"
80.13.134.108 - - [16/May/2018:08:19:46 +0100] "GET /admin/PMA/index.php HTTP/1.1" 404 217 
"-" "Mozilla/5.0"
80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /admin/mysql/index.php HTTP/1.1" 404 219 
"-" "Mozilla/5.0"
80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /admin/mysql2/index.php HTTP/1.1" 404 220 
"-" "Mozilla/5.0"
80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /pma/index.php HTTP/1.1" 404 211 "-" 
"Mozilla/5.0"
80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /PMA/index.php HTTP/1.1" 404 211 "-" 
"Mozilla/5.0"
80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /admin/phpmyadmin/index.php HTTP/1.1" 404 224 
"-" "Mozilla/5.0"
80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /admin/phpMyAdmin/index.php HTTP/1.1" 404 224 
"-" "Mozilla/5.0"
80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /admin/phpmyadmin2/index.php HTTP/1.1" 404 225 
"-" "Mozilla/5.0"
(and so on... Usually about 20-30 similar lines)

In attempting to keep these idiots out of my logs I have tried to use an F2B jail.

The filter I have created is:

[Definition]
failregex = ^.*'[a|A]dmin.*40[3|4]'

Note: I know that not all the entries above contain "admin" (and that
it is a rather crude way of doing this), but all the attacks do have
several lines in them that *do* contain the word admin.

The jail I have created is:
[scriptkiddies]
enabled  = true
port = http,https
filter   = scriptkiddies
action   = iptables[name=Scriptkiddies, port=http, protocol=tcp]
           sendmail-whois[name=Scriptkiddies, dest=root, sender=fail2...@example.com]
logpath  = /var/log/httpd/access_log
bantime  = 3600 # Until Hell freezes over if I could
findtime = 600
maxretry = 5

However -
This does not work. What have I done wrong?

Any help gratefully accepted.

Mark

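As an added illustration (not code from this thread), here is a small Python model of what a jail does with access_log lines like the ones quoted above, using the datepattern from the reply. The sample lines, the failregex, the findtime/maxretry values and the simplified counting window are this example's own assumptions, not fail2ban's real implementation.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the shape of the access_log lines quoted above (one
# scanning client plus one ordinary visitor); not the poster's real log.
SAMPLE_LOG = """\
80.13.134.108 - - [16/May/2018:08:19:46 +0100] "GET /admin/pma/index.php HTTP/1.1" 404 217 "-" "Mozilla/5.0"
80.13.134.108 - - [16/May/2018:08:19:46 +0100] "GET /admin/PMA/index.php HTTP/1.1" 404 217 "-" "Mozilla/5.0"
80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /admin/mysql/index.php HTTP/1.1" 404 219 "-" "Mozilla/5.0"
80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /pma/index.php HTTP/1.1" 404 211 "-" "Mozilla/5.0"
80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /admin/phpmyadmin/index.php HTTP/1.1" 404 224 "-" "Mozilla/5.0"
80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /admin/phpMyAdmin/index.php HTTP/1.1" 404 224 "-" "Mozilla/5.0"
192.0.2.10 - - [16/May/2018:08:20:01 +0100] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# The datepattern from the reply, with fail2ban's doubled %% written as plain %.
DATEPATTERN = r"%d(?P<_sep>[-/])%b(?P=_sep)%Y[ :]?%H:%M:%S(?:\.%f)?(?: %z)?"

# An assumed failregex in fail2ban style: <HOST> marks the client address, the
# rest matches an admin/pma probe answered with 403 or 404.
FAILREGEX = (r'^<HOST> \S+ \S+ \[[^\]]+\] "(?:GET|POST) \S*(?:[aA]dmin|pma|PMA)\S* '
             r'HTTP/[\d.]+" 40[34] \d+')

# strptime directives -> regex fragments (only the subset the datepattern uses)
STRPTIME_TO_RE = {
    "%d": r"(?P<d>\d{2})", "%b": r"(?P<b>[A-Z][a-z]{2})", "%Y": r"(?P<Y>\d{4})",
    "%H": r"(?P<H>\d{2})", "%M": r"(?P<M>\d{2})", "%S": r"(?P<S>\d{2})",
    "%f": r"(?P<f>\d{1,6})", "%z": r"(?P<z>[+-]\d{4})",
}

def datepattern_to_regex(pattern):
    """Expand the strptime directives of a datepattern into a Python regex."""
    return re.sub(r"%[dbYHMSfz]", lambda m: STRPTIME_TO_RE[m.group(0)], pattern)

def parse_timestamp(m):
    """Build a timezone-aware datetime from the named groups produced above."""
    stamp = f"{m['d']} {m['b']} {m['Y']} {m['H']}:{m['M']}:{m['S']} {m['z'] or '+0000'}"
    return datetime.strptime(stamp, "%d %b %Y %H:%M:%S %z")

def timestamp_of(line, datepattern=DATEPATTERN):
    """Parse the timestamp of one log line (None if the datepattern does not match)."""
    m = re.compile(datepattern_to_regex(datepattern)).search(line)
    return parse_timestamp(m) if m else None

def scan(log_text, failregex=FAILREGEX, datepattern=DATEPATTERN, findtime=600, maxretry=5):
    """Return (matched_lines, banned_hosts): a host is banned once it has
    maxretry matching lines within findtime seconds, as a jail would do."""
    fail_re = re.compile(failregex.replace("<HOST>", r"(?P<host>\S+)"))
    date_re = re.compile(datepattern_to_regex(datepattern))
    recent = {}          # host -> timestamps of its failures inside the window
    banned, matched = [], 0
    for line in log_text.splitlines():
        dm, fm = date_re.search(line), fail_re.search(line)
        if not (dm and fm):
            continue     # no date or no failure: fail2ban would not count it
        matched += 1
        ts, host = parse_timestamp(dm), fm.group("host")
        window = [t for t in recent.get(host, []) if ts - t <= timedelta(seconds=findtime)]
        window.append(ts)
        if len(window) >= maxretry and host not in banned:
            banned.append(host)
            window = []  # the ban action fires; start counting afresh
        recent[host] = window
    return matched, banned
```

Running `scan(SAMPLE_LOG)` matches the six probe lines and bans 80.13.134.108 on the fifth, while the 200 response from the other client is never counted.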

Re: [Fail2ban-users] Not knowing where the error messages come from

2018-05-30 Thread Bill Shirley

That particular failure does not generate a log line.

BTW: There is a fail2ban-users mailing list.

Bill

On 5/30/2018 11:46 AM, Alberto José García Fumero wrote:

Hi all.

I'm new to fail2ban, and I need advice.

Here I have Postfix+SASL in Linux, users under /home. Quite vanilla.
Postfix uses several reject_rbl_client rules.

Here is a sample of the error messages I have.

***
De: Mail Delivery System 
Para:   Postmaster 
Asunto: Postfix SMTP server: errors from unknown[185.234.217.38]
Fecha:  Tue, 29 May 2018 14:13:00 -0400 (CDT)

Transcript of session follows.

  Out: 220 partagas.ettpartagas.co.cu ESMTP Partagas
  In:  EHLO 190.6.79.98
  Out: 250-partagas.ettpartagas.co.cu
  Out: 250-PIPELINING
  Out: 250-SIZE 1524
  Out: 250-ETRN
  Out: 250-STARTTLS
  Out: 250-ENHANCEDSTATUSCODES
  Out: 250-8BITMIME
  Out: 250 DSN
  In:  AUTH LOGIN
  Out: 503 5.5.1 Error: authentication not enabled

Session aborted, reason: lost connection

For other details, see the local mail logfile
***

When I search for 503 5.5.1 in the log file /var/mail/mail.log,
nothing is found. In fact, there is no such string to be found in the
logs under /var/log.

Where else should I search?

TIA,

Fumero





Re: [Fail2ban-users] Not knowing where the error messages come from

2018-05-30 Thread Bill Shirley

Sorry, I thought I was looking at the Fedora list I've subscribed to.

Bill

On 5/30/2018 10:11 PM, Bill Shirley wrote:


BTW: There is a fail2ban-users mailing list.





Re: [Fail2ban-users] apache-noscript

2018-11-26 Thread Bill Shirley

What action are you using for the jail?  Shorewall start/restart loads the entire iptables which will clobber fail2ban's entries.

I use an action that stores the offending IP address in an ipset so that the shorewall restart command doesn't wipe it.

[0:root@bb8 fail2ban]$ rpm -q fail2ban-server
fail2ban-server-0.10.2-1.fc27.noarch

/etc/fail2ban/action.d/my_ipset_ip.conf:
# from iptables-ipset-proto6.conf

[INCLUDES]
#before = iptables-blocktype.conf
before = iptables-common.conf

#systemd unit file has stdout and stderr overrides

[Definition]
actioncheck =
actionstart =
# actionflush was missing
actionflush =
actionstop =

actionban = ipset -exist add fail2ban-  timeout 

#actionunban = ipset -exist del fail2ban- 
actionunban =

[Init]
my_timeout = 3600
suffix = ip

sfx_name = IPv4-
familyopt =

[Init?family=inet6]
sfx_name = IPv6-
familyopt = family inet6

/etc/shorewall/init:
ipset -exist create fail2ban-IPv4-ip hash:ip timeout 86400

/etc/shorewall/rules:
?COMMENT flagged by fail2ban
DROP    inet:+fail2ban-IPv4-ip[src]        fw


Bill

On 11/26/2018 3:44 AM, Koenraad Lelong wrote:

Hi,

I'm trying to harden a web-server. In the logfiles from apache I see a number of attempts to get not-existing php-files so I 
used apache-noscript to try to block the offending IP-address.
The filter fires, but the firewall does not block the IP-address. In fail2ban's log-file I see a number of "already banned" 
messages for that IP-address. I suspect the offender uses a persistent http-connection. How can I block this attack ?


B.T.W. I'm using shorewall as a firewall. I already modified its main config file to:
BLACKLIST="INVALID,UNTRACKED" (i.e. I removed the NEW keyword).
I did this because the standard config didn't work either.

P.S. Fail2ban version is 0.9.3

TIA,

Koenraad





Re: [Fail2ban-users] fail2ban ban's being dropped/disappear without noticed

2019-05-27 Thread Bill Shirley

I use an ipset with Shorewall to ban IP addresses.  My setup uses the 'timeout' option of ipset.  Also, there is no unban/ban overhead upon restarting fail2ban.

/etc/shorewall/init (note 'timeout' is the default in seconds):
ipset -exist create fail2ban-IPv4-ip hash:ip timeout 86400

/etc/shorewall/rules:
?SECTION NEW
?COMMENT flagged by fail2ban
DROP    net:+fail2ban-IPv4-ip[src] fw

/etc/fail2ban/action.d/my_ipset_ip.conf:
[INCLUDES]

before = iptables-blocktype.conf

[Definition]
actioncheck =
actionstart =
actionstop =
actionban = ipset add fail2ban-  timeout  -exist
#actionunban = ipset del fail2ban-  -exist
actionunban =

[Init]
name = IPv4-ip
my_timeout = 3600
Note the actionunban is empty.  I rely on the ipset timeout to expire to unban.

/etc/fail2ban/jail.local:
[sshd]
#enabled    = false
enabled = true
action  = my_ipset_ip[my_timeout=86400]
logpath = %(sshd_log)s
maxretry    = 3
findtime    = 7200
bantime = 60
Because the actionunban is empty, I can use a 60 second 'bantime' and upon restart fail2ban doesn't try to re-ban the IP addresses but the addresses are still dropped until the 'timeout' expires.

Bill



Re: [Fail2ban-users] fail2ban ban's being dropped/disappear without noticed

2019-05-28 Thread Bill Shirley

Great, I'm glad it's working for you.

I forgot to mention the added benefits of manipulating the ipset outside
of Shorewall and fail2ban:
query: ipset list fail2ban-IPv4-ip | grep 218.27.162.22
ban: ipset add fail2ban-IPv4-ip 218.27.162.22
unban: ipset del fail2ban-IPv4-ip 218.27.162.22

If you install the rpmfusion xtables-addons and Maxmind's free GeoIP tables,
you can limit what countries can access the SSH port.
/etc/shorewall/rules (after the fail2ban DROP):
ACCEPT       net:^[US]          fw tcp ssh
DROP net    fw tcp ssh
This only allows SSH from the United States.

Bill


On 5/28/2019 3:52 AM, Steven Barthen via Fail2ban-users wrote:

Hello Bill

I changed and tested your solution and it works very well!

Thanks a lot for that, it solved all my issues!


Cheers

On Tue., 28 May 2019 at 01:37, Bill Shirley <bshir...@openmri-scottsboro.com> wrote:

I use an ipset with Shorewall to ban IP addresses.  My setup uses the 'timeout' option of ipset.  Also, there is no unban/ban overhead upon restarting fail2ban.

/etc/shorewall/init (note 'timeout' is the default in seconds):
ipset -exist create fail2ban-IPv4-ip hash:ip timeout 86400

/etc/shorewall/rules:
?SECTION NEW
?COMMENT flagged by fail2ban
DROP    net:+fail2ban-IPv4-ip[src] fw

/etc/fail2ban/action.d/my_ipset_ip.conf:
[INCLUDES]

before = iptables-blocktype.conf

[Definition]
actioncheck =
actionstart =
actionstop =
actionban = ipset add fail2ban-  timeout  -exist
#actionunban = ipset del fail2ban-  -exist
actionunban =

[Init]
name = IPv4-ip
my_timeout = 3600
Note the actionunban is empty.  I rely on the ipset timeout to expire to unban.

/etc/fail2ban/jail.local:
[sshd]
#enabled    = false
enabled = true
action  = my_ipset_ip[my_timeout=86400]
logpath = %(sshd_log)s
maxretry    = 3
findtime    = 7200
bantime = 60
Because the actionunban is empty, I can use a 60 second 'bantime' and upon restart fail2ban doesn't try to re-ban the IP addresses but the addresses are still dropped until the 'timeout' expires.

Bill






Re: [Fail2ban-users] Ban based on attempted user name

2019-06-06 Thread Bill Shirley

I have a non-public web server that's getting Let's Encrypt certificates.  I wrote a PHP program to look up the Let's Encrypt addresses and add them to an ipset.  My firewall (I'm using Shorewall) does an ACCEPT for port 80 on anything in the ipset.

I'm attaching the email from the Shorewall users list.  It contains the announcement and a link to the program.

I run the program from cron so if the addresses change, the ipset gets updated and is current:
10 0 * * * /usr/local/sbin/DNSlookup_ipset.php -4 -c letsencrypt.dnslookup -s letsencrypt -t dns 2>&1

/etc/shorewall/letsencrypt.dnslookup:
outbound1.letsencrypt.org
outbound2.letsencrypt.org

Bill

On 6/3/2019 6:35 PM, Kenneth Porter wrote:

--On Monday, June 03, 2019 4:23 PM -0400 Terry Carmen wrote:


I run ssh through a VPN tunnel, so the attempts never show up

I had been banning them, however it ended up turning into a problem
because my drop rules list was getting huge and causing a performance
problem.


How many probes do you see against your VPN?

I'm using ipsets for my ban lists to deal with large lists. I've got a big list adapted from the lists at ipdeny.com to drop 
all packets to my authenticated services from non-US addresses. I'm also blocking access from DigitalOcean and other cloud 
services. *Alas, I have to allow everything to my web server because Letsencrypt doesn't make any guarantees about the source 
of its identity checks to validate my domain*. (Or I could script temporarily dropping the block to my web server when I'm 
updating my certificate.)






--- Begin Message ---
Bill Shirley has contributed a PHP program that will populate an IPSET
from DNS. The program is available at:

http://www.shorewall.org/pub/shorewall/contrib/DNSLookup/
ftp://ftp.shorewall.org/pub/shorewall/contrib/DNSLookup/

The program arguments are documented in the program source.

It is suggested that the program be run periodically via cron. The
program accepts an argument that sets the timeout value for entries in
the ipset. In most applications, setting the timeout to be considerably
longer than the DNS entries' TTL is recommended. That way, sites that
specify a short TTL and advertise a large number of addresses with short
TTLs in round-robin fashion will still fully populate the ipset over time.

Thanks to Bill for this contribution!

-Tom
-- 
Tom Eastep\   Q: What do you get when you cross a mobster with
Shoreline, \ an international standard?
Washington, USA \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
  \___



--- End Message ---
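The two ipset behaviours relied on in this thread and in the "ban's being dropped" thread above (entries that expire on their own, and a timeout that is restarted by `-exist add`) are modelled below in an added Python example. It is not Bill's DNSlookup_ipset.php and touches no real ipset; the addresses, times and the round-robin resolver are constructed stand-ins, and the second half shows Tom's point that the set only fills up when the timeout is well beyond the DNS TTL.

```python
import itertools

class TimeoutIpset:
    """Model of a set made with 'ipset create NAME hash:ip timeout N': each
    entry carries its own expiry, the kernel drops it once that passes, and
    'ipset -exist add NAME IP timeout T' on an existing entry restarts its
    timeout.  Times are plain seconds; nothing here touches a real ipset."""
    def __init__(self, default_timeout):
        self.default_timeout = default_timeout
        self._expiry = {}            # ip -> absolute expiry time

    def add(self, ip, now, timeout=None):
        self._expiry[ip] = now + (self.default_timeout if timeout is None else timeout)

    def members(self, now):
        """Addresses still present at `now`; expired ones are purged."""
        self._expiry = {ip: t for ip, t in self._expiry.items() if t > now}
        return sorted(self._expiry)

def jail_restart_scenario():
    """Bill's sshd jail: actionban adds with timeout 86400, actionunban is
    empty, bantime is 60.  Returns whether the address is still dropped at
    several moments (constructed seconds since the first ban)."""
    ipset, ip = TimeoutIpset(86400), "203.0.113.9"     # constructed address
    ipset.add(ip, now=0)             # maxretry reached -> actionban
    seen = {}
    seen["t=60 bantime over"] = ip in ipset.members(60)        # actionunban does nothing
    seen["t=120 after restart"] = ip in ipset.members(120)     # no re-ban attempted either
    ipset.add(ip, now=3600)          # a later ban: -exist add restarts the 86400 s timeout
    seen["t=86400 first expiry"] = ip in ipset.members(86400)
    seen["t=89999"] = ip in ipset.members(89999)
    seen["t=90000 refreshed expiry"] = ip in ipset.members(90000)
    return seen

class RoundRobinResolver:
    """Constructed stand-in for DNS: `pool` addresses sit behind one name but
    each answer advertises only `per_answer` of them, rotating per query."""
    def __init__(self, pool, per_answer, ttl):
        self.ttl, self.per_answer = ttl, per_answer
        self._cycle = itertools.cycle(pool)

    def lookup(self, name):
        return [next(self._cycle) for _ in range(self.per_answer)]

def populate_from_dns(resolver, names, runs, timeout):
    """The cron job from the announcement, simulated: once per TTL, resolve
    each name and add every returned address with `timeout` (like
    'ipset -exist add ... timeout').  Returns the members after the last run."""
    ipset, now = TimeoutIpset(timeout), 0
    for k in range(runs):
        now = k * resolver.ttl
        for name in names:
            for ip in resolver.lookup(name):
                ipset.add(ip, now)
    return ipset.members(now)

def ttl_vs_timeout_demo(timeout, ttl=300):
    """Six addresses behind one name, two per answer, six cron runs."""
    pool = [f"192.0.2.{i}" for i in range(1, 7)]       # constructed addresses
    resolver = RoundRobinResolver(pool, per_answer=2, ttl=ttl)
    return populate_from_dns(resolver, ["example.invalid"], runs=6, timeout=timeout)
```

With a timeout equal to the TTL only the last answer's two addresses survive, with twice the TTL four do, and with 86400 all six accumulate.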


Re: [Fail2ban-users] Apache filters

2019-06-13 Thread Bill Shirley

[0:root@yoda fail2ban]$ rpm -qa | grep -e http  -e fail2ban | sort
fail2ban-0.8.10-1.fc17.noarch
httpd-2.2.23-1.fc17.x86_64
httpd-tools-2.2.23-1.fc17.x86_64

My apache-noscript:
[INCLUDES]
before = apache-common.conf

[Definition]
# fail2ban-regex /var/log/httpd/error_log /etc/fail2ban/filter.d/apache-noscript.local

# removed \.php
# added |\.php[45]?|php-cgi|(php)?[Mm]y[Aa]dmin|pma
# added webdav
failregex = ^%(_apache_error_client)s (File does not exist|script not found or unable to stat): /\S*(\.asp|\.exe|\.pl|\.php[45]?|php[-.]cgi|(php)?[Mm]y[Aa]dmin|pma|webdav)\s*$
            ^%(_apache_error_client)s script '/\S*(\.asp|\.exe|\.pl)\S*' not found or unable to stat\s*$
            ^%(_apache_error_client)s File does not exist:.+/(register|manager|postnuke|administrator|HNAP1|community|county|commission|criminal|blog|wordpress|typo3|(db|php)?admin|xampp)
            ^%(_apache_error_client)s (File does not exist|script not found or unable to stat): /\S*/cgi-.+$
            ^%(_apache_error_client)s client denied by server configuration.*$

Snippet of my jail.local:
[apache-noscript]
#enabled    = false
enabled = true
filter  = apache-noscript
#action = my_ipset_ip
action  = my_ipset_ipport[port=http, bantime=86400]
  my_ipset_ipport2[port=https, bantime=86400]
logpath = /var/log/httpd/error_log
findtime    = 7200
maxretry    = 2
bantime = 60
Note adjust your 'action' and 'bantime'.  I use an ipset.

Hope this helps,
Bill

On 6/13/2019 6:59 AM, Erik wrote:

Hi,

In my apache22-error_log I have many lines like:

2019-06-13T07:53:24+02:00 DiskStation [Thu Jun 13 07:53:24 2019] [error] [client xx.xx.xx.xx] Directory index forbidden by Options directive: /var/services/web/
2019-06-13T09:33:12+02:00 DiskStation [Thu Jun 13 09:33:12 2019] [error] [client xx.xx.xx.xx] File does not exist: /var/services/web/robots.txt


I was already running fail2ban with sasl, postfix and dovecot filters and wanted to add the apache filters. There are many 
apache filters and apache-common.conf seemed the appropriate filter. However, running the filter with fail2ban-regex gives the 
following error:


Running tests
=

Use   failregex filter file : apache-common, basedir: /etc/fail2ban
Traceback (most recent call last):
  File "/usr/bin/fail2ban-regex", line 34, in 
    exec_command_line()
  File "/usr/lib/python3/dist-packages/fail2ban/client/fail2banregex.py", line 685, in exec_command_line
    if not fail2banRegex.start(args):
  File "/usr/lib/python3/dist-packages/fail2ban/client/fail2banregex.py", line 586, in start
    if not self.readRegex(cmd_regex, 'fail'): # pragma: no cover
  File "/usr/lib/python3/dist-packages/fail2ban/client/fail2banregex.py", line 368, in readRegex
    self.setMaxLines(optval)
  File "/usr/lib/python3/dist-packages/fail2ban/client/fail2banregex.py", line 275, in setMaxLines
    self._filter.setMaxLines(int(v))
TypeError: int() argument must be a string, a bytes-like object or a number, not 'NoneType'

Then I noticed that apache-common.conf is included in the other filters by before = apache-common.conf (I guess that’s what 
this means).
So, I then ran fail2ban-regex with apache-auth.conf but then zero hits. I saw on GitHub that a few years back the apache log 
message changed to


[:error] [pid ] [client xx.xx.xx.xx:]

And that this _apache_error_client = \[(:?error|\S+:\S+)\]( \[pid \d+(:\S+ \d+)?\])? \[client 
(:\d{1,5})?\] should pick up the new lines.
Apparently, Synology is still using old apache because my error log seems ancient. I have tried changing the _apache_error_client but that didn’t work (I’m not a regex expert…).


Can somebody please help?

Thanks in advance,
Erik




Re: [Fail2ban-users] iptables chains not created

2019-06-20 Thread Bill Shirley

I use an ipset so I'm not authoritative on this, but I think the chains are only
created when you get an actual ban.

Have you tried using fail2ban-regex? I'm not familiar where the SSH log file
is on Ubuntu.  Here's an example for the Apache error log on Fedora:
fail2ban-regex /var/log/httpd/error_log /etc/fail2ban/filter.d/apache-noscript.local
This will show you what filter matches are found in the log file.

For help, you should post a log line that should trigger a ban, your SSH filter,
and the [sshd] portion of your jail.

Bill


On 6/20/2019 5:23 PM, Michael Fox wrote:


2nd request.

I really could use some help here …

Thanks,

Michael

*From:* Michael Fox 
*Sent:* Monday, June 17, 2019 5:03 PM
*To:* Fail2Ban-Users Distribution List 
*Subject:* iptables chains not created

I’ve been a fail2ban user on Ubuntu for several years.  I’m finally building a Ubuntu 18.04 machine.  I installed the fail2ban 
package (v0.10.2) from Synaptic and tried using my previous jail.local configuration.  But after starting/reloading fail2ban, 
the jails are not being populated in iptables.  In other words, “sudo iptables -n -L” shows no “f2b-…” chains.


When I start or reload fail2ban:

I see no errors in the fail2ban log.  But I do see “Jail sshd is not a 
JournalFilter instance”.  I don’t know what that’s about.

I see no errors in the syslog

systemctl status shows no errors

fail2ban-client status shows no errors, and “-d” appears correct (as far as I 
can tell).

Nevertheless, no chains are created in iptables when fail2ban is started/reloaded.

I removed all .local jail files, which leaves only the sshd jail turned on by 
jail.d/defaults_debian.conf.  Still no joy.

I added back in only my own .local sshd config.  Still no joy.

By no joy, I mean there is no “f2b-sshd” chain in iptables, yet there are no errors reported in the logs and fail2ban-client 
shows that the sshd jail is active.


Is this a known bug?

If so, what’s the solution?

If not, what information is needed to troubleshoot?

Thanks,

Michael





Re: [Fail2ban-users] fail2ban taking to much time to ban IP

2019-06-28 Thread Bill Shirley

Some attacks open up tens, if not hundreds, of connections at one time.  I think fail2ban works by blocking *new* connections and since these connections are already initiated they don't get banned.

You could limit the number of simultaneous connections with iptables.  Something like:
ACCEPT tcp  --  *  * 0.0.0.0/0    0.0.0.0/0    multiport dports 25,465,587 limit: up to 10/min burst 4 mode srcip


Bill

On 6/28/2019 8:25 AM, BASSAGET Cédric wrote:

Hello
I'm trying to understand why fail2ban takes too much time (> 1 sec) to detect that an IP address has to be banned and ban it

Here's my fail2ban.log (truncated) :
2019-06-28 14:10:30,253 fail2ban.filter         [24709]: INFO    [asterisk] Found 91.121.2.x
 ... about 3000 of the same entries ...
2019-06-28 14:12:10,614 fail2ban.filter         [24709]: INFO    [asterisk] Found 91.121.2.x
2019-06-28 14:12:12,092 fail2ban.actions        [24709]: NOTICE  [asterisk] Ban 91.121.2.x

in jail.conf I have findtime=600 and maxretries=3. So ban action should be triggered really more quickly.

Lines

Any idea about what can be wrong ?
I'm using Fail2Ban v0.9.6 (latest on debian9 repos), default filters and jail config.

Regards,
Cédric




Re: [Fail2ban-users] fail2ban taking to much time to ban IP

2019-06-28 Thread Bill Shirley

conntrack tracks UDP.  Try running:
conntrack -L | grep udp

Bill

On 6/28/2019 9:04 AM, BASSAGET Cédric wrote:

Hello Bill,
would that apply to UDP traffic ? I think it does not as UDP is stateless

Regards

On Fri., 28 Jun 2019 at 14:43, Bill Shirley <bshir...@openmri-scottsboro.com> wrote:

Some attacks open up tens, if not hundreds, of connections at one time.  I think fail2ban works by blocking *new* connections and since these connections are already initiated they don't get banned.

You could limit the number of simultaneous connections with iptables.  Something like:
ACCEPT tcp  --  *  * 0.0.0.0/0 0.0.0.0/0 multiport dports 25,465,587 limit: up to 10/min burst 4 mode srcip

Bill

On 6/28/2019 8:25 AM, BASSAGET Cédric wrote:

Hello
I'm trying to understand why fail2ban takes too much time (> 1 sec) to detect that an IP address has to be banned and ban it

Here's my fail2ban.log (truncated) :
2019-06-28 14:10:30,253 fail2ban.filter [24709]: INFO    [asterisk] Found 91.121.2.x
 ... about 3000 of the same entries ...
2019-06-28 14:12:10,614 fail2ban.filter [24709]: INFO    [asterisk] Found 91.121.2.x
2019-06-28 14:12:12,092 fail2ban.actions  [24709]: NOTICE  [asterisk] Ban 91.121.2.x

in jail.conf I have findtime=600 and maxretries=3. So ban action should be triggered really more quickly.

Lines

Any idea about what can be wrong ?
I'm using Fail2Ban v0.9.6 (latest on debian9 repos), default filters and jail config.

Regards,
Cédric




Re: [Fail2ban-users] Ban on source ip and port

2019-07-29 Thread Bill Shirley

Yes, you can write a filter, action, and jail to accomplish this.

It's strange that you would want to ban on *source* port. Source ports are usually random and if an IP is banned, they could just switch their source port.  Are you sure you don't mean destination port?  Like ban an IP accessing your web server (port 80)?

Bill

On 7/27/2019 11:06 PM, Mick Burns wrote:

Hello

Having a situation here where I need to be more specific in my bans
than just an IP address.
Indeed, not only I need to ban on the source IP, but also on the source port.
My log file entries expose this in a pretty standard form: src_ip:port

Is this feasible at all with f2b ?

Thank you.




Re: [Fail2ban-users] When to decide that fail2ban is not a good solution

2019-09-22 Thread Bill Shirley

If you have thousands of blocked IP addresses, fail2ban's ipset action is desirable.

Some attacks initiate tens of connections at the same time so that although fail2ban bans the address, your system has to handle all of them because they have already connected.  You can mitigate this by limiting the number of connections within a certain time frame.  Look into iptables' rate limiting.
ACCEPT  multiport dports 25,465,587 limit: up to 10/min burst 4 mode srcip /* mail - unknown */
followed by a DROP of those ports.

Another approach is to limit the addresses allowed to connect with iptables' GeoIP.  For example, only allow SSH connects from your country.  Or conversely, drop all traffic from known bad countries.

You could block one or more entire subnets (93.184.216.0/24) in iptables.

Bill

On 9/22/2019 6:09 PM, James Moe via Fail2ban-users wrote:

fail2ban 0.10.3
opensuse 15.0

   We use Suricata to detect and optionally block bad actors.
   We recently set up a DNS server for a new domain. Said bad actors
started abusing the server within a day with the DoS DNS Amplification
attack.
   Suricata is set to block those packets.
   To ease the burden on Suricata which can be a CPU intensive
protection, I created a jail to feedback detected DNS attacks. The
attacks are tightly controlled from a large botnet; an attempt occurs
almost precisely every 60 seconds.
   After 5 days of collecting IPs to block, the count has exceeded
10,000, and there is no change in the attack rate implying excellent CnC
and lots of IPs. iptables does not seem to find this troublesome.

   So. Is this a case where fail2ban is not an especially useful solution
to the problem? Or are 1000s of blocked IPs not uncommon?

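The rate-limit rule Bill quotes here and in the "taking too much time to ban" thread above ("limit: up to 10/min burst 4 mode srcip") is modelled below as a per-source token bucket; this is an added Python example, not code from either thread, and the addresses, timings and the exact refill arithmetic are this example's own assumptions about how such a rule behaves.

```python
from dataclasses import dataclass, field

@dataclass
class SrcIpLimiter:
    """Token-bucket model of the rule 'limit: up to 10/min burst 4 mode srcip':
    each source address owns a bucket that starts full with `burst` tokens and
    refills at `rate_per_min` tokens per minute.  A new connection is ACCEPTed
    only if a token is available; otherwise it falls through to the DROP rule
    that follows in the chain."""
    rate_per_min: float = 10.0
    burst: int = 4
    _buckets: dict = field(default_factory=dict)   # ip -> (tokens, last_seen)

    def allow(self, ip, now):
        tokens, last = self._buckets.get(ip, (float(self.burst), now))
        tokens = min(float(self.burst), tokens + (now - last) * self.rate_per_min / 60.0)
        if tokens >= 1.0:
            self._buckets[ip] = (tokens - 1.0, now)
            return True
        self._buckets[ip] = (tokens, now)
        return False

def simulate(attempts, limiter=None):
    """attempts: iterable of (seconds, src_ip).  Returns (accepted, dropped)."""
    limiter = limiter or SrcIpLimiter()
    accepted = dropped = 0
    for t, ip in sorted(attempts):          # replay in time order
        if limiter.allow(ip, t):
            accepted += 1
        else:
            dropped += 1
    return accepted, dropped

def flood_scenario():
    """Thirty connections opened at once by one (constructed) address, the
    case where fail2ban's ban comes too late: only the burst of 4 gets in."""
    return simulate([(0.0, "198.51.100.7")] * 30)

def steady_scenario():
    """One connection every 6 s, i.e. exactly 10/min, is never dropped."""
    return simulate([(6.0 * i, "198.51.100.7") for i in range(1, 11)])

def two_clients_scenario():
    """Buckets are per source: a flood from one address does not cost another."""
    flood = [(0.0, "198.51.100.7")] * 30
    return simulate(flood + [(0.0, "203.0.113.4"), (0.5, "203.0.113.4")])
```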


Re: [Fail2ban-users] fail2ban and roundcubemail on centos 8

2019-12-30 Thread Bill Shirley

Squirrelmail, Roundcube, et al. log in locally (::1 or 127.0.0.1).  Don't think you want to ban those addresses.  Search the Apache access log for the login failure screen and key off of that.

Bill

On 12/29/2019 11:12 AM, Tom Hendrikx wrote:

Hi,

Your fail regex does not extract an IP address or host from the log line, so 
fail2ban will not know which host to ban.

try :

failregex = IMAP Error: Login failed for .* against localhost from \.

Kind regards,

    Tom

On 28-12-2019 15:48, Davide Perini wrote:

Hi all, guys.
Hope you are doing well on this holidays.

Is there someone who has fail2ban working on Centos 8 and roundcubemail?

My /var/log/roundcubemail/errors.log
looks like this
[28-Dec-2019 14:27:32 +]:  IMAP Error: Login failed for perini.davide against localhost from ::1. AUTHENTICATE PLAIN: Authentication failed. in /usr/share/roundcubemail/program/lib/Roundcube/rcube_imap.php on line 200 (POST /webmail/?_task=login&_action=login)


my roundcube.conf looks like this

[Definition]
failregex = (.*) IMAP Error: Login failed for .* from
ignoreregex =


What is the problem?
Any idea?

Thanks




Re: [Fail2ban-users] Postfix submission

2020-01-01 Thread Bill Shirley

I think the 'auth=0/1' is the number of successful logins vs login attempts.  You should be able to key off of this with your failregex.

Bill

On 1/1/2020 4:16 AM, siefke_lis...@web.de wrote:

Hello,

I have a question about catching submission (postfix) connects from IPs which tried it more than once.

Here is an example:

log:

Jan  1 11:22:34 ru-mail postfix/anvil[7383]: statistics: max connection rate 1/60s for (submission:45.143.222.192) at Jan  1 11:19:13
Jan  1 11:22:34 ru-mail postfix/anvil[7383]: statistics: max connection count 1 for (submission:45.143.222.192) at Jan  1 11:19:13
Jan  1 11:23:32 ru-mail postfix/submission/smtpd[7386]: connect from unknown[45.143.222.192]
Jan  1 11:23:32 ru-mail postfix/submission/smtpd[7386]: disconnect from unknown[45.143.222.192] ehlo=1 auth=0/1 rset=0/1 quit=1 commands=2/4
Jan  1 11:26:52 ru-mail postfix/anvil[7387]: statistics: max connection rate 1/60s for (submission:45.143.222.192) at Jan  1 11:23:32
Jan  1 11:26:52 ru-mail postfix/anvil[7387]: statistics: max connection count 1 for (submission:45.143.222.192) at Jan  1 11:23:32
Jan  1 11:26:59 ru-mail postfix/submission/smtpd[7393]: connect from unknown[45.143.222.192]
Jan  1 11:26:59 ru-mail postfix/submission/smtpd[7393]: disconnect from unknown[45.143.222.192] ehlo=1 auth=0/1 rset=0/1 quit=1 commands=2/4
Jan  1 11:30:19 ru-mail postfix/anvil[7394]: statistics: max connection rate 1/60s for (submission:45.143.222.192) at Jan  1 11:26:59
Jan  1 11:30:19 ru-mail postfix/anvil[7394]: statistics: max connection count 1 for (submission:45.143.222.192) at Jan  1 11:26:59
Jan  1 11:31:36 ru-mail postfix/submission/smtpd[7445]: connect from unknown[45.143.222.192]
Jan  1 11:31:37 ru-mail postfix/submission/smtpd[7445]: disconnect from unknown[45.143.222.192] ehlo=1 auth=0/1 rset=0/1 quit=1 commands=2/4
Jan  1 11:34:57 ru-mail postfix/anvil[7446]: statistics: max connection rate 1/60s for (submission:45.143.222.192) at Jan  1 11:31:36
Jan  1 11:34:57 ru-mail postfix/anvil[7446]: statistics: max connection count 1 for (submission:45.143.222.192) at Jan  1 11:31:36
Jan  1 11:35:21 ru-mail postfix/submission/smtpd[7454]: connect from unknown[45.143.222.192]
Jan  1 11:35:21 ru-mail postfix/submission/smtpd[7454]: disconnect from unknown[45.143.222.192] ehlo=1 auth=0/1 rset=0/1 quit=1 commands=2/4
Jan  1 11:38:41 ru-mail postfix/anvil[7455]: statistics: max connection rate 1/60s for (submission:45.143.222.192) at Jan  1 11:35:21
Jan  1 11:38:41 ru-mail postfix/anvil[7455]: statistics: max connection count 1 for (submission:45.143.222.192) at Jan  1 11:35:21
Jan  1 11:39:19 ru-mail postfix/submission/smtpd[7463]: connect from unknown[45.143.222.192]
Jan  1 11:39:19 ru-mail postfix/submission/smtpd[7463]: disconnect from unknown[45.143.222.192] ehlo=1 auth=0/1 rset=0/1 quit=1 commands=2/4

cat /var/log/mail.log | grep 45.143.222.192 | wc -l
1471

Is there a way to handle it with fail2ban?

Thank you
Silvio


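One way to key off the `auth=0/1` counter that Bill points at, as an added Python example rather than code from the thread: the regex below reads the Postfix disconnect line, and the constructed sample lines include the anvil statistics lines (which must not count) and a successful login written as plain `auth=1`, which Postfix logs without the `/total` part. It totals failed attempts per client, whereas a fail2ban jail would count one failure per matching line.

```python
import re
from collections import Counter

# Constructed lines in the shape of the postfix/submission/smtpd entries quoted
# above; the last one is a clean login from a constructed address.
SAMPLE_MAILLOG = """\
Jan  1 11:22:34 ru-mail postfix/anvil[7383]: statistics: max connection rate 1/60s for (submission:45.143.222.192) at Jan  1 11:19:13
Jan  1 11:23:32 ru-mail postfix/submission/smtpd[7386]: connect from unknown[45.143.222.192]
Jan  1 11:23:32 ru-mail postfix/submission/smtpd[7386]: disconnect from unknown[45.143.222.192] ehlo=1 auth=0/1 rset=0/1 quit=1 commands=2/4
Jan  1 11:26:59 ru-mail postfix/submission/smtpd[7393]: disconnect from unknown[45.143.222.192] ehlo=1 auth=0/1 rset=0/1 quit=1 commands=2/4
Jan  1 11:31:37 ru-mail postfix/submission/smtpd[7445]: disconnect from unknown[45.143.222.192] ehlo=1 auth=0/3 rset=0/1 quit=1 commands=2/6
Jan  1 11:40:02 ru-mail postfix/submission/smtpd[7470]: disconnect from mail.example.org[198.51.100.4] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=8
"""

# In a fail2ban filter the host group would be written as <HOST>; here it is
# expanded by hand to the named group fail2ban generates for it.
# auth=OK/TOTAL gives OK successes out of TOTAL attempts; a bare auth=N means
# all N attempts succeeded, so the /TOTAL part is optional.
AUTH_RE = re.compile(
    r"postfix/submission/smtpd\[\d+\]: disconnect from \S+\[(?P<host>[^\]]+)\]"
    r" .*\bauth=(?P<ok>\d+)(?:/(?P<tries>\d+))?"
)

def failed_auths(log_text):
    """Failed AUTH attempts per client address (attempts minus successes)."""
    failures = Counter()
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if not m:
            continue                       # connect, anvil and unrelated lines
        tries = int(m["tries"] or m["ok"])  # no slash: every attempt succeeded
        failed = tries - int(m["ok"])
        if failed > 0:
            failures[m["host"]] += failed
    return dict(failures)
```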


Re: [Fail2ban-users] Blocking Logins in Drupal 7 does not work!

2020-02-17 Thread Bill Shirley

Your failregex isn't even close to matching the log lines in /var/log/messages:

failregex = Submitting address \[\] to the firewall

Feb 17 14:18:42 www drupal[3979]: https://www.clubenaval.org.br/novo|1581949122|user|177.124.244.10|https://www.clubenaval.org.br/novo/?q=frontpage&destination=frontpage|https://www.clubenaval.org.br/novo/index.php|0||Login attempt failed for chmviola.

Try this for your filter:
[Definition]
#failregex = drupal.*|user|\[\]|.*Login attempt failed.*$
#failregex = drupal.*\[\]
failregex = drupal([^|]*){3}\[\].*Login attempt failed.*$
#failregex = drupal.*\|user\|\[\].*Login attempt failed.*$

ignoreregex =
The uncommented failregex works.

My test files are in /root/tmp
Running command: fail2ban-regex /root/tmp/drupal.messages /root/tmp/drupal.filter.conf

Running tests
=

Use   failregex file : /root/tmp/drupal.filter.conf
Use log file : /root/tmp/drupal.messages
Use encoding : UTF-8


Results
===

Failregex: 4 total
|-  #) [# of hits] regular expression
|   1) [4] drupal([^|]*){3}\[\].*Login attempt failed.*$
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [5] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
`-

Lines: 5 lines, 0 ignored, *4 matched*, 1 missed
[processed in 0.01 sec]

|- Missed line(s):
|  Feb 17 14:24:46 www drupal[3981]: https://www.clubenaval.org.br/novo|1581949486|user|177.124.244.10|https://www.clubenaval.org.br/novo/?q=area_socio_entrada&destination=node/365|https://www.clubenaval.org.br/novo/?q=area_socio_entrada|15||Session opened for chmviola

`-

Your English is good.
Bill

On 2/17/2020 11:53 AM, Henrique Fagundes wrote:

Dear Dudi,

Excuse me!

Here is the right file:
https://temporario.aprendendolinux.com/fail2ban/filter.d/drupal-auth.conf.txt


   On Mon, 17 Feb 2020 13:13:10 -0300, Dudi Goldenberg wrote:
  > Hi,
  >
  > What is the content of drupal-auth.conf? You pasted drupal-comment.conf.
  >
  > Regards,
  >
  > D.
  >
  > -Original Message-
  > From: Henrique Fagundes [mailto:supo...@aprendendolinux.com]
  > Sent: Monday, February 17, 2020 17:41
  > To: Fail2ban Users 
  > Subject: [Fail2ban-users] Blocking Logins in Drupal 7 does not work!
  >
  > Dear Colleagues,
  >
  > Good afternoon!
  >
  > Once again, I come to enlist the help of this group. Some will certainly 
remember me, with the PhpMyAdmin problem that I ended up solving with the update.
  >
  > Now, I have the same problem with Drupal (and I cannot update it). I can't 
get fail2ban to block failed login attempts.
  >
  > What I find strange is that before migrating the server, it used fail2ban 
version 0.9.6-2 on Debian 9.12 and it worked correctly.
  >
  > I migrated the server to CentOS 8.1 running fail2ban version 0.10.5-2, and 
since then the blocking does not work.
  >
  > I will share the configuration files with you:
  >
  > /etc/fail2ban/jail.conf:
  > https://temporario.aprendendolinux.com/fail2ban/jail.conf.txt
  >
  > /etc/fail2ban/filter.d/drupal-auth.conf:
  > 
https://temporario.aprendendolinux.com/fail2ban/filter.d/drupal-comment.conf.txt
  >
  > /var/log/messages:
  > https://temporario.aprendendolinux.com/messages.txt
  >
  > I understand that the correct thing would be for fail2ban to block IP 
177.124.244.10 after the third login attempt, but it is not happening.
  >
  > Can anybody help me?
  >
  > I apologize for the possible typos. I am Brazilian and I have difficulties 
with English.
  >
  >
  > ___
  > Fail2ban-users mailing list
  > Fail2ban-users@lists.sourceforge.net
  > https://lists.sourceforge.net/lists/listinfo/fail2ban-users
  >


___
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
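The filter test Bill ran above only reports how many lines matched; what the `<HOST>` group actually captured decides whether fail2ban has anything to ban. The following is an added example, not code from the list or from fail2ban: a miniature of what fail2ban-regex does, run over the two log lines quoted in the thread, returning the captured host of each match as well as the miss list. It assumes that the `\[\]` in the archived regex originally read `\[<HOST>\]` (the archive dropped the tag), and uses a stand-in for fail2ban's `<HOST>` expansion modeled on the shape of fail2ban's own pattern rather than copied from it. Under that assumption the posted regex matches the failed-login line but captures the bracketed PID `3979` rather than the pipe-delimited client address; the constructed `PIPE_FAILREGEX` is one way to capture the fourth pipe-separated field instead.

```python
import re

# Stand-in for fail2ban's <HOST> expansion.  Assumption: modeled on the shape
# of fail2ban's pattern (a word-ish token, so hostnames match too), not copied.
HOST_GROUP = r"(?P<host>[\w\-.^_]*\w)"

# Bill's uncommented failregex, assuming the archive's "\[\]" originally read
# "\[<HOST>\]" (the tag was dropped when the mail was rendered).
POSTED_FAILREGEX = r"drupal([^|]*){3}\[<HOST>\].*Login attempt failed.*$"

# Constructed alternative for the pipe-delimited Drupal watchdog line: skip
# "drupal[pid]: " and three pipe-separated fields (url, timestamp, type), then
# take the fourth field, which is the client address.
PIPE_FAILREGEX = r"drupal\[\d+\]: ([^|]*\|){3}<HOST>\|.*Login attempt failed"

# The two /var/log/messages lines quoted in the thread, re-joined onto one line each.
SAMPLE_LINES = [
    "Feb 17 14:18:42 www drupal[3979]: https://www.clubenaval.org.br/novo|1581949122|user|177.124.244.10|https://www.clubenaval.org.br/novo/?q=frontpage&destination=frontpage|https://www.clubenaval.org.br/novo/index.php|0||Login attempt failed for chmviola.",
    "Feb 17 14:24:46 www drupal[3981]: https://www.clubenaval.org.br/novo|1581949486|user|177.124.244.10|https://www.clubenaval.org.br/novo/?q=area_socio_entrada&destination=node/365|https://www.clubenaval.org.br/novo/?q=area_socio_entrada|15||Session opened for chmviola",
]


def compile_failregex(failregex):
    """Expand the <HOST> tag into a named group, as fail2ban does before compiling."""
    return re.compile(failregex.replace("<HOST>", HOST_GROUP))


def run_filter(failregex, lines):
    """Return (captured hosts, missed lines).  fail2ban-regex's summary only
    reports the counts; the captured host is what actually gets banned."""
    rx = compile_failregex(failregex)
    hosts, missed = [], []
    for line in lines:
        m = rx.search(line)
        if m:
            hosts.append(m.group("host"))
        else:
            missed.append(line)
    return hosts, missed


def is_ipv4(host):
    """True when the captured host is a dotted-quad address, i.e. bannable as-is."""
    parts = host.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts)


if __name__ == "__main__":
    for label, rx in (("posted", POSTED_FAILREGEX), ("pipe-aware", PIPE_FAILREGEX)):
        hosts, missed = run_filter(rx, SAMPLE_LINES)
        print(f"{label}: {len(hosts)} matched, {len(missed)} missed, hosts={hosts}")
        for h in hosts:
            if not is_ipv4(h):
                print(f"  captured {h!r}, which is not an address: nothing useful to ban")
```

Both regexes give the same "1 matched, 1 missed" tally on these lines, which is why a match count alone is not enough to trust a filter; checking the captured host is the step that separates a filter that bans the client from one that bans nothing.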


Re: [Fail2ban-users] Blocking Logins in Drupal 7 does not work!

2020-02-17 Thread Bill Shirley

Lines: 742 lines, 0 ignored, 73 matched, 669 missed

73 lines matched.  It *is* working.  Don't forget to reload or restart fail2ban.

Bill

On 2/17/2020 3:18 PM, Henrique Fagundes wrote:

Hello,

Unfortunately it didn't work.

This is the output of my test command:

[root@www /etc/fail2ban]# fail2ban-regex /var/log/messages 
/etc/fail2ban/filter.d/drupal-auth.conf

Running tests
=

Use   failregex filter file : drupal-auth, basedir: /etc/fail2ban
Use log file : /var/log/messages
Use encoding : UTF-8


Results
===

Failregex: 73 total
|-  #) [# of hits] regular expression
|   1) [73] drupal([^|]*){3}\[\].*Login attempt failed.*$
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [742] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: 
ExYear)?
`-

Lines: 742 lines, 0 ignored, 73 matched, 669 missed
[processed in 0.18 sec]

Missed line(s): too many to print.  Use --print-all-missed to print all 669 
lines


   On Mon, 17 Feb 2020 16:35:54 -0300, Bill Shirley wrote:
  > Your failregex isn't even close to matching the log lines in  
/var/log/messages:
  >
  > failregex = Submitting address \[\] to the firewall
  >
  > Feb 17 14:18:42 www drupal[3979]: https://www.clubenaval.org.br/novo|1581949122|user|177.124.244.10|https://www.clubenaval.org.br/novo/?q=frontpage&destination=frontpage|https://www.clubenaval.org.br/novo/index.php|0||Login attempt failed for chmviola.
  >
  > Try this for your filter:
  >   [Definition]
  > #failregex = drupal.*|user|\[\]|.*Login  attempt 
failed.*$
  > #failregex = drupal.*\[\]
  > failregex = drupal([^|]*){3}\[\].*Login  attempt 
failed.*$
  > #failregex = drupal.*\|user\|\[\].*Login  attempt 
failed.*$
  >
  > ignoreregex =
  > The uncommented failregex works.
  >
  > My test files are in /root/tmp
  >   Running command: fail2ban-regex /root/tmp/drupal.messages  
/root/tmp/drupal.filter.conf
  >
  > Running tests
  > =
  >
  > Use   failregex file : /root/tmp/drupal.filter.conf
  > Use log file : /root/tmp/drupal.messages
  > Use encoding : UTF-8
  >
  >
  > Results
  > ===
  >
  > Failregex: 4 total
  > |-  #) [# of hits] regular expression
  > |   1) [4] drupal([^|]*){3}\[\].*Login  attempt 
failed.*$
  > `-
  >
  > Ignoreregex: 0 total
  >
  > Date template hits:
  > |- [# of hits] date format
  > |  [5] {^LN-BEG}(?:DAY )?MON Day  
%k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
  > `-
  >
  > Lines: 5 lines, 0 ignored, 4 matched, 1 missed
  > [processed in 0.01 sec]
  >
  > |- Missed line(s):
  > |  Feb 17 14:24:46 www drupal[3981]: https://www.clubenaval.org.br/novo|1581949486|user|177.124.244.10|https://www.clubenaval.org.br/novo/?q=area_socio_entrada&destination=node/365|https://www.clubenaval.org.br/novo/?q=area_socio_entrada|15||Session opened for chmviola
  > `-
  >
  >   Your English is good.
  >   Bill
  >

Re: [Fail2ban-users] Blocking Logins in Drupal 7 does not work!

2020-02-17 Thread Bill Shirley

According to your jail, you need 3 failures (maxretry) within 6 hours 
(findtime) for it to ban.  Can you trigger
failed logins yourself to test?  I'm not sure your bantime = -1 is correct.

Bill

On 2/17/2020 3:34 PM, Henrique Fagundes wrote:

The test shows working! But in practice, it doesn't block!

I always restart fail2ban with every change to the configuration files.

systemctl restart fail2ban

   On Mon, 17 Feb 2020 17:29:48 -0300, Bill Shirley wrote:
  > Lines: 742 lines, 0 ignored, 73 matched, 669 missed
  >
  > 73 lines matched.  It is working.  Don't forget to reload or restart fail2ban.
  > Bill

Sincerely,

Henrique Fagundes
Linux Support Analyst
supo...@aprendendolinux.com
Skype: magnata-br-rj
Linux User: 475399

https://www.aprendendolinux.com
https://www.facebook.com/AprendendoLinux
https://youtube.com/AprendendoLinux
https://twitter.com/AprendendoLinux
https://t.me/AprendendoLinux
https://t.me/GrupoAprendendoLinux
__
Join the Aprendendo Linux group
https://listas.aprendendolinux.com/listinfo/aprendendolinux

Or send an e-mail to:
aprendendolinux-subscr...@listas.aprendendolinux.com



Re: [Fail2ban-users] bantime in jail not honoured by iptables-ipset-proto6-allports.conf

2020-05-27 Thread Bill Shirley

Header: family inet hashsize 1024 maxelem 65536 timeout 600
Timeout here is the *default* timeout.  Look at the actual entry.  It should be 
counting down
between the two ipset commands.

ipset -L | grep -e Name -e 8.8.8.8
Where 8.8.8.8 is the actual IP address.

Bill

On 5/26/2020 9:52 AM, Nick Howitt wrote:

I've just noticed that the sshd jail is not using the bantime set in a 
configlet in /etc/fail2ban/jail.d:
[sshd]
enabled = true
bantime  = 86400
action = iptables-ipset-proto6-allports[name=sshd]

[root@dynamicvpn ~]# ipset list f2b-sshd -terse
Name: f2b-sshd
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 600
Size in memory: 13368
References: 1
Number of entries: 144

I can see there is a timeout in iptables-ipset-proto6-allports.conf but changing this, e.g., with a .local file, changes it for 
all jails. Is it possible to set the timeout for this action on a per-jail basis?


I'm using f2b 0.10.5.



___
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users


Re: [Fail2ban-users] bantime in jail not honoured by iptables-ipset-proto6-allports.conf

2020-05-27 Thread Bill Shirley

My version: fail2ban-server-0.11.1-6.fc32.noarch

On your [sshd] jail, use:
action = iptables-ipset-proto6-allports[name=sshd,bantime=86400]

Look at /etc/fail2ban/action.d/iptables-ipset-proto6-allports.conf for 
actionban:
actionban = ipset add <ipmset>  timeout <bantime> -exist

[Init]
bantime = 600  <-- this default is used if not on the invocation line
ipmset = f2b-<name>

You pass the  in the invocation [...,bantime=86400].   is 
created in the [Init] section with the ipmset =
from the passed  argument.  Fail2ban supplies .

Bill

On 5/27/2020 11:41 AM, Nick Howitt wrote:

Hello Bill,
The countdown is working correctly but from 600 which is the "bantime" setting in iptables-ipset-proto6-allports.conf. I am 
wanting to override it on a per-jail basis, in this example to 86400. It seems that iptables-ipset-proto6-allports.conf does 
not use the override. I can override it in iptables-ipset-proto6-allports.local, but this is an override for all jails using 
this action.

Do you know how to achieve this?
Thanks,
Nick






___
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users


Re: [Fail2ban-users] postfix-sasl losing banned ips Centos 8 / firewalld / systemd

2020-07-28 Thread Bill Shirley

Did you mean to set the timeout on f2b-postfix-sasl to ten minutes (600)?  These
will count down and fall off the list without fail2ban knowing. You should see 
the
countdown with:
watch ipset -L f2b-postfix-sasl

Bill

On 7/27/2020 9:06 PM, registrati...@itconqueror.com wrote:


Hello List, thanks in advance for any help you can provide….

I hope you can help me with this…

Fresh Centos 8 installed with fail2ban + firewalld/system

Everything installed from rpm

I have installed and configured 2 jails, sshd and postfix-sasl, Firewalld is running and getting the list of ban ips from 
fail2ban


ipv4 filter INPUT_direct 0 -p tcp -m multiport --dports 1:65535 -m set --match-set f2b-postfix-sasl src -j REJECT 
--reject-with icmp-port-unreachable


ipv4 filter INPUT_direct 0 -p tcp -m multiport --dports ssh -m set --match-set f2b-sshd src -j REJECT --reject-with 
icmp-port-unreachable


both jails are detecting and banning IPs; as you can see in the output, 64 and 
787 IPs banned respectively

Status for the jail: postfix-sasl

|- Filter

|  |- Currently failed: 15

|  |- Total failed: 2979

|  `- Journal matches: _SYSTEMD_UNIT=postfix.service

`- Actions

   |- Currently banned: 64

   |- Total banned: 64

   `- Banned IP list: 46.38.150.37 185.143.73.134 185.143.73.203 46.38.145.253 
46.38.145.252 ….. [output cut]

[root@vps01 ~]# fail2ban-client status sshd

Status for the jail: sshd

|- Filter

|  |- Currently failed: 68

|  |- Total failed: 787

|  `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd

`- Actions

   |- Currently banned: 359

   |- Total banned: 380

   `- Banned IP list: 128.199.142.0 119.29.56.139 210.126.5.91 190.143.39.211 107.159.22.18 181.166.87.8 85.172.11.101 
….[output cut]


However, the problem is that after a couple of minutes firewalld loses the list of IPs from fail2ban and stops blocking, 
and actually no longer blocks any new IP added to the jail


As you can see here from command output postfix-sasl has 0 entries, If I

[root@vps01 ~]# ipset list

Name: f2b-postfix-sasl

Type: hash:ip

Revision: 4

Header: family inet hashsize 1024 maxelem 65536 timeout 600

Size in memory: 6168

References: 1

Number of entries: 0

Members:

Name: f2b-sshd

Type: hash:ip

Revision: 4

Header: family inet hashsize 1024 maxelem 65536 timeout 172800

Size in memory: 29688

References: 1

Number of entries: 362

Members:

188.166.164.10 timeout 161635

41.111.135.199 timeout 161638

…. [output cut]

62.94.206.57 timeout 161639

49.232.162.53 timeout 172712

If fail2ban is restarted, postfix-sasl gets its members and effectively blocks connections, but after a couple of minutes it 
goes back to 0 entries and stops protecting…


[root@vps01 ~]# ipset list|grep -v timeout

Name: f2b-sshd

Type: hash:ip

Revision: 4

Size in memory: 29208

References: 1

Number of entries: 361

Members:

Name: f2b-postfix-sasl

Type: hash:ip

Revision: 4

Size in memory: 6264

References: 1

Number of entries: 64

Members:

-- running versions –

cyrus-sasl-2.1.26-23.el7.x86_64

cyrus-sasl-gssapi-2.1.26-23.el7.x86_64

cyrus-sasl-lib-2.1.26-23.el7.x86_64

cyrus-sasl-md5-2.1.26-23.el7.x86_64

cyrus-sasl-plain-2.1.26-23.el7.x86_64

fail2ban-0.10.5-2.el7.noarch

fail2ban-firewalld-0.10.5-2.el7.noarch

fail2ban-sendmail-0.10.5-2.el7.noarch

fail2ban-server-0.10.5-2.el7.noarch

fail2ban-systemd-0.10.5-2.el7.noarch

postfix-2.10.1-9.el7.x86_64

--



___
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
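The two threads above turn on the same mechanism: the ipset timeout written by `actionban` comes from the action's `[Init]` default (600) unless the jail passes `bantime=...` on the action line, and once an entry is in the kernel it counts down and expires on its own, so a jail with a longer bantime ends up believing an address is banned that the firewall has already let go. The following is an added example, not code from the list or from fail2ban: a small Python model of how the `<tag>` placeholders get filled, used to render the exact `ipset add` line a jail would run and to flag a jail whose ipset timeout is shorter than its bantime before the configuration is deployed. The tag names (`<name>`, `<ip>`, `<bantime>`, `<ipmset>`) are fail2ban's; the `[Init]` contents beyond what the thread quotes, the action-spec parser and the consistency check are constructed for this example.

```python
import re

# Constructed [Init] defaults in the shape of the iptables-ipset-proto6* action
# files quoted in the thread.  Tag names are fail2ban's; everything not quoted
# in the thread is an assumption of this example.
INIT_DEFAULTS = {
    "bantime": "600",                      # used unless the jail passes bantime=...
    "ipmset": "f2b-<name>",                # ipset name is derived from <name>
    "actionban": "ipset add <ipmset> <ip> timeout <bantime> -exist",
}
INIT_INET6_OVERRIDES = {"ipmset": "f2b-6<name>"}   # [Init?family=inet6] variant

TAG = re.compile(r"<([a-z0-9-]+)>")
ACTION_SPEC = re.compile(r"^([\w.-]+)(?:\[(.*)\])?$")


def parse_action_spec(spec):
    """'iptables-ipset-proto6-allports[name=sshd,bantime=86400]' -> (action, params)."""
    m = ACTION_SPEC.match(spec.strip())
    if not m:
        raise ValueError(f"unparseable action spec: {spec!r}")
    params = {}
    for kv in (m.group(2) or "").split(","):
        if kv.strip():
            key, _, value = kv.partition("=")
            params[key.strip()] = value.strip()
    return m.group(1), params


def resolve(template, tags, max_rounds=10):
    """Substitute <tag>s repeatedly until nothing changes (tags may nest, as
    <ipmset> -> f2b-<name> does).  Unknown tags are left in place."""
    for _ in range(max_rounds):
        expanded = TAG.sub(lambda m: tags.get(m.group(1), m.group(0)), template)
        if expanded == template:
            return expanded
        template = expanded
    raise ValueError("tag expansion did not settle")


def render_actionban(spec, jail_name, ip, family="inet"):
    """The actionban command line fail2ban would run for one banned address."""
    _, params = parse_action_spec(spec)
    tags = {"name": jail_name}             # fail2ban supplies <name> = jail name
    tags.update(INIT_DEFAULTS)
    if family == "inet6":
        tags.update(INIT_INET6_OVERRIDES)
    tags.update(params)                    # [key=value] on the action line wins
    tags["ip"] = ip
    return resolve(tags["actionban"], tags)


def ipset_timeout(spec, jail_name, family="inet"):
    """Seconds the kernel will keep an entry, as passed on the ipset command."""
    cmd = render_actionban(spec, jail_name, "192.0.2.1", family)   # RFC 5737 sample address
    return int(re.search(r"\btimeout (\d+)\b", cmd).group(1))


def check_jail(spec, jail_name, jail_bantime):
    """Flag jails whose ipset entries expire in the kernel before fail2ban's
    own ban does: the address is unblocked while fail2ban still counts it."""
    t = ipset_timeout(spec, jail_name)
    if t < jail_bantime:
        return (f"WARNING {jail_name}: ipset timeout {t}s < jail bantime "
                f"{jail_bantime}s; add bantime={jail_bantime} to the action parameters")
    return f"OK {jail_name}: ipset timeout {t}s covers jail bantime {jail_bantime}s"


if __name__ == "__main__":
    print(render_actionban("iptables-ipset-proto6-allports[name=sshd]", "sshd", "192.0.2.1"))
    print(check_jail("iptables-ipset-proto6-allports[name=sshd]", "sshd", 86400))
    print(check_jail("iptables-ipset-proto6-allports[name=sshd,bantime=86400]", "sshd", 86400))
```

The rendered command is the thing to compare against `ipset list <setname>` on the host: if the `timeout` value on the command is 600 while the jail's bantime is a day, the per-entry countdown shown by `ipset -L` will reach zero long before fail2ban issues its unban.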


Re: [Fail2ban-users] How to implement ban using ipset

2020-09-03 Thread Bill Shirley

At the bottom of /etc/fail2ban/action.d/iptables-ipset-proto6.conf:
[Init]

# Option: default-timeout
# Notes:  specifies default timeout in seconds (handled default ipset timeout 
only)
# Values:  [ NUM ]  Default: 600

default-timeout = 600

ipmset = f2b-
familyopt =


[Init?family=inet6]

ipmset = f2b-6
familyopt = family inet6

 comes from your jail:
banaction = iptables-ipset-proto6
I'm surprised it doesn't have the name param: banaction = 
iptables-ipset-proto6[name=something]

The two come together to create the ipset name.  Have a look at your ipset 
names:
ipset -L | grep -e Name
Any fail2ban ipsets will be prefixed with 'f2b-'. Make sure csf or iptables is 
utilizing the ipset.

Bill

On 9/2/2020 1:17 PM, Phillip Carroll wrote:

On 9/2/2020 5:43 AM, Phillip Carroll wrote:

On 9/1/2020 6:04 PM, Richard Shaw wrote:
On Tue, Sep 1, 2020 at 7:45 PM Phillip Carroll > wrote:


    I have been using csf/lfd as my firewall for several years on several
    versions of CentOS, currently CentOS7. I am using several ipset-managed
    blocklists supported directly by csf. Some of these are fairly huge
    (such as whole country blocks), and it changes them in fractions of a
    second. Very happy with everything it does.

    However, csf syntax for custom regex applied to logs is relatively
    clumsy and error-prone so I have installed fail2ban in hopes of using
    that for custom log-based bans.

    For my initial testing I have set up one jail and a corresponding
    filters. (I found that all very simple.)

    My intent:
    On filter matches, immediately ban the host IP for one full day. Use
    ipset to implement the bans.

    The test case basically watches my exim reject.log (using inotify) and
    unerringly finds the naughty hosts I want to ban.

    My setup:
    jail.local has:

 > [exim-reject]
 > mode      = normal
 > port      = smtp,ssmtp
 > logpath   = /var/log/exim/reject.log
 > filter    = exim-reject
 > maxmatches = 1
 > maxretry   = 1
 > backend   = auto
 > bantime   = 1d
 > banaction = iptables-ipset-proto6
 > enabled   = true

    And exim-reject.conf contains:

 > [INCLUDES]
 > before = exim-common.conf
 > [Definition]
 > failregex =  is listed at zen.spamhaus.org
    
 >             \[\]:25 dropped: too many syntax or protocol errors

    The contents of fail2ban.log indicates everything is working. It
    says it
    found the lines I expected it to find, and has issued bans (and
    unbans a
    day later).

    However, when I list the ipset sets on the console, the only sets
    listed
    are those managed by csf. Clearly I have implemented something
    incorrectly. I am hoping somebody on the list can set me straight.
    Is it
    possibly a permissions problem?


That's quite a bit more complex an installation than I use, so I can't help you there, but the fail2ban version and source (EPEL, self 
install, etc.) would be helpful.


Thanks,
Richard


@Richard,

This server has only prebuilt packages from the standard repos, managed using 
yum. It is a pretty typical headless server.

I don't use selinux because of conflicts with the ISP provided kernel. (Linode)

From yum list installed:
fail2ban.noarch 0.11.1-9.el7.2 @epel
fail2ban-server.noarch 0.11.1-9.el7.2 @epel
ipset.x86_64 7.1-1.el7 @base
ipset-libs.x86_64 7.1-1.el7 @base
iptables.x86_64 1.4.21-34.el7 @base
iptables-services.x86_64 1.4.21-34.el7 @base


Phil


___
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users


I turned on DEBUG and restarted fail2ban.  Following is the result in 
fail2ban.log.

The difficulty I have is understanding the content of the scripting macros used in the various commands at the time the 
commands are issued.  For instance, what does "" contain at the time of the ipset create command?  The log would 
appear to indicate the scripting is such that values are used before they are defined. After the create, I see the value set 
as 'f2b-' which is dependent on the value of  which is set on a subsequent set command as 'exim-reject'.


If this order is the actual sequence it would explain the fact that the set f2b-exim-reject' does not exist after the restart 
of fail2ban.

However, perhaps I just don't understand the inner workings.

The log:


2020-09-02 08:34:17,939 fail2ban.server [4077]: INFO    Reload all jails
2020-09-02 08:34:17,939 fail2ban.server [4077]: INFO Reload jail 
'exim-reject'
2020-09-02 08:34:17,940 fail2ban.filter [4077]: DEBUG Setting usedns = 
warn for FilterPyinotify(Jail('exim-reject'))
2020-09-02 08:34:17,940 fail2ban.server [4077]: DEBUG failregex: 
' is listed at zen.spamhaus.org'
2020-09-02 08:34:17,940 fai