Difference between revisions of "Fail2ban:Community Portal"

From Fail2ban
Permanently Ban Persistent IP Addresses

I would love to see a way for Fail2Ban to permanently ban IPs that receive a temporary ban x number of times. For instance, if an IP attempts to break into SSH 5 times and fails, it gets a temporary ban of 10 minutes. If that same IP tries and fails again 5 more times after the temporary ban is lifted, it gets another temporary ban. If that same IP cycles through this process 5 times in a span of 6 hours, create a firewall rule that is either permanent or covers a much longer time frame. I don't want to extend the number of minutes for a single ban in case a legit user just fails to log in too many times, but I don't want to receive the Fail2Ban emails for the same IP 300 times before I manually create a new firewall entry permanently blocking that IP.

Is this possible or can this functionality be easily added to Fail2Ban?

Revision as of 14:51, 29 October 2011

User filters

suhosin

Is the regex correct?

log content:

Jun  2 12:05:27 hostname suhosin[16892]: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'h' (attacker '123.123.123.123', file '/var/lib/mediawiki/index.php')
Jun  2 12:49:04 hostname suhosin[18413]: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'controller' (attacker '123.123.123.123', file '/var/www/example.com/page.php')


  • Jail section
[suhosin]
enabled = true
port    = http,https
filter  = suhosin                                                                                                                               
logpath = /var/log/syslog/*error.log 
maxretry = 1 
  • filter suhosin.conf
[Definition]
# Option:  failregex
# Notes.:  regex to match the password failure messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
# The attacker address is quoted in the suhosin ALERT line, so the single
# quotes delimit <HOST> cleanly.
failregex = suhosin\[\d*\].*\(attacker\s'<HOST>'.*
# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
ignoreregex =

Qmail

Qmail vpopmail pop3 filter

Heres the jail

    [qmail-vpopmail-pop3-user-notfound]
    enabled = true
    filter = qmail-vpopmail-pop3-username
    action = iptables[name=POP3, port="110,995", protocol=tcp]
    logpath = /var/log/maillog
    maxretry = 5
    bantime  = 864000
    findtime = 3600

Heres the filter

    # Fail2Ban configuration file
    #
    # Author: Jackie Craig Sparks
    #
    # $Revision: 728 $
    #
    [Definition]
    # Option: failregex
    # Notes.: regex to match the password failures messages in the logfile.
    # The host must be matched by a group named "host". The tag "<HOST>" can
    # be used for standard IP/hostname matching and is only an alias for
    # (?:::f{4,6}:)?(?P<host>\S+)
    # Values: TEXT
    # The line ends in "user@domain:IP"; the mailbox part is matched loosely so
    # that domains without a hyphen match too. The date prefix is matched
    # literally because fail2ban 0.8 hands the whole line to failregex; newer
    # releases strip the timestamp first, so drop the prefix up to "vpopmail" there.
    failregex = ^\w{3,5} \w{1,2} \w{1,2}:\w{1,2}:\w{1,2} \w{1,6} vpopmail\[\d{1,6}\]: vchkpw-pop3: vpopmail user not found \S+@\S+:<HOST>$

    # Option: ignoreregex
    # Notes.: regex to ignore. If this regex matches, the line is ignored.
    # Values: TEXT
    ignoreregex =

    [qmail-vpopmail-pop3-pw-fail]
    enabled  = true
    filter   = qmail-vpopmail-password
    action   = iptables[name=POP3, port="110,995", protocol=tcp]
    logpath  = /var/log/maillog
    maxretry = 5
    bantime  = 864000
    findtime = 3600

    # Fail2Ban configuration file
    #
    # Author: Jackie Craig Sparks
    #
    # $Revision: 728 $
    #

    [Definition]
    # Looks for failed password logins to pop3 ("password fail user@domain:IP").
    failregex = ^\w{3,5} \w{1,2} \w{1,2}:\w{1,2}:\w{1,2} \w{1,6} vpopmail\[\d{1,6}\]: vchkpw-pop3: password fail \S+@\S+:<HOST>$
    ignoreregex =

Qmail vpopmail smtp filter

Jail information

    [qmail-vpopmail-smtp-pw-fail]
    enabled  = true
    filter   = qmail-vpopmail-smtp-password
    action   = iptables[name=SMTP, port="25,465", protocol=tcp]
    logpath  = /var/log/maillog
    maxretry = 5
    bantime  = 864000
    findtime = 3600

    [qmail-vpopmail-smtp-user-notfound]
    enabled = true
    filter = qmail-vpopmail-smtp-username
    action = iptables[name=SMTP, port="25,465", protocol=tcp]
    logpath = /var/log/maillog
    maxretry = 5
    bantime  = 864000
    findtime = 3600

    # Fail2Ban configuration file
    #
    # Author: Jackie Craig Sparks
    #
    # $Revision: 728 $
    #
    [Definition]
    # Option: failregex
    # Notes.: regex to match the password failures messages in the logfile.
    # The host must be matched by a group named "host". The tag "<HOST>" can
    # be used for standard IP/hostname matching and is only an alias for
    # (?:::f{4,6}:)?(?P<host>\S+)
    # Values: TEXT
    # Same shape as the pop3 filter above, for the SMTP-AUTH path (vchkpw-smtp).
    failregex = ^\w{3,5} \w{1,2} \w{1,2}:\w{1,2}:\w{1,2} \w{1,6} vpopmail\[\d{1,6}\]: vchkpw-smtp: vpopmail user not found \S+@\S+:<HOST>$
    # Option: ignoreregex
    # Notes.: regex to ignore. If this regex matches, the line is ignored.
    # Values: TEXT
    ignoreregex =

    # Fail2Ban configuration file
    #
    # Author: Jackie Craig Sparks
    #
    # $Revision: 728 $
    #
    [Definition]
    # Looks for failed password logins to SMTP
    failregex = ^\w{3,5} \w{1,2} \w{1,2}:\w{1,2}:\w{1,2} \w{1,6} vpopmail\[\d{1,6}\]: vchkpw-smtp: password fail \S+@\S+:<HOST>$
    ignoreregex =

Qmail vpopmail imap filter

Jail

    [qmail-vpopmail-imap-pw-fail]
    enabled  = true
    filter   = qmail-vpopmail-imap-password
    action   = iptables[name=IMAP, port="143,585,993", protocol=tcp]
    logpath  = /var/log/imap4/current
    maxretry = 5
    bantime  = 864000
    findtime = 3600

Filter

    # Fail2Ban configuration file
    #
    # Author: Jackie Craig Sparks
    #
    # $Revision: 728 $
    #
    [Definition]
    # Looks for failed password logins to IMAP. The multilog line carries the
    # client address in square brackets ("ip=[...]"); an IPv4-mapped ::ffff:
    # prefix is absorbed by the <HOST> alias.
    failregex = ^@\w{1,30} ERR: LOGIN FAILED, ip=\[<HOST>\]$
    ignoreregex =

Qmail vpopmail imap ssl filter

Jail

    [qmail-vpopmail-imap-ssl-pw-fail]
    enabled  = true
    filter   = qmail-vpopmail-imap-ssl-password
    action   = iptables[name=IMAP, port="143,585,993", protocol=tcp]
    logpath  = /var/log/imap4-ssl/current
    maxretry = 5
    bantime  = 864000
    findtime = 3600

Filter

    # Fail2Ban configuration file
    #
    # Author: Jackie Craig Sparks
    #
    # $Revision: 728 $
    #
    [Definition]
    # Looks for failed password logins to IMAP over SSL (same log format as the
    # plain IMAP filter, different log directory).
    failregex = ^@\w{1,30} ERR: LOGIN FAILED, ip=\[<HOST>\]$
    ignoreregex =

DOVECOT

Edit: found even better pattern on http://wiki.dovecot.org/HowTo/Fail2Ban

Maybe helpful for Dovecot-users:

 [root@xblue1 fail2ban]# cat /etc/fail2ban/jail.conf 
 ...
 [dovecot]
 enabled  = true
 filter   = dovecot
 maxretry = 5
 bantime  = 3600
 findtime  = 120
 action   = iptables-multiport[name=DOVECOT, port="imap,imaps,pop3,pop3s", protocol=tcp]
            sendmail-whois[name=DOVECOT, dest=you@mail.com, sender=fail2ban@this-server.com]
 logpath  = /var/log/maillog


 [root@xblue1 fail2ban]# cat /etc/fail2ban/filter.d/dovecot.conf 
 [Definition]
 # Option:  failregex
 # Notes.:  regex to match the password failures messages in the logfile. The
 #          host must be matched by a group named "host". The tag "<HOST>" can
 #          be used for standard IP/hostname matching.
 # Values:  TEXT
 #
 
 failregex = (?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
   
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
 # Values:  TEXT
 #
 ignoreregex =

Works wonderful on my servers and keeps dictionary attacks on POP/IMAP-accounts away.

-- Roman

Mysql

Add support for MySQL general log timestamps

(by John Bayly)

MySQL uses a different format for its timestamps: yymmdd HH:MM:ss, which makes it impossible to use fail2ban to ban MySQL dictionary attacks. Looking at the source, I've created a diff for the change:

--- server/datedetector.py.orig 2010-04-20 19:24:09.000000000 +0100
+++ server/datedetector.py      2010-04-20 19:26:19.000000000 +0100
@@ -103,2 +103,8 @@
                        self.__templates.append(template)
+                       # MySQL 080717 17:23:25
+                       template = DateStrptime()
+                       template.setName("YearMonthDay Hour:Minute:Second")
+                       template.setRegex("\d{2}\d{2}\d{2} \d{2}:\d{2}:\d{2}")
+                       template.setPattern("%y%m%d %H:%M:%S")
+                       self.__templates.append(template)
                        # TAI64N
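Review bot: the template regex added in this hunk is an ordinary (non-raw) string containing `\d`; it only works because Python 2 keeps an unknown escape sequence literally, so it should be written as a raw string, `template.setRegex(r"\d{2}\d{2}\d{2} \d{2}:\d{2}:\d{2}")`, in line with how fragile escapes are normally handled. The pattern is also unanchored, so any six digits followed by a space and a time anywhere in a line (a message or process identifier before the real timestamp, for instance) would be taken as the date; anchoring it at the start of the line or with `\b` would confine it to the MySQL log's own prefix. A one-line comment noting that `%y` is a two-digit year would help the next reader of this template.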

Thanks, John

Fail2SQL - a MySQL Logger for Fail2ban

(by Jordan Tomkinson)

I have created a PHP script that integrates with fail2ban to log ban information to a MySQL database

It has simple reporting and geographical location lookup on IP

For details see the project home page

Apache

apache webmail phishing jail - regex and filter

Here are the other examples of mail phishing that has happened on our network

   [Fri Aug 19 10:33:08 2011] [error] [client 207.171.3.138] File does not exist: /var/www/skraps/cube
   [Fri Aug 19 10:33:08 2011] [error] [client 207.171.3.138] File does not exist: /var/www/skraps/round
   [Fri Aug 19 10:33:08 2011] [error] [client 207.171.3.138] File does not exist: /var/www/skraps/roundcube-0.2
   [Fri Aug 19 10:33:08 2011] [error] [client 207.171.3.138] File does not exist: /var/www/skraps/roundcube-0.1
   [Fri Aug 19 10:33:08 2011] [error] [client 207.171.3.138] File does not exist: /var/www/skraps/roundcubemail-0.1
   [Fri Aug 19 10:33:08 2011] [error] [client 207.171.3.138] File does not exist: /var/www/skraps/roundcubemail-0.2
   [Fri Aug 19 10:33:08 2011] [error] [client 207.171.3.138] File does not exist: /var/www/skraps/wm
   [Fri Aug 19 10:33:08 2011] [error] [client 207.171.3.138] File does not exist: /var/www/skraps/webmail2
   [Fri Aug 19 10:33:08 2011] [error] [client 207.171.3.138] File does not exist: /var/www/skraps/rms
   [Fri Aug 19 10:33:08 2011] [error] [client 207.171.3.138] File does not exist: /var/www/skraps/mail2
   [Fri Aug 19 10:33:09 2011] [error] [client 207.171.3.138] File does not exist: /var/www/skraps/mss2
   [Fri Aug 19 10:33:10 2011] [error] [client 207.171.3.138] File does not exist: /var/www/skraps/mss
   [Fri Aug 19 10:33:10 2011] [error] [client 207.171.3.138] File does not exist: /var/www/skraps/roundcubemail
   [Fri Aug 19 10:33:10 2011] [error] [client 207.171.3.138] File does not exist: /var/www/skraps/rc
   [Fri Aug 19 10:33:10 2011] [error] [client 207.171.3.138] File does not exist: /var/www/skraps/webmail
   [Fri Aug 19 10:33:10 2011] [error] [client 207.171.3.138] File does not exist: /var/www/skraps/roundcube
   [Fri Aug 19 10:33:10 2011] [error] [client 207.171.3.138] File does not exist: /var/www/skraps/mail

Jail

    [apache-webmail-phish]
    enabled  = true
    filter   = apache-webmail-phish
    action   = iptables[name=HTTP, port="80,443", protocol=tcp]
    logpath  = /var/log/apache2/error.log
    maxretry = 0
    bantime  = 864000
    findtime = 3600

Filter

    # Fail2Ban configuration file
    #
    # Author: Jackie Craig Sparks
    #
    # $Revision: 728 $
    #
    [Definition]
    # Looks for "File does not exist" errors on roundcube-style paths, i.e. the
    # webmail probes shown above. The tail is optional so that a request for
    # exactly ".../roundcube" (no suffix) matches as well.
    failregex = ^\[\w{3} \w{3} \d{1,2} \d{1,2}:\d{1,2}:\d{1,2} \d{4}\] \[error\] \[client <HOST>\] File does not exist: .{1,40}roundcube.*$
    ignoreregex =

apache w00t w00t messages jail - regex and filter

Jail

    [apache-wootwoot]
    enabled  = true
    filter   = apache-wootwoot
    action   = iptables[name=HTTP, port="80,443", protocol=tcp]
    logpath  = /var/log/apache2/error.log
    maxretry = 0
    bantime  = 864000
    findtime = 3600

Filter

    # Fail2Ban configuration file
    #
    # Author: Jackie Craig Sparks
    #
    # $Revision: 728 $
    #
    [Definition]
    # Woot woot messages. The client address must be captured with <HOST>, not
    # written as a literal IP, otherwise the jail has nothing to ban.
    failregex = ^\[\w{3} \w{3} \d{1,2} \d{1,2}:\d{1,2}:\d{1,2} \d{4}\] \[error\] \[client <HOST>\] File does not exist: \/.{1,20}\/(w00tw00t|wootwoot|WootWoot|WooTWooT).*$
    ignoreregex =

apache-auth.conf

Modify "apache-auth.conf" to allow banning on server using digest authentication

Hello, digest authentication is not accounted for when Apache uses digest instead of basic authentication. So just edit the apache-auth.conf file and extend the regex to:

 failregex = [[]client <HOST>[]] .* user .* authentication failure
             [[]client <HOST>[]] .* user .* not found
             [[]client <HOST>[]] .* user .* password mismatch

cheers Ralf

--68.170.212.28 04:39, 3 July 2011 (UTC)

User Suggestions

User Interface for writing the regex matching rules

I'm not a complete stranger to regex and I'm VERY frustrated with trying to write what OUGHT to be a simple rule.

I have this in my log file:

Jul 2 22:49:33 www postfix/smtpd[1851]: NOQUEUE: reject: RCPT from unknown[64.40.149.188]: 450 4.1.1 <rebuildingdemocracy@mydomian.com>: Recipient address rejected: undeliverable address: unknown user: "rebuildingdemocracy"; from=<anonymous@www.joe.com> to=<rebuildingdemocracy@mydomain.com> proto=ESMTP helo=<www.joe.com>

What I'd like to do is create a jail and rule that would block the IP address for 24 hours.

I tried several things to get it to match. It should be fairly simple.... Look for a new line in the log file - scan down it to find "NOQUEUE: reject: RCPT from" get the <HOST> from inside the [] and ban them for 24 hours.

GAH!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Python regex just ain't right! Nothing works, including wildcards for all but the pertinent parts. You don't have forums I can find and between this and my PMS, I'm ready to go into Red Queen Mode........

So what I'd like to see, and you all can keep your heads, is an interface in which I can paste a line of log file, point out the bits I want it to match on and it will write the rule correctly for me.

Having the ability to do the same for the ignore bits would be highly useful as well.
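As an added example (my code, not the page's and not fail2ban's own), here is a small Python stand-in for fail2ban-regex that answers the regex questions above in one place: it expands <HOST> exactly as the filter comments on this page describe, runs a failregex and an ignoreregex over sample log lines, and applies a maxretry threshold. The suhosin and dovecot patterns are the ones posted above; the postfix pattern is my answer to the "NOQUEUE: reject: RCPT from" request; the w00tw00t pattern is the page's with <HOST> in place of the literal client address. All log lines and addresses are constructed (TEST-NET-1, RFC 5737), not taken from a real host.

```python
import re
from collections import Counter
from typing import Dict, List, Sequence

# fail2ban 0.8's own expansion of the <HOST> tag (quoted in the filter comments on this page).
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# Filters exercised below. suhosin/dovecot follow the page; postfix-reject is my suggestion for
# the NOQUEUE request; apache-wootwoot is the page's filter with <HOST> instead of a literal IP.
FILTERS: Dict[str, str] = {
    "suhosin": r"suhosin\[\d+\]: ALERT - .*\(attacker '<HOST>',",
    "postfix-reject": r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from \S+\[<HOST>\]: \d{3} ",
    "apache-wootwoot": r"^\[[^\]]+\] \[error\] \[client <HOST>\] File does not exist: \S*/(?i:w00tw00t|wootwoot)",
    "dovecot": (r"(?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed"
                r"|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*"),
}

# Constructed sample log lines (TEST-NET-1 addresses); not copied from a real server.
SAMPLE_LOG: List[str] = [
    "Jun  2 12:05:27 host suhosin[16892]: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'h' (attacker '192.0.2.10', file '/var/lib/mediawiki/index.php')",
    "Jun  2 12:05:28 host suhosin[16892]: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'id' (attacker '192.0.2.10', file '/var/www/example.com/page.php')",
    'Jul  2 22:49:33 www postfix/smtpd[1851]: NOQUEUE: reject: RCPT from unknown[192.0.2.20]: 450 4.1.1 <nobody@example.com>: Recipient address rejected: undeliverable address: unknown user: "nobody"; from=<a@example.net> to=<nobody@example.com> proto=ESMTP helo=<example.net>',
    'Jul  2 22:49:34 www postfix/smtpd[1851]: NOQUEUE: reject: RCPT from unknown[192.0.2.20]: 450 4.1.1 <sales@example.com>: Recipient address rejected: undeliverable address: unknown user: "sales"; from=<a@example.net> to=<sales@example.com> proto=ESMTP helo=<example.net>',
    'Jul  2 22:49:35 www postfix/smtpd[1852]: NOQUEUE: reject: RCPT from mail.example.org[192.0.2.21]: 554 5.7.1 <x@example.net>: Relay access denied; from=<b@example.org> to=<x@example.net> proto=ESMTP helo=<mail.example.org>',
    'Jul  2 22:49:36 www postfix/smtpd[1851]: NOQUEUE: reject: RCPT from unknown[192.0.2.20]: 450 4.1.1 <info@example.com>: Recipient address rejected: undeliverable address: unknown user: "info"; from=<a@example.net> to=<info@example.com> proto=ESMTP helo=<example.net>',
    "[Fri Aug 19 10:33:10 2011] [error] [client 192.0.2.30] File does not exist: /var/www/w00tw00t.at.ISC.SANS.DFind:)",
    "[Fri Aug 19 10:33:11 2011] [error] [client 192.0.2.31] File does not exist: /var/www/favicon.ico",
    "Jun  2 12:06:01 host dovecot: imap-login: Disconnected (auth failed, 3 attempts): user=<bob>, method=PLAIN, rip=192.0.2.40, lip=192.0.2.1",
    "Jun  2 12:06:05 host dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<alice>, method=PLAIN, rip=192.0.2.40, lip=192.0.2.1",
    "Jun  2 12:06:09 host dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<bob>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1",
]


def compile_failregex(failregex: str):
    """Expand <HOST> the way fail2ban does and compile the result.

    A filter that captures no host gives the jail nothing to ban, so refuse it up front
    instead of failing on the first matching line.
    """
    if "<HOST>" not in failregex and "(?P<host>" not in failregex:
        raise ValueError("failregex captures no host: use <HOST> or (?P<host>...)")
    return re.compile(failregex.replace("<HOST>", HOST_TAG))


def match_hosts(lines: Sequence[str], failregex: str, ignoreregex: str = "") -> List[str]:
    """Host captured from each line the filter matches, in log order.

    As in fail2ban, a line matching ignoreregex is never counted, even if failregex matches.
    """
    fail = compile_failregex(failregex)
    ignore = re.compile(ignoreregex) if ignoreregex else None
    hosts: List[str] = []
    for line in lines:
        if ignore is not None and ignore.search(line):
            continue
        m = fail.search(line)
        if m is not None:
            hosts.append(m.group("host"))
    return hosts


def offenders(lines: Sequence[str], failregex: str, maxretry: int, ignoreregex: str = "") -> List[str]:
    """Hosts a jail with this maxretry would ban, sorted.

    Simplification versus fail2ban: there is no findtime window, every sample line is "recent".
    """
    counts = Counter(match_hosts(lines, failregex, ignoreregex))
    return sorted(host for host, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    for name, regex in FILTERS.items():
        print(name, match_hosts(SAMPLE_LOG, regex))
    print("postfix-reject, maxretry=3:", offenders(SAMPLE_LOG, FILTERS["postfix-reject"], 3))
```

The postfix pattern anchors on the bracketed client address and the three-digit SMTP code, so it bans on any "RCPT from ... reject" regardless of the reason text; narrow it to `450 4\.1\.1` if only unknown-recipient rejections should count. Run the real thing with `fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/yourfilter.conf` once a pattern passes here.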

Multiple Servers in DMZ writing IPTABLES rules to primary firewall

(by Lynn Dobbs) All Internet traffic enters my internal network through a single firewall/router and is then handed to appropriate servers that are all running fail2ban. That means an ip address I wish to ban (attacking port 22, for instance), must be individually banned on each server. I would much rather ban the attacker at the first firewall. That way none of my servers receive packets from the banned IP. Currently, fail2ban server/client communication is via a unix socket. It would be great to be able to select, via a conf file entry, a tcp/ip socket option so that my DMZed servers could add rules to the IPTABLES of the primary server.

EDIT to ADD: Uff-Dah. After looking even more closely, I see that I can add an "action" set that would handle communication between the individual servers and the main firewall that would then duplicate the iptable commands over there.

Bruteforce from Botnets

(by CorvusCorax)

Hi. I was recently experimenting with a simple perl script that does roughly the same as fail2ban, to deal with bruteforce attacks on my server. I ran into memory issues due to the number of attacks and searched for alternatives, but fail2ban doesn't meet the requirements due to the following characteristics of today's attacks:

Attack characteristics

  • Connections related to the same attack series (same or similar usernames are tested) come from hundreds of different IPs.
  • Each attacker IP makes a number of simultaneous connections and login attempts at the same time (usually between 5 and 8)
  • Each attacker IP does only one such attack, and then will not try again for a timespan reaching from 30 seconds to several hours.

Requirements for Countermeasures

  • Superb reaction speed: An IP must be blocked fast enough to prevent completing at least some of the several simultaneous login attempts from the same IP.
  • Low threshold: Even with high reaction time, the server must take countermeasures at the first break-in attempt of an IP, in order to have an impact on the attack success.
  • User friendliness: Despite these harsh methods, the server must react in a way not penalizing users that accidentally mistype passwords beyond reasonable means.

My approach for implementation:

  • I used the | (pipe) syntax in /etc/syslogd.conf to write relevant log information into a fifo, read on the fly by the response script, that way improving reaction time.
  • The response script has a whitelist of IPs that have successfully logged in on the same day, from which failures will be tolerated.
  • Any login failure from a non-whitelisted IP will result in immediate blocking. Additionally, firewall rules that mimic the old MIRROR iptables target will be put in place, making any further attacks by that IP target the attacking system itself.
  • To not hit the accidentally mistyping legitimate user too hard, the first login failure of an IP will only result in a relatively short BAN; however the IP is remembered, and each additional authentication failure (including simultaneous failures occurring before the block; usually of the 5 to 8 I was blocking all but 2 or 3) increases the length of the BAN, increasing in time jumps of something like 30 seconds, 5 minutes, one hour, one day, ...
  • Blocking IPs for more than one day usually isn't very effective, since most botnet participants are on dynamic/dial-in IPs anyway which tend to change on a 24h interval; thus the ban would become useless and, worse, hit other, innocent users. So the maximum ban time is 24 hours from the last seen break-in attempt.


Squid filter

squid.conf

   # Fail2Ban configuration file for squid
   #
   # Author: Jackie Craig Sparks
   #
   # $Revision: 728 $
   #
   [INCLUDES]
   # Read common prefixes. If any customizations available -- read them from
   # common.local
   before = common.conf
   [Definition]
   _daemon = squid
   # Option:  failregex
   # Notes.:  regex to match the password failures messages in the logfile. The
   #          host must be matched by a group named "host". The tag "<HOST>" can
   #          be used for standard IP/hostname matching and is only an alias for
   #          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
   # Values:  TEXT
   #
   # Squid's native access.log: "<epoch>.<ms>  <elapsed ms> <client> TCP_DENIED/407 ...".
   # The elapsed field is right-aligned with a variable number of spaces and may
   # have several digits, so it is matched with \s+\d+\s+ rather than fixed widths.
   failregex = ^\d+\.\d+\s+\d+\s+<HOST> TCP_DENIED/407 .*$
   # Option:  ignoreregex
   # Notes.:  regex to ignore. If this regex matches, the line is ignored.
   # Values:  TEXT
   #
   ignoreregex =

Possible extensions

  • Use iptables "log" feature to react to attempted access during the ban-time and increase the ban time in this case - only unbanning if an IP stays silent long enough

It would be cool to see this implemented in fail2ban, especially a configurable escalation strategy with dynamically extending ban times, and support for piped log fifos for better reaction speed would be a must.

Unsorted comments

New Features

Hello, having to manage more than 20 servers, a good feature to introduce in the next releases would be to allow modifying the email notification's header by setting one common parameter (i.e. <emailheader>=[Machine_name || IP xyz.xyz.yxz.xyz - Fail2ban]) in fail2ban.conf, once for all actions.


for example, the section:

             [Definition]
             # Option:  actionstart
             # Notes.:  command executed once at the start of Fail2Ban.
             # Values:  CMD
             #
             actionstart = printf %%b "Hi,\n
             The jail <name> has been started successfully.\n
             Regards,\n
             Fail2Ban"|mail -s "[Fail2Ban] <name>: started" <dest>

could be modified into:

             Fail2Ban"|mail -s "<emailheader> <name>: started" <dest>

This will allow the webadmins to understand immediately which server is under attack even without having to open the mail message. It is extremely useful if you are receiving alarms on your mobile phone ;)

cheers ^_^

James


For 3 years I have been noticing, helplessly, what the other little guys were trying to do with my servers: trying to break in with silly usernames and mostly silly passwords. NOW we can stop this. I'm very keen on intelligently breaking attempts; let's see what the "other little guys" can do in future. Back to fail2ban: GREAT piece of software. thanx_very_much.

Here's my try for webmin. I had to define an explicit port number (port=webmin doesn't work):

    [webmin-iptables]
    enabled  = true
    filter   = webmin-auth
    action   = iptables[name=webmin, port=10000, protocol=tcp]
               sendmail-whois[name=webmin, dest=john_with_big_doe@world.net, sender=fail2ban@my_servers.net]
    logpath  = /var/log/messages
    maxretry = 2

Thanks, Klaus


I also love Fail2ban (great work guys), maybe I'm missing something but is there a way to unban an IP using fail2ban-client? If not could you add this feature?


Thank you :) You're right :/ You can't unban an IP address using fail2ban-client. This will be added in the next development branch (0.9). Be patient ;) --Lostcontrol 23:23, 21 March 2007 (CET)


Fail2ban is one of the best projects I've encountered - I love it! One suggestion: in 0.7, the iptables.conf action uses the pre-ban command

iptables -L....

Is there a reason for this? Maybe ip spoofing? At any rate, this can cause fail2ban to take forever in implementing its actions if the iptables chains are big, because it causes DNS lookups for each entry. I suggest adding the "n" flag to the command, to speed things up, like this:

iptables -nL....

See:

netfilter FAQ: iptables -L takes a very long time to display the rules

and

Docunext: fail2ban iptable.conf action


Thank you. Added in the repository. --Lostcontrol 13:21, 14 December 2006 (PST)



I have found a problem in fail2ban 0.8.1. The regex for proftpd is incorrect. In the filter.d file, it reads:

failregex = USER \S+: no such user found from \S* ?\[<HOST>\] to \S+\s*$

           \(\S*\[<HOST>\]\) - USER \S+ \(Login failed\): Incorrect password.$

The second line does not pick up a failed password. If you change it to:

           \(\S*\[<HOST>\]\): USER \S+ \(Login failed\): Incorrect password.$

it will then pick it up. This has not been fixed in the nightly trunk as of 29-Oct-2007.

Thanks, Phil.



Seems that upon power failure, Fail2Ban fails to start when the computer reboots because the /tmp/fail2ban.sock file still exists. Perhaps this file could be removed automatically upon boot?

Fail2Ban output (like error messages) is sent to /dev/null when Fail2Ban is started during boot (at least on my Gentoo system), so it would be nice to at least be notified of the issue during bootup. Otherwise, it just says "Failed" during bootup, and it's hard to tell why. Just a thought.

Additional Actions for large ban tables (spam attacks)

When huge ban tables are formed something a little more efficient than iptables is needed.

Suggestions

Ipset using iphash type

null routing

DNS blacklist


Regexp for vsftp

IP Addresses in Documentation

Hello, reading thru the docs and I just noticed that there are places where one should use 123.123.123.123 as an IP Address for documentation.

Referring to http://tools.ietf.org/html/rfc3330 Section 2, Paragraph 12, please do use the TEST-NET assigned numbers. I think it would save quite a few users from misconfiguring their stuff (just search for "TEST-NET" on the page and you'll be taken directly to the corresponding paragraph).


In short RFC3330 Special-Use IPv4 Addresses:

   192.0.2.0/24 - This block is assigned as "TEST-NET" for use in
   documentation and example code.  It is often used in conjunction with
   domain names example.com or example.net in vendor and protocol
   documentation.  Addresses within this block should not appear on the
   public Internet.

I know this is a bit picky but personally I found that it eases use of documentation (also if you use example.com and example.net domains in documentation rather than some probably not so bogus hostname)


Thank you for the suggestion. I will adapt the documentation. --Lostcontrol 23:12, 18 April 2007 (CEST)


I installed the .80 branch on my fedora clarkconnect box. Unfortunately clark uses python 2.3, so I had to rpm it to 2.4. I had two python libraries, so once I downloaded and untarred the fail2ban source I ran "/usr/bin/python2.4 setup.py install" and everything ran fine, no complaints about @staticmod. I also note my main problem is errors in my proftpd, as I'm being hacked by user "administrator" unknown. proftpd logs to /var/log/secure, not /var/log/ftp/proftpd as set in the default configs. Once I set my email I already nabbed a China hacker and got an email. Thanks, I run snort, snortsam, and fail2ban and feel pretty secure.


Could you try a nightly build from trunk? It should work with Python 2.3 which is the minimal requirement for the new development branch. I haven't done a lot of work on this branch yet (CHANGELOG) and your current configuration will work without any modifications. If you try it, please, could you give me feedback (mailing-list or e-mail)? Thank you. --Lostcontrol 09:52, 29 June 2007 (CEST)

  • Thanks for this - it works perfectly on RHEL4, which is using Python 2.3. Just a suggestion: you may want to update the README that comes with the package so it doesn't talk about Python >= 2.4 any more.
--Trix

High CPU wake-up in powertop

Using PowerTop (http://www.lesswatts.org/projects/powertop/), fail2ban seems to wake up the CPU a lot, draining laptop batteries.

Here is an output of powertop under Ubuntu 7.10 (running in VirtualBox).

Main causes of wake-ups:
  58,6% ( 26,9)   fail2ban-server : schedule_timeout (process_timeout) 
  12,9% (  5,9)   vboxadd-xclient : schedule_timeout (process_timeout)
   5,7% (  2,6)              Xorg : do_setitimer (it_real_fn)
   5,4% (  2,5)   multiload-apple : schedule_timeout (process_timeout)
   4,4% (  2,0)     <kernel core> : clocksource_register (clocksource_watchdog)
   2,2% (  1,0)         nm-applet : schedule_timeout (process_timeout)
[...stripped...]

Could it be possible to investigate this ?


Hi. This is fixed in 0.9 branch (trunk). You can give it a try: http://www.fail2ban.org/nightly/fail2ban-trunk.tar.bz2 --Lostcontrol 12:10, 4 December 2007 (CET)

Created script to check fail2ban configuration

Created this script after I had several misconfigurations across many servers. It uses values from the config files for testing: a wrapper for fail2ban-regex that eliminates late-night, low-on-caffeine human errors in testing your config. It could also be used after an update to verify the configuration, run from a weekly cron, or to create a fail2ban report.

(http://mochabomb.com/software/fail2ban-check.txt)

This was written on Redhat + fail2ban 0.8; with mild changes it ought to work on any *nix system.

Fail2ban is an incredibly valuable program. It ought to be included in all Redhat/Debian/FreeBSD/*nix distro's

ban for about xx min, config time between break-in attempts?

I don't know that much about the way fail2ban and breaking into systems work, so bear with me. Nevertheless here is an idea that struck me: If you implement an algorithm to "humanize" banning time, i.e. one that calculates the time when that IP is no longer dropped, would that hide some more information from a potential cracker? I'm thinking: If I can see that my IP is blocked for 1 min, for 3 min, for 8 min, but not 10 min after my last unsuccessful try, I might be able to guess (using maybe other info, too) that fail2ban is utilized? Or even better if fail2ban extends the period every time this IP keeps trying? As I said, just brainstorming here :)

Config options would be nice, too (hopefully I haven't overlooked already existing ones):

  • min-time-between-attempts-to-call-ban-action or range-between, e.g. range-between = 1s 10m
  • blur-by = x min
  • multiply-ban-time-by = x (or even exponentially?) and extend-bantime = true
  • comforting feature, nice-to-have: times in Xs = seconds, Xm = minutes.. like e.g. ddclient does

Thanks for your great work and effort! --88.191.80.227 12:48, 17 May 2008 (UTC)

pure-ftpd and apache ban fails with DNS error

Hi,

I'm running Fail2Ban v0.8.2 from fail2ban-0.8.2-14.fc7.rpm on FC7 (obviously). SSH is nicely blocked, but the pure-ftpd and apache logfiles lead to the error:

2008-06-24 17:33:17,657 fail2ban.filter : WARNING Unable to find a corresponding IP address for hostname.domain)

It's not surprising that "hostname.domain)" cannot be resolved due to the ending ")". A simple dns = dns.replace(")","") in filter.py solved the problem, but probably it's just a little typo in the filter regexp for pure-ftpd and apache? Maybe this problem is solved anyway and just apparent in the FC7 rpm?

Regards and thanks for this useful software!

Eike


The above error also happens on Ubuntu 8.04 with fail2ban 0.8.2 from the Ubuntu repositories. So it's not an FC7-related issue, rather an issue if a hostname or IP address is enclosed in brackets "()". I resolved the problem exactly like you did after playing around two hours with the regex and could not find a solution.

Regards and thanks for fail2ban.

Marco


This fixed it for me...

in filter.d/pure-ftpd.conf

BEFORE: failregex = pure-ftpd(?:\[\d+\])?: (.+?@<HOST>) \[WARNING\] %(__errmsg)s \[.+\]$

AFTER: failregex = pure-ftpd(?:\[\d+\])?: (.+?@<HOST>\)) \[WARNING\] %(__errmsg)s \[.+\]$


I changed the (.+?@<HOST>) term to (.+?@<HOST>\))

I also had to change the logfile entry to /var/log/messages instead of the supplied logfile.

-Doug
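An added example, not from any of the posts above and not fail2ban's own code: a small fail2ban-regex-style harness in Python that expands the <HOST> tag and runs Doug's BEFORE and AFTER pure-ftpd failregex over constructed log lines. It shows why a permissive host alias swallows the closing parenthesis and yields "hostname.domain)" (the unresolvable name Eike and Marco saw), why a stricter alias such as the one quoted later on this page makes the BEFORE regex miss entirely, and why the AFTER regex captures a clean host with either alias. The \S+ alias, the stand-in for %(__errmsg)s and the sample lines are assumptions/constructed, not taken from fail2ban's filter files.

```python
import re

# The <HOST> alias quoted elsewhere on this page (squid filter section).
HOST_STRICT = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"
# A permissive alias of the \S+ kind. Assumed here to illustrate how a trailing
# ")" ends up inside the host capture; which release used which alias is not
# something the thread states.
HOST_LOOSE = r"(?:::f{4,6}:)?(?P<host>\S+)"

# Constructed stand-in for %(__errmsg)s; the real alternation lives in
# filter.d/pure-ftpd.conf.
ERRMSG = r"(?:Authentication failed for user|Sorry, cleartext sessions and weak ciphers are not accepted on this server)"

# The two failregex lines from Doug's post, BEFORE and AFTER his change.
BEFORE = r"pure-ftpd(?:\[\d+\])?: (.+?@<HOST>) \[WARNING\] %(__errmsg)s \[.+\]$" % {"__errmsg": ERRMSG}
AFTER = r"pure-ftpd(?:\[\d+\])?: (.+?@<HOST>\)) \[WARNING\] %(__errmsg)s \[.+\]$" % {"__errmsg": ERRMSG}


def compile_failregex(failregex, host_alias=HOST_STRICT):
    """Expand the <HOST> tag the way fail2ban does and compile the result."""
    return re.compile(failregex.replace("<HOST>", host_alias))


def extract_host(failregex, line, host_alias=HOST_STRICT):
    """Host captured from one log line, or None if the failregex does not match."""
    m = compile_failregex(failregex, host_alias).search(line)
    return m.group("host") if m else None


def check_failregex(failregex, lines, host_alias=HOST_STRICT):
    """fail2ban-regex style summary: matched host -> number of lines, plus the misses."""
    hits, missed = {}, []
    for line in lines:
        host = extract_host(failregex, line, host_alias)
        if host is None:
            missed.append(line)
        else:
            hits[host] = hits.get(host, 0) + 1
    return hits, missed


# Constructed sample lines in the syslog/pure-ftpd style discussed in the thread.
SAMPLE_LINES = [
    "Jun 24 17:33:17 box pure-ftpd: (?@hostname.domain) [WARNING] Authentication failed for user [bob]",
    "Jun 24 17:33:19 box pure-ftpd: (?@hostname.domain) [WARNING] Authentication failed for user [root]",
    "Jun 24 17:33:25 box pure-ftpd: (?@192.0.2.5) [WARNING] Authentication failed for user [admin]",
]

if __name__ == "__main__":
    for label, alias in (("loose", HOST_LOOSE), ("strict", HOST_STRICT)):
        for name, rx in (("BEFORE", BEFORE), ("AFTER", AFTER)):
            print(label, name, check_failregex(rx, SAMPLE_LINES, alias))
```

With the loose alias the BEFORE regex reports "hostname.domain)" and "192.0.2.5)", which is exactly the string the DNS lookup then fails on; the AFTER regex returns "hostname.domain" and "192.0.2.5" under both aliases, so it is the safer fix regardless of which fail2ban version is installed.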


Fail2ban is failing to ban VSFTPD bruteforce

A similar issue to those above, in my case with VSFTPD, with unresolvable DNS names from /var/log/secure:

  • Scenario: VSFTP configuration is set for PAM authentication, using xferlog in standard format. Fail2ban for vsftpd is watching /var/log/secure
  • Problem: PAM sends failed login information to /var/log/secure, but the remote server's IP address has been replaced by a DNS name. Resulting DNS name does not resolve or does not resolve correctly, thus fail2ban is unable to ban the IP address.
  • Fix: Configure VSFTP for "dual_log_enable=YES", and have fail2ban watch /var/log/vsftpd.log instead. This log file shows the incoming ip address instead of the DNS name.


A few notes

Hello and thanks for the nice script :)

I'm running Gentoo and fail2ban 0.8.2. I noticed that fail2ban didn't use the "POSSIBLE BREAK-IN ATTEMPT"-regexp at all and I think it's because my sshd puts an exclamation mark after the line, like "POSSIBLE BREAK-IN ATTEMPT!".

88.191.80.227 had some good ideas and I thought of something else too: a specific bantime for a certain regexp. At least I'm annoyed with the endless "connection from"-reports from sshd and most of them are caused by a bot. It would be nice to have that rule among the other sshd-rules, but with a lesser 'punishment'.


Question about persistent IP address bans over restart

Hi, just started using Fail2ban - love the software.

I have the ban time for postfix spamming IP addresses set to 1 month, but when logrotate does its thing from cron.daily I see that it restarts Fail2ban. This seems to remove all currently banned IPs (for all rulesets) and fire out the usual collection of "Stopped...", "Started..." emails.

Is there any way to get currently banned IP addresses to persist over Fail2ban restarts?

- Richard

I'm also interested in the ability to have bans persist over restarts. Can it be done with the post-ban scripts?

- Kevin

logrotate configuration must run 'fail2ban-client set logtarget /var/log/fail2ban.log' instead of 'invoke-rc.d --quiet fail2ban reload' (Debian installation).

- Eupalynos

That works for logrotate, but not for other restarts (e.g. system reboot). A feature to keep track of active bans in some persistent store would be nice to cover all cases.

- Curby


Here is a solution that seems to save and reload banned IPs across fail2ban service restarts (without creating duplicate fail2ban rules in iptables) by modifying a small portion of /etc/init.d/fail2ban:

start() {
    echo -n $"Starting fail2ban: "
    getpid
    if [ -z "$pid" ]; then
        rm -rf /var/run/fail2ban/fail2ban.sock # in case of unclean shutdown
        $FAIL2BAN start > /dev/null
        RETVAL=$?
    fi
    if [ $RETVAL -eq 0 ]; then
        touch /var/lock/subsys/fail2ban
        echo_success
        /sbin/service iptables restart # reloads previously banned ip's
    else
        echo_failure
    fi
    echo
    return $RETVAL
}

stop() {
    echo -n $"Stopping fail2ban: "
    getpid
    RETVAL=$?
    if [ -n "$pid" ]; then
        /sbin/service iptables save # saves banned ip's
        $FAIL2BAN stop > /dev/null
        sleep 1
        getpid
        if [ -z "$pid" ]; then
            rm -f /var/lock/subsys/fail2ban
            echo_success
        else
            echo_failure
        fi
    else
        echo_failure
    fi
    echo
    return $RETVAL
}


A downside is that fail2ban-client doesn't know anything about these persistent bans.

Enjoy! -- Vinnie Vedi


You could extract the current banned IPs on service stop using this script:

#!/bin/sh
jails=$(fail2ban-client status | grep Jail\ list: | sed 's/.*Jail list:\t\+//;s/,//g')
for jail in ${jails}; do
    for ip in $(fail2ban-client status ${jail}|grep IP\ list|sed 's/.*IP list:\t//'); do
        echo "fail2ban-client set ${jail} banip ${ip}"
    done
done

Save the output to a file, and execute the file on service start.

- mehturt
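An added example (mine, not mehturt's script and not fail2ban's code) that does the same export in Python: it parses the `Jail list:` and `IP list:` lines of the status output instead of cutting them with sed, and validates every token before it goes into a file that will later be executed as shell by the init script. The status output below is constructed to match the 0.8-era layout the sed expressions above assume (tab separated); the jail names and addresses are sample values.

```python
import ipaddress
import re
import shlex

JAIL_NAME_RE = re.compile(r"^[\w.-]+$")


def parse_jail_list(status_text):
    """Jail names from `fail2ban-client status` output (the 'Jail list:' line)."""
    m = re.search(r"Jail list:[ \t]*(.*)", status_text)
    if not m:
        return []
    names = [j.strip() for j in m.group(1).split(",")]
    return [j for j in names if JAIL_NAME_RE.match(j)]


def parse_banned_ips(jail_status_text):
    """Banned addresses from `fail2ban-client status <jail>` (the 'IP list:' line).

    Only tokens that parse as IP addresses are returned: the output of this
    script is later executed as shell (usually as root), so nothing else may
    leak into it."""
    m = re.search(r"IP list:[ \t]*(.*)", jail_status_text)
    if not m:
        return []
    ips = []
    for tok in m.group(1).split():
        try:
            ips.append(str(ipaddress.ip_address(tok)))
        except ValueError:
            continue  # hostname, garbage or anything that is not an address: skip it
    return ips


def restore_commands(status_text, jail_status_by_name):
    """One `fail2ban-client set <jail> banip <ip>` line per currently banned address."""
    cmds = []
    for jail in parse_jail_list(status_text):
        for ip in parse_banned_ips(jail_status_by_name.get(jail, "")):
            cmds.append("fail2ban-client set %s banip %s" % (shlex.quote(jail), ip))
    return cmds


# Constructed samples of the 0.8-era status output (tab separated, as the sed
# expressions in mehturt's script expect).
STATUS = "Status\n|- Number of jail:\t2\n`- Jail list:\t\tssh-iptables, postfix\n"
JAIL_STATUS = {
    "ssh-iptables": (
        "Status for the jail: ssh-iptables\n"
        "|- filter\n"
        "|  |- File list:\t/var/log/secure\n"
        "|  |- Currently failed:\t0\n"
        "|  `- Total failed:\t12\n"
        "`- action\n"
        "   |- Currently banned:\t2\n"
        "   |  `- IP list:\t203.0.113.9 198.51.100.7\n"
        "   |- Total banned:\t2\n"
    ),
    "postfix": (
        "Status for the jail: postfix\n"
        "`- action\n"
        "   |- Currently banned:\t0\n"
        "   |  `- IP list:\t\n"
        "   |- Total banned:\t0\n"
    ),
}

if __name__ == "__main__":
    # In real use the two strings come from subprocess calls to fail2ban-client.
    print("\n".join(restore_commands(STATUS, JAIL_STATUS)))
```

Run it from the init script's stop() with the real `fail2ban-client status` output, redirect to a file, and feed that file to sh after fail2ban has started; the address validation is what keeps a stray token in the status output from turning into a shell command in a root-run file.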

Question how to ban hack attacks but not ban members

I see items in my logs like:

     /admin/phpMyAdmin-2.2.3/main.php: 1 Time(s)
     /admin/phpMyAdmin-2.2.6/main.php: 1 Time(s)
     /admin/phpMyAdmin-2.5.1/main.php: 1 Time(s)
     /admin/phpMyAdmin-2.5.4/main.php: 1 Time(s)
     /admin/phpMyAdmin-2.5.5-pl1/main.php: 1 Time(s)
     /admin/phpMyAdmin-2.5.5-rc1/main.php: 1 Time(s)
     /admin/phpMyAdmin-2.5.5-rc2/main.php: 1 Time(s)
     /admin/phpMyAdmin-2.5.5/main.php: 1 Time(s)
     /admin/phpMyAdmin-2.5.6-rc1/main.php: 1 Time(s)
     /admin/phpMyAdmin-2.5.6-rc2/main.php: 1 Time(s)
     /phpMyAdmin-2.6.1-pl2/main.php: 1 Time(s)
     /phpMyAdmin-2.6.1-pl3/main.php: 1 Time(s)
     /phpMyAdmin-2.6.1-pl3/read_dump.phpmain.php: 1 Time(s)
     /phpMyAdmin-2.6.1-rc1/main.php: 1 Time(s)
     /phpMyAdmin-2.6.1-rc2/main.php: 1 Time(s)
     /phpMyAdmin-2.6.1/main.php: 1 Time(s)
     /phpMyAdmin-2.6.2-beta1/main.php: 1 Time(s)
     /phpMyAdmin-2.6.2-pl1/main.php: 1 Time(s)
     /phpMyAdmin-2.6.2-rc1/main.php: 1 Time(s)
     /phpMyAdmin-2.6.2/main.php: 1 Time(s)
     /phpMyAdmin-2.6.3-pl1/main.php: 1 Time(s)
     /phpMyAdmin-2.6.3-pl1/read_dump.phpmain.php: 1 Time(s)
     /phpMyAdmin-2.6.3-rc1/main.php: 1 Time(s)
     /phpMyAdmin-2.6.3/main.php: 1 Time(s)
     /phpMyAdmin-2.6.4-pl1/main.php: 1 Time(s)

How do I ban bad guys without banning members who just mis-type pages or try to rip it and just specify out of range pages? I just want to keep the BAD GUYS OUT!

- Tom

Add an action : Log packet with NFLOG

I made a modification based on iptables-multiport-log.conf :


     # Fail2Ban configuration file
     #
     # Author: Guido Bozzetto
     # Modified: Cyril Jaquier
     # Modified: Cyril Lopez
     # make "fail2ban-<name>" chain to match drop IP
     # make "fail2ban-<name>-nflog" chain to log and drop
     # insert a jump to fail2ban-<name> from -I INPUT if proto/port match
     #
     #
     #
     
     [Definition]
     
     # Option:  actionstart
     # Notes.:  command executed once at the start of Fail2Ban.
     # Values:  CMD
     #
     actionstart = iptables -N fail2ban-<name>
                   iptables -A fail2ban-<name> -j RETURN
                   iptables -I INPUT 1 -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
                   iptables -N fail2ban-<name>-nflog
                   iptables -I fail2ban-<name>-nflog -j NFLOG --nflog-group 10 --nflog-prefix "$(expr fail2ban-<name> : '\(.\{1,23\}\)'):DROP " -m limit --limit 6/m --limit-burst 2
                   iptables -A fail2ban-<name>-nflog -j DROP
     
     # Option:  actionstop
     # Notes.:  command executed once at the end of Fail2Ban
     # Values:  CMD
     #
     actionstop = iptables -D INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
                  iptables -F fail2ban-<name>
                  iptables -F fail2ban-<name>-nflog
                  iptables -X fail2ban-<name>
                  iptables -X fail2ban-<name>-nflog
     
     # Option:  actioncheck
     # Notes.:  command executed once before each actionban command
     # Values:  CMD
     #
     actioncheck = iptables -n -L fail2ban-<name>-nflog >/dev/null
     
     # Option:  actionban
     # Notes.:  command executed when banning an IP. Take care that the
     #          command is executed with Fail2Ban user rights.
     # Tags:    <ip>  IP address
     #          <failures>  number of failures
     #          

Permanently Ban Persistent IP Addresses

I would love to see a way for Fail2Ban to permanently ban IPs that receive a temporary ban x number of times. For instance, if an IP attempts to break into SSH 5 times and fails, it gets a temporary ban of 10 minutes. If that same IP tries and fails again 5 more times after the temporary ban is lifted, it gets another temporary ban. If that same IP cycles through this process 5 times in a span of 6 hours, create a firewall rule that is either permanent or covers a much longer time frame. I don't want to extend the number of minutes for a single ban in case a legit user just fails to log in too many times, but I don't want to receive the Fail2Ban emails for the same IP 300 times before I manually create a new firewall entry permanently blocking that IP.

Is this possible or can this functionality be easily added to Fail2Ban?

Thanks for such a great and useful tool!

- Mike

Hi Mike, how about this solution: Fail2ban_monitoring_Fail2ban

- Regards, whyscream

Add regex tag for count

I have a couple of services that will sit on failed attempts for a little bit, then release them all with something like "Failed login from <HOST>, X times" where X is of course variable. I don't see an easy way to add a new tag to the parser that could be used in a regex to pull that number in like one does with the <HOST> tag, so if someone could tell me where to do it that would be great. If someone wants to send me a diff, that would be even greater! :> 128.112.24.13 18:24, 10 June 2009 (UTC) (domain astro.princeton.edu, user huston)

Python 2.6 support (relevant only for 0.8.3 and older)

fail2ban does not work with Python 2.6. See http://www.howtoforge.com/forums/showthread.php?t=34886 As, on OpenSUSE 11.1, there is no Python 2.5 (which is recommended in the above source and which I can confirm to work) available, I am looking for a fix for the fail2ban-server.

Fixed in 0.8.4

Some help in custom filter needed

I have a rather odd looking log file coming out of cardservproxy:

[090805 11:05:23.156] WARNING -> NewcamdSession[15:via] <- User 'j49' (80.232.242.106) login denied, unauthorized/invalid/missing password

Would it be possible to work out the solution for fail2ban and could someone help me with regex? Because I haven't had any experience with it and so far a couple hours and many different tries to make it work were worthless. Everything else, like ssh, ssh-ddos works perfectly. So far this is a perfect tool for stopping mid-knowledge wannabe-hackers. Great piece of software!

Prevention of duplicate iptables entries

If you do a default fail2ban setup and enable ssh-iptables (for example), fail2ban will write a user defined chain to iptables in memory. So far so good. Now if you did a "service iptables save" or "iptables-save > /etc/sysconfig/iptables" which is the standard way to save iptables it writes the current rules, including the added fail2ban rules, to the file. The next time you reboot the fail2ban rules are added to iptables twice, once by the default 'iptables' config file and again by fail2ban. This is confirmed by doing a "iptables -L".

If you understand iptables and fail2ban it is an easy mistake to avoid but certainly not idiot proof or when you are working on something at 4am on 10 cups of coffee or whatever as a previous contributor mentioned. Is there any way to perhaps put a check into /etc/fail2ban/action.d/iptables.conf to prevent duplicate entries?

Some help on banning bad guys

reviewing the fail2ban logs I keep seeing hundreds of entries like these:

  2009-11-18 00:06:33,415 fail2ban.actions: WARNING [apache-tcpwrapper] 202.108.50.4 already banned   
  2009-11-18 00:06:34,414 fail2ban.actions: WARNING [apache-tcpwrapper] 200.201.190.82 already banned 
  2009-11-18 00:06:35,415 fail2ban.actions: WARNING [apache-tcpwrapper] 123.125.156.145 already banned
  2009-11-18 00:06:36,416 fail2ban.actions: WARNING [apache-tcpwrapper] 124.172.110.158 already banned
  2009-11-18 00:06:37,418 fail2ban.actions: WARNING [apache-tcpwrapper] 202.108.50.4 already banned   
  2009-11-18 00:06:38,419 fail2ban.actions: WARNING [apache-tcpwrapper] 123.133.132.247 already banned
  2009-11-18 00:06:39,419 fail2ban.actions: WARNING [apache-tcpwrapper] 119.145.136.236 already banned
  2009-11-18 00:06:40,419 fail2ban.actions: WARNING [apache-tcpwrapper] 122.70.146.53 already banned  
  2009-11-18 00:06:41,419 fail2ban.actions: WARNING [apache-tcpwrapper] 124.172.110.158 already banned
  2009-11-18 00:06:42,419 fail2ban.actions: WARNING [apache-tcpwrapper] 122.70.146.53 already banned  

My only recourse when I see these attacks is to open a command line and manually kill them one by one with iptables -A INPUT -s 122.70.146.53 -j DROP. So how can I configure my fail2ban to really get rid of these idiots? This is my jail2.conf for apache-tcpwrapper:

  [apache-tcpwrapper]
  enabled  = true
  filter   = apache-auth
  action   = iptables[name=SSH, port=ssh, protocol=tcp]
          sendmail-whois[name=SSH, dest=foo@bar.com, sender=fail2ban@bar.com]
  logpath  = /var/log/httpd/error_log
  maxretry = 3

reply- terry@cnysupport.com: You may be using the wrong jail config file. You're banning using tcpwrappers, but apache isn't using tcpwrappers. You would need to switch to an apache jail that uses iptables or reconfigure apache to use tcpwrappers.

ASSP filter for Fail2ban

You can set up fail2ban to monitor the maillog.txt file of the ASSP Anti-SPAM SMTP proxy: ASSP


Regex Tag to modify bantime

(by Paul Gregg) I am attempting to use ProjectHoneyPot.org http:BL (HTTP blacklist) to identify suspicious/comment spammer/etc visitors to my webserver. I have written a daemon that watches the Apache HTTP server's access_log (parses it out) and checks http:BL API for the visiting IP. If the IP comes back reported as being on the blacklist (excluding search engines which are reported, but obviously not dangerous), I output a record to a new logfile called httpbl_access_log. I then have fail2ban watch this log and ban any IPs I find in there with:

 failregex = HTTPBL: <HOST> (\S+)

and jail.conf:

 [httpbl-access-log]
 enabled  = true
 filter   = httpbl-access-log
 port     = http
 # the option fail2ban reads is maxretry (maxfailures is not recognised)
 maxretry = 1
 bantime = 86400
 logpath  = /usr/local/apache2/logs/httpbl_access_log
 action   = iptables[name=httpbl-access-log, port=http, protocol=tcp]

The logfile watched looks like:

 [19/Mar/2010:16:32:44 +0000] HTTPBL: 64.120.251.242 13 127.3.13.5 Comment_Spammer,Suspicious
 [19/Mar/2010:16:34:56 +0000] HTTPBL_WHITELISTED: 218.28.69.205 29 127.29.31.1 Suspicious
 [19/Mar/2010:16:51:18 +0000] HTTPBL: 91.201.64.11 27 127.3.27.5 Comment_Spammer,Suspicious

(so you can see my regex ignores the whitelisted, but reported, entries).

However, and the reason for my posting, I want to take the number after the <HOST> entry and use that as my bantime for this entry. Currently I am reporting http:BL's "threat" score (see 3rd octet in the 127.x.x.x discounted by how old http:BL's entry is, 2nd octet). I am prepared to change this to output raw seconds that I want the ban to be in force for.

I don't think this can be done today - any chance for a <BANTIME> tag?

Thanks, Paul Gregg



Bug: banning when PAM is erroring

(by Nate M)

There is a bug wherein fail2ban will ban an IP when the user is not authenticated due to PAM erroring. In this particular case, our server came under a DoS attack which ate up the RAM memory and thus caused errors with PAM ... when I tried to log-in via SSH in order to respond to the attack, I was banned due to the temporary error. This should ideally not happen. As you can see below, the PAM error and "failed password" error occurred during the same timestamp; fail2ban perhaps should check to see that this type of error did not occur at the same time as a "failed password" in order to avoid banning legitimate users.

/var/log/secure:

Jun 22 21:14:21 dedicated-server-one sshd[2921]: PAM unable to dlopen(/lib64/security/pam_env.so)
Jun 22 21:14:21 dedicated-server-one sshd[2921]: PAM [error: /lib64/security/pam_env.so: failed to map segment from shared object: Cannot allocate memory]
Jun 22 21:14:21 dedicated-server-one sshd[2921]: PAM adding faulty module: /lib64/security/pam_env.so
Jun 22 21:14:21 dedicated-server-one sshd[2921]: PAM unable to dlopen(/lib64/security/pam_unix.so)
Jun 22 21:14:21 dedicated-server-one sshd[2921]: PAM [error: /lib64/security/pam_unix.so: failed to map segment from shared object: Cannot allocate memory]
Jun 22 21:14:21 dedicated-server-one sshd[2921]: PAM adding faulty module: /lib64/security/pam_unix.so
Jun 22 21:14:21 dedicated-server-one sshd[2921]: PAM unable to dlopen(/lib64/security/pam_plesk.so)
Jun 22 21:14:21 dedicated-server-one sshd[2921]: PAM [error: /lib64/security/pam_plesk.so: failed to map segment from shared object: Cannot allocate memory]
Jun 22 21:14:21 dedicated-server-one sshd[2921]: PAM adding faulty module: /lib64/security/pam_plesk.so
Jun 22 21:14:21 dedicated-server-one sshd[2921]: PAM unable to dlopen(/lib64/security/pam_deny.so)
Jun 22 21:14:21 dedicated-server-one sshd[2921]: PAM [error: /lib64/security/pam_deny.so: failed to map segment from shared object: Cannot allocate memory]
Jun 22 21:14:21 dedicated-server-one sshd[2921]: PAM adding faulty module: /lib64/security/pam_deny.so
Jun 22 21:14:21 dedicated-server-one sshd[2921]: PAM unable to dlopen(/lib64/security/pam_nologin.so)
Jun 22 21:14:21 dedicated-server-one sshd[2921]: PAM [error: /lib64/security/pam_nologin.so: failed to map segment from shared object: Cannot allocate memory]
Jun 22 21:14:21 dedicated-server-one sshd[2921]: PAM adding faulty module: /lib64/security/pam_nologin.so
Jun 22 21:14:21 dedicated-server-one sshd[2921]: PAM unable to dlopen(/lib64/security/pam_cracklib.so)
Jun 22 21:14:21 dedicated-server-one sshd[2921]: PAM [error: /lib64/security/pam_cracklib.so: failed to map segment from shared object: Cannot allocate memory]
Jun 22 21:14:21 dedicated-server-one sshd[2921]: PAM adding faulty module: /lib64/security/pam_cracklib.so
Jun 22 21:14:21 dedicated-server-one sshd[2921]: PAM unable to dlopen(/lib64/security/pam_keyinit.so)
Jun 22 21:14:21 dedicated-server-one sshd[2921]: PAM [error: /lib64/security/pam_keyinit.so: failed to map segment from shared object: Cannot allocate memory]
Jun 22 21:14:21 dedicated-server-one sshd[2921]: PAM adding faulty module: /lib64/security/pam_keyinit.so
Jun 22 21:14:21 dedicated-server-one sshd[2921]: PAM unable to dlopen(/lib64/security/pam_limits.so)
Jun 22 21:14:21 dedicated-server-one sshd[2921]: PAM [error: /lib64/security/pam_limits.so: failed to map segment from shared object: Cannot allocate memory]
Jun 22 21:14:21 dedicated-server-one sshd[2921]: PAM adding faulty module: /lib64/security/pam_limits.so
Jun 22 21:14:21 dedicated-server-one sshd[2921]: PAM unable to dlopen(/lib64/security/pam_succeed_if.so)
Jun 22 21:14:21 dedicated-server-one sshd[2921]: PAM [error: /lib64/security/pam_succeed_if.so: failed to map segment from shared object: Cannot allocate memory]
Jun 22 21:14:21 dedicated-server-one sshd[2921]: PAM adding faulty module: /lib64/security/pam_succeed_if.so
Jun 22 21:14:21 dedicated-server-one sshd[2921]: Failed password for usernate from 111.222.111.222 port 44282 ssh2
Jun 23 01:14:21 dedicated-server-one sshd[2922]: Connection closed by 111.222.111.222
Jun 22 21:14:21 dedicated-server-one sshd[2921]: Failed password for usernate from 111.222.111.222 port 44282 ssh2

/var/log/fail2ban.log:

2010-06-22 21:14:23,381 fail2ban.actions: WARNING [ssh] Ban 111.222.111.222
2010-06-22 21:19:23,504 fail2ban.actions: WARNING [ssh] Unban 111.222.111.222
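An added illustration of the check Nate M proposes, not part of the post and not fail2ban code: a Python pass over the secure log that discounts a "Failed password" line when the same sshd process (pid) logged a PAM module-load error with the same timestamp. The first five sample lines are taken from the log above; the two 198.51.100.7 lines are constructed to show that genuine failures from another process are still counted. fail2ban's own ignoreregex works one line at a time and cannot see neighbouring lines, so this correlation would have to live in a pre-filter or in a change to the filter itself.

```python
import re
from collections import Counter

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
PAM_ERROR_RE = re.compile(r"^PAM (?:unable to dlopen|\[error:|adding faulty module)")
FAILED_RE = re.compile(r"^Failed password for .+ from (?P<host>\S+) port \d+ ssh2$")


def count_failures(lines):
    """Failures per host, minus those produced by a broken PAM stack.

    A 'Failed password' line is discounted when the same sshd process (pid)
    logged a PAM module-load error with the same timestamp. Returns a pair
    (counted, suppressed) of host -> number of lines."""
    broken = set()   # (pid, timestamp) pairs that had a PAM load error
    parsed = []
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        parsed.append(m)
        if PAM_ERROR_RE.match(m.group("msg")):
            broken.add((m.group("pid"), m.group("ts")))

    counted, suppressed = Counter(), Counter()
    for m in parsed:
        f = FAILED_RE.match(m.group("msg"))
        if not f:
            continue
        target = suppressed if (m.group("pid"), m.group("ts")) in broken else counted
        target[f.group("host")] += 1
    return counted, suppressed


# Sample: three PAM lines and the two failures from the post above, plus a
# constructed genuine failure from another process and address.
SAMPLE_LINES = [
    "Jun 22 21:14:21 dedicated-server-one sshd[2921]: PAM unable to dlopen(/lib64/security/pam_unix.so)",
    "Jun 22 21:14:21 dedicated-server-one sshd[2921]: PAM [error: /lib64/security/pam_unix.so: failed to map segment from shared object: Cannot allocate memory]",
    "Jun 22 21:14:21 dedicated-server-one sshd[2921]: PAM adding faulty module: /lib64/security/pam_unix.so",
    "Jun 22 21:14:21 dedicated-server-one sshd[2921]: Failed password for usernate from 111.222.111.222 port 44282 ssh2",
    "Jun 22 21:14:21 dedicated-server-one sshd[2921]: Failed password for usernate from 111.222.111.222 port 44282 ssh2",
    "Jun 22 21:20:05 dedicated-server-one sshd[3104]: Failed password for invalid user admin from 198.51.100.7 port 50122 ssh2",
    "Jun 22 21:20:09 dedicated-server-one sshd[3104]: Failed password for invalid user admin from 198.51.100.7 port 50122 ssh2",
]

if __name__ == "__main__":
    counted, suppressed = count_failures(SAMPLE_LINES)
    print("counted:", dict(counted))
    print("suppressed (PAM broken):", dict(suppressed))
```

Keying on pid as well as timestamp matters: under a memory-exhaustion attack several sshd children fail at the same second, and a plain timestamp match would also wipe out the attacker's own failures.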

IP log suggestion

(by Chad Columbus)

I suggest that you add an IP log, this log will allow 2 things:
1. It will allow IP bans to be reinstated on restart
2. It will allow IPs to be blocked exponentially longer with each ban.

I think #1 is obvious, but what I want with #2 is that when someone is banned for say 10 min, we add that to the log. If they come back and get banned again, this time it is for 20 min, if they return a 3rd time 40 min, and so on. This will eventually block them for days, weeks or years, if they behave badly enough.
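An added example that serves both Mike's "permanently ban after 5 bans in 6 hours" request earlier on this page and Chad's doubling suggestion here; it is not fail2ban code. It parses the Ban lines that fail2ban.log already contains (the format shown in Nate M's post above), flags addresses that reach the threshold inside a sliding window, and derives an escalated bantime from an address's prior ban count. Later fail2ban releases ship a recidive filter and jail that watch fail2ban.log in exactly this way. The log extract, threshold and base times are constructed sample values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

BAN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ fail2ban\.actions: "
    r"WARNING \[(?P<jail>[^\]]+)\] Ban (?P<ip>\S+)$"
)


def parse_bans(lines):
    """(timestamp, jail, ip) for every 'Ban' line of fail2ban.log; other lines are skipped."""
    bans = []
    for line in lines:
        m = BAN_RE.match(line)
        if m:
            bans.append((datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
                         m.group("jail"), m.group("ip")))
    return bans


def repeat_offenders(bans, min_bans=5, window=timedelta(hours=6)):
    """IPs that collected at least min_bans bans inside any window-long span.

    Returns ip -> time at which the threshold was crossed (the moment a
    long-term firewall rule would be created)."""
    times_by_ip = defaultdict(list)
    for ts, _jail, ip in sorted(bans):
        times_by_ip[ip].append(ts)
    flagged = {}
    for ip, times in times_by_ip.items():
        start = 0
        for end in range(len(times)):            # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= min_bans:
                flagged[ip] = times[end]
                break
    return flagged


def escalated_bantime(prior_bans, base=600, cap=30 * 86400):
    """Doubling scheme: 10 min, 20 min, 40 min, ... capped at 30 days."""
    return min(base * 2 ** prior_bans, cap)


def bantime_for(ip, bans, base=600, cap=30 * 86400):
    """Ban length to apply to ip now, given the history parsed from fail2ban.log."""
    prior = sum(1 for _ts, _jail, banned_ip in bans if banned_ip == ip)
    return escalated_bantime(prior, base, cap)


# Constructed fail2ban.log extract: 203.0.113.9 is banned five times in 80 minutes,
# 198.51.100.7 five times spread over two days (never five within six hours).
SAMPLE_LOG = """\
2010-06-20 01:00:00,101 fail2ban.actions: WARNING [ssh] Ban 198.51.100.7
2010-06-20 01:10:00,102 fail2ban.actions: WARNING [ssh] Unban 198.51.100.7
2010-06-20 09:00:00,103 fail2ban.actions: WARNING [ssh] Ban 198.51.100.7
2010-06-20 17:00:00,104 fail2ban.actions: WARNING [ssh] Ban 198.51.100.7
2010-06-21 01:00:00,105 fail2ban.actions: WARNING [ssh] Ban 198.51.100.7
2010-06-21 09:00:00,106 fail2ban.actions: WARNING [ssh] Ban 198.51.100.7
2010-06-22 01:00:00,107 fail2ban.actions: WARNING [ssh] Ban 203.0.113.9
2010-06-22 01:20:00,108 fail2ban.actions: WARNING [ssh] Ban 203.0.113.9
2010-06-22 01:40:00,109 fail2ban.actions: WARNING [ssh] Ban 203.0.113.9
2010-06-22 02:00:00,110 fail2ban.actions: WARNING [ssh] Ban 203.0.113.9
2010-06-22 02:20:00,111 fail2ban.actions: WARNING [ssh] Ban 203.0.113.9
""".splitlines()

if __name__ == "__main__":
    bans = parse_bans(SAMPLE_LOG)
    print("repeat offenders:", repeat_offenders(bans))
    for ip in ("203.0.113.9", "198.51.100.7", "192.0.2.1"):
        print(ip, "next bantime:", bantime_for(ip, bans), "s")
```

The window keeps the two ideas separate, as Mike asked: a legitimate user who trips a 10-minute ban once or twice never reaches five bans in six hours, while a bot cycling through the jail does. The cap on the doubling scheme prevents an address from being locked out for years after a long-forgotten burst.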

Multi-server suggestion

(by Chad Columbus)

I also support the "Multiple Servers in DMZ writing IPTABLE rules to primary firewall" suggestion at the top of this page; I also use a central firewall/load balancer.
I would like to go one further and find a way to allow multiple servers in the same DMZ to share their bad hits and bans. I think maybe I can do this with a centralized log server, but I would prefer it were built into fail2ban.
Here is what I mean:
I have (as an example) 3 servers for ssh. A bad guy comes in and the load balancer sends the request to server #1; they come back and the request goes to server #2, and again but to server #3. This will effectively give the bad guy 3x the number of chances. The real problem is that I have 40+ servers behind the load balancer.
What I would like is for server #1 to share with server #2 that it got a bad hit, or at the very least, when one of the servers bans the IP, it shares the ban with the others, so that they are not getting 5 tries x 40 servers.

If there is a good way to solve this without modifying fail2ban please let me know and I will try it.

Multi-server answers?

You'd just need a few things to accomplish your goal:

  • Centralized logging
  • fail2ban running on the centralized log server
  • and fail2ban able to control your firewall/load balancer

-Scott Miller

Bug: Fail2ban stacks on no whois response

If a whois server does not return a response, the Fail2Ban process will just hang because there is no timeout in some versions of whois. Can the action.d/sendmail-whois.conf be modified to include a timeout for the whois command? Something like this works on my version.

 /usr/bin/whois <ip> & sleep 5; kill $!

-Caleb Collins
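An added example, not Caleb's command and not fail2ban's action code: a Python wrapper that bounds the lookup with subprocess's own timeout, so the action returns within the deadline whether or not whois answers, and whois output is still delivered when it does answer. The whois path and the 5-second limit are the ones from the post; the script name whois_report.py, used in the usage note, is an assumption. The self-check in the test drives it with the Python interpreter instead of a real whois binary.

```python
import ipaddress
import subprocess
import sys

PYTHON = sys.executable  # used by the self-check instead of a real whois binary


def run_with_timeout(argv, seconds):
    """Run argv, capture stdout, give up after `seconds`. Returns (stdout, timed_out).

    subprocess.run kills the child when the deadline passes, so the caller
    (and therefore the fail2ban action thread) never hangs on a silent server."""
    try:
        proc = subprocess.run(argv, capture_output=True, text=True, timeout=seconds)
    except subprocess.TimeoutExpired:
        return "", True
    return proc.stdout, False


def whois_report(ip, seconds=5, whois_bin="/usr/bin/whois"):
    """Text for the sendmail-whois mail body: whois output, or a note that the
    lookup timed out. The address is validated first because the action runs
    with fail2ban's (usually root) rights and the value is handed to a command."""
    addr = str(ipaddress.ip_address(ip))  # raises ValueError on anything that is not an address
    out, timed_out = run_with_timeout([whois_bin, addr], seconds)
    if timed_out:
        return "whois lookup for %s timed out after %d seconds\n" % (addr, seconds)
    return out


if __name__ == "__main__":
    # Usage: whois_report.py <ip>   (hypothetical script name)
    sys.stdout.write(whois_report(sys.argv[1]))
```

In the action file, `python whois_report.py <ip>` then takes the place of `/usr/bin/whois <ip>` inside the actionban mail body. Where GNU coreutils is installed, `timeout 5 /usr/bin/whois <ip>` bounds the lookup alone in one word; the wrapper above additionally refuses a malformed <ip> and puts a readable line in the mail instead of an empty whois section.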

IPv6

Is Fail2ban protecting me against attackers with an IPv6 address? Are there some changes to do in the configuration files (such as using ip6tables in addition to iptables)? The switch from IPv4 is coming fast (last v4 ranges allocated in June 2011, last IPs around the beginning of 2012, this is only 1 year from now!), so I'd rather be ready… - Xavier

Count "Last message repeated N times" correctly

It seems Fail2ban undercounts entries from syslog files such as /var/log/syslog and /var/log/auth.log, since it doesn't seem to be aware that syslog may log "last message repeated N times" instead of the full message. For example, if an ssh attack occurs several times in quick succession, there may be only one entry "Failed password for someuser from 1.2.3.4 port 4307 ssh2" followed by "last message repeated 10 times". It should be possible to set a regex that matches these kinds of log entries, and forces the log filter to treat them as if they were N of the previous log entry.

Solution (tested on Ubuntu 10.04):
1. Open /etc/rsyslog.conf
2. Find RepeatedMsgReduction and change on to off
3. After that, restart rsyslog and fail2ban
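An added example, not from this thread or from fail2ban, that serves both the "Add regex tag for count" request earlier on this page and the undercounting described here: a Python counter that treats a "last message repeated N times" line as N more occurrences of the previous failure line, and reads the count out of a batched "Failed login from <HOST>, X times" message through a named group, which is what a <COUNT>-style tag would expand to. The exact wording of the batched message and the sample lines are assumptions/constructed. Disabling RepeatedMsgReduction as above remains the simpler fix when you control the syslog daemon.

```python
import re
from collections import Counter

FAILED_RE = re.compile(r"Failed password for .+ from (?P<host>\S+) port \d+ ssh2")
# Batched form from the "Add regex tag for count" post; exact wording assumed.
BATCH_RE = re.compile(r"Failed login from (?P<host>\S+), (?P<count>\d+) times")
# syslog's compression of identical consecutive messages.
REPEATED_RE = re.compile(r"last message repeated (?P<count>\d+) times")


def count_weighted_failures(lines):
    """Failures per host where a batched line counts <count> times and a
    'last message repeated N times' line counts N more of the previous match."""
    counts = Counter()
    last = None  # (host, weight) of the previous line if it was a failure line
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("host")] += 1
            last = (m.group("host"), 1)
            continue
        m = BATCH_RE.search(line)
        if m:
            n = int(m.group("count"))
            counts[m.group("host")] += n
            last = (m.group("host"), n)
            continue
        m = REPEATED_RE.search(line)
        if m:
            if last is not None:
                host, weight = last
                counts[host] += int(m.group("count")) * weight
            continue  # keep `last`: a further repeat line refers to the same message
        last = None  # any other message breaks the chain
    return counts


# Constructed auth.log extract: one failure compressed to "repeated 10 times",
# one batched report, and a repeat line that follows a non-failure message.
SAMPLE_LINES = [
    "Jun 22 21:14:21 box sshd[2921]: Failed password for root from 203.0.113.9 port 44282 ssh2",
    "Jun 22 21:14:40 box last message repeated 10 times",
    "Jun 22 21:15:02 box someapp[77]: Failed login from 198.51.100.7, 4 times",
    "Jun 22 21:15:30 box sshd[2930]: Accepted publickey for alice from 192.0.2.10 port 5000 ssh2",
    "Jun 22 21:15:45 box last message repeated 3 times",
]

if __name__ == "__main__":
    print(dict(count_weighted_failures(SAMPLE_LINES)))
```

A line-by-line filter such as fail2ban's sees the first sample as one failure; the counter above credits 203.0.113.9 with eleven, and the final "repeated 3 times" is correctly attributed to the successful login before it and ignored.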

Bugs running action.d start actions

I'm seeing some startup actions getting errors during the startup of fail2ban, but I can enter those same commands by hand and they are accepted. All are setting up the iptables.

Of the 7 servers I have, all are set up fairly identically. Servers 2 and 3 restarted with no problems; the 5 jails I define all started with no errors. Server 1 had problems with APACHE-SETUP; server 4 created the vsftp chain, but didn't add the call or the Return. Server 5 failed to set up anything in iptables for vsftp; server 6 also completely lost the setup for vsftp; server 7 missed all the commands for the asterisk iptables setup.

I see this kind of thing from the logfile:

(my apologies, I don't know how to quote or force line breaks in the following!)

2010-12-09 23:42:18,684 fail2ban.actions.action: ERROR iptables -N fail2ban-asterisk iptables -A fail2ban-asterisk -j RETURN iptables -I INPUT -p all -j fail2ban-asterisk returned -1

or

2010-12-10 04:41:55,696 fail2ban.actions.action: ERROR iptables -N fail2ban-APACHE_SETUP iptables -A fail2ban-APACHE_SETUP -j RETURN iptables -I INPUT -p tcp -m multiport --dports http,https -j fail2ban-APACHE_SETUP returned 200
2010-12-10 04:41:55,699 fail2ban.actions.action: ERROR iptables -N fail2ban-SHARED iptables -A fail2ban-SHARED -m recent --name SHARED --rcheck -m limit --limit 1/minute -j LOG --log-prefix "DROPBANNED: " --log-tcp-options --log-ip-options iptables -A fail2ban-SHARED -m recent --name SHARED --rcheck -j DROP iptables -A fail2ban-SHARED -j RETURN iptables -I INPUT -j fail2ban-SHARED returned 100

or

2010-12-10 04:42:07,729 fail2ban.actions.action: ERROR iptables -n -L INPUT | grep -q fail2ban-SHARED returned 100
2010-12-10 04:42:07,730 fail2ban.actions.action: ERROR Invariant check failed. Trying to restore a sane environment


I'm using fail2ban-0.8.4.

Is it some timing issue? Is there any way to better debug why the setup commands are getting errors? See the stuff iptables responded with? It's the inconsistency of what commands are failing, for what jail, that makes me wonder.

In the jail.conf:

  • asterisk has action = iptables-allports[name=asterisk, protocol=all]
  • vsftpd has action = iptables[name=VSFTPD, port=ftp, protocol=tcp]
  • apache-setup has action = iptables-multiport[name=APACHE_SETUP, port="http,https", protocol=tcp]

Any help appreciated. If I can demo fail2ban, I'll share the usage of "recent" and its hash tables for banning huge numbers of IPs with just a few fixed rules in iptables. Perhaps it could be added to the action.d dir.

I'm looking at the logs, and I see the 5 jails started, 4-6 milliseconds apart. The error(s) coming within another 4-6 msec. Could it be, that, if they are separate threads, they are dumping their iptables commands in parallel, is it even possible that an iptables command would be rejected if it could not immediately get a lock?

--Late breaking: I inserted a sleep 1 in front of the allports start action; a sleep 2 in front of another, and a sleep 3 in the iptables.conf; that left only the iptables-multiport, because 2 rules use the same thing. So, they got the 0 second delay slot. I restarted my fail2bans one after the other, and got only 1 ERROR message: from the 2 sharing the same slot. So, if you are running an older version of netfilter (This is on centos, which seems to prefer ancient versions) and you are getting what seems to be random ERRORS in starting/stopping your jails, then consider throwing in some sleeps to spread them out. It might be nice if these start actions could be serialized.

  • A successful resolution is to modify only the relevant action config (in this case iptables-multiport.conf) and insert a random sleep (0.0000 to 2.9999 seconds) before the iptables action, so actionstart becomes:
 actionstart =   sleep `perl -e 'print rand(3);'`
             iptables -N fail2ban-<name>
             iptables -A fail2ban-<name> -j RETURN
             iptables -I INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>

More on bug running actions

There is an explanation of the bug and a fix noted at the Ubuntu bugs list. It involves adding one line to the fail2ban code. Could this be fixed in the next release?

I've used that fix--it works on my system (Ubuntu 10.10).


failregex POSSIBLE BREAK-IN ATTEMPT in filter sshd.conf

By default, the filter ^%(__prefix_line)sAddress <HOST> .* POSSIBLE BREAK-IN ATTEMPT!*\s*$ in filter.d/sshd.conf doesn't catch lines in auth.log like this:

Feb 7 10:34:04 app2 sshd[11295]: reverse mapping checking getaddrinfo for 91.227.55.116.broad.km.yn.dynamic.163data.com.cn [116.55.227.91] failed - POSSIBLE BREAK-IN ATTEMPT!

So I've added in /etc/fail2ban/filter.d/sshd.conf, this line in 'failregex':

^%(__prefix_line)sreverse mapping checking getaddrinfo .* \[<HOST>\] failed - POSSIBLE BREAK-IN ATTEMPT!\s*$

and it works fine. I use debian squeeze.

Squid filter

I use Squid with PAM authentication, and I added /etc/fail2ban/filter.d/squid.conf with the following failregex:

<HOST>\s+TCP_DENIED\/407.*$

and the appropriate jail.local entries. It seems to be working, but I'm sure someone could come up with something better/more complete.


Hey, I've been working with this on my VPS and the above wasn't quite working for me. So here's what I used.

squid.conf

   # Fail2Ban configuration file for squid
   #
   # Author: Jackie Craig Sparks
   #
   # $Revision: 728 $
   #
   [INCLUDES]
   # Read common prefixes. If any customizations available -- read them from
   # common.local
   before = common.conf
   [Definition]
   _daemon = squid
   # Option:  failregex
   # Notes.:  regex to match the password failures messages in the logfile. The
   #          host must be matched by a group named "host". The tag "<HOST>" can
   #          be used for standard IP/hostname matching and is only an alias for
   #          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
   # Values:  TEXT
   #
   failregex =  \d{0,10}.*\d{0,3}\ .* \ \d <HOST> TCP_DENIED\/407 .*$
   # Option:  ignoreregex
   # Notes.:  regex to ignore. If this regex matches, the line is ignored.
   # Values:  TEXT
   #
   ignoreregex =

apache w00t w00t messages jail - regex and filter

Jail

    [apache-wootwoot]
    enabled  = true
    filter   = apache-wootwoot
    action   = iptables[name=HTTP, port="80,443", protocol=tcp]
    logpath  = /var/log/apache2/error.log
    maxretry = 0
    bantime  = 864000
    findtime = 3600

Filter

    # Fail2Ban configuration file
    #
    # Author: Jackie Craig Sparks
    #
    # $Revision: 728 $
    #
    [Definition]
    #Woot woot messages
    failregex = ^\[\w{1,3} \w{1,3} \d{1,2} \d{1,2}:\d{1,2}:\d{1,2} \d{1,4}] \[error] \[client <HOST>] File does not exist: \/.{1,20}\/(w00tw00t|wootwoot|WootWoot|WooTWooT).{1,250}
    ignoreregex =

apache webmail phishing jail - regex and filter

Here are the other examples of mail phishing that has happened on our network

   [Fri Aug 19 10:33:08 2011] [error] [client 207.171.3.138] File does not exist: /var/www/skraps/cube
   [Fri Aug 19 10:33:08 2011] [error] [client 207.171.3.138] File does not exist: /var/www/skraps/round
   [Fri Aug 19 10:33:08 2011] [error] [client 207.171.3.138] File does not exist: /var/www/skraps/roundcube-0.2
   [Fri Aug 19 10:33:08 2011] [error] [client 207.171.3.138] File does not exist: /var/www/skraps/roundcube-0.1
   [Fri Aug 19 10:33:08 2011] [error] [client 207.171.3.138] File does not exist: /var/www/skraps/roundcubemail-0.1
   [Fri Aug 19 10:33:08 2011] [error] [client 207.171.3.138] File does not exist: /var/www/skraps/roundcubemail-0.2
   [Fri Aug 19 10:33:08 2011] [error] [client 207.171.3.138] File does not exist: /var/www/skraps/wm
   [Fri Aug 19 10:33:08 2011] [error] [client 207.171.3.138] File does not exist: /var/www/skraps/webmail2
   [Fri Aug 19 10:33:08 2011] [error] [client 207.171.3.138] File does not exist: /var/www/skraps/rms
   [Fri Aug 19 10:33:08 2011] [error] [client 207.171.3.138] File does not exist: /var/www/skraps/mail2
   [Fri Aug 19 10:33:09 2011] [error] [client 207.171.3.138] File does not exist: /var/www/skraps/mss2
   [Fri Aug 19 10:33:10 2011] [error] [client 207.171.3.138] File does not exist: /var/www/skraps/mss
   [Fri Aug 19 10:33:10 2011] [error] [client 207.171.3.138] File does not exist: /var/www/skraps/roundcubemail
   [Fri Aug 19 10:33:10 2011] [error] [client 207.171.3.138] File does not exist: /var/www/skraps/rc
   [Fri Aug 19 10:33:10 2011] [error] [client 207.171.3.138] File does not exist: /var/www/skraps/webmail
   [Fri Aug 19 10:33:10 2011] [error] [client 207.171.3.138] File does not exist: /var/www/skraps/roundcube
   [Fri Aug 19 10:33:10 2011] [error] [client 207.171.3.138] File does not exist: /var/www/skraps/mail

Jail

    [apache-webmail-phish]
    enabled  = true
    filter   = apache-webmail-phish
    action   = iptables[name=HTTP, port="80,443", protocol=tcp]
    logpath  = /var/log/apache2/error.log
    maxretry = 0
    bantime  = 864000
    findtime = 3600

Filter

    # Fail2Ban configuration file
    #
    # Author: Jackie Craig Sparks
    #
    # $Revision: 728 $
    #
    [Definition]
    # Looks for probes of non-existent roundcube webmail paths in the Apache error log.
    failregex = ^\[\w{1,3}.\w{1,3}.\d{1,2}.\d{1,2}:\d{1,2}:\d{1,2} \d{1,4}. \[error] \[client.<HOST>].File does not exist:.{1,40}roundcube.{1,200}
    ignoreregex =
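To check what a filter like the one above actually catches before enabling the jail, the script below (an added example, not part of the wiki page or of fail2ban itself) expands `<HOST>` with the alias quoted in the filter comments on this page, runs the apache-webmail-phish failregex over a constructed sample of the error.log lines shown above, and tallies matches per client the way a jail would. It applies the regex to the whole line and does not reproduce fail2ban's own date handling, so treat it as a regex check, not a substitute for `fail2ban-regex`.

```python
import re
from collections import Counter

# Alias fail2ban substitutes for the <HOST> tag (quoted from the filter
# comments on this page); it captures the address in a group named "host".
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# failregex of the apache-webmail-phish filter, copied from the page.
FAILREGEX = (r"^\[\w{1,3}.\w{1,3}.\d{1,2}.\d{1,2}:\d{1,2}:\d{1,2} \d{1,4}. "
             r"\[error] \[client.<HOST>].File does not exist:.{1,40}roundcube.{1,200}")

# Constructed sample: a few of the lines shown on the page, one probe from a
# second (documentation-range) address, and one unrelated 404.
SAMPLE_LOG = """\
[Fri Aug 19 10:33:08 2011] [error] [client 207.171.3.138] File does not exist: /var/www/skraps/cube
[Fri Aug 19 10:33:08 2011] [error] [client 207.171.3.138] File does not exist: /var/www/skraps/roundcube-0.2
[Fri Aug 19 10:33:08 2011] [error] [client 207.171.3.138] File does not exist: /var/www/skraps/roundcubemail-0.1
[Fri Aug 19 10:33:10 2011] [error] [client 207.171.3.138] File does not exist: /var/www/skraps/roundcubemail
[Fri Aug 19 10:33:10 2011] [error] [client 207.171.3.138] File does not exist: /var/www/skraps/roundcube
[Fri Aug 19 10:33:10 2011] [error] [client 207.171.3.138] File does not exist: /var/www/skraps/webmail
[Fri Aug 19 10:40:01 2011] [error] [client 192.0.2.55] File does not exist: /var/www/html/roundcube/
[Fri Aug 19 10:41:15 2011] [error] [client 198.51.100.7] File does not exist: /var/www/html/favicon.ico
"""


def compile_failregex(failregex, host_alias=HOST_ALIAS):
    """Expand <HOST> the way fail2ban does and compile the result."""
    return re.compile(failregex.replace("<HOST>", host_alias))


def count_failures(log_text, failregex=FAILREGEX):
    """Return {host: number of matching lines}, i.e. a jail's per-IP tally."""
    pattern = compile_failregex(failregex)
    hits = Counter()
    for line in log_text.splitlines():
        match = pattern.search(line)
        if match:
            hits[match.group("host")] += 1
    return dict(hits)


def banned_hosts(log_text, maxretry, failregex=FAILREGEX):
    """Hosts whose tally has reached maxretry (the page's maxretry = 0 bans on the first match)."""
    tally = count_failures(log_text, failregex)
    return sorted(host for host, n in tally.items() if n >= maxretry)


if __name__ == "__main__":
    # Note the trailing .{1,200}: a bare ".../roundcube" path is NOT matched.
    print(count_failures(SAMPLE_LOG), banned_hosts(SAMPLE_LOG, 0))
```

Running it shows that the plain `/var/www/skraps/roundcube` line is missed because the trailing `.{1,200}` demands at least one character after `roundcube`; `.{0,200}` (or dropping the tail) would catch it.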

Qmail vpopmail imap ssl filter

Jail

    [qmail-vpopmail-imap-ssl-pw-fail]
    enabled  = true
    filter   = qmail-vpopmail-imap-ssl-password
    action   = iptables[name=IMAP, port="143,585,993", protocol=tcp]
    logpath  = /var/log/imap4-ssl/current
    maxretry = 5
    bantime  = 864000
    findtime = 3600

Filter

    # Fail2Ban configuration file
    #
    # Author: Jackie Craig Sparks
    #
    # $Revision: 728 $
    #
    [Definition]
    # Looks for failed password logins to IMAP over SSL
    failregex = ^@\w{1,30} ERR: LOGIN FAILED, ip=.<HOST>.$
    ignoreregex =

Qmail vpopmail imap filter

Jail

    [qmail-vpopmail-imap-pw-fail]
    enabled  = true
    filter   = qmail-vpopmail-imap-password
    action   = iptables[name=IMAP, port="143,585,993", protocol=tcp]
    logpath  = /var/log/imap4/current
    maxretry = 5
    bantime  = 864000
    findtime = 3600

Filter

    # Fail2Ban configuration file
    #
    # Author: Jackie Craig Sparks
    #
    # $Revision: 728 $
    #
    [Definition]
    # Looks for failed password logins to IMAP
    failregex = ^@\w{1,30} ERR: LOGIN FAILED, ip=.<HOST>.$
    ignoreregex =

Qmail vpopmail pop3 filter

Here's the jail

    [qmail-vpopmail-pop3-user-notfound]
    enabled = true
    filter = qmail-vpopmail-pop3-username
    action = iptables[name=POP3, port="110,995", protocol=tcp]
    logpath = /var/log/maillog
    maxretry = 5
    bantime  = 864000
    findtime = 3600

Here's the filter

    # Fail2Ban configuration file
    #
    # Author: Jackie Craig Sparks
    #
    # $Revision: 728 $
    #
    [Definition]
    # Option: failregex
    # Notes.: regex to match the password failures messages in the logfile. 
    # The host must be matched by a group named "host". The tag "<HOST>" can
    # be used for standard IP/hostname matching and is only an alias for
    # (?:::f{4,6}:)?(?P<host>\S+)
    # Values: TEXT
    failregex = ^\w{3,5} \w{1,2} \w{1,2}:\w{1,2}:\w{1,2} \w{1,6} vpopmail.\d{1,6}.: vchkpw-pop3: vpopmail user not found \w{1,30}@\w{1,30}-\w{1,30}.\w{1,6}:<HOST>
    
    # Option: ignoreregex
    # Notes.: regex to ignore. If this regex matches, the line is ignored.
    # Values: TEXT
    ignoreregex =

    [qmail-vpopmail-pop3-pw-fail]
    enabled  = true
    filter   = qmail-vpopmail-password
    action   = iptables[name=POP3, port="110,995", protocol=tcp]
    logpath  = /var/log/maillog
    maxretry = 5
    bantime  = 864000
    findtime = 3600

    # Fail2Ban configuration file
    #
    # Author: Jackie Craig Sparks
    #
    # $Revision: 728 $
    #
    
    [Definition]
    #Looks for failed password logins to pop3
    failregex = ^\w{3,5} \w{1,2} \w{1,2}:\w{1,2}:\w{1,2} \w{1,6} vpopmail.\d{1,6}.: vchkpw-pop3: password fail \w{1,30}@\w{1,30}-\w{1,30}.\w{1,6}:<HOST>
    ignoreregex =