Fail2ban talk:Community Portal

Revision as of 10:41, 4 July 2012 by Zeng1380 (Talk | contribs) (vous pouvez vous détendre de base. « Un des travailleursDire: new section)


Misc Questions


Hi, I am trying to make a fail2ban package for a famous open-source web-hosting platform (

BQ is based on CentOS4 (python >=2.3), so we have to use fail2ban-0.6.x.
 unknown user:
 Jan 25 04:01:05 hostname proftpd[10476]: ([]) - USER xxxx: no such user found from [] to
 existing user, wrong pw:
 Jan 25 04:02:03 hostname proftpd[10495]: ([]) - USER rob (Login failed): Incorrect password.

But I didn't succeed. Maybe you can help me with that. I can't update to CentOS 5 and/or Python >= 2.4.

Thanks for that wonderful tool :)

I am finding this error a few times on different scripts when installing on CentOS

byte-compiling /usr/share/fail2ban/server/ to mytime.pyc

 File "/usr/share/fail2ban/server/", line 49

SyntaxError: invalid syntax

Any ideas?

Are you sure that you have Python 2.4? Annotations are available since Python 2.4. --Lostcontrol 15:53, 8 May 2007 (CEST)

I got 2.4.3:

 root@usa2 [~]# python -V
 Python 2.4.3

I installed 2.5.1 and still the same problem.

Now it is working the version 0.6.2 installed from an RPM. I will try again 0.8.0 but later. Thanks

Can someone tell me why I'm getting these errors with fail2ban?

2007-07-07 17:22:09,608 fail2ban.actions.action: CRITICAL Unable to restore environment
2007-07-08 01:57:43,008 fail2ban.actions.action: ERROR  iptables -D INPUT -p tcp --dport http -j fail2ban-apache
iptables -F fail2ban-apache
iptables -X fail2ban-apache returned 100
2007-07-08 01:57:43,933 fail2ban.actions.action: ERROR  iptables -D INPUT -p tcp --dport ssh -j fail2ban-ssh
iptables -F fail2ban-ssh
iptables -X fail2ban-ssh returned 100

I'm using Debian Etch.


I got similar errors on startup for iptables -N, iptables -A, and iptables -X, and it turned out that the directory where the iptables executable resides (/sbin on my system) was not included in the PATH environment variable. Adding /sbin to the PATH with:


in the file /etc/init.d/fail2ban fixed the problem on my Redhat Enterprise Linux 5 system.


Please use mailing-list for support next time. It seems that your iptables setup (related to fail2ban) get changed while fail2ban is running. Some firewall scripts/apps flush all rules when saving the changes. If fail2ban runs, it will not find its own chains anymore and will try to restore them. --Lostcontrol 09:57, 13 July 2007 (CEST)

Just tried to use the latest build 0.8.1 and got this output:

 # fail2ban-client -h
 File "/usr/bin/fail2ban-client", line 360

SyntaxError: invalid syntax

I found a way to work around this problem with CentOS. Apparently CentOS has multiple versions of Python installed. Modify /usr/bin/fail2ban-client and /usr/bin/fail2ban-server so that the first line on each reads as follows:

(or wherever the direct executable for python2.4 is). By default it reads as #!/usr/bin/python, which is apparently an earlier version of python. If you don't know where python2.4 is located, you can find it by typing the following:
whereis python2

--rojo 14:36, 30 Oct 2007 (EST)

In the FAQ this line is not very clear

"You probably have the sendmail command. Copy /etc/fail2ban/action.d/mail-whois.conf to /etc/fail2ban/action.d/mail-whois.local, edit this file and replace mail with sendmail. Here is an example:"

Which is "this" file? Is mail-whois.local what it sounds like?

That's correct. You have to edit mail-whois.local. --Lostcontrol 10:17, 13 September 2007 (CEST)


I have a CentOS 4 VPS with Python 2.3.

When I restart fail2ban I get this error:

 File "/usr/bin/fail2ban-client", line 360
 SyntaxError: invalid syntax

I made sure to change the paths to #!/usr/local/bin/python2.3 in both /usr/bin/fail2ban-client and /usr/bin/fail2ban-server but it still does not work.

Are there any other ideas?


Client/Server Question

What is the purpose/reason to have the server and client separate? Couldn't find this in the wiki, maybe it should be placed in the FAQ?

Memory Usage (160MB for fail2ban-server)

Hi, I like the concept of fail2ban ... but I run it in a VirtualBox VM ...

The fail2ban-server process needs 160 MB ... for what? Is my config/system buggy, or is this normal?

I used it on Ubuntu 7.04 with Python 2.5.3 and Fail2Ban v0.8.3.

  • update on the 20th of January 2011 (author SJL)

A Python application, like fail2ban, might consume a lot of memory only because of the relatively oversized default stack size on Linux. This can be changed by editing /etc/default/fail2ban (on Debian; adjust for your own installation) and appending this to the end of the file:

 ulimit -s 256

The file "/etc/default/fail2ban" will typically look like this after installing Fail2Ban 0.8.4 on Debian 6 from the repository:

# This file is part of Fail2Ban.
# Fail2Ban is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
# Fail2Ban is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with Fail2Ban; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
# Author: Cyril Jaquier
# $Revision: 1.2 $

# Command line options for Fail2Ban. Refer to "fail2ban-client -h" for
# valid options.

Add "ulimit -s 256" on a new line at the end of the file, after the comment block, so that the file ends with:

# Command line options for Fail2Ban. Refer to "fail2ban-client -h" for
# valid options.
ulimit -s 256

It is not added to the FAIL2BAN_OPTS parameter.

Stopping and starting via "fail2ban-client" will not apply this value. You need to reboot your system or restart the daemon with:

# sudo /etc/init.d/fail2ban stop
# sudo /etc/init.d/fail2ban start

The values from "/etc/default/fail2ban" are applied at boot. Stopping and starting Fail2Ban via "fail2ban-client" will not apply this value; the process will revert to the Linux default stack size used by the ulimit command and the old memory usage of 160 MB+.


Before (default stack limit):

 root      1026  0.0  0.0 150020  8004 ?        Sl   Jan12   0:07 /usr/bin/python /usr/bin/fail2ban-server -b -s /var/run/fail2ban/fail2ban.sock

After (with "ulimit -s 256"):

 root     29688  1.0  0.0  35600  6528 ?        Sl   10:38   0:00 /usr/bin/python /usr/bin/fail2ban-server -b -s /var/run/fail2ban/fail2ban.sock

The VSZ value has decreased from 150020 kB to 35600 kB.
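To check whether the limit actually reached the daemon (the point made above: a restart through fail2ban-client does not re-read /etc/default/fail2ban), here is an added example that is not part of the original post or of Fail2Ban itself. It reads the soft stack limit the kernel records in /proc/<pid>/limits, parses a constructed sample into the unit "ulimit -s" reports, and demonstrates the effect of "ulimit -s 256" in a fresh shell. The pgrep lookup for fail2ban-server and the Linux /proc layout are assumptions.

```python
import re
import subprocess

# Constructed sample of /proc/<pid>/limits output (not taken from the page); the soft
# stack limit is 8 MiB, which "ulimit -s" reports as 8192.
SAMPLE_LIMITS = """Limit                     Soft Limit           Hard Limit           Units
Max cpu time              unlimited            unlimited            seconds
Max stack size            8388608              unlimited            bytes
Max open files            1024                 4096                 files
"""

STACK_RE = re.compile(r"^Max stack size\s+(\S+)\s+(\S+)\s+bytes", re.M)


def parse_stack_limit_kb(limits_text):
    """Soft stack limit in kB (None for 'unlimited'), i.e. the unit "ulimit -s" uses."""
    m = STACK_RE.search(limits_text)
    if m is None:
        raise ValueError("no 'Max stack size' line found")
    soft = m.group(1)
    return None if soft == "unlimited" else int(soft) // 1024


def proc_stack_limit_kb(pid):
    """Live soft stack limit of a running process, read from /proc (Linux only)."""
    with open("/proc/%d/limits" % int(pid)) as fh:
        return parse_stack_limit_kb(fh.read())


def stack_limit_after_ulimit(kb):
    """Start a fresh sh, lower its stack limit, and return what the kernel recorded for it.

    Inside "sh -c" the variable $$ is that new shell's own PID, so /proc/$$/limits
    shows the effect of the ulimit call and nothing else."""
    out = subprocess.check_output(
        ["sh", "-c", "ulimit -s %d && cat /proc/$$/limits" % int(kb)])
    return parse_stack_limit_kb(out.decode())


def fail2ban_server_limits():
    """{pid: soft_stack_kb} for every fail2ban-server found by pgrep (assumed installed)."""
    try:
        pids = subprocess.check_output(["pgrep", "-f", "fail2ban-server"]).split()
    except (OSError, subprocess.CalledProcessError):
        return {}
    return {int(p): proc_stack_limit_kb(int(p)) for p in pids}


if __name__ == "__main__":
    print("fresh sh after 'ulimit -s 256':", stack_limit_after_ulimit(256), "kB")
    for pid, kb in sorted(fail2ban_server_limits().items()):
        print("fail2ban-server pid %d: soft stack limit %s kB" % (pid, kb))
```

If the daemon still shows the default (8192 on most distributions) after a fail2ban-client restart while a fresh shell shows 256, the value in /etc/default/fail2ban was never applied to that process, which is exactly the situation described above.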

I would like to implement this, although I don't seem to have /etc/default/fail2ban. Where else would I need to look to include this in my configuration? and where exactly in the actual file does it need to go? (that is if someone can help me find it)?

Christmas gift - version 0.9 these days ?

Hi - I heavily appreciate fail2ban. Just these days I am configuring 2 new servers opensuse and would love to include some of the new features listed by others above. Like server-IP as sender subject line or so mentioned earlier.

Since we have Christmas time, I was wondering if we may get a Christmas gift - version 0.9 these days ?? Traffic is drastically increasing day by day, so is hacker activity during the weeks before Christmas. Added security let's us sleep much better.

Log Prefix Regex

Can anyone tell me how to recognize this datestamp prefix? I recently upgraded rsyslogd and it changed my log format. I'd rather change fail2ban than change my log back to the old format. Do I have to edit the source code or can it be done in the filter? If it's only in the source code is there any good reason why it isn't done in the filter?

2009-01-15T20:59:46.201822-05:00 nro sshd[5978]: Failed password for invalid user antoine from port 45379 ssh2

BTW Mine is a mail server and I have 50K to 80K bans in iptables. After I reboot I get hammered for days!

-- 09:52, 26 December 2010 (UTC)----

Good question. I just found out it was the rsyslog update that stopped my Fail2Ban from working. The rsyslog update uses a new date/time string. The new rsyslog also comes with a new conf file which contains the following:

$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

It will use the old-fashioned date/time string that Fail2Ban works fine with, so you won't have to change your sshd.conf filter. Just restart rsyslog with the new config file and you should be fine again.
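As an added example (not part of the thread, and not Fail2Ban's own date handling), the following Python parses both timestamp styles named above, the RFC 3339 form the newer rsyslog writes and the traditional "Mon DD HH:MM:SS" form, into timezone-aware times before the failure pattern is applied. The log lines are constructed samples: the page's line has the client address elided, so 192.0.2.7 and the traditional-format twin of that line are invented, and the year and UTC offset used for the traditional form are assumptions the caller has to supply, which is where timezone mismatches between the log and the server creep in.

```python
import re
from datetime import datetime, timedelta, timezone

# The same sshd event in both rsyslog output styles (constructed; address invented).
ISO_LINE = ("2009-01-15T20:59:46.201822-05:00 nro sshd[5978]: Failed password for "
            "invalid user antoine from 192.0.2.7 port 45379 ssh2")
TRAD_LINE = ("Jan 15 20:59:46 nro sshd[5978]: Failed password for "
             "invalid user antoine from 192.0.2.7 port 45379 ssh2")

# rsyslog's high-precision format: RFC 3339 with fractional seconds and a numeric UTC offset.
ISO_PREFIX = re.compile(
    r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?[+-]\d{2}:\d{2}) ")
# RSYSLOG_TraditionalFileFormat: "Mon DD HH:MM:SS", no year, no zone.
TRAD_PREFIX = re.compile(r"^([A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) ")

FAILED_PW = re.compile(
    r"Failed password for (?:invalid user )?\S+ from (?P<host>\S+) port \d+ ssh2")


def split_timestamp(line, assume_year=2009, utc_offset_hours=0):
    """Return (timezone-aware datetime, rest of line) for either prefix style.

    The traditional prefix carries neither a year nor a zone, so both must be
    supplied by the caller; a wrong offset shifts every event by hours, which is
    enough to push all hits outside a findtime window and ban nothing."""
    m = ISO_PREFIX.match(line)
    if m:
        fmt = "%Y-%m-%dT%H:%M:%S.%f%z" if m.group(2) else "%Y-%m-%dT%H:%M:%S%z"
        return datetime.strptime(m.group(1), fmt), line[m.end():]
    m = TRAD_PREFIX.match(line)
    if m:
        naive = datetime.strptime("%d %s" % (assume_year, m.group(1)), "%Y %b %d %H:%M:%S")
        tz = timezone(timedelta(hours=utc_offset_hours))
        return naive.replace(tzinfo=tz), line[m.end():]
    raise ValueError("unrecognised timestamp prefix in %r" % line[:40])


def failed_login(line, **kw):
    """(event time as an ISO 8601 UTC string, offending host), or None if not a failure."""
    ts, rest = split_timestamp(line, **kw)
    m = FAILED_PW.search(rest)
    if m is None:
        return None
    return ts.astimezone(timezone.utc).isoformat(), m.group("host")


def hits_within(lines, findtime=600, **kw):
    """Failures per host inside one findtime window measured from that host's first
    failure: a simplified version of the counting that decides on a ban."""
    first, counts = {}, {}
    for line in lines:
        hit = failed_login(line, **kw)
        if hit is None:
            continue
        when, host = hit
        t = datetime.fromisoformat(when)
        first.setdefault(host, t)
        if (t - first[host]).total_seconds() <= findtime:
            counts[host] = counts.get(host, 0) + 1
    return counts


if __name__ == "__main__":
    print(failed_login(ISO_LINE))
    print(failed_login(TRAD_LINE, utc_offset_hours=-5))
    print(hits_within([ISO_LINE, TRAD_LINE], utc_offset_hours=-5))
```

The RFC 3339 line needs no assumptions at all, which is the real argument for keeping it if the filter can parse it; the traditional line only lines up with it once the caller passes the correct offset (-5 here). Requires Python 3.7 or later for the "%z" form with a colon.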

Fail2ban on CentOS/RedHat Plesk

I have implemented fail2ban on our Plesk servers for Proftpd and Qmail (so far). I had to put the full path to iptables in the actions.d i.e. /pathtoiptables/iptables -N fail2ban-<name> etc. This is the relevant section of filters.d/proftpd.conf for Plesk users and the logfile is /var/log/messages:

 failregex = .*proftpd\[\S+\]: \S+ \(\S+\[<HOST>\]\) - PAM\(\S+\): Authentication failure.$
             .*authentication failure.*rhost=<HOST>.*$
             .*proftpd\[\S+\]: \S+ \(\S+\[<HOST>\]\) - no such user .*$

In jail.conf I set bantime = 600 and findtime = 30 and it works great. Thank you so much!

For Qmail, I started just trying to block brute force attempts to break into email accounts and here is the relevant section from qmail.conf:

failregex = .*password incorrect from \@ \[<HOST>\].*$

Also works great and the qmail logfile is /usr/local/psa/var/log/maillog.

What I am working on now, and what I would dearly like to get help with is blocking relay attempts. We get about 100K relay attempts per day and I have been trying to find a way to block these. For Plesk users here is the relevant regular expression in the qmail logfile for relay attempts:

.*relaylock: mail from <HOST>.*$

The problem I have is that the relaylock filter blocks genuine users, because relaylock sometimes kicks in even for genuine users who have authenticated. This happens for users with PCs but even more frequently for users with Macs, and I am not sure why. Many of our users are assigned dynamic IPs by their ISPs. How can I stop them from getting blocked by this relaylock filter? I have tried putting the major ISPs e.g., etc. in ignoreip but some users still got blocked. My assumption is that is the same to ignoreip as * since ignoreip just looks for matches. Is that right? If not, is it possible to use wildcards in ignoreip e.g. * or is there an even better way? It would be ideal to be able to specify that if an IP address matches a particular log entry then it should be automatically added to ignoreip, e.g. if the log contains a line where the user successfully authenticated, then the IP they connected from is ignored by fail2ban. That would stop genuine users from being blocked without them having to contact us to let us know their IP address or ISP. Any help on this issue would be appreciated since it's the main hurdle I need to overcome. If we still have problems with genuine users being blocked by the end of the week I will just have to remove this filter, which would be a shame since it really helps and I am sure it would help many more people with the same problem.

It would also be nice to have a separate bantime and findtime in jail.conf for qmail and other applications.

Any tips, pointers, and help, would be much appreciated.

Thanks for fail2ban!
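An added example, not from the post above or from Fail2Ban, that applies the failregex lines from this post and the ProFTPD lines quoted near the top of this page to a constructed log, and tries the two whitelisting ideas raised here: CIDR-style ignoreip entries and ignoring any address that also logged in successfully. The <HOST> substitution, the 0.6-era ProFTPD patterns, the "Login successful" line and every address in the sample log are assumptions of the example, not facts from the page; check your own jail.conf for what its ignoreip actually accepts.

```python
import ipaddress
import re

# fail2ban replaces <HOST> with a group that captures the client address; this is a
# simplified stand-in for the real substitution, good enough for dotted-quad addresses.
HOST_GROUP = r"(?P<host>\S+)"


def compile_failregex(pattern):
    return re.compile(pattern.replace("<HOST>", HOST_GROUP))


# From the Plesk post above (the stray quote at the end of the PAM line dropped).
PROFTPD_PLESK = [
    r".*proftpd\[\S+\]: \S+ \(\S+\[<HOST>\]\) - PAM\(\S+\): Authentication failure.$",
    r".*authentication failure.*rhost=<HOST>.*$",
    r".*proftpd\[\S+\]: \S+ \(\S+\[<HOST>\]\) - no such user .*$",
]
# Assumed patterns for the fail2ban 0.6-era ProFTPD lines quoted near the top of this
# page; ProFTPD writes the client as "(name[address])", which the page's copy has elided.
PROFTPD_06 = [
    r"\(\S+\[<HOST>\]\) - USER \S+: no such user found",
    r"\(\S+\[<HOST>\]\) - USER \S+ \(Login failed\): Incorrect password",
]
# Assumed success line, used to whitelist an address that did authenticate.
LOGIN_OK = compile_failregex(r"\(\S+\[<HOST>\]\) - USER \S+: Login successful")

# Constructed sample log (addresses from documentation and private ranges, never real clients).
SAMPLE_LOG = [
    "Jan 25 04:01:05 hostname proftpd[10476]: hostname (example.net[192.0.2.10]) - USER xxxx: no such user found from example.net [192.0.2.10] to 198.51.100.1:21",
    "Jan 25 04:02:03 hostname proftpd[10495]: hostname (example.net[192.0.2.10]) - USER rob (Login failed): Incorrect password.",
    "Jan 25 04:02:09 hostname proftpd[10495]: hostname (example.net[192.0.2.10]) - USER rob (Login failed): Incorrect password.",
    "Jan 25 04:03:00 hostname proftpd[10500]: hostname (laptop.example.org[192.0.2.11]) - PAM(rob): Authentication failure.",
    "Jan 25 04:03:02 hostname proftpd[10500]: hostname (laptop.example.org[192.0.2.11]) - PAM(rob): Authentication failure.",
    "Jan 25 04:03:04 hostname proftpd[10500]: hostname (laptop.example.org[192.0.2.11]) - PAM(rob): Authentication failure.",
    "Jan 25 04:03:20 hostname proftpd[10500]: hostname (laptop.example.org[192.0.2.11]) - USER rob: Login successful.",
    "Jan 25 04:04:00 hostname proftpd[10510]: hostname (office[10.0.0.5]) - no such user 'admin'",
    "Jan 25 04:04:01 hostname proftpd[10510]: hostname (office[10.0.0.5]) - no such user 'admin'",
    "Jan 25 04:04:02 hostname proftpd[10510]: hostname (office[10.0.0.5]) - no such user 'admin'",
]


def matched_hosts(patterns, lines):
    """Apply the failregex list to every line; one hit per line, first pattern wins."""
    compiled = [compile_failregex(p) for p in patterns]
    hosts = []
    for line in lines:
        for rx in compiled:
            m = rx.search(line)
            if m:
                hosts.append(m.group("host"))
                break
    return hosts


def make_ignore(entries):
    """ignoreip-style check with CIDR support (the example's own matching, not fail2ban's)."""
    nets = [ipaddress.ip_network(e, strict=False) for e in entries]

    def ignored(host):
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            return False
        return any(ip in n for n in nets)
    return ignored


def hosts_to_ban(lines, patterns, ignoreip=(), maxretry=3):
    """Hosts with at least maxretry failures, minus ignoreip matches and minus any host
    that also logged in successfully somewhere in the same slice of log."""
    ignored = make_ignore(ignoreip)
    trusted = {m.group("host") for m in map(LOGIN_OK.search, lines) if m}
    counts = {}
    for host in matched_hosts(patterns, lines):
        if ignored(host) or host in trusted:
            continue
        counts[host] = counts.get(host, 0) + 1
    return sorted(h for h, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    print(hosts_to_ban(SAMPLE_LOG, PROFTPD_PLESK + PROFTPD_06, ignoreip=["10.0.0.0/8"]))
```

Two caveats on the "ignore anyone who authenticated" rule: it also whitelists every other client behind the same NAT or shared address, and an attacker holding one valid account can use it to shield a brute-force run against the others, so scope it to a short window rather than forever.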


Repeated attempts at DNS lookup

Hey I keep getting lines in the log file that say:

      WARNING Unable to find a corresponding IP address for

Trying to get rid of that in the logs, but it keeps popping up even though there was only one attempt from that host, almost a month ago. What option can I use to stop it from trying to DNS lookup that host?

Thanks a lot


A potential answer: See if the log fail2ban is watching can log IP addresses rather than DNS names. An example: Link to VSFTPD fix

Emails from fail2ban not containing whois info help needed.

Example of an email I received from fail2ban when testing (IPs edited, but they were from outside my LAN).


The IP xx.xx.xx.xx has just been banned by Fail2Ban after 4 attempts against ssh.

Here are more information about xx.xx.xx.xx:

Lines containing IP:xx.xx.xx.xx in /var/log/auth.log

 Apr 6 11:55:05 user sshd[8884]: Invalid user dg from xx.xx.xx.xx
 Apr 6 11:55:05 user sshd[8884]: Failed none for invalid user dg from xx.xx.xx.xx port 57992 ssh2
 Apr 6 11:55:09 user sshd[8884]: Failed password for invalid user dg from xx.xx.xx.xx port 57992 ssh2
 Apr 6 11:55:13 user sshd[8884]: Failed password for invalid user dg from xx.xx.xx.xx port 57992 ssh2
 Apr 6 13:42:53 user sshd[13938]: Invalid user kjhgfd from xx.xx.xx.xx
 Apr 6 13:42:53 user sshd[13938]: Failed none for invalid user kjhgfd from xx.xx.xx.xx port 59527 ssh2
 Apr 6 13:42:59 user sshd[13938]: Failed password for invalid user kjhgfd from xx.xx.xx.xx port 59527 ssh2
 Apr 6 13:43:03 user sshd[13938]: Failed password for invalid user kjhgfd from xx.xx.xx.xx port 59527 ssh2



fail2ban.actions.action ERROR on startup/restart

I had multiple fail2ban.actions.action ERROR on startup/restart. It seems there was a "race" condition with iptables. I solved the problem completely on my system by editing /usr/bin/fail2ban-client and adding a time.sleep(0.1)

 def __processCmd(self, cmd, showRet = True):
     beautifier = Beautifier()
     for c in cmd:
         time.sleep(0.1)  # pace the commands sent to the server ("import time" is needed at the top of the file)

  • Thanks. This patch solved the problem on my server. :) -- 11:55, 13 November 2010 (UTC)
  • Add my thanks. I was having random fail2ban.actions.action ERRORs when doing a restart, but when I executed the same iptables commands by hand they worked fine. Adding your pacing line seems to fix the problem.
  • confirm this fix, it works great for multiple lines of iptables command 18:50, 12 January 2011 (UTC)
  • Thanks to and Google. Can't make Fail2ban work after I install a new fresh Debian 6 / Squeeze on my server :( . Adding this "sleep" fix solved the problem. -- 08:07, 19 February 2011 (UTC)
  • worked for me on debian 6 squeeze (without it, random iptables rules were missing) -- 20:40, 12 June 2011 (UTC)
  • Thanks this also helped me fix it, but I needed to add time.sleep(0.3) on my ubuntu 8.04 server or the last rule was still failing. (5 August 2011)
  • Did not work --Mat 16:54, 11 January 2012 (CET)
  • Did not work on VPS hosted Ubuntu 10.04 systems (15th August 2011). The fixed delay time is too regular and still caused the same race condition. A successful resolution was to modify only the relevant action config (in this case iptables-multiport.conf) and insert a random sleep (0.0000 to 2.9999 seconds) before the iptables action, so actionstart becomes:
 actionstart =   sleep `perl -e 'print rand(3);'`
             iptables -N fail2ban-<name>
             iptables -A fail2ban-<name> -j RETURN
             iptables -I INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
Right, but that's extremely inefficient. We have Fail2ban, a Python script, calling sh through exec() (or whatever its name is in Python), which calls Perl, another interpreted-language program, to run a script to actually do the random number generation. The solution would be, of course, to actually fix Fail2ban: Comment in Debian bugtracker. -- 16:37, 12 September 2011 (CEST)
  • Adding a sleep command directly in fail2ban code makes thing work properly:

In /usr/share/fail2ban/server/ (Debian) just add a sleep(1):

 def execActionStart(self):
   startCmd = Action.replaceTag(self.__actionStart, self.__cInfo)
   time.sleep(1)  # the added delay ("time" must be imported at the top of the file)
   return Action.executeCmd(startCmd)
  • Thanks, the above code works flawlessly on Ubuntu Lucid (10.04) i686 2.6.32-37-generic-pae

Antonio J. de Oliveira

  • The above (Debian) method fails to work in CentOS6 when the server is rebooted, instead the following method worked for me:

In /usr/share/fail2ban/server/ at the top, add time to the import:

 import time, logging, os

Then add time.sleep(1) to execActionStart:

 def execActionStart(self):
   startCmd = Action.replaceTag(self.__actionStart, self.__cInfo)
   time.sleep(1)  # give the previous iptables command time to finish before the next one
   return Action.executeCmd(startCmd)
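As an added example (not Fail2Ban's code and not any of the patches above), this is the shape of the fix the earlier comment asks for instead of a fixed or random sleep: run the actionstart commands in order, check every exit status, and on failure retry that one command after a randomised, growing delay, stopping the chain if a command never succeeds so that later rules are not added to a chain that was never created. The iptables command strings, the FlakyRunner stand-in for an iptables that loses a race, and the backoff parameters are this example's assumptions.

```python
import random
import subprocess
import time


def run_shell(cmd):
    """Default runner: one command line through the shell, returning its exit status.
    This mirrors how action.d commands are invoked; only pass trusted command strings."""
    return subprocess.call(cmd, shell=True)


def run_chain(commands, runner=run_shell, attempts=5, base_delay=0.1,
              sleep=time.sleep, rng=random.random):
    """Run commands in order. A non-zero status retries that command after a jittered,
    exponentially growing delay; if it never succeeds the chain stops there.
    Returns (all_ok, [(command, status), ...]) so the caller can log what happened."""
    log = []
    for cmd in commands:
        for n in range(attempts):
            status = runner(cmd)
            log.append((cmd, status))
            if status == 0:
                break
            if n == attempts - 1:
                return False, log
            sleep(base_delay * (2 ** n) * (0.5 + rng()))   # jitter: 0.5x to 1.5x of the step
    return True, log


# The actionstart sequence from iptables-multiport.conf with the tags filled in by hand.
ACTIONSTART = [
    "iptables -N fail2ban-ssh",
    "iptables -A fail2ban-ssh -j RETURN",
    "iptables -I INPUT -p tcp -m multiport --dports ssh -j fail2ban-ssh",
]


class FlakyRunner:
    """Test double standing in for the shell: every command fails `failures` times
    before succeeding, imitating iptables losing the race with a concurrent caller."""
    def __init__(self, failures):
        self.failures = failures
        self.seen = {}

    def __call__(self, cmd):
        n = self.seen.get(cmd, 0)
        self.seen[cmd] = n + 1
        return 0 if n >= self.failures else 1


if __name__ == "__main__":
    ok, log = run_chain(ACTIONSTART, runner=FlakyRunner(2), sleep=lambda s: None)
    print(ok, len(log), "invocations")
```

Injecting the runner, the sleep and the random source is what makes the retry logic testable without touching a real firewall; swap FlakyRunner for run_shell on a host where you are allowed to create the chain.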

fail2ban ban distribution to multiple servers

I'm using fail2ban for blocking misconfigured mailservers on couple of servers:

 File "/etc/fail2ban/filter.d/postfix-badhelo.conf":
 failregex = reject: RCPT from (.*)\[<HOST>\]: 450 4.7.1 (.*) Helo command rejected: Host not found
 File "/etc/fail2ban/filter.d/postfix-nohostname.conf":
 failregex = reject: RCPT from (.*)\[<HOST>\]: 450 4.7.1 Client host rejected: cannot find your hostname

Currently my servers are using separate netfilter policies (and each checks its own /var/log/maillog). I'd like fail2ban to "push" the ban and unban actions to remote servers (so each fail2ban-server would be aware of them and block/unblock accordingly).

What kind of action would you suggest? I have a couple of ideas but none is good enough:

  • distribute ssh pubkeys between the servers, save them to /root/.ssh/authorized_keys and use an ssh action that would connect to the rest of the servers, using iptables remotely... (It's really a shame fail2ban-client doesn't support manually banning/unbanning IPs from the console.)
  • distribute mail logs to multiple servers, which can be a bit awkward
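An added example for the first option listed, not code from the post or from Fail2Ban: a push script that a jail's actionban/actionunban could call (for instance actionban = /usr/local/sbin/f2b-push ban <ip>, an assumed wiring), paired with the gate a forced command in each peer's authorized_keys would run. Peer names, key path, chain name and the f2b-gate script name are assumptions. The important half is the gate: an unrestricted root key copied to every server turns one compromised host into all of them, whereas a forced command that re-parses the request only ever inserts or deletes a DROP rule in one chain.

```python
import ipaddress
import shlex
import subprocess

# Assumed names: peer hosts, a dedicated key (never root's interactive key) and the chain.
PEERS = ["mx2.example.net", "mx3.example.net"]
KEY = "/etc/fail2ban/id_fail2ban"
CHAIN = "fail2ban-postfix"

# Assumed layout of the matching line in each peer's /root/.ssh/authorized_keys:
#   command="/usr/local/sbin/f2b-gate",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAA... fail2ban@mx1
# f2b-gate feeds $SSH_ORIGINAL_COMMAND to accept_original_command() and execs the result,
# so whoever holds the key gets exactly one capability: a DROP rule in CHAIN, added or removed.


def canonical_ip(host):
    """Only a literal IPv4/IPv6 address passes; hostnames and shell text raise ValueError."""
    return str(ipaddress.ip_address(host))


def remote_command(action, ip):
    """The single iptables command line the peer will be asked to run."""
    if action not in ("ban", "unban"):
        raise ValueError("action must be ban or unban, got %r" % action)
    flag = "-I" if action == "ban" else "-D"
    return "iptables %s %s -s %s -j DROP" % (flag, CHAIN, canonical_ip(ip))


def accept_original_command(original, chain=CHAIN):
    """Server-side gate for the forced command: re-parse $SSH_ORIGINAL_COMMAND and return an
    argv only if it has exactly the shape remote_command() produces, otherwise None."""
    try:
        argv = shlex.split(original)
    except ValueError:
        return None
    if len(argv) != 7 or argv[0] != "iptables" or argv[1] not in ("-I", "-D"):
        return None
    if argv[2] != chain or argv[3] != "-s" or argv[5:] != ["-j", "DROP"]:
        return None
    try:
        canonical_ip(argv[4])
    except ValueError:
        return None
    return argv


def ssh_argv(peer, action, ip):
    """Client-side argv; BatchMode stops a broken key from hanging the jail's action forever."""
    return ["ssh", "-i", KEY, "-o", "BatchMode=yes", "-o", "ConnectTimeout=5",
            "root@" + peer, remote_command(action, ip)]


def push(action, ip, peers=PEERS, run=subprocess.call):
    """Fan a ban/unban out to every peer; returns the peers whose ssh call failed."""
    return [peer for peer in peers if run(ssh_argv(peer, action, ip)) != 0]


if __name__ == "__main__":
    import sys
    failed = push(sys.argv[1], sys.argv[2])
    for peer in failed:
        print("push to %s failed" % peer, file=sys.stderr)
    sys.exit(1 if failed else 0)
```

A peer that is down when the ban is pushed never learns of it, and nothing here retries later, so the failed-peer list should at least be logged; the gate's strict argv check is also what keeps a "ban" of INPUT or of 0.0.0.0/0 from ever reaching iptables.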

Need help for sendmail+sasl+pam fail2ban config (CentOS/RHEL 5)

I'm on CentOS/RHEL 5, using sendmail 8.13.8 and cyrus-sasl 2.1.22. I'm trying to figure out how to use fail2ban to properly protect against SMTP attacks. Right now, I've implemented the suggestion from, but that relies on sendmail identifying the SMTP attack... a number of attack methods can completely bypass this and go undetected.

I would prefer to ban based on SASL authentication failures (just like for ssh, etc.). sasl is configured to use PAM, but for some reason, it doesn't log the rhost IP. (sshd, imapd, etc. will all log the rhost IP via pam, but saslauthd won't - it leaves the rhost field blank.). Sendmail doesn't log when an sasl auth failure occurs, so basically I've got a useless log from sasl and no log from sendmail. There are _some_ cotemporal entries from sendmail in the maillog, e.g. the remote host didn't issue VRFY/EXPN/etc.... but those lines can occur legitimately under many circumstances, so should not be used for banning. The spam failure line would be the best, but is useless without an rhost IP.

Does anyone know how I can get saslauthd to properly log the rhost ip via pam? Or, how I can get sendmail to log when an sasl auth failure occurs (including the remote IP)? Extensive googling has revealed nothing, unfortunately. Thanks in advance.

Fail2ban failing to ban when log timestamp is not in the same timezone

Here is a tip for configuring Postfix in the same timezone as the server:

Multiple logpath

Hello, how can I configure many logpath for the same rule? Thanks
