1

Topic: [SOLVED] fail2ban not working

Hi!

On my server (recent installation, currently in test) fail2ban is configured but it doesn't ban IPs with failed attempts.

My configuration is the default after the installation.

If I run:

fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf

I get the correct output:

Running tests
=============

Use regex file : /etc/fail2ban/filter.d/sshd.conf
Use log file   : /var/log/auth.log


Results
=======

Failregex
|- Regular expressions:
|  [1] ^\s*(?:\S+ )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$
|  [2] ^\s*(?:\S+ )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
|  [3] ^\s*(?:\S+ )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*Failed (?:password|publickey) for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$
|  [4] ^\s*(?:\S+ )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*ROOT LOGIN REFUSED.* FROM <HOST>\s*$
|  [5] ^\s*(?:\S+ )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*[iI](?:llegal|nvalid) user .* from <HOST>\s*$
|  [6] ^\s*(?:\S+ )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*User .+ from <HOST> not allowed because not listed in AllowUsers$
|  [7] ^\s*(?:\S+ )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*authentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
|  [8] ^\s*(?:\S+ )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*refused connect from \S+ \(<HOST>\)\s*$
|  [9] ^\s*(?:\S+ )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*Address <HOST> .* POSSIBLE BREAK-IN ATTEMPT!*\s*$
|  [10] ^\s*(?:\S+ )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*User .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$
|
`- Number of matches:
   [1] 0 match(es)
   [2] 0 match(es)
   [3] 6 match(es)
   [4] 0 match(es)
   [5] 40 match(es)
   [6] 0 match(es)
   [7] 0 match(es)
   [8] 0 match(es)
   [9] 0 match(es)
   [10] 0 match(es)

Ignoreregex
|- Regular expressions:
|
`- Number of matches:

Summary
=======

Addresses found:
[1]
[2]
[3]
    XXXXXXXXXXXXXX (Tue Jul 27 02:46:01 2010)
... several times the same line ...
    XXXXXXXXXXXXXX (Tue Jul 27 02:49:51 2010)
[4]
[5]
    XXXXXXXXXXXXXX (Tue Jul 27 02:17:17 2010)
... several times the same line ...
    XXXXXXXXXXXXXX (Tue Jul 27 03:17:16 2010)
[6]
[7]
[8]
[9]
[10]

Date template hits:
16096 hit(s): MONTH Day Hour:Minute:Second
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
0 hit(s): Year/Month/Day Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/MONTH/Year:Hour:Minute:Second
0 hit(s): Month/Day/Year:Hour:Minute:Second
0 hit(s): Year-Month-Day Hour:Minute:Second
0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
0 hit(s): Day-Month-Year Hour:Minute:Second
0 hit(s): TAI64N
0 hit(s): Epoch
0 hit(s): ISO 8601
0 hit(s): Hour:Minute:Second
0 hit(s): <Month/Day/Year@Hour:Minute:Second>

Success, the total number of match is 46

However, look at the above section 'Running tests' which could contain important
information.

This says that fail2ban has found 46 entries... but if I run the client in interactive mode and ask for the status:

[10:28:09] root@hostname:[/etc/fail2ban]:fail2ban-client  -i
Fail2Ban v0.8.4-SVN reads log file that contains password failure report
and bans the corresponding IP addresses using firewall rules.

fail2ban> status ssh-iredmail
Status for the jail: ssh-iredmail
|- filter
|  |- File list:    /var/log/auth.log 
|  |- Currently failed:    0
|  `- Total failed:    0
`- action
   |- Currently banned:    0
   |  `- IP list:    
   `- Total banned:    0
fail2ban> 

I'm using Ubuntu 11.04 on an Amazon EC2 host.

My log from syslog:

Jul 27 03:19:34 ec2 fail2ban.jail   : INFO   Creating new jail 'ssh-iredmail'
Jul 27 03:19:34 ec2 fail2ban.jail   : INFO   Jail 'ssh-iredmail' uses poller
Jul 27 03:19:34 ec2 fail2ban.filter : INFO   Added logfile = /var/log/auth.log
Jul 27 03:19:34 ec2 fail2ban.filter : INFO   Set maxRetry = 5
Jul 27 03:19:34 ec2 fail2ban.filter : INFO   Set findtime = 36000
Jul 27 03:19:34 ec2 fail2ban.actions: INFO   Set banTime = 600
Jul 27 03:19:34 ec2 fail2ban.jail   : INFO   Creating new jail 'roundcube-iredmail'
Jul 27 03:19:34 ec2 fail2ban.jail   : INFO   Jail 'roundcube-iredmail' uses poller
Jul 27 03:19:34 ec2 fail2ban.filter : INFO   Added logfile = /var/log/mail.log
Jul 27 03:19:34 ec2 fail2ban.filter : INFO   Set maxRetry = 5
Jul 27 03:19:34 ec2 fail2ban.filter : INFO   Set findtime = 3600
Jul 27 03:19:34 ec2 fail2ban.actions: INFO   Set banTime = 3600
Jul 27 03:19:34 ec2 fail2ban.jail   : INFO   Creating new jail 'dovecot-iredmail'
Jul 27 03:19:34 ec2 fail2ban.jail   : INFO   Jail 'dovecot-iredmail' uses poller
Jul 27 03:19:34 ec2 fail2ban.filter : INFO   Added logfile = /var/log/dovecot.log
Jul 27 03:19:34 ec2 fail2ban.filter : INFO   Set maxRetry = 5
Jul 27 03:19:34 ec2 fail2ban.filter : INFO   Set findtime = 300
Jul 27 03:19:34 ec2 fail2ban.actions: INFO   Set banTime = 3600
Jul 27 03:19:34 ec2 fail2ban.jail   : INFO   Creating new jail 'postfix-iredmail'
Jul 27 03:19:34 ec2 fail2ban.jail   : INFO   Jail 'postfix-iredmail' uses poller
Jul 27 03:19:34 ec2 fail2ban.filter : INFO   Added logfile = /var/log/mail.log
Jul 27 03:19:34 ec2 fail2ban.filter : INFO   Set maxRetry = 5
Jul 27 03:19:34 ec2 fail2ban.filter : INFO   Set findtime = 600
Jul 27 03:19:34 ec2 fail2ban.actions: INFO   Set banTime = 3600
Jul 27 03:19:34 ec2 fail2ban.jail   : INFO   Jail 'ssh-iredmail' started
Jul 27 03:19:34 ec2 fail2ban.jail   : INFO   Jail 'roundcube-iredmail' started
Jul 27 03:19:34 ec2 fail2ban.jail   : INFO   Jail 'dovecot-iredmail' started
Jul 27 03:19:34 ec2 fail2ban.jail   : INFO   Jail 'postfix-iredmail' started

Thanks!

2

Re: [SOLVED] fail2ban not working

You have "findtime = 3600" in the Fail2ban config files; it means Fail2ban only checks log entries generated in the last hour (3600 seconds).

You can try to perform SMTP/IMAP/POP3 connections with an incorrect password, and see whether or not you are blocked.

3

Re: [SOLVED] fail2ban not working

Hello!

This was just a test... the default value is 600...

Even with 600 it doesn't work.

Thanks.

4

Re: [SOLVED] fail2ban not working

As mentioned in the previous reply, I suggest trying to perform SMTP/IMAP/POP3 connections with an incorrect password in a short time, and see whether or not you are blocked.

5

Re: [SOLVED] fail2ban not working

I just tested it.

Same issue... including RoundCube...

Running tests
=============

Use regex file : /etc/fail2ban/filter.d/roundcube.iredmail.conf
Use log file   : /var/log/mail.log


Results
=======

Failregex
|- Regular expressions:
|  [1] roundcube: (.*) Error: Login failed for (.*) from <HOST>\.
|
`- Number of matches:
   [1] 7 match(es)

Ignoreregex
|- Regular expressions:
|
`- Number of matches:

Summary
=======

Addresses found:
[1]
    XXXXXXXXXXXXXX (Tue Jul 27 04:23:10 2010)
    XXXXXXXXXXXXXX (Tue Jul 27 04:23:33 2010)
    XXXXXXXXXXXXXX (Tue Jul 27 04:24:05 2010)
    XXXXXXXXXXXXXX (Tue Jul 27 04:24:19 2010)
    XXXXXXXXXXXXXX (Tue Jul 27 04:25:32 2010)
    XXXXXXXXXXXXXX (Tue Jul 27 04:26:11 2010)
    XXXXXXXXXXXXXX (Tue Jul 27 04:26:22 2010)

Date template hits:
888 hit(s): MONTH Day Hour:Minute:Second
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
0 hit(s): Year/Month/Day Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/MONTH/Year:Hour:Minute:Second
0 hit(s): Month/Day/Year:Hour:Minute:Second
0 hit(s): Year-Month-Day Hour:Minute:Second
0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
0 hit(s): Day-Month-Year Hour:Minute:Second
0 hit(s): TAI64N
0 hit(s): Epoch
0 hit(s): ISO 8601
0 hit(s): Hour:Minute:Second
0 hit(s): <Month/Day/Year@Hour:Minute:Second>

Success, the total number of match is 7

However, look at the above section 'Running tests' which could contain important
information.
fail2ban> status roundcube-iredmail
Status for the jail: roundcube-iredmail
|- filter
|  |- File list:    /var/log/mail.log 
|  |- Currently failed:    0
|  `- Total failed:    0
`- action
   |- Currently banned:    0
   |  `- IP list:    
   `- Total banned:    0
fail2ban> status postfix-iredmail
Status for the jail: postfix-iredmail
|- filter
|  |- File list:    /var/log/mail.log 
|  |- Currently failed:    0
|  `- Total failed:    0
`- action
   |- Currently banned:    0
   |  `- IP list:    
   `- Total banned:    0

6

Re: [SOLVED] fail2ban not working

terciof wrote:

Addresses found:
[1]
    XXXXXXXXXXXXXX (Tue Jul 27 04:23:10 2010)
    XXXXXXXXXXXXXX (Tue Jul 27 04:23:33 2010)
    XXXXXXXXXXXXXX (Tue Jul 27 04:24:05 2010)
    XXXXXXXXXXXXXX (Tue Jul 27 04:24:19 2010)
    XXXXXXXXXXXXXX (Tue Jul 27 04:25:32 2010)
    XXXXXXXXXXXXXX (Tue Jul 27 04:26:11 2010)
    XXXXXXXXXXXXXX (Tue Jul 27 04:26:22 2010)

The year in the log is 2010, is it correct? We live in 2011 today.

7 (edited by terciof 2011-07-27 23:07:51)

Re: [SOLVED] fail2ban not working

Interesting... the log itself doesn't have the year...

I need to find out why it is considering 2010.

My output is something like:

Jul 27 02:45:59 ec2 sshd[28146]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=XXXXXXXXXXXXXX  user=root
Jul 27 02:46:01 ec2 sshd[28146]: Failed password for root from XXXXXXXXXXXXXX port 42125 ssh2

This may be happening in all Ubuntu 11.04 boxes.

Thanks!

8

Re: [SOLVED] fail2ban not working

I found the problem.

Today, when I ran the regex against the log from yesterday, the result was 2011...

Then I tried again to break the system, and the result was 2010...

The problem is that in my syslog I have my current time (UTC-0300), but auth.log is using the previous UTC time (I'm using Amazon EC2, whose default image is UTC). This leads to a time that is in the future, so fail2ban considers it a record from last year...

When I installed the machine I used dpkg-reconfigure tzdata to reconfigure my timezone. But it doesn't change it in all places.

I needed to copy my timezone info file from /usr/share/zoneinfo/America/Sao_Paulo to /etc/localtime.

After that my auth.log started logging the date correctly... and fail2ban is working now.

This is an important concern, as a lot of people out there may change the timezone in an improper way that leads to an insecure system.

Thanks again.
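The year-inference failure worked out in post 8, as an added Python example (not fail2ban's own code): a yearless "MONTH Day HH:MM:SS" syslog stamp is completed with the current year and, if that lands in the future, rolled back a year, which is the behaviour the thread observed. With the daemon's clock at UTC-3 and auth.log stamped in UTC, every fresh entry becomes about a year old and falls outside findtime. The log lines, the host address and the two clock values are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, modeled on the auth.log lines quoted in the thread
# (192.0.2.10 is a documentation address, not a real host).
SAMPLE_LOG = """\
Jul 27 02:46:01 ec2 sshd[28146]: Failed password for root from 192.0.2.10 port 42125 ssh2
Jul 27 02:46:05 ec2 sshd[28146]: Failed password for root from 192.0.2.10 port 42126 ssh2
"""

# Constructed "daemon clock" values just after those lines were written.
# auth.log stamped them in UTC (02:46), but the box runs at UTC-3, so local
# time is still Jul 26 (the skewed case from the thread) ...
LOCAL_NOW_SKEWED = datetime(2011, 7, 26, 23, 50, 0)
# ... and once /etc/localtime is fixed, the log and the clock agree.
LOCAL_NOW_FIXED = datetime(2011, 7, 27, 2, 50, 0)

SYSLOG_TS = re.compile(r"^(\w{3}) +(\d{1,2}) (\d{2}:\d{2}:\d{2}) ")
FAILED_PW = re.compile(r"Failed (?:password|publickey) for .* from (?P<host>\S+)")


def parse_syslog_time(line, now):
    """Complete a yearless 'MONTH Day HH:MM:SS' stamp the way the thread observed:
    take the year from `now`; if the result lies in the future, assume it belongs
    to the previous year. Returns None when the line carries no such stamp."""
    m = SYSLOG_TS.match(line)
    if not m:
        return None
    mon, day, hms = m.groups()
    stamp = datetime.strptime(f"{now.year} {mon} {day} {hms}", "%Y %b %d %H:%M:%S")
    if stamp > now:
        stamp = stamp.replace(year=now.year - 1)
    return stamp


def count_recent_failures(log_text, now, findtime):
    """Per-host count of failregex hits whose inferred stamp lies within `findtime`
    seconds of `now`; this is the count that must reach maxretry before a ban."""
    window = timedelta(seconds=findtime)
    counts = {}
    for line in log_text.splitlines():
        stamp = parse_syslog_time(line, now)
        hit = FAILED_PW.search(line)
        if stamp is None or hit is None or now - stamp > window:
            continue
        counts[hit.group("host")] = counts.get(hit.group("host"), 0) + 1
    return counts


if __name__ == "__main__":
    print("skewed clock:", count_recent_failures(SAMPLE_LOG, LOCAL_NOW_SKEWED, 600))  # {}
    print("fixed clock: ", count_recent_failures(SAMPLE_LOG, LOCAL_NOW_FIXED, 600))  # {'192.0.2.10': 2}
```

With the skewed clock the stamps are rolled back to 2010 and nothing is counted, which is exactly the "Total failed: 0" the status command showed while fail2ban-regex still reported matches.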