fail2ban isn't banning

Amedee @ Ubuntu amedee-ubuntu at amedee.be
Wed Aug 5 11:15:37 UTC 2009


On Thu, July 30, 2009 14:38, Amedee @ Ubuntu wrote:
> Hello,
>
> I installed fail2ban. I also installed shorewall.
> It's my impression that nothing gets blocked by fail2ban.
> I will try to give as much detail as possible.
>
> I have added my fail2ban configuration files as fail2ban.tar.gz
> The important config changes are:
>
> /etc/fail2ban/fail2ban.conf:
> loglevel = 4
>
> /etc/fail2ban/jail.local:
> [postfix]
> enabled = true
> filter = postfix
> maxretry = 1
> banaction = shorewall
> bantime=86400
>
> [ssh]
> enabled = true
> filter = sshd
> banaction = shorewall
> bantime=86400
>
> /etc/fail2ban/filter.d/postfix.conf:
> failregex = reject: RCPT from (.*)\[<HOST>\]: 554
>             reject: RCPT from (.*)\[<HOST>\]: 550 .* Recipient address rejected: User unknown in local recipient table
>
>
> No config changes in /etc/fail2ban/jail.conf
>
>
> Testing, as described in
> http://www.fail2ban.org/wiki/index.php/FAQ_english#Fail2ban_is_running_but_not_banning_SSH_bruteforce
>
> # dpkg -l |grep fail
> ii  fail2ban                         0.8.3-2sid1                bans IPs
> that cause multiple authentication
> --> TEST OK
>
>
> # /etc/init.d/fail2ban status
> Status of authentication failure monitor:fail2ban is running.
> --> TEST OK
>
>
> # fail2ban-client status
> Status
> |- Number of jail:      2
> `- Jail list:           postfix, ssh
> --> TEST OK
>
>
> # fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/postfix.conf
> Running tests
> =============
>
> Use regex file : /etc/fail2ban/filter.d/postfix.conf
> Use log file   : /var/log/mail.log
>
>
> Results
> =======
>
> Failregex
> |- Regular expressions:
> |  [1] reject: RCPT from (.*)\[<HOST>\]: 554
> |  [2] reject: RCPT from (.*)\[<HOST>\]: 550 .* Recipient address rejected: User unknown in local recipient table
> |
> `- Number of matches:
>    [1] 569 match(es)
>    [2] 982 match(es)
>
> Ignoreregex
> |- Regular expressions:
> |
> `- Number of matches:
>
> Summary
> =======
>
> Addresses found:
> [1]
> *snip a few hundred ip addresses*
> Date template hits:
> 32237 hit(s): Month Day Hour:Minute:Second
> 0 hit(s): Weekday Month Day Hour:Minute:Second Year
> 0 hit(s): Weekday Month Day Hour:Minute:Second
> 0 hit(s): Year/Month/Day Hour:Minute:Second
> 0 hit(s): Day/Month/Year Hour:Minute:Second
> 0 hit(s): Day/Month/Year:Hour:Minute:Second
> 0 hit(s): Year-Month-Day Hour:Minute:Second
> 0 hit(s): Day-Month-Year Hour:Minute:Second[.Millisecond]
> 0 hit(s): TAI64N
> 0 hit(s): Epoch
> 0 hit(s): ISO 8601
>
> Success, the total number of match is 1551
>
> However, look at the above section 'Running tests' which could contain
> important information.
> --> TEST OK (I guess???)
>
>
> # date
> Thu Jul 30 14:14:16 CEST 2009
> # tail -2 /var/log/mail.log
> Jul 30 12:14:14 intrepid postfix/anvil[1115]: statistics: max connection
> count 1 for (smtp:75.89.255.116) at Jul 30 14:10:53
> Jul 30 12:14:14 intrepid postfix/anvil[1115]: statistics: max cache size 1
> at Jul 30 14:10:53
> --> TEST OK (I guess??? because my logs are in UTC, not in CEST=UTC+2)
>
>
>
> But this is rather strange:
>
> # fail2ban-client status postfix
> Status for the jail: postfix
> |- filter
> |  |- File list:        /var/log/mail.log
> |  |- Currently failed: 0
> |  `- Total failed:     0
> `- action
>    |- Currently banned: 0
>    |  `- IP list:
>    `- Total banned:     0
> --> NOK? Nothing is banned??
>
>
> # iptables -L -v
> Chain INPUT (policy DROP 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source
> destination
> 2793K 3926M accounting  all  --  any    any     anywhere
> anywhere
> 2793K 3926M dynamic    all  --  any    any     anywhere
> anywhere
> 2655K 3791M net2fw     all  --  eth0   any     anywhere
> anywhere
>  138K  135M ACCEPT     all  --  lo     any     anywhere
> anywhere
>     0     0 ACCEPT     all  --  any    any     anywhere
> anywhere            state RELATED,ESTABLISHED
>     0     0 Drop       all  --  any    any     anywhere
> anywhere
>     0     0 LOG        all  --  any    any     anywhere
> anywhere            LOG level info prefix `Shorewall:INPUT:DROP:'
>     0     0 DROP       all  --  any    any     anywhere
> anywhere
> *snip a few other chains*
> Chain dynamic (2 references)
>  pkts bytes target     prot opt in     out     source
> destination
> --> Nothing in chain dynamic???
>
>
> When I manually ban an IP address with the same actionban as in
> /etc/fail2ban/action.d/shorewall.conf, it *does* get blocked:
>
> # iptables -v -L dynamic
> Chain dynamic (2 references)
>  pkts bytes target     prot opt in     out     source
> destination
> # shorewall drop 10.10.10.10
> 10.10.10.10 Dropped
> # iptables -v -L dynamic
> Chain dynamic (2 references)
>  pkts bytes target     prot opt in     out     source
> destination
>     0     0 DROP       all  --  any    any     10.10.10.10
> anywhere
>
>
> Attached is a copy of /var/log/fail2ban.log (gzipped).
>
> How can I find out what's wrong and fix it?

*bump*
Sorry people but it still isn't working. Even a reboot didn't help. :-D

If this is not the right place to ask, please say so.

-- 
Amedee
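Added example, not from the original post and not fail2ban's own code. The message notes that the mail.log timestamps are in UTC while the system clock shows CEST (UTC+2), and that the jail reports "Total failed: 0" even though fail2ban-regex matches 1551 lines. A syslog "Month Day Hour:Minute:Second" prefix carries no zone, so a filter that reads it as local time sees every entry as two hours old, outside the default 600 s findtime window, and never counts it. The snippet below models that window with the two posted failregex lines so the effect can be seen on sample input. Whether this is the actual cause on the poster's box is an assumption; the log lines, the TEST-NET addresses and the `<HOST>` expansion are constructed approximations, not taken from the attached logs.

```python
import re
from datetime import datetime, timedelta, timezone

# fail2ban 0.8 expands <HOST> roughly to this pattern (approximation, not copied from fail2ban).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# The two failregex lines from the posted /etc/fail2ban/filter.d/postfix.conf.
FAILREGEX = [
    r"reject: RCPT from (.*)\[<HOST>\]: 554",
    r"reject: RCPT from (.*)\[<HOST>\]: 550 .* Recipient address rejected: "
    r"User unknown in local recipient table",
]

# syslog "Month Day Hour:Minute:Second" prefix: no year and no zone, which is the crux.
SYSLOG_TS = re.compile(r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) ")

# Constructed sample log lines (not from the poster's mail.log); TEST-NET addresses.
LOG_LINES = [
    "Jul 30 11:00:00 intrepid postfix/smtpd[2201]: NOQUEUE: reject: RCPT from "
    "unknown[198.51.100.7]: 554 5.7.1 Service unavailable; from=<a@example.com> to=<b@example.org>",
    "Jul 30 12:10:01 intrepid postfix/smtpd[2222]: NOQUEUE: reject: RCPT from "
    "unknown[203.0.113.5]: 554 5.7.1 Service unavailable; from=<a@example.com> to=<b@example.org>",
    "Jul 30 12:10:05 intrepid postfix/smtpd[2222]: NOQUEUE: reject: RCPT from "
    "unknown[203.0.113.5]: 550 5.1.1 <nobody@example.org>: Recipient address rejected: "
    "User unknown in local recipient table; from=<a@example.com> to=<nobody@example.org>",
    "Jul 30 12:11:30 intrepid postfix/anvil[1115]: statistics: max connection count 1 "
    "for (smtp:203.0.113.5) at Jul 30 12:10:53",
]

# "Now" as in the poster's `date` output: 14:14:16 CEST (UTC+2) on 30 July 2009.
CEST = timezone(timedelta(hours=2))
UTC = timezone.utc
NOW = datetime(2009, 7, 30, 14, 14, 16, tzinfo=CEST)


def compile_failregex(patterns):
    """Expand <HOST> the way fail2ban does and compile each failregex."""
    return [re.compile(p.replace("<HOST>", HOST_RE)) for p in patterns]


def parse_timestamp(line, year, log_tz):
    """Parse the syslog prefix; the zone must be supplied because the log does not carry one."""
    m = SYSLOG_TS.match(line)
    if not m:
        return None
    naive = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return naive.replace(tzinfo=log_tz)


def recent_failures(lines, now, log_tz, findtime=600):
    """Count failregex matches per host that fall inside the findtime window ending at `now`."""
    regexes = compile_failregex(FAILREGEX)
    counts = {}
    for line in lines:
        ts = parse_timestamp(line, now.year, log_tz)
        if ts is None:
            continue
        for rx in regexes:
            hit = rx.search(line)
            if hit:
                # fail2ban only counts a match if it is no older than findtime seconds.
                if (now - ts).total_seconds() <= findtime:
                    counts[hit["host"]] = counts.get(hit["host"], 0) + 1
                break
    return counts


def hosts_to_ban(lines, now, log_tz, findtime=600, maxretry=1):
    """Hosts whose recent failure count reaches maxretry (the posted jail uses maxretry = 1)."""
    recent = recent_failures(lines, now, log_tz, findtime)
    return sorted(h for h, c in recent.items() if c >= maxretry)


if __name__ == "__main__":
    # Log read as local (CEST) time, as a zone-less parser would do: every entry looks > 2 h old.
    print("log read as local time:", hosts_to_ban(LOG_LINES, NOW, CEST))  # []
    # Log read as UTC, which is what the clock actually recorded: 203.0.113.5 is inside findtime.
    print("log read as UTC:       ", hosts_to_ban(LOG_LINES, NOW, UTC))  # ['203.0.113.5']
```

The same lines produce no ban under one reading of the timestamp and a ban under the other; the 198.51.100.7 entry is excluded in both cases because it is older than findtime even in UTC. fail2ban-regex only reports regex matches and does not apply the findtime window, which is why its 1551 matches say nothing about whether the running jail would count them.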