fail2ban isn't banning

Amedee @ Ubuntu amedee-ubuntu at amedee.be
Thu Jul 30 12:38:17 UTC 2009


Hello,

I installed fail2ban. I also installed shorewall.
It's my impression that nothing gets blocked by fail2ban.
I will try to give as much detail as possible.

I have added my fail2ban configuration files as fail2ban.tar.gz
The important config changes are:

/etc/fail2ban/fail2ban.conf:
loglevel = 4

/etc/fail2ban/jail.local:
[postfix]
enabled = true
filter = postfix
maxretry = 1
banaction = shorewall
bantime=86400

[ssh]
enabled = true
filter = sshd
banaction = shorewall
bantime=86400

/etc/fail2ban/filter.d/postfix.conf:
failregex = reject: RCPT from (.*)\[<HOST>\]: 554
            reject: RCPT from (.*)\[<HOST>\]: 550 .* Recipient address rejected: User unknown in local recipient table


No config changes in /etc/fail2ban/jail.conf


Testing, as described in
http://www.fail2ban.org/wiki/index.php/FAQ_english#Fail2ban_is_running_but_not_banning_SSH_bruteforce

# dpkg -l |grep fail
ii  fail2ban                         0.8.3-2sid1                bans IPs
that cause multiple authentication
--> TEST OK


# /etc/init.d/fail2ban status
Status of authentication failure monitor:fail2ban is running.
--> TEST OK


# fail2ban-client status
Status
|- Number of jail:      2
`- Jail list:           postfix, ssh
--> TEST OK


# fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/postfix.conf
Running tests
=============

Use regex file : /etc/fail2ban/filter.d/postfix.conf
Use log file   : /var/log/mail.log


Results
=======

Failregex
|- Regular expressions:
|  [1] reject: RCPT from (.*)\[<HOST>\]: 554
|  [2] reject: RCPT from (.*)\[<HOST>\]: 550 .* Recipient address rejected: User unknown in local recipient table
|
`- Number of matches:
   [1] 569 match(es)
   [2] 982 match(es)

Ignoreregex
|- Regular expressions:
|
`- Number of matches:

Summary
=======

Addresses found:
[1]
*snip a few hundred ip addresses*
Date template hits:
32237 hit(s): Month Day Hour:Minute:Second
0 hit(s): Weekday Month Day Hour:Minute:Second Year
0 hit(s): Weekday Month Day Hour:Minute:Second
0 hit(s): Year/Month/Day Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/Month/Year:Hour:Minute:Second
0 hit(s): Year-Month-Day Hour:Minute:Second
0 hit(s): Day-Month-Year Hour:Minute:Second[.Millisecond]
0 hit(s): TAI64N
0 hit(s): Epoch
0 hit(s): ISO 8601

Success, the total number of match is 1551

However, look at the above section 'Running tests' which could contain
important information.
--> TEST OK (I guess???)


# date
Thu Jul 30 14:14:16 CEST 2009
# tail -2 /var/log/mail.log
Jul 30 12:14:14 intrepid postfix/anvil[1115]: statistics: max connection
count 1 for (smtp:75.89.255.116) at Jul 30 14:10:53
Jul 30 12:14:14 intrepid postfix/anvil[1115]: statistics: max cache size 1
at Jul 30 14:10:53
--> TEST OK (I guess??? because my logs are in UTC, not in CEST=UTC+2)



But this is rather strange:

# fail2ban-client status postfix
Status for the jail: postfix
|- filter
|  |- File list:        /var/log/mail.log
|  |- Currently failed: 0
|  `- Total failed:     0
`- action
   |- Currently banned: 0
   |  `- IP list:
   `- Total banned:     0
--> NOK? Nothing is banned??


# iptables -L -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source
destination
2793K 3926M accounting  all  --  any    any     anywhere             anywhere
2793K 3926M dynamic    all  --  any    any     anywhere             anywhere
2655K 3791M net2fw     all  --  eth0   any     anywhere             anywhere
 138K  135M ACCEPT     all  --  lo     any     anywhere
anywhere
    0     0 ACCEPT     all  --  any    any     anywhere
anywhere            state RELATED,ESTABLISHED
    0     0 Drop       all  --  any    any     anywhere
anywhere
    0     0 LOG        all  --  any    any     anywhere
anywhere            LOG level info prefix `Shorewall:INPUT:DROP:'
    0     0 DROP       all  --  any    any     anywhere
anywhere
*snip a few other chains*
Chain dynamic (2 references)
 pkts bytes target     prot opt in     out     source
destination
--> Nothing in chain dynamic???


When I manually ban an IP address with the same actionban as in
/etc/fail2ban/action.d/shorewall.conf, it *does* get blocked:

# iptables -v -L dynamic
Chain dynamic (2 references)
 pkts bytes target     prot opt in     out     source
destination
# shorewall drop 10.10.10.10
10.10.10.10 Dropped
# iptables -v -L dynamic
Chain dynamic (2 references)
 pkts bytes target     prot opt in     out     source
destination
    0     0 DROP       all  --  any    any     10.10.10.10
anywhere


Attached is a copy of /var/log/fail2ban.log (gzipped).

How can I find out what's wrong and fix it?

-- 
Amedee
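Added example, not part of the original post: the `date` and `tail` output above show a system clock in CEST while mail.log is stamped in UTC. fail2ban 0.8 parses the syslog "Month Day Hour:Minute:Second" prefix as local time (the line carries no zone and no year) and a jail only counts a match whose timestamp is younger than the jail's findtime (600 s in the stock jail.conf), whereas fail2ban-regex applies the regex to every line regardless of age. The two can therefore disagree exactly as in the post: 1551 regex matches, but "Total failed: 0" in the jail. The Python below replays the jail's counting logic over constructed log lines modelled on the post, once with the clock as-is and once with the two-hour skew corrected. The `<HOST>` expansion is an approximation of fail2ban's, the helper names are mine, and the sample lines, TEST-NET addresses and the clock value are constructed from the post, not real data.

```python
import re
from datetime import datetime, timedelta

# The two failregex patterns from the post, with the wrapped second pattern
# joined back into one logical line.
FAILREGEX = [
    r"reject: RCPT from (.*)\[<HOST>\]: 554",
    r"reject: RCPT from (.*)\[<HOST>\]: 550 .* Recipient address rejected: "
    r"User unknown in local recipient table",
]

# Approximation of how fail2ban 0.8 expands the <HOST> tag into a named group.
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>\S+)"
COMPILED = [re.compile(p.replace("<HOST>", HOST_TAG)) for p in FAILREGEX]

# Syslog "Month Day Hour:Minute:Second" prefix, the only date template that
# hit in the post's fail2ban-regex run.
SYSLOG_TS = re.compile(r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) ")


def match_failure(line):
    """Return the host captured by the first matching failregex, else None."""
    for rx in COMPILED:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None


def parse_timestamp(line, year):
    """Parse the syslog prefix as a naive local-time datetime, as fail2ban 0.8
    does: the line carries neither year nor zone, so both are assumed."""
    m = SYSLOG_TS.match(line)
    if m is None:
        return None
    return datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)


def simulate_jail(lines, now, findtime=600, maxretry=1, log_offset_hours=0):
    """Replay the jail's counting logic over log lines.

    now              -- the system clock fail2ban compares against (naive local)
    findtime         -- window in seconds; older matches are not counted
    maxretry         -- matches within findtime that trigger a ban
    log_offset_hours -- correction added to log timestamps (e.g. 2 when the log
                        is stamped in UTC but the clock runs CEST); 0 mirrors
                        what fail2ban itself does
    """
    offset = timedelta(hours=log_offset_hours)
    counts = {}
    banned = set()
    stale = 0
    for line in lines:
        host = match_failure(line)
        if host is None:
            continue  # not a failure line at all
        ts = parse_timestamp(line, now.year)
        if ts is None:
            continue
        age = (now - (ts + offset)).total_seconds()
        if age > findtime:
            stale += 1  # regex matched, but the line is outside the window
            continue
        counts[host] = counts.get(host, 0) + 1
        if counts[host] >= maxretry:
            banned.add(host)
    return {"counts": counts, "banned": banned, "stale": stale}


# Constructed sample lines modelled on the post's mail.log (UTC stamps,
# hostname "intrepid", TEST-NET addresses); not real log data.
SAMPLE_LOG = [
    "Jul 30 12:13:40 intrepid postfix/smtpd[2231]: NOQUEUE: reject: RCPT from "
    "unknown[192.0.2.10]: 554 5.7.1 Service unavailable; Client host [192.0.2.10] "
    "blocked; from=<a@example.com> to=<bob@example.org> proto=ESMTP helo=<x>",
    "Jul 30 12:13:52 intrepid postfix/smtpd[2231]: NOQUEUE: reject: RCPT from "
    "mail.example.net[198.51.100.7]: 550 5.1.1 <nobody@example.org>: Recipient "
    "address rejected: User unknown in local recipient table; from=<b@example.net> "
    "to=<nobody@example.org> proto=ESMTP helo=<mail.example.net>",
    "Jul 30 12:14:10 intrepid postfix/smtpd[2240]: NOQUEUE: reject: RCPT from "
    "unknown[192.0.2.10]: 554 5.7.1 Service unavailable; from=<c@example.com> "
    "to=<bob@example.org> proto=ESMTP helo=<x>",
    "Jul 30 12:14:14 intrepid postfix/anvil[1115]: statistics: max connection "
    "count 1 for (smtp:192.0.2.10) at Jul 30 14:10:53",
]

# The clock from the post's `date` output: local time is CEST (UTC+2).
NOW_CEST = datetime(2009, 7, 30, 14, 14, 16)

if __name__ == "__main__":
    # Every match is ~2 h "old" from fail2ban's point of view: nothing counted.
    print("as fail2ban sees it:", simulate_jail(SAMPLE_LOG, NOW_CEST))
    # With log and clock in the same zone the postfix jail (maxretry = 1) bans.
    print("skew corrected:", simulate_jail(SAMPLE_LOG, NOW_CEST, log_offset_hours=2))
```

With loglevel = 4 the real fail2ban.log records, per line, whether a match was ignored because of its timestamp, so the same skew can be confirmed from the attached log rather than from a simulation; the fix is to have syslog and the system clock agree on a zone, or to lengthen findtime only as a stopgap.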