05-28-2012, 08:00 PM
Dave Stevens

anyone care to help with a fail2ban problem on Centos 5.8?

I've got an up-to-date Centos 5.8 and can't seem to get fail2ban to
get rid of troublesome sshd login attempts. /etc/fail2ban/jail.conf
has these sections:

[ssh]

enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 6

# Generic filter for pam. Has to be used with action which bans all ports
# such as iptables-allports, shorewall
[pam-generic]

enabled = false
# pam-generic filter can be customized to monitor specific subset of 'tty's
filter = pam-generic
# port actually must be irrelevant but lets leave it all for some possible uses
port = all
banaction = iptables-allports
port = anyport
logpath = /var/log/auth.log
maxretry = 6

and an excerpt from a logwatch run just now is:

--------------------- pam_unix Begin ------------------------

sshd:
Authentication Failures:
unknown (190.145.98.179): 2460 Time(s)
root (58.51.95.75): 285 Time(s)
unknown (122.70.128.5): 125 Time(s)
postgres (190.145.98.179): 64 Time(s)
mail (190.145.98.179): 40 Time(s)
mysql (190.145.98.179): 40 Time(s)
root (190.145.98.179): 36 Time(s)
unknown (58.51.95.75): 26 Time(s)
ftp (190.145.98.179): 17 Time(s)
root (122.70.128.5): 15 Time(s)
root (221.226.215.117): 13 Time(s)
root (cloud-128-117.diagcomputing.org): 13 Time(s)
adm (190.145.98.179): 12 Time(s)

so advice? redirection? rtfm?

Dave


--
It is told that such are the aerodynamics and wing loading of the
bumblebee that, in principle, it cannot fly...if all this be
true...life among bumblebees must bear a remarkable resemblance to
life in the United States.

-- John Kenneth Galbraith, in American Capitalism: The Concept of
Countervailing Power


_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 05-29-2012, 11:23 AM
Nataraj
 
Default anyone care to helop with a fail2ban problem on Centos 5.8?

On 05/28/2012 01:00 PM, Dave Stevens wrote:
> I've got an up-to-date Centos 5.8 and can't seem to get fail2ban to
> get rid of troublesome sshd login attempts. /etc/fail2ban/jail.conf
> has these sections:
>
> [ssh]
>
> enabled = true
> port = ssh
> filter = sshd
> logpath = /var/log/auth.log
> maxretry = 6
>
> # Generic filter for pam. Has to be used with action which bans all ports
> # such as iptables-allports, shorewall
> [pam-generic]
>
> enabled = false
> # pam-generic filter can be customized to monitor specific subset of 'tty's
> filter = pam-generic
> # port actually must be irrelevant but lets leave it all for some possible uses
> port = all
> banaction = iptables-allports
> port = anyport
> logpath = /var/log/auth.log
> maxretry = 6
>
> and an excerpt from a logwatch run just now is:
>
> --------------------- pam_unix Begin ------------------------
>
> sshd:
> Authentication Failures:
> unknown (190.145.98.179): 2460 Time(s)
> root (58.51.95.75): 285 Time(s)
> unknown (122.70.128.5): 125 Time(s)
> postgres (190.145.98.179): 64 Time(s)
> mail (190.145.98.179): 40 Time(s)
> mysql (190.145.98.179): 40 Time(s)
> root (190.145.98.179): 36 Time(s)
> unknown (58.51.95.75): 26 Time(s)
> ftp (190.145.98.179): 17 Time(s)
> root (122.70.128.5): 15 Time(s)
> root (221.226.215.117): 13 Time(s)
> root (cloud-128-117.diagcomputing.org): 13 Time(s)
> adm (190.145.98.179): 12 Time(s)
>
> so advice? redirection? rtfm?
>
> Dave
>
>

First, I don't think your CentOS 5.8 system has a logfile named
/var/log/auth.log, so you probably want /var/log/secure or
/var/log/audit/audit.log, probably the former, otherwise you can try
enabling the pam filter in fail2ban.

Next, you need to edit /etc/fail2ban/filter.d/sshd.conf and setup the
python regular expression to match the failure messages that you get
from sshd (or pam). You can use the fail2ban-regex program (run it with
no arguments for a help message), to test and see if your regular
expressions are matching properly.

See http://docs.python.org/library/re.html for documentation on python
regular expressions and the fail2ban Wiki on http://www.fail2ban.org
which explains how to use a python variable in the RE to pass the IP
address from the logfile back to fail2ban.

I'm not sure where you got your fail2ban version, I think I'm running
one from EPEL, but the jail.conf entry that you have has no action
entry, so it won't do anything.

My jail.conf entry for ssh (I don't have SSH enabled for fail2ban),
looks like this:

[ssh-iptables]

enabled = false
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
         sendmail-whois[name=SSH, dest=root, sender=fail2ban@mail.com]
logpath = /var/log/secure
maxretry = 5



So to enable it, you would change the enabled line to 'enabled = true'.
The action line shown here will invoke the commands in
/etc/fail2ban/action.d/iptables.conf to insert iptables access lists to
block the offending ip address. You must have iptables turned on. You
can change the maxretry value to specify how many failures are allowed
before the IP is blocked. You can also add a "bantime = #seconds" to
the jail.conf entry to specify how long to block the IP for.

I would suggest that you remove the copy of fail2ban that you have
installed and install the one from the EPEL repo instead and you are
much more likely to have the correct configuration for the CentOS
logfiles as well as the correct regular expression for matching entries
in the log files, so that if you enable it in jail.conf, it might just
work with little or no customization.

Nataraj





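The reply above recommends pointing logpath at /var/log/secure, checking the filter's failregex with fail2ban-regex, and letting maxretry decide when a host gets banned. The script below is an added illustration of that matching step, not code from fail2ban or from either poster: it expands the `<HOST>` tag the way fail2ban does (the substitution string is an approximation), runs constructed sshd.conf-style patterns over a constructed /var/log/secure excerpt, and reports which hosts would reach maxretry and which lines no pattern matched.

```python
import re
from collections import Counter

# Roughly what fail2ban substitutes for the <HOST> tag (assumption about the
# 0.8.x series; the authoritative value is in fail2ban's own source).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# Syslog prefix as written to /var/log/secure on CentOS 5 (constructed here).
PREFIX = r"^\S+\s+\d+\s+\d+:\d+:\d+\s+\S+\s+sshd\[\d+\]:\s+"

# Failure patterns in the style of filter.d/sshd.conf; constructed for this
# example, not copied from the file fail2ban ships.
FAILREGEX = [
    PREFIX + r"Failed (?:password|publickey) for .* from <HOST>(?: port \d+)?(?: ssh\d*)?$",
    PREFIX + r"[iI](?:llegal|nvalid) user .* from <HOST>\s*$",
    PREFIX + r"pam_unix\(sshd:auth\): authentication failure; .* rhost=<HOST>(?:\s+user=\S+)?\s*$",
]
COMPILED = [re.compile(p.replace("<HOST>", HOST_RE)) for p in FAILREGEX]

# Constructed /var/log/secure excerpt; addresses reuse the ones in the thread.
SAMPLE_LOG = """\
May 28 12:01:02 c58 sshd[4101]: Failed password for root from 58.51.95.75 port 41422 ssh2
May 28 12:01:05 c58 sshd[4102]: Invalid user oracle from 190.145.98.179
May 28 12:01:05 c58 sshd[4102]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=190.145.98.179
May 28 12:01:06 c58 sshd[4102]: Failed password for invalid user oracle from 190.145.98.179 port 50123 ssh2
May 28 12:01:09 c58 sshd[4103]: Accepted publickey for dave from 10.0.0.5 port 5555 ssh2
May 28 12:01:11 c58 sshd[4104]: Failed password for root from 58.51.95.75 port 41430 ssh2
"""
SAMPLE_LINES = SAMPLE_LOG.splitlines()

def match_host(line):
    """Return the host captured by the first matching failregex, else None."""
    for rx in COMPILED:
        m = rx.match(line)
        if m:
            return m.group("host")
    return None

def count_failures(lines):
    """Tally failures per host, as a jail does before comparing with maxretry."""
    return Counter(h for h in map(match_host, lines) if h)

def hosts_to_ban(lines, maxretry=6):
    """Hosts with at least maxretry failures (findtime is ignored in this toy)."""
    return sorted(h for h, n in count_failures(lines).items() if n >= maxretry)

def unmatched(lines):
    """Lines no failregex matched, like the 'missed' section of fail2ban-regex."""
    return [l for l in lines if match_host(l) is None]

if __name__ == "__main__":
    print(count_failures(SAMPLE_LINES))
    print("would ban at maxretry=3:", hosts_to_ban(SAMPLE_LINES, maxretry=3))
    print("unmatched:", unmatched(SAMPLE_LINES))
```

With the thread's maxretry = 6 nothing in this short excerpt is banned; lowering it to 3 bans 190.145.98.179, and the only unmatched line is the successful login, which is what you want to see.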