Old 06-17-2012, 02:16 PM
Leonard den Ottolander
 
Default

Hello Bob,

On Sat, 2012-06-16 at 22:47 -0400, Bob Hoffman wrote:
> 1- you must use gamin as the setting or the log rotations will make
> fail2ban fail

I noticed the failing of fail2ban after rotating the logs too.
Supposedly it works fine on CentOS 5 (from an IRC chat on
#fedora-epel(?)), but on CentOS 6 fail2ban will stop banning after log
rotation even though it should handle log rotation transparently.

However, you can fix your logrotate configuration to restart fail2ban
after rotating the logs. Sadly that will remove current bans, but at
least new bans will be added:

(mind the line wraps)

$ cat /etc/logrotate.d/syslog
/var/log/cron
/var/log/maillog
/var/log/messages
/var/log/secure
/var/log/spooler
{
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
        # reload fail2ban after log rotation
        /usr/bin/fail2ban-client -x reload > /dev/null
    endscript
}

Regards,
Leonard.

--
mount -t life -o ro /dev/dna /genetic/research


_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 06-17-2012, 02:32 PM
Mail Lists
 
Default

On 06/17/2012 10:16 AM, Leonard den Ottolander wrote:
> Hello Bob,
>
> On Sat, 2012-06-16 at 22:47 -0400, Bob Hoffman wrote:
>> 1- you must use gamin as the setting or the log rotations will make
>> fail2ban fail
> I noticed the failing of fail2ban after rotating the logs too.
> Supposedly it works fine on CentOS 5 (from an IRC chat on
> #fedora-epel(?)), but on CentOS 6 fail2ban will stop banning after log
> rotation even though it should handle log rotation transparently.
>
> However, you can fix your logrotate configuration to restart fail2ban
> after rotating the logs. Sadly that will remove current bans, but at
> least new bans will be added:
>
> (mind the line wraps)
>
> $ cat /etc/logrotate.d/syslog
> /var/log/cron
> /var/log/maillog
> /var/log/messages
> /var/log/secure
> /var/log/spooler
> {
> sharedscripts
> postrotate
> /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null`
> 2> /dev/null || true
> # reload fail2ban after log rotation
> /usr/bin/fail2ban-client -x reload> /dev/null
> endscript
> }
>
> Regards,
> Leonard.
>

I have been following this thread and I am interested to know what
kind of notice you're getting to know fail2ban has crashed
on a logrotate. I just did a force rotate and the only thing fail2ban
did was restart.

I am using Centos 6.2 + postfix + fail2ban-0.8.2-3.el6.rf

TIA
--
Brian ----- Get the latest Fremont, OH Weather
http://www.Fremont-OH-Weather.com
 
Old 06-17-2012, 02:38 PM
Leonard den Ottolander
 
Default

On Sun, 2012-06-17 at 10:32 -0400, Mail Lists wrote:
> I have been following this thread and I am interested to know what
> kinda of notice your getting to know fail2ban has crashed
> on a logrotate. I just did a force rotate and the only thing fail2ban
> did was restart.

There's no notice. For some reason it cannot find the log file(s) it's
tracking anymore after a log rotate and stops adding IPs. The way I
noticed this was happening is because fail2ban started to get awfully
quiet (no ban mails).

> I am using Centos 6.2 + postfix + fail2ban-0.8.2-3.el6.rf

The problem I'm seeing is with the EPEL build for CentOS 6. I don't know
if the RF build is also affected.

Regards,
Leonard.

--
mount -t life -o ro /dev/dna /genetic/research


 
Old 06-17-2012, 04:09 PM
Mail Lists
 
Default

On 06/17/2012 10:38 AM, Leonard den Ottolander wrote:
> The problem I'm seeing is with the EPEL build for CentOS 6. I don't
> know if the RF build is also affected. Regards, Leonard.

From what I am seeing the RF build is not affected. Within seconds
of my forced rotate I got notice of another ban.
Thanks for the info.

--
Brian ----- Get the latest Fremont, OH Weather
http://www.Fremont-OH-Weather.com
 
Old 06-17-2012, 04:32 PM
bob
 
Default

On 6/17/2012 12:09 PM, Mail Lists wrote:
> On 06/17/2012 10:38 AM, Leonard den Ottolander wrote:
>> The problem I'm seeing is with the EPEL build for CentOS 6. I don't
>> know if the RF build is also affected. Regards, Leonard.
> From what I am seeing the RF build is not effected. within seconds
> of my forced rotate I got notice of another ban.
> Thanks for the info..
>
Force rotate will not trigger the issue with fail2ban...
Set up your logrotate file to go daily and see what happens the next day.
 
Old 06-17-2012, 07:11 PM
bob
 
Default

On 6/17/2012 12:32 PM, bob wrote:
> force rotate will not trigger the issue with fail2ban....
> setup your logrotate file to go daily and see what happens the next day.

To clarify, it is the rotation of the log files fail2ban is looking at
that is the issue, not fail2ban rotating its own logs.
Without gamin being used with CentOS 6 it will get lost and stay on the
old log file that was rotated, thus never logging
anything again until restart/reload of the fail2ban client.
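The failure mode described in the message above (a reader that stays on the rotated file) can be reproduced in a few lines. This is an added example, not code from the thread or from fail2ban; the class names, the temporary file name and the log lines are constructed for the demonstration.

```python
import os
import tempfile


class NaiveTail:
    """Opens the log once and keeps reading from the same file handle."""

    def __init__(self, path):
        self.handle = open(path, "r")

    def read_new(self):
        return self.handle.readlines()


class RotationAwareTail:
    """Compares the path's inode before each read and reopens on change."""

    def __init__(self, path):
        self.path = path
        self._open()

    def _open(self):
        self.handle = open(self.path, "r")
        self.inode = os.fstat(self.handle.fileno()).st_ino

    def read_new(self):
        lines = self.handle.readlines()        # drain what is left in the old file
        try:
            current = os.stat(self.path).st_ino
        except FileNotFoundError:
            return lines                       # rotated, new file not created yet
        if current != self.inode:              # path now points at a different file
            self.handle.close()
            self._open()
            lines += self.handle.readlines()
        return lines


def simulate_rotation():
    """Constructed scenario: write, rotate (rename + create), write again."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        log = os.path.join(tmp, "secure")
        with open(log, "w") as f:
            f.write("before rotation\n")
        naive, aware = NaiveTail(log), RotationAwareTail(log)
        results["naive_before"] = naive.read_new()
        results["aware_before"] = aware.read_new()

        os.rename(log, log + ".1")             # logrotate without copytruncate
        with open(log, "w") as f:              # fresh file, new inode
            f.write("Failed password after rotation\n")

        results["naive_after"] = naive.read_new()
        results["aware_after"] = aware.read_new()
        naive.handle.close()
        aware.handle.close()
    return results


if __name__ == "__main__":
    for key, value in simulate_rotation().items():
        print(key, value)
```

The naive reader returns nothing after the rotation and raises no error, which matches the "awfully quiet" symptom reported earlier in the thread.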
 
Old 06-18-2012, 03:41 AM
Bob Hoffman
 
Default

Here is what I had to do to make fail2ban work with centos 6, fail2ban
from epel
This is a long letter and no html to make it read better.
It deals with failed jails during start, loss of ban/unban after systems
logrotates files, errors in jails,
sasl errors, logging file correctly to work with fail2ban and logwatch,
fail2ban logrotate.


I hope this helps others, it was a real bear and the first program/rpm I
used that really does not work very well as set up.
(An update was pushed a few weeks back, not sure how this affects
anything below...mine still works as is.)
Forgive me if I left something out.


first I added these programs to the EPEL repo ( I do not allow any
except those I use, so I use the following to limit the repo.)

includepkgs= fail2ban shorewall shorewall-core python-inotify gamin-python

Fail2ban has recently been updated on the epel repo and shorewall-core
is now needed too, this is new.
How the new update affects any of the below is beyond me, but I doubt
it changed anything.

1st issue
------------------
/etc/fail2ban/jail.conf
change line 39 to
backend = gamin

Without this fail2ban will ignore log rotations by logrotate and stay on
the old file in your jails.
This was needed or it failed. No errors, nothing.
Force log rotate did not make this happen, only the program running each
morning did it.
I changed mine to a daily rotate of /var/log/secure,vsftpd.log, etc...
to test this.
Without gamin it failed every time.

(also you need to add this)
line 16 (add your ip (or ip block?) after the 127 ip) Use a space
between them all.
ignoreip = 127.0.0.1 yourip


2nd issue
-------------------
With more than one jail you can (and will) get chances of errors when
starting fail2ban. Some people seem to attribute it to CentOS 6
having an older version of netfilter. The program goes too fast for
iptables and chokes setting up the chains.
Sometimes they all go on, most times I would lose one to two chains
during each restart of fail2ban.

You have to have debug with at least 'info' to see these errors. When
stopping you will get a ton of these errors too, but they seem
to have no effect on anything.

To stop these errors and allow all jails to start properly you have to
add a sleep line deep in the code.
I have not tested since the update to see if this was overwritten but
will do that this week.

/usr/bin/fail2ban-client

Find the following code and add the time.sleep(0.1) in there as I have.
You need to press the tab 3 times to indent it, python pays attention to
white space, it will choke if you do not do this.

add sleep command into the following, (tab three times)
starts at line 142

	def __processCmd(self, cmd, showRet = True):
		beautifier = Beautifier()
		for c in cmd:
			time.sleep(0.1)
			beautifier.setInputCmd(c)
			try:

This lets netfilter catch up with the fail2ban client and allows all
jails to get started properly.
If you only use one jail this would not be needed, but each one after
that offers a chance of not being turned on.


3rd issue
-------------------
The whole log thing is borked.
If you try to use fail2ban.log, fail2ban itself will choke on it.
If you try to use the repo's setup of using /var/log/messages then
logwatch will get borked on it.
However, if you set it all to /var/log/fail2ban as the log file, it will
work.

No matter which way you want it, logwatch, fail2ban, and logrotate all
point to different files for logging and it is a real mess.

Here is what I did to make it log and allow logrotate to work with it.

/etc/fail2ban/fail2ban.conf
line 25
logtarget = /var/log/fail2ban


/etc/logrotate.d/fail2ban
Below I changed the logtarget and stopped the 'restart' the repo wanted.
Thus it will keep running day after day.

/var/log/fail2ban {
    missingok
    notifempty
    rotate 7
    create 0600 root root
    postrotate
        /usr/bin/fail2ban-client set logtarget /var/log/fail2ban 2> /dev/null || true
    endscript
}

finally for logwatch
/usr/share/logwatch/default.conf/logfiles/fail2ban.conf
LogFile = fail2ban
Archive = fail2ban-*

------------------------------------------------------------------------------------------------------------------
Jails I set up...this is gonna be quick with little info, still writing
notes for the book on this one.
I lowered the times in them for this letter, but mine are much higher.
I separated the ports for each for testing and safety. You could make
all the ports blocked if you wanted to.

The first ssh in the repo is enabled by default I think. Make sure if
you use these you check all others to make sure they
are not enabled.

[ssh-iptables]

enabled = true
filter = sshd
action = iptables[name=SSH, port="22444", protocol=tcp]
logpath = /var/log/secure
maxretry = 2
bantime = 3600


[apache-tcp]
enabled = true
filter = apache-auth
bantime = 10000
action = iptables[name=ApacheAuth, port="80", protocol=tcp]
logpath = /var/log/httpd/error_log
maxretry = 3

[apache-ssl]
enabled = true
filter = apache-auth-ssl
bantime = 10000
action = iptables[name=ApacheAuthSsl, port="443", protocol=tcp]
logpath = /var/log/httpd/ssl_error_log
maxretry = 3



[vsftpd-iptables]
enabled = true
filter = vsftpd
action = iptables[name=VSFTPD, port="5000", protocol=tcp]
logpath = /var/log/vsftpd.log
maxretry = 3
bantime = 3600

[Dovecot]
enabled = true
filter = dovecot
bantime = 3600
maxretry = 2
action = iptables-multiport[name=DOVECOT, port="25,465,993,995", protocol=tcp]
logpath = /var/log/maillog

[Postfix]
enabled = true
filter = postfix
maxretry = 2
bantime = 3600
findtime = 3600
action = iptables-multiport[name=POSTFIX, port="25,465,993,995", protocol=tcp]
logpath = /var/log/maillog

[Postfix-sasl]
enabled = true
filter = sasl
maxretry = 4
bantime = 3600
findtime = 3600
action = iptables-multiport[name=POSTFIX-SASL, port="25,465,993,995", protocol=tcp]
logpath = /var/log/maillog


There was not one for dovecot, so I had to make one..
I do not think it is needed though, but I added it anyway (both go to
maillog, but I figured I could do things with the jail later)

Here are some files I had to add to make the above jails work.
#####################################
make a new file called dovecot.conf as below
/etc/fail2ban/filter.d/dovecot.conf

[Definition]
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
#         host must be matched by a group named "host". The tag "<HOST>" can
#         be used for standard IP/hostname matching.
# Values: TEXT
#

failregex = (?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =

####################################

for my apache auth I added this one from someone online too

#######################
make a new file
/etc/fail2ban/filter.d/apache-auth-ssl.conf
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 728 $
#

[Definition]

# Option: failregex
# Notes.: regex to match the password failure messages in the logfile. The
#         host must be matched by a group named "host". The tag "<HOST>" can
#         be used for standard IP/hostname matching and is only an alias for
#         (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = [[]client <HOST>[]] user .* authentication failure
            [[]client <HOST>[]] user .* not found
            [[]client <HOST>[]] user .* password mismatch

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
###############################


For postfix I had to add some things to block spam. I had made some
errors to default to 550 to lower spam attempts too.

/etc/fail2ban/filter.d/postfix.conf
failregex = reject: RCPT from (.*)\[<HOST>\]: 554
            reject: RCPT from (.*)\[<HOST>\]: 550
            reject: RCPT from (.*)\[<HOST>\]: 504

(still need to add a 501 in there too for invalid names)




#############################################
for the sasl/postfix to work properly some changes were made, this is my
file. The one that came with the repo will not work.
At least it did not work for me.

/etc/fail2ban/filter.d/sasl.conf

this is my file

# Fail2Ban configuration file
#
# Author: Yaroslav Halchenko
#
# $Revision: 728 $
#

[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
#         host must be matched by a group named "host". The tag "<HOST>" can
#         be used for standard IP/hostname matching and is only an alias for
#         (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+/]*={0,2})?$
            (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed: Invalid authentication mechanism
            (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed.*
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =

################################################## #



here is my iptables with some things taken out for security...lol


##############################################
[root@ ~]# iptables -L -n


Chain INPUT (policy ACCEPT)
target prot opt source destination
fail2ban-VSFTPD tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:xx
fail2ban-DOVECOT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 25,465,993,995
fail2ban-POSTFIX tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 25,465,993,995
fail2ban-ApacheAuthSsl tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
fail2ban-ApacheAuth tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
fail2ban-SSH tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22444
fail2ban-POSTFIX-SASL tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 25,465,993,995
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:25
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:465
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:993
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:995
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:xx
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED tcp dpt:xx
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED tcp dpt:xx
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:xx:xx
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain fail2ban-ApacheAuth (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0

Chain fail2ban-ApacheAuthSsl (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0

Chain fail2ban-DOVECOT (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0

Chain fail2ban-POSTFIX (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0

Chain fail2ban-POSTFIX-SASL (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0

Chain fail2ban-SSH (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0

Chain fail2ban-VSFTPD (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0

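A quick way to check the dovecot, postfix and sasl failregex lines from the post above before deploying them, written as an added example that is not from the post or from fail2ban itself. It assumes the `<HOST>` alias quoted in the filter comments (backslashes restored); the log lines are constructed samples using documentation IP ranges.

```python
import re

# Alias substituted for <HOST>, as quoted in the filter comments in the post
# (assumption: backslashes restored where the archive stripped them).
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# failregex lines from the post, with escaping intact.
FILTERS = {
    "dovecot": [
        r"(?: pop3-login|imap-login): (?:Authentication failure"
        r"|Aborted login \(auth failed|Aborted login \(tried to use disabled"
        r"|Disconnected \(auth failed).*rip=(?P<host>\S*),.*",
    ],
    "postfix": [
        r"reject: RCPT from (.*)\[<HOST>\]: 554",
        r"reject: RCPT from (.*)\[<HOST>\]: 550",
        r"reject: RCPT from (.*)\[<HOST>\]: 504",
    ],
    "sasl": [
        r"(?i): warning: [-._\w]+\[<HOST>\]: SASL "
        r"(?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed"
        r"(: [A-Za-z0-9+/]*={0,2})?$",
    ],
}

# The dovecot regex as a web archive shows it once backslashes are stripped.
DOVECOT_AS_DISPLAYED = (
    "(?: pop3-login|imap-login): (?:Authentication failure"
    "|Aborted login (auth failed|Aborted login (tried to use disabled"
    "|Disconnected (auth failed).*rip=(?P<host>S*),.*"
)

# Constructed sample log lines, one per filter.
SAMPLE_LINES = {
    "dovecot": "Jun 17 10:00:01 mail dovecot: imap-login: Aborted login "
               "(auth failed, 2 attempts): user=<bob>, method=PLAIN, "
               "rip=203.0.113.7, lip=192.0.2.10",
    "postfix": "Jun 17 10:02:11 mail postfix/smtpd[2211]: NOQUEUE: reject: "
               "RCPT from unknown[198.51.100.23]: 554 5.7.1 "
               "<x@example.com>: Relay access denied",
    "sasl": "Jun 17 10:03:40 mail postfix/smtpd[2290]: warning: "
            "unknown[192.0.2.55]: SASL LOGIN authentication failed: "
            "UGFzc3dvcmQ6",
}


def expand(failregex):
    """Substitute the <HOST> tag the way the filter comments describe."""
    return failregex.replace("<HOST>", HOST_ALIAS)


def compiles(failregex):
    """True if the expanded regex is syntactically valid."""
    try:
        re.compile(expand(failregex))
        return True
    except re.error:
        return False


def match_host(filter_name, line):
    """Return the captured host for the first matching regex, else None."""
    for failregex in FILTERS[filter_name]:
        m = re.search(expand(failregex), line)
        if m:
            return m.group("host")
    return None


def check_all():
    return {name: match_host(name, line) for name, line in SAMPLE_LINES.items()}


if __name__ == "__main__":
    print(check_all())
    print("as-displayed dovecot regex compiles:", compiles(DOVECOT_AS_DISPLAYED))
```

On a live system, `fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/sasl.conf` runs the same kind of check against real log data.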
 
Old 06-18-2012, 08:07 AM
Arch Website Notification
 
Default

=== Signoff report for [community-testing] ===
https://www.archlinux.org/packages/signoffs/

There are currently:
* 4 new packages in last 24 hours
* 0 known bad packages
* 0 packages not accepting signoffs
* 0 fully signed off packages
* 34 packages missing signoffs
* 0 packages older than 14 days

(Note: the word 'package' as used here refers to packages as grouped by
pkgbase, architecture, and repository; e.g., one PKGBUILD produces one
package per architecture, even if it is a split package.)


== New packages in [community-testing] in last 24 hours (4 total) ==

* nginx-1.2.1-4 (i686)
* oss-4.2_2006-3 (i686)
* nginx-1.2.1-4 (x86_64)
* oss-4.2_2006-3 (x86_64)


== Incomplete signoffs for [community] (34 total) ==

* ddclient-3.8.1-4 (any)
0/2 signoffs
* laptop-mode-tools-1.61-2 (any)
0/2 signoffs
* systemd-arch-units-20120612-2 (any)
0/2 signoffs
* ufw-0.31.1-2 (any)
0/2 signoffs
* chrony-1.26-3 (i686)
0/2 signoffs
* dcron-4.5-3 (i686)
0/2 signoffs
* exim-4.80-2 (i686)
0/2 signoffs
* fcron-3.0.6-7 (i686)
0/2 signoffs
* miredo-1.2.5-2 (i686)
0/2 signoffs
* nginx-1.2.1-4 (i686)
0/2 signoffs
* oidentd-2.0.8-6 (i686)
0/2 signoffs
* oss-4.2_2006-3 (i686)
0/2 signoffs
* pdnsd-1.2.9-2 (i686)
0/2 signoffs
* polipo-1.0.4.1-3 (i686)
0/2 signoffs
* prosody-0.8.2-4 (i686)
0/2 signoffs
* tor-0.2.2.36-2 (i686)
0/2 signoffs
* uptimed-0.3.17-2 (i686)
0/2 signoffs
* vnstat-1.11-3 (i686)
0/2 signoffs
* vsftpd-3.0.0-3 (i686)
0/2 signoffs
* chrony-1.26-3 (x86_64)
0/2 signoffs
* dcron-4.5-3 (x86_64)
0/2 signoffs
* exim-4.80-2 (x86_64)
0/2 signoffs
* fcron-3.0.6-7 (x86_64)
0/2 signoffs
* miredo-1.2.5-2 (x86_64)
0/2 signoffs
* nginx-1.2.1-4 (x86_64)
0/2 signoffs
* oidentd-2.0.8-6 (x86_64)
0/2 signoffs
* oss-4.2_2006-3 (x86_64)
0/2 signoffs
* pdnsd-1.2.9-2 (x86_64)
0/2 signoffs
* polipo-1.0.4.1-3 (x86_64)
0/2 signoffs
* prosody-0.8.2-4 (x86_64)
0/2 signoffs
* tor-0.2.2.36-2 (x86_64)
0/2 signoffs
* uptimed-0.3.17-2 (x86_64)
0/2 signoffs
* vnstat-1.11-3 (x86_64)
0/2 signoffs
* vsftpd-3.0.0-3 (x86_64)
0/2 signoffs


== Top five in signoffs in last 24 hours ==

1. allan - 2 signoffs
 
Old 06-18-2012, 08:07 AM
Arch Website Notification
 
Default

=== Signoff report for [testing] ===
https://www.archlinux.org/packages/signoffs/

There are currently:
* 9 new packages in last 24 hours
* 0 known bad packages
* 0 packages not accepting signoffs
* 3 fully signed off packages
* 62 packages missing signoffs
* 0 packages older than 14 days

(Note: the word 'package' as used here refers to packages as grouped by
pkgbase, architecture, and repository; e.g., one PKGBUILD produces one
package per architecture, even if it is a split package.)


== New packages in [testing] in last 24 hours (9 total) ==

* gzip-1.5-1 (i686)
* gzip-1.5-1 (x86_64)
* grub2-efi-x86_64-1:2.00beta6-1 (any)
* grub2-1:2.00beta6-1 (i686)
* nspr-4.9.1-1 (i686)
* nss-3.13.5-1 (i686)
* grub2-1:2.00beta6-1 (x86_64)
* nspr-4.9.1-1 (x86_64)
* nss-3.13.5-1 (x86_64)


== Incomplete signoffs for [core] (28 total) ==

* cloog-0.17.0-2 (i686)
1/2 signoffs
* cronie-1.4.8-2 (i686)
1/2 signoffs
* dmraid-1.0.0.rc16.3-7 (i686)
0/2 signoffs
* gcc-4.7.1-1 (i686)
1/2 signoffs
* glibc-2.15-12 (i686)
1/2 signoffs
* gzip-1.5-1 (i686)
1/2 signoffs
* isl-0.10-1 (i686)
1/2 signoffs
* krb5-1.10.2-2 (i686)
1/2 signoffs
* libtool-2.4.2-6 (i686)
1/2 signoffs
* lvm2-2.02.96-2 (i686)
0/2 signoffs
* openldap-2.4.31-3 (i686)
0/2 signoffs
* openssh-6.0p1-3 (i686)
1/2 signoffs
* sysvinit-2.88-5 (i686)
0/2 signoffs
* xinetd-2.3.15-2 (i686)
0/2 signoffs
* cloog-0.17.0-2 (x86_64)
1/2 signoffs
* cronie-1.4.8-2 (x86_64)
0/2 signoffs
* dmraid-1.0.0.rc16.3-7 (x86_64)
0/2 signoffs
* gcc-4.7.1-1 (x86_64)
1/2 signoffs
* glibc-2.15-12 (x86_64)
1/2 signoffs
* gzip-1.5-1 (x86_64)
1/2 signoffs
* isl-0.10-1 (x86_64)
1/2 signoffs
* krb5-1.10.2-2 (x86_64)
0/2 signoffs
* libtool-2.4.2-6 (x86_64)
1/2 signoffs
* lvm2-2.02.96-2 (x86_64)
0/2 signoffs
* openldap-2.4.31-3 (x86_64)
0/2 signoffs
* openssh-6.0p1-3 (x86_64)
0/2 signoffs
* sysvinit-2.88-5 (x86_64)
0/2 signoffs
* xinetd-2.3.15-2 (x86_64)
0/2 signoffs

== Incomplete signoffs for [extra] (34 total) ==

* archboot-2012.06-1 (any)
0/2 signoffs
* devtools-20120616-1 (any)
0/2 signoffs
* grub2-efi-x86_64-1:2.00beta6-1 (any)
0/2 signoffs
* i8kmon-1.33-4 (any)
0/2 signoffs
* bind-9.9.1.P1-2 (i686)
0/2 signoffs
* clamav-0.97.5-1 (i686)
0/2 signoffs
* dbus-1.6.0-1 (i686)
0/2 signoffs
* gcc4.6-4.6.3-2 (i686)
0/2 signoffs
* gpsd-3.6-1 (i686)
0/2 signoffs
* grub2-1:2.00beta6-1 (i686)
0/2 signoffs
* lm_sensors-3.3.2-3 (i686)
0/2 signoffs
* nspr-4.9.1-1 (i686)
0/2 signoffs
* nss-3.13.5-1 (i686)
0/2 signoffs
* ntp-4.2.6.p5-7 (i686)
0/2 signoffs
* sane-1.0.22-9 (i686)
0/2 signoffs
* smartmontools-5.42-4 (i686)
0/2 signoffs
* squid-3.1.20-2 (i686)
0/2 signoffs
* yp-tools-2.12-3 (i686)
0/2 signoffs
* ypbind-mt-1.33-5 (i686)
0/2 signoffs
* bind-9.9.1.P1-2 (x86_64)
0/2 signoffs
* clamav-0.97.5-1 (x86_64)
0/2 signoffs
* dbus-1.6.0-1 (x86_64)
0/2 signoffs
* gcc4.6-4.6.3-2 (x86_64)
0/2 signoffs
* gpsd-3.6-1 (x86_64)
0/2 signoffs
* grub2-1:2.00beta6-1 (x86_64)
0/2 signoffs
* lm_sensors-3.3.2-3 (x86_64)
0/2 signoffs
* nspr-4.9.1-1 (x86_64)
0/2 signoffs
* nss-3.13.5-1 (x86_64)
0/2 signoffs
* ntp-4.2.6.p5-7 (x86_64)
0/2 signoffs
* sane-1.0.22-9 (x86_64)
0/2 signoffs
* smartmontools-5.42-4 (x86_64)
0/2 signoffs
* squid-3.1.20-2 (x86_64)
0/2 signoffs
* yp-tools-2.12-3 (x86_64)
0/2 signoffs
* ypbind-mt-1.33-5 (x86_64)
0/2 signoffs


== Completed signoffs (3 total) ==

* netcfg-2.8.4-1 (any)
* dbus-core-1.6.0-3 (i686)
* dbus-core-1.6.0-3 (x86_64)


== Top five in signoffs in last 24 hours ==

1. allan - 2 signoffs
 
Old 06-18-2012, 01:53 PM
Leonard den Ottolander
 
Default

Hello Bob,

On Sun, 2012-06-17 at 23:41 -0400, Bob Hoffman wrote:
> /etc/fail2ban/jail.conf
> change line 39 to
> backend = gamin
>
> Without this fail2ban will ignore log rotations by logrotate and stay on
> the old file in your jails.

Polling doesn't work with python >= 2.6. I haven't tested if you will
actually get a warning when using backend = polling, but there's some
code in asyncserver.py that disables polling. Using backend = auto will fall
back to using pyInotify. This backend causes the issue with fail2ban not
noticing the log files having been rotated. Might be an issue with too
few events being passed to fail2ban. Couldn't quite work it out yet.

I have reported the issue:
https://bugzilla.redhat.com/show_bug.cgi?id=833056

> with more than one jail you can (and will) get chances of errors when
> starting fail2ban. Some people seem to attribute it centos 6
> having an older version of netfilter. The program goes to fast for
> iptables and chokes setting up the chains.

This issue is known in Debian's bug tracker which also provides a
reference to a patch that you might want to check out.

I have reported the issue:
https://bugzilla.redhat.com/show_bug.cgi?id=833046

> You have to have debug with at least 'info' to see these errors.

They are reported as errors, so I think you might be mistaken here. If
not then there's a bug with the error reporting.

> When
> stopping you will get a ton of these errors too, but they seem
> to have no effect on anything.

Those errors are caused by the chains to be removed not actually being
there.

> add sleep command into the following

That won't work with the current version. The code has changed
significantly. See the patch mentioned in the bugzilla entry above.

> The whole log thing is borked.
> if you try to use fail2ban.log, fail2ban itself will choke on it.

Haven't run into this one yet. Perhaps you can report that via
https://bugzilla.redhat.com/ (you can find EPEL under Fedora).

Regards,
Leonard.

--
mount -t life -o ro /dev/dna /genetic/research

