Package: fail2ban
Version: 0.8.3-2sid1
Severity: grave
Justification: renders package unusable

Greetings Yarik!

fail2ban has worked great for years. Our last conversation was in 2005!

Upon updating (belatedly) to Lenny and changing my ssh port, I find fail2ban fails to ban ssh attacks. So either this is a grave bug rendering the package unable to fulfill its security function, or somehow I have inadvertently defeated it by changing the ssh port or something.

I am using the default fail2ban configuration/installation and no firewall package. (This box is behind a router.)

auth.log shows attacks continuing while fail2ban.log shows the offending ip "already banned."

~$ cat /var/log/fail2ban.log
2010-08-27 08:03:40,275 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.3
2010-08-27 08:03:40,287 fail2ban.jail : INFO Creating new jail 'ssh'
2010-08-27 08:03:40,288 fail2ban.jail : INFO Jail 'ssh' uses poller
2010-08-27 08:03:40,417 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2010-08-27 08:03:40,420 fail2ban.filter : INFO Set maxRetry = 6
2010-08-27 08:03:40,425 fail2ban.filter : INFO Set findtime = 600
2010-08-27 08:03:40,429 fail2ban.actions: INFO Set banTime = 600
2010-08-27 08:03:40,763 fail2ban.jail : INFO Jail 'ssh' started
2010-08-27 14:38:27,694 fail2ban.actions: WARNING [ssh] Ban 87.118.253.2
2010-08-27 14:40:02,859 fail2ban.actions: WARNING [ssh] 87.118.253.2 already banned
2010-08-27 14:41:42,946 fail2ban.actions: WARNING [ssh] 87.118.253.2 already banned
2010-08-27 14:43:42,062 fail2ban.actions: WARNING [ssh] 87.118.253.2 already banned
2010-08-27 14:45:11,155 fail2ban.actions: WARNING [ssh] 87.118.253.2 already banned
2010-08-27 14:46:42,236 fail2ban.actions: WARNING [ssh] 87.118.253.2 already banned
2010-08-27 14:48:15,321 fail2ban.actions: WARNING [ssh] 87.118.253.2 already banned

~$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target        prot opt source      destination
fail2ban-ssh  tcp  --  anywhere    anywhere     multiport dports ssh

Chain FORWARD (policy ACCEPT)
target        prot opt source      destination

Chain OUTPUT (policy ACCEPT)
target        prot opt source      destination

Chain fail2ban-ssh (1 references)
target        prot opt source      destination
DROP          all  --  host-2.PARUS.87.118.253.0.0xfffffff0.macomnet.net  anywhere
RETURN        all  --  anywhere    anywhere

Forcing this worked by manually dropping the attacking ip::

~$ sudo iptables -I INPUT -j DROP -s 87.118.253.2

Am I missing something?

Thanks!
Ralph

-- System Information:
Debian Release: 5.0.5
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-bpo.5-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages fail2ban depends on:
ii  lsb-base        3.2-20   Linux Standard Base 3.2 init scrip
ii  python          2.5.2-3  An interactive high-level object-o
ii  python-central  0.6.8    register and build utility for Pyt

Versions of packages fail2ban recommends:
ii  iptables  1.4.2-6  administration tools for packet fi
ii  whois     4.7.30   an intelligent whois client

Versions of packages fail2ban suggests:
ii  bsd-mailx [mailx]  8.1.2-0.20071201cvs-3  A simple mail user agent
pn  python-gamin       <none>                 (no description available)

-- no debconf information
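
The log pattern in the report above, one Ban line followed by repeated "already banned" warnings for the same address, means the jail's filter keeps matching new failures from a host the firewall action should be dropping. The following is an added example, not part of the original report and not fail2ban's own code, that scans a fail2ban.log in the 0.8.x format shown for such bans; the function name, the min_repeats threshold and the sample lines (documentation addresses) are assumptions.

```python
import re
from datetime import datetime

# fail2ban 0.8.x "actions" lines: Ban / Unban / "<ip> already banned".
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ fail2ban\.actions\s*: "
    r"WARNING \[(?P<jail>[^\]]+)\] "
    r"(?:(?P<verb>Ban|Unban) (?P<ip>\S+)|(?P<ip2>\S+) already banned)\s*$")

# Constructed sample in the format of the report (documentation addresses).
SAMPLE_LOG = """\
2010-08-27 08:03:40,420 fail2ban.filter : INFO Set maxRetry = 6
2010-08-27 14:38:27,694 fail2ban.actions: WARNING [ssh] Ban 192.0.2.10
2010-08-27 14:40:02,859 fail2ban.actions: WARNING [ssh] 192.0.2.10 already banned
2010-08-27 14:41:42,946 fail2ban.actions: WARNING [ssh] 192.0.2.10 already banned
2010-08-27 14:43:42,062 fail2ban.actions: WARNING [ssh] 192.0.2.10 already banned
2010-08-27 15:02:10,118 fail2ban.actions: WARNING [ssh] Ban 198.51.100.7
2010-08-27 15:02:11,120 fail2ban.actions: WARNING [ssh] 198.51.100.7 already banned
2010-08-27 15:12:10,530 fail2ban.actions: WARNING [ssh] Unban 198.51.100.7
"""

def leaking_bans(log_text, min_repeats=2):
    """Return bans whose target kept producing failures after the Ban line.

    One repeat right after a ban can be a failure already in flight, so
    the (assumed) default threshold is two.
    """
    active = {}    # (jail, ip) -> ban state while the ban is in force
    findings = []

    def close(key):
        state = active.pop(key, None)
        if state and state["repeats"] >= min_repeats:
            findings.append({"jail": key[0], "ip": key[1], **state})

    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue                      # filter/jail/server lines
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        key = (m["jail"], m["ip"] or m["ip2"])
        if m["verb"] == "Ban":
            close(key)
            active[key] = {"banned_at": ts, "repeats": 0, "last_seen": ts}
        elif m["verb"] == "Unban":
            close(key)
        elif key in active:               # "<ip> already banned"
            active[key]["repeats"] += 1
            active[key]["last_seen"] = ts
    for key in list(active):              # bans still in force at end of log
        close(key)
    return findings
```

A finding says traffic from that address still reaches the logged service while the ban is in force, so the next step is to compare the jail's iptables rule (chain, protocol, destination ports) with the port the service actually listens on.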