I'm trying to contend with global SSH brute force attacks with fail2ban.
Apparently I have one or more settings/permissions wrong. Iptables is
not being updated despite waves of attacks, and I'm not getting any
e-mail warnings. Suggestions anybody?

--Doc Savage
  Fairview Heights, IL

I've made the following changes to /etc/fail2ban.conf:

  background = true
  bantime = -1
  ignoreip = 192.168.1.1/24
[MAIL] notification 
  enabled = true

Here is a sample entry from /var/log/secure for an attack on user
'nagios':

May  3 08:41:20 lion sshd[30068]: reverse mapping checking getaddrinfo for 51.82.66.200.in-addr.arpa failed - POSSIBLE BREAK-IN ATTEMPT!
May  3 08:41:20 lion sshd[30068]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=200.66.82.51  user=nagios
May  3 08:41:22 lion sshd[30068]: Failed password for nagios from 200.66.82.51 port 35501 ssh2
May  3 08:41:22 lion sshd[30069]: Received disconnect from 200.66.82.51: 11: Bye Bye

Here's an extract of /var/log/fail2ban.log

2009-04-20 05:32:55,617 WARNING: SSH: ReBan 58.218.209.21
2009-04-20 05:32:55,622 WARNING: SSH: ReBan 123.233.245.226
2009-04-20 05:32:55,627 WARNING: SSH: ReBan 202.104.3.83
2009-04-20 05:32:55,632 WARNING: SSH: ReBan 124.124.219.234
2009-04-20 05:32:55,637 WARNING: SSH: ReBan 116.228.171.5
2009-04-20 05:32:55,642 WARNING: SSH: ReBan 211.138.71.98
2009-04-20 05:32:56,653 ERROR: SSH: 58.218.209.21 already in ban list
2009-04-20 05:32:56,660 ERROR: Unable to send mail to localhost:25 from fail2ban to ['root']: <smtplib.SMTPSenderRefused instance at 0x2b8bb0577cb0>: (553, '5.5.4 <fail2ban>... Domain name required for sender address fail2ban', 'fail2ban')
2009-04-20 06:44:56,509 WARNING: SSH: Ban (permanent) 203.240.201.68
2009-04-20 06:44:56,527 ERROR: Unable to send mail to localhost:25 from fail2ban to ['root']: <smtplib.SMTPSenderRefused instance at 0x2b8bb0577c68>: (553, '5.5.4 <fail2ban>... Domain name required for sender address fail2ban', 'fail2ban')
2009-04-20 17:55:11,633 WARNING: SSH: Ban (permanent) 219.153.65.15
2009-04-20 17:55:11,651 ERROR: Unable to send mail to localhost:25 from fail2ban to ['root']: <smtplib.SMTPSenderRefused instance at 0x2b8bb0577a28>: (553, '5.5.4 <fail2ban>... Domain name required for sender address fail2ban', 'fail2ban')
2009-04-21 11:56:33,547 WARNING: SSH: Ban (permanent) 117.21.249.75
2009-04-21 11:56:33,862 ERROR: Unable to send mail to localhost:25 from fail2ban to ['root']: <smtplib.SMTPSenderRefused instance at 0x2b8bb0577908>: (553, '5.5.4 <fail2ban>... Domain name required for sender address fail2ban', 'fail2ban')
2009-04-21 21:23:20,970 WARNING: SSH: Ban (permanent) 220.225.90.184
2009-04-21 21:23:20,987 ERROR: Unable to send mail to localhost:25 from fail2ban to ['root']: <smtplib.SMTPSenderRefused instance at 0x2b8bb0577cb0>: (553, '5.5.4 <fail2ban>... Domain name required for sender address fail2ban', 'fail2ban')
2009-04-23 06:45:27,698 WARNING: Restoring firewall rules...
2009-04-23 06:45:27,741 WARNING: SSH: Unban 58.218.209.21
2009-04-23 06:45:27,930 ERROR: 'iptables -L INPUT | grep -q fail2ban-SSH' returned 256
2009-04-23 06:45:27,931 WARNING: SSH: Unban 123.233.245.226
2009-04-23 06:45:27,936 ERROR: 'iptables -L INPUT | grep -q fail2ban-SSH' returned 256
2009-04-23 06:45:27,937 WARNING: SSH: Unban 219.153.65.15
2009-04-23 06:45:27,942 ERROR: 'iptables -L INPUT | grep -q fail2ban-SSH' returned 256
2009-04-23 06:45:27,942 WARNING: SSH: Unban 203.240.201.68
2009-04-23 06:45:27,947 ERROR: 'iptables -L INPUT | grep -q fail2ban-SSH' returned 256
2009-04-23 06:45:27,948 WARNING: SSH: Unban 202.104.3.83
2009-04-23 06:45:27,953 ERROR: 'iptables -L INPUT | grep -q fail2ban-SSH' returned 256
2009-04-23 06:45:27,953 WARNING: SSH: Unban 124.124.219.234
2009-04-23 06:45:27,958 ERROR: 'iptables -L INPUT | grep -q fail2ban-SSH' returned 256
2009-04-23 06:45:27,959 WARNING: SSH: Unban 116.228.171.5
2009-04-23 06:45:27,964 ERROR: 'iptables -L INPUT | grep -q fail2ban-SSH' returned 256
2009-04-23 06:45:27,964 WARNING: SSH: Unban 211.138.71.98
2009-04-23 06:45:27,970 ERROR: 'iptables -L INPUT | grep -q fail2ban-SSH' returned 256
2009-04-23 06:45:27,970 WARNING: SSH: Unban 220.225.90.184
2009-04-23 06:45:27,976 ERROR: 'iptables -L INPUT | grep -q fail2ban-SSH' returned 256
2009-04-23 06:45:27,976 WARNING: SSH: Unban 117.21.249.75
2009-04-23 06:45:27,981 ERROR: 'iptables -L INPUT | grep -q fail2ban-SSH' returned 256
2009-04-23 06:45:28,020 ERROR: 'iptables -D INPUT -p tcp --dport ssh -j fail2ban-SSH
iptables -F fail2ban-SSH
iptables -X fail2ban-SSH' returned 256
2009-04-26 18:28:57,257 WARNING: SSH: Ban (permanent) 201.117.193.110
2009-04-26 18:28:57,272 ERROR: Unable to send mail to localhost:25 from root to ['root']: <socket.error instance at 0x2b03f2df3830>: (111, 'Connection refused')
2009-04-27 12:36:47,779 WARNING: SSH: Ban (permanent) 122.193.0.164
2009-04-27 12:36:47,792 ERROR: Unable to send mail to localhost:25 from root to ['root']: <socket.error instance at 0x2b03f2df37e8>: (111, 'Connection refused')
2009-04-27 15:34:28,384 WARNING: SSH: Ban (permanent) 147.8.189.246
2009-04-27 15:34:28,395 ERROR: Unable to send mail to localhost:25 from root to ['root']: <socket.error instance at 0x2b03f2df37a0>: (111, 'Connection refused')
2009-04-27 20:15:46,903 WARNING: SSH: Ban (permanent) 87.94.164.68
2009-04-27 20:15:46,922 ERROR: Unable to send mail to localhost:25 from root to ['root']: <socket.error instance at 0x2b03f2df3830>: (111, 'Connection refused')

_______________________________________________
rhelv5-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/rhelv5-list
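The log extract in the post above carries enough information to separate the two problems it describes (bans that never reach iptables, and notification mail that never leaves the box). The script below is an added example, not part of the post and not fail2ban's own code: it parses a handful of the post's own fail2ban.log and /var/log/secure lines (copied in as a constructed sample, joined where the mail client wrapped them), reports which hosts fail2ban believes are banned, decodes the `returned 256` wait status of the `grep -q fail2ban-SSH` check into the exit code it really is, and attributes each mail failure to its SMTP error. The regular expressions and the hint table are this example's own assumptions about the 0.7-era log format, not anything fail2ban ships.

```python
"""Triage a fail2ban 0.7-era log to see whether bans reached the firewall and
why notification mail failed. Added example; not fail2ban code."""
import re
from collections import Counter

# Constructed sample: a subset of the post's /var/log/fail2ban.log extract.
FAIL2BAN_LOG = """\
2009-04-20 05:32:55,617 WARNING: SSH: ReBan 58.218.209.21
2009-04-20 05:32:56,653 ERROR: SSH: 58.218.209.21 already in ban list
2009-04-20 05:32:56,660 ERROR: Unable to send mail to localhost:25 from fail2ban to ['root']: <smtplib.SMTPSenderRefused instance at 0x2b8bb0577cb0>: (553, '5.5.4 <fail2ban>... Domain name required for sender address fail2ban', 'fail2ban')
2009-04-20 06:44:56,509 WARNING: SSH: Ban (permanent) 203.240.201.68
2009-04-23 06:45:27,698 WARNING: Restoring firewall rules...
2009-04-23 06:45:27,741 WARNING: SSH: Unban 58.218.209.21
2009-04-23 06:45:27,930 ERROR: 'iptables -L INPUT | grep -q fail2ban-SSH' returned 256
2009-04-26 18:28:57,257 WARNING: SSH: Ban (permanent) 201.117.193.110
2009-04-26 18:28:57,272 ERROR: Unable to send mail to localhost:25 from root to ['root']: <socket.error instance at 0x2b03f2df3830>: (111, 'Connection refused')
"""

# Constructed sample: one sshd line from the post's /var/log/secure extract.
SECURE_LOG = "May  3 08:41:22 lion sshd[30068]: Failed password for nagios from 200.66.82.51 port 35501 ssh2\n"

# Assumed line shapes, derived from the post's extract (not fail2ban's own regexes).
BAN_RE = re.compile(r"^(?P<ts>\S+ \S+) WARNING: (?P<jail>\w+): "
                    r"(?P<action>Ban \(permanent\)|Ban|ReBan|Unban) (?P<ip>[\d.]+)$")
CMD_RE = re.compile(r"ERROR: '(?P<cmd>.*)' returned (?P<rc>\d+)$")
MAIL_RE = re.compile(r"ERROR: Unable to send mail to (?P<server>\S+) from (?P<sender>\S+) to "
                     r".*: \((?P<code>\d+), '(?P<reason>[^']*)'")
# The kind of pattern fail2ban matches against sshd: who was tried, from where.
SSHD_FAIL_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?"
                          r"(?P<user>\S+) from (?P<host>[\d.]+) port \d+")

# Plain-language reading of the two error codes that appear in the post's log.
MAIL_HINTS = {
    553: "MTA rejected the envelope sender; it wants a fully qualified address",
    111: "connection refused: nothing is listening on the SMTP port",
}


def wait_status_to_exit_code(status):
    """Decode a shell wait status (the form os.system() returns) to the
    command's exit code: it lives in the high byte, so 256 -> 1."""
    return status >> 8


def triage(log_text):
    """Summarise ban bookkeeping, firewall check failures and mail failures."""
    banned, actions = set(), Counter()
    firewall_failures, mail_failures = [], []
    for line in log_text.splitlines():
        m = BAN_RE.match(line)
        if m:
            actions[m["action"]] += 1
            (banned.discard if m["action"] == "Unban" else banned.add)(m["ip"])
            continue
        m = CMD_RE.search(line)
        if m:
            firewall_failures.append((m["cmd"], wait_status_to_exit_code(int(m["rc"]))))
            continue
        m = MAIL_RE.search(line)
        if m:
            code = int(m["code"])
            mail_failures.append({"sender": m["sender"], "code": code,
                                  "reason": m["reason"],
                                  "hint": MAIL_HINTS.get(code, "unknown")})
    # 'grep -q fail2ban-SSH' exiting 1 means INPUT has no jump into fail2ban's
    # chain, so the bans recorded above were never enforced by iptables.
    chain_missing = any("grep -q fail2ban-SSH" in cmd and rc == 1
                        for cmd, rc in firewall_failures)
    return {"currently_banned": banned, "actions": actions,
            "firewall_failures": firewall_failures, "chain_missing": chain_missing,
            "mail_failures": mail_failures}


def parse_sshd_failures(text):
    """Extract (user, source host) pairs from sshd 'Failed password' lines."""
    return [(m["user"], m["host"]) for m in SSHD_FAIL_RE.finditer(text)]


if __name__ == "__main__":
    report = triage(FAIL2BAN_LOG)
    print("ban actions:", dict(report["actions"]))
    print("fail2ban thinks banned:", sorted(report["currently_banned"]))
    print("fail2ban-SSH chain missing from INPUT:", report["chain_missing"])
    for cmd, rc in report["firewall_failures"]:
        print("  failed check:", cmd, "-> exit code", rc)
    for f in report["mail_failures"]:
        print("mail from %s failed (%d): %s [%s]" % (f["sender"], f["code"], f["reason"], f["hint"]))
    print("sshd failures:", parse_sshd_failures(SECURE_LOG))
```

Run against the real files (`python triage.py`, or feed `open('/var/log/fail2ban.log').read()` to `triage`) and the two questions in the post answer themselves from its own data: `chain_missing` is true because the only thing the `grep` exit code 1 can mean is that the INPUT chain never referenced `fail2ban-SSH`, and the mail failures change cause between the 553 and 111 entries, so each needs its own fix on the MTA side rather than in fail2ban.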