Fail2ban failing to ban?

Lost Trunk

Ever since around the time I applied the last PiaF upgrade I have not received any more message from Fail2ban regarding break-in attempts, which I found a bit suspicious after a few days. So I checked the /var/log/secure log file and found that indeed, there had been hundreds of attempts, and judging by the number per IP address fail2ban hasn't been catching them. So I checked fail2ban.log and found several error messages, though as far as I can tell they appeared when fail2ban was restarting and was trying to delete its previous rules. Here is a typical snippet:

Code:
2010-12-04 16:32:34,606 fail2ban.actions.action: ERROR  iptables -N fail2ban-APACHE
iptables -A fail2ban-APACHE -j RETURN
iptables -I INPUT -p tcp -j fail2ban-APACHE returned 200
2010-12-04 16:44:13,634 fail2ban.actions.action: ERROR  iptables -D INPUT -p tcp -j fail2ban-APACHE
iptables -F fail2ban-APACHE
iptables -X fail2ban-APACHE returned 100
2010-12-04 16:44:13,945 fail2ban.jail   : INFO   Jail 'apache-tcpwrapper' stopped
2010-12-04 16:44:14,749 fail2ban.actions.action: ERROR  iptables -D INPUT -p tcp -m multiport --dports http,https -j fail2ban-BadBots
iptables -F fail2ban-BadBots
iptables -X fail2ban-BadBots returned 100
2010-12-04 16:44:14,970 fail2ban.jail   : INFO   Jail 'apache-badbots' stopped
2010-12-04 16:44:15,640 fail2ban.actions.action: ERROR  iptables -D INPUT -p tcp --dport ssh -j fail2ban-SSH
iptables -F fail2ban-SSH
iptables -X fail2ban-SSH returned 100
2010-12-04 16:44:15,858 fail2ban.jail   : INFO   Jail 'ssh-iptables' stopped
2010-12-04 16:44:16,764 fail2ban.actions.action: ERROR  iptables -D INPUT -p all -j fail2ban-ASTERISK
iptables -F fail2ban-ASTERISK
iptables -X fail2ban-ASTERISK returned 100
2010-12-04 16:44:16,984 fail2ban.jail   : INFO   Jail 'asterisk-iptables' stopped
2010-12-04 16:44:18,015 fail2ban.actions.action: ERROR  iptables -D INPUT -p tcp --dport ftp -j fail2ban-VSFTPD
iptables -F fail2ban-VSFTPD
iptables -X fail2ban-VSFTPD returned 100
2010-12-04 16:44:18,230 fail2ban.jail   : INFO   Jail 'vsftpd-iptables' stopped
2010-12-04 16:44:18,235 fail2ban.server : INFO   Exiting Fail2ban

I did find some information on a page at http://www.fail2ban.org/wiki/index.php/Fail2ban_talk:Community_Portal though I'm not certain this addresses my issue:

Code:
fail2ban.action.action ERROR on startup/restart

  I had multiple fail2ban.action.action ERROR on startup/restart. It seems there was a "race" condition with iptables. I solved the problem completely on my system by editing /usr/bin/fail2ban-client and adding a time.sleep(0.1)

    def __processCmd(self, cmd, showRet = True):
        beautifier = Beautifier()
        for c in cmd:
            time.sleep(0.1)      # the added line
            beautifier.setInputCmd(c)

I did try this but so far I have not seen any messages from fail2ban warning of attempted ssh breakins. The last message I received was on November 28 but as I say, my log files reveal several attempts since then.

Any thoughts?
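The cross-check the original poster did by hand (failed logins per IP in /var/log/secure versus Ban lines and iptables errors in fail2ban.log) as an added example script; this is not from the thread or from fail2ban, and all log lines below are constructed samples in the formats those two logs use.

```python
import re
from collections import Counter

# Constructed /var/log/secure lines (sshd "Failed password" format), not from the post.
SECURE_LOG = """\
Dec  4 16:40:01 pbx sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
Dec  4 16:40:03 pbx sshd[2203]: Failed password for invalid user admin from 198.51.100.7 port 51030 ssh2
Dec  4 16:40:05 pbx sshd[2205]: Failed password for root from 198.51.100.7 port 51041 ssh2
Dec  4 16:40:09 pbx sshd[2209]: Failed password for invalid user test from 198.51.100.7 port 51055 ssh2
Dec  4 16:40:12 pbx sshd[2211]: Failed password for invalid user oracle from 198.51.100.7 port 51060 ssh2
Dec  4 16:41:00 pbx sshd[2220]: Failed password for invalid user guest from 203.0.113.9 port 40001 ssh2
Dec  4 16:41:30 pbx sshd[2225]: Accepted publickey for ward from 192.0.2.10 port 50111 ssh2
"""

# Constructed fail2ban.log excerpt: one iptables action error and one Ban line.
FAIL2BAN_LOG = """\
2010-12-04 16:32:34,606 fail2ban.actions.action: ERROR  iptables -N fail2ban-SSH returned 200
2010-12-04 16:41:05,118 fail2ban.actions: WARNING [ssh-iptables] Ban 203.0.113.9
"""

FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for .* from (\d{1,3}(?:\.\d{1,3}){3}) port")
BAN_RE = re.compile(r"fail2ban\.actions: WARNING \[(?P<jail>[^\]]+)\] Ban (?P<ip>\S+)")
ACTION_ERR_RE = re.compile(r"fail2ban\.actions\.action: ERROR .*iptables .* returned (\d+)")

def failed_logins(secure_text):
    """Count 'Failed password' lines per source IP, the event the sshd filter keys on."""
    return Counter(m.group(1) for line in secure_text.splitlines() if (m := FAILED_RE.search(line)))

def banned_ips(f2b_text):
    """IPs that fail2ban reported as banned, in any jail."""
    return {m.group("ip") for line in f2b_text.splitlines() if (m := BAN_RE.search(line))}

def action_error_codes(f2b_text):
    """Non-zero iptables exit codes logged by fail2ban's action layer (chain setup/teardown)."""
    return [int(m.group(1)) for line in f2b_text.splitlines() if (m := ACTION_ERR_RE.search(line))]

def missed_hosts(secure_text, f2b_text, maxretry=5):
    """IPs that reached maxretry failures in secure but never got a Ban line: the symptom in the post."""
    counts = failed_logins(secure_text)
    banned = banned_ips(f2b_text)
    return sorted(ip for ip, n in counts.items() if n >= maxretry and ip not in banned)

if __name__ == "__main__":
    print("failed logins per IP:", dict(failed_logins(SECURE_LOG)))
    print("banned:", banned_ips(FAIL2BAN_LOG))
    print("iptables action errors:", action_error_codes(FAIL2BAN_LOG))
    print("offenders never banned:", missed_hosts(SECURE_LOG, FAIL2BAN_LOG))
```

Run it against the real files (read them instead of the embedded samples) to see which hosts crossed maxretry without a Ban line; a non-empty list alongside iptables action errors points at the chain setup rather than the filter.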
 
It would be helpful to know what upgrade you applied and when.
 
This update only updated asterisk.conf and *NOTHING* else. Set it back to the original and then *REBOOT* and see what happens. I don't see these problems on my lab servers at all yet.

cd /etc/fail2ban/filters.d
joe asterisk.conf

Here are the lines to comment out

# NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch

# VERBOSE.* logger.c: -- .*IP/<HOST>-.* Playing 'ss-noservice' (language '.*')


Notice I already put a # in front of them. This is the only difference. Ctrl KX saves the file; then reboot the system and see what happens.


good luck

Tom
 
Well, since rebooting I've received ONE notice of a banned IP from fail2ban, so that's more than I've received in a week. But I don't know if maybe the reboot fixed it, since I'm not sure how a bad rule in the asterisk jail could affect ssh (and those don't look bad, except possibly for the fact that there are no escape backslashes "\" in front of the two parenthesis characters, and I don't know regex well enough to know if those might be required in this case).

I'm not saying the update caused the problem, but I did have an additional rule that you don't in my Asterisk jail (see my post here) and I just wish that there were some way for you to detect when we have modified a file before you overwrite it. It worries me that one of these days you're going to overwrite a file that I've made some custom addition to (that will take a lot more effort to fix than merely re-adding that one line). Maybe some type of patch mechanism that would just update the lines that need to be changed, rather than replacing the entire file, might be a better way to go. Just a suggestion. I know I don't have to apply the updates, but on the whole I think they probably do a lot more good than harm - it's probably just a once in a great while thing when an update steps on something we've changed.

My gut feeling now is that the problem I've had is NOT the fault of the update, but it was just coincidence that it happened right around that time.
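To answer the regex question raised above, here is an added test harness (not from the thread, and not fail2ban's own code) that applies the two asterisk filter lines the way fail2ban does, with the `<HOST>` placeholder replaced by a host-capturing group. The `HOST_RE` substitution is assumed from fail2ban's filter code and may differ between versions; the Asterisk log lines are constructed samples.

```python
import re

# Assumption: fail2ban 0.8-style replacement for <HOST>; the exact group varies by version.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# The filter lines from the thread, one as written (unescaped parentheses) and one escaped.
NOSERVICE_UNESCAPED = r"VERBOSE.* logger.c: -- .*IP/<HOST>-.* Playing 'ss-noservice' (language '.*')"
NOSERVICE_ESCAPED = r"VERBOSE.* logger.c: -- .*IP/<HOST>-.* Playing 'ss-noservice' \(language '.*'\)"
REG_MISMATCH = r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch"

# Constructed Asterisk log lines in the shape each filter line is meant to catch.
NOSERVICE_SAMPLE = ("[Dec  4 16:40:01] VERBOSE[2201] logger.c: -- SIP/198.51.100.7-0000001a "
                    "Playing 'ss-noservice' (language 'en')")
REG_SAMPLE = ("[Dec  4 16:40:02] NOTICE[2201] chan_sip.c: Registration from '\"100\" <sip:100@pbx>' "
              "failed for '198.51.100.7' - Username/auth name mismatch")

def compile_failregex(failregex):
    """Build the Python pattern fail2ban would use: substitute <HOST> with the host group."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))

def extract_host(failregex, line):
    """Return the captured host if the failregex matches the line, else None."""
    m = compile_failregex(failregex).search(line)
    return m.group("host") if m else None

if __name__ == "__main__":
    # Unescaped '(' and ')' form a capture group, so the literal parentheses in the
    # log line are never matched and the host is not extracted.
    print("unescaped:", extract_host(NOSERVICE_UNESCAPED, NOSERVICE_SAMPLE))
    print("escaped:  ", extract_host(NOSERVICE_ESCAPED, NOSERVICE_SAMPLE))
    # The registration-mismatch line has no parentheses and matches as written.
    print("reg mismatch:", extract_host(REG_MISMATCH, REG_SAMPLE))
```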
 
