[SOLVED] Is there someone who succeeded with Fail2ban?
As title...
I always used fail2ban without problems with CentOS 5.6 or earlier, but now with CentOS 6
I'm not able to make fail2ban work well.
Rules are written ok, logs are ok, but fail2ban doesn't ban anyone...
Re: Is there someone who succeeded with Fail2ban?
I succeeded in getting fail2ban working. I did have to make one change to the /etc/fail2ban/jail.conf file.
By default, only [ssh-iptables] is enabled, but it wasn't working. When I looked at the result of running
iptables -L
I noticed that the chain fail2ban-SSH had zero references to it. On a hunch, I added
bantime = 1800
to the [ssh-iptables] section and restarted fail2ban (service fail2ban restart).
Now, iptables -L showed a rule in the INPUT chain which referenced the fail2ban-SSH chain.
I logged into a remote machine, and purposely failed to authenticate, and fail2ban added a DROP rule for that IP to the fail2ban-SSH chain.
I even changed the bantime, so it was 60, and tested it again. For a minute, the rule was added banning the IP, and then it was cleared.
So, it appears to be working, at least for ssh.
Re: Is there someone who succeeded with Fail2ban?
Did you install this with yum install or do you have to install it from an rpm approach?
thanks
[SOLVED] Is there someone who succeeded with Fail2ban?
Not sure what Keith or the OP did, but fail2ban is yummable (to coin a word) from multiple repos:
[code]
yum --noplugins --showduplicates --enablerepo \* --disablerepo \*-source --disablerepo \*-debug\* list fail2ban
...
fail2ban.noarch 0.8.2-3.el6.rf rpmforge
fail2ban.noarch 0.8.4-24.el6 epel
fail2ban.noarch 0.8.4-27.el6 atrpms
[/code]
Re: Is there someone who succeeded with Fail2ban?
I solved the problem with fail2ban; there was a date problem.
I solved it by editing:
/etc/fail2ban/filter.d/common.conf
and changing
__prefix_line = \s*(?:\S+ )?(?:@vserver_\S+ )?%(__daemon_combs_re)s?\s*
with this:
__prefix_line = .*?
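Added example, not part of the original post: a small Python check of what the `__prefix_line` change described above does to an sshd-style failregex. The expansion of `__daemon_combs_re`, the failregex, the IPv4-only host group and the three log lines are assumptions constructed for illustration; the page does not show the CentOS 6 log lines involved.

```python
import re

# Assumed expansions, modelled on fail2ban's stock common.conf with _daemon = sshd.
PID = r"(?:\[\d+\])"
DAEMON = r"[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?"
COMBS = rf"(?:{PID}?:\s+{DAEMON}|{DAEMON}{PID}?:)"

# The two __prefix_line values quoted in the post.
PREFIXES = {
    "stock": rf"\s*(?:\S+ )?(?:@vserver_\S+ )?{COMBS}?\s*",
    "relaxed": r".*?",
}

# Simplified stand-in for <HOST> (IPv4 only) and an sshd-style failregex (assumed).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAILREGEX = r"^{prefix}Failed password for .* from {host}(?: port \d*)?(?: ssh\d*)?$"

# Constructed sample lines, not taken from any real log.
SAMPLES = {
    # timestamp already removed, as the filter expects
    "stripped": " host1 sshd[2211]: Failed password for root from 192.0.2.10 port 4242 ssh2",
    # timestamp still present in front of the hostname
    "date_left": "Aug  1 18:53:57 host1 sshd[2211]: Failed password for root from 192.0.2.10 port 4242 ssh2",
    # same message text, but logged by a different daemon
    "other_daemon": " host1 crond[99]: Failed password for test from 198.51.100.7",
}


def banned_host(prefix_name, line):
    """Return the host the filter would report for this line, or None."""
    pattern = re.compile(FAILREGEX.format(prefix=PREFIXES[prefix_name], host=HOST))
    match = pattern.search(line)
    return match.group("host") if match else None


def matrix():
    """Map (prefix, sample) to the reported host for every combination."""
    return {
        (p, s): banned_host(p, line)
        for p in PREFIXES
        for s, line in SAMPLES.items()
    }


if __name__ == "__main__":
    for (prefix, sample), host in sorted(matrix().items()):
        print(f"{prefix:8} {sample:13} -> {host}")
```

The relaxed prefix matches the line that still carries a timestamp, and it also matches the line from a daemon other than sshd, so it widens what can trigger a ban. On a real system, `fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/sshd.conf` runs the installed filter against the actual log.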
Re: [SOLVED] Is there someone who succeeded with Fail2ban?
Thanks for reporting back. Marking this thread [SOLVED] for posterity.
P.S. It would be good to say which source you used for fail2ban.