On 03/12/2013 05:35 PM, Timothy Murphy wrote:
I'm running fail2ban on my server (under CentOS-6.4) and it seems to be running according to
[tim@grover fail2ban]$ sudo service fail2ban status Fail2ban (pid 31794) is running... Status |- Number of jail: 1 `- Jail list: ssh-iptables
I have absolutely no idea how fail2ban works, and I'm running it with the default /etc/fail2ban/fail2ban.conf , which seems to set the logfile to /var/log/fail2ban.log . Should I actually study how it is meant to be configured?
I just yum-installed it (from Epel, I assume) and hope it does its job, whatever that is.
It sets up iptables rules for every jail that is configured (iptables -L). You seem to have only the ssh-iptables configured. Check the date of the logfile. I noticed that SYSLOG is now used for logging. It used to be /var/log/fail2ban.log in the past. I removed the old log file. If ssh is the only public service you want to protect against brute force, then you don't need to setup anything. But have a look in /etc/fail2ban/jail.conf and add at least your email address to get a notification when it blocks access. There lots of other "jails" that can be enabled. Normally I receive several messages a day. So not receiving them means that the service is no longer protecting. Simply because it watches a renamed no longer updated version of /var/log/secure:
ls -l /var/log/secure* -rw------- 1 root root 2130892 Mar 12 18:25 /var/log/secure -rw------- 1 root root 1374710 Feb 17 01:31 /var/log/secure-20130217 -rw------- 1 root root 1482646 Feb 24 03:09 /var/log/secure-20130224 -rw------- 1 root root 1732930 Mar 3 03:13 /var/log/secure-20130303 -rw------- 1 root root 656454 Mar 10 03:12 /var/log/secure-20130310
Once a week fail2ban stops working as a new secure log file is created (logrotate) and it seems to watch the only old name. You will not see any error message and status show as running. But I have no proof that it keeps working with the gamin fix.
Theo