I've got an up-to-date Centos 5.8 and can't seem to get fail2ban to get rid of troublesome sshd login attempts. /etc/fail2ban/jail.conf has these sections:
[ssh]
enabled = true port = ssh filter = sshd logpath = /var/log/auth.log maxretry = 6
# Generic filter for pam. Has to be used with action which bans all ports # such as iptables-allports, shorewall [pam-generic]
enabled = false # pam-generic filter can be customized to monitor specific subset of 'tty's filter = pam-generic # port actually must be irrelevant but lets leave it all for some possible uses port = all banaction = iptables-allports port = anyport logpath = /var/log/auth.log maxretry = 6
and an excerpt from a logwatch run just now is:
--------------------- pam_unix Begin ------------------------
sshd: Authentication Failures: unknown (190.145.98.179): 2460 Time(s) root (58.51.95.75): 285 Time(s) unknown (122.70.128.5): 125 Time(s) postgres (190.145.98.179): 64 Time(s) mail (190.145.98.179): 40 Time(s) mysql (190.145.98.179): 40 Time(s) root (190.145.98.179): 36 Time(s) unknown (58.51.95.75): 26 Time(s) ftp (190.145.98.179): 17 Time(s) root (122.70.128.5): 15 Time(s) root (221.226.215.117): 13 Time(s) root (cloud-128-117.diagcomputing.org): 13 Time(s) adm (190.145.98.179): 12 Time(s)
so advice? redirection? rtfm?
Dave
On 05/28/2012 01:00 PM, Dave Stevens wrote:
I've got an up-to-date Centos 5.8 and can't seem to get fail2ban to get rid of troublesome sshd login attempts. /etc/fail2ban/jail.conf has these sections:
[ssh]
enabled = true port = ssh filter = sshd logpath = /var/log/auth.log maxretry = 6
# Generic filter for pam. Has to be used with action which bans all ports # such as iptables-allports, shorewall [pam-generic]
enabled = false # pam-generic filter can be customized to monitor specific subset of 'tty's filter = pam-generic # port actually must be irrelevant but lets leave it all for some possible uses port = all banaction = iptables-allports port = anyport logpath = /var/log/auth.log maxretry = 6
and an excerpt from a logwatch run just now is:
--------------------- pam_unix Begin ------------------------
sshd: Authentication Failures: unknown (190.145.98.179): 2460 Time(s) root (58.51.95.75): 285 Time(s) unknown (122.70.128.5): 125 Time(s) postgres (190.145.98.179): 64 Time(s) mail (190.145.98.179): 40 Time(s) mysql (190.145.98.179): 40 Time(s) root (190.145.98.179): 36 Time(s) unknown (58.51.95.75): 26 Time(s) ftp (190.145.98.179): 17 Time(s) root (122.70.128.5): 15 Time(s) root (221.226.215.117): 13 Time(s) root (cloud-128-117.diagcomputing.org): 13 Time(s) adm (190.145.98.179): 12 Time(s)
so advice? redirection? rtfm?
Dave
First, I don't think your CentOS 5.8 system has a logfile named /var/log/auth.log, so you probably want /var/log/secure or /var/log/audit/audit.log, probably the former, otherwise you can try enabling the pam filter in fail2ban.
Next, you need to edit /etc/fail2ban/filter.d/sshd.conf and setup the python regular expression to match the failure messages that you get from sshd (or pam). You can use the fail2ban-regex program (run it with no arguments for a help message), to test and see if your regular expressions are matching properly.
See http://docs.python.org/library/re.html for documentation on python regular expressions and the fail2ban Wiki on http://www.fail2ban.org http://www.fail2ban.orgwhich explains how to use a python variable in the RE to pass the IP address from the logfile back to fail2ban.
I'm not sure where you got your fail2ban version, I think I'm running one from EPEL, but the jail.conf entry that you have has no action entry, so it won't do anything.
My jail.conf entry for ssh (I don't have SSH enabled for fail2ban), looks like this:
[ssh-iptables]
enabled = false filter = sshd action = iptables[name=SSH, port=ssh, protocol=tcp] sendmail-whois[name=SSH, dest=root, sender=fail2ban@mail.com] logpath = /var/log/secure maxretry = 5
So to enable it, you would change the enabled line to 'enabled = true'. The action line show here will invoke the commands in /etc/fail2ban/action.d/iptables.conf to insert iptables access lists to block the offending ip address. You must have iptables turned on. You can change the maxretry value to specify how many failures are allowed before the IP is blocked. You can also add a "bantime = #seconds" to the jail.conf entry to specify how long to block the IP for.
I would suggest that you remove the copy of fail2ban that you have installed and install the one from the EPEL repo instead and you are much more likely to have the correct configuration for the CentOS logfiles as well as the correct regular expression for matching entries in the log files, so that if you enable it in jail.conf, it might just work with little or no customization.
Nataraj