Hi all,
I am trying to get fail2ban going on my server and its log message reports the following error
2009-02-16 17:42:05,339 ERROR: 'iptables -L INPUT | grep -q fail2ban-SSH' returned 256
2009-02-16 17:42:05,354 ERROR: 'iptables -D INPUT -p tcp --dport ssh -j fail2ban-SSH
Is this because of the way the RedHat tool sets up the firewall?
Thanks for any responses.
Devraj Mukherjee wrote:
Hi all,
I am trying to get fail2ban going on my server and its log message reports the following error
2009-02-16 17:42:05,339 ERROR: 'iptables -L INPUT | grep -q fail2ban-SSH' returned 256
2009-02-16 17:42:05,354 ERROR: 'iptables -D INPUT -p tcp --dport ssh -j fail2ban-SSH
Is this because of the way the RedHat tool sets up the firewall?
Thanks for any responses.
First, have you installed iptables, shorewall, and tcp-wrappers?
Second, have you tried the failed grep expression, i.e., have you tried
iptables -L INPUT | grep -q fail2ban-SSH
As to why this would fail, you need to ask on the fail2ban mailing list since evidently this appears to be part of the installation.
The iptables can be set up by anyone - RedHat simply provides a default set of rules.
Agile Aspect wrote:
First, have you installed iptables, shorewall, and tcp-wrappers?
Second, have you tried the failed grep expression, i.e., have you tried
iptables -L INPUT | grep -q fail2ban-SSH
As to why this would fail, you need to ask on the fail2ban mailing list since evidently this appears to be part of the installation.
The iptables can be set up by anyone - RedHat simply provides a default set of rules.
Actually, it is a rather OS dependent package and the rules for CentOS are difficult to write. That really doesn't belong on the fail2ban list either.
You don't need shorewall, just the standard CentOS firewall works fine. Just be sure to only enable iptables rules. I have rules working for several things. SSH attempts, Dovecot attempts and a rule to block based on my Spamhaus setup so that the same spammer doesn't keep loading up sendmail with DNS queries. Now to try to figure out a rule for email dictionary attacks. Unfortunately the logs don't provide a good method of tying the reject to an IP address. RegEx... I'm very weak at RegEx.
John Hinton
John Hinton wrote:
Actually, it is a rather OS dependent package and the rules for CentOS are difficult to write. That really doesn't belong on the fail2ban list either.
Please post the iptables rule which you believe is OS dependent.
You don't need shorewall, just the standard CentOS firewall works fine.
It depends upon what the OP installed. The fail2ban web page recommends shorewall be installed - so there's a chance the OP installed it.
Agile Aspect wrote:
John Hinton wrote:
Actually, it is a rather OS dependent package and the rules for CentOS are difficult to write. That really doesn't belong on the fail2ban list either.
Please post the iptables rule which you believe is OS dependent.
You don't need shorewall, just the standard CentOS firewall works fine.
It depends upon what the OP installed. The fail2ban web page recommends shorewall be installed - so there's a chance the OP installed it.
First, I installed the RPM from dag. Some of it was set to go out of the box. Seems like I didn't need to do anything for SSH rules to work besides turning it on. Seems like VSFTP was pretty close. Dovecot was a write I think I might have done... or a major rewrite. Also, as there are differences between CentOS 3, 4 and 5... I'd also need to know which version you're running.
This really is a great tool. It is not easy to create rules. I was actually thinking that a CentOS fail2ban wiki or something might be nice. If it were divided into separate versions, we could share rules there. It took me about 3 or 4 hours to write and test just one. But again, I'm really slow at RegEx.
I keep seeing more attacks on just about every service available. Dovecot logins being the latest. VSFTP gets hit pretty hard... SSH gets pounded. But using this as a spam filter is also another good use. On one of my servers with moderate email traffic, it is banning about 150 IP addresses per hour based just on multiple Spamhaus rejects. That's a lot of load reduction right there. Now, if I could start pulling out stuff from SpamAssassin rejects... that could drop our loads by a huge amount. Over time, it might even reduce the number of attempts... if they do any purging of old email addresses.
John Hinton
-----Original Message-----
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of John Hinton
Sent: Sunday, March 01, 2009 9:05 PM
To: CentOS mailing list
Subject: Re: [CentOS] Fail2Ban
Agile Aspect wrote:
John Hinton wrote:
Actually, it is a rather OS dependent package and the rules for CentOS are difficult to write. That really doesn't belong on the fail2ban list either.
Please post the iptables rule which you believe is OS dependent.
You don't need shorewall, just the standard CentOS
firewall works fine.
It depends upon what the OP installed. The fail2ban web page recommends shorewall be installed - so there's a chance the OP installed it.
First, I installed the RPM from dag. Some of it was set to go out of the box. Seems like I didn't need to do anything for SSH rules to work besides turning it on. Seems like VSFTP was pretty close. Dovecot was a write I think I might have done... or a major rewrite. Also, as there are differences between CentOS 3, 4 and 5... I'd also need to know which version you're running.
This really is a great tool. It is not easy to create rules. I was actually thinking that a CentOS fail2ban wiki or something might be nice. If it were divided into separate versions, we could share rules there. It took me about 3 or 4 hours to write and test just one. But again, I'm really slow at RegEx.
I keep seeing more attacks on just about every service available. Dovecot logins being the latest. VSFTP gets hit pretty hard... SSH gets pounded. But using this as a spam filter is also another good use. On one of my servers with moderate email traffic, it is banning about 150 IP addresses per hour based just on multiple Spamhaus rejects. That's a lot of load reduction right there. Now, if I could start pulling out stuff from SpamAssassin rejects... that could drop our loads by a huge amount. Over time, it might even reduce the number of attempts... if they do any purging of old email addresses.
John Hinton
I tried to install the rpm from Dag a while back but it complained about having Shorewall installed. I have an older version of fail2ban installed and cannot upgrade due to this. I use denyhosts also.
I use firestarter to admin my rules. Could I edit the requirement for shorewall out of the spec file in the src rpm to get it to work?
Thanks!!
Actually, it is a rather OS dependent package and the rules for CentOS are difficult to write. That really doesn't belong on the fail2ban list either.
I have a basic fail2ban with tcp-wrappers & /etc/hosts.deny combo working. I couldn't get the iptables thing working properly.
You don't need shorewall, just the standard CentOS firewall works fine. Just be sure to only enable iptables rules. I have rules working for several things. SSH attempts, Dovecot attempts and a rule to block based on my Spamhaus setup so that the same spammer doesn't keep loading up sendmail with DNS queries.
John, could you share your rules for the Dovecot attempts?
On Sun, Mar 01, 2009 at 05:53:39PM -0800, Linux Advocate wrote:
I have a basic fail2ban with tcp-wrappers & /etc/hosts.deny combo working. I couldn't get the iptables thing working properly.
You don't need shorewall, just the standard CentOS firewall works fine. Just be sure to only enable iptables rules. I have rules working for several things. SSH attempts, Dovecot attempts and a rule to block based on my Spamhaus setup so that the same spammer doesn't keep loading up sendmail with DNS queries.
John, could you share your rules for the Dovecot attempts?
Since no one else has stepped up... here's dovecot and vsftpd.
These worked for me, ymmv. Centos 5 with rpmforge. Folded, failregex should be a single line with a space between ":" and "authentication".
/etc/fail2ban/filter.d/dovecot.conf
[Definition]
failregex = dovecot-auth: pam_unix\(dovecot:auth\): authentication failure; .* rhost=<HOST>(?:\s+user=\S*)?\s*$
ignoreregex =
/etc/fail2ban/filter.d/vsftpd.conf
[Definition]
failregex = vsftpd: pam_unix\(vsftpd:auth\): authentication failure; .* rhost=<HOST>(?:\s+user=\S*)?\s*$
ignoreregex =
And changes to /etc/fail2ban/jail.conf. (Note that you also want to change the sendmail actions to use valid email addresses...)
diff --git a/jail.conf b/jail.conf index b74320f..a726947 100644 --- a/jail.conf +++ b/jail.conf @@ -113,7 +113,7 @@ bantime = 300 enabled = false filter = vsftpd action = sendmail-whois[name=VSFTPD, dest=you@mail.com] -logpath = /var/log/vsftpd.log +logpath = /var/log/secure maxretry = 5 bantime = 1800
@@ -121,11 +121,11 @@ bantime = 1800
[vsftpd-iptables]
-enabled = false +enabled = true filter = vsftpd action = iptables[name=VSFTPD, port=ftp, protocol=tcp] sendmail-whois[name=VSFTPD, dest=you@mail.com] -logpath = /var/log/vsftpd.log +logpath = /var/log/secure maxretry = 5 bantime = 1800
@@ -203,3 +203,25 @@ action = iptables-multiport[name=Named, port="domain,953", protocol=tcp] logpath = /var/log/named/security.log ignoreip = 168.192.0.1
+[dovecot-notification] + +enabled = false +filter = dovecot +action = sendmail-whois[name=Dovecot, dest=you@mail.com] +logpath = /var/log/secure +maxretry = 5 +bantime = 1800 + +# Same as above but with banning the IP address. + +[dovecot-iptables] + +enabled = true +filter = dovecot +action = iptables-multiport[name=Dovecot, port="pop3,pop3s,imap,imaps", protocol=tcp] + sendmail-whois[name=Dovecot, dest=you@mail.com] +logpath = /var/log/secure +maxretry = 5 +bantime = 1800 +#ignoreip = 168.192.0.1 +
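Review bot: the logpath change from /var/log/vsftpd.log to /var/log/secure in the first hunk (the vsftpd notification jail) is what makes the vsftpd filter above usable, not a cosmetic choice: the failregex matches the "pam_unix(vsftpd:auth): authentication failure" line that PAM emits through syslog's authpriv facility, which CentOS writes to /var/log/secure, and vsftpd's own log never carries it. A short comment next to that logpath line would stop the next person from "restoring" the default path and getting a jail that silently never fires.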
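Review bot: with enabled = true in the second hunk, [vsftpd-iptables] and the notification-only jail above it now read the same file with the same filter and both carry a sendmail-whois action; that is harmless while the notification jail stays at enabled = false, but if it is ever switched on as well, every ban produces two whois mails. Either drop the notification-only jail or note in the file that only one of the two should be enabled. The dest=you@mail.com placeholder in both actions still has to be replaced, as the prose says.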
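Review bot: the trailing "+#ignoreip = 168.192.0.1" in the new [dovecot-iptables] section of the third hunk copies the value from the context line above (ignoreip = 168.192.0.1 in the named jail), and 168.192.0.1 is a publicly routable address, not the 192.168.0.1 it resembles; if it is ever uncommented to exempt a LAN host, the wrong address is whitelisted. Put the real host or network there in CIDR form, e.g. "ignoreip = 192.168.0.0/24", or delete the line. The port="pop3,pop3s,imap,imaps" list is fine as long as all four names resolve in /etc/services, which they do on CentOS 5.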
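As an added example (not code from John Lundin's post or from the fail2ban project), the Python script below runs the two failregex lines above over constructed /var/log/secure lines the way fail2ban 0.8 does: it expands <HOST> into fail2ban's host group, strips the syslog timestamp before matching, collects failures per host, and reports which hosts would exceed maxretry = 5 within findtime. The parentheses around dovecot:auth and vsftpd:auth are escaped here, because unescaped they form regex groups and the pattern cannot match the literal "pam_unix(dovecot:auth)" text; the unescaped form is kept in the script only to show that. HOST_GROUP mirrors fail2ban 0.8's expansion; the timestamp handling and the ban-window logic are simplified stand-ins for fail2ban's DateDetector and FailManager, and every log line is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# fail2ban 0.8 replaces the <HOST> placeholder with this group before compiling
# a failregex (an optional IPv4-mapped "::ffff:" prefix, then the host itself).
HOST_GROUP = r"(?:::f{4,6}:)?(?P<host>\S+)"

# The two failregex lines from the post, with "(" and ")" escaped so they match
# the literal "pam_unix(dovecot:auth)" text instead of acting as regex groups.
FILTERS = {
    "dovecot": r"dovecot-auth: pam_unix\(dovecot:auth\): authentication failure; "
               r".* rhost=<HOST>(?:\s+user=\S*)?\s*$",
    "vsftpd": r"vsftpd: pam_unix\(vsftpd:auth\): authentication failure; "
              r".* rhost=<HOST>(?:\s+user=\S*)?\s*$",
}

# The unescaped form, kept only to demonstrate why it cannot match a real line.
UNESCAPED_DOVECOT = (r"dovecot-auth: pam_unix(dovecot:auth): authentication failure; "
                     r".* rhost=<HOST>(?:\s+user=\S*)?\s*$")

# Syslog timestamp at the start of a /var/log/secure line, e.g. "Mar  1 20:01:02 ".
# Simplified stand-in for fail2ban's DateDetector (assumption: classic syslog format).
SYSLOG_TS = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) ")

# Constructed sample lines (not real logs): five dovecot failures from one host
# within 30 s, two vsftpd failures 38 min apart, one sshd line neither filter
# should match, and one IPv4-mapped rhost to show the "::ffff:" stripping.
SAMPLE_LOG = """\
Mar  1 20:01:02 mail dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=alice rhost=198.51.100.7  user=alice
Mar  1 20:01:09 mail dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=alice rhost=198.51.100.7  user=alice
Mar  1 20:01:15 mail dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=bob rhost=198.51.100.7  user=bob
Mar  1 20:01:22 mail dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=bob rhost=::ffff:198.51.100.7  user=bob
Mar  1 20:01:30 mail dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=carol rhost=198.51.100.7
Mar  1 20:02:00 mail vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=ftpuser rhost=203.0.113.9
Mar  1 20:03:00 mail sshd[4321]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.5  user=root
Mar  1 20:40:00 mail vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=ftpuser rhost=203.0.113.9
"""


def compile_failregex(failregex):
    """Expand <HOST> the way fail2ban does, then compile the pattern."""
    return re.compile(failregex.replace("<HOST>", HOST_GROUP))


def split_line(line):
    """Return (timestamp, rest). fail2ban matches the failregex against the
    line with the date removed, so the same is done here."""
    m = SYSLOG_TS.match(line)
    if not m:
        return None, line
    return datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"), line[m.end():]


def match_host(failregex, line):
    """Host captured by failregex on one log line, or None when it does not match."""
    _, rest = split_line(line)
    m = compile_failregex(failregex).search(rest)
    return m.group("host") if m else None


def scan(log_text, filters=FILTERS):
    """Map jail name -> host -> list of failure timestamps found in log_text."""
    compiled = {name: compile_failregex(rx) for name, rx in filters.items()}
    failures = {name: defaultdict(list) for name in filters}
    for line in log_text.splitlines():
        ts, rest = split_line(line)
        if ts is None:
            continue
        for name, rx in compiled.items():
            m = rx.search(rest)
            if m:
                failures[name][m.group("host")].append(ts)
    return failures


def would_ban(failures, maxretry=5, findtime=600):
    """Hosts per jail with at least maxretry failures inside some findtime window
    (the post's jails use maxretry = 5; 600 s is fail2ban's default findtime)."""
    window = timedelta(seconds=findtime)
    banned = {}
    for name, hosts in failures.items():
        hit = []
        for host, times in hosts.items():
            times = sorted(times)
            if any(times[i] - times[i - maxretry + 1] <= window
                   for i in range(maxretry - 1, len(times))):
                hit.append(host)
        banned[name] = sorted(hit)
    return banned


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for jail, hosts in found.items():
        for host, times in hosts.items():
            print(f"{jail}: {host} failed {len(times)} times")
    print("would ban:", would_ban(found))
```

Feeding the first sample line to match_host with UNESCAPED_DOVECOT returns None, while the escaped FILTERS["dovecot"] returns 198.51.100.7; the fourth line shows the "::ffff:" prefix being dropped so the IPv4-mapped form counts against the same host. Only 198.51.100.7 reaches five dovecot failures inside the window; the two vsftpd failures from 203.0.113.9 are 38 minutes apart and stay below maxretry, and the sshd line is ignored by both filters.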
Thanks, John
----- Original Message ----
From: John Lundin lundin@fini.net
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
On Saturday 28 February 2009 23:45, Devraj Mukherjee wrote:
Hi all,
I am trying to get fail2ban going on my server and its log message reports the following error
2009-02-16 17:42:05,339 ERROR: 'iptables -L INPUT | grep -q fail2ban-SSH' returned 256
2009-02-16 17:42:05,354 ERROR: 'iptables -D INPUT -p tcp --dport ssh -j fail2ban-SSH
Is this because of the way the RedHat tool sets up the firewall?
Thanks for any responses.
RedHat in their great wisdom decided to make themselves different, as a way of making its customers dependent on them. This is simple to fix.
Edit the rule set with your favourite editor and do the following:
Remove all the lines with -j RH-Firewall-1-INPUT. Replace all the lines with RH-Firewall-1-INPUT with INPUT
The original looks something like this:
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
The new should look something like this:
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp --icmp-type any -j ACCEPT
-A INPUT -p 50 -j ACCEPT
-A INPUT -p 51 -j ACCEPT
-A INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A INPUT -p udp -m udp --dport 631 -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
Fail2Ban should work now.
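As an added example (not from the poster), the Python script below applies the edit just described to the text of the rule file (on CentOS that is /etc/sysconfig/iptables, the file system-config-securitylevel writes) and then reports which built-in chains end up with an ACCEPT policy and no rules at all. Run on the original rule set it produces exactly the "new" set shown above. The check also makes visible the one side effect of the edit that matters beyond fail2ban: the FORWARD chain loses its jump into RH-Firewall-1-INPUT and keeps its ACCEPT policy, so forwarded packets are no longer filtered. That is harmless on a host that does not route (net.ipv4.ip_forward = 0); on a router, give FORWARD a DROP policy or its own rules. The rule text is copied from the message; the function names and the check are mine.

```python
import re

# The rule set from the post, before the edit (copied from the message).
ORIGINAL = """\
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""


def flatten_rh_chain(rules_text, chain="RH-Firewall-1-INPUT"):
    """Apply the post's edit to iptables-save text: drop the chain's declaration
    and every jump into it, and move the chain's own rules onto INPUT."""
    out = []
    for line in rules_text.splitlines():
        if line.startswith(f":{chain} "):        # ":RH-Firewall-1-INPUT - [0:0]"
            continue
        if f"-j {chain}" in line:                 # the jumps from INPUT and FORWARD
            continue
        out.append(line.replace(f"-A {chain} ", "-A INPUT ", 1))
    return "\n".join(out) + "\n"


def unfiltered_chains(rules_text):
    """Built-in chains whose policy is ACCEPT and which carry no rules at all,
    i.e. everything passing through them is accepted without any check."""
    policies, with_rules = {}, set()
    for line in rules_text.splitlines():
        m = re.match(r"^:(\S+) (ACCEPT|DROP) \[", line)   # built-in chain policy
        if m:
            policies[m.group(1)] = m.group(2)
        m = re.match(r"^-A (\S+) ", line)                 # a rule on some chain
        if m:
            with_rules.add(m.group(1))
    return sorted(c for c, p in policies.items()
                  if p == "ACCEPT" and c not in with_rules)


if __name__ == "__main__":
    new = flatten_rh_chain(ORIGINAL)
    print(new)
    print("unfiltered before:", unfiltered_chains(ORIGINAL))
    print("unfiltered after: ", unfiltered_chains(new))
```

Before the edit only OUTPUT is reported (the stock rule set never filtered outbound traffic); afterwards FORWARD joins it. Note that flatten_rh_chain rewrites the saved file, not the running rules, so a service iptables restart (or iptables-restore) is still needed before fail2ban's actionstart inserts its fail2ban-SSH jump into INPUT.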