[CentOS] Fail2Ban

Sun Mar 1 22:50:01 UTC 2009
John Hinton <webmaster at ew3d.com>

Agile Aspect wrote:
> Devraj Mukherjee wrote:
>> Hi all,
>> I am trying to get fail2ban going on my server and its log message
>> reports the following error
>> 2009-02-16 17:42:05,339 ERROR: 'iptables -L INPUT | grep -q
>> fail2ban-SSH' returned 256
>> 2009-02-16 17:42:05,354 ERROR: 'iptables -D INPUT -p tcp --dport ssh
>> -j fail2ban-SSH
>> Is this because of the way the RedHat tool sets up the firewall?
>> Thanks for any responses.
> First, have you installed iptables, shorewall, and tcp-wrappers
> installed?
> Second, have you tried the failed grep expression, i.e., have
> you tried
>           iptables -L INPUT | grep -q fail2ban-SSH
> As to why this would fail, you need to ask on the fail2ban
> mailing list since evidently this appears to be part of the
> installation.
> The iptables can be setup by anyone - RedHat simply provides
> a default set of rules.
Actually, it is a rather OS dependent package and the rules for CentOS 
are difficult to write. That really doesn't belong on the fail2ban list 

You don't need shorewall, just the standard CentOS firewall works fine. 
Just be sure to only enable iptables rules. I have rules working for 
several things. SSH attempts, Dovecot attempts and a rule to block based 
on my Spamhaus setup so that the same spammer doesn't keep loading up 
sendmail with DNS queries. Now to try to figure out a rule for email 
dictionary attacks. Unfortunately the logs don't provide a good method 
of tying the reject to an IP address. RegEx... I'm very weak at RegEx.

John Hinton