> -----Original Message-----
> From: centos-bounces at centos.org
> [mailto:centos-bounces at centos.org] On Behalf Of John Hinton
> Sent: Sunday, March 01, 2009 9:05 PM
> To: CentOS mailing list
> Subject: Re: [CentOS] Fail2Ban
>
> Agile Aspect wrote:
> > John Hinton wrote:
> >
> >> Agile Aspect wrote:
> >>
> >>> Devraj Mukherjee wrote:
> >>>
> >>>> Hi all,
> >>>>
> >>>> I am trying to get fail2ban going on my server and its log message
> >>>> reports the following error
> >>>>
> >>>> 2009-02-16 17:42:05,339 ERROR: 'iptables -L INPUT | grep -q fail2ban-SSH' returned 256
> >>>> 2009-02-16 17:42:05,354 ERROR: 'iptables -D INPUT -p tcp --dport ssh -j fail2ban-SSH
> >>>>
> >>>> Is this because of the way the RedHat tool sets up the firewall?
> >>>>
> >>>> Thanks for any responses.
> >>>>
> >>> First, have you installed iptables, shorewall, and tcp-wrappers?
> >>>
> >>> Second, have you tried the failed grep expression, i.e., have you
> >>> tried
> >>>
> >>> iptables -L INPUT | grep -q fail2ban-SSH
> >>>
> >>> As to why this would fail, you need to ask on the fail2ban mailing
> >>> list since evidently this appears to be part of the installation.
> >>>
> >>> The iptables can be set up by anyone - RedHat simply provides a
> >>> default set of rules.
> >>>
> >> Actually, it is a rather OS dependent package and the rules for
> >> CentOS are difficult to write. That really doesn't belong on the
> >> fail2ban list either.
> >>
> > Please post the iptable rule which you believe is OS dependent.
> >
> >> You don't need shorewall, just the standard CentOS firewall works fine.
> >>
> > It depends upon what the OP installed. The fail2ban web page
> > recommends shorewall be installed - so there's a chance the OP
> > installed it.
> >
> First, I installed the RPM from dag. Some of it was set to go
> out of the box. Seems like I didn't need to do anything for
> SSH rules to work besides turning it on. Seems like VSFTP was
> pretty close. Dovecot was a write I think I might have
> done... or a major rewrite. Also, as there are differences
> between CentOS 3, 4 and 5... I'd also need to know which
> version you're running.
>
> This really is a great tool. It is not easy to create rules.
> I was actually thinking that a CentOS fail2ban wiki or
> something might be nice. If it were divided into separate
> versions, we could share rules there. It took me about 3 or 4
> hours to write and test just one. But again, I'm really slow at RegEx.
>
> I keep seeing more attacks on just about every service available.
> Dovecot logins being the latest. VSFTP gets hit pretty
> hard... SSH gets pounded. But, using this also as a spam
> filter is also another good use.
> On one of my servers with moderate email traffic, it is
> banning about 150 IP addresses per hour based just on multiple
> Spamhaus rejects. That's a lot of load reduction right there.
> Now, if I could start pulling out stuff from SpamAssassin
> rejects... that could drop our loads by a huge amount. Over
> time, it might even reduce the number of attempts... if they
> do any purging of old email addresses.
>
> John Hinton

I tried to install the rpm from Dag a while back but it complained about having Shorewall installed. I have an older version of fail2ban installed and cannot upgrade due to this. I use denyhosts also. I use firestarter to admin my rules. Could I edit the requirement for shorewall out of the spec file in the src rpm to get it to work?

Thanks!!