[CentOS] anyone care to help with a fail2ban problem on Centos 5.8?

Tue May 29 11:23:42 UTC 2012
Nataraj <incoming-centos at rjl.com>

On 05/28/2012 01:00 PM, Dave Stevens wrote:
> I've got an up-to-date Centos 5.8 and can't seem to get fail2ban to
> get rid of troublesome sshd login attempts. /etc/fail2ban/jail.conf
> has these sections:
>
> [ssh]
>
> enabled = true
> port    = ssh
> filter  = sshd
> logpath  = /var/log/auth.log
> maxretry = 6
>
> # Generic filter for pam. Has to be used with action which bans all ports
> # such as iptables-allports, shorewall
> [pam-generic]
>
> enabled = false
> # pam-generic filter can be customized to monitor specific subset of 'tty's
> filter  = pam-generic
> # port actually must be irrelevant but lets leave it all for some possible uses
> port = all
> banaction = iptables-allports
> port     = anyport
> logpath  = /var/log/auth.log
> maxretry = 6
>
> and an excerpt from a logwatch run just now is:
>
>   --------------------- pam_unix Begin ------------------------
>
>   sshd:
>      Authentication Failures:
>         unknown (190.145.98.179): 2460 Time(s)
>         root (58.51.95.75): 285 Time(s)
>         unknown (122.70.128.5): 125 Time(s)
>         postgres (190.145.98.179): 64 Time(s)
>         mail (190.145.98.179): 40 Time(s)
>         mysql (190.145.98.179): 40 Time(s)
>         root (190.145.98.179): 36 Time(s)
>         unknown (58.51.95.75): 26 Time(s)
>         ftp (190.145.98.179): 17 Time(s)
>         root (122.70.128.5): 15 Time(s)
>         root (221.226.215.117): 13 Time(s)
>         root (cloud-128-117.diagcomputing.org): 13 Time(s)
>         adm (190.145.98.179): 12 Time(s)
>
> so advice? redirection? rtfm?
>
> Dave
>
>

First, I don't think your CentOS 5.8 system has a logfile named
/var/log/auth.log, so you probably want /var/log/secure or
/var/log/audit/audit.log, probably the former, otherwise you can try
enabling the pam filter in fail2ban.

Next, you need to edit /etc/fail2ban/filter.d/sshd.conf and set up the
python regular expression to match the failure messages that you get
from sshd (or pam).  You can use the fail2ban-regex program (run it with
no arguments for a help message), to test and see if your regular
expressions are matching properly.

See http://docs.python.org/library/re.html for documentation on python
regular expressions and the fail2ban Wiki on http://www.fail2ban.org
which explains how to use a python variable in the RE to pass the IP
address from the logfile back to fail2ban.

I'm not sure where you got your fail2ban version, I think I'm running
one from EPEL, but the jail.conf entry that you have has no action
entry, so it won't do anything.

My jail.conf entry for ssh (I don't have SSH enabled for fail2ban),
looks like this:

[ssh-iptables]

enabled  = false
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=root, sender=fail2ban at mail.com]
logpath  = /var/log/secure
maxretry = 5

So to enable it, you would change the enabled line to 'enabled = true'.
The action line shown here will invoke the commands in
/etc/fail2ban/action.d/iptables.conf to insert iptables access lists to
block the offending IP address. You must have iptables turned on.  You
can change the maxretry value to specify how many failures are allowed
before the IP is blocked.  You can also add a "bantime = #seconds" to
the jail.conf entry to specify how long to block the IP for.

I would suggest that you remove the copy of fail2ban that you have
installed and install the one from the EPEL repo instead and you are
much more likely to have the correct configuration for the CentOS
logfiles as well as the correct regular expression for matching entries
in the log files, so that if you enable it in jail.conf, it might just
work with little or no customization.

Nataraj
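The two pieces of the reply that people most often get wrong are the failregex in filter.d/sshd.conf (including the `<HOST>` placeholder that hands the address back to fail2ban) and the interplay of maxretry, findtime and bantime in jail.conf. The script below is an added example, not part of the thread and not fail2ban's own code: it applies filter-style regexes to a constructed sample of /var/log/secure lines, reports which host each line yields (the check fail2ban-regex does per line), and replays the lines against a maxretry/findtime window to show when a ban would fire. The `<HOST>` expansion, the two failregex patterns and the sample log lines are all assumptions written for this example; the addresses are documentation-range placeholders, not the ones from the post.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# fail2ban replaces the <HOST> placeholder in a failregex with a named group
# that captures the remote address. This expansion is an assumption modelled
# on that convention, not copied from the fail2ban source.
HOST_RE = r"(?P<host>[\w\-.^_]+)"

# Failure patterns written here in the style of filter.d/sshd.conf, for the
# sshd and pam_unix messages CentOS writes to /var/log/secure (assumed patterns).
FAILREGEX = [
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from <HOST> port \d+ ssh2",
    r"pam_unix\(sshd:auth\): authentication failure; .* rhost=<HOST>",
]

COMPILED = [re.compile(p.replace("<HOST>", HOST_RE)) for p in FAILREGEX]


def match_host(line):
    """Return the host captured by the first matching failregex, else None.
    This is the per-line check that fail2ban-regex performs."""
    for rx in COMPILED:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None


def parse_ts(line, year):
    """Syslog timestamps ('May 28 10:01:02') carry no year, so the caller supplies it."""
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")


def find_offenders(lines, maxretry=5, findtime=600, year=2012):
    """Replay log lines and return {host: timestamp of the failure that reached
    maxretry within findtime seconds}, mirroring jail.conf's maxretry/findtime."""
    recent = defaultdict(list)  # host -> failure timestamps still inside the window
    banned = {}
    for line in lines:
        host = match_host(line)
        if host is None:
            continue
        ts = parse_ts(line, year)
        # Drop failures older than findtime before counting this one.
        window = [t for t in recent[host] if ts - t <= timedelta(seconds=findtime)]
        window.append(ts)
        recent[host] = window
        if len(window) >= maxretry and host not in banned:
            banned[host] = ts
    return banned


# Constructed sample of /var/log/secure lines (not taken from the post).
SAMPLE_LOG = """\
May 28 10:01:02 host sshd[1234]: Failed password for invalid user oracle from 203.0.113.7 port 51234 ssh2
May 28 10:01:05 host sshd[1234]: Failed password for invalid user oracle from 203.0.113.7 port 51234 ssh2
May 28 10:01:09 host sshd[1240]: Failed password for root from 203.0.113.7 port 51240 ssh2
May 28 10:01:13 host sshd[1240]: Failed password for root from 203.0.113.7 port 51240 ssh2
May 28 10:02:30 host sshd[1251]: Accepted publickey for dave from 198.51.100.9 port 40022 ssh2
May 28 10:03:00 host sshd[1260]: Failed password for dave from 198.51.100.9 port 40030 ssh2
May 28 10:03:15 host sshd[1266]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.44  user=root
May 28 10:04:01 host sshd[1270]: Failed password for root from 203.0.113.7 port 51300 ssh2
"""

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for line in lines:
        print(match_host(line) or "-", "|", line[16:72])
    for host, ts in find_offenders(lines).items():
        print(f"would ban {host} at {ts:%H:%M:%S}")
```

Running it shows 203.0.113.7 reaching five failures at 10:04:01 with the default 600-second findtime, while the same lines with findtime=60 produce no ban because the fifth failure falls outside the window. That is the behaviour to keep in mind when a jail seems to "do nothing": a logpath that does not exist on CentOS, a failregex that never captures `<HOST>`, or a findtime too short for the attacker's pace each leave the counter at zero. Note also that the sample matches both the sshd "Failed password" line and the pam_unix line; on a real system a single attempt can emit both, so the two patterns should not be combined in one jail unless double counting is intended.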