# [solved] Fail2ban fails to start

## elmar283

When I rebooted my system today fail2ban failed to start. I didn't change any config file.

I can't find out what is wrong because there is almost no log info to go on.

Here is the only loginfo I have:

```
elmarotter@ZaphodBeeblebrox /etc/fail2ban $ sudo tail -f /var/log/fail2ban.log 

Wachtwoord: 

2014-02-20 22:26:53,959 fail2ban.server : INFO   Exiting Fail2ban
```

This is the startup message:

```

elmarotter@ZaphodBeeblebrox /etc/fail2ban $ sudo /etc/init.d/fail2ban start

 * Starting fail2ban ...

 * Failed to start fail2ban                                                                                                                                                                       [ !! ]

 * ERROR: fail2ban failed to start

elmarotter@ZaphodBeeblebrox /etc/fail2ban $ 
```

```

elmarotter@ZaphodBeeblebrox /etc/fail2ban $ cat /etc/conf.d/fail2ban 

# Config file for /etc/init.d/fail2ban

#

# For information on options, see "/usr/bin/fail2ban-client -h".

FAIL2BAN_OPTIONS=""

# Force execution of the server even if the socket already exists:

#FAIL2BAN_OPTIONS="-x"

elmarotter@ZaphodBeeblebrox /etc/fail2ban $ 

```

Anyone knows what might be wrong?Last edited by elmar283 on Fri Feb 21, 2014 5:47 pm; edited 1 time in total

----------

## 666threesixes666

does

```

sudo /etc/init.d/fail2ban restart

```

also fail?

if so, try disabling all the jails, back off the settings, then gradually bring in more and more jails until it stops working.  can you pastebin your jail file?

----------

## elmar283

I'm going to try your suggestion. Here is my jail.conf:

```
elmarotter@ZaphodBeeblebrox /etc $ sudo cat /etc/fail2ban/jail.conf 

# Fail2Ban jail specifications file

#

# Comments: use '#' for comment lines and ';' for inline comments

#

# Changes:  in most of the cases you should not modify this

#           file, but provide customizations in jail.local file, e.g.:

#

# [DEFAULT]

# bantime = 3600

#

# [ssh-iptables]

# enabled = true

#

# The DEFAULT allows a global definition of the options. They can be overridden

# in each jail afterwards.

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not

# ban a host which matches an address in this list. Several addresses can be

# defined using space separator.

ignoreip = 127.0.0.1/8 192.168.0.0/24 192.168.178.0/24

# "bantime" is the number of seconds that a host is banned.

bantime  = 600

# A host is banned if it has generated "maxretry" during the last "findtime"

# seconds.

findtime  = 600

# "maxretry" is the number of failures before a host get banned.

maxretry = 5

# "backend" specifies the backend used to get files modification.

# Available options are "pyinotify", "gamin", "polling" and "auto".

# This option can be overridden in each jail as well.

#

# pyinotify: requires pyinotify (a file alteration monitor) to be installed.

#              If pyinotify is not installed, Fail2ban will use auto.

# gamin:     requires Gamin (a file alteration monitor) to be installed.

#              If Gamin is not installed, Fail2ban will use auto.

# polling:   uses a polling algorithm which does not require external libraries.

# auto:      will try to use the following backends, in order:

#              pyinotify, gamin, polling.

backend = auto

# "usedns" specifies if jails should trust hostnames in logs,

#   warn when reverse DNS lookups are performed, or ignore all hostnames in logs

#

# yes:   if a hostname is encountered, a reverse DNS lookup will be performed.

# warn:  if a hostname is encountered, a reverse DNS lookup will be performed, 

#        but it will be logged as a warning.

# no:    if a hostname is encountered, will not be used for banning,

#        but it will be logged as info.

usedns = warn

# This jail corresponds to the standard configuration in Fail2ban 0.6.

# The mail-whois action send a notification e-mail with a whois request

# in the body.

[ssh-iptables]

enabled  = true

filter   = sshd

action   = iptables[name=SSH, port=ssh, protocol=tcp]

           sendmail-whois[name=SSH, dest=<removed>, sender=<removed>]

logpath  = /var/log/sshd.log

maxretry = 5

[proftpd-iptables]

enabled  = false

filter   = proftpd

action   = iptables[name=ProFTPD, port=ftp, protocol=tcp]

           sendmail-whois[name=ProFTPD, dest=you@example.com]

logpath  = /var/log/proftpd/proftpd.log

maxretry = 6

# This jail forces the backend to "polling".

[sasl-iptables]

enabled  = false

filter   = sasl

backend  = polling

action   = iptables[name=sasl, port=smtp, protocol=tcp]

           sendmail-whois[name=sasl, dest=you@example.com]

logpath  = /var/log/mail.log

# Here we use TCP-Wrappers instead of Netfilter/Iptables. "ignoreregex" is

# used to avoid banning the user "myuser".

[ssh-tcpwrapper]

enabled     = true

filter      = sshd

action      = hostsdeny

              sendmail-whois[name=SSH, dest=<removed>]

ignoreregex = for myuser from

logpath     = /var/log/messages.log

# This jail demonstrates the use of wildcards in "logpath".

# Moreover, it is possible to give other files on a new line.

[apache-tcpwrapper]

enabled  = false

filter    = apache-auth

action   = hostsdeny

logpath  = /var/log/apache*/*error.log

           /home/www/myhomepage/error.log

maxretry = 6

# The hosts.deny path can be defined with the "file" argument if it is

# not in /etc.

[postfix-tcpwrapper]

enabled  = false

filter   = postfix

action   = hostsdeny[file=/not/a/standard/path/hosts.deny]

           sendmail[name=Postfix, dest=<removed>]

logpath  = /var/log/postfix.log

bantime  = 300

# Do not ban anybody. Just report information about the remote host.

# A notification is sent at most every 600 seconds (bantime).

[vsftpd-notification]

enabled  = false

filter   = vsftpd

action   = sendmail-whois[name=VSFTPD, dest=<removed>]

logpath  = /var/log/vsftpd.log

maxretry = 5

bantime  = 1800

# Same as above but with banning the IP address.

[vsftpd-iptables]

enabled  = false

filter   = vsftpd

action   = iptables[name=VSFTPD, port=ftp, protocol=tcp]

           sendmail-whois[name=VSFTPD, dest=you@example.com]

logpath  = /var/log/vsftpd.log

maxretry = 5

bantime  = 1800

# Ban hosts which agent identifies spammer robots crawling the web

# for email addresses. The mail outputs are buffered.

[apache-badbots]

enabled  = false

filter   = apache-badbots

action   = iptables-multiport[name=BadBots, port="http,https"]

           sendmail-buffered[name=BadBots, lines=5, dest=<removed>]

logpath  = /var/www/*/logs/access_log

bantime  = 172800

maxretry = 1

# Use shorewall instead of iptables.

[apache-shorewall]

enabled  = false

filter   = apache-noscript

action   = shorewall

           sendmail[name=Postfix, dest=<removed>]

logpath  = /var/log/apache2/error_log

# Ban attackers that try to use PHP's URL-fopen() functionality

# through GET/POST variables. - Experimental, with more than a year

# of usage in production environments.

[php-url-fopen]

enabled = false

port    = http,https

filter  = php-url-fopen

logpath = /var/www/*/logs/access_log

maxretry = 1

# A simple PHP-fastcgi jail which works with lighttpd.

# If you run a lighttpd server, then you probably will

# find these kinds of messages in your error_log:

# ALERT – tried to register forbidden variable ‘GLOBALS’

# through GET variables (attacker '1.2.3.4', file '/var/www/default/htdocs/index.php')

# This jail would block the IP 1.2.3.4.

[lighttpd-fastcgi]

enabled = false

port    = http,https

filter  = lighttpd-fastcgi

# adapt the following two items as needed

logpath = /var/log/lighttpd/error.log

maxretry = 2

# Same as above for mod_auth

# It catches wrong authentifications

[lighttpd-auth]

enabled = false

port    = http,https

filter  = lighttpd-auth

# adapt the following two items as needed

logpath = /var/log/lighttpd/error.log

maxretry = 2

# This jail uses ipfw, the standard firewall on FreeBSD. The "ignoreip"

# option is overridden in this jail. Moreover, the action "mail-whois" defines

# the variable "name" which contains a comma using "". The characters '' are

# valid too.

[ssh-ipfw]

enabled  = false

filter   = sshd

action   = ipfw[localhost=192.168.0.1]

           sendmail-whois[name="SSH,IPFW", dest=<removed>]

logpath  = /var/log/auth.log

ignoreip = 168.192.0.1

# These jails block attacks against named (bind9). By default, logging is off

# with bind9 installation. You will need something like this:

#

# logging {

#     channel security_file {

#         file "/var/log/named/security.log" versions 3 size 30m;

#         severity dynamic;

#         print-time yes;

#     };

#     category security {

#         security_file;

#     };

# };

#

# in your named.conf to provide proper logging.

# This jail blocks UDP traffic for DNS requests.

# !!! WARNING !!!

#   Since UDP is connection-less protocol, spoofing of IP and imitation

#   of illegal actions is way too simple.  Thus enabling of this filter

#   might provide an easy way for implementing a DoS against a chosen

#   victim. See

#    http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html

#   Please DO NOT USE this jail unless you know what you are doing.

#

# [named-refused-udp]

#

# enabled  = false

# filter   = named-refused

# action   = iptables-multiport[name=Named, port="domain,953", protocol=udp]

#            sendmail-whois[name=Named, dest=<removed>

# logpath  = /var/log/named/security.log

# ignoreip = 168.192.0.1

# This jail blocks TCP traffic for DNS requests.

[named-refused-tcp]

enabled  = false

filter   = named-refused

action   = iptables-multiport[name=Named, port="domain,953", protocol=tcp]

           sendmail-whois[name=Named, dest=<removed>]

logpath  = /var/log/named/security.log

ignoreip = 168.192.0.1

# Multiple jails, 1 per protocol, are necessary ATM:

# see https://github.com/fail2ban/fail2ban/issues/37

[asterisk-tcp]

enabled  = false

filter   = asterisk

action   = iptables-multiport[name=asterisk-tcp, port="5060,5061", protocol=tcp]

           sendmail-whois[name=Asterisk, dest=<removed>, sender=fail2ban@example.com]

logpath  = /var/log/asterisk/messages

maxretry = 10

[asterisk-udp]

enabled  = false

filter    = asterisk

action   = iptables-multiport[name=asterisk-udp, port="5060,5061", protocol=udp]

           sendmail-whois[name=Asterisk, dest=you@example.com, sender=fail2ban@example.com]

logpath  = /var/log/asterisk/messages

maxretry = 10

# Jail for more extended banning of persistent abusers

# !!! WARNING !!!

#   Make sure that your loglevel specified in fail2ban.conf/.local

#   is not at DEBUG level -- which might then cause fail2ban to fall into

#   an infinite loop constantly feeding itself with non-informative lines

[recidive]

enabled  = false

filter   = recidive

logpath  = /var/log/fail2ban.log

action   = iptables-allports[name=recidive]

           sendmail-whois-lines[name=recidive, logpath=/var/log/fail2ban.log]

bantime  = 604800  ; 1 week

findtime = 86400   ; 1 day

maxretry = 5

[courierpop3-iptables]

enabled  = true

filter   = courierlogin

backend  = polling

action   = iptables[name=courierpop3, port=pop3, protocol=tcp]

           mail-whois[name=courierpop3, dest=root@localhost]

logpath  = /var/log/mail.log

maxretry = 5

[courierimap-iptables]

enabled  = true

filter   = courierlogin

backend  = polling

action   = iptables[name=courierimap, port=imap, protocol=tcp]

           mail-whois[name=courierimap, dest=root@localhost]

logpath  = /var/log/mail.log

maxretry = 5

elmarotter@ZaphodBeeblebrox /etc $ 
```

Last edited by elmar283 on Thu Feb 20, 2014 10:54 pm; edited 2 times in total

----------

## elmar283

I used a new install and new config. After that it did start. But it fails when I enable ssh-iptables.

Here is my new jail.conf:

```
elmarotter@ZaphodBeeblebrox ~ $ cat /etc/fail2ban/jail.conf 

# Fail2Ban jail base specification file

#

# HOW TO ACTIVATE JAILS:

#

# YOU SHOULD NOT MODIFY THIS FILE.

#

# It will probably be overwitten or improved in a distribution update.

#

# Provide customizations in a jail.local file or a jail.d/customisation.local.

# For example to change the default bantime for all jails and to enable the

# ssh-iptables jail the following (uncommented) would appear in the .local file.

# See man 5 jail.conf for details.

#

# [DEFAULT]

# bantime = 3600

#

# [ssh-iptables]

# enabled = true

# Comments: use '#' for comment lines and ';' (following a space) for inline comments

# The DEFAULT allows a global definition of the options. They can be overridden

# in each jail afterwards.

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not

# ban a host which matches an address in this list. Several addresses can be

# defined using space separator.

ignoreip = 127.0.0.1/8 192.168.0.0/24 192.168.178.0/24 

# External command that will take an tagged arguments to ignore, e.g. <ip>,

# and return true if the IP is to be ignored. False otherwise.

#

# ignorecommand = /path/to/command <ip>

ignorecommand =

# "bantime" is the number of seconds that a host is banned.

bantime  = 600

# A host is banned if it has generated "maxretry" during the last "findtime"

# seconds.

findtime  = 600

# "maxretry" is the number of failures before a host get banned.

maxretry = 3

# "backend" specifies the backend used to get files modification.

# Available options are "pyinotify", "gamin", "polling" and "auto".

# This option can be overridden in each jail as well.

#

# pyinotify: requires pyinotify (a file alteration monitor) to be installed.

#              If pyinotify is not installed, Fail2ban will use auto.

# gamin:     requires Gamin (a file alteration monitor) to be installed.

#              If Gamin is not installed, Fail2ban will use auto.

# polling:   uses a polling algorithm which does not require external libraries.

# auto:      will try to use the following backends, in order:

#              pyinotify, gamin, polling.

backend = auto

# "usedns" specifies if jails should trust hostnames in logs,

#   warn when DNS lookups are performed, or ignore all hostnames in logs

#

# yes:   if a hostname is encountered, a DNS lookup will be performed.

# warn:  if a hostname is encountered, a DNS lookup will be performed,

#        but it will be logged as a warning.

# no:    if a hostname is encountered, will not be used for banning,

#        but it will be logged as info.

usedns = warn

# This jail corresponds to the standard configuration in Fail2ban.

# The mail-whois action send a notification e-mail with a whois request

# in the body.

[pam-generic]

enabled = false

filter  = pam-generic

action  = iptables-allports[name=pam,protocol=all]

logpath = /var/log/secure

[xinetd-fail]

enabled = false

filter  = xinetd-fail

action  = iptables-allports[name=xinetd,protocol=all]

logpath = /var/log/daemon*log

[ssh-iptables]

enabled  = true

filter   = sshd

action   = iptables[name=SSH, port=ssh, protocol=tcp]

           sendmail-whois[name=SSH, dest=you@example.com, sender=fail2ban@example.com, sendername="Fail2Ban"]

logpath  = /var/log/sshd.log

maxretry = 5

[ssh-ddos]

enabled  = false

filter   = sshd-ddos

action   = iptables[name=SSHDDOS, port=ssh, protocol=tcp]

logpath  = /var/log/sshd.log

maxretry = 2

[dropbear]

enabled  = false

filter   = dropbear

action   = iptables[name=dropbear, port=ssh, protocol=tcp]

logpath  = /var/log/messages

maxretry = 5

[proftpd-iptables]

enabled  = false

filter   = proftpd

action   = iptables[name=ProFTPD, port=ftp, protocol=tcp]

           sendmail-whois[name=ProFTPD, dest=you@example.com]

logpath  = /var/log/proftpd/proftpd.log

maxretry = 6

[gssftpd-iptables]

enabled  = false

filter   = gssftpd

action   = iptables[name=GSSFTPd, port=ftp, protocol=tcp]

           sendmail-whois[name=GSSFTPd, dest=you@example.com]

logpath  = /var/log/daemon.log

maxretry = 6

[pure-ftpd]

enabled  = false

filter   = pure-ftpd

action   = iptables[name=pureftpd, port=ftp, protocol=tcp]

logpath  = /var/log/pureftpd.log

maxretry = 6

[wuftpd]

enabled  = false

filter   = wuftpd

action   = iptables[name=wuftpd, port=ftp, protocol=tcp]

logpath  = /var/log/daemon.log

maxretry = 6

# This jail forces the backend to "polling".

[sasl-iptables]

enabled  = false

filter   = postfix-sasl

backend  = polling

action   = iptables[name=sasl, port=smtp, protocol=tcp]

           sendmail-whois[name=sasl, dest=you@example.com]

logpath  = /var/log/mail.log

# ASSP SMTP Proxy Jail

[assp]

enabled = false

filter  = assp

action  = iptables-multiport[name=assp,port="25,465,587"]

logpath = /root/path/to/assp/logs/maillog.txt

# Here we use TCP-Wrappers instead of Netfilter/Iptables. "ignoreregex" is

# used to avoid banning the user "myuser".

[ssh-tcpwrapper]

enabled     = false

filter      = sshd

action      = hostsdeny[daemon_list=sshd]

              sendmail-whois[name=SSH, dest=you@example.com]

ignoreregex = for myuser from

logpath     = /var/log/sshd.log

# Here we use blackhole routes for not requiring any additional kernel support

# to store large volumes of banned IPs

[ssh-route]

enabled  = false

filter   = sshd

action   = route

logpath  = /var/log/sshd.log

maxretry = 5

# Here we use a combination of Netfilter/Iptables and IPsets

# for storing large volumes of banned IPs

#

# IPset comes in two versions. See ipset -V for which one to use

# requires the ipset package and kernel support.

[ssh-iptables-ipset4]

enabled  = false

filter   = sshd

action   = iptables-ipset-proto4[name=SSH, port=ssh, protocol=tcp]

logpath  = /var/log/sshd.log

maxretry = 5

[ssh-iptables-ipset6]

enabled  = false

filter   = sshd

action   = iptables-ipset-proto6[name=SSH, port=ssh, protocol=tcp, bantime=600]

logpath  = /var/log/sshd.log

maxretry = 5

# bsd-ipfw is ipfw used by BSD. It uses ipfw tables.

# table number must be unique.

# 

# This will create a deny rule for that table ONLY if a rule 

# for the table doesn't ready exist.

#

[ssh-bsd-ipfw]

enabled  = false

filter   = sshd

action   = bsd-ipfw[port=ssh,table=1]

logpath  = /var/log/auth.log

maxretry = 5

# This jail demonstrates the use of wildcards in "logpath".

# Moreover, it is possible to give other files on a new line.

[apache-tcpwrapper]

enabled  = false

filter    = apache-auth

action   = hostsdeny

logpath  = /var/log/apache*/*error.log

           /home/www/myhomepage/error.log

maxretry = 6

[apache-modsecurity]

enabled  = false

filter    = apache-modsecurity

action   = iptables-multiport[name=apache-modsecurity,port="80,443"]

logpath  = /var/log/apache*/*error.log

           /home/www/myhomepage/error.log

maxretry = 2

[apache-overflows]

enabled  = false

filter    = apache-overflows

action   = iptables-multiport[name=apache-overflows,port="80,443"]

logpath  = /var/log/apache*/*error.log

           /home/www/myhomepage/error.log

maxretry = 2

[apache-nohome]

enabled  = false

filter    = apache-nohome

action   = iptables-multiport[name=apache-nohome,port="80,443"]

logpath  = /var/log/apache*/*error.log

           /home/www/myhomepage/error.log

maxretry = 2

[nginx-http-auth]

enabled = false

filter  = nginx-http-auth

action  = iptables-multiport[name=nginx-http-auth,port="80,443"]

logpath = /var/log/nginx/error.log

[squid]

enabled = false

filter  = squid

action  = iptables-multiport[name=squid,port="80,443,8080"]

logpath = /var/log/squid/access.log

# The hosts.deny path can be defined with the "file" argument if it is

# not in /etc.

[postfix-tcpwrapper]

enabled  = false

filter   = postfix

action   = hostsdeny[file=/not/a/standard/path/hosts.deny]

           sendmail[name=Postfix, dest=you@example.com]

logpath  = /var/log/postfix.log

bantime  = 300

[cyrus-imap]

enabled = false

filter  = cyrus-imap

action  = iptables-multiport[name=cyrus-imap,port="143,993"]

logpath = /var/log/mail*log

[courierlogin]

enabled = false

filter  = courierlogin

action  = iptables-multiport[name=courierlogin,port="25,110,143,465,587,993,995"]

logpath = /var/log/mail*log

[couriersmtp]

enabled = false

filter  = couriersmtp

action  = iptables-multiport[name=couriersmtp,port="25,465,587"]

logpath = /var/log/mail*log

[qmail-rbl]

enabled = false

filter  = qmail

action  = iptables-multiport[name=qmail-rbl,port="25,465,587"]

logpath = /service/qmail/log/main/current

[sieve]

enabled = false

filter  = sieve

action  = iptables-multiport[name=sieve,port="25,465,587"]

logpath = /var/log/mail*log

# Do not ban anybody. Just report information about the remote host.

# A notification is sent at most every 600 seconds (bantime).

[vsftpd-notification]

enabled  = false

filter   = vsftpd

action   = sendmail-whois[name=VSFTPD, dest=you@example.com]

logpath  = /var/log/vsftpd.log

maxretry = 5

bantime  = 1800

# Same as above but with banning the IP address.

[vsftpd-iptables]

enabled  = false

filter   = vsftpd

action   = iptables[name=VSFTPD, port=ftp, protocol=tcp]

           sendmail-whois[name=VSFTPD, dest=you@example.com]

logpath  = /var/log/vsftpd.log

maxretry = 5

bantime  = 1800

# Ban hosts which agent identifies spammer robots crawling the web

# for email addresses. The mail outputs are buffered.

[apache-badbots]

enabled  = false

filter   = apache-badbots

action   = iptables-multiport[name=BadBots, port="http,https"]

           sendmail-buffered[name=BadBots, lines=5, dest=you@example.com]

logpath  = /var/www/*/logs/access_log

bantime  = 172800

maxretry = 1

# Use shorewall instead of iptables.

[apache-shorewall]

enabled  = false

filter   = apache-noscript

action   = shorewall

           sendmail[name=Postfix, dest=you@example.com]

logpath  = /var/log/apache2/error_log

# Monitor roundcube server

[roundcube-iptables]

enabled  = false

filter   = roundcube-auth

action   = iptables-multiport[name=RoundCube, port="http,https"]

logpath  = /var/log/roundcube/userlogins

# Monitor SOGo groupware server

[sogo-iptables]

enabled  = false

filter   = sogo-auth

# without proxy this would be:

# port    = 20000

action   = iptables-multiport[name=SOGo, port="http,https"]

logpath  = /var/log/sogo/sogo.log

[groupoffice]

enabled  = false

filter   = groupoffice

action   = iptables-multiport[name=groupoffice, port="http,https"]

logpath  = /home/groupoffice/log/info.log 

[openwebmail]

enabled  = false

filter   = openwebmail

logpath  = /var/log/openwebmail.log

action   = ipfw

           sendmail-whois[name=openwebmail, dest=you@example.com]

maxretry = 5

[horde]

enabled  = false

filter   = horde

logpath  = /var/log/horde/horde.log

action   = iptables-multiport[name=horde, port="http,https"]

maxretry = 5

# Ban attackers that try to use PHP's URL-fopen() functionality

# through GET/POST variables. - Experimental, with more than a year

# of usage in production environments.

[php-url-fopen]

enabled  = false

action   = iptables-multiport[name=php-url-open, port="http,https"]

filter   = php-url-fopen

logpath  = /var/www/*/logs/access_log

maxretry = 1

# Ban attackers that try to use PHP's URL-fopen() functionality

# through GET/POST variables. - Experimental, with more than a year

# of usage in production environments.

[php-url-fopen]

enabled  = false

action   = iptables-multiport[name=php-url-open, port="http,https"]

filter   = php-url-fopen

logpath  = /var/www/*/logs/access_log

maxretry = 1

[suhosin]

enabled  = false

filter   = suhosin

action   = iptables-multiport[name=suhosin, port="http,https"]

# adapt the following two items as needed

logpath  = /var/log/lighttpd/error.log

maxretry = 2

[lighttpd-auth]

enabled  = false

filter   = lighttpd-auth

action   = iptables-multiport[name=lighttpd-auth, port="http,https"]

# adapt the following two items as needed

logpath  = /var/log/lighttpd/error.log

maxretry = 2

# This jail uses ipfw, the standard firewall on FreeBSD. The "ignoreip"

# option is overridden in this jail. Moreover, the action "mail-whois" defines

# the variable "name" which contains a comma using "". The characters '' are

# valid too.

[ssh-ipfw]

enabled  = false

filter   = sshd

action   = ipfw[localhost=192.168.0.1]

           sendmail-whois[name="SSH,IPFW", dest=you@example.com]

logpath  = /var/log/auth.log

ignoreip = 168.192.0.1

# !!! WARNING !!!

#   Since UDP is connection-less protocol, spoofing of IP and imitation

#   of illegal actions is way too simple.  Thus enabling of this filter

#   might provide an easy way for implementing a DoS against a chosen

#   victim. See

#    http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html

#   Please DO NOT USE this jail unless you know what you are doing.

#

# IMPORTANT: see filter.d/named-refused for instructions to enable logging

# This jail blocks UDP traffic for DNS requests.

# [named-refused-udp]

#

# enabled  = false

# filter   = named-refused

# action   = iptables-multiport[name=Named, port="domain,953", protocol=udp]

#            sendmail-whois[name=Named, dest=you@example.com]

# logpath  = /var/log/named/security.log

# ignoreip = 168.192.0.1

# IMPORTANT: see filter.d/named-refused for instructions to enable logging

# This jail blocks TCP traffic for DNS requests.

[named-refused-tcp]

enabled  = false

filter   = named-refused

action   = iptables-multiport[name=Named, port="domain,953", protocol=tcp]

           sendmail-whois[name=Named, dest=you@example.com]

logpath  = /var/log/named/security.log

ignoreip = 168.192.0.1

[nsd]

enabled = false

filter  = nsd

action  = iptables-multiport[name=nsd-tcp, port="domain", protocol=tcp]

          iptables-multiport[name=nsd-udp, port="domain", protocol=udp]

logpath = /var/log/nsd.log

[asterisk]

enabled  = false

filter   = asterisk

action   = iptables-multiport[name=asterisk-tcp, port="5060,5061", protocol=tcp]

           iptables-multiport[name=asterisk-udp, port="5060,5061", protocol=udp]

           sendmail-whois[name=Asterisk, dest=you@example.com, sender=fail2ban@example.com]

logpath  = /var/log/asterisk/messages

maxretry = 10

[freeswitch]

enabled  = false

filter   = freeswitch

logpath  = /var/log/freeswitch.log

maxretry = 10

action   = iptables-multiport[name=freeswitch-tcp, port="5060,5061,5080,5081", protocol=tcp]

           iptables-multiport[name=freeswitch-udp, port="5060,5061,5080,5081", protocol=udp]

[ejabberd-auth]

enabled = false

filter = ejabberd-auth

logpath = /var/log/ejabberd/ejabberd.log

action   = iptables[name=ejabberd, port=xmpp-client, protocol=tcp]

#  Historical support (before https://github.com/fail2ban/fail2ban/issues/37 was fixed )

#  use [asterisk] for new jails

[asterisk-tcp]

enabled  = false

filter   = asterisk

action   = iptables-multiport[name=asterisk-tcp, port="5060,5061", protocol=tcp]

           sendmail-whois[name=Asterisk, dest=you@example.com, sender=fail2ban@example.com]

logpath  = /var/log/asterisk/messages

maxretry = 10

#  Historical support (before https://github.com/fail2ban/fail2ban/issues/37 was fixed )

#  use [asterisk] for new jails

[asterisk-udp]

enabled  = false

filter    = asterisk

action   = iptables-multiport[name=asterisk-udp, port="5060,5061", protocol=udp]

           sendmail-whois[name=Asterisk, dest=you@example.com, sender=fail2ban@example.com]

logpath  = /var/log/asterisk/messages

maxretry = 10

[mysqld-iptables]

enabled  = false

filter   = mysqld-auth

action   = iptables[name=mysql, port=3306, protocol=tcp]

           sendmail-whois[name=MySQL, dest=root, sender=fail2ban@example.com]

logpath  = /var/log/mysqld.log

maxretry = 5

[mysqld-syslog]

enabled  = false

filter   = mysqld-auth

action   = iptables[name=mysql, port=3306, protocol=tcp]

logpath  = /var/log/daemon.log

maxretry = 5

# Jail for more extended banning of persistent abusers

# !!! WARNING !!!

#   Make sure that your loglevel specified in fail2ban.conf/.local

#   is not at DEBUG level -- which might then cause fail2ban to fall into

#   an infinite loop constantly feeding itself with non-informative lines

[recidive]

enabled  = false

filter   = recidive

logpath  = /var/log/fail2ban.log

action   = iptables-allports[name=recidive,protocol=all]

           sendmail-whois-lines[name=recidive, logpath=/var/log/fail2ban.log]

bantime  = 604800  ; 1 week

findtime = 86400   ; 1 day

maxretry = 5

# PF is a BSD based firewall

[ssh-pf]

enabled  = false

filter   = sshd

action   = pf

logpath  = /var/log/sshd.log

maxretry = 5

[3proxy]

enabled = false

filter  = 3proxy

action  = iptables[name=3proxy, port=3128, protocol=tcp]

logpath = /var/log/3proxy.log

[exim]

enabled = false

filter  = exim

action  = iptables-multiport[name=exim,port="25,465,587"]

logpath = /var/log/exim/mainlog

[exim-spam]

enabled = false

filter  = exim-spam

action  = iptables-multiport[name=exim-spam,port="25,465,587"]

logpath = /var/log/exim/mainlog

[perdition]

enabled = false

filter  = perdition

action  = iptables-multiport[name=perdition,port="110,143,993,995"]

logpath = /var/log/maillog

[uwimap-auth]

enabled = false

filter  = uwimap-auth

action  = iptables-multiport[name=uwimap-auth,port="110,143,993,995"]

logpath = /var/log/maillog

[osx-ssh-ipfw]

enabled  = false

filter   = sshd

action   = osx-ipfw

logpath  = /var/log/secure.log

maxretry = 5

[ssh-apf]

enabled = false

filter  = sshd

action  = apf[name=SSH]

logpath = /var/log/secure

maxretry = 5

[osx-ssh-afctl]

enabled  = false

filter   = sshd

action   = osx-afctl[bantime=600]

logpath  = /var/log/secure.log

maxretry = 5

[webmin-auth]

enabled = false

filter  = webmin-auth

action  = iptables-multiport[name=webmin,port="10000"]

logpath = /var/log/auth.log

# dovecot defaults to logging to the mail syslog facility

# but can be set by syslog_facility in the dovecot configuration.

[dovecot]

enabled = false

filter  = dovecot

action  = iptables-multiport[name=dovecot, port="pop3,pop3s,imap,imaps,submission,465,sieve", protocol=tcp]

logpath = /var/log/mail.log

[dovecot-auth]

enabled = false

filter  = dovecot

action  = iptables-multiport[name=dovecot-auth, port="pop3,pop3s,imap,imaps,submission,465,sieve", protocol=tcp]

logpath = /var/log/secure

[solid-pop3d]

enabled = false

filter  = solid-pop3d

action  = iptables-multiport[name=solid-pop3, port="pop3,pop3s", protocol=tcp]

logpath = /var/log/mail.log

[selinux-ssh]

enabled  = false

filter   = selinux-ssh

action   = iptables[name=SELINUX-SSH, port=ssh, protocol=tcp]

logpath  = /var/log/audit/audit.log

maxretry = 5

# See the IMPORTANT note in action.d/blocklist_de.conf for when to

# use this action

#

# Report block via blocklist.de fail2ban reporting service API

# See action.d/blocklist_de.conf for more information

[ssh-blocklist]

enabled  = false

filter   = sshd

action   = iptables[name=SSH, port=ssh, protocol=tcp]

           sendmail-whois[name=SSH, dest=you@example.com, sender=fail2ban@example.com, sendername="Fail2Ban"]

           blocklist_de[email="fail2ban@example.com", apikey="xxxxxx", service=%(filter)s]

logpath  = /var/log/sshd.log

maxretry = 20
```

----------

## elmar283

I think I solved the problem.

The file '/var/log/sshd.log' does not excist. I changed this line to '/var/log/auth.log'.

I'm going to do some more checks tomorrow. (It is getting late in the Netherlands  :Wink:  ).

If everything works again then I'm going to add [solved] to the subject.

Thanks for helping out!  :Very Happy: 

----------

## 666threesixes666

no problem, ill put it on my 2 do list to wiki up more of fail2ban here.  i suggest making your services to be jailed in the format of /etc/fail2ban/jail.d/sshd.conf and splitting them up instead of having everything all in 1 file.  that way sshd can be renamed to sshd.conf.backup, restart fail2ban and everything but sshd would be jailed and protected again.

----------

## elmar283

I began with filling jail.d and have turned all off in jail.conf.

Here the results:

- sshd-iptables is working

- when reloading I get the warning: "WARNING 'ignoreregex' not defined in 'Definition'. Using default one: ''"

So don't know how to fix that warning.

----------

## 666threesixes666

default config doesn't throw any errors for me....  http://bpaste.net/show/181501/ <--- my default

i only have 1 jail sshd via syslog-ng & ufw for when i populated jails.d example on fail2ban wiki found here...  https://wiki.gentoo.org/wiki/Fail2ban#jail.d

again same plan, back off your settings till it works perfectly then introduce configs and restart introduce more restart until you find the jail throwing problems.....

https://github.com/fail2ban/fail2ban/issues/485

they say a malformed jail is causing the error....

im trying to get it so there is only a single point of failure, and that is wrapped within the jail.d directory....  id probably name the tested and confirmed working jails to jail.conf.good until you complete populating the jail.d directory.

----------

## elmar283

Now I only have sshd no warning is given anymore. I have /etc/fail2ban/jail.d/sshd.conf:

```

[ssh-iptables]

enabled  = true

filter   = sshd

action   = iptables[name=SSH, port=ssh, protocol=tcp]

logpath  = /var/log/messages

maxretry = 5
```

The only thing I still do not understand is the logpath. Is this where jail2ban logs or is this where jail2ban looks for intruders?

----------

## 666threesixes666

/var/log/fail2ban.log is where fail2ban logs to...  /var/log/messages is what that particular jail is scanning for ssh messages to determine clowns failing to log in, needing banning.

----------

## elmar283

That means that if ssh logs to /var/log/auth.log the config should be:

```

[ssh-iptables]

enabled  = true

filter   = sshd

action   = iptables[name=SSH, port=ssh, protocol=tcp]

logpath  = /var/log/auth.log

maxretry = 5

```

----------

## 666threesixes666

correct.

my sshd does not log there.  maybe post your ssh config to show how to do that?

----------

## elmar283

I know it logs there because when I do tail -f /var/log/auth.log and then login width ssh I see a log about it.

I'm not sure why it is being logged there. I have syslog-ng and a hardened kernel and profile. I used http://www.gentoo.org/doc/en/security/security-handbook.xml?part=1&chap=3#doc_chap4 for splitting the logs up.

Total off topic:

There are two lines that makes it go there I guess:

```

log { source(src); filter(f_authpriv); destination(authlog); }; and

destination authlog { file("/var/log/auth.log"); };

```

End total off topic.

Thanks for the help! fail2ban is now working like it should again.

----------

