[SOLVED] Is there someone who succeeded with Fail2ban?

Support for security such as Firewalls and securing linux
sblantipodi
Posts: 252
Joined: 2009/07/10 09:43:13

Post by sblantipodi » 2011/07/24 19:36:20

As title...

I always used fail2ban without problems with CentOS 5.6 or earlier, but now with CentOS 6
I'm not able to make fail2ban work well.

Rules are written OK, logs are OK, but fail2ban doesn't ban anyone...

keithwright
Posts: 16
Joined: 2011/08/01 18:53:57

Re: Is there someone who succeeded with Fail2ban?

Post by keithwright » 2011/08/02 17:11:56

I succeeded in getting fail2ban working. I did have to make one change to the /etc/fail2ban/jail.conf file.
By default, only [ssh-iptables] is enabled, but it wasn't working. When I looked at the result of running

[code]
iptables -L
[/code]

I noticed that the chain fail2ban-SSH had zero references to it. On a hunch, I added

[code]
bantime = 1800
[/code]

to the [ssh-iptables] section and restarted fail2ban (service fail2ban restart).
Now, iptables -L showed a rule in the INPUT chain which referenced the fail2ban-SSH chain.

I logged into a remote machine, and purposely failed to authenticate, and fail2ban added a DROP rule for that IP to the fail2ban-SSH chain.
I even changed the bantime, so it was 60, and tested it again. For a minute, the rule was added banning the IP, and then it was cleared.
So, it appears to be working, at least for ssh.

grifs71
Posts: 157
Joined: 2007/10/02 05:15:38
Location: Arkansas, United States

Re: Is there someone who succeeded with Fail2ban?

Post by grifs71 » 2011/08/05 01:02:00

Did you install this with yum install or do you have to install it from an rpm approach?

thanks

pschaff
Retired Moderator
Posts: 18276
Joined: 2006/12/13 20:15:34
Location: Tidewater, Virginia, North America

[SOLVED] Is there someone who succeeded with Fail2ban?

Post by pschaff » 2011/08/05 10:55:49

Not sure what Keith or the OP did, but fail2ban is yummable (to coin a word) from multiple repos:
[code]
yum --noplugins --showduplicates --enablerepo \* --disablerepo \*-source --disablerepo \*-debug\* list fail2ban
...
fail2ban.noarch 0.8.2-3.el6.rf rpmforge
fail2ban.noarch 0.8.4-24.el6 epel
fail2ban.noarch 0.8.4-27.el6 atrpms
[/code]

sblantipodi
Posts: 252
Joined: 2009/07/10 09:43:13

Re: Is there someone who succeeded with Fail2ban?

Post by sblantipodi » 2011/08/05 10:57:06

I solved the problem with fail2ban; there was a date problem.

I solved it by editing:
/etc/fail2ban/filter.d/common.conf

and replacing
[code]
__prefix_line = \s*(?:\S+ )?(?:@vserver_\S+ )?%(__daemon_combs_re)s?\s*
[/code]

with this:
[code]
__prefix_line = .*?
[/code]
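
To see what the replacement in the post above changes, this added example (not part of the thread, and not fail2ban's own code) compares the two `__prefix_line` values on constructed log lines. The sub-patterns standing in for `%(__daemon_combs_re)s`, the failregex, and the simplified `<HOST>` group are assumptions modelled on the stock sshd filter.

```python
import re

# Assumed definitions, modelled on fail2ban's common.conf with _daemon = sshd.
PID = r"(?:\[\d+\])"
DAEMON = r"[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?"
DAEMON_COMBS = rf"(?:{PID}?:\s+{DAEMON}|{DAEMON}{PID}?:)"

PREFIXES = {
    # Original value quoted in the post.
    "stock": rf"\s*(?:\S+ )?(?:@vserver_\S+ )?{DAEMON_COMBS}?\s*",
    # Replacement value quoted in the post.
    "relaxed": r".*?",
}

# Assumed failregex in the style of the sshd filter; <HOST> simplified to IPv4.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAILREGEX = r"^{prefix}Failed [-/\w]+ for .* from {host}(?: port \d*)?(?: ssh\d*)?$"

# Constructed sample lines (documentation IP ranges), not taken from the thread.
SAMPLES = {
    # Timestamp already removed from the line, leaving host and daemon tag.
    "date_stripped": " host sshd[1234]: Failed password for root from 192.0.2.10 port 4242 ssh2",
    # Timestamp still in front of the host name.
    "date_left_in": "2011-07-24T19:30:01+02:00 host sshd[1234]: "
                    "Failed password for root from 192.0.2.10 port 4242 ssh2",
    # Same message text, but logged by a program other than sshd.
    "other_daemon": " host myapp[77]: Failed password for alice from 198.51.100.7 port 50000 ssh2",
    # Successful login: must never match.
    "accepted": " host sshd[1234]: Accepted password for bob from 192.0.2.20 port 4243 ssh2",
}


def matched_host(prefix_name, line):
    """Return the captured host if the failregex matches, else None."""
    pattern = FAILREGEX.format(prefix=PREFIXES[prefix_name], host=HOST)
    m = re.search(pattern, line)
    return m.group("host") if m else None


def compare():
    """Map each sample name to (stock result, relaxed result)."""
    return {name: (matched_host("stock", line), matched_host("relaxed", line))
            for name, line in SAMPLES.items()}


if __name__ == "__main__":
    for name, (stock, relaxed) in compare().items():
        print(f"{name:14} stock={stock!s:12} relaxed={relaxed}")
```

With the relaxed prefix the filter also accepts the line written by another program, so it no longer checks that sshd produced the message. `fail2ban-regex` can run the same comparison against a real log file and filter.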

pschaff
Retired Moderator
Posts: 18276
Joined: 2006/12/13 20:15:34
Location: Tidewater, Virginia, North America

Re: [SOLVED] Is there someone who succeeded with Fail2ban?

Post by pschaff » 2011/08/05 10:58:45

Thanks for reporting back. Marking this thread [SOLVED] for posterity.

P.S. It would be good to say which source you used for fail2ban.
