fail2ban installed and default configuration does not seem to work

youds

Hi

I hope you are all well.

I have had fail2ban installed for some time and am getting messages saying failed login attempts in the thousands; now I know that is not possible with fail2ban working correctly. Before, fail2ban ran from the fail2ban command, but when it changed to fail2ban-server and fail2ban-client problems started happening and I think I've been exposed ever since.

Here is the output of some logs:
/var/log/messages
Code:
Jun 11 17:00:11 europa freshclam[1094]: Received signal: wake up
Jun 11 17:00:11 europa freshclam[1094]: ClamAV update process started at Sat Jun 11 17:00:11 2016
Jun 11 17:00:11 europa freshclam[1094]: Your ClamAV installation is OUTDATED!
Jun 11 17:00:11 europa freshclam[1094]: Local version: 0.99 Recommended version: 0.99.2
Jun 11 17:00:11 europa freshclam[1094]: DON'T PANIC! Read http://www.clamav.net/support/faq
Jun 11 17:00:11 europa freshclam[1094]: main.cvd is up to date (version: 57, sigs: 4218790, f-level: 60, builder: amishhammer)
Jun 11 17:00:11 europa freshclam[1094]: daily.cld is up to date (version: 21712, sigs: 264117, f-level: 63, builder: neo)
Jun 11 17:00:11 europa freshclam[1094]: bytecode.cld is up to date (version: 278, sigs: 50, f-level: 63, builder: neo)
Jun 11 17:00:11 europa freshclam[1094]: --------------------------------------
Jun 11 17:02:07 europa named[1652]: error (network unreachable) resolving 'ns.isc.afilias-nst.info/A/IN': 2a01:8840:9::1#53
Jun 11 17:02:07 europa named[1652]: error (network unreachable) resolving 'ns.isc.afilias-nst.info/AAAA/IN': 2a01:8840:9::1#53
Jun 11 17:02:07 europa named[1652]: error (network unreachable) resolving 'ns.isc.afilias-nst.info/A/IN': 2a01:8840:8::1#53
Jun 11 17:02:07 europa named[1652]: error (network unreachable) resolving 'ns.isc.afilias-nst.info/AAAA/IN': 2a01:8840:8::1#53
Jun 11 17:02:07 europa named[1652]: error (network unreachable) resolving 'dlv.isc.org/DNSKEY/IN': 2001:500:71::29#53
Jun 11 17:02:08 europa named[1652]: error (network unreachable) resolving 'ns1.isc.ultradns.net/A/IN': 2610:a1:1015::e8#53
Jun 11 17:02:08 europa named[1652]: error (network unreachable) resolving 'ns1.isc.ultradns.net/AAAA/IN': 2610:a1:1015::e8#53
Jun 11 17:02:08 europa named[1652]: error (network unreachable) resolving 'pdns196.ultradns.info/A/IN': 2001:500:1a::1#53
Jun 11 17:02:08 europa named[1652]: error (network unreachable) resolving 'pdns196.ultradns.info/AAAA/IN': 2001:500:1a::1#53
Jun 11 17:02:08 europa named[1652]: error (network unreachable) resolving 'pdns196.ultradns.info/AAAA/IN': 2610:a1:1016::e8#53
Jun 11 17:48:12 europa named[1652]: client 113.17.184.25#20000: query (cache) '3895082674.www.baidu.com/A/IN' denied
Jun 11 18:02:08 europa named[1652]: error (network unreachable) resolving './DNSKEY/IN': 2001:500:2f::f#53
Jun 11 18:02:08 europa named[1652]: error (network unreachable) resolving 'dlv.isc.org/DNSKEY/IN': 2001:500:71::30#53
Jun 11 18:02:08 europa named[1652]: error (network unreachable) resolving './NS/IN': 2001:500:2f::f#53
Jun 11 18:02:08 europa named[1652]: error (network unreachable) resolving './DNSKEY/IN': 2001:7fd::1#53
Jun 11 18:02:08 europa named[1652]: error (network unreachable) resolving './NS/IN': 2001:7fd::1#53
Jun 11 18:02:08 europa named[1652]: error (network unreachable) resolving './DNSKEY/IN': 2001:500:2d::d#53
Jun 11 18:02:08 europa named[1652]: error (network unreachable) resolving './NS/IN': 2001:500:2d::d#53
Jun 11 18:02:08 europa named[1652]: error (network unreachable) resolving './DNSKEY/IN': 2001:dc3::35#53
Jun 11 18:02:08 europa named[1652]: error (network unreachable) resolving './NS/IN': 2001:dc3::35#53
Jun 11 18:19:46 europa fail2ban.server[8643]: INFO Stopping all jails
Jun 11 18:19:46 europa fail2ban.action[8643]: ERROR iptables  -D INPUT -p tcp -m multiport --dports pop3,pop3s,imap,imaps -j f2b-dovecot-pop3imap#012iptables  -F f2b-dovecot-pop3imap#012iptables  -X f2b-dovecot-pop3imap -- stdout: ''
Jun 11 18:19:46 europa fail2ban.action[8643]: ERROR iptables  -D INPUT -p tcp -m multiport --dports pop3,pop3s,imap,imaps -j f2b-dovecot-pop3imap#012iptables  -F f2b-dovecot-pop3imap#012iptables  -X f2b-dovecot-pop3imap -- stderr: "iptables v1.4.7: Couldn't load target `f2b-dovecot-pop3imap':/lib64/xtables/libipt_f2b-dovecot-pop3imap.so: cannot open shared object file: No such file or directory\n\nTry `iptables -h' or 'iptables --help' for more information.\niptables: No chain/target/match by that name.\niptables: No chain/target/match by that name.\n"
Jun 11 18:19:46 europa fail2ban.action[8643]: ERROR iptables  -D INPUT -p tcp -m multiport --dports pop3,pop3s,imap,imaps -j f2b-dovecot-pop3imap#012iptables  -F f2b-dovecot-pop3imap#012iptables  -X f2b-dovecot-pop3imap -- returned 1
Jun 11 18:19:46 europa fail2ban.actions[8643]: ERROR Failed to stop jail 'dovecot-pop3imap' action 'iptables-multiport': Error stopping action
Jun 11 18:19:46 europa fail2ban.jail[8643]: INFO Jail 'dovecot-pop3imap' stopped
Jun 11 18:19:46 europa fail2ban.server[8643]: INFO Exiting Fail2ban
Jun 11 18:19:47 europa fail2ban.server[430]: INFO Changed logging target to SYSLOG (/dev/log) for Fail2ban v0.9.3
Jun 11 18:19:47 europa fail2ban.database[430]: INFO Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
Jun 11 18:19:47 europa fail2ban.jail[430]: INFO Creating new jail 'dovecot-pop3imap'
Jun 11 18:19:47 europa fail2ban.jail[430]: INFO Jail 'dovecot-pop3imap' uses pyinotify
Jun 11 18:19:47 europa fail2ban.filter[430]: INFO Set jail log file encoding to UTF-8
Jun 11 18:19:47 europa fail2ban.jail[430]: INFO Initiated 'pyinotify' backend
Jun 11 18:19:47 europa fail2ban.filter[430]: INFO Added logfile = /var/log/maillog
Jun 11 18:19:47 europa fail2ban.filter[430]: INFO Set maxRetry = 20
Jun 11 18:19:47 europa fail2ban.filter[430]: INFO Set jail log file encoding to UTF-8
Jun 11 18:19:47 europa fail2ban.actions[430]: INFO Set banTime = 1200
Jun 11 18:19:47 europa fail2ban.filter[430]: INFO Set findtime = 1200
Jun 11 18:19:47 europa fail2ban.jail[430]: INFO Jail 'dovecot-pop3imap' started
Jun 11 18:44:56 europa fail2ban.server[430]: INFO Stopping all jails
Jun 11 18:44:57 europa fail2ban.jail[430]: INFO Jail 'dovecot-pop3imap' stopped
Jun 11 18:44:57 europa fail2ban.server[430]: INFO Exiting Fail2ban
Jun 11 18:44:57 europa fail2ban.server[603]: INFO Changed logging target to SYSLOG (/dev/log) for Fail2ban v0.9.3
Jun 11 18:44:57 europa fail2ban.database[603]: INFO Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
Jun 11 18:44:57 europa fail2ban.jail[603]: INFO Creating new jail 'dovecot-pop3imap'
Jun 11 18:44:57 europa fail2ban.jail[603]: INFO Jail 'dovecot-pop3imap' uses pyinotify
Jun 11 18:44:57 europa fail2ban.filter[603]: INFO Set jail log file encoding to UTF-8
Jun 11 18:44:57 europa fail2ban.jail[603]: INFO Initiated 'pyinotify' backend
Jun 11 18:44:57 europa fail2ban.filter[603]: INFO Added logfile = /var/log/maillog
Jun 11 18:44:57 europa fail2ban.filter[603]: INFO Set maxRetry = 20
Jun 11 18:44:57 europa fail2ban.filter[603]: INFO Set jail log file encoding to UTF-8
Jun 11 18:44:57 europa fail2ban.actions[603]: INFO Set banTime = 1200
Jun 11 18:44:57 europa fail2ban.filter[603]: INFO Set findtime = 1200
Jun 11 18:44:57 europa fail2ban.jail[603]: INFO Jail 'dovecot-pop3imap' started

Besides that, the configuration is the same as on other systems. I'm running CentOS release 6.7 (Final).

Any help would be appreciated; have I missed some article on how to integrate fail2ban with DirectAdmin these days?

Seems stupid it doesn't work out of the box...

Thanks in advance
 
Confirmation of the problem:

Code:
[root@europa custombuild]# service fail2ban status
fail2ban-server (pid  26072) is running...
Status
|- Number of jail:	0
`- Jail list:	
[root@europa custombuild]#
 
Fail2Ban has changed its configs recently and you need to look at what you have configured. You are showing that you have 0 jails enabled, so nothing is being monitored. Take a look at your jail.local; that is the config file you would use to enable the jails. Here is basically what mine looks like:
Code:
[DEFAULT]
bantime = 43200
findtime = 3600
ignoreip = 127.0.0.1 $MYHOMEIP $MYWORKIP
[sshd]
enabled = true
[sshd-ddos]
enabled = true
[pure-ftpd]
enabled = true
[dovecot]
enabled = true
[exim]
enabled = true
logpath = /var/log/exim/mainlog
logencoding = auto
[directadmin]
enabled = true
 
Weirdly, I'm now getting problems after installing a new CentOS 7 server with DirectAdmin.

Code:
[root@neptune libpng-1.4.4]# service fail2ban start
Starting fail2ban (via systemctl):  Job for fail2ban.service failed because the control process exited with error code. See "systemctl status fail2ban.service" and "journalctl -xe" for details.
                                                           [FAILED]

Outputs of which are here:
Code:
[root@neptune libpng-1.4.4]# systemctl status fail2ban.service
● fail2ban.service - SYSV: Fail2ban daemon
   Loaded: loaded (/etc/rc.d/init.d/fail2ban)
   Active: failed (Result: exit-code) since Wed 2016-08-03 14:29:38 CEST; 31s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 7105 ExecStop=/etc/rc.d/init.d/fail2ban stop (code=exited, status=0/SUCCESS)
  Process: 7299 ExecStart=/etc/rc.d/init.d/fail2ban start (code=exited, status=255)

Aug 03 14:29:38 neptune.youds.com systemd[1]: Starting SYSV: Fail2ban daemon...
Aug 03 14:29:38 neptune.youds.com fail2ban[7299]: Starting fail2ban: [FAILED]
Aug 03 14:29:38 neptune.youds.com systemd[1]: fail2ban.service: control process exited, code=exited status=255
Aug 03 14:29:38 neptune.youds.com systemd[1]: Failed to start SYSV: Fail2ban daemon.
Aug 03 14:29:38 neptune.youds.com systemd[1]: Unit fail2ban.service entered failed state.
Aug 03 14:29:38 neptune.youds.com systemd[1]: fail2ban.service failed.
Code:
Aug 03 14:31:01 neptune.youds.com systemd[1]: Starting Session c1657 of user root.
-- Subject: Unit session-c1657.scope has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit session-c1657.scope has begun starting up.
Aug 03 14:31:01 neptune.youds.com CROND[7359]: (root) CMD (/usr/local/directadmin/dataskq)
Aug 03 14:31:01 neptune.youds.com CROND[7360]: (root) CMD (/usr/local/rtm/bin/rtm 33 > /dev/null 2> /dev/null)
Aug 03 14:32:01 neptune.youds.com systemd[1]: Started Session c1658 of user root.
-- Subject: Unit session-c1658.scope has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit session-c1658.scope has finished starting up.
-- 
-- The start-up result is done.
Aug 03 14:32:01 neptune.youds.com systemd[1]: Starting Session c1658 of user root.
-- Subject: Unit session-c1658.scope has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit session-c1658.scope has begun starting up.
Aug 03 14:32:01 neptune.youds.com systemd[1]: Started Session c1659 of user root.
-- Subject: Unit session-c1659.scope has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit session-c1659.scope has finished starting up.
-- 
-- The start-up result is done.
Aug 03 14:32:01 neptune.youds.com systemd[1]: Starting Session c1659 of user root.
-- Subject: Unit session-c1659.scope has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit session-c1659.scope has begun starting up.
Aug 03 14:32:01 neptune.youds.com CROND[7406]: (root) CMD (/usr/local/rtm/bin/rtm 33 > /dev/null 2> /dev/null)
Aug 03 14:32:01 neptune.youds.com CROND[7407]: (root) CMD (/usr/local/directadmin/dataskq)
Aug 03 14:32:05 neptune.youds.com polkitd[1058]: Registered Authentication Agent for unix-process:7471:8600708 (system bus name :1.3471 [<unknown>], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Aug 03 14:32:05 neptune.youds.com systemd[1]: Starting SYSV: Fail2ban daemon...
-- Subject: Unit fail2ban.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit fail2ban.service has begun starting up.
Aug 03 14:32:05 neptune.youds.com fail2ban[7476]: Starting fail2ban: [FAILED]
Aug 03 14:32:05 neptune.youds.com systemd[1]: fail2ban.service: control process exited, code=exited status=255
Aug 03 14:32:05 neptune.youds.com systemd[1]: Failed to start SYSV: Fail2ban daemon.
-- Subject: Unit fail2ban.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit fail2ban.service has failed.
-- 
-- The result is failed.
Aug 03 14:32:05 neptune.youds.com systemd[1]: Unit fail2ban.service entered failed state.
Aug 03 14:32:05 neptune.youds.com systemd[1]: fail2ban.service failed.
Aug 03 14:32:05 neptune.youds.com polkitd[1058]: Unregistered Authentication Agent for unix-process:7471:8600708 (system bus name :1.3471, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected

Any help or advice is appreciated. Same setup, followed the same installation guide and so on.
 
Just to say, if I comment out all the jails in the .local file, everything starts as expected, without any jails obviously. See below.

Code:
[root@neptune ~]# tail -10 /var/log/fail2ban.log
2016-08-03 12:36:18,947 fail2ban.server : INFO   Exiting Fail2ban
2016-08-03 13:04:17,438 fail2ban.server : INFO   Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.7
2016-08-03 13:04:57,422 fail2ban.server : INFO   Stopping all jails
2016-08-03 13:04:57,422 fail2ban.server : INFO   Exiting Fail2ban
2016-08-03 13:06:46,703 fail2ban.server : INFO   Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.7
2016-08-03 13:09:48,010 fail2ban.server : INFO   Stopping all jails
2016-08-03 13:09:48,011 fail2ban.server : INFO   Exiting Fail2ban
2016-08-03 14:24:43,501 fail2ban.server : INFO   Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.7
2016-08-03 14:27:00,395 fail2ban.server : INFO   Stopping all jails
2016-08-03 14:27:00,395 fail2ban.server : INFO   Exiting Fail2ban
[root@neptune ~]# vi /etc/fail2ban/jail.local
[root@neptune ~]# service fail2ban start
Starting fail2ban (via systemctl):                         [  OK  ]
[root@neptune ~]# cat /etc/fail2ban/jail.local
[DEFAULT]
bantime = 43200
findtime = 3600
ignoreip = 127.0.0.1 $MYHOMEIP $MYWORKIP
#[sshd]
#enabled = true
#[sshd-ddos]
#enabled = true
#[pure-ftpd]
#enabled = true
#[dovecot]
#enabled = true
#[exim]
#enabled = true
#logpath = /var/log/exim/mainlog
#logencoding = auto
#[directadmin]
#enabled = true
[root@neptune ~]# service fail2ban status
Fail2ban (pid 12902) is running...
Status
|- Number of jail:	0
`- Jail list:		
[root@neptune ~]#
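A pre-flight check for a jail.local like the one in this thread, as an added example that is not from the thread or from fail2ban itself: it reads the file the way fail2ban's config reader does (INI sections, `enabled = true`), lists the enabled jails, and flags any whose filter has no matching filter.d entry on the host, which is the kind of mismatch that makes the service refuse to start with jails enabled but start fine with them commented out. The jail.local text and the filter set are constructed; the filter set assumes an 0.8.x-era filter.d (the neptune log reports v0.8.7, whose filter names differ from the 0.9 jail names used in the config), so populate AVAILABLE_FILTERS from the real /etc/fail2ban/filter.d before relying on the result.

```python
import configparser
import io

# Constructed copy of the jail.local posted in the thread ($MYHOMEIP and
# $MYWORKIP are the poster's own placeholders, left as they are).
JAIL_LOCAL = """\
[DEFAULT]
bantime = 43200
findtime = 3600
ignoreip = 127.0.0.1 $MYHOMEIP $MYWORKIP
[sshd]
enabled = true
[sshd-ddos]
enabled = true
[pure-ftpd]
enabled = true
[dovecot]
enabled = true
[exim]
enabled = true
logpath = /var/log/exim/mainlog
logencoding = auto
[directadmin]
enabled = true
"""

# Constructed filter.d inventory (assumption: an 0.8.x-style filter set, where
# the Pure-FTPd filter is pureftpd.conf and no directadmin filter ships at all).
# On a real host build this from: ls /etc/fail2ban/filter.d/*.conf
AVAILABLE_FILTERS = {"sshd", "sshd-ddos", "dovecot", "exim", "pureftpd"}


def enabled_jails(text):
    """Return {jail: filter} for every enabled jail in a jail.local body.
    fail2ban 0.9+ defaults a jail's filter to its own section name
    (jail.conf sets filter = %(__name__)s); 0.8.x needs an explicit filter =.
    Interpolation is off so %(...) and $VAR values are read literally."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_file(io.StringIO(text))
    return {jail: cp.get(jail, "filter", fallback=jail)
            for jail in cp.sections()
            if cp.getboolean(jail, "enabled", fallback=False)}


def missing_filters(text, available):
    """Enabled jails whose resolved filter has no filter.d/<name>.conf here;
    fail2ban-client cannot build such a jail and reports a configuration error."""
    return sorted(j for j, f in enabled_jails(text).items() if f not in available)
```

Run it against the live file with `open("/etc/fail2ban/jail.local").read()` once AVAILABLE_FILTERS reflects the host; an empty result from `missing_filters` but still "Number of jail: 0" in `service fail2ban status` means the jails are simply not enabled, not broken.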
 