
[SOLVED] Is there someone who succeeded with Fail2ban?

Posted: 2011/07/24 19:36:20
by sblantipodi
As title...

I always used fail2ban without problems with CentOS 5.6 or earlier, but now with CentOS 6
I'm not able to make fail2ban work well.

Rules are written ok, logs are ok, but fail2ban doesn't ban anyone...

Re: Is there someone who succeeded with Fail2ban?

Posted: 2011/08/02 17:11:56
by keithwright
I succeeded in getting fail2ban working. I did have to make one change to the /etc/fail2ban/jail.conf file.
By default, only [ssh-iptables] is enabled, but it wasn't working. When I looked at the result of running

iptables -L

I noticed that the chain fail2ban-SSH had zero references to it. On a hunch, I added

bantime = 1800

to the [ssh-iptables] section and restarted fail2ban (service fail2ban restart).
Now, iptables -L showed a rule in the INPUT chain which referenced the fail2ban-SSH chain.

I logged into a remote machine, and purposely failed to authenticate, and fail2ban added a DROP rule for that IP to the fail2ban-SSH chain.
I even changed the bantime, so it was 60, and tested it again. For a minute, the rule was added banning the IP, and then it was cleared.
So, it appears to be working, at least for ssh.

Re: Is there someone who succeeded with Fail2ban?

Posted: 2011/08/05 01:02:00
by grifs71
Did you install this with yum install or do you have to install it from an rpm approach?

thanks

[SOLVED] Is there someone who succeeded with Fail2ban?

Posted: 2011/08/05 10:55:49
by pschaff
Not sure what Keith or the OP did, but fail2ban is yummable (to coin a word) from multiple repos:
[code]
yum --noplugins --showduplicates --enablerepo \* --disablerepo \*-source --disablerepo \*-debug\* list fail2ban
...
fail2ban.noarch 0.8.2-3.el6.rf rpmforge
fail2ban.noarch 0.8.4-24.el6 epel
fail2ban.noarch 0.8.4-27.el6 atrpms
[/code]

Re: Is there someone who succeeded with Fail2ban?

Posted: 2011/08/05 10:57:06
by sblantipodi
I solved the problem with fail2ban; there was a date problem.

I solved it by editing:
/etc/fail2ban/filter.d/common.conf

and replacing
__prefix_line = \s*(?:\S+ )?(?:@vserver_\S+ )?%(__daemon_combs_re)s?\s*

with this:
__prefix_line = .*?
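
The effect of the `__prefix_line` change described in the post above can be reproduced with Python's `re` module, the regex engine fail2ban itself uses. This is an added example, not part of the original posts or of fail2ban's code; the daemon and host sub-patterns, the message regex and the log lines are simplified, constructed stand-ins, and "timestamp left in front of the line" is an assumed form of the date problem.

```python
import re

# Stand-ins (assumptions): fail2ban expands these from other variables in
# common.conf and from the jail's filter; they are simplified here.
DAEMON = r"(?:sshd(?:\[\d+\])?:)"             # for %(__daemon_combs_re)s
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"   # for <HOST>
MESSAGE = (r"Failed password for .* from " + HOST
           + r"(?: port \d+)?(?: ssh\d*)?$")

# The two __prefix_line values quoted in the post above.
STRICT_PREFIX = r"\s*(?:\S+ )?(?:@vserver_\S+ )?" + DAEMON + r"?\s*"
LOOSE_PREFIX = r".*?"

STRICT = re.compile("^" + STRICT_PREFIX + MESSAGE)
LOOSE = re.compile("^" + LOOSE_PREFIX + MESSAGE)

# Constructed log lines (documentation-range addresses).
SAMPLES = {
    # Timestamp already removed: only "host daemon[pid]:" precedes the message.
    "date_removed": "myhost sshd[1234]: Failed password for root "
                    "from 192.0.2.10 port 4242 ssh2",
    # Timestamp still present in front of the host name.
    "date_left_in": "Aug  5 10:57:06 myhost sshd[1234]: Failed password "
                    "for root from 192.0.2.10 port 4242 ssh2",
    # Same message text, but logged under a different daemon tag.
    "other_daemon": "myhost otherd[77]: note: Failed password for x "
                    "from 198.51.100.7",
}


def banned_host(regex, line):
    """Return the address the regex would report for this line, or None."""
    match = regex.search(line)
    return match.group("host") if match else None


def compare():
    """Map each sample name to (strict result, loose result)."""
    return {name: (banned_host(STRICT, line), banned_host(LOOSE, line))
            for name, line in SAMPLES.items()}


if __name__ == "__main__":
    for name, (strict, loose) in compare().items():
        print(f"{name:13} strict={strict!s:12} loose={loose}")
```

The third sample shows the trade-off of the looser prefix: the match is no longer tied to the sshd tag, so the same message text under any daemon name is counted as a failure.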

Re: [SOLVED] Is there someone who succeeded with Fail2ban?

Posted: 2011/08/05 10:58:45
by pschaff
Thanks for reporting back. Marking this thread [SOLVED] for posterity.

P.S. It would be good to say which source you used for fail2ban.