|
|
| (One intermediate revision by the same user not shown) |
| Line 10: |
Line 10: |
| sudo nano /var/log/fail2ban.log | | sudo nano /var/log/fail2ban.log |
|
| |
|
| ==trying to resolve errors:== | | ==Configuration== |
| | | [sshd] |
| <poem>
| | # To use more aggressive sshd modes set filter parameter "mode" in jail.local: |
| 018-03-14 19:45:55,363 fail2ban.action [571]: ERROR iptables -w -D INPUT -p tcp -j f2b-recidive
| | # normal (default), ddos, extra or aggressive (combines all). |
| iptables -w -F f2b-recidive
| | # See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details. |
| iptables -w -X f2b-recidive -- stdout: b''
| | #mode = normal |
| 2018-03-14 19:45:55,364 fail2ban.action [571]: ERROR iptables -w -D INPUT -p tcp -j f2b-recidive
| | enabled = true |
| iptables -w -F f2b-recidive
| | port = ssh |
| iptables -w -X f2b-recidive -- stderr: b'iptables: Too many links.\n'
| | # initial ban time: |
| 2018-03-14 19:45:55,365 fail2ban.action [571]: ERROR iptables -w -D INPUT -p tcp -j f2b-recidive
| | bantime = 1h |
| iptables -w -F f2b-recidive
| | # incremental banning: |
| iptables -w -X f2b-recidive -- returned 1
| | bantime.increment = true |
| 2018-03-14 19:45:55,366 fail2ban.actions [571]: ERROR Failed to stop jail 'recidive' action 'iptables-allports': Error stopping action
| | # default factor (causes increment - 1h -> 1d 2d 4d 8d 16d 32d ...): |
| 2018-03-14 19:45:55,367 fail2ban.jail [571]: INFO Jail 'recidive' stopped
| | bantime.factor = 24 |
| 2018-03-14 19:45:56,450 fail2ban.action [571]: ERROR iptables -w -D INPUT -p tcp -m multiport --dports 2222 -j f2b-sshd
| | # max banning time = 5 week: |
| iptables -w -F f2b-sshd
| | bantime.maxtime = 5w |
| iptables -w -X f2b-sshd -- stdout: b''
| | logpath = %(sshd_log)s |
| 2018-03-14 19:45:56,451 fail2ban.action [571]: ERROR iptables -w -D INPUT -p tcp -m multiport --dports 2222 -j f2b-sshd
| | backend = %(sshd_backend)s |
| iptables -w -F f2b-sshd
| |
| iptables -w -X f2b-sshd -- stderr: b'iptables: Too many links.\n'
| |
| 2018-03-14 19:45:56,452 fail2ban.action [571]: ERROR iptables -w -D INPUT -p tcp -m multiport --dports 2222 -j f2b-sshd
| |
| iptables -w -F f2b-sshd
| |
| iptables -w -X f2b-sshd -- returned 1
| |
| 2018-03-14 19:45:56,453 fail2ban.actions [571]: ERROR Failed to stop jail 'sshd' action 'iptables-multiport': Error stopping action
| |
| 2018-03-14 19:45:56,454 fail2ban.jail [571]: INFO Jail 'sshd' stopped
| |
| 2018-03-14 19:45:57,452 fail2ban.jail [571]: INFO Jail 'sshd-ddos' stopped
| |
| 2018-03-14 19:45:57,457 fail2ban.server [571]: INFO Exiting Fail2ban
| |
| 2018-03-14 19:46:16,950 fail2ban.server [588]: INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.9.6
| |
| 2018-03-14 19:46:16,972 fail2ban.database [588]: INFO Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
| |
| 2018-03-14 19:46:16,992 fail2ban.jail [588]: INFO Creating new jail 'sshd'
| |
| 2018-03-14 19:46:17,099 fail2ban.jail [588]: INFO Jail 'sshd' uses pyinotify {}
| |
| 2018-03-14 19:46:17,200 fail2ban.jail [588]: INFO Initiated 'pyinotify' backend
| |
| 2018-03-14 19:46:17,203 fail2ban.filter [588]: INFO Set jail log file encoding to UTF-8
| |
| </poem>
| |
| | |
| steps taken:
| |
| sudo apt install python-pyinotify | |
| | |
| sudo nano /etc/fail2ban/jail.local
| |
| | |
| changed: <code>backend = auto</code>
| |
| to: <code>backend = pyinotify</code>
| |
| | |
| then: sudo systemctl restart fail2ban
| |
| | |
| I notice restarting f2b re-created the errors in the logs. It seems that the problem is with deleting the iptables rules (banned ips from recdrive)...it gets the 'too many links' error when it tries.
| |
| | |
| I think this is a pretty minor problem but it would be nice to fix. note the the attempt to fix above did nothing.
| |
| | |
| UPDATE 9/2/18
| |
| I figured out that ignorecommand (jail.local) was causing problems..temporarily commented the line out entirely will have to figure something out with thing in the future to whitelist local ip's
| |
| | |
| | |
| | |
| | |
|
| |
|
| ==unban== | | ==unban== |
| Line 71: |
Line 34: |
| The hard part is finding the right jail: | | The hard part is finding the right jail: |
|
| |
|
| Use iptables -L -n to find the rule name...
| | Use iptables -L -n to find the rule name... |
| ...then use fail2ban-client status to get the actual jail names. The rule name and jail name may not be the same but it should be clear which one is related to which.
| | ...then use fail2ban-client status to get the actual jail names. The rule name and jail name may not be the same but it should be clear which one is related to which. |
sudo cp /etc/fail2ban/fail2ban.conf /etc/fail2ban/fail2ban.local
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
to edit config edit the jail.local file!!!
sudo nano /etc/fail2ban/jail.local
Log Files
sudo nano /var/log/fail2ban.log
Configuration
[sshd]
# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
#mode = normal
enabled = true
port = ssh
# initial ban time:
bantime = 1h
# incremental banning:
bantime.increment = true
# default factor (causes increment - 1h -> 1d 2d 4d 8d 16d 32d ...):
bantime.factor = 24
# max banning time = 5 week:
bantime.maxtime = 5w
logpath = %(sshd_log)s
backend = %(sshd_backend)s
unban
fail2ban-client set YOURJAILNAMEHERE unbanip IPADDRESSHERE
The hard part is finding the right jail:
Use iptables -L -n to find the rule name...
...then use fail2ban-client status to get the actual jail names. The rule name and jail name may not be the same but it should be clear which one is related to which.
