
Unable to ban hosts in iptables (from apache-auth) #288

Closed
moneytoo opened this issue Jul 11, 2013 · 11 comments

Comments

@moneytoo

Even after fixing the issue with apache-auth detection (#286, thanks!), I'm still unable to make fail2ban add bans to iptables.

Since I'm on CentOS, I have to use iptables. I duplicated my issue on a clean CentOS 6.4 installation. iptables is started, with the basic config generated by system-config-firewall-tui.

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

Modification of jail.conf:

[apache-auth]

enabled  = true
filter   = apache-auth
action   = iptables[name=apache-auth, port="80,443"]
logpath  = /var/log/httpd/error_log
maxretry = 2

However, I see errors when fail2ban starts and tries to ban a host:

Jul 12 02:29:41 localhost fail2ban.server : INFO   Changed logging target to SYSLOG for Fail2ban v0.8.10
Jul 12 02:29:41 localhost fail2ban.jail   : INFO   Creating new jail 'ssh-iptables'
Jul 12 02:29:41 localhost fail2ban.jail   : INFO   Jail 'ssh-iptables' uses pyinotify
Jul 12 02:29:41 localhost ż<31>fail2ban.filter : DEBUG  Setting usedns = warn for FilterPyinotify(Jail('ssh-iptables'))
Jul 12 02:29:41 localhost ż<31>fail2ban.filter : DEBUG  Created FilterPyinotify(Jail('ssh-iptables'))
Jul 12 02:29:41 localhost ż<31>fail2ban.filter : DEBUG  Created FilterPyinotify
Jul 12 02:29:41 localhost fail2ban.jail   : INFO   Initiated 'pyinotify' backend
Jul 12 02:29:41 localhost ż<31>fail2ban.filter : DEBUG  Setting usedns = warn for FilterPyinotify(Jail('ssh-iptables'))
Jul 12 02:29:41 localhost ż<30>fail2ban.filter : INFO   Added logfile = /var/log/secure
Jul 12 02:29:41 localhost ż<31>fail2ban.filter : DEBUG  Added monitor for the parent directory /var/log
Jul 12 02:29:41 localhost ż<31>fail2ban.filter : DEBUG  Added file watcher for /var/log/secure
Jul 12 02:29:41 localhost ż<31>fail2ban.filter.datedetector: DEBUG  Sorting the template list
Jul 12 02:29:41 localhost ż<31>fail2ban.filter.datedetector: DEBUG  Winning template: MONTH Day Hour:Minute:Second with 0 hits
Jul 12 02:29:41 localhost ż<30>fail2ban.filter : INFO   Set maxRetry = 5
Jul 12 02:29:41 localhost ż<31>fail2ban.filter : DEBUG  Add 127.0.0.1/8 to ignore list
Jul 12 02:29:41 localhost ż<30>fail2ban.filter : INFO   Set findtime = 600
Jul 12 02:29:41 localhost fail2ban.actions: INFO   Set banTime = 600
Jul 12 02:29:41 localhost fail2ban.jail   : INFO   Creating new jail 'apache-auth'
Jul 12 02:29:41 localhost fail2ban.jail   : INFO   Jail 'apache-auth' uses pyinotify
Jul 12 02:29:41 localhost ż<31>fail2ban.filter : DEBUG  Setting usedns = warn for FilterPyinotify(Jail('apache-auth'))
Jul 12 02:29:41 localhost ż<31>fail2ban.filter : DEBUG  Created FilterPyinotify(Jail('apache-auth'))
Jul 12 02:29:41 localhost ż<31>fail2ban.filter : DEBUG  Created FilterPyinotify
Jul 12 02:29:41 localhost fail2ban.jail   : INFO   Initiated 'pyinotify' backend
Jul 12 02:29:41 localhost ż<31>fail2ban.filter : DEBUG  Setting usedns = warn for FilterPyinotify(Jail('apache-auth'))
Jul 12 02:29:41 localhost ż<30>fail2ban.filter : INFO   Added logfile = /var/log/httpd/error_log
Jul 12 02:29:41 localhost ż<31>fail2ban.filter : DEBUG  Added monitor for the parent directory /var/log/httpd
Jul 12 02:29:41 localhost ż<31>fail2ban.filter : DEBUG  Added file watcher for /var/log/httpd/error_log
Jul 12 02:29:41 localhost ż<31>fail2ban.filter.datedetector: DEBUG  Sorting the template list
Jul 12 02:29:41 localhost ż<31>fail2ban.filter.datedetector: DEBUG  Winning template: MONTH Day Hour:Minute:Second with 0 hits
Jul 12 02:29:41 localhost ż<30>fail2ban.filter : INFO   Set maxRetry = 2
Jul 12 02:29:41 localhost ż<31>fail2ban.filter : DEBUG  Add 127.0.0.1/8 to ignore list
Jul 12 02:29:41 localhost ż<30>fail2ban.filter : INFO   Set findtime = 600
Jul 12 02:29:41 localhost fail2ban.actions: INFO   Set banTime = 600
Jul 12 02:29:41 localhost fail2ban.jail   : INFO   Jail 'ssh-iptables' started
Jul 12 02:29:41 localhost ż<31>fail2ban.filter : DEBUG  pyinotifier started for ssh-iptables.
Jul 12 02:29:41 localhost fail2ban.jail   : INFO   Jail 'apache-auth' started
Jul 12 02:29:41 localhost ż<31>fail2ban.filter : DEBUG  pyinotifier started for apache-auth.
Jul 12 02:29:41 localhost fail2ban.actions.action: ERROR  iptables -N fail2ban-apache-auth#012iptables -A fail2ban-apache-auth -j RETURN#012iptables -I INPUT -p tcp --dport 80,443 -j fail2ban-apache-auth returned 200
Jul 12 02:29:49 localhost dhclient[1027]: DHCPREQUEST on eth0 to 192.168.131.254 port 67 (xid=0x291f30e0)
Jul 12 02:29:49 localhost dhclient[1027]: DHCPACK from 192.168.131.254 (xid=0x291f30e0)
Jul 12 02:29:51 localhost dhclient[1027]: bound to 192.168.131.157 -- renewal in 809 seconds.
Jul 12 02:30:20 localhost ż<31>fail2ban.filter : DEBUG  Default Callback for Event: <Event dir=False mask=0x2 maskname=IN_MODIFY name='' path=/var/log/httpd/error_log pathname=/var/log/httpd/error_log wd=2 >
Jul 12 02:30:20 localhost ż<31>fail2ban.filter.datedetector: DEBUG  Matched time template MONTH Day Hour:Minute:Second
...
Jul 12 02:30:20 localhost ż<31>fail2ban.filter.datedetector: DEBUG  Matched time template MONTH Day Hour:Minute:Second
Jul 12 02:30:20 localhost ż<31>fail2ban.filter.datedetector: DEBUG  Got time using template MONTH Day Hour:Minute:Second
Jul 12 02:30:20 localhost ż<31>fail2ban.filter : DEBUG  Processing line with time:1373589020.0 and ip:192.168.131.1
Jul 12 02:30:20 localhost ż<31>fail2ban.filter : DEBUG  Found 192.168.131.1
Jul 12 02:30:20 localhost ż<31>fail2ban.filter : DEBUG  Total # of detected failures: 1. Current failures from 1 IPs (IP:count): 192.168.131.1:1
Jul 12 02:30:20 localhost ż<31>fail2ban.filter.datedetector: DEBUG  Sorting the template list
Jul 12 02:30:20 localhost ż<31>fail2ban.filter.datedetector: DEBUG  Winning template: MONTH Day Hour:Minute:Second with 21 hits
Jul 12 02:30:25 localhost ż<31>fail2ban.filter : DEBUG  Default Callback for Event: <Event dir=False mask=0x2 maskname=IN_MODIFY name='' path=/var/log/httpd/error_log pathname=/var/log/httpd/error_log wd=2 >
Jul 12 02:30:25 localhost ż<31>fail2ban.filter.datedetector: DEBUG  Matched time template MONTH Day Hour:Minute:Second
Jul 12 02:30:25 localhost ż<31>fail2ban.filter.datedetector: DEBUG  Got time using template MONTH Day Hour:Minute:Second
Jul 12 02:30:25 localhost ż<31>fail2ban.filter : DEBUG  Processing line with time:1373589025.0 and ip:192.168.131.1
Jul 12 02:30:25 localhost ż<31>fail2ban.filter : DEBUG  Found 192.168.131.1
Jul 12 02:30:25 localhost ż<31>fail2ban.filter : DEBUG  Total # of detected failures: 2. Current failures from 1 IPs (IP:count): 192.168.131.1:2
Jul 12 02:30:25 localhost ż<31>fail2ban.filter.datedetector: DEBUG  Sorting the template list
Jul 12 02:30:25 localhost ż<31>fail2ban.filter.datedetector: DEBUG  Winning template: MONTH Day Hour:Minute:Second with 23 hits
Jul 12 02:30:25 localhost fail2ban.actions: WARNING [apache-auth] Ban 192.168.131.1
Jul 12 02:30:25 localhost fail2ban.actions.action: ERROR  iptables -n -L INPUT | grep -q 'fail2ban-apache-auth[ \t]' returned 100
Jul 12 02:30:25 localhost fail2ban.actions.action: ERROR  Invariant check failed. Trying to restore a sane environment
Jul 12 02:30:26 localhost fail2ban.actions.action: ERROR  iptables -N fail2ban-apache-auth#012iptables -A fail2ban-apache-auth -j RETURN#012iptables -I INPUT -p tcp --dport 80,443 -j fail2ban-apache-auth returned 200
Jul 12 02:30:26 localhost fail2ban.actions.action: ERROR  iptables -n -L INPUT | grep -q 'fail2ban-apache-auth[ \t]' returned 100
Jul 12 02:30:26 localhost fail2ban.actions.action: CRITICAL Unable to restore environment
Jul 12 02:30:41 localhost ż<31>fail2ban.filter : DEBUG  Default Callback for Event: <Event dir=False mask=0x2 maskname=IN_MODIFY name='' path=/var/log/secure pathname=/var/log/secure wd=2 >

I also tried fail2ban on Ubuntu from their repo. They have jail.conf preconfigured a bit and it works just fine. I'm really not sure what could be wrong with my setup because fail2ban setup seems clear (I hope).

@grooverdan (Contributor)

Can you do the following and, if so, what's its output?

iptables -n -L INPUT | grep -q 'fail2ban-apache-auth[ \t]'

Can you also use strace (package by the same name): strace -fe trace=process -o /tmp/strace.txt -p {pid_of_fail2ban}, and attach a link to a pastebin of it.

@moneytoo (Author)

Grep on iptables doesn't print anything.

I had to start strace in a different way to create a useful log: strace -fe trace=process -o/tmp/strace.txt /etc/init.d/fail2ban start, see http://pastebin.com/GcQedVn7

@yarikoptic (Member)

On Thu, 11 Jul 2013, Marcel Dopita wrote:

Jul 12 02:29:41 localhost fail2ban.actions.action: ERROR iptables -N fail2ban-apache-auth#012iptables -A fail2ban-apache-auth -j RETURN#012iptables -I INPUT -p tcp --dport 80,443 -j fail2ban-apache-auth returned 200

yikes -- what is #12 here? on Debian systems it just uses '\n' as coded in the action:

2013-06-19 22:15:17,439 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'actionstop', 'iptables-multiport', 'iptables -D -p -m multiport --dports -j fail2ban-\niptables -F fail2ban-\niptables -X fail2ban-']
2013-06-19 22:15:17,439 fail2ban.actions.action: DEBUG Set actionStop = iptables -D -p -m multiport --dports -j fail2ban-
iptables -F fail2ban-
iptables -X fail2ban-

I wonder if this is just a logging module customization on centos to replace all new lines with #12 (which would be in 0C in hex, i.e. form feed -- makes no sense). Adjusting action file placing all commands in 1 line separated with ';' would be the first thing I have tried.

Jul 12 02:30:20 localhost ż<31>fail2ban.filter : DEBUG Default Callback for Event:

z<31> -- what is that about?

I also tried fail2ban on Ubuntu from their repo. They have jail.conf
preconfigured a bit and it works just fine. I'm really not sure what could
be wrong with my setup because fail2ban setup seems clear (I hope).

do you mean that ubuntu's jail.conf (alone) was good enough, or the entire package/software?

Yaroslav O. Halchenko, Ph.D.
http://neuro.debian.net http://www.pymvpa.org http://www.fail2ban.org
Senior Research Associate, Psychological and Brain Sciences Dept.
Dartmouth College, 419 Moore Hall, Hinman Box 6207, Hanover, NH 03755
Phone: +1 (603) 646-9834 Fax: +1 (603) 646-1419
WWW: http://www.linkedin.com/in/yarik

@yarikoptic (Member)

ah -- right -- the problem with troubleshooting is that stdout/err is swallowed ... it should be logged in 0.9... for the current version you can

  1. open terminal and start server manually keeping it in foreground

    fail2ban-server -f

  2. open another terminal and load the beast

    fail2ban-client reload

or smth like that and then see what appears in the server terminal


@moneytoo (Author)

This is what I get from fail2ban-server:

...
fail2ban.filter : DEBUG  pyinotifier started for apache-auth.
iptables v1.4.7: invalid port/service `http,https' specified
Try `iptables -h' or 'iptables --help' for more information.
...
fail2ban.filter.datedetector: DEBUG  Winning template: MONTH Day Hour:Minute:Second with 56 hits
iptables v1.4.7: invalid port/service `http,https' specified
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.7: invalid port/service `http,https' specified
Try `iptables -h' or 'iptables --help' for more information.
fail2ban.filter : DEBUG  Default Callback for Event: <Event dir=False mask=0x2 maskname=IN_MODIFY name='' path=/var/log/httpd/error_log pathname=/var/log/httpd/error_log wd=2 >
...

Previously I only tried fail2ban on Ubuntu, but applying the following basic config seems to work on my CentOS machine as well:

[DEFAULT]

ignoreip = 127.0.0.1/8
bantime  = 600
maxretry = 3
backend = auto
usedns = warn
destemail = root@localhost
banaction = iptables-multiport
mta = sendmail
protocol = tcp
chain = INPUT
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
              %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
               %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
action = %(action_)s

[apache]

enabled  = true
port     = http,https
filter   = apache-auth
logpath  = /var/log/httpd/error_log
maxretry = 2

It doesn't matter if I use "http,https" or "80,443".

@kwirk (Contributor) commented Jul 12, 2013

@moneytoo Your jail specifies action = iptables[name=apache-auth, port="80,443"], but you are using multiple ports, therefore it should read action = iptables-multiport[name=apache-auth, port="80,443"]

@moneytoo (Author)

@kwirk So does this mean that actions such as action = iptables[name=RoundCube, port="http,https"] from current jail.conf are not functional?

@kwirk (Contributor) commented Jul 12, 2013

@moneytoo Ah, yes. Good catch. I've fixed that with 606e976
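The mismatch kwirk points out above, and the stock jail.conf sample (iptables[name=RoundCube, port="http,https"]) that moneytoo asked about, come down to one rule: the plain iptables action hands the jail's port straight to --dport, which accepts a single port or range, while iptables-multiport uses -m multiport --dports, which accepts a comma-separated list. The lint below is an added example written for this issue, not fail2ban's own code. It parses jail.conf-style action lines, expands them into the iptables commands fail2ban would run, and reports whether iptables would accept the port syntax. The actionstart and actioncheck templates are reconstructed from the commands visible in the log above (assumption: they match fail2ban 0.8's action.d files); the service-name table and the 15-entry multiport limit are constructed assumptions, not a lookup of /etc/services.

```python
"""Lint fail2ban 0.8-style jail actions for the --dport / --dports mismatch.

Added example for this issue, not fail2ban's own code.  Templates are
reconstructed from the commands in the log (assumption: they match the
0.8 action.d files); port-syntax rules follow what iptables' --dport and
-m multiport --dports accept, including the 15-entry multiport limit.
"""
import re

# Constructed subset of /etc/services names; real iptables resolves names
# via getservbyname(), this lint just uses a small table (assumption).
KNOWN_SERVICES = {"ssh", "http", "https", "smtp", "imap", "imaps", "pop3", "pop3s"}
MULTIPORT_MAX = 15  # xt_multiport entry limit (assumption from kernel headers)

ACTIONSTART = {
    "iptables": (
        "iptables -N fail2ban-{name}\n"
        "iptables -A fail2ban-{name} -j RETURN\n"
        "iptables -I {chain} -p {protocol} --dport {port} -j fail2ban-{name}"
    ),
    "iptables-multiport": (
        "iptables -N fail2ban-{name}\n"
        "iptables -A fail2ban-{name} -j RETURN\n"
        "iptables -I {chain} -p {protocol} -m multiport --dports {port}"
        " -j fail2ban-{name}"
    ),
}
# The "invariant check" that keeps failing in the log once actionstart failed.
ACTIONCHECK = "iptables -n -L {chain} | grep -q 'fail2ban-{name}[ \\t]'"

ACTION_RE = re.compile(r"^\s*([\w.-]+)\s*(?:\[(.*)\])?\s*$")
PARAM_RE = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|([^,\]]*))')


def parse_action(spec):
    """'iptables[name=apache-auth, port="80,443"]' -> ('iptables', {...})."""
    m = ACTION_RE.match(spec)
    if not m:
        raise ValueError("unparseable action spec: %r" % spec)
    params = {}
    for key, quoted, bare in PARAM_RE.findall(m.group(2) or ""):
        params[key] = quoted if quoted else bare.strip()
    return m.group(1), params


def _port_or_service(token):
    return (token.isdigit() and 0 <= int(token) <= 65535) or token in KNOWN_SERVICES


def _port_spec(token):
    """One --dport/--dports entry: a port, a service name, or a lo:hi range."""
    if ":" in token:
        lo, hi = token.split(":", 1)
        return all(_port_or_service(t) for t in (lo, hi) if t)
    return _port_or_service(token)


def port_problem(action, port):
    """None if `port` is acceptable to `action`, else a human-readable reason."""
    entries = port.split(",")
    if action == "iptables":
        if len(entries) > 1:
            return ("--dport takes a single port or range, %r has %d entries; "
                    "use iptables-multiport" % (port, len(entries)))
        return None if _port_spec(port) else "invalid port/service %r" % port
    if action == "iptables-multiport":
        if len(entries) > MULTIPORT_MAX:
            return "multiport accepts at most %d entries, got %d" % (MULTIPORT_MAX, len(entries))
        bad = [e for e in entries if not _port_spec(e)]
        return "invalid port/service %r" % ",".join(bad) if bad else None
    return None  # other actions do not take iptables port syntax


def render(template, spec, protocol="tcp", chain="INPUT"):
    """Expand an action template with the jail's parameters, as fail2ban does."""
    action, params = parse_action(spec)
    params = dict({"protocol": protocol, "chain": chain, "port": "ssh"}, **params)
    return template.format(**params)


def render_actionstart(spec, **kw):
    return render(ACTIONSTART[parse_action(spec)[0]], spec, **kw)


def render_actioncheck(spec, **kw):
    return render(ACTIONCHECK, spec, **kw)


def lint_jail_action(spec):
    """(ok, message): would iptables accept the port this action line carries?"""
    action, params = parse_action(spec)
    problem = port_problem(action, params.get("port", "ssh"))
    return (False, "%s: %s" % (spec, problem)) if problem else (True, "%s: ok" % spec)


if __name__ == "__main__":
    for line in (
        'iptables[name=apache-auth, port="80,443"]',            # the reporter's jail
        'iptables[name=RoundCube, port="http,https"]',          # stock jail.conf sample
        'iptables-multiport[name=apache-auth, port="80,443"]',  # the suggested fix
    ):
        ok, msg = lint_jail_action(line)
        print("OK  " if ok else "FAIL", msg)
        if not ok:
            print("    would run:", render_actionstart(line).splitlines()[-1])
```

Run as a script, the first two lines are reported as failures and the rendered command shows the exact `--dport 80,443` form from the log; the multiport line passes and renders `-m multiport --dports 80,443`. The same check is worth running over any locally edited jail before restarting fail2ban, since in 0.8 the failure is otherwise only visible as the "Invariant check failed" sequence in the log.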

@kwirk (Contributor) commented Jul 12, 2013

@moneytoo Hopefully all is working now? If so, please go ahead and close the issue. Thanks 😄

@moneytoo (Author)

I confirm it fixes my issues. I thought about this but I just couldn't believe that some sample jails are not functional. Such a handy piece of software has to be used by many admins... Thanks

@yarikoptic (Member)

Well -- there are two sides of the coin

1. on Debian systems an alternative jail.conf is used (as you discovered working on ubuntu)

<rant>
2. many people prefer to fix things and proudly blog/twitter/etc
about it instead of reporting issues upstream
</rant>

On Fri, 12 Jul 2013, Marcel Dopita wrote:

I confirm it fixes my issues. I thought about this but I just couldn't believe that some sample jails are not functional. Such a handy piece of software has to be used by many admins... Thanks

