Package: fail2ban
Version: 0.8.4-3+squeeze1

fail2ban fails to detect the second log rotation for the ssh jail. Another
custom ssh-root jail which looks at the same logfile is instead handled
properly. I suspect an interaction between the two jails, which both look at
/var/log/auth.log.

My configuration only has custom jail.local and sshd-root.conf files
(attached below). All else is pristine, out of the latest package in squeeze.

Worthy of noting:
- every jail detects the log rotation twice, once when the log is actually
  rotated, and once when the first line is written to it.
- the ssh jail only detects the first log rotation
- the ssh-root jail continues to work without problems
- fail2ban keeps the pre-rotation file (/var/log/auth.log.1) open
/etc/fail2ban/jail.local:

[DEFAULT]
findtime = 21600
bantime = 43200
banaction = shorewall

[ssh]
enabled = true
maxretry = 5

[ssh-root]
enabled = true
maxretry = 1
findtime = 3600
bantime = 86400
port = all
filter = sshd-root
logpath = /var/log/auth.log
/etc/fail2ban/sshd-root.conf:

[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]
_daemon = sshd

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
#         host must be matched by a group named "host". The tag "<HOST>" can
#         be used for standard IP/hostname matching and is only an alias for
#         (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = ^%(__prefix_line)sFailed password for root from <HOST>(?: port \d*)?(?: ssh\d*)?$
            ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
            ^%(__prefix_line)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=root)?\s*$

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
/var/log/fail2ban.log.1:

2012-12-14 22:09:59,323 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.4-SVN
2012-12-14 22:09:59,324 fail2ban.jail : INFO Creating new jail 'ssh-root'
2012-12-14 22:09:59,324 fail2ban.jail : INFO Jail 'ssh-root' uses poller
2012-12-14 22:09:59,343 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2012-12-14 22:09:59,344 fail2ban.filter : INFO Set maxRetry = 1
2012-12-14 22:09:59,345 fail2ban.filter : INFO Set findtime = 3600
2012-12-14 22:09:59,346 fail2ban.actions: INFO Set banTime = 86400
2012-12-14 22:09:59,376 fail2ban.jail : INFO Creating new jail 'ssh'
2012-12-14 22:09:59,376 fail2ban.jail : INFO Jail 'ssh' uses poller
2012-12-14 22:09:59,377 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2012-12-14 22:09:59,378 fail2ban.filter : INFO Set maxRetry = 5
2012-12-14 22:09:59,379 fail2ban.filter : INFO Set findtime = 21600
2012-12-14 22:09:59,380 fail2ban.actions: INFO Set banTime = 43200
2012-12-14 22:09:59,497 fail2ban.jail : INFO Jail 'ssh-root' started
2012-12-14 22:09:59,502 fail2ban.jail : INFO Jail 'ssh' started
2012-12-15 06:25:09,903 fail2ban.filter : INFO Log rotation detected for /var/log/auth.log
2012-12-15 06:25:09,905 fail2ban.filter : INFO Log rotation detected for /var/log/auth.log
2012-12-15 06:39:02,069 fail2ban.filter : INFO Log rotation detected for /var/log/auth.log
2012-12-15 06:39:02,069 fail2ban.filter : INFO Log rotation detected for /var/log/auth.log
2012-12-15 06:52:56,023 fail2ban.actions: WARNING [ssh-root] Ban 203.125.96.195

/var/log/fail2ban.log:

2012-12-16 06:25:11,853 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.4-SVN
2012-12-16 06:25:12,865 fail2ban.filter : INFO Log rotation detected for /var/log/auth.log
2012-12-16 06:39:01,992 fail2ban.filter : INFO Log rotation detected for /var/log/auth.log
2012-12-16 06:52:56,800 fail2ban.actions: WARNING [ssh-root] Unban 203.125.96.195
2012-12-16 12:34:30,162 fail2ban.actions: WARNING [ssh-root] Ban 117.21.208.26
2012-12-16 14:33:49,832 fail2ban.actions: WARNING [ssh-root] Ban 203.125.96.195
/var/log/auth.log.1:

Dec 15 06:39:01 einstein CRON[13327]: pam_unix(cron:session): session opened for user root by (uid=0)
Dec 15 06:39:02 einstein CRON[13327]: pam_unix(cron:session): session closed for user root
Dec 15 06:52:52 einstein sshd[13344]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.125.96.195 user=root
Dec 15 06:52:54 einstein sshd[13344]: Failed password for root from 203.125.96.195 port 55884 ssh2
.
.
.
Dec 16 06:25:01 einstein CRON[6795]: pam_unix(cron:session): session opened for user root by (uid=0)

/var/log/auth.log:

Dec 16 06:39:01 einstein CRON[7146]: pam_unix(cron:session): session opened for user root by (uid=0)
Dec 16 06:39:01 einstein CRON[7146]: pam_unix(cron:session): session closed for user root
Dec 16 06:47:01 einstein CRON[7156]: pam_unix(cron:session): session opened for user root by (uid=0)
Dec 16 06:47:10 einstein CRON[7156]: pam_unix(cron:session): session closed for user root
Dec 16 06:56:49 einstein CRON[6795]: pam_unix(cron:session): session closed for user root
.
.
.
Dec 16 08:42:44 einstein sshd[9213]: Invalid user Admin from 203.125.96.195
Dec 16 08:42:44 einstein sshd[9213]: pam_unix(sshd:auth): check pass; user unknown
Dec 16 08:42:44 einstein sshd[9213]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.125.96.195
Dec 16 08:42:46 einstein sshd[9213]: Failed password for invalid user Admin from 203.125.96.195 port 57022 ssh2
Dec 16 08:42:49 einstein sshd[9215]: Invalid user admin from 203.125.96.195
Dec 16 08:42:49 einstein sshd[9215]: pam_unix(sshd:auth): check pass; user unknown
Dec 16 08:42:49 einstein sshd[9215]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.125.96.195
Dec 16 08:42:52 einstein sshd[9215]: Failed password for invalid user admin from 203.125.96.195 port 57232 ssh2
Dec 16 08:42:55 einstein sshd[9217]: Invalid user Admin from 203.125.96.195
Dec 16 08:42:55 einstein sshd[9217]: pam_unix(sshd:auth): check pass; user unknown
Dec 16 08:42:55 einstein sshd[9217]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.125.96.195
Dec 16 08:42:57 einstein sshd[9217]: Failed password for invalid user Admin from 203.125.96.195 port 57417 ssh2
Dec 16 08:43:00 einstein sshd[9219]: Invalid user admin from 203.125.96.195
Dec 16 08:43:00 einstein sshd[9219]: pam_unix(sshd:auth): check pass; user unknown
Dec 16 08:43:00 einstein sshd[9219]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.125.96.195
Dec 16 08:43:02 einstein sshd[9219]: Failed password for invalid user admin from 203.125.96.195 port 57610 ssh2
Dec 16 08:43:05 einstein sshd[9221]: Invalid user admin from 203.125.96.195
Dec 16 08:43:05 einstein sshd[9221]: pam_unix(sshd:auth): check pass; user unknown
Dec 16 08:43:05 einstein sshd[9221]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.125.96.195
Dec 16 08:43:07 einstein sshd[9221]: Failed password for invalid user admin from 203.125.96.195 port 57777 ssh2
.
.
.
Dec 16 12:34:17 einstein sshd[13310]: Invalid user system from 117.21.208.26
Dec 16 12:34:17 einstein sshd[13310]: pam_unix(sshd:auth): check pass; user unknown
Dec 16 12:34:17 einstein sshd[13310]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=117.21.208.26
Dec 16 12:34:19 einstein sshd[13310]: Failed password for invalid user system from 117.21.208.26 port 39146 ssh2
Dec 16 12:34:27 einstein sshd[13315]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=117.21.208.26 user=root
Dec 16 12:34:29 einstein sshd[13315]: Failed password for root from 117.21.208.26 port 41113 ssh2
.
.
.
Dec 16 14:33:36 einstein sshd[15628]: Invalid user user1 from 203.125.96.195
Dec 16 14:33:36 einstein sshd[15628]: pam_unix(sshd:auth): check pass; user unknown
Dec 16 14:33:36 einstein sshd[15628]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.125.96.195
Dec 16 14:33:38 einstein sshd[15628]: Failed password for invalid user user1 from 203.125.96.195 port 55181 ssh2
Dec 16 14:33:41 einstein sshd[15630]: Invalid user user2 from 203.125.96.195
Dec 16 14:33:41 einstein sshd[15630]: pam_unix(sshd:auth): check pass; user unknown
Dec 16 14:33:41 einstein sshd[15630]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.125.96.195
Dec 16 14:33:43 einstein sshd[15630]: Failed password for invalid user user2 from 203.125.96.195 port 55359 ssh2
Dec 16 14:33:46 einstein sshd[15632]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.125.96.195 user=root
Dec 16 14:33:48 einstein sshd[15632]: Failed password for root from 203.125.96.195 port 55548 ssh2
fail2ban-client status

Status
|- Number of jail: 2
`- Jail list: ssh, ssh-root

fail2ban-client status ssh

Status for the jail: ssh
|- filter
|  |- File list: /var/log/auth.log
|  |- Currently failed: 0
|  `- Total failed: 0
`- action
   |- Currently banned: 0
   |  `- IP list:
   `- Total banned: 0

fail2ban-client status ssh-root

Status for the jail: ssh-root
|- filter
|  |- File list: /var/log/auth.log
|  |- Currently failed: 0
|  `- Total failed: 3
`- action
   |- Currently banned: 2
   |  `- IP list: 117.21.208.26 203.125.96.195
   `- Total banned: 3
lsof | grep fail2ban

fail2ban- 4335 root cwd DIR 254,2 4096 2 /
fail2ban- 4335 root rtd DIR 254,2 4096 2 /
fail2ban- 4335 root txt REG 254,2 2617520 2754167 /usr/bin/python2.6
fail2ban- 4335 root mem REG 254,2 85920 2758495 /usr/lib/python2.6/lib-dynload/datetime.so
fail2ban- 4335 root mem REG 254,2 22256 2758480 /usr/lib/python2.6/lib-dynload/_heapq.so
fail2ban- 4335 root mem REG 254,2 1527584 2757358 /usr/lib/locale/locale-archive
fail2ban- 4335 root mem REG 254,2 1437064 1183121 /lib/libc-2.11.3.so
fail2ban- 4335 root mem REG 254,2 530736 1183134 /lib/libm-2.11.3.so
fail2ban- 4335 root mem REG 254,2 93936 2755595 /usr/lib/libz.so.1.2.3.4
fail2ban- 4335 root mem REG 254,2 1693344 2753938 /usr/lib/libcrypto.so.0.9.8
fail2ban- 4335 root mem REG 254,2 349248 2753940 /usr/lib/libssl.so.0.9.8
fail2ban- 4335 root mem REG 254,2 10648 1183122 /lib/libutil-2.11.3.so
fail2ban- 4335 root mem REG 254,2 14696 1183133 /lib/libdl-2.11.3.so
fail2ban- 4335 root mem REG 254,2 131258 1183116 /lib/libpthread-2.11.3.so
fail2ban- 4335 root mem REG 254,2 128744 1183117 /lib/ld-2.11.3.so
fail2ban- 4335 root 0r CHR 1,3 0t0 545 /dev/null
fail2ban- 4335 root 1u CHR 1,3 0t0 545 /dev/null
fail2ban- 4335 root 2u CHR 1,3 0t0 545 /dev/null
fail2ban- 4335 root 3u unix 0xffff880000664900 0t0 343521 /var/run/fail2ban/fail2ban.sock
fail2ban- 4335 root 6w REG 254,2 1364 1836760 /var/log/fail2ban.log
fail2ban- 4335 root 8r REG 254,2 29454 1837437 /var/log/auth.log.1
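As an added example, not part of this bug report or of fail2ban's own code, the Python script below applies the three failregex lines from sshd-root.conf to sample auth.log lines in the shape shown in the report, roughly what fail2ban-regex does for a filter. The `<HOST>` alias is the one quoted in the filter's comments; the `__prefix_line` stand-in (hostname plus `sshd[pid]:` after the stripped syslog timestamp) is an assumption, not the real common.conf definition.

```python
import re

# "<HOST>" alias exactly as quoted in the sshd-root.conf comments.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# Assumption: stand-in for common.conf's __prefix_line with _daemon = sshd,
# applied after the syslog timestamp has been stripped ("hostname sshd[pid]: ").
PREFIX_LINE = r"\S+\s+sshd\[\d+\]:\s+"

# The three failregex entries from sshd-root.conf with both substitutions applied.
FAILREGEX = [re.compile(p % (PREFIX_LINE, HOST_RE)) for p in (
    r"^%sFailed password for root from %s(?: port \d*)?(?: ssh\d*)?$",
    r"^%sROOT LOGIN REFUSED.* FROM %s\s*$",
    r"^%sauthentication failure; logname=\S* uid=\S* euid=\S* tty=\S* "
    r"ruser=\S* rhost=%s(?:\s+user=root)?\s*$",
)]

# fail2ban parses and removes the syslog date before matching; do the same here.
SYSLOG_DATE = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d\s+")


def match_line(line):
    """Return (failregex index, host) for the first pattern that matches, else None."""
    rest = SYSLOG_DATE.sub("", line.rstrip("\n"))
    for idx, rx in enumerate(FAILREGEX):
        m = rx.search(rest)
        if m:
            return idx, m.group("host")
    return None


def failures_by_host(lines):
    """Count matching lines per host, i.e. what a jail compares against maxretry."""
    counts = {}
    for line in lines:
        hit = match_line(line)
        if hit:
            counts[hit[1]] = counts.get(hit[1], 0) + 1
    return counts


# Constructed sample in the shape of the auth.log excerpts in the report.
SAMPLE = [
    "Dec 16 08:42:46 einstein sshd[9213]: Failed password for invalid user Admin from 203.125.96.195 port 57022 ssh2",
    "Dec 16 12:34:27 einstein sshd[13315]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=117.21.208.26 user=root",
    "Dec 16 12:34:29 einstein sshd[13315]: Failed password for root from 117.21.208.26 port 41113 ssh2",
    "Dec 16 14:33:48 einstein sshd[15632]: Failed password for root from 203.125.96.195 port 55548 ssh2",
    "Dec 16 06:39:01 einstein CRON[7146]: pam_unix(cron:session): session opened for user root by (uid=0)",
]
```

With this stand-in prefix only the "Failed password for root" pattern fires on the sample: the pam_unix line carries a `pam_unix(sshd:auth):` token before "authentication failure" that the prefix does not consume, and the optional `user=root` group means the third pattern would also accept non-root failures, so check it against the real common.conf with fail2ban-regex before relying on it in a maxretry = 1 jail.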