Fail2Ban return error on service status

Problems/questions regarding MailCleaner installation

Moderators: FlorianB, Pascal, bourgeois, mentor

cglmicro
Posts: 291
Joined: Thu Mar 07, 2013 2:12 am
How did you hear about Mailcleaner: google

Fail2Ban return error on service status

Postby cglmicro » Sat Mar 03, 2018 10:51 pm

Hi.
I followed RAJBPS and other recommendations, and I've decided to start this new thread to separate the issue from the rest of his thread.

This is the error I get:

Code:

root@mailcleaner:~# service fail2ban status
service fail2ban status
● fail2ban.service - LSB: Start/stop fail2ban
   Loaded: loaded (/etc/init.d/fail2ban)
   Active: active (exited) since Sat 2018-03-03 16:21:57 EST; 26min ago
  Process: 16839 ExecStop=/etc/init.d/fail2ban stop (code=exited, status=0/SUCCESS)
  Process: 16869 ExecStart=/etc/init.d/fail2ban start (code=exited, status=0/SUCCESS)

Mar 03 16:21:57 mailcleaner fail2ban[16869]: ERROR  Error in action definition iptables-repeater[name=smtp]
Mar 03 16:21:57 mailcleaner fail2ban[16869]: ERROR  Errors in jail 'exim2'. Skipping...
Mar 03 16:21:57 mailcleaner systemd[1]: Started LSB: Start/stop fail2ban.


This is the end of my /etc/fail2ban/jail.conf:

Code:


[exim2-repeater]
enabled = true
filter = exim2
action = iptables-repeater[name=exim2]
logpath = /var/mailcleaner/log/exim_stage1/mainlog
maxretry = 3
findtime = 216000
bantime = -1


This is my /etc/fail2ban/filter.d/exim2.conf:

Code:

# Fail2Ban filter for exim
#
# This includes the rejection messages of exim. For spam and filter
# related bans use the exim-spam.conf
#
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# exim-common.local
# before = exim-common.conf
[Definition]
failregex = \[<HOST>\]: 535 Incorrect authentication data
ignoreregex =


This is my /etc/fail2ban/action.d/iptables-repeater.conf:

Code:

# Fail2ban configuration file
#
# Author: Phil Hagen <phil@identityvector.com>
#
[Definition]
# Option: actionstart
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
actionstart = iptables -N fail2ban-REPEAT-<name>
iptables -A fail2ban-REPEAT-<name> -j RETURN
iptables -I INPUT -j fail2ban-REPEAT-<name>
# set up from the static file
cat /etc/fail2ban/ip.blocklist.<name> |grep -v ^\s*#|awk '{print $1}' | while read IP; do iptables -I fail2ban-REPEAT-<name> 1 -s $IP -j DROP; done
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
actionstop = iptables -D INPUT -j fail2ban-REPEAT-<name>
iptables -F fail2ban-REPEAT-<name>
iptables -X fail2ban-REPEAT-<name>
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck = iptables -n -L INPUT | grep -q fail2ban-REPEAT-<name>
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: <ip> IP address
# <failures> number of failures
# <time> unix timestamp of the ban time
# Values: CMD
#
actionban = iptables -I fail2ban-REPEAT-<name> 1 -s <ip> -j DROP
# also put into the static file to re-populate after a restart
! grep -Fq <ip> /etc/fail2ban/ip.blocklist.<name> && echo "<ip> # fail2ban/$( date '+%%Y-%%m-%%d %%T' ): auto-add for repeat offender" >> /etc/fail2ban/ip.blocklist.<name>
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: <ip> IP address
# <failures> number of failures
# <time> unix timestamp of the ban time
# Values: CMD
#
actionunban = /bin/true
[Init]
# Default name of the chain
#
name = REPEAT


and the file exists:

Code:

root@mailcleaner:/etc/fail2ban# touch ip.blocklist.exim2
root@mailcleaner:/etc/fail2ban# ls -latr
total 44
-rw-r--r--  1 root root  1525 Mar 15  2014 fail2ban.conf
drwxr-xr-x  2 root root  4096 Mar 19  2014 jail.d
drwxr-xr-x  2 root root  4096 Mar 19  2014 fail2ban.d
drwxr-xr-x  2 root root  4096 Mar  3 09:42 filter.d
drwxr-xr-x  2 root root  4096 Mar  3 09:42 action.d
drwxr-xr-x  6 root root  4096 Mar  3 09:42 .
drwxr-xr-x 97 root root  4096 Mar  3 15:49 ..
-rw-r--r--  1 root root 13988 Mar  3 16:28 jail.conf
-rw-r--r--  1 root root     0 Mar  3 17:32 ip.blocklist.exim2


What am I missing?

Thanks.
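
Added example, not part of the original post or of fail2ban: in the action file as pasted above, the commands after the first line of `actionstart`, `actionstop` and `actionban` start at column 0, and an INI parser only treats a line as a continuation of the previous value when it is indented. The sketch feeds a constructed excerpt of that file, flat and indented, to Python's standard `configparser`, which fail2ban's config reader builds on; `parse_action` and `command_count` are hypothetical helper names.

```python
import configparser

# Constructed sample: the first options of an action file shaped like the one
# posted above, with continuation lines starting at column 0.
FLAT = """\
[Definition]
actionstart = iptables -N fail2ban-REPEAT-<name>
iptables -A fail2ban-REPEAT-<name> -j RETURN
iptables -I INPUT -j fail2ban-REPEAT-<name>
actionstop = iptables -D INPUT -j fail2ban-REPEAT-<name>
iptables -F fail2ban-REPEAT-<name>
iptables -X fail2ban-REPEAT-<name>
"""

# Same content with every continuation line indented.
INDENTED = """\
[Definition]
actionstart = iptables -N fail2ban-REPEAT-<name>
              iptables -A fail2ban-REPEAT-<name> -j RETURN
              iptables -I INPUT -j fail2ban-REPEAT-<name>
actionstop = iptables -D INPUT -j fail2ban-REPEAT-<name>
             iptables -F fail2ban-REPEAT-<name>
             iptables -X fail2ban-REPEAT-<name>
"""


def parse_action(text):
    """Return (options, rejected_line_numbers) for an action definition."""
    parser = configparser.RawConfigParser()
    try:
        parser.read_string(text)
    except configparser.ParsingError as exc:
        # exc.errors holds one (line number, line) pair per rejected line.
        return {}, [lineno for lineno, _ in exc.errors]
    return dict(parser.items("Definition")), []


def command_count(options, key):
    """Number of shell commands stored under one option."""
    return len([ln for ln in options.get(key, "").splitlines() if ln.strip()])


if __name__ == "__main__":
    print("flat:", parse_action(FLAT))
    opts, bad = parse_action(INDENTED)
    print("indented:", bad, command_count(opts, "actionstart"))
```

Running the same function over the real file in `/etc/fail2ban/action.d/` gives the line numbers to indent, if any are rejected.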

Re: Fail2Ban return error on service status

Postby cglmicro » Sun Mar 04, 2018 11:30 pm

...and also, I was trying it to see if my IP was to be jailed with repeated (and fast) bad ssh login/password.

For the test, I had to remove the erroneous EXIM section of jail.conf, and delete the two other conf files.

It was detected and added to the SSH jail in seconds, but I'm still able to log in to the server, and my IP is not whitelisted.

My ssh is on port 12322 (fake port), and my "abusive" IP is 70.53.252.175.

See my jail and an iptables command, what is wrong?

Code:

root@mailcleaner:~# fail2ban-client status ssh
Status for the jail: ssh
|- filter
|  |- File list:        /var/log/auth.log
|  |- Currently failed: 1
|  `- Total failed:     20
`- action
   |- Currently banned: 1
   |  `- IP list:       70.53.252.175
   `- Total banned:     1

root@mailcleaner:~# iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N fail2ban-ssh
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 12322 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4242 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 587 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80:443 -j ACCEPT
-A INPUT -s 185.201.xxx.xxx/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 69.70.xxx.xxx/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A fail2ban-ssh -s 70.53.252.175/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ssh -j RETURN


So why am I still able to reach the server, even with my abusive 70.52.252.175 IP in iptables?
FlorianB
Posts: 296
Joined: Wed Apr 01, 2015 2:27 pm
How did you hear about Mailcleaner: job

Re: Fail2Ban return error on service status

Postby FlorianB » Mon Mar 05, 2018 9:46 am

Hello cgl,
Looks like you have a "fail2ban-ssh" chain added via fail2ban (completely normal) talking about a -d 22 (destination port 22).
You specified that your sshd port has been changed, so it probably doesn't correspond anymore. Change the ssh port in fail2ban to make it correspond.
Regards,
Florian

Re: Fail2Ban return error on service status

Postby cglmicro » Mon Mar 05, 2018 8:49 pm

FlorianB wrote:Hello cgl,
Looks like you have a "fail2ban-ssh" chain added via fail2ban (completely normal) talking about a -d 22 (destination port 22).
You specified that your sshd port has been changed, so it probably doesn't correspond anymore. Change the ssh port in fail2ban to make it correspond.
Regards,
Florian


Hi Florian.

Do you mean in /etc/fail2ban/jail.conf:

Code:

[ssh]

enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 6


Should I replace "port = ssh" with "port = 12322"? (I thought it was fetching the port number of the SSHD service itself)

Re: Fail2Ban return error on service status

Postby FlorianB » Tue Mar 06, 2018 12:17 pm

Hello,
Yes, exactly. Fail2Ban doesn't use this value for detection, as it reads the log file, but it uses it for blocking purposes, so if you leave the default, it simply blocks 22 without detecting the right port.
Regards,
Florian
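
The mismatch described in this reply can be checked mechanically. The following is an added example, not part of the thread: it reads `iptables -S` output and reports whether the INPUT rule that jumps into a fail2ban chain matches the port the service really listens on. The rule set is a constructed sample modelled on the output above (the banned address is a documentation-range placeholder), the function names are hypothetical, and ports are assumed to be numeric as `iptables -S` prints them.

```python
import re

# Constructed sample modelled on the `iptables -S` output in the thread.
RULES = """\
-P INPUT DROP
-N fail2ban-ssh
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -p tcp -m tcp --dport 12322 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80:443 -j ACCEPT
-A fail2ban-ssh -s 192.0.2.10/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ssh -j RETURN
"""


def parse_ports(spec):
    """Expand a port spec such as '22,80:443' into (low, high) ranges."""
    ranges = []
    for part in spec.split(","):
        low, _, high = part.partition(":")
        ranges.append((int(low), int(high or low)))
    return ranges


def jail_ports(rules, chain):
    """Port ranges of the INPUT rules that jump to `chain`.

    Returns None when a jump carries no port match, meaning the chain
    sees all traffic; returns [] when the chain is not hooked at all.
    """
    ranges = []
    for line in rules.splitlines():
        tokens = line.split()
        if tokens[:2] != ["-A", "INPUT"] or tokens[-2:] != ["-j", chain]:
            continue
        match = re.search(r"--dports? (\S+)", line)
        if match is None:
            return None
        ranges += parse_ports(match.group(1))
    return ranges


def ban_covers(rules, chain, service_port):
    """True if traffic to service_port is sent through the ban chain."""
    ranges = jail_ports(rules, chain)
    if ranges is None:
        return True
    return any(low <= service_port <= high for low, high in ranges)


if __name__ == "__main__":
    for port in (22, 12322):
        print(port, ban_covers(RULES, "fail2ban-ssh", port))
```

With the sample rules, the ban chain is consulted for port 22 only, so a banned address still reaches the `--dport 12322 -j ACCEPT` rule.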

Re: Fail2Ban return error on service status

Postby cglmicro » Tue Mar 06, 2018 6:09 pm

Ok, will try. Thanks.
