Solved Need help with fail2ban

Hi all,

I have installed fail2ban on my 10.1 box. As it does not work out of the box, I have tried to customize it to my needs.

First, I have built my own action in action.d/ipfw-oz.conf:

Code:
[Definition]
actionstart =
actionstop = ipfw table 1 flush
actioncheck =
actionban = ipfw table 1 add <ip>
actionunban = ipfw table 1 delete <ip>

[Init]
blocktype = deny

Next, I have customized my ipfw script:
Code:
-q flush
-q add deny log logamount 20 ip from table(1) to me
-q add check-state
-q add allow ip from any to any via lo0
-q add allow tcp from any to any established
-q add allow tcp from me to any out setup
-q add allow udp from me to any out keep-state
[...]

My assumption: all IP addresses in table 1 should be blocked.

Last, I have set up jail.local:
Code:
[DEFAULT]
banaction = ipfw-oz
bantime = 3600
maxretry = 3
destemail = olaf@zaplinski.de
sender = root@betsy.tuxfriends.net
mta = mail
action = %(action_mwl)s
[sshd]
port    = ssh
logpath = %(sshd_log)s
enabled = true
[sshd-ddos]
port    = ssh
logpath = %(sshd_log)s
enabled = true

My problem: fail2ban does not detect brute force SSH login attempts. auth.log says:

Code:
error: Received disconnect from 1.2.3.4: 14: No supported authentication methods available [preauth]

Meanwhile, the fail2ban log shows nothing new. It looks as if it could not detect SSH login attempts as root with password authentication.

sshd's logging is set to verbose.

Any ideas?

Olaf
 
Are you only using it to protect SSH or is it protecting other services too? If you only protect SSH you may want to have a look at security/sshguard-ipfw. It's a lot smaller and has no dependencies. It is, however, a little bit less configurable.
 
I would like to start with sshd and to add more services later on, e.g. postfix.
 
Alright. I don't have fail2ban installed but I looked at a Linux install. Have a look in the filter.d/ directory. There should be a sshd.conf and a sshd-dos.conf. This is where the regexp is defined that triggers it. You may need to adjust them. Sometimes the messages are slightly different between FreeBSD and Linux.
 
Posting the interesting stuff from PR 201108 that you opened against the security/py-fail2ban port:
Code:
2015-06-25 18:04:09,540 fail2ban.action [605]: ERROR ipfw table 1 delete 5.190.61.182 -- stdout: ''
2015-06-25 18:04:09,540 fail2ban.action [605]: ERROR ipfw table 1 delete 5.190.61.182 -- stderr: 'ipfw: setsockopt(IP_FW_TABLE_XDEL): No such process\n'
2015-06-25 18:04:09,541 fail2ban.action [605]: ERROR ipfw table 1 delete 5.190.61.182 -- returned 71

Ok, so it looked like you had adapted your configuration as you went since you started with IPTables. Starting from the bottom the issue seems to be ipfw(8) configuration related since that is returning an error when it gets a valid IP address from Fail2Ban.

Same comment applies. Can you show more on your IPFW configuration? Your blurb that you showed above appears to be missing the typical ${fwcmd} that you see at the start of most scripts. I'm not sure if it was edited to keep things short for the forum. Does IPFW show that the table is successfully configured?
 
Hi Jason,

my rc.conf:
Code:
firewall_enable="YES"
firewall_logging="YES"
firewall_type="/etc/rc.fw"
My complete rc.fw:
Code:
-q flush
-q add deny log logamount 20 ip from table(1) to me
-q add check-state
#
# -- lo0
-q add allow ip from any to any via lo0
#
# -- any established
-q add allow tcp from any to any established
#
# -- all outgoing
-q add allow tcp from me to any out setup
-q add allow udp from me to any out keep-state
-q add allow icmp from me to any out
#
# -- all friends
-q add allow ip from 217.12.199.66 to me in via vtnet0
-q add allow ip6 from 2a00:12c0:1015:100:1::2 to me6 in via vtnet0
#
# -- icmp
-q add allow icmp from any to me in via vtnet0
-q add allow icmp6 from any to me6 in via vtnet0
#
# -- smtp
-q add allow tcp from any to me 25 in setup
#
# -- ssh for all
-q add allow log logamount 20 tcp from any to me 22 in setup
#
# -- cleanup
-q add reset log logamount 20 tcp from any to me in via vtnet0
-q add unreach port log logamount 20 udp from any to me in via vtnet0
-q add deny log logamount 20 ip from any to me in via vtnet0

When starting ipfw, I get no errors:
Code:
[root@betsy /etc]# /etc/rc.d/ipfw stop
net.inet.ip.fw.enable: 1 -> 0
net.inet6.ip6.fw.enable: 1 -> 0
[root@betsy /etc]# /etc/rc.d/ipfw start
Flushed all rules.
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 allow ipv6-icmp from any to any ip6 icmp6types 1
01000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
Firewall rules loaded.
Firewall logging enabled.

The ipfw list looks okay to me:
Code:
[root@betsy /etc]# ipfw list
00100 deny log logamount 20 ip from table(1) to me
00200 check-state
00300 allow ip from any to any via lo0
00400 allow tcp from any to any established
00500 allow tcp from me to any out setup
00600 allow udp from me to any out keep-state
00700 allow icmp from me to any out
00800 allow ip from 217.12.199.66 to me in via vtnet0
00900 allow ip6 from 2a00:12c0:1015:100:1::2 to me6 in via vtnet0
01000 allow icmp from any to me in via vtnet0
01100 allow ipv6-icmp from any to me6 in via vtnet0
01200 allow tcp from any to me dst-port 25 in setup
01300 allow log logamount 20 tcp from any to me dst-port 22 in setup
01400 reset log logamount 20 tcp from any to me in via vtnet0
01500 unreach port log logamount 20 udp from any to me in via vtnet0
01600 deny log logamount 20 ip from any to me in via vtnet0
65535 allow ip from any to any

Olaf
 
Posting the interesting stuff from PR 201108 that you opened against the security/py-fail2ban port:
Code:
2015-06-25 18:04:09,540 fail2ban.action [605]: ERROR ipfw table 1 delete 5.190.61.182 -- stdout: ''
2015-06-25 18:04:09,540 fail2ban.action [605]: ERROR ipfw table 1 delete 5.190.61.182 -- stderr: 'ipfw: setsockopt(IP_FW_TABLE_XDEL): No such process\n'
2015-06-25 18:04:09,541 fail2ban.action [605]: ERROR ipfw table 1 delete 5.190.61.182 -- returned 71

That error looks like what was documented against Fail2ban and fixed for 0.9.2. What is the behavior when you use the bsd-ipfw.conf as suggested by the port's maintainer in PR 201108?
https://github.com/fail2ban/fail2ban/issues/893
 
Okay, I have now started from scratch. Everything is default now, except for my jail.local:
Code:
[DEFAULT]
bantime  = 600
findtime  = 600
maxretry = 3

[sshd]
port    = ssh
logpath = %(sshd_log)s
filter  = bsd-sshd.conf
enabled = true
Log file:
Code:
2015-07-01 10:59:53,542 fail2ban.server         [5520]: INFO    Changed logging target to /var/log/fail2ban.log for Fail2ban v0.9.2
2015-07-01 10:59:53,546 fail2ban.database       [5520]: INFO    Connected to fail2ban persistent database '/var/db/fail2ban/fail2ban.sqlite3'
2015-07-01 10:59:53,597 fail2ban.database       [5520]: WARNING New database created. Version '2'
2015-07-01 10:59:53,598 fail2ban.jail           [5520]: INFO    Creating new jail 'sshd'
2015-07-01 10:59:53,601 fail2ban.jail           [5520]: INFO    Jail 'sshd' uses poller
2015-07-01 10:59:53,616 fail2ban.filter         [5520]: INFO    Set jail log file encoding to US-ASCII
2015-07-01 10:59:53,616 fail2ban.jail           [5520]: INFO    Initiated 'polling' backend
2015-07-01 10:59:53,624 fail2ban.filter         [5520]: INFO    Added logfile = /var/log/auth.log
2015-07-01 10:59:53,624 fail2ban.filter         [5520]: INFO    Set maxRetry = 3
2015-07-01 10:59:53,625 fail2ban.filter         [5520]: INFO    Set jail log file encoding to US-ASCII
2015-07-01 10:59:53,625 fail2ban.actions        [5520]: INFO    Set banTime = 600
2015-07-01 10:59:53,626 fail2ban.filter         [5520]: INFO    Set findtime = 600
2015-07-01 10:59:53,670 fail2ban.jail           [5520]: INFO    Jail 'sshd' started
2015-07-01 10:59:53,786 fail2ban.action         [5520]: ERROR   iptables -N f2b-sshd
iptables -A f2b-sshd -j RETURN
iptables -I INPUT -p tcp -m multiport --dports ssh -j f2b-sshd -- stdout: ''
2015-07-01 10:59:53,787 fail2ban.action         [5520]: ERROR   iptables -N f2b-sshd
iptables -A f2b-sshd -j RETURN
iptables -I INPUT -p tcp -m multiport --dports ssh -j f2b-sshd -- stderr: 'iptables: not found\niptables: not found\niptables: not found\n'
2015-07-01 10:59:53,787 fail2ban.action         [5520]: ERROR   iptables -N f2b-sshd
iptables -A f2b-sshd -j RETURN
iptables -I INPUT -p tcp -m multiport --dports ssh -j f2b-sshd -- returned 127
2015-07-01 10:59:53,788 fail2ban.action         [5520]: INFO    HINT on 127: "Command not found".  Make sure that all commands in 'iptables -N f2b-sshd\niptables -A f2b-sshd -j RETURN\niptables -I INPUT -p tcp -m multiport --dports ssh -j f2b-sshd' are in the PATH of fail2ban-server process (grep -a PATH= /proc/`pidof -x fail2ban-server`/environ). You may want to start "fail2ban-server -f" separately, initiate it with "fail2ban-client reload" in another shell session and observe if additional informative error messages appear in the terminals.
2015-07-01 10:59:53,788 fail2ban.actions        [5520]: ERROR   Failed to start jail 'sshd' action 'iptables-multiport': Error starting action

Why does a port start with iptables as default?

So I edited my jail.local again:
Code:
[DEFAULT]
banaction = bsd-ipfw
bantime  = 600
findtime  = 600
maxretry = 3

[sshd]
port    = ssh
logpath = %(sshd_log)s
filter  = bsd-sshd
enabled = true

And now, fail2ban does not detect anything.
 
What should be my next step? I want to make fail2ban recognize failed ssh logins.
 
Looking at the output that uses IPTables, there's no indication it's actually detecting anything. The error you're seeing is because fail2ban inserts a specific chain to add IP addresses to.

I'm not sure if the %(sshd_log)s string actually resolves to the correct log file. Try setting it specifically to /var/log/auth.log. Also verify sshd(8) is configured with the default logging options:
Code:
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO
Any other LogLevel may produce slightly different log entries which fail2ban may not recognize.
 
sshd's log level was VERBOSE, I have changed it to INFO now.

And now it is getting clearer: the filter bsd-sshd.conf is incomplete. When password logins are disabled for sshd (which is normal for almost every host, I think), sshd logs

Code:
error: Received disconnect from 10.2.3.4: 14: No supported authentication methods available [preauth]

This line is not included in that filter.

I am not good at regex'ing. My additional filter line
Code:
^%(__prefix_line)serror: Received disconnect from <HOST>:.*No supported authentication methods available$

does not work:

Code:
2015-07-01 14:24:49,413 fail2ban.server         [6107]: INFO    Starting Fail2ban v0.9.2
2015-07-01 14:24:49,413 fail2ban.server         [6107]: INFO    Starting in daemon mode
ERROR  NOK: ("No 'host' group in '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[ *\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*No supported authentication methods'",)

Can you help me?
 
Not tested but this may do the trick. It should also catch a few other 'preauth' failures.

Code:
^%(__prefix_line)sReceived disconnect from <HOST>:.*\[preauth\]$
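As an added example (not part of this thread and not fail2ban's own code), here is a small Python harness that tests a failregex the way fail2ban-regex does: it expands the `%(__prefix_line)s` and `<HOST>` placeholders, runs the pattern over a constructed auth.log sample containing the "Received disconnect ... [preauth]" line quoted earlier in the thread, and applies the maxretry/findtime counting rule from jail.local to decide which host would be banned. The syslog prefix used here is a simplified stand-in for fail2ban's real `__prefix_line`, the `HOST_RE` group is the substitution the fail2ban 0.9 series makes for `<HOST>`, and the `VARIANT` pattern is the suggested `[preauth]` regex with the `error: ` token made optional, since the auth.log line shown above carries that token; the sample log lines, hostname and the 198.51.100.5 / 192.0.2.7 addresses are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Stand-in for fail2ban's %(__prefix_line)s: BSD syslog timestamp, hostname
# and the "sshd[pid]: " daemon tag. This is an assumption made for the
# example; fail2ban's real definition in filter.d/common.conf is broader.
PREFIX_LINE = r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ sshd\[\d+\]: "

# Named group fail2ban substitutes for the <HOST> placeholder (the optional
# ::ffff: part strips IPv4-mapped IPv6 notation).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Candidate failregex lines. ORIGINAL is the thread's first attempt; VARIANT is
# the suggested "[preauth]" pattern with the "error: " token made optional,
# because the auth.log line quoted in the thread carries that token.
ORIGINAL = (r"^%(__prefix_line)serror: Received disconnect from <HOST>:"
            r".*No supported authentication methods available$")
VARIANT = r"^%(__prefix_line)s(?:error: )?Received disconnect from <HOST>:.*\[preauth\]$"

# Constructed auth.log sample (RFC 5737 documentation addresses for the extra hosts).
SAMPLE_LOG = """\
Jul  2 09:51:51 betsy sshd[12081]: error: Received disconnect from 10.2.3.4: 14: No supported authentication methods available [preauth]
Jul  2 09:51:56 betsy sshd[12082]: error: Received disconnect from 10.2.3.4: 14: No supported authentication methods available [preauth]
Jul  2 09:52:00 betsy sshd[12083]: error: Received disconnect from 10.2.3.4: 14: No supported authentication methods available [preauth]
Jul  2 09:52:03 betsy sshd[12084]: Accepted publickey for olaf from 198.51.100.5 port 51234 ssh2
Jul  2 10:30:00 betsy sshd[12090]: error: Received disconnect from 192.0.2.7: 14: No supported authentication methods available [preauth]
"""


def build_regex(failregex):
    """Expand the placeholders and compile, refusing a pattern without <HOST>
    (fail2ban reports that case as "No 'host' group")."""
    if "<HOST>" not in failregex:
        raise ValueError("No 'host' group in failregex")
    pattern = failregex.replace("%(__prefix_line)s", PREFIX_LINE)
    pattern = pattern.replace("<HOST>", HOST_RE)
    return re.compile(pattern)


def find_failures(regex, log_text, year=2015):
    """Return (timestamp, host) for every line the failregex matches."""
    hits = []
    for line in log_text.splitlines():
        m = regex.match(line)
        if m:
            # BSD syslog lines carry no year; one is assumed for the example.
            ts = datetime.strptime("%d %s" % (year, line[:15]), "%Y %b %d %H:%M:%S")
            hits.append((ts, m.group("host")))
    return hits


def decide_bans(failures, maxretry=3, findtime=600):
    """fail2ban's counting rule: ban a host once maxretry matches fall within
    a findtime-second window."""
    recent = defaultdict(list)
    banned = []
    for ts, host in failures:
        recent[host] = [t for t in recent[host] if (ts - t).total_seconds() <= findtime]
        recent[host].append(ts)
        if len(recent[host]) >= maxretry and host not in banned:
            banned.append(host)
    return banned


def run_filter(failregex, log_text=SAMPLE_LOG, maxretry=3, findtime=600):
    """Which lines a failregex matches and which hosts it would ban."""
    failures = find_failures(build_regex(failregex), log_text)
    return failures, decide_bans(failures, maxretry, findtime)


if __name__ == "__main__":
    for name, pattern in (("original", ORIGINAL), ("variant", VARIANT)):
        failures, banned = run_filter(pattern)
        print("%-8s matched %d line(s), banned %s" % (name, len(failures), banned))
```

Run against the sample, the thread's first pattern matches nothing because its `$` anchor sits right after "available" while the logged line continues with " [preauth]"; the variant matches the three attempts from 10.2.3.4 inside the 600-second window and bans that host, while the single attempt from 192.0.2.7 stays below maxretry. On a real box the same check is done with the `fail2ban-regex` tool that ships with fail2ban, pointed at the live log and the filter file, which is the quickest way to confirm a filter before enabling the jail.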
 
Thank you very much! :)

Recognition works, and my table 1 construct also:

Code:
# ipfw -a list
00001      3      180 unreach port ip from table(1) to me dst-port 22
00100      0        0 check-state
00200   3825   412880 allow ip from any to any via lo0
00300 171287 99624781 allow tcp from any to any established
00400     24     1680 allow tcp from me to any out setup

Code:
# ipfw table 1 list
10.2.3.4/32 0
fail2ban.log:
Code:
==> fail2ban.log <==
2015-07-02 09:51:51,254 fail2ban.filter         [12081]: INFO    [sshd] Found 10.2.3.4
2015-07-02 09:51:56,454 fail2ban.filter         [12081]: INFO    [sshd] Found 10.2.3.4
2015-07-02 09:52:00,618 fail2ban.filter         [12081]: INFO    [sshd] Found 10.2.3.4
2015-07-02 09:52:00,910 fail2ban.actions        [12081]: NOTICE  [sshd] Ban 10.2.3.4
 