1 Topic by Ron Oliva

  • Ron Oliva
  • Member
  • Offline
  • Registered: 2016-02-07
  • Posts: 8

Topic: fail2ban not working on ubuntu 14.04 clean install

==== Required information ====
- iRedMail version (check /etc/iredmail-release): iRedMail-0.9.4
- Linux/BSD distribution name and version: Ubuntu 14.04
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx):Nginx
- Manage mail accounts with iRedAdmin-Pro?no
- Related log if you're reporting an issue:
====
2016-02-07 11:41:36,870 fail2ban.server : INFO   Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.11
2016-02-07 11:41:36,871 fail2ban.jail   : INFO   Creating new jail 'ssh'
2016-02-07 11:41:36,911 fail2ban.jail   : INFO   Jail 'ssh' uses pyinotify
2016-02-07 11:41:36,936 fail2ban.jail   : INFO   Initiated 'pyinotify' backend
2016-02-07 11:41:36,938 fail2ban.filter : INFO   Added logfile = /var/log/auth.log
2016-02-07 11:41:36,939 fail2ban.filter : INFO   Set maxRetry = 6
2016-02-07 11:41:36,940 fail2ban.filter : INFO   Set findtime = 600
2016-02-07 11:41:36,940 fail2ban.actions: INFO   Set banTime = 600
2016-02-07 11:41:36,981 fail2ban.jail   : INFO   Jail 'ssh' started
2016-02-07 11:44:49,966 fail2ban.server : INFO   Stopping all jails
2016-02-07 11:44:50,203 fail2ban.actions.action: ERROR  iptables -D INPUT -p tcp -m multiport --dports ssh -j fail2ban-ssh
iptables -F fail2ban-ssh
iptables -X fail2ban-ssh returned 100
2016-02-07 11:44:50,204 fail2ban.jail   : INFO   Jail 'ssh' stopped
2016-02-07 11:44:50,205 fail2ban.server : INFO   Exiting Fail2ban

Results for  iptables -L -n:

Chain INPUT (policy DROP)
target     prot opt source               destination
fail2ban-postfix  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 80,443,25,587,110,995,143,993,4190
fail2ban-dovecot  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 80,443,25,587,110,995,143,993,4190
fail2ban-roundcube  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 80,443,25,587,110,995,143,993,4190
fail2ban-default  tcp  --  0.0.0.0/0            0.0.0.0/0
fail2ban-default  tcp  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 8
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:25
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:587
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:110
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:995
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:143
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:993

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-default (2 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain fail2ban-dovecot (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain fail2ban-postfix (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain fail2ban-roundcube (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0



Fail2ban is not banning after several attempts. Please advice. Thank you.

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,166

Re: fail2ban not working on ubuntu 14.04 clean install

Does it work after restarting fail2ban service?

3 Reply by Ron Oliva

  • Ron Oliva
  • Member
  • Offline
  • Registered: 2016-02-07
  • Posts: 8

Re: fail2ban not working on ubuntu 14.04 clean install

Yes, I tried restarting fail2ban,even reinstalling os and iredmail several times but still fail2ban not working on ssh port.
Its on openvz vps with 1GB of ram btw. Can it be due to the os image of the vps provider? Thank you.

4 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,166

Re: fail2ban not working on ubuntu 14.04 clean install

Any error if you run the commands manually?

iptables -D INPUT -p tcp -m multiport --dports ssh -j fail2ban-ssh
iptables -F fail2ban-ssh
iptables -X fail2ban-ssh

5 Reply by Ron Oliva

  • Ron Oliva
  • Member
  • Offline
  • Registered: 2016-02-07
  • Posts: 8

Re: fail2ban not working on ubuntu 14.04 clean install

iptables -D INPUT -p tcp -m multiport --dports ssh -j fail2ban-ssh

result:

Couldn't load target 'fail2ban-ssh' :No such file or directory

iptables -F fail2ban-ssh

result:

No chain/target/match by that name.

iptables -X fail2ban-ssh

result:

No chain/target/match by that name.


Thank you.

6 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,166

Re: fail2ban not working on ubuntu 14.04 clean install

It works for me. Could you please show us your /etc/fail2ban/jail.local? also, please double check whether the existence of the log files and filter files used in jail.local.

Feb 13 22:12:54 u14 fail2ban.server : INFO   Changed logging target to SYSLOG for Fail2ban v0.8.11
Feb 13 22:12:54 u14 fail2ban.jail   : INFO   Creating new jail 'sshd'
Feb 13 22:12:54 u14 fail2ban.jail   : INFO   Jail 'sshd' uses pyinotify
Feb 13 22:12:54 u14 fail2ban.jail   : INFO   Initiated 'pyinotify' backend
Feb 13 22:12:54 u14 fail2ban.filter : INFO   Added logfile = /var/log/auth.log
Feb 13 22:12:54 u14 fail2ban.filter : INFO   Set maxRetry = 5
Feb 13 22:12:54 u14 fail2ban.filter : INFO   Set findtime = 3600
Feb 13 22:12:54 u14 fail2ban.actions: INFO   Set banTime = 86400
Feb 13 22:12:54 u14 fail2ban.jail   : INFO   Creating new jail 'sshd-ddos'
Feb 13 22:12:54 u14 fail2ban.jail   : INFO   Jail 'sshd-ddos' uses pyinotify
Feb 13 22:12:54 u14 fail2ban.jail   : INFO   Initiated 'pyinotify' backend
Feb 13 22:12:54 u14 fail2ban.filter : INFO   Added logfile = /var/log/auth.log
Feb 13 22:12:54 u14 fail2ban.filter : INFO   Set maxRetry = 5
Feb 13 22:12:54 u14 fail2ban.filter : INFO   Set findtime = 3600
Feb 13 22:12:54 u14 fail2ban.actions: INFO   Set banTime = 86400
Feb 13 22:12:54 u14 fail2ban.jail   : INFO   Creating new jail 'roundcube-iredmail'
Feb 13 22:12:54 u14 fail2ban.jail   : INFO   Jail 'roundcube-iredmail' uses pyinotify
Feb 13 22:12:54 u14 fail2ban.jail   : INFO   Initiated 'pyinotify' backend
Feb 13 22:12:54 u14 fail2ban.filter : INFO   Added logfile = /var/log/mail.log
Feb 13 22:12:54 u14 fail2ban.filter : INFO   Set maxRetry = 5
Feb 13 22:12:54 u14 fail2ban.filter : INFO   Set findtime = 3600
Feb 13 22:12:54 u14 fail2ban.actions: INFO   Set banTime = 86400
Feb 13 22:12:54 u14 fail2ban.jail   : INFO   Creating new jail 'dovecot-iredmail'
Feb 13 22:12:54 u14 fail2ban.jail   : INFO   Jail 'dovecot-iredmail' uses pyinotify
Feb 13 22:12:54 u14 fail2ban.jail   : INFO   Initiated 'pyinotify' backend
Feb 13 22:12:54 u14 fail2ban.filter : INFO   Added logfile = /var/log/dovecot.log
Feb 13 22:12:54 u14 fail2ban.filter : INFO   Set maxRetry = 5
Feb 13 22:12:54 u14 fail2ban.filter : INFO   Set findtime = 3600
Feb 13 22:12:54 u14 fail2ban.actions: INFO   Set banTime = 86400
Feb 13 22:12:54 u14 fail2ban.jail   : INFO   Creating new jail 'postfix-iredmail'
Feb 13 22:12:54 u14 fail2ban.jail   : INFO   Jail 'postfix-iredmail' uses pyinotify
Feb 13 22:12:54 u14 fail2ban.jail   : INFO   Initiated 'pyinotify' backend
Feb 13 22:12:54 u14 fail2ban.filter : INFO   Added logfile = /var/log/mail.log
Feb 13 22:12:54 u14 fail2ban.filter : INFO   Set maxRetry = 5
Feb 13 22:12:54 u14 fail2ban.filter : INFO   Set findtime = 3600
Feb 13 22:12:54 u14 fail2ban.actions: INFO   Set banTime = 86400
Feb 13 22:12:54 u14 fail2ban.jail   : INFO   Jail 'sshd' started
Feb 13 22:12:54 u14 fail2ban.jail   : INFO   Jail 'sshd-ddos' started
Feb 13 22:12:54 u14 fail2ban.jail   : INFO   Jail 'roundcube-iredmail' started
Feb 13 22:12:54 u14 fail2ban.jail   : INFO   Jail 'dovecot-iredmail' started
Feb 13 22:12:54 u14 fail2ban.jail   : INFO   Jail 'postfix-iredmail' started

7 Reply by Ron Oliva

  • Ron Oliva
  • Member
  • Offline
  • Registered: 2016-02-07
  • Posts: 8

Re: fail2ban not working on ubuntu 14.04 clean install

From /etc/fail2ban/jail.local

# Refer to /etc/fail2ban/jail.conf for more examples.
[DEFAULT]
# time is in seconds. 3600 = 1 hour, 86400 = 24 hours (1 day)
findtime    = 3600
bantime     = 3600
maxretry    = 5
ignoreip    = 127.0.0.1 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16

[sshd]
enabled     = true
filter      = sshd
action      =iptables-allports
logpath     = /var/log/auth.log

[sshd-ddos]
enabled     = true
filter      = sshd-ddos
action      = iptables-allports
logpath     = /var/log/auth.log

[roundcube-iredmail]
enabled     = true
filter      = roundcube.iredmail
action      = iptables-multiport[name=roundcube, port="http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve", protocol=tcp]
logpath     = /var/log/mail.log
findtime    = 3600

[dovecot-iredmail]
enabled     = true
filter      = dovecot.iredmail
action      = iptables-multiport[name=dovecot, port="http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve", protocol=tcp]
logpath     = /var/log/dovecot.log

[postfix-iredmail]
enabled     = true
filter      = postfix.iredmail
action      = iptables-multiport[name=postfix, port="http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve", protocol=tcp]
#              sendmail[name=Postfix, dest=root, sender=fail2ban@localhost]
logpath     = /var/log/mail.log

[sogo-iredmail]
enabled     = false
filter      = sogo-auth
action      = iptables-multiport[name=SOGo, port="http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve", protocol=tcp]
logpath     = /var/log/sogo/sogo.log

Also this is from /etc/fail2ban/action.d/iptables-allports.conf

# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Modified: Yaroslav O. Halchenko <debian@onerussian.com>
#                       made active on all ports from original iptables.conf
#
#

[INCLUDES]

before = iptables-blocktype.conf


[Definition]

# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
#
actionstart = iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
              iptables -I <chain> -p <protocol> -j fail2ban-<name>

# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
#
actionstop = iptables -D <chain> -p <protocol> -j fail2ban-<name>
             iptables -F fail2ban-<name>
             iptables -X fail2ban-<name>

# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
actioncheck = iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype>

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionunban = iptables -D fail2ban-<name> -s <ip> -j <blocktype>

[Init]

# Default name of the chain
#
name = default

# Option:  protocol
# Notes.:  internally used by config reader for interpolations.
# Values:  [ tcp | udp | icmp | all ] Default: tcp
#
protocol = tcp

# Option:  chain
# Notes    specifies the iptables chain to which the fail2ban rules should be
#          added
# Values:  STRING  Default: INPUT
chain = INPUT

It somehow works after i make changes to /etc/fail2ban/jail.local:


[sshd]
enabled     = true
filter      = sshd
action      = iptables-multiport[name=ssh, port=ssh, protocol=tcp]
logpath     = /var/log/auth.log

I wasn't really sure why though. I never change anything in fail2ban config files before.
Thank you very much sir ZhangHuangbin. I really appreciate your time for looking into this matter:)

8 Reply by Ron Oliva

  • Ron Oliva
  • Member
  • Offline
  • Registered: 2016-02-07
  • Posts: 8

Re: fail2ban not working on ubuntu 14.04 clean install

Also, this is the contents of /etc/fail2ban/action.d/iptables-multiport.conf

# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Modified by Yaroslav Halchenko for multiport banning
#

[INCLUDES]

before = iptables-blocktype.conf

[Definition]

# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
#
actionstart = iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
              iptables -I <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>

# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
#
actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
             iptables -F fail2ban-<name>
             iptables -X fail2ban-<name>

# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
actioncheck = iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype>

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionunban = iptables -D fail2ban-<name> -s <ip> -j <blocktype>

[Init]

# Default name of the chain
#
name = default

# Option:  port
# Notes.:  specifies port to monitor
# Values:  [ NUM | STRING ]  Default:
#
port = ssh

# Option:  protocol
# Notes.:  internally used by config reader for interpolations.
# Values:  [ tcp | udp | icmp | all ] Default: tcp
#
protocol = tcp

# Option:  chain
# Notes    specifies the iptables chain to which the fail2ban rules should be
#          added
# Values:  STRING  Default: INPUT
chain = INPUT

9 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,166

Re: fail2ban not working on ubuntu 14.04 clean install

Ron Oliva wrote:

It somehow works after i make changes to /etc/fail2ban/jail.local:

[sshd]
enabled     = true
filter      = sshd
action      = iptables-multiport[name=ssh, port=ssh, protocol=tcp]
logpath     = /var/log/auth.log

Looks like we need "[name=xxx, protocol=xxx]" for each jail. Could you please try it again?

10 Reply by Ron Oliva

  • Ron Oliva
  • Member
  • Offline
  • Registered: 2016-02-07
  • Posts: 8

Re: fail2ban not working on ubuntu 14.04 clean install

Hi,

I first tried using in action=iptables-allports in /etc/fail2ban/jail.local such as:

[sshd]
enabled     = true
filter      = sshd
action      = iptables-allports[name=ssh, protocol=tcp]
logpath     = /var/log/auth.log

[sshd-ddos]
enabled     = true
filter      = sshd-ddos
action      = iptables-allports[name=ssh, protocol=tcp]
logpath     = /var/log/auth.log

but it does not work.
However using iptables-multiport solves the problem such as:

[sshd]
enabled     = true
filter      = sshd
action      = iptables-multiport[name=ssh, protocol=tcp]
logpath     = /var/log/auth.log

[sshd-ddos]
enabled     = true
filter      = sshd-ddos
action      = iptables-multiport[name=ssh, protocol=tcp]
logpath     = /var/log/auth.log


Thank you very much for helping deal with this issue.
Everything now seems to work fine:)

11 Reply by Ron Oliva (edited by Ron Oliva 2016-02-14 14:28:50)

  • Ron Oliva
  • Member
  • Offline
  • Registered: 2016-02-07
  • Posts: 8

Re: fail2ban not working on ubuntu 14.04 clean install

Also, I recently got my hands on a kvm vps from a different provider.
Installing iredmail in ubuntu 14.04 yields the same error in /var/log/fail2ban.log. Thank you

12 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,166

Re: fail2ban not working on ubuntu 14.04 clean install

OK, next iRedMail release will use 'iptables-multiport' instead of 'iptables-allports'.
Thanks for the feedback. smile