fail2ban interview questions
Top fail2ban frequently asked interview questions
Is it possible to catch an authentication failure on multiple lines with a fail2ban regex?
Here is the example:
Sep 08 11:54:59.207814 afpd[16190] {dsi_tcp.c:241} (I:DSI): AFP/TCP session from 10.0.71.149:53863
Sep 08 11:54:59.209504 afpd[16190] {uams_dhx2_pam.c:329} (I:UAMS): DHX2 login: thierry
Sep 08 11:54:59.272092 afpd[16190] {uams_dhx2_pam.c:214} (I:UAMS): PAM DHX2: PAM Success
Sep 08 11:55:01.522258 afpd[16190] {uams_dhx2_pam.c:666} (I:UAMS): DHX2: PAM_Error: Authentication failure
Thanks
Source: (StackOverflow)
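fail2ban 0.9 and later can match across lines with the maxlines option and the <SKIPLINES> tag in failregex, but the correlation itself is simple enough to show directly. Added example, not from the question or from fail2ban: it attributes each PAM failure to the client IP of the AFP session opened earlier by the same afpd pid, using constructed log lines modelled on the ones above (the second session, pid 16203, is invented for the example).

```python
import re

# Constructed sample built from the afpd lines in the question, plus a second
# session (pid 16203) that fails without ever reaching a "DHX2 login" line.
SAMPLE_LOG = """\
Sep 08 11:54:59.207814 afpd[16190] {dsi_tcp.c:241} (I:DSI): AFP/TCP session from 10.0.71.149:53863
Sep 08 11:54:59.209504 afpd[16190] {uams_dhx2_pam.c:329} (I:UAMS): DHX2 login: thierry
Sep 08 11:54:59.272092 afpd[16190] {uams_dhx2_pam.c:214} (I:UAMS): PAM DHX2: PAM Success
Sep 08 11:55:01.522258 afpd[16190] {uams_dhx2_pam.c:666} (I:UAMS): DHX2: PAM_Error: Authentication failure
Sep 08 11:56:00.000000 afpd[16203] {dsi_tcp.c:241} (I:DSI): AFP/TCP session from 10.0.71.150:40001
Sep 08 11:56:01.000000 afpd[16203] {uams_dhx2_pam.c:666} (I:UAMS): DHX2: PAM_Error: Authentication failure
"""

# afpd forks one process per client, so the pid in brackets ties the
# "session from <ip>" line to the PAM error logged later by the same process.
SESSION_RE = re.compile(r"afpd\[(?P<pid>\d+)\] .* session from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+")
LOGIN_RE = re.compile(r"afpd\[(?P<pid>\d+)\] .*DHX2 login: (?P<user>\S+)")
FAIL_RE = re.compile(r"afpd\[(?P<pid>\d+)\] .*PAM_Error: Authentication failure")

def auth_failures(log_text):
    """Return one (ip, user) tuple per authentication failure, attributed
    to the client IP of the session the failing process belongs to."""
    ip_by_pid, user_by_pid, failures = {}, {}, []
    for line in log_text.splitlines():
        if m := SESSION_RE.search(line):
            ip_by_pid[m["pid"]] = m["ip"]
            user_by_pid.pop(m["pid"], None)      # fresh session, forget old user
        elif m := LOGIN_RE.search(line):
            user_by_pid[m["pid"]] = m["user"]
        elif (m := FAIL_RE.search(line)) and m["pid"] in ip_by_pid:
            failures.append((ip_by_pid[m["pid"]], user_by_pid.get(m["pid"])))
    return failures

def failures_per_ip(log_text):
    """Count failures per client IP, which is what a jail's maxretry compares."""
    counts = {}
    for ip, _ in auth_failures(log_text):
        counts[ip] = counts.get(ip, 0) + 1
    return counts

if __name__ == "__main__":
    for ip, user in auth_failures(SAMPLE_LOG):
        print(f"authentication failure from {ip} (user={user})")
```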
I'd like to append the relevant fail2ban log entry to the notification email I already receive for any given incident.
Does anybody know how this can be done?
Source: (StackOverflow)
I'm having trouble getting fail2ban to detect failed apache-auth attempts
The filters look like this:
^%(_apache_error_client)s (AH01617: )?user .* authentication failure for "\S*": Password Mismatch$
^%(_apache_error_client)s (AH01618: )?user .* not found(: )?\S*\s*$
and the errors that come up:
[Tue Dec 23 13:41:45.870693 2014] [auth_basic:error] [pid 2818] [client 97.171.82.123:91131] AH01617: user miati: authentication failure for "/test/file.html": Password Mismatch, referer: https://example.org/test/file.html
[Tue Dec 23 13:41:45.870693 2014] [auth_basic:error] [pid 2818] [client 97.171.82.123:91131] AH01617: user miati: authentication failure for "/test/file.html": Password Mismatch, referer: https://example.org/test/file.html
Neither work correctly. I would like to get them re-written so they do work but I cannot figure out how the filter works, and googling is not getting me anywhere. Most guides presume I understand the regex, which I do not.
Could anyone explain (or link to) what these parameters in the filter mean so I can modify it on my own?
Source: (StackOverflow)
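In these filters, %(_apache_error_client)s is ConfigParser interpolation of a variable defined elsewhere in the filter (or in an included apache-common.conf) that matches the timestamp, module, pid and [client ...] prefix, with <HOST> standing for the IP fail2ban extracts; the trailing $ anchors the match to the end of the line, and the logged lines above end with ", referer: ...", which that $ rejects. Added example, not part of the question or of fail2ban: the prefix pattern is an approximation written for this example, and it shows the original regex failing on the logged line while a variant that tolerates the referer suffix matches it.

```python
import re

# Approximation of the %(_apache_error_client)s prefix (assumed here, not
# copied from apache-common.conf): timestamp, module:error, optional pid,
# then the client tag whose IP fail2ban would substitute for <HOST>.
APACHE_ERROR_CLIENT = (
    r"\[[^\]]+\] \[(?:\w+:)?error\] (?:\[pid \d+(?::tid \d+)?\] )?"
    r"\[client (?P<host>\d{1,3}(?:\.\d{1,3}){3})(?::\d{1,5})?\]"
)

# The first filter line from the question, with %(...)s expanded.
ORIGINAL = re.compile(
    r"^" + APACHE_ERROR_CLIENT +
    r' (AH01617: )?user .* authentication failure for "\S*": Password Mismatch$'
)
# Same pattern, but allowing the ", referer: <url>" suffix that httpd appends.
FIXED = re.compile(
    r"^" + APACHE_ERROR_CLIENT +
    r' (AH01617: )?user .*? authentication failure for "\S*": Password Mismatch'
    r"(, referer: \S+)?$"
)

# Constructed copy of the error line from the question.
LOG_LINE = ('[Tue Dec 23 13:41:45.870693 2014] [auth_basic:error] [pid 2818] '
            '[client 97.171.82.123:91131] AH01617: user miati: authentication '
            'failure for "/test/file.html": Password Mismatch, '
            'referer: https://example.org/test/file.html')

def matched_host(pattern, line):
    """Return the client IP if the filter matches the line, else None."""
    m = pattern.match(line)
    return m.group("host") if m else None

if __name__ == "__main__":
    print("original:", matched_host(ORIGINAL, LOG_LINE))
    print("fixed:   ", matched_host(FIXED, LOG_LINE))
```

The same check can be run against the real filter with the fail2ban-regex tool shipped with fail2ban, which prints which lines each failregex matched.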
Persistent overseas network attacks being performed on my system without my permission inclined me to install fail2ban since cphulkd does not ban IPs. I am monitoring a few services for unwelcome penetration attempts. Once the service was started, I noticed it was using extremely high CPU resources. 22 emails after the startup disclose that the SSH server jail is stopped and started.
Here is my fail2ban.conf
http://pastebin.com/ptCLmpqm
my jail.conf
http://pastebin.com/KDdmTSCL
note: my emails are obscured for obvious security & spam reasons
fail2ban log
pastebin(dot)com/rq0cqm9J
Source: (StackOverflow)
I want to run a docker container with central log and fail2ban service to prevent dos/ddos attacks.
I'm having a problem to run a container with such capabilities that it could also modify the hosts iptables.
There is a project ianblenke/docker-fail2ban however it does not work...
Giving the container the privileged flag only allows me to control iptables on this container. Is there any way to control the host's iptables through a container?
Regards.
Source: (StackOverflow)
I am trying to install fail2ban on my centos 7.1 server
I did:
yum install epel-release
yum install fail2ban
But I am getting some error messages:
yum install epel-release
Package epel-release-7-5.noarch already installed and latest version
Nothing to do
-----
[root@elliot ~]# yum install fail2ban
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
* atomic: mirror1.34sp.com
* base: centos.mirror.transip.nl
* epel: ftp.nluug.nl
* extras: centos.mirror.transip.nl
* updates: centos.mirror.transip.nl
Resolving Dependencies
--> Running transaction check
---> Package fail2ban.noarch 0:0.9.2-1.el6 will be installed
--> Processing Dependency: python(abi) = 2.6 for package: fail2ban-0.9.2-1.el6.noarch
--> Processing Dependency: python-inotify for package: fail2ban-0.9.2-1.el6.noarch
--> Processing Dependency: gamin-python for package: fail2ban-0.9.2-1.el6.noarch
--> Running transaction check
---> Package fail2ban.noarch 0:0.9.2-1.el6 will be installed
--> Processing Dependency: python(abi) = 2.6 for package: fail2ban-0.9.2-1.el6.noarch
---> Package gamin-python.x86_64 0:0.1.10-16.el7 will be installed
--> Processing Dependency: gamin = 0.1.10-16.el7 for package: gamin-python-0.1.10-16.el7.x86_64
--> Processing Dependency: libgamin-1.so.0()(64bit) for package: gamin-python-0.1.10-16.el7.x86_64
---> Package python-inotify.noarch 0:0.9.4-4.el7 will be installed
--> Running transaction check
---> Package fail2ban.noarch 0:0.9.2-1.el6 will be installed
--> Processing Dependency: python(abi) = 2.6 for package: fail2ban-0.9.2-1.el6.noarch
---> Package gamin.x86_64 0:0.1.10-16.el7 will be installed
--> Finished Dependency Resolution
Error: Package: fail2ban-0.9.2-1.el6.noarch (epel)
Requires: python(abi) = 2.6
Installed: python-2.7.5-18.el7_1.1.x86_64 (@updates)
python(abi) = 2.7
python(abi) = 2.7
Available: python-2.7.5-16.el7.x86_64 (base)
python(abi) = 2.7
python(abi) = 2.7
You could try using --skip-broken to work around the problem
You could try running: rpm -Va --nofiles --nodigest
[root@elliot ~]#
Can someone help me to fix this problem?
I also tried to install it on a new server, and I had no problem on that server.
I can also give you a fee if someone can help me out with this!
Thank you very much
P.S. if you want you can log in to my PC
Thanks again!
Source: (StackOverflow)
I'm new to fail2ban and having a hard time figuring out performance considerations for different configurations I'm thinking about setting up. This is running on a raspberry pi board, so performance is a concern.
The obvious optimizations I can think of are using efficient regular expressions and only the minimum number of jails needed. I guess my specific questions are:
- How does resource usage increase with respect to findtime values? I'm guessing very small and very large values could both impact the server in different ways regarding RAM vs. CPU.
- Similarly, how does the size of a log file and the number of different log files monitored by fail2ban impact overall resource usage?
As an example, this jail would let someone try 3,600 SSH login passwords a day if they figured out the fail2ban config and adjusted their script timing to accommodate.
[ssh]
enabled = true
action = iptables-allports[name=ssh]
filter = sshd
logpath = /var/log/auth.log
maxretry = 6
findtime = 120
If we changed findtime to a different extreme of 86400 (1 day), it would only allow 5 attempts a day, but now it's monitoring a larger portion of the log file. How does this affect resource usage?
Another example, a jail for POST flood attacks:
[apache-post-flood]
enabled = true
action = iptables-allports[name=apache-post-flood]
filter = apache-post-flood
logpath = /var/log/apache2/*access.log
maxretry = 10
findtime = 10
Here, we have the opposite, where the findtime counter is resetting every 10 seconds. It's also monitoring all *access logs (I'm guessing, again, I'm new to this). That could mean it's monitoring access.log, other_vhosts_access.log, and perhaps an https_access.log for https portions of the site. What if it's been a busy day and these files are all 10-20 MB each?
Hope this helps explain what's on my mind. Thanks in advance for your help.
Source: (StackOverflow)
I'm trying to create a fail2ban filter that is going to ban the host when it sends over 100 POST requests in a 30-second interval.
jail.local:
[nginx-postflood]
enabled = false
filter = nginx-postflood
action = myaction
logpath = /var/log/nginx/access.log
findtime = 30
bantime = 100
maxretry = 100
nginx-postflood.conf
[Definition]
failregex = ^<HOST>.*"POST.*
ignoreregex =
Using grep I was able to test the regular expressions and indeed it matches Host and POST requests.
Problem is that it bans any Host that performs at least one POST request. This likely means that it's not taking the findtime or maxretry options into consideration. In my opinion it's a timestamp issue.
Sample line of nginx log:
5.5.5.5 - user [05/Aug/2014:00:00:09 +0200] "POST /auth HTTP/1.1" 200 6714 "http://referer.com" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0"
Any help?
Source: (StackOverflow)
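What findtime and maxretry actually do is count failregex matches per host inside a sliding window, and that window is measured with the timestamp parsed from each log line, so a line whose date is not recognised cannot be placed in the window correctly. Added example, my code rather than fail2ban's, written against the nginx line format quoted in the question and also illustrating the findtime trade-off raised in the Raspberry Pi question above: banned_hosts replays constructed access-log lines through the question's findtime=30 / maxretry=100 jail and reports which hosts would be banned (make_lines and demo are helpers invented for this example).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The question's failregex (^<HOST>.*"POST.*) with the nginx timestamp
# captured explicitly, so the findtime window can be evaluated per match.
POST_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "POST ')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"   # e.g. 05/Aug/2014:00:00:09 +0200

def banned_hosts(lines, findtime=30, maxretry=100):
    """Return {host: ban_time} for hosts with >= maxretry matching POSTs
    inside a sliding window of findtime seconds. Log timestamps, not the
    wall clock, decide window membership."""
    recent = defaultdict(deque)   # host -> timestamps of matches still in window
    bans = {}
    for line in lines:
        m = POST_RE.match(line)
        if not m or m["host"] in bans:
            continue
        ts = datetime.strptime(m["ts"], TS_FORMAT)
        q = recent[m["host"]]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:   # expire old matches
            q.popleft()
        if len(q) >= maxretry:
            bans[m["host"]] = ts
    return bans

def make_lines(host, start, count, gap_s):
    """Constructed access-log lines: `count` POSTs from `host`, `gap_s` apart."""
    return [f'{host} - user [{(start + timedelta(seconds=i * gap_s)).strftime(TS_FORMAT)}] '
            f'"POST /auth HTTP/1.1" 200 6714 "http://referer.com" "Mozilla/5.0"'
            for i in range(count)]

def demo():
    """Three scenarios with the question's findtime=30 / maxretry=100."""
    start = datetime.strptime("05/Aug/2014:00:00:09 +0200", TS_FORMAT)
    return {
        "one_post": banned_hosts(make_lines("5.5.5.5", start, 1, 0)),
        "flood": banned_hosts(make_lines("5.5.5.5", start, 100, 0)),
        "slow_100": banned_hosts(make_lines("6.6.6.6", start, 100, 1)),
    }

if __name__ == "__main__":
    for name, bans in demo().items():
        print(f"{name}: banned={sorted(bans)}")
```

With the 100 requests spread one second apart, at most 31 of them ever share a 30-second window, so the slow sender is never banned while the burst is; a single POST cannot reach maxretry at all.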
My CentOS server has postfix as MTA and it’s working.
When I type the command mail -s "testing" <my gmail address>, I receive the email.
However, Fail2ban is unable to send emails to my gmail address when an IP gets banned. I’m probably missing some configuration in jail.conf.
Here is part of my jail.conf file:
destemail = myaddress@gmail.com
sendername = fail2ban
mta = sendmail
protocol = tcp
action = %(action_mwl)s
I already tried mta = postfix and it didn't work.
Thanks in advance for your help.
EDIT: I was able to make it work. None of the configuration above is correct for my fail2ban v0.8.10 and my linux CentOS 6. In fact, I removed all the lines above (garbage).
I found a pre-defined action in /etc/fail2ban/action.d/mail.conf file.
I noticed this action uses "mail -s" command which works on my server.
So, I decided to use this action in my jail.conf file as such:
[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
mail[name=ssh, dest=my-address@gmail.com]
logpath = /var/log/secure
maxretry = 5
The only thing that needs to be changed to get an email from fail2ban is to add that line below “action” that starts with “mail.” Very simple and easy.
Source: (StackOverflow)
I want to install fail2ban across a range of servers using ansible; ansible is already installed and set up (someone else did this), but my main problem is trying to understand how to create a playbook (which, if I'm correct, will install fail2ban across the range of servers).
Oh I am also using the jail.conf file from a previous machine which I installed fail2ban on manually as I want the configuration (such as time to ban people, who's on the whitelist etc) to be the same across all the servers!
This is my first ever post so if I've forgotten anything please be gentle!
Source: (StackOverflow)
After successfully installing fail2ban on Fedora 20 server (Running On Digital Ocean) using this guide, I checked the fail2ban logs only to find that there were multiple "[Errno 24] Too many open files" errors.
I googled around and realized that I need to increase the number of file descriptors for fail2ban (which currently stands at 1024), but couldn't find a working solution.
How can I increase the number of file descriptors for fail2ban, or is there any other workaround under this environment?
Source: (StackOverflow)
I have recently installed fail2ban on my Ubuntu server to protect against ssh hack attempts. Everything is working as expected except maxretry: I set it to 3 times, yet it banned the IP after the 1st failed attempt. Below are the jail settings inside /etc/fail2ban/jail.local, and when I check auth.log I see one attempt.
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
Source: (StackOverflow)
I'd like to use a regex variable to commit a CIDR subnet mask from the filter.conf to the action.conf. The idea is to block/ban an IP range with fail2ban. Since iptables works with CIDR I would like to use it via fail2ban. Is this possible?
So I would like to commit the failregex variable mask to the action script. Here is my failregex creating the mask variable:
filter.d/test-filter.conf
[Definition]
failregex = ^<HOST>\/(?P<mask>(8|16|24|32))
My test string looks like this:
10.10.10.10/16 [2015-02-11 12:00:00]
This is my action script, which works fine if I set the mask variable directly or via the jail.local (like: action = test-action[mask=16]).
action.d/test-action.conf
[Definition]
...
actionban = iptables -I fail2ban-<name> 1 -s <ip>/<mask> -j DROP
actionunban = iptables -D fail2ban-<name> -s <ip>/<mask> -j DROP
...
[Init]
# Option: mask
# Notes.: used to ban an address-range by netmask(s) in CIDR notation.
# Values: [ 32 | 24 | 16 | 8 ] Default: 32
#
mask = 32
Here is my jail.local (without any variable set).
jail.local
[test]
enabled = true
action = test-action
filter = test-filter
logpath = /etc/fail2ban/test.log
maxretry = 5
findtime = 1000
bantime = -1
Source: (StackOverflow)
I tried fail2ban on my servers at least 10 times; most of the time it does not ban the IP.
In my jail.local
[ssh]
enabled = true
port = ssh,some_port_number
filter = sshd
logpath = /var/log/auth.log
maxretry = 2
bantime = 180
and on my server I install fail2ban and configure it using this in my sh file
sudo apt-get -y install fail2ban
sudo cp custom_jail.local /etc/fail2ban/jail.local
sudo service fail2ban restart
and I also set RepeatedMsgReduction off in rsyslog.conf
and ran this: service rsyslog restart
after ssh login fails (maxretry limit) I am still able to log in; it does not ban my IP
auth.log
Jun 20 21:17:29 localhost sshd[4705]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ip user=username
Jun 20 21:17:32 localhost sshd[4705]: Failed password for username from ip port 36472 ssh2
Jun 20 21:17:36 localhost sshd[4705]: Failed password for username from ip port 36472 ssh2
Jun 20 21:17:41 localhost sshd[4705]: Failed password for username from ip port 36472 ssh2
Jun 20 21:17:41 localhost sshd[4705]: Connection closed by ip [preauth]
fail2ban.log
2015-06-20 21:15:07,186 fail2ban.jail : INFO Jail 'ssh' stopped
2015-06-20 21:15:07,209 fail2ban.jail : INFO Jail 'ssh-ddos' stopped
2015-06-20 21:15:07,210 fail2ban.server : INFO Exiting Fail2ban
2015-06-20 21:15:07,790 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.11
2015-06-20 21:15:07,791 fail2ban.jail : INFO Creating new jail 'ssh'
2015-06-20 21:15:07,821 fail2ban.jail : INFO Jail 'ssh' uses pyinotify
2015-06-20 21:15:07,846 fail2ban.jail : INFO Initiated 'pyinotify' backend
2015-06-20 21:15:07,848 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2015-06-20 21:15:07,849 fail2ban.filter : INFO Set maxRetry = 2
2015-06-20 21:15:07,850 fail2ban.filter : INFO Set findtime = 600
2015-06-20 21:15:07,850 fail2ban.actions: INFO Set banTime = 180
2015-06-20 21:15:07,884 fail2ban.jail : INFO Creating new jail 'ssh-ddos'
2015-06-20 21:15:07,884 fail2ban.jail : INFO Jail 'ssh-ddos' uses pyinotify
2015-06-20 21:15:07,891 fail2ban.jail : INFO Initiated 'pyinotify' backend
2015-06-20 21:15:07,893 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2015-06-20 21:15:07,894 fail2ban.filter : INFO Set maxRetry = 2
2015-06-20 21:15:07,894 fail2ban.filter : INFO Set findtime = 600
2015-06-20 21:15:07,895 fail2ban.actions: INFO Set banTime = 180
2015-06-20 21:15:07,901 fail2ban.jail : INFO Jail 'ssh' started
2015-06-20 21:15:07,907 fail2ban.jail : INFO Jail 'ssh-ddos' started
Source: (StackOverflow)