EzDevInfo.com

fail2ban interview questions

Top fail2ban frequently asked interview questions

fail2ban custom filter on multiline

Is it possible to catch an authentication failure spread across multiple lines with a fail2ban regex?

Here is the example:

Sep 08 11:54:59.207814 afpd[16190] {dsi_tcp.c:241} (I:DSI): AFP/TCP session from 10.0.71.149:53863
Sep 08 11:54:59.209504 afpd[16190] {uams_dhx2_pam.c:329} (I:UAMS): DHX2 login: thierry
Sep 08 11:54:59.272092 afpd[16190] {uams_dhx2_pam.c:214} (I:UAMS): PAM DHX2: PAM Success
Sep 08 11:55:01.522258 afpd[16190] {uams_dhx2_pam.c:666} (I:UAMS): DHX2: PAM_Error: Authentication failure

Thanks


Source: (StackOverflow)
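The failure line above carries no client address; only the earlier "AFP/TCP session from" line of the same afpd process does. The following Python script (an added example, not part of the original post or of fail2ban) shows the correlation a multi-line filter has to express: remember the address per PID, then attribute each failure to it. The log text is constructed from the lines quoted above plus two extra sessions.

```python
import re

# Constructed sample, modelled on the afpd lines quoted in the question,
# plus a second session from another address and a failure with no session line.
SAMPLE_LOG = """\
Sep 08 11:54:59.207814 afpd[16190] {dsi_tcp.c:241} (I:DSI): AFP/TCP session from 10.0.71.149:53863
Sep 08 11:54:59.209504 afpd[16190] {uams_dhx2_pam.c:329} (I:UAMS): DHX2 login: thierry
Sep 08 11:54:59.272092 afpd[16190] {uams_dhx2_pam.c:214} (I:UAMS): PAM DHX2: PAM Success
Sep 08 11:55:01.522258 afpd[16190] {uams_dhx2_pam.c:666} (I:UAMS): DHX2: PAM_Error: Authentication failure
Sep 08 11:56:10.000001 afpd[16201] {dsi_tcp.c:241} (I:DSI): AFP/TCP session from 192.0.2.7:40001
Sep 08 11:56:12.000001 afpd[16201] {uams_dhx2_pam.c:666} (I:UAMS): DHX2: PAM_Error: Authentication failure
Sep 08 11:57:00.000001 afpd[16300] {uams_dhx2_pam.c:666} (I:UAMS): DHX2: PAM_Error: Authentication failure
"""

# Timestamp and afpd PID prefix shared by every line.
PREFIX_RE = re.compile(r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2})\.\d+ afpd\[(?P<pid>\d+)\]")
# The line that carries the client address (but no failure information).
SESSION_RE = re.compile(r"AFP/TCP session from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+$")
# The line that carries the failure (but no client address).
FAILURE_RE = re.compile(r"PAM_Error: Authentication failure$")


def auth_failures(log_text):
    """Return [(timestamp, ip)] for each authentication failure, attributing
    it to the address that opened the session in the same afpd process.
    A failure whose session line was never seen is dropped, not guessed."""
    session_ip = {}   # pid -> client address of that process's session
    failures = []
    for line in log_text.splitlines():
        head = PREFIX_RE.match(line)
        if not head:
            continue   # not an afpd line; a real filter would ignore it too
        pid = head.group("pid")
        session = SESSION_RE.search(line)
        if session:
            session_ip[pid] = session.group("ip")
        elif FAILURE_RE.search(line) and pid in session_ip:
            failures.append((head.group("ts"), session_ip[pid]))
    return failures


if __name__ == "__main__":
    for ts, ip in auth_failures(SAMPLE_LOG):
        print(ts, ip)
```

In fail2ban itself this is what the filter option maxlines and the <SKIPLINES> regex tag (fail2ban 0.9) exist for: the failregex must span the session line and the failure line of the same PID.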

Fail2ban add more info to email notifications

I'd like to append the relevant fail2ban log entry to the notification email I already receive for any given incident.

Does anybody know how this can be done?


Source: (StackOverflow)


fail2ban apache-auth filter not detecting failed passwords

I'm having trouble getting fail2ban to detect failed apache-auth attempts.

The filters look like this:

^%(_apache_error_client)s (AH01617: )?user .* authentication failure for "\S*": Password Mismatch$

^%(_apache_error_client)s (AH01618: )?user .* not found(: )?\S*\s*$

and the errors that come up:

[Tue Dec 23 13:41:45.870693 2014] [auth_basic:error] [pid 2818] [client 97.171.82.123:91131] AH01617: user miati: authentication failure for "/test/file.html": Password Mismatch, referer: https://example.org/test/file.html
[Tue Dec 23 13:41:45.870693 2014] [auth_basic:error] [pid 2818] [client 97.171.82.123:91131] AH01617: user miati: authentication failure for "/test/file.html": Password Mismatch, referer: https://example.org/test/file.html

Neither work correctly. I would like to get them re-written so they do work but I cannot figure out how the filter works, and googling is not getting me anywhere. Most guides presume I understand the regex, which I do not.

Could anyone explain (or link to) what these parameters in the filter mean so I can modify it on my own?


Source: (StackOverflow)
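To see why neither filter line fires on the quoted log line, here is an added Python check (not fail2ban's code and not from the original post). It expands %(_apache_error_client)s with a simplified stand-in for fail2ban's definition in filter.d/apache-common.conf (an assumption, narrowed to IPv4 for <HOST>), then runs the original patterns and a variant that tolerates the ", referer: ..." suffix Apache appends when the request carried a Referer header; the trailing $ in the original rejects that suffix.

```python
import re

# Simplified stand-ins (assumptions) for what fail2ban expands before compiling
# a failregex: <HOST> and %(_apache_error_client)s from filter.d/apache-common.conf.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
APACHE_ERROR_CLIENT = (
    r"\[[^]]*\] \[(?:error|\S+:\S+)\]( \[pid \d+(?::\S+ \d+)?\])? "
    r"\[client " + HOST + r"(?::\d{1,5})?\]"
)

# The two failregex lines exactly as quoted in the question.
ORIGINAL = [
    r'^%(_apache_error_client)s (AH01617: )?user .* authentication failure for "\S*": Password Mismatch$',
    r'^%(_apache_error_client)s (AH01618: )?user .* not found(: )?\S*\s*$',
]
# Same patterns, but allowing an optional ", referer: ..." before end of line.
FIXED = [
    r'^%(_apache_error_client)s (AH01617: )?user .* authentication failure for "\S*": Password Mismatch(, referer: \S*)?\s*$',
    r'^%(_apache_error_client)s (AH01618: )?user .* not found(: )?\S*(, referer: \S*)?\s*$',
]

# First line is from the question; the second is constructed for the AH01618 case.
SAMPLE = [
    '[Tue Dec 23 13:41:45.870693 2014] [auth_basic:error] [pid 2818] [client 97.171.82.123:91131] AH01617: user miati: authentication failure for "/test/file.html": Password Mismatch, referer: https://example.org/test/file.html',
    '[Tue Dec 23 13:42:01.000000 2014] [auth_basic:error] [pid 2818] [client 203.0.113.9:44101] AH01618: user bob not found: /test/file.html, referer: https://example.org/test/file.html',
]


def expand(failregex):
    """Do the %(name)s interpolation fail2ban does; <HOST> is already inside
    APACHE_ERROR_CLIENT here."""
    return failregex.replace("%(_apache_error_client)s", APACHE_ERROR_CLIENT)


def matching_hosts(failregexes, lines):
    """For each line, the host captured by the first failregex that matches,
    or None; this mirrors how a jail decides whether a line counts as a failure."""
    compiled = [re.compile(expand(rx)) for rx in failregexes]
    result = []
    for line in lines:
        hit = next((m for m in (rx.search(line) for rx in compiled) if m), None)
        result.append(hit.group("host") if hit else None)
    return result


if __name__ == "__main__":
    print("original:", matching_hosts(ORIGINAL, SAMPLE))   # [None, None]
    print("fixed:   ", matching_hosts(FIXED, SAMPLE))      # ['97.171.82.123', '203.0.113.9']
```

fail2ban-regex /var/log/apache2/error.log /etc/fail2ban/filter.d/apache-auth.conf performs the same check against the real definitions and is the tool to run before trusting a changed filter.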

How to ban an IP with Fail2Ban manually by command line?

How do I ban an attacker IP with Fail2Ban manually by command line?


Source: (StackOverflow)

High CPU usage 130% of a CPU for fail2ban due to epoch datetime retrieval errors

Persistent overseas network attacks being performed on my system without my permission inclined me to install fail2ban, since cphulkd does not ban IPs. I am monitoring a few services for unwelcome penetration attempts. Once the service was started, I noticed it was using extremely high CPU resources. 22 emails after the startup disclose that the SSH server jail is stopped and started.

Here is my fail2ban.conf: http://pastebin.com/ptCLmpqm

My jail.conf: http://pastebin.com/KDdmTSCL (note that my emails are obscured for obvious security & spam reasons)

fail2ban log: pastebin(dot)com/rq0cqm9J


Source: (StackOverflow)

Docker - modifying IPTABLES for host from container

I want to run a docker container with a central log and a fail2ban service to protect against DoS/DDoS attacks.

I'm having a problem running a container with such capabilities that it could also modify the host's iptables.

There is a project ianblenke/docker-fail2ban, however it does not work...

Giving the container the flag privileged only allows me to control iptables in this container. Is there any way to control the host's iptables through a container?

Regards.


Source: (StackOverflow)

Can't install fail2ban on CentOS 7.1

I am trying to install fail2ban on my CentOS 7.1 server.

I did:

yum install epel-release
yum install fail2ban

But I am getting some error messages:

yum install epel-release
Package epel-release-7-5.noarch already installed and latest version
Nothing to do

-----

[root@elliot ~]# yum install fail2ban
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
 * atomic: mirror1.34sp.com
 * base: centos.mirror.transip.nl
 * epel: ftp.nluug.nl
 * extras: centos.mirror.transip.nl
 * updates: centos.mirror.transip.nl
Resolving Dependencies
--> Running transaction check
---> Package fail2ban.noarch 0:0.9.2-1.el6 will be installed
--> Processing Dependency: python(abi) = 2.6 for package: fail2ban-0.9.2-1.el6.noarch
--> Processing Dependency: python-inotify for package: fail2ban-0.9.2-1.el6.noarch
--> Processing Dependency: gamin-python for package: fail2ban-0.9.2-1.el6.noarch
--> Running transaction check
---> Package fail2ban.noarch 0:0.9.2-1.el6 will be installed
--> Processing Dependency: python(abi) = 2.6 for package: fail2ban-0.9.2-1.el6.noarch
---> Package gamin-python.x86_64 0:0.1.10-16.el7 will be installed
--> Processing Dependency: gamin = 0.1.10-16.el7 for package: gamin-python-0.1.10-16.el7.x86_64
--> Processing Dependency: libgamin-1.so.0()(64bit) for package: gamin-python-0.1.10-16.el7.x86_64
---> Package python-inotify.noarch 0:0.9.4-4.el7 will be installed
--> Running transaction check
---> Package fail2ban.noarch 0:0.9.2-1.el6 will be installed
--> Processing Dependency: python(abi) = 2.6 for package: fail2ban-0.9.2-1.el6.noarch
---> Package gamin.x86_64 0:0.1.10-16.el7 will be installed
--> Finished Dependency Resolution
Error: Package: fail2ban-0.9.2-1.el6.noarch (epel)
           Requires: python(abi) = 2.6
           Installed: python-2.7.5-18.el7_1.1.x86_64 (@updates)
               python(abi) = 2.7
               python(abi) = 2.7
           Available: python-2.7.5-16.el7.x86_64 (base)
               python(abi) = 2.7
               python(abi) = 2.7
 You could try using --skip-broken to work around the problem
 You could try running: rpm -Va --nofiles --nodigest
[root@elliot ~]# 

Can someone help me to fix this problem? I also tried to install it on a new server, and I had no problem on that server.

I can also give you a fee if someone can help me out with this!

Thank you very much

P.S. If you want, you can log in to my PC.

Thanks again!


Source: (StackOverflow)

fail2ban performance considerations regarding log size, complexity, and findtime settings

I'm new to fail2ban and having a hard time figuring out performance considerations for different configurations I'm thinking about setting up. This is running on a raspberry pi board, so performance is a concern.

The obvious optimizations I can think of are using efficient regular expressions and only the minimum number of jails needed. I guess my specific questions are:

  1. How does resource usage increase with respect to findtime values? I'm guessing very small and very large values could both impact the server in different ways regarding RAM vs. CPU.
  2. Similarly, how does the size of a log file and the number of different log files monitored by fail2ban impact overall resource usage?

As an example, this jail would let someone try 3,600 SSH login passwords a day if they figured out the fail2ban config and adjusted their script timing to accommodate.

[ssh]
enabled  = true
action   = iptables-allports[name=ssh]
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 6
findtime = 120

If we changed findtime to a different extreme of 86400 (1 day), it would only allow 5 attempts a day, but now it's monitoring a larger portion of the log file. How does this affect resource usage?

Another example, a jail for POST flood attacks:

[apache-post-flood]
enabled  = true
action   = iptables-allports[name=apache-post-flood]
filter   = apache-post-flood
logpath  = /var/log/apache2/*access.log
maxretry = 10
findtime = 10

Here, we have the opposite, where the findtime counter is resetting every 10 seconds. It's also monitoring all *access logs (I'm guessing, again, I'm new to this). That could mean it's monitoring access.log, other_vhosts_access.log, and perhaps an https_access.log for https portions of the site. What if it's been a busy day and these files are all 10-20 MB each?

Hope this helps explain what's on my mind. Thanks in advance for your help.


Source: (StackOverflow)

Fail2ban for nginx post flood ignores time intervals

I'm trying to create a fail2ban filter that is going to ban the host when it sends over 100 POST requests in a 30-second interval.

jail.local:

[nginx-postflood]

enabled = false
filter = nginx-postflood
action = myaction
logpath = /var/log/nginx/access.log
findtime = 30
bantime = 100
maxretry = 100

nginx-postflood.conf

[Definition]
failregex = ^<HOST>.*"POST.*
ignoreregex =

Using grep I was able to test the regular expression, and indeed it matches the host and POST requests.

The problem is that it bans any host that performs at least one POST request. This likely means that it's not taking the findtime or maxretry options into consideration. In my opinion it's a timestamp issue.

Sample line of nginx log:

5.5.5.5 - user [05/Aug/2014:00:00:09 +0200] "POST /auth HTTP/1.1" 200 6714 "http://referer.com" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0"

Any help?


Source: (StackOverflow)

Fail2ban not sending email notifications

My CentOS server has postfix as MTA and it’s working. When I type the command mail -s "testing" <my gmail address>, I receive the email.

However, Fail2ban is unable to send emails to my gmail address when an IP gets banned. I’m probably missing some configuration in jail.conf.

Here is part of my jail.conf file:

destemail = myaddress@gmail.com
sendername = fail2ban
mta = sendmail
protocol = tcp
action = %(action_mwl)s

I already tried mta = postfix and it didn’t work.

Thanks in advance for your help.

EDIT: I was able to make it work. None of the configuration above is correct for my fail2ban v0.8.10 and my Linux CentOS 6. In fact, I removed all the lines above (garbage).

I found a pre-defined action in /etc/fail2ban/action.d/mail.conf file. I noticed this action uses "mail -s" command which works on my server. So, I decided to use this action in my jail.conf file as such:

[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           mail[name=ssh, dest=my-address@gmail.com]
logpath  = /var/log/secure
maxretry = 5

The only thing that needs to be changed to get an email from fail2ban is to add that line below "action" that starts with "mail." Very simple and easy.


Source: (StackOverflow)

How to install fail2ban using ansible?

I want to install fail2ban across a range of servers using ansible. Ansible is already installed and set up (someone else did this), but my main problem is trying to understand how to create a playbook (which, if I'm correct, will install fail2ban across the range of servers).

Oh I am also using the jail.conf file from a previous machine which I installed fail2ban on manually as I want the configuration (such as time to ban people, who's on the whitelist etc) to be the same across all the servers!

This is my first ever post so if I've forgotten anything please be gentle!


Source: (StackOverflow)

Fail2Ban v0.9 On Fedora 20 "[Errno 24] Too many open files" error

After successfully installing fail2ban on a Fedora 20 server (running on Digital Ocean) using this guide, I checked the fail2ban logs only to find that there were multiple "[Errno 24] Too many open files" errors.

I googled around and realized that I need to increase the number of file descriptors for fail2ban (which currently stands at 1024), but couldn't find a working solution.

How can I increase the number of file descriptors for fail2ban, or is there any other workaround under this environment?


Source: (StackOverflow)

Fail2ban on Ubuntu ignores maxretry setting

I have recently installed fail2ban on my Ubuntu server to protect against SSH hack attempts. Everything is working as expected except the maxretry: I set it to 3 times, yet it banned the IP after the 1st failed attempt. Below are the jail settings inside /etc/fail2ban/jail.local, and when I check auth.log I see one attempt.

[ssh]

enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 3

Source: (StackOverflow)

How to commit a regex-variable to the action-script in fail2ban?

I'd like to use a regex variable to commit a CIDR subnet mask from the filter.conf to the action.conf. The idea is to block/ban an IP range with fail2ban. Since iptables works with CIDR, I would like to use it via fail2ban. Is this possible?


So I would like to commit the failregex variable mask to the action script. Here is my failregex creating the mask variable:

filter.d/test-filter.conf

[Definition]
failregex = ^<HOST>\/(?P<mask>(8|16|24|32))


My test-string looks like this: 10.10.10.10/16 [2015-02-11 12:00:00].
This is my action-script which works fine if I set the mask variable directly or via the jail.local (like: action = test-action[mask=16]).

action.d/test-action.conf

[Definition]
...
actionban = iptables -I fail2ban-<name> 1 -s <ip>/<mask> -j DROP
actionunban = iptables -D fail2ban-<name> -s <ip>/<mask> -j DROP
...

[Init]
# Option:  mask
# Notes.:  used to ban an address-range by netmask(s) in CIDR notation.
# Values:  [ 32 | 24 | 16 | 8 ] Default: 32
#
mask = 32

Here is my jail.local (without any variable set).

jail.local

[test]
enabled   = true
action    = test-action
filter    = test-filter
logpath   = /etc/fail2ban/test.log
maxretry  = 5
findtime  = 1000
bantime   = -1

Source: (StackOverflow)

fail2ban not working or not ban ip after login fail

I have tried fail2ban on my servers at least 10 times; most of the time it does not ban the IP.

In my jail.local

[ssh]

enabled  = true
port     = ssh,some_port_number
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 2
bantime = 180

and on my server I install fail2ban and configure it using this in my sh file:

sudo apt-get -y install fail2ban
sudo cp custom_jail.local /etc/fail2ban/jail.local
sudo service fail2ban restart

and I also set RepeatedMsgReduction off in rsyslog.conf and ran service rsyslog restart.

After the SSH login failures (maxretry limit), I am still able to log in; it does not ban my IP.

auth.log

Jun 20 21:17:29 localhost sshd[4705]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ip  user=username
Jun 20 21:17:32 localhost sshd[4705]: Failed password for username from ip port 36472 ssh2
Jun 20 21:17:36 localhost sshd[4705]: Failed password for username from ip port 36472 ssh2
Jun 20 21:17:41 localhost sshd[4705]: Failed password for username from ip port 36472 ssh2
Jun 20 21:17:41 localhost sshd[4705]: Connection closed by ip [preauth]

fail2ban.log

2015-06-20 21:15:07,186 fail2ban.jail   : INFO   Jail 'ssh' stopped
2015-06-20 21:15:07,209 fail2ban.jail   : INFO   Jail 'ssh-ddos' stopped
2015-06-20 21:15:07,210 fail2ban.server : INFO   Exiting Fail2ban
2015-06-20 21:15:07,790 fail2ban.server : INFO   Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.11
2015-06-20 21:15:07,791 fail2ban.jail   : INFO   Creating new jail 'ssh'
2015-06-20 21:15:07,821 fail2ban.jail   : INFO   Jail 'ssh' uses pyinotify
2015-06-20 21:15:07,846 fail2ban.jail   : INFO   Initiated 'pyinotify' backend
2015-06-20 21:15:07,848 fail2ban.filter : INFO   Added logfile = /var/log/auth.log
2015-06-20 21:15:07,849 fail2ban.filter : INFO   Set maxRetry = 2
2015-06-20 21:15:07,850 fail2ban.filter : INFO   Set findtime = 600
2015-06-20 21:15:07,850 fail2ban.actions: INFO   Set banTime = 180
2015-06-20 21:15:07,884 fail2ban.jail   : INFO   Creating new jail 'ssh-ddos'
2015-06-20 21:15:07,884 fail2ban.jail   : INFO   Jail 'ssh-ddos' uses pyinotify
2015-06-20 21:15:07,891 fail2ban.jail   : INFO   Initiated 'pyinotify' backend
2015-06-20 21:15:07,893 fail2ban.filter : INFO   Added logfile = /var/log/auth.log
2015-06-20 21:15:07,894 fail2ban.filter : INFO   Set maxRetry = 2
2015-06-20 21:15:07,894 fail2ban.filter : INFO   Set findtime = 600
2015-06-20 21:15:07,895 fail2ban.actions: INFO   Set banTime = 180
2015-06-20 21:15:07,901 fail2ban.jail   : INFO   Jail 'ssh' started
2015-06-20 21:15:07,907 fail2ban.jail   : INFO   Jail 'ssh-ddos' started

Source: (StackOverflow)