
nuke
Resolved
Hello.
I was wondering why the attack detector hadn't done anything for a while and also wanted to look at doing something about the hammering against openvpn.

Today I finally had some time and found the following:

systemctl status -l fail2ban.service
● fail2ban.service - Fail2Ban Service
Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; vendor preset: disabled)
Active: active (running) since Mon 2018-05-28 16:39:40 EDT; 3 months 26 days ago
Docs: man:fail2ban(1)
Main PID: 2971 (fail2ban-server)
CGroup: /system.slice/fail2ban.service
└─2971 /usr/bin/python2 -s /usr/bin/fail2ban-server -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid -x -b

Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.


The last time fail2ban wrote anything to a log was Mar 24/25.
-rw-------  1 root         root                0 Mar 25  2018 fail2ban.log


I'm just starting to try to figure this out but am not sure where to start looking. A suggestion on where you start would be appreciated.
Thanks.
Monday, September 24 2018, 02:24 AM
Responses (7)
Monday, September 24 2018, 07:09 AM
    For the moment, just restart fail2ban and see if it starts logging again. You should at least see the start up output. If it does not start logging, restart the rsyslog service. What is the logtarget in /etc/fail2ban/fail2ban.conf?
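As an added example (not part of the thread, and not ClearOS or fail2ban code), the two checks the reply above asks for, done in Python: resolve the effective logtarget the way fail2ban does (keys in fail2ban.local override fail2ban.conf) and compare the log file's size and mtime against the time the service last started. fail2ban writes a startup banner on every start, so a file untouched since before the service started means logging is not working. The config paths, the sample config text and the epoch values are assumptions; only check_host() touches the live system.

```python
"""Health check for a fail2ban that systemd reports 'active' but that never logs.

Added example, not ClearOS or fail2ban code.  Resolves the effective logtarget
(fail2ban.conf overridden by fail2ban.local, as fail2ban itself does) and
compares the log file against the service's last start.  Paths are assumptions.
"""
import configparser
import os
import subprocess
import time

# Values fail2ban accepts for logtarget besides a file path.
SPECIAL_TARGETS = {"STDOUT", "STDERR", "SYSLOG", "SYSOUT"}


def resolve_logtarget(conf_text, local_text=""):
    """Effective logtarget: keys in fail2ban.local override fail2ban.conf."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    if local_text:
        cp.read_string(local_text)   # a second read_string overrides existing keys
    return cp.get("Definition", "logtarget", fallback="SYSLOG")


def diagnose(logtarget, log_size, log_mtime, service_start):
    """Classify the symptom.  log_mtime and service_start are epoch seconds."""
    if logtarget in SPECIAL_TARGETS:
        # Messages leave fail2ban for syslog/stdout; a quiet file proves nothing,
        # so the next thing to look at is rsyslog (or the journal).
        return "check-" + logtarget.lower()
    if log_mtime < service_start:
        # fail2ban logs a startup banner on every start, so a file that has not
        # been touched since the service started means logging is broken.  A
        # 0-byte, months-old file (the thread's symptom) is the clearest case.
        return "never-written-since-start" if log_size == 0 else "stale"
    return "ok"


def service_start_epoch(unit="fail2ban"):
    """Unit's last activation as epoch seconds, from its monotonic timestamp.

    Assumes systemd's monotonic timestamps and time.monotonic() both use
    CLOCK_MONOTONIC, so the boot epoch is time.time() - time.monotonic().
    """
    out = subprocess.check_output(
        ["systemctl", "show", "-p", "ActiveEnterTimestampMonotonic", unit]).decode()
    mono_us = int(out.strip().split("=", 1)[1])
    boot_epoch = time.time() - time.monotonic()
    return boot_epoch + mono_us / 1e6


def check_host(conf="/etc/fail2ban/fail2ban.conf", local="/etc/fail2ban/fail2ban.local"):
    """Run the check on a live host (assumed paths); returns (logtarget, verdict)."""
    def read(path):
        return open(path).read() if os.path.exists(path) else ""

    target = resolve_logtarget(read(conf), read(local))
    size, mtime = 0, 0.0        # a missing log file counts as never written
    if target not in SPECIAL_TARGETS and os.path.exists(target):
        st = os.stat(target)
        size, mtime = st.st_size, st.st_mtime
    return target, diagnose(target, size, mtime, service_start_epoch())


if __name__ == "__main__":
    print(check_host())
```

Run it as root on the box; a verdict of never-written-since-start with a file logtarget says the problem is fail2ban's own logging, while check-syslog says the messages are being handed to rsyslog and that is where to look next.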
nuke
Saturday, December 15 2018, 07:28 PM
    Hi Nick,

    Life got in the way of trying to figure this all out and today, while a bit brain dead from a busy week, I decided to have a go on this.

I restarted fail2ban and it never started logging.

    I was unable to restart the rsyslog service.
    sysctl status rsyslog
    sysctl: cannot stat /proc/sys/status: No such file or directory
    sysctl: cannot stat /proc/sys/rsyslog: No such file or directory


    Strange.

    The logtarget from the fail2ban.conf is:
    logtarget = /var/log/fail2ban.log

I am pretty sure that while fail2ban says it's running, there isn't anything happening.

    On my old COS5.2 box I was getting notices of banned IP addresses all day long. I haven't gotten any for such a long time. There is nothing in the fail2ban.log file.

    systemctl status -l fail2ban.service
    ● fail2ban.service - Fail2Ban Service
    Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; vendor preset: disabled)
    Active: active (running) since Wed 2018-09-26 08:20:12 EDT; 2 months 19 days ago
    Docs: man:fail2ban(1)
    Main PID: 3632 (fail2ban-server)
    CGroup: /system.slice/fail2ban.service
    └─3632 /usr/bin/python2 -s /usr/bin/fail2ban-server -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid -x -b

    Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.
Saturday, December 15 2018, 10:03 PM
    Typo:
    systemctl status rsyslog
nuke
Sunday, December 16 2018, 11:35 PM
    Nick Howitt wrote:

    Typo:
    systemctl status rsyslog

Oops. Thanks Nick!

    Here is the output from the correctly typed command.
    systemctl status rsyslog
    ● rsyslog.service - System Logging Service
    Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
    Active: active (running) since Wed 2018-09-26 08:19:53 EDT; 2 months 20 days ago
    Docs: man:rsyslogd(8)
    http://www.rsyslog.com/doc/
    Main PID: 1372 (rsyslogd)
    CGroup: /system.slice/rsyslog.service
    └─1372 /usr/sbin/rsyslogd -n

    Dec 15 02:40:49 neukom.ca rsyslogd[1372]: imjournal: journal reloaded... [v8.24.0 try http://www.rsysl.../0 ]
    Dec 15 13:29:29 neukom.ca rsyslogd[1372]: imjournal: journal reloaded... [v8.24.0 try http://www.rsysl.../0 ]
    Dec 15 13:29:29 neukom.ca rsyslogd[1372]: imjournal: journal reloaded... [v8.24.0 try http://www.rsysl.../0 ]
    Dec 15 18:24:59 neukom.ca rsyslogd[1372]: imjournal: journal reloaded... [v8.24.0 try http://www.rsysl.../0 ]
    Dec 15 18:24:59 neukom.ca rsyslogd[1372]: imjournal: journal reloaded... [v8.24.0 try http://www.rsysl.../0 ]
    Dec 15 22:00:47 neukom.ca rsyslogd[1372]: imjournal: journal reloaded... [v8.24.0 try http://www.rsysl.../0 ]
    Dec 15 22:00:47 neukom.ca rsyslogd[1372]: imjournal: journal reloaded... [v8.24.0 try http://www.rsysl.../0 ]
    Dec 16 03:23:15 neukom.ca rsyslogd[1372]: [origin software="rsyslogd" swVersion="8.24.0" x-pid="1372"...UPed
    Dec 16 09:32:15 neukom.ca rsyslogd[1372]: imjournal: journal reloaded... [v8.24.0 try http://www.rsysl.../0 ]
    Dec 16 09:32:15 neukom.ca rsyslogd[1372]: imjournal: journal reloaded... [v8.24.0 try http://www.rsysl.../0 ]
    Hint: Some lines were ellipsized, use -l to show in full.


    I'll also restart fail2ban and see what happens.

    Thanks!
Monday, December 17 2018, 08:25 AM
    Can I ask which Attack Detector jails do you have enabled and which ports do you have open in your incoming firewall? Currently the cyrus-imap jail does nothing and will not detect intrusion attempts. There is a fix in the pipeline. If you want to test it out, please do a:
    yum update app-imap --disablerepo=* --enablerepo=clearos-updates-testing
    yum update fail2ban-server --disablerepo=* --enablerepo=epel-unverified
    systemctl restart fail2ban


    Note that unlike the IDS/IPS, Attack Detector only works on exposed ports.
nuke
Monday, December 17 2018, 12:11 PM
    Nick Howitt wrote:

    Can I ask which Attack Detector jails do you have enabled and which ports do you have open in your incoming firewall? Currently the cyrus-imap jail does nothing and will not detect intrusion attempts.

    Note that unlike the IDS/IPS, Attack Detector only works on exposed ports.


    Nick,

    I have cyrus, postfix, sshd & sshd-ddos enabled. I will try the cyrus update you indicated this evening when I get home from work.

Ports open are: 25; 80; 81; 123; 443; 465; 587; 993; 995; 1194; & 1875. All are standard ports used for standard processes.
Monday, December 17 2018, 12:48 PM
    So, from your port list, the sshd and sshd-ddos jails will do nothing as you don't have the port open and cyrus-imapd will do nothing until it is updated.

The postfix jail works but I hardly get any hits. I have implemented the More anti-spam and e-mail defence measures guide (which I wrote ;) ) so I don't have authentication available on port 25. If I had not implemented the guide and had left authentication enabled, I'd get a lot more hits. Also note that hits do not equal bans. You need 5 hits from the same IP in 10 mins (IIRC) before you get a ban and that never happens to me.
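An added example (not part of the thread, and not ClearOS Attack Detector or fail2ban code) that puts the two points from the last replies into code: a jail only matters if the port it guards is exposed in the incoming firewall, and a hit only becomes a ban once maxretry failures from the same IP land within findtime (fail2ban's defaults are 5 and 600 s, the "5 hits in 10 mins" above). The jail-to-port map, the postfix SASL pattern and the log lines are all constructed here; the sliding-window logic is a simplified version of what fail2ban does, not its code.

```python
"""Why an enabled jail can still never ban anyone.

Added example, not ClearOS or fail2ban code.  Two checks: which enabled jails
guard no exposed port, and which IPs in a (constructed) postfix log would reach
maxretry failures inside findtime.  JAIL_PORTS and SASL_FAIL are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed jail -> ports it protects (fail2ban reads this from jail.conf; we don't).
JAIL_PORTS = {
    "sshd": {22},
    "sshd-ddos": {22},
    "postfix": {25, 465, 587},
    "cyrus-imap": {110, 143, 993, 995},
}

# Simplified stand-in for fail2ban's postfix-sasl failregex.
SASL_FAIL = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"warning: \S+\[(?P<ip>[\d.]+)\]: SASL \w+ authentication failed"
)


def inert_jails(enabled, open_ports, jail_ports=JAIL_PORTS):
    """Enabled jails none of whose ports are open in the incoming firewall."""
    exposed = set(open_ports)
    return sorted(j for j in enabled if not (jail_ports.get(j, set()) & exposed))


def simulate_bans(lines, maxretry=5, findtime=600, year=2018):
    """IPs that reach maxretry matches within a findtime-second sliding window.

    Syslog lines carry no year, so one is supplied.  Once an IP is banned its
    later lines are skipped, as fail2ban does until the ban expires.
    """
    window = defaultdict(deque)
    banned = []
    for line in lines:
        m = SASL_FAIL.match(line)
        if not m:
            continue
        ip = m.group("ip")
        if ip in banned:
            continue
        t = datetime.strptime("%d %s" % (year, m.group("ts")), "%Y %b %d %H:%M:%S")
        q = window[ip]
        q.append(t)
        while (t - q[0]).total_seconds() > findtime:   # drop hits outside the window
            q.popleft()
        if len(q) >= maxretry:
            banned.append(ip)
    return banned


def sample_log():
    """Constructed syslog lines: one brute-forcer and one slow prober."""
    def line(ts, ip):
        return ("%s mail postfix/smtpd[2468]: warning: unknown[%s]: "
                "SASL LOGIN authentication failed: authentication failure" % (ts, ip))
    fast = ["Dec 17 10:00:%02d" % s for s in (1, 15, 30, 45, 59)]   # 5 hits in a minute
    slow = ["Dec 17 %02d:00:00" % h for h in (9, 10, 11, 12, 13)]   # 5 hits across 4 hours
    lines = [line(t, "203.0.113.5") for t in fast] + [line(t, "198.51.100.7") for t in slow]
    return sorted(lines)   # timestamp order, as in a real log


if __name__ == "__main__":
    enabled = ["cyrus-imap", "postfix", "sshd", "sshd-ddos"]
    exposed = [25, 80, 81, 123, 443, 465, 587, 993, 995, 1194, 1875]
    print("jails with no exposed port:", inert_jails(enabled, exposed))
    print("banned with defaults:", simulate_bans(sample_log()))
```

With the port list from the post above, inert_jails() returns sshd and sshd-ddos, and with the defaults only the IP that fails five times inside a minute is banned; the slow prober makes the same number of hits and is never banned, which is the hits-versus-bans distinction.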