Hello.
I was wondering why the Attack Detector hadn't done anything for a while and also wanted to look at doing something about the hammering against OpenVPN.
Today I finally had some time and found the following:
systemctl status -l fail2ban.service
● fail2ban.service - Fail2Ban Service
Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; vendor preset: disabled)
Active: active (running) since Mon 2018-05-28 16:39:40 EDT; 3 months 26 days ago
Docs: man:fail2ban(1)
Main PID: 2971 (fail2ban-server)
CGroup: /system.slice/fail2ban.service
└─2971 /usr/bin/python2 -s /usr/bin/fail2ban-server -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid -x -b
Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.
The last time fail2ban wrote anything to a log was Mar 24/25.
-rw------- 1 root root 0 Mar 25 2018 fail2ban.log
I'm just starting to try to figure this out but am not sure where to start looking. A suggestion on where you'd start would be appreciated.
Thanks.
Responses (7)
Hi Nick,
Life got in the way of trying to figure this all out and today, while a bit brain dead from a busy week, I decided to have a go on this.
I did restart fail2ban and it never started logging.
I was unable to restart the rsyslog service.
sysctl status rsyslog
sysctl: cannot stat /proc/sys/status: No such file or directory
sysctl: cannot stat /proc/sys/rsyslog: No such file or directory
Strange.
The logtarget from the fail2ban.conf is:
logtarget = /var/log/fail2ban.log
I am pretty sure that while fail2ban says it's running, there isn't anything happening.
On my old COS5.2 box I was getting notices of banned IP addresses all day long. I haven't gotten any for such a long time. There is nothing in the fail2ban.log file.
systemctl status -l fail2ban.service
● fail2ban.service - Fail2Ban Service
Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; vendor preset: disabled)
Active: active (running) since Wed 2018-09-26 08:20:12 EDT; 2 months 19 days ago
Docs: man:fail2ban(1)
Main PID: 3632 (fail2ban-server)
CGroup: /system.slice/fail2ban.service
└─3632 /usr/bin/python2 -s /usr/bin/fail2ban-server -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid -x -b
Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.
Nick Howitt wrote:
Typo:
systemctl status rsyslog
Ooophs. Thanks Nick!
Here is the output from the correctly typed command.
systemctl status rsyslog
● rsyslog.service - System Logging Service
Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
Active: active (running) since Wed 2018-09-26 08:19:53 EDT; 2 months 20 days ago
Docs: man:rsyslogd(8)
http://www.rsyslog.com/doc/
Main PID: 1372 (rsyslogd)
CGroup: /system.slice/rsyslog.service
└─1372 /usr/sbin/rsyslogd -n
Dec 15 02:40:49 neukom.ca rsyslogd[1372]: imjournal: journal reloaded... [v8.24.0 try http://www.rsysl.../0 ]
Dec 15 13:29:29 neukom.ca rsyslogd[1372]: imjournal: journal reloaded... [v8.24.0 try http://www.rsysl.../0 ]
Dec 15 13:29:29 neukom.ca rsyslogd[1372]: imjournal: journal reloaded... [v8.24.0 try http://www.rsysl.../0 ]
Dec 15 18:24:59 neukom.ca rsyslogd[1372]: imjournal: journal reloaded... [v8.24.0 try http://www.rsysl.../0 ]
Dec 15 18:24:59 neukom.ca rsyslogd[1372]: imjournal: journal reloaded... [v8.24.0 try http://www.rsysl.../0 ]
Dec 15 22:00:47 neukom.ca rsyslogd[1372]: imjournal: journal reloaded... [v8.24.0 try http://www.rsysl.../0 ]
Dec 15 22:00:47 neukom.ca rsyslogd[1372]: imjournal: journal reloaded... [v8.24.0 try http://www.rsysl.../0 ]
Dec 16 03:23:15 neukom.ca rsyslogd[1372]: [origin software="rsyslogd" swVersion="8.24.0" x-pid="1372"...UPed
Dec 16 09:32:15 neukom.ca rsyslogd[1372]: imjournal: journal reloaded... [v8.24.0 try http://www.rsysl.../0 ]
Dec 16 09:32:15 neukom.ca rsyslogd[1372]: imjournal: journal reloaded... [v8.24.0 try http://www.rsysl.../0 ]
Hint: Some lines were ellipsized, use -l to show in full.
I'll also restart fail2ban and see what happens.
Thanks!
Can I ask which Attack Detector jails do you have enabled and which ports do you have open in your incoming firewall? Currently the cyrus-imap jail does nothing and will not detect intrusion attempts. There is a fix in the pipeline. If you want to test it out, please do a:
yum update app-imap --disablerepo=* --enablerepo=clearos-updates-testing
yum update fail2ban-server --disablerepo=* --enablerepo=epel-unverified
systemctl restart fail2ban
Note that unlike the IDS/IPS, Attack Detector only works on exposed ports.
Nick Howitt wrote:
Can I ask which Attack Detector jails do you have enabled and which ports do you have open in your incoming firewall? Currently the cyrus-imap jail does nothing and will not detect intrusion attempts.
Note that unlike the IDS/IPS, Attack Detector only works on exposed ports.
Nick,
I have cyrus, postfix, sshd & sshd-ddos enabled. I will try the cyrus update you indicated this evening when I get home from work.
Ports open are: 25; 80; 81; 123; 443; 465; 587; 993; 995; 1194; & 1875. All are standard-use ports used for standard processes.
So, from your port list, the sshd and sshd-ddos jails will do nothing as you don't have the port open and cyrus-imapd will do nothing until it is updated.
The postfix jail works but I hardly get any hits. I have implemented the More anti-spam and e-mail defence measures (which I wrote) so I don't have authentication available on port 25. If I had not implemented the guide and left authentication enabled, I'd get a lot more hits. Also note that hits do not equal bans. You need 5 hits from the same IP in 10 mins (IIRC) before you get a ban and that never happens to me.
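As an added illustration of the point that hits do not equal bans (this is example code, not from the thread and not fail2ban's own code): a small Python model of a jail's findtime/maxretry counting, run over constructed postfix SASL-failure lines. The filter regex, the IP addresses and the log lines are assumptions made for the example; the threshold of 5 hits from one IP within 10 minutes is the one stated above.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Jail settings as described in the thread: 5 hits from one IP within 10 minutes.
MAXRETRY, FINDTIME = 5, timedelta(minutes=10)
# Constructed postfix SASL-failure lines in syslog format (example data, not real logs):
# 203.0.113.10 fails 5 times in 9 minutes; 198.51.100.7 fails 5 times spread over 8 hours.
SAMPLE_LOG = """\
Dec 16 03:00:00 mail postfix/smtpd[2001]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Dec 16 05:00:00 mail postfix/smtpd[2002]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Dec 16 07:00:00 mail postfix/smtpd[2003]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Dec 16 09:00:01 mail postfix/smtpd[1001]: warning: unknown[203.0.113.10]: SASL LOGIN authentication failed: authentication failure
Dec 16 09:00:05 mail postfix/smtpd[2004]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Dec 16 09:02:15 mail postfix/smtpd[1002]: warning: unknown[203.0.113.10]: SASL LOGIN authentication failed: authentication failure
Dec 16 09:03:00 mail postfix/smtpd[1003]: connect from unknown[203.0.113.10]
Dec 16 09:04:30 mail postfix/smtpd[1003]: warning: unknown[203.0.113.10]: SASL LOGIN authentication failed: authentication failure
Dec 16 09:06:45 mail postfix/smtpd[1004]: warning: unknown[203.0.113.10]: SASL LOGIN authentication failed: authentication failure
Dec 16 09:09:00 mail postfix/smtpd[1005]: warning: unknown[203.0.113.10]: SASL LOGIN authentication failed: authentication failure
Dec 16 11:00:00 mail postfix/smtpd[2005]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
"""
# Assumed filter: only SASL authentication failures count as hits.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"warning: \S+\[(?P<ip>[\d.]+)\]: SASL \w+ authentication failed"
)
def parse(line, year=2018):
    """Return (timestamp, ip) for a line the filter matches, else None (syslog lacks a year)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["ip"]

def find_bans(log_text, maxretry=MAXRETRY, findtime=FINDTIME):
    """Per-IP sliding window: forget hits older than findtime, ban once it holds maxretry."""
    window, hits, bans = defaultdict(deque), defaultdict(int), {}
    for line in log_text.splitlines():
        parsed = parse(line)
        if parsed is None:
            continue  # not matched by the filter, so not a hit at all
        ts, ip = parsed
        hits[ip] += 1
        if ip in bans:
            continue  # already banned; fail2ban would be dropping this traffic
        q = window[ip]
        q.append(ts)
        while ts - q[0] > findtime:
            q.popleft()
        if len(q) >= maxretry:
            bans[ip] = ts
    return dict(hits), bans
```

Both addresses produce five hits, but only the one that clusters them inside the 10-minute window is banned; the "connect from" line is not a hit because the filter never matches it.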