Problem with Fail2Ban


8 replies to this topic

#1 wilo300zx


    DDP Fan club member

  • Members
  • 43 posts
  • Location:Australia

Posted 02 June 2009 - 11:41 PM

As you may have gathered on our #Binrev channel, I have been receiving numerous brute force attempts against my Proftpd server.

It's for public use so I can't change the default FTP port. I have added numerous IPs to the Deny All section of proftpd.conf but it's a battle that can't be won.

I think someone on #Binrev suggested I should install fail2ban on the server, so I have done that and now I'm having trouble trying to get it to work.

I was following this documentation:
fail2ban article

But I can't seem to get it to work. I am running Ubuntu Server 9.04, and I am aware that the article was written for an older version of Ubuntu, but I figured that it should still work, as all the paths to the service log files remain the same.

I have the latest version of fail2ban 8.1 and I have modified the fail2ban.local and fail2ban.conf files according to what I need. I want to be able to stop brute forces against my postfix, apache and proftpd daemons.

This is my configuration file:
[DEFAULT]
ignoreip = 127.0.0.1 xxx.xx.xx.xxx
bantime  = 600
maxretry = 3

# "backend" specifies the backend used to get files modification.
backend = polling

# Destination email address used to email about attacks
destemail = xxxx@xxx.com


# ACTIONS

# Default banning action
banaction = iptables-multiport
# email action.
mta = sendmail
# Default protocol
protocol = tcp


# Action shortcuts. To be used to define action parameter

# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s]

# ban & send an e-mail with whois report to the destemail.
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s]
			  %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s]

# ban & send an e-mail with whois report and relevant log lines
# to the destemail.
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s]
			   %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s]
 
# Choose default action.  To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g.  action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section 
action = %(action_mwl)s


[ssh]

enabled = true
port	= ssh
filter	= sshd
logpath  = /var/log/auth.log
maxretry = 6



[apache]

enabled = true
port	= http
filter	= apache-auth
logpath = /var/log/apache*/*access.log
maxretry = 6



[proftpd]

enabled  = true
port	 = ftp
filter   = proftpd
logpath  = /var/log/proftpd/proftpd.log
maxretry = 6
[


This is the error I get when I try to restart the fail2ban service:
infotech@infotechserver:/etc/fail2ban$ sudo /etc/init.d/fail2ban restart
 * Restarting authentication failure monitor fail2ban						   Traceback (most recent call last):
  File "/usr/bin/fail2ban-client", line 401, in <module>
	if client.start(sys.argv):
  File "/usr/bin/fail2ban-client", line 370, in start
	return self.__processCommand(args)
  File "/usr/bin/fail2ban-client", line 180, in __processCommand
	ret = self.__readConfig()
  File "/usr/bin/fail2ban-client", line 374, in __readConfig
	self.__configurator.readAll()
  File "/usr/share/fail2ban/client/configurator.py", line 58, in readAll
	self.__jails.read()
  File "/usr/share/fail2ban/client/jailsreader.py", line 41, in read
	ConfigReader.read(self, "jail")
  File "/usr/share/fail2ban/client/configreader.py", line 59, in read
	SafeConfigParserWithIncludes.read(self, [bConf, bLocal])
  File "/usr/share/fail2ban/client/configparserinc.py", line 105, in read
	fileNamesFull += SafeConfigParserWithIncludes.getIncludes(filename)
  File "/usr/share/fail2ban/client/configparserinc.py", line 76, in getIncludes
	parser.read(resource)
  File "/usr/lib/python2.6/ConfigParser.py", line 286, in read
	self._read(fp, filename)
  File "/usr/lib/python2.6/ConfigParser.py", line 510, in _read
	raise e
ConfigParser.ParsingError: File contains parsing errors: /etc/fail2ban/jail.local
	[line 74]: '[\n'
																		 [fail]

Any ideas what I am doing wrong? I have tried googling for the answer but I don't get any answers.

#2 n3xg3n


    "I Hack, therefore, I am"

  • Members
  • 960 posts
  • Gender:Male
  • Location:(703)

Posted 02 June 2009 - 11:47 PM

It looks like it might have something to do with the "[" alone on the last line of your config file, though that is coming out of a left field guess with no experience on the subject...

#3 Ohm


    I could have written a book with all of these posts

  • Members
  • 3,209 posts
  • Gender:Male
  • Location:Maine, USA

Posted 03 June 2009 - 12:10 AM

Yes, it looks like you have a stray [ at the end of the config file. It's really nice of them to give you a useful error message instead of a huge stack trace, but the error you want is at the end of the stack trace.

I just have one question: what is your password policy? If you have a good password policy, then brute force attempts are irrelevant. They eat a little bandwidth and gum up your log files, but do you really need to block them? The concern when implementing something like this is you'll unintentionally ban one of your regular users. If someone forgets their password or just has butterfingers, they're going to end up banning themselves.

#4 n3xg3n


    "I Hack, therefore, I am"

  • Members
  • 960 posts
  • Gender:Male
  • Location:(703)

Posted 03 June 2009 - 12:16 AM

> Yes, it looks like you have a stray [ at the end of the config file. It's really nice of them to give you a useful error message instead of a huge stack trace, but the error you want is at the end of the stack trace.


Yeah, I noticed that too, but I was somewhat unsure because it reports the error on "[line 74]", but unless he cropped out some whitespace or something (IPB taking away whitespace?), that trailing '[' is on line 70. Unless it is saying that the exception was raised on line 74 of the source file, in which case this is the worst error reporting system ever devised.
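A pre-flight check for this class of error, as an added example that is not part of the thread or of fail2ban: it parses a jail file with Python's standard ConfigParser (the library in the traceback), reports the file line of every line the parser rejects, and checks that each enabled jail has port, filter and logpath. The sample jail text is constructed; the line number it reports is the 1-based line in the file, blank lines included, which is what the traceback's "[line 74]" counts (not a line in the fail2ban source).

```python
"""Lint a fail2ban jail file before restarting the service (added example)."""
import configparser

# Constructed sample modelled on post #1: a stray "[" after the last jail.
BROKEN_JAIL = """\
[DEFAULT]
ignoreip = 127.0.0.1
bantime  = 600
maxretry = 3

[ssh]
enabled = true
port    = ssh
filter  = sshd
logpath = /var/log/auth.log

[proftpd]
enabled  = true
port     = ftp
filter   = proftpd
logpath  = /var/log/proftpd/proftpd.log
[
"""

REQUIRED_JAIL_KEYS = ("port", "filter", "logpath")


def lint_jail(text):
    """Return (parse_errors, missing) for jail config text.

    parse_errors: list of (lineno, line) for lines ConfigParser rejects,
                  lineno being the 1-based line in the file, blank lines included.
    missing:      list of "jail: key" for enabled jails lacking a required key.
    """
    # interpolation=None: the %(banaction)s[...] action shortcuts are expanded
    # by fail2ban itself, so we must not try to resolve them here.
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cfg.read_string(text)
    except configparser.ParsingError as exc:
        # exc.errors holds (lineno, line) pairs; map back to the file's text.
        lines = text.splitlines()
        return [(n, lines[n - 1]) for n, _ in exc.errors], []
    missing = []
    for jail in cfg.sections():
        if not cfg.getboolean(jail, "enabled", fallback=False):
            continue
        for key in REQUIRED_JAIL_KEYS:
            if not cfg.has_option(jail, key):  # [DEFAULT] counts, as in fail2ban
                missing.append(f"{jail}: {key}")
    return [], missing


if __name__ == "__main__":
    errors, missing = lint_jail(BROKEN_JAIL)
    for lineno, line in errors:
        print(f"jail.local line {lineno}: cannot parse {line!r}")
    for item in missing:
        print("missing:", item)
```

Run it against the real file with `lint_jail(open("/etc/fail2ban/jail.local").read())` before restarting; `fail2ban-client -d` then dumps what fail2ban actually loaded.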

#5 wilo300zx


    DDP Fan club member

  • Members
  • 43 posts
  • Location:Australia

Posted 03 June 2009 - 01:02 AM

Wow, it appears that the '[' was the cause of all that debugger crap in the terminal. I removed the '[' and restarted the service, all is good. When I saw 14 lines of code saying error I thought I must have deleted half of its dependencies.

Also, the reason I'm implementing the fail2ban policy is that the attack happens for about 5 hours a day, and even though I use alphanumeric user names and alphanumeric-symbol passwords, I hate the thought of someone trying to crack my systems >.<

Failing this, I may have to invest in some defensive enumeration on this Madrid jerk, teach the kiddie script a lesson ;)


infotech@infotechserver:/etc/fail2ban$ sudo /etc/init.d/fail2ban restart
[sudo] password for infotech: 
 * Restarting authentication failure monitor fail2ban					[ OK ]


#6 wilo300zx


    DDP Fan club member

  • Members
  • 43 posts
  • Location:Australia

Posted 03 June 2009 - 01:19 AM

Now when I restart the service and go to check my fail2ban.log file I get entries full of this:
fail2ban.server : ERROR  Unexpected communication error
I know fail2ban is working for SSH:
2009-06-03 16:14:35,291 fail2ban.actions: WARNING [ssh] Ban 202.169.224.202

But it's not working for proftpd; I have tried a few times. Any ideas?

These are the errors I get in the fail2ban logs:

2009-06-03 16:14:33,277 fail2ban.server : INFO   Exiting Fail2ban
2009-06-03 16:14:33,808 fail2ban.server : INFO   Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.3
2009-06-03 16:14:33,809 fail2ban.jail   : INFO   Creating new jail 'ssh'
2009-06-03 16:14:33,810 fail2ban.jail   : INFO   Jail 'ssh' uses poller
2009-06-03 16:14:33,847 fail2ban.server : ERROR  Unexpected communication error
2009-06-03 16:14:33,848 fail2ban.filter : INFO   Added logfile = /var/log/auth.log
2009-06-03 16:14:33,849 fail2ban.server : ERROR  Unexpected communication error
2009-06-03 16:14:33,850 fail2ban.filter : INFO   Set maxRetry = 6
2009-06-03 16:14:33,850 fail2ban.server : ERROR  Unexpected communication error
2009-06-03 16:14:33,852 fail2ban.server : ERROR  Unexpected communication error
2009-06-03 16:14:33,853 fail2ban.server : ERROR  Unexpected communication error
2009-06-03 16:14:33,854 fail2ban.filter : INFO   Set findtime = 600
2009-06-03 16:14:33,855 fail2ban.server : ERROR  Unexpected communication error
2009-06-03 16:14:33,855 fail2ban.actions: INFO   Set banTime = 600
2009-06-03 16:14:33,856 fail2ban.server : ERROR  Unexpected communication error
2009-06-03 16:14:33,867 fail2ban.server : ERROR  Unexpected communication error
2009-06-03 16:14:33,874 fail2ban.server : ERROR  Unexpected communication error
2009-06-03 16:14:33,881 fail2ban.server : ERROR  Unexpected communication error
2009-06-03 16:14:33,889 fail2ban.server : ERROR  Unexpected communication error
2009-06-03 16:14:33,897 fail2ban.server : ERROR  Unexpected communication error
2009-06-03 16:14:33,907 fail2ban.server : ERROR  Unexpected communication error
2009-06-03 16:14:33,919 fail2ban.server : ERROR  Unexpected communication error
2009-06-03 16:14:33,933 fail2ban.server : ERROR  Unexpected communication error
2009-06-03 16:14:33,950 fail2ban.server : ERROR  Unexpected communication error
2009-06-03 16:14:33,967 fail2ban.server : ERROR  Unexpected communication error
2009-06-03 16:14:33,986 fail2ban.jail   : INFO   Creating new jail 'apache'
2009-06-03 16:14:33,986 fail2ban.jail   : INFO   Jail 'apache' uses poller
2009-06-03 16:14:33,988 fail2ban.filter : INFO   Added logfile = /var/log/apache2/other_vhosts_access.log
2009-06-03 16:14:33,989 fail2ban.filter : INFO   Added logfile = /var/log/apache2/access.log
2009-06-03 16:14:33,991 fail2ban.filter : INFO   Set maxRetry = 6
2009-06-03 16:14:33,994 fail2ban.filter : INFO   Set findtime = 600
2009-06-03 16:14:33,995 fail2ban.actions: INFO   Set banTime = 600
2009-06-03 16:14:34,000 fail2ban.server : ERROR  Unexpected communication error
2009-06-03 16:14:34,003 fail2ban.server : ERROR  Unexpected communication error
2009-06-03 16:14:34,004 fail2ban.server : ERROR  Unexpected communication error
2009-06-03 16:14:34,005 fail2ban.server : ERROR  Unexpected communication error
2009-06-03 16:14:34,007 fail2ban.server : ERROR  Unexpected communication error
2009-06-03 16:14:34,008 fail2ban.server : ERROR  Unexpected communication error
2009-06-03 16:14:34,010 fail2ban.server : ERROR  Unexpected communication error
2009-06-03 16:14:34,011 fail2ban.server : ERROR  Unexpected communication error
2009-06-03 16:14:34,012 fail2ban.server : ERROR  Unexpected communication error
2009-06-03 16:14:34,014 fail2ban.server : ERROR  Unexpected communication error
2009-06-03 16:14:34,015 fail2ban.server : ERROR  Unexpected communication error
2009-06-03 16:14:34,016 fail2ban.server : ERROR  Unexpected communication error
2009-06-03 16:14:34,018 fail2ban.server : ERROR  Unexpected communication error
2009-06-03 16:14:34,020 fail2ban.server : ERROR  Unexpected communication error
2009-06-03 16:14:34,022 fail2ban.server : ERROR  Unexpected communication error
2009-06-03 16:14:34,023 fail2ban.server : ERROR  Unexpected communication error
2009-06-03 16:14:34,024 fail2ban.server : ERROR  Unexpected communication error
2009-06-03 16:14:34,026 fail2ban.server : ERROR  Unexpected communication error
2009-06-03 16:14:34,027 fail2ban.server : ERROR  Unexpected communication error
2009-06-03 16:14:34,028 fail2ban.server : ERROR  Unexpected communication error
2009-06-03 16:14:34,029 fail2ban.server : ERROR  Unexpected communication error
2009-06-03 16:14:34,030 fail2ban.jail   : INFO   Creating new jail 'proftpd'
2009-06-03 16:14:34,030 fail2ban.jail   : INFO   Jail 'proftpd' uses poller
2009-06-03 16:14:34,032 fail2ban.server : ERROR  Unexpected communication error
2009-06-03 16:14:34,033 fail2ban.filter : INFO   Added logfile = /var/log/proftpd/proftpd.log
2009-06-03 16:14:34,034 fail2ban.server : ERROR  Unexpected communication error
2009-06-03 16:14:34,034 fail2ban.filter : INFO   Set maxRetry = 6
2009-06-03 16:14:34,035 fail2ban.server : ERROR  Unexpected communication error
2009-06-03 16:14:34,036 fail2ban.server : ERROR  Unexpected communication error
2009-06-03 16:14:34,038 fail2ban.server : ERROR  Unexpected communication error
2009-06-03 16:14:34,038 fail2ban.filter : INFO   Set findtime = 600
2009-06-03 16:14:34,039 fail2ban.server : ERROR  Unexpected communication error
2009-06-03 16:14:34,040 fail2ban.actions: INFO   Set banTime = 600
2009-06-03 16:14:34,041 fail2ban.server : ERROR  Unexpected communication error
2009-06-03 16:14:34,044 fail2ban.server : ERROR  Unexpected communication error
2009-06-03 16:14:34,047 fail2ban.server : ERROR  Unexpected communication error
2009-06-03 16:14:34,051 fail2ban.server : ERROR  Unexpected communication error
2009-06-03 16:14:34,054 fail2ban.server : ERROR  Unexpected communication error
2009-06-03 16:14:34,055 fail2ban.server : ERROR  Unexpected communication error
2009-06-03 16:14:34,057 fail2ban.server : ERROR  Unexpected communication error
2009-06-03 16:14:34,058 fail2ban.server : ERROR  Unexpected communication error
2009-06-03 16:14:34,060 fail2ban.server : ERROR  Unexpected communication error
2009-06-03 16:14:34,061 fail2ban.server : ERROR  Unexpected communication error
2009-06-03 16:14:34,062 fail2ban.server : ERROR  Unexpected communication error
2009-06-03 16:14:34,064 fail2ban.server : ERROR  Unexpected communication error
2009-06-03 16:14:34,065 fail2ban.server : ERROR  Unexpected communication error
2009-06-03 16:14:34,066 fail2ban.server : ERROR  Unexpected communication error
2009-06-03 16:14:34,068 fail2ban.server : ERROR  Unexpected communication error
2009-06-03 16:14:34,070 fail2ban.server : ERROR  Unexpected communication error
2009-06-03 16:14:34,072 fail2ban.server : ERROR  Unexpected communication error
2009-06-03 16:14:34,073 fail2ban.server : ERROR  Unexpected communication error
2009-06-03 16:14:34,074 fail2ban.server : ERROR  Unexpected communication error
2009-06-03 16:14:34,076 fail2ban.server : ERROR  Unexpected communication error
2009-06-03 16:14:34,077 fail2ban.server : ERROR  Unexpected communication error
2009-06-03 16:14:34,078 fail2ban.server : ERROR  Unexpected communication error
2009-06-03 16:14:34,080 fail2ban.server : ERROR  Unexpected communication error
2009-06-03 16:14:34,081 fail2ban.server : ERROR  Unexpected communication error
2009-06-03 16:14:34,156 fail2ban.jail   : INFO   Jail 'ssh' started
2009-06-03 16:14:34,162 fail2ban.server : ERROR  Unexpected communication error
2009-06-03 16:14:34,240 fail2ban.jail   : INFO   Jail 'apache' started
2009-06-03 16:14:34,241 fail2ban.server : ERROR  Unexpected communication error
2009-06-03 16:14:34,290 fail2ban.jail   : INFO   Jail 'proftpd' started
2009-06-03 16:14:34,344 fail2ban.server : ERROR  Unexpected communication error
2009-06-03 16:14:35,291 fail2ban.actions: WARNING [ssh] Ban 202.169.224.202


Also this is my iptables. I can see one person has been blocked, but why aren't the people on FTP that I know are brute forcing getting blocked?
infotech@infotechserver:/etc/fail2ban$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target	 prot opt source			   destination		 
fail2ban-proftpd  tcp  --  anywhere			 anywhere			multiport dports ftp 
fail2ban-apache  tcp  --  anywhere			 anywhere			multiport dports www 
fail2ban-ssh  tcp  --  anywhere			 anywhere			multiport dports ssh 

Chain FORWARD (policy ACCEPT)
target	 prot opt source			   destination		 

Chain OUTPUT (policy ACCEPT)
target	 prot opt source			   destination		 

Chain fail2ban-apache (1 references)
target	 prot opt source			   destination		 
RETURN	 all  --  anywhere			 anywhere			

Chain fail2ban-proftpd (1 references)
target	 prot opt source			   destination		 
RETURN	 all  --  anywhere			 anywhere			

Chain fail2ban-ssh (1 references)
target	 prot opt source			   destination		 
DROP	   all  --  host-202-169-224-202.jmn.net.id  anywhere			
RETURN	 all  --  anywhere			 anywhere

Edited by wilo300zx, 03 June 2009 - 01:24 AM.
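One check worth doing when a jail is started but never bans, as an added example that is neither the thread's nor fail2ban's code: replay proftpd log lines through the filter's regexes and the jail's maxretry/findtime/bantime rule, which is the regex half of what `fail2ban-regex` does. The regexes are modelled on fail2ban's proftpd filter and the log lines are constructed with RFC 5737 addresses; both are assumptions, so compare against filter.d/proftpd.conf and the real log on the host.

```python
"""Replay proftpd log lines through a fail2ban-style filter and jail (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

MAXRETRY, FINDTIME, BANTIME = 6, 600, 600  # seconds, as in the thread's jail
YEAR = 2009  # proftpd.log timestamps carry no year; assumed for the sample

TIMESTAMP = re.compile(r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) ")
HOST = r"\((?P<client>\S+)\[(?P<host>[\d.]+)\]\)"
# Modelled on fail2ban's filter.d/proftpd.conf failregex (assumption).
FAILREGEX = [re.compile(HOST + tail) for tail in (
    r"[: -]+ USER \S+: no such user found from \S+ \[\S+\] to \S+:\S+$",
    r"[: -]+ USER \S+ \(Login failed\): .*$",
    r"[: -]+ SECURITY VIOLATION: \S+ login attempted\.$",
    r"[: -]+ Maximum login attempts \(\d+\) exceeded$",
)]

# Constructed sample: 7 failures from one host within 35 s, and 2 failures
# from another host around a successful login (which must not count).
SAMPLE_LOG = "\n".join(
    [f"Jun 03 16:10:{s:02d} ftphost proftpd[2231] ftphost "
     "(203.0.113.7[203.0.113.7]): USER admin: no such user found from "
     "203.0.113.7 [203.0.113.7] to 192.0.2.10:21" for s in range(0, 35, 5)]
    + ["Jun 03 16:11:00 ftphost proftpd[2240] ftphost (198.51.100.9[198.51.100.9]):"
       " USER alice (Login failed): Incorrect password.",
       "Jun 03 16:11:09 ftphost proftpd[2241] ftphost (198.51.100.9[198.51.100.9]):"
       " USER alice: Login successful.",
       "Jun 03 16:11:30 ftphost proftpd[2243] ftphost (198.51.100.9[198.51.100.9]):"
       " USER alice (Login failed): Incorrect password."])


def match_failures(log_text):
    """Yield (timestamp, host) for every line that some failregex matches."""
    for line in log_text.splitlines():
        for rx in FAILREGEX:
            m = rx.search(line)
            if m:
                ts = TIMESTAMP.match(line).group("ts")
                yield datetime.strptime(f"{YEAR} {ts}", "%Y %b %d %H:%M:%S"), m.group("host")
                break


def simulate_jail(log_text, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """Return {host: [ban_time, ...]}: ban when a host reaches maxretry
    failures within findtime seconds; ignore its lines while the ban lasts."""
    recent = defaultdict(list)  # host -> failure times still inside findtime
    banned_until = {}           # host -> expiry of the current ban
    bans = defaultdict(list)
    for ts, host in sorted(match_failures(log_text)):
        if host in banned_until and ts < banned_until[host]:
            continue  # iptables would already be dropping this client
        window = [t for t in recent[host] if ts - t <= timedelta(seconds=findtime)]
        window.append(ts)
        recent[host] = window
        if len(window) >= maxretry:
            bans[host].append(ts)
            banned_until[host] = ts + timedelta(seconds=bantime)
            recent[host] = []
    return dict(bans)


if __name__ == "__main__":
    for host, times in simulate_jail(SAMPLE_LOG).items():
        print(host, "banned at", ", ".join(t.strftime("%H:%M:%S") for t in times))
```

If `match_failures` yields nothing for the real log, the problem is the filter or log format rather than the banning backend; if it yields matches and the jail still never bans, the fault is downstream of the filter.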


#7 n3xg3n


    "I Hack, therefore, I am"

  • Members
  • 960 posts
  • Gender:Male
  • Location:(703)

Posted 03 June 2009 - 07:46 AM

Apparently the Unexpected communication errors (and possibly FTP's non-banning) are a result of Fail2Ban's incompatibility with Python 2.6 (References: [1] [2]). As of now, the best bet is to force Fail2Ban to use Python 2.5 when starting.

Try using the method described in reference 2 (here) and see if that works.

Solution for Ubuntu 9.04

#apt-get install python2.5

Change the Python version used to execute the fail2ban-server script.

/usr/bin/fail2ban-server (edit)

Change the first line from:
#!/usr/bin/python
--> to
#!/usr/bin/python2.5

After that restart fail2ban
# /etc/init.d/fail2ban restart


Edited by n3xg3n, 03 June 2009 - 07:47 AM.


#8 wilo300zx


    DDP Fan club member

  • Members
  • 43 posts
  • Location:Australia

Posted 03 June 2009 - 11:12 PM

n3xg3n thanks, that worked a charm! I feel so stupid; bad formatting and my seeming inability to use Google are my downfall :(

I have had fail2ban working for about 3 hours now and already have 7 blocked IPs, 4 against my FTP service and 3 against my SSH service.
So much kiddie script shit out there...

Would it be worthwhile implementing an IDS?

#9 Pan


    Gibson Hacker

  • Members
  • 94 posts
  • Location:Detroit

Posted 04 June 2009 - 02:43 PM

> Yes, it looks like you have a stray [ at the end of the config file. It's really nice of them to give you a useful error message instead of a huge stack trace, but the error you want is at the end of the stack trace.
>
> I just have one question: what is your password policy? If you have a good password policy, then brute force attempts are irrelevant. They eat a little bandwidth and gum up your log files, but do you really need to block them? The concern when implementing something like this is you'll unintentionally ban one of your regular users. If someone forgets their password or just has butterfingers, they're going to end up banning themselves.


It depends on the environment of course, but there are a couple of problems with just letting things be. For example, if you are bound to a Directory Service (LDAP, AD), the requests get passed on, which can overburden those servers. Another issue is that brute force is another step in fingerprinting the server.

In terms of bans, note that fail2ban and denyhosts both have exception policies. So, though a user may temporarily block themselves, you can still protect against non-valid name queries or legit name queries from erroneous IPs.

best,

Pan



