wilo300zx

Problem with Fail2Ban

9 posts in this topic

As you may have gathered from our #Binrev channel, I have been receiving numerous brute force attempts against my ProFTPD server.

It's for public use so I can't change the default FTP port. I have added numerous IPs to the Deny All section of proftpd.conf, but it's a battle that can't be won.

I think someone on #Binrev suggested I should install fail2ban on the server, so I have done that and now I'm having trouble trying to get it to work.

I was following this documentation:

fail2ban article

But I can't seem to get it to work. I am running Ubuntu Server 9.04, and I am aware that the article was written for an older version of Ubuntu, but I figured that it should still work, as all the parameters for the service log files remain the same.

I have the latest version of fail2ban, 8.1, and I have modified the fail2ban.local and fail2ban.conf files according to what I need. I want to be able to stop brute forces against my postfix, apache and proftpd daemons.

This is my configuration file:

[DEFAULT]
ignoreip = 127.0.0.1 xxx.xx.xx.xxx
bantime = 600
maxretry = 3

# "backend" specifies the backend used to get files modification.
backend = polling

# Destination email address used to email about attacks
destemail = xxxx@xxx.com


# ACTIONS

# Default banning action
banaction = iptables-multiport
# email action.
mta = sendmail
# Default protocol
protocol = tcp


# Action shortcuts. To be used to define action parameter

# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s"]

# ban & send an e-mail with whois report to the destemail.
# (continuation lines of a multi-line value must be indented)
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s"]
            %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s"]

# ban & send an e-mail with whois report and relevant log lines
# to the destemail.
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s"]
             %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s]

# Choose default action. To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
action = %(action_mwl)s


[ssh]

enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 6



[apache]

enabled = true
port = http
filter = apache-auth
logpath = /var/log/apache*/*access.log
maxretry = 6



[proftpd]

enabled = true
port = ftp
filter = proftpd
logpath = /var/log/proftpd/proftpd.log
maxretry = 6
[

This is the error I get when I try to restart the fail2ban service:

infotech@infotechserver:/etc/fail2ban$ sudo /etc/init.d/fail2ban restart
* Restarting authentication failure monitor fail2ban Traceback (most recent call last):
File "/usr/bin/fail2ban-client", line 401, in <module>
if client.start(sys.argv):
File "/usr/bin/fail2ban-client", line 370, in start
return self.__processCommand(args)
File "/usr/bin/fail2ban-client", line 180, in __processCommand
ret = self.__readConfig()
File "/usr/bin/fail2ban-client", line 374, in __readConfig
self.__configurator.readAll()
File "/usr/share/fail2ban/client/configurator.py", line 58, in readAll
self.__jails.read()
File "/usr/share/fail2ban/client/jailsreader.py", line 41, in read
ConfigReader.read(self, "jail")
File "/usr/share/fail2ban/client/configreader.py", line 59, in read
SafeConfigParserWithIncludes.read(self, [bConf, bLocal])
File "/usr/share/fail2ban/client/configparserinc.py", line 105, in read
fileNamesFull += SafeConfigParserWithIncludes.getIncludes(filename)
File "/usr/share/fail2ban/client/configparserinc.py", line 76, in getIncludes
parser.read(resource)
File "/usr/lib/python2.6/ConfigParser.py", line 286, in read
self._read(fp, filename)
File "/usr/lib/python2.6/ConfigParser.py", line 510, in _read
raise e
ConfigParser.ParsingError: File contains parsing errors: /etc/fail2ban/jail.local
[line 74]: '[\n'
[fail]

Any ideas what I am doing wrong? I have tried googling for the answer but I don't get any answers.


It looks like it might have something to do with the "[" alone on the last line of your config file, though that is coming out of a left field guess with no experience on the subject...


Yes, it looks like you have a stray [ at the end of the config file. It's really nice of them to give you a useful error message instead of a huge stack trace, but the error you want is at the end of the stack trace.

I just have one question: what is your password policy? If you have a good password policy, then brute force attempts are irrelevant. They eat a little bandwidth and gum up your log files, but do you really need to block them? The concern when implementing something like this is that you'll unintentionally ban one of your regular users. If someone forgets their password or just has butterfingers, they're going to end up banning themselves.
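As an added example (not part of the original thread and not fail2ban's own code), the following Python 3 script reproduces the failure diagnosed above on a constructed copy of the posted jail.local: a line holding only `[` is neither a `[section]` header nor a `key = value` pair, so ConfigParser records it and raises ParsingError with the offending line number at the end of the file, which is exactly the last line of the stack trace in the first post. The script also flags any enabled jail that lacks a `filter` or `logpath`, so the file can be checked before the service is restarted. The sample configurations, the `check_jail_config` function and the `REQUIRED_JAIL_KEYS` list are mine; fail2ban does its own `%(...)s` substitution (for example `__name__`), so the file is parsed with interpolation switched off.

```python
"""Check a fail2ban jail.local before restarting the service.

Added example, not fail2ban's own code. Constructed sample configs below
mirror the thread's file, including the stray '[' on its last line.
"""
import configparser
import sys

# Constructed sample: a trimmed copy of the posted jail.local, stray '[' included.
BAD_CONFIG = """\
[DEFAULT]
ignoreip = 127.0.0.1
bantime = 600
maxretry = 3
backend = polling
banaction = iptables-multiport
mta = sendmail
destemail = root@localhost
# Continuation lines of a multi-line value must be indented.
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s"]
             %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s]
action = %(action_mwl)s

[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 6

[proftpd]
enabled = true
port = ftp
filter = proftpd
logpath = /var/log/proftpd/proftpd.log
maxretry = 6
[
"""

# The same file with the stray bracket removed.
GOOD_CONFIG = BAD_CONFIG.replace("maxretry = 6\n[\n", "maxretry = 6\n")

# Keys every enabled jail needs before fail2ban can watch a log (my choice).
REQUIRED_JAIL_KEYS = ("filter", "logpath")


def check_jail_config(text, source="jail.local"):
    """Parse jail.local text and report parse errors and incomplete jails.

    Returns a dict with keys:
      ok             - True only if the file parses and every enabled jail is complete
      parse_errors   - list of (line number, offending line) from ConfigParser
      enabled_jails  - names of sections with enabled = true
      missing        - {jail: [missing keys]}
    """
    result = {"ok": True, "parse_errors": [], "enabled_jails": [], "missing": {}}
    # fail2ban expands %(__name__)s and friends itself, so parse the raw text.
    parser = configparser.ConfigParser(interpolation=None)
    try:
        parser.read_string(text, source=source)
    except configparser.ParsingError as exc:
        # exc.errors holds (lineno, repr-of-line) pairs, one per bad line.
        result["parse_errors"] = [(lineno, str(line)) for lineno, line in exc.errors]
        result["ok"] = False
        return result
    for section in parser.sections():  # [DEFAULT] is not listed here
        enabled = parser.get(section, "enabled", fallback="false").strip().lower()
        if enabled != "true":
            continue
        result["enabled_jails"].append(section)
        missing = [key for key in REQUIRED_JAIL_KEYS if not parser.has_option(section, key)]
        if missing:
            result["missing"][section] = missing
            result["ok"] = False
    return result


def main(argv):
    """Check the file given on the command line, or the built-in samples."""
    if len(argv) > 1:
        with open(argv[1]) as handle:
            text = handle.read()
        report = check_jail_config(text, source=argv[1])
    else:
        report = check_jail_config(BAD_CONFIG)
    for lineno, line in report["parse_errors"]:
        print("parse error at line %d: %s" % (lineno, line))
    for jail, keys in report["missing"].items():
        print("jail [%s] is missing: %s" % (jail, ", ".join(keys)))
    print("enabled jails:", ", ".join(report["enabled_jails"]) or "none")
    return 0 if report["ok"] else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 check_jail.py /etc/fail2ban/jail.local`; a non-zero exit status means the file would fail the same way the init script did. With no argument it runs on the built-in copy of the broken file and prints the line number of the lone `[`.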

> Yes, it looks like you have a stray [ at the end of the config file. It's really nice of them to give you a useful error message instead of a huge stack trace, but the error you want is at the end of the stack trace.

Yeah, I noticed that too, but I was somewhat unsure because it reports the error on "[line 74]", but unless he cropped out some whitespace or something (IPB taking away whitespace?), that trailing '[' is on line 70. Unless it is saying that the exception was raised on line 74 of the source file, in which case this is the worst error reporting system ever devised :huh:


Wow, it appears that the '[' was the cause of all that debugger crap in the terminal. I removed the '[' and restarted the service, and all is good. When I saw 14 lines of code saying error I thought I must have deleted half of its dependencies.

Also, the reason I'm implementing the fail2ban policy is that the attack happens for about 5 hours a day, and even though I use alphanumeric user names and alphanumeric-symbol passwords, I hate the thought of someone trying to crack my systems >.<

Failing this, I may have to invest in some defensive enumeration on this Madrid jerk, teach the kiddie script a lesson ;)

infotech@infotechserver:/etc/fail2ban$ sudo /etc/init.d/fail2ban restart
[sudo] password for infotech:
* Restarting authentication failure monitor fail2ban [ OK ]


Now when I restart the service and go to check my fail2ban.log files I get an entry full of this:

fail2ban.server : ERROR  Unexpected communication error

I know fail2ban is working for SSH:

2009-06-03 16:14:35,291 fail2ban.actions: WARNING [ssh] Ban 202.169.224.202

But it's not working for proftpd; I have tried a few times. Any ideas?

These are the errors I get in the fail2ban logs:

2009-06-03 16:14:33,277 fail2ban.server : INFO   Exiting Fail2ban
2009-06-03 16:14:33,808 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.3
2009-06-03 16:14:33,809 fail2ban.jail : INFO Creating new jail 'ssh'
2009-06-03 16:14:33,810 fail2ban.jail : INFO Jail 'ssh' uses poller
2009-06-03 16:14:33,847 fail2ban.server : ERROR Unexpected communication error
2009-06-03 16:14:33,848 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2009-06-03 16:14:33,849 fail2ban.server : ERROR Unexpected communication error
2009-06-03 16:14:33,850 fail2ban.filter : INFO Set maxRetry = 6
2009-06-03 16:14:33,850 fail2ban.server : ERROR Unexpected communication error
2009-06-03 16:14:33,852 fail2ban.server : ERROR Unexpected communication error
2009-06-03 16:14:33,853 fail2ban.server : ERROR Unexpected communication error
2009-06-03 16:14:33,854 fail2ban.filter : INFO Set findtime = 600
2009-06-03 16:14:33,855 fail2ban.server : ERROR Unexpected communication error
2009-06-03 16:14:33,855 fail2ban.actions: INFO Set banTime = 600
2009-06-03 16:14:33,856 fail2ban.server : ERROR Unexpected communication error
2009-06-03 16:14:33,867 fail2ban.server : ERROR Unexpected communication error
2009-06-03 16:14:33,874 fail2ban.server : ERROR Unexpected communication error
2009-06-03 16:14:33,881 fail2ban.server : ERROR Unexpected communication error
2009-06-03 16:14:33,889 fail2ban.server : ERROR Unexpected communication error
2009-06-03 16:14:33,897 fail2ban.server : ERROR Unexpected communication error
2009-06-03 16:14:33,907 fail2ban.server : ERROR Unexpected communication error
2009-06-03 16:14:33,919 fail2ban.server : ERROR Unexpected communication error
2009-06-03 16:14:33,933 fail2ban.server : ERROR Unexpected communication error
2009-06-03 16:14:33,950 fail2ban.server : ERROR Unexpected communication error
2009-06-03 16:14:33,967 fail2ban.server : ERROR Unexpected communication error
2009-06-03 16:14:33,986 fail2ban.jail : INFO Creating new jail 'apache'
2009-06-03 16:14:33,986 fail2ban.jail : INFO Jail 'apache' uses poller
2009-06-03 16:14:33,988 fail2ban.filter : INFO Added logfile = /var/log/apache2/other_vhosts_access.log
2009-06-03 16:14:33,989 fail2ban.filter : INFO Added logfile = /var/log/apache2/access.log
2009-06-03 16:14:33,991 fail2ban.filter : INFO Set maxRetry = 6
2009-06-03 16:14:33,994 fail2ban.filter : INFO Set findtime = 600
2009-06-03 16:14:33,995 fail2ban.actions: INFO Set banTime = 600
2009-06-03 16:14:34,000 fail2ban.server : ERROR Unexpected communication error
2009-06-03 16:14:34,003 fail2ban.server : ERROR Unexpected communication error
2009-06-03 16:14:34,004 fail2ban.server : ERROR Unexpected communication error
2009-06-03 16:14:34,005 fail2ban.server : ERROR Unexpected communication error
2009-06-03 16:14:34,007 fail2ban.server : ERROR Unexpected communication error
2009-06-03 16:14:34,008 fail2ban.server : ERROR Unexpected communication error
2009-06-03 16:14:34,010 fail2ban.server : ERROR Unexpected communication error
2009-06-03 16:14:34,011 fail2ban.server : ERROR Unexpected communication error
2009-06-03 16:14:34,012 fail2ban.server : ERROR Unexpected communication error
2009-06-03 16:14:34,014 fail2ban.server : ERROR Unexpected communication error
2009-06-03 16:14:34,015 fail2ban.server : ERROR Unexpected communication error
2009-06-03 16:14:34,016 fail2ban.server : ERROR Unexpected communication error
2009-06-03 16:14:34,018 fail2ban.server : ERROR Unexpected communication error
2009-06-03 16:14:34,020 fail2ban.server : ERROR Unexpected communication error
2009-06-03 16:14:34,022 fail2ban.server : ERROR Unexpected communication error
2009-06-03 16:14:34,023 fail2ban.server : ERROR Unexpected communication error
2009-06-03 16:14:34,024 fail2ban.server : ERROR Unexpected communication error
2009-06-03 16:14:34,026 fail2ban.server : ERROR Unexpected communication error
2009-06-03 16:14:34,027 fail2ban.server : ERROR Unexpected communication error
2009-06-03 16:14:34,028 fail2ban.server : ERROR Unexpected communication error
2009-06-03 16:14:34,029 fail2ban.server : ERROR Unexpected communication error
2009-06-03 16:14:34,030 fail2ban.jail : INFO Creating new jail 'proftpd'
2009-06-03 16:14:34,030 fail2ban.jail : INFO Jail 'proftpd' uses poller
2009-06-03 16:14:34,032 fail2ban.server : ERROR Unexpected communication error
2009-06-03 16:14:34,033 fail2ban.filter : INFO Added logfile = /var/log/proftpd/proftpd.log
2009-06-03 16:14:34,034 fail2ban.server : ERROR Unexpected communication error
2009-06-03 16:14:34,034 fail2ban.filter : INFO Set maxRetry = 6
2009-06-03 16:14:34,035 fail2ban.server : ERROR Unexpected communication error
2009-06-03 16:14:34,036 fail2ban.server : ERROR Unexpected communication error
2009-06-03 16:14:34,038 fail2ban.server : ERROR Unexpected communication error
2009-06-03 16:14:34,038 fail2ban.filter : INFO Set findtime = 600
2009-06-03 16:14:34,039 fail2ban.server : ERROR Unexpected communication error
2009-06-03 16:14:34,040 fail2ban.actions: INFO Set banTime = 600
2009-06-03 16:14:34,041 fail2ban.server : ERROR Unexpected communication error
2009-06-03 16:14:34,044 fail2ban.server : ERROR Unexpected communication error
2009-06-03 16:14:34,047 fail2ban.server : ERROR Unexpected communication error
2009-06-03 16:14:34,051 fail2ban.server : ERROR Unexpected communication error
2009-06-03 16:14:34,054 fail2ban.server : ERROR Unexpected communication error
2009-06-03 16:14:34,055 fail2ban.server : ERROR Unexpected communication error
2009-06-03 16:14:34,057 fail2ban.server : ERROR Unexpected communication error
2009-06-03 16:14:34,058 fail2ban.server : ERROR Unexpected communication error
2009-06-03 16:14:34,060 fail2ban.server : ERROR Unexpected communication error
2009-06-03 16:14:34,061 fail2ban.server : ERROR Unexpected communication error
2009-06-03 16:14:34,062 fail2ban.server : ERROR Unexpected communication error
2009-06-03 16:14:34,064 fail2ban.server : ERROR Unexpected communication error
2009-06-03 16:14:34,065 fail2ban.server : ERROR Unexpected communication error
2009-06-03 16:14:34,066 fail2ban.server : ERROR Unexpected communication error
2009-06-03 16:14:34,068 fail2ban.server : ERROR Unexpected communication error
2009-06-03 16:14:34,070 fail2ban.server : ERROR Unexpected communication error
2009-06-03 16:14:34,072 fail2ban.server : ERROR Unexpected communication error
2009-06-03 16:14:34,073 fail2ban.server : ERROR Unexpected communication error
2009-06-03 16:14:34,074 fail2ban.server : ERROR Unexpected communication error
2009-06-03 16:14:34,076 fail2ban.server : ERROR Unexpected communication error
2009-06-03 16:14:34,077 fail2ban.server : ERROR Unexpected communication error
2009-06-03 16:14:34,078 fail2ban.server : ERROR Unexpected communication error
2009-06-03 16:14:34,080 fail2ban.server : ERROR Unexpected communication error
2009-06-03 16:14:34,081 fail2ban.server : ERROR Unexpected communication error
2009-06-03 16:14:34,156 fail2ban.jail : INFO Jail 'ssh' started
2009-06-03 16:14:34,162 fail2ban.server : ERROR Unexpected communication error
2009-06-03 16:14:34,240 fail2ban.jail : INFO Jail 'apache' started
2009-06-03 16:14:34,241 fail2ban.server : ERROR Unexpected communication error
2009-06-03 16:14:34,290 fail2ban.jail : INFO Jail 'proftpd' started
2009-06-03 16:14:34,344 fail2ban.server : ERROR Unexpected communication error
2009-06-03 16:14:35,291 fail2ban.actions: WARNING [ssh] Ban 202.169.224.202

Also, this is my iptables. I can see one person has been blocked, but why aren't the people on FTP who I know are brute forcing getting blocked?

infotech@infotechserver:/etc/fail2ban$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
fail2ban-proftpd tcp -- anywhere anywhere multiport dports ftp
fail2ban-apache tcp -- anywhere anywhere multiport dports www
fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain fail2ban-apache (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere

Chain fail2ban-proftpd (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere

Chain fail2ban-ssh (1 references)
target prot opt source destination
DROP all -- host-202-169-224-202.jmn.net.id anywhere
RETURN all -- anywhere anywhere

Edited by wilo300zx

Apparently the Unexpected communication errors (and possibly FTP's non-banning) are a result of Fail2Ban's incompatibility with Python 2.6 (References: [1] [2]). As of now, the best bet is to force Fail2Ban to use Python 2.5 when starting.

Try using the method described in reference 2 (here) and see if that works.

Solution for Ubuntu 9.04

#apt-get install python2.5

Change the Python version used to execute the fail2ban-server script.

/usr/bin/fail2ban-server (edit)

Change the first line from:

#!/usr/bin/python

--> to

#!/usr/bin/python2.5

After that, restart fail2ban:

# /etc/init.d/fail2ban restart

Edited by n3xg3n

n3xg3n, thanks, that worked a charm! I feel so stupid; bad formatting and my seeming inability to use Google are my downfall :(

I have had fail2ban working for about 3 hours now and already have 7 blocked IPs, 4 against my FTP service and 3 against my SSH service.

So much kiddie script shit out there...

Would it be worthwhile implementing an IDS?

> Yes, it looks like you have a stray [ at the end of the config file. It's really nice of them to give you a useful error message instead of a huge stack trace, but the error you want is at the end of the stack trace.
>
> I just have one question: what is your password policy? If you have a good password policy, then brute force attempts are irrelevant. They eat a little bandwidth and gum up your log files, but do you really need to block them? The concern when implementing something like this is that you'll unintentionally ban one of your regular users. If someone forgets their password or just has butterfingers, they're going to end up banning themselves.

It depends on the environment, of course, but there are a couple of problems with just letting things be. For example, if you are bound to a directory service (LDAP, AD), the requests get passed on, which can overburden those servers. Another issue is that brute force is another step in fingerprinting the server.

In terms of bans, note that fail2ban and denyhosts both have exception policies. So, though a user may temporarily block themselves, you can still protect against non-valid name queries or legit name queries from erroneous IPs.

best,

Pan

