Starting fail2ban: [FAILED]

Discussion in 'General' started by qvs5010, Nov 4, 2010.

  1. qvs5010

    Hi


    I have followed the instructions on
    http://www.sunshinenetworks.com.au/how- ... art-1.html

    to get fail2ban installed. I have used the configs from the site, but I keep getting an error.


    [root@voip fail2ban]# fail2ban-client start
    WARNING 'action' not defined in 'php-url-fopen'. Using default value
    WARNING 'action' not defined in 'lighttpd-fastcgi'. Using default value
    WARNING 'enabled' not defined in 'asterisk-iptables'. Using default value
    WARNING 'logpath' not defined in 'asterisk-iptables'. Using default value
    WARNING 'filter' not defined in 'asterisk-iptables'. Using default value
    WARNING 'action' not defined in 'asterisk-iptables'. Using default value
    ERROR No section: 'Definition'
    ERROR No section: 'Definition'
    ERROR Error in action definition
    ERROR Errors in jail 'asterisk-iptables'. Skipping...
    [root@voip fail2ban]#



    My jail.conf looks like this:

    [DEFAULT]
    # hosts that are never banned; space-separated list
    ignoreip = 127.0.0.1
    # seconds a matched host stays banned
    bantime = 600
    # a host is banned once it produces "maxretry" failures within "findtime" seconds
    findtime = 600
    maxretry = 3
    # log monitoring backend: gamin if available, otherwise polling
    backend = auto

    [asterisk-iptables]
    enabled = true
    filter = asterisk
    logpath = /var/log/asterisk/fail2ban
    # two actions: firewall block on every port, then a whois notification mail.
    # The second line is indented deeper than "action" so the parser reads it
    # as a continuation of the same value rather than as a new option.
    action = iptables-allports[name=ASTERISK, protocol=all]
             sendmail-whois[name=ASTERISK, dest=qvs5010@xxxxxx.co.za, sender=fail2ban@xxxxxx.co.za]
    # stricter than [DEFAULT]: 5 failures within 300 s
    maxretry = 5
    findtime = 300
    # identical to the [DEFAULT] values; repeated here so the jail is self-contained
    bantime = 600
    ignoreip = 127.0.0.1

    and my /etc/fail2ban/filter.d/asterisk.conf

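    # /etc/fail2ban/filter.d/asterisk.conf
    # Fail2Ban configuration file
    #
    # Filter used by the [asterisk-iptables] jail (logpath /var/log/asterisk/fail2ban).
    #
    # $Revision: 250 $
    #

    [INCLUDES]

    # Read common prefixes. If any customizations available -- read them from
    # common.local
    #before = common.conf


    [Definition]

    #_daemon = asterisk

    # Every additional pattern MUST be indented deeper than "failregex": the
    # config parser joins an indented line onto the previous value and treats
    # a line at column 0 as a new option. If these lines really sit at column 0
    # in the file (the forum may have stripped the indentation), each line that
    # contains a ':' is silently read as a bogus option (so it never bans
    # anything) and the one line with neither ':' nor '=' is a parse error,
    # which is consistent with the "No section: 'Definition'" message above.
    # Adding ".*:" to that line, as suggested later in this thread, only turns
    # the parse error into one more ignored option; indenting is the real fix.
    # <HOST> is fail2ban's alias for the host/IP capture group.
    failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password
                NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found
                NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch
                NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL
                NOTICE.* <HOST> failed to authenticate as '.*'$
                NOTICE.* .*: No registration for peer '.*' (from <HOST>)
                NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
                NOTICE.* .*: Failed to authenticate user .*@<HOST>.*


    # no log lines are exempted from matching
    ignoreregex =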


    Nothing appears in the log file to say what is wrong or what is not working.

    Can anybody help, please? :(
     
  2. Lee Sharp

    Well, my jail.conf is much bigger than yours. Is yours really that small, or are you just posting the changes? For example,
    Code:
    # Fail2Ban configuration file
    #
    # Author: Cyril Jaquier
    #
    # $Revision: 747 $
    #
    # NOTE(review): read by fail2ban-client through Python's ConfigParser (the
    # traceback later in this thread shows the call chain). Comment lines must
    # start in column 0, and a value continues onto the following lines only
    # when those lines are indented deeper than the key, as the two-line
    # "action" and "logpath" values below are.
    
    # The DEFAULT allows a global definition of the options. They can be override
    # in each jail afterwards.
    # NOTE(review): no "action" is defined in [DEFAULT], so a jail that omits
    # "action" (php-url-fopen and lighttpd-fastcgi below) falls back to
    # fail2ban's built-in default and logs "'action' not defined in ..." at
    # start-up -- the warnings shown in the first post. Harmless while those
    # jails stay "enabled = false".
    
    [DEFAULT]
    
    # "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
    # ban a host which matches an address in this list. Several addresses can be
    # defined using space separator.
    ignoreip = 127.0.0.1 192.168.0.0/16
    
    # "bantime" is the number of seconds that a host is banned.
    bantime  = 600
    
    # A host is banned if it has generated "maxretry" during the last "findtime"
    # seconds.
    findtime  = 600
    
    # "maxretry" is the number of failures before a host get banned.
    maxretry = 3
    
    # "backend" specifies the backend used to get files modification. Available
    # options are "gamin", "polling" and "auto". This option can be overridden in
    # each jail too (use "gamin" for a jail and "polling" for another).
    #
    # gamin:   requires Gamin (a file alteration monitor) to be installed. If Gamin
    #          is not installed, Fail2ban will use polling.
    # polling: uses a polling algorithm which does not require external libraries.
    # auto:    will choose Gamin if available and polling otherwise.
    backend = auto
    
    
    # This jail corresponds to the standard configuration in Fail2ban 0.6.
    # The mail-whois action send a notification e-mail with a whois request
    # in the body.
    
    [ssh-iptables]
    
    enabled  = true
    filter   = sshd
    action   = iptables[name=SSH, port=ssh, protocol=tcp]
               sendmail-whois[name=SSH, dest=lee.sharp@****.net, sender=fail2ban@****.net]
    logpath  = /var/log/secure
    maxretry = 5
    
    [proftpd-iptables]
    
    enabled  = false
    filter   = proftpd
    action   = iptables[name=ProFTPD, port=ftp, protocol=tcp]
               sendmail-whois[name=ProFTPD, dest=you@mail.com]
    logpath  = /var/log/proftpd/proftpd.log
    maxretry = 6
    
    # This jail forces the backend to "polling".
    
    [sasl-iptables]
    
    enabled  = false
    filter   = sasl
    backend  = polling
    action   = iptables[name=sasl, port=smtp, protocol=tcp]
               sendmail-whois[name=sasl, dest=you@mail.com]
    logpath  = /var/log/mail.log
    
    # Here we use TCP-Wrappers instead of Netfilter/Iptables. "ignoreregex" is
    # used to avoid banning the user "myuser".
    
    [ssh-tcpwrapper]
    
    enabled     = false
    filter      = sshd
    action      = hostsdeny
                  sendmail-whois[name=SSH, dest=you@mail.com]
    ignoreregex = for myuser from
    logpath     = /var/log/sshd.log
    
    # This jail demonstrates the use of wildcards in "logpath".
    # Moreover, it is possible to give other files on a new line.
    
    [apache-tcpwrapper]
    
    enabled  = false
    filter	 = apache-auth
    action   = hostsdeny
    logpath  = /var/log/apache*/*error.log
               /home/www/myhomepage/error.log
    maxretry = 6
    
    # The hosts.deny path can be defined with the "file" argument if it is
    # not in /etc.
    
    [postfix-tcpwrapper]
    
    enabled  = false
    filter   = postfix
    action   = hostsdeny[file=/not/a/standard/path/hosts.deny]
               sendmail[name=Postfix, dest=you@mail.com]
    logpath  = /var/log/postfix.log
    bantime  = 300
    
    # Do not ban anybody. Just report information about the remote host.
    # A notification is sent at most every 600 seconds (bantime).
    
    [vsftpd-notification]
    
    enabled  = false
    filter   = vsftpd
    action   = sendmail-whois[name=VSFTPD, dest=you@mail.com]
    logpath  = /var/log/vsftpd.log
    maxretry = 5
    bantime  = 1800
    
    # Same as above but with banning the IP address.
    
    [vsftpd-iptables]
    
    enabled  = false
    filter   = vsftpd
    action   = iptables[name=VSFTPD, port=ftp, protocol=tcp]
               sendmail-whois[name=VSFTPD, dest=you@mail.com]
    logpath  = /var/log/vsftpd.log
    maxretry = 5
    bantime  = 1800
    
    # Ban hosts which agent identifies spammer robots crawling the web
    # for email addresses. The mail outputs are buffered.
    
    [apache-badbots]
    
    enabled  = false
    filter   = apache-badbots
    action   = iptables-multiport[name=BadBots, port="http,https"]
               sendmail-buffered[name=BadBots, lines=5, dest=you@mail.com]
    logpath  = /var/www/*/logs/access_log
    bantime  = 172800
    maxretry = 1
    
    # Use shorewall instead of iptables.
    
    [apache-shorewall]
    
    enabled  = false
    filter   = apache-noscript
    action   = shorewall
               sendmail[name=Postfix, dest=you@mail.com]
    logpath  = /var/log/apache2/error_log
    
    # Ban attackers that try to use PHP's URL-fopen() functionality
    # through GET/POST variables. - Experimental, with more than a year
    # of usage in production environments.
    # NOTE(review): no "action" here and none in [DEFAULT] -- see the note at
    # the top of the file.
    
    [php-url-fopen]
    
    enabled = false
    port    = http,https
    filter  = php-url-fopen
    logpath = /var/www/*/logs/access_log
    maxretry = 1
    
    # A simple PHP-fastcgi jail which works with lighttpd.
    # If you run a lighttpd server, then you probably will
    # find these kinds of messages in your error_log:
    # ALERT – tried to register forbidden variable ‘GLOBALS’
    # through GET variables (attacker '1.2.3.4', file '/var/www/default/htdocs/index.php')
    # This jail would block the IP 1.2.3.4.
    # NOTE(review): no "action" here either -- see the note at the top of the file.
    
    [lighttpd-fastcgi]
    
    enabled = false
    port    = http,https
    filter  = lighttpd-fastcgi
    # adapt the following two items as needed
    logpath = /var/log/lighttpd/error.log
    maxretry = 2
    
    # This jail uses ipfw, the standard firewall on FreeBSD. The "ignoreip"
    # option is overridden in this jail. Moreover, the action "mail-whois" defines
    # the variable "name" which contains a comma using "". The characters '' are
    # valid too.
    
    [ssh-ipfw]
    
    enabled  = false
    filter   = sshd
    action   = ipfw[localhost=192.168.0.1]
               sendmail-whois[name="SSH,IPFW", dest=you@mail.com]
    logpath  = /var/log/auth.log
    # NOTE(review): 168.192.0.1 is not a private address; presumably a
    # transposition of the 192.168.0.1 used two lines above (the same value
    # appears in both named-refused jails below). As written it exempts a
    # public host from banning -- verify before enabling.
    ignoreip = 168.192.0.1
    
    # These jails block attacks against named (bind9). By default, logging is off
    # with bind9 installation. You will need something like this:
    #
    # logging {
    #     channel security_file {
    #         file "/var/log/named/security.log" versions 3 size 30m;
    #         severity dynamic;
    #         print-time yes;
    #     };
    #     category security {
    #         security_file;
    #     };
    # };
    #
    # in your named.conf to provide proper logging.
    # This jail blocks UDP traffic for DNS requests.
    
    [named-refused-udp]
    
    enabled  = false
    filter   = named-refused
    action   = iptables-multiport[name=Named, port="domain,953", protocol=udp]
               sendmail-whois[name=Named, dest=you@mail.com]
    logpath  = /var/log/named/security.log
    ignoreip = 168.192.0.1
    
    # This jail blocks TCP traffic for DNS requests.
    
    [named-refused-tcp]
    
    enabled  = false
    filter   = named-refused
    action   = iptables-multiport[name=Named, port="domain,953", protocol=tcp]
               sendmail-whois[name=Named, dest=you@mail.com]
    logpath  = /var/log/named/security.log
    ignoreip = 168.192.0.1
    
    # Asterisk: block every port for a host after 5 failures within the
    # [DEFAULT] findtime (600 s). The jail only loads if filter.d/asterisk.conf
    # parses cleanly -- fail2ban skips the whole jail otherwise, as the first
    # post's "Errors in jail 'asterisk-iptables'. Skipping..." shows.
    [asterisk-iptables]
    enabled  = true
    filter   = asterisk
    action   = iptables-allports[name=ASTERISK, protocol=all]
               sendmail-whois[name=ASTERISK, dest=lee.sharp@****.net, sender=fail2ban@****.net]
    logpath  = /var/log/asterisk/fail2ban
    maxretry = 5
    bantime = 600
    
     
  3. qvs5010

    hi

    I have found the problem.

    I had to change
    NOTICE.* <HOST> failed to authenticate as '.*'$
    to
    NOTICE.* .*: <HOST> failed to authenticate as '.*'$


    Thanks for the quick post.
     
  4. Lee Sharp

    Those pesky dots and stars... Get you every time. :)
     
  5. sunshinenetworks

    Hi qvs5010,

    Thanks for finding that typo. It has now been corrected. I have recently added some other articles on how to secure Asterisk (and Elastix). Feel free to check them out, and please let me know if there are any spelling mistakes or typos in the code.

    Cheers,
    sunshinenetworks
     
  6. rlm

    Hi all,

    My Fail2ban will not start. I get the following message:

    Starting fail2ban: Traceback (most recent call last):
    File "/usr/bin/fail2ban-client", line 401, in ?
    if client.start(sys.argv):
    File "/usr/bin/fail2ban-client", line 370, in start
    return self.__processCommand(args)
    File "/usr/bin/fail2ban-client", line 180, in __processCommand
    ret = self.__readConfig()
    File "/usr/bin/fail2ban-client", line 375, in __readConfig
    ret = self.__configurator.getOptions()
    File "/usr/share/fail2ban/client/configurator.py", line 65, in getOptions
    return self.__jails.getOptions(jail)
    File "/usr/share/fail2ban/client/jailsreader.py", line 64, in getOptions
    ret = jail.getOptions()
    File "/usr/share/fail2ban/client/jailreader.py", line 75, in getOptions
    ret = self.__filter.read()
    File "/usr/share/fail2ban/client/filterreader.py", line 53, in read
    return ConfigReader.read(self, "filter.d/" + self.__file)
    File "/usr/share/fail2ban/client/configreader.py", line 59, in read
    SafeConfigParserWithIncludes.read(self, [bConf, bLocal])
    File "/usr/share/fail2ban/client/configparserinc.py", line 105, in read
    fileNamesFull += SafeConfigParserWithIncludes.getIncludes(filename)
    File "/usr/share/fail2ban/client/configparserinc.py", line 76, in getIncludes
    parser.read(resource)
    File "/usr/lib64/python2.4/ConfigParser.py", line 267, in read
    self._read(fp, filename)
    File "/usr/lib64/python2.4/ConfigParser.py", line 490, in _read
    raise e
    ConfigParser.ParsingError: File contains parsing errors: /etc/fail2ban/filter.d/asterisk.conf
    [line 6]: ' # Notes.: regex to match the password failures messages in the logfile. The\n'
    [line 7]: ' # host must be matched by a group named "host". The tag "<HOST>" can\n'
    [line 8]: ' # be used for standard IP/hostname matching and is only an alias for\n'
    [line 9]: ' # (?:::f{4,6}?(?P<host>\\S+)\n'
    [line 10]: ' # Values: TEXT\n'


    Any ideas? I have gone through the previous posts.


    asterisk.conf:

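    [Definition]

    #_daemon = asterisk

    # Option: failregex
    # Notes.: regex to match the password failures messages in the logfile. The
    # host must be matched by a group named "host". The tag "<HOST>" can
    # be used for standard IP/hostname matching and is only an alias for
    # (?:::f{4,6}?(?P<host>\S+)
    # Values: TEXT
    #
    # NOTE(review): the traceback in this post quotes lines 6-10 of the real
    # file as ' # Notes.: ...' etc., i.e. with a space BEFORE the '#'.
    # ConfigParser only treats a line as a comment when '#' or ';' is its very
    # first character, and a line that starts with whitespace is accepted only
    # as the continuation of an option seen earlier -- none has been at that
    # point, so each of those five lines is a parsing error. Make sure every
    # comment line starts in column 0, as shown here.
    #
    # The extra patterns below must be indented deeper than "failregex" so the
    # parser joins them onto its value; at column 0 each would instead be read
    # as a separate option named up to its first ':' and never used for
    # matching. (The forum may have stripped the indentation -- check the file.)
    # '<HOST>:.*' allows a port suffix after the address; presumably Asterisk
    # logs '<ip>:<port>' here -- verify against the log.

    failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password
                NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found
                NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Username/auth name mismatch
                NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device does not match ACL
                NOTICE.*.*: <HOST> failed to authenticate as '.*'$
                NOTICE.* .*: No registration for peer '.*' (from <HOST>)
                NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
                VERBOSE.* logger.c: -- .*IP/<HOST>-.* Playing 'ss-noservice' (language '.*')

    # Option: ignoreregex
    # Notes.: regex to ignore. If this regex matches, the line is ignored.
    # Values: TEXT
    #
    ignoreregex =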

    jail.conf:

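    [asterisk-iptables]

    enabled = true
    filter = asterisk
    # The second action line must be indented deeper than "action" so it is
    # read as part of the same value. At column 0 it would be parsed as an
    # option named "sendmail-whois[name" (the first '=' inside the brackets
    # acts as the delimiter), so only iptables-allports would run and no mail
    # would be sent. (The forum may have stripped the indentation -- check the
    # real file.)
    action = iptables-allports[name=ASTERISK, protocol=all]
             sendmail-whois[name=ASTERISK, dest=root, sender=fail2ban@example.org]
    logpath = /var/log/asterisk/fail2ban
    # 3 failures within the [DEFAULT] findtime (not shown here) -> 600 s ban
    maxretry = 3
    bantime = 600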
     
