  1. #1
    Just Joined! (Join Date: May 2010, Posts: 7)

    Fail2Ban fails to ban

    My externally hosted vserver runs with Debian lenny stable. Fail2ban 0.8.3 (and iptables) have been installed with the package manager. The intention is to use fail2ban with the messages file from asterisk, i.e. without iptables. The configuration files for fail2ban follow the fail2ban howto from Voip-Info.org, with the following modification in jail.conf under [asterisk-iptables]:

    logpath = /var/log/asterisk/messages

    When I start fail2ban with
    /etc/init.d/fail2ban start
    no further information is given, so I thought it would work. Later I questioned its function and made a
    /etc/init.d/fail2ban reload
    or a
    /etc/init.d/fail2ban restart
    and in both of these cases I obtain each time:

    Reloading authentication failure monitor: fail2ban failed!

    How could I find out why the restart and reload fail?

    Note: I'm not very familiar with Linux, I only use it in the context of the asterisk.

  2. #2
    Fail2Ban works now. The reload has to be done with

    /usr/bin/fail2ban-client reload

    and not with
    /etc/init.d/fail2ban reload

    However, the log indicates that there is still an issue with the mail message (address changed here):
    2010-05-22 11:57:10,435 fail2ban.actions.action: ERROR printf %b "Hi,\n
    The jail ASTERISK has been started successfully.\n
    Regards,\n
    Fail2Ban"|mail -s "[Fail2Ban] ASTERISK: started" Me@My.net returned 7f00
    Any ideas why the mail message doesn't work? Could the reason be that the mail address is hosted on a different server?

  3. #3
    While I had the jail.conf parameters set for manual testing with:

    maxretry = 3
    findtime = 300
    bantime = 600

    I happened to receive an attack on my asterisk. Fail2ban noticed the attack but didn't ban the IP. The logs show the following:

    Asterisk:
    Code:
    [2010-05-22 16:04:05] NOTICE[29225] chan_sip.c: Registration from '"1249349713"<sip:1249349713@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
    [2010-05-22 16:04:05] NOTICE[29225] chan_sip.c: Registration from '"100"<sip:100@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
    [2010-05-22 16:04:05] NOTICE[29225] chan_sip.c: Registration from '"101"<sip:101@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
    [2010-05-22 16:04:05] NOTICE[29225] chan_sip.c: Registration from '"102"<sip:102@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
    [2010-05-22 16:04:05] NOTICE[29225] chan_sip.c: Registration from '"103"<sip:103@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
    [2010-05-22 16:04:05] NOTICE[29225] chan_sip.c: Registration from '"104"<sip:104@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
    ....
    [2010-05-22 16:12:58] NOTICE[29225] chan_sip.c: Registration from '"9994"<sip:9994@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
    [2010-05-22 16:12:58] NOTICE[29225] chan_sip.c: Registration from '"9995"<sip:9995@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
    [2010-05-22 16:12:58] NOTICE[29225] chan_sip.c: Registration from '"9996"<sip:9996@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
    [2010-05-22 16:12:58] NOTICE[29225] chan_sip.c: Registration from '"9997"<sip:9997@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
    [2010-05-22 16:12:58] NOTICE[29225] chan_sip.c: Registration from '"9998"<sip:9998@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
    [2010-05-22 16:12:58] NOTICE[29225] chan_sip.c: Registration from '"9999"<sip:9999@12.34.56.78>' failed for '76.76.96.74' - No matching peer found
    Fail2Ban:
    Code:
    2010-05-22 16:04:06,632 fail2ban.actions: WARNING [asterisk-iptables] Ban 76.76.96.74
    2010-05-22 16:04:09,130 fail2ban.actions.action: ERROR printf %b "Hi,\n
    The IP 76.76.96.74 has just been banned by Fail2Ban after
    11 attempts against ASTERISK.\n\n
    Here are more information about 76.76.96.74:\n
    `whois 76.76.96.74`\n
    Regards,\n
    Fail2Ban"|mail -s "[Fail2Ban] ASTERISK: banned 76.76.96.74" Me@My.net returned 7f00
    2010-05-22 16:04:09,130 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
    2010-05-22 16:04:10,133 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
    2010-05-22 16:04:11,132 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
    2010-05-22 16:04:12,132 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
    2010-05-22 16:04:13,132 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
    2010-05-22 16:04:14,132 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
    2010-05-22 16:04:15,133 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
    2010-05-22 16:04:16,133 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
    2010-05-22 16:04:17,133 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
    ...
    2010-05-22 16:12:55,309 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
    2010-05-22 16:12:56,311 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
    2010-05-22 16:12:57,318 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
    2010-05-22 16:12:58,321 fail2ban.actions: WARNING [asterisk-iptables] 76.76.96.74 already banned
    2010-05-22 16:14:07,356 fail2ban.actions: WARNING [asterisk-iptables] Unban 76.76.96.74
    The attack makes about 40 attempts per second, whereas fail2ban logs "already banned" every second but fails to block the attack.

    Any ideas why fail2ban failed to ban this IP?

  4. #4
    I forgot to mention that fail2ban added the IP correctly to /etc/hosts.deny. But why then hasn't the IP been blocked?

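As an added example (not code from the thread or from fail2ban itself), a small Python model of the [asterisk-iptables] jail from posts #3 and #4: it applies our own approximation of the howto's asterisk failregex to constructed log lines shaped like the burst above, counts failures within findtime with maxretry = 3 and bantime = 600, and reproduces the Ban / already banned / Unban sequence seen in the fail2ban log.

```python
import re
from datetime import datetime, timedelta
# Jail parameters from post #3 (seconds); FAILREGEX is our own approximation of the howto filter.
MAXRETRY, FINDTIME, BANTIME = 3, 300, 600
FAILREGEX = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\] chan_sip\.c: Registration from '.*?' "
    r"failed for '(?P<host>\d{1,3}(?:\.\d{1,3}){3})' - No matching peer found$")

class Jail:  # minimal model of a fail2ban jail: failure window, ban list, action log
    def __init__(self):
        self.failures = {}  # host -> timestamps of recent failures
        self.banned = {}    # host -> time the ban expires
        self.events = []    # (time, action, host), like fail2ban.actions output

    def tick(self, now):  # expire bans older than BANTIME
        for host, until in list(self.banned.items()):
            if now >= until:
                del self.banned[host]
                self.events.append((now, "Unban", host))

    def feed(self, line):
        m = FAILREGEX.match(line)
        if not m:
            return None  # not a failure line for this filter
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        host = m.group("host")
        self.tick(ts)
        if host in self.banned:
            # Filter still matches after the ban action ran: source of the "already banned" warnings
            self.events.append((ts, "already banned", host))
            return "already banned"
        self.failures[host] = window = [t for t in self.failures.get(host, [])
                                        if ts - t <= timedelta(seconds=FINDTIME)] + [ts]
        if len(window) < MAXRETRY:
            return "failure"
        del self.failures[host]
        self.banned[host] = ts + timedelta(seconds=BANTIME)
        self.events.append((ts, "Ban", host))
        return "Ban"

def replay(lines, end):  # feed log lines, then advance the clock to `end`
    jail = Jail()
    results = [jail.feed(l) for l in lines]
    jail.tick(datetime.strptime(end, "%Y-%m-%d %H:%M:%S"))
    return results, jail.events

LINE = ("[{t}] NOTICE[29225] chan_sip.c: Registration from '\"{u}\"<sip:{u}@12.34.56.78>'"
        " failed for '76.76.96.74' - No matching peer found")  # constructed, shaped like post #3
SAMPLE = ([LINE.format(t="2010-05-22 16:04:05", u=u) for u in range(100, 111)]
          + [LINE.format(t="2010-05-22 16:12:58", u=u) for u in range(9994, 10000)])
```

The model only records the ban; whether it is enforced depends on the action. Asterisk's chan_sip does not use TCP wrappers, so a hosts.deny entry records the ban without enforcing it, and the iptables action the jail is named for is what actually drops the traffic.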