CentOS 6.3 – Fail2ban Not Working Properly + Workaround


Theo Band wrote:

I’m running fail2ban on my server (under CentOS-6.4)
and it seems to be running according to
———————–

5 thoughts on - CentOS 6.3 – Fail2ban Not Working Properly + Workaround

  • It sets up iptables rules for every jail that is configured (iptables
    -L). You seem to have only the ssh-iptables configured. Check the date of the logfile. I noticed that SYSLOG is now used for logging. It used to be /var/log/fail2ban.log in the past. I removed the old log file. If SSH is the only public service you want to protect against brute force, then you don’t need to set up anything. But have a look in
    /etc/fail2ban/jail.conf and add at least your email address to get a notification when it blocks access. There are lots of other “jails” that can be enabled. Normally I receive several messages a day. So not receiving them means that the service is no longer protecting, simply because it watches a renamed, no longer updated version of /var/log/secure:

    ls -l /var/log/secure*
    -rw------- 1 root root 2130892 Mar 12 18:25 /var/log/secure
    -rw------- 1 root root 1374710 Feb 17 01:31 /var/log/secure-20130217
    -rw------- 1 root root 1482646 Feb 24 03:09 /var/log/secure-20130224
    -rw------- 1 root root 1732930 Mar  3 03:13 /var/log/secure-20130303
    -rw------- 1 root root  656454 Mar 10 03:12 /var/log/secure-20130310

    Once a week fail2ban stops working as a new secure log file is created
    (logrotate) and it seems to watch only the old name. You will not see any error message and the status shows as running. But I have no proof that it keeps working with the gamin fix.

    Theo
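
Added example, not part of the thread and not fail2ban's own code: a small POSIX shell script that reproduces the rotation problem Theo describes in a temporary directory (logrotate renames the file, so the old inode lives on under secure-YYYYMMDD while sshd writes to a brand-new inode called secure), plus a check for a real CentOS 6 host that lists which secure* file the running fail2ban-server actually has open. The pid file path /var/run/fail2ban/fail2ban.pid and the rotation date 20130217 are assumptions; the sshd log line is constructed.

```shell
#!/bin/sh
# Added example (not code from the thread). Simulates the weekly logrotate
# rename Theo describes, and gives a live check for a CentOS 6 host.
# Assumptions: GNU/Linux with /proc, and fail2ban's pid file at
# /var/run/fail2ban/fail2ban.pid (assumed to be the CentOS package default).

# Inode number of a path. POSIX ls -i; -d so a directory prints itself.
inode_of() {
    ls -di "$1" | awk '{print $1}'
}

# Simulate logrotate on a fake /var/log/secure inside DIR: the file a watcher
# opened keeps its inode under a new name, and a fresh, empty "secure" gets a
# new inode. Prints "old new"; returns 0 when they differ, i.e. anything still
# holding the old file is now reading a log that sshd no longer writes to.
rotation_changes_inode() {
    dir=$1
    # Constructed sample line, in the format sshd writes to /var/log/secure.
    printf 'Mar 12 18:25:01 host sshd[1234]: Failed password for root from 203.0.113.5 port 4000 ssh2\n' \
        > "$dir/secure"
    old=$(inode_of "$dir/secure")
    mv "$dir/secure" "$dir/secure-20130217"   # rename, as logrotate's dateext does
    : > "$dir/secure"                          # new empty log, new inode
    new=$(inode_of "$dir/secure")
    echo "$old $new"
    [ "$old" != "$new" ]
}

# Live check (needs root, not run by the test): which secure* file does the
# fail2ban-server process actually have open? Prints the symlink targets
# found under /proc/PID/fd.
fail2ban_open_logs() {
    pid=$(cat /var/run/fail2ban/fail2ban.pid 2>/dev/null) || return 1
    for fd in /proc/"$pid"/fd/*; do
        readlink "$fd"
    done | grep '^/var/log/secure'
}

# Returns 1 (stale) if fail2ban holds a rotated secure-YYYYMMDD file open
# instead of the live /var/log/secure; 0 otherwise.
fail2ban_watch_ok() {
    if fail2ban_open_logs | grep -q 'secure-[0-9]'; then
        return 1
    fi
    return 0
}
```

On a live host, pair fail2ban_watch_ok with `fail2ban-client status ssh-iptables`: if the "Total failed" counter stops moving while /var/log/secure keeps growing, the jail is reading the rotated file, and the restart Fabien mentions below is what reattaches it to the new inode.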

  • 2013/3/12 Theo Band:

    I too have the same problem but couldn’t figure out where the issue is. It stops working even if the service says all is right. I have to restart the service to let it work again…

    I will try to find through your idea.

    Thanks, Fabien

  • On 12.3.2013 19:03, Fabien Archambault wrote:

    As temporary solution you can always use fail2ban from Repoforge. It’s a little bit older, but works on 6.x. Regards, David Hrbac

  • First off, as a good security practice do not leave SSH open to the world unless you have to (and even then I’d go so far as to say restrict it the best you can). Fail2ban can become a band-aid for good security practices.

    I’d suggest at least checking out information on fail2ban’s wiki and perusing the config files (especially jail.conf).

    You can tweak things quite a bit to make sure logs are going where you want them to and that fail2ban is watching the right files.

    I’ll add that if someone decides to restart iptables, your fail2ban chains will be removed. So you’ll need to restart fail2ban and check that the chains and rules are present again. Otherwise fail2ban will report, but won’t be able to actually add a firewall rule to block the brute forcing host.

    I’ve not seen any problems since I switched to the gamin backend some time ago. As you do, I generally get at least one daily notification email that my FTP daemon is being brute forced. So I’d say it’s working fine.
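
Added example, not part of the thread and not fail2ban's own code: the chain check the previous comment asks for, and the `iptables -L` check Theo mentions, as a script. It parses `iptables -S` output for the chain the stock ssh-iptables jail creates. The chain name fail2ban-SSH follows fail2ban's default iptables action (fail2ban-<name> with name=SSH) and is an assumption about the default jail.conf; both rule dumps below are constructed, one from a healthy host and one after `service iptables restart` has reloaded the ruleset from /etc/sysconfig/iptables and dropped everything fail2ban added at runtime.

```shell
#!/bin/sh
# Added example (not code from the thread). Checks that the iptables chain the
# ssh-iptables jail creates is still there, which "service iptables restart"
# silently undoes. Assumes fail2ban's default iptables action, whose chain is
# named fail2ban-<name>, i.e. fail2ban-SSH for the stock ssh-iptables jail.

# Constructed "iptables -S" dump from a healthy host: chain defined, INPUT
# jumps to it, and one host is currently banned.
HEALTHY='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N fail2ban-SSH
-A INPUT -p tcp -m tcp --dport 22 -j fail2ban-SSH
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A fail2ban-SSH -s 198.51.100.23/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SSH -j RETURN'

# Constructed dump of the same host after "service iptables restart": the
# ruleset came back from /etc/sysconfig/iptables, so the chain fail2ban added
# at runtime is gone, while "service fail2ban status" still says running.
AFTER_RESTART='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

# fail2ban_chain_ok CHAIN RULES: 0 if CHAIN is defined and INPUT jumps to it,
# 1 if the chain is missing, 2 if it exists but nothing routes traffic into it.
fail2ban_chain_ok() {
    chain=$1
    rules=$2
    printf '%s\n' "$rules" | grep -q "^-N $chain\$" || return 1
    printf '%s\n' "$rules" | grep -q "^-A INPUT .* -j $chain\$" || return 2
    return 0
}

# banned_ips CHAIN RULES: the source addresses currently blocked in CHAIN.
banned_ips() {
    printf '%s\n' "$2" | awk -v c="$1" '$1 == "-A" && $2 == c && $3 == "-s" { print $4 }'
}

# Live check (needs root, not run by the test): run against the real ruleset
# and restart fail2ban so it recreates its chains if they were wiped.
fail2ban_chain_check_live() {
    rules=$(iptables -S)
    if fail2ban_chain_ok fail2ban-SSH "$rules"; then
        echo "fail2ban-SSH chain present; banned: $(banned_ips fail2ban-SSH "$rules")"
    else
        echo "fail2ban-SSH chain missing or unreferenced; restarting fail2ban" >&2
        service fail2ban restart
    fi
}
```

The distinction between return codes 1 and 2 matters in practice: a missing chain is the iptables-restart case and is fixed by restarting fail2ban, whereas a chain that exists but is no longer referenced from INPUT usually means someone reloaded or edited the INPUT rules by hand and fail2ban's own actionstart will not re-add the jump until the jail is restarted.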
