Security :: Fail2ban Stops Logs In Auth.log?

Feb 11, 2011

I yesterday installed fail2ban on my server and I see I am not getting logs for the genuine people also who log in to my machine. In /var/log/auth.log

It is a Ubuntu server and I had installed fail2ban via apt-get install

I thought something might be in /var/log/fail2ban.log but there I do not see anything

Quote:

2011-02-10 20:26:35,002 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.4
2011-02-10 20:26:35,003 fail2ban.jail : INFO Creating new jail 'ssh'
2011-02-10 20:26:35,003 fail2ban.jail : INFO Jail 'ssh' uses poller
2011-02-10 20:26:35,031 fail2ban.filter : INFO Added logfile = /var/log/auth.log

[Code].....




Ubuntu Security :: Fail2ban - Installed But Not Running?

Feb 5, 2011

I installed fail2ban from the Ubuntu Software Center (Ubuntu 10.10) and everything seemed to go fine. But when I try to access the client I get this output:

Code:
wolfgang@Culture:/var/log$ fail2ban-client status
ERROR Unable to contact server. Is it running?

[code]....


Ubuntu Security :: Block PHP Injection Attacks With Fail2ban

Apr 12, 2010

I'm trying to implement this method to block php injection attack using fail2ban: here it is, however I'm not sure it applies to Ubuntu. You see, there's this filter that must be added to the fail2ban jail file:

HTML Code:
[php-url-fopen]
enabled = true
port = http,https
filter = php-url-fopen

[Code]....


Ubuntu Security :: Fail2ban Bug - Jails Can't Start In IPTables?

May 10, 2010

Currently suffering from this bug: If you don't want to read the whole thing, it appears fail2ban overloads IPTables when you have too many jails, and sends a whole load of commands at once. I attempted to use the workaround making it sleep for a random period of time, but this does not help at all, it still fails like it used to. Any ideas? Fail2ban is a pretty popular app... Ubuntu 9.10.

Code:
$ aptitude show fail2ban
Package: fail2ban

[code]...


Ubuntu Security :: Entries In My Auth Log ?

Mar 29, 2010

I got some entries in my auth log that I am puzzled by. What could be the cause? I was not using my machine at the time of the logging.

Code:


Security :: Squid User Auth Encrypt?

May 7, 2010

I am using auth_param basic program /usr/lib/squid/squid_ldap_auth to authenticate users using squid from ldap. The user and pass is in clear text over the network between the browser and the squid server. Any way to send it in an encrypted format??


Security :: Ensure Changes To System-auth Do Not Lockout Root?

Jan 8, 2010

I was considering adding the below to my RHEL5 system's /etc/pam.d/system-auth file.

password required pam_cracklib.so try_first_pass retry=3 minlen=8 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0
auth required pam_unix.so nullok try_first_pass

[code]...


Ubuntu :: Auth.log CRON - Receiving In My Auth.log File

Jan 10, 2011

Lately I have been receiving this in my auth.log file. It seems to be repeating over and over, and I didn't know if it was anything normal or something I should be worried about...

Code:


Ubuntu Security :: Viability Of Running SSH On Default Port Using Key Auth?

Mar 8, 2010

I don't think it would be harmful to run ssh on the default port of 22. Especially since the machine will only accept key-based logins and only accept traffic on port 22 from external IP addresses that I specify.


Security :: PAM (system-auth) Illegal Module Type: Ccount?

Mar 8, 2011

Internal system mail revealed an error. Part of the mail is the below:

Feb 25 00:00:01 mbdba crond[1025]: PAM (system-auth) illegal module type: ccount
Feb 25 00:00:01 mbdba crond[1027]: PAM (system-auth) illegal module type: ccount
Feb 25 00:01:01 mbdba crond[1122]: PAM (system-auth) illegal module type: ccount
Feb 25 00:02:01 mbdba crond[1152]: PAM (system-auth) illegal module type: ccount
Feb 25 00:04:01 mbdba crond[1275]: PAM (system-auth) illegal module type: ccount
Feb 25 00:06:01 mbdba crond[1397]: PAM (system-auth) illegal module type: ccount

I have checked /etc/pam.d/system-auth for the "ccount" entry, but it does not exist. "ccount" existed before in /etc/pam.d/system-auth but I managed to change it back to "account." I have grepped for the "ccount" string in all files under /etc/pam.d and I was not able to find it.

It seems that the system-auth is not able to take the now "account" string instead of "ccount" although I have restarted crond

Here is my system-auth file on the affected server:

auth required /lib/security/$ISA/pam_env.so
auth required /lib/security/$ISA/pam_tally.so onerr=fail no_magic_root
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth required /lib/security/$ISA/pam_deny.so
code....


Ubuntu Security :: Automatic Logout - Auth Log Indicates Failed Login Attempt?

Mar 3, 2010

A few minutes ago I was using google chrome when suddenly the scroll-lock indicator on my keyboard turned on... I pressed the scroll-lock key, but nothing happened, the light remained. I opened a terminal and ran "top" to find what processes were running when I was automatically logged out. I logged back and checked the logs and found the following entries in my auth.log:

Code:
CRON[2971]: pam_unix(cron:session): session opened for user root by (uid=0)
CRON[2971]: pam_unix(cron:session): session closed for user root

[code]....


Security :: Ettercap On Company Gateway - Traffic Stops And No One Can Access Anything

Mar 24, 2010

A client asked me to install ettercap on their Linux gateway machine - two ethernet machine. I tried it in bridged mode, but as soon as I start it, the traffic stops and no one can access anything. Did anyone ever succeed in running it on the gateway?


Debian :: Fail2ban Not Banning Pop3d

Dec 2, 2015

I'm getting loads of hacking attempts on my pop3 daemon. Looks like fail2ban is not stopping it. How to ban these type of attacks?

Dec 2 12:14:49 sosaria pop3d: Disconnected, ip=[::ffff:109.81.181.238]
Dec 2 12:14:49 sosaria pop3d: Connection, ip=[::ffff:109.81.181.238]
Dec 2 12:14:49 sosaria pop3d: LOGIN FAILED, user=duky, ip=[::ffff:109.81.181.238]
Dec 2 12:14:54 sosaria pop3d: Disconnected, ip=[::ffff:109.81.181.238]
Dec 2 12:14:54 sosaria pop3d: Connection, ip=[::ffff:109.81.181.238]

[Code] ....

I've got in my /etc/fail2ban/jail.local:

[dovecot]
enabled = true
port = pop3,pop3s,imap,imaps
filter = dovecot
logpath = /var/log/mail.log
maxretry = 3

[Code] .....



Ubuntu Servers :: Fail2ban Not Working Postfix?

Sep 28, 2010

My fail2ban won't block relay attempts (it does block ssh)

mail.log contains lots of

Code:
NOQUEUE: reject: RCPT from 118-167-6-196.dynamic.hinet.net[118.167.6.196]: 554 5.7.1 <333@fgytry.myip.org>: Relay access denied
jail.conf

[Code]....


Server :: Fail2ban - Not Banning Apache Scanners

Aug 26, 2010

I've had fail2ban set up for a while for my SSH server, and that works beautifully (I had someone I knew attempt to access it and get banned). However, I then tried to set it up to ban people scanning my webserver for lots of other pages which don't exist (and have never been linked to) such as phpMyAdmin.

In my jail.conf I have:

Code:

However, looking at this I realise I need to edit the filter.d/apache-error.conf

I'm not sure exactly how to setup the regex to ban the correct hosts

The errors from the scanners are like this:

Code:


CentOS 5 :: Getting Yum To Work With Repo For Fail2ban / Denyhosts?

Sep 9, 2010

I am having issues getting yum to work with the repos for fail2ban and denyhosts. I followed the CentOS link on installing/cfg repos. However, every time I run yum install fail2ban or denyhosts it does not find the software. I read in several Google searches that I should be able to install it using yum. Is that info wrong? These are the links I was reading too from CentOS. [URL]. I know I can download the rpm or a tar file but I would like to keep it in sync with yum if possible. Maybe I have the wrong repo? CentOSPlus is enabled also.


Ubuntu Servers :: Creating A List Of Banned IP's With Fail2ban

Oct 16, 2010

I'm trying to use a technique suggested by a fella at this website....

[URL]

He suggests adding an echo line to the actionban line in order to create or add to a file that will contain a list of all the IP's that fail2ban has banned.....but it doesn't seem to generate any output. .....here is the command.....

actionban = iptables -I fail2ban- 1 -s -j DROP
echo >> /etc/shitlist

I never get any IP's in the file so the echo part does not seem to work.


Ubuntu Servers :: Fail2ban Conducts A Log Rotation It Unbans All The Banned IP's

Sep 14, 2010

I have fail2ban on server but every time fail2ban conducts a log rotation it unbans all the banned IP's. I have IP's to be banned for a week. Whenever a log rotation happens or I restart fail2ban I don't want all the IP's released! I was thinking there was a script or patch that would fix this but I have come up short.


CentOS 5 Server :: Fail2Ban Is Up And Running - IPtables Rules Not Created

Nov 18, 2009

I have been trying for days now to get this to work. Didn't want to bother people with my questions. I have installed Fail2Ban 0.8.4 on CentOS 5.4.

I get the email notifications from Fail2Ban stating that it just blocked another IP, however, when I look at the iptables through webmin, nothing is actually in there, also the log/secure file does not show that the IP has been blocked.

Even when I try to log in with the wrong password, after a few tries I get the email telling me that my IP is blocked, however, I can still SSH using my 'blocked' IP.


Ubuntu Networking :: Stops Working In 10.10 And Firefox Randomly Stops Working?

Nov 13, 2010

I'm running Ubuntu 10.10 Maverick Meerkat 64-bit on my desktop with a wired internet connection (with no firewall). For the past 2 days, I have observed that

1. Firefox randomly throws up errors like "Problem loading page" whenever I click on a hyperlink. When I click on Reload, the page loads up just fine. This has been happening a lot recently... and I do not remember updating anything consciously. By the way, ipv6 is disabled in Firefox.

2. The network stops working all of a sudden (usually indicated by the Firefox error). The Auto Eth0 indication is active, but I am unable to connect to any external machine.

3. Needless to say, this error is manifesting itself in apt-get as well. I get "something wicked happened" errors all the time, and am unable to download or install anything.

That this is not a problem with the ISP is obvious because I also have Windows (from which I'm typing this, ironically), which is able to access the internet. Is this a bug in Ubuntu 10.10?


General :: How To Rotate Auth.log

Mar 2, 2010

I have a problem with the logrotate of auth.log, it is not working. I tried using 'kill -HUP `cat /var/run/sshd.pid`'. This restarts sshd but does not create a new auth.log. Also tried "/etc/etc/init.d/ssh restart" and "/etc/init.d/ssh reload"


Ubuntu :: Pam Auth Error When Logon Through VNC?

May 30, 2010

On Ubuntu 10.04 with x11Vnc server, if the screen requires logon (such as if locked or upon reboot), through the VNC terminal, I always get authentication error (incorrect password). Sitting at the keyboard, I can logon just fine. Once logged on, I can access everything through VNC just fine.

Error in auth.log (username = bob):
unix_chkpwd[3926]: password check failed for user (bob)
gnome-screensaver-dialog: pam_unix(gnome-screensaver:auth): authentication failure; logname= uid=1000

[code]....


Ubuntu :: Change The Frequency Of Auth.log?

Jun 25, 2010

I have edited /etc/logrotate.conf to include

/var/log/auth.log {
rotate 6
monthly
copytruncate
compress
}

To try and prevent auth.log rotating daily and change it to monthly but it doesn't seem to work.

Either I'm doing it wrong or I need to restart some service?


Ubuntu :: Configuring LDAP Auth With A GUI?

Feb 28, 2011

I've been using CentOS for quite a long time, and I've recently switched to Ubuntu 10.10 as a desktop. I'm having one small stumbling block, I can't seem to setup LDAP authentication via a GUI. I found this post here.

[URL]

Is there a GUI application that allows LDAP configuration similar to the Cent OS one?


Server :: HTTP Auth From Outside + Allow From Local?

Jul 29, 2010

Been a while but have a few scripts that need to hit a website that's local to that network, but also a public site. Currently there is an .htaccess in that folder with this lockdown;

AuthType Basic
AuthName "Restricated"
Require valid-user

Now, can I break that somehow and say (here is my english translation)

[Code]..


Ubuntu Networking :: Wireless Starts And Stops And Starts And Stops?

Feb 10, 2010

Sometime after I upgraded to Ubuntu 9.10 I've been having trouble with my wireless network connection. It will usually log on to the network, then disconnect shortly after. Then try to connect again, usually successfully, then it cuts off again. Then connects again, then disconnects. FWIW, Ubuntu 9.10 works on a different machine pretty consistently, so I don't think it's a problem with the router.


OpenSUSE :: Add / Setting -auth -audit In X Server

May 21, 2010

I'm trying to add the -audit option to X Server. I run

ps -ef | grep -v grep | grep "bin/X"

and get:

root 2511 2506 0 10:35 tty7 00:00:09 /usr/bin/X:0 -br -verbose -auth /var/run/dgm/auth-for-gdm-sScn1P/database -nolisten tcp vt7

So I'm thinking that I need to add -audit to the /usr/bin/X file, but I believe that it's binary and created by something else, but I can't find that "something else". How on earth can I add this option? I have opened up 1,000,000,000,000,000,000,000 files (slight exaggeration) and I've come up empty.


Ubuntu Servers :: Ssh Logged Port In Auth.log Is Different Than 22

Oct 22, 2010

As far as I understand ssh runs on port 22 but in my /var/log/auth.log I see

Quote:

why is this logged 48504 different than ssh port 22?


Ubuntu Servers :: Ssh Restart Gives Error In Auth.log

Oct 29, 2010

Whenever I restart ssh

Quote:

/etc/init.d/ssh restart

I see following line in auth.log

Quote:

sshd[5678]: error: Bind to port 22 on :: failed: Address already in use.

That is a headless server. What does the above line signify or tell and why am I seeing that? Ubuntu 10.04 64 bit server edition








Copyrights 2005-15 www.BigResource.com, All rights reserved