Tag Archives: fail2ban

Knocking out multiple fail2ban notifications to admin

Ever since I’ve been troubleshooting and tweaking Fail2ban, it seems the ban notifications sent to the server admin email address have steadily increased. For example, a ban event currently sends 5 identical emails to the server admin.

I thought it was my limited understanding of how Fail2ban worked. But I soon realized that the culprit had to be multiple instances of Fail2ban causing the behavior. I had to dig up some Linux/CentOS knowledge on how to list and manage processes (similar to the Windows services console and task manager).

To show a master list of processes and pids:
ps aux | less

To display a list of pids with the name “fail2ban”:
pgrep fail2ban

To kill all pids with the name “fail2ban”:
pkill fail2ban

However, this kills all but one server instance of the Fail2ban server. I still had to start the server, reload the configuration and verify the status to ensure that it worked.

Remember to save and reload iptables prior to and after the above operations.

Fail2Ban configs

I was fed up with all the dictionary attacks on POP3. So I decided to lookup configuring Fail2ban on that port.

First off, always remember to save your iptables: service iptables save

Next, I located the jail.local file saved under /etc/fail2ban. This file is a copy of the original /etc/fail2ban/jail.conf which I want to leave untouched.

Starting from the following stanza, I will modify it to match the existing filters in my jail.local file, so that this:

[courierauth]
enabled = true
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter = courierlogin
logpath = /var/log/mail.log

Will turn into this:

[pop3]
enabled = true
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter = courierlogin
action = iptables[name=POP3, port="smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s", protocol=tcp]
         sendmail-whois[name=POP3, dest=anna@ffdepot.com, sender=fail2ban@ffdepot.com]
logpath = /var/log/maillog
maxretry = 3
ignoreip = 184.7.254.24 202.62.124.147 200.74.244.86 127.0.0.1

The newly revised stanza is enabled and watches the default mail ports. It creates a jail called POP3 and scans the mail log specified by logpath. The maxretry before banning is set to 3 attempts. Fail2ban will then email the whois info of the IP to me, similar to what it does for SSH attempts today. The filter calls on /etc/fail2ban/filter.d/courierlogin.conf, which contains the regex that Fail2ban uses to match mail log entries:

failregex = LOGIN FAILED, .*, ip=\[<HOST>\]$
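
To see what the jail stanza and this filter actually do together, here is an added example (my own code, not part of the original post and not fail2ban's implementation) that emulates the jail's matching and counting over a few constructed maillog lines. It takes maxretry and ignoreip from the stanza above, assumes fail2ban's default findtime of 600 seconds because the stanza does not set one, and simplifies fail2ban's <HOST> expansion to an IPv4 pattern with courier's optional ::ffff: prefix; the log lines, IP addresses and the 2012 year are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Added example, not fail2ban's own code: a small emulation of how the POP3
# jail above applies its filter, maxretry, findtime and ignoreip to a mail log.

# failregex from /etc/fail2ban/filter.d/courierlogin.conf, as quoted on the page.
FAILREGEX = r"LOGIN FAILED, .*, ip=\[<HOST>\]$"

# fail2ban expands <HOST> to its own host pattern (IPv4, IPv6 or hostname).
# This IPv4-only form, with courier's optional "::ffff:" prefix, is a
# simplification assumed for the example.
HOST_RE = r"(?:::ffff:)?(?P<host>(?:\d{1,3}\.){3}\d{1,3})"

# Jail settings taken from the jail.local stanza above; findtime is fail2ban's
# default of 600 seconds since the stanza does not set it.
JAIL = {
    "maxretry": 3,
    "findtime": 600,
    "ignoreip": frozenset({"184.7.254.24", "202.62.124.147", "200.74.244.86", "127.0.0.1"}),
}

# Constructed /var/log/maillog lines (courier pop3d style) using documentation-range IPs.
LOG = """\
Jan 20 10:15:01 mail pop3d: LOGIN FAILED, user=anna, ip=[::ffff:203.0.113.5]
Jan 20 10:15:03 mail pop3d: LOGIN FAILED, user=admin, ip=[::ffff:203.0.113.5]
Jan 20 10:15:04 mail pop3d: LOGIN, user=anna, ip=[::ffff:127.0.0.1]
Jan 20 10:15:06 mail pop3d: LOGIN FAILED, user=root, ip=[::ffff:203.0.113.5]
Jan 20 10:15:07 mail pop3d: LOGIN FAILED, user=test, ip=[::ffff:127.0.0.1]
Jan 20 10:15:08 mail pop3d: LOGIN FAILED, user=test, ip=[::ffff:127.0.0.1]
Jan 20 10:15:09 mail pop3d: LOGIN FAILED, user=test, ip=[::ffff:127.0.0.1]
Jan 20 10:30:00 mail pop3d: LOGIN FAILED, user=bob, ip=[::ffff:198.51.100.7]
Jan 20 10:45:00 mail pop3d: LOGIN FAILED, user=bob, ip=[::ffff:198.51.100.7]
Jan 20 11:00:00 mail pop3d: LOGIN FAILED, user=bob, ip=[::ffff:198.51.100.7]
"""


def parse_line(line, year=2012):
    """Split a syslog line into (epoch seconds, message). Syslog omits the
    year, so one is assumed; only time differences matter here."""
    stamp = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
    return stamp.timestamp(), line[16:]


def scan(lines, maxretry=3, findtime=600, ignoreip=frozenset()):
    """Return the hosts the jail would ban, in ban order: a host is banned once
    it has maxretry failregex matches inside any findtime-second window,
    unless it is listed in ignoreip."""
    pattern = re.compile(FAILREGEX.replace("<HOST>", HOST_RE))
    recent = defaultdict(deque)   # host -> timestamps of failures still inside findtime
    banned = []
    for line in lines:
        ts, message = parse_line(line)
        match = pattern.search(message)
        if not match:
            continue                # successful logins and unrelated lines are ignored
        host = match.group("host")
        if host in ignoreip or host in banned:
            continue
        window = recent[host]
        window.append(ts)
        while ts - window[0] > findtime:
            window.popleft()        # forget failures older than findtime
        if len(window) >= maxretry:
            banned.append(host)
    return banned


def ban_command(jail_name, host):
    """Shape of the rule fail2ban's iptables action inserts on ban: the chain is
    named fail2ban-<name>, so for this jail look for fail2ban-POP3 in iptables -nL."""
    return f"iptables -I fail2ban-{jail_name} 1 -s {host} -j DROP"


if __name__ == "__main__":
    for host in scan(LOG.splitlines(), **JAIL):
        print(ban_command("POP3", host))
```

In the constructed log, 203.0.113.5 fails three times within seconds and is banned; 127.0.0.1 fails three times but is in ignoreip; 198.51.100.7 fails three times spaced 15 minutes apart, so never reaches maxretry inside one findtime window. For the real filter against the real log, fail2ban ships fail2ban-regex, e.g. fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/courierlogin.conf, which reports how many lines the failregex matched.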

Once the jail.local file is saved, restart the Fail2ban server:

fail2ban-server -x
fail2ban-client reload
fail2ban-client status

The status command responds with the number of jails and their names, which now include one called POP3.

Afterwards, I reloaded my iptables again:

service iptables restart

Then to view the iptables: iptables -nL

Stay tuned this weekend to see if this new config pays off.

Fail2ban usage pains

What a pain it’s been trying to figure out how to get Fail2ban working again. I discovered that I was no longer receiving Fail2ban notifications sometime in mid-January, and it’s been annoying as hell trying to get it to restart. The magic command line that got me back on track was to restart the server instance by deleting the socket file:

fail2ban-server -x

This command kick-started the service into daemon mode. So now it was a matter of reloading the configuration:

fail2ban-client reload

Thus when running fail2ban-client status, the system responded with the number of jails and a jail list.

Retrieving the status of the jail, I could already see that Fail2ban had gone straight to work:

fail2ban-client status ssh-iptables

Therefore, when I checked iptables -L, the newest banned IP showed up at the top of the list for the fail2ban-SSH chain. And, I was getting my ban notification emails again.

Unban me!

If you’ve been unfortunate enough to lock yourself out of SSH by getting Fail2Ban to ban your own IP, here’s how to unban yourself:

1. Run iptables -L and look at the chain fail2ban-ssh.

2. Find the IP address to unban and count which rule line it is on (the header lines do not count). For example:

Chain fail2ban-ssh (1 references)
target prot opt source destination
DROP 0 -- 61.236.117.xxx anywhere
DROP 0 -- 61.236.117.yyy anywhere
RETURN 0 -- anywhere anywhere

3. Delete that rule by its number:

iptables -D fail2ban-ssh <rule number>

For example, to unban 61.236.117.yyy, which is the second rule in the chain, use:

iptables -D fail2ban-ssh 2
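
Counting rule lines by eye is where this goes wrong (the two header lines do not count, and the numbers shift after every deletion), so here is an added example, my own code rather than anything from the post, that reads an iptables -L fail2ban-ssh listing, returns the rule number for a given IP, and prints both the by-number deletion used above and the equivalent by-specification form. The listing text and the 198.51.100.x addresses are constructed stand-ins for the post's xxx/yyy output.

```python
# Added example, not from the original post: work out which rule number in the
# fail2ban-ssh chain holds a given IP, so that "iptables -D <chain> <number>"
# removes the right entry. Rule numbers are 1-based and count only rule lines,
# not the header lines that iptables -L prints.

# Constructed listing in the shape of "iptables -L fail2ban-ssh", with
# documentation-range addresses in place of the post's xxx/yyy.
LISTING = """\
Chain fail2ban-ssh (1 references)
target     prot opt source               destination
DROP       all  --  198.51.100.10        anywhere
DROP       all  --  198.51.100.20        anywhere
RETURN     all  --  anywhere             anywhere
"""

# The same chain as printed by "iptables -L fail2ban-ssh --line-numbers".
NUMBERED_LISTING = """\
Chain fail2ban-ssh (1 references)
num  target     prot opt source               destination
1    DROP       all  --  198.51.100.10        anywhere
2    DROP       all  --  198.51.100.20        anywhere
3    RETURN     all  --  anywhere             anywhere
"""


def parse_chain(listing):
    """Yield (rule_number, target, source) for each rule line of an
    iptables -L listing, with or without --line-numbers."""
    number = 0
    for line in listing.splitlines():
        fields = line.split()
        if not fields or fields[0] in ("Chain", "target", "num"):
            continue                       # skip blank and header lines
        if fields[0].isdigit():            # --line-numbers output carries the number
            number = int(fields[0])
            fields = fields[1:]
        else:
            number += 1                    # otherwise count rule lines ourselves
        target, source = fields[0], fields[3]   # columns: target prot opt source destination
        yield number, target, source


def rule_number(listing, ip):
    """Return the 1-based rule number of the first DROP rule for ip, or None."""
    for number, target, source in parse_chain(listing):
        if target == "DROP" and source == ip:
            return number
    return None


def unban_commands(chain, ip, listing):
    """Two equivalent deletions: by rule number (what the post does) and by rule
    specification, which needs no counting and cannot hit the wrong line if the
    chain changed between listing and deleting."""
    number = rule_number(listing, ip)
    if number is None:
        return []
    return [
        f"iptables -D {chain} {number}",
        f"iptables -D {chain} -s {ip} -j DROP",
    ]


if __name__ == "__main__":
    for cmd in unban_commands("fail2ban-ssh", "198.51.100.20", LISTING):
        print(cmd)
```

Deleting the iptables rule directly removes the block but leaves Fail2ban's own record of the ban in place until bantime expires; fail2ban 0.8.8 and later also offer fail2ban-client set ssh-iptables unbanip <IP>, which removes the rule and the record together.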

The Ban-mobile

I’ve been using a lot of this lately:

iptables -A INPUT -s IP-ADDRESS -j DROP
service iptables save

I’ve noticed that pop3 attempts aren’t being filtered by Fail2Ban; I’ve seen an increase in dictionary attacks on this port and have had to resort to manually banning the offenders. I’ve also installed a LogViewer in WHM to assist in the fight.