Open fstltna opened 6 years ago
mitchellkrogza
commented
6 years ago Please do this for me, in order
sudo service fail2ban stop sudo fail2ban-client -vvv -x stop sudo fail2ban-client -vvv -x start
this will indicate to you exactly where the startup is failing
This is referenced from my article at
https://ubuntu101.co.za/security/fail2ban/fail2ban-persistent-bans-ubuntu/
fstltna
commented
6 years ago I get no errors displayed when starting the client, only when doing
service fail2ban start
Your article is what I was using to set it up....
If I do
fail2ban-server status
i get:
2018-05-11 17:43:55,804 fail2ban.server [545]: INFO Starting Fail2ban v0.9.3
2018-05-11 17:43:55,804 fail2ban.server [545]: INFO Starting in daemon modeCan you post your jail.local file, it's possible a simple typo somewhere which does not reflect in the client startup
fstltna
commented
6 years ago mitchellkrogza
commented
6 years ago It's late here and dinner time now can I test this for you in the morning
fstltna
commented
6 years ago Ok, thanks!
mitchellkrogza
commented
6 years ago @fstltna will test it now and get back to you
mitchellkrogza
commented
6 years ago @fstltna your problem is with this jail you have (below). There is no such jail that comes with Fail2ban by default, if you installed this new jail/filter yourself it's broken. Take this out of your jail.local and Fail2ban will start.
To troubleshoot in future with fail2ban set ALL jails to enabled = false then enable them one at a time and start the service until you find the culprit.
Take this out (or set enabled = false) and your Fail2Ban service will start
##To stop DOS attack from remote host.
[http-get-dos]
enabled = true
port = http,https
filter = http-get-dos
logpath = /var/log/apache*/access.log
maxretry = 400
findtime = 400
bantime = 200
ignoreip = 127.0.0.1/8 111.111.111.111 222.222.222.222 67.170.205.61 104.237.152.181
action = iptables[name=HTTP, port=http, protocol=tcp]You also have some bad formatting in your jail.local, also spaces at the ends of many lines. I've cleaned it up for you. Use this jail.local attached and you should be up and running. Be very careful when copying and pasting from web pages or tutorials as often formatting can be messed up.
mitchellkrogza
commented
6 years ago @fstltna also you don't need to put the ignore IP line in all the jails, only once at the top of your jail.local
fstltna
commented
6 years ago Tried that and still have the issue - i even tried it without the jail.local at all and still get it...
mitchellkrogza
commented
6 years ago Zip your entire fail2ban folder for me and email it to me so I can test it in a VM for you mitchellkrog@gmail.com
robert1112
commented
6 years ago Hi @mitchellkrogza I got the same issue.
$ sudo service fail2ban start
Job for fail2ban.service failed because the control process exited with error code. See "systemctl status fail2ban.service" and "journalctl -xe" for details.$ cat jail.local (I just run sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local like on the post on your blog) Thank you.
#
# WARNING: heavily refactored in 0.9.0 release. Please review and
# customize settings for your setup.
#
# Changes: in most of the cases you should not modify this
# file, but provide customizations in jail.local file,
# or separate .conf files under jail.d/ directory, e.g.:
#
# HOW TO ACTIVATE JAILS:
#
# YOU SHOULD NOT MODIFY THIS FILE.
#
# It will probably be overwritten or improved in a distribution update.
#
# Provide customizations in a jail.local file or a jail.d/customisation.local.
# For example to change the default bantime for all jails and to enable the
# ssh-iptables jail the following (uncommented) would appear in the .local file.
# See man 5 jail.conf for details.
#
# [DEFAULT]
# bantime = 3600
#
# [sshd]
# enabled = true
#
# See jail.conf(5) man page for more information
# Comments: use '#' for comment lines and ';' (following a space) for inline comments
[INCLUDES]
#before = paths-distro.conf
before = paths-debian.conf
# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.
[DEFAULT]
#
# MISCELLANEOUS OPTIONS
#
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1/8
# External command that will take an tagged arguments to ignore, e.g. <ip>,
# and return true if the IP is to be ignored. False otherwise.
#
# ignorecommand = /path/to/command <ip>
ignorecommand =
# "bantime" is the number of seconds that a host is banned.
bantime = 600
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600
# "maxretry" is the number of failures before a host get banned.
maxretry = 5
# "backend" specifies the backend used to get files modification.
# Available options are "pyinotify", "gamin", "polling", "systemd" and "auto".
# This option can be overridden in each jail as well.
#
# pyinotify: requires pyinotify (a file alteration monitor) to be installed.
# If pyinotify is not installed, Fail2ban will use auto.
# gamin: requires Gamin (a file alteration monitor) to be installed.
# If Gamin is not installed, Fail2ban will use auto.
# polling: uses a polling algorithm which does not require external libraries.
# systemd: uses systemd python library to access the systemd journal.
# Specifying "logpath" is not valid for this backend.
# See "journalmatch" in the jails associated filter config
# auto: will try to use the following backends, in order:
# pyinotify, gamin, polling.
#
# Note: if systemd backend is choses as the default but you enable a jail
# for which logs are present only in its own log files, specify some other
# backend for that jail (e.g. polling) and provide empty value for
# journalmatch. See https://github.com/fail2ban/fail2ban/issues/959#issuecomment-74901200
backend = auto
# "usedns" specifies if jails should trust hostnames in logs,
# warn when DNS lookups are performed, or ignore all hostnames in logs
#
# yes: if a hostname is encountered, a DNS lookup will be performed.
# warn: if a hostname is encountered, a DNS lookup will be performed,
# but it will be logged as a warning.
# no: if a hostname is encountered, will not be used for banning,
# but it will be logged as info.
usedns = warn
# "logencoding" specifies the encoding of the log files handled by the jail
# This is used to decode the lines from the log file.
# Typical examples: "ascii", "utf-8"
#
# auto: will use the system locale setting
logencoding = auto
# "enabled" enables the jails.
# By default all jails are disabled, and it should stay this way.
# Enable only relevant to your setup jails in your .local or jail.d/*.conf
#
# true: jail will be enabled and log files will get monitored for changes
# false: jail is not enabled
enabled = false
# "filter" defines the filter to use by the jail.
# By default jails have names matching their filter name
#
filter = %(__name__)s
#
# ACTIONS
#
# Some options used for actions
# Destination email address used solely for the interpolations in
# jail.{conf,local,d/*} configuration files.
destemail = root@localhost
# Sender email address used solely for some actions
sender = root@localhost
# E-mail action. Since 0.8.1 Fail2Ban uses sendmail MTA for the
# mailing. Change mta configuration parameter to mail if you want to
# revert to conventional 'mail'.
mta = sendmail
# Default protocol
protocol = tcp
# Specify chain where jumps would need to be added in iptables-* actions
chain = INPUT
# Ports to be banned
# Usually should be overridden in a particular jail
port = 0:65535
#
# Action shortcuts. To be used to define action parameter
# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define
# action_* variables. Can be overridden globally or per
# section within jail.local file
banaction = iptables-multiport
# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
# ban & send an e-mail with whois report to the destemail.
action_mw = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
%(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
# ban & send an e-mail with whois report and relevant log lines
# to the destemail.
action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
%(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
# See the IMPORTANT note in action.d/xarf-login-attack for when to use this action
#
# ban & send a xarf e-mail to abuse contact of IP address and include relevant log lines
# to the destemail.
action_xarf = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"]
# ban IP on CloudFlare & send an e-mail with whois report and relevant log lines
# to the destemail.
action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
%(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
# Report block via blocklist.de fail2ban reporting service API
#
# See the IMPORTANT note in action.d/blocklist_de.conf for when to
# use this action. Create a file jail.d/blocklist_de.local containing
# [Init]
# blocklist_de_apikey = {api key from registration]
#
action_blocklist_de = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s"]
# Report ban via badips.com, and use as blacklist
#
# See BadIPsAction docstring in config/action.d/badips.py for
# documentation for this action.
#
# NOTE: This action relies on banaction being present on start and therefore
# should be last action defined for a jail.
#
action_badips = badips.py[category="%(name)s", banaction="%(banaction)s"]
# Choose default action. To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
action = %(action_)s
#
# JAILS
#
#
# SSH servers
#
[sshd]
port = ssh
logpath = %(sshd_log)s
[sshd-ddos]
# This jail corresponds to the standard configuration in Fail2ban.
# The mail-whois action send a notification e-mail with a whois request
# in the body.
port = ssh
logpath = %(sshd_log)s
[dropbear]
port = ssh
logpath = %(dropbear_log)s
[selinux-ssh]
port = ssh
logpath = %(auditd_log)s
maxretry = 5
#
# HTTP servers
#
[apache-auth]
port = http,https
logpath = %(apache_error_log)s
[apache-badbots]
# Ban hosts which agent identifies spammer robots crawling the web
# for email addresses. The mail outputs are buffered.
port = http,https
logpath = %(apache_access_log)s
bantime = 172800
maxretry = 1
[apache-noscript]
port = http,https
logpath = %(apache_error_log)s
maxretry = 6
[apache-overflows]
port = http,https
logpath = %(apache_error_log)s
maxretry = 2
[apache-nohome]
port = http,https
logpath = %(apache_error_log)s
maxretry = 2
[apache-botsearch]
port = http,https
logpath = %(apache_error_log)s
maxretry = 2
[apache-fakegooglebot]
port = http,https
logpath = %(apache_access_log)s
maxretry = 1
ignorecommand = %(ignorecommands_dir)s/apache-fakegooglebot <ip>
[apache-modsecurity]
port = http,https
logpath = %(apache_error_log)s
maxretry = 2
[apache-shellshock]
port = http,https
logpath = %(apache_error_log)s
maxretry = 1
[nginx-http-auth]
port = http,https
logpath = %(nginx_error_log)s
[nginx-botsearch]
port = http,https
logpath = %(nginx_error_log)s
maxretry = 2
# Ban attackers that try to use PHP's URL-fopen() functionality
# through GET/POST variables. - Experimental, with more than a year
# of usage in production environments.
[php-url-fopen]
port = http,https
logpath = %(nginx_access_log)s
%(apache_access_log)s
[suhosin]
port = http,https
logpath = %(suhosin_log)s
[lighttpd-auth]
# Same as above for Apache's mod_auth
# It catches wrong authentifications
port = http,https
logpath = %(lighttpd_error_log)s
#
# Webmail and groupware servers
#
[roundcube-auth]
port = http,https
logpath = logpath = %(roundcube_errors_log)s
[openwebmail]
port = http,https
logpath = /var/log/openwebmail.log
[horde]
port = http,https
logpath = /var/log/horde/horde.log
[groupoffice]
port = http,https
logpath = /home/groupoffice/log/info.log
[sogo-auth]
# Monitor SOGo groupware server
# without proxy this would be:
# port = 20000
port = http,https
logpath = /var/log/sogo/sogo.log
[tine20]
logpath = /var/log/tine20/tine20.log
port = http,https
maxretry = 5
#
# Web Applications
#
#
[drupal-auth]
port = http,https
logpath = %(syslog_daemon)s
[guacamole]
port = http,https
logpath = /var/log/tomcat*/catalina.out
[monit]
#Ban clients brute-forcing the monit gui login
filter = monit
port = 2812
logpath = /var/log/monit
[webmin-auth]
port = 10000
logpath = %(syslog_authpriv)s
[froxlor-auth]
port = http,https
logpath = %(syslog_authpriv)s
#
# HTTP Proxy servers
#
#
[squid]
port = 80,443,3128,8080
logpath = /var/log/squid/access.log
[3proxy]
port = 3128
logpath = /var/log/3proxy.log
#
# FTP servers
#
[proftpd]
port = ftp,ftp-data,ftps,ftps-data
logpath = %(proftpd_log)s
[pure-ftpd]
port = ftp,ftp-data,ftps,ftps-data
logpath = %(pureftpd_log)s
maxretry = 6
[gssftpd]
port = ftp,ftp-data,ftps,ftps-data
logpath = %(syslog_daemon)s
maxretry = 6
[wuftpd]
port = ftp,ftp-data,ftps,ftps-data
logpath = %(wuftpd_log)s
maxretry = 6
[vsftpd]
# or overwrite it in jails.local to be
# logpath = %(syslog_authpriv)s
# if you want to rely on PAM failed login attempts
# vsftpd's failregex should match both of those formats
port = ftp,ftp-data,ftps,ftps-data
logpath = %(vsftpd_log)s
#
# Mail servers
#
# ASSP SMTP Proxy Jail
[assp]
port = smtp,465,submission
logpath = /root/path/to/assp/logs/maillog.txt
[courier-smtp]
port = smtp,465,submission
logpath = %(syslog_mail)s
[postfix]
port = smtp,465,submission
logpath = %(postfix_log)s
[postfix-rbl]
port = smtp,465,submission
logpath = %(syslog_mail)s
maxretry = 1
[sendmail-auth]
port = submission,465,smtp
logpath = %(syslog_mail)s
[sendmail-reject]
port = smtp,465,submission
logpath = %(syslog_mail)s
[qmail-rbl]
filter = qmail
port = smtp,465,submission
logpath = /service/qmail/log/main/current
# dovecot defaults to logging to the mail syslog facility
# but can be set by syslog_facility in the dovecot configuration.
[dovecot]
port = pop3,pop3s,imap,imaps,submission,465,sieve
logpath = %(dovecot_log)s
[sieve]
port = smtp,465,submission
logpath = %(dovecot_log)s
[solid-pop3d]
port = pop3,pop3s
logpath = %(solidpop3d_log)s
[exim]
port = smtp,465,submission
logpath = %(exim_main_log)s
[exim-spam]
port = smtp,465,submission
logpath = %(exim_main_log)s
[kerio]
port = imap,smtp,imaps,465
logpath = /opt/kerio/mailserver/store/logs/security.log
#
# Mail servers authenticators: might be used for smtp,ftp,imap servers, so
# all relevant ports get banned
#
[courier-auth]
port = smtp,465,submission,imap3,imaps,pop3,pop3s
logpath = %(syslog_mail)s
[postfix-sasl]
port = smtp,465,submission,imap3,imaps,pop3,pop3s
# You might consider monitoring /var/log/mail.warn instead if you are
# running postfix since it would provide the same log lines at the
# "warn" level but overall at the smaller filesize.
logpath = %(postfix_log)s
[perdition]
port = imap3,imaps,pop3,pop3s
logpath = %(syslog_mail)s
[squirrelmail]
port = smtp,465,submission,imap2,imap3,imaps,pop3,pop3s,http,https,socks
logpath = /var/lib/squirrelmail/prefs/squirrelmail_access_log
[cyrus-imap]
port = imap3,imaps
logpath = %(syslog_mail)s
[uwimap-auth]
port = imap3,imaps
logpath = %(syslog_mail)s
#
#
# DNS servers
#
# !!! WARNING !!!
# Since UDP is connection-less protocol, spoofing of IP and imitation
# of illegal actions is way too simple. Thus enabling of this filter
# might provide an easy way for implementing a DoS against a chosen
# victim. See
# http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
# Please DO NOT USE this jail unless you know what you are doing.
#
# IMPORTANT: see filter.d/named-refused for instructions to enable logging
# This jail blocks UDP traffic for DNS requests.
# [named-refused-udp]
#
# filter = named-refused
# port = domain,953
# protocol = udp
# logpath = /var/log/named/security.log
# IMPORTANT: see filter.d/named-refused for instructions to enable logging
# This jail blocks TCP traffic for DNS requests.
[named-refused]
port = domain,953
logpath = /var/log/named/security.log
[nsd]
port = 53
action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
%(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
logpath = /var/log/nsd.log
#
# Miscellaneous
#
[asterisk]
port = 5060,5061
action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
%(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
%(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
logpath = /var/log/asterisk/messages
maxretry = 10
[freeswitch]
port = 5060,5061
action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
%(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
%(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
logpath = /var/log/freeswitch.log
maxretry = 10
# To log wrong MySQL access attempts add to /etc/my.cnf in [mysqld] or
# equivalent section:
# log-warning = 2
#
# for syslog (daemon facility)
# [mysqld_safe]
# syslog
#
# for own logfile
# [mysqld]
# log-error=/var/log/mysqld.log
[mysqld-auth]
port = 3306
logpath = %(mysql_log)s
maxretry = 5
# Jail for more extended banning of persistent abusers
# !!! WARNINGS !!!
# 1. Make sure that your loglevel specified in fail2ban.conf/.local
# is not at DEBUG level -- which might then cause fail2ban to fall into
# an infinite loop constantly feeding itself with non-informative lines
# 2. Increase dbpurgeage defined in fail2ban.conf to e.g. 648000 (7.5 days)
# to maintain entries for failed logins for sufficient amount of time
[recidive]
logpath = /var/log/fail2ban.log
banaction = iptables-allports
bantime = 604800 ; 1 week
findtime = 86400 ; 1 day
maxretry = 5
# Generic filter for PAM. Has to be used with action which bans all
# ports such as iptables-allports, shorewall
[pam-generic]
# pam-generic filter can be customized to monitor specific subset of 'tty's
banaction = iptables-allports
logpath = %(syslog_authpriv)s
[xinetd-fail]
banaction = iptables-multiport-log
logpath = %(syslog_daemon)s
maxretry = 2
# stunnel - need to set port for this
[stunnel]
logpath = /var/log/stunnel4/stunnel.log
[ejabberd-auth]
port = 5222
logpath = /var/log/ejabberd/ejabberd.log
[counter-strike]
logpath = /opt/cstrike/logs/L[0-9]*.log
# Firewall: http://www.cstrike-planet.com/faq/6
tcpport = 27030,27031,27032,27033,27034,27035,27036,27037,27038,27039
udpport = 1200,27000,27001,27002,27003,27004,27005,27006,27007,27008,27009,27010,27011,27012,27013,27014,27015
action = %(banaction)s[name=%(__name__)s-tcp, port="%(tcpport)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
%(banaction)s[name=%(__name__)s-udp, port="%(udpport)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
# consider low maxretry and a long bantime
# nobody except your own Nagios server should ever probe nrpe
[nagios]
enabled = false
logpath = %(syslog_daemon)s ; nrpe.cfg may define a different log_facility
maxretry = 1
[oracleims]
# see "oracleims" filter file for configuration requirement for Oracle IMS v6 and above
enabled = false
logpath = /opt/sun/comms/messaging64/log/mail.log_current
maxretry = 6
banaction = iptables-allports
[directadmin]
enabled = false
logpath = /var/log/directadmin/login.log
port = 2222
[portsentry]
enabled = false
logpath = /var/lib/portsentry/portsentry.history
maxretry = 1
[pass2allow-ftp]
# this pass2allow example allows FTP traffic after successful HTTP authentication
port = ftp,ftp-data,ftps,ftps-data
# knocking_url variable must be overridden to some secret value in filter.d/apache-pass.local
filter = apache-pass
# access log of the website with HTTP auth
logpath = %(apache_access_log)s
blocktype = RETURN
returntype = DROP
bantime = 3600
maxretry = 1
findtime = 1It's late here in South Africa I'll have to look at this in the morning but here's an article of mine worth reading https://ubuntu101.co.za/security/fail2ban/fail2ban-persistent-bans-ubuntu/
mitchellkrogza
commented
6 years ago Make sure you use a jail.local file and not the main jail.conf for your own configurations my article has lots of info in it read carefully and slowly
robert1112
commented
6 years ago It is 1 am here too. Sleep tight. Thank you so much.
mitchellkrogza
commented
6 years ago Another tip... disable ALL jails and enable them one by one, EACH time starting and stopping the Fail2Ban service... that way you quickly find a jail with a messy configuration.
robert1112
commented
6 years ago so for now, I should only look at jail.local file ? Can I have empty one?
robert1112
commented
6 years ago I follow your previous suggestions. Here is the output. Thank you so much. I need to head to bed too. sudo fail2ban-client -vvv -x start
INFO Loading configs for fail2ban under /etc/fail2ban
DEBUG Reading configs for fail2ban under /etc/fail2ban
DEBUG Reading config files: /etc/fail2ban/fail2ban.conf, /etc/fail2ban/fail2ban.local
INFO Loading files: ['/etc/fail2ban/fail2ban.conf']
INFO Loading files: ['/etc/fail2ban/fail2ban.local']
INFO Loading files: ['/etc/fail2ban/fail2ban.conf', '/etc/fail2ban/fail2ban.local']
INFO Using socket file /var/run/fail2ban/fail2ban.sock
INFO Loading configs for jail under /etc/fail2ban
DEBUG Reading configs for jail under /etc/fail2ban
DEBUG Reading config files: /etc/fail2ban/jail.conf, /etc/fail2ban/jail.d/defaults-debian.conf, /etc/fail2ban/jail.local
INFO Loading files: ['/etc/fail2ban/jail.conf']
INFO Loading files: ['/etc/fail2ban/paths-debian.conf']
INFO Loading files: ['/etc/fail2ban/paths-common.conf']
INFO Loading files: ['/etc/fail2ban/paths-overrides.local']
INFO Loading files: ['/etc/fail2ban/jail.d/defaults-debian.conf']
INFO Loading files: ['/etc/fail2ban/jail.local']
INFO Loading files: ['/etc/fail2ban/paths-common.conf', '/etc/fail2ban/paths-debian.conf', '/etc/fail2ban/jail.conf', '/etc/fail2ban/jail.d/defaults-debian.conf', '/etc/fail2ban/paths-common.conf', '/etc/fail2ban/paths-debian.conf', '/etc/fail2ban/jail.local']
INFO Loading configs for filter.d/sshd under /etc/fail2ban
DEBUG Reading configs for filter.d/sshd under /etc/fail2ban
DEBUG Reading config files: /etc/fail2ban/filter.d/sshd.conf
INFO Loading files: ['/etc/fail2ban/filter.d/sshd.conf']
INFO Loading files: ['/etc/fail2ban/filter.d/common.conf']
INFO Loading files: ['/etc/fail2ban/filter.d/common.local']
INFO Loading files: ['/etc/fail2ban/filter.d/common.conf', '/etc/fail2ban/filter.d/sshd.conf']
INFO Loading configs for action.d/iptables-multiport under /etc/fail2ban
DEBUG Reading configs for action.d/iptables-multiport under /etc/fail2ban
DEBUG Reading config files: /etc/fail2ban/action.d/iptables-multiport.conf
INFO Loading files: ['/etc/fail2ban/action.d/iptables-multiport.conf']
INFO Loading files: ['/etc/fail2ban/action.d/iptables-common.conf']
INFO Loading files: ['/etc/fail2ban/action.d/iptables-blocktype.local']
INFO Loading files: ['/etc/fail2ban/action.d/iptables-common.local']
INFO Loading files: ['/etc/fail2ban/action.d/iptables-common.conf', '/etc/fail2ban/action.d/iptables-multiport.conf']
INFO Loading configs for action.d/mail-whois-lines under /etc/fail2ban
DEBUG Reading configs for action.d/mail-whois-lines under /etc/fail2ban
DEBUG Reading config files: /etc/fail2ban/action.d/mail-whois-lines.conf
INFO Loading files: ['/etc/fail2ban/action.d/mail-whois-lines.conf']
INFO Loading files: ['/etc/fail2ban/action.d/mail-whois-common.conf']
INFO Loading files: ['/etc/fail2ban/action.d/mail-whois-common.local']
INFO Loading files: ['/etc/fail2ban/action.d/mail-whois-common.conf', '/etc/fail2ban/action.d/mail-whois-lines.conf']
INFO Loading configs for filter.d/sshd-ddos under /etc/fail2ban
DEBUG Reading configs for filter.d/sshd-ddos under /etc/fail2ban
DEBUG Reading config files: /etc/fail2ban/filter.d/sshd-ddos.conf
INFO Loading files: ['/etc/fail2ban/filter.d/sshd-ddos.conf']
INFO Loading files: ['/etc/fail2ban/filter.d/common.conf', '/etc/fail2ban/filter.d/sshd-ddos.conf']
INFO Loading configs for filter.d/nginx-http-auth under /etc/fail2ban
DEBUG Reading configs for filter.d/nginx-http-auth under /etc/fail2ban
DEBUG Reading config files: /etc/fail2ban/filter.d/nginx-http-auth.conf
INFO Loading files: ['/etc/fail2ban/filter.d/nginx-http-auth.conf']
INFO Loading files: ['/etc/fail2ban/filter.d/nginx-http-auth.conf']
INFO Loading configs for filter.d/nginx-botsearch under /etc/fail2ban
DEBUG Reading configs for filter.d/nginx-botsearch under /etc/fail2ban
DEBUG Reading config files: /etc/fail2ban/filter.d/nginx-botsearch.conf
INFO Loading files: ['/etc/fail2ban/filter.d/nginx-botsearch.conf']
INFO Loading files: ['/etc/fail2ban/filter.d/botsearch-common.conf']
INFO Loading files: ['/etc/fail2ban/filter.d/botsearch-common.conf', '/etc/fail2ban/filter.d/nginx-botsearch.conf']
INFO Loading configs for filter.d/nginx-noscript under /etc/fail2ban
DEBUG Reading configs for filter.d/nginx-noscript under /etc/fail2ban
DEBUG Reading config files: /etc/fail2ban/filter.d/nginx-noscript.conf
INFO Loading files: ['/etc/fail2ban/filter.d/nginx-noscript.conf']
INFO Loading files: ['/etc/fail2ban/filter.d/nginx-noscript.conf']
INFO Loading configs for filter.d/blacklist under /etc/fail2ban
DEBUG Reading configs for filter.d/blacklist under /etc/fail2ban
ERROR Found no accessible config files for 'filter.d/blacklist' under /etc/fail2ban
ERROR No section: 'Definition'
ERROR No section: 'Definition'
ERROR Unable to read the filter
ERROR Errors in jail 'blacklist'. Skipping...$ sudo cat jail.local
#
# Local Jail.conf File
# Comments: use '#' for comment lines and ';' (following a space) for inline comments
[INCLUDES]
before = paths-debian.conf
[DEFAULT]
# Add any IP's to ignore below - all on one line with spaces
# between them remove 111.111.111.111 and 222.222.222.222
# they are just here to demonstrate syntax
ignoreip = 127.0.0.1/8 111.111.111.111 222.222.222.222
ignorecommand =
# Ban and Fine Time in Seconds
bantime = 600
findtime = 600
# Maximum attempts before banning intruder
maxretry = 6
backend = auto
usedns = warn
logencoding = auto
# Default Action All Filters Disabled
enabled = false
# Default Filter Name Uses Jail Name
filter = %(__name__)s
# Mail Settings
destemail = me@mydomain.com
sender = fail2ban@mydomain.com
sendername = Fail2Ban
mta = mail
# Firewall Defaults
protocol = tcp
chain = INPUT
port = 0:65535
banaction = iptables-multiport
# Our Banning Action
# ban & send an e-mail with whois report and relevant log lines
# to the destemail.
action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
%(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
# Choose default action.
action = %(action_mwl)s
# NOTE: Other actions removed. Review jail.conf file for all
# other available options like action_ action_mw action_xarf
# action_cf_mwl action_blocklist_de and action_badips
# I find action_mwl to be more than adequate for my needs and
# the others especially xarf, blocklist_de and badips should
# be used with utmost care and only when you know what you are doing
#
# JAILS
#
#
# SSH servers
#
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.*
maxretry = 6
[sshd-ddos]
enabled = true
port = ssh
filter = sshd-ddos
logpath = /var/log/auth.*
maxretry = 6
#
# HTTP servers
#
[nginx-http-auth]
enabled = true
port = http,https
filter = nginx-http-auth
logpath = /ebs/containers/web2/bvpyek/a.wooshop.com.tw-access.log*
maxretry = 6
[nginx-botsearch]
enabled = true
port = http,https
filter = nginx-botsearch
logpath = /ebs/containers/web2/bvpyek/a.wooshop.com.tw-access.log*
maxretry = 6
[nginx-noscript]
enabled = true
port = http,https
filter = nginx-noscript
logpath = /ebs/containers/web2/bvpyek/a.wooshop.com.tw-access.log*
maxretry = 6
# Jail for more extended banning of persistent abusers
# !!! WARNINGS !!!
# 1. Make sure that your loglevel specified in fail2ban.conf/.local
# is not at DEBUG level -- which might then cause fail2ban to fall into
# an infinite loop constantly feeding itself with non-informative lines
# 2. Increase dbpurgeage defined in fail2ban.conf to e.g. 648000 (7.5 days)
# to maintain entries for failed logins for sufficient amount of time
[blacklist]
enabled = true
logpath = /var/log/fail2ban.*
banaction = blacklist
bantime = 31536000 ; 1 year
findtime = 31536000 ; 1 year
maxretry = 10Problem seems to be solved after follow your post and create those conf files. I got no error now after running sudo service fail2ban restart
I will have a better look tomorrow. Thank you.
mitchellkrogza
commented
6 years ago Awesome well done you are learning fast. Seems I will have some competition from you one day.
robert1112
commented
6 years ago ha I am the master of "copy and paste". Thank you so much for your patience and support.
I have tried it without the code but still see it failing. I am running this:
service fail2ban startand I get:Job for fail2ban.service failed because the control process exited with error code. See "systemctl status fail2ban.service" and "journalctl -xe" for details.running:systemctl status fail2ban.servicegives me: