Linode Forum

[sblantipodi]

As title,
I always used fail2ban with my CentOS box but now with CentOS 6 I'm not able to get it to work again.

Service starts without error, all is configured ok, no error on logs but fail2ban doesn't ban anyone on my box.

Is there an alternative software to fail2ban with similar functionalities?

I need to ban IP that fails auth on squirrelmail (I have installed squirrel_logger), on php, on apache and on phpmyadmin, ah and dovecot.

[sblantipodi]

it seems that fail2ban doesn't work with python 2.6 except for ssh...

its really sad to see a good software like this to fail in this way.
Four years without any new features, three years without a decent fix to major problem, two years and no fix to phyton compatibility problems, board is full of spam without any moderation.

Its a dead software but I don't see any alternatives.
The only one could be denyhosts but it isn't an alternatives, at all, since it only protect the ssh port.

[waldo]

Looks like Python 2.6 should work with the latest version of Fail2ban:

http://www.fail2ban.org/wiki/index.php/Fail2ban:Community_Portal#Python_2.6_support_.28relevant_only_for_0.8.3_and_older.29

I know on Debian 6.0, fail2ban works just fine with python 2.6.6

[sblantipodi]

waldo wrote: Looks like Python 2.6 should work with the latest version of Fail2ban:

http://www.fail2ban.org/wiki/index.php/Fail2ban:Community_Portal#Python_2.6_support_.28relevant_only_for_0.8.3_and_older.29

I know on Debian 6.0, fail2ban works just fine with python 2.6.6

On the net I find only complaints about fail2ban and Python 2.6, the only regexpr that works ok is the one for SSH.
Probably the debian you are talking about uses only ssh protection.

[waldo]

That's primarily all I use it for, but as far as I can tell, the Debian guys have filters for apache, courier, exmin, gssftpd, lighttpd, pam, postfix, pure-ftpd, gmail, sasl, sieve, sshd-ddos, sshd, vsftpd, webmin-auth, wuftpd, xinetd and a few others.

Seeing how fail2ban, python 2.6 and all just worked right out of the box for me on Debian, I'm assuming the others work just fine.

[sblantipodi]

waldo wrote: That's primarily all I use it for, but as far as I can tell, the Debian guys have filters for apache, courier, exmin, gssftpd, lighttpd, pam, postfix, pure-ftpd, gmail, sasl, sieve, sshd-ddos, sshd, vsftpd, webmin-auth, wuftpd, xinetd and a few others.

Seeing how fail2ban, python 2.6 and all just worked right out of the box for me on Debian, I'm assuming the others work just fine.

can you give me some output of fail2ban-regexpr with some of your filter.d/files ?

[waldo]

Sure:
If you download:
http://ftp.de.debian.org/debian/pool/main/f/fail2ban/fail2ban_0.8.4.orig.tar.gz

from:
http://packages.debian.org/squeeze/fail2ban

Then dig into config/filter.d those are the same files I'm using. From what I can tell, it appears the Debian maintainer has modified the following files in the package:

action.d/iptables-multiport.conf
action.d/iptables-new.conf
action.d/mail-whois-lines.conf
action.d/iptables-all-ports.conf
jail.conf
filter.d/apache-nohome.conf
filter.d/named-refused.conf
filter.d/apache-badbots.conf
filter.d/proftpd.conf
filter.d/pure-ftpd.conf
filter.d/wuftpd.conf
filter.d/common.conf
filter.d/ssdh-ddos.conf
filter.d/pam-generic.conf
filter.d/sasl.conf

[sblantipodi]

in my case
regexpr are correct (checked with regexpr calculator for python), fail2ban is well configured and it doesn't match anything.

I have founded dozens of other users with my same problem on the net, it could be interesting to see how debian modified that files to make it work.

in any case this is a dead software since many years, its best to find a new one but the problem is that I cannot find an alternatives.

[waldo]

Why do you say it's dead? Because it's not in constant development with regular releases?

Sure the last release was 2 years ago:
http://www.fail2ban.org/wiki/index.php/Main_Page

Perhaps it's mature and because of it's very nature doesn't need to be constantly updated. It just reads log files and runs some external commands (usually to make changes to standard firewalls, like iptables). You do have a firewall installed, right?

If you've installed fail2ban from the Centos repository and it's not working, sounds like they broke something, or the package maintainer never tested....

This is the only browsable repo I can find for Centos:
http://pkgs.repoforge.org/fail2ban/

Looks like the newest version of fail2ban available from the Centos repos is quite old

Though Fedora is current:
http://download.fedora.redhat.com/pub/epel/6/x86_64/repoview/fail2ban.html

I'd check to see what version of fail2ban got installed on your server.

[sblantipodi]

waldo wrote: Why do you say it's dead? Because it's not in constant development with regular releases?

Sure the last release was 2 years ago:
http://www.fail2ban.org/wiki/index.php/Main_Page

Perhaps it's mature and because of it's very nature doesn't need to be constantly updated. It just reads log files and runs some external commands (usually to make changes to standard firewalls, like iptables). You do have a firewall installed, right?

If you've installed fail2ban from the Centos repository and it's not working, sounds like they broke something, or the package maintainer never tested....

This is the only browsable repo I can find for Centos:
http://pkgs.repoforge.org/fail2ban/

Looks like the newest version of fail2ban available from the Centos repos is quite old

Though Fedora is current:
http://download.fedora.redhat.com/pub/epel/6/x86_64/repoview/fail2ban.html

I'd check to see what version of fail2ban got installed on your server.

I'm using the latest 0.8.4 from fedora epel

[haus]

There's always the LFD component of CSF:

http://www.configserver.com/cp/csf.html

My personal favorite. And yes, it can do squirrelmail as I wrote a rule for it some time ago.

[sblantipodi]

I solved the problem with fail2ban, there was a date problem.

I solved by editing:
/etc/fail2ban/filter.d/common.conf

and changing
__prefix_line = \s*(?:\S+ )?(?:@vserver_\S+ )?%(__daemon_combs_re)s?\s*

with this:
__prefix_line = .*?

[GLaDOSDan]

haus wrote: There's always the LFD component of CSF:

http://www.configserver.com/cp/csf.html

My personal favorite. And yes, it can do squirrelmail as I wrote a rule for it some time ago.

Agreed, I love CSF/LFD.

[captainkrtek]

CSF + LFD work very well and are easily configured via their webmin module, would also highly reccomend it :D

[node_tux]

fail2ban-regex is a command line utility to test your filters against a log file.

man fail2ban-regex for usage.