Fail2Ban doesn't ban web interface

fail2ban

(Till) #1

Hi,

I've installed the Fail2Ban module from https://wiki.nethserver.org/doku.php?id=module:fail2ban
I turned all necessary jails on, but when trying to log in to my nethserver web interface and entering up to 5 bad user/password combinations, it's still not banning my IP.

Can anyone tell me why?


(Stéphane de Labrusse) #2

Can you check in which log file you can find this line?

192.168.xxx.xxx - - [19/Oct/2017:17:28:35 +0200] "POST /en-US/Login.json HTTP/1.1" 400 550

When you have a failed attempt in nethgui, this line can be found in /var/log/httpd-admin/access_log.

My concern is that I have the same issue as you, because the failed attempts are logged in /var/log/httpd-admin/access_log-20171012.

Do you have something written in /var/log/httpd-admin/access_log?


(Till) #3

Yeah, I think it's the same issue…
My access_log file is empty. The log is generated in something like access_log-yyddmm:

Any ideas what to do?

Btw.: My bad login attempts are shown as
192.168.xxx.xxx - - [19/Oct/2017:19:33:33 +0200] "POST /en-US/Login.json HTTP/1.1" 400 543

in my logfile.


(Stéphane de Labrusse) #4

I can see the same issue with httpd as well… after a log rotation, the httpd files (access, error) are empty and a new one is created with a date in the name.

@davidep do you have some clues?

fail2ban greps the files /var/log/httpd-admin/*log; if they are empty, we have a problem :(


(Stéphane de Labrusse) #5

I believe I have a workaround:

Add a wildcard '*' to the watched log (e.g. /var/log/httpd-admin/access_log*).
Reload the fail2ban configuration when the fail2ban logs are rotated.

The IPs banned before the log rotation are banned again after the configuration is reloaded.
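
The blind spot described in posts #2 to #4 and the wildcard workaround from post #5, as an added example that is not part of the original thread or of the NethServer module. The regex is an assumed stand-in for the module's real failregex, and the sample log lines are constructed from the ones quoted above.

```python
import fnmatch
import re
import tempfile
from pathlib import Path

# Assumed pattern (not the module's real failregex): a nethgui login POST
# answered with HTTP 400, as in the access_log lines quoted in the thread.
FAILED_LOGIN = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "POST \S*/Login\.json HTTP/[\d.]+" 400 \d+')

# Constructed sample: the two failed logins from the thread plus one
# made-up request that must not count.
SAMPLE = (
    '192.168.xxx.xxx - - [19/Oct/2017:17:28:35 +0200] "POST /en-US/Login.json HTTP/1.1" 400 550\n'
    '192.168.xxx.xxx - - [19/Oct/2017:19:33:33 +0200] "POST /en-US/Login.json HTTP/1.1" 400 543\n'
    '192.168.xxx.xxx - - [19/Oct/2017:19:40:02 +0200] "GET /en-US/Dashboard HTTP/1.1" 200 1234\n'
)

def coverage(log_dir, watched_glob):
    """Map each file name to (matched by watched_glob, failed-login count)."""
    report = {}
    for path in sorted(Path(log_dir).iterdir()):
        if not path.is_file():
            continue
        with path.open(errors="replace") as fh:
            hits = sum(1 for line in fh if FAILED_LOGIN.match(line))
        report[path.name] = (fnmatch.fnmatchcase(path.name, watched_glob), hits)
    return report

def blind_spots(report):
    """Files holding failed logins that the watched glob never reads."""
    return sorted(n for n, (watched, hits) in report.items() if hits and not watched)

def demo():
    """Rebuild the thread's situation: empty access_log, dated file with data."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "access_log").write_text("")
        Path(d, "access_log-20171012").write_text(SAMPLE)
        before = coverage(d, "*log")          # pattern from post #4
        after = coverage(d, "access_log*")    # workaround from post #5
    return before, blind_spots(before), blind_spots(after)

if __name__ == "__main__":
    for result in demo():
        print(result)
```

Pointing `coverage()` at the real log directory with the jail's current logpath pattern shows whether failed logins are landing in a file the jail never reads.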


(Till) #6

If I do so, restarting the fail2ban service ends up with an error:

[root@net01 ~]# service fail2ban restart
Redirecting to /bin/systemctl restart fail2ban.service
Job for fail2ban.service failed because the control process exited with error code. See "systemctl status fail2ban.service" and "journalctl -xe" for details.
[root@net01 ~]# systemctl status fail2ban.service
● fail2ban.service - Fail2Ban Service
   Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; vendor preset: disabled)
   Active: failed (Result: start-limit) since Thu 2017-10-19 21:51:24 CEST; 9s ago
     Docs: man:fail2ban(1)
  Process: 27432 ExecStop=/usr/bin/fail2ban-client stop (code=exited, status=0/SUCCESS)
  Process: 27443 ExecStart=/usr/bin/fail2ban-client -x start (code=exited, status=255)
 Main PID: 23375 (code=killed, signal=TERM)

Oct 19 21:51:24 net01.mynethserver.co systemd[1]: Failed to start Fail2Ban Service.
Oct 19 21:51:24 net01.mynethserver.co systemd[1]: Unit fail2ban.service entered failed state.
Oct 19 21:51:24 net01.mynethserver.co systemd[1]: fail2ban.service failed.
Oct 19 21:51:24 net01.mynethserver.co systemd[1]: fail2ban.service holdoff time over, scheduling restart.
Oct 19 21:51:24 net01.mynethserver.co systemd[1]: start request repeated too quickly for fail2ban.service
Oct 19 21:51:24 net01.mynethserver.co systemd[1]: Failed to start Fail2Ban Service.
Oct 19 21:51:24 net01.mynethserver.co systemd[1]: Unit fail2ban.service entered failed state.
Oct 19 21:51:24 net01.mynethserver.co systemd[1]: fail2ban.service failed.

Did you change anything else?


(Stéphane de Labrusse) #7

Well, in fact the wildcard must be added in jail.local, but it is a templated file, so you cannot add it directly.
I pushed an update to solve your issue; do a yum update in a few hours and remove the '*' from the httpd file.


(Till) #8

Thank you, that worked!