Dear Greg,
sorry for the late response, I didn't see your post earlier. Regarding your issue, I'm seeing the same problem with the 0.8 and 0.9 versions, too: https://github.com/fail2ban/fail2ban/issues/1020 . Can you check if fail2ban bans the IP addresses when you open vi and write the file? I think there is something wrong with fail2ban.
Best regards, Johannes
On 21.05.15 at 00:47, Greg Freemyer wrote:
On Fri, May 8, 2015 at 3:11 PM, Johannes Weberhofer wrote:
Dear all!
Finally I have prepared the long-requested 0.9.x version for fail2ban. With version 0.9 many things changed in fail2ban: It supports systemd logging and improves configuration a lot.
It would be great if some of you could test the versions I have packaged in http://download.opensuse.org/repositories/home:/weberho:/branches:/security/ and give some feedback. Please review all your configurations; I highly recommend having a look at the changelog at https://github.com/fail2ban/fail2ban/blob/master/ChangeLog
If there are no objections, I'd update the security: repository next week.
Best regards, Johannes
-- Johannes Weberhofer Weberhofer GmbH, Austria, Vienna
Johannes,
I thought I'd give fail2ban a try. I haven't used it much before so I'm a novice.
First I used a very simple jail.local file and it seems to work:
==
[DEFAULT]
ignoreip = 127.0.0.1/8

destemail = Greg.Freemyer@gmail.com

[sshd]
enabled = true

[sshd-ddos]
enabled = true
==
But I wanted to add a permanent ban for repeat SSH offenders.
I found a blog post with a recipe: http://stuffphilwrites.com/2013/03/permanently-ban-repeat-offenders-fail2ban...
Following that 2-year-old recipe doesn't seem to work with v0.9.
Do you know of one that does?
FYI: Here's the 2-year-old recipe from the blog post.
Add this to jail.local
=================================
[ssh-repeater]
enabled = true
filter = sshd
action = iptables-repeater[name=ssh]
         sendmail-whois[name=SSH-repeater, dest=root, sender=root, sendername="Fail2Ban"]
logpath = /var/log/messages
maxretry = 21
findtime = 31536000
bantime = 31536000
==================================
Create a file /etc/fail2ban/action.d/iptables-repeater.conf with content:
===================================
# Fail2ban configuration file
#
# Author: Phil Hagen
#

[Definition]

# Option: actionstart
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
actionstart = iptables -N fail2ban-REPEAT-<name>
              iptables -A fail2ban-REPEAT-<name> -j RETURN
              iptables -I INPUT -j fail2ban-REPEAT-<name>
              # set up from the static file
              cat /etc/fail2ban/ip.blocklist.<name> |grep -v ^\s*#|awk '{print $1}' | while read IP; do iptables -I fail2ban-REPEAT-<name> 1 -s $IP -j DROP; done

# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
actionstop = iptables -D INPUT -j fail2ban-REPEAT-<name>
             iptables -F fail2ban-REPEAT-<name>
             iptables -X fail2ban-REPEAT-<name>

# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck = iptables -n -L INPUT | grep -q fail2ban-REPEAT-<name>

# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
#         command is executed with Fail2Ban user rights.
# Tags:   <ip> IP address
#         <failures> number of failures
#         <time> unix timestamp of the ban time
# Values: CMD
#
actionban = iptables -I fail2ban-REPEAT-<name> 1 -s <ip> -j DROP
            # also put into the static file to re-populate after a restart
            ! grep -Fq <ip> /etc/fail2ban/ip.blocklist.<name> && echo "<ip> # fail2ban/$( date '+%%Y-%%m-%%d %%T' ): auto-add for repeat offender" >> /etc/fail2ban/ip.blocklist.<name>

# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
#         command is executed with Fail2Ban user rights.
# Tags:   <ip> IP address
#         <failures> number of failures
#         <time> unix timestamp of the ban time
# Values: CMD
#
actionunban = /bin/true

[Init]

# Default name of the chain
#
name = REPEAT
=====================================
Thanks Greg
-- Johannes Weberhofer Weberhofer GmbH, Austria, Vienna
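The quoted recipe's actionban decides whether to persist an address with `grep -Fq <ip>`, a fixed-string match anywhere in the line, so an address that is a prefix of an existing entry is treated as already listed and never reaches the static file. The shell functions below are an added example, not part of the blog recipe or of any message in this thread; the function names and the sample file are constructed for illustration, and the addresses come from documentation ranges.

```shell
#!/bin/sh
# Added example (not from the blog recipe): exact-match handling of the
# persistent blocklist file. Function names and sample data are hypothetical.

# True if $1 is already listed as the first field of a line in file $2.
blocklist_has() {
    awk -v ip="$1" '$1 == ip { found = 1 } END { exit !found }' "$2"
}

# The recipe's check, for comparison: fixed-string match anywhere in a line.
recipe_has() {
    grep -Fq "$1" "$2"
}

# Append $1 to file $2 unless an exact entry already exists.
blocklist_add() {
    blocklist_has "$1" "$2" && return 0
    printf '%s # fail2ban/%s: auto-add for repeat offender\n' \
        "$1" "$(date '+%Y-%m-%d %T')" >> "$2"
}

# Print the entries a loader should hand to iptables: first field of each
# line, skipping blank lines, comments, and anything not shaped like IPv4.
blocklist_ips() {
    awk '{ print $1 }' "$1" |
        grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Constructed sample file (addresses from the documentation ranges).
demo() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# manually maintained entries
198.51.100.11 # fail2ban/2015-05-20 10:00:00: auto-add for repeat offender

   # indented comment
203.0.113.7
EOF
    recipe_has 198.51.100.1 "$f" && echo "recipe check: 198.51.100.1 looks listed (substring of .11)"
    blocklist_has 198.51.100.1 "$f" || echo "exact check: 198.51.100.1 is not listed"
    blocklist_add 198.51.100.1 "$f"
    blocklist_add 198.51.100.1 "$f"   # second call is a no-op
    blocklist_ips "$f"
    rm -f "$f"
}
demo
```

The filter in `blocklist_ips` checks only the dotted-quad shape, not that each octet is at most 255.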