Your message dated Tue, 18 Mar 2014 23:33:31 -0400
with message-id <[email protected]>
and subject line closing due to age/absent followup activity
has caused the Debian Bug report #646460,
regarding fail2ban: fails to monitorize some files, i.e. /var/log/mail.log
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
646460: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=646460
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: fail2ban
Version: 0.8.4-3
Severity: normal

fail2ban fails to monitor some files to find bad logins.
It was unable to find bad squirrelmail login attempts from /var/log/mail.log, but
just changing the jail logpath option from /var/log/mail.log to /var/log/syslog
makes it work.

access rights for both files are identical:
www:~# ls -l /var/log/syslog /var/log/mail.log
-rw-r----- 1 root adm   20691 oct 24 13:04 /var/log/mail.log
-rw-r----- 1 root adm 4039078 oct 24 13:08 /var/log/syslog

and fail2ban seems to understand both names:
www:~# tail -n 1000  /var/log/fail2ban.log | grep logfile
2011-10-24 12:07:52,471 fail2ban.filter : INFO   Added logfile = /var/log/auth.log
2011-10-24 12:07:52,728 fail2ban.filter : INFO   Added logfile = /var/log/mail.log
2011-10-24 12:41:11,795 fail2ban.filter : INFO   Added logfile = /var/log/auth.log
2011-10-24 12:41:12,042 fail2ban.filter : INFO   Added logfile = /var/log/syslog
2011-10-24 12:50:16,020 fail2ban.filter : INFO   Added logfile = /var/log/auth.log

Thanks,



-- System Information:
Debian Release: 6.0.3
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'stable-updates')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=es_ES.UTF-8, LC_CTYPE=es_ES.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages fail2ban depends on:
ii  lsb-base                3.2-23.2squeeze1 Linux Standard Base 3.2 init scrip
ii  python                  2.6.6-3+squeeze6 interactive high-level object-orie
ii  python-central          0.6.16+nmu1      register and build utility for Pyt

Versions of packages fail2ban recommends:
ii  iptables                      1.4.8-3    administration tools for packet fi
ii  whois                         5.0.10     an intelligent whois client

Versions of packages fail2ban suggests:
ii  bsd-mailx [mailx]  8.1.2-0.20100314cvs-1 simple mail user agent
pn  python-gamin       <none>                (no description available)

-- Configuration Files:
/etc/fail2ban.conf changed:
[DEFAULT]
background = true
verbose = 1
debug = false
logtargets = /var/log/fail2ban.log
syslog-target = /dev/log
syslog-facility = 1
pidlock = /var/run/fail2ban.pid
maxfailures = 5
bantime = 600
findtime = 600
ignoreip = 
cmdstart = 
cmdend = 
polltime = 1
reinittime = 10
maxreinits = 1000
protocol = tcp
fwchain = INPUT
fwstart = iptables -N fail2ban-%(__name__)s
          iptables -A fail2ban-%(__name__)s -j RETURN
          iptables -I %(fwchain)s -p %(protocol)s --dport %(port)s -j fail2ban-%(__name__)s
fwend = iptables -D %(fwchain)s -p %(protocol)s --dport %(port)s -j fail2ban-%(__name__)s
        iptables -F fail2ban-%(__name__)s
        iptables -X fail2ban-%(__name__)s
fwcheck = iptables -L %(fwchain)s | grep -q fail2ban-%(__name__)s
fwban = iptables -I fail2ban-%(__name__)s 1 -s <ip> -j DROP
fwunban = iptables -D fail2ban-%(__name__)s -s <ip> -j DROP
[MAIL]
enabled = true
host = localhost
port = 25
user = 
password = 
from = fail2ban@www
to = root@localhost
localtime = true
subject = [Fail2Ban] <section>: Banned <ip>
message = Hi,<br>
          The IP <ip> has just been banned by Fail2Ban after
          <failures> attempts against <section>.<br>
          Regards,<br>
          Fail2Ban
[SASL]
enabled = false
port = smtp
logfile = /var/log/mail.log
timeregex = \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}
timepattern = %%b %%d %%H:%%M:%%S
failregex = : warning: [-._\w]+\[(?P<host>[.\d]+)\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed$
[Apache]
enabled = false
logfile = /var/log/apache/error.log
port = http
timeregex = \S{3} \S{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}
timepattern = %%a %%b %%d %%H:%%M:%%S %%Y
failregex = [[]client (?P<host>\S*)[]] user .*(?:: authentication failure|not found)
[ApacheAttacks]
enabled = false
logfile = /var/log/apache/access.log
port = http
maxfailures = 2
timeregex = \d{2}/\S{3}/\d{4}:\d{2}:\d{2}:\d{2}
timepattern = %%d/%%b/%%Y:%%H:%%M:%%S
failregex = ^(?P<host>\S*) -.*"GET .*(?:awstats\.pl\?configdir=|index2\.php\?_REQUEST\[option\].*)\|echo.*
[VSFTPD]
enabled = false
logfile = /var/log/vsftpd.log
port = ftp
timeregex = \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}
timepattern = %%b %%d %%H:%%M:%%S
failregex = \[.+\] FAIL LOGIN: Client "(?P<host>\S+)"$
[PROFTPD]
enabled = false
logfile = /var/log/proftpd/proftpd.log
port = ftp
timeregex = \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}
timepattern = %%b %%d %%H:%%M:%%S
failregex = USER \S+: no such user found from \S* ?\[(?P<host>\S+)\] to \S+\s*$
[SSH]
enabled = true
logfile = /var/log/auth.log
port = ssh
timeregex = \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}
timepattern = %%b %%d %%H:%%M:%%S
failregex = : (?:(?:Authentication failure|Failed [-/\w+]+) for(?: [iI](?:llegal|nvalid) user)?|[Ii](?:llegal|nvalid) user|ROOT LOGIN REFUSED) .*(?: from|FROM) (?:::f{4,6}:)?(?P<host>\S*)


-- no debconf information



--- End Message ---
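
An added example, not part of the report or of fail2ban's own code: one way to check which log file actually receives the lines a filter is meant to match before changing `logpath`. The squirrelmail filter is not shown in the report, so the `timeregex` and `failregex` from the `[SASL]` section of the configuration dump stand in for it. The log contents are constructed, and counting a line only when both patterns match is this example's own rule.

```python
import re

# Patterns copied from the [SASL] section of the configuration dump above.
TIMEREGEX = re.compile(r"\S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}")
FAILREGEX = re.compile(
    r": warning: [-._\w]+\[(?P<host>[.\d]+)\]: SASL "
    r"(?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed$"
)

# Constructed sample contents (not taken from the report), arranged so that
# the failure lines reach only one of the two files.
SAMPLE_LOGS = {
    "/var/log/mail.log": """\
Oct 24 13:03:58 www postfix/smtpd[2101]: connect from unknown[192.0.2.10]
Oct 24 13:04:02 www postfix/smtpd[2101]: disconnect from unknown[192.0.2.10]
""",
    "/var/log/syslog": """\
Oct 24 13:03:58 www postfix/smtpd[2101]: connect from unknown[192.0.2.10]
Oct 24 13:04:00 www postfix/smtpd[2101]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed
Oct 24 13:04:01 www postfix/smtpd[2101]: warning: unknown[192.0.2.10]: SASL PLAIN authentication failed
Oct 24 13:04:02 www postfix/smtpd[2101]: disconnect from unknown[192.0.2.10]
2011-10-24T13:04:03 www postfix/smtpd[2101]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed
""",
}


def scan(text):
    """Return (hosts on usable failure lines, failregex hits lacking a timestamp)."""
    hosts, untimed = [], 0
    for line in text.splitlines():
        match = FAILREGEX.search(line.rstrip())
        if not match:
            continue
        if TIMEREGEX.search(line):
            hosts.append(match.group("host"))
        else:
            untimed += 1  # filter matches, but the timestamp format is not recognised
    return hosts, untimed


def compare(logs):
    """Scan every candidate log and return {path: (hosts, untimed)}."""
    return {path: scan(text) for path, text in logs.items()}


if __name__ == "__main__":
    for path, (hosts, untimed) in compare(SAMPLE_LOGS).items():
        print(f"{path}: {len(hosts)} usable failure line(s) {hosts}, "
              f"{untimed} without a recognised timestamp")
```

A file that reports zero usable lines while another reports several points to where the messages are routed or how they are timestamped, not to the file's permissions.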
--- Begin Message ---
reopen if issue is still relevant

-- 
Yaroslav O. Halchenko, Ph.D.
http://neuro.debian.net http://www.pymvpa.org http://www.fail2ban.org
Senior Research Associate,     Psychological and Brain Sciences Dept.
Dartmouth College, 419 Moore Hall, Hinman Box 6207, Hanover, NH 03755
Phone: +1 (603) 646-9834                       Fax: +1 (603) 646-1419
WWW:   http://www.linkedin.com/in/yarik        

--- End Message ---
