HI,
I'm sorry, but my english is worst. I mean "my config". :)
I think, you should have sshd.conf in jail.d/. In my jail.local all rules are
set to "false" and i have 3 files in jail.d/ , sshd.conf, exim.conf,
dovecot.conf and there i set "true". I'll paste my sshd.conf:
[ssh]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
sendmail-whois[name=SSH, [email protected], [email protected],
sendername="Fail2Ban"]
logpath = /var/log/sshd/current
maxretry = 5
bantime = 2592000
findtime = 144000
Cheers
>-------- Оригинално писмо --------
>От: "YouGenom ." [email protected]
>Относно: Re: [Fail2ban-users] Fail2Ban sends mails only once
>До: kuncho pencho
>Изпратено на: 18.01.2016 02:50
Hi,
Sorry about that. There is actually "]" at the end. I have somehow
mistakenly deleted it. Actual file has it.
jail.d directory is completely empty.
What do you mean with "Main config"? Is the suggested/correct way of
using sendmail-whois this: sendmail-whois[name=SSH, dest=
[email protected], sender=
[email protected], sendername="Fail2Ban"] ?
Thanks a lot for the assistance!
On Sun, Jan 17, 2016 at 5:49 PM, kuncho pencho
wrote:
Hi,
Could you try to set sender in ssh section in jail.conf?
Yours config is "sendmail-whois[name=ssh, dest=
[email protected]" ,
here is missing "]" simbol and sender.
Main config is with this line:
sendmail-whois[name=SSH, dest=
[email protected], sender=
[email protected], sendername="Fail2Ban"]
Do you have sshd.conf in jail.d ?
>-------- Оригинално писмо -------- >От: "YouGenom ."
[email protected] >Относно: Re: [Fail2ban-users] Fail2Ban sends mails only
once
>До: kuncho pencho <
[email protected]>
>Изпратено на: 17.01.2016 16:50
Hi,
I did not get any error message after setting up exim4 (but before
that I did not get any mail at all anyway). So at the (first,) second and
further failed logins there are no errors. But I only get the warning mail at
the first failed login. Here is my configuration file (jail.local) attached.
Thanks!
On Sun, Jan 17, 2016 at 1:45 PM, kuncho pencho
wrote:
Hi,
Could you paste your jail.conf and jail.d/sshd.conf? Is there an
error in fail2ban.log?
>-------- Оригинално писмо --------
>От: "YouGenom ."
[email protected]
>Относно: [Fail2ban-users] Fail2Ban sends mails only once
>До:
[email protected]
>Изпратено на: 17.01.2016 13:39
Hi,
I have been trying to set up fail2ban. I have only edited
for the SSH jail to warn me in case of failed login. Other
jails/actions/filters are at default. Then I tried from another machine a
failed login (6 times with wrong password). I have got the mail with whois
info. So this is what I was expecting. Then I have waited for the ban to expire
(10 mins) and retried to failed login. I did not get any mail this time. In
logs, it was mentioned, that a ban was issued for the client IP address.
Interestingly, by using another IP address (through VPN) I could get again an
e-mail warning for the first time but not second time. It seems to me fail2ban
sends e-mail warning only once per IP-address. Moreover, I changed log level to
4 (DEBUG) and ran fail2ban-client reload. Then I tried a failed login with the
old (once banned) IP address. It did not send any mail but I found this in the
logs:
2016-01-17 12:32:08,961 fail2ban.actions.action[21573]:
DEBUG
printf %b "Subject: [Fail2Ban] ssh: banned 192.168.0.11 from `uname -n`
Date: `LC_TIME=C date -u +"%a, %d %h %Y %T +0000"`
From: Fail2Ban
To:
[email protected]\n
Hi,\n
The IP 192.168.0.11 has just been banned by Fail2Ban after
6 attempts against ssh.\n\n
Here is more information about
192.168.0.11:\n
`/usr/bin/whois 192.168.0.11 || echo missing whois
program`\n
Regards,\n
Fail2Ban" | /usr/sbin/sendmail -f fail2ban
[email protected]
2016-01-17 12:32:09,491 fail2ban.actions.action[21573]:
DEBUG
printf %b "Subject: [Fail2Ban] ssh: banned 192.168.0.11 from `uname -n`
Date: `LC_TIME=C date -u +"%a, %d %h %Y %T +0000"`
From: Fail2Ban
To:
[email protected]\n
Hi,\n
The IP 192.168.0.11 has just been banned by Fail2Ban after
6 attempts against ssh.\n\n
Here is more information about
192.168.0.11:\n
`/usr/bin/whois 192.168.0.11 || echo missing whois
program`\n
Regards,\n
Fail2Ban" | /usr/sbin/sendmail -f fail2ban
[email protected] returned successfully
I am not sure, if the issue is because of my GMail account
blocking the mails or is it a feature in Fail2Ban to prevent e-mail flood?
Best wishes!
------------------------------------------------------------------------------
Site24x7 APM Insight: Get Deep Visibility into Application
Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
Monitor end-to-end web transactions and take corrective actions
now
Troubleshoot faster and improve end-user experience. Signup Now!
http://pubads.g.doubleclick.net/gampad/clk?id=267308311&iu=/4140
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
------------------------------------------------------------------------------
Site24x7 APM Insight: Get Deep Visibility into Application Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
Monitor end-to-end web transactions and take corrective actions now
Troubleshoot faster and improve end-user experience. Signup Now!
http://pubads.g.doubleclick.net/gampad/clk?id=267308311&iu=/4140
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
------------------------------------------------------------------------------
Site24x7 APM Insight: Get Deep Visibility into Application Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
Monitor end-to-end web transactions and take corrective actions now
Troubleshoot faster and improve end-user experience. Signup Now!
http://pubads.g.doubleclick.net/gampad/clk?id=267308311&iu=/4140
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
