
Fail2ban does not work after upgrade to 12.0.18

Onir-Hexa

New Pleskian
Hello,

Since upgrading to 12.0.18 Update #5, fail2ban has stopped working.
I did several tests but have not found the issue!


Code:
[nimda4597@xxxx fail2ban]# service fail2ban status
fail2ban-server (pid  1881) is running...
Status
|- Number of jail:      8
`- Jail list:           recidive, plesk-roundcube, plesk-panel, plesk-courierimap, ssh, plesk-postfix, plesk-horde, plesk-proftpd


I do not understand how "fail2ban" works with Plesk 12; usually the file jail.conf contains the default options and the list of jails.

jail.conf after the upgrade is as follows:


Code:
#              If pyinotify is not installed, Fail2ban will use auto.
# gamin:     requires Gamin (a file alteration monitor) to be installed.
#              If Gamin is not installed, Fail2ban will use auto.
# polling:   uses a polling algorithm which does not require external libraries.
# auto:      will try to use the following backends, in order:
#              pyinotify, gamin, polling.
backend = auto

# "usedns" specifies if jails should trust hostnames in logs,
#   warn when DNS lookups are performed, or ignore all hostnames in logs
#
# yes:   if a hostname is encountered, a DNS lookup will be performed.
# warn:  if a hostname is encountered, a DNS lookup will be performed,
#        but it will be logged as a warning.
# no:    if a hostname is encountered, will not be used for banning,
#        but it will be logged as info.
usedns = no


# This jail corresponds to the standard configuration in Fail2ban.
# The mail-whois action send a notification e-mail with a whois request
# in the body.

[ssh]

enabled  = false
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
logpath  = /var/log/secure
maxretry = 5


# Jail for more extended banning of persistent abusers
# !!! WARNING !!!
#   Make sure that your loglevel specified in fail2ban.conf/.local
#   is not at DEBUG level -- which might then cause fail2ban to fall into
#   an infinite loop constantly feeding itself with non-informative lines
[recidive]

enabled  = false
filter   = recidive
logpath  = /var/log/fail2ban.log
action   = iptables-allports[name=recidive]
bantime  = 604800  ; 1 week
findtime = 86400   ; 1 day
maxretry = 5

Does Plesk use a different conf file? Where are the other jail settings?
I also found jail.conf, but it seems incomplete...

Code:
[DEFAULT]
maxretry = 3
destemail = xxx@xxxx
findtime = 600
bantime = 600

[plesk-apache-badbot]
enabled = false

[recidive]
enabled = true

[plesk-roundcube]
enabled = true

[plesk-panel]
enabled = true

[plesk-apache]
enabled = false

[plesk-courierimap]
enabled = true

[ssh]
enabled = true

[plesk-postfix]
enabled = true

[plesk-horde]
enabled = true

[plesk-proftpd]
enabled = true


This is the log file after "service fail2ban start":

Code:
2014-07-01 02:42:39,492 fail2ban.server [3244]: INFO    Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.13
2014-07-01 02:42:39,493 fail2ban.jail   [3244]: INFO    Creating new jail 'recidive'
2014-07-01 02:42:39,512 fail2ban.jail   [3244]: INFO    Jail 'recidive' uses pyinotify
2014-07-01 02:42:39,523 fail2ban.jail   [3244]: INFO    Initiated 'pyinotify' backend
2014-07-01 02:42:39,524 fail2ban.filter [3244]: INFO    Added logfile = /var/log/fail2ban.log
2014-07-01 02:42:39,524 fail2ban.filter [3244]: INFO    Set maxRetry = 5
2014-07-01 02:42:39,525 fail2ban.filter [3244]: INFO    Set findtime = 86400
2014-07-01 02:42:39,525 fail2ban.actions[3244]: INFO    Set banTime = 604800
2014-07-01 02:42:39,531 fail2ban.jail   [3244]: INFO    Creating new jail 'plesk-roundcube'
2014-07-01 02:42:39,531 fail2ban.jail   [3244]: INFO    Jail 'plesk-roundcube' uses pyinotify
2014-07-01 02:42:39,531 fail2ban.jail   [3244]: INFO    Initiated 'pyinotify' backend
2014-07-01 02:42:39,532 fail2ban.filter [3244]: INFO    Added logfile = /var/log/plesk-roundcube/errors
2014-07-01 02:42:39,532 fail2ban.filter [3244]: INFO    Set maxRetry = 5
2014-07-01 02:42:39,533 fail2ban.filter [3244]: INFO    Set findtime = 600
2014-07-01 02:42:39,533 fail2ban.actions[3244]: INFO    Set banTime = 600
2014-07-01 02:42:39,537 fail2ban.jail   [3244]: INFO    Creating new jail 'plesk-courierimap'
2014-07-01 02:42:39,537 fail2ban.jail   [3244]: INFO    Jail 'plesk-courierimap' uses pyinotify
2014-07-01 02:42:39,537 fail2ban.jail   [3244]: INFO    Initiated 'pyinotify' backend
2014-07-01 02:42:39,538 fail2ban.filter [3244]: INFO    Added logfile = /var/log/maillog
2014-07-01 02:42:39,538 fail2ban.filter [3244]: INFO    Set maxRetry = 5
2014-07-01 02:42:39,539 fail2ban.filter [3244]: INFO    Set findtime = 600
2014-07-01 02:42:39,539 fail2ban.actions[3244]: INFO    Set banTime = 600
2014-07-01 02:42:39,545 fail2ban.jail   [3244]: INFO    Creating new jail 'ssh'
2014-07-01 02:42:39,545 fail2ban.jail   [3244]: INFO    Jail 'ssh' uses pyinotify
2014-07-01 02:42:39,546 fail2ban.jail   [3244]: INFO    Initiated 'pyinotify' backend
2014-07-01 02:42:39,546 fail2ban.filter [3244]: INFO    Added logfile = /var/log/secure
2014-07-01 02:42:39,547 fail2ban.filter [3244]: INFO    Set maxRetry = 5
2014-07-01 02:42:39,547 fail2ban.filter [3244]: INFO    Set findtime = 600
2014-07-01 02:42:39,548 fail2ban.actions[3244]: INFO    Set banTime = 600
2014-07-01 02:42:39,670 fail2ban.jail   [3244]: INFO    Creating new jail 'plesk-postfix'
2014-07-01 02:42:39,670 fail2ban.jail   [3244]: INFO    Jail 'plesk-postfix' uses pyinotify
2014-07-01 02:42:39,670 fail2ban.jail   [3244]: INFO    Initiated 'pyinotify' backend
2014-07-01 02:42:39,671 fail2ban.filter [3244]: INFO    Added logfile = /var/log/maillog
2014-07-01 02:42:39,671 fail2ban.filter [3244]: INFO    Set maxRetry = 5
2014-07-01 02:42:39,672 fail2ban.filter [3244]: INFO    Set findtime = 600
2014-07-01 02:42:39,672 fail2ban.actions[3244]: INFO    Set banTime = 600
2014-07-01 02:42:39,678 fail2ban.jail   [3244]: INFO    Creating new jail 'plesk-panel'
2014-07-01 02:42:39,678 fail2ban.jail   [3244]: INFO    Jail 'plesk-panel' uses pyinotify
2014-07-01 02:42:39,678 fail2ban.jail   [3244]: INFO    Initiated 'pyinotify' backend
2014-07-01 02:42:39,679 fail2ban.filter [3244]: INFO    Added logfile = /var/log/plesk/panel.log
2014-07-01 02:42:39,679 fail2ban.filter [3244]: INFO    Set maxRetry = 5
2014-07-01 02:42:39,680 fail2ban.filter [3244]: INFO    Set findtime = 600
2014-07-01 02:42:39,680 fail2ban.actions[3244]: INFO    Set banTime = 600
2014-07-01 02:42:39,684 fail2ban.jail   [3244]: INFO    Creating new jail 'plesk-horde'
2014-07-01 02:42:39,684 fail2ban.jail   [3244]: INFO    Jail 'plesk-horde' uses pyinotify
2014-07-01 02:42:39,684 fail2ban.jail   [3244]: INFO    Initiated 'pyinotify' backend
2014-07-01 02:42:39,685 fail2ban.filter [3244]: INFO    Added logfile = /var/log/psa-horde/psa-horde.log
2014-07-01 02:42:39,685 fail2ban.filter [3244]: INFO    Set maxRetry = 5
2014-07-01 02:42:39,686 fail2ban.filter [3244]: INFO    Set findtime = 600
2014-07-01 02:42:39,686 fail2ban.actions[3244]: INFO    Set banTime = 600
2014-07-01 02:42:39,690 fail2ban.jail   [3244]: INFO    Creating new jail 'plesk-proftpd'
2014-07-01 02:42:39,690 fail2ban.jail   [3244]: INFO    Jail 'plesk-proftpd' uses pyinotify
2014-07-01 02:42:39,690 fail2ban.jail   [3244]: INFO    Initiated 'pyinotify' backend
2014-07-01 02:42:39,691 fail2ban.filter [3244]: INFO    Added logfile = /var/log/secure
2014-07-01 02:42:39,692 fail2ban.filter [3244]: INFO    Set maxRetry = 5
2014-07-01 02:42:39,692 fail2ban.filter [3244]: INFO    Set findtime = 600
2014-07-01 02:42:39,692 fail2ban.actions[3244]: INFO    Set banTime = 600
2014-07-01 02:42:39,713 fail2ban.jail   [3244]: INFO    Jail 'recidive' started
2014-07-01 02:42:39,715 fail2ban.jail   [3244]: INFO    Jail 'plesk-roundcube' started
2014-07-01 02:42:39,727 fail2ban.jail   [3244]: INFO    Jail 'plesk-courierimap' started
2014-07-01 02:42:39,733 fail2ban.jail   [3244]: INFO    Jail 'ssh' started
2014-07-01 02:42:39,734 fail2ban.jail   [3244]: INFO    Jail 'plesk-postfix' started
2014-07-01 02:42:39,736 fail2ban.jail   [3244]: INFO    Jail 'plesk-panel' started
2014-07-01 02:42:39,737 fail2ban.jail   [3244]: INFO    Jail 'plesk-horde' started
2014-07-01 02:42:39,739 fail2ban.jail   [3244]: INFO    Jail 'plesk-proftpd' started

I thought it might be a mistake in the regex, but the check was successful:

Code:
[nimda4597@xxxx fail2ban]# fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/postfix-sasl.conf

Running tests
=============

Use   failregex file : /etc/fail2ban/filter.d/postfix-sasl.conf
Use         log file : /var/log/maillog


Results
=======

Failregex: 4293 total
|-  #) [# of hits] regular expression
|   1) [4293] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?postfix/smtpd(?:\(\S+\))?[\]\)]?:?|[\[\(]?postfix/smtpd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [248025] MONTH Day Hour:Minute:Second
`-

Lines: 248025 lines, 0 ignored, 4293 matched, 243732 missed
Missed line(s): too many to print.  Use --print-all-missed to print all 243732 lines

Even though the regex is correct, fail2ban "fails to ban":

Code:
[nimda4597@xxxx fail2ban]# fail2ban-client status plesk-postfix
Status for the jail: plesk-postfix
|- filter
|  |- File list:        /var/log/maillog
|  |- Currently failed: 0
|  `- Total failed:     0
`- action
   |- Currently banned: 0
   |  `- IP list:
   `- Total banned:     0

What do you think? Any suggestion is appreciated!

Regards
 
Did you find an answer to this? I have the same question. I see multiple logon attempts when checking /var/log/secure, but fail2ban is not acting on them.
 
I had to enable the jails on the corresponding page:
Server Management => Tools & Settings => IP Address Banning (Fail2Ban) => Jails
There I selected all jails and clicked "Switch On", as they had not been active after the upgrade.
 
I'm wondering why the Banned IP Addresses page removes everything after a change to the Fail2Ban settings.
 
Hi,

I think: when you change settings in fail2ban, whether through the user interface in Plesk or directly in f2b, you need to restart f2b (which Plesk does automatically). And with the restart, all entries in iptables are gone.

I've tested it with a normal restart of fail2ban (service fail2ban restart), and afterwards there were no more entries in the firewall (iptables -L).

I think it's normal.

tajt02
 
To me it is still quite strange. As you have the Trusted IP Addresses list that is kept in memory, you should also have the Banned IP Addresses kept. Otherwise, what's the point of clearing that list after a simple service restart (each time you make a change :O)?
 
I managed to fix my issues and get it working. I had two issues:

1. My server time and log times were not the same, so ensuring that "hwclock" and "date" agreed and then restarting the log service was one part.
2. Then the "backend" setting was set to auto and Gamin was being selected by fail2ban. Manually setting the backend to polling got auto banning working.
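The first cause above explains the symptom from the opening post (fail2ban-regex reports thousands of matches while the jail shows "Total failed: 0"): fail2ban only counts a matched line whose timestamp lies within findtime of the server clock. The script below is an added example, not code from the thread or from fail2ban; it models that findtime window (600 seconds, the value in the thread's [DEFAULT] section) over constructed maillog lines and shows what a one-hour clock mismatch does to them.

```python
"""Model fail2ban's findtime window against syslog timestamps (added example).

Assumes findtime = 600 (the thread's [DEFAULT]); the maillog lines are constructed
in the shape the thread's postfix-sasl filter matches. A log writer whose clock
differs from the server clock by more than findtime makes every match expire
immediately, which is why the jail counts nothing although the regex matches.
"""
import re
from datetime import datetime, timedelta

FINDTIME = 600  # seconds, from the thread's [DEFAULT] section

# Syslog "MONTH Day Hour:Minute:Second" prefix, the date template fail2ban-regex reported
SYSLOG_TS = re.compile(r"^([A-Z][a-z]{2})\s+(\d{1,2}) (\d{2}):(\d{2}):(\d{2})\b")


def parse_syslog_time(line, year):
    """Return the line's timestamp as a datetime; syslog omits the year, so it is supplied."""
    m = SYSLOG_TS.match(line)
    if not m:
        return None
    stamp = f"{year} {m.group(1)} {m.group(2)} {m.group(3)}:{m.group(4)}:{m.group(5)}"
    return datetime.strptime(stamp, "%Y %b %d %H:%M:%S")


def classify(lines, now, findtime=FINDTIME):
    """Return (counted, expired, future): how many lines a findtime window ending at `now` keeps."""
    counted = expired = future = 0
    for line in lines:
        ts = parse_syslog_time(line, now.year)
        if ts is None:
            continue
        age = (now - ts).total_seconds()
        if age < 0:
            future += 1      # log clock is ahead of the server clock
        elif age > findtime:
            expired += 1     # older than findtime: never counted toward maxretry
        else:
            counted += 1
    return counted, expired, future


# Constructed maillog lines (not from the thread); 198.51.100.7 is a documentation address
SAMPLE_LOG = [
    "Jul  1 02:40:01 host postfix/smtpd[2201]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed",
    "Jul  1 02:40:05 host postfix/smtpd[2201]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed",
    "Jul  1 02:41:12 host postfix/smtpd[2203]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed",
    "Jul  1 02:42:30 host postfix/smtpd[2203]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed",
]


def demo():
    """Same log, two server clocks: in sync with the log writer, and one hour ahead of it."""
    in_sync = datetime(2014, 7, 1, 2, 42, 39)
    skewed = in_sync + timedelta(hours=1)
    return classify(SAMPLE_LOG, in_sync), classify(SAMPLE_LOG, skewed)


if __name__ == "__main__":
    print(demo())  # ((4, 0, 0), (0, 4, 0))
```

With the clocks in sync all four failures fall inside the window; with the server clock one hour ahead every match is already older than findtime, so maxretry is never reached.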
 