Fail2ban ne démarre pas

J'ai effectué quelques modifications dans le file /etc/fail2ban/jail.local (une copy de /etc/fail2ban/jail.conf) et enregistré, mais maintenant fail2ban ne démarre pas. Si j'efface jail.local, il recommence. Donc, le problème se trouve dans ce file (jail.local), mais après 2 heures pour le problème, je ne sais vraiment pas où est l'erreur.

S'il vous plaît, quelqu'un peut-il m'aider pour find le (s) problème (s)? Je vous remercie.

C'est le file

# # WARNING: heavily refactored in 0.9.0 release. Please review and # customize settings for your setup. # # Changes: in most of the cases you should not modify this # file, but provide customizations in jail.local file, # or separate .conf files under jail.d/ directory, eg: # # HOW TO ACTIVATE JAILS: # # YOU SHOULD NOT MODIFY THIS FILE. # # It will probably be overwritten or improved in a dissortingbution update. # # Provide customizations in a jail.local file or a jail.d/customisation.local. # For example to change the default bantime for all jails and to enable the # ssh-iptables jail the following (uncommented) would appear in the .local file. # See man 5 jail.conf for details. # # [DEFAULT] # bantime = 3600 # # [sshd] # enabled = true # # See jail.conf(5) man page for more information # Comments: use '#' for comment lines and ';' (following a space) for inline comments [INCLUDES] #before = paths-distro.conf before = paths-fedora.conf # The DEFAULT allows a global definition of the options. They can be overridden # in each jail afterwards. [DEFAULT] # # MISCELLANEOUS OPTIONS # # "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not # ban a host which matches an address in this list. Several addresses can be # defined using space separator. ignoreip = 127.0.0.1/8 199.27.128.0/21 173.245.48.0/20 103.21.244.0/22 103.22.200.0/22 103.31.4.0/22 141.101.64.0/18 108.162.192.0/18 190.93.240.0/20 188.114.96.0/20 197.234.240.0/22 198.41.128.0/17 162.158.0.0/15 104.16.0.0/12 # External command that will take an tagged arguments to ignore, eg <ip>, # and return true if the IP is to be ignored. False otherwise. # # ignorecommand = /path/to/command <ip> ignorecommand = # "bantime" is the number of seconds that a host is banned. bantime = 2700000 # A host is banned if it has generated "maxretry" during the last "findtime" # seconds. findtime = 600 # "maxretry" is the number of failures before a host get banned. maxretry = 5 # "backend" specifies the backend used to get files modification. # Available options are "pyinotify", "gamin", "polling", "systemd" and "auto". # This option can be overridden in each jail as well. # # pyinotify: requires pyinotify (a file alteration monitor) to be installed. # If pyinotify is not installed, Fail2ban will use auto. # gamin: requires Gamin (a file alteration monitor) to be installed. # If Gamin is not installed, Fail2ban will use auto. # polling: uses a polling algorithm which does not require external libraries. # systemd: uses systemd python library to access the systemd journal. # Specifying "logpath" is not valid for this backend. # See "journalmatch" in the jails associated filter config # auto: will try to use the following backends, in order: # pyinotify, gamin, polling. backend = auto # "usedns" specifies if jails should trust hostnames in logs, # warn when DNS lookups are performed, or ignore all hostnames in logs # # yes: if a hostname is encountered, a DNS lookup will be performed. # warn: if a hostname is encountered, a DNS lookup will be performed, # but it will be logged as a warning. # no: if a hostname is encountered, will not be used for banning, # but it will be logged as info. usedns = warn # "logencoding" specifies the encoding of the log files handled by the jail # This is used to decode the lines from the log file. # Typical examples: "ascii", "utf-8" # # auto: will use the system locale setting logencoding = auto # "enabled" enables the jails. # By default all jails are disabled, and it should stay this way. # Enable only relevant to your setup jails in your .local or jail.d/*.conf # # true: jail will be enabled and log files will get monitored for changes # false: jail is not enabled enabled = false # "filter" defines the filter to use by the jail. # By default jails have names matching their filter name # filter = %(__name__)s # # ACTIONS # # Some options used for actions # Destination email address used solely for the interpolations in # jail.{conf,local,d/*} configuration files. destemail = root@localhost # Sender email address used solely for some actions sender = root@localhost # E-mail action. Since 0.8.1 Fail2Ban uses sendmail MTA for the # mailing. Change mta configuration parameter to mail if you want to # revert to conventional 'mail'. mta = sendmail # Default protocol protocol = tcp # Specify chain where jumps would need to be added in iptables-* actions chain = INPUT # Ports to be banned # Usually should be overridden in a particular jail port = 0:65535 # # Action shortcuts. To be used to define action parameter # Default banning action (eg iptables, iptables-new, # iptables-multiport, shorewall, etc) It is used to define # action_* variables. Can be overridden globally or per # section within jail.local file banaction = iptables-multiport # The simplest action to take: ban only action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] # ban & send an e-mail with whois report to the destemail. action_mw = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"] # ban & send an e-mail with whois report and relevant log lines # to the destemail. action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"] # See the IMPORTANT note in action.d/xarf-login-attack for when to use this action # # ban & send a xarf e-mail to abuse contact of IP address and include relevant log lines # to the destemail. action_xarf = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"] # Report block via blocklist.de fail2ban reporting service API # # See the IMPORTANT note in action.d/blocklist_de.conf for when to # use this action. Create a file jail.d/blocklist_de.local containing # [Init] # blocklist_de_apikey = {api key from registration] # action_blocklist_de = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s"] # Report ban via badips.com, and use as blacklist # # See BadIPsAction docssortingng in config/action.d/badips.py for # documentation for this action. # # NOTE: This action relies on banaction being present on start and therefore # should be last action defined for a jail. # action_badips = badips.py[category="%(name)s", banaction="%(banaction)s"] # Choose default action. To change, just override value of 'action' with the # interpolation to the chosen action shortcut (eg action_mw, action_mwl, etc) in jail.local # globally (section [DEFAULT]) or per specific section action = %(action_)s # # JAILS # # # SSH servers # [sshd] enabled = true port = ssh filter = sshd logpath = %(sshd_log)s maxretry = 5 [sshd-ddos] # This jail corresponds to the standard configuration in Fail2ban. # The mail-whois action send a notification e-mail with a whois request # in the body. enabled = true port = ssh filter = sshd-ddos logpath = %(sshd_log)s maxretry = 5 [dropbear] port = ssh logpath = %(dropbear_log)s [selinux-ssh] port = ssh logpath = %(auditd_log)s maxretry = 5 # # HTTP servers # [apache-auth] enabled = true port = http,https filter = apache-auth logpath = %(apache_error_log)s maxretry = 5 [apache-badbots] # Ban hosts which agent identifies spammer robots crawling the web # for email addresses. The mail outputs are buffered. port = http,https logpath = %(apache_access_log)s bantime = 172800 maxretry = 1 [apache-noscript] enabled = true port = http,https filter = apache-noscript logpath = %(apache_error_log)s maxretry = 6 [apache-overflows] enabled = true port = http,https filter = apache-overflows logpath = %(apache_error_log)s maxretry = 3 [apache-nohome] port = http,https logpath = %(apache_error_log)s maxretry = 2 [apache-botsearch] port = http,https logpath = %(apache_error_log)s maxretry = 2 [apache-modsecurity] port = http,https logpath = %(apache_error_log)s maxretry = 2 [apache-shellshock] enabled = true port = http,https filter = apache-shellshock logpath = $(apache_error_log)s maxretry = 1 [nginx-http-auth] ports = http,https logpath = %(nginx_error_log)s # Ban attackers that try to use PHP's URL-fopen() functionality # through GET/POST variables. - Experimental, with more than a year # of usage in production environments. [php-url-fopen] port = http,https logpath = %(nginx_access_log)s %(apache_access_log)s [suhosin] port = http,https logpath = %(suhosin_log)s [lighttpd-auth] # Same as above for Apache's mod_auth # It catches wrong authentifications port = http,https logpath = %(lighttpd_error_log)s # # Webmail and groupware servers # [roundcube-auth] port = http,https logpath = /var/log/roundcube/userlogins [openwebmail] port = http,https logpath = /var/log/openwebmail.log [horde] port = http,https logpath = /var/log/horde/horde.log [groupoffice] port = http,https logpath = /home/groupoffice/log/info.log [sogo-auth] # Monitor SOGo groupware server # without proxy this would be: # port = 20000 port = http,https logpath = /var/log/sogo/sogo.log [tine20] logpath = /var/log/tine20/tine20.log port = http,https maxretry = 5 # # Web Applications # # [guacamole] port = http,https logpath = /var/log/tomcat*/catalina.out [monit] #Ban clients brute-forcing the monit gui login filter = monit port = 2812 logpath = /var/log/monit [webmin-auth] enabled = true port = 10000 filter = webmin-auth logpath = %(syslog_authpriv)s maxretry = 5 # # HTTP Proxy servers # # [squid] port = 80,443,3128,8080 logpath = /var/log/squid/access.log [3proxy] port = 3128 logpath = /var/log/3proxy.log # # FTP servers # [proftpd] enabled = true port = ftp,ftp-data,ftps,ftps-data filter = proftpd logpath = %(proftpd_log)s maxretry = 5 [pure-ftpd] port = ftp,ftp-data,ftps,ftps-data logpath = %(pureftpd_log)s maxretry = 6 [gssftpd] port = ftp,ftp-data,ftps,ftps-data logpath = %(syslog_daemon)s maxretry = 6 [wuftpd] port = ftp,ftp-data,ftps,ftps-data logpath = %(wuftpd_log)s maxretry = 6 [vsftpd] # or overwrite it in jails.local to be # logpath = %(syslog_authpriv)s # if you want to rely on PAM failed login attempts # vsftpd's failregex should match both of those formats port = ftp,ftp-data,ftps,ftps-data logpath = %(vsftpd_log)s # # Mail servers # # ASSP SMTP Proxy Jail [assp] port = smtp,465,submission logpath = /root/path/to/assp/logs/maillog.txt [courier-smtp] port = smtp,465,submission logpath = %(syslog_mail)s [postfix] enabled = true port = smtp,465,submission logpath = %(postfix_log)s [sendmail-auth] enabled = true port = submission,465,smtp logpath = %(syslog_mail)s [sendmail-reject] enabled = true port = smtp,465,submission logpath = %(syslog_mail)s [qmail-rbl] filter = qmail port = smtp,465,submission logpath = /service/qmail/log/main/current # dovecot defaults to logging to the mail syslog facility # but can be set by syslog_facility in the dovecot configuration. [dovecot] enabled = true port = pop3,pop3s,imap,imaps,submission,465,sieve logpath = %(dovecot_log)s [sieve] port = smtp,465,submission logpath = %(dovecot_log)s [solid-pop3d] port = pop3,pop3s logpath = %(solidpop3d_log)s [exim] port = smtp,465,submission logpath = %(exim_main_log)s [exim-spam] port = smtp,465,submission logpath = %(exim_main_log)s [kerio] port = imap,smtp,imaps,465 logpath = /opt/kerio/mailserver/store/logs/security.log # # Mail servers authenticators: might be used for smtp,ftp,imap servers, so # all relevant ports get banned # [courier-auth] port = smtp,465,submission,imap3,imaps,pop3,pop3s logpath = %(syslog_mail)s [postfix-sasl] port = smtp,465,submission,imap3,imaps,pop3,pop3s # You might consider monitoring /var/log/mail.warn instead if you are # running postfix since it would provide the same log lines at the # "warn" level but overall at the smaller filesize. logpath = %(postfix_log)s [perdition] port = imap3,imaps,pop3,pop3s logpath = %(syslog_mail)s [squirrelmail] port = smtp,465,submission,imap2,imap3,imaps,pop3,pop3s,http,https,socks logpath = /var/lib/squirrelmail/prefs/squirrelmail_access_log [cyrus-imap] port = imap3,imaps logpath = %(syslog_mail)s [uwimap-auth] port = imap3,imaps logpath = %(syslog_mail)s # # # DNS servers # # !!! WARNING !!! # Since UDP is connection-less protocol, spoofing of IP and imitation # of illegal actions is way too simple. Thus enabling of this filter # might provide an easy way for implementing a DoS against a chosen # victim. See # http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html # Please DO NOT USE this jail unless you know what you are doing. # # IMPORTANT: see filter.d/named-refused for instructions to enable logging # This jail blocks UDP traffic for DNS requests. # [named-refused-udp] # # filter = named-refused # port = domain,953 # protocol = udp # logpath = /var/log/named/security.log # IMPORTANT: see filter.d/named-refused for instructions to enable logging # This jail blocks TCP traffic for DNS requests. [named-refused] port = domain,953 logpath = /var/log/named/security.log [nsd] port = 53 action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] logpath = /var/log/nsd.log # # Miscellaneous # [asterisk] port = 5060,5061 action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"] logpath = /var/log/asterisk/messages maxretry = 10 [freeswitch] port = 5060,5061 action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"] logpath = /var/log/freeswitch.log maxretry = 10 # To log wrong MySQL access attempts add to /etc/my.cnf in [mysqld] or # equivalent section: # log-warning = 2 # # for syslog (daemon facility) # [mysqld_safe] # syslog # # for own logfile # [mysqld] # log-error=/var/log/mysqld.log [mysqld-auth] port = 3306 logpath = %(mysql_log)s maxretry = 5 # Jail for more extended banning of persistent abusers # !!! WARNING !!! # Make sure that your loglevel specified in fail2ban.conf/.local # is not at DEBUG level -- which might then cause fail2ban to fall into # an infinite loop constantly feeding itself with non-informative lines [recidive] logpath = /var/log/fail2ban.log port = all protocol = all bantime = 604800 ; 1 week findtime = 86400 ; 1 day maxretry = 5 # Generic filter for PAM. Has to be used with action which bans all # ports such as iptables-allports, shorewall [pam-generic] # pam-generic filter can be customized to monitor specific subset of 'tty's banaction = iptables-allports logpath = %(syslog_authpriv)s [xinetd-fail] banaction = iptables-multiport-log logpath = %(syslog_daemon)s maxretry = 2 # stunnel - need to set port for this [stunnel] logpath = /var/log/stunnel4/stunnel.log [ejabberd-auth] port = 5222 logpath = /var/log/ejabberd/ejabberd.log [counter-ssortingke] logpath = /opt/cssortingke/logs/L[0-9]*.log # Firewall: http://www.cssortingke-planet.com/faq/6 tcpport = 27030,27031,27032,27033,27034,27035,27036,27037,27038,27039 udpport = 1200,27000,27001,27002,27003,27004,27005,27006,27007,27008,27009,27010,27011,27012,27013,27014,27015 action = %(banaction)s[name=%(__name__)s-tcp, port="%(tcpport)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] %(banaction)s[name=%(__name__)s-udp, port="%(udpport)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] # consider low maxretry and a long bantime # nobody except your own Nagios server should ever probe nrpe [nagios] enabled = false logpath = %(syslog_daemon)s ; nrpe.cfg may define a different log_facility maxretry = 1 [oracleims] # see "oracleims" filter file for configuration requirement for Oracle IMS v6 and above enabled = false logpath = /opt/sun/comms/messaging64/log/mail.log_current maxretry = 6 banaction = iptables-allports [directadmin] enabled = false logpath = /var/log/directadmin/login.log port = 2222 [portsentry] enabled = false logpath = /var/lib/portsentry/portsentry.history maxretry = 1 

g C'est l'erreur que je reçois lorsque j'essaie de démarrer fail2ban

 Job for fail2ban.service failed. See 'systemctl status fail2ban.service' and 'journalctl -xn' for details. 

et c'est l'erreur que j'ai lorsque je tapez systemctl status fail2ban.service

  Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled) Active: failed (Result: start-limit) since Sun 2015-02-01 17:20:19 CET; 50s ago Docs: man:fail2ban(1) Process: 18318 ExecStop=/usr/bin/fail2ban-client stop (code=exited, status=0/SUCCESS) Process: 19570 ExecStart=/usr/bin/fail2ban-client -x start (code=exited, status=255) Main PID: 18304 (code=killed, signal=TERM) 

in /var/log/fail2ban.log n'apparaît aucune erreur

Des conseils pour résoudre ce problème? Je vous remercie

One Solution collect form web for “Fail2ban ne démarre pas”

Vous devez vérifier que chacun des services que vous avez activés possède un file journal qui correspond à ce que fail2ban attend.

Par exemple:

sshd possède un file journal défini dans fail2ban comme suit:

 logpath = %(sshd_log)s 

qui correspond à:

 sshd_log = %(syslog_authpriv)s 

et dépend ensuite d'un file distro spécifique comme

 paths-fedora.conf:syslog_authpriv = /var/log/secure 

Si le file n'est pas trouvé, fail2ban ne démarre pas. Si vous savez où le file est alors, modifiez manuellement la ligne logpath et cela corrigera votre problème.

  • fail2ban s'exécutant sur CentOS 7 et obtenant "la connection ssh refusée"
  • Fail2ban enregistre l'IP correct sur le vernis mais n'est toujours pas verrouillé
  • Fail2ban ne démarre pas via /etc/init.d/fail2ban mais via / usr / bin / fail2ban-client
  • Utilisez fail2ban pour Samba
  • Comment configurer des groupes d'hôtes sur Fail2ban pour Wordpress?
  • Comment utiliser les variables d'action appelées dans fail2ban?
  • Comment puis-je spécifier plusieurs files journaux pour une prison dans fail2ban?
  • Fail2ban ne veut pas démarrer le server
  • Comment configurer correctement fail2ban pour interdire IP s'il accède à de mauvais files
  • Fail2ban sur Ubuntu 11.10 n'interdit pas le filter / la prison personnalisé
  • Fail2ban maxretry meaning
  • Les astuces du serveur de linux et windows, tels que ubuntu, centos, apache, nginx, debian et des sujets de rĂ©seau.