System Admin Intrusion Detection problem

Distro Discussion & Help
1

  1. To test the intrusion detection system we configured an ATA with wrong password and connected it to the Internet at our ofice. Within seconds my IP was locked out from the system HOWEVER my IP is whitelisted!!!

  2. GUI and SSH was all locked out from my whitelisted IP.

  3. I changed my IP address and tried again to access the GUI but it still did not work. Gui access was locked from any IP. I opened an SSH session and reset the webserver (service httpd restart) but that didn’t do anything either. Nothing worked until I turned off fail2ban with “service fail2ban stop”

I don’t think this is way it’s supposed to work.

FAIL2BAN log
2011-06-14 17:05:39,962 fail2ban.actions: WARNING [asterisk-iptables] Ban 64.xxx.xxx.xxx
2011-06-14 17:30:39,553 fail2ban.actions: WARNING [asterisk-iptables] Unban 64.xxx.xxx.xxx
2011-06-14 18:07:04,970 fail2ban.jail : INFO Using Gamin
2011-06-14 18:07:04,983 fail2ban.filter : INFO Created Filter
2011-06-14 18:07:04,984 fail2ban.filter : INFO Created FilterGamin
2011-06-14 18:07:04,985 fail2ban.filter : INFO Added logfile = /var/log/secure
2011-06-14 18:07:04,991 fail2ban.filter : INFO Set maxRetry = 5
2011-06-14 18:07:04,992 fail2ban.filter : INFO Set findtime = 600
2011-06-14 18:07:04,993 fail2ban.actions: INFO Set banTime = 1800
2011-06-14 18:07:05,021 fail2ban.actions.action: INFO Set actionBan = iptables -I fail2ban- 1 -s -j DROP
2011-06-14 18:07:05,022 fail2ban.actions.action: INFO Set actionStop = iptables -D INPUT -p -j fail2ban-
iptables -F fail2ban-
iptables -X fail2ban-
2011-06-14 18:07:05,022 fail2ban.actions.action: INFO Set actionStart = iptables -N fail2ban-
iptables -A fail2ban- -j RETURN
iptables -I INPUT -p -j fail2ban-
2011-06-14 18:07:05,023 fail2ban.actions.action: INFO Set actionUnban = iptables -D fail2ban- -s -j DROP
2011-06-14 18:07:05,023 fail2ban.actions.action: INFO Set actionCheck = iptables -n -L INPUT | grep -q fail2ban-
2011-06-14 18:07:05,025 fail2ban.actions.action: INFO Set actionBan = printf %b “Subject: [Fail2Ban] : banned
From: Fail2Ban <>
To: \n
Hi,\n
The IP has just been banned by Fail2Ban after
attempts against .\n\n
Here are more information about :\n
/usr/bin/whois <ip>\n
Regards,\n
Fail2Ban” | /usr/sbin/sendmail -f

2

Can you re-create this. All fail2ban does is setup iptable rules. We dont do anything special with fail2ban. Not sure how it would block everything.

Check iptable rules next time and see what it shows is blocked.

iptables -L -v

This will show you all blocked items.

3

There was a bug in the previous version of fail2ban where only the first ignoreip was read but that’s supposedly fixed in this version. Maybe in some cases it’s still a problem but like you said it’s fail2ban not your distro. We added our IP to jail.conf (just in case jail.local is the problem).