Unban IP in Fail2ban

Step 1: Find IP Address to Unblock

Log in to your server via SSH and type in the following command:

iptables -L -n

Look for the IP address you want to unblock / unban.

Step 2: Get Jail Name of fail2ban Blocked IP Address

Now we must find the jail name this IP address is in. To do so, type the following to find the jail list settings:

fail2ban-client status

Step 3: Unban IP Address from fail2ban

For this example, we will remove an IP address jailed within ssh. To do so, type in the following:

fail2ban-client set <jail-name> unbanip 123.123.123.123

The IP address should now be unbanned from fail2ban.

Fail2ban Error in file postfix-sasl.conf

My old configuration file was:
failregex = ^%(__prefix_line)swarning: [-._\w]+\[\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(:[ A-Za-z0-9+/:]*={0,2})?\s*$

If you go to https://regex101.com/ you can test the regular expression on the log string:

May 10 15:57:59 mail postfix/smtpd[28617]: warning: ip43.ip-192-99-125.net[192.99.125.43]: SASL LOGIN authentication failed: Connection lost to authentication server

I corrected the error and the configuration is:

failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(:[ A-Za-z0-9+:]*={0,2})?\s*$

You can also leave the first setting, but it is not necessary.

 

 

Fail2ban and WordPress

Find the WordPress log file.

It is normally configured in httpd.conf (if you are using the Apache web server).

    # The following directives define some format nicknames for use with
    # a CustomLog directive (see below).
    #

    #LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%v %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
    LogFormat "%h %v %l %u %t \"%r\" %>s %b" comonvhost

    <IfModule logio_module>
      # You need to enable mod_logio.c to use %I and %O
      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    </IfModule>

    #
    # The location and format of the access logfile (Common Logfile Format).
    # If you do not define any access logfiles within a <VirtualHost>
    # container, they will be logged here.  Contrariwise, if you *do*
    # define per-<VirtualHost> access logfiles, transactions will be
    # logged therein and *not* in this file.
    #
    #CustomLog "logs/access_log" common
    #
    # If you prefer a logfile with access, agent, and referer information
    # (Combined Logfile Format) you can use the following directive.
    #
    CustomLog "logs/access_log" combined

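Here are the log file parameters.

An example from my server of a failed login to WordPress:

saic.it 85.10.117.176 - - [30/Sep/2017:09:29:02 +0200] "POST /wp-login.php HTTP/1.1" 200 5444 "http://www.saic.it/wp-login.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:52.0) Gecko/20100101 Firefox/52.0"

Field by field:

%v                  saic.it
%h                  85.10.117.176
%l                  -
%u                  -
%t                  [30/Sep/2017:09:29:02 +0200]
\"%r\"              "POST /wp-login.php HTTP/1.1"
%>s                 200
%b                  5444
\"%{Referer}i\"     "http://www.saic.it/wp-login.php"
\"%{User-Agent}i\"  "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:52.0) Gecko/20100101 Firefox/52.0"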


How to unban an IP with Fail2ban

fail2ban-client set postfix unbanip 32.227.233.171

How to show the jail list:
fail2ban-client status

How to view the status of a jail:
fail2ban-client status roundcube

Show all the IPs for all jails:
fail2ban-client status | grep "Jail list:" | sed "s/ //g" | awk '{split($2,a,",");for(i in a) system("fail2ban-client status " a[i])}' | grep "Status\|IP list"

Example: unban an IP from every jail:
for jail in $(fail2ban-client status | grep 'Jail list:' | sed 's/.*Jail list://' | sed 's/,//g'); do fail2ban-client set "$jail" unbanip 185.41.34.122; done

 

List of banned or recidive IPs

iptables -L -n

Fail2ban Error – CentOS 7

Hi,

From logwatch I saw this error:

ERROR   Failed to execute ban jail 'ssh-iptables' action 'iptables' info 'CallingMap({'ipjailmatches': <function <lambda> at 0x7f8e24d2b578>, 'matches': u'Jan 28 00:15:51 saic sshd[30705]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ti0100a400-1587.bb.online.no  user=root\nFailed password for root from 85.165.177.58 port 45430 ssh2\nFailed password for root from 85.165.177.58 port 45430 ssh2', 'ip': '85.165.177.58', 'ipmatches': <function <lambda> at 0x7f8e24d2b488>, 'ipfailures': <function <lambda> at 0x7f8e24d2bb90>, 'time': 1485558957.444361, 'failures': 3, 'ipjailfailures': <function <lambda> at 0x7f8e24d2b5f0>})': Error starting action

To solve it I followed this: https://github.com/fail2ban/fail2ban/issues/973

and then this: https://github.com/fail2ban/fail2ban/issues/878#issuecomment-65732113

Not necessarily… But if you will really stand-alone fail2ban, so download direct from github or checkout via git (from github).
- master – https://github.com/fail2ban/fail2ban/archive/master.zip
- debian – https://github.com/fail2ban/fail2ban/archive/debian.zip
- repo – git://github.com/fail2ban/fail2ban.git

Hereafter unzip it and run install:

cd /tmp/f2b
sudo python setup.py install

So I reinstalled fail2ban, after making a backup of the files (/etc/fail2ban).

After installation I overwrote /etc/fail2ban with my previous files.

Fail2ban Configuration file for WordPress

a) Create configuration file
vim /etc/fail2ban/filter.d/wordpress.conf

# Fail2Ban filter for WordPress hard failures
#

[INCLUDES]

before = common.conf

[Definition]

_daemon = (?:wordpress|wp)

failregex = .*<HOST> - - .* "POST \/wp-login\.php HTTP\/1\.1" 200 (5127|5128|5129|5130) .*
            .*<HOST> - - .* "POST \/xmlrpc\.php HTTP\/1\.1" 200 (5127|5128|5129|5130) .*
            .*<HOST> - - .* "POST \/blog\/wp-login\.php HTTP\/1\.1" 200 (5127|5128|5129|5130) .*
            .*<HOST> - - .* "POST \/web\/wp-login\.php HTTP\/1\.1" 200 (5127|5128|5129|5130) .*
ignoreregex =

b) Set jail.conf

[wordpress]

enabled = true
filter = wordpress
action = iptables-multiport[name=wordpress, port="http,https", dest=postmaster@saic.it, sender=postmaster@saic.it]
logpath = /var/log/httpd/access_log
maxretry = 5
port = http,https
findtime = 300
bantime = 10800

Restart fail2ban.
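
Added example (not part of the original post): a Python check of the wp-login failregex against the access-log line shown earlier, the kind of test worth running before enabling the jail. It assumes an IPv4-only stand-in for fail2ban's <HOST> tag and skips fail2ban's own timestamp handling; "anchored" is a hypothetical tightening and the 5128 line is constructed.

```python
import re

# Assumption: IPv4-only stand-in for fail2ban's <HOST> tag; the real expansion
# also accepts IPv6 and hostnames, and fail2ban handles the timestamp itself.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

TAIL = r' - - .* "POST \/wp-login\.php HTTP\/1\.1" 200 (5127|5128|5129|5130) .*'
FILTERS = {
    # Straight quotes and hyphens, as Apache writes them.
    "ascii": ".*<HOST>" + TAIL,
    # Same pattern after a blog engine has swapped in typographic characters.
    "typographic": ".*<HOST> \u2013 \u2013 .* \u201cPOST \\/wp-login\\.php "
                   "HTTP\\/1\\.1\u201d 200 (5127|5128|5129|5130) .*",
    # Hypothetical tightening: the vhost (%v) column, then the client (%h).
    "anchored": r"^\S+ <HOST>" + TAIL,
}

# The failed login from the page (response size 5444) ...
PAGE_LINE = (
    'saic.it 85.10.117.176 - - [30/Sep/2017:09:29:02 +0200] '
    '"POST /wp-login.php HTTP/1.1" 200 5444 "http://www.saic.it/wp-login.php" '
    '"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:52.0) '
    'Gecko/20100101 Firefox/52.0"'
)
# ... and a constructed copy whose size is one the filter lists.
LISTED_SIZE_LINE = PAGE_LINE.replace(" 200 5444 ", " 200 5128 ")


def matched_host(failregex, line):
    """Expand <HOST>, search the line, return the captured address or None."""
    m = re.search(failregex.replace("<HOST>", HOST), line)
    return m.group("host") if m else None


def report():
    """Map filter name -> (host on the page's line, host on the 5128 line)."""
    return {name: (matched_host(rx, PAGE_LINE), matched_host(rx, LISTED_SIZE_LINE))
            for name, rx in FILTERS.items()}


if __name__ == "__main__":
    for name, (page, listed) in report().items():
        print(f"{name:12} size 5444 -> {page}   size 5128 -> {listed}")
```

The size list has to reflect the failed-login response size of your own site, and with the greedy `.*` in front of <HOST> the captured address can start in the middle of the real one; run fail2ban-regex against the real access log to see what your installed version extracts.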

 

 

Fail2ban Configuration for ISPConfig

The first thing we need to do is create a filter for ISPConfig in the /etc/fail2ban/filter.d/ directory.

vi /etc/fail2ban/filter.d/ispconfig.conf

Add the following definition so the filter knows what to look for in /var/log/ispconfig/auth.log for ISPConfig 3.

# Fail2Ban filter for ISPConfig hard failures
#

[INCLUDES]

before = common.conf

[Definition]

_daemon = (?:ispconfig)

failregex = Failed login for user .* from <HOST>
ignoreregex =

vim /etc/fail2ban/jail.conf

Add these lines:

[ispconfig]
enabled = true
port = 8080
filter = ispconfig
# The action name and port belong to this jail: ban the ISPConfig panel port.
action = iptables-multiport[name=ispconfig, port="8080", dest=postmaster@saic.it, sender=postmaster@saic.it]
logpath = /var/log/ispconfig/auth.log
maxretry = 3
findtime = 300
bantime = 10800

You can/should test the new configuration by running the following command.

fail2ban-regex /var/log/ispconfig/auth.log /etc/fail2ban/filter.d/ispconfig.conf

Then restart fail2ban to load your new jail for ISPConfig 3 failed login attempts.

service fail2ban restart

Useful:

https://www.digitalocean.com/community/tutorials/how-fail2ban-works-to-protect-services-on-a-linux-server

Fail2ban configuration

Today I found an error in the regular expression of the fail2ban filter:

/etc/fail2ban/filter.d/postfix-sasl.conf

This useful site, https://regex101.com/, gave me an error, so I changed the expression from

failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/:]*={0,2})?\s*

to

failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+\/:]*={0,2})?\s*

fail2ban conf file: jail.conf

[postfix-sasl]

enabled = true
filter = postfix-sasl
action = iptables[name=postfix-sasl, port="smtp,465,submission,imap3,imaps,pop3,pop3s", protocol=tcp]
         sendmail-whois[name=postfix-sasl, dest=postmaster@saic.it, sender=postmaster@saic.it]
#port = smtp,465,submission,imap3,imaps,pop3,pop3s
# You might consider monitoring /var/log/mail.warn instead if you are
# running postfix since it would provide the same log lines at the
# "warn" level but overall at the smaller filesize.
logpath = %(postfix_log)s
backend = %(postfix_backend)s
maxretry = 3
bantime = 10800

The variables postfix_log and postfix_backend are configured in /etc/fail2ban/paths-fedora.conf.
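
Added example (not part of the original post), covering both postfix-sasl sections above: Python's re module, which fail2ban uses, has no pattern delimiter, so the class with "/" and the class with "\/" behave identically, while the variant with "/" removed from the class stops matching failure text that contains a slash. Only the tail of the failregex is tested, and the base64 log line is constructed.

```python
import re

# Only the tail of the failregex is exercised here; the prefix
# (%(__prefix_line)s, <HOST>, SASL method) is the same in every version.
TAIL = r"authentication failed(:[ A-Za-z0-9+%s:]*={0,2})?\s*$"
VARIANTS = {
    "slash": TAIL % "/",       # "/" unescaped inside the character class
    "escaped": TAIL % r"\/",   # "\/", which silences regex101's delimiter error
    "dropped": TAIL % "",      # "/" removed from the class altogether
}

# The log line quoted on the page.
PAGE_LINE = ("May 10 15:57:59 mail postfix/smtpd[28617]: warning: "
             "ip43.ip-192-99-125.net[192.99.125.43]: SASL LOGIN authentication "
             "failed: Connection lost to authentication server")
# Constructed line: the failure text is a base64 string containing "/".
BASE64_LINE = ("May 10 15:58:03 mail postfix/smtpd[28617]: warning: "
               "unknown[192.0.2.10]: SASL CRAM-MD5 authentication failed: "
               "QUJD/0RFRg==")


def tail_matches(variant, line):
    """True when the named variant of the failregex tail matches the line."""
    return re.search(VARIANTS[variant], line) is not None


def table():
    """Map variant -> (matches the page's line, matches the base64 line)."""
    return {v: (tail_matches(v, PAGE_LINE), tail_matches(v, BASE64_LINE))
            for v in VARIANTS}


if __name__ == "__main__":
    for variant, (page, b64) in table().items():
        print(f"{variant:8} page line: {page}   base64 line: {b64}")
```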

http://www.fail2ban.org/wiki/index.php/Fail2ban:Community_Portal