这是工作正常,直到我join了一个新的监狱[apache-postflood]。 如果我删除它然后它的作品,所以什么是错误的“findtime”?
。 输出如下: sudo fail2ban-client start
WARNING 'findtime' not defined in 'ssh'. Using default value WARNING 'findtime' not defined in 'dropbear'. Using default value WARNING 'findtime' not defined in 'pam-generic'. Using default value WARNING 'findtime' not defined in 'xinetd-fail'. Using default value WARNING 'findtime' not defined in 'ssh-ddos'. Using default value WARNING 'findtime' not defined in 'apache'. Using default value WARNING 'findtime' not defined in 'apache-multiport'. Using default value WARNING 'findtime' not defined in 'apache-noscript'. Using default value WARNING 'findtime' not defined in 'apache-overflows'. Using default value WARNING 'findtime' not defined in 'apache-phpmyadmin'. Using default value Traceback (most recent call last): File "/usr/bin/fail2ban-client", line 404, in <module> if client.start(sys.argv): File "/usr/bin/fail2ban-client", line 373, in start return self.__processCommand(args) File "/usr/bin/fail2ban-client", line 183, in __processCommand ret = self.__readConfig() File "/usr/bin/fail2ban-client", line 378, in __readConfig ret = self.__configurator.getOptions() File "/usr/share/fail2ban/client/configurator.py", line 68, in getOptions return self.__jails.getOptions(jail) File "/usr/share/fail2ban/client/jailsreader.py", line 67, in getOptions ret = jail.getOptions() File "/usr/share/fail2ban/client/jailreader.py", line 73, in getOptions self.__opts = ConfigReader.getOptions(self, self.__name, opts) File "/usr/share/fail2ban/client/configreader.py", line 87, in getOptions v = self.get(sec, option[1]) File "/usr/lib/python2.7/ConfigParser.py", line 623, in get return self._interpolate(section, option, value, d) File "/usr/lib/python2.7/ConfigParser.py", line 691, in _interpolate self._interpolate_some(option, L, rawval, section, vars, 1) File "/usr/lib/python2.7/ConfigParser.py", line 726, in _interpolate_some section, map, depth + 1) File "/usr/lib/python2.7/ConfigParser.py", line 723, in _interpolate_some option, section, rest, var) ConfigParser.InterpolationMissingOptionError: Bad value substitution: section: [apache-postflood] option : action key : port rawval : ", protocol="%(protocol)s", chain="%(chain)s"] Jail.conf
# Fail2Ban configuration file. # # This file was composed for Debian systems from the original one # provided now under /usr/share/doc/fail2ban/examples/jail.conf # for additional examples. # # To avoid merges during upgrades DO NOT MODIFY THIS FILE # and rather provide your changes in /etc/fail2ban/jail.local # # Author: Yaroslav O. Halchenko <[email protected]> # # $Revision$ # # The DEFAULT allows a global definition of the options. They can be overridden # in each jail afterwards. [DEFAULT] # "ignoreip" can be an IP address, a CIDR mask or a DNS host ignoreip = 127.0.0.1/8 bantime = 86400 maxretry = 3 # "backend" specifies the backend used to get files modification. Available # options are "gamin", "polling" and "auto". # yoh: For some reason Debian shipped python-gamin didn't work as expected # This issue left ToDo, so polling is default backend for now backend = auto # # Destination email address used solely for the interpolations in # jail.{conf,local} configuration files. destemail = root@localhost # # ACTIONS # # Default banning action (eg iptables, iptables-new, # iptables-multiport, shorewall, etc) It is used to define # action_* variables. Can be overridden globally or per # section within jail.local file banaction = iptables-multiport # email action. Since 0.8.1 upstream fail2ban uses sendmail # MTA for the mailing. Change mta configuration parameter to mail # if you want to revert to conventional 'mail'. mta = sendmail # Default protocol protocol = tcp # Specify chain where jumps would need to be added in iptables-* actions chain = INPUT # # Action shortcuts. To be used to define action parameter # The simplest action to take: ban only action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] # ban & send an e-mail with whois report to the destemail. action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"] # ban & send an e-mail with whois report and relevant log lines # to the destemail. action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"] # Choose default action. To change, just override value of 'action' with the # interpolation to the chosen action shortcut (eg action_mw, action_mwl, etc) in jail.local # globally (section [DEFAULT]) or per specific section action = %(action_)s # # JAILS # # Next jails corresponds to the standard configuration in Fail2ban 0.6 which # was shipped in Debian. Enable any defined here jail by including # # [SECTION_NAME] # enabled = true # # in /etc/fail2ban/jail.local. # # Optionally you may override any other parameter (eg banaction, # action, port, logpath, etc) in that section within jail.local [ssh] enabled = true port = ssh filter = sshd logpath = /var/log/auth.log maxretry = 3 [dropbear] enabled = false port = ssh filter = sshd logpath = /var/log/dropbear maxretry = 3 # Generic filter for pam. Has to be used with action which bans all ports # such as iptables-allports, shorewall [pam-generic] enabled = false # pam-generic filter can be customized to monitor specific subset of 'tty's filter = pam-generic # port actually must be irrelevant but lets leave it all for some possible uses port = all banaction = iptables-allports port = anyport logpath = /var/log/auth.log maxretry = 3 [xinetd-fail] enabled = false filter = xinetd-fail port = all banaction = iptables-multiport-log logpath = /var/log/daemon.log maxretry = 2 [ssh-ddos] enabled = true port = ssh filter = sshd-ddos logpath = /var/log/auth.log maxretry = 2 # # HTTP servers # [apache] enabled = true port = http,https filter = apache-auth logpath = /var/log/apache*/*error.log maxretry = 6 # default action is now multiport, so apache-multiport jail was left # for compatibility with previous (<0.7.6-2) releases [apache-multiport] enabled = false port = http,https filter = apache-auth logpath = /var/log/apache*/*error.log maxretry = 6 [apache-noscript] enabled = true port = http,https filter = apache-noscript logpath = /var/log/apache*/*error.log maxretry = 6 [apache-overflows] enabled = true port = http,https filter = apache-overflows logpath = /var/log/apache*/*error.log maxretry = 2 [apache-phpmyadmin] enabled = true port = http,https filter = apache-phpmyadmin logpath = /var/log/apache*/*error.log maxretry = 3 [apache-postflood] enabled = false filter = apache-postflood logpath = /var/log/httpd/access_log findtime = 10 maxretry = 10 # # FTP servers # [vsftpd] enabled = false port = ftp,ftp-data,ftps,ftps-data filter = vsftpd logpath = /var/log/vsftpd.log # or overwrite it in jails.local to be # logpath = /var/log/auth.log # if you want to rely on PAM failed login attempts # vsftpd's failregex should match both of those formats maxretry = 6 [proftpd] enabled = false port = ftp,ftp-data,ftps,ftps-data filter = proftpd logpath = /var/log/proftpd/proftpd.log maxretry = 6 [pure-ftpd] enabled = false port = ftp,ftp-data,ftps,ftps-data filter = pure-ftpd logpath = /var/log/auth.log maxretry = 6 [wuftpd] enabled = false port = ftp,ftp-data,ftps,ftps-data filter = wuftpd logpath = /var/log/auth.log maxretry = 6 # # Mail servers # [postfix] enabled = false port = smtp,ssmtp filter = postfix logpath = /var/log/mail.log [couriersmtp] enabled = false port = smtp,ssmtp filter = couriersmtp logpath = /var/log/mail.log # # Mail servers authenticators: might be used for smtp,ftp,imap servers, so # all relevant ports get banned # [courierauth] enabled = false port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s filter = courierlogin logpath = /var/log/mail.log [sasl] enabled = false port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s filter = sasl # You might consider monitoring /var/log/mail.warn instead if you are # running postfix since it would provide the same log lines at the # "warn" level but overall at the smaller filesize. logpath = /var/log/mail.log [dovecot] enabled = false port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s filter = dovecot logpath = /var/log/mail.log # DNS Servers # These jails block attacks against named (bind9). By default, logging is off # with bind9 installation. You will need something like this: # # logging { # channel security_file { # file "/var/log/named/security.log" versions 3 size 30m; # severity dynamic; # print-time yes; # }; # category security { # security_file; # }; # }; # # in your named.conf to provide proper logging # !!! WARNING !!! # Since UDP is connection-less protocol, spoofing of IP and imitation # of illegal actions is way too simple. Thus enabling of this filter # might provide an easy way for implementing a DoS against a chosen # victim. See # http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html # Please DO NOT USE this jail unless you know what you are doing. #[named-refused-udp] # #enabled = false #port = domain,953 #protocol = udp #filter = named-refused #logpath = /var/log/named/security.log [named-refused-tcp] enabled = false port = domain,953 protocol = tcp filter = named-refused logpath = /var/log/named/security.log
Apache的postflood.conf:
# Fail2Ban configuration file # # # $Revision: 1 $ # [Definition] # Option: failregex # Notes.: Regexp to catch known spambots and software alike. Please verify # that it is your intent to block IPs which were driven by # abovementioned bots. # Values: TEXT # failregex = ^ -.*”POST.* # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. # Values: TEXT # ignoreregex =
尝试在jail.conf的[DEFAULT]部分添加findtime的默认值
这里是从Ubuntu 14.04默认安装的一个剪辑
[DEFAULT] # "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not # ban a host which matches an address in this list. Several addresses can be # defined using space separator. ignoreip = 127.0.0.1/8 # "bantime" is the number of seconds that a host is banned. bantime = 600 # A host is banned if it has generated "maxretry" during the last "findtime" # seconds. findtime = 600 maxretry = 3
我也build议尝试使用jail.local,并保持jail.conf不变。 如果您需要将fail2ban升级或迁移到其他服务器或操作系统,可以很容易地告诉您具体更改了哪些内容。 这很奇怪,你的默认jail.conf没有findtime设置。