Agile Aspect wrote: > John Hinton wrote: > >> Agile Aspect wrote: >> >> >>> Devraj Mukherjee wrote: >>> >>> >>> >>>> Hi all, >>>> >>>> I am trying to get fail2ban going on my server and its log message >>>> reports the following error >>>> >>>> 2009-02-16 17:42:05,339 ERROR: 'iptables -L INPUT | grep -q >>>> fail2ban-SSH' returned 256 >>>> 2009-02-16 17:42:05,354 ERROR: 'iptables -D INPUT -p tcp --dport ssh >>>> -j fail2ban-SSH >>>> >>>> Is this because of the way the RedHat tool sets up the firewall? >>>> >>>> Thanks for any responses. >>>> >>>> >>>> >>>> >>>> >>> First, have you installed iptables, shorewall, and tcp-wrappers >>> installed? >>> >>> Second, have you tried the failed grep expression, i.e., have >>> you tried >>> >>> iptables -L INPUT | grep -q fail2ban-SSH >>> >>> As to why this would fail, you need to ask on the fail2ban >>> mailing list since evidently this appears to be part of the >>> installation. >>> >>> The iptables can be setup by anyone - RedHat simply provides >>> a default set of rules. >>> >>> >>> >>> >> Actually, it is a rather OS dependent package and the rules for CentOS >> are difficult to write. That really doesn't belong on the fail2ban list >> either. >> >> > Please post the iptable rule which you is believe is OS dependent. > > >> You don't need shorewall, just the standard CentOS firewall works fine. >> >> > It depends upon what the OP installed. The fail2ban web page > recommends shorewall be installed - so there's a chance the OP > installed it. > > First, I installed the RPM from dag. Some of it was set to go out of the box. Seems like I didn't need to do anything for SSH rules to work besides turning it on. Seems like VSFTP was pretty close. Dovecot was a write I think I might have done... or a major rewrite. Also, as there are differences between CentOS 3, 4 and 5... I'd also need to know which version you're running. This really is a great tool. It is not easy to create rules. I was actually thinking that a CentOS fail2ban wiki or something might be nice. If it were divided into separate versions, we could share rules there. It took me about 3 or 4 hours to write and test just one. But again, I'm really slow at RegEx. I keep seeing more attacks on just about every service available. Dovecot logins being the latest. VSFTP gets hit pretty hard... SSH gets pounded. But, using this also as a spam filter is also another good use. On one of my servers with moderate email traffic, it is banning about 150 IP address per hour based just on multiple Spamhaus rejects. That's a lot of load reduction right there. Now, if I could start pulling out stuff from SpamAssassin rejects... that could drop our loads by a huge amount. Over time, it might even reduce the number of attempts... if they do any purging of old email addresses. John Hinton _______________________________________________ CentOS mailing list CentOS@xxxxxxxxxx http://lists.centos.org/mailman/listinfo/centos