Fail2ban not working on apache Ubuntu

apache-2.2fail2ban

Nothing happens even though it detects in the logs. It does not block the IP. It works fine forVSFTP but not for apache. Please help. You can see the config and log below.

jail.local config file:

[apache]
enabled  = true
port     = 80,443
filter   = apache-auth
logpath  = /var/log/apache*/*error.log
maxretry = 2

    # default action is now multiport, so apache-multiport jail was left
    # for compatibility with previous (<0.7.6-2) releases
[apache-multiport]

enabled   = true
port      = http,https
filter    = apache-auth
logpath   = /var/log/apache*/*error.log
maxretry  = 6

Apache-Auth config file

[INCLUDES]
before = apache-common.conf
[Definition]
failregex = ^%(_apache_error_client)s user .* (authentication failure|not found|password mismatch)\s*$
ignoreregex =

Apache-Error Log:

[Fri Jul 25 11:31:20.758218 2014] [auth_basic:error] [pid 4959] [client 8.8.8.8:12767] AH01617: user GOLD: authentication failure for "/Folder": Password Mismatch
[Fri Jul 25 11:31:22.941978 2014] [auth_basic:error] [pid 4959] [client 8.8.8.8:12767] AH01618: user asd not found: /Folder

fail2ban-regex result:

Running tests
=============
Use regex file : /etc/fail2ban/filter.d/apache-auth.conf
Use log file   : /var/log/apache2/error.log
Matched time template MONTH Day Hour:Minute:Second
Matched time template MONTH Day Hour:Minute:Second
Matched time template MONTH Day Hour:Minute:Second
Matched time template MONTH Day Hour:Minute:Second
Matched time template MONTH Day Hour:Minute:Second
Results
=======
Failregex: 0 total
Ignoreregex: 0 total
Summary
=======
Sorry, no match

Fail2Ban Log:

    2014-07-25 15:16:49,010 fail2ban.filter.datedetector: DEBUG  Matched time template MONTH Day Hour:Minute:Second

    2014-07-25 15:16:49,010 fail2ban.filter.datedetector: DEBUG  Sorting the template list

    2014-07-25 15:16:49,011 fail2ban.filter.datedetector: DEBUG  Winning template: MONTH Day Hour:Minute:Second with 994 hits

    2014-07-25 15:16:52,214 fail2ban.filter : DEBUG  Default Callback for Event: <Event dir=False mask=0x2 maskname=IN_MODIFY name='' path=/var/log/apache2/error.log pathname=/var/log/apache2/error.log wd=2 >

    2014-07-25 15:16:52,214 fail2ban.filter.datedetector: DEBUG  Matched time template MONTH Day Hour:Minute:Second

    2014-07-25 15:16:52,215 fail2ban.filter.datedetector: DEBUG  Sorting the template list

    2014-07-25 15:16:52,215 fail2ban.filter.datedetector: DEBUG  Winning template: MONTH Day Hour:Minute:Second with 995 hits

    2014-07-25 15:16:52,215 fail2ban.filter : DEBUG  Default Callback for Event: <Event dir=False mask=0x2 maskname=IN_MODIFY name='' path=/var/log/apache2/error.log pathname=/var/log/apache2/error.log wd=2 >

    2014-07-25 15:16:52,215 fail2ban.filter.datedetector: DEBUG  Matched time template MONTH Day Hour:Minute:Second

    2014-07-25 15:16:52,215 fail2ban.filter.datedetector: DEBUG  Sorting the template list

    2014-07-25 15:16:52,215 fail2ban.filter.datedetector: DEBUG  Winning template: MONTH Day Hour:Minute:Second with 995 hits

    2014-07-25 15:16:52,215 fail2ban.filter : DEBUG  Default Callback for Event: <Event dir=False mask=0x2 maskname=IN_MODIFY name='' path=/var/log/apache2/error.log pathname=/var/log/apache2/error.log wd=2 >

    2014-07-25 15:16:52,216 fail2ban.filter.datedetector: DEBUG  Matched time template MONTH Day Hour:Minute:Second

    2014-07-25 15:16:52,216 fail2ban.filter.datedetector: DEBUG  Sorting the template list

    2014-07-25 15:16:52,216 fail2ban.filter.datedetector: DEBUG  Winning template: MONTH Day Hour:Minute:Second with 995 hits

    2014-07-25 15:16:54,790 fail2ban.filter : DEBUG  Default Callback for Event: <Event dir=False mask=0x2 maskname=IN_MODIFY name='' path=/var/log/apache2/error.log pathname=/var/log/apache2/error.log wd=2 >

    2014-07-25 15:16:54,791 fail2ban.filter.datedetector: DEBUG  Matched time template MONTH Day Hour:Minute:Second

    2014-07-25 15:16:54,791 fail2ban.filter.datedetector: DEBUG  Sorting the template list

    2014-07-25 15:16:54,791 fail2ban.filter.datedetector: DEBUG  Winning template: MONTH Day Hour:Minute:Second with 996 hits

    2014-07-25 15:16:54,791 fail2ban.filter : DEBUG  Default Callback for Event: <Event dir=False mask=0x2 maskname=IN_MODIFY name='' path=/var/log/apache2/error.log pathname=/var/log/apache2/error.log wd=2 >

    2014-07-25 15:16:54,792 fail2ban.filter.datedetector: DEBUG  Matched time template MONTH Day Hour:Minute:Second

    2014-07-25 15:16:54,792 fail2ban.filter.datedetector: DEBUG  Sorting the template list

    2014-07-25 15:16:54,792 fail2ban.filter.datedetector: DEBUG  Winning template: MONTH Day Hour:Minute:Second with 996 hits

    2014-07-25 15:16:54,792 fail2ban.filter : DEBUG  Default Callback for Event: <Event dir=False mask=0x2 maskname=IN_MODIFY name='' path=/var/log/apache2/error.log pathname=/var/log/apache2/error.log wd=2 >

Best Answer

Try using the official apache-auth.conf file:

https://github.com/fail2ban/fail2ban/blob/master/config/filter.d/apache-auth.conf

Related Solutions

Linux – Apache2 quietly breaking, won’t make apache2.pid

Hmm, I am pretty suspicious of the config file

/etc/apache2/vhosts.d/30_subversion_ssl_vhost.conf

When you remove the '-D SSL' you will cause all parts of the configuration files that are enclosed in ... to be skipped. The default SSL vhost file on my Gentoo box is wrapped in that tag so I wonder if, by removing the '-D SSL', you are preventing the config in 30_subversion_ssl_vhost.conf from being run at all and if that is what is allowing Apache to start.

If you temporarily remove the file 30_subversion_ssl_vhost.conf from /etc/apache2/vhosts.d does Apache run? Are there any other SSL related vhost.conf files in vhosts.d? My reasonably fresh/unused Apache install's vhosts.d directory looks like this:

# pwd && ls
/etc/apache2/vhosts.d
00_default_ssl_vhost.conf  00_default_vhost.conf  default_vhost.include

edit 1:

So much for that theory :) I am now wondering if the problem is with the Apache SSL setup itself. I apologize if I am covering ground you have already checked but I am wondering if you could do the following to help verify your Apache install.

On my Apache install with working SSL the use flags are as follows:

# emerge -av apache

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild     U ] www-servers/apache-2.2.11-r2 [2.2.11] USE="ssl -debug -doc -ldap (-selinux) -sni -static -suexec -threads" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias -asis -auth_digest -authn_dbd -cern_meta -charset_lite -dbd -dumpio -ident -imagemap -log_forensic -proxy -proxy_ajp -proxy_balancer -proxy_connect -proxy_ftp -proxy_http -substitute -version" APACHE2_MPMS="-event -itk -peruser -prefork -worker" 64 kB

In particular do you have the 'ssl' USE flag set?

Also, could you use equery to verify the integrity of your apache2 install? If you do not have the equery command you can install it by running 'emerge -av gentoolkit'. The following command should verify the integrity of your apache install:

equery check apache

On my server the above command gives the following output:

[ Checking www-servers/apache-2.2.11 ]
!!! /etc/apache2/vhosts.d/00_default_ssl_vhost.conf has wrong mtime (is 1256620928, should be 1246793824)
!!! /etc/apache2/modules.d/00_default_settings.conf has wrong mtime (is 1246796304, should be 1246793824)
!!! /etc/conf.d/apache2 has incorrect md5sum
 * 429 out of 432 files good

edit 2:

Well the install looks good to me, so much for theory 2. I am wondering if we can coax Apache into giving some more information on startup. In /etc/conf.d/apache2 if you change your APACHE2_OPTS line from:

APACHE2_OPTS="-D DEFAULT_VHOST -D INFO -D SSL -D SSL_DEFAULT_VHOST -D LANGUAGE"

APACHE2_OPTS="-X -e debug -D DEFAULT_VHOST -D INFO -D SSL -D SSL_DEFAULT_VHOST -D LANGUAGE"

and then start Apache (/etc/init.d/apache2 start) the daemon should stay in the foreground (the -X flag) and output debuging messages as it starts (the -e debug option). Maybe this will give a clue as to why it is dying on startup.

HTTP 500 error from POST reuqest to django vai WSGI and apache

Ok, so once again we come down to user error. At some point the problem changed because I changed some of the code above, so that

def post_authentication_api(request):

became

def post_authentication_api(self, request):

this doesnt work because as Graham said at the django mailing list

"If you ... have a 'self' first argument for a function which isn't a method of a class, it is obvious you are going to get:"

Exception Type: TypeError at /auth/post_authentication_api 
  Exception Value: post_authentication_api() takes exactly 2 arguments 
(1 given)

So after I fixed that up I came to the root of the problem (as far as I can tell) which was that wsgi was blocking sys.stdout. which I think seems fair to me, and I had some print statements in my code and this is why it wasnt running. A very simple problem that for some reason became very complicated.

Anyway, Great thanks to Graham who has helped me out for the last week on this. He has been tireless and very accommodating to someone who is quite embarrassed about the final outcome. Some votes will be coming his way for the comments and my many thanks as well.

Thanks again

Mark

Best Answer

Related Solutions

Linux – Apache2 quietly breaking, won’t make apache2.pid

HTTP 500 error from POST reuqest to django vai WSGI and apache

Related Topic