How do changes in /etc/pam.d/common-session-noninteractive affect fail2ban and possibly other programs/services?
Fail2Ban on Ubuntu 10.04



Configuration files



/etc/fail2ban/jail.local



[DEFAULT]

ignoreip = 127.0.0.1
# bantime shortened for test purposes
bantime = 10
maxretry = 3

backend = polling

destemail = email@mycompany.com


banaction = iptables-multiport

mta = sendmail

protocol = tcp

action = %(action_mw)s

[ssh]

enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3

[pam-generic]

enabled = true
filter = pam-generic
port = all
banaction = iptables-allports
port = anyport
logpath = /var/log/auth.log
maxretry = 6


The rest of the fail2ban configs are just the default ones.



default /etc/pam.d/common-session-noninteractive



session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session required pam_unix.so
session optional pam_winbind.so
session required pam_loginuid.so


changed /etc/pam.d/common-session-noninteractive



session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session [success=1 default=ignore] pam_succeed_if.so service in cron quiet use_uid
session required pam_unix.so
session optional pam_winbind.so
session required pam_loginuid.so


Please note the only difference is adding session [success=1 default=ignore] pam_succeed_if.so service in cron quiet use_uid.



Logs



extract from /var/log/auth.log with default /etc/pam.d/common-session-noninteractive



May 22 15:30:01 node1 CRON[16029]: pam_unix(cron:session): session opened for user root by (uid=0)
May 22 15:30:01 node1 CRON[16029]: pam_unix(cron:session): session closed for user root
May 22 15:35:01 node1 CRON[16514]: pam_unix(cron:session): session opened for user root by (uid=0)
May 22 15:35:01 node1 CRON[16514]: pam_unix(cron:session): session closed for user root


Summary



  1. If I execute fail2ban-client set ssh banip 1.2.3.4 at 15:26, the IP gets banned at 15:30. This is why I associate it with the above-listed cron job.

  2. If I modify /etc/pam.d/common-session-noninteractive and repeat the fail2ban-client command, I get no entry in /var/log/auth.log and no ban.

More info:




  1. default /etc/pam.d/common-session-noninteractive:



    fail2ban-client set ssh banip 1.2.3.4 -> the IP gets banned by an invisible cron job, which runs every 5 minutes. I checked every single file in /etc/cron* and /var/spool/cron/* and there was no such job present. Bottom line: the manual ban works with up to 5 minutes delay.




  2. added session [success=1 default=ignore] pam_succeed_if.so service in cron quiet use_uid in /etc/pam.d/common-session-noninteractive as suggested here:



    fail2ban-client set ssh banip 1.2.3.4 -> the invisible cron job does not run and no ban happens.



My question:



How does the change in /etc/pam.d/common-session-noninteractive prevent fail2ban-client from banning an IP? And why?




Edit



  • Running in debug:


root@node1:~# fail2ban-client set loglevel 4
Current logging level is DEBUG
root@node1:~# fail2ban-client -vvv set ssh banip 1.2.3.4
DEBUG Reading /etc/fail2ban/fail2ban
DEBUG Reading files: ['/etc/fail2ban/fail2ban.conf', '/etc/fail2ban/fail2ban.local']
INFO Using socket file /var/run/fail2ban/fail2ban.sock
DEBUG OK : '1.2.3.4'
DEBUG Beautify '1.2.3.4' with ['set', 'ssh', 'banip', '1.2.3.4']
1.2.3.4
root@zap:~# tail -f /var/log/fail2ban.log
2013-05-24 21:32:07,695 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'banip', '1.2.3.4']
2013-05-24 21:32:07,696 fail2ban.filter : DEBUG Currently have failures from 1 IPs: ['1.2.3.4']
2013-05-24 21:32:07,696 fail2ban.filter : DEBUG Currently have failures from 1 IPs: ['1.2.3.4']
2013-05-24 21:32:07,696 fail2ban.filter : DEBUG Currently have failures from 1 IPs: ['1.2.3.4']



Result: No Ban.



  • Removing quiet from session [success=1 default=ignore] pam_succeed_if.so service in cron quiet use_uid in /etc/pam.d/common-session-noninteractive:

Result: Successful Ban.



/var/log/auth.log:



May 24 22:00:01 node1 CRON[22483]: pam_succeed_if(cron:session): requirement "service in cron" was met by user "root"
May 24 22:00:01 node1 CRON[22483]: pam_succeed_if(cron:session): requirement "service in cron" was met by user "root"


/var/log/fail2ban.log:



2013-05-24 21:56:07,955 fail2ban.comm : DEBUG Command: ['set', 'loglevel', '4']
2013-05-24 21:56:20,155 fail2ban.comm : DEBUG Command: ['set', 'ssh', 'banip', '1.2.3.4']
2013-05-24 21:56:20,156 fail2ban.filter : DEBUG Currently have failures from 1 IPs: ['1.2.3.4']
2013-05-24 21:56:20,156 fail2ban.filter : DEBUG Currently have failures from 1 IPs: ['1.2.3.4']
2013-05-24 21:56:20,156 fail2ban.filter : DEBUG Currently have failures from 1 IPs: ['1.2.3.4']
2013-05-24 22:00:01,079 fail2ban.filter : DEBUG /var/log/auth.log has been modified
2013-05-24 22:00:01,079 fail2ban.filter.datedetector: DEBUG Sorting the template list
2013-05-24 22:00:01,853 fail2ban.filter : DEBUG /var/log/auth.log has been modified
2013-05-24 22:00:01,853 fail2ban.filter.datedetector: DEBUG Sorting the template list
2013-05-24 22:00:01,870 fail2ban.actions: WARNING [ssh] Ban 1.2.3.4
2013-05-24 22:00:01,870 fail2ban.actions.action: DEBUG iptables -n -L INPUT | grep -q fail2ban-ssh
2013-05-24 22:00:01,876 fail2ban.actions.action: DEBUG iptables -n -L INPUT | grep -q fail2ban-ssh returned successfully
2013-05-24 22:00:01,877 fail2ban.actions.action: DEBUG iptables -I fail2ban-ssh 1 -s 1.2.3.4 -j DROP
2013-05-24 22:00:01,919 fail2ban.actions.action: DEBUG iptables -I fail2ban-ssh 1 -s 1.2.3.4 -j DROP
2013-05-24 22:00:01,920 fail2ban.actions.action: DEBUG
2013-05-24 22:00:01,923 fail2ban.actions.action: DEBUG returned successfully
...


Fail2Ban version



fail2ban 0.8.7.1-2~ppa7~lucid from here. The stock one (version 0.8.4) kept failing with:



"global name 'time' is not defined"


which prompted me to look for a newer version.

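To see what the added pam_succeed_if line does to the session stack, here is a small interpreter for the PAM session control syntax, written for this page (it is not Linux-PAM or fail2ban code) and run over the two common-session-noninteractive stacks quoted in the question. The module behaviour is modelled only as far as the control flow needs, and that modelling is an assumption of the example: pam_permit and pam_deny return success and failure, pam_succeed_if evaluates the `field in value` form and writes its syslog line unless `quiet` is given, pam_unix writes the "session opened" line, and pam_winbind and pam_loginuid are treated as silent successes. The log strings are constructed to match the auth.log lines shown in the question; `open_session` and the other names are this example's own.

```python
import re

# The two stacks quoted in the question, embedded so the script runs offline.
DEFAULT_STACK = """\
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session required pam_unix.so
session optional pam_winbind.so
session required pam_loginuid.so
"""

CHANGED_STACK = """\
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session [success=1 default=ignore] pam_succeed_if.so service in cron quiet use_uid
session required pam_unix.so
session optional pam_winbind.so
session required pam_loginuid.so
"""

# What the keyword controls expand to (see pam.conf(5)).
KEYWORD_CONTROLS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

LINE_RE = re.compile(r"^session\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_stack(text):
    """Return [(control_table, module, args)] for the session lines of a stack."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                      # blank line, comment or non-session entry
        control, module, args = m.groups()
        if control.startswith("["):
            table = dict(kv.split("=", 1) for kv in control[1:-1].split())
        else:
            table = KEYWORD_CONTROLS[control]
        entries.append((table, module, args.split()))
    return entries


def run_module(module, args, ctx, log):
    """Model (an assumption of this example) of what each module on the page does
    in the session phase. Returns the PAM status name; appends any syslog line."""
    if module == "pam_permit.so":
        return "success"
    if module == "pam_deny.so":
        return "auth_err"
    if module == "pam_succeed_if.so":
        # Only the 'field in v1:v2' condition form is modelled; 'quiet' suppresses
        # the "requirement ... was met" syslog line pam_succeed_if writes otherwise.
        field, op, values = args[0], args[1], args[2]
        if op != "in":
            raise ValueError("condition form not modelled: %s" % " ".join(args[:3]))
        met = ctx[field] in values.split(":")
        if "quiet" not in args:
            log.append('pam_succeed_if(%s:session): requirement "%s in %s" was %s by user "%s"'
                       % (ctx["service"], field, values, "met" if met else "not met", ctx["user"]))
        return "success" if met else "auth_err"
    if module == "pam_unix.so":
        log.append("pam_unix(%s:session): session opened for user %s by (uid=%d)"
                   % (ctx["service"], ctx["user"], ctx["uid"]))
        return "success"
    return "success"                      # pam_winbind, pam_loginuid: silent in this model


def open_session(stack_text, service, user="root", uid=0):
    """Walk the stack like libpam's dispatcher; return (result, auth.log lines)."""
    ctx = {"service": service, "user": user, "uid": uid}
    entries, log, final, i = parse_stack(stack_text), [], None, 0
    while i < len(entries):
        table, module, args = entries[i]
        status = run_module(module, args, ctx, log)
        action = table.get(status, table.get("default", "bad"))
        i += 1
        if action.isdigit():              # N: same as ok, then skip the next N modules
            i += int(action)
            action = "ok"
        if action == "ok":
            final = final or "success"
        elif action == "bad":
            final = "failure"
        elif action == "die":
            return "failure", log
        elif action == "done":
            return (final or "success"), log
        # "ignore": the module's result does not touch the stack's outcome
    return (final or "failure"), log


if __name__ == "__main__":
    for label, stack in (("default", DEFAULT_STACK), ("changed", CHANGED_STACK),
                         ("changed, quiet removed", CHANGED_STACK.replace(" quiet", ""))):
        for service in ("cron", "sshd"):
            result, lines = open_session(stack, service)
            print("%-22s %-5s -> %s, auth.log gets %s" % (label, service, result, lines or "nothing"))
```

Run as a script it prints, for each stack and for the cron and sshd services, the outcome and the lines that would reach auth.log. The `[default=1] pam_permit.so` line jumps over `pam_deny.so` in every case; the added `[success=1 default=ignore] pam_succeed_if.so` line jumps over `pam_unix.so` only when the service is cron, so a cron session leaves no "session opened" line and, with `quiet`, nothing at all in auth.log, while sshd sessions are logged as before. Dropping `quiet` restores exactly the `requirement "service in cron" was met` line shown in the edit. For monitoring that is the practical answer to the "other programs/services" half of the question: whatever audits cron session activity through auth.log loses that signal, while the sshd jail's own failregex matches are untouched.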
  • There is no invisible cron job. fail2ban-server is the daemon that bans the IP.
    – Mark Wagner
    May 22 '13 at 22:34

  • @MarkWagner - why doesn't fail2ban-server ban the IP immediately instead of waiting for up to 5 minutes? I can supply logs to prove it.
    – grs
    May 23 '13 at 2:36

  • @grs Please post your fail2ban config and demonstrate your concern with an example. As worded this question relies on too much conjecture.
    – Andrew B
    May 23 '13 at 15:35

  • @AndrewB - please see the updated question. Thank you!
    – grs
    May 23 '13 at 19:18

  • Strange... I cannot repro. Can you execute fail2ban-client set loglevel 4 and fail2ban-client -vvv set ssh banip 1.2.3.4 and post the output and the relevant fail2ban log file lines?
    – Mark Wagner
    May 24 '13 at 23:00

Tags: linux ubuntu pam fail2ban

edited Jun 5 '13 at 6:25 by Iain
asked May 22 '13 at 22:06 by grs

1 Answer
I think (but have not confirmed) that fail2ban simply waits for new lines in auth.log before applying the fail2ban-client command, so the ban is done not by "an invisible cron job, which runs every 5 minutes" but "by an infinite loop which reads 'logpath'", auth.log in this particular case. If this is true, the change you have made in /etc/pam.d/common-session-noninteractive does not prevent fail2ban-client from banning an IP, but postpones it until a new line appears in auth.log. New log lines appear less frequently, because you disabled the cron messages, and so it is necessary to wait longer for the IP ban.


































        answered Sep 27 '14 at 19:05









        Pavel

        1




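A line-driven detector of the kind the answer describes, as an added example that is neither fail2ban's own code nor the answerer's: the ban decision is only evaluated when the reader consumes a line, and lines matching no failregex (such as the cron session lines the PAM change silences) still wake the reader but never count as failures. The regex, the maxretry/findtime values and the sample log lines are assumptions constructed for this illustration, modelled loosely on the stock sshd jail.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Simplified failregex (assumption: modelled on the sshd filter, not copied
# from it). <HOST> is restricted to an IPv4 address here.
FAILREGEX = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from "
    r"(?P<host>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def parse_ts(line, year=2013):
    # syslog timestamps carry no year; assume the year of the question
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")

def scan(lines, maxretry=3, findtime=600):
    """Feed auth.log lines in order, the way a jail's log reader does.
    Returns (bans, lines_read); bans is a list of (ban_timestamp, host)."""
    recent = defaultdict(deque)   # host -> timestamps of recent failures
    banned, bans, lines_read = set(), [], 0
    for line in lines:
        lines_read += 1           # every line wakes the reader, match or not
        m = FAILREGEX.search(line)
        if not m:
            continue              # e.g. cron session lines never count
        host, ts = m.group("host"), parse_ts(line)
        if host in banned:
            continue
        q = recent[host]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()           # drop failures older than findtime
        if len(q) >= maxretry:    # decision is made on the line that tips it
            banned.add(host)
            bans.append((ts, host))
    return bans, lines_read

# Constructed sample log: three failures from one host, a cron session line
# of the kind the PAM change in the question silences, and one stray failure.
SAMPLE_LOG = [
    "May 22 22:30:01 host CRON[4321]: pam_unix(cron:session): session opened for user root by (uid=0)",
    "May 22 22:30:05 host sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 50123 ssh2",
    "May 22 22:30:09 host sshd[2203]: Failed password for root from 203.0.113.7 port 50124 ssh2",
    "May 22 22:30:12 host sshd[2205]: Failed password for root from 198.51.100.9 port 40001 ssh2",
    "May 22 22:30:14 host sshd[2207]: Failed password for invalid user test from 203.0.113.7 port 50125 ssh2",
]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

With findtime shortened to 5 seconds the same log produces no ban, because the first failure has aged out by the time the third arrives.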


























