Fail2ban: an enemy of script-kiddies

April 29th, 2007 edited by ana

I bet there is only a little part of auth.log-aware GNU/Linux users, who has not experienced a pleasure of browsing thousand of lines of the failed authentication attempts. If you do not yet know what to look for in your auth.log, just run:

> zgrep 'Failed password for illegal user' /var/log/auth.log* | wc -l

On the system which I just tried, the result is 125835! since July of 2006. Yeah yeah — 99.999% of those failed logins are due to silly dictionary attacks, which (unfortunately) work in some % of the cases. Are you sure that your password and passwords of all the users on your system are strong enough to survive such an attack?

Also, I guess, there is a (hopefully small) group of system administrators, who experienced a pleasure of DoS attack on their services. Or web-server admins, who have a pleasure to stare at the attempts to access non-existing (most of the time) on the webserver /php/bla-admin.X.Y.bleh.

For both those groups (as well as for other problems too), there is a straightforward solution — just reject (or in other terms - ban) abuser’s IP as soon as you detect an attempt to get an unauthorized access to your box. Unfortunately, we do not stare at the log files 24×7, so we can not react in time. To substitute such a weak part of the chain in this process, i.e. a human operator, Fail2ban tool was created by Cyril Jaquier.

The idea behind Fail2ban is very simple: temporarily or permanently ban an IP which performed multiple undesired actions, such as unsuccessful authentication, access to restricted area, etc.
Originally it was developed to catch illegal SSH login attempts, but later on it grew up into an easily customizable toolkit for speedy reaction on some events (such as detected failed login attempts) recorded in the log files.

In the following sections I will describe a bit more of internals of Fail2ban configuration, but that knowledge is not really required to get the tool working for you. For that, it is sufficient to run “apt-get install fail2ban”. You might like to read the section on jails below if you simply want to enable some additional jails shipped with the Fail2ban package.

Debian/Ubuntu Presence of Fail2ban

Fail2ban is present in sarge from, and it is native to Etch and Sid. Sarge version in backports is from a 0.6 branch of the Fail2ban, and it has different configuration scheme than current 0.7 (soon 0.8) branch. 0.7 uses split configuration files and orthogonally separates notions of a filter (pretty much a python regular expression with associated set of files) and an action to be taken (banning via iptables/hosts.deny, or sending an email).

Fail2ban is also present in Ubuntu releases since Dapper release.


Default configuration in both branches (0.6 and 0.7) enables ssh logins monitoring right out of the box, so no changes are necessary to get Fail2ban running.

If necessary, all changes in the configuration of Fail2ban 0.6.x have to be made in the original configuration file, and sections can be also enabled via command line switch (-e iirc) (N.B. this cmdline option is specific to Debian release of Fail2ban and is not present in upstream version). 0.7 branch uses completely different configuration scheme, and it is very convenient: any change or addition which has to be done in file /etc/fail2ban/X.conf can simply be made in file /etc/fail2ban/X.local — parameters in .local override ones in .conf. This way .conf file stays intact, and during your upgrade there is no necessity to mess with patching config files if they get changed upstream. Since I prefer 0.7 branch, I will describe details of its configuration.

As I mentioned above, 0.7 branch comes with an orthogonal configuration between filters and actions. A filter specifies what to
look for (like a ‘failed login attempt from …’ in auth.log, or a message ‘please brew some coffee, Mike’ in your .xchat/history/private.log), and an action describes possible scenario to play (to ban an IP, or to send an a single packet authenticator to a coffee maker to start brewing a fresh cup of coffee).


So here is an example of a filter:

> grep -v  '^#' /etc/fail2ban/filter.d/sshd.conf


failregex = Authentication failure for .* from <HOST>
            Failed [-/\w]+ for .* from <HOST>
            [iI](?:llegal|nvalid) user .* from <HOST>

ignoreregex =

“failregex” is a list of python regular expressions (with “” simply be a shortcut for “(?:::f{4,6}:)?(?P<host>\S+)” to match an IP or a host name. “ignoreregex” allows to infiltrate some false positives.

Standard sid Debian installation of Fail2ban comes with filters for various services (ssh, ftp, http), various implementations (exim, postfix; proftpd, pure-ftpd, wuftpd, etc), and for some additional events (normal illegal login in ssh vs DDOS attack on sshd).

If you want to write your own filter to store under /etc/fail2ban/filter.d/blah.conf, there is a very handy helper tool: fail2ban-regex, which can test your regular expression on the existing logfile and tell if you it works fine.

> fail2ban-regex /var/log/auth.log 'Failed [-/\w]+ for .* from <HOST>’

Running tests

Use regex line : Failed [-/\w]+ for .* from <HOST>
Use log file   : /var/log/auth.log


[1] Failed [-/\w]+ for .* from <HOST>

Number of matches:
[1] 2 match(es)

Addresses found:
[1] (Sun Apr 01 23:58:20 2007) (Sun Apr 01 23:58:27 2007)

Date template hits:
2 hit: Month Day Hour:Minute:Second
0 hit: Weekday Month Day Hour:Minute:Second Year
0 hit: Year/Month/Day Hour:Minute:Second
0 hit: Day/Month/Year:Hour:Minute:Second
0 hit: Year-Month-Day Hour:Minute:Second
0 hit: TAI64N
0 hit: Epoch

Success, the total number of match is 2

However, look at the above section ‘Running tests’ which could contain important

Here instead of regular expression to test, you could simply provide the file of you tentative filter.


A typical action for most of the cases would be to ban detected IP of an abuser using iptables, and that action is described in the following Fail2ban action definition:

> sudo grep -v  '^#' /etc/fail2ban/action.d/iptables.conf


actionstart = iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
              iptables -I INPUT -p <protocol> –dport <port> -j fail2ban-<name>

actionstop = iptables -D INPUT -p <protocol> –dport <port> -j fail2ban-<name>
             iptables -F fail2ban-<name>
             iptables -X fail2ban-<name>

actioncheck = iptables -n -L INPUT | grep -q fail2ban-<name>
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP


name = default
port = ssh
protocol = tcp

Default action in 0.7 branch of Debian package though is iptables-multiport, which can be used to ban multiple ports at once. Besides it, there are other actions available such as

  • hostsdeny — ban using hosts.deny mechanism
  • shorewall,ipfw — use firewall cmdline interfact to ban/allow an IP
  • mail-* — email about the performed action to a sysadmin


And now we came to a point where both notions (filter + action) should be used together. “Jail” is the specification containing a filter and desired set of actions to be performed. Here is an example from original upstream version of /etc/fail2ban/jail.conf.


enabled  = false
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
logpath  = /var/log/sshd.log
maxretry = 5

In this example, the jail ssh-iptables defines the name of the filter to be used (so the full file name is implied to be /etc/fail2ban/filters.d/sshd.conf). Also it defines the list of actions to be performed: TCP port 22 has to be banned after 5 unsuccessful attempts, and an email has to be sent to informing about such action.

While preparing Debian package of Fail2ban, I tuned up Debian-shipped version of jail.conf so that jail specifications becomes minimalistic, since most often all the jails should perform the same chosen action. If there is a need in a jail-specific action, it can always be specified in “action” parameter of the jail. The same jail in Debian-shipped jail.conf looks like


enabled = true
port    = ssh,sftp
filter  = sshd
logpath  = /var/log/auth.log
maxretry = 6

Since the rest of the jails present in jail.conf are not active by default, desired jails can easily be enabled in /etc/fail2ban/jail.local. Here you can see a part of my locally customized jail.local:


bantime  = 3600
destemail = root@localhost

banaction = shorewall
action = %(action_mwl)s

enabled = true
maxretry = 4

enabled  = true

enabled  = true

# custom jail which used to be not present in shipped jail.conf
enabled = true
port    = http
filter  = apache-noscript
logpath = /var/log/apache*/*error.log
maxretry = 6



Posted in Debian, Ubuntu | 16 Comments »

Amarok: listening to music will never be the same

April 25th, 2007 edited by Tincho

Entry submitted by Grant Thomas. DPOTD needs your help, please contribute !

Amarok is a fully featured music player well integrated into the KDE environment. Amarok uses a database (SQLite, MySQL, PostgreSQL) delivering fast collection access, and a wide array of searching/sorting methods.

Current Feature list: (credited to

  • Quick and simple drag and drop play list creation
  • Super eye-candy interface
  • Multiple back ends supported (xine, NMM and Helix)
  • 10 band equaliser
  • Automatic cover art download using Amazon services
  • The unique and powerful Context Browser
  • Automatic play-statistics generation (iRate style)
  • Full lyrics download
  • Funky visualisations from libvisual and XMMS
  • Streaming from any KIO source
  • Cross-fading
  • Fully configurable translucent OSD for track changes
  • K3B (CD-burning) integration
  • KDE integration
  • Style your Context Browser with custom CSS styles.
  • Save space in your Context Browser with collapsible boxes
  • Show the Context Browser without Amarok open through the Konqueror sidebar!
  • Full support for! Share your music taste with friends on the net
  • Generate dynamic play lists based on suggestions
  • Support for SQLite, MySQL and PostgreSQL databases ensuring fast collection access
  • Support for iPod®, iRiver® and generic UMS mp3 players with the all new media-browser
  • Powerful scripting interface, allowing for easy extension of Amarok
  • Complete DCOP access
  • Translated into more than 35 languages, thanks to the KDE internationalisation team

Amarok can play many audio formats through one of the back end engines. Formats include mp3, ogg, flac, wma, wav, and others. Basically any file format that the selected engine can play, Amarok can use. For more information, see

Amarok includes full support of, which allows users to record each track played in an online community. From, Amarok can bring back similar artists and tracks, as well as other recommended artists / tracks. Amarok also supports play lists, which are play lists of music stored on’s website, allowing a user to share their music taste with the world.

Suggested songs

Amarok also supports the Magnatune album label and online purchase of Magnatune’s albums. Magnatune albums aren’t inflicted with DRM, which allows complete freedom of how a user can listen to their personally purchased music. Follow this link for a little more information about Magnatune.

Amarok is extensible, and already has a growing library of scripts and plug-ins. For your convenience: Scripts available for Download

Amarok also has integrated support with Musicbrainz, allowing a track, for example, with no id3 or other tags, and named generically to be analysed, and identified. The section immediately below will illustrate some support of Musicbrainz

Retrieving the information:
Musicbrainz 1

Applying the information:
Musicbrainz 2

The following screen shots show a small example of how a search may be done.

The following image shows a search done with the simple string ‘america’. Notice how Amarok searches through all fields to search for ‘america’.

search 1

This image shows a search with the string ‘artist:america’. This tells Amarok to search only the artist column for ‘america’.

Search 2

This image shows a search further filtering the results with the search string ‘artist:america title:horse’. Note that searches can be filtered by fields not showing at the time.

search 3

Note that when you filter the play list and Amarok changes songs, it will pick from the filtered list. This can be a boon or a burden depending on what you are doing, just keep this in mind.

Amarok also has quite a few User Interface goodies…

  • Use the mouse wheel over the volume bar in the Amarok window, or the task bar icon to adjust the volume up and down.
  • Use the mouse wheel over the time bar to seek forward / backward
  • The Amarok task bar icon shows the percent complete on the icon. The icon is bright at the beginning, and dark at the end of a track. In between it’s as if it is emptying of a liquid:
  • Right click on the task bar icon to use previous track, play / pause, stop, and next track functions
  • Most functions are able to be mapped through DCOP, allowing for quick, easy keyboard shortcuts
  • Using DCOP, it is possible to use a remote control to manipulate Amarok
  • Notice the context menu on the image below:
    Context clues
    • The “Write ‘Iron Maiden’ for Selected Tracks” button will write the selected field to all tracks currently selected. Below, it will write ‘Iron Maiden’ for the Artist track below where it is blank. This also works on multiple records, so it is easy to make a change to selected songs, or all using (shift+right click) or (ctrl+right click)
    • Also notice the “Edit ‘Artist’ Tag” entry; This will allow you to edit the selected track’s Tag field, and when you are finished editing, it populates the new information in any selected tracks.
  • Amarok will also organise and rename your files based upon tags and a little user input:
    organize 1organize 2

Amarok is available in all recent releases of Debian and Ubuntu

Posted in Debian, Ubuntu | 14 Comments »

sshfs: Easy (and secure) access to a remote file system

April 22nd, 2007 edited by Tincho

Entry submitted by Diego Essaya. DPOTD needs your help, please contribute !

I’m sure you are already familiar with the ssh command. (If that’s not the case, maybe this article is not for you). Most likely you have also discovered scp ages ago. But it is probable that you have never heard of sshfs before.

SSHFS is a file system client based on the SSH File Transfer Protocol. It allows to mount a remote file system in your box, and use it as if it was a local directory. Besides the fact that it is a secure protocol, the main advantage of SSHFS is that it is very easy to setup and use. It has only two easy to meet requisites:

  1. The local system needs to have the FUSE kernel module loaded.
  2. The remote machine needs to be running a SSH server that understands the SSHFS protocol.


First of all we must install the SSHFS package in the local system:

# apt-get install sshfs

The package is available in both Debian and Ubuntu repositories.

Next, let’s make sure that condition #1 is met. In the local system, type (as root):

# modprobe fuse

This will load the FUSE kernel module. Besides SSHFS, the FUSE module allows to do lots of other nifty tricks with file systems, such as the BitTorrent file system, the Bluetooth file system, the User-level versioning file system, the CryptoFS, the Compressed read-only file system and many others.

As for condition #2, chances are it is already met: the OpenSSH server is
already installed and running in most Debian and Ubuntu systems. If this is not your case, just run the following command on the remote system:

# apt-get install ssh


Luckily, SSHFS is very simple to use. The following command:

$ sshfs user@host: mountpoint

will mount the home directory of the user@host account into the local directory named mountpoint. That’s as easy as it gets. (Of course, the mountpoint directory must already exist and have the appropriate permissions).

If you want to mount a directory other than the home directory, you can specify it after the colon. Actually, a generic sshfs command looks like this:

$ sshfs [user@]host:[dir] mountpoint [options]


The classic alternatives to access remote file systems are NFS and SMBFS. The main advantages of SSHFS are:

  • Easy to setup and run
  • Secure link

If you are sharing files between Windows machines, perhaps SMBFS is the best option. If you are not concerned about security and you need a faster alternative to SSHFS, go for NFS.


Posted in Debian, Ubuntu | 15 Comments »

most: an alternative and powerful pager program

April 20th, 2007 edited by lucas

Entry submitted by Emmanuel Bouthenot. DPOTD needs your help, please contribute !

Most is a powerful “pager”, similar to more and less. It is written in C using the slang library. It can display:

  • compressed (bzip, gzip) files on the fly
  • manpages with fancy output
  • one or multiples files in windowed mode
  • arbitrary binary files


To use most as the default pager you can add this into your start-up user script (~/.bashrc, ~/.zshrc, etc.)

[ -x /usr/bin/most ] && export PAGER=most

You could also set it up to replace more and less:

[ -x /usr/bin/most ] && alias more=’most’ && alias less=’most’


Manpage view :
most - manpage view

Windowed view of compressed files :
most - Windowed view of compressed files

Binary file view:
most - Binary file view

Most has been available in Debian and Ubuntu for a long time now, and is well maintained.

Posted in Debian, Ubuntu | 13 Comments »

enigma: addictive puzzle game with a high dose of dexterity

April 18th, 2007 edited by Tincho

This week, an extra DPOTD article will be published on Friday, remember to check it out!

Shameless self-promotion submitted by Erich Schubert. DPOTD needs your help, please contribute !

Enigma is an addictive puzzle game

A re-invention of the discontinued game “Oxyd” available for Atari, Mac and (some versions) DOS, with hundreds of levels and improved graphics.

The game principle of Enigma is simple: uncover pairs of stones as in the “Concentration” (also known as “Memory” or “Pairs”) board game.

Simple? Yes. Easy? Not by far!

You’ll first have to reach these stones. Your actor is a black marble controlled via the mouse - and influenced heavily by physics. Different floors show different friction properties, blocks might need a good bump to move in the intended direction, bouncers, slopes and rubber bands might be pushing or pulling your marble in a different direction than you’d like it to go. Sometimes you have to hit exactly the right angle to make the marble bounce of a block in space right towards your goal.

And then the blocks are hidden in labyrinths, protected by lasers and traps, and all kinds of puzzles you’ll have to solve first before being able to reach them. There are dozens of items you’ll discover and need to find out how to use right to reach the goal.

Enigma levels are very different in nature. Some levels are well-known Sokoban levels (except you’ll have to be careful to not move boxes you didn’t intend to) and similar well known puzzles ported to be controlled with a marble, some are vast labyrinths where you have to carefully balance your marble on a small ledge. Some levels require speed and mouse dexterity, others can only be solved by bright minds. Having to control 10 marbles connected with rubber bands and charged with different magnetic charges at the same time is just one of the challenges you’ll be facing in enigma. Such levels, that blend all these features into a unique mix can best be described as “Enigma”.

Here are some screenshots, you can find more in the homepage.

Game screenshot Game screenshot Levels menu

Enigma is available in Debian since Sarge and in Ubuntu since Warty. Unfortunately, Enigma 1.00 was not released on time to be included with Debian Etch. Enigma 0.92 was in Etch when the freeze was called.

Posted in Debian, Ubuntu | 6 Comments »

« Previous Entries