Develop Reference

Fail2ban - creating second sshd-jail for docker-container log does not work

I have a Linux box on Ubuntu 18.04.3 and have a working fail2ban configuration (like on all my hosts).
In this case I setup a docker-container which acts as a sftp-server for several users - the docker-container has a running rsyslogd and writes login events to /var/log/auth.log - /var/log is mounted to the host-system to /myapp/log/sftp.
So I created a second sshd-jail with this config snippet in jail.local
[myapp-sftp]
filter=sshd
enabled = true
findtime = 1200
maxretry = 2
mode = aggressive
backend = polling
logpath=/myapp/log/sftp/auth.log
The logfile /myapp/log/sftp/auth.log is absolutely there and filled with a lot of failed login tries - from myself and others.
But the jail never gets triggered with a found log entry in fail2ban.log.
I already reset the fail2ban database ... and have no clue what might be wrong.
I tried backend = polling and the default pyinotify.
Checking with fail2ban-regex says that it matches..
# fail2ban-regex /myapp/log/sftp/auth.log /etc/fail2ban/filter.d/sshd.conf
Running tests
=============
Use failregex filter file : sshd, basedir: /etc/fail2ban
Use maxlines : 1
Use datepattern : Default Detectors
Use log file : /myapp/log/sftp/auth.log
Use encoding : UTF-8
Results
=======
Failregex: 268 total
|- #) [# of hits] regular expression
| 3) [64] ^Failed \S+ for invalid user <F-USER>(?P<cond_user>\S+)|(?:(?! from ).)*?</F-USER> from <HOST>(?: port \d+)?(?: on \S+(?: port \d+)?)?(?: ssh\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)
| 4) [29] ^Failed \b(?!publickey)\S+ for (?P<cond_inv>invalid user )?<F-USER>(?P<cond_user>\S+)|(?(cond_inv)(?:(?! from ).)*?|[^:]+)</F-USER> from <HOST>(?: port \d+)?(?: on \S+(?: port \d+)?)?(?: ssh\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)
| 6) [64] ^[iI](?:llegal|nvalid) user <F-USER>.*?</F-USER> from <HOST>(?: port \d+)?(?: on \S+(?: port \d+)?)?\s*$
| 21) [111] ^<F-NOFAIL>Connection from</F-NOFAIL> <HOST>
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [642] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
`-
Lines: 642 lines, 0 ignored, 268 matched, 374 missed
[processed in 0.13 sec]
Missed line(s): too many to print. Use --print-all-missed to print all 374 lines
and
# fail2ban-client status myapp-sftp
Status for the jail: myapp-sftp
|- Filter
| |- Currently failed: 0
| |- Total failed: 0
| `- File list: /myapp/log/sftp/auth.log
`- Actions
|- Currently banned: 0
|- Total banned: 0
`- Banned IP list:
# cat /var/log/fail2ban.log | grep myapp
2019-08-21 10:35:33,647 fail2ban.jail [649]: INFO Creating new jail 'wippex-sftp'
2019-08-21 10:35:33,647 fail2ban.jail [649]: INFO Jail 'myapp-sftp' uses pyinotify {}
2019-08-21 10:35:33,664 fail2ban.server [649]: INFO Jail myapp-sftp is not a JournalFilter instance
2019-08-21 10:35:33,665 fail2ban.filter [649]: INFO Added logfile: '/wippex/log/sftp.log' (pos = 0, hash = 287d8cc2e307c5f427aa87c4c649ced889d6bf6a)
2019-08-21 10:35:33,689 fail2ban.jail [649]: INFO Jail 'myapp-sftp' started
I really never get an expected found entry... nor a ban.
Any ideas are welcome.
# fail2ban-server -V
Fail2Ban v0.10.2
Copyright (c) 2004-2008 Cyril Jaquier, 2008- Fail2Ban Contributors
Copyright of modifications held by their respective authors.
log sample from /myapp/log/sftp/auth.log
Aug 21 14:03:13 a9ede63166d9 sshd[202]: Failed password for invalid user mapp from 95.85.16.178 port 41766 ssh2
Aug 21 14:03:13 a9ede63166d9 sshd[202]: Received disconnect from 95.85.16.178 port 41766:11: Normal Shutdown, Thank you for playing [preauth]
Aug 21 14:03:13 a9ede63166d9 sshd[202]: Disconnected from 95.85.16.178 port 41766 [preauth]
Aug 21 14:03:49 a9ede63166d9 sshd[204]: Connection from 95.85.16.178 port 34722 on 172.17.0.3 port 22
Aug 21 14:03:49 a9ede63166d9 sshd[204]: Invalid user mapp from 95.85.16.178 port 34722
Aug 21 14:03:49 a9ede63166d9 sshd[204]: input_userauth_request: invalid user mapp [preauth]
Aug 21 14:03:49 a9ede63166d9 sshd[204]: error: Could not get shadow information for NOUSER
Aug 21 14:03:49 a9ede63166d9 sshd[204]: Failed password for invalid user mapp from 95.85.16.178 port 34722 ssh2
Aug 21 14:03:49 a9ede63166d9 sshd[204]: Received disconnect from 95.85.16.178 port 34722:11: Normal Shutdown, Thank you for playing [preauth]
Aug 21 14:03:49 a9ede63166d9 sshd[204]: Disconnected from 95.85.16.178 port 34722 [preauth]

Problem is "solved". The docker container simply used a different timezone than the host and the logfile timestamps didnt contain the timezone.
So fail2ban assumed the timestamps were written in the same timezone as it´s running environment (on host) and didn´t interprete "old" log entries (2 hr. diff).
See https://github.com/fail2ban/fail2ban/issues/2486
I simply set the host timezone to UTC now - but will try now to set rsyncd to use a timezoned dateformat

NodeMCU traceback on reboot

I have an embedded application running NodeMCU that is not connected to a console as the UART has been repurposed to obtain serial data from an attached device.
During testing the application ran for about 15 hours then rebooted 5 times in a row before "settling" and continuing to run correctly.
Is it possible to log to a file a traceback of what caused the reboots? I am assuming some kind of PANIC error caused the reboot. I don't think it is a memory issue as the application reports the heap size (via http to a local server) every 30 seconds. Here is a log extract:
Wed May 18 00:46:37 2016 -> '{"s":"1782","i":"1afe34d26348", "d":"heap=12408
Wed May 18 00:47:08 2016 -> '{"s":"1783","i":"1afe34d26348", "d":"heap=12408
Wed May 18 00:47:39 2016 -> '{"s":"1784","i":"1afe34d26348", "d":"heap=12408
Wed May 18 00:48:19 2016 -> '{"s":"1785","i":"1afe34d26348", "d":"heap=11432
Wed May 18 00:50:06 2016 -> '{"s":"0","i":"1afe34d26348", "d":"heap=14560
Wed May 18 00:51:25 2016 -> '{"s":"0","i":"1afe34d26348", "d":"heap=14584
Wed May 18 00:52:45 2016 -> '{"s":"0","i":"1afe34d26348", "d":"heap=14560
Wed May 18 00:54:04 2016 -> '{"s":"0","i":"1afe34d26348", "d":"heap=14584
Wed May 18 00:55:24 2016 -> '{"s":"0","i":"1afe34d26348", "d":"heap=14608
Wed May 18 00:55:55 2016 -> '{"s":"1","i":"1afe34d26348", "d":"heap=12608
Wed May 18 00:56:26 2016 -> '{"s":"2","i":"1afe34d26348", "d":"heap=12600
Wed May 18 00:56:56 2016 -> '{"s":"3","i":"1afe34d26348", "d":"heap=12624
Wed May 18 00:57:27 2016 -> '{"s":"4","i":"1afe34d26348", "d":"heap=12600
I the above log "s" is a sequential counter that is reset to 0 when the device reboots, and "d" is the heap size (you can ignore the "i" entry, it is just the MAC address of the device that is sending the data).
xpcall won't work in the case of a PANIC device reset.
I tried logging node.bootreason() to a file on reboot, but it doesn't contain a traceback to where the error occurred.
Is there some method for troubleshooting nodemcu applications that aren't connected to a console?

Cloudflare & Heroku (DNS): An A, AAAA or CNAME record was not found

I have tried to apply free SSL service provided by Cloudflare to my Heroku app.
Although I registered my domain about 4 days ago, it doesn't work.
When I try to access my domain (example.com and www.example.com) with Chrome, This site can’t be reached example.com’s server DNS address could not be found. is displayed.
The following messages are displayed when I check the Cloudflare site.
An A, AAAA or CNAME record was not found for the www subdomain. The www.example.com subdomain will not resolve.
An A, AAAA or CNAME record was not found pointing to the root domain. The example.com domain will not resolve.
An MX record was not found for your root domain. An MX record is required for mail to reach #example.com addresses.
I could access my domain www.example.com before using Cloudflare.
How can I use my domain with SSL?
My setting summary in Cloudflare is as follows;
Security Level: Medium
SSL: Full
I get my domain and set up as below on the home page which I get my domain.
sub domain: www
type: CNAME
content: floating-fortress-999999.herokuapp.com
name server1: foo.ns.cloudflare.com
name server2: bar.ns.cloudflare.com
When I try to dig command, the followings are displayed.
$ dig example.com
; <<>> DiG 9.9.5-3ubuntu0.7-Ubuntu <<>> example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 301
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;example.com. IN A
;; AUTHORITY SECTION:
example.com. 9999 IN SOA foo.ns.cloudflare.com. dns.cloudflare.com. 2021450999 10000 0000 999900 9900
;; Query time: 53 msec
;; SERVER: 999.99.9.9#53(999.99.9.9)
;; WHEN: Fri May 13 21:11:54 UTC 2016
;; MSG SIZE rcvd: 101
When I try to dig command with ns, the followings are dispaleyed.
$ dig example.com ns
; <<>> DiG 9.9.5-3ubuntu0.7-Ubuntu <<>> example.com ns
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9999
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;example.com. IN NS
;; ANSWER SECTION:
example.com. 99999 IN NS bar.ns.cloudflare.com.
example.com. 99999 IN NS foo.ns.cloudflare.com.
;; Query time: 173 msec
;; SERVER: 999.99.9.9#53(999.99.9.9)
;; WHEN: Fri May 13 21:12:53 UTC 2016
;; MSG SIZE rcvd: 96
It would be appreciated if you give me any suggestion.

Unable to start Rails Server with Amazon Route 53 DNS

I have been trying hard to up my Rails Server which is deployed in Amazon EC2 and access it using Route 53.
I have create a simple record sets for students.aalizwel.com in Route 53 console and also
mapped my Registrar name servers with Amazon's nameservers.
Following is the screenshot.
I have my Rails server running in Amazon EC2 with elastic IP as mentioned above
in record set students.aalizwel.com.
I have started the server as usual :
~/aalizwel$ rails s
Digest::Digest is deprecated; use Digest
=> Booting WEBrick
=> Rails 3.2.19 application starting in development on http://0.0.0.0:3000
=> Call with -d to detach
=> Ctrl-C to shutdown server
....
Following are issues I am facing:
Unable to ping aalizwel.com.
Able to ping students.aalizwel.com but can't able to access rails server through
url http://students.aalizwel.com:3000
Could anybody help me where I might go wrong?

Unable to ping aalizwel.com
You can't ping it because there is no A record at that name, only the SOA.
; <<>> DiG 9.8.3-P1 <<>> aalizwel.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41528
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;aalizwel.com. IN A
;; AUTHORITY SECTION:
aalizwel.com. 899 IN SOA ns-1191.awsdns-20.org. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400
;; Query time: 161 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Sep 16 09:02:16 2014
;; MSG SIZE rcvd: 112
Able to ping students.aalizwel.com but can't able to access rails server through url http://students.aalizwel.com:3000
There is an nginx server running on port 80:
HTTP/1.1 200 OK
Server: nginx/1.6.1
Date: Tue, 16 Sep 2014 07:03:04 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Tue, 05 Aug 2014 11:18:35 GMT
Connection: keep-alive
ETag: "53e0bd8b-264"
Accept-Ranges: bytes
You will likely need to get your Rails app running so it is proxied from the nginx server over to the port 3000 running instance. I am guessing port 3000 is blocked at the firewall, which would be standard default behavior for an EC2 instance unless you change the firewall rules.
Look into running nginx as a reverse proxy with Rails - you should provide articles on your favorite search engine providing guidance.

What does Diagnostic-Code: SMTP; 573 mean?

I am using sendmail to send mail from my Rails application. But, there seems to be a error happening while sending mails to a specific user domain. The error from /var/mail/*** is as follows:
Date: Tue, 11 Oct 2011 16:33:46 GMT
From: Mail Delivery Subsystem <MAILER-DAEMON#*****>
Message-Id: <201110111633.p9BGXkpR010310#******>
To: <****#*****>
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
boundary="p9BGXkpR010310.1318350826/******"
Subject: Returned mail: see transcript for details
Auto-Submitted: auto-generated (failure)
This is a MIME-encapsulated message
--p9BGXkpR010310.1318350826/*******
The original message was received at Tue, 11 Oct 2011 16:33:42 GMT
from localhost [127.0.0.1]
----- The following addresses had permanent fatal errors -----
<****#{domain}.com>
(reason: 573 ********#****** failed to route the address)
<*****#{domain}.com>
(reason: 573 *******#****** failed to route the address)
<*****#{domain}.com>
(reason: 573 *******#******* failed to route the address)
----- Transcript of session follows -----
... while talking to *********.com.1.0001.arsmtp.com.:
>>> MAIL From:<*******#*******> SIZE=1273
<<< 573 ********#********* failed to route the address
554 5.0.0 Service unavailable
--p9BGXkpR010310.1318350826/*******
Content-Type: message/delivery-status
Reporting-MTA: dns; StreetSense
Received-From-MTA: DNS; localhost
Arrival-Date: Tue, 11 Oct 2011 16:33:42 GMT
Final-Recipient: RFC822; ****#*******.com
Action: failed
Status: 5.0.0
Diagnostic-Code: SMTP; 573 *******#******* failed to route the address
Last-Attempt-Date: Tue, 11 Oct 2011 16:33:46 GMT
Final-Recipient: RFC822; *******#********.com
Action: failed
Status: 5.0.0
Diagnostic-Code: SMTP; 573 *******#******** failed to route the address
Last-Attempt-Date: Tue, 11 Oct 2011 16:33:46 GMT
Final-Recipient: RFC822; ******#*********.com
Action: failed
Status: 5.0.0
Diagnostic-Code: SMTP; 573 *****#******** failed to route the address
Last-Attempt-Date: Tue, 11 Oct 2011 16:33:46 GMT
The bounced back emails are all from the same domain, and mails are being successfully sent to other domains. When I looked for SMTP 573 diagnostic codes, I got this "573 Internal server error, IP address related.". But I dont know what it means. Can anyone help me?
Update
From #guenter's answer, I got these commands and I run it and got the following outputs:
# dig streetsense.com MX
; <<>> DiG 9.3.6-P1-RedHat-9.3.6-16.P1.el5 <<>> xxxxx.com MX
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61139
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 4
;; QUESTION SECTION:
;xxxxx.com. IN MX
;; ANSWER SECTION:
xxxxx.com. 3600 IN MX 10 xxxxx.com.1.0001.arsmtp.com.
xxxxxx.com. 3600 IN MX 20 xxxxx.com.2.0001.arsmtp.com.
;; AUTHORITY SECTION:
xxxxx.com. 155394 IN NS ns04.ntiva.net.
xxxxx.com. 155394 IN NS ns01.ntiva.net.
xxxxx.com. 155394 IN NS ns02.ntiva.net.
xxxxx.com. 155394 IN NS ns03.ntiva.net.
;; ADDITIONAL SECTION:
ns01.ntiva.net. 147 IN A xxx.xx.xx.xxx
ns02.ntiva.net. 147 IN A xxx.xx.xx.xxx
ns03.ntiva.net. 147 IN A xxx.xx.xx.xxx
ns04.ntiva.net. 147 IN A xxx.xx.xx.xxx
;; Query time: 45 msec
;; SERVER: xxx.xxx.x.x#xx(xxx.xxx.x.x)
;; WHEN: Tue Oct 11 18:08:23 2011
;; MSG SIZE rcvd: 262
ping also seem to be working:
# ping xxxxxxx.com
PING xxxxxxxx.com (xxx.xx.xx.xx) xx(xx) bytes of data.
64 bytes from linux06.ntiva.com (xxx.xx.xx.xx): icmp_seq=1 ttl=53 time=29.0 ms
64 bytes from linux06.ntiva.com (xxx.xx.xx.xx): icmp_seq=2 ttl=53 time=27.4 ms
64 bytes from linux06.ntiva.com (xxx.xx.xx.xx): icmp_seq=3 ttl=53 time=27.4 ms
64 bytes from linux06.ntiva.com (xxx.xx.xx.xx): icmp_seq=4 ttl=53 time=27.4 ms
Edit
also my hostname of my server seems to be same as the domain name causing issue
# hostname
xxxxxxx
This is same as the domain xxxxxxx.com. Can this cause the issue?

failed to route the address is the key here.
Seems that your sendmail doesn't know how to route that address. You need some mail-debugging here. First step could be to check the DNS for MX-records for this domain - dig example.com MX.
If there is no MX record, that is the problem. If there are MX record(s), you might try to ping that hosts.