Joined: 16 Apr 2018 Posts: 107 Location: Milwaukee, WI
Posted: Sun Jan 29, 2023 17:36 Post subject: "sudo service fail2ban status" = "What?"
I just installed fail2ban using entware on ddwrt. I am trying to check its status to see if it is up and running when connected via ssh. I used the debian systemd command "sudo service fail2ban status" in my terminal, and ddwrt doesn't seem to recognize it as a command, which tells me ddwrt doesn't use systemd. That being said, what are the equivalent ddwrt commands for these ubuntu commands:
Code:
sudo service fail2ban status
sudo service fail2ban enable
sudo service fail2ban start
Any help is appreciated.
_________________
DanRanRocks - Tech Tutorials by Dan Ran
Does not exist under dd-wrt; dd-wrt has its own process manager.
Only, it does nothing other than start, stop or restart processes; no status or similar.
But fail2ban writes log files itself.
Code:
cat /var/log/fail2ban.log
2023-01-16 13:27:49,848 fail2ban.server [769]: INFO --------------------------------------------------
2023-01-16 13:27:49,862 fail2ban.server [769]: INFO Starting Fail2ban v1.0.2
2023-01-16 13:27:49,865 fail2ban.observer [769]: INFO Observer start...
2023-01-16 13:27:49,922 fail2ban.database [769]: INFO Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2023-01-16 13:27:49,943 fail2ban.jail [769]: INFO Creating new jail 'sshd'
2023-01-16 13:27:50,156 fail2ban.jail [769]: INFO Jail 'sshd' uses pyinotify {}
2023-01-16 13:27:50,165 fail2ban.jail [769]: INFO Initiated 'pyinotify' backend
2023-01-16 13:27:50,172 fail2ban.filter [769]: INFO maxLines: 1
2023-01-16 13:27:50,259 fail2ban.filter [769]: INFO maxRetry: 3
2023-01-16 13:27:50,303 fail2ban.filter [769]: INFO findtime: 3600
2023-01-16 13:27:50,304 fail2ban.actions [769]: INFO banTime: 3600
2023-01-16 13:27:50,304 fail2ban.filter [769]: INFO encoding: UTF-8
2023-01-16 13:27:50,319 fail2ban.filter [769]: INFO Added logfile: '/var/log/auth.log
2023-01-16 13:27:50,339 fail2ban.jail [769]: INFO Jail 'sshd' started
And I guess installing via entware is not enough; fail2ban probably has to be started somehow as well.
I don't know which package you are using, but the start script is probably located under /opt/etc/init.d/
Code:
ls -la /opt/etc/init.d/
/opt/etc/init.d/S95fail2ban
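Added example, not part of the posts above: with no `service ... status` on DD-WRT, a small POSIX shell function can derive a status from the log that fail2ban writes itself. The function name `f2b_log_status` is hypothetical and the sample logs are constructed, modelled on the log lines quoted in this thread.

```shell
# Added example, not from the thread: summarise fail2ban's state from its log.
# Default log path is the one quoted in the post above; pass yours as $1.
f2b_log_status() {
    log="${1:-/var/log/fail2ban.log}"
    [ -r "$log" ] || { echo "state=unknown error=\"cannot read $log\""; return 2; }
    awk -v q="'" '
        # Each "Starting Fail2ban" line opens a new run: forget the previous one.
        / Starting Fail2ban / {
            state = "starting"; ver = $NF; jails = ""; err = ""
            pid = $4; gsub(/[^0-9]/, "", pid); next
        }
        $0 ~ ("Jail " q "[^" q "]+" q " started") {
            split($0, part, q)
            jails = jails (jails == "" ? "" : ",") part[2]
            state = "running"; next
        }
        $5 == "ERROR" {
            msg = $0; sub(/^.* ERROR +/, "", msg)
            if (err == "") err = msg          # keep the first error: the root cause
            if (msg ~ /Failed during configuration|Async configuration of server failed/) state = "failed"
        }
        END {
            out = "state=" (state == "" ? "unknown" : state)
            out = out " version=" (ver == "" ? "-" : ver) " pid=" (pid == "" ? "-" : pid)
            out = out " jails=" (jails == "" ? "-" : jails)
            if (err != "") out = out " error=\"" err "\""
            print out
            exit (state == "running" ? 0 : 1)
        }
    ' "$log"
}

# Constructed sample logs, modelled on the lines quoted in this thread.
demo_dir=$(mktemp -d); trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/ok.log" <<'EOF'
2023-01-16 13:27:49,862 fail2ban.server [769]: INFO Starting Fail2ban v1.0.2
2023-01-16 13:27:49,943 fail2ban.jail [769]: INFO Creating new jail 'sshd'
2023-01-16 13:27:50,339 fail2ban.jail [769]: INFO Jail 'sshd' started
EOF
cat > "$demo_dir/bad.log" <<'EOF'
2023-02-04 14:33:51,100 fail2ban.server [9777]: INFO Starting Fail2ban v1.0.2
2023-02-04 14:33:51,247 fail2ban [9777]: ERROR Failed during configuration: Have not found any log file for openvpn jail
2023-02-04 14:33:51,260 fail2ban [9777]: ERROR Async configuration of server failed
EOF
f2b_log_status "$demo_dir/ok.log"
f2b_log_status "$demo_dir/bad.log" || true
```

The log only records what fail2ban wrote: a non-zero return means the last start did not bring up a jail, but a process killed later still reads as `state=running`, so pair this with a process check.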
Joined: 16 Nov 2015 Posts: 6410 Location: UK, London, just across the river..
Posted: Sun Jan 29, 2023 22:22 Post subject:
I don't have the time nor a router in hand to test ATM, but I was thinking something like this to call it...
nano /opt/etc/init.d/S95fail2ban.sh
then paste this
#!/bin/sh
logger -t S95fail2ban "Starting fail2ban $0"
# set environment PATH to system binaries
export PATH=/sbin:/bin:/usr/sbin:/usr/bin:$PATH
ENABLED=yes
PROCS=fail2ban
ARGS="-g -v 5 -C /opt/etc/"full path to fail2ban no quotes" 2>/opt/var/log/fail2ban.log"
PREARGS=""
DESC=$PROCS
PATH=/opt/sbin:/opt/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
. /opt/etc/init.d/rc.func
ctrl+x > yes
then make it executable
chmod +x /opt/etc/init.d/S95fail2ban.sh
then add to the USB script, as USB must be up and running... or maybe the startup script with some more delay...
sleep 10
/opt/etc/init.d/rc.unslung start
As I said, I'm not familiar with fail2ban's structure nor its config file... it's a bit of a random shot... it won't hurt to try...
Also bear in mind the forum could play with some spacing, so you need to adapt the script and add the full path where the quotes are...
_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
Joined: 16 Apr 2018 Posts: 107 Location: Milwaukee, WI
Posted: Sat Feb 04, 2023 17:24 Post subject:
Thanks for this. But it looks like the default fail2ban installation adds a
As of now, with this file, I don't believe fail2ban is working yet, as there is no file created in /opt/var/log/. I do have
Code:
sleep 10
/opt/etc/init.d/rc.unslung start
in my startup script for the USB device. Would you still suggest using your version of the fail2ban init.d script instead of this default one?
Joined: 16 Nov 2015 Posts: 6410 Location: UK, London, just across the river..
Posted: Sat Feb 04, 2023 18:01 Post subject:
atomicamp, I can see the export PATH is missing, if this is important at all... and also, did you make it executable?
I'm also interested in fail2ban and how to make it work with DDWRT... as those are not exactly the same
as some of the OpenWRT guides I've seen in the past (and entware is bound with openwrt), so things could differ... I just never had the time and commitment to dig deeper... I was more interested in snort/suricata instead... anyway, in a week or more I'll be back and will have more testing medium... to try it...
It will be nice to make it work and post a guide here in DDWRT, so share the knowledge, kind of...
Also try to call it from the USB script instead of startup, as USB needs to be up and running to call the script... and load...
2023-02-04 14:33:51,247 fail2ban.jailreader [9777]: NOTICE No file(s) found for glob /opt/var/log/fail2ban.log
2023-02-04 14:33:51,247 fail2ban [9777]: ERROR Failed during configuration: Have not found any log file for openvpn jail
2023-02-04 14:33:51,260 fail2ban [9777]: ERROR Async configuration of server failed
Traceback (most recent call last):
File "/opt/lib/python3.10/site-packages/fail2ban/client/fail2banserver.py", line 189, in start
fail2ban.client.fail2bancmdline.ServerExecutionException: Async configuration of server failed
Doesn't work for me. Any advice?
Good morning, I have looked at it again.
This is your fault, you misconfigured fail2ban.
You enabled fail2ban for openvpn and the log path is misconfigured.
Problem solved / case closed.
It tries to read "/opt/var/log/fail2ban.log" as logfile for openvpn, which is completely wrong.
I have told you the correct configuration several times.
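The misconfiguration described above, as an added example that is not part of the original posts: a shell check that flags enabled jails whose `logpath` is fail2ban's own log or matches no file. The function name `f2b_check_logpaths`, the `jail.local` contents and all paths are constructed; it reads a single file and does not resolve `%(...)s` interpolation or multi-line `logpath` values.

```shell
# Added example, not from the thread: sanity-check jail logpaths before start.
# $1 = jail file to read, $2 = fail2ban's own log (default taken from the error above).
f2b_check_logpaths() {
    conf="$1"; own_log="${2:-/opt/var/log/fail2ban.log}"; rc=0
    # awk prints "jail|logpath" for every section that is enabled.
    list=$(awk '
        function emit() { if (sec != "" && sec != "DEFAULT" && en ~ /^(true|yes|on|1)$/) print sec "|" lp }
        /^[ \t]*[#;]/ { next }
        /^\[/ { emit(); sec = $0; gsub(/^\[|\].*$/, "", sec); en = ""; lp = ""; next }
        /^(enabled|logpath)[ \t]*=/ {
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
            if ($0 ~ /^enabled/) en = v; else lp = v
        }
        END { emit() }
    ' "$conf")
    while IFS='|' read -r jail path; do
        [ -n "$jail" ] || continue
        case $path in
            '')         echo "SKIP $jail: no logpath in this file" ;;
            *'%('*)     echo "SKIP $jail: interpolated logpath, resolve by hand" ;;
            "$own_log") echo "BAD  $jail: logpath is fail2ban's own log ($path)"; rc=1 ;;
            *)  set -- $path    # unquoted on purpose so shell globs expand
                if [ -e "$1" ]; then echo "OK   $jail: $path"
                else echo "BAD  $jail: no file matches $path"; rc=1; fi ;;
        esac
    done <<EOF
$list
EOF
    return $rc
}

# Constructed demo: sshd reads a real file, openvpn repeats the thread's mistake.
d=$(mktemp -d); trap 'rm -rf "$d"' EXIT
touch "$d/auth.log"
cat > "$d/jail.local" <<EOF
[sshd]
enabled = true
logpath = $d/auth.log

[openvpn]
enabled = true
logpath = $d/fail2ban.log
EOF
f2b_check_logpaths "$d/jail.local" "$d/fail2ban.log" || echo "fix the jails marked BAD before starting fail2ban"
```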