
fail2ban: timezone problems

12 Apr

Just a short note for fail2ban users (and me); the point is already stated at the end of the FAQ:

“So, check that all your logs are synchronized: all log files (auth.log, syslog, ...) must use the same time reference (if your server is not very busy, there will probably be an important difference between the output of date command and the last event logged in syslog. You can force to generate a log in syslog using the logger command and check then with the output of date command)”


# date
Wed Nov 28 13:49:02 CET 2007
# tail -2 /var/log/auth.log
Nov 28 13:39:12 sudo: pam_unix(sudo:session): session opened for user root by user(uid=0)
Nov 28 13:39:12 sudo: pam_unix(sudo:session): session closed for user root

If the time reference is not the same everywhere, then fail2ban won’t ban any IP!

That means that if you have changed your timezone (e.g. by running the dpkg-reconfigure tzdata command) and the timestamps in your auth.log no longer match the output of date, fail2ban is not going to ban the IP addresses that it should, even though its filters matched them perfectly.
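The check described above, as an added Python example (not part of the original post or of fail2ban): it measures how far the timestamp on a freshly written logger line is from the current time. FINDTIME uses fail2ban's default findtime of 600 seconds; TOLERANCE, the function names and the sample lines are constructed for illustration.

```python
from datetime import datetime

FINDTIME = 600   # seconds; fail2ban's default findtime, assumed unchanged
TOLERANCE = 5    # seconds of slack for a just-written probe line (arbitrary choice)

def parse_syslog_stamp(line, now):
    """Parse the 'Mon DD HH:MM:SS' prefix of a syslog line as naive wall-clock time.

    Syslog omits the year, so take the year that puts the stamp closest to
    `now`; this keeps a Dec 31 line read on Jan 1 from looking a year off.
    """
    candidates = []
    for year in (now.year - 1, now.year, now.year + 1):
        try:
            candidates.append(
                datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S"))
        except ValueError:  # no stamp, or Feb 29 in a non-leap candidate year
            continue
    if not candidates:
        raise ValueError(f"no syslog timestamp at start of {line!r}")
    return min(candidates, key=lambda t: abs((now - t).total_seconds()))

def skew_seconds(probe_line, now):
    """Seconds by which `now` (what date prints) is ahead of the log stamp."""
    return int((now - parse_syslog_stamp(probe_line, now)).total_seconds())

def verdict(probe_line, now, findtime=FINDTIME):
    """Classify a probe line that was written with logger immediately before."""
    skew = skew_seconds(probe_line, now)
    if abs(skew) <= TOLERANCE:
        return "in sync"
    if skew >= findtime:
        return "outside findtime"  # every entry already looks too old to count
    return "skewed"

if __name__ == "__main__":
    # Constructed sample: date prints CET, syslog still stamps in UTC.
    now = datetime(2007, 11, 28, 13, 49, 2)
    for line in ("Nov 28 13:49:01 host root: f2b-probe",
                 "Nov 28 12:49:01 host root: f2b-probe"):
        print(skew_seconds(line, now), verdict(line, now))
```

The probe line must be fresh: on an idle server the last existing entry can be minutes old without any skew, which is why the FAQ says to write one with logger first.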


Posted by on April 12, 2010 in Linux, security, sysadmin

 
