gto6120, 2016-11-23 13:58:16

Why is fail2ban not working?

Good afternoon. CentOS 7, firewalld, fail2ban ((
jail.local:

[DEFAULT]
findtime  = 3600
[sshd]
enabled = true
port = ssh
maxretry = 3
action = firewallcmd-ipset

When I set bantime = x, x is ignored; they are banned for 600 seconds anyway, as by default.
I also don't understand where to look for the full list of banned addresses. In theory, with action = firewallcmd-ipset the check should be ipset --list, and there are sometimes several addresses there, but there are lines in the secure log:
2016-11-23 13:52:05,603 fail2ban.filter         [31078]: INFO    [sshd] Found 221.229.172.103
2016-11-23 13:52:05,706 fail2ban.filter         [31078]: INFO    [sshd] Found 221.229.172.103
2016-11-23 13:52:06,122 fail2ban.actions        [31078]: NOTICE  [sshd] 221.229.172.103 already banned
2016-11-23 13:52:06,706 fail2ban.filter         [31078]: INFO    [sshd] Found 221.229.172.103
2016-11-23 13:52:07,259 fail2ban.filter         [31078]: INFO    [sshd] Found 221.229.172.103
2016-11-23 13:52:07,285 fail2ban.filter         [31078]: INFO    [sshd] Found 221.229.172.103
2016-11-23 13:52:07,484 fail2ban.filter         [31078]: INFO    [sshd] Found 221.229.172.103
2016-11-23 13:52:08,125 fail2ban.actions        [31078]: NOTICE  [sshd] 221.229.172.103 already banned
2016-11-23 13:52:08,885 fail2ban.filter         [31078]: INFO    [sshd] Found 221.229.172.103
2016-11-23 13:52:09,127 fail2ban.actions        [31078]: NOTICE  [sshd] 221.229.172.103 already banned
2016-11-23 13:52:12,242 fail2ban.filter         [31078]: INFO    [sshd] Found 221.229.172.103
2016-11-23 13:52:44,789 fail2ban.filter         [31078]: INFO    [sshd] Found 221.229.172.103
2016-11-23 13:52:45,371 fail2ban.filter         [31078]: INFO    [sshd] Found 221.229.172.103
2016-11-23 13:52:46,174 fail2ban.actions        [31078]: NOTICE  [sshd] 221.229.172.103 already banned

for the same period of time, which says that the address 221.229.172.103 should have been banned, but no, it does not appear in the list.
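
Added example, not part of the original post: a Python check that reads fail2ban log lines like those quoted in the question and counts `Found` hits logged while fail2ban already considers the address banned, which suggests the ban action is not blocking traffic. The function names, the threshold of 3 and the 203.0.113.7 lines are assumptions made for this example.

```python
import re
from collections import defaultdict

# First eight log lines from the question, then four constructed lines
# (203.0.113.7 is a documentation address) for a ban that does take effect.
SAMPLE_LOG = """\
2016-11-23 13:52:05,603 fail2ban.filter         [31078]: INFO    [sshd] Found 221.229.172.103
2016-11-23 13:52:05,706 fail2ban.filter         [31078]: INFO    [sshd] Found 221.229.172.103
2016-11-23 13:52:06,122 fail2ban.actions        [31078]: NOTICE  [sshd] 221.229.172.103 already banned
2016-11-23 13:52:06,706 fail2ban.filter         [31078]: INFO    [sshd] Found 221.229.172.103
2016-11-23 13:52:07,259 fail2ban.filter         [31078]: INFO    [sshd] Found 221.229.172.103
2016-11-23 13:52:07,285 fail2ban.filter         [31078]: INFO    [sshd] Found 221.229.172.103
2016-11-23 13:52:07,484 fail2ban.filter         [31078]: INFO    [sshd] Found 221.229.172.103
2016-11-23 13:52:08,125 fail2ban.actions        [31078]: NOTICE  [sshd] 221.229.172.103 already banned
2016-11-23 13:53:01,100 fail2ban.filter         [31078]: INFO    [sshd] Found 203.0.113.7
2016-11-23 13:53:02,200 fail2ban.filter         [31078]: INFO    [sshd] Found 203.0.113.7
2016-11-23 13:53:03,300 fail2ban.filter         [31078]: INFO    [sshd] Found 203.0.113.7
2016-11-23 13:53:03,900 fail2ban.actions        [31078]: NOTICE  [sshd] Ban 203.0.113.7
"""

# Matches "Found <ip>", "Ban <ip>", "Unban <ip>" and "<ip> already banned".
EVENT_RE = re.compile(
    r"fail2ban\.(?:filter|actions)\s+\[\d+\]:\s+\w+\s+\[(?P<jail>[^\]]+)\]\s+"
    r"(?:(?P<verb>Found|Ban|Unban)\s+)?(?P<ip>[0-9A-Fa-f:.]+)(?P<dup>\s+already banned)?"
)

def ban_leaks(log_text):
    """Count, per (jail, ip), 'Found' hits logged while fail2ban holds a ban."""
    banned = set()
    stats = defaultdict(lambda: {"found": 0, "found_while_banned": 0})
    for line in log_text.splitlines():
        m = EVENT_RE.search(line)
        if not m or not (m["verb"] or m["dup"]):
            continue  # unrelated line, or no ban-related event on it
        key = (m["jail"], m["ip"])
        if m["verb"] == "Found":
            stats[key]["found"] += 1
            stats[key]["found_while_banned"] += key in banned
        elif m["verb"] == "Unban":
            banned.discard(key)
        else:  # "Ban <ip>" or "<ip> already banned"
            banned.add(key)
    return dict(stats)

def suspect_actions(log_text, threshold=3):
    """(jail, ip) pairs that keep reaching the service after fail2ban banned them."""
    return sorted(k for k, s in ban_leaks(log_text).items()
                  if s["found_while_banned"] >= threshold)
```

For any address this reports, compare fail2ban's own list from `fail2ban-client status sshd` with what the firewall actually holds (`ipset --list` or `iptables -L -n -v`, as used in this thread).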


2 answer(s)
gto6120, 2016-11-23
@gto6120

I solved the problem simply: I set up key-based authorization and tightly closed password access for ssh (having first checked with technical support that access can be restored if the key is lost, and having pushed the key to all available media). And fail2ban sent me to the ban.

Alexander Apokin, 2017-04-22
@apokin

I had a question about this too. CentOS 7. Solved it as follows.
Added a jail.loc file to the /etc/fail2ban folder:

[DEFAULT]
##, <you can write your own ip here>
ignoreip = 127.0.0.1/8

[sshd]
findtime  = 3600
maxretry    = 3
## there is a maximum possible value!
bantime  = 86400

enabled = true

## this is the root of the evil
action = iptables
## at least for me,
## the wrong commands were issued through firewalld
## (they can be configured in the files of the action.d folder,
## but I did not bother with that)

Pay attention to action.
My IPs are banned and visible with the iptables -L -n -v command.
