Why is fail2ban not working for me?
Available:
1. Debian server 6.0.6
2. Fail2Ban v0.8.4-SVN
cat /etc/fail2ban/jail.local
[ssh-iptables]
enabled = true
filter = sshd
findtime = 600
action = iptables-allports[name=SSH, protocol=all]
logpath = /var/log/auth.log
maxretry = 3
[asterisk-iptables]
enabled = true
filter = asterisk
action = iptables-allports[name=ASTERISK, protocol=all]
logpath = /var/log/asterisk/messages
maxretry = 5
bantime = 259200
cat /etc/services |grep ssh
ssh 10022/tcp
ssh 22/udp
iptables -v -nL
Chain INPUT (policy ACCEPT 620 packets, 70755 bytes)
pkts bytes target prot opt in out source destination
620 70755 fail2ban-ASTERISK all -- * * 0.0.0.0/0 0.0.0.0/0
620 70755 fail2ban-SSH all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 661 packets, 79310 bytes)
pkts bytes target prot opt in out source destination
Chain fail2ban-ASTERISK (1 references)
pkts bytes target prot opt in out source destination
620 70755 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-SSH (1 references)
pkts bytes target prot opt in out source destination
620 70755 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf
[SKIPPED]
Date template hits:
11246 hit(s): MONTH Day Hour:Minute:Second
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
0 hit(s): Year/Month/Day Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/MONTH/Year:Hour:Minute:Second
0 hit(s): Month/Day/Year:Hour:Minute:Second
0 hit(s): Year-Month-Day Hour:Minute:Second
0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
0 hit(s): Day-Month-Year Hour:Minute:Second
0 hit(s): TAI64N
0 hit(s): Epoch
0 hit(s): ISO 8601
0 hit(s): Hour:Minute:Second
0 hit(s): <Month/Day/Year@Hour:Minute:Second>
Success, the total number of match is 296
I had my doubts about the timing. And they were confirmed!
date && tail -2 /var/log/auth.log
Thu Jan 24 23:12:31 MSK 2013
Jan 24 20:01:57 c2c sshd[3951]: Failed password for invalid user werwerwerw from 11.11.111.11 port 50701 ssh2
Jan 24 20:01:58 c2c sshd[3951]: Failed password for invalid user werwerwerw from 11.11.111.11 port 50701 ssh2
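The mismatch found in this answer, as an added example (not code from the thread or from fail2ban): the log timestamps are about three hours behind the system clock, far more than findtime = 600, so a failure that has just happened already looks too old to count. The sketch assumes fail2ban counts only failures whose log timestamp is within findtime seconds of the current time; the function names and the second sample line are constructed.

```python
import re
from datetime import datetime, timedelta

# Syslog prefix "MONTH Day Hour:Minute:Second", the date template that hit in fail2ban-regex.
SYSLOG_TS = re.compile(r"^([A-Z][a-z]{2})\s+(\d{1,2})\s+(\d{2}:\d{2}:\d{2})\s")

def parse_syslog_time(line, now):
    """Return the line's timestamp, or None if it has no valid syslog prefix."""
    m = SYSLOG_TS.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(f"{now.year} {m.group(1)} {m.group(2)} {m.group(3)}",
                               "%Y %b %d %H:%M:%S")
    except ValueError:
        return None
    # Syslog omits the year: a date well in the future belongs to the previous year.
    if ts - now > timedelta(days=1):
        ts = ts.replace(year=now.year - 1)
    return ts

def check_skew(lines, now, findtime):
    """Return (age_seconds, counted) per timestamped line.

    Assumption modelled here: a failure counts toward maxretry only if its
    log timestamp is not older than now - findtime.
    """
    results = []
    for line in lines:
        ts = parse_syslog_time(line, now)
        if ts is not None:
            age = int((now - ts).total_seconds())
            results.append((age, age <= findtime))
    return results

# Values from the thread: `date` output and findtime from jail.local.
NOW = datetime(2013, 1, 24, 23, 12, 31)
FINDTIME = 600
SAMPLE = [
    # line quoted in the answer above
    "Jan 24 20:01:57 c2c sshd[3951]: Failed password for invalid user werwerwerw from 11.11.111.11 port 50701 ssh2",
    # constructed line whose timestamp agrees with the system clock
    "Jan 24 23:10:02 c2c sshd[4010]: Failed password for invalid user test from 203.0.113.5 port 40000 ssh2",
]

if __name__ == "__main__":
    for age, counted in check_skew(SAMPLE, NOW, FINDTIME):
        print(f"age={age}s counted={counted}")
```

To check a live host, pass `datetime.now()` and the last lines of the jail's logpath instead of the sample values.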
Perhaps you need to set a port for it in the config?
iptables[name=SSH, port=10002, protocol=tcp]
Well, what about in the logs?
Maybe it doesn't know how to do iptables-allports.
Look in the logs when starting f2b and when banning.