Why is fail2ban not working on Debian 9?
Hello, dear experts. I am new to Linux.
I am setting up the first VPS of my life, and I decided to install this wretched fail2ban, which refuses to work.
Following guides from the Internet, I configured everything as it should be in the file /etc/fail2ban/jail.conf:
[sshd]
enabled = true
port = 3476
logpath = %(sshd_log)s
backend = %(sshd_backend)s
bantime = 86400
findtime = 600
maxretry = 3
. . .
. . .
. . .
2018-06-15 13:44:41,695 fail2ban.jail [7433]: INFO Jail 'sshd' stopped
2018-06-15 13:44:41,697 fail2ban.server [7433]: INFO Exiting Fail2ban
2018-06-15 13:44:41,927 fail2ban.server [7569]: INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.9.6
2018-06-15 13:44:41,928 fail2ban.database [7569]: INFO Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2018-06-15 13:44:41,930 fail2ban.jail [7569]: INFO Creating new jail 'sshd'
2018-06-15 13:44:41,944 fail2ban.jail [7569]: INFO Jail 'sshd' uses pyinotify {}
2018-06-15 13:44:41,960 fail2ban.jail [7569]: INFO Initiated 'pyinotify' backend
2018-06-15 13:44:41,962 fail2ban.filter [7569]: INFO Added logfile = /var/log/auth.log
2018-06-15 13:44:41,963 fail2ban.actions [7569]: INFO Set banTime = 86400
2018-06-15 13:44:41,964 fail2ban.filter [7569]: INFO Set maxRetry = 3
2018-06-15 13:44:41,964 fail2ban.filter [7569]: INFO Set findtime = 600
2018-06-15 13:44:41,965 fail2ban.filter [7569]: INFO Set jail log file encoding to UTF-8
2018-06-15 13:44:41,965 fail2ban.filter [7569]: INFO Set maxlines = 10
2018-06-15 13:44:42,057 fail2ban.server [7569]: INFO Jail sshd is not a JournalFilter instance
2018-06-15 13:44:42,067 fail2ban.jail [7569]: INFO Jail 'sshd' started
Jun 15 15:37:30 Hahahaha systemd-logind[372]: Removed session 275.
Jun 15 15:38:21 Hahahaha sshd[7460]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=178.121.23.238 user=onotole
Jun 15 15:38:23 Hahahaha sshd[7460]: Failed password for onotole from 178.121.23.238 port 52253 ssh2
Jun 15 15:38:26 Hahahaha sshd[7460]: Failed password for onotole from 178.121.23.238 port 52253 ssh2
Jun 15 15:38:32 Hahahaha sshd[7460]: Failed password for onotole from 178.121.23.238 port 52253 ssh2
Jun 15 15:38:38 Hahahaha sshd[7460]: Failed password for onotole from 178.121.23.238 port 52253 ssh2
Jun 15 15:38:44 Hahahaha sshd[7460]: Failed password for onotole from 178.121.23.238 port 52253 ssh2
Jun 15 15:38:49 Hahahaha sshd[7460]: Failed password for onotole from 178.121.23.238 port 52253 ssh2
Jun 15 15:38:50 Hahahaha sshd[7460]: Accepted password for onotole from 178.121.23.238 port 52253 ssh2
Jun 15 15:38:50 Hahahaha sshd[7460]: pam_unix(sshd:session): session opened for user onotole by (uid=0)
Jun 15 15:38:50 Hahahaha systemd: pam_unix(systemd-user:session): session opened for user onotole by (uid=0)
Jun 15 15:38:50 Hahahaha systemd-logind[372]: New session 278 of user onotole.
Jun 15 15:39:01 Hahahaha CRON[7480]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 15 15:39:01 Hahahaha CRON[7480]: pam_unix(cron:session): session closed for user root
Jun 15 15:39:03 Hahahaha sudo: pam_unix(sudo:auth): authentication failure; logname=onotole uid=1000 euid=0 tty=/dev/pts/0 ruser=onotole rhost= user=onotole
Jun 15 15:39:10 Hahahaha sudo: onotole : TTY=pts/0 ; PWD=/home/onotole ; USER=root ; COMMAND=/bin/nano /etc/fail2ban/jail.conf
Jun 15 15:39:10 Hahahaha sudo: pam_unix(sudo:session): session opened for user root by onotole(uid=0)
Jun 15 15:40:15 Hahahaha sudo: pam_unix(sudo:session): session closed for user root
Jun 15 15:40:38 Hahahaha sudo: onotole : TTY=pts/0 ; PWD=/var/log ; USER=root ; COMMAND=/bin/nano auth.log
Jun 15 15:40:38 Hahahaha sudo: pam_unix(sudo:session): session opened for user root by onotole(uid=0)
Jun 15 15:41:16 Hahahaha sudo: pam_unix(sudo:session): session closed for user root
Jun 15 15:41:32 Hahahaha sudo: onotole : TTY=pts/0 ; PWD=/var/log ; USER=root ; COMMAND=/bin/nano faillog
Jun 15 15:41:32 Hahahaha sudo: pam_unix(sudo:session): session opened for user root by onotole(uid=0)
Jun 15 15:41:36 Hahahaha sudo: pam_unix(sudo:session): session closed for user root
Jun 15 15:41:46 Hahahaha sudo: onotole : TTY=pts/0 ; PWD=/var/log ; USER=root ; COMMAND=/bin/nano fail2ban.log
Jun 15 15:41:46 Hahahaha sudo: pam_unix(sudo:session): session opened for user root by onotole(uid=0)
Jun 15 15:42:08 Hahahaha sudo: pam_unix(sudo:session): session closed for user root
Jun 15 15:42:30 Hahahaha sudo: onotole : TTY=pts/0 ; PWD=/var/log ; USER=root ; COMMAND=/bin/nano /etc/fail2ban/jail.conf
Jun 15 15:42:30 Hahahaha sudo: pam_unix(sudo:session): session opened for user root by onotole(uid=0)
Jun 15 15:44:29 Hahahaha sudo: pam_unix(sudo:session): session closed for user root
Jun 15 15:44:40 Hahahaha sudo: onotole : TTY=pts/0 ; PWD=/var/log ; USER=root ; COMMAND=/usr/sbin/service fail2ban restart
Jun 15 15:44:40 Hahahaha sudo: pam_unix(sudo:session): session opened for user root by onotole(uid=0)
Jun 15 15:44:42 Hahahaha sudo: pam_unix(sudo:session): session closed for user root
Jun 15 15:44:48 Hahahaha sudo: onotole : TTY=pts/0 ; PWD=/var/log ; USER=root ; COMMAND=/usr/sbin/service fail2ban status
Purge the package, delete all your configs and reinstall normally; SSH log parsing works out of the box.
If systemd and journald are used on Debian 9, remove the following lines from the config:
port = 3476
logpath = %(sshd_log)s
backend = %(sshd_backend)s
and add
backend=systemd
In this case, fail2ban will monitor events from journald.
In short, the solution to the problem, for those who run into it:
The point is not Debian 9. The time on my machine was set to UTC, i.e. I had set it that way myself; initially it was not UTC. That is why the utility did not work.
You need to set the time correctly (hardware and system) and then reboot the machine!
After that, everything works.
That's all.
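The mechanism behind the question and the asker's own conclusion, as an added example that is not part of the thread and is not fail2ban's code: a simplified model of the [sshd] jail from the question (findtime = 600, maxretry = 3) replayed over the auth.log lines pasted above. fail2ban compares each log line's timestamp with its own clock and ignores lines that look older than findtime; the model reproduces only that rule (an assumption about the real filter, which has more logic). Note that in the post the same service restart is stamped 13:44:41 in fail2ban.log and 15:44:40 in auth.log, a two-hour disagreement. The year 2018, the regex, and the function names are the example's own; the log lines are copied from the question.

```python
import re
from datetime import datetime, timedelta

# Log lines copied from the question's auth.log (syslog timestamps carry no
# year; 2018 is assumed from the fail2ban.log pasted in the same post).
AUTH_LOG = """\
Jun 15 15:37:30 Hahahaha systemd-logind[372]: Removed session 275.
Jun 15 15:38:21 Hahahaha sshd[7460]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=178.121.23.238 user=onotole
Jun 15 15:38:23 Hahahaha sshd[7460]: Failed password for onotole from 178.121.23.238 port 52253 ssh2
Jun 15 15:38:26 Hahahaha sshd[7460]: Failed password for onotole from 178.121.23.238 port 52253 ssh2
Jun 15 15:38:32 Hahahaha sshd[7460]: Failed password for onotole from 178.121.23.238 port 52253 ssh2
Jun 15 15:38:38 Hahahaha sshd[7460]: Failed password for onotole from 178.121.23.238 port 52253 ssh2
Jun 15 15:38:44 Hahahaha sshd[7460]: Failed password for onotole from 178.121.23.238 port 52253 ssh2
Jun 15 15:38:49 Hahahaha sshd[7460]: Failed password for onotole from 178.121.23.238 port 52253 ssh2
Jun 15 15:38:50 Hahahaha sshd[7460]: Accepted password for onotole from 178.121.23.238 port 52253 ssh2
"""

LOG_YEAR = 2018   # assumed; syslog lines have no year
FINDTIME = 600    # seconds, as in the question's [sshd] jail
MAXRETRY = 3

# Matches the "Failed password" line shape seen above. This regex is written
# for the example; fail2ban's own sshd filter ships a longer failregex list.
FAILREGEX = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse_syslog_time(ts, year=LOG_YEAR):
    """Turn 'Jun 15 15:38:23' into a datetime, supplying the missing year."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def simulate_jail(log_text, skew_seconds=0, findtime=FINDTIME, maxretry=MAXRETRY):
    """Replay log lines through a fail2ban-like jail; return {ip: ban_time}.

    skew_seconds models how far the daemon's clock runs AHEAD of the clock
    that stamped the log. When the daemon reads a line it compares the line's
    timestamp with its own "now" and drops lines older than now - findtime
    (simplified model of fail2ban's rule; the real filter has more logic).
    """
    skew = timedelta(seconds=skew_seconds)
    window = timedelta(seconds=findtime)
    recent = {}   # ip -> timestamps of failures still inside findtime
    banned = {}   # ip -> time at which the ban would be issued
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if not m:
            continue                       # not an sshd failure line
        ts = parse_syslog_time(m["ts"])
        now = ts + skew                    # daemon's clock when it reads the line
        if ts < now - window:
            continue                       # looks stale to the daemon: ignored
        ip = m["ip"]
        if ip in banned:
            continue
        hits = [t for t in recent.get(ip, []) if t > ts - window] + [ts]
        recent[ip] = hits
        if len(hits) >= maxretry:
            banned[ip] = ts
    return banned


if __name__ == "__main__":
    for skew in (0, 2 * 3600):
        print(f"daemon clock ahead of the log by {skew:5d}s -> bans: "
              f"{simulate_jail(AUTH_LOG, skew)}")
```

With consistent clocks the third failure at 15:38:32 already bans 178.121.23.238, three attempts and an accepted password before the window even closes. With the daemon's clock two hours ahead of the log's, every line is older than findtime from the daemon's point of view and nothing is ever counted. The model only drops "too old" lines, so a skew in the other direction is not caught here; the fix the asker found, a consistent hardware and system clock followed by a reboot so that every daemon picks it up, removes the skew in either direction.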