Score:0

Fail2ban not blocking ssh attempts

cn flag

I have set up fail2ban to block failed ssh attempts. I checked the rule with fail2ban-regex and an extract from my logs, and this works fine.

I also checked the logs for the "Ban" notice and the IP in question and it's there:

zgrep 'Ban.*202.29.214.13' /var/log/fail2ban.log*
/var/log/fail2ban.log:2021-08-23 01:27:19,023 fail2ban.actions        [1460]: NOTICE  [sshd] Ban 202.29.214.13

However, my ssh / auth logs still show attempts from that IP after the timestamp in question:

Aug 23 01:27:23 myhost123 sshd[4526]: message repeated 2 times: [ Failed password for root from 202.29.214.13 port 47633 ssh2]
Aug 23 01:27:23 myhost123 sshd[4526]: error: maximum authentication attempts exceeded for root from 202.29.214.13 port 47633 ssh2 [preauth]
Aug 23 01:27:23 myhost123 sshd[4526]: Disconnecting authenticating user root 202.29.214.13 port 47633: Too many authentication failures [preauth]
Aug 23 01:27:31 myhost123 sshd[4533]: message repeated 2 times: [ Failed password for root from 202.29.214.13 port 50424 ssh2]
Aug 23 01:27:31 myhost123 sshd[4533]: error: maximum authentication attempts exceeded for root from 202.29.214.13 port 50424 ssh2 [preauth]
Aug 23 01:27:31 myhost123 sshd[4533]: Disconnecting authenticating user root 202.29.214.13 port 50424: Too many authentication failures [preauth]
Aug 23 01:27:39 myhost123 sshd[4535]: error: maximum authentication attempts exceeded for root from 202.29.214.13 port 53056 ssh2 [preauth]
Aug 23 01:27:39 myhost123 sshd[4535]: Disconnecting authenticating user root 202.29.214.13 port 53056: Too many authentication failures [preauth]
Aug 23 01:27:48 myhost123 sshd[4542]: error: maximum authentication attempts exceeded for root from 202.29.214.13 port 55901 ssh2 [preauth]
Aug 23 01:27:48 myhost123 sshd[4542]: Disconnecting authenticating user root 202.29.214.13 port 55901: Too many authentication failures [preauth]
Aug 23 01:27:55 myhost123 sshd[4551]: error: maximum authentication attempts exceeded for root from 202.29.214.13 port 58908 ssh2 [preauth]
Aug 23 01:27:55 myhost123 sshd[4551]: Disconnecting authenticating user root 202.29.214.13 port 58908: Too many authentication failures [preauth]
Aug 23 01:28:03 myhost123 sshd[4565]: error: maximum authentication attempts exceeded for root from 202.29.214.13 port 61129 ssh2 [preauth]
Aug 23 01:28:03 myhost123 sshd[4565]: Disconnecting authenticating user root 202.29.214.13 port 61129: Too many authentication failures [preauth]
Aug 23 01:28:23 myhost123 sshd[4577]: error: maximum authentication attempts exceeded for invalid user admin from 202.29.214.13 port 3511 ssh2 [preauth]
Aug 23 01:29:24 myhost123 sshd[4613]: error: maximum authentication attempts exceeded for invalid user oracle from 202.29.214.13 port 24149 ssh2 [preauth]
Aug 23 01:30:07 myhost123 sshd[4641]: error: maximum authentication attempts exceeded for invalid user usuario from 202.29.214.13 port 37311 ssh2 [preauth]
Aug 23 01:30:15 myhost123 sshd[4647]: error: maximum authentication attempts exceeded for invalid user usuario from 202.29.214.13 port 39486 ssh2 [preauth]
Aug 23 01:30:58 myhost123 sshd[4684]: error: maximum authentication attempts exceeded for invalid user test from 202.29.214.13 port 52882 ssh2 [preauth]
Aug 23 01:31:33 myhost123 sshd[4699]: error: maximum authentication attempts exceeded for invalid user user from 202.29.214.13 port 64849 ssh2 [preauth]

Should fail2ban not block all requests from that IP completely? Any hints on what to check appreciated.

jp flag
Dom
Check if "iptables -L -nv" returns something about f2b-ssh. Check the fail2ban logs around the ban log line: maybe there is an error when trying to put the iptables rule in place.
Score:0
cn flag

Thanks to Dom's hint: the iptables limit is the root cause of the issue.

Checking with:

grep "iptables: Memory allocation problem" /var/log/fail2ban.log

egrep "failcnt|numiptent" /proc/user_beancounters

It seems I cannot change the iptables limit, only my provider can.
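The two checks from the answer above, combined into one script. This is an added example, not part of the question or of fail2ban; the file paths are the real ones, but the sample file contents below are constructed (the user_beancounters layout follows the OpenVZ format, the error line is a made-up fail2ban log entry containing the message the answer greps for) so it runs offline.

```shell
#!/bin/sh
# Diagnose the OpenVZ numiptent limit as the reason fail2ban bans do nothing.
set -eu

# Print the failcnt column of the numiptent row of a user_beancounters file.
# Prints 0 when the row is absent (i.e. not running inside an OpenVZ container).
numiptent_failcnt() {
    awk '$1 == "numiptent" { print $NF; found = 1 } END { if (!found) print 0 }' "$1"
}

# Count fail2ban log lines that report the iptables allocation failure.
iptables_alloc_errors() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c "iptables: Memory allocation problem" "$1" || true
}

# Return 1 when both symptoms are present: the container limit is the root cause.
limit_hit() {
    if [ "$(numiptent_failcnt "$1")" -gt 0 ] && [ "$(iptables_alloc_errors "$2")" -gt 0 ]; then
        echo "numiptent limit reached: fail2ban bans are failing silently"
        return 1
    fi
    echo "no iptables entry limit problem detected"
    return 0
}

# --- constructed sample data (real paths would be /proc/user_beancounters
# --- and /var/log/fail2ban.log) ---
tmp=$(mktemp -d)
cat > "$tmp/user_beancounters" <<'EOF'
Version: 2.5
       uid  resource                     held              maxheld              barrier                limit              failcnt
      101:  kmemsize                  4096000              5120000             14372700             14790164                    0
            numiptent                     200                  200                  200                  200                   37
EOF
cat > "$tmp/user_beancounters.ok" <<'EOF'
Version: 2.5
       uid  resource                     held              maxheld              barrier                limit              failcnt
      101:  numiptent                      40                   52                  200                  200                    0
EOF
cat > "$tmp/fail2ban.log" <<'EOF'
2021-08-23 01:27:19,023 fail2ban.actions        [1460]: NOTICE  [sshd] Ban 202.29.214.13
2021-08-23 01:27:19,101 fail2ban.actions        [1460]: ERROR   [sshd] iptables: Memory allocation problem (constructed sample line)
EOF

limit_hit "$tmp/user_beancounters" "$tmp/fail2ban.log" \
    || echo "-> the limit cannot be raised from inside the container; ask the provider"
```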

Michael Hampton
cz flag
This is yet another problem with OpenVZ. It is recommended to avoid OpenVZ and use a VPS with true virtualization.
sebres
il flag
If your host's kernel supports `ipset` and you can use it over OpenVZ, you could switch to one of the iptables-ipset actions, so it creates only one iptables chain per jail and all the IPs go into `ipset` (which is much faster and hopefully isn't affected by such strict limits on your system as `iptables` is).