Score:0

fail2ban does not work for ssh except on port 22

Asked by itarill:

My fail2ban is not working for sshd except for the default port 22/tcp.

My old, working config in jail.local:

[sshd]
enabled  = true
port     = ssh

Tested fail2ban, did ban me after 3 failed attempts as intended.

I explicitly specified a different port afterwards in jail.local; the ssh tunnel works on the new port, but when I consciously err with a wrong ssh password I do not receive a ban after any number of attempts.

sshd.service, fail2ban.service already restarted, also tried rebooting.

I DO get the email message about being banned, however, I can still (successfully) attempt to log in.

Edit: This is the pastebin of fail2ban-client -d | grep 'ssh'

Chris:
*I explicitly specified a different port afterwards in jail.local* If you use a custom ssh port, you need to explicitly set it in your conf (ex. port = 12345), otherwise fail2ban will ban on the default ssh port (22).
itarill:
That is what I did. Hence my surprise.
itarill:
My ban time is 10 minutes - if I change the IP for sshd to 22 and start a new tunnel for port 22, it is also not banned.
sebix:
Without further information (shown configuration, logs, etc.) it is hard to guess what is wrong.
Score:0

Answer by sebres:

Something may not be correct in your configuration.

For example, the fail2ban default jail section for sshd is [sshd], whereas your example shows [ssh]. Do you have 2 jails? Or did you make some customization with your own jail or defaults (for instance, the default action is overwritten)?

To inspect it deeper you could show the dump of fail2ban (merged) configuration:

fail2ban-client -d | grep 'ssh'

The interesting values are those of actionstart (and actionban), and whether the port is interpolated in the action definitions.

Small hint: for customization (if you need to overwrite the action for some reason), either set the banaction only (it will be interpolated in the default action declaration):

[jail]
banaction = iptables-ipset-proto6

or use all parameters the action expects:

[jail]
action = iptables-ipset-proto6[port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]

Otherwise the action could use its default port (which may be indeed 22).

itarill:
You are right with the [ssh] vs [sshd] thing. It was a typo in the post on my end, the config file has it right. I added a pastebin with the fail2ban-client -d.
sebres:
See in the dump that the port is `ssh`: `<iptables> -I INPUT -p tcp -m multiport --dports ssh -j f2b-sshd'`. So either you still have other configs overwriting the port of the sshd jail (e. g. in `/etc/fail2ban/jail.d`; you can check which config files get included with `fail2ban-client -vvd`), or your `jail.local` is not in the right place (it must be in `/etc/fail2ban` directly), or your configs are still wrong (see my answer attentively, for instance the `action` of the jail is overwritten and the port specified in the jail is not supplied to the action).
itarill:
According to this pastebin of [fail2ban-client -vvd](https://pastebin.com/RhE44Mst) config should be fine, all ports are overwritten to 31222. My jail local was basically a copy of jail.conf copied to a jail.local in the same directory.
itarill:
I cleaned up my jail.local, there it is [in whole](https://pastebin.com/qsnAhGB8).
sebres:
There are still many entries duplicating the original jail.conf (which can be deleted), but... as regards the port, the jail.local seems to be alright. If I try a dump over your config with stock `/etc/fail2ban` with `fail2ban-client -d | grep 'dports'`, it shows pretty well the correct port for the `sshd` jail:
`['actionstart', '<iptables> -N f2b-sshd\n<iptables> -A f2b-sshd -j RETURN\n<iptables> -I INPUT -p tcp -m multiport --dports 31222 -j f2b-sshd'], ['actionban', '<iptables> -I f2b-sshd 1 -s <ip> -j <blocktype>']`. So please read attentively what I wrote above and check carefully the rest of the config.
sebres:
... and if your dump becomes correct (you'll see `--dports 31222`), don't forget to restart fail2ban (or at least the `sshd` jail).
itarill:
Thanks, it now works properly. I had to clean up my `jail.local` some more (previously it wouldn't work even though `dports` were showing correctly already in the dump). One more thing, my `action` and `banaction` are defined by `jail.conf`. When I had overridden one of them with `iptables-ipset-proto6` (per your comment) it would render the jail useless on all ports (incl. 22), even though `fail2ban-client status sshd` did show the ban. I cannot really tell what the differences are between them, where can I read up about it briefly? :)
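Putting the answer's two pieces of advice into a runnable form: the script below is an added example, not code from the thread or from fail2ban. It checks (1) which port a jail's `actionstart` really hands to iptables, parsed from a `fail2ban-client -d` dump in the shape the comments above quote (one `actionstart` entry per jail, iptables commands joined by a literal `\n`), and (2) whether a `jail.local` overrides `action =` for the jail without passing `port=`, which is the mistake the answer warns about. The function names (`dports_for_jail`, `action_missing_port`, `check_jail_port`) and the sample dump and config texts are mine and constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from fail2ban: two checks for the
# failure mode discussed above (jail set to a custom port, but the iptables
# action still opens port `ssh`/22). The dump and config samples at the bottom
# are constructed for this example in the shape the thread quotes.

# Print the --dports value that a jail's actionstart passes to iptables.
# Reads a `fail2ban-client -d` dump on stdin.
dports_for_jail() {
    jail="$1"
    # The dump keeps each action value on one line (newlines appear as a
    # literal \n), so one grep/sed pass is enough.
    grep "'actionstart'" | grep -- "-j f2b-$jail" \
        | sed -n 's/.*--dports \([^ ]*\) .*/\1/p' | head -n 1
}

# Exit 0 if jail.local (stdin) overrides `action =` inside [<jail>] without a
# port=... parameter, i.e. the port set in the jail never reaches the action.
# A `banaction =` line is deliberately not matched: it is interpolated into the
# stock action definition, port included.
action_missing_port() {
    jail="$1"
    awk -v jail="$jail" '
        /^\[/ { in_jail = ($0 == ("[" jail "]")) }
        in_jail && /^[ \t]*action[ \t]*=/ && $0 !~ /port=/ { found = 1 }
        END { exit (found ? 0 : 1) }
    '
}

# Exit 0 when the jail opens exactly the expected port (dump on stdin).
check_jail_port() {
    jail="$1"; expected="$2"
    [ "$(dports_for_jail "$jail")" = "$expected" ]
}

# --- constructed samples (not real output from the asker's host) -----------
BAD_DUMP=$(cat <<'EOF'
['set', 'sshd', 'action', 'iptables-multiport', 'actionstart', '<iptables> -N f2b-sshd\n<iptables> -A f2b-sshd -j RETURN\n<iptables> -I INPUT -p tcp -m multiport --dports ssh -j f2b-sshd']
EOF
)
GOOD_DUMP=$(cat <<'EOF'
['set', 'sshd', 'action', 'iptables-multiport', 'actionstart', '<iptables> -N f2b-sshd\n<iptables> -A f2b-sshd -j RETURN\n<iptables> -I INPUT -p tcp -m multiport --dports 31222 -j f2b-sshd']
EOF
)
BAD_JAIL_LOCAL=$(cat <<'EOF'
[DEFAULT]
bantime = 10m

[sshd]
enabled = true
port    = 31222
# port is set here, but this override drops the action's port parameter:
action  = iptables-ipset-proto6
EOF
)
GOOD_JAIL_LOCAL=$(cat <<'EOF'
[sshd]
enabled   = true
port      = 31222
# banaction is interpolated into the stock action declaration, port included
banaction = iptables-ipset-proto6
EOF
)

main() {
    printf 'bad dump opens:  %s\n' "$(printf '%s\n' "$BAD_DUMP"  | dports_for_jail sshd)"
    printf 'good dump opens: %s\n' "$(printf '%s\n' "$GOOD_DUMP" | dports_for_jail sshd)"
    if printf '%s\n' "$BAD_JAIL_LOCAL" | action_missing_port sshd; then
        echo "bad jail.local:  action override lacks port= (jail port is ignored)"
    fi
    if ! printf '%s\n' "$GOOD_JAIL_LOCAL" | action_missing_port sshd; then
        echo "good jail.local: ok"
    fi
}
main "$@"
```

On a real host the two checks are `fail2ban-client -d | dports_for_jail sshd` and `action_missing_port sshd < /etc/fail2ban/jail.local`; a result of `ssh` from the first, or exit status 0 from the second, is the misconfiguration this thread ends up diagnosing. After fixing it the jail still has to be restarted, as the last comments note.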