Score:1

fail2ban ssh not banning any IP


I started the fail2ban service with sudo systemctl restart fail2ban.service, and it started successfully. But my SSH attempts with the wrong password from remote PCs are not being blocked; there is no IP listed in the Banned IP list.

  • It works only with fail2ban-client set sshd banip <remote_pc_IP>
  • The Banned IP list is not updating according to the maxretry attempts

/etc/fail2ban/jail.local

[DEFAULT]
default_backend = auto

[sshd]
enabled = true
mode = aggressive
port = ssh
filter = sshd
# I added the logpath below since "No file(s) found for glob /var/log/auth.log"
# the file below is the only one giving the ssh connection log
logpath = /var/volatile/log/messages
maxretry = 1
#backend = systemd
  • backend commented out since no sshd log was found in the journal

sudo tail -f /var/volatile/log/messages | grep "172.16.0."

Apr 11 13:27:25  auth.info sshd[1873]: Failed password for guest from 172.16.0.80 port 60486 ssh2
Apr 11 13:27:25  auth.info sshd[1873]: Failed password for guest from 172.16.0.80 port 60486 ssh2
Apr 11 13:27:25  auth.info sshd[1873]: Connection closed by authenticating user guest 172.16.0.80 port 60486 [preauth]

fail2ban-client status sshd

Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:        /var/volatile/log/messages
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:   

/var/log/fail2ban.log

2023-04-11 12:54:15,500 fail2ban.server         [692]: INFO    Starting Fail2ban v0.10.3.fix1
2023-04-11 12:54:15,516 fail2ban.database       [692]: INFO    Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2023-04-11 12:54:15,525 fail2ban.jail           [692]: INFO    Creating new jail 'sshd'
2023-04-11 12:54:15,574 fail2ban.jail           [692]: INFO    Jail 'sshd' uses pyinotify {}
2023-04-11 12:54:15,586 fail2ban.jail           [692]: INFO    Initiated 'pyinotify' backend
2023-04-11 12:54:15,589 fail2ban.filter         [692]: INFO      maxLines: 1
2023-04-11 12:54:15,756 fail2ban.server         [692]: INFO    Jail sshd is not a JournalFilter instance
2023-04-11 12:54:15,761 fail2ban.filter         [692]: INFO    Added logfile: '/var/volatile/log/messages' (pos = 0, hash = 133455cd694ec2584c1defa33b1d1eef)
2023-04-11 12:54:15,780 fail2ban.filter         [692]: INFO      maxRetry: 1
2023-04-11 12:54:15,782 fail2ban.filter         [692]: INFO      encoding: ANSI_X3.4-1968
2023-04-11 12:54:15,783 fail2ban.actions        [692]: INFO      banTime: 600
2023-04-11 12:54:15,786 fail2ban.filter         [692]: INFO      findtime: 600
2023-04-11 12:54:15,800 fail2ban.jail           [692]: INFO    Jail 'sshd' started
paladin:
You also need to set a `bantime` and a `findtime`, for how long an IP is banned once `maxretry` failures were found within `findtime`. -> https://linuxhint.com/change-ban-time-fail2ban/
Score:0

This issue was resolved by disabling the syslog from the busybox component and enabling only the journal log. All the SSH attempt logs now hit the journal, leading to successful fail2ban tracking.
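As an added illustration (not code from the question, the answer, or fail2ban itself), the Python below applies the jail's counting rule, with maxretry = 1 and findtime = 600 as the question's fail2ban.log reports them, to the busybox-format lines quoted in the question. The two regexes and the year 2023 are this example's own assumptions; it shows that once such lines actually reach the filter, the very first failure from 172.16.0.80 is already enough to trigger a ban, so the empty "Total failed" counter points at the log source rather than the thresholds.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the busybox syslogd lines quoted in the question. The
# "auth.info" facility.level field sits where a hostname normally would.
SAMPLE_LOG = """\
Apr 11 13:27:25  auth.info sshd[1873]: Failed password for guest from 172.16.0.80 port 60486 ssh2
Apr 11 13:27:25  auth.info sshd[1873]: Failed password for guest from 172.16.0.80 port 60486 ssh2
Apr 11 13:27:25  auth.info sshd[1873]: Connection closed by authenticating user guest 172.16.0.80 port 60486 [preauth]
"""

# Jail parameters as the question's fail2ban.log reports them.
MAXRETRY = 1
FINDTIME = 600  # seconds

# Timestamp, one non-space token (hostname, or busybox's facility.level), then sshd[pid]:
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2})\s+\S+\s+sshd\[\d+\]: (?P<msg>.*)$"
)
# A "Failed password" pattern in the spirit of the sshd filter (fail2ban's own has more).
FAIL_RE = re.compile(r"^Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+ ssh2$")


def parse_failures(text, year=2023):
    """Return [(epoch_seconds, ip)] for every line that matches the failure pattern."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # prefix mismatch: the filter never gets to the message
        f = FAIL_RE.match(m.group("msg"))
        if not f:
            continue  # e.g. "Connection closed": not a failure for this pattern
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        out.append((ts.timestamp(), f.group("ip")))
    return out


def evaluate_jail(text, maxretry=MAXRETRY, findtime=FINDTIME):
    """Ban an IP once it has >= maxretry failures inside a sliding findtime
    window. Returns (total failures per IP, set of banned IPs)."""
    window, total, banned = defaultdict(list), defaultdict(int), set()
    for when, ip in parse_failures(text):
        total[ip] += 1
        window[ip] = [t for t in window[ip] if when - t <= findtime] + [when]
        if len(window[ip]) >= maxretry:
            banned.add(ip)
    return dict(total), banned
```

Calling evaluate_jail(SAMPLE_LOG) returns ({'172.16.0.80': 2}, {'172.16.0.80'}); raising maxretry to 3 keeps the count but empties the banned set, which is the behaviour the real jail would show against the same lines.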
