I have configured SSH on port 2122 with pubkey-only authentication. It is secured, but I want more: banning the lamers who try to brute-force the auth.
My fail2ban configuration, jail.local:
[INCLUDES]
before = paths-slackware.conf
[DEFAULT]
ignoreip = 127.0.0.1/8
ignorecommand =
bantime = 10800
findtime = 600
maxretry = 3
backend = auto
usedns = warn
logencoding = auto
enabled = true
filter = %(__name__)s
destemail = root@localhost
sender = root@localhost
mta = mail
protocol = tcp
chain = INPUT
port = 0:65535
fail2ban_agent = Fail2Ban/%(fail2ban_version)s
banaction = iptables-multiport
banaction_allports = iptables-allports
action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
action_mw = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
            %(mta)s-whois[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
             %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
action_xarf = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
              xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"]
action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
                %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
action_blocklist_de = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"]
action_badips = badips.py[category="%(__name__)s", banaction="%(banaction)s", agent="%(fail2ban_agent)s"]
action_badips_report = badips[category="%(__name__)s", agent="%(fail2ban_agent)s"]
action = %(action_)s
[ssh]
enabled = true
port = 22
filter = sshd
logpath = /var/log/messages
maxretry = 3
findtime = 10800
bantime = 21600
[apache]
enabled = true
port = http,https
filter = apache-auth
logpath = /var/chroothttp/var/log/httpd/error_log
maxretry = 3
findtime = 10800
bantime = 21600
Apache is working perfectly: I have tried some bad logins and it bans the IPs. But SSH tries and retries... no ban!
If SSH is not running on port 22, there will not be failed login attempts logged into /var/log/messages, and therefore Fail2Ban has no information on which IP addresses to ban. However, since you don't have any service running on port 22, you don't actually need banning.
If you're running ssh on a non-standard port, you need to update your fail2ban config to pay attention to that port, not just the named service (because it assumes the named service is running on its standard port).
Quoting from another answer:
Then restart fail2ban.
ATM the solution is: fail2ban does not ban if pubkey-only auth is enabled. If someone finds another solution... reply.
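The port fix suggested in the answer above, together with the filter mode that covers the pubkey-only case noted in the follow-up, as an added jail.local fragment that is not part of any post on this page (it assumes the SSH port 2122 and logpath from the question, and fail2ban 0.10 or newer for the sshd filter's mode parameter):

```ini
# Weak version from the question, kept here commented out for comparison.
# The jail's port only tells the ban action (iptables-multiport) which port
# to block; detection is driven by logpath + filter. With port = 22 a ban
# is created for a port sshd does not listen on, so attempts on 2122
# continue.
#[ssh]
#enabled  = true
#port     = 22
#filter   = sshd
#logpath  = /var/log/messages

# Corrected version: block the port sshd actually listens on.
[ssh]
enabled  = true
port     = 2122
# Assumption: fail2ban >= 0.10. With pubkey-only auth, sshd never logs
# "Failed password"; it logs pre-auth disconnects for the rejected
# connection, which only the ddos/aggressive patterns of the sshd filter
# match, so plain mode sees nothing to ban.
filter   = sshd[mode=aggressive]
logpath  = /var/log/messages
maxretry = 3
findtime = 10800
bantime  = 21600
```

Before restarting, confirm the filter actually matches the lines sshd writes with `fail2ban-regex /var/log/messages sshd` (add `--filter-arg mode=aggressive` if your version supports it, or test the jail after reload with `fail2ban-client status ssh`).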