I noticed something strange on my Ubuntu Xenial server.
It has SSH on the default port and it has fail2ban.
Fail2ban is detecting brute force attempts on the server and are logged accordingly:
2017-01-12 10:58:19,927 fail2ban.filter [23119]: INFO [sshd] Found x.x.x.x
2017-01-12 11:03:27,808 fail2ban.filter [23119]: INFO [sshd] Found x.x.x.x
2017-01-12 11:08:37,936 fail2ban.filter [23119]: INFO [sshd] Found x.x.x.x
2017-01-12 11:13:51,538 fail2ban.filter [23119]: INFO [sshd] Found x.x.x.x
2017-01-12 11:18:57,939 fail2ban.filter [23119]: INFO [sshd] Found x.x.x.x
2017-01-12 11:24:10,399 fail2ban.filter [23119]: INFO [sshd] Found x.x.x.x
2017-01-12 11:29:23,161 fail2ban.filter [23119]: INFO [sshd] Found x.x.x.x
2017-01-12 11:34:34,064 fail2ban.filter [23119]: INFO [sshd] Found x.x.x.x
2017-01-12 11:39:44,540 fail2ban.filter [23119]: INFO [sshd] Found x.x.x.x
x.x.x.x is the same IP in all instances, and this guy is just phishing random usernames, as seen in auth.log:
Jan 12 12:05:46 MYSERVER sshd[23579]: Invalid user journalist from x.x.x.x
Jan 12 12:05:46 MYSERVER sshd[23579]: input_userauth_request: invalid user journalist [preauth]
Jan 12 12:05:46 MYSERVER sshd[23579]: Received disconnect from x.x.x.x port 47995:11: Normal Shutdown, Thank you for playing [preauth]
Jan 12 12:05:46 MYSERVER sshd[23579]: Disconnected from x.x.x.x port 47995 [preauth]
Fail2ban sees them, he list them as "Found", but not banning. Any ideas?
Edit:
cat /etc/fail2ban/jail.d/myjails.local
[apache-auth]
enabled = true
[sshd-ddos]
enabled = true
[recidive]
enabled = true
[dovecot]
enabled = true
[postfix]
enabled=true
The remaining config files are left as is according to the sane defaults from Ubuntu, namely /etc/fail2ban/jail.conf
has:
[sshd]
port = ssh
logpath = %(sshd_log)s
[sshd-ddos]
# This jail corresponds to the standard configuration in Fail2ban.
# The mail-whois action send a notification e-mail with a whois request
# in the body.
port = ssh
logpath = %(sshd_log)s
and we have:
cat /etc/fail2ban/jail.d/defaults-debian.conf
[sshd]
enabled = true
Fail2ban appears to be rightfully not banning anyone - Your provided log does not show anyone exceeding the default limits that Ubuntu xenial ships with fail2ban.
Look in your
/etc/fail2ban/jail.conf
, in the[DEFAULT]
section there are the parametersfindtime
(default 600 seconds, so 10 minutes) andmaxretry
(default 5 times, within that find window). Meaning that someone who is trying just a few password an hour will simply not trigger it.Note that you dont need to change this file (and should not, to be able to cleanly upgrade it). You can put the [DEFAULT] block into your
/etc/fail2ban/jail.d/myjails.local
, aswell:jail.conf
it actually gives some hints about how and why.