
Below is the output of the fail2ban log. Nothing more shows up, but in auth.log I see hundreds of failures for root user login (someone is bad ass brute forcing).

2011-07-06 01:48:16,249 fail2ban.server : INFO   Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.3
2011-07-06 01:48:16,250 fail2ban.jail   : INFO   Creating new jail 'ssh'
2011-07-06 01:48:16,250 fail2ban.jail   : INFO   Jail 'ssh' uses poller
2011-07-06 01:48:16,251 fail2ban.filter : INFO   Added logfile = /var/log/auth.log
2011-07-06 01:48:16,252 fail2ban.filter : INFO   Set maxRetry = 3
2011-07-06 01:48:16,253 fail2ban.filter : INFO   Set findtime = 600
2011-07-06 01:48:16,253 fail2ban.actions: INFO   Set banTime = 600
2011-07-06 01:48:16,329 fail2ban.jail   : INFO   Jail 'ssh' started

Why isn't it blocking them? I haven't changed anything in the configuration (except maxRetry) - I just installed it on my Linux Debian Lenny and it started, but it isn't blocking anyone. :/
What could I do to fix this?

I can share some of the attacks:

Jul  6 01:02:24 tornado sshd[19768]: Failed password for root from 200.63.212.41 port 43457 ssh2
Jul  6 01:02:26 tornado sshd[19771]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=www.gamavision.com  user=root
Jul  6 01:02:27 tornado sshd[19771]: Failed password for root from 200.63.212.41 port 43565 ssh2
Jul  6 01:02:29 tornado sshd[19773]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=www.gamavision.com  user=root
Jul  6 01:02:31 tornado sshd[19773]: Failed password for root from 200.63.212.41 port 43662 ssh2
Jul  6 01:02:32 tornado sshd[19775]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=www.gamavision.com  user=root

By the way, does it change something that server time is 1 hour off as I see? ;D

Edit:

Status for the jail: ssh
|- filter
|  |- File list:        /var/log/auth.log
|  |- Currently failed: 0
|  `- Total failed:     0
`- action
   |- Currently banned: 0
   |  `- IP list:
   `- Total banned:     0

Before I had installed fail2ban in auth.log I noticed such lines:

reverse mapping checking getaddrinfo for server1.intensevps.com [94.75.242.39] failed - POSSIBLE BREAK-IN ATTEMPT!

Could it be that fail2ban is conflicting with something else? I just don't know what it is that detected the possible break-in. Now it doesn't detect anything since fail2ban was installed.

Rihards

3 Answers

I had exactly the same problem. Actually, the time was not in sync.

dpkg-reconfigure tzdata
cp /usr/share/zoneinfo/Europe/Paris /etc/localtime
vim /etc/rsyslog.conf
#see all messages
$RepeatedMsgReduction off
service rsyslog restart
Kenton
  • Can you clarify what is happening here? It is unclear to me how this is related. . . – meawoppl Jul 16 '13 at 16:58
  • Setting '$RepeatedMsgReduction off' is what does the magic. If it was on, that changes the format of /var/log/auth.log (or wherever login failures are logged on your system), which messes up fail2ban. See [this](https://stackoverflow.com/questions/20542758/rsyslog-conditional-repeatedmsgreduction) for how to turn off RepeatedMsgReduction only for auth logging. – Alexander Garden Apr 10 '14 at 04:16
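As an added illustration (not code from the question or from any answer, and not fail2ban's own implementation), the following Python script models the two things this thread turns on: a jail only counts a log line if its failregex matches, and only if the parsed timestamp falls within findtime of fail2ban's own clock. The auth.log lines, the IP addresses and the simplified FAILREGEX are constructed for the example, and evaluate_jail is a hypothetical helper rather than a fail2ban API.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of /var/log/auth.log lines (not taken from the question).
# Syslog timestamps carry no year. The last line is what rsyslog writes when
# $RepeatedMsgReduction is on: five identical failures collapsed into one
# summary line that no sshd failregex will ever match.
SAMPLE_AUTH_LOG = """\
Jul  6 01:02:24 tornado sshd[19768]: Failed password for root from 203.0.113.7 port 43457 ssh2
Jul  6 01:02:27 tornado sshd[19771]: Failed password for root from 203.0.113.7 port 43565 ssh2
Jul  6 01:02:31 tornado sshd[19773]: Failed password for root from 203.0.113.7 port 43662 ssh2
Jul  6 01:02:35 tornado sshd[19775]: Failed password for root from 203.0.113.7 port 43701 ssh2
Jul  6 01:03:10 tornado sshd[19780]: Failed password for root from 198.51.100.9 port 50001 ssh2
Jul  6 01:03:12 tornado last message repeated 5 times
"""

# Simplified stand-in for the stock sshd failregex (an assumption of this
# example): the syslog timestamp is captured as <ts>, the remote host as <host>.
FAILREGEX = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for .* from (?P<host>\S+) port \d+ ssh2$"
)


def evaluate_jail(log_text, now, year=2011, maxretry=3, findtime=600):
    """Model a fail2ban jail evaluated at wall-clock time `now`
    (a datetime or an ISO 8601 string).

    Returns (banned_hosts, unmatched_lines). A line counts as a failure only
    when the regex matches AND its timestamp lies within `findtime` seconds
    before `now`. fail2ban 0.8 drops lines older than findtime before it
    counts them, which is consistent with the "Total failed: 0" status shown
    in the question even though auth.log is full of failures.
    """
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    window_start = now - timedelta(seconds=findtime)
    failures = defaultdict(int)
    unmatched = []
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if not m:
            unmatched.append(line)  # e.g. the "last message repeated" summary
            continue
        # Syslog dates have no year, so one has to be supplied before comparing.
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
        if window_start <= ts <= now:
            failures[m.group("host")] += 1
    banned = {host for host, n in failures.items() if n >= maxretry}
    return banned, unmatched


if __name__ == "__main__":
    # Clock in sync with the log: the brute-forcing host exceeds maxretry.
    print("in sync   :", evaluate_jail(SAMPLE_AUTH_LOG, "2011-07-06T01:05:00"))
    # fail2ban's clock one hour ahead of the log timestamps, as a timezone
    # mismatch produces: every line is older than findtime and nothing counts.
    print("1h skewed :", evaluate_jail(SAMPLE_AUTH_LOG, "2011-07-06T02:05:00"))
```

Run it as-is to see both outcomes. With the clock in sync, 203.0.113.7 has four matching failures inside the 600-second window and is banned, while the collapsed "last message repeated 5 times" line is returned as unmatched, so the five failures it stands for are simply lost to the jail. With the clock one hour ahead, the same lines are all older than findtime and no host is ever banned, which is the behaviour the question describes.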

You need to enable fail2ban for it to work right. Just run "service fail2ban start".

Al Katawazi

Try with the "logpath" set as "/var/log/secure".

Max