3

This question is almost same problem like mine but accepted answer doesn't solve my issues

In Fail2Ban, How to Change the SSH port number?

SSH on port 22 everything works great. After 5 attempts fail2ban reads from logs and bans my ip for 600 seconds. And here is fail2ban log

2013-07-10 11:54:08,522 fail2ban.actions: WARNING [ssh-iptables] Ban 192.168.162.191
2013-07-10 12:04:09,348 fail2ban.actions: WARNING [ssh-iptables] Unban 192.168.162.191

My iptables, fail2ban has port 22

Chain INPUT (policy ACCEPT 1591 packets, 165K bytes)
 pkts bytes target     prot opt in     out     source               destination
   44  5292 fail2ban-SSH  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 181 packets, 71152 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain fail2ban-SSH (1 references)
 pkts bytes target     prot opt in     out     source               destination
   35  4836 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

I change SSH port to let say 12345 by editing ssh config

vi /etc/ssh/sshd_config
service sshd restart

Now ssh works on port 12345 not 22, totally fine

Logs show my failed login attempts properly

After 5 attempts fail2ban log file displays ban

2013-07-10 11:37:33,124 fail2ban.actions: WARNING [ssh-iptables] Ban 192.168.162.191

PROBLEM IS

But it never bans me from SSH port 12345, I can still access ssh and login

I believe this is because iptables has rule for fail2ban on port 22 but not sure how to edit it. Because if I restart fail2ban it adds it's own rule again with port 22

EDIT 1:

jail.conf

# Fail2Ban jail specifications file
#
# Comments: use '#' for comment lines and ';' (following a space) for inline comments
#
# Changes:  in most of the cases you should not modify this
#           file, but provide customizations in jail.local file, e.g.:
#
# [DEFAULT]
# bantime = 3600
#
# [ssh-iptables]
# enabled = true
#

# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1/8

# "bantime" is the number of seconds that a host is banned.
bantime  = 600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 600

# "maxretry" is the number of failures before a host get banned.
maxretry = 3

# "backend" specifies the backend used to get files modification.
# Available options are "pyinotify", "gamin", "polling" and "auto".
# This option can be overridden in each jail as well.
#
# pyinotify: requires pyinotify (a file alteration monitor) to be installed.
#              If pyinotify is not installed, Fail2ban will use auto.
# gamin:     requires Gamin (a file alteration monitor) to be installed.
#              If Gamin is not installed, Fail2ban will use auto.
# polling:   uses a polling algorithm which does not require external libraries.
# auto:      will try to use the following backends, in order:
#              pyinotify, gamin, polling.
backend = auto

# "usedns" specifies if jails should trust hostnames in logs,
#   warn when DNS lookups are performed, or ignore all hostnames in logs
#
# yes:   if a hostname is encountered, a DNS lookup will be performed.
# warn:  if a hostname is encountered, a DNS lookup will be performed,
#        but it will be logged as a warning.
# no:    if a hostname is encountered, will not be used for banning,
#        but it will be logged as info.
usedns = warn


# This jail corresponds to the standard configuration in Fail2ban 0.6.
# The mail-whois action send a notification e-mail with a whois request
# in the body.

[ssh-iptables]

enabled  = true
filter   = sshd
port     = ssh #TRIED TO PUT HERE 12345 port number but problem persists
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=root, sender=fail2ban@example.com]
logpath  = /var/log/secure
maxretry = 5

[proftpd-iptables]

enabled  = false
filter   = proftpd
action   = iptables[name=ProFTPD, port=ftp, protocol=tcp]
           sendmail-whois[name=ProFTPD, dest=you@example.com]
logpath  = /var/log/proftpd/proftpd.log
maxretry = 6

# This jail forces the backend to "polling".

[sasl-iptables]

enabled  = false
filter   = sasl
backend  = polling
action   = iptables[name=sasl, port=smtp, protocol=tcp]
           sendmail-whois[name=sasl, dest=you@example.com]
logpath  = /var/log/mail.log

# ASSP SMTP Proxy Jail
[assp]
enabled  = false
filter   = assp
action = iptables-multiport[name=assp,port="25,465,587"]
logpath  = /root/path/to/assp/logs/maillog.txt

# Here we use TCP-Wrappers instead of Netfilter/Iptables. "ignoreregex" is
# used to avoid banning the user "myuser".

[ssh-tcpwrapper]

enabled     = false
filter      = sshd
action      = hostsdeny
              sendmail-whois[name=SSH, dest=you@example.com]
ignoreregex = for myuser from
logpath     = /var/log/sshd.log

# Here we use blackhole routes for not requiring any additional kernel support
# to store large volumes of banned IPs

[ssh-route]

enabled = false
filter = sshd
action = route
logpath = /var/log/sshd.log
maxretry = 5

# Here we use a combination of Netfilter/Iptables and IPsets
# for storing large volumes of banned IPs
#
# IPset comes in two versions. See ipset -V for which one to use
# requires the ipset package and kernel support.
[ssh-iptables-ipset4]

enabled  = false
filter   = sshd
action   = iptables-ipset-proto4[name=SSH, port=ssh, protocol=tcp]
logpath  = /var/log/sshd.log
maxretry = 5

[ssh-iptables-ipset6]
enabled  = false
filter   = sshd
action   = iptables-ipset-proto6[name=SSH, port=ssh, protocol=tcp, bantime=600]
logpath  = /var/log/sshd.log
maxretry = 5

# bsd-ipfw is ipfw used by BSD. It uses ipfw tables.
# table number must be unique.
# 
# This will create a deny rule for that table ONLY if a rule 
# for the table doesn't ready exist.
#
[ssh-bsd-ipfw]
enabled  = false
filter   = sshd
action   = bsd-ipfw[port=ssh,table=1]
logpath  = /var/log/auth.log
maxretry = 5

# This jail demonstrates the use of wildcards in "logpath".
# Moreover, it is possible to give other files on a new line.

[apache-tcpwrapper]

enabled  = false
filter   = apache-auth
action   = hostsdeny
logpath  = /var/log/apache*/*error.log
           /home/www/myhomepage/error.log
maxretry = 6

# The hosts.deny path can be defined with the "file" argument if it is
# not in /etc.

[postfix-tcpwrapper]

enabled  = false
filter   = postfix
action   = hostsdeny[file=/not/a/standard/path/hosts.deny]
           sendmail[name=Postfix, dest=you@example.com]
logpath  = /var/log/postfix.log
bantime  = 300

# Do not ban anybody. Just report information about the remote host.
# A notification is sent at most every 600 seconds (bantime).

[vsftpd-notification]

enabled  = false
filter   = vsftpd
action   = sendmail-whois[name=VSFTPD, dest=you@example.com]
logpath  = /var/log/vsftpd.log
maxretry = 5
bantime  = 1800

# Same as above but with banning the IP address.

[vsftpd-iptables]

enabled  = false
filter   = vsftpd
action   = iptables[name=VSFTPD, port=ftp, protocol=tcp]
           sendmail-whois[name=VSFTPD, dest=you@example.com]
logpath  = /var/log/vsftpd.log
maxretry = 5
bantime  = 1800

# Ban hosts which agent identifies spammer robots crawling the web
# for email addresses. The mail outputs are buffered.

[apache-badbots]

enabled  = false
filter   = apache-badbots
action   = iptables-multiport[name=BadBots, port="http,https"]
           sendmail-buffered[name=BadBots, lines=5, dest=you@example.com]
logpath  = /var/www/*/logs/access_log
bantime  = 172800
maxretry = 1

# Use shorewall instead of iptables.

[apache-shorewall]

enabled  = false
filter   = apache-noscript
action   = shorewall
           sendmail[name=Postfix, dest=you@example.com]
logpath  = /var/log/apache2/error_log

# Monitor roundcube server

[roundcube-iptables]

enabled  = false
filter   = roundcube-auth
action   = iptables[name=RoundCube, port="http,https"]
logpath  = /var/log/roundcube/userlogins


# Monitor SOGo groupware server

[sogo-iptables]

enabled  = false
filter   = sogo-auth
# without proxy this would be:
# port    = 20000
action   = iptables[name=SOGo, port="http,https"]
logpath  = /var/log/sogo/sogo.log

# Ban attackers that try to use PHP's URL-fopen() functionality
# through GET/POST variables. - Experimental, with more than a year
# of usage in production environments.

[php-url-fopen]

enabled = false
action  = iptables[name=php-url-open, port="http,https"]
filter  = php-url-fopen
logpath = /var/www/*/logs/access_log
maxretry = 1

# A simple PHP-fastcgi jail which works with lighttpd.
# If you run a lighttpd server, then you probably will
# find these kinds of messages in your error_log:
# ALERT – tried to register forbidden variable ‘GLOBALS’
# through GET variables (attacker '1.2.3.4', file '/var/www/default/htdocs/index.php')
# This jail would block the IP 1.2.3.4.

[lighttpd-fastcgi]

enabled = false
filter  = lighttpd-fastcgi
action  = iptables[name=lighttpd-fastcgi, port="http,https"]
# adapt the following two items as needed
logpath = /var/log/lighttpd/error.log
maxretry = 2

# Same as above for mod_auth
# It catches wrong authentications

[lighttpd-auth]

enabled = false
filter  = lighttpd-auth
action  = iptables[name=lighttpd-auth, port="http,https"]
# adapt the following two items as needed
logpath = /var/log/lighttpd/error.log
maxretry = 2

# This jail uses ipfw, the standard firewall on FreeBSD. The "ignoreip"
# option is overridden in this jail. Moreover, the action "mail-whois" defines
# the variable "name" which contains a comma using "". The characters '' are
# valid too.

[ssh-ipfw]

enabled  = false
filter   = sshd
action   = ipfw[localhost=192.168.0.1]
           sendmail-whois[name="SSH,IPFW", dest=you@example.com]
logpath  = /var/log/auth.log
ignoreip = 168.192.0.1

# These jails block attacks against named (bind9). By default, logging is off
# with bind9 installation. You will need something like this:
#
# logging {
#     channel security_file {
#         file "/var/log/named/security.log" versions 3 size 30m;
#         severity dynamic;
#         print-time yes;
#     };
#     category security {
#         security_file;
#     };
# };
#
# in your named.conf to provide proper logging.
# This jail blocks UDP traffic for DNS requests.

# !!! WARNING !!!
#   Since UDP is connection-less protocol, spoofing of IP and imitation
#   of illegal actions is way too simple.  Thus enabling of this filter
#   might provide an easy way for implementing a DoS against a chosen
#   victim. See
#    http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
#   Please DO NOT USE this jail unless you know what you are doing.
#
# [named-refused-udp]
#
# enabled  = false
# filter   = named-refused
# action   = iptables-multiport[name=Named, port="domain,953", protocol=udp]
#            sendmail-whois[name=Named, dest=you@example.com]
# logpath  = /var/log/named/security.log
# ignoreip = 168.192.0.1

# This jail blocks TCP traffic for DNS requests.

[named-refused-tcp]

enabled  = false
filter   = named-refused
action   = iptables-multiport[name=Named, port="domain,953", protocol=tcp]
           sendmail-whois[name=Named, dest=you@example.com]
logpath  = /var/log/named/security.log
ignoreip = 168.192.0.1

# Multiple jails, 1 per protocol, are necessary ATM:
# see https://github.com/fail2ban/fail2ban/issues/37
[asterisk-tcp]

enabled  = false
filter   = asterisk
action   = iptables-multiport[name=asterisk-tcp, port="5060,5061", protocol=tcp]
           sendmail-whois[name=Asterisk, dest=you@example.com, sender=fail2ban@example.com]
logpath  = /var/log/asterisk/messages
maxretry = 10

[asterisk-udp]

enabled  = false
filter   = asterisk
action   = iptables-multiport[name=asterisk-udp, port="5060,5061", protocol=udp]
           sendmail-whois[name=Asterisk, dest=you@example.com, sender=fail2ban@example.com]
logpath  = /var/log/asterisk/messages
maxretry = 10

# To log wrong MySQL access attempts add to /etc/my.cnf:
# log-error=/var/log/mysqld.log
# log-warning = 2
[mysqld-iptables]

enabled  = false
filter   = mysqld-auth
action   = iptables[name=mysql, port=3306, protocol=tcp]
           sendmail-whois[name=MySQL, dest=root, sender=fail2ban@example.com]
logpath  = /var/log/mysqld.log
maxretry = 5


# Jail for more extended banning of persistent abusers
# !!! WARNING !!!
#   Make sure that your loglevel specified in fail2ban.conf/.local
#   is not at DEBUG level -- which might then cause fail2ban to fall into
#   an infinite loop constantly feeding itself with non-informative lines
[recidive]

enabled  = false
filter   = recidive
logpath  = /var/log/fail2ban.log
action   = iptables-allports[name=recidive]
           sendmail-whois-lines[name=recidive, logpath=/var/log/fail2ban.log]
bantime  = 604800  ; 1 week
findtime = 86400   ; 1 day
maxretry = 5

# PF is a BSD based firewall
[ssh-pf]

enabled=false
filter = sshd
action = pf
logpath  = /var/log/sshd.log
maxretry=5
Ergec
  • 578
  • 1
  • 7
  • 25
  • Could you please show us your jail configuration? – quanta Jul 10 '13 at 09:30
  • ok added conf file – Ergec Jul 10 '13 at 09:38
  • @Ergec you have to modify the standard ssh port found in /etc/services You have there ssh 22/tcp Change the port that suits your needs. – Valentin Bajrami Jul 10 '13 at 09:42
  • @val0x00ff add you comment as answer because that was exactly what I need. I'll accept your answer. Seems fail2ban uses ports in /etc/services to create iptables rules. Thanks a lot. – Ergec Jul 10 '13 at 09:54
  • 1
    @Ergec, No problem. Though specifying the port as 12345 in the `action` section.. would also work since you are hardcoding the port. `port=ssh` was ofcourse mapped to port 22. – Valentin Bajrami Jul 10 '13 at 10:02
  • Ok seems I have two correct answers from @quanta and val0x00ff and both solve my problem. But I'll pick val0x00ff because it seems like a more global fix. Correct me if I'm wrong. – Ergec Jul 10 '13 at 10:04

3 Answers3

5

You have to change the default port in the action line, something like this:

[ssh-iptables]

enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=12345, protocol=tcp]
           sendmail-whois[name=SSH, dest=root, sender=fail2ban@example.com]
logpath  = /var/log/secure
maxretry = 5

Don't forget to restart the fail2ban after that.

quanta
  • 50,327
  • 19
  • 152
  • 213
4

Copy paste from my /etc/fail2ban/jail.local Works fine and let me change on one place for both TCP/22 and TCP/2222

[ssh]
enabled = true
port = ssh,2222
filter = sshd
logpath = /var/log/auth.log
maxretry = 4
norrland
  • 103
  • 9
2

Since you are using ssh as port name it is going to search on /etc/services file and map the name ssh to the associated port which is 22

You can simply modify the /etc/services file and change port 22/tcp to whatever you like.

Save changes and you are done!

Valentin Bajrami
  • 3,870
  • 1
  • 17
  • 25