
I have configured SSH on port 2122 with pubkey-only authentication. It is secured, but I want more: banning the lamers who try brute-force auth.

My configuration of fail2ban

jail.local

[INCLUDES]
before = paths-slackware.conf

[DEFAULT]
ignoreip = 127.0.0.1/8
ignorecommand =
bantime  = 10800
findtime  = 600
maxretry = 3
backend = auto
usedns = warn
logencoding = auto
enabled = true
filter = %(__name__)s
destemail = root@localhost
sender = root@localhost
mta = mail
protocol = tcp
chain = INPUT
port = 0:65535
fail2ban_agent = Fail2Ban/%(fail2ban_version)s
banaction = iptables-multiport
banaction_allports = iptables-allports
action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
action_mw = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
            %(mta)s-whois[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
             %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
action_xarf = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
             xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"]
action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
                %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
action_blocklist_de  = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"]
action_badips = badips.py[category="%(__name__)s", banaction="%(banaction)s", agent="%(fail2ban_agent)s"]
action_badips_report = badips[category="%(__name__)s", agent="%(fail2ban_agent)s"]
action = %(action_)s

[ssh]
enabled  = true
port     = 22
filter   = sshd
logpath  = /var/log/messages
maxretry = 3
findtime = 10800
bantime = 21600

[apache]
enabled  = true
port     = http,https
filter   = apache-auth
logpath  = /var/chroothttp/var/log/httpd/error_log
maxretry = 3
findtime = 10800
bantime = 21600

Apache is working perfectly: I have tried some bad logins and it bans the IPs. But with SSH I try and retry... no ban!

elbarna

3 Answers


If SSH is not running on port 22, there will not be failed login attempts logged into /var/log/messages, and therefore Fail2Ban has no information on which IP addresses to ban.

However, since you don't have any service running on port 22, you don't actually need banning.

Tero Kilkanen

If you're running ssh on a non-standard port, you need to update your fail2ban config to pay attention to that port, not just the named service (because it assumes the named service is running on its standard port).

Quoting from another answer:

fail2ban detects login attempts from log content. fail2ban doesn't use ports for detection, only to block. To block the right port, you have to tell fail2ban which one so that it sets up iptables correctly. In /etc/fail2ban/jail.local:

[ssh]
enabled = true
port = ssh     <-- just modify this with your port: port = 1234

Then restart fail2ban.

warren

ATM the solution is: fail2ban does not ban if pubkey-only auth is enabled. If someone finds another solution... reply.

elbarna
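Warren's quoted point (fail2ban detects from log content and uses the port only to block) and elbarna's final finding (no bans with pubkey-only auth) together, as an added Python example that is not part of this thread or of fail2ban itself: the regexes are illustrative stand-ins for fail2ban's sshd filter, the log lines are constructed, and the maxretry/findtime window mirrors the jail settings above. Whether a given fail2ban version's sshd filter actually matches the preauth disconnect line is something to confirm with fail2ban-regex against the real /var/log/messages.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed /var/log/messages excerpt (not a real capture): sshd listens on 2122 with
# password auth off. The listen port never appears here; detection sees only log content.
SAMPLE_LOG = """\
Mar  3 10:00:01 host sshd[2001]: Connection closed by authenticating user root 203.0.113.7 port 51000 [preauth]
Mar  3 10:00:05 host sshd[2002]: Connection closed by authenticating user root 203.0.113.7 port 51001 [preauth]
Mar  3 10:00:09 host sshd[2003]: Connection closed by authenticating user admin 203.0.113.7 port 51002 [preauth]
Mar  3 10:01:00 host sshd[2004]: Accepted publickey for alice from 198.51.100.5 port 40000 ssh2
Mar  3 10:02:00 host sshd[2005]: Failed password for bob from 192.0.2.9 port 40001 ssh2
"""

HOST = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
# Illustrative regexes in the spirit of fail2ban's sshd filter, not fail2ban's own.
CLASSIC_PATTERNS = [re.compile(r"Failed password for (?:invalid user )?\S+ from " + HOST)]
# With password auth disabled the client is cut off before any "Failed password" line exists.
PUBKEY_ONLY_PATTERNS = CLASSIC_PATTERNS + [
    re.compile(r"Connection closed by authenticating user \S+ " + HOST
               + r" port \d+ \[preauth\]"),
]
STAMP = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) ")


def failures(log_text, patterns, year=2024):
    """Return (timestamp, ip) for every line that matches one of the patterns."""
    hits = []
    for line in log_text.splitlines():
        stamp = STAMP.match(line)
        if not stamp:
            continue  # syslog lines without a timestamp cannot be windowed
        ts = datetime.strptime(f"{year} {stamp['ts']}", "%Y %b %d %H:%M:%S")
        for pat in patterns:
            m = pat.search(line)
            if m:
                hits.append((ts, m["ip"]))
                break
    return hits


def ips_to_ban(log_text, patterns, maxretry=3, findtime=10800):
    """Ban once an IP reaches maxretry failures inside a findtime-second window."""
    window = timedelta(seconds=findtime)
    recent, banned = defaultdict(list), set()
    for ts, ip in sorted(failures(log_text, patterns)):
        recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
        if len(recent[ip]) >= maxretry:
            banned.add(ip)
    return banned
```

With only the classic pattern the attacker at 203.0.113.7 is never counted, which is the "try and retry... no ban" symptom; adding the preauth disconnect pattern bans it after three attempts.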