You are not logged in.

#1 2020-05-25 21:00:50

leonixyz
Member
Registered: 2014-07-12
Posts: 62

fail2ban does not parse sshd log correctly

I am struggling to have fail2ban working. Followed instructions on https://wiki.archlinux.org/index.php/Fa … m_SSH_jail

Installed packages:

- fail2ban 0.11.1-1
- openssh 8.2p1-3

# grep LogLevel /etc/ssh/sshd_config 
LogLevel VERBOSE
# cat /etc/fail2ban/jail.d/jail.local 
[DEFAULT]
bantime = 1d
destemail = my@email.address
sender = my@email.address
mta = sendmail
action = %(action_mwl)s

[sshd]
enabled   = true
filter    = sshd
banaction = iptables
backend   = systemd
maxretry  = 5
findtime  = 1d
bantime   = 2w
ignoreip  = 127.0.0.1/8

(abbreviated)

# fail2ban-client get sshd failregex

|- [2]: ^Failed publickey for invalid user (?P<user>(?P<cond_user>\S+)|(?:(?! from ).)*?) from (?:\[?(?:(?:::f{4,6}:)?(?P<ip4>(?:\d{1,3}\.){3}\d{1,3})|(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):)))\]?|(?P<dns>[\w\-.^_]*\w))(?: (?:port \d+|on \S+)){0,2}(?: ssh\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)
|- [3]: ^Failed \b(?!publickey)\S+ for (?P<cond_inv>invalid user )?(?P<user>(?P<cond_user>\S+)|(?(cond_inv)(?:(?! from ).)*?|[^:]+)) from (?:\[?(?:(?:::f{4,6}:)?(?P<ip4>(?:\d{1,3}\.){3}\d{1,3})|(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):)))\]?|(?P<dns>[\w\-.^_]*\w))(?: (?:port \d+|on \S+)){0,2}(?: ssh\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)
|- [4]: ^Failed <cmnfailed> for (?P<cond_inv>invalid user )?(?P<user>(?P<cond_user>\S+)|(?(cond_inv)(?:(?! from ).)*?|[^:]+)) from (?:\[?(?:(?:::f{4,6}:)?(?P<ip4>(?:\d{1,3}\.){3}\d{1,3})|(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):)))\]?|(?P<dns>[\w\-.^_]*\w))(?: (?:port \d+|on \S+)){0,2}(?: ssh\d*)?(?(cond_user): |(?:(?:(?! from ).)*))$
# journalctl -fu sshd

May 25 22:43:46 archost sshd[3579]: Connection from 10.5.4.3 port 32948 on 10.5.4.1 port 22 rdomain ""
May 25 22:43:46 archost sshd[3579]: Failed publickey for test from 10.5.4.3 port 32948 ssh2: RSA SHA256:blablabla
May 25 22:43:46 archost sshd[3579]: Connection closed by authenticating user test 10.5.4.3 port 32948 [preauth]

My guess is that fail2ban regex are outdated/unable to parse the journal, but I'm not capable of debugging why.

I receive emails when fail2ban is started/stopped, and therefore I suppose I should get one also when someone gets banned, but I don't get anything when trying to ssh > 5 times using an invalid certificate, and neither when trying to authenticate with password (which is explicitly disabled in sshd_config). The ssh client is always able to initiate a connection.

The fail2ban does not show anything useful as well.

May 25 21:39:22 archost systemd[1]: Starting Fail2Ban Service...
May 25 21:39:22 archost systemd[1]: Started Fail2Ban Service.
May 25 21:39:22 archost fail2ban-server[3143]: Server ready
May 25 21:45:46 archost systemd[1]: Stopping Fail2Ban Service...

Thanks in advance for any help.

Offline

#2 2020-05-26 13:23:01

paulkerry
Member
From: Sheffield, UK
Registered: 2014-10-02
Posts: 611

Re: fail2ban does not parse sshd log correctly

leonixyz wrote:

My guess is that fail2ban regex are outdated/unable to parse the journal, but I'm not capable of debugging why.

Have you used the

fail2ban-regex

command to check your regex settings?

man fail2ban-regex

Also are you getting anything in /var/log/fail2ban.log ?

Offline

#3 2020-06-02 21:52:36

leonixyz
Member
Registered: 2014-07-12
Posts: 62

Re: fail2ban does not parse sshd log correctly

Thanks for pointing me to fail2ban-regex. It confirms that the default regex in /etc/fail2ban/filter.d/sshd.conf does not match the log entry:

# fail2ban-regex 'Failed publickey for test from 10.5.4.3 port 48168 ssh2: RSA SHA256:dIsSVbo8cWdomqAnxAaHvgOk7tWvcyxBQqqMfD5fRZk' /etc/fail2ban/filter.d/sshd.conf 

Running tests
=============

Use   failregex filter file : sshd, basedir: /etc/fail2ban
Use         maxlines : 1
Use      datepattern : Default Detectors
Use      single line :  Failed publickey for test from 10.5.4.3 ...


Results
=======

Failregex: 0 total

Ignoreregex: 0 total

Date template hits:

Lines: 1 lines, 0 ignored, 0 matched, 1 missed
[processed in 0.01 sec]

|- Missed line(s):
|   Failed publickey for test from 10.5.4.3 port 48168 ssh2: RSA SHA256:dIsSVbo8cWdomqAnxAaHvgOk7tWvcyxBQqqMfD5fRZk
`-

I suppose therefore the content of /var/log/fail2ban.log has little, if any, meaning.

2020-06-02 23:23:44,585 fail2ban.server         [1011]: INFO    Starting Fail2ban v0.11.1
2020-06-02 23:23:44,586 fail2ban.observer       [1011]: INFO    Observer start...
2020-06-02 23:23:44,591 fail2ban.database       [1011]: INFO    Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2020-06-02 23:23:44,592 fail2ban.jail           [1011]: INFO    Creating new jail 'sshd'
2020-06-02 23:23:44,602 fail2ban.jail           [1011]: INFO    Jail 'sshd' uses systemd {}
2020-06-02 23:23:44,602 fail2ban.jail           [1011]: INFO    Initiated 'systemd' backend
2020-06-02 23:23:44,604 fail2ban.filter         [1011]: INFO      maxLines: 1
2020-06-02 23:23:44,621 fail2ban.filtersystemd  [1011]: INFO    [sshd] Added journal match for: '_SYSTEMD_UNIT=sshd.service + _COMM=sshd'
2020-06-02 23:23:44,621 fail2ban.filter         [1011]: INFO      maxRetry: 5
2020-06-02 23:23:44,621 fail2ban.filter         [1011]: INFO      findtime: 86400
2020-06-02 23:23:44,622 fail2ban.actions        [1011]: INFO      banTime: 1209600
2020-06-02 23:23:44,622 fail2ban.filter         [1011]: INFO      encoding: UTF-8
2020-06-02 23:23:44,631 fail2ban.jail           [1011]: INFO    Jail 'sshd' started
2020-06-02 23:23:44,638 fail2ban.filter         [1011]: INFO    [sshd] Found 192.168.55.118 - 2020-06-02 21:13:25

The last line is a match on the following log entry (not the one that I am looking for):
Edit: it also confirms that fail2ban is actually parsing the journal, as it should be doing

User root from 192.168.55.118 not allowed because not listed in AllowUsers

Last edited by leonixyz (2020-06-02 21:54:27)

Offline

#4 2020-06-03 15:54:00

paulkerry
Member
From: Sheffield, UK
Registered: 2014-10-02
Posts: 611

Re: fail2ban does not parse sshd log correctly

Do you have a user on your system called "test"? If yes, fail2ban will only trigger when your maxretry=5 is reached.

edit: extra recommended info at https://www.fail2ban.org/wiki/index.php … _8#Filters
so you could add an extra failregex line as mentioned above to test things

Last edited by paulkerry (2020-06-03 15:58:09)

Offline

Board footer

Powered by FluxBB