
#1 2017-08-17 13:14:32

maxline
Member
Registered: 2017-08-17
Posts: 8

[SOLVED] Fail2ban does not ban IP after too many authentication failures

Hi. Please help.
I did as https://wiki.archlinux.org/index.php/Fail2ban instructed:
cp /etc/fail2ban/paths-fedora.conf /etc/fail2ban/paths-archlinux.conf
nano /etc/fail2ban/jail.local

[INCLUDES]
before = paths-archlinux.conf 

nano /etc/fail2ban/jail.d/jail.conf

[DEFAULT]
bantime = 864000
findtime  = 86400
ignoreip = 127.0.0.1/8

[sshd]
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
backend  = systemd
maxretry = 2
port = 22 

systemctl status fail2ban.service

 fail2ban.service - Fail2Ban Service
   Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2017-08-17 15:06:32 MSK; 11min ago
     Docs: man:fail2ban(1)
  Process: 1039 ExecStop=/usr/bin/fail2ban-client stop (code=exited, status=0/SUCCESS)
  Process: 1044 ExecStart=/usr/bin/fail2ban-client -x start (code=exited, status=0/SUCCESS)
 Main PID: 1047 (fail2ban-server)
    Tasks: 3 (limit: 4915)
   CGroup: /system.slice/fail2ban.service
           └─1047 /usr/bin/python /usr/bin/fail2ban-server -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid -x -b 

systemctl enable fail2ban.service
systemctl restart fail2ban.service

fail2ban-client -vv -d 2>&1 | grep sshd | grep -Ev "'addfailregex'|'addignoreip'|'action'"

INFO   Loading configs for filter.d/sshd under /etc/fail2ban
DEBUG  Reading configs for filter.d/sshd under /etc/fail2ban
DEBUG  Reading config files: /etc/fail2ban/filter.d/sshd.conf
INFO     Loading files: ['/etc/fail2ban/filter.d/sshd.conf']
INFO     Loading files: ['/etc/fail2ban/filter.d/common.conf', '/etc/fail2ban/filter.d/sshd.conf']
['add', 'sshd', 'systemd']
['set', 'sshd', 'logencoding', 'auto']
['set', 'sshd', 'maxretry', 2]
['set', 'sshd', 'findtime', 86400]
['set', 'sshd', 'bantime', 864000]
['set', 'sshd', 'usedns', 'warn']
['set', 'sshd', 'ignorecommand', '']
['set', 'sshd', 'maxlines', '10']
['set', 'sshd', 'addjournalmatch', '_SYSTEMD_UNIT=sshd.service', '+', '_COMM=sshd']
['set', 'sshd', 'addaction', 'iptables']
['start', 'sshd'] 

iptables -L -v -n

 Chain INPUT (policy ACCEPT 824 packets, 67207 bytes)
 pkts bytes target     prot opt in     out     source               destination
   75  7770 f2b-SSH    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 157 packets, 21121 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain f2b-SSH (1 references)
 pkts bytes target     prot opt in     out     source               destination
   75  7770 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0 

But nothing works. Fail2ban does not ban the IP after too many authentication failures.

Last edited by maxline (2017-08-23 12:56:44)


#2 2017-08-23 12:50:38

maxline
Member
Registered: 2017-08-17
Posts: 8

Re: [SOLVED] Fail2ban does not ban IP after too many authentication failures

Solution:
1. pacman -S syslog-ng
systemctl enable syslog-ng
systemctl restart syslog-ng
Check: [ -s /var/log/auth.log ] || echo "syslog-ng service does not work"
If there is no message, then syslog-ng is working.

2. IPv4 iptables only
iptables-save > /etc/iptables/iptables.rules
systemctl enable iptables.service
systemctl restart iptables.service

3. sshd
IPv4 only
sed -i '/#AddressFamily any/a AddressFamily inet' /etc/ssh/sshd_config

systemctl enable sshd.service
systemctl restart sshd.service

netstat -tunlp | grep sshd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1505/sshd

For correct logging
sed -i '/#LogLevel INFO/a LogLevel VERBOSE' /etc/ssh/sshd_config
systemctl restart sshd.service

4. fail2ban
pacman -S fail2ban
systemctl enable fail2ban.service
systemctl restart fail2ban.service

cp /etc/fail2ban/paths-fedora.conf /etc/fail2ban/paths-archlinux.conf

touch /etc/fail2ban/jail.local
echo "[INCLUDES]
before = paths-archlinux.conf" >> /etc/fail2ban/jail.local

touch /etc/fail2ban/jail.d/jail.conf
If you use only IPv4 and iptables:
echo "[DEFAULT]
bantime = 86400
findtime  = 432000
ignoreip = 127.0.0.1/8

[sshd]
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
backend  = systemd
maxretry = 3
logpath = %(sshd_log)s" >> /etc/fail2ban/jail.d/jail.conf

systemctl restart fail2ban.service
systemctl status fail2ban.service
● fail2ban.service - Fail2Ban Service
   Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; vendor preset: disabled)
   Active: active (running)

Checking fail2ban in iptables
iptables -L -v -n

Chain INPUT (policy ACCEPT 17 packets, 1300 bytes)
pkts bytes target     prot opt in     out     source               destination         
    0     0 f2b-SSH    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 7 packets, 493 bytes)
pkts bytes target     prot opt in     out     source               destination         

Chain f2b-SSH (1 references)
pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0   

After that, fail2ban banned the IP after too many authentication failures.
Read more here: https://manjaro.ru/blog/how-to/ustanovk … linux.html

Last edited by maxline (2017-08-23 12:54:27)
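The jail values in the post above (maxretry, findtime, ignoreip) only bite if sshd actually writes matching failure lines and fail2ban counts them inside the findtime window. The script below is an added dry-run of that counting logic, not fail2ban's own code or anything from the thread: it applies a simplified form of one sshd failregex to a constructed sample log and reports which addresses the sliding maxretry/findtime window would ban, so you can check the chosen values against real journal output before trusting an empty f2b-SSH chain.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime
# Simplified form of one fail2ban filter.d/sshd.conf pattern (assumption: the real filter has many more)
FAILREGEX = re.compile(
    r"sshd\[\d+\]: Failed (?:password|publickey) for (?:invalid user )?\S+ "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2"
)
def parse_failure(line, year=2017):
    # Syslog/journal prefix "Aug 23 12:40:01 host sshd[pid]: ..."; returns (seconds, ip) or None
    m = FAILREGEX.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
    return (ts - datetime(year, 1, 1)).total_seconds(), m.group("ip")
def simulate_bans(lines, maxretry=3, findtime=432000, ignoreip="127.0.0.1/8"):
    # Defaults are the jail values from the thread; returns IPs that would be banned, in order
    ignored = ipaddress.ip_network(ignoreip, strict=False)
    failures = defaultdict(deque)  # ip -> timestamps of failures inside the findtime window
    banned = []
    for line in lines:
        hit = parse_failure(line)
        if hit is None:
            continue  # "Accepted password" and other non-failure lines never count
        t, ip = hit
        if ipaddress.ip_address(ip) in ignored or ip in banned:
            continue
        q = failures[ip]
        q.append(t)
        while t - q[0] > findtime:  # forget failures older than findtime seconds
            q.popleft()
        if len(q) >= maxretry:
            banned.append(ip)
            q.clear()  # fail2ban resets the counter once the ban fires
    return banned
# Constructed sample log for this example (RFC 5737 documentation addresses, not real hosts)
SAMPLE_LOG = """\
Aug 10 08:00:00 arch sshd[1400]: Failed password for root from 192.0.2.77 port 50001 ssh2
Aug 13 08:00:00 arch sshd[1410]: Failed password for root from 192.0.2.77 port 50002 ssh2
Aug 17 08:00:00 arch sshd[1420]: Failed password for root from 192.0.2.77 port 50003 ssh2
Aug 23 12:40:01 arch sshd[1505]: Failed password for root from 203.0.113.5 port 51022 ssh2
Aug 23 12:40:05 arch sshd[1505]: Failed password for invalid user admin from 203.0.113.5 port 51023 ssh2
Aug 23 12:40:09 arch sshd[1505]: Failed password for invalid user admin from 203.0.113.5 port 51024 ssh2
Aug 23 12:41:00 arch sshd[1505]: Failed password for root from 198.51.100.9 port 40001 ssh2
Aug 23 12:41:03 arch sshd[1505]: Accepted password for maxline from 198.51.100.9 port 40002 ssh2
Aug 23 12:41:07 arch sshd[1505]: Failed password for root from 198.51.100.9 port 40003 ssh2
Aug 23 12:42:00 arch sshd[1505]: Failed password for root from 127.0.0.1 port 33000 ssh2
Aug 23 12:42:01 arch sshd[1505]: Failed password for root from 127.0.0.1 port 33001 ssh2
""".splitlines()
```

With the thread's defaults only 203.0.113.5 is banned: 192.0.2.77 spreads three failures over seven days, so the five-day findtime window never holds three at once, and 127.0.0.1 is covered by ignoreip. Feed it `journalctl -u sshd --no-pager -o short` output to compare against `fail2ban-client status sshd`.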

