I am struggling to get fail2ban working. Followed instructions on https://wiki.archlinux.org/index.php/Fa … m_SSH_jail
Installed packages:
- fail2ban 0.11.1-1
- openssh 8.2p1-3
# grep LogLevel /etc/ssh/sshd_config
LogLevel VERBOSE
# cat /etc/fail2ban/jail.d/jail.local
[DEFAULT]
bantime = 1d
destemail = my@email.address
sender = my@email.address
mta = sendmail
action = %(action_mwl)s
[sshd]
enabled = true
filter = sshd
banaction = iptables
backend = systemd
maxretry = 5
findtime = 1d
bantime = 2w
ignoreip = 127.0.0.1/8
(abbreviated)
# fail2ban-client get sshd failregex
|- [2]: ^Failed publickey for invalid user (?P<user>(?P<cond_user>\S+)|(?:(?! from ).)*?) from (?:\[?(?:(?:::f{4,6}:)?(?P<ip4>(?:\d{1,3}\.){3}\d{1,3})|(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):)))\]?|(?P<dns>[\w\-.^_]*\w))(?: (?:port \d+|on \S+)){0,2}(?: ssh\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)
|- [3]: ^Failed \b(?!publickey)\S+ for (?P<cond_inv>invalid user )?(?P<user>(?P<cond_user>\S+)|(?(cond_inv)(?:(?! from ).)*?|[^:]+)) from (?:\[?(?:(?:::f{4,6}:)?(?P<ip4>(?:\d{1,3}\.){3}\d{1,3})|(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):)))\]?|(?P<dns>[\w\-.^_]*\w))(?: (?:port \d+|on \S+)){0,2}(?: ssh\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)
|- [4]: ^Failed <cmnfailed> for (?P<cond_inv>invalid user )?(?P<user>(?P<cond_user>\S+)|(?(cond_inv)(?:(?! from ).)*?|[^:]+)) from (?:\[?(?:(?:::f{4,6}:)?(?P<ip4>(?:\d{1,3}\.){3}\d{1,3})|(?P<ip6>(?:[0-9a-fA-F]{1,4}::?|::){1,7}(?:[0-9a-fA-F]{1,4}|(?<=:):)))\]?|(?P<dns>[\w\-.^_]*\w))(?: (?:port \d+|on \S+)){0,2}(?: ssh\d*)?(?(cond_user): |(?:(?:(?! from ).)*))$
# journalctl -fu sshd
May 25 22:43:46 archost sshd[3579]: Connection from 10.5.4.3 port 32948 on 10.5.4.1 port 22 rdomain ""
May 25 22:43:46 archost sshd[3579]: Failed publickey for test from 10.5.4.3 port 32948 ssh2: RSA SHA256:blablabla
May 25 22:43:46 archost sshd[3579]: Connection closed by authenticating user test 10.5.4.3 port 32948 [preauth]
My guess is that fail2ban regex are outdated/unable to parse the journal, but I'm not capable of debugging why.
I receive emails when fail2ban is started/stopped, and therefore I suppose I should get one also when someone gets banned, but I don't get anything when trying to ssh > 5 times using an invalid certificate, nor when trying to authenticate with password (which is explicitly disabled in sshd_config). The ssh client is always able to initiate a connection.
fail2ban does not show anything useful either.
May 25 21:39:22 archost systemd[1]: Starting Fail2Ban Service...
May 25 21:39:22 archost systemd[1]: Started Fail2Ban Service.
May 25 21:39:22 archost fail2ban-server[3143]: Server ready
May 25 21:45:46 archost systemd[1]: Stopping Fail2Ban Service...
Thanks in advance for any help.
My guess is that fail2ban regex are outdated/unable to parse the journal, but I'm not capable of debugging why.
Have you used the fail2ban-regex command to check your regex settings?
man fail2ban-regex
Also are you getting anything in /var/log/fail2ban.log ?
Thanks for pointing me to fail2ban-regex. It confirms that the default regex in /etc/fail2ban/filter.d/sshd.conf does not match the log entry:
# fail2ban-regex 'Failed publickey for test from 10.5.4.3 port 48168 ssh2: RSA SHA256:dIsSVbo8cWdomqAnxAaHvgOk7tWvcyxBQqqMfD5fRZk' /etc/fail2ban/filter.d/sshd.conf
Running tests
=============
Use failregex filter file : sshd, basedir: /etc/fail2ban
Use maxlines : 1
Use datepattern : Default Detectors
Use single line : Failed publickey for test from 10.5.4.3 ...
Results
=======
Failregex: 0 total
Ignoreregex: 0 total
Date template hits:
Lines: 1 lines, 0 ignored, 0 matched, 1 missed
[processed in 0.01 sec]
|- Missed line(s):
| Failed publickey for test from 10.5.4.3 port 48168 ssh2: RSA SHA256:dIsSVbo8cWdomqAnxAaHvgOk7tWvcyxBQqqMfD5fRZk
`-
I suppose therefore the content of /var/log/fail2ban.log has little, if any, meaning.
2020-06-02 23:23:44,585 fail2ban.server [1011]: INFO Starting Fail2ban v0.11.1
2020-06-02 23:23:44,586 fail2ban.observer [1011]: INFO Observer start...
2020-06-02 23:23:44,591 fail2ban.database [1011]: INFO Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2020-06-02 23:23:44,592 fail2ban.jail [1011]: INFO Creating new jail 'sshd'
2020-06-02 23:23:44,602 fail2ban.jail [1011]: INFO Jail 'sshd' uses systemd {}
2020-06-02 23:23:44,602 fail2ban.jail [1011]: INFO Initiated 'systemd' backend
2020-06-02 23:23:44,604 fail2ban.filter [1011]: INFO maxLines: 1
2020-06-02 23:23:44,621 fail2ban.filtersystemd [1011]: INFO [sshd] Added journal match for: '_SYSTEMD_UNIT=sshd.service + _COMM=sshd'
2020-06-02 23:23:44,621 fail2ban.filter [1011]: INFO maxRetry: 5
2020-06-02 23:23:44,621 fail2ban.filter [1011]: INFO findtime: 86400
2020-06-02 23:23:44,622 fail2ban.actions [1011]: INFO banTime: 1209600
2020-06-02 23:23:44,622 fail2ban.filter [1011]: INFO encoding: UTF-8
2020-06-02 23:23:44,631 fail2ban.jail [1011]: INFO Jail 'sshd' started
2020-06-02 23:23:44,638 fail2ban.filter [1011]: INFO [sshd] Found 192.168.55.118 - 2020-06-02 21:13:25
The last line is a match on the following log entry (not the one that I am looking for):
User root from 192.168.55.118 not allowed because not listed in AllowUsers
Edit: it also confirms that fail2ban is actually parsing the journal, as it should be doing
Last edited by leonixyz (2020-06-02 21:54:27)
Do you have a user on your system called "test"? If yes, fail2ban will only trigger when your maxretry=5 is reached.
edit: extra recommended info at https://www.fail2ban.org/wiki/index.php … _8#Filters
So you could add an extra failregex line as mentioned above to test things.
Last edited by paulkerry (2020-06-03 15:58:09)
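An added example, not code from the thread or from fail2ban itself: it replays a simplified form of failregex [2] and [4] quoted above against the journal lines from the thread, stripping the syslog prefix the way the systemd backend does, so you can see why "Failed publickey for test" is missed while "invalid user" lines are counted. The two substitutions for the `<cmnfailed>` placeholder and the extra "Failed password" sample line are assumptions for illustration.

```python
import re

# Constructed sample journal lines: the three from the thread plus one
# "Failed password for invalid user" line added for contrast.
JOURNAL = [
    'May 25 22:43:46 archost sshd[3579]: Failed publickey for test from 10.5.4.3 port 32948 ssh2: RSA SHA256:blablabla',
    'May 25 22:43:47 archost sshd[3580]: Failed publickey for invalid user bob from 10.5.4.3 port 32949 ssh2: RSA SHA256:blablabla',
    'May 25 22:43:48 archost sshd[3581]: Failed password for invalid user bob from 10.5.4.3 port 32950 ssh2',
    'May 25 22:43:49 archost sshd[3582]: Connection closed by authenticating user test 10.5.4.3 port 32948 [preauth]',
]

# Syslog-style prefix (date, host, sshd[pid]:) that fail2ban removes before failregex runs.
PREFIX = re.compile(r'^\w{3} +\d+ \d\d:\d\d:\d\d \S+ sshd\[\d+\]: ')
# Reduced HOST alternative (IPv4 only) and the "port N / on X / ssh2" tail from the thread's regexes.
HOST = r'(?P<ip4>(?:\d{1,3}\.){3}\d{1,3})'
TAIL = r'(?: (?:port \d+|on \S+)){0,2}(?: ssh\d*)?'

# Assumed expansions of the <cmnfailed> placeholder seen in regex [4]:
# 'invalid' mirrors regex [3] (failed publickey for an existing user is NOT counted),
# 'any' counts every failed method, including publickey.
CMNFAILED = {
    'invalid': r'\b(?!publickey)\S+',
    'any': r'\S+',
}

def build_failregex(mode):
    rules = [
        r'^Failed publickey for invalid user (?P<user>\S+) from ' + HOST + TAIL,
        r'^Failed <cmnfailed> for (?:invalid user )?(?P<user>\S+) from ' + HOST + TAIL,
    ]
    return [re.compile(r.replace('<cmnfailed>', CMNFAILED[mode])) for r in rules]

def scan(lines, mode='invalid'):
    """Return ([(user, ip), ...] for matched lines, [missed message, ...])."""
    regs = build_failregex(mode)
    hits, missed = [], []
    for line in lines:
        msg = PREFIX.sub('', line, count=1)
        for rx in regs:
            m = rx.search(msg)
            if m:
                hits.append((m.group('user'), m.group('ip4')))
                break
        else:
            missed.append(msg)
    return hits, missed

def ban_candidates(hits, maxretry=5):
    """IPs whose failure count reached maxretry (the jail's maxretry = 5)."""
    counts = {}
    for _, ip in hits:
        counts[ip] = counts.get(ip, 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= maxretry)

if __name__ == '__main__':
    for mode in ('invalid', 'any'):
        hits, missed = scan(JOURNAL, mode)
        print(mode, 'hits:', hits, 'missed:', len(missed), 'ban:', ban_candidates(hits))
```

With the default-style substitution the "test" line is missed, which is the behaviour the thread is seeing when "test" is a real account; switching the substitution is what an extra failregex line in jail.local achieves.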