I just noticed that fail2ban was no longer banning IPs that try to brute-force my SSH.
I really don't know how to fix this.
Here is a portion of my jail.conf:
[ssh-iptables]

enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
         sendmail-whois[name=SSH, dest=myemail@myhost.com, sender=myemail@myhost.com]
logpath = /var/log/auth.log
maxretry = 5
output from sudo fail2ban-client status
Status
|- Number of jail: 1
`- Jail list: ssh-iptables
output from fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf
...
Success, the total number of match is 46
Last edited by murfMan (2009-11-22 20:03:50)
Of those 46 matches, how many of them are for the same IP address (more than 5?)
What is the output of `iptables -nvL`?
Does /var/log/fail2ban.log reveal anything?
Are you familiar with our Forum Rules, and How To Ask Questions The Smart Way?
BlueHackers // fscanary // resticctl
sudo iptables -nvL
Chain INPUT (policy ACCEPT 250 packets, 33400 bytes)
pkts bytes target prot opt in out source destination
0 0 fail2ban-SSH tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 145 packets, 26592 bytes)
pkts bytes target prot opt in out source destination
Chain fail2ban-SSH (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
I looked in the log ... the last time any activity was logged was Nov 11. I have also tried to ban myself on another machine, so I know it's not working. Is there anything I need to start? I have fail2ban running as a daemon on startup.
Do you have SSH running on port 22?
Is the fail2ban process running? (pgrep -l fail2ban)
lol
I changed the port that SSH listens on a few days ago ... to cut down on brute-force attacks.
Plumb forgot to update fail2ban accordingly.
Thanks for the help.
Last edited by murfMan (2009-11-24 03:47:06)
I have exactly the same problem as the topic opener, but sshd is on port 22 now, and I still have the same problem. So his solution is not working for me.
# pgrep -l fail2ban
408 fail2ban-server
# iptables -nvL
Chain INPUT (policy ACCEPT 12883 packets, 929K bytes)
pkts bytes target prot opt in out source destination
48 6128 fail2ban-SSH tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 26469 packets, 30M bytes)
pkts bytes target prot opt in out source destination
Chain fail2ban-SSH (1 references)
pkts bytes target prot opt in out source destination
48 6128 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
##jail.conf
[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
         sendmail-whois[name=SSH, dest=xxxx@gmail.com, sender=xxxx@gmail.com]
logpath = /var/log/sshd.log
maxretry = 2
# fail2ban-client status
Status
|- Number of jail: 1
`- Jail list: ssh-iptables
# fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf
...
Success, the total number of match is 34
## from the same IP
Syslog-ng is enabled in systemd
After this I can SSH 7 times with a bad password from my phone on the mobile network without getting my IP banned. Any ideas why?
Edit: SOLVED.
In jail.conf:
-/var/log/sshd.log
+/var/log/auth.log
Last edited by Vegita (2013-03-15 11:16:14)
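The two root causes in this thread (murfMan's sshd moved off port 22 while the jail still banned port=ssh, and Vegita's logpath pointing at /var/log/sshd.log, a file sshd never wrote to) are both a mismatch between the jail and the running sshd. The script below is an added example, not anything posted in the thread, that checks a jail file against sshd_config for exactly those two mismatches. It assumes an ini-style jail file with an [ssh-iptables] section like the ones quoted above, a Port line in sshd_config (22 if absent), and getent for resolving service names; the sample files it writes under a temporary directory are constructed for the demo, not real system files.

```shell
#!/bin/sh
# Added example (not posted in the thread): sanity-check a fail2ban ssh jail
# against what sshd actually does. Both root causes seen in the thread are covered:
#  - the jail bans port "ssh" (22) while sshd was moved to another port
#  - the jail's logpath points at a file sshd never writes to
# Assumptions: ini-style jail file with an [ssh-iptables] section; sshd's port
# comes from a "Port" line in sshd_config (22 if absent); service names in the
# action are resolved with getent, falling back to 22 for "ssh".
set -u

# jail_value FILE SECTION KEY: print KEY's value from [SECTION] (first match).
jail_value() {
    awk -v sec="[$2]" -v key="$3" '
        $1 == sec { in_sec = 1; next }
        /^\[/     { in_sec = 0 }
        in_sec && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1)
                sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# sshd_port SSHD_CONFIG: the last "Port" directive, or 22 when none is set.
sshd_port() {
    awk 'tolower($1) == "port" { p = $2 } END { print (p == "" ? 22 : p) }' "$1"
}

# resolve_port NAME_OR_NUMBER: numeric port for a service name (e.g. "ssh" -> 22).
resolve_port() {
    case "$1" in
        *[!0-9]*)
            port=$(getent services "$1" 2>/dev/null | awk '{ split($2, a, "/"); print a[1]; exit }')
            if [ -z "$port" ] && [ "$1" = ssh ]; then port=22; fi
            printf '%s\n' "$port" ;;
        *) printf '%s\n' "$1" ;;
    esac
}

# check_ssh_jail SSHD_CONFIG JAIL_FILE: exit 0 when the jail's banned port matches
# sshd's listening port and its logpath is readable and contains sshd entries.
check_ssh_jail() {
    want=$(sshd_port "$1")
    action=$(jail_value "$2" ssh-iptables action)
    svc=$(printf '%s\n' "$action" | sed -n 's/.*port=\([^],]*\).*/\1/p')
    have=$(resolve_port "$svc")
    logpath=$(jail_value "$2" ssh-iptables logpath)
    rc=0
    if [ "$have" != "$want" ]; then
        echo "MISMATCH: sshd listens on $want but the jail bans port '$svc' ($have)"
        rc=1
    fi
    if [ ! -r "$logpath" ]; then
        echo "MISSING: logpath '$logpath' is not readable"; rc=1
    elif ! grep -q 'sshd\[' "$logpath"; then
        echo "EMPTY: $logpath contains no sshd entries; check where syslog sends them"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: jail bans port $have and reads $logpath"
    return "$rc"
}

# Demo with constructed files (not real system files), replaying the thread's three states.
demo() {
    dir=$(mktemp -d) || return 1
    printf 'Nov 22 20:03:50 host sshd[1234]: Failed password for invalid user admin from 192.0.2.10 port 40000 ssh2\n' > "$dir/auth.log"
    printf '[ssh-iptables]\nenabled = true\nfilter = sshd\naction = iptables[name=SSH, port=ssh, protocol=tcp]\n         sendmail-whois[name=SSH, dest=root@localhost, sender=root@localhost]\nlogpath = %s\nmaxretry = 5\n' "$dir/auth.log" > "$dir/jail.conf"

    echo "# sshd moved to 2222, jail still bans port 'ssh':"
    printf 'Port 2222\n' > "$dir/sshd_config"
    check_ssh_jail "$dir/sshd_config" "$dir/jail.conf" || true

    echo "# sshd back on 22, logpath points at a file sshd never writes:"
    printf 'Port 22\n' > "$dir/sshd_config"
    sed "s|^logpath = .*|logpath = $dir/sshd.log|" "$dir/jail.conf" > "$dir/jail2.conf"
    check_ssh_jail "$dir/sshd_config" "$dir/jail2.conf" || true

    echo "# both fixed:"
    check_ssh_jail "$dir/sshd_config" "$dir/jail.conf" || true
    rm -rf "$dir"
}
demo
```

Run it as-is to see the three scenarios; on a real host point check_ssh_jail at /etc/ssh/sshd_config and /etc/fail2ban/jail.conf (or jail.local). The 0-packet counters on the fail2ban-SSH chain in murfMan's iptables -nvL output show the same mismatch from the firewall's side: the rule only matches dpt:22, and nothing was arriving there any more.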