You are not logged in.

#1 2009-11-22 19:52:45

murfMan
Member
Registered: 2009-10-27
Posts: 161

fail2ban stopped working :(

i just noticed that fail2ban was no longer banning ips that try to brute force my ssh.
i really don't know how to fix this.

here is a portion of my jail.conf

 54 [ssh-iptables]
 55 
 56 enabled  = true
 57 filter   = sshd
 58 action   = iptables[name=SSH, port=ssh, protocol=tcp]
 59            sendmail-whois[name=SSH, dest=myemail@myhost.com, sender=myemail@myhost.com]
 60 logpath  = /var/log/auth.log
 61 maxretry = 5

output from sudo fail2ban-client status

Status
|- Number of jail:    1
`- Jail list:        ssh-iptables

output from fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf

...
Success, the total number of match is 46

sad

Last edited by murfMan (2009-11-22 20:03:50)

Offline

#2 2009-11-22 21:29:40

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,217
Website

Re: fail2ban stopped working :(

Of those 46 matches, how many of them are for the same IP address (more than 5?)
What is the output of `iptables -nvL`?
Does /var/log/fail2ban.log reveal anything?

Offline

#3 2009-11-23 19:32:16

murfMan
Member
Registered: 2009-10-27
Posts: 161

Re: fail2ban stopped working :(

sudo iptables -nvL

Chain INPUT (policy ACCEPT 250 packets, 33400 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 fail2ban-SSH  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 145 packets, 26592 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain fail2ban-SSH (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

i looked in the log ... the last time any activity was logged was nov 11.  i have also tried to ban myself on another machine.  so i know its not working.  is there anything i need to start?  i have fail2ban running as a daemon on startup.

Offline

#4 2009-11-23 22:54:08

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,217
Website

Re: fail2ban stopped working :(

Do you have SSH running on port 22?
Is the fail2ban process running? (pgrep -l fail2ban)

Offline

#5 2009-11-24 03:28:28

murfMan
Member
Registered: 2009-10-27
Posts: 161

Re: fail2ban stopped working :(

lol
i changed the port that ssh listens on a few days ago ... to cut down on brute force attacks. 

plum forgot to update fail2ban accordingly. tongue

thanks for the help.

Last edited by murfMan (2009-11-24 03:47:06)

Offline

#6 2013-03-15 11:03:07

Vegita
Member
Registered: 2009-10-06
Posts: 111

Re: fail2ban stopped working :(

I have exactly the same problem that the topic opener, but now sshd is on port 22, and I have the same problem. So his solution is not working for me

# pgrep -l fail2ban
408 fail2ban-server

# iptables -nvL
Chain INPUT (policy ACCEPT 12883 packets, 929K bytes)
 pkts bytes target     prot opt in     out     source               destination         
   48  6128 fail2ban-SSH  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 26469 packets, 30M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain fail2ban-SSH (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   48  6128 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0 

##jail.conf
[ssh-iptables]

enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=xxxx@gmail.com, sender=xxxx@gmail.com]
logpath  = /var/log/sshd.log
maxretry = 2

# fail2ban-client status
Status
|- Number of jail:	1
`- Jail list:		ssh-iptables

#fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf
...
Success, the total number of match is 34
##from the same ip

Syslog-ng is enabled in systemd

After this I can SSH 7 times with bad password from my phone and mobile network without getting my ip banned. Any ideas why?

Edit: SOLVED,

at jail.conf:
-/var/log/sshd.log
+/var/log/auth.log

Last edited by Vegita (2013-03-15 11:16:14)

Offline

Board footer

Powered by FluxBB