fail2ban not working on fresh install of ubuntu 14.04, why?
Solution 1
"not sure if related but I deleted and recreated /var/log/auth.log, because I needed to empty it, to debug the situation"
This could well be the problem. It's likely that the syslog daemon is still writing to the original fd. You should try restarting the syslog daemon to see if it starts to log to the correct file.
service rsyslog restart
Once you have messages going to the auth.log it should start working.
Solution 2
Sometimes this is because the __bsd_syslog_verbose is wrong. fail2ban expects /var/log/auth.log to start with YYYY.MM.DD (i.e. 2014.10.15), yet the logs read MMM DD (i.e. Oct 15).
To fix this you will need to do the following:
cp /etc/fail2ban/filter.d/common.conf /etc/fail2ban/filter.d/common.local
Edit common.local and set:
__bsd_syslog_verbose = (<[^.]+ [^.]+>)
Restart fail2ban:
Ubuntu (don't use restart):
sudo service fail2ban stop
sudo service fail2ban start
Solution 3
Issue in pyinotify: https://github.com/fail2ban/fail2ban/issues/878
In /etc/fail2ban/jail.conf or /etc/fail2ban/jail.local I changed "backend = auto" to "backend = polling" and everything works as expected ;)
service fail2ban stop
service fail2ban start
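Added example (not code from the question or from any of the answers): a small Python emulation of what the ssh jail does with auth.log lines, using the "Failed password" failregex from the question's fail2ban-client -d dump (its optional key-fingerprint tail omitted) and the jail's maxretry = 1, findtime = 600. The timestamp handling is simplified to the Ubuntu rsyslog "MMM DD HH:MM:SS" format and the log lines are constructed; an empty auth.log, as in the question, yields no matches and therefore no bans.

```python
import re
from collections import defaultdict
from datetime import datetime

# auth.log lines constructed for this example (not taken from the question).
SAMPLE_AUTH_LOG = """\
May 22 15:29:20 host sshd[2231]: Failed password for root from 203.0.113.7 port 51122 ssh2
May 22 15:29:24 host sshd[2231]: Failed password for root from 203.0.113.7 port 51122 ssh2
May 22 15:29:40 host sshd[2240]: Accepted password for alice from 198.51.100.9 port 40022 ssh2
May 22 15:31:02 host sshd[2255]: Failed password for invalid user admin from 198.51.100.9 port 40101 ssh2
"""
# Syslog timestamp as rsyslog writes it on Ubuntu 14.04 ("MMM DD HH:MM:SS").
SYSLOG_TS = re.compile(r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) ")
# The "Failed password" failregex from the question's `fail2ban-client -d` dump;
# fail2ban itself substitutes <HOST> with the capturing group assigned to HOST.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
FAILREGEX = re.compile(
    r"^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?"
    r"(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?"
    r"\s(?:\[ID \d+ \S+\])?\s*Failed \S+ for .*? from " + HOST + r"(?: port \d*)?(?: ssh\d*)?\s*$")

def find_failures(log_text, year=2014):
    """Return (timestamp, host) for every line the failregex matches."""
    hits = []
    for line in log_text.splitlines():
        m = SYSLOG_TS.match(line)
        if not m:
            continue  # no recognisable timestamp: fail2ban skips the line
        when = datetime.strptime("%d %s" % (year, m.group("ts")), "%Y %b %d %H:%M:%S")
        fm = FAILREGEX.match(line[m.end():])  # fail2ban matches the line minus its timestamp
        if fm:
            hits.append((when, fm.group("host")))
    return hits

def hosts_to_ban(hits, maxretry=1, findtime=600):
    """Hosts reaching maxretry failures inside a findtime window (question's jail: 1 in 600 s)."""
    by_host = defaultdict(list)
    for when, host in sorted(hits):
        by_host[host].append(when)
    banned = []
    for host, times in by_host.items():
        retry, window_start = 0, None
        for t in times:
            if window_start is None or (t - window_start).total_seconds() > findtime:
                retry, window_start = 0, t  # window expired: start a fresh count
            retry += 1
            if retry >= maxretry:
                banned.append(host)
                break
    return banned
```

With the question's action each banned host is inserted as iptables -I fail2ban-SSH 1 -s <ip> -j REJECT --reject-with icmp-port-unreachable, which is the "Connection refused" the poster saw once logging worked again.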
punkbit
Updated on September 18, 2022
Comments
-
punkbit over 1 year
After installing and configuring fail2ban, I tried to log in to my server through ssh with a wrong password. After a few attempts, I tried with the correct password with success. So, fail2ban didn't ban the user IP, allowing him to log in, regardless of the rules I've set, maxretry = 1, etc.
My iptables -L output:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-SSH  tcp  --  anywhere             anywhere             tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-SSH (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
Here's the debug log (not the complete version):
root@host:~# fail2ban-client -v -v -v start
DEBUG Reading configs for /etc/fail2ban/fail2ban under /etc/fail2ban
DEBUG Reading config files: /etc/fail2ban/fail2ban.conf
DEBUG Reading files: ['/etc/fail2ban/fail2ban.conf']
INFO Using socket file /var/run/fail2ban/fail2ban.sock
DEBUG Reading configs for /etc/fail2ban/fail2ban under /etc/fail2ban
DEBUG Reading config files: /etc/fail2ban/fail2ban.conf
DEBUG Reading files: ['/etc/fail2ban/fail2ban.conf']
DEBUG Reading configs for /etc/fail2ban/jail under /etc/fail2ban
DEBUG Reading config files: /etc/fail2ban/jail.conf, /etc/fail2ban/jail.local
DEBUG Reading files: ['/etc/fail2ban/jail.conf', '/etc/fail2ban/jail.local']
DEBUG Reading configs for /etc/fail2ban/jail under /etc/fail2ban
DEBUG Reading config files: /etc/fail2ban/jail.conf, /etc/fail2ban/jail.local
DEBUG Reading files: ['/etc/fail2ban/jail.conf', '/etc/fail2ban/jail.local']
DEBUG Reading configs for /etc/fail2ban/filter.d/sshd under /etc/fail2ban
DEBUG Reading config files: /etc/fail2ban/filter.d/sshd.conf
DEBUG Reading files: ['/etc/fail2ban/filter.d/common.conf', '/etc/fail2ban/filter.d/common.local', '/etc/fail2ban/filter.d/sshd.conf']
DEBUG Reading configs for /etc/fail2ban/action.d/iptables under /etc/fail2ban
DEBUG Reading config files: /etc/fail2ban/action.d/iptables.conf
DEBUG Reading files: ['/etc/fail2ban/action.d/iptables-blocktype.conf', '/etc/fail2ban/action.d/iptables-blocktype.local', '/etc/fail2ban/action.d/iptables.conf']
DEBUG Reading configs for /etc/fail2ban/jail under /etc/fail2ban
DEBUG Reading config files: /etc/fail2ban/jail.conf, /etc/fail2ban/jail.local
DEBUG Reading files: ['/etc/fail2ban/jail.conf', '/etc/fail2ban/jail.local']
DEBUG Reading configs for /etc/fail2ban/jail under /etc/fail2ban
DEBUG Reading config files: /etc/fail2ban/jail.conf, /etc/fail2ban/jail.local
DEBUG Reading files: ['/etc/fail2ban/jail.conf', '/etc/fail2ban/jail.local']
DEBUG Reading configs for /etc/fail2ban/jail under /etc/fail2ban
DEBUG Reading config files: /etc/fail2ban/jail.conf, /etc/fail2ban/jail.local
DEBUG Reading files: ['/etc/fail2ban/jail.conf', '/etc/fail2ban/jail.local']
DEBUG Reading configs for /etc/fail2ban/jail under /etc/fail2ban
DEBUG Reading config files: /etc/fail2ban/jail.conf, /etc/fail2ban/jail.local
DEBUG Reading files: ['/etc/fail2ban/jail.conf', '/etc/fail2ban/jail.local']
DEBUG Reading configs for /etc/fail2ban/jail under /etc/fail2ban
DEBUG Reading config files: /etc/fail2ban/jail.conf, /etc/fail2ban/jail.local
[...] SKIPPED SOME READING CONFIG FILES here
DEBUG Reading files: ['/etc/fail2ban/jail.conf', '/etc/fail2ban/jail.local']
DEBUG Reading configs for /etc/fail2ban/jail under /etc/fail2ban
DEBUG Reading config files: /etc/fail2ban/jail.conf, /etc/fail2ban/jail.local
DEBUG Reading files: ['/etc/fail2ban/jail.conf', '/etc/fail2ban/jail.local']
INFO [# ] Waiting on the server...
DEBUG Starting '/usr/bin/fail2ban-server' with args ['fail2ban-server', '-b', '-s', '/var/run/fail2ban/fail2ban.sock', '-p', '/var/run/fail2ban/fail2ban.pid']
2014-05-22 15:29:14,376 fail2ban.server : INFO Starting Fail2ban v0.8.11
2014-05-22 15:29:14,376 fail2ban.server : INFO Starting in daemon mode
DEBUG OK : 'pong'
DEBUG OK : 3
DEBUG OK : '/var/log/fail2ban.log'
DEBUG OK : 'ssh'
DEBUG OK : 'warn'
DEBUG OK : ['/var/log/auth.log']
DEBUG OK : 1
DEBUG OK : ['127.0.0.1/8']
DEBUG OK : 600
DEBUG OK : 600
DEBUG OK : ['^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*(?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from (?:::f{4,6}:)?(?P<host>[\\w\\-.^_]*\\w)( via \\S+)?\\s*$']
DEBUG OK : ['^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*(?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from (?:::f{4,6}:)?(?P<host>[\\w\\-.^_]*\\w)( via \\S+)?\\s*$', '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*(?:error: PAM: )?User not known to the underlying authentication module for .* from (?:::f{4,6}:)?(?P<host>[\\w\\-.^_]*\\w)\\s*$']
[...] SKIPPED SOME REGEX HERE
DEBUG OK : 'iptables'
DEBUG OK : 'iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype>'
DEBUG OK : 'iptables -D <chain> -p <protocol> --dport <port> -j fail2ban-<name>\niptables -F fail2ban-<name>\niptables -X fail2ban-<name>'
DEBUG OK : 'iptables -N fail2ban-<name>\niptables -A fail2ban-<name> -j RETURN\niptables -I <chain> -p <protocol> --dport <port> -j fail2ban-<name>'
DEBUG OK : 'iptables -D fail2ban-<name> -s <ip> -j <blocktype>'
DEBUG OK : "iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \\t]'"
DEBUG OK : 'REJECT --reject-with icmp-port-unreachable'
DEBUG OK : 'tcp'
DEBUG OK : 'SSH'
DEBUG OK : 'INPUT'
DEBUG OK : 'ssh'
DEBUG OK : None
My fail2ban.log and jail.local:
tail /var/log/fail2ban.log
2014-05-22 15:30:27,729 fail2ban.server : INFO Exiting Fail2ban
2014-05-22 15:30:32,668 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.11
2014-05-22 15:30:32,668 fail2ban.jail : INFO Creating new jail 'ssh'
2014-05-22 15:30:32,668 fail2ban.jail : INFO Jail 'ssh' uses poller
2014-05-22 15:30:32,679 fail2ban.jail : INFO Initiated 'polling' backend
2014-05-22 15:30:32,680 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2014-05-22 15:30:32,681 fail2ban.filter : INFO Set maxRetry = 1
2014-05-22 15:30:32,681 fail2ban.filter : INFO Set findtime = 600
2014-05-22 15:30:32,682 fail2ban.actions: INFO Set banTime = 600
2014-05-22 15:30:32,716 fail2ban.jail : INFO Jail 'ssh' started
tail /etc/fail2ban/jail.local
[ssh]
enabled = true
logpath = /var/log/auth.log
filter = sshd
maxretry = 1
action = iptables[name=SSH, port=ssh, protocol=tcp]
port = ssh
tail /var/log/auth.log is empty!
root@host:~# fail2ban-client -d
['set', 'loglevel', 3]
['set', 'logtarget', '/var/log/fail2ban.log']
['add', 'ssh', 'polling']
['set', 'ssh', 'usedns', 'warn']
['set', 'ssh', 'addlogpath', '/var/log/auth.log']
['set', 'ssh', 'maxretry', 1]
['set', 'ssh', 'addignoreip', '127.0.0.1/8']
['set', 'ssh', 'findtime', 600]
['set', 'ssh', 'bantime', 600]
['set', 'ssh', 'addfailregex', '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*(?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from <HOST>( via \\S+)?\\s*$']
['set', 'ssh', 'addfailregex', '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\\s*$']
['set', 'ssh', 'addfailregex', '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*Failed \\S+ for .*? from <HOST>(?: port \\d*)?(?: ssh\\d*)?(: (ruser .*|(\\S+ ID \\S+ \\(serial \\d+\\) CA )?\\S+ (?:[\\da-f]{2}:){15}[\\da-f]{2}(, client user ".*", client host ".*")?))?\\s*$']
['set', 'ssh', 'addfailregex', '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*ROOT LOGIN REFUSED.* FROM <HOST>\\s*$']
['set', 'ssh', 'addfailregex', '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*[iI](?:llegal|nvalid) user .* from <HOST>\\s*$']
['set', 'ssh', 'addfailregex', '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*User .+ from <HOST> not allowed because not listed in AllowUsers\\s*$']
['set', 'ssh', 'addfailregex', '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*User .+ from <HOST> not allowed because listed in DenyUsers\\s*$']
['set', 'ssh', 'addfailregex', '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*User .+ from <HOST> not allowed because not in any group\\s*$']
['set', 'ssh', 'addfailregex', '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*refused connect from \\S+ \\(<HOST>\\)\\s*$']
['set', 'ssh', 'addfailregex', '^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*User .+ from <HOST> not allowed because a group is listed in DenyGroups\\s*$']
['set', 'ssh', 'addfailregex', "^\\s*(<[^.]+\\.[^.]+>)?\\s*(?:\\S+ )?(?:kernel: \\[\\d+\\.\\d+\\] )?(?:@vserver_\\S+ )?(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)?\\s(?:\\[ID \\d+ \\S+\\])?\\s*User .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\\s*$"]
['set', 'ssh', 'addaction', 'iptables']
['set', 'ssh', 'actionban', 'iptables', 'iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype>']
['set', 'ssh', 'actionstop', 'iptables', 'iptables -D <chain> -p <protocol> --dport <port> -j fail2ban-<name>\niptables -F fail2ban-<name>\niptables -X fail2ban-<name>']
['set', 'ssh', 'actionstart', 'iptables', 'iptables -N fail2ban-<name>\niptables -A fail2ban-<name> -j RETURN\niptables -I <chain> -p <protocol> --dport <port> -j fail2ban-<name>']
['set', 'ssh', 'actionunban', 'iptables', 'iptables -D fail2ban-<name> -s <ip> -j <blocktype>']
['set', 'ssh', 'actioncheck', 'iptables', "iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \\t]'"]
['set', 'ssh', 'setcinfo', 'iptables', 'blocktype', 'REJECT --reject-with icmp-port-unreachable']
['set', 'ssh', 'setcinfo', 'iptables', 'protocol', 'tcp']
['set', 'ssh', 'setcinfo', 'iptables', 'name', 'SSH']
['set', 'ssh', 'setcinfo', 'iptables', 'chain', 'INPUT']
['set', 'ssh', 'setcinfo', 'iptables', 'port', 'ssh']
['start', 'ssh']
Other info:
dpkg -l |grep fail
ii  fail2ban  0.8.11-1  all  ban hosts that cause multiple authentication errors
/etc/init.d/fail2ban status
 * Status of authentication failure monitor
 * fail2ban is running
fail2ban-client status
Status
|- Number of jail: 1
`- Jail list: ssh
Any hints? Thanks for looking!
-
Ladadadada almost 10 years
Is there anything in the auth.log more recent than that? There are no failed login attempts in that log sample, so there's nothing fail2ban should trigger on, and what is there is from 10am but your other logs are from 3pm.
-
punkbit almost 10 years
Oh sorry, I was updating each log and forgot to remove that one. If you notice just after, there's a reference saying the auth.log is empty. I'll remove it. Actually I ran again and it's still empty.
-
Ladadadada almost 10 years
That's your problem then. fail2ban looks at that log and blocks IP addresses based on what it finds in there. If there's nothing in there, there's nothing for it to block.
-
punkbit almost 10 years
@Ladadadada thanks for looking btw! So, I need to understand why my ssh wrong login attempts are not being logged? Is this related to iptables?
-
punkbit almost 10 years
Not sure if related, but I deleted and recreated /var/log/auth.log, because I needed to empty it, to debug the situation :T
-
punkbit almost 10 years
OK, did service rsyslog restart and now I've got the log back. Going to update my post!
-
punkbit almost 10 years
Oh I think rsyslog restart did the job:
ssh: connect to host xxxxx port 22: Connection refused
-
D.Mill over 9 years
Glad it could help. I read every possible post available to mankind before figuring this out... Why this issue cropped up in the first place I'll never know. It was working fine before.
-
Jeroen over 9 years
I know!!! I had the same thing, first it worked. Then I changed some rules in iptables-multiport.conf and all of a sudden it didn't work anymore (even after putting the original file back). Anyway, it's all good now!
-
rdvdijk about 8 years
The common.local file needs a [DEFAULT] section header, correct?
-
D.Mill about 8 years
@rdvdijk I'm not sure, it's been a long time. I literally just did what was described in the answer.
-
Ergec over 7 years
In my case this was indeed the problem. I put polling and fail2ban started to ban as expected. No idea why this answer got downvoted; it solved my problem. Upvoted.
-
sdot257 almost 7 years
Hours of searching, this fixed it for me.
-
mjs over 3 years
Does not work. Hangs on stop.
-
mjs over 3 years
Did not solve mine.