Why isn't fail2ban blocking failures?
I had exactly the same problem. Actually, the time was not synced.

```
dpkg-reconfigure tzdata
cp /usr/share/zoneinfo/Europe/Paris /etc/localtime
vim /etc/rsyslog.conf
    #see all messages
    $RepeatedMsgReduction off
service rsyslog restart
```
Rihards
Updated on September 18, 2022

Comments
- Rihards almost 2 years

  This below is the output of the fail2ban log. Nothing more shows up, but in auth.log I see like hundreds of failures for root user login (someone is bad ass brute forcing).

  ```
  2011-07-06 01:48:16,249 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.3
  2011-07-06 01:48:16,250 fail2ban.jail : INFO Creating new jail 'ssh'
  2011-07-06 01:48:16,250 fail2ban.jail : INFO Jail 'ssh' uses poller
  2011-07-06 01:48:16,251 fail2ban.filter : INFO Added logfile = /var/log/auth.log
  2011-07-06 01:48:16,252 fail2ban.filter : INFO Set maxRetry = 3
  2011-07-06 01:48:16,253 fail2ban.filter : INFO Set findtime = 600
  2011-07-06 01:48:16,253 fail2ban.actions: INFO Set banTime = 600
  2011-07-06 01:48:16,329 fail2ban.jail : INFO Jail 'ssh' started
  ```

  Why isn't it blocking them? I haven't changed anything in the configuration (except the maxRetry) - I just installed it on my Linux Debian Lenny and it started, but it isn't blocking anyone. :/

  What could I do to fix this? I can share some of the attacks:

  ```
  Jul 6 01:02:24 tornado sshd[19768]: Failed password for root from 200.63.212.41 port 43457 ssh2
  Jul 6 01:02:26 tornado sshd[19771]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=www.gamavision.com user=root
  Jul 6 01:02:27 tornado sshd[19771]: Failed password for root from 200.63.212.41 port 43565 ssh2
  Jul 6 01:02:29 tornado sshd[19773]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=www.gamavision.com user=root
  Jul 6 01:02:31 tornado sshd[19773]: Failed password for root from 200.63.212.41 port 43662 ssh2
  Jul 6 01:02:32 tornado sshd[19775]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=www.gamavision.com user=root
  ```

  By the way, does it change something that the server time is 1 hour off, as I see? ;D

  Edit:

  ```
  Status for the jail: ssh
  |- filter
  |  |- File list:        /var/log/auth.log
  |  |- Currently failed: 0
  |  `- Total failed:     0
  `- action
     |- Currently banned: 0
     |  `- IP list:
     `- Total banned:     0
  ```

  Before I had installed fail2ban, in auth.log I noticed such lines:

  ```
  reverse mapping checking getaddrinfo for server1.intensevps.com [94.75.242.39] failed - POSSIBLE BREAK-IN ATTEMPT!
  ```

  Could it be that fail2ban is conflicting with something else? I just don't know what that thing is which detected the possible break-in. Now it doesn't detect anything once fail2ban is installed.
- MastaJeet almost 13 years: What is the output of `fail2ban-client status ssh`?
- Rihards almost 13 years: @embobo, added it to post.
- Philip almost 13 years: Maybe I've got an older version of fail2ban, shouldn't it be the 'sshd' jail, not 'ssh'? What does your jail.local file have configured for the ssh section?
- Rihards almost 13 years:

  ```
  enabled = true
  port = ssh,sftp
  filter = sshd
  logpath = /var/log/auth.log
  maxretry = 3
  ```

  That is the default setting, I just added sftp as I saw that somewhere.
- Rihards almost 13 years: And there is no ssh filter. ;P
- Rihards almost 13 years: `-bash: service: command not found`
- fxmtor over 12 years: `/sbin/service` is a RH-specific item. Debian might have another similar command, but the fallback that I know is on there is to run `/etc/init.d/fail2ban start`.
- meawoppl almost 11 years: Can you clarify what is happening here? It is unclear to me how this is related...
- Alexander Garden about 10 years: Setting `$RepeatedMsgReduction off` is what does the magic. If it was on, that changes the format of /var/log/auth.log (or wherever login failures are logged on your system), which messes up fail2ban. See this for how to turn off RepeatedMsgReduction only for auth logging.
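To see why both parts of the answer (clock sync and `$RepeatedMsgReduction off`) matter, here is an added example, not code from the question, the answer or fail2ban itself, that mimics fail2ban's per-IP counting on constructed auth.log lines modelled on the excerpt above. The names `FAILED_RE`, `parse_syslog_ts` and `offenders` are this example's own, and its regex is a simplified stand-in for fail2ban's sshd failregex: a line only counts if it matches and its timestamp lies within `findtime` of fail2ban's clock, so a server clock an hour ahead, or rsyslog collapsing repeats into "last message repeated N times", keeps the count under `maxretry` and nothing is ever banned.

```python
import re
from datetime import datetime

# Simplified stand-in for fail2ban's sshd failregex (hypothetical, not fail2ban's own).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for .+? from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

def parse_syslog_ts(ts, year=2011):
    """Syslog timestamps carry no year; assume one so lines can be compared with the clock."""
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")

def offenders(lines, now, findtime=600, maxretry=3):
    """Count failures per IP the way fail2ban does: a line counts only if it matches the
    failregex and its timestamp lies within findtime seconds of fail2ban's own clock ('now')."""
    counts = {}
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue  # e.g. rsyslog's 'last message repeated N times': no IP to count
        if (now - parse_syslog_ts(m["ts"])).total_seconds() > findtime:
            continue  # looks stale because the system clock runs ahead of the log
        counts[m["ip"]] = counts.get(m["ip"], 0) + 1
    return {ip: n for ip, n in counts.items() if n >= maxretry}

# Constructed auth.log excerpt modelled on the question (three failures from one host).
FULL_LOG = [
    "Jul  6 01:02:24 tornado sshd[19768]: Failed password for root from 200.63.212.41 port 43457 ssh2",
    "Jul  6 01:02:27 tornado sshd[19771]: Failed password for root from 200.63.212.41 port 43565 ssh2",
    "Jul  6 01:02:31 tornado sshd[19773]: Failed password for root from 200.63.212.41 port 43662 ssh2",
]
# Constructed: the same burst after RepeatedMsgReduction collapses repeats (only one matchable line).
REDUCED_LOG = [
    "Jul  6 01:02:24 tornado sshd[19768]: Failed password for root from 200.63.212.41 port 43457 ssh2",
    "Jul  6 01:02:31 tornado rsyslogd: last message repeated 2 times",
]

if __name__ == "__main__":
    print(offenders(FULL_LOG, now=parse_syslog_ts("Jul 6 01:05:00")))     # {'200.63.212.41': 3}
    print(offenders(FULL_LOG, now=parse_syslog_ts("Jul 6 02:05:00")))     # {}  clock one hour ahead
    print(offenders(REDUCED_LOG, now=parse_syslog_ts("Jul 6 01:05:00")))  # {}  repeats not counted
```

In the first call the clock agrees with the log and the third failure trips `maxretry`; in the second the clock is an hour ahead, so every failure is older than `findtime` and is discarded, which is exactly what a `Total failed: 0` status looks like.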