Why isn't fail2ban blocking failures?


I had exactly the same problem. Actually, the time was not in sync.

# Set the system time zone (Europe/Paris is the answerer's zone; use your own)
dpkg-reconfigure tzdata
cp /usr/share/zoneinfo/Europe/Paris /etc/localtime
# In /etc/rsyslog.conf, add or change the directive below so that every
# repeated line is written out in full instead of being collapsed into
# "last message repeated N times" (that is what the comment "see all messages" means)
vim /etc/rsyslog.conf
#see all messages
$RepeatedMsgReduction off
# Restart rsyslog so the change takes effect (on Debian without the
# "service" wrapper: /etc/init.d/rsyslog restart)
service rsyslog restart


Author: Rihards

Updated on September 18, 2022

Comments

  • Rihards almost 2 years ago

    Below is the output of the fail2ban log. Nothing more shows up, but in auth.log I see hundreds of failures for root user login (someone is bad-ass brute forcing).

    2011-07-06 01:48:16,249 fail2ban.server : INFO   Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.3
    2011-07-06 01:48:16,250 fail2ban.jail   : INFO   Creating new jail 'ssh'
    2011-07-06 01:48:16,250 fail2ban.jail   : INFO   Jail 'ssh' uses poller
    2011-07-06 01:48:16,251 fail2ban.filter : INFO   Added logfile = /var/log/auth.log
    2011-07-06 01:48:16,252 fail2ban.filter : INFO   Set maxRetry = 3
    2011-07-06 01:48:16,253 fail2ban.filter : INFO   Set findtime = 600
    2011-07-06 01:48:16,253 fail2ban.actions: INFO   Set banTime = 600
    2011-07-06 01:48:16,329 fail2ban.jail   : INFO   Jail 'ssh' started
    

    Why isn't it blocking them? I haven't changed anything in the configuration (except maxRetry) - I just installed it on my Debian Lenny Linux box and it started, but it isn't blocking anyone. :/
    What could I do to fix this?

    I can share some of the attacks:

    Jul  6 01:02:24 tornado sshd[19768]: Failed password for root from 200.63.212.41 port 43457 ssh2
    Jul  6 01:02:26 tornado sshd[19771]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=www.gamavision.com  user=root
    Jul  6 01:02:27 tornado sshd[19771]: Failed password for root from 200.63.212.41 port 43565 ssh2
    Jul  6 01:02:29 tornado sshd[19773]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=www.gamavision.com  user=root
    Jul  6 01:02:31 tornado sshd[19773]: Failed password for root from 200.63.212.41 port 43662 ssh2
    Jul  6 01:02:32 tornado sshd[19775]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=www.gamavision.com  user=root
    

    By the way, does it change anything that the server time is 1 hour off, as I see? ;D

    Edit:

    Status for the jail: ssh
    |- filter
    |  |- File list:        /var/log/auth.log
    |  |- Currently failed: 0
    |  `- Total failed:     0
    `- action
       |- Currently banned: 0
       |  `- IP list:
       `- Total banned:     0
    

    Before I installed fail2ban, I noticed lines like this in auth.log:

    reverse mapping checking getaddrinfo for server1.intensevps.com [94.75.242.39] failed - POSSIBLE BREAK-IN ATTEMPT!
    

    Could it be that fail2ban is conflicting with something else? I just don't know what it was that detected the possible break-in. Now that fail2ban is installed, it doesn't detect anything.

    • MastaJeet almost 13 years ago
      What is the output of fail2ban-client status ssh?
    • Rihards almost 13 years ago
      @embobo, added it to the post.
    • Philip almost 13 years ago
      Maybe I've got an older version of fail2ban, but shouldn't it be the 'sshd' jail, not 'ssh'? What does your jail.local file have configured for the ssh section?
    • Rihards almost 13 years ago
      enabled = true
      port = ssh,sftp
      filter = sshd
      logpath = /var/log/auth.log
      maxretry = 3
      That is the default setting; I just added sftp as I saw that somewhere.
    • Rihards almost 13 years ago
      And there is no ssh filter. ;P
  • Rihards almost 13 years ago
    -bash: service: command not found
  • fxmtor over 12 years ago
    /sbin/service is a RH-specific item. Debian might have another similar command, but the fallback that I know is on there is to run /etc/init.d/fail2ban start
  • meawoppl almost 11 years ago
    Can you clarify what is happening here? It is unclear to me how this is related. . .
  • Alexander Garden about 10 years ago
    Setting '$RepeatedMsgReduction off' is what does the magic. If it is on, it changes the format of /var/log/auth.log (or wherever login failures are logged on your system), which messes up fail2ban. See this for how to turn off RepeatedMsgReduction only for auth logging.