Krzysztof Wołowski

Reputation: 455

fail2ban fails to ban on Ubuntu 14.04

I would like to secure my web server against brute-force attacks (first via SSH), so I installed fail2ban. I cannot get it to ban me, though.

Here is my /etc/fail2ban/jail.local:

[DEFAULT]
bantime  = 300
findtime = 600
maxretry = 4
backend = auto
usedns = warn
destemail = [email protected]
banaction = iptables-multiport
mta = sendmail
protocol = tcp
chain = INPUT

(...)
action = %(action_mw)s

(...)

[ssh]

enabled  = true
port     = anyport
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 4

Only ssh is enabled and I did not change anything that is omitted.

According to this configuration I should be banned for 300 seconds after 4 failed login attempts. I am allowed 6, though, and there is no ban. The /var/log/auth.log probably looks fine. Here is the fragment showing my 6 unsuccessful logins:

Jul  8 09:51:09 nazwaserwera sshd[1798]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=abod34.neoplus.adsl.tpnet.pl  user=my-admin
Jul  8 09:51:10 nazwaserwera sshd[1798]: Failed password for my-admin from 83.8.19.34 port 56451 ssh2
Jul  8 09:51:27 nazwaserwera sshd[1798]: message repeated 5 times: [ Failed password for my-admin from 83.8.19.34 port 56451 ssh2]
Jul  8 09:51:27 nazwaserwera sshd[1798]: Disconnecting: Too many authentication failures for my-admin [preauth]
Jul  8 09:51:27 nazwaserwera sshd[1798]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=abod34.neoplus.adsl.tpnet.pl  user=my-admin

Here is the output of sudo iptables -L:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-ssh (0 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

And here is what is written to /var/log/fail2ban.log after restarting fail2ban:

2014-07-08 11:26:12,538 fail2ban.server : INFO   Stopping all jails
2014-07-08 11:26:13,141 fail2ban.jail   : INFO   Jail 'ssh' stopped
2014-07-08 11:26:13,142 fail2ban.server : INFO   Exiting Fail2ban
2014-07-08 11:26:16,825 fail2ban.server : INFO   Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.11
2014-07-08 11:26:16,826 fail2ban.jail   : INFO   Creating new jail 'ssh'
2014-07-08 11:26:17,024 fail2ban.jail   : INFO   Jail 'ssh' uses pyinotify
2014-07-08 11:26:17,141 fail2ban.jail   : INFO   Initiated 'pyinotify' backend
2014-07-08 11:26:17,142 fail2ban.filter : INFO   Added logfile = /var/log/auth.log
2014-07-08 11:26:17,144 fail2ban.filter : INFO   Set maxRetry = 4
2014-07-08 11:26:17,145 fail2ban.filter : INFO   Set findtime = 600
2014-07-08 11:26:17,145 fail2ban.actions: INFO   Set banTime = 300
2014-07-08 11:26:17,438 fail2ban.jail   : INFO   Jail 'ssh' started
2014-07-08 11:26:17,619 fail2ban.actions.action: ERROR  iptables -N fail2ban-ssh
iptables -A fail2ban-ssh -j RETURN
iptables -I INPUT -p tcp -m multiport --dports anyport -j fail2ban-ssh returned 200

There are a couple of things that can be relevant here as well:

I have searched for a solution in Google but could not find a working one. Any help would be appreciated.

Upvotes: 5

Views: 4262

Answers (1)

Krzysztof Wołowski

Reputation: 455

Solved it!

According to my configuration in jail.local

maxretry = 4

fail2ban should search the auth.log file for 5 lines (1 + 4), each containing an alert about an unsuccessful login attempt. But looking at my auth.log more closely, I noticed that the maximum I ever get is 2. Here is how 6 failed login attempts are recorded:

Jul  8 09:51:10 nazwaserwera sshd[1798]: Failed password for my-admin from 83.8.19.34 port 56451 ssh2
Jul  8 09:51:27 nazwaserwera sshd[1798]: message repeated 5 times: [ Failed password for my-admin from 83.8.19.34 port 56451 ssh2]

As you can see, instead of 6 lines I only get two, with the second one saying "message repeated 5 times".

The solution is very simple: I just changed RepeatedMsgReduction from on to off in /etc/rsyslog.conf, and then restarted both rsyslog and fail2ban.

Upvotes: 11
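The counting effect the answer describes, reproduced as an added example (this is not code from the question, the answer, or fail2ban itself). The two regexes are simplified stand-ins for the "Failed password" pattern in fail2ban's sshd filter and for rsyslog's "message repeated N times: [ ... ]" marker; the first sample log is the two lines the answer quotes, the second is a constructed version of the same six failures as rsyslog writes them with RepeatedMsgReduction off (timestamps made up). All events are assumed to fall inside findtime, and the pam_unix lines are ignored.

```python
import re
from collections import defaultdict

# Constructed sample 1: the two lines quoted in the answer, i.e. what rsyslog
# writes for six failures when RepeatedMsgReduction is on.
REDUCED_LOG = (
    "Jul  8 09:51:10 nazwaserwera sshd[1798]: Failed password for my-admin "
    "from 83.8.19.34 port 56451 ssh2\n"
    "Jul  8 09:51:27 nazwaserwera sshd[1798]: message repeated 5 times: "
    "[ Failed password for my-admin from 83.8.19.34 port 56451 ssh2]\n"
)

# Constructed sample 2: the same six failures with RepeatedMsgReduction off,
# one 'Failed password' line per attempt (timestamps are made up).
FULL_LOG = "".join(
    "Jul  8 09:51:%02d nazwaserwera sshd[1798]: Failed password for my-admin "
    "from 83.8.19.34 port 56451 ssh2\n" % (10 + i)
    for i in range(6)
)

# Simplified stand-in for the 'Failed password' failregex of fail2ban's sshd
# filter (assumption: the real filter has more patterns; this one is enough
# to show the counting effect). It is anchored at end of line, so the
# "message repeated N times: [ ... ]" wrapper never matches it.
FAILED_RE = re.compile(r"Failed password for \S+ from (?P<host>\S+) port \d+ ssh2$")

# rsyslog's repeat marker, in the form shown in the page's log excerpt.
REPEATED_RE = re.compile(r"message repeated (?P<n>\d+) times: \[ (?P<msg>.*?)\]$")


def count_failures(log, expand_repeats=False):
    """Count 'Failed password' events per source host.

    expand_repeats=False mimics a line-oriented filter such as fail2ban's:
    the collapsed rsyslog line is simply not a match, so it counts nothing.
    expand_repeats=True unwraps the marker and credits N extra failures.
    """
    counts = defaultdict(int)
    for line in log.splitlines():
        rep = REPEATED_RE.search(line)
        if rep:
            if not expand_repeats:
                continue  # stock-style anchored regex cannot match this line
            weight, body = int(rep.group("n")), rep.group("msg")
        else:
            weight, body = 1, line
        hit = FAILED_RE.search(body)
        if hit:
            counts[hit.group("host")] += weight
    return dict(counts)


def would_ban(counts, host, maxretry=4):
    """fail2ban's FailManager bans once the retry count reaches maxretry (>=)."""
    return counts.get(host, 0) >= maxretry


if __name__ == "__main__":
    host = "83.8.19.34"
    for label, log, expand in (
        ("reduction on, stock counting", REDUCED_LOG, False),
        ("reduction on, repeats expanded", REDUCED_LOG, True),
        ("reduction off", FULL_LOG, False),
    ):
        c = count_failures(log, expand)
        print("%-32s failures=%d ban=%s" % (label, c.get(host, 0), would_ban(c, host)))
```

With the collapsed log the stock-style counter sees a single failure for 83.8.19.34 and never reaches maxretry; unwrapping the marker, or turning reduction off so that every attempt gets its own line, yields six and trips the ban. The rsyslog directive the answer changes is written `$RepeatedMsgReduction off` in the legacy configuration syntax; rsyslog and fail2ban both need a restart afterwards, as the answer says.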
