Greg

Reputation: 1803

Fail2ban not blocking IP

I've installed Fail2ban and am trying to get it to block IPs. According to the logs it's detecting SSH scans and adding the IP addresses to the ban list, but I can still SSH in from a test IP on the internet that is on the banned list.

OS = openSUSE Leap 42.2

Fail2ban v0.10.3

jail.local:

[DEFAULT]
ignoreip = 127.0.0.1/8 192.168.1.0/24

ignorecommand =
bantime  = 1d
findtime  = 600
maxretry = 3

[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           abuseipdb[abuseipdb_apikey="my_key", abuseipdb_category="18,22"]
logpath  = /var/log/messages
maxretry = 3

The IP address is being picked up and it says it's already banned? fail2ban.log file:

2018-05-01 15:21:59,207 fail2ban.filter         [20450]: INFO    [ssh-iptables] Found x.x.x.x - 2018-05-01 15:21:59
2018-05-01 15:22:02,315 fail2ban.filter         [20450]: INFO    [ssh-iptables] Found x.x.x.x - 2018-05-01 15:22:02
2018-05-01 15:22:02,324 fail2ban.filter         [20450]: INFO    [ssh-iptables] Found x.x.x.x - 2018-05-01 15:22:02
2018-05-01 15:22:02,364 fail2ban.actions        [20450]: NOTICE  [ssh-iptables] x.x.x.x already banned

Status of fail2ban-client status ssh-iptables

Status for the jail: ssh-iptables
|- Filter
|  |- Currently failed: 1
|  |- Total failed:     51
|  `- File list:        /var/log/messages
`- Actions
   |- Currently banned: 47
   |- Total banned:     437

Output of IP Tables:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
f2b-SSH    tcp  --  anywhere             anywhere             tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain f2b-SSH (1 references)
target     prot opt source               destination         

Apart from that, nothing is being sent to AbuseIPDB. Any ideas what I'm missing?

I've read through a few forums but don't seem to be able to get it to work.

Upvotes: 4

Views: 11939
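An added check, not part of the original question or of fail2ban itself: a POSIX shell script that compares the `Banned IP list` from `fail2ban-client status <jail>` with the REJECT/DROP rules actually present in the jail's iptables chain, which is exactly the mismatch above (47 "currently banned", empty f2b-SSH chain). The sample outputs are constructed to mimic those two commands, and the live invocations in the comment are assumed.

```shell
#!/bin/sh
# Cross-check: which IPs does fail2ban believe are banned in a jail, yet have
# no REJECT/DROP rule in the jail's iptables chain? (Added example.)
# Live usage (assumed commands, run as root):
#   missing_bans "$(fail2ban-client status ssh-iptables)" "$(iptables -L f2b-SSH -n)"

# IPs on the "Banned IP list:" line of `fail2ban-client status <jail>` output.
banned_from_status() {
    printf '%s\n' "$1" | sed -n 's/.*Banned IP list:[[:space:]]*//p' \
        | tr ' ' '\n' | grep -E '^[0-9.]+$' | sort -u
}

# Source addresses of REJECT/DROP rules in `iptables -L <chain> -n` output.
blocked_from_chain() {
    printf '%s\n' "$1" | awk '$1 == "REJECT" || $1 == "DROP" { print $4 }' \
        | sed 's#/32$##' | sort -u
}

# Print each banned IP that has no rule in the chain, one per line.
missing_bans() {
    blocked=" $(blocked_from_chain "$2" | tr '\n' ' ') "
    for ip in $(banned_from_status "$1"); do
        case "$blocked" in
            *" $ip "*) ;;                 # rule present: nothing to report
            *) printf '%s\n' "$ip" ;;     # ban never reached the kernel
        esac
    done
}

# Constructed sample outputs (TEST-NET addresses), shaped like the real commands.
STATUS_SAMPLE='Status for the jail: ssh-iptables
|- Filter
|  `- File list:        /var/log/messages
`- Actions
   |- Currently banned: 3
   `- Banned IP list:   203.0.113.10 203.0.113.11 198.51.100.7'

CHAIN_SAMPLE='Chain f2b-SSH (1 references)
target     prot opt source               destination
REJECT     all  --  203.0.113.11         0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0'

CHAIN_EMPTY='Chain f2b-SSH (1 references)
target     prot opt source               destination'

echo "Missing from populated chain:"; missing_bans "$STATUS_SAMPLE" "$CHAIN_SAMPLE"
echo "Missing from empty chain (the situation in the question):"; missing_bans "$STATUS_SAMPLE" "$CHAIN_EMPTY"
```

Any IP printed means fail2ban's database and the firewall disagree, which is the case to look at before touching the jail configuration.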

Answers (2)

chmod777

Reputation: 31

First make sure that fail2ban is at version v0.10.0; to check, enter:

fail2ban-client -V

The reporting feature for https://www.abuseipdb.com is only native from this release onward.

If you have a previous version, you should do the following:

sudo nano /etc/fail2ban/action.d/abuseipdb.conf

Paste the content of the link https://github.com/fail2ban/fail2ban/blob/0.11/config/action.d/abuseipdb.conf into the file and save it.

Then open /etc/fail2ban/jail.local and paste the following content before the line containing action = %(action_)s:

# Report ban via abuseipdb.com.
#
# See action.d / abuseipdb.conf for usage example and details.
#
action_abuseipdb = abuseipdb

Then add the following content to the jail corresponding to the service you want to report (here I used SSH brute force as an example):

# Ban IP and report to AbuseIPDB for SSH Brute-Forcing
action = %(action_)s
         %(action_abuseipdb)s[abuseipdb_apikey="my-api-key", abuseipdb_category="18,22"]

Replace "my-api-key" with the key you created on the AbuseIPDB site, and then run:

fail2ban-client reload

If you have any doubt the reference is here:

https://www.abuseipdb.com/fail2ban.html

Upvotes: 2

Greg

Reputation: 1803

Managed to get it working. Restarting fail2ban fixed the blocking issue. Odd as I did a fail2ban-client reload, which didn't help. Had to kill and restart the service.

AbuseIPDB was fixed by changing the jail.local file to:

action   = iptables[name=SSH, port=ssh, protocol=tcp]
           abuseipdb[abuseipdb_category="18,22"]

Upvotes: 2
