alebal

Reputation: 5904

How to understand if the fail2ban ssh filter is working with a new port?

I changed my ssh port (for security reason), and I added these lines to my file: /etc/fail2ban/jail.local

[sshd]
enabled = true
port    = 18249
#port    = ssh,sftp,18249

Now when I run this command:

sudo fail2ban-client status sshd

I get this result:

Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed: 0
|  `- File list:    /var/log/auth.log
`- Actions
   |- Currently banned: 0
   |- Total banned: 0
   `- Banned IP list:   

Beautiful and fantastic, but it also seems too good to be true (I have had periods when there were thousands of attempts to access ssh), so doubt comes.

Is there any other way to understand/confirm if the filter is working?

Or does it work, it's all right, it's all configured correctly, and I'm worrying about nothing?

(P.S. that's not my port)

Upvotes: 3

Views: 1716

Answers (4)

Andrew Watters

Reputation: 1

On RHEL 9, fail2ban apparently uses firewalld instead of iptables, even though iptables is configured in the fail2ban configuration file. So, confirm the banned IPs are in this list:

firewall-cmd --list-all

You should get a big list of banned IPs with an indication that they will be rejected. If you get the list, it's working.

Upvotes: 0

michabbb

Reputation: 931

Let's say our ssh port is 2222.
Just manually ban any IP:

fail2ban-client set sshd banip 111.111.111.111

and verify that a new iptables rule became active:

iptables -n -L --line-numbers

there you should see something like this:

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    f2b-sshd   tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 2222
.
.
.
.
Chain f2b-sshd (1 references)
num  target     prot opt source               destination         
1    REJECT     all  --  111.111.111.111      0.0.0.0/0            reject-with icmp-port-unreachable

Okay, this doesn't give you the confirmation that the service itself is working correctly, but at least it proves that fail2ban is using the correct port and the process of "banip" is working as it should.

After checking the iptables rules, you can call the same fail2ban command with unbanip to remove the test ban. After that, you shouldn't see 111.111.111.111 anywhere inside the iptables rules.

Upvotes: 0
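A small checker, added here as an example and not part of the answer above, that parses the `iptables -n -L --line-numbers` output shown in this answer and confirms two things: the INPUT jump to the f2b-sshd chain covers the configured port, and the test IP has a REJECT rule in that chain. The sample output embedded below is constructed to match the shape shown above.

```python
import re

# Constructed sample, shaped like the `iptables -n -L --line-numbers` output above.
SAMPLE_IPTABLES = """\
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    f2b-sshd   tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 2222

Chain f2b-sshd (1 references)
num  target     prot opt source               destination
1    REJECT     all  --  111.111.111.111      0.0.0.0/0            reject-with icmp-port-unreachable
2    RETURN     all  --  0.0.0.0/0            0.0.0.0/0
"""

def parse_chains(text):
    """Return {chain_name: [rule line, ...]} from `iptables -L` style output."""
    chains, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+) ", line)
        if m:
            current = m.group(1)
            chains[current] = []
        elif current and line.strip() and not line.startswith("num "):
            chains[current].append(line)
    return chains

def jail_ports(chains, jail="sshd"):
    """Ports the f2b-<jail> jump in INPUT applies to (from 'multiport dports')."""
    ports = set()
    for rule in chains.get("INPUT", []):
        if f"f2b-{jail}" in rule.split():
            m = re.search(r"dports? (\S+)", rule)
            if m:
                ports.update(int(p) for p in m.group(1).split(","))
    return ports

def ip_is_rejected(chains, ip, jail="sshd"):
    """True if the f2b-<jail> chain carries a REJECT/DROP rule whose source is ip."""
    for rule in chains.get(f"f2b-{jail}", []):
        fields = rule.split()  # num, target, prot, opt, source, destination, ...
        if len(fields) > 4 and fields[1] in ("REJECT", "DROP") and fields[4] == ip:
            return True
    return False

def check_jail(text, expected_port, test_ip, jail="sshd"):
    """Both flags True means the jail bans on the right port and the test ban took."""
    chains = parse_chains(text)
    return {"port_ok": expected_port in jail_ports(chains, jail),
            "ban_ok": ip_is_rejected(chains, test_ip, jail)}
```

Feed `check_jail` the real output of `iptables -n -L --line-numbers` (captured after the manual `banip`) together with the port from your jail.local and the IP you banned; a `port_ok` of False means the jail is still bound to the old port.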

tharok

Reputation: 37

I had the same concerns when configuring it for my server. What I did back then is reduce the ban time to 30s, make some wrong logins from another machine (you can even use an android phone with JuiceSSH) and check the logs. Remember to increase the ban time once it works as expected!

Upvotes: 0

Rapsssito

Reputation: 150

You could connect to your server from another computer and intentionally fail the ssh login. Then, check your fail2ban logs in /var/log/fail2ban.log and expect something like this:

...
2006-02-13 15:52:30,388 fail2ban.actions: WARNING [sendmail] Ban XXX.66.82.116
2006-02-13 15:59:29,295 fail2ban.actions: WARNING [sendmail] Ban XXX.27.118.100
2006-02-13 16:07:31,183 fail2ban.actions: WARNING [sendmail] Unban XXX.66.82.116
2006-02-13 16:14:29,530 fail2ban.actions: WARNING [sendmail] Unban XXX.27.118.100
2006-02-13 16:56:27,086 fail2ban.actions: WARNING [ssh] Ban XXX.136.60.164
2006-02-13 17:11:27,833 fail2ban.actions: WARNING [ssh] Unban XXX.136.60.164

Taken from here.

Upvotes: 4
