Reputation: 88
So I have a server online and I am using Fail2Ban to ban IPs that are bruteforcing my server. I did some testing today, and it seems that isn't the case.
Let's start from the beginning.
```
$ sudo fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:        /var/log/auth.log
`- Actions
   |- Currently banned: 1
   |- Total banned:     1
   `- Banned IP list:   x.x.254.115
```
So here we can see that there is one IP in my sshd jail (that's my IP).
Also, I can check iptables for the rule:

```
$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
f2b-sshd   tcp  --  anywhere             anywhere             multiport dports ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain f2b-sshd (1 references)
target     prot opt source               destination
DROP       all  --  pppgint-254-73-115.b-online.gr  anywhere
RETURN     all  --  anywhere             anywhere
```
So everything looks good (?).
```
banaction = iptables-multiport
banaction_allports = iptables-allports

# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]

# ban & send an e-mail with whois report to the destemail.
action_mw = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
            %(mta)s-whois[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]

# ban & send an e-mail with whois report and relevant log lines
# to the destemail.
action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
             %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
```

And the actions are configured as above.
My problem is that I can still try to SSH (and even log in if the credentials are correct) even after my IP is banned.

One problem that I can see in the above configuration is that in the source column of the iptables output there isn't an IP but that weird name pppgint-254-73-115.b-online.gr. Shouldn't my IP be there?
Can you help me? If you need anything else, tell me.
Kind Regards.
Upvotes: 1
Views: 913
Reputation: 820
> My problem is that I can still try to SSH (and even log in if the credentials are correct) even after my IP is banned.

Some of the netfilter rules may be wrong, or you probably have some whitelisting rules (see https://github.com/fail2ban/fail2ban/issues/2545#issuecomment-543087971 and below for an answer to a similar question).

Check fail2ban.log for errors after `[sshd] Ban x.x.254.115`. Do you see something?

Also check that the ssh port (the one rejected in iptables) is the only port your sshd is answering on (maybe you changed it in sshd_config).

> Shouldn't my IP be there?
From the iptables documentation:

```
-n, --numeric
    Numeric output. IP addresses and port numbers will be printed in numeric format.
    By default, the program will try to display them as host names, network names, or services (whenever applicable).
```

So use `iptables -nL`.
Upvotes: 1
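The three checks the answer suggests (errors in fail2ban.log after the Ban line, a DROP rule for the exact IP in the f2b-sshd chain, and the jail's port list covering every port sshd listens on) can be scripted so they can be repeated after each config change. The script below is an added example, not code from the question, the answer or the Fail2Ban project; the `iptables -nL` output, the fail2ban.log lines and the sshd_config files it runs against are constructed samples (IPs 203.0.113.5 and 198.51.100.7), and the function names are my own. Each function reads the command or log output on stdin, so the same functions can be fed live output (`sudo iptables -nL | ban_rule_present 203.0.113.5`).

```shell
#!/bin/sh
# Added example: offline checks for the points raised in the answer.
# Live use:  sudo iptables -nL | ban_rule_present <ip>
#            sudo iptables -nL | jail_covers_sshd_ports /etc/ssh/sshd_config
#            sudo cat /var/log/fail2ban.log | ban_errors <ip>

# ban_rule_present IP: succeeds when `iptables -nL` output on stdin contains a
# DROP rule in chain f2b-sshd whose source column ($4) is exactly IP.
# -nL column layout: target prot opt source destination [extras]
ban_rule_present() {
    awk -v ip="$1" '
        /^Chain / { inchain = ($2 == "f2b-sshd") }
        inchain && $1 == "DROP" && $4 == ip { found = 1 }
        END { exit found ? 0 : 1 }'
}

# jail_covers_sshd_ports SSHD_CONFIG: reads `iptables -nL` output on stdin,
# collects the destination ports of the rule that jumps to f2b-sshd (either
# "multiport dports 22,2222" or "tcp dpt:22"), and succeeds only when every
# Port directive in SSHD_CONFIG (22 if none is set) is in that list.
jail_covers_sshd_ports() {
    banned=$(awk '$1 == "f2b-sshd" {
        for (i = 1; i <= NF; i++) {
            if ($i == "dports") print $(i + 1)
            else if ($i ~ /^dpt:/) print substr($i, 5)
        }
    }' | tr ',' '\n')
    sshd_ports=$(awk 'tolower($1) == "port" { print $2 }' "$1")
    [ -n "$sshd_ports" ] || sshd_ports=22
    for p in $sshd_ports; do
        printf '%s\n' "$banned" | grep -qx "$p" || return 1
    done
    return 0
}

# ban_errors IP: reads fail2ban.log on stdin and prints the ERROR lines that
# follow the "[sshd] Ban IP" entry, which is where the answer says to look.
ban_errors() {
    awk -v ip="$1" '
        $0 ~ ("\\[sshd\\] Ban " ip "$") { after = 1; next }
        after && / ERROR / { print }'
}

# Constructed sample: 203.0.113.5 is banned, the jail hooks only port 22.
SAMPLE_IPTABLES='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
f2b-sshd   tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 22

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain f2b-sshd (1 references)
target     prot opt source               destination
DROP       all  --  203.0.113.5          0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0'

# Constructed sample log: the ban action failed because the chain is missing.
SAMPLE_F2B_LOG='2019-10-30 10:00:00,000 fail2ban.filter  [1000]: INFO    [sshd] Found 203.0.113.5
2019-10-30 10:00:01,000 fail2ban.actions [1000]: NOTICE  [sshd] Ban 203.0.113.5
2019-10-30 10:00:01,100 fail2ban.utils   [1000]: ERROR   7f3a -- exec: iptables -w -I f2b-sshd 1 -s 203.0.113.5 -j DROP
2019-10-30 10:00:01,100 fail2ban.utils   [1000]: ERROR   7f3a -- stderr: iptables: No chain/target/match by that name.'

# Two constructed sshd_config files: one listening on 22 only, one also on 2222.
SAMPLE_DIR=$(mktemp -d)
printf 'Port 22\n' > "$SAMPLE_DIR/sshd_config.ok"
printf 'Port 22\nPort 2222\n' > "$SAMPLE_DIR/sshd_config.extra"

printf '%s\n' "$SAMPLE_IPTABLES" | ban_rule_present 203.0.113.5 \
    && echo "DROP rule for 203.0.113.5 present in f2b-sshd"
printf '%s\n' "$SAMPLE_IPTABLES" | ban_rule_present 198.51.100.7 \
    || echo "no DROP rule for 198.51.100.7"
printf '%s\n' "$SAMPLE_IPTABLES" | jail_covers_sshd_ports "$SAMPLE_DIR/sshd_config.ok" \
    && echo "jail covers every sshd port in sshd_config.ok"
printf '%s\n' "$SAMPLE_IPTABLES" | jail_covers_sshd_ports "$SAMPLE_DIR/sshd_config.extra" \
    || echo "sshd_config.extra listens on a port the jail does not block"
printf '%s\n' "$SAMPLE_F2B_LOG" | ban_errors 203.0.113.5
```

Run it as-is to see the four verdicts on the sample data; against a live host, the interesting outcome is a ban that shows in `fail2ban-client status sshd` while `ban_rule_present` fails or `ban_errors` prints something, because that is exactly the "banned but still able to connect" symptom from the question.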