fail2ban doesn't block (ssh)

To: debian-user@lists.debian.org
Subject: fail2ban doesn't block (ssh)
From: Denis Witt <denis.witt@concepts-and-training.de>
Date: Tue, 08 May 2012 10:34:39 +0200
Message-id: <[🔎] 4FA8DA9F.9090308@concepts-and-training.de>

Hi,

I have a strange problem with fail2ban. There are three Squeeze-Serverwith identical configuration. One server works fine, if a user try tologin over SSH he will get blocked if he uses a wrong password to often.On the two other server nothing happens (= no ban).


The config:

#####################################################################

/etc/fail2ban/jail.local:

#####################################################################

[DEFAULT]
ignoreip = 127.0.0.1
bantime = 604800
destemail = root@concepts-and-training.de
banaction = iptables-multiport
action = %(action_mwl)s

[ssh]
enabled = true
port = 22
filter    = sshd
logpath  = /var/log/auth.log
maxretry = 2

#####################################################################

/etc/fail2ban/filter.d/sshd.conf

#####################################################################

[INCLUDES]
before = common.conf

[Definition]

_daemon = sshd

failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failurefor .* from <HOST>\s*$^%(__prefix_line)s(?:error: PAM: )?User not known to theunderlying authentication module for .* from <HOST>\s*$^%(__prefix_line)sFailed (?:password|publickey) for .* from<HOST>(?: port \d*)?(?: ssh\d*)?$

            ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
            ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$

^%(__prefix_line)sUser .+ from <HOST> not allowed becausenot listed in AllowUsers$^%(__prefix_line)sauthentication failure; logname=\S*uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$

            ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$

^%(__prefix_line)sAddress <HOST> .* POSSIBLE BREAK-INATTEMPT!*\s*$^%(__prefix_line)sUser .+ from <HOST> not allowed becausenone of user's groups are listed in AllowGroups\s*$


ignoreregex =

#####################################################################

Running fail2ban-regex /var/log/auth.log/etc/fail2ban/filter.d/sshd.conf gives the following output on all machines:


#####################################################################

/usr/share/fail2ban/server/filter.py:442: DeprecationWarning: the md5module is deprecated; use hashlib instead

  import md5

Running tests
=============

Use regex file : /etc/fail2ban/filter.d/sshd.conf
Use log file   : /var/log/auth.log


Results
=======

Failregex
|- Regular expressions:

| [1] ^\s*(?:\S+ )?(?:@vserver_\S+)?(?:(?:\[\d+\])?:\s+[\[$]?sshd(?:\(\S+$)?[\]\)]?:?|[\[$]?sshd(?:\(\S+$)?[\]\)]?:?(?:\[\d+\])?:)?\s*(?:error:PAM: )?Authentication failure for .* from <HOST>\s*$| [2] ^\s*(?:\S+ )?(?:@vserver_\S+)?(?:(?:\[\d+\])?:\s+[\[$]?sshd(?:\(\S+$)?[\]\)]?:?|[\[$]?sshd(?:\(\S+$)?[\]\)]?:?(?:\[\d+\])?:)?\s*(?:error:PAM: )?User not known to the underlying authentication module for .*from <HOST>\s*$| [3] ^\s*(?:\S+ )?(?:@vserver_\S+)?(?:(?:\[\d+\])?:\s+[\[$]?sshd(?:\(\S+$)?[\]\)]?:?|[\[$]?sshd(?:\(\S+$)?[\]\)]?:?(?:\[\d+\])?:)?\s*Failed(?:password|publickey) for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$| [4] ^\s*(?:\S+ )?(?:@vserver_\S+)?(?:(?:\[\d+\])?:\s+[\[$]?sshd(?:\(\S+$)?[\]\)]?:?|[\[$]?sshd(?:\(\S+$)?[\]\)]?:?(?:\[\d+\])?:)?\s*ROOTLOGIN REFUSED.* FROM <HOST>\s*$| [5] ^\s*(?:\S+ )?(?:@vserver_\S+)?(?:(?:\[\d+\])?:\s+[\[$]?sshd(?:\(\S+$)?[\]\)]?:?|[\[$]?sshd(?:\(\S+$)?[\]\)]?:?(?:\[\d+\])?:)?\s*[iI](?:llegal|nvalid)user .* from <HOST>\s*$| [6] ^\s*(?:\S+ )?(?:@vserver_\S+)?(?:(?:\[\d+\])?:\s+[\[$]?sshd(?:\(\S+$)?[\]\)]?:?|[\[$]?sshd(?:\(\S+$)?[\]\)]?:?(?:\[\d+\])?:)?\s*User.+ from <HOST> not allowed because not listed in AllowUsers$| [7] ^\s*(?:\S+ )?(?:@vserver_\S+)?(?:(?:\[\d+\])?:\s+[\[$]?sshd(?:\(\S+$)?[\]\)]?:?|[\[$]?sshd(?:\(\S+$)?[\]\)]?:?(?:\[\d+\])?:)?\s*authenticationfailure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S*rhost=<HOST>(?:\s+user=.*)?\s*$| [8] ^\s*(?:\S+ )?(?:@vserver_\S+)?(?:(?:\[\d+\])?:\s+[\[$]?sshd(?:\(\S+$)?[\]\)]?:?|[\[$]?sshd(?:\(\S+$)?[\]\)]?:?(?:\[\d+\])?:)?\s*refusedconnect from \S+ $<HOST>$\s*$| [9] ^\s*(?:\S+ )?(?:@vserver_\S+)?(?:(?:\[\d+\])?:\s+[\[$]?sshd(?:\(\S+$)?[\]\)]?:?|[\[$]?sshd(?:\(\S+$)?[\]\)]?:?(?:\[\d+\])?:)?\s*Address<HOST> .* POSSIBLE BREAK-IN ATTEMPT!*\s*$| [10] ^\s*(?:\S+ )?(?:@vserver_\S+)?(?:(?:\[\d+\])?:\s+[\[$]?sshd(?:\(\S+$)?[\]\)]?:?|[\[$]?sshd(?:\(\S+$)?[\]\)]?:?(?:\[\d+\])?:)?\s*User.+ from <HOST> not allowed because none of user's groups are listed inAllowGroups\s*$

|
`- Number of matches:
   [1] 0 match(es)
   [2] 0 match(es)
   [3] 13 match(es)
   [4] 0 match(es)
   [5] 4 match(es)
   [6] 0 match(es)
   [7] 0 match(es)
   [8] 0 match(es)
   [9] 0 match(es)
   [10] 0 match(es)

Ignoreregex
|- Regular expressions:
|
`- Number of matches:

Summary
=======

Addresses found:
[1]
[2]
[3]
    166.111.5.xxx (Sun May 06 15:50:13 2012)
    218.108.224.xxx (Sun May 06 17:47:44 2012)
    117.135.160.xxx (Sun May 06 19:00:14 2012)
    83.170.66.xxx (Sun May 06 21:33:40 2012)
    83.170.66.xxx (Sun May 06 21:33:44 2012)
    83.170.66.xxx (Sun May 06 21:33:46 2012)
    219.235.2.xxx (Sun May 06 21:45:52 2012)
    58.51.95.xxx (Sun May 06 23:47:42 2012)
    58.51.95.xxx (Sun May 06 23:47:46 2012)
    121.10.140.xxx (Mon May 07 02:45:17 2012)
    202.46.14.xxx (Mon May 07 05:42:39 2012)
    202.85.132.xxx (Mon May 07 08:48:03 2012)
    202.85.132.xxx (Mon May 07 08:48:08 2012)
[4]
[5]
    166.111.5.xxx (Sun May 06 15:50:11 2012)
    219.235.2.xxx (Sun May 06 21:45:49 2012)
    121.10.140.xxx (Mon May 07 02:45:15 2012)
    202.46.14.xxx (Mon May 07 05:42:37 2012)
[6]
[7]
[8]
[9]
[10]

Date template hits:
15287 hit(s): MONTH Day Hour:Minute:Second
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
0 hit(s): Year/Month/Day Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/MONTH/Year:Hour:Minute:Second
0 hit(s): Month/Day/Year:Hour:Minute:Second
0 hit(s): Year-Month-Day Hour:Minute:Second
0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
0 hit(s): Day-Month-Year Hour:Minute:Second
0 hit(s): TAI64N
0 hit(s): Epoch
0 hit(s): ISO 8601
0 hit(s): Hour:Minute:Second
0 hit(s): <Month/Day/Year@Hour:Minute:Second>

Success, the total number of match is 17

However, look at the above section 'Running tests' which could containimportant

information.

#####################################################################

fail2ban runs fine:

#####################################################################

root 24156 0.1 0.0 66804 7640 ? Sl 11:07 0:01/usr/bin/python /usr/bin/fail2ban-server -b -s/var/run/fail2ban/fail2ban.sock


#####################################################################

iptables is also fine:

#####################################################################

iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-ssh  tcp  --  anywhere             anywhere multiport dports ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-ssh (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

#####################################################################

As said above everything works fine on one of the machines. Any ideaswhy it won't work on the other?


Thanks in advance.

Best regards
Denis

Reply to:

Follow-Ups:
- Re: fail2ban doesn't block (ssh)
  - From: Claudius Hubig <debian_1205@chubig.net>

Prev by Date: Re: Signatures (was: Panning the screen to get an usable GNOME desktop in netbooks)
Next by Date: Re: Supermicro SAS controller
Previous by thread: Re: RAID broken .... /dev/sd? drive name changed
Next by thread: Re: fail2ban doesn't block (ssh)
Index(es):
- Date
- Thread