Fail2Ban on CentOS 6.5 Never Bans
Environment:
* CentOS 6.5
* Fail2Ban 0.8.14-1
* date outputs the correct date
Behavior: Fail2ban starts successfully, but does not create iptables blocks after bad SSH login attempts. I'm only concerned with SSH at this point. I attempted to reinstall using this guide: https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-fail2ban-on-centos-6
Fail2Ban used to work - but through system updates, it appears to have stopped working. If I run
sudo service fail2ban restart
I get an email saying that the jail has stopped and another email saying the jail has started, so it seems that fail2ban is running and functional.
My /etc/fail2ban/jail.local file includes the entry:
[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
         sendmail-whois[name=SSH, [email protected], [email protected], sendername="Fail2Ban"]
logpath = /var/log/secure
maxretry = 5
My IP address is not listed in the ignoreip declaration. I'm using standard bantime of 600, findtime of 600, and maxretry of 3.
When I look at /var/log/secure, I see plenty of failed attempts:
Sep 30 00:17:02 nebo unix_chkpwd[3796]: password check failed for user (root)
Sep 30 00:17:02 nebo sshd[3794]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=60.173.26.189 user=root
iptables -L seems to report that fail2ban does have a chain:
Chain fail2ban-SSH (2 references)
target prot opt source destination
RETURN all -- anywhere anywhere
My current best guess is that the action for sshd in actions.d/sshd.conf is using a regular expression to look through the log file, but it doesn't match the current syntax of the CentOS log for a banned attempt.
Time is in sync per: Why isn't fail2ban blocking failures?
Ran fail2ban-regex to test my theory, and it looks like I may be on the right track:
[isdept@nebo action.d]$ sudo fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/sshd.conf
Running tests
=============
Use failregex file : /etc/fail2ban/filter.d/sshd.conf
Use log file : /var/log/secure
Results
=======
Failregex: 0 total
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [22655] MONTH Day Hour:Minute:Second
`-
Lines: 22655 lines, 0 ignored, 0 matched, 22655 missed
Missed line(s): too many to print. Use --print-all-missed to print all 22655 lines
I'm not totally sure how to modify the regex patterns to fix this (if this is the issue), but I am surprised to find that I haven't found an easy fix since CentOS is common. I'd be happy to provide any additional info. Thanks for any tips or pointers you can give!
For safety - I'm currently disabling public access to this host.
Solution 1:
Well, I'm no regex master (or even novice), but I did manage to get it to work by adding:
^.*authentication failure;.*rhost=<HOST>
to filters.d/sshd.conf. This did it and I've successfully banned my first host. If any regex experts would like to chime in, I'd be greatly appreciative. I'm sure there's a case that I'm missing in this short expression that would fail in a certain case.
Thanks!
Solution 2:
@SteadH In your initial post you have this:
[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
         sendmail-whois[name=SSH, [email protected], [email protected], sendername="Fail2Ban"]
logpath = /var/log/secure
maxretry = 5
[ssh-iptables] : being the filter name/reference and
filter = sshd : being the file with the regex filter in /filter.d (sshd.conf)
Then in your last post you are making edits to sshd-iptables.conf? You did your fail2ban-regex check on sshd.conf? Which file are you using, and which one exists, or do both exist? I can help you with a regex pattern, but I need to make sure I'm looking at the right pattern to match.
Solution 3:
i'm working on the same problem today, also on centos 6.5.
in my case the distro file is named filters.d/sshd.conf, not filters.d/sshd-iptables.conf as you wrote. not sure why yours and mine would be different. but in any case i believe the problem is identical.
an example entry from my secure.log is this:
Oct 11 11:11:11 myhostname sshd[12345]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=1.2.3.4
the closest matching failregex in the distro filters.d/sshd.conf is this one:
^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from <HOST>( via \S+)?\s*$
that's clearly not going to match the example above because of the "from" and "via" strings and no "rhost=" string. my attempts at fixing this are listed below.
-
first mod, did not match:
^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|error); .* rhost=<HOST> .*$
-
second mod, did not match:
^%(__prefix_line)[aA]uthentication (?:failure|error); .* rhost=<HOST> .*$
-
third mod, matched:
[aA]uthentication (?:failure|error); .* rhost=<HOST> .*$
the __prefix_line regex subexpression comes from filters.d/common.conf and is a great attempt to try to match every possible permutation of known linux log entry prefix formats, but unfortunately it needs some tweaking for our particular centos 6.5 situation. i may take a crack at that but a first glance at the regexes in common.conf makes my head hurt. the less complex regex without __prefix_line may be sufficient.
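As an added illustration (not code from this thread or from fail2ban itself), the Python script below replays the three failregex candidates discussed above, the distro pattern quoted in Solution 3, the addition from Solution 1 and Solution 3's third mod, against constructed log lines modelled on the /var/log/secure excerpts in the question. HOST_RE is fail2ban 0.8's expansion of <HOST> and PREFIX_LINE is a simplified stand-in for common.conf's __prefix_line; both are assumptions made here, not copied from the package.

```python
import re

# Added example: replay the thread's candidate failregex patterns against the
# CentOS 6.5 pam_unix line that the shipped sshd.conf filter missed.

# fail2ban 0.8 substitutes <HOST> with this group (IPv4, IPv6-mapped or hostname).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Simplified stand-in for common.conf's %(__prefix_line)s: optional hostname,
# then "daemon[pid]: ". The real one is far more permissive; constructed here.
PREFIX_LINE = r"\s*(?:\S+ )?(?:\S+(?:\[\d+\])?: )?"

# fail2ban matches the timestamp separately and hands the remainder of the line
# to failregex, so the "MONTH Day HH:MM:SS " template is stripped first.
DATE_RE = re.compile(r"^[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} ")

CANDIDATES = {
    "distro": r"^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from <HOST>( via \S+)?\s*$",
    "solution1": r"^.*authentication failure;.*rhost=<HOST>",
    "solution3": r"[aA]uthentication (?:failure|error); .* rhost=<HOST> .*$",
}

def compile_failregex(pattern):
    """Expand fail2ban's %(__prefix_line)s and <HOST> macros, then compile."""
    pattern = pattern.replace("%(__prefix_line)s", PREFIX_LINE)
    pattern = pattern.replace("<HOST>", HOST_RE)
    return re.compile(pattern)

def match_host(pattern, log_line):
    """Return the <HOST> captured from one raw log line, or None if missed."""
    body = DATE_RE.sub("", log_line, count=1)
    m = compile_failregex(pattern).search(body)
    return m.group("host") if m else None

# Constructed sample lines modelled on the thread's /var/log/secure excerpts.
LINES = [
    "Sep 30 00:17:02 nebo sshd[3794]: pam_unix(sshd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ssh ruser= rhost=60.173.26.189 user=root",
    "Oct 11 11:11:11 myhostname sshd[12345]: pam_unix(sshd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ssh ruser= rhost=1.2.3.4",
]

def run_all():
    """Map each candidate name to the host it extracts from each sample line."""
    return {name: [match_host(p, l) for l in LINES] for name, p in CANDIDATES.items()}

if __name__ == "__main__":
    for name, hosts in run_all().items():
        print(f"{name:10s} {hosts}")
```

Running it shows the distro pattern misses both lines, Solution 1's pattern extracts the address from both, and Solution 3's third mod only matches when text such as user=root follows the address, because of the space before its trailing .*$.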