Fail2Ban on CentOS 6.5 Never Bans

Environment:

  • CentOS 6.5
  • Fail2Ban 0.8.14-1
  • date outputs the correct date

Behavior: Fail2ban starts successfully, but does not create iptables blocks after bad SSH login attempts. I'm only concerned with SSH at this point. I attempted to reinstall using this guide: https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-fail2ban-on-centos-6

Fail2Ban used to work - but through system updates, it appears to have stopped working. If I run

sudo service fail2ban restart

I get an email saying that the jail has stopped and another email saying the jail has started, so it seems that fail2ban is running and functional.

My /etc/fail2ban/jail.local file includes the entry:

[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, [email protected], [email protected], sendername="Fail2Ban"]
logpath  = /var/log/secure
maxretry = 5

My IP address is not listed in the ignoreip declaration. I'm using standard bantime of 600, findtime of 600, and maxretry of 3.

When I look at /var/log/secure, I see plenty of failed attempts:

Sep 30 00:17:02 nebo unix_chkpwd[3796]: password check failed for user (root)
Sep 30 00:17:02 nebo sshd[3794]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=60.173.26.189  user=root

iptables -L seems to report that fail2ban does have a chain:

Chain fail2ban-SSH (2 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

My current best guess is that the action for sshd in actions.d/sshd.conf is using a regular expression to look through the log file, but it doesn't match the current syntax of the CentOS log for a banned attempt.

Time is in sync per: Why isn't fail2ban blocking failures?

Ran fail2ban-regex to test my theory, and it looks like I may be on the right track:

[isdept@nebo action.d]$ sudo fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/sshd.conf 

Running tests
=============

Use   failregex file : /etc/fail2ban/filter.d/sshd.conf
Use         log file : /var/log/secure


Results
=======

Failregex: 0 total

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [22655] MONTH Day Hour:Minute:Second
`-

Lines: 22655 lines, 0 ignored, 0 matched, 22655 missed
Missed line(s): too many to print.  Use --print-all-missed to print all 22655 lines

I'm not totally sure how to modify the regex patterns to fix this (if this is the issue), but I am surprised to find that I haven't found an easy fix since CentOS is common. I'd be happy to provide any additional info. Thanks for any tips or pointers you can give!

For safety - I'm currently disabling public access to this host.


Solution 1:

Well, I'm no regex master (or even novice), but I did manage to get it to work by adding:

^.*authentication failure;.*rhost=<HOST>

to filters.d/sshd.conf. This did it and I've successfully banned my first host. If any regex experts would like to chime in, I'd be greatly appreciative. I'm sure there's a case that I'm missing in this short expression that would fail in a certain case.

Thanks!

Solution 2:

@SteadH In your initial post you have this:

[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, [email protected], [email protected], sendername="Fail2Ban"]
logpath  = /var/log/secure
maxretry = 5

[ssh-iptables] : being the filter name/reference and

filter = sshd : being the file with the regex filter in /filter.d (sshd.conf)

Then in your last post you are making edits to sshd-iptables.conf? You did your fail2ban-regex check on sshd.conf? Which file are you using? And which one exists, or do both exist? I can help you with a regex pattern, but I need to make sure I'm looking at the right pattern to match.

Solution 3:

I'm working on the same problem today, also on CentOS 6.5.

In my case the distro file is named filters.d/sshd.conf, not filters.d/sshd-iptables.conf as you wrote. Not sure why yours and mine would be different, but in any case I believe the problem is identical.

An example entry from my secure.log is this:

Oct 11 11:11:11 myhostname sshd[12345]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=1.2.3.4

The closest matching failregex in the distro filters.d/sshd.conf is this one:

^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from <HOST>( via \S+)?\s*$

That's clearly not going to match the example above because of the "from" and "via" strings and no "rhost=" string. My attempts at fixing this are listed below.

  • First mod, did not match:

    ^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|error); .* rhost=<HOST> .*$

  • Second mod, did not match:

    ^%(__prefix_line)[aA]uthentication (?:failure|error); .* rhost=<HOST> .*$

  • Third mod, matched:

    [aA]uthentication (?:failure|error); .* rhost=<HOST> .*$

The __prefix_line regex subexpression comes from filters.d/common.conf and is a great attempt to try to match every possible permutation of known Linux log entry prefix formats, but unfortunately it needs some tweaking for our particular CentOS 6.5 situation. I may take a crack at that, but a first glance at the regexes in common.conf makes my head hurt. The less complex regex without __prefix_line may be sufficient.
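As an added example (not code from this thread or from fail2ban itself), the Python matcher below reproduces what fail2ban-regex does to the lines quoted in the question and in this answer: it expands <HOST>, strips the "MONTH Day Hour:Minute:Second" timestamp the way fail2ban 0.8 does before trying a failregex, and then runs the distro pattern, the pattern from Solution 1, and the third mod above over constructed log lines modelled on the ones posted. The HOST_RE and PREFIX_LINE_RE values are simplified stand-ins for fail2ban's real <HOST> expansion and the real %(__prefix_line)s from common.conf, and the findtime window is not modelled; the maxretry counting is a sketch of the jail logic, not fail2ban's code. It also exercises one edge case: a line that ends immediately after rhost= is missed by the third mod, because that pattern demands a space after the host, while the Solution 1 pattern still catches it.

```python
import re
from collections import Counter

# Stand-in for the <HOST> expansion fail2ban 0.8.x performs before compiling a
# failregex (assumption: same shape as the real substitution, optional ::ffff: prefix).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Simplified stand-in for %(__prefix_line)s from filter.d/common.conf:
# optional hostname, then optional "daemon[pid]:". NOT the real expression.
PREFIX_LINE_RE = r"\s*(?:\S+ )?(?:\S+\[\d+\]:\s+)?"

# The "MONTH Day Hour:Minute:Second" template fail2ban-regex reported in the
# question; fail2ban strips the timestamp before a failregex is tried.
DATE_RE = re.compile(
    r"^(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s+\d{1,2} \d{2}:\d{2}:\d{2}"
)

# The three regexes quoted on this page.
DISTRO = (r"^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|error)"
          r" for .* from <HOST>( via \S+)?\s*$")
SOLUTION1 = r"^.*authentication failure;.*rhost=<HOST>"
THIRD_MOD = r"[aA]uthentication (?:failure|error); .* rhost=<HOST> .*$"

# Constructed sample lines, modelled on the two /var/log/secure entries posted.
PAM_LINE = ("Sep 30 00:17:02 nebo sshd[3794]: pam_unix(sshd:auth): authentication failure; "
            "logname= uid=0 euid=0 tty=ssh ruser= rhost=60.173.26.189  user=root")
BARE_RHOST_LINE = ("Oct 11 11:11:11 myhostname sshd[12345]: pam_unix(sshd:auth): "
                   "authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=1.2.3.4")
CHKPWD_LINE = "Sep 30 00:17:02 nebo unix_chkpwd[3796]: password check failed for user (root)"
# Constructed line in the "from <HOST>" shape the distro regex was written for.
PAM_ERROR_LINE = ("Oct 11 11:11:12 myhostname sshd[12346]: error: PAM: "
                  "Authentication failure for root from 1.2.3.4")
SAMPLE_LOG = [PAM_LINE, PAM_LINE, CHKPWD_LINE, PAM_LINE, BARE_RHOST_LINE, PAM_ERROR_LINE]


def compile_failregex(pattern):
    """Expand %(__prefix_line)s and <HOST> the way a jail filter would, then compile."""
    expanded = pattern.replace("%(__prefix_line)s", PREFIX_LINE_RE)
    expanded = expanded.replace("<HOST>", HOST_RE)
    return re.compile(expanded)


def match_host(pattern, line):
    """Return the host a failregex extracts from one log line, or None if it misses."""
    rest = DATE_RE.sub("", line, count=1)   # timestamp removed, as fail2ban does
    m = compile_failregex(pattern).search(rest)
    return m.group("host") if m else None


def hosts_to_ban(lines, pattern, maxretry):
    """Hosts whose failure count reaches maxretry (findtime window not modelled)."""
    hits = Counter(h for h in (match_host(pattern, line) for line in lines) if h)
    return sorted(h for h, n in hits.items() if n >= maxretry)


if __name__ == "__main__":
    for name, pattern in (("distro", DISTRO), ("solution1", SOLUTION1), ("third mod", THIRD_MOD)):
        print(name)
        for line in SAMPLE_LOG:
            print("   ", match_host(pattern, line), "<-", line[16:70])
        print("    would ban at maxretry=3:", hosts_to_ban(SAMPLE_LOG, pattern, 3))
```

Running it shows the distro pattern matching only the "from <HOST>" shaped line, which is why fail2ban-regex reported 0 matches in the question; both rewritten patterns extract 60.173.26.189 from the pam_unix lines and would ban it after three hits, but only the Solution 1 pattern also extracts 1.2.3.4 from the line that ends right after rhost=.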