Why is fail2ban finding but not banning

ssh security ubuntu fail2ban phishing

I noticed something strange on my Ubuntu Xenial server.
It has SSH on the default port and it has fail2ban.
Fail2ban is detecting brute force attempts on the server and are logged accordingly:

2017-01-12 10:58:19,927 fail2ban.filter    [23119]: INFO    [sshd] Found x.x.x.x
2017-01-12 11:03:27,808 fail2ban.filter    [23119]: INFO    [sshd] Found x.x.x.x
2017-01-12 11:08:37,936 fail2ban.filter    [23119]: INFO    [sshd] Found x.x.x.x
2017-01-12 11:13:51,538 fail2ban.filter    [23119]: INFO    [sshd] Found x.x.x.x
2017-01-12 11:18:57,939 fail2ban.filter    [23119]: INFO    [sshd] Found x.x.x.x
2017-01-12 11:24:10,399 fail2ban.filter    [23119]: INFO    [sshd] Found x.x.x.x
2017-01-12 11:29:23,161 fail2ban.filter    [23119]: INFO    [sshd] Found x.x.x.x
2017-01-12 11:34:34,064 fail2ban.filter    [23119]: INFO    [sshd] Found x.x.x.x
2017-01-12 11:39:44,540 fail2ban.filter    [23119]: INFO    [sshd] Found x.x.x.x

x.x.x.x is the same IP in all instances, and this guy is just phishing random usernames, as seen in auth.log:

Jan 12 12:05:46 MYSERVER sshd[23579]: Invalid user journalist from x.x.x.x
Jan 12 12:05:46 MYSERVER sshd[23579]: input_userauth_request: invalid user journalist [preauth]
Jan 12 12:05:46 MYSERVER sshd[23579]: Received disconnect from x.x.x.x port 47995:11: Normal Shutdown, Thank you for playing [preauth]
Jan 12 12:05:46 MYSERVER sshd[23579]: Disconnected from x.x.x.x port 47995 [preauth]

Fail2ban sees them, he list them as "Found", but not banning. Any ideas?

Edit:

cat /etc/fail2ban/jail.d/myjails.local
[apache-auth]
enabled = true

[sshd-ddos]
enabled = true

[recidive]
enabled = true

[dovecot]
enabled = true

[postfix]
enabled=true

The remaining config files are left as is according to the sane defaults from Ubuntu, namely /etc/fail2ban/jail.conf has:

[sshd]

port    = ssh
logpath = %(sshd_log)s


[sshd-ddos]
# This jail corresponds to the standard configuration in Fail2ban.
# The mail-whois action send a notification e-mail with a whois request
# in the body.
port    = ssh
logpath = %(sshd_log)s

and we have:

cat /etc/fail2ban/jail.d/defaults-debian.conf
[sshd]
enabled = true

Solution 1:

Fail2ban appears to be rightfully not banning anyone - Your provided log does not show anyone exceeding the default limits that Ubuntu xenial ships with fail2ban.

Look in your /etc/fail2ban/jail.conf, in the [DEFAULT] section there are the parameters findtime (default 600 seconds, so 10 minutes) and maxretry (default 5 times, within that find window). Meaning that someone who is trying just a few password an hour will simply not trigger it.

Note that you dont need to change this file (and should not, to be able to cleanly upgrade it). You can put the [DEFAULT] block into your /etc/fail2ban/jail.d/myjails.local, aswell:

[DEFAULT]
findtime = 3600
bantime = 3600
maxretry = 4
  • Look into the beginning of the file jail.conf it actually gives some hints about how and why.
  • Dont lock yourself out.
  • You passwords should be strong enough so that you should be at ease knowing theres a couple people trying a couple passwords per hour without finding anything in a million years.

Related

HW RAID1 or ZFS mirror
Access files located on the underlying filesystem of an NFS mountpoint
SSH host key seems to be changing unexpectedly
Windows 10 cannot access network shared locations or drives
Using a batch file to zip files as individual zip files
Can spilling a liquid on a keyboard or other input device connected to a desktop computer damage the computer itself?
How could I find out the path to the current desktop image, for Windows 8
Mac OS X search and replace tool with regular expression support
How best to manually uninstall a program in windows 7/vista
Rescuing a hdd with bad sectors: dd vs gddrescue
Restrict Remote Desktop access to specific users to specific servers in a domain environment?
SCP between two networks