Why is fail2ban finding but not banning
I noticed something strange on my Ubuntu Xenial server.
It has SSH on the default port and it has fail2ban.
Fail2ban is detecting brute force attempts on the server, and they are logged accordingly:
2017-01-12 10:58:19,927 fail2ban.filter [23119]: INFO [sshd] Found x.x.x.x
2017-01-12 11:03:27,808 fail2ban.filter [23119]: INFO [sshd] Found x.x.x.x
2017-01-12 11:08:37,936 fail2ban.filter [23119]: INFO [sshd] Found x.x.x.x
2017-01-12 11:13:51,538 fail2ban.filter [23119]: INFO [sshd] Found x.x.x.x
2017-01-12 11:18:57,939 fail2ban.filter [23119]: INFO [sshd] Found x.x.x.x
2017-01-12 11:24:10,399 fail2ban.filter [23119]: INFO [sshd] Found x.x.x.x
2017-01-12 11:29:23,161 fail2ban.filter [23119]: INFO [sshd] Found x.x.x.x
2017-01-12 11:34:34,064 fail2ban.filter [23119]: INFO [sshd] Found x.x.x.x
2017-01-12 11:39:44,540 fail2ban.filter [23119]: INFO [sshd] Found x.x.x.x
x.x.x.x is the same IP in all instances, and this guy is just phishing random usernames, as seen in auth.log:
Jan 12 12:05:46 MYSERVER sshd[23579]: Invalid user journalist from x.x.x.x
Jan 12 12:05:46 MYSERVER sshd[23579]: input_userauth_request: invalid user journalist [preauth]
Jan 12 12:05:46 MYSERVER sshd[23579]: Received disconnect from x.x.x.x port 47995:11: Normal Shutdown, Thank you for playing [preauth]
Jan 12 12:05:46 MYSERVER sshd[23579]: Disconnected from x.x.x.x port 47995 [preauth]
Fail2ban sees them and lists them as "Found", but it is not banning. Any ideas?
Edit:
cat /etc/fail2ban/jail.d/myjails.local
[apache-auth]
enabled = true
[sshd-ddos]
enabled = true
[recidive]
enabled = true
[dovecot]
enabled = true
[postfix]
enabled=true
The remaining config files are left as is according to the sane defaults from Ubuntu, namely /etc/fail2ban/jail.conf has:
[sshd]
port = ssh
logpath = %(sshd_log)s
[sshd-ddos]
# This jail corresponds to the standard configuration in Fail2ban.
# The mail-whois action send a notification e-mail with a whois request
# in the body.
port = ssh
logpath = %(sshd_log)s
and we have:
cat /etc/fail2ban/jail.d/defaults-debian.conf
[sshd]
enabled = true
Solution 1:
Fail2ban appears to be rightfully not banning anyone: your provided log does not show anyone exceeding the default limits that Ubuntu Xenial ships with fail2ban.
Look in your /etc/fail2ban/jail.conf: in the [DEFAULT] section there are the parameters findtime (default 600 seconds, so 10 minutes) and maxretry (default 5 times, within that find window). This means that someone who is trying just a few passwords an hour will simply not trigger it.
Note that you don't need to change this file (and should not, to be able to cleanly upgrade it). You can put the [DEFAULT] block into your /etc/fail2ban/jail.d/myjails.local as well:
[DEFAULT]
findtime = 3600
bantime = 3600
maxretry = 4
- Look into the beginning of the file jail.conf; it actually gives some hints about how and why.
- Don't lock yourself out.
- Your passwords should be strong enough that you can be at ease knowing there's a couple of people trying a couple of passwords per hour without finding anything in a million years.
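To make the findtime/maxretry arithmetic concrete, here is an added Python model run over the nine "Found" timestamps from the question. It is an illustration written for this answer, not fail2ban's own code, and it simplifies fail2ban's counting to a plain sliding window per IP.

```python
from datetime import datetime, timedelta

# Constructed sample: the nine "Found" lines from the question (times kept as posted).
FOUND_LINES = """\
2017-01-12 10:58:19,927 fail2ban.filter [23119]: INFO [sshd] Found x.x.x.x
2017-01-12 11:03:27,808 fail2ban.filter [23119]: INFO [sshd] Found x.x.x.x
2017-01-12 11:08:37,936 fail2ban.filter [23119]: INFO [sshd] Found x.x.x.x
2017-01-12 11:13:51,538 fail2ban.filter [23119]: INFO [sshd] Found x.x.x.x
2017-01-12 11:18:57,939 fail2ban.filter [23119]: INFO [sshd] Found x.x.x.x
2017-01-12 11:24:10,399 fail2ban.filter [23119]: INFO [sshd] Found x.x.x.x
2017-01-12 11:29:23,161 fail2ban.filter [23119]: INFO [sshd] Found x.x.x.x
2017-01-12 11:34:34,064 fail2ban.filter [23119]: INFO [sshd] Found x.x.x.x
2017-01-12 11:39:44,540 fail2ban.filter [23119]: INFO [sshd] Found x.x.x.x
"""

def parse_found(text):
    """Return (timestamp, ip) pairs from fail2ban.filter 'Found' log lines."""
    events = []
    for line in text.splitlines():
        if "] Found " not in line:
            continue
        ts = datetime.strptime(line[:23], "%Y-%m-%d %H:%M:%S,%f")  # "2017-01-12 10:58:19,927"
        events.append((ts, line.rsplit(" ", 1)[1]))
    return events

def hit_counts(events, findtime):
    """For each failure, how many failures by the same IP fall within the
    preceding `findtime` seconds (the failure itself included). This is a
    simplified model of fail2ban's sliding window, not its implementation."""
    window = timedelta(seconds=findtime)
    seen = {}
    counts = []
    for ts, ip in sorted(events):
        recent = [t for t in seen.get(ip, []) if ts - t < window]
        recent.append(ts)
        seen[ip] = recent
        counts.append((ts, ip, len(recent)))
    return counts

def first_ban(events, findtime, maxretry):
    """(ip, time) of the first failure that reaches maxretry within findtime,
    or None when the thresholds are never reached."""
    for ts, ip, n in hit_counts(events, findtime):
        if n >= maxretry:
            return ip, str(ts)
    return None
```

With the Ubuntu defaults (findtime 600, maxretry 5) the attempts are spaced just over ten minutes apart, so no window ever holds more than two failures and nothing is banned; with the suggested findtime = 3600 and maxretry = 4 the fourth attempt at 11:13:51 triggers the ban.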