I would like to secure my web server from brute-force attacks (first through SSH), so I installed fail2ban. I cannot get it to ban me, though.
Here is my /etc/fail2ban/jail.local:
[DEFAULT]
bantime = 300
findtime = 600
maxretry = 4
backend = auto
usedns = warn
destemail = [email protected]
banaction = iptables-multiport
mta = sendmail
protocol = tcp
chain = INPUT
(...)
action = %(action_mw)s
(...)
[ssh]
enabled = true
port = anyport
filter = sshd
logpath = /var/log/auth.log
maxretry = 4
Only ssh is enabled and I did not change anything that is omitted.
According to this configuration I should be banned for 300 seconds after 4 failed login attempts. I am allowed 6, though, and there is no ban. The /var/log/auth.log probably looks fine. Here is the fragment showing my 6 unsuccessful logins:
Jul 8 09:51:09 nazwaserwera sshd[1798]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=abod34.neoplus.adsl.tpnet.pl user=my-admin
Jul 8 09:51:10 nazwaserwera sshd[1798]: Failed password for my-admin from 83.8.19.34 port 56451 ssh2
Jul 8 09:51:27 nazwaserwera sshd[1798]: message repeated 5 times: [ Failed password for my-admin from 83.8.19.34 port 56451 ssh2]
Jul 8 09:51:27 nazwaserwera sshd[1798]: Disconnecting: Too many authentication failures for my-admin [preauth]
Jul 8 09:51:27 nazwaserwera sshd[1798]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=abod34.neoplus.adsl.tpnet.pl user=my-admin
Here is sudo iptables -L output:
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain fail2ban-ssh (0 references)
target prot opt source destination
RETURN all -- anywhere anywhere
And here what is written in /var/log/fail2ban.log after restarting fail2ban:
2014-07-08 11:26:12,538 fail2ban.server : INFO Stopping all jails
2014-07-08 11:26:13,141 fail2ban.jail : INFO Jail 'ssh' stopped
2014-07-08 11:26:13,142 fail2ban.server : INFO Exiting Fail2ban
2014-07-08 11:26:16,825 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.11
2014-07-08 11:26:16,826 fail2ban.jail : INFO Creating new jail 'ssh'
2014-07-08 11:26:17,024 fail2ban.jail : INFO Jail 'ssh' uses pyinotify
2014-07-08 11:26:17,141 fail2ban.jail : INFO Initiated 'pyinotify' backend
2014-07-08 11:26:17,142 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2014-07-08 11:26:17,144 fail2ban.filter : INFO Set maxRetry = 4
2014-07-08 11:26:17,145 fail2ban.filter : INFO Set findtime = 600
2014-07-08 11:26:17,145 fail2ban.actions: INFO Set banTime = 300
2014-07-08 11:26:17,438 fail2ban.jail : INFO Jail 'ssh' started
2014-07-08 11:26:17,619 fail2ban.actions.action: ERROR iptables -N fail2ban-ssh
iptables -A fail2ban-ssh -j RETURN
iptables -I INPUT -p tcp -m multiport --dports anyport -j fail2ban-ssh returned 200
There are a couple of things that can be relevant here as well:
I use a non-standard port for my SSH connection:
Port 4444
set in /etc/ssh/sshd_conf
I remember to restart services (fail2ban, ssh) after changing configuration files
I get emails from fail2ban, but only telling me that it was started or stopped
I have searched for a solution in Google but could not find a working one. Any help would be appreciated.
UFW is a front end to iptables that restricts which ports on your VPS accept connections in the first place, which limits what a port scan can find. Fail2Ban drives iptables directly by default, but it can be configured to issue its bans through UFW instead.
A good way to protect SSH is to ban an IP address for a while after too many failed login attempts. The fail2ban package does exactly this with minimal configuration, and it can also be configured to protect other services, such as web servers.
By default, fail2ban blocks IP addresses by inserting iptables rules.
Solved it!
According to my configuration in jail.local
maxretry = 4
fail2ban should search the auth.log file for 5 lines (1 + 4) each containing an alert about an unsuccessful login attempt. But looking at my auth.log more closely I noticed that the maximum I ever get is 2. Here is how 6 failed login attempts are recorded:
Jul 8 09:51:10 nazwaserwera sshd[1798]: Failed password for my-admin from 83.8.19.34 port 56451 ssh2
Jul 8 09:51:27 nazwaserwera sshd[1798]: message repeated 5 times: [ Failed password for my-admin from 83.8.19.34 port 56451 ssh2]
As you can see instead of 6 lines I only get two with the second one saying "message repeated 5 times".
The solution is very simple: I just changed RepeatedMsgReduction from on to off in /etc/rsyslog.conf. And then restarted both rsyslog and fail2ban.
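The following Python script is an added illustration, not part of the original question or answer, of why the collapsed log defeats the jail. It counts "Failed password" lines the way a fail2ban-style filter would, first over the two rsyslog-reduced lines quoted above and then after expanding the "message repeated N times" line back into individual messages, which is what turning RepeatedMsgReduction off achieves at the source. The failregex is a simplified stand-in for fail2ban's real sshd filter, and the extra lines (a second host at 198.51.100.7 and the "Disconnecting" line) are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample modelled on the auth.log excerpt above. The two
# nazwaserwera lines follow the quoted excerpt; the 198.51.100.7 host and the
# Disconnecting line are invented for illustration.
REDUCED_LOG = [
    "Jul 8 09:51:10 nazwaserwera sshd[1798]: Failed password for my-admin from 83.8.19.34 port 56451 ssh2",
    "Jul 8 09:51:27 nazwaserwera sshd[1798]: message repeated 5 times: [ Failed password for my-admin from 83.8.19.34 port 56451 ssh2]",
    "Jul 8 09:51:27 nazwaserwera sshd[1798]: Disconnecting: Too many authentication failures for my-admin [preauth]",
    "Jul 8 09:52:01 nazwaserwera sshd[1802]: Failed password for invalid user test from 198.51.100.7 port 40001 ssh2",
]

# Simplified stand-in for fail2ban's sshd failregex (not the real filter file).
FAILREGEX = re.compile(
    r"Failed password for (?:invalid user )?\S+ from (?P<host>\S+) port \d+ ssh2"
)

# rsyslog's RepeatedMsgReduction output: "... message repeated N times: [ original message ]"
REPEAT_RE = re.compile(r"message repeated (?P<n>\d+) times: \[ (?P<msg>.*)\]$")


def expand_repeats(lines):
    """Undo RepeatedMsgReduction: replace each 'message repeated N times'
    line with N copies of the original message, keeping the syslog prefix."""
    out = []
    for line in lines:
        m = REPEAT_RE.search(line)
        if m:
            prefix = line[: m.start()]  # "Jul 8 09:51:27 host sshd[pid]: "
            out.extend(prefix + m.group("msg") for _ in range(int(m.group("n"))))
        else:
            out.append(line)
    return out


def count_failures(lines):
    """Count failregex matches per source host, as a filter would."""
    counts = Counter()
    for line in lines:
        m = FAILREGEX.search(line)
        if m:
            counts[m.group("host")] += 1
    return counts


def hosts_to_ban(lines, maxretry):
    """Hosts whose failure count has reached maxretry (fail2ban bans once
    the count reaches maxretry within findtime; findtime is ignored here
    because all sample lines fall inside one window)."""
    return sorted(h for h, n in count_failures(lines).items() if n >= maxretry)


if __name__ == "__main__":
    maxretry = 4
    print("reduced log :", dict(count_failures(REDUCED_LOG)),
          "-> ban", hosts_to_ban(REDUCED_LOG, maxretry))
    expanded = expand_repeats(REDUCED_LOG)
    print("expanded log:", dict(count_failures(expanded)),
          "-> ban", hosts_to_ban(expanded, maxretry))
```

With the reduced log the filter sees only 2 matches for 83.8.19.34 (the "message repeated" line itself still matches once), which never reaches maxretry = 4; after expansion it sees 6 and the host is banned, while the single failure from the other host is not. One further check worth doing on the setup in the question: the fail2ban.log shows the iptables command with --dports anyport failing (returned 200) and the fail2ban-ssh chain having 0 references, so even once the filter counts correctly no traffic will be routed through the ban chain until the jail's port matches the actual SSH port (4444 here) so that the INPUT rule can be inserted.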