fail2ban fails to ban on Ubuntu 14.04

Tags: ssh, ubuntu

I would like to secure my web server from brute-force attacks (first through ssh), so I installed fail2ban. I cannot get it to ban me, though.

Here is my /etc/fail2ban/jail.local:

[DEFAULT]
bantime  = 300
findtime = 600
maxretry = 4
backend = auto
usedns = warn
destemail = [email protected]
banaction = iptables-multiport
mta = sendmail
protocol = tcp
chain = INPUT

(...)
action = %(action_mw)s

(...)

[ssh]

enabled  = true
port     = anyport
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 4

Only ssh is enabled and I did not change anything that is omitted.

According to this configuration I should be banned for 300 seconds after 4 failed login attempts. I am allowed 6, though, and there is no ban. The /var/log/auth.log probably looks fine. Here is the fragment showing my 6 unsuccessful logins:

Jul  8 09:51:09 nazwaserwera sshd[1798]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=abod34.neoplus.adsl.tpnet.pl  user=my-admin
Jul  8 09:51:10 nazwaserwera sshd[1798]: Failed password for my-admin from 83.8.19.34 port 56451 ssh2
Jul  8 09:51:27 nazwaserwera sshd[1798]: message repeated 5 times: [ Failed password for my-admin from 83.8.19.34 port 56451 ssh2]
Jul  8 09:51:27 nazwaserwera sshd[1798]: Disconnecting: Too many authentication failures for my-admin [preauth]
Jul  8 09:51:27 nazwaserwera sshd[1798]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=abod34.neoplus.adsl.tpnet.pl  user=my-admin

Here is sudo iptables -L output:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-ssh (0 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

And here is what is written in /var/log/fail2ban.log after restarting fail2ban:

2014-07-08 11:26:12,538 fail2ban.server : INFO   Stopping all jails
2014-07-08 11:26:13,141 fail2ban.jail   : INFO   Jail 'ssh' stopped
2014-07-08 11:26:13,142 fail2ban.server : INFO   Exiting Fail2ban
2014-07-08 11:26:16,825 fail2ban.server : INFO   Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.11
2014-07-08 11:26:16,826 fail2ban.jail   : INFO   Creating new jail 'ssh'
2014-07-08 11:26:17,024 fail2ban.jail   : INFO   Jail 'ssh' uses pyinotify
2014-07-08 11:26:17,141 fail2ban.jail   : INFO   Initiated 'pyinotify' backend
2014-07-08 11:26:17,142 fail2ban.filter : INFO   Added logfile = /var/log/auth.log
2014-07-08 11:26:17,144 fail2ban.filter : INFO   Set maxRetry = 4
2014-07-08 11:26:17,145 fail2ban.filter : INFO   Set findtime = 600
2014-07-08 11:26:17,145 fail2ban.actions: INFO   Set banTime = 300
2014-07-08 11:26:17,438 fail2ban.jail   : INFO   Jail 'ssh' started
2014-07-08 11:26:17,619 fail2ban.actions.action: ERROR  iptables -N fail2ban-ssh
iptables -A fail2ban-ssh -j RETURN
iptables -I INPUT -p tcp -m multiport --dports anyport -j fail2ban-ssh returned 200

There are a couple of things that can be relevant here as well:

  • I use non-standard port for my ssh connection:

    Port 4444

    set in /etc/ssh/sshd_conf

  • I remember to restart services (fail2ban, ssh) after changing configuration files

  • I get emails from fail2ban, but only telling me that it was started or stopped

I have searched for a solution in Google but could not find a working one. Any help would be appreciated.

Krzysztof Wołowski asked Jul 08 '14 10:07
1 Answer

Solved it!

According to my configuration in jail.local

maxretry = 4

fail2ban should search the auth.log file for 5 lines (1 + 4), each containing an alert about an unsuccessful login attempt. But looking at my auth.log more closely, I noticed that the maximum I ever get is 2. Here is how 6 failed login attempts are recorded:

Jul  8 09:51:10 nazwaserwera sshd[1798]: Failed password for my-admin from 83.8.19.34 port 56451 ssh2
Jul  8 09:51:27 nazwaserwera sshd[1798]: message repeated 5 times: [ Failed password for my-admin from 83.8.19.34 port 56451 ssh2]

As you can see, instead of 6 lines I only get two, with the second one saying "message repeated 5 times".

The solution is very simple: I just changed RepeatedMsgReduction from on to off in /etc/rsyslog.conf, and then restarted both rsyslog and fail2ban.

Krzysztof Wołowski answered Oct 10 '22 22:10
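The answer's diagnosis in runnable form, as an added Python example that is not from the original post and not fail2ban's own code: it scans auth.log lines in the format shown above, once treating rsyslog's "message repeated N times" summary as a single line (what a per-line scanner sees with RepeatedMsgReduction on) and once expanding it to N failures, then applies a sliding findtime/maxretry window. The sample lines, the simplified failed-login regex and the window logic are assumptions made here, not fail2ban's real sshd filter.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the format of the auth.log fragment on this page.
AUTH_LOG = [
    "Jul  8 09:51:10 nazwaserwera sshd[1798]: Failed password for my-admin from 83.8.19.34 port 56451 ssh2",
    "Jul  8 09:51:27 nazwaserwera sshd[1798]: message repeated 5 times: [ Failed password for my-admin from 83.8.19.34 port 56451 ssh2]",
    "Jul  8 09:51:27 nazwaserwera sshd[1798]: Disconnecting: Too many authentication failures for my-admin [preauth]",
]

# Syslog prefix: "Mon  d HH:MM:SS host sshd[pid]: message"
PREFIX = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$")
# rsyslog RepeatedMsgReduction summary wraps the original text: "message repeated N times: [ ... ]"
REPEATED = re.compile(r"^message repeated (?P<n>\d+) times: \[ (?P<inner>.*)\]$")
# Simplified failed-login pattern (assumption; fail2ban's real failregex is more elaborate).
FAILED = re.compile(r"^Failed (?:password|publickey) for .* from (?P<host>\S+)(?: port \d+)?(?: ssh\d*)?$")


def failures(lines, expand_repeats):
    """Return [(timestamp, host)] with one entry per failed login.

    With expand_repeats=True a summary line counts as N failures (all stamped with
    the summary's time, a simplification); otherwise it counts once, as a per-line
    scanner would see it while RepeatedMsgReduction is on."""
    events = []
    for line in lines:
        m = PREFIX.match(line)
        if not m:
            continue
        msg, count = m.group("msg"), 1
        r = REPEATED.match(msg)
        if r:
            msg = r.group("inner").strip()
            count = int(r.group("n")) if expand_repeats else 1
        f = FAILED.match(msg)
        if f:
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            events.extend([(ts, f.group("host"))] * count)
    return events


def hosts_to_ban(lines, maxretry, findtime, expand_repeats):
    """Hosts whose failures reach maxretry inside a sliding findtime window (seconds)."""
    window = timedelta(seconds=findtime)
    recent, banned = {}, set()
    for ts, host in sorted(failures(lines, expand_repeats)):
        times = [t for t in recent.get(host, []) if ts - t <= window] + [ts]
        recent[host] = times
        if len(times) >= maxretry:
            banned.add(host)
    return banned
```

With the page's jail settings (maxretry = 4, findtime = 600) the collapsed log yields two events and no ban, while the expanded log yields six and bans 83.8.19.34.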