fail2ban not banning ssh bruteforce but regex works

I've just noticed an SSH brute force against my server, which should have been banned by fail2ban, but for some reason it doesn't ban it. Most people who have problems with fail2ban seem to have problems with their regex, which seems to be fine here.

Part of jail.conf:

[ssh]
enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 6
findtime = 6000
bantime = 86400

Output of fail2ban-client status ssh:

Status for the jail: ssh
|- filter
|  |- File list:    /var/log/auth.log 
|  |- Currently failed: 0
|  `- Total failed: 0
`- action
   |- Currently banned: 0
   |  `- IP list:   
   `- Total banned: 0

Output of fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf:

Running tests
=============

Use regex file : /etc/fail2ban/filter.d/sshd.conf
Use log file   : /var/log/auth.log


Results
=======

Failregex
|- Regular expressions:
|  [1] ^\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$
|  [2] ^\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
|  [3] ^\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*Failed (?:password|publickey) for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$
|  [4] ^\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*ROOT LOGIN REFUSED.* FROM <HOST>\s*$
|  [5] ^\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*[iI](?:llegal|nvalid) user .* from <HOST>\s*$
|  [6] ^\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*User .+ from <HOST> not allowed because not listed in AllowUsers$
|  [7] ^\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*authentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
|  [8] ^\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*refused connect from \S+ \(<HOST>\)\s*$
|  [9] ^\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*Address <HOST> .* POSSIBLE BREAK-IN ATTEMPT!*\s*$
|  [10] ^\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*User .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$
|
`- Number of matches:
   [1] 0 match(es)
   [2] 0 match(es)
   [3] 380 match(es)
   [4] 0 match(es)
   [5] 353 match(es)
   [6] 26 match(es)
   [7] 0 match(es)
   [8] 0 match(es)
   [9] 0 match(es)
   [10] 0 match(es)

Ignoreregex
|- Regular expressions:
|
`- Number of matches:

Summary
=======

Addresses found:
[1]
[2]
[3]
    198.245.50.151 (Sat Dec 21 15:18:12 2013)
    198.245.50.151 (Sat Dec 21 15:18:15 2013)
    198.245.50.151 (Sat Dec 21 15:18:18 2013)
    198.245.50.151 (Sat Dec 21 15:18:21 2013)
    198.245.50.151 (Sat Dec 21 15:18:24 2013)
..................
Date template hits:
23379 hit(s): MONTH Day Hour:Minute:Second
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
..................

Success, the total number of match is 759

Any ideas why fail2ban does not ban, even though I have lots of regex matches?

Regards, fish

fish, asked Dec 21 '13 14:12

3 Answers

This question is pretty old, but I encountered the same problem, and after many, many searches I finally found the solution.

My problem was due to a change of my timezone: some time ago, I used the following command to set my correct timezone.

sudo dpkg-reconfigure tzdata

My system time was OK, but the times of the entries in auth.log were indeed shifted. And this was the problem for fail2ban: it has to compare the entries of auth.log to check whether it has to ban, keep, or unban... and the logged entries were always considered too old because of the wrong time.

I just had to restart the syslog daemon with:

sudo service rsyslog restart

Then the times were no longer shifted in auth.log, and fail2ban did its job successfully.

I hope this will help!

Louis-Marie, answered Oct 27 '22 20:10
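The question's jail settings (maxretry = 6, findtime = 6000) and the timezone explanation in this answer can be replayed with a short Python model. This is an added example, not fail2ban's own code: the failregex is a cut-down form of pattern [3] from the fail2ban-regex output above (IPv4 hosts only, plain syslog prefix), the log lines are constructed in the style of the question, and the names FAILREGEX, failures_by_host, hosts_to_ban, log_clock_skew and run_scenarios are chosen here.

```python
"""Added example: a small model of how fail2ban turns auth.log matches into
bans, plus a check for the log/system clock skew described in the answer.
Not fail2ban's code; the failregex is a cut-down form of pattern [3] and the
log lines below are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Cut-down failregex [3]: syslog timestamp, optional hostname, "sshd[pid]:",
# then the "Failed password/publickey ... from <HOST>" message.
# Assumption: IPv4 hosts only, unlike fail2ban's full <HOST> pattern.
FAILREGEX = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?:\S+ )?sshd(?:\[\d+\])?: Failed (?:password|publickey) for .* from "
    r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})(?: port \d*)?(?: ssh\d*)?$"
)

# Constructed auth.log excerpt; the attacker IP and timestamps mirror the
# fail2ban-regex summary in the question, 203.0.113.9 is a documentation IP.
SAMPLE_LOG = [
    "Dec 21 15:17:00 srv sshd[2160]: Failed password for bob from 203.0.113.9 port 50022 ssh2",
    "Dec 21 15:17:05 srv sshd[2160]: Accepted publickey for bob from 203.0.113.9 port 50022 ssh2",
    "Dec 21 15:18:12 srv sshd[2171]: Failed password for root from 198.245.50.151 port 55231 ssh2",
    "Dec 21 15:18:15 srv sshd[2173]: Failed password for root from 198.245.50.151 port 55240 ssh2",
    "Dec 21 15:18:18 srv sshd[2175]: Failed password for invalid user admin from 198.245.50.151 port 55252 ssh2",
    "Dec 21 15:18:21 srv sshd[2177]: Failed password for invalid user admin from 198.245.50.151 port 55261 ssh2",
    "Dec 21 15:18:24 srv sshd[2179]: Failed password for root from 198.245.50.151 port 55270 ssh2",
    "Dec 21 15:18:27 srv sshd[2181]: Failed password for root from 198.245.50.151 port 55284 ssh2",
    "Dec 21 15:18:30 srv sshd[2183]: Failed password for root from 198.245.50.151 port 55291 ssh2",
]


def parse_ts(ts, year):
    # Syslog timestamps carry no year ("MONTH Day Hour:Minute:Second" in the
    # fail2ban-regex output); fail2ban assumes the current one.
    return datetime.strptime(f"{ts} {year}", "%b %d %H:%M:%S %Y")


def failures_by_host(lines, year=2013):
    """Map each host to the timestamps of its matching failure lines."""
    events = defaultdict(list)
    for line in lines:
        m = FAILREGEX.match(line)
        if m:
            events[m.group("host")].append(parse_ts(m.group("ts"), year))
    return events


def hosts_to_ban(lines, now, findtime, maxretry, year=2013):
    """Hosts with at least maxretry failures inside the last findtime seconds,
    which is the condition under which fail2ban issues a ban."""
    window_start = now - timedelta(seconds=findtime)
    banned = []
    for host, times in failures_by_host(lines, year).items():
        recent = [t for t in times if window_start <= t <= now]
        if len(recent) >= maxretry:
            banned.append(host)
    return sorted(banned)


def log_clock_skew(lines, now=None, year=2013):
    """Seconds between the newest failure timestamp and now (None if no
    failures). A value larger than findtime means fresh failures already
    look expired to fail2ban, which is the symptom in this answer."""
    now = now or datetime.now()
    times = [t for ts in failures_by_host(lines, year).values() for t in ts]
    if not times:
        return None
    return (now - max(times)).total_seconds()


def run_scenarios(findtime=6000, maxretry=6):
    """Replay the jail settings from the question twice: with the log clock in
    sync with the system clock, and with the log lagging by two hours, as after
    a timezone change without an rsyslog restart."""
    in_sync = datetime(2013, 12, 21, 15, 19, 0)
    lagging = datetime(2013, 12, 21, 17, 19, 0)
    return {
        "in_sync": hosts_to_ban(SAMPLE_LOG, in_sync, findtime, maxretry),
        "skewed": hosts_to_ban(SAMPLE_LOG, lagging, findtime, maxretry),
        "skew_seconds": log_clock_skew(SAMPLE_LOG, lagging),
    }


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

Pointing log_clock_skew at a real auth.log with the current time is the quick check for this failure mode: a skew larger than the jail's findtime explains a "Currently failed: 0" status despite hundreds of fail2ban-regex matches, because fail2ban-regex only tests the pattern, not the age of each entry.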


I tried all the solutions here before I Googled it again and found the answer on ServerFault:

Running service rsyslog restart was all I needed to do and now it works as expected (of course there's the possibility that all the solutions here were necessary as well...). Unlike the poster of this question, I never deleted or edited the log file, so why this is the solution I know not.

user24601, answered Oct 27 '22 20:10


OK, this is not an official solution, but it does work:

3 months working perfectly until fail2ban upgraded and stopped banning. I can tell how hard I investigated to solve this issue, and in the end this is the only way that works.

This should work:

sudo service fail2ban stop
sudo service fail2ban start

This will not work:

sudo service fail2ban restart

IMPORTANT: Test with another device (3G cell) with an intentional failed SSH login to verify fail2ban is working. If not, service stop/start again. Sometimes some jails don't load correctly. Never trust!!!!!

EXTRA NOTES:

  • Using jail.local
  • 4 jails enabled: ssh, dovecot, apache and wootwoot
  • All jails working as a charm for months with no issue
  • Ubuntu server 14.04
  • fail2ban 0.9

Daniel Ramos, answered Oct 27 '22 19:10