I started the fail2ban service with sudo systemctl restart fail2ban.service, and it started successfully. But my SSH attempts with the wrong password from remote PCs are not being blocked; there is no IP listed in the Banned IP list.

  • It works only with fail2ban-client set sshd banip <remote_pc_IP>
  • The Banned IP list is not updating according to the maxretry attempts

/etc/fail2ban/jail.local

[DEFAULT]
default_backend = auto

[sshd]
enabled = true
mode = aggressive
port = ssh
filter = sshd
# I added the logpath below since: No file(s) found for glob /var/log/auth.log
# the file below is the only one giving the ssh connection log
logpath = /var/volatile/log/messages
maxretry = 1
#backend = systemd
# backend commented out since no sshd log was found in the journal

sudo tail -f /var/volatile/log/messages | grep "172.16.0."

Apr 11 13:27:25  auth.info sshd[1873]: Failed password for guest from 172.16.0.80 port 60486 ssh2
Apr 11 13:27:25  auth.info sshd[1873]: Failed password for guest from 172.16.0.80 port 60486 ssh2
Apr 11 13:27:25  auth.info sshd[1873]: Connection closed by authenticating user guest 172.16.0.80 port 60486 [preauth]

fail2ban-client status sshd

Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:        /var/volatile/log/messages
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:   

/var/log/fail2ban.log

2023-04-11 12:54:15,500 fail2ban.server         [692]: INFO    Starting Fail2ban v0.10.3.fix1
2023-04-11 12:54:15,516 fail2ban.database       [692]: INFO    Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2023-04-11 12:54:15,525 fail2ban.jail           [692]: INFO    Creating new jail 'sshd'
2023-04-11 12:54:15,574 fail2ban.jail           [692]: INFO    Jail 'sshd' uses pyinotify {}
2023-04-11 12:54:15,586 fail2ban.jail           [692]: INFO    Initiated 'pyinotify' backend
2023-04-11 12:54:15,589 fail2ban.filter         [692]: INFO      maxLines: 1
2023-04-11 12:54:15,756 fail2ban.server         [692]: INFO    Jail sshd is not a JournalFilter instance
2023-04-11 12:54:15,761 fail2ban.filter         [692]: INFO    Added logfile: '/var/volatile/log/messages' (pos = 0, hash = 133455cd694ec2584c1defa33b1d1eef)
2023-04-11 12:54:15,780 fail2ban.filter         [692]: INFO      maxRetry: 1
2023-04-11 12:54:15,782 fail2ban.filter         [692]: INFO      encoding: ANSI_X3.4-1968
2023-04-11 12:54:15,783 fail2ban.actions        [692]: INFO      banTime: 600
2023-04-11 12:54:15,786 fail2ban.filter         [692]: INFO      findtime: 600
2023-04-11 12:54:15,800 fail2ban.jail           [692]: INFO    Jail 'sshd' started
zaheerk
  • You also need to set a `bantime` and a `findtime`, for how long an IP is banned when `maxretry` was reached within `findtime`. -> https://linuxhint.com/change-ban-time-fail2ban/ – paladin Apr 13 '23 at 11:42
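The jail status above reports "Total failed: 0", which means the sshd filter never matched a single line of /var/volatile/log/messages, so the question is whether the BusyBox syslog line format (timestamp, then a facility.level tag such as "auth.info" where standard syslog has a hostname) gets through the filter's prefix. The script below is an added example, not part of the question or of fail2ban's own code: it uses a simplified stand-in for fail2ban's sshd "Failed password" rule whose optional token after the timestamp accepts either a hostname or the BusyBox tag, then applies the maxretry / findtime / bantime logic to the lines. The first three sample lines are the ones posted above; the "edgebox" host, the 10.0.0.5 address and their timestamps are constructed to show the findtime window expiring.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified stand-in for fail2ban's sshd "Failed password" rule (added example,
# NOT fail2ban's actual regex). The optional `\S+` token after the timestamp
# accepts a hostname (standard syslog) or a facility.level tag such as
# "auth.info" (BusyBox syslogd). Note the BusyBox lines have two spaces after
# the timestamp; `\s+` absorbs that.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})\s+"
    r"(?:\S+\s+)?"                      # hostname or BusyBox "auth.info", optional
    r"sshd\[\d+\]: Failed (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<host>[0-9a-fA-F.:]+)"
    r" port \d+ ssh\d*\s*$"
)

# Constructed sample: lines 1-3 are the ones from the question, lines 4-6 are
# made up (hostname "edgebox", address 10.0.0.5) to exercise the findtime window.
SAMPLE_LOG = """\
Apr 11 13:27:25  auth.info sshd[1873]: Failed password for guest from 172.16.0.80 port 60486 ssh2
Apr 11 13:27:25  auth.info sshd[1873]: Failed password for guest from 172.16.0.80 port 60486 ssh2
Apr 11 13:27:25  auth.info sshd[1873]: Connection closed by authenticating user guest 172.16.0.80 port 60486 [preauth]
Apr 11 13:30:01 edgebox sshd[1902]: Failed password for invalid user admin from 10.0.0.5 port 51022 ssh2
Apr 11 13:45:10 edgebox sshd[1950]: Failed password for invalid user admin from 10.0.0.5 port 51040 ssh2
Apr 11 13:45:12 edgebox sshd[1950]: Failed password for invalid user admin from 10.0.0.5 port 51040 ssh2
"""


def parse_ts(ts, year=2023):
    """Syslog timestamps carry no year; assume one so lines can be compared."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def find_bans(lines, maxretry=1, findtime=600, bantime=600):
    """Replay the jail's counting rule over log lines.

    A host is banned when `maxretry` matching failures fall within `findtime`
    seconds of each other; failures arriving while a ban is active are ignored
    and the ban lasts `bantime` seconds. Returns the number of lines the filter
    matched and the list of (host, HH:MM:SS) ban events.
    """
    fails = defaultdict(deque)     # host -> timestamps of recent failures
    ban_until = {}                 # host -> when the current ban expires
    bans, matched = [], 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue               # e.g. "Connection closed ..." is not a failure
        matched += 1
        host, ts = m["host"], parse_ts(m["ts"])
        if host in ban_until and ts < ban_until[host]:
            continue               # already banned, nothing more to do
        q = fails[host]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > findtime:
            q.popleft()            # forget failures outside the findtime window
        if len(q) >= maxretry:
            bans.append((host, ts.strftime("%H:%M:%S")))
            ban_until[host] = ts + timedelta(seconds=bantime)
            q.clear()              # fail2ban also resets the counter on ban
    return {"matched": matched, "bans": bans}


if __name__ == "__main__":
    for retries in (1, 2):
        result = find_bans(SAMPLE_LOG.splitlines(), maxretry=retries)
        print(f"maxretry={retries}: matched={result['matched']} bans={result['bans']}")
```

With maxretry = 1 (the value in the posted jail.local) the filter matches five lines and bans 172.16.0.80 on its first failure and 10.0.0.5 twice, the second time because the first ban has expired and the old failure has aged out of the findtime window; with maxretry = 2 the 13:30:01 failure of 10.0.0.5 is already outside findtime when the 13:45 pair arrives, so that host is banned only at 13:45:12. To run the same check against fail2ban's real filter instead of this stand-in, use fail2ban-regex /var/volatile/log/messages /etc/fail2ban/filter.d/sshd.conf, which reports how many lines the date pattern and the failregex matched.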

1 Answer


This issue was resolved by disabling the syslog from the BusyBox component and enabling only the journal log. Now all the SSH attempt logs go to the journal, leading to successful fail2ban tracking.

zaheerk