
I installed Fail2ban on my Ubuntu 18 server with this /etc/fail2ban/jail.local file:

[sshd]
enabled = true
port = 22
filter = sshd
logpath = /var/log/fail2ssh.log
maxretry = 2

After restarting the fail2ban service I can always see login attempts in auth.log:

Jul 26 14:43:24 vps249697 sshd[4383]: Received disconnect from 118.25.48.254 port 55848:11: Bye Bye [preauth]
Jul 26 14:43:24 vps249697 sshd[4383]: Disconnected from invalid user radik 118.25.48.254 port 55848 [preauth]
Jul 26 14:43:49 vps249697 sshd[4379]: Connection reset by invalid user adm 91.236.116.89 port 28767 [preauth]
Jul 26 14:43:50 vps249697 sshd[4385]: Invalid user adm from 91.236.116.89 port 38386
Jul 26 14:43:50 vps249697 sshd[4385]: pam_unix(sshd:auth): check pass; user unknown
Jul 26 14:43:50 vps249697 sshd[4385]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=91.236.$
Jul 26 14:43:53 vps249697 sshd[4385]: Failed password for invalid user adm from 91.236.116.89 port 38386 ssh2
Jul 26 14:43:53 vps249697 sshd[4385]: Failed password for invalid user adm from 91.236.116.89 port 38386 ssh2
Jul 26 14:43:53 vps249697 sshd[4385]: pam_unix(sshd:auth): check pass; user unknown
Jul 26 14:43:55 vps249697 sshd[4385]: Failed password for invalid user adm from 91.236.116.89 port 38386 ssh2
Jul 26 14:44:17 vps249697 sshd[4387]: Invalid user tomcat from 153.126.159.208 port 50732
Jul 26 14:44:17 vps249697 sshd[4387]: pam_unix(sshd:auth): check pass; user unknown
Jul 26 14:44:17 vps249697 sshd[4387]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=153.126$
Jul 26 14:44:18 vps249697 sshd[4389]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=187.12.$
Jul 26 14:44:19 vps249697 sshd[4387]: Failed password for invalid user tomcat from 153.126.159.208 port 50732 ssh2
Jul 26 14:44:19 vps249697 sshd[4387]: Received disconnect from 153.126.159.208 port 50732:11: Bye Bye [preauth]
Jul 26 14:44:19 vps249697 sshd[4387]: Disconnected from invalid user tomcat 153.126.159.208 port 50732 [preauth]
Jul 26 14:44:20 vps249697 sshd[4391]: Invalid user user from 173.212.232.230 port 34124
Jul 26 14:44:20 vps249697 sshd[4391]: pam_unix(sshd:auth): check pass; user unknown
Jul 26 14:44:20 vps249697 sshd[4391]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=173.212$
Jul 26 14:44:20 vps249697 sshd[4389]: Failed password for root from 187.12.167.85 port 33518 ssh2
Jul 26 14:44:21 vps249697 sshd[4389]: Received disconnect from 187.12.167.85 port 33518:11: Bye Bye [preauth]
Jul 26 14:44:21 vps249697 sshd[4389]: Disconnected from authenticating user root 187.12.167.85 port 33518 [preauth]
Jul 26 14:44:22 vps249697 sshd[4391]: Failed password for invalid user user from 173.212.232.230 port 34124 ssh2
Jul 26 14:44:22 vps249697 sshd[4391]: Received disconnect from 173.212.232.230 port 34124:11: Bye Bye [preauth]
Jul 26 14:44:22 vps249697 sshd[4391]: Disconnected from invalid user user 173.212.232.230 port 34124 [preauth]
Jul 26 14:44:27 vps249697 sshd[4385]: Connection reset by invalid user adm 91.236.116.89 port 38386 [preauth]
Jul 26 14:44:27 vps249697 sshd[4385]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=91.236.116.89
Jul 26 14:44:28 vps249697 sshd[4394]: Invalid user scan from 103.99.113.35 port 57228
Jul 26 14:44:28 vps249697 sshd[4394]: pam_unix(sshd:auth): check pass; user unknown
Jul 26 14:44:28 vps249697 sshd[4394]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.99.$
Jul 26 14:44:28 vps249697 sshd[4397]: Invalid user adm from 91.236.116.89 port 48694
Jul 26 14:44:28 vps249697 sshd[4397]: pam_unix(sshd:auth): check pass; user unknown
Jul 26 14:44:28 vps249697 sshd[4397]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=91.236.$
Jul 26 14:44:29 vps249697 sshd[4394]: Failed password for invalid user scan from 103.99.113.35 port 57228 ssh2
Jul 26 14:44:29 vps249697 sshd[4394]: Received disconnect from 103.99.113.35 port 57228:11: Bye Bye [preauth]
Jul 26 14:44:29 vps249697 sshd[4394]: Disconnected from invalid user scan 103.99.113.35 port 57228 [preauth]
Jul 26 14:44:30 vps249697 sshd[4397]: Failed password for invalid user adm from 91.236.116.89 port 48694 ssh2
Jul 26 14:44:30 vps249697 sshd[4397]: pam_unix(sshd:auth): check pass; user unknown
Jul 26 14:44:32 vps249697 sshd[4397]: Failed password for invalid user adm from 91.236.116.89 port 48694 ssh2
Jul 26 14:44:47 vps249697 sshd[4397]: pam_unix(sshd:auth): check pass; user unknown
Jul 26 14:44:49 vps249697 sshd[4397]: Failed password for invalid user adm from 91.236.116.89 port 48694 ssh2
Jul 26 14:44:49 vps249697 sshd[4397]: pam_unix(sshd:auth): check pass; user unknown
Jul 26 14:44:51 vps249697 sshd[4397]: Failed password for invalid user adm from 91.236.116.89 port 48694 ssh2

How do I ban these IPs?

Thank you for your help.

1 Answer


Your problem is here:

logpath = /var/log/fail2ssh.log

The jail option logpath is documented as the

Path to the log file which is provided to the filter

If the attempts appear in auth.log, then that is the file that should be defined as your logpath, instead of this fail2ssh.log.

Additional hint: maxretry = 2 is extremely low and will probably ban legitimate users, including yourself. Whitelisting your own IP address might be a good idea.

Esa Jokinen
  • Thank you, I changed the ssh port from 22 to my custom one and for now there are no login attempts. I also changed the logpath – Peter Valek Jul 28 '19 at 11:50
  • It's possible to check whether the filter regular expression works in general by using `fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf -v` (`fail2ban `) – Oliver Hader Sep 18 '19 at 20:29
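As an added example (not code from the question, the answer, or the fail2ban project), here is a Python replay of what the answer and the fail2ban-regex comment describe: a fail2ban-style sshd filter run over the auth.log lines from the question, followed by the jail's maxretry/findtime logic with the log path corrected and an ignoreip whitelist. The regexes are simplified versions of those in fail2ban's filter.d/sshd.conf (the real filter has many more), findtime = 600 s is fail2ban's default and is assumed here, and the 203.0.113.10 administrator address and the two lines from it are constructed to exercise the whitelist.

```python
"""Replay an auth.log excerpt through a fail2ban-style sshd filter and jail."""
import re
from datetime import datetime, timedelta

# Jail settings: the corrected jail.local points logpath at /var/log/auth.log,
# keeps maxretry = 2 from the question, uses fail2ban's default findtime of
# 10 minutes, and whitelists an administrator address. 203.0.113.10 is an
# assumed placeholder from the documentation range, not an address on the page.
MAXRETRY = 2
FINDTIME = timedelta(seconds=600)
IGNOREIP = {"127.0.0.1", "203.0.113.10"}

# Constructed sample: complete lines copied from the question's auth.log
# excerpt, plus two lines from the whitelisted address to exercise ignoreip.
SAMPLE_AUTH_LOG = """\
Jul 26 14:43:24 vps249697 sshd[4383]: Disconnected from invalid user radik 118.25.48.254 port 55848 [preauth]
Jul 26 14:43:50 vps249697 sshd[4385]: Invalid user adm from 91.236.116.89 port 38386
Jul 26 14:43:50 vps249697 sshd[4385]: pam_unix(sshd:auth): check pass; user unknown
Jul 26 14:43:53 vps249697 sshd[4385]: Failed password for invalid user adm from 91.236.116.89 port 38386 ssh2
Jul 26 14:43:55 vps249697 sshd[4385]: Failed password for invalid user adm from 91.236.116.89 port 38386 ssh2
Jul 26 14:44:17 vps249697 sshd[4387]: Invalid user tomcat from 153.126.159.208 port 50732
Jul 26 14:44:19 vps249697 sshd[4387]: Failed password for invalid user tomcat from 153.126.159.208 port 50732 ssh2
Jul 26 14:44:20 vps249697 sshd[4389]: Failed password for root from 187.12.167.85 port 33518 ssh2
Jul 26 14:44:21 vps249697 sshd[4389]: Disconnected from authenticating user root 187.12.167.85 port 33518 [preauth]
Jul 26 14:44:25 vps249697 sshd[4400]: Failed password for admin from 203.0.113.10 port 50000 ssh2
Jul 26 14:44:26 vps249697 sshd[4400]: Failed password for admin from 203.0.113.10 port 50000 ssh2
Jul 26 14:44:27 vps249697 sshd[4385]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=91.236.116.89
"""

HOST = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
# Simplified stand-ins for patterns in fail2ban's filter.d/sshd.conf; use
# fail2ban-regex to test the real filter against the real log.
FAILREGEX = [
    re.compile(r"Failed \S+ for (?:invalid user )?\S+ from " + HOST + r" port \d+ ssh2"),
    re.compile(r"Invalid user \S+ from " + HOST + r" port \d+"),
    re.compile(r"PAM \d+ more authentication failures?;.* rhost=" + HOST),
]
TIMESTAMP = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) ")


def parse_failures(log_text):
    """Return (timestamp, ip) for every line some failregex matches, in log order."""
    found = []
    for line in log_text.splitlines():
        m_ts = TIMESTAMP.match(line)
        if not m_ts:
            continue
        # syslog timestamps carry no year; strptime fills in 1900, which is
        # fine for the time differences the jail needs.
        ts = datetime.strptime(m_ts.group("ts"), "%b %d %H:%M:%S")
        for rx in FAILREGEX:
            m = rx.search(line)
            if m:
                found.append((ts, m.group("ip")))
                break
    return found


def simulate_jail(log_text, maxretry=MAXRETRY, findtime=FINDTIME, ignoreip=IGNOREIP):
    """Apply the jail's sliding window: an IP is banned once it has maxretry
    matched failures inside findtime. Returns {ip: timestamp of the ban}."""
    window = {}
    banned = {}
    for ts, ip in parse_failures(log_text):
        if ip in ignoreip or ip in banned:
            continue
        recent = [t for t in window.get(ip, []) if ts - t <= findtime]
        recent.append(ts)
        window[ip] = recent
        if len(recent) >= maxretry:
            banned[ip] = ts
    return banned


if __name__ == "__main__":
    for ts, ip in parse_failures(SAMPLE_AUTH_LOG):
        print(f"match  {ts.strftime('%H:%M:%S')}  {ip}")
    for ip, ts in simulate_jail(SAMPLE_AUTH_LOG).items():
        print(f"ban    {ts.strftime('%H:%M:%S')}  {ip}")
```

With maxretry = 2, 91.236.116.89 and 153.126.159.208 are banned on their second matched line, 187.12.167.85 survives because the excerpt holds only one failure from it, and the whitelisted administrator address is never counted even though it also fails twice. Pointing the real jail at /var/log/auth.log is what lets the real filter see these lines at all.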