I configured a jail for a PHP application login page, but failed login attempts:

stephane@example:~$ tail -400f /home/stephane/dev/docker/projects/common/volumes/logs/php_error_log
[15-Oct-2019 12:15:18 Europe/London] (10.255.0.2) [WARNING] fail2ban -- Failed admin login attempt for root at https://www.example.com:83

never trigger a ban:

Every 2.0s: fail2ban-client status learnintouch-admin                                                example.com: Tue Oct 15 13:21:17 2019

Status for the jail: learnintouch-admin
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:        /home/stephane/dev/docker/projects/common/volumes/logs/php_error_log
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:

Running at DEBUG level shows that fail2ban notices the log file has been modified:

stephane@example:~$ sudo tail -f /var/log/fail2ban.log
[sudo] password for stephane: 
2019-10-15 12:57:38,814 fail2ban.CommandAction  [25514]: DEBUG     Set blocktype = 'reject'
2019-10-15 12:57:38,814 fail2ban.CommandAction  [25514]: DEBUG     Set destination = 'any'
2019-10-15 12:57:38,814 fail2ban.CommandAction  [25514]: DEBUG     Set application = ''
2019-10-15 12:57:38,814 fail2ban.jail           [25514]: DEBUG   Starting jail 'learnintouch-admin'
2019-10-15 12:57:38,814 fail2ban.filterpoll     [25514]: DEBUG   /home/stephane/dev/docker/projects/common/volumes/logs/php_error_log has been modified
2019-10-15 12:57:38,815 fail2ban.filter         [25514]: DEBUG   Seek to find time 1571136458.8108385 (2019-10-15 12:47:38), file size 0
2019-10-15 12:57:38,815 fail2ban.filter         [25514]: DEBUG   Position -1 from 0, found time None () within 0 seeks
2019-10-15 12:57:38,816 fail2ban.jail           [25514]: INFO    Jail 'learnintouch-admin' started
2019-10-15 13:15:18,414 fail2ban.filterpoll     [25514]: DEBUG   /home/stephane/dev/docker/projects/common/volumes/logs/php_error_log has been modified

Testing the regex shows it is a match:

stephane@example:~/dev/docker/projects/learnintouch/www.example/app$ fail2ban-regex /home/stephane/dev/docker/projects/common/volumes/logs/php_error_log "\(<HOST>\) \[WARNING\] fail2ban -- Failed admin login attempt for"

Running tests
=============

Use   failregex line : \(<HOST>\) \[WARNING\] fail2ban -- Failed admin lo...
Use         log file : /home/stephane/dev/docker/projects/common/volumes/logs/php_error_log
Use         encoding : UTF-8


Results
=======

Failregex: 6 total
|-  #) [# of hits] regular expression
|   1) [6] \(<HOST>\) \[WARNING\] fail2ban -- Failed admin login attempt for
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [6] {^LN-BEG}Day(?P<_sep>[-/])MON(?P=_sep)ExYear[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
`-

Lines: 6 lines, 0 ignored, 6 matched, 0 missed
[processed in 0.02 sec]

My configuration /etc/fail2ban/jail.local file contains:

[DEFAULT]
ignoreip = 127.0.0.1/8
bantime = 1800
findtime = 600
maxretry = 5
banaction = ufw

[sshd]
enabled = false

[learnintouch-admin]
enabled = true
port = 81,83
filter = learnintouch-admin.fail2ban
logpath = /home/stephane/dev/docker/projects/common/volumes/logs/php_error_log

The jail configuration /etc/fail2ban/filter.d/learnintouch-admin.fail2ban.conf file:

[INCLUDES]

before = common.conf

[Definition]

failregex = \(<HOST>\) \[WARNING\] fail2ban -- Failed admin login attempt for

I installed fail2ban with the following commands:

sudo apt-get install fail2ban
sudo apt-get install iptables-persistent

I configured the /etc/fail2ban/action.d/ufw.conf file:

[Definition]
actionstart =
actionstop =
actioncheck =
actionban = ufw insert 1 deny from <ip> to any port 83
actionunban = ufw delete deny from <ip> to any port 83

The ufw firewall status:

stephane@example:~/dev/docker/projects/user-rest/app$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp (OpenSSH)           ALLOW IN    Anywhere                  
80/tcp                     ALLOW IN    Anywhere                  
443/tcp                    ALLOW IN    Anywhere                  
3306                       ALLOW IN    127.0.0.0                 
6379                       ALLOW IN    127.0.0.0                 
8080                       ALLOW IN    Anywhere                  
81                         ALLOW IN    Anywhere                  
83                         ALLOW IN    Anywhere                  
8443                       ALLOW IN    Anywhere                  
9001                       ALLOW IN    Anywhere                  
5000                       ALLOW IN    127.0.0.0                 
22                         ALLOW IN    Anywhere                  
22/tcp                     ALLOW IN    Anywhere                  
Anywhere                   ALLOW IN    Anywhere                  
82                         ALLOW IN    Anywhere                  
443                        ALLOW IN    Anywhere                  
22/tcp (OpenSSH (v6))      ALLOW IN    Anywhere (v6)             
80/tcp (v6)                ALLOW IN    Anywhere (v6)             
443/tcp (v6)               ALLOW IN    Anywhere (v6)             
8080 (v6)                  ALLOW IN    Anywhere (v6)             
81 (v6)                    ALLOW IN    Anywhere (v6)             
83 (v6)                    ALLOW IN    Anywhere (v6)             
8443 (v6)                  ALLOW IN    Anywhere (v6)             
9001 (v6)                  ALLOW IN    Anywhere (v6)             
22 (v6)                    ALLOW IN    Anywhere (v6)             
22/tcp (v6)                ALLOW IN    Anywhere (v6)             
Anywhere (v6)              ALLOW IN    Anywhere (v6)             
82 (v6)                    ALLOW IN    Anywhere (v6)             
443 (v6)                   ALLOW IN    Anywhere (v6)    

If I restart fail2ban and fail 6 login attempts in a row, the log shows only:

stephane@thalasoft:~$ sudo tail -f /var/log/fail2ban.log
2019-10-23 10:11:02,395 fail2ban.datetemplate   [12908]: DEBUG     constructed regex (?:^|\b|\W)(?iu)((?:(?P<Z>Z|[A-Z]{3,5}) )?(?:(?P<a>mon|tue|wed|thu|fri|sat|sun) )?(?P<b>jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec) (?P<d>3[0-1]|[1-2]\d|0[1-9]|[1-9]| [1-9])  ?(?P<H>[0-2]?\d):(?P<M>[0-5]\d|\d):(?P<S>6[0-1]|[0-5]\d|\d)(?:\.(?P<f>[0-9]{1,6}))?(?: (?P<Y>(?:201|202)\d))?)(?=\b|\W|$)
2019-10-23 10:11:02,395 fail2ban.datetemplate   [12908]: DEBUG     constructed regex ^(?:\W{0,2})?(?iu)((?:(?P<Z>Z|[A-Z]{3,5}) )?(?:(?P<a>mon|tue|wed|thu|fri|sat|sun) )?(?P<b>jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec) (?P<d>3[0-1]|[1-2]\d|0[1-9]|[1-9]| [1-9])  ?(?P<H>[0-2]?\d):(?P<M>[0-5]\d|\d):(?P<S>6[0-1]|[0-5]\d|\d)(?:\.(?P<f>[0-9]{1,6}))?(?: (?P<Y>(?:201|202)\d))?)(?=\b|\W|$)
2019-10-23 10:11:02,395 fail2ban.datetemplate   [12908]: DEBUG     constructed regex (?:^|\b|\W)(?iu)((?:(?P<z>Z|UTC|GMT|[+-][01]\d(?::?\d{2})?) )?(?:(?P<a>mon|tue|wed|thu|fri|sat|sun) )?(?P<b>jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec) (?P<d>3[0-1]|[1-2]\d|0[1-9]|[1-9]| [1-9])  ?(?P<H>[0-2]?\d):(?P<M>[0-5]\d|\d):(?P<S>6[0-1]|[0-5]\d|\d)(?:\.(?P<f>[0-9]{1,6}))?(?: (?P<Y>(?:201|202)\d))?)(?=\b|\W|$)
2019-10-23 10:11:02,395 fail2ban.datetemplate   [12908]: DEBUG     constructed regex ^(?:\W{0,2})?(?iu)((?:(?P<z>Z|UTC|GMT|[+-][01]\d(?::?\d{2})?) )?(?:(?P<a>mon|tue|wed|thu|fri|sat|sun) )?(?P<b>jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec) (?P<d>3[0-1]|[1-2]\d|0[1-9]|[1-9]| [1-9])  ?(?P<H>[0-2]?\d):(?P<M>[0-5]\d|\d):(?P<S>6[0-1]|[0-5]\d|\d)(?:\.(?P<f>[0-9]{1,6}))?(?: (?P<Y>(?:201|202)\d))?)(?=\b|\W|$)
2019-10-23 10:11:02,399 fail2ban.datetemplate   [12908]: DEBUG     constructed regex (@[0-9a-f]{24})(?=\b|\W|$)
2019-10-23 10:11:02,399 fail2ban.datetemplate   [12908]: DEBUG     constructed regex ^(?:\W{0,2})?(@[0-9a-f]{24})(?=\b|\W|$)
2019-10-23 10:11:05,628 fail2ban.filterpoll     [12908]: DEBUG   /home/stephane/dev/docker/projects/common/volumes/logs/php_error_log has been modified
2019-10-23 10:11:10,242 fail2ban.filterpoll     [12908]: DEBUG   /home/stephane/dev/docker/projects/common/volumes/logs/php_error_log has been modified
2019-10-23 10:11:12,452 fail2ban.filterpoll     [12908]: DEBUG   /home/stephane/dev/docker/projects/common/volumes/logs/php_error_log has been modified
2019-10-23 10:11:14,456 fail2ban.filterpoll     [12908]: DEBUG   /home/stephane/dev/docker/projects/common/volumes/logs/php_error_log has been modified
2019-10-23 10:12:11,743 fail2ban.filterpoll     [12908]: DEBUG   /home/stephane/dev/docker/projects/common/volumes/logs/php_error_log has been modified
2019-10-23 10:12:14,359 fail2ban.filterpoll     [12908]: DEBUG   /home/stephane/dev/docker/projects/common/volumes/logs/php_error_log has been modified
2019-10-23 10:12:16,362 fail2ban.filterpoll     [12908]: DEBUG   /home/stephane/dev/docker/projects/common/volumes/logs/php_error_log has been modified

The iptables input and output configuration:

stephane@thalasoft:~$ sudo iptables -n -L INPUT
Chain INPUT (policy DROP)
target     prot opt source               destination         
f2b-sshd   tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 22
ufw-before-logging-input  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-before-input  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-after-input  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-after-logging-input  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-reject-input  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-track-input  all  --  0.0.0.0/0            0.0.0.0/0           
stephane@thalasoft:~$ sudo iptables -n -L OUTPUT
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ufw-before-logging-output  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-before-output  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-after-output  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-after-logging-output  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-reject-output  all  --  0.0.0.0/0            0.0.0.0/0           
ufw-track-output  all  --  0.0.0.0/0            0.0.0.0/0           
stephane@thalasoft:~$

UPDATE: I also installed fail2ban from source, the 0.10.4 version and then the 0.10.3 version.

sudo apt-get remove fail2ban
wget https://github.com/fail2ban/fail2ban/archive/0.10.3.tar.gz
mv 0.10.3.tar.gz fail2ban-0.10.3.tar.gz
gzip -d fail2ban-0.10.3.tar.gz
tar -xvf fail2ban-0.10.3.tar
cd ~/programs/fail2ban-0.10.3
mkdir ~/programs/install/fail2ban
sudo python setup.py install --root=~/programs/install/fail2ban
sudo cp files/debian-initd /etc/init.d/fail2ban
sudo update-rc.d fail2ban defaults
sudo systemctl unmask fail2ban.service
sudo service fail2ban start

But I still got the exact same error under both source versions.

UPDATE: I can see many incoming blocked login attempts in the /var/log/ufw.log file:

Oct 23 10:19:01 thalasoft kernel: [336294.072283] [UFW BLOCK] IN=ens3 OUT= MAC=56:00:02:39:59:aa:fe:00:02:39:59:aa:08:00 SRC=218.92.0.204 DST=149.28.60.185 LEN=700 TOS=0x00 PREC=0x00 TTL=48 ID=55749 DF PROTO=TCP SPT=50112 DPT=22 WINDOW=229 RES=0x00 ACK PSH URGP=0 
Oct 23 10:19:07 thalasoft kernel: [336300.735374] [UFW BLOCK] IN=ens3 OUT= MAC=56:00:02:39:59:aa:fe:00:02:39:59:aa:08:00 SRC=185.156.73.52 DST=149.28.60.185 LEN=40 TOS=0x00 PREC=0x00 TTL=243 ID=47855 PROTO=TCP SPT=55690 DPT=281 WINDOW=1024 RES=0x00 SYN URGP=0 
Oct 23 10:20:13 thalasoft kernel: [336366.115758] [UFW BLOCK] IN=ens3 OUT= MAC=56:00:02:39:59:aa:fe:00:02:39:59:aa:08:00 SRC=185.156.73.52 DST=149.28.60.185 LEN=40 TOS=0x00 PREC=0x00 TTL=243 ID=958 PROTO=TCP SPT=55690 DPT=147 WINDOW=1024 RES=0x00 SYN URGP=0

This happens even though I stopped the fail2ban server.

Stephane
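One detail in the excerpt above is worth checking: the PHP log line is stamped 12:15:18 Europe/London, while fail2ban's own log records the file modification at 13:15:18. A jail only counts failures whose parsed timestamp falls within findtime of the clock fail2ban uses, so a line that looks an hour old is silently ignored and never reaches maxretry. The following Python example is added here to illustrate that mechanism; it is not code from the question or from fail2ban itself. It parses the page's log format with the page's failregex, emulates the findtime/maxretry counting, and compares a clock that agrees with the log against one that is an hour ahead. The `<HOST>` expansion and the zone-offset table are simplifying assumptions (no tz database needed), and the sample log lines are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Stand-in for fail2ban's <HOST> expansion (assumption: a simplified version of
# the pattern fail2ban substitutes; it is enough for dotted IPv4 addresses).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
# The failregex from the jail filter on the page, with <HOST> expanded.
FAIL_RE = re.compile(
    r"\(<HOST>\) \[WARNING\] fail2ban -- Failed admin login attempt for".replace("<HOST>", HOST_RE)
)
# PHP error_log prefix, e.g. "[15-Oct-2019 12:15:18 Europe/London]".
DATE_RE = re.compile(r"^\[(\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}) ([A-Za-z_/]+)\]")
# Constructed zone table (assumption) so the example runs without the tz database:
# Europe/London was on BST (UTC+1) on 15 Oct 2019.
ZONE_OFFSET_HOURS = {"Europe/London": 1, "UTC": 0}


def parse_line(line):
    """Return (aware timestamp, host) for a failed-login line, or None if it does not match."""
    d = DATE_RE.match(line)
    f = FAIL_RE.search(line)  # search, not match: the date prefix precedes the host
    if not d or not f:
        return None
    tz = timezone(timedelta(hours=ZONE_OFFSET_HOURS[d.group(2)]))
    stamp = datetime.strptime(d.group(1), "%d-%b-%Y %H:%M:%S").replace(tzinfo=tz)
    return stamp, f.group("host")


def hosts_to_ban(lines, now, findtime=600, maxretry=5):
    """Emulate a jail's counting: only failures within `findtime` seconds before `now`
    count; every host that reaches `maxretry` of them is returned."""
    recent = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        stamp, host = parsed
        if now - stamp > timedelta(seconds=findtime):
            continue  # older than the window: ignored, just as the jail ignores it
        recent[host] = recent.get(host, 0) + 1
    return {host for host, n in recent.items() if n >= maxretry}


# Constructed sample: six failures from one address, stamped in the PHP log's own zone.
SAMPLE_LINES = [
    f"[15-Oct-2019 12:15:{10 + i:02d} Europe/London] (10.255.0.2) [WARNING] fail2ban -- "
    "Failed admin login attempt for root at https://www.example.com:83"
    for i in range(6)
]
LONDON = timezone(timedelta(hours=1))
# The clock fail2ban uses agrees with the log: a ban is expected.
CLOCKS_AGREE = datetime(2019, 10, 15, 12, 16, 0, tzinfo=LONDON)
# The clock fail2ban uses is one hour ahead of the log (13:15:18 vs 12:15:18 in the
# page's excerpt): every line is an hour old, outside a 600 s findtime, so no ban.
CLOCK_AHEAD = datetime(2019, 10, 15, 13, 16, 0, tzinfo=LONDON)

if __name__ == "__main__":
    print("clocks agree:", hosts_to_ban(SAMPLE_LINES, CLOCKS_AGREE))
    print("clock ahead: ", hosts_to_ban(SAMPLE_LINES, CLOCK_AHEAD))
```

The practical check this suggests is to compare the timestamp and zone written by the PHP container with `date` on the host running fail2ban; fail2ban-regex reports a regex match regardless of how old the line is, so a 6/6 match does not by itself prove the jail will count those lines.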
  • Does fail2ban-client state that anyone is banned? Check banaction in jail.conf, and check your firewall configuration. Most of the time the issue is a missing link from the INPUT/OUTPUT chains to the fail2ban chains. https://serverfault.com/a/853413/216275 – Marco Oct 19 '19 at 13:27
  • Apart from doing a `fail2ban-client status learnintouch-admin`, how do I see whether `fail2ban-client` bans anyone? And I'm using the `ufw` firewall, so could you tell me more about how to check these chains you are talking about? – Stephane Oct 19 '19 at 18:51
  • `iptables-save > firewall.rules` will generate your firewall configuration file, despite the fact that you are using ufw. `fail2ban-client status` will tell you if someone is banned. `zgrep 'Ban:' /var/log/fail2ban.log*` will tell you who has been banned in the past. Every command might need sudo depending on the system configuration. – Marco Oct 19 '19 at 20:16
  • @Marco Then no one is banned. – Stephane Oct 19 '19 at 20:19

1 Answer

failregex = \(<HOST>\) \[WARNING\] fail2ban -- Failed admin login attempt for

cannot work, because there are characters in front of HOST, try something like:

failregex = ^.*\(<HOST>\) \[WARNING\] fail2ban -- Failed admin login attempt for
Andre
  • How come the regex test matches, then? I applied your suggestion anyway, but it changed nothing. – Stephane Oct 15 '19 at 13:03
  • You're right, but I had a comparable case and couldn't make it work without the mentioned change. But maybe your case is different. – Andre Oct 15 '19 at 13:11
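To make the effect of the suggested `^.*` prefix concrete, here is an added Python example (mine, not from the answer or from fail2ban's code) that runs both patterns against the log line from the question under search semantics (a match anywhere in the line) and under match semantics (the match must begin at offset 0). The `<HOST>` expansion is a simplified assumption. The 6/6 result from fail2ban-regex in the question is consistent with search-style matching, under which the prefix changes nothing; the prefix only matters if the pattern is required to match from the start of the line.

```python
import re

# Simplified stand-in for fail2ban's <HOST> expansion (assumption).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
# The filter's original failregex and the variant proposed in the answer.
ORIGINAL = r"\(<HOST>\) \[WARNING\] fail2ban -- Failed admin login attempt for"
ANCHORED = r"^.*\(<HOST>\) \[WARNING\] fail2ban -- Failed admin login attempt for"
# The log line quoted in the question, used as the sample input.
LINE = ("[15-Oct-2019 12:15:18 Europe/London] (10.255.0.2) [WARNING] fail2ban -- "
        "Failed admin login attempt for root at https://www.example.com:83")


def extract_host(pattern, line, from_start=False):
    """Return the captured host, using re.match (must match at offset 0) when
    from_start is True and re.search (anywhere in the line) otherwise."""
    rx = re.compile(pattern.replace("<HOST>", HOST_RE))
    m = rx.match(line) if from_start else rx.search(line)
    return m.group("host") if m else None


def compare(line=LINE):
    """Run both patterns under both semantics and report the host each one captures."""
    return {
        "search/original": extract_host(ORIGINAL, line),
        "search/anchored": extract_host(ANCHORED, line),
        "match/original": extract_host(ORIGINAL, line, from_start=True),
        "match/anchored": extract_host(ANCHORED, line, from_start=True),
    }


if __name__ == "__main__":
    for name, host in compare().items():
        print(f"{name:16s} -> {host}")
```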