
I noticed something strange on my Ubuntu Xenial server.
It has SSH on the default port and it has fail2ban.
Fail2ban is detecting brute force attempts on the server, and they are logged accordingly:

2017-01-12 10:58:19,927 fail2ban.filter    [23119]: INFO    [sshd] Found x.x.x.x
2017-01-12 11:03:27,808 fail2ban.filter    [23119]: INFO    [sshd] Found x.x.x.x
2017-01-12 11:08:37,936 fail2ban.filter    [23119]: INFO    [sshd] Found x.x.x.x
2017-01-12 11:13:51,538 fail2ban.filter    [23119]: INFO    [sshd] Found x.x.x.x
2017-01-12 11:18:57,939 fail2ban.filter    [23119]: INFO    [sshd] Found x.x.x.x
2017-01-12 11:24:10,399 fail2ban.filter    [23119]: INFO    [sshd] Found x.x.x.x
2017-01-12 11:29:23,161 fail2ban.filter    [23119]: INFO    [sshd] Found x.x.x.x
2017-01-12 11:34:34,064 fail2ban.filter    [23119]: INFO    [sshd] Found x.x.x.x
2017-01-12 11:39:44,540 fail2ban.filter    [23119]: INFO    [sshd] Found x.x.x.x

x.x.x.x is the same IP in all instances, and this guy is just phishing random usernames, as seen in auth.log:

Jan 12 12:05:46 MYSERVER sshd[23579]: Invalid user journalist from x.x.x.x
Jan 12 12:05:46 MYSERVER sshd[23579]: input_userauth_request: invalid user journalist [preauth]
Jan 12 12:05:46 MYSERVER sshd[23579]: Received disconnect from x.x.x.x port 47995:11: Normal Shutdown, Thank you for playing [preauth]
Jan 12 12:05:46 MYSERVER sshd[23579]: Disconnected from x.x.x.x port 47995 [preauth]

Fail2ban sees them and lists them as "Found", but is not banning. Any ideas?

Edit:

cat /etc/fail2ban/jail.d/myjails.local
[apache-auth]
enabled = true

[sshd-ddos]
enabled = true

[recidive]
enabled = true

[dovecot]
enabled = true

[postfix]
enabled=true

The remaining config files are left as-is with the sane defaults from Ubuntu; namely, /etc/fail2ban/jail.conf has:

[sshd]

port    = ssh
logpath = %(sshd_log)s


[sshd-ddos]
# This jail corresponds to the standard configuration in Fail2ban.
# The mail-whois action send a notification e-mail with a whois request
# in the body.
port    = ssh
logpath = %(sshd_log)s

and we have:

cat /etc/fail2ban/jail.d/defaults-debian.conf
[sshd]
enabled = true
  • Please show us the config for the relevant jails. – user9517, Jan 12, 2017 at 10:55
  • @istheEnglishway Post edited accordingly. – Jan 12, 2017 at 11:12
  • What do you have configured as banaction? (should be in jail.conf by default) – Jan 12, 2017 at 11:28
  • @GeraldSchneider banaction = iptables-multiport – Jan 12, 2017 at 11:41
  • What's the config in /etc/fail2ban/action.d/iptables-multiport.conf? – Lenniey, Jan 12, 2017 at 16:00

1 Answer

Fail2ban appears to be rightfully not banning anyone: your provided log does not show anyone exceeding the default limits that Ubuntu Xenial ships with fail2ban.

Look in your /etc/fail2ban/jail.conf: in the [DEFAULT] section there are the parameters findtime (default 600 seconds, so 10 minutes) and maxretry (default 5 times, within that find window). This means that someone who is trying just a few passwords an hour will simply not trigger it.

Note that you don't need to change this file (and should not, so that it can be upgraded cleanly). You can put the [DEFAULT] block into your /etc/fail2ban/jail.d/myjails.local as well:

[DEFAULT]
findtime = 3600
bantime = 3600
maxretry = 4
  • Look into the beginning of the file jail.conf; it actually gives some hints about how and why.
  • Don't lock yourself out.
  • Your passwords should be strong enough that you can be at ease knowing there's a couple of people trying a couple of passwords per hour without finding anything in a million years.
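To make the findtime/maxretry interaction concrete, here is an added example (not part of the answer or of fail2ban itself) that replays the "Found" lines from the question through a sliding-window counter approximating fail2ban's rule: a host is banned once `maxretry` failures fall within any `findtime`-second window. The log sample is constructed from the question's lines with the redacted `x.x.x.x` replaced by the documentation address `192.0.2.10`; the function and variable names are my own.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: the fail2ban.log "Found" lines from the question,
# with the redacted x.x.x.x replaced by a documentation (TEST-NET-1) address.
SAMPLE_LOG = """\
2017-01-12 10:58:19,927 fail2ban.filter    [23119]: INFO    [sshd] Found 192.0.2.10
2017-01-12 11:03:27,808 fail2ban.filter    [23119]: INFO    [sshd] Found 192.0.2.10
2017-01-12 11:08:37,936 fail2ban.filter    [23119]: INFO    [sshd] Found 192.0.2.10
2017-01-12 11:13:51,538 fail2ban.filter    [23119]: INFO    [sshd] Found 192.0.2.10
2017-01-12 11:18:57,939 fail2ban.filter    [23119]: INFO    [sshd] Found 192.0.2.10
2017-01-12 11:24:10,399 fail2ban.filter    [23119]: INFO    [sshd] Found 192.0.2.10
2017-01-12 11:29:23,161 fail2ban.filter    [23119]: INFO    [sshd] Found 192.0.2.10
2017-01-12 11:34:34,064 fail2ban.filter    [23119]: INFO    [sshd] Found 192.0.2.10
2017-01-12 11:39:44,540 fail2ban.filter    [23119]: INFO    [sshd] Found 192.0.2.10
"""

# Matches the fail2ban.log format shown in the question (timestamp, jail name, IP).
FOUND_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"fail2ban\.filter\s+\[\d+\]: INFO\s+\[(?P<jail>[^\]]+)\] Found (?P<ip>\S+)$"
)


def parse_found(log_text):
    """Group 'Found' timestamps by (jail, ip): {(jail, ip): [datetime, ...]}."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = FOUND_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f")
            hits[(m["jail"], m["ip"])].append(ts)
    return hits


def first_ban(times, findtime, maxretry):
    """Sliding-window replay of the ban rule.

    Returns (ban_time, peak): ban_time is the timestamp of the failure that
    brought the count within `findtime` seconds up to `maxretry` (None if that
    never happens); peak is the largest number of failures seen in any window.
    """
    window = deque()
    peak = 0
    for t in sorted(times):
        window.append(t)
        # Drop failures that fell out of the findtime window.
        while (t - window[0]).total_seconds() > findtime:
            window.popleft()
        peak = max(peak, len(window))
        if len(window) >= maxretry:
            return t, peak
    return None, peak


def evaluate(log_text, findtime=600, maxretry=5):
    """Apply first_ban() to every (jail, ip) seen in the log. Defaults mirror
    the Ubuntu Xenial jail.conf values named in the answer."""
    return {
        key: first_ban(times, findtime, maxretry)
        for key, times in parse_found(log_text).items()
    }


if __name__ == "__main__":
    for label, settings in (("defaults", {}), ("tuned", {"findtime": 3600, "maxretry": 4})):
        for (jail, ip), (ban_at, peak) in evaluate(SAMPLE_LOG, **settings).items():
            print(f"{label}: [{jail}] {ip} peak={peak} ban_at={ban_at}")
```

With the defaults (findtime 600, maxretry 5) the attempts arrive a little over five minutes apart, so no ten-minute window ever holds more than two of them and no ban fires, which is exactly what the question's log shows. With the answer's suggested findtime 3600 and maxretry 4, the fourth attempt at 11:13:51 triggers the ban.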