[SOLVED] fail2ban not banning user
On a whim, I checked /var/log/auth.log and saw brute force attempts for root from a couple of IPs in China, happily going on while I thought fail2ban was working.
From what I've gathered from Google, fail2ban seems to be set up correctly (I haven't modified defaults, just made a copy of jail.conf to jail.local). sshd is the only service enabled in jail.local, and all filters are set to defaults.
Also, fail2ban-server is running and fail2ban-client is able to find it. sudo fail2ban-client status displays:
Status
|- Number of jail: 1
`- Jail list: ssh
I tried ssh'ing in from another VPS of mine, and confirmed that it doesn't ban me after 6 (or more) incorrect attempts.
I also tried installing gamin, and set backend = gamin in jail.local, no dice.
For now, I've disabled root login and changed the SSH port, but I'd like to get fail2ban running. Any pointers?
Edit: Debian 8, KVM, dotdeb repositories, Fail2Ban v0.8.13
Edit: Solved: Problem was that sshd was logging in a different timezone. I rebooted, and it works fine now! (thanks @ATHK)
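The root cause found in this thread (sshd stamping auth.log in one time zone while the system clock, and therefore fail2ban, runs in another) can be reproduced with the following script. It is an added example, not the thread's or fail2ban's own code: it emulates the one check that matters here, namely that fail2ban only counts a matched failure whose log timestamp falls within the last findtime seconds of the current clock, so entries that read as hours old are silently dropped before they reach the per-IP counter. The auth.log lines, host name, PIDs, the 198.51.100.7 address, the year 2016 (syslog lines carry none) and the findtime=600/maxretry=6 values are all constructed for the demo; clock_skew_seconds is an added diagnostic, not a fail2ban feature.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of /var/log/auth.log lines (syslog format: no year, no
# time zone). Host name, PIDs and addresses are made up for this demo.
AUTH_LOG = """\
Jan 12 10:40:01 vps sshd[2231]: Failed password for root from 198.51.100.7 port 40211 ssh2
Jan 12 10:40:03 vps sshd[2231]: Failed password for root from 198.51.100.7 port 40211 ssh2
Jan 12 10:40:05 vps sshd[2233]: Failed password for root from 198.51.100.7 port 40212 ssh2
Jan 12 10:40:07 vps sshd[2235]: Failed password for invalid user admin from 198.51.100.7 port 40213 ssh2
Jan 12 10:40:09 vps sshd[2237]: Failed password for root from 198.51.100.7 port 40214 ssh2
Jan 12 10:40:11 vps sshd[2239]: Failed password for root from 198.51.100.7 port 40215 ssh2
Jan 12 10:40:30 vps sshd[2241]: Accepted publickey for deploy from 203.0.113.9 port 5022 ssh2
"""

# Simplified stand-in for the sshd filter's failregex (demo only).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)
TS_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) ")

UTC = timezone.utc
IST = timezone(timedelta(hours=5, minutes=30))  # UTC+05:30, the zone from the thread

# The "system clock" fail2ban would read, fixed so the demo is reproducible (GMT).
DEMO_NOW = datetime(2016, 1, 12, 10, 40, 40, tzinfo=UTC)


def parse_syslog_time(ts, year, log_tz):
    """A syslog timestamp carries neither year nor zone; the reader must assume both."""
    naive = datetime.strptime("%d %s" % (year, ts), "%Y %b %d %H:%M:%S")
    return naive.replace(tzinfo=log_tz)


def count_failures(log_text, now, log_tz, findtime=600, maxretry=6, year=2016):
    """Emulate fail2ban's window check: a matched failure whose timestamp is
    older than `findtime` seconds relative to the clock is discarded and never
    reaches the per-IP counter. Returns ({ip: hits}, {ips that reached maxretry})."""
    hits = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        when = parse_syslog_time(m["ts"], year, log_tz)
        if when < now - timedelta(seconds=findtime):
            continue  # outside the findtime window: ignored, exactly the symptom in the thread
        hits[m["ip"]] = hits.get(m["ip"], 0) + 1
    banned = {ip for ip, n in hits.items() if n >= maxretry}
    return hits, banned


def clock_skew_seconds(log_text, now, log_tz, year=2016):
    """Diagnostic: how far the newest log timestamp sits behind the clock.
    A few seconds is normal; hours means the logger and the clock disagree on zone."""
    newest = None
    for line in log_text.splitlines():
        m = TS_RE.match(line)
        if m:
            when = parse_syslog_time(m["ts"], year, log_tz)
            if newest is None or when > newest:
                newest = when
    return (now - newest).total_seconds()


if __name__ == "__main__":
    # Same log lines, read once as UTC (matches the clock) and once as IST
    # (what a misconfigured sshd wrote): the 5.5 h offset empties the window.
    for tz_name, tz in (("UTC", UTC), ("IST", IST)):
        hits, banned = count_failures(AUTH_LOG, DEMO_NOW, tz)
        skew = clock_skew_seconds(AUTH_LOG, DEMO_NOW, tz)
        print("log written in %s: hits=%s banned=%s skew=%.0fs"
              % (tz_name, hits, sorted(banned), skew))
```

Run it and the UTC pass reports six hits and a ban for 198.51.100.7 with a 10 s skew, while the IST pass reports no hits at all and a skew of 19810 s; a skew of hours between the newest auth.log line and `date` is the quick check for this class of problem, and it explains why fail2ban.log showed no "Found" lines rather than an error.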
Comments
Is there an issue with iptables perhaps?
iptables is working fine, it seems. First thing I did when I saw the attempt was iptables -j DROP, and it worked.
Also, I just checked on another Debian 7 VPS with the same default setup, and fail2ban has logged 367 bans in the past, while this server reports 0.
Hello,
Did you try to reload the configuration?
#sudo fail2ban-client reload
Might be helpful to tail the fail2ban logs during the reload to check if there is any error.
Check your /var/log/fail2ban.log. Is it just not detecting any matches - no Found lines in your log? Or is it finding, but not banning them? In the second case increase findtime in jail.conf/jail.local. For instance, I have findtime = 2000, bantime = 14400, maxretry=2.
Thanks for the tip. I had reloaded, though with sudo service fail2ban reload and restart. I tried with the client this time, and logfile reports this: (this is without gamin). I did tail -f and tried wrong passwords from another VPS, no updates, and still not banned.
Nope - that's exactly the problem, it isn't finding entries in /var/log/auth.log. One thing I just noticed is that timestamps in auth.log are off! Could this be the reason fail2ban isn't recognizing them? This is just now, when my local time (IST) is ~16:10, and server time (GMT) is ~10:40. Why is sshd logging time in a completely different time zone?
Could you check /var/log/auth.log user rights? (just to be sure).
Edit: if fail2ban can't read auth.log, that can also be a rights issue.
Did you change your timezone and reboot?
Maybe you installed fail2fail2ban instead?
I had done this when I first set up the VPS with dpkg-reconfigure. Not sure if I'd rebooted then though. I'll try this now!
fail2ban is running as root, and fail2ban.log is not complaining about this, so I don't think this is the issue, but thanks for the lead, it's worth investigating. auth.log is at default permissions: -rw-r----- 1 root adm.
Haha, maybe the attacker is using that..
Boom! This was the problem - because the timestamps weren't matching. Rebooted, and it banned me yay!
Thanks so much. I feel silly. Now I'll never forget to reboot after changing TZ.
You probably could've got away with restarting SSH, but a reboot would fix up anything else that outputs timestamps to logs.
I'm pretty confident I've restarted sshd at least a couple of times (after changing timeout, keepalive etc.), and definitely once today after disabling root login and changing port, so yeah, it's weird behaviour.
Such an IT crowd moment.
Always found the name "fail to ban" quite ironic xD
Ha! I missed a great chance to title this post 'failing2ban'.
Edit: Maybe it's meant to imply fail -to-> ban, like a failure to authenticate leads to a ban.
Pretty sure Fail2ban won't work in an LXC container, looks like it tries to create something in /proc which will fail.
Edit: or at least it doesn't work properly.
I'm on KVM, had added it as an edit in OP. Seems to work fine here (and on my OpenVZ VPS's as well FWIW). I'll keep this in mind, though.
I might be mis-remembering, I'm sure I tried to use it on something the other day and it wasn't playing nice.
That said I'm equally sure I've had my phone be banned by fail2ban on the PBX before, but maybe that was my old PBX running in KVM.
Switch to safe2notban