[SOLVED] fail2ban not banning user

mudethmudeth Member
edited April 2016 in Help

On a whim, I checked /var/log/auth.log and saw brute force attempts for root from a couple of IPs in China, happily going on while I thought fail2ban was working.

From what I've gathered from Google, fail2ban seems to be set up correctly (I haven't modified defaults, just made a copy of jail.conf to jail.local). sshd is the only service enabled in jail.local, and all filters are set to defaults.

Also, fail2ban-server is running and fail2ban-client is able to find it. sudo fail2ban-client status displays:

Status
|- Number of jail:      1
`- Jail list:           ssh

I tried ssh'ing in from another VPS of mine, and confirmed that it doesn't ban me after 6 (or more) incorrect attempts.

I also tried installing gamin, and set backend = gamin in jail.local, no dice.

For now, I've disabled root login and changed the SSH port, but I'd like to get fail2ban running. Any pointers?

Edit: Debian 8, KVM, dotdeb repositories, Fail2Ban v0.8.13

Edit: Solved: Problem was that sshd was logging in a different timezone. I rebooted, and it works fine now! (thanks @ATHK)

Comments

  • Is there an issue with iptables perhaps?

  • mudethmudeth Member
    edited April 2016

    @Ole_Juul said:
    Is there an issue with iptables perhaps?

    iptables is working fine, it seems. First thing I did when I saw the attempt was iptables -j DROP, and it worked.

    Also, I just checked on another Debian 7 VPS with the same default setup, and fail2ban has logged 367 bans in the past, while this server reports 0.

  • IkoulaIkoula Member, Host Rep

    Hello,

    Did you try to reload the configuration?

    #sudo fail2ban-client reload

    Might be helpful to tail fail2ban logs during the reload to check if there is any error.

  • Check your /var/log/fail2ban.log. Is it just not detecting any matches - no Found lines in your log? Or is it finding, but not banning them. In the second case increase findtime in jail.conf/jail.local. For instance, I have findtime = 2000, bantime = 14400, maxretry=2.

  • @Ikoula said:

    #sudo fail2ban-client reload

    Might be helpful to tail fail2ban logs during the reload to check if there is any error.

    Thanks for the tip. I had reloaded, though with sudo service fail2ban reload and restart. I tried with the client this time, and logfile reports this:

    2016-04-11 16:00:18,149 fail2ban.jail   [6389]: INFO    Jail 'ssh' stopped
    2016-04-11 16:00:18,151 fail2ban.server [6389]: INFO    Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.13
    2016-04-11 16:00:18,152 fail2ban.jail   [6389]: INFO    Creating new jail 'ssh'
    2016-04-11 16:00:18,152 fail2ban.jail   [6389]: INFO    Jail 'ssh' uses poller
    2016-04-11 16:00:18,154 fail2ban.filter [6389]: INFO    Added logfile = /var/log/auth.log
    2016-04-11 16:00:18,155 fail2ban.filter [6389]: INFO    Set maxRetry = 6
    2016-04-11 16:00:18,157 fail2ban.filter [6389]: INFO    Set findtime = 600
    2016-04-11 16:00:18,158 fail2ban.actions[6389]: INFO    Set banTime = 600
    2016-04-11 16:00:18,191 fail2ban.jail   [6389]: INFO    Jail 'ssh' started
    

    (this is without gamin). I did tail -f and tried wrong passwords from another VPS, no updates, and still not banned.

    @rincewind said:
    Check your /var/log/fail2ban.log. Is it just not detecting any matches - no Found lines in your log? Or is it finding, but not banning them. In the second case increase findtime in jail.conf/jail.local. For instance, I have findtime = 2000, bantime = 14400, maxretry=2.

    Nope - that's exactly the problem, it isn't finding entries in /var/log/auth.log. One thing I just noticed is that timestamps in auth.log are off! Could this be the reason fail2ban isn't recognizing them?

    Apr 11 06:40:34 carbon sudo: pam_unix(sudo:session): session closed for user root

    This is just now, when my local time (IST) is ~16:10, and server time (GMT) is ~10:40. Why is sshd logging time in a completely different time zone?
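    A quick check for exactly this failure mode, added here as an illustration and not part of the thread: fail2ban drops failures whose log timestamp is older than findtime, so a clock skew between the log writer and the system clock silently prevents bans. The script below (hypothetical function names, constructed sample lines, with the server clock pinned to the ~10:40 GMT mentioned above) parses syslog timestamps from auth.log lines and reports whether the newest entry falls outside the 600 s findtime window.

```python
import re
from datetime import datetime

# Syslog timestamp prefix, e.g. "Apr 11 06:40:34 carbon sshd[...]" (no year, no zone).
SYSLOG_TS = re.compile(r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) ")

# Constructed sample lines modelled on the thread (not a real log).
SAMPLE_LINES = [
    "Apr 11 06:38:02 carbon sshd[2231]: Failed password for root from 203.0.113.7 port 41022 ssh2",
    "Apr 11 06:38:05 carbon sshd[2231]: Failed password for root from 203.0.113.7 port 41022 ssh2",
    "Apr 11 06:40:34 carbon sudo: pam_unix(sudo:session): session closed for user root",
    "this line has no timestamp and is skipped",
]
# Server clock at the moment of the check (GMT ~10:40, as the poster reports).
SAMPLE_NOW = datetime(2016, 4, 11, 10, 40, 0)


def parse_syslog_ts(line, year):
    """Return a naive datetime for a syslog-style line, or None if it has no timestamp."""
    m = SYSLOG_TS.match(line)
    if not m:
        return None
    return datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")


def log_clock_skew(lines, now, findtime=600):
    """Compare the newest log timestamp with the system clock.

    Returns (skew_seconds, outside_findtime) or None when no line parses.
    skew_seconds > 0 means the log lags the clock; abs(skew) > findtime means
    fail2ban would never accumulate enough recent failures to reach maxretry.
    """
    stamps = [t for t in (parse_syslog_ts(l, now.year) for l in lines) if t is not None]
    if not stamps:
        return None
    skew = (now - max(stamps)).total_seconds()
    return skew, abs(skew) > findtime


if __name__ == "__main__":
    result = log_clock_skew(SAMPLE_LINES, SAMPLE_NOW)
    if result is None:
        print("no syslog timestamps found")
    else:
        skew, stale = result
        verdict = "OUTSIDE findtime: fail2ban will ignore these lines" if stale else "ok"
        print(f"newest log entry lags system clock by {skew:.0f}s: {verdict}")
```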

  • IkoulaIkoula Member, Host Rep
    edited April 2016

    Could you check /var/log/auth.log user rights? (Just to be sure.)

    Edit: if fail2ban can't read auth.log, that can also be a rights issue.

    Thanked by mudeth
  • ATHKATHK Member

    Did you change your timezone and reboot?

    Thanked by mudeth
  • Maybe you installed fail2fail2ban instead? :D

  • @ATHK said:
    Did you change your timezone and reboot?

    I had done this when I first set up the VPS with dpkg-reconfigure. Not sure if I'd rebooted then though. I'll try this now!

    @Ikoula said:

    Could you check /var/log/auth.log user rights? (Just to be sure.)

    fail2ban is running as root, and fail2ban.log is not complaining about this, so I don't think this is the issue, but thanks for the lead, it's worth investigating. auth.log is at default permissions: -rw-r----- 1 root adm.

  • @deadbeef said:
    Maybe you installed fail2fail2ban instead? :D

    Haha, maybe the attacker is using that.. :)

    Thanked by deadbeef
  • Did you change your timezone and reboot?

    Boom! This was the problem - because the timestamps weren't matching. Rebooted, and it banned me yay!

    Thanks so much. I feel silly. Now I'll never forget to reboot after changing TZ.

    Thanked by Ole_Juul
  • ATHKATHK Member

    @mudeth said:
    Thanks so much. I feel silly. Now I'll never forget to reboot after changing TZ.

    You probably could've got away with restarting SSH, but a reboot would fix up anything else that outputs timestamps to logs.

    :)

  • @ATHK said:
    You probably could've got away with restarting SSH

    I'm pretty confident I've restarted sshd at least a couple of times (after changing timeout, keepalive etc.), and definitely once today after disabling root login and changing port, so yeah, it's weird behaviour.

    Such an IT crowd moment.

    Thanked by KamA
  • Always found the name "fail to ban" quite ironic xD

  • mudethmudeth Member
    edited April 2016

    @EphemeralEclipse said:
    Always found the name "fail to ban" quite ironic xD

    Ha! I missed a great chance to title this post 'failing2ban'.

    Edit: Maybe it's meant to imply fail -to-> ban, like a failure to authenticate leads to a ban.

  • dragon2611dragon2611 Member
    edited April 2016

    Pretty sure Fail2ban won't work in an LXC container, looks like it tries to create something in /proc which will fail.

    Edit: or at least it doesn't work properly.

  • @dragon2611 said:
    Pretty sure Fail2ban won't work in an LXC container, looks like it tries to create something in /proc which will fail.

    I'm on KVM, had added it as an edit in OP. Seems to work fine here (and on my OpenVZ VPS's as well FWIW). I'll keep this in mind, though.

  • I might be mis-remembering; I'm sure I tried to use it on something the other day and it wasn't playing nice.

    That said, I'm equally sure I've had my phone be banned by fail2ban on the PBX before, but maybe that was my old PBX running in KVM.

  • Switch to safe2notban
