I was checking my server and I can see a couple IPs trying to guess users passwords. Fail2ban list those IPs as blocked already but I can see current connections from those same addresses still trying to guess passwords. Maybe the Webmin configuration is not properly applying the fail2ban actions? How can I really see if fail2ban is adding those addresses to firewalld?
Looks like a different issue because banaction and banaction_allports both use firewalld. Do you get “already banned” warnings in fail2ban.log? Are those ips also visible in the fail2ban.log?
I was only checking with fail2ban-client and did not think to use iptables -L, that is why I did not know that even though fail2ban las logging and banning IPs, it was not applying the rules to firewalld. The moment I modified jail.local and added the “action” directive to each jail it started banning the IPs correctly in Iptables.
It seems that the default configuration that Virtualmin uses is not valid, at least for Centos 8 Stream.
With SSH you should be using certificate keys login only.
Once you can ssh on with SSH keys you when fail all logs that don’t use that method. Fail2ban shouldn’t be needed.
@cursor try to increase ban time to something like 3 months per ban. That’s possible too harsh but in my case after few days I’ve seen only handful new ips blocked each day. I have SSH key login only on my server but still they try, and fail 3 times, fail2ban give them 6 months. SSH key only reduced attacks on my end by 90% and fail to ban is doing rest, however blocking IP for 10 minutes is was not effective at all in my case
There is the ability in Fail2ban to linearly or exponentially increase ban times for repeated offenders. I like this approach for people or (me) that might mistakenly hit the ban. In 10 minutes I can try again but repeated failures can then be an hour, a day then a week and then 6 weeks. You set the schedule like this from my /etc/fail2ban/jail.local Centos 7
I use 17 minutes as the initial ban time here because I report the offending IPs to abuseipdb.com and that site will only accept repeat reports after 15 minutes. Set ban time to whatever works for you.
Also, max bantime I set to 6 weeks. I find that works well because I set the dbpurge (fail2ban internal database purge) time to 59 days.
recidive jail was the original way of dealing with repeat offenders. It was improved with the individual jail ban times and multipliers and factors for each jail. If you want SSH to go quickly to 60d but wp-admin errors to have a shorter bantime then you can customize. I found software like opencart attracts DOS attacks and required a different jail than my other sites. Those IPs attacking get hit with bans very quickly and then repeats get the full 60d and those attacks have basically stopped. Before fail2ban, those attacks required a Linode server reboot.
