Fail2ban not banning

Dim_Git · June 11, 2022, 3:37am

Is this where you mean? If so, it is already set.

Again, thanks for your help.

Ilia · June 12, 2022, 11:45am

Dim_Git:

In fail2ban logs I have noticed that some IPs keep reappearing time after time like this

2022-05-23 18:48:53,805 fail2ban.filter [1170]: INFO [proftpd] Found 193.169.255.38 - 2022-05-23 18:48:53
2022-05-23 18:48:56,891 fail2ban.filter [1170]: INFO [proftpd] Found 193.169.255.38 - 2022-05-23 18:48:56
2022-05-23 18:49:03,404 fail2ban.filter [1170]: INFO [proftpd] Found 193.169.255.38 - 2022-05-23 18:49:03
2022-05-23 18:49:03,777 fail2ban.actions [1170]: WARNING [proftpd] 193.169.255.38 already banned
2022-05-24 11:10:28,880 fail2ban.filter [1170]: INFO [proftpd] Found 193.169.255.38 - 2022-05-24 11:10:28
2022-05-24 11:10:35,569 fail2ban.filter [1170]: INFO [proftpd] Found 193.169.255.38 - 2022-05-24 11:10:35
2022-05-24 11:10:42,106 fail2ban.filter [1170]: INFO [proftpd] Found 193.169.255.38 - 2022-05-24 11:10:42
2022-05-24 11:10:42,182 fail2ban.actions [1170]: WARNING [proftpd] 193.169.255.38 already banned
2022-05-24 23:03:17,409 fail2ban.filter [1170]: INFO [proftpd] Found 193.169.255.38 - 2022-05-24 23:03:17
2

The “already banned” shows that the attacker is able to continue even when banned by Fail2ban.

The rate of how IP is displayed in access logs demonstrates that it’s actually getting banned.

Try accessing your own server via SSH and entering a wrong password or providing a wrong key … make it fail and see on Webmin side in fail2ban module if it’s getting banned or not … It can be seen on a new Webmin / Networking ⇾ Fail2Ban Intrusion Detector: Jails Status page.

If you still believe there is a problem check throughout the output of the following commands:

ip a

firewall-cmd --list-all
systemctl status firewalld

systemctl status fail2ban

Dim_Git · June 13, 2022, 4:48am

That was very helpful info Illia and gave me a lot to look at. Thank you.

I followed your suggestion to try to access the server in SSH using the wrong credentials (using a different IP to save myself being blocked) and Yes, after 3 attempts the IP was blocked. I then tried to FTP in and was also blocked again. So it does appear to be working.

I was not able to reproduce the symptom of the “already banned” message in Fail2ban though. Once a ban was in place the server simply stopped responding as expected but there was no entry in the fail2ban log that shows any further attempts.

Looking at the Webmin / Networking ⇾ Fail2Ban Intrusion Detector: Jails Status` page I note that the following is shown for FTP

In the banned IP list (last column) it does not show the IP numbers that are banned only the nuimber “3001” which is clickable with the tooltip “remove 3001 from the banned list”. I wonder if not showing a list of banned IP numbers that is indicative of anything. I was exppecting a list of 36 IP numbers.

Other show a list of banned IP number like below.

Each IP can be clicked on to remove it from the banned lsit and at the bottom it says “+2935 more” which I haven’t found a way to list those more within the interface.

Thanks again for your time.

Dim_Git · June 13, 2022, 9:24am

I went back over some of the pages I had read online because I remember some seemed to fit this but I don’t want to edit places which are scary. Maybe someone would like to comment on this.

This one is nearly 8 years old so might be well past valid

Thanks.

Ilia · June 14, 2022, 11:08am

For that ProFTPD issue. What is the output of fail2ban-client status proftpd command?

Ilia · June 14, 2022, 11:10am

Nevermind, I see the issue. We will fix that for the next Webmin release.

Dim_Git · June 14, 2022, 1:44pm

Excellent, many thanks.

system · June 22, 2022, 1:45pm

This topic was automatically closed 8 days after the last reply. New replies are no longer allowed.

Ilia · April 16, 2023, 10:16am

For Fail2ban not banning with ProFTPd the fix and explanations are here: