Fail2ban sshd not banning

Hello,

fail2ban is not working properly with sshd. I have tried bannning the attackers with iptables-allports, iptables-multiport and route. None of them worked.

With all of them I see the attacks continue:

2020-09-24 10:19:48,005 fail2ban.filter         [25636]: INFO    [sshd] Found 139.9.122.153 - 2020-09-24 10:19:48
2020-09-24 10:20:02,220 fail2ban.filter         [25636]: INFO    [sshd] Found 120.78.160.213 - 2020-09-24 10:20:02
2020-09-24 10:20:02,222 fail2ban.filter         [25636]: INFO    [sshd] Found 120.78.160.213 - 2020-09-24 10:20:02
2020-09-24 10:20:02,991 fail2ban.actions        [25636]: WARNING [sshd] 120.78.160.213 already banned
2020-09-24 10:20:04,074 fail2ban.filter         [25636]: INFO    [sshd] Found 120.78.160.213 - 2020-09-24 10:20:04
2020-09-24 10:20:24,907 fail2ban.filter         [25636]: INFO    [sshd] Found 139.9.122.153 - 2020-09-24 10:20:24
2020-09-24 10:20:24,907 fail2ban.filter         [25636]: INFO    [sshd] Found 139.9.122.153 - 2020-09-24 10:20:24
2020-09-24 10:20:25,018 fail2ban.actions        [25636]: WARNING [sshd] 139.9.122.153 already banned

besides with route I get the following errors:

2020-09-22 13:15:04,914 fail2ban.utils          [25636]: Level 39 7fc716191348 -- exec: ip route del unreachable 222.186.10.49
2020-09-22 13:15:04,914 fail2ban.utils          [25636]: ERROR   7fc716191348 -- stderr: 'RTNETLINK answers: No such process'
2020-09-22 13:15:04,914 fail2ban.utils          [25636]: ERROR   7fc716191348 -- returned 2
2020-09-22 13:15:04,915 fail2ban.actions        [25636]: ERROR   Failed to execute unban jail 'sshd' action 'route' info 'ActionInfo({'ip': '222.186.10.49', 'family': 'inet4', 'ip-rev': '49.10.186.222.', 'ip-host': None, 'fid': '222.186.10.49', 'failures': 5, 'time': 1600764278.0, 'matches': 'Sep 22 10:43:58 anton sshd[4833]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.10.49 \nSep 22 10:44:00 anton sshd[4833]: Failed password for invalid user ts from 222.186.10.49 port 30586 ssh2\nSep 22 10:44:38 anton sshd[5611]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.10.49 ', 'restored': 0, 'F-*': {'matches': ['Sep 22 10:43:58 anton sshd[4833]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.10.49 ', 'Sep 22 10:44:00 anton sshd[4833]: Failed password for invalid user ts from 222.186.10.49 port 30586 ssh2', 'Sep 22 10:44:38 anton sshd[5611]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.10.49 '], 'failures': 5, 'mlfid': ' anton sshd[4833]: ', 'user': 'ts', 'ip4': '222.186.10.49'}, 'ipmatches': 'Sep 22 12:02:14 anton sshd[18758]: Failed password for root from 222.186.10.49 port 59300 ssh2\nSep 22 12:02:54 anton sshd[18770]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.10.49 \nSep 22 12:02:56 anton sshd[18770]: Failed password for invalid user gd from 222.186.10.49 port 65358 ssh2\nSep 22 12:03:34 anton sshd[18785]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.10.49 \nSep 22 12:03:35 anton sshd[18785]: Failed password for invalid user ralf from 222.186.10.49 port 6908 ssh2\nSep 22 12:04:13 anton sshd[19604]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.10.49 \nSep 22 12:04:15 anton sshd[19604]: Failed password for invalid user internet1 from 222.186.10.49 port 12962 ssh2\nSep 22 12:04:59 anton sshd[19628]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.10.49 \nSep 22 12:05:02 anton sshd[19628]: Failed password for invalid user testftp from 222.186.10.49 port 19018 ssh2\nSep 22 12:05:37 anton sshd[19670]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.10.49 \nSep 22 12:05:39 anton sshd[19670]: Failed password for invalid user fax from 222.186.10.49 port 25076 ssh2\nSep 22 12:06:14 anton sshd[19679]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.10.49 \nSep 22 12:06:15 anton sshd[19679]: Failed password for invalid user test from 222.186.10.49 port 31134 ssh2\nSep 22 12:06:57 anton sshd[19691]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.10.49 \nSep 22 12:06:59 anton sshd[19691]: Failed password for invalid user simedw from 222.186.10.49 port 37194 ssh2\nSep 22 12:07:37 anton sshd[19702]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.10.49 \nSep 22 12:07:39 anton sshd[19702]: Failed password for invalid user linda from 222.186.10.49 port 43250 ssh2\nSep 22 12:08:18 anton sshd[19712]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.10.49 \nSep 22 12:08:21 anton sshd[19712]: Failed password for invalid user samba from 222.186.10.49 port 49304 ssh2\nSep 22 12:09:00 anton sshd[19720]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.10.49 \nSep 22 12:09:02 anton sshd[19720]: Failed password for invalid user heinrich from 222.186.10.49 port 55344 ssh2\nSep 22 12:09:39 anton sshd[20550]: Failed password for root from 222.186.10.49 port 61404 ssh2\nSep 22 12:10:21 anton sshd[20603]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.10.49 \nSep 22 12:10:23 anton sshd[20603]: Failed password for invalid user arao from 222.186.10.49 port 2952 ssh2\nSep 22 12:10:59 anton sshd[20613]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.10.49 \nSep 22 12:11:01 anton sshd[20613]: Failed password for invalid user upload from 222.186.10.49 port 9008 ssh2\nSep 22 12:11:40 anton sshd[20621]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.10.49 \nSep 22 12:11:42 anton sshd[20621]: Failed password for invalid user master from 222.186.10.49 port 15066 ssh2\nSep 22 12:12:24 anton sshd[20631]: Failed password for irc from 222.186.10.49 port 21132 ssh2\nSep 22 12:13:06 anton sshd[20642]: Failed password for root from 222.186.10.49 port 27192 ssh2\nSep 22 12:13:45 anton sshd[20650]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.10.49 \nSep 22 12:13:47 anton sshd[20650]: Failed password for invalid user amavis from 222.186.10.49 port 33250 ssh2\nSep 22 12:14:23 anton sshd[21417]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.10.49 \nSep 22 12:14:25 anton sshd[21417]: Failed password for invalid user test from 222.186.10.49 port 39312 ssh2\nSep 22 12:15:05 anton sshd[21461]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.10.49 \nSep 22 12:15:07 anton sshd[21461]: Failed password for invalid user fernandez from 222.186.10.49 port 45368 ssh2\nSep 22 12:15:47 anton sshd[21470]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.10.49 \nSep 22 12:15:49 anton sshd[21470]: Failed password for invalid user wwwadmin from 222.186.10.49 port 51424 ssh2\nSep 22 12:16:27 anton sshd[21493]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.10.49 \nSep 22 12:16:29 anton sshd[21493]: Failed password for invalid user abc from 222.186.10.49 port 57474 ssh2\nSep 22 12:17:08 anton sshd[21505]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.10.49 \nSep 22 12:17:10 anton sshd[21505]: Failed password for invalid user support from 222.186.10.49 port 63528 ssh2\nSep 22 12:17:52 anton sshd[21519]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.10.49 \nSep 22 12:17:54 anton sshd[21519]: Failed password for invalid user andrew from 222.186.10.49 port 5062 ssh2\nSep 22 12:18:31 anton sshd[21528]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.10.49 \nSep 22 12:18:33 anton sshd[21528]: Failed password for invalid user office from 222.186.10.49 port 11124 ssh2\nSep 22 12:19:11 anton sshd[22290]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.10.49 \nSep 22 12:19:12 anton sshd[22290]: Failed password for invalid user shop from 222.186.10.49 port 17178 ssh2\nSep 22 12:19:54 anton sshd[22312]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.10.49 \nSep 22 12:19:56 anton sshd[22312]: Failed password for invalid user user from 222.186.10.49 port 23236 ssh2', 'ipjailmatches': 'Sep 22 12:02:14 anton sshd[18758]: Failed password for root from 222.186.10.49 port 59300 ssh2\nSep 22 12:02:54 anton sshd[18770]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.10.49 \nSep 22 12:02:56 anton sshd[18770]: Failed password for invalid user gd from 222.186.10.49 port 65358 ssh2\nSep 22 12:03:34 anton sshd[18785]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.10.49 \nSep 22 12:03:35 anton sshd[18785]: Failed password for invalid user ralf from 222.186.10.49 port 6908 ssh2\nSep 22 12:04:13 anton sshd[19604]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.10.49 \nSep 22 12:04:15 anton sshd[19604]: Failed password for invalid user internet1 from 222.186.10.49 port 12962 ssh2\nSep 22 12:04:59 anton sshd[19628]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.10.49 \nSep 22 12:05:02 anton sshd[19628]: Failed password for invalid user testftp from 222.186.10.49 port 19018 ssh2\nSep 22 12:05:37 anton sshd[19670]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.10.49 \nSep 22 12:05:39 anton sshd[19670]: Failed password for invalid user fax from 222.186.10.49 port 25076 ssh2\nSep 22 12:06:14 anton sshd[19679]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.10.49 \nSep 22 12:06:15 anton sshd[19679]: Failed password for invalid user test from 222.186.10.49 port 31134 ssh2\nSep 22 12:06:57 anton sshd[19691]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.10.49 \nSep 22 12:06:59 anton sshd[19691]: Failed password for invalid user simedw from 222.186.10.49 port 37194 ssh2\nSep 22 12:07:37 anton sshd[19702]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.10.49 \nSep 22 12:07:39 anton sshd[19702]: Failed password for invalid user linda from 222.186.10.49 port 43250 ssh2\nSep 22 12:08:18 anton sshd[19712]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.10.49 \nSep 22 12:08:21 anton sshd[19712]: Failed password for invalid user samba from 222.186.10.49 port 49304 ssh2\nSep 22 12:09:00 anton sshd[19720]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.10.49 \nSep 22 12:09:02 anton sshd[19720]: Failed password for invalid user heinrich from 222.186.10.49 port 55344 ssh2\nSep 22 12:09:39 anton sshd[20550]: Failed password for root from 222.186.10.49 port 61404 ssh2\nSep 22 12:10:21 anton sshd[20603]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.10.49 \nSep 22 12:10:23 anton sshd[20603]: Failed password for invalid user arao from 222.186.10.49 port 2952 ssh2\nSep 22 12:10:59 anton sshd[20613]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.10.49 \nSep 22 12:11:01 anton sshd[20613]: Failed password for invalid user upload from 222.186.10.49 port 9008 ssh2\nSep 22 12:11:40 anton sshd[20621]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.10.49 \nSep 22 12:11:42 anton sshd[20621]: Failed password for invalid user master from 222.186.10.49 port 15066 ssh2\nSep 22 12:12:24 anton sshd[20631]: Failed password for irc from 222.186.10.49 port 21132 ssh2\nSep 22 12:13:06 anton sshd[20642]: Failed password for root from 222.186.10.49 port 27192 ssh2\nSep 22 12:13:45 anton sshd[20650]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.10.49 \nSep 22 12:13:47 anton sshd[20650]: Failed password for invalid user amavis from 222.186.10.49 port 33250 ssh2\nSep 22 12:14:23 anton sshd[21417]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.10.49 \nSep 22 12:14:25 anton sshd[21417]: Failed password for invalid user test from 222.186.10.49 port 39312 ssh2\nSep 22 12:15:05 anton sshd[21461]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.10.49 \nSep 22 12:15:07 anton sshd[21461]: Failed password for invalid user fernandez from 222.186.10.49 port 45368 ssh2\nSep 22 12:15:47 anton sshd[21470]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.10.49 \nSep 22 12:15:49 anton sshd[21470]: Failed password for invalid user wwwadmin from 222.186.10.49 port 51424 ssh2\nSep 22 12:16:27 anton sshd[21493]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.10.49 \nSep 22 12:16:29 anton sshd[21493]: Failed password for invalid user abc from 222.186.10.49 port 57474 ssh2\nSep 22 12:17:08 anton sshd[21505]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.10.49 \nSep 22 12:17:10 anton sshd[21505]: Failed password for invalid user support from 222.186.10.49 port 63528 ssh2\nSep 22 12:17:52 anton sshd[21519]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.10.49 \nSep 22 12:17:54 anton sshd[21519]: Failed password for invalid user andrew from 222.186.10.49 port 5062 ssh2\nSep 22 12:18:31 anton sshd[21528]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.10.49 \nSep 22 12:18:33 anton sshd[21528]: Failed password for invalid user office from 222.186.10.49 port 11124 ssh2\nSep 22 12:19:11 anton sshd[22290]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.10.49 \nSep 22 12:19:12 anton sshd[22290]: Failed password for invalid user shop from 222.186.10.49 port 17178 ssh2\nSep 22 12:19:54 anton sshd[22312]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.10.49 \nSep 22 12:19:56 anton sshd[22312]: Failed password for invalid user user from 222.186.10.49 port 23236 ssh2', 'ipfailures': 393, 'ipjailfailures': 393})': Error unbanning 222.186.10.49
2020-09-22 13:15:04,921 fail2ban.utils          [25636]: Level 39 7fc716142510 -- exec: ip route del unreachable 149.202.208.104
2020-09-22 13:15:04,922 fail2ban.utils          [25636]: ERROR   7fc716142510 -- stderr: 'RTNETLINK answers: No such process'
2020-09-22 13:15:04,922 fail2ban.utils          [25636]: ERROR   7fc716142510 -- returned 2

This is my current configuration:

image

I have my sshd server running on port 10022.

what could be the problem? has anyone an idea of how to ban brute force attacks on ssh?

try banaction = iptables-multiport

also consider copy /etc/fail2ban/jail.conf to /etc/fail2ban/jail.local and edit jail.local

restart fail2ban

it is not working either.
Is there something in webmin, firewalld or iptables that can get on the way of the ban?

image

the result is:

2020-09-24 11:57:29,618 fail2ban.filter         [25636]: INFO    [sshd] Found 39.96.19.171 - 2020-09-24 11:57:29
2020-09-24 11:57:42,554 fail2ban.filter         [25636]: INFO    [sshd] Found 157.0.78.2 - 2020-09-24 11:57:42
2020-09-24 11:57:42,556 fail2ban.filter         [25636]: INFO    [sshd] Found 157.0.78.2 - 2020-09-24 11:57:42
2020-09-24 11:57:42,737 fail2ban.actions        [25636]: WARNING [sshd] 157.0.78.2 already banned
2020-09-24 11:57:44,218 fail2ban.filter         [25636]: INFO    [sshd] Found 157.0.78.2 - 2020-09-24 11:57:44
2020-09-24 11:57:49,210 fail2ban.filter         [25636]: INFO    [sshd] Found 120.78.160.213 - 2020-09-24 11:57:49
2020-09-24 11:57:49,212 fail2ban.filter         [25636]: INFO    [sshd] Found 120.78.160.213 - 2020-09-24 11:57:49
2020-09-24 11:57:49,746 fail2ban.actions        [25636]: WARNING [sshd] 120.78.160.213 already banned

What’s your Linux distro and how was Fail2ban installed? Firewalld and iptables suggests you’re using CentOS 7, in which case Fail2ban came from the EPEL repository when Virtualmin was installed. In my case with CentOS 8, there was a preset jail.local file with jails needed for basic hosting services, and the sshd jail worked straight away with no tinkering.

You’ll see this banaction in /etc/fail2ban/jail.conf:

banaction = iptables-multiport
banaction_allports = iptables-allports

But for Firewalld on CentOS there’s /etc/fail2ban/jail.d/00-firewalld.conf that overrides jail.conf or jail.local. If you have this file and it contains the following there’s no need to add the banaction to jail.local.

[DEFAULT]
banaction = firewallcmd-rich-rules[actiontype=<multiport>]
banaction_allports = firewallcmd-rich-rules[actiontype=<allports>]

If you don’t have a file like this try adding the above banaction to the top of jail.local.

If it’s still a struggle I suggest putting sshd back on port 22 and get Fail2ban working before switching to an obscure port.

I am using debian.

4.19.0-10-amd64 #1 SMP Debian 4.19.132-1 (2020-07-24) x86_64 GNU/Linux

I switched back the SSH daemon to port 22. It is still not working. Here there are some conf files. I think that virtualmin is setting firewallcmd-ipset as the default action. but that still does not work!

I am wondering if the default configuration of webmin for fail2ban actually works. I did not modify anything but the sshd port.

image

image

fail2ban log after changing the configuration. the brute force attack continues as usual : /

Are other jails banning or is sshd the only one not working? It’s hard to guess what needs fixing. From the looks of your screen shot an IP was banned and maybe there are others. In a terminal use fail2ban-client status sshd to see if there’s a list of banned IPs.

FYI, if you’re using Fail2ban v0.10 or newer the postfix-rbl and postfix-sasl filters are integrated into postfix.conf, so only the [postfix] jail is needed.

1 Like

the problem is that webmin sets firewalld as the banning method and this is apparently incompatible with iptables. This is the configuration that finally worked:

image

with this as default:

image

By the way, apparently there is a better solution for using firewalld, see the discussion here:

maybe the webmin developers want to consider this?

This topic was automatically closed 4 days after the last reply. New replies are no longer allowed.