
Issue: Fail2Ban is not banning IP addresses properly

Tonies

New Pleskian
  • OS: CentOS Linux 7.4.1708 (Core)
  • Product: Plesk Onyx 17.5.3 Update #44
Hi,

I logged in to my server today as root and there was a message "There were 4524 failed login attempts since the last successful login."

Fail2Ban jails are all enabled and green.

There is only one IP address banned in there at the moment.

Here are my settings for Fail2Ban:

2018-04-08_071238.jpg


Why has Fail2Ban not added the IPs which have made attempts to log in as root, as there were over 4000 login attempts within the space of a few hours?

Can someone provide some information or a link to follow and troubleshoot this, please?

Thanks.
 
Perhaps a good starting point is Protection Against Brute Force Attacks (Fail2Ban) & Fail2Ban Jails Management.

For the community it would be helpful if you provided your OS & Plesk version.

Why has Fail2Ban not added the IPs which have made attempts to log in as root as there were over 4000 attempts to login between a space of a few hours logging in?

Because a) fail2ban / the jail is not working right, b) the settings are wrong, or c) it was a distributed attack from different IPs....

Well, based on the screenshot, the global settings (unless you have different settings for the relevant jail) would mean 2 attempts in 60 seconds from the same IP would be banned. Therefore you have to check the relevant logfile of this attack and also the fail2ban logfile.

If you are talking about failed SSH login attempts, depending on your OS the log is /var/log/auth.log or /var/log/secure; you have to identify the bad IP(s) there and then check fail2ban.log to see whether the IP(s) were recognized by fail2ban.

You can test fail2ban jails & config on the CLI, for example like:
Code:
# fail2ban-regex --print-all-matched /path/to/logfile/xyz.log /etc/fail2ban/filter.d/xyz-jail.conf
 
Hi @Brujo

Thanks for the reply and sorry for not entering my OS and Plesk version; I have now updated my original post to reflect this and will do so moving forward (will also change my other posts with this information too).

Thanks for the links too, Fail2Ban Jails Management this one helped as I created a jail for SSHD based on the guide:

2018-04-08_115635.jpg


There is already one which exists for SSH:

2018-04-08_115653.jpg

I found the log that is used for my system and it is located here: /var/log/secure and also found a command to check failed attempts in SSH: egrep "Failed|Failure" /var/log/secure

The log is quite long.

2018-04-08_115535.jpg


Based on the SSH Fail2Ban jail, these IPs should have been blocked. I checked the Fail2Ban log in /var/log/fail2ban.log as suggested and found no trace of the above IPs in there.

I also ran the command as per your advice and got the following result:

Code:
fail2ban-regex --print-all-matched var/log/fail2ban.log /etc/fail2ban/filter.d/sshd.conf

2018-04-08_121113.jpg


No idea how to interpret this though.

Thanks in advance.
 
Based on the SSH Fail2Ban jail, these IPs should have been blocked. I checked the Fail2Ban log in /var/log/fail2ban.log as suggested and found no trace of the above IPs in there.
This would mean the fail2ban filter would not match the log entries.

Sorry if I did not write in enough detail about fail2ban-regex; see: MANUAL 0 8 - Fail2ban (Section Testing)

The logfile in your case is /var/log/secure, so the test should look like:
Code:
fail2ban-regex --print-all-matched /var/log/secure /etc/fail2ban/filter.d/sshd.conf
 
This would mean the fail2ban filter would not match the log entries.

I will check the filter based on the documentation link you sent and hopefully resolve the issue, as I still believe it is not working as it should.

Thanks for the updated command; I ran it and got the same result as previously provided in my last message.

Thanks.
 
Example output from a CentOS test server:

# grep Failed /var/log/secure
Apr 8 15:35:24 mail sshd[22704]: Failed password for root from 123.229.34.230 port 55401 ssh2
Apr 8 15:35:29 mail sshd[22704]: Failed password for root from 123.229.34.230 port 55401 ssh2
Apr 8 15:36:02 mail sshd[23126]: Failed password for root from 123.229.34.230 port 55401 ssh2

# fail2ban-regex --print-all-matched /var/log/secure /etc/fail2ban/filter.d/sshd.conf
Lines: 23 lines, 0 ignored, 4 matched, 19 missed
[processed in 0.02 sec]

|- Matched line(s):
| Apr 8 15:35:22 golum sshd[22704]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=someone user=root
| Apr 8 15:35:24 golum sshd[22704]: Failed password for root from 123.229.34.230 port 55401 ssh2
| Apr 8 15:35:29 golum sshd[22704]: Failed password for root from 123.229.34.230 port 55401 ssh2
| Apr 8 15:36:02 golum sshd[22704]: Failed password for root from 123.229.34.230 port 55401 ssh2

And in fail2ban.log the findings are logged; in this case the IP was found 3 times and banned:

# grep ssh /var/log/fail2ban.log
2018-04-08 15:35:24,892 fail2ban.filter [24678]: INFO [ssh] Found 123.229.34.230
2018-04-08 15:35:29,703 fail2ban.filter [24678]: INFO [ssh] Found 123.229.34.230
2018-04-08 15:36:02,537 fail2ban.filter [24678]: INFO [ssh] Found 123.229.34.230
2018-04-08 15:36:02,796 fail2ban.actions [24678]: NOTICE [ssh] Ban 123.229.34.230
 
Thanks for the response, I ran the command as you suggested @Brujo:

Code:
fail2ban-regex --print-all-matched /var/log/secure /etc/fail2ban/filter.d/sshd.conf

The output after starting the tests:

2018-04-08_172514.jpg


As can be seen, there have been 165651 attempts :( I had to remove the new jail I created (which I posted above) as I realised it was already activated with the default ssh jail.

2018-04-08_173132.jpg


I have added the two troublesome IPs by activating the firewall for now, and hopefully they cannot gain access to my site or attack my server until I get this Fail2Ban resolved somehow and working. (I did not activate it before as some of my website extension developers cannot access the sites, and I have been trying to figure out how to give them access via the firewall after activation for FTP/SSH.)

I am still searching for how to fix this Fail2Ban; if I find the cause I will report back, but unfortunately, until now, no joy.

Thanks for your help thus far, appreciate it much.
 
The relevant output of fail2ban-regex is "Lines: 23 lines, 0 ignored, 4 matched, 19 missed".
Lines = total log entries, matched = how many entries are caught by the filter, missed = entries which are not recognised by the filter (and that is perhaps fine).

Well, based on the screenshot you provided there are matched entries, therefore there should also be an entry in fail2ban.log.

What's the output of
# grep ssh /var/log/fail2ban.log or grep 213.136.74.205 /var/log/fail2ban.log
Is there any Found or Ban like in my above example?
 
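As an added illustration of the two points Brujo makes above (the global "2 attempts in 60 seconds" setting, and the "matched / missed" summary of fail2ban-regex followed by the Found / Ban lines in fail2ban.log), here is a small Python model of that pipeline. It is example code written for this thread, not code from Fail2Ban or Plesk: the failregex is a simplified stand-in for the shipped sshd filter, the /var/log/secure lines are constructed (hostname, PIDs and IPs are made up), and the year is assumed because syslog timestamps carry none. It also shows the "settings wrong" case: a findtime shorter than the gap between two retries leaves that IP unbanned.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of /var/log/secure lines: hostname, PIDs and IPs are made up
# (documentation ranges). Two IPs retry quickly, one fails once, one line is a
# pam_unix message and one a successful key login, which a failregex must not match.
SAMPLE_SECURE = """\
Apr  8 15:35:22 testhost sshd[22704]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7 user=root
Apr  8 15:35:24 testhost sshd[22704]: Failed password for root from 198.51.100.7 port 55401 ssh2
Apr  8 15:35:29 testhost sshd[22704]: Failed password for root from 198.51.100.7 port 55401 ssh2
Apr  8 15:36:02 testhost sshd[23126]: Failed password for invalid user admin from 203.0.113.9 port 40122 ssh2
Apr  8 15:36:10 testhost sshd[23126]: Failed password for invalid user admin from 203.0.113.9 port 40122 ssh2
Apr  8 15:40:00 testhost sshd[23200]: Failed password for root from 192.0.2.44 port 50001 ssh2
Apr  8 15:45:00 testhost sshd[23300]: Accepted publickey for deploy from 192.0.2.10 port 50002 ssh2
"""

# Simplified stand-in for the failregex in /etc/fail2ban/filter.d/sshd.conf
# (the shipped filter is longer); <host> plays the role of fail2ban's <HOST> tag.
FAILREGEX = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed (?:password|publickey) for (?:invalid user )?\S+ "
    r"from (?P<host>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

LOG_YEAR = 2018  # syslog timestamps carry no year; assumed for the sample


def parse_ts(ts):
    """Turn 'Apr  8 15:35:24' into a datetime (year assumed, see LOG_YEAR)."""
    return datetime.strptime(f"{LOG_YEAR} " + re.sub(r"\s+", " ", ts), "%Y %b %d %H:%M:%S")


def run_filter(log_text):
    """Classify each line like fail2ban-regex does: matched by the failregex or missed."""
    matched, missed = [], []
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if m:
            matched.append((parse_ts(m.group("ts")), m.group("host"), line))
        else:
            missed.append(line)
    return {"lines": len(matched) + len(missed), "matched": matched, "missed": missed}


def simulate_jail(matched, maxretry=2, findtime=60):
    """Apply the jail's maxretry/findtime rule: ban a host once it has maxretry
    matched failures within findtime seconds. Returns fail2ban.log-style events."""
    window = timedelta(seconds=findtime)
    recent = {}      # host -> failure timestamps still inside the findtime window
    banned = set()
    events = []      # ("Found" | "Ban", timestamp, host)
    for ts, host, _line in sorted(matched):
        events.append(("Found", ts, host))
        if host in banned:
            continue
        hits = [t for t in recent.get(host, []) if ts - t <= window] + [ts]
        recent[host] = hits
        if len(hits) >= maxretry:
            events.append(("Ban", ts, host))
            banned.add(host)
    return events


def banned_hosts(events):
    """Hosts that received a Ban event, in order."""
    return [host for kind, _ts, host in events if kind == "Ban"]


def format_event(kind, ts, host, jail="ssh"):
    """Render an event the way fail2ban.log shows it (INFO Found / NOTICE Ban)."""
    src, level = ("fail2ban.actions", "NOTICE") if kind == "Ban" else ("fail2ban.filter", "INFO")
    return f"{ts:%Y-%m-%d %H:%M:%S} {src}: {level} [{jail}] {kind} {host}"


if __name__ == "__main__":
    result = run_filter(SAMPLE_SECURE)
    print(f"Lines: {result['lines']} lines, 0 ignored, "
          f"{len(result['matched'])} matched, {len(result['missed'])} missed")
    for ev in simulate_jail(result["matched"], maxretry=2, findtime=60):
        print(format_event(*ev))
    # With a findtime shorter than the gap between retries, the slower IP is never banned:
    print("findtime=5 bans:", banned_hosts(simulate_jail(result["matched"], maxretry=2, findtime=5)))
```

Run as-is it prints a "Lines: 7 lines, 0 ignored, 5 matched, 2 missed" summary, then a Found line per matched attempt and a Ban for the two IPs that hit maxretry inside findtime; the single failure from the third IP stays at Found only. If a real /var/log/secure gives "matched" entries but fail2ban.log has no Found lines at all, the problem is not the filter but the jail or its log path, which is the distinction Brujo is drawing.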
Hi @Brujo

After running the commands:

Code:
# grep ssh /var/log/fail2ban.log
# grep 213.136.74.205 /var/log/fail2ban.log

I get the following:

2018-04-08_205152.jpg


I see that it states:

Code:
2018-04-08 11:11:46,001 fail2ban.actions        [3575]: ERROR   Failed to stop jail 'ssh' action 'iptables-allports': Error stopping action

That must be the culprit, right?

Is it because of the "all ports" setting in the SSH jail? Not sure.

Thanks.
 
Hey Tonies,

did you get around your issue and is it working now, or are you still struggling with it?
If so, what does your filter for ssh look like now?
 
Hi @Brujo

Thanks for catching up with me.

No, unfortunately, I have not. I found an article about fail2ban through Google but it was no help.

I ran these commands again:

Code:
grep ssh /var/log/fail2ban.log
and
Code:
grep 213.136.74.205 /var/log/fail2ban.log

Nothing came up for either command; it just goes to a blank line. Why does it not show anything?

2018-04-10_200245.jpg


Thanks in advance.
 
The Plesk Firewall and Fail2ban are working well on my server. I don't know why you have trouble with this.

Sent from my Pixel using Tapatalk
 