cbj4074, 20th December 2012, 22:43
I experienced what may be the same issue (and it began happening all of a sudden).

Excerpted from the fail2ban mailing list:

Quote:
Hello,

Please forgive me if the solution to my problem is obvious, but I've
done quite a bit of searching-around and nothing has resonated.

I've been using fail2ban-0.8.6 on Ubuntu 10.04-1 LTS for at least a year
without issue (as far as I know).

But recently, it seems that some very persistent users/bots are not
being banned when they should be.

In particular, I see entries in my Linux Logwatch digests like this:

--------------------- SSHD Begin ------------------------


Failed logins from:
85.91.136.121 (85-91-136-121.varna.homelan.bg): 860 times
109.163.239.115: 17 times
173.208.232.143: 64 times
180.166.11.211: 1448 times
199.101.51.153 (host1.dbxmedia.com): 1638 times
216.114.69.35: 602 times

Illegal users from:
82.221.99.229: 8 times
85.91.136.121 (85-91-136-121.varna.homelan.bg): 1 time
173.208.232.143: 90 times
180.166.11.211: 37 times
216.114.69.35: 2 times

[...]

Received disconnect:
11: disconnected by user : 1 Time(s)

**Unmatched Entries**
PAM 3 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=109.163.239.115 user=root : 11 time(s)
PAM service(sshd) ignoring max retries; 4 > 3 : 11 time(s)

---------------------- SSHD End -------------------------

860 times, 1448 times, 1638 times, 602 times... why aren't these bots
being banned after 3 times?

I executed the following in an effort to make that determination:

----------------------------------------------------------
# fail2ban-regex /var/log/auth.log.0 /etc/fail2ban/filter.d/sshd.conf

Running tests
=============

Use regex file : /etc/fail2ban/filter.d/sshd.conf
Use log file : /var/log/auth.log.0


Results
=======

Failregex
|- Regular expressions:
| [...]
|
`- Number of matches:
[1] 0 match(es)
[2] 0 match(es)
[3] 4762 match(es)
[4] 0 match(es)
[5] 134 match(es)
[6] 0 match(es)
[7] 0 match(es)
[8] 0 match(es)
[9] 0 match(es)
[10] 0 match(es)

Ignoreregex
|- Regular expressions:
|
`- Number of matches:

Summary
=======

Addresses found:
[1]
[2]
[3]
[... thousands of matches printed here ...]
[6]
[7]
[8]
[9]
[10]

Date template hits:
148256 hit(s): MONTH Day Hour:Minute:Second
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
0 hit(s): Year/Month/Day Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/MONTH/Year:Hour:Minute:Second
0 hit(s): Month/Day/Year:Hour:Minute:Second
0 hit(s): Year-Month-Day Hour:Minute:Second
0 hit(s): Year.Month.Day Hour:Minute:Second
0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
0 hit(s): Day-Month-Year Hour:Minute:Second
0 hit(s): TAI64N
0 hit(s): Epoch
0 hit(s): ISO 8601
0 hit(s): Hour:Minute:Second
0 hit(s): <Month/Day/Year@Hour:Minute:Second>

Success, the total number of match is 4896

However, look at the above section 'Running tests' which could contain important information.
----------------------------------------------------------


The file /var/log/auth.log.0 contains log entries from Dec 2 03:33:48 to
Dec 2 06:28:15. If I inspect fail2ban's log entries for the same period
of time, I find only the following:

----------------------------------------------------------
2012-12-02 00:26:23,443 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.6
2012-12-02 00:26:24,713 fail2ban.filter : INFO Log rotation detected for /var/log/apache2/error.log
2012-12-02 00:26:24,723 fail2ban.filter : INFO Log rotation detected for /var/log/apache2/error.log
2012-12-02 00:30:01,906 fail2ban.filter : INFO Log rotation detected for /var/log/apache2/other_vhosts_access.log
2012-12-02 01:02:37,839 fail2ban.filter : INFO Log rotation detected for /var/log/auth.log
2012-12-02 01:02:37,976 fail2ban.filter : INFO Log rotation detected for /var/log/syslog
----------------------------------------------------------


The SSHd jail configuration is:

----------------------------------------------------------
[ssh]

enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 6
----------------------------------------------------------


Might anyone know why fail2ban registered absolutely nothing in its logs
during this ongoing login-per-second attempt, for hours on end, given
the output from fail2ban-regex, above?

Thanks for any pointers,

-Ben

Upgrading to 0.8.8 solved the problem for me. It is entirely possible (and quite likely) that upgrading to 0.8.8 was somewhat of a "red herring". Perhaps the upgrade process simply reset something that was botched-up. Given that you are already on 0.8.8, I'm not sure what to tell you to try next. Have you gone to the fail2ban mailing list with this?
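To check independently which hosts a jail like the one quoted above should have banned, here is an added example (my own construction, not fail2ban's code or the poster's): it replays the maxretry/findtime sliding-window rule over a constructed auth.log excerpt. The two regexes are simplified stand-ins for the sshd filter, findtime=600 is assumed as the default, and the year 2012 is supplied because syslog lines carry none.

```python
import re
from collections import deque
from datetime import datetime

# Simplified stand-ins for the sshd failregex (constructed; not the real filter.d/sshd.conf).
FAIL_PATTERNS = [
    re.compile(r"Failed password for (?:invalid user )?\S+ from (?P<host>\S+)"),
    re.compile(r"Invalid user \S+ from (?P<host>\S+)"),
]

# Constructed auth.log excerpt using RFC 5737 documentation addresses.
SAMPLE_AUTH_LOG = """\
Dec  2 03:33:48 srv sshd[1001]: Failed password for root from 192.0.2.10 port 4422 ssh2
Dec  2 03:34:01 srv sshd[1002]: Failed password for root from 192.0.2.10 port 4423 ssh2
Dec  2 03:34:15 srv sshd[1003]: Invalid user oracle from 192.0.2.10
Dec  2 03:34:16 srv sshd[1003]: Failed password for invalid user oracle from 192.0.2.10 port 4424 ssh2
Dec  2 03:34:30 srv sshd[1004]: Failed password for root from 192.0.2.10 port 4425 ssh2
Dec  2 03:34:45 srv sshd[1005]: Failed password for root from 192.0.2.10 port 4426 ssh2
Dec  2 03:40:00 srv sshd[1100]: Failed password for admin from 198.51.100.7 port 5000 ssh2
Dec  2 03:51:00 srv sshd[1101]: Failed password for admin from 198.51.100.7 port 5001 ssh2
Dec  2 04:02:00 srv sshd[1102]: Failed password for admin from 198.51.100.7 port 5002 ssh2
Dec  2 04:06:00 srv sshd[1200]: Accepted publickey for ben from 203.0.113.5 port 6000 ssh2
"""

def parse_failure(line, year):
    """Return (timestamp, host) for an sshd failure line, else None (syslog has no year)."""
    month, day, clock, rest = line.split(None, 3)
    for pat in FAIL_PATTERNS:
        m = pat.search(rest)
        if m:
            ts = datetime.strptime(f"{year} {month} {day} {clock}", "%Y %b %d %H:%M:%S")
            return ts, m.group("host")
    return None

def expected_bans(log_text, maxretry=6, findtime=600, year=2012):
    """Ban a host when its maxretry-th failure falls inside a findtime-second window."""
    recent, bans = {}, {}
    for line in log_text.splitlines():
        parsed = parse_failure(line, year)
        if parsed is None or parsed[1] in bans:
            continue  # not a failure, or host already banned
        ts, host = parsed
        window = recent.setdefault(host, deque())
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()  # drop failures older than findtime
        if len(window) >= maxretry:
            bans[host] = ts
    return bans
```

Comparing its output with /var/log/fail2ban.log separates a filter problem (no matches at all) from a jail or file-watching problem (matches, but no ban entries), which is the distinction a fail2ban-regex run alone cannot make.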