Hi people.
I have spent 2 days trying to get Fail2Ban to work. I have read everything I can find without success, so it is time to ask.
I have installed Fail2ban on a test server and, after some messing with the configs, got it working well. Then I tried to install it on a production box, but it just won't work. Both boxes are running CentOS 5.3 and are reasonably identical (except the hardware, of course). I have even copied the configs from the test to the production box.
Fail2ban seems to be running and passes all the tests I can come up with but it just fails to ban any attempts at brute force SSH.
Here are the configs and the results of the tests, etc.:
# fail2ban-client status
Quote:
Status
|- Number of jail: 1
`- Jail list: ssh-iptables
# fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/sshd.conf
Quote:
Success, the total number of match is 4896
Here is the result of a deliberate wrong user login (from /var/log/secure):
Quote:
Jul 23 07:49:24 my-server sshd[7438]: pam_unix(sshd:auth): check pass; user unknown
Jul 23 07:49:24 my-server sshd[7438]: pam_succeed_if(sshd:auth): error retrieving information about user uhbs
Jul 23 07:49:26 my-server sshd[7438]: Failed password for invalid user uhbs from 123.123.123.123 port 3107 ssh2
To ensure that there was no time issue, I immediately ran the date command:
Quote:
Thu Jul 23 07:49:29 BST 2009
There are no local config files, so here are the regular files (snipped for brevity):
jail.conf
Quote:
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 617 $
…
[DEFAULT]
ignoreip = 127.0.0.1
bantime = 60
findtime = 600
maxretry = 3
backend = auto
[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
         sendmail-whois[name=SSH, dest=my-email@my-domain.co.uk, sender=fail2ban@mail.com]
logpath = /var/log/secure
maxretry = 3
sshd.conf
Quote:
# Fail2Ban configuration file
# Author: Cyril Jaquier
# $Revision: 663 $
[INCLUDES]
before = common.conf
[Definition]
_daemon = sshd
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$
            ^%(__prefix_line)sFailed [-/\w]+ for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$
            ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
            ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
            ^%(__prefix_line)sUser \S+ from <HOST> not allowed because not listed in AllowUsers$
            ^%(__prefix_line)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
            ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
            ^%(__prefix_line)sAddress <HOST> .* POSSIBLE BREAK-IN ATTEMPT\s*$
ignoreregex =
I have not changed iptables.conf.
When I stop and start Fail2ban an email is sent confirming the stop and another for the start.
The version I installed was fail2ban-0.8.2-3.el5.rf.noarch.rpm from DAG packages for Red Hat Linux el5 x86_64.
Hoping that someone can help. Thanks for reading.
Edited to add: /var/log/fail2ban.log shows no entry for failed logins but does show entries for the start/stop.
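To separate "the filter does not match" from "the daemon is not seeing the file", it helps to replay the quoted jail settings and sshd.conf patterns over log lines outside fail2ban. The script below is an added example, not part of the post and not fail2ban's own code. It assumes a simplified stand-in for common.conf's __prefix_line (fail2ban removes the timestamp before applying failregex, so the prefix only has to cover the hostname and "sshd[pid]:"), takes the year as 2009 because syslog timestamps carry none, and runs on constructed log lines in the same format as the /var/log/secure excerpt above.

```python
import re
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Jail settings copied from the [DEFAULT]/[ssh-iptables] sections quoted above.
JAIL = {
    "ignoreip": ["127.0.0.1"],
    "bantime": 60,      # seconds a host stays banned
    "findtime": 600,    # window in which failures are counted
    "maxretry": 3,      # failures inside findtime that trigger a ban
}

# Simplified stand-in for common.conf's __prefix_line (assumption, not the
# shipped definition): optional hostname, then optional "sshd[pid]: ".
PREFIX_LINE = r"(?:\S+ )?(?:sshd(?:\[\d+\])?: )?"
# fail2ban 0.8's expansion of the <HOST> tag.
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>\S+)"
# Two of the failregex lines from the sshd.conf quoted above, unchanged.
FAILREGEX_SRC = [
    r"Failed [-/\w]+ for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$",
    r"[iI](?:llegal|nvalid) user .* from <HOST>\s*$",
]


def expand_failregex(pattern):
    """Compile a filter.d pattern the way fail2ban does: prepend the prefix
    and replace <HOST> with the named host group."""
    return re.compile("^" + PREFIX_LINE + pattern.replace("<HOST>", HOST_ALIAS))


FAILREGEX = [expand_failregex(p) for p in FAILREGEX_SRC]
# Syslog timestamp ("Jul 23 07:49:26"); it carries no year.
SYSLOG_TS = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<rest>.*)$")
LOG_YEAR = 2009  # assumption: the year of the post


def parse_line(line):
    """Return (timestamp, host) if the line is an auth failure, else None."""
    m = SYSLOG_TS.match(line)
    if not m:
        return None
    ts_text = re.sub(r"\s+", " ", m.group("ts"))
    ts = datetime.strptime(ts_text, "%b %d %H:%M:%S").replace(year=LOG_YEAR)
    for rx in FAILREGEX:                # first matching pattern wins
        hit = rx.match(m.group("rest"))
        if hit:
            return ts, hit.group("host")
    return None


def count_matches(log_text):
    """Equivalent of fail2ban-regex's 'total number of match' for the log."""
    return sum(1 for line in log_text.splitlines() if parse_line(line))


def is_ignored(host, ignore_nets):
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:                  # a hostname: not checked against ignoreip here
        return False
    return any(addr in net for net in ignore_nets)


def run_jail(log_text, jail):
    """Replay the log through the jail logic: a host with maxretry failures
    inside findtime is banned for bantime. Returns (host, banned_at, expires)."""
    ignore_nets = [ipaddress.ip_network(n) for n in jail["ignoreip"]]
    window = timedelta(seconds=jail["findtime"])
    attempts = defaultdict(list)
    bans = []
    for line in log_text.splitlines():
        hit = parse_line(line)
        if hit is None:
            continue
        ts, host = hit
        if is_ignored(host, ignore_nets):
            continue
        # keep only the failures that fall inside the findtime window ending now
        attempts[host] = [t for t in attempts[host] if ts - t <= window] + [ts]
        if len(attempts[host]) >= jail["maxretry"]:
            bans.append((host, ts, ts + timedelta(seconds=jail["bantime"])))
            attempts[host] = []         # iptables now drops the host; start fresh
    return bans


# Constructed sample log in /var/log/secure format (not real traffic): one host
# that should be banned, the loopback address that ignoreip exempts, and one
# host whose three failures are spread wider than findtime.
SAMPLE_LOG = """\
Jul 23 07:49:24 my-server sshd[7438]: pam_unix(sshd:auth): check pass; user unknown
Jul 23 07:49:26 my-server sshd[7438]: Failed password for invalid user uhbs from 123.123.123.123 port 3107 ssh2
Jul 23 07:50:01 my-server sshd[7440]: Failed password for invalid user uhbs from 123.123.123.123 port 3108 ssh2
Jul 23 07:50:40 my-server sshd[7442]: Failed password for root from 123.123.123.123 port 3109 ssh2
Jul 23 07:51:02 my-server sshd[7444]: Failed password for invalid user test from 127.0.0.1 port 41022 ssh2
Jul 23 07:51:03 my-server sshd[7445]: Failed password for invalid user test from 127.0.0.1 port 41023 ssh2
Jul 23 07:51:04 my-server sshd[7446]: Failed password for invalid user test from 127.0.0.1 port 41024 ssh2
Jul 23 08:30:00 my-server sshd[7450]: Failed password for admin from 10.0.0.5 port 5000 ssh2
Jul 23 08:45:00 my-server sshd[7451]: Failed password for admin from 10.0.0.5 port 5001 ssh2
Jul 23 09:00:00 my-server sshd[7452]: Failed password for admin from 10.0.0.5 port 5002 ssh2
"""

if __name__ == "__main__":
    print("matches:", count_matches(SAMPLE_LOG))
    for host, at, until in run_jail(SAMPLE_LOG, JAIL):
        print(f"ban {host} at {at:%H:%M:%S} until {until:%H:%M:%S}")
```

Run stand-alone, it reports nine matching lines and a single ban of 123.123.123.123 at 07:50:40 (three failures inside 600 seconds), while 127.0.0.1 is skipped by ignoreip and 10.0.0.5 is never banned because its failures are 15 minutes apart. The model covers only matching and counting, the part that fail2ban-regex already confirmed is working here; it cannot tell whether the running daemon is reading the file at all, which is the question an empty fail2ban.log raises.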