
9th March 2009, 17:22
Junior Member
Join Date: May 2006
Posts: 16
Thanks: 2
Thanked 2 Times in 2 Posts
fail2ban not banning
Hello all, I've just upgraded my server a few days ago from Etch to Lenny, and my fail2ban is not working. And for the past few days somebody has been trying to break into my server.
There are hundreds of these entries in my auth.log.
Code:
Mar 9 09:42:33 ns1 sshd[15779]: Invalid user custom from 210.51.171.74
Mar 9 09:42:36 ns1 sshd[15781]: Invalid user custom from 210.51.171.74
Mar 9 09:42:39 ns1 sshd[15783]: Invalid user paula from 210.51.171.74
Mar 9 09:42:41 ns1 sshd[15785]: Invalid user tony from 210.51.171.74
Mar 9 09:42:44 ns1 sshd[15789]: Invalid user angie from 210.51.171.74
Mar 9 11:30:01 ns1 CRON[17155]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 9 11:30:01 ns1 CRON[17155]: pam_unix(cron:session): session closed for user root
Mar 9 11:39:01 ns1 CRON[17269]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 9 11:39:01 ns1 CRON[17269]: pam_unix(cron:session): session closed for user root
Mar 9 12:00:01 ns1 CRON[17827]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 9 12:00:01 ns1 CRON[17827]: pam_unix(cron:session): session closed for user root
Mar 9 12:01:28 ns1 sshd[17897]: reverse mapping checking getaddrinfo for unknown.net.reach.com [134.159.122.26] failed - POSSIBLE BREAK-IN ATTEMPT!
Mar 9 12:01:30 ns1 sshd[17900]: reverse mapping checking getaddrinfo for unknown.net.reach.com [134.159.122.26] failed - POSSIBLE BREAK-IN ATTEMPT!
Mar 9 12:01:32 ns1 sshd[17903]: reverse mapping checking getaddrinfo for unknown.net.reach.com [134.159.122.26] failed - POSSIBLE BREAK-IN ATTEMPT!
Mar 9 12:01:34 ns1 sshd[17906]: reverse mapping checking getaddrinfo for unknown.net.reach.com [134.159.122.26] failed - POSSIBLE BREAK-IN ATTEMPT!
Mar 9 12:01:36 ns1 sshd[17911]: reverse mapping checking getaddrinfo for unknown.net.reach.com [134.159.122.26] failed - POSSIBLE BREAK-IN ATTEMPT!
Mar 9 12:01:38 ns1 sshd[17913]: reverse mapping checking getaddrinfo for unknown.net.reach.com [134.159.122.26] failed - POSSIBLE BREAK-IN ATTEMPT!
Mar 9 12:01:39 ns1 sshd[17916]: reverse mapping checking getaddrinfo for unknown.net.reach.com [134.159.122.26] failed - POSSIBLE BREAK-IN ATTEMPT!
Mar 9 12:01:41 ns1 sshd[17919]: reverse mapping checking getaddrinfo for unknown.net.reach.com [134.159.122.26] failed - POSSIBLE BREAK-IN ATTEMPT!
Mar 9 12:04:10 ns1 sshd[18190]: Invalid user netdump from 134.159.122.26
Mar 9 12:04:12 ns1 sshd[18193]: reverse mapping checking getaddrinfo for unknown.net.reach.com [134.159.122.26] failed - POSSIBLE BREAK-IN ATTEMPT!
Mar 9 12:04:12 ns1 sshd[18193]: Invalid user user1 from 134.159.122.26
Mar 9 12:04:14 ns1 sshd[18196]: reverse mapping checking getaddrinfo for unknown.net.reach.com [134.159.122.26] failed - POSSIBLE BREAK-IN ATTEMPT!
Mar 9 12:04:14 ns1 sshd[18196]: Invalid user user1 from 134.159.122.26
Mar 9 12:04:16 ns1 sshd[18201]: reverse mapping checking getaddrinfo for unknown.net.reach.com [134.159.122.26] failed - POSSIBLE BREAK-IN ATTEMPT!
Mar 9 12:04:16 ns1 sshd[18201]: Invalid user student from 134.159.122.26
Mar 9 12:04:17 ns1 sshd[18204]: reverse mapping checking getaddrinfo for unknown.net.reach.com [134.159.122.26] failed - POSSIBLE BREAK-IN ATTEMPT!
Mar 9 12:04:18 ns1 sshd[18204]: Invalid user student1 from 134.159.122.26
Help.

10th March 2009, 19:39
Super Moderator
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 41,665
Thanks: 1,896
Thanked 2,594 Times in 2,445 Posts
Did you check the regular expressions for fail2ban? (I think they are in the /etc/fail2ban/filters directory, or somewhere similar.)

11th June 2009, 14:09
HowtoForge Supporter
Join Date: Nov 2008
Posts: 123
Thanks: 29
Thanked 6 Times in 4 Posts
I just installed fail2ban too and it doesn't seem to ban. I made 6 wrong attempts (max is 5) and the session was closed (so far so good), but then when I try to re-connect I can keep making wrong login attempts.
Here's my jail.local file:
Code:
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1
bantime = 600
maxretry = 3
# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto".
# yoh: For some reason Debian shipped python-gamin didn't work as expected
# This issue left ToDo, so polling is default backend for now
backend = polling
#
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = e-mail@ddress.remov.ed
# Default action to take: ban only
action = iptables[name=%(__name__)s, port=%(port)s]
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 5
[apache]
enabled = true
port = http
filter = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 5
[apache-noscript]
enabled = false
port = http
filter = apache-noscript
logpath = /var/log/apache*/*error.log
maxretry = 5
[vsftpd]
enabled = false
port = ftp
filter = vsftpd
logpath = /var/log/auth.log
maxretry = 5
[proftpd]
enabled = true
port = ftp
filter = proftpd
logpath = /var/log/auth.log
failregex = proftpd: \(pam_unix\) authentication failure; .* rhost=<HOST>
maxretry = 5
[wuftpd]
enabled = false
port = ftp
filter = wuftpd
logpath = /var/log/auth.log
maxretry = 5
[postfix]
enabled = false
port = smtp
filter = postfix
logpath = /var/log/mail.log
maxretry = 5
[courierpop3]
enabled = true
port = pop3
filter = courierlogin
failregex = courierpop3login: LOGIN FAILED.*ip=\[.*:<HOST>\]
logpath = /var/log/mail.log
maxretry = 5
[courierimap]
enabled = true
port = imap2
filter = courierlogin
failregex = imapd: LOGIN FAILED.*ip=\[.*:<HOST>\]
logpath = /var/log/mail.log
maxretry = 5
[sasl]
enabled = true
port = smtp
filter = sasl
failregex = warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed
logpath = /var/log/mail.log
maxretry = 5
__________________
My stats:
- RootServer running ISPconfig 2 on Debian Lenny
- vServer running PLESK 8.4 on openSUSE 10.3
- vServer running PLESK 9 on Ubuntu

12th June 2009, 16:46
Super Moderator
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 41,665
Thanks: 1,896
Thanked 2,594 Times in 2,445 Posts
On what service did you make the 6 login attempts? SSH, FTP, ...?

12th June 2009, 17:16
HowtoForge Supporter
Join Date: Nov 2008
Posts: 123
Thanks: 29
Thanked 6 Times in 4 Posts
Ah sorry for the omission. It was SSH.

13th June 2009, 10:43
Super Moderator
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 41,665
Thanks: 1,896
Thanked 2,594 Times in 2,445 Posts
What's in /var/log/auth.log when there's a failed login attempt?
What's the failregex for SSH? (There should be a file for SSH in the filters.d subdirectory.)

13th June 2009, 11:35
HowtoForge Supporter
Join Date: Nov 2008
Posts: 123
Thanks: 29
Thanked 6 Times in 4 Posts
The filter.d/sshd.conf is:
Code:
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 663 $
#
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf
[Definition]
_daemon = sshd
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$
            ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
            ^%(__prefix_line)sFailed (?:password|publickey) for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$
            ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
            ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$
            ^%(__prefix_line)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
            ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
            ^%(__prefix_line)sAddress <HOST> .* POSSIBLE BREAK-IN ATTEMPT\s*$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
And here are the entries in /var/log/auth.log:
Code:
Jun 13 11:33:01 server1 sshd[24297]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xxxxxxxxx.dip.t-dialin.net user=root
Jun 13 11:33:04 server1 sshd[24297]: Failed password for root from xxxxxxxxx port 49475 ssh2
Jun 13 11:33:17 server1 last message repeated 5 times
Jun 13 11:33:17 server1 sshd[24297]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=xxxxxxxxx.dip.t-dialin.net user=root
Jun 13 11:33:17 server1 sshd[24297]: PAM service(sshd) ignoring max retries; 5 > 3
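The posted filter and auth.log excerpt can be checked offline, which is what fail2ban's own fail2ban-regex tool does. The script below is an added example written for this thread, not code from fail2ban or from any poster. It expands the filter's `%(__prefix_line)s` and `<HOST>` placeholders the way fail2ban does (the `__prefix_line` used here is a simplified stand-in for the one in common.conf, an assumption), runs three of the posted failregex lines plus the thread's suggested `pam_unix(sshd:auth)` line with its literal parentheses escaped, and counts matches per source host over constructed log lines modelled on the thread's excerpts (documentation IPs instead of the masked hostnames). It also shows the edge case visible in the posted log: syslog's "last message repeated 5 times" collapses the repeated "Failed password" lines, so a line-based counter sees one failure where sshd logged six and never reaches maxretry.

```python
import re
from collections import Counter

# What fail2ban substitutes for the <HOST> tag (quoted in the filter's own comments).
HOST = r"(?:::f{4,6}:)?(?P<host>\S+)"

# Assumption: a simplified stand-in for common.conf's __prefix_line
# (syslog timestamp, hostname, "sshd[pid]: "); the real one is more general.
PREFIX_LINE = r"(?:\w{3} +\d{1,2} \d{2}:\d{2}:\d{2} )?\S+ sshd\[\d+\]: "

# Three of the failregex lines from the posted filter.d/sshd.conf, verbatim.
FILTER_REGEXES = [
    r"^%(__prefix_line)sFailed (?:password|publickey) for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$",
    r"^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$",
    r"^%(__prefix_line)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$",
]

# The extra line suggested in the thread, with the literal parentheses escaped
# so "pam_unix(sshd:auth)" is matched as text rather than parsed as a regex group.
PAM_UNIX_REGEX = (
    r"^%(__prefix_line)spam_unix\(sshd:auth\): authentication failure; "
    r"logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$"
)

# syslog's repeat compression, which replaces identical consecutive lines.
REPEAT_RE = re.compile(r"^\w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \S+ last message repeated (\d+) times$")

# Constructed sample lines modelled on the thread's auth.log excerpts (documentation IPs).
SAMPLE_LOG = """\
Jun 13 11:33:01 server1 sshd[24297]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7 user=root
Jun 13 11:33:04 server1 sshd[24297]: Failed password for root from 203.0.113.7 port 49475 ssh2
Jun 13 11:33:17 server1 last message repeated 5 times
Jun 13 11:33:17 server1 sshd[24297]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7 user=root
Mar  9 09:42:33 ns1 sshd[15779]: Invalid user custom from 198.51.100.9
Mar  9 09:42:36 ns1 sshd[15781]: Invalid user custom from 198.51.100.9
"""


def compile_failregex(pattern, prefix_line=PREFIX_LINE):
    """Expand fail2ban's %(__prefix_line)s and <HOST> placeholders into a Python regex."""
    expanded = pattern.replace("%(__prefix_line)s", prefix_line).replace("<HOST>", HOST)
    return re.compile(expanded)


def expand_syslog_repeats(lines):
    """Replay 'last message repeated N times' as N copies of the preceding line,
    so a line-based counter sees the attempts syslog collapsed."""
    out, prev = [], None
    for line in lines:
        m = REPEAT_RE.match(line)
        if m and prev is not None:
            out.extend([prev] * int(m.group(1)))
        else:
            out.append(line)
            prev = line
    return out


def count_failures(lines, regexes):
    """Count matching lines per source host (first matching regex wins, as in fail2ban)
    and return the lines that no regex matched."""
    compiled = [compile_failregex(r) for r in regexes]
    counts, unmatched = Counter(), []
    for line in lines:
        for rx in compiled:
            m = rx.match(line)
            if m:
                counts[m.group("host")] += 1
                break
        else:
            unmatched.append(line)
    return counts, unmatched


def hosts_to_ban(counts, maxretry):
    """Hosts that reached the jail's maxretry (the findtime window is ignored here)."""
    return sorted(h for h, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for label, regexes, src in [
        ("stock filter, raw log", FILTER_REGEXES, lines),
        ("stock + pam_unix line, raw log", FILTER_REGEXES + [PAM_UNIX_REGEX], lines),
        ("stock + pam_unix line, repeats expanded", FILTER_REGEXES + [PAM_UNIX_REGEX],
         expand_syslog_repeats(lines)),
    ]:
        counts, unmatched = count_failures(src, regexes)
        print(f"{label}: {dict(counts)}; unmatched={len(unmatched)}; ban={hosts_to_ban(counts, 5)}")
```

With the stock regexes the `pam_unix(sshd:auth): authentication failure` line is unmatched because the filter's `authentication failure;` pattern expects that text directly after the sshd prefix, and the "PAM 4 more authentication failures" and "last message repeated" lines match nothing either, so the host ends up with a single counted failure against maxretry = 5. Only after the repeats are replayed does the count reflect the attempts sshd actually saw; on a real system the same effect can be checked with fail2ban-regex against the live log and, if repeat compression is the cause, addressed in the syslog daemon's configuration.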

14th June 2009, 14:27
Super Moderator
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 41,665
Thanks: 1,896
Thanked 2,594 Times in 2,445 Posts
Can you add this line to failregex and restart fail2ban?
Code:
^%(__prefix_line)spam_unix\(sshd:auth\): authentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$

14th June 2009, 14:41
HowtoForge Supporter
Join Date: Nov 2008
Posts: 123
Thanks: 29
Thanked 6 Times in 4 Posts
Hi falko!
Did that, still the same problem.
Here's the log:
Code:
Jun 14 14:38:14 server1 sshd[17278]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=XXXXXXX.dip.t-dialin.net user=root
Jun 14 14:38:16 server1 sshd[17278]: Failed password for root from XXXXXXX port 52562 ssh2
Jun 14 14:38:30 server1 last message repeated 5 times
Jun 14 14:38:30 server1 sshd[17278]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=XXXXXXX.dip.t-dialin.net user=root
Jun 14 14:38:30 server1 sshd[17278]: PAM service(sshd) ignoring max retries; 5 > 3
Jun 14 14:38:58 server1 sshd[17315]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=XXXXXXX.dip.t-dialin.net user=root
Jun 14 14:38:59 server1 sshd[17315]: Failed password for root from XXXXXXX port 52571 ssh2
Jun 14 14:39:01 server1 CRON[17321]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 14 14:39:01 server1 CRON[17321]: pam_unix(cron:session): session closed for user root
Jun 14 14:39:03 server1 sshd[17315]: Failed password for root from XXXXXXX port 52571 ssh2
Jun 14 14:39:06 server1 sshd[17315]: Failed password for root from XXXXXXX port 52571 ssh2

15th June 2009, 14:13
Super Moderator
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 41,665
Thanks: 1,896
Thanked 2,594 Times in 2,445 Posts
What about this line?
Code:
authentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*