fail2ban not banning

Discussion in 'Server Operation' started by vbrookie, Mar 9, 2009.

  1. vbrookie

    vbrookie New Member

    Hello all I've just upgraded my server few days ago from Etch to Lenny, and my fail2ban is not working. And for the past few days somebody is trying to break in to my server.
    There are 100s of these entry on my auth.log.

    Code:
    Mar  9 09:42:33 ns1 sshd[15779]: Invalid user custom from 210.51.171.74
    Mar  9 09:42:36 ns1 sshd[15781]: Invalid user custom from 210.51.171.74
    Mar  9 09:42:39 ns1 sshd[15783]: Invalid user paula from 210.51.171.74
    Mar  9 09:42:41 ns1 sshd[15785]: Invalid user tony from 210.51.171.74
    Mar  9 09:42:44 ns1 sshd[15789]: Invalid user angie from 210.51.171.74
    Mar  9 11:30:01 ns1 CRON[17155]: pam_unix(cron:session): session opened for user root by (uid=0)
    Mar  9 11:30:01 ns1 CRON[17155]: pam_unix(cron:session): session closed for user root
    Mar  9 11:39:01 ns1 CRON[17269]: pam_unix(cron:session): session opened for user root by (uid=0)
    Mar  9 11:39:01 ns1 CRON[17269]: pam_unix(cron:session): session closed for user root
    Mar  9 12:00:01 ns1 CRON[17827]: pam_unix(cron:session): session opened for user root by (uid=0)
    Mar  9 12:00:01 ns1 CRON[17827]: pam_unix(cron:session): session closed for user root
    Mar  9 12:01:28 ns1 sshd[17897]: reverse mapping checking getaddrinfo for unknown.net.reach.com [134.159.122.26] failed - POSSIBLE BREAK-IN ATTEMPT!
    Mar  9 12:01:30 ns1 sshd[17900]: reverse mapping checking getaddrinfo for unknown.net.reach.com [134.159.122.26] failed - POSSIBLE BREAK-IN ATTEMPT!
    Mar  9 12:01:32 ns1 sshd[17903]: reverse mapping checking getaddrinfo for unknown.net.reach.com [134.159.122.26] failed - POSSIBLE BREAK-IN ATTEMPT!
    Mar  9 12:01:34 ns1 sshd[17906]: reverse mapping checking getaddrinfo for unknown.net.reach.com [134.159.122.26] failed - POSSIBLE BREAK-IN ATTEMPT!
    Mar  9 12:01:36 ns1 sshd[17911]: reverse mapping checking getaddrinfo for unknown.net.reach.com [134.159.122.26] failed - POSSIBLE BREAK-IN ATTEMPT!
    Mar  9 12:01:38 ns1 sshd[17913]: reverse mapping checking getaddrinfo for unknown.net.reach.com [134.159.122.26] failed - POSSIBLE BREAK-IN ATTEMPT!
    Mar  9 12:01:39 ns1 sshd[17916]: reverse mapping checking getaddrinfo for unknown.net.reach.com [134.159.122.26] failed - POSSIBLE BREAK-IN ATTEMPT!
    Mar  9 12:01:41 ns1 sshd[17919]: reverse mapping checking getaddrinfo for unknown.net.reach.com [134.159.122.26] failed - POSSIBLE BREAK-IN ATTEMPT!
    Mar  9 12:04:10 ns1 sshd[18190]: Invalid user netdump from 134.159.122.26
    Mar  9 12:04:12 ns1 sshd[18193]: reverse mapping checking getaddrinfo for unknown.net.reach.com [134.159.122.26] failed - POSSIBLE BREAK-IN ATTEMPT!
    Mar  9 12:04:12 ns1 sshd[18193]: Invalid user user1 from 134.159.122.26
    Mar  9 12:04:14 ns1 sshd[18196]: reverse mapping checking getaddrinfo for unknown.net.reach.com [134.159.122.26] failed - POSSIBLE BREAK-IN ATTEMPT!
    Mar  9 12:04:14 ns1 sshd[18196]: Invalid user user1 from 134.159.122.26
    Mar  9 12:04:16 ns1 sshd[18201]: reverse mapping checking getaddrinfo for unknown.net.reach.com [134.159.122.26] failed - POSSIBLE BREAK-IN ATTEMPT!
    Mar  9 12:04:16 ns1 sshd[18201]: Invalid user student from 134.159.122.26
    Mar  9 12:04:17 ns1 sshd[18204]: reverse mapping checking getaddrinfo for unknown.net.reach.com [134.159.122.26] failed - POSSIBLE BREAK-IN ATTEMPT!
    Mar  9 12:04:18 ns1 sshd[18204]: Invalid user student1 from 134.159.122.26
    
    Help.
     
  2. falko

    falko Super Moderator ISPConfig Developer

    Did you check the regular expressions for fail2ban (I think they are in the /etc/fail2ban/filters directory (or somewhere similar)?
     
  3. Been Told

    Been Told Member

    I just installed fail2ban too and it doesn't seem to ban. I made 6 wrong attempts (max is 5) and the session was closed (so far so good), but then when I try to re-connect I can keep making wrong login attempts.
    Here's my jail.local file:
    Code:
    [DEFAULT]
    
    # "ignoreip" can be an IP address, a CIDR mask or a DNS host
    ignoreip = 127.0.0.1
    bantime  = 600
    maxretry = 3
    
    # "backend" specifies the backend used to get files modification. Available
    # options are "gamin", "polling" and "auto".
    # yoh: For some reason Debian shipped python-gamin didn't work as expected
    #      This issue left ToDo, so polling is default backend for now
    backend = polling
    
    #
    # Destination email address used solely for the interpolations in
    # jail.{conf,local} configuration files.
    destemail = [email protected]
    
    # Default action to take: ban only
    action = iptables[name=%(__name__)s, port=%(port)s]
    
    
    [ssh]
    
    enabled = true
    port    = ssh
    filter  = sshd
    logpath  = /var/log/auth.log
    maxretry = 5
    
    
    [apache]
    
    enabled = true
    port    = http
    filter  = apache-auth
    logpath = /var/log/apache*/*error.log
    maxretry = 5
    
    
    [apache-noscript]
    
    enabled = false
    port    = http
    filter  = apache-noscript
    logpath = /var/log/apache*/*error.log
    maxretry = 5
    
    
    [vsftpd]
    
    enabled  = false
    port     = ftp
    filter   = vsftpd
    logpath  = /var/log/auth.log
    maxretry = 5
    
    
    [proftpd]
    
    enabled  = true
    port     = ftp
    filter   = proftpd
    logpath  = /var/log/auth.log
    failregex = proftpd: \(pam_unix\) authentication failure; .* rhost=<HOST>
    maxretry = 5
    
    
    [wuftpd]
    
    enabled  = false
    port     = ftp
    filter   = wuftpd
    logpath  = /var/log/auth.log
    maxretry = 5
    
    
    [postfix]
    
    enabled  = false
    port     = smtp
    filter   = postfix
    logpath  = /var/log/mail.log
    maxretry = 5
    
    
    [courierpop3]
    
    enabled  = true
    port     = pop3
    filter   = courierlogin
    failregex = courierpop3login: LOGIN FAILED.*ip=\[.*:<HOST>\]
    logpath  = /var/log/mail.log
    maxretry = 5
    
    
    [courierimap]
    
    enabled  = true
    port     = imap2
    filter   = courierlogin
    failregex = imapd: LOGIN FAILED.*ip=\[.*:<HOST>\]
    logpath  = /var/log/mail.log
    maxretry = 5
    
    
    [sasl]
    
    enabled  = true
    port     = smtp
    filter   = sasl
    failregex = warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed
    logpath  = /var/log/mail.log
    maxretry = 5
    
     
  4. falko

    falko Super Moderator ISPConfig Developer

    On what service did you make the 6 login attempts? SSH, FTP, ...?
     
  5. Been Told

    Been Told Member

    Ah sorry for the omission. It was SSH.
     
  6. falko

    falko Super Moderator ISPConfig Developer

    What's in /var/log/auth.log when there's a failed login attempt?
    What's the failregex for SSH? (There should be a file for SSH in the filters.d subdirectory.)
     
  7. Been Told

    Been Told Member

    The filter.d\sshd.conf is:
    Code:
    # Fail2Ban configuration file
    #
    # Author: Cyril Jaquier
    #
    # $Revision: 663 $
    #
    
    [INCLUDES]
    
    # Read common prefixes. If any customizations available -- read them from
    # common.local
    before = common.conf
    
    
    [Definition]
    
    _daemon = sshd
    
    # Option:  failregex
    # Notes.:  regex to match the password failures messages in the logfile. The
    #          host must be matched by a group named "host". The tag "<HOST>" can
    #          be used for standard IP/hostname matching and is only an alias for
    #          (?:::f{4,6}:)?(?P<host>\S+)
    # Values:  TEXT
    #
    failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$
                ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
                ^%(__prefix_line)sFailed (?:password|publickey) for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$
                ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
                ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
                ^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers$
                ^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$
                ^%(__prefix_line)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
                ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
                ^%(__prefix_line)sAddress <HOST> .* POSSIBLE BREAK-IN ATTEMPT\s*$
    
    # Option:  ignoreregex
    # Notes.:  regex to ignore. If this regex matches, the line is ignored.
    # Values:  TEXT
    #
    ignoreregex = 
    
    And here're the entries in /var/log/auth.log:
    Code:
    Jun 13 11:33:01 server1 sshd[24297]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xxxxxxxxx.dip.t-dialin.net  user=root
    Jun 13 11:33:04 server1 sshd[24297]: Failed password for root from xxxxxxxxx port 49475 ssh2
    Jun 13 11:33:17 server1 last message repeated 5 times
    Jun 13 11:33:17 server1 sshd[24297]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=xxxxxxxxx.dip.t-dialin.net  user=root
    Jun 13 11:33:17 server1 sshd[24297]: PAM service(sshd) ignoring max retries; 5 > 3
     
  8. falko

    falko Super Moderator ISPConfig Developer

    Can you add this line to failregex and restart fail2ban?

    Code:
    ^%(__prefix_line)spam_unix(sshd:auth): authentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
     
  9. Been Told

    Been Told Member

    Hi falko!
    Did that, still the same problem.
    Here's the log:
    Code:
    Jun 14 14:38:14 server1 sshd[17278]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=XXXXXXX.dip.t-dialin.net  user=root
    Jun 14 14:38:16 server1 sshd[17278]: Failed password for root from XXXXXXX port 52562 ssh2
    Jun 14 14:38:30 server1 last message repeated 5 times
    Jun 14 14:38:30 server1 sshd[17278]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=XXXXXXX.dip.t-dialin.net  user=root
    Jun 14 14:38:30 server1 sshd[17278]: PAM service(sshd) ignoring max retries; 5 > 3
    Jun 14 14:38:58 server1 sshd[17315]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=XXXXXXX.dip.t-dialin.net  user=root
    Jun 14 14:38:59 server1 sshd[17315]: Failed password for root from XXXXXXX port 52571 ssh2
    Jun 14 14:39:01 server1 CRON[17321]: pam_unix(cron:session): session opened for user root by (uid=0)
    Jun 14 14:39:01 server1 CRON[17321]: pam_unix(cron:session): session closed for user root
    Jun 14 14:39:03 server1 sshd[17315]: Failed password for root from XXXXXXX port 52571 ssh2
    Jun 14 14:39:06 server1 sshd[17315]: Failed password for root from XXXXXXX port 52571 ssh2
     
  10. falko

    falko Super Moderator ISPConfig Developer

    What about this line?

    Code:
    authentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*
     
  11. Gen@

    Gen@ New Member

    The problem is the date format in LOG file :)

    the timestamp must be YYYY.MM.DD HH:MM:SS
    and not MMM DD HH:MM:SS
     

Share This Page