| View previous topic :: View next topic |
| Author |
Message |
sl70
Guru
Joined: 18 Jun 2002
Posts: 455
Location: Saitama, JP
|
 Posted: Sun Jun 02, 2024 7:22 am Post subject: fail2ban runs but nothing gets stopped |
 |
|
I set up fail2ban according to the wiki, copied /etc/fail2ban/jail.conf to jail.local, and made very basic edits -- just enabled the sshd jail.
| Code: | diff jail.conf jail.local
274c274
< # [sshd]
---
> [sshd]
279,280c279,281
< #mode = normal
< # port = ssh
---
> # mode = normal
> enabled = true
> port = ssh
282a284
> # port = ssh |
That seems to work. No error messages, anyway.
| Code: | 2024-06-02 12:18:10,904 fail2ban.server [21171]: INFO Starting Fail2ban v1.0.2
2024-06-02 12:18:10,904 fail2ban.server [21171]: INFO Daemon started
2024-06-02 12:18:10,905 fail2ban.observer [21171]: INFO Observer start...
2024-06-02 12:18:10,916 fail2ban.database [21171]: INFO Connected to fail2ban persistent database /var/lib/fail2ban/fail2ban.sqlite3'
2024-06-02 12:18:10,917 fail2ban.jail [21171]: INFO Creating new jail 'sshd'
2024-06-02 12:18:10,979 fail2ban.jail [21171]: INFO Jail 'sshd' uses poller {}
2024-06-02 12:18:10,979 fail2ban.jail [21171]: INFO Initiated 'polling' backend
2024-06-02 12:18:10,980 fail2ban.filter [21171]: INFO maxLines: 1
2024-06-02 12:18:10,990 fail2ban.filter [21171]: INFO maxRetry: 5
2024-06-02 12:18:10,990 fail2ban.filter [21171]: INFO findtime: 600
2024-06-02 12:18:10,990 fail2ban.actions [21171]: INFO banTime: 600
2024-06-02 12:18:10,990 fail2ban.filter [21171]: INFO encoding: UTF-8
2024-06-02 12:18:10,991 fail2ban.jail [21171]: INFO Jail 'sshd' started
|
In spite of having this my logs are filled with messages like these:
| Code: | Jun 2 16:06:53 musume sshd[22093]: User root from 120.79.78.58 not allowed because not listed in AllowUsers
Jun 2 16:06:53 musume sshd[22093]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=120.79.78.58 user=root
Jun 2 16:06:55 musume sshd[22093]: Failed password for invalid user root from 120.79.78.58 port 60244 ssh2
Jun 2 16:06:56 musume sshd[22093]: Connection closed by invalid user root 120.79.78.58 port 60244 [preauth]
|
And this:
| Code: | fail2ban-client status sshd
Status for the jail: sshd
|- Filter
| |- Currently failed: 0
| |- Total failed: 0
| `- File list:
`- Actions
|- Currently banned: 0
|- Total banned: 0
`- Banned IP list:
|
I depend on my router to keep unwanted connections out. I only have sshd running and open on a non-standard port. I also have not included root in the /etc/ssh/sshd_config AllowUsers list. But on some days I have more than 1000 unauthorized connection attempts. It annoys me. I would really like to stop these attempts before they start or at least right after they start. How can I get fail2bad to do what I expect it to? |
|
| Back to top |
|
 |
szatox
Advocate
Joined: 27 Aug 2013
Posts: 3206
|
| Posted: Sun Jun 02, 2024 10:18 am Post subject: |
|
|
I was too lazy to properly research Gentoo way to configure many services (I'm looking at you, apache2), so I just went with this (combined with ssh persistence and multiplexing):
| Quote: | | -A ssh -m hashlimit --hashlimit-above 1/hour --hashlimit-burst 3 --hashlimit-mode srcip --hashlimit-name ssh -j DROP |
1 IP can make 3 attempts in a row, then 1 more after every hour.
Basically, rate limit the whole internet, whether login succeeds or not. Also, nmap scans count towards this limit too.
This comes after rules accepting packets from connections that are already established and those coming in via a vpn, so I'm not going to accidentally lock myself out
| Code: | cat /etc/ssh/ssh_config.d/multiplex.conf
Host *
ControlMaster auto
ControlPath ~/.ssh/master-%r@%h:%p.socket
ControlPersist 5m |
_________________
Make Computing Fun Again |
|
| Back to top |
|
|
sl70
Guru
Joined: 18 Jun 2002
Posts: 455
Location: Saitama, JP
|
| Posted: Mon Jun 03, 2024 3:22 am Post subject: |
|
|
| Thanks for the help, but I'm afraid I don't understand this at all. The first quoted line looks like an ``iptables`` invocation but I don't know where it would go. Likewise for the second snippet of code. I don't have a /etc/ssh_config.d directory or a mulitplex.conf file. I'm afraid I need more basic help. |
|
| Back to top |
|
|
szatox
Advocate
Joined: 27 Aug 2013
Posts: 3206
|
| Posted: Mon Jun 03, 2024 9:10 am Post subject: |
|
|
Those are NOT a part of f2b; it's my replacement for f2b. Legitimate users start _fewer_ connections that attackers, so it's OK to temporarily ban them too, which is why:
I added a generic iptables rule for rate limiting clients (which should mostly work with the way ssh is typically used) + ssh config for the client, which makes subsequent sessions avoid rate limits.
With this confusion sorted, you should be able to modify your server's firewall and client's ssh configs, it's not that difficult.
If you're OK with using something else than F2B of course.
_________________
Make Computing Fun Again |
|
| Back to top |
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
Networking & Security
