RayDude Advocate
Joined: 29 May 2004 Posts: 2091 Location: San Jose, CA
Posted: Fri Jan 17, 2025 4:37 am Post subject: fail2ban stopped working since latest upgrade.
It says it's running, but no logging is occurring.
And more importantly, someone is trying to log in. I won't explain how I know, that's too much information.
I shut down ssh for the time being, but I need to understand why fail2ban is not running, not logging, etc.
Has anyone else seen anything like this? Is there something I can check?
_________________
Some day there will only be free software.
kgdrenefort Guru
Joined: 19 Sep 2023 Posts: 324 Location: Somewhere in the 77
Posted: Mon Jan 20, 2025 11:01 am
Hello,
We lack a lot of information to help you:
1/ Show us it running: systemd status fail2ban or the equivalent from OpenRC. Or ps output, worst case.
2/ What do you mean by "someone is trying to login"? Which services (SSH)? Is this an allowed connection?
3/ Any log messages about it?
4/ What do your fail2ban configuration files look like?
5/ Did you try to output the status of the jail while it's active and running?
6/ Version of fail2ban?
7/ Do you have SELinux?
Side note: beware when you disable a service managed by fail2ban. I might remember it crashing if, let's say, you add configuration for SSH but there are no SSH connections to look for while trying to (re)start it (the fail2ban service).
Regards,
GASPARD DE RENEFORT Kévin
_________________
Wiki translation, to participate.
Custom logos/biz card/website.
freke Veteran
Joined: 23 Jan 2003 Posts: 1047 Location: Somewhere in Denmark
Posted: Tue Jan 21, 2025 4:39 pm
Here it seems to run fine (updated ~amd64 as of today)
Code:
Jan 18 11:16:30 ns fail2ban.server[2060]: INFO Shutdown in progress...
Jan 18 11:16:30 ns fail2ban.observer[2060]: INFO Observer stop ... try to end queue 5 seconds
Jan 18 11:16:30 ns fail2ban.observer[2060]: INFO Observer stopped, 0 events remaining.
Jan 18 11:16:30 ns fail2ban.server[2060]: INFO Stopping all jails
Jan 18 11:16:30 ns fail2ban.filter[2060]: INFO Removed logfile: '/var/log/messages'
Jan 18 11:16:30 ns fail2ban.filter[2060]: INFO Removed logfile: '/var/log/messages'
Jan 18 11:16:30 ns fail2ban.actions[2060]: NOTICE [recidive] Flush ticket(s) with iptables-allports
Jan 18 11:16:31 ns fail2ban.actions[2060]: NOTICE [sshd] Flush ticket(s) with iptables-allports
Jan 18 11:16:31 ns fail2ban.jail[2060]: INFO Jail 'sshd' stopped
Jan 18 11:16:31 ns fail2ban.jail[2060]: INFO Jail 'recidive' stopped
Jan 18 11:16:31 ns fail2ban.database[2060]: INFO Connection to database closed.
Jan 18 11:16:31 ns fail2ban.server[2060]: INFO Exiting Fail2ban
Jan 18 11:17:04 ns fail2ban.server[2072]: INFO --------------------------------------------------
Jan 18 11:17:04 ns fail2ban.server[2072]: INFO Starting Fail2ban v1.1.0
Jan 18 11:17:04 ns fail2ban.server[2072]: INFO Daemon started
Jan 18 11:17:04 ns fail2ban.observer[2072]: INFO Observer start...
Jan 18 11:17:04 ns fail2ban.database[2072]: INFO Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
Jan 18 11:17:04 ns fail2ban.jail[2072]: INFO Creating new jail 'sshd'
Jan 18 11:17:04 ns fail2ban.jail[2072]: INFO Jail 'sshd' uses pyinotify {}
Jan 18 11:17:04 ns fail2ban.jail[2072]: INFO Initiated 'pyinotify' backend
Jan 18 11:17:04 ns fail2ban.filter[2072]: INFO maxLines: 1
Jan 18 11:17:04 ns fail2ban.filter[2072]: INFO maxRetry: 1
Jan 18 11:17:04 ns fail2ban.filter[2072]: INFO findtime: 86400
Jan 18 11:17:04 ns fail2ban.actions[2072]: INFO banTime: 172800
Jan 18 11:17:04 ns fail2ban.filter[2072]: INFO encoding: UTF-8
Jan 18 11:17:04 ns fail2ban.filter[2072]: INFO Added logfile: '/var/log/messages' (pos = 17222764, hash = a90e694da5351682dce8e6a0b46f4c153b1df848)
Jan 18 11:17:04 ns fail2ban.jail[2072]: INFO Creating new jail 'recidive'
Jan 18 11:17:04 ns fail2ban.jail[2072]: INFO Jail 'recidive' uses pyinotify {}
Jan 18 11:17:04 ns fail2ban.jail[2072]: INFO Initiated 'pyinotify' backend
Jan 18 11:17:04 ns fail2ban.filter[2072]: INFO maxRetry: 2
Jan 18 11:17:04 ns fail2ban.filter[2072]: INFO findtime: 1209600
Jan 18 11:17:04 ns fail2ban.actions[2072]: INFO banTime: 2419200
Jan 18 11:17:04 ns fail2ban.filter[2072]: INFO encoding: UTF-8
Jan 18 11:17:04 ns fail2ban.filter[2072]: INFO Added logfile: '/var/log/messages' (pos = 17222764, hash = a90e694da5351682dce8e6a0b46f4c153b1df848)
Jan 18 11:17:04 ns fail2ban.jail[2072]: INFO Jail 'sshd' started
Jan 18 11:17:04 ns fail2ban.jail[2072]: INFO Jail 'recidive' started
Jan 21 17:35:37 ns fail2ban.filter[2072]: INFO [sshd] Ignore 2a06:4002:9044:0:75ec:ea53:97fa:63f6 by ip
Jan 21 17:35:42 ns fail2ban.filter[2072]: INFO [sshd] Ignore 2a06:4002:9044:0:75ec:ea53:97fa:63f6 by ip
Jan 21 17:35:42 ns fail2ban.filter[2072]: INFO [sshd] Ignore 2a06:4002:9044:0:75ec:ea53:97fa:63f6 by ip

Not a public facing ssh-server running here - just did a login with an unknown user which triggered some ignores.....
So yes - logs and configs would be a good place to start.
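
A check in the spirit of the replies above, as an added example that is not part of any post in this thread: it reads a fail2ban start-up log in the syslog format shown in the post above and reports jails that never attached a logfile or never reached 'started'. The sample lines and the 'demo' jail are constructed, and only file-based backends as in that log are handled.

```python
import re

# Constructed sample in the format of the log posted above; the 'demo' jail
# and its missing lines are invented here to show an unhealthy jail.
P = "Jan 18 11:17:04 ns fail2ban."
SAMPLE = "\n".join([
    P + "server[2072]: INFO Starting Fail2ban v1.1.0",
    P + "jail[2072]: INFO Creating new jail 'sshd'",
    P + "jail[2072]: INFO Jail 'sshd' uses pyinotify {}",
    P + "filter[2072]: INFO maxRetry: 1",
    P + "filter[2072]: INFO findtime: 86400",
    P + "actions[2072]: INFO banTime: 172800",
    P + "filter[2072]: INFO Added logfile: '/var/log/messages' (pos = 0, hash = 0)",
    P + "jail[2072]: INFO Creating new jail 'demo'",
    P + "filter[2072]: INFO maxRetry: 5",
    P + "jail[2072]: INFO Jail 'sshd' started",
])

LINE = re.compile(r"fail2ban\.\w+\s*\[\d+\]:\s+[A-Z]+\s+(.*)$")
PARAM = re.compile(r"(maxRetry|findtime|banTime):\s*(\d+)$")

def jail_health(log_text):
    """Per-jail state for the most recent daemon start found in log_text."""
    jails, current = {}, None
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        msg = m.group(1).strip()
        if msg.startswith("Starting Fail2ban"):
            jails, current = {}, None  # new start: forget the previous run
        elif c := re.match(r"Creating new jail '([^']+)'", msg):
            current = c.group(1)
            jails[current] = {"backend": None, "logfiles": [], "started": False}
        elif (u := re.match(r"Jail '([^']+)' uses (\S+)", msg)) and u.group(1) in jails:
            jails[u.group(1)]["backend"] = u.group(2)
        elif (s := re.match(r"Jail '([^']+)' (started|stopped)", msg)) and s.group(1) in jails:
            jails[s.group(1)]["started"] = s.group(2) == "started"
        elif current and (p := PARAM.match(msg)):
            # Parameter lines carry no jail name; they follow "Creating new jail".
            jails[current][p.group(1)] = int(p.group(2))
        elif current and (a := re.match(r"Added logfile: '([^']+)'", msg)):
            jails[current]["logfiles"].append(a.group(1))
    return jails

def problems(jails):
    """Reasons a jail would be loaded yet never see a failed login."""
    out = [] if jails else ["no jail was created after the last start"]
    for name, j in jails.items():
        if not j["logfiles"]:
            out.append(f"{name}: no logfile attached")
        if not j["started"]:
            out.append(f"{name}: never reached 'started'")
    return out
```
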
RayDude Advocate
Joined: 29 May 2004 Posts: 2091 Location: San Jose, CA
Posted: Sat Jan 25, 2025 5:37 pm
Thanks for the replies.
I looked at config and logs today to gain some understanding.
The log does not report failed login attempts.
But something is locking me out, as after three failed login attempts from an account that's not allowed to log in, it told me I had been banned for ten minutes.
I don't think that's fail2ban's doing. I think that might be PAM, but I know so little about the guts of Linux that I'm just guessing.
_________________
Some day there will only be free software.