Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in

  FAQ | Search | Memberlist | Usergroups | Statistics | Profile | Log in to check your private messages | Log in | Register

fail2ban runs but nothing gets stopped
 View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
sl70
Guru
Guru


Joined: 18 Jun 2002
Posts: 455
Location: Saitama, JP
PostPosted: Sun Jun 02, 2024 7:22 am    Post subject: fail2ban runs but nothing gets stopped Reply with quote
I set up fail2ban according to the wiki, copied /etc/fail2ban/jail.conf to jail.local, and made very basic edits -- just enabled the sshd jail.
Code:
 diff jail.conf jail.local
274c274
< # [sshd]
---
> [sshd]
279,280c279,281
< #mode   = normal
< # port    = ssh
---
> # mode   = normal
> enabled = true
> port    = ssh
282a284
> # port    = ssh


That seems to work. No error messages, anyway.

Code:
2024-06-02 12:18:10,904 fail2ban.server         [21171]: INFO    Starting Fail2ban v1.0.2
2024-06-02 12:18:10,904 fail2ban.server         [21171]: INFO    Daemon started
2024-06-02 12:18:10,905 fail2ban.observer       [21171]: INFO    Observer start...
2024-06-02 12:18:10,916 fail2ban.database       [21171]: INFO    Connected to fail2ban persistent database /var/lib/fail2ban/fail2ban.sqlite3'
2024-06-02 12:18:10,917 fail2ban.jail           [21171]: INFO    Creating new jail 'sshd'
2024-06-02 12:18:10,979 fail2ban.jail           [21171]: INFO    Jail 'sshd' uses poller {}
2024-06-02 12:18:10,979 fail2ban.jail           [21171]: INFO    Initiated 'polling' backend
2024-06-02 12:18:10,980 fail2ban.filter         [21171]: INFO      maxLines: 1
2024-06-02 12:18:10,990 fail2ban.filter         [21171]: INFO      maxRetry: 5
2024-06-02 12:18:10,990 fail2ban.filter         [21171]: INFO      findtime: 600
2024-06-02 12:18:10,990 fail2ban.actions        [21171]: INFO      banTime: 600
2024-06-02 12:18:10,990 fail2ban.filter         [21171]: INFO      encoding: UTF-8
2024-06-02 12:18:10,991 fail2ban.jail           [21171]: INFO    Jail 'sshd' started


In spite of having this my logs are filled with messages like these:
Code:
Jun  2 16:06:53 musume sshd[22093]: User root from 120.79.78.58 not allowed because not listed in AllowUsers
Jun  2 16:06:53 musume sshd[22093]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=120.79.78.58  user=root
Jun  2 16:06:55 musume sshd[22093]: Failed password for invalid user root from 120.79.78.58 port 60244 ssh2
Jun  2 16:06:56 musume sshd[22093]: Connection closed by invalid user root 120.79.78.58 port 60244 [preauth]


And this:

Code:
fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:       
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:   


I depend on my router to keep unwanted connections out. I only have sshd running and open on a non-standard port. I also have not included root in the /etc/ssh/sshd_config AllowUsers list. But on some days I have more than 1000 unauthorized connection attempts. It annoys me. I would really like to stop these attempts before they start or at least right after they start. How can I get fail2bad to do what I expect it to?
Back to top
View user's profile Send private message
szatox
Advocate
Advocate


Joined: 27 Aug 2013
Posts: 3412
PostPosted: Sun Jun 02, 2024 10:18 am    Post subject: Reply with quote
I was too lazy to properly research Gentoo way to configure many services (I'm looking at you, apache2), so I just went with this (combined with ssh persistence and multiplexing):
Quote:
-A ssh -m hashlimit --hashlimit-above 1/hour --hashlimit-burst 3 --hashlimit-mode srcip --hashlimit-name ssh -j DROP

1 IP can make 3 attempts in a row, then 1 more after every hour.
Basically, rate limit the whole internet, whether login succeeds or not. Also, nmap scans count towards this limit too.
This comes after rules accepting packets from connections that are already established and those coming in via a vpn, so I'm not going to accidentally lock myself out

Code:
cat /etc/ssh/ssh_config.d/multiplex.conf
Host *
ControlMaster auto
ControlPath ~/.ssh/master-%r@%h:%p.socket
ControlPersist 5m

_________________
Make Computing Fun Again
Back to top
View user's profile Send private message
sl70
Guru
Guru


Joined: 18 Jun 2002
Posts: 455
Location: Saitama, JP
PostPosted: Mon Jun 03, 2024 3:22 am    Post subject: Reply with quote
Thanks for the help, but I'm afraid I don't understand this at all. The first quoted line looks like an ``iptables`` invocation but I don't know where it would go. Likewise for the second snippet of code. I don't have a /etc/ssh_config.d directory or a mulitplex.conf file. I'm afraid I need more basic help.
Back to top
View user's profile Send private message
szatox
Advocate
Advocate


Joined: 27 Aug 2013
Posts: 3412
PostPosted: Mon Jun 03, 2024 9:10 am    Post subject: Reply with quote
Those are NOT a part of f2b; it's my replacement for f2b. Legitimate users start _fewer_ connections that attackers, so it's OK to temporarily ban them too, which is why:
I added a generic iptables rule for rate limiting clients (which should mostly work with the way ssh is typically used) + ssh config for the client, which makes subsequent sessions avoid rate limits.

With this confusion sorted, you should be able to modify your server's firewall and client's ssh configs, it's not that difficult.
If you're OK with using something else than F2B of course.
_________________
Make Computing Fun Again
Back to top
View user's profile Send private message
phanxen
n00b
n00b


Joined: 02 Jan 2022
Posts: 10
Location: Jugoslavija
PostPosted: Tue Nov 05, 2024 7:02 pm    Post subject: Reply with quote
Today I found that fail2ban was not working in my system.

After some research I realized that the problem is the daemon name used in the configuration. In the file /etc/fail2ban/filter.d/sshd.conf I found the following line:

Code:
_daemon = sshd


However, the messages in the system logs show that the SSH daemon is labeled sshd-session:

Code:
Nov  5 19:42:30 mygentoobox sshd-session[30602]: error: PAM: User not known to the underlying authentication module for illegal user matt from 1.2.3.4
Nov  5 19:42:30 mygentoobox sshd-session[30602]: Failed keyboard-interactive/pam for invalid user matt from 1.2.3.4 port 33257 ssh2
Nov  5 19:42:30 mygentoobox sshd-session[30602]: Connection closed by invalid user matt 1.2.3.4 port 33257 [preauth]


So, check if the daemon name is correct. Besides, for testing, you can use the following command line:

Code:
$ sudo fail2ban-regex /var/log/sshd/sshd.log /etc/fail2ban/filter.d/sshd.conf


On the other hand, I'm not sure if this is some kind of bug or not. I have checked the main branch of the official fail2ban GitHub account, and the daemon is also called sshd.

Best regards
_________________
:.P.h.A.n.X.e.N.:
Back to top
View user's profile Send private message
flexibeast
Guru
Guru


Joined: 04 Apr 2022
Posts: 433
Location: Naarm/Melbourne, Australia
PostPosted: Tue Nov 05, 2024 11:11 pm    Post subject: Reply with quote
sshd is getting split up into multiple binaries, for security reasons, so end-user documentation needs to be updated to reflect that.
_________________
https://wiki.gentoo.org/wiki/User:Flexibeast
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum



 Links: forums.gentoo.org | www.gentoo.org | bugs.gentoo.org | wiki.gentoo.org | forum-mods@gentoo.org

Copyright 2001-2024 Gentoo Foundation, Inc. Designed by Kyle Manna © 2003; Style derived from original subSilver theme. | Hosting by Gossamer Threads Inc. © | Powered by phpBB 2.0.23-gentoo-p11 © 2001, 2002 phpBB Group
Privacy Policy