Environment:
* CentOS 6.5
* Fail2Ban 0.8.14-1
* date outputs the correct date
Behavior:
Fail2ban starts successfully, but does not create iptables blocks after bad SSH login attempts. I'm only concerned with SSH at this point. I attempted to reinstall using this guide: https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-fail2ban-on-centos-6
Fail2Ban used to work – but through system updates, it appears to have stopped working. If I run
sudo service fail2ban restart
I get an email saying that the jail has stopped and another email saying the jail has started, so it seems that fail2ban is running and functional.
My /etc/fail2ban/jail.local file includes the entry:
[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
         sendmail-whois[name=SSH, dest=chalstead@mydomain.edu, sender=fail2ban@campus.mydomain.edu, sendername="Fail2Ban"]
logpath = /var/log/secure
maxretry = 5
My IP address is not listed in the ignoreip declaration. I'm using the standard bantime of 600, findtime of 600, and maxretry of 3.
When I look at /var/log/secure, I see plenty of failed attempts:
Sep 30 00:17:02 nebo unix_chkpwd[3796]: password check failed for user (root)
Sep 30 00:17:02 nebo sshd[3794]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=60.173.26.189 user=root
iptables -L seems to report that fail2ban does have a chain:
Chain fail2ban-SSH (2 references)
target prot opt source destination
RETURN all -- anywhere anywhere
My current best guess is that the action for sshd in actions.d/sshd.conf is using a regular expression to look through the log file, but it doesn't match the current syntax of the CentOS log for a banned attempt.
Time is in sync per: Why isn't fail2ban blocking failures?
Ran fail2ban-regex to test my theory, and it looks like I may be on the right track:
[isdept@nebo action.d]$ sudo fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/sshd.conf
Running tests
=============
Use failregex file : /etc/fail2ban/filter.d/sshd.conf
Use log file : /var/log/secure
Results
=======
Failregex: 0 total
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [22655] MONTH Day Hour:Minute:Second
`-
Lines: 22655 lines, 0 ignored, 0 matched, 22655 missed
Missed line(s): too many to print. Use --print-all-missed to print all 22655 lines
I'm not totally sure how to modify the regex patterns to fix this (if this is the issue), but I am surprised to find that I haven't found an easy fix since CentOS is common. I'd be happy to provide any additional info. Thanks for any tips or pointers you can give!
For safety – I'm currently disabling public access to this host.
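The following is an added example, not code from the question or from the fail2ban project: a small Python model of what fail2ban-regex does, run over a handful of constructed log lines in the CentOS 6 /var/log/secure format (the first pam_unix line is the one quoted above; the other hosts and timestamps are made up). It expands fail2ban's `<HOST>` placeholder the way fail2ban 0.8.x does (assumed to be `(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)`), substitutes a syslog prefix for `%(__prefix_line)s`, and then applies fail2ban's findtime/maxretry rule to decide which hosts would be banned. The two failregex strings are illustrative and are not the contents of the stock filter.d/sshd.conf; the syslog year is assumed to be 2014 because the prefix carries none. Running it shows the symptom from the question: a pattern that only knows "Failed password" lines matches nothing in a log that contains pam_unix lines, while a pattern written for the pam_unix line finds them.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumption: this is how fail2ban 0.8.x expands the <HOST> placeholder.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# rsyslog prefix on CentOS 6, e.g. "Sep 30 00:17:02 nebo sshd[3794]: " (no year).
PREFIX_RE = r"(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "

# Illustrative failregex entries in fail2ban notation (not the stock sshd.conf).
# The first only knows the classic "Failed password ... from <HOST>" line.
FAILREGEX_FAILED_PASSWORD = (
    r"^%(__prefix_line)sFailed (?:password|publickey) for .* from <HOST>"
    r"(?: port \d+)?(?: ssh\d*)?\s*$"
)
# The second targets the pam_unix line quoted in the question.
FAILREGEX_PAM_UNIX = (
    r"^%(__prefix_line)spam_unix\(sshd:auth\): authentication failure; "
    r".* rhost=<HOST>(?:\s+user=\S+)?\s*$"
)

# Constructed sample of /var/log/secure; line 2 is copied from the question.
SAMPLE_LOG = """\
Sep 30 00:17:02 nebo unix_chkpwd[3796]: password check failed for user (root)
Sep 30 00:17:02 nebo sshd[3794]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=60.173.26.189 user=root
Sep 30 00:17:05 nebo sshd[3794]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=60.173.26.189 user=root
Sep 30 00:17:09 nebo sshd[3794]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=60.173.26.189 user=root
Sep 30 00:20:41 nebo sshd[3810]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7 user=admin
Sep 30 01:30:00 nebo sshd[3822]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7 user=admin
Sep 30 01:30:03 nebo sshd[3822]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7 user=admin
Sep 30 01:30:10 nebo sshd[3830]: Accepted publickey for isdept from 10.0.0.5 port 50112 ssh2
"""


def compile_failregex(failregex):
    """Expand the %(__prefix_line)s and <HOST> placeholders into a Python regex."""
    pattern = failregex.replace("%(__prefix_line)s", PREFIX_RE).replace("<HOST>", HOST_RE)
    return re.compile(pattern)


def scan(log_text, failregex, findtime=600, maxretry=3, year=2014):
    """Return (matched_lines, {host: ban_time}).

    Mirrors fail2ban's rule: a host is banned as soon as it has at least
    `maxretry` matching lines whose timestamps lie within `findtime` seconds.
    `year` is an assumption because the syslog prefix does not carry one.
    """
    rx = compile_failregex(failregex)
    matched = 0
    window = defaultdict(deque)   # host -> timestamps of recent failures
    banned = {}
    for line in log_text.splitlines():
        m = rx.search(line)
        if not m:
            continue
        matched += 1
        host = m.group("host")
        t = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        q = window[host]
        q.append(t)
        # Drop failures that have aged out of the findtime window.
        while q and (t - q[0]).total_seconds() > findtime:
            q.popleft()
        if host not in banned and len(q) >= maxretry:
            banned[host] = t
    return matched, banned


if __name__ == "__main__":
    for name, rx in (("Failed password", FAILREGEX_FAILED_PASSWORD),
                     ("pam_unix", FAILREGEX_PAM_UNIX)):
        matched, banned = scan(SAMPLE_LOG, rx)
        print(f"{name:<16} matched={matched} banned={sorted(banned)}")
```

With the defaults (findtime 600, maxretry 3) the pam_unix pattern matches six lines but bans only 60.173.26.189: 198.51.100.7 also has three failures, but the first one is more than findtime seconds before the other two, so it never reaches maxretry inside one window. Raising maxretry to 5, as in the jail.local above, bans nobody on this sample, which is the second thing worth checking when a jail is running but no chain entries appear.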
Best Answer
Well, I'm no regex master (or even novice), but I did manage to get it to work by adding:
to filters.d/sshd.conf. This did it and I've successfully banned my first host. If any regex experts would like to chime in, I'd be greatly appreciative. I'm sure there's a case that I'm missing in this short expression that would fail in a certain case.
Thanks!