Centos – Fail2Ban on CentOS 6.5 Never Bans

Tags: centos, centos6.5, fail2ban, iptables

Environment:
* CentOS 6.5
* Fail2Ban 0.8.14-1
* date outputs the correct date

Behavior:
Fail2ban starts successfully, but does not create iptables blocks after bad SSH login attempts. I'm only concerned with SSH at this point. I attempted to reinstall using this guide: https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-fail2ban-on-centos-6

Fail2Ban used to work – but through system updates, it appears to have stopped working. If I run

sudo service fail2ban restart

I get an email saying that the jail has stopped and another email saying the jail has started, so it seems that fail2ban is running and functional.

My /etc/fail2ban/jail.local file includes the entry:

[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=chalstead@mydomain.edu, sender=fail2ban@campus.mydomain.edu, sendername="Fail2Ban"]
logpath  = /var/log/secure
maxretry = 5

My IP address is not listed in the ignoreip declaration. I'm using standard bantime of 600, findtime of 600, and maxretry of 3.

When I look at /var/log/secure, I see plenty of failed attempts:

Sep 30 00:17:02 nebo unix_chkpwd[3796]: password check failed for user (root)
Sep 30 00:17:02 nebo sshd[3794]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=60.173.26.189  user=root

iptables -L seems to report that fail2ban does have a chain:

Chain fail2ban-SSH (2 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

My current best guess is that the action for sshd in actions.d/sshd.conf is using a regular expression to look through the log file, but it doesn't match the current syntax of the CentOS log for a banned attempt.

Time is in sync per: Why isn't fail2ban blocking failures?

Ran fail2ban-regex to test my theory, and it looks like I may be on the right track:

[isdept@nebo action.d]$ sudo fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/sshd.conf 

Running tests
=============

Use   failregex file : /etc/fail2ban/filter.d/sshd.conf
Use         log file : /var/log/secure


Results
=======

Failregex: 0 total

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [22655] MONTH Day Hour:Minute:Second
`-

Lines: 22655 lines, 0 ignored, 0 matched, 22655 missed
Missed line(s): too many to print.  Use --print-all-missed to print all 22655 lines

I'm not totally sure how to modify the regex patterns to fix this (if this is the issue), but I am surprised to find that I haven't found an easy fix since CentOS is common. I'd be happy to provide any additional info. Thanks for any tips or pointers you can give!

For safety – I'm currently disabling public access to this host.

Best Answer

Well, I'm no regex master (or even novice), but I did manage to get it to work by adding:

^.*authentication failure;.*rhost=<HOST>

to filters.d/sshd.conf. This did it and I've successfully banned my first host. If any regex experts would like to chime in, I'd be greatly appreciative. I'm sure there's a case that I'm missing in this short expression that would fail in a certain case.

Thanks!
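To see why the stock sshd filter reported "0 matched" while the one-line failregex from the answer bans hosts, it helps to replay what fail2ban-regex does by hand. The script below is an added example, not code from the question, the answer or the fail2ban project: it expands the `<HOST>` placeholder the way Fail2Ban (approximately) does, strips the syslog timestamp before matching, applies each pattern to a handful of /var/log/secure lines, and then runs the matches through a maxretry/findtime sliding window so you can see which host would actually be banned. The sample log is constructed (its first two lines are the ones quoted in the question; the remaining addresses are documentation ranges), the year is assumed to be 2014, and `FAILED_PASSWORD_REGEX` is a simplified stand-in for the shipped "Failed password" pattern, not a copy of it.

```python
"""Emulate fail2ban-regex plus the ban decision for a few /var/log/secure lines.

Added example, not fail2ban's own code. Sample log lines are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Fail2Ban substitutes <HOST> with (approximately) this group before compiling a failregex.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The pattern the accepted answer appended to filter.d/sshd.conf.
ADDED_FAILREGEX = r"^.*authentication failure;.*rhost=<HOST>"

# Simplified stand-in for the stock "Failed password" pattern (an assumption, not a copy
# of the shipped filter). Note that it cannot match pam_unix "authentication failure" lines.
FAILED_PASSWORD_REGEX = r"^\S+ sshd\[\d+\]: Failed \S+ for .*? from <HOST>(?: port \d+)?(?: ssh\d*)?$"

# Syslog timestamp ("MONTH Day Hour:Minute:Second" in fail2ban-regex's report) + remainder.
DATE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<rest>.*)$")

# Constructed sample; the first two lines are the ones quoted in the question.
SAMPLE_LOG = """\
Sep 30 00:17:02 nebo unix_chkpwd[3796]: password check failed for user (root)
Sep 30 00:17:02 nebo sshd[3794]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=60.173.26.189  user=root
Sep 30 00:17:05 nebo sshd[3794]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=60.173.26.189  user=root
Sep 30 00:17:09 nebo sshd[3794]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=60.173.26.189  user=root
Sep 30 00:17:12 nebo sshd[3801]: Failed password for invalid user admin from 60.173.26.189 port 51452 ssh2
Sep 30 00:20:00 nebo sshd[3810]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7  user=root
Sep 30 00:29:00 nebo sshd[3815]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7  user=root
Sep 30 00:40:00 nebo sshd[3820]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7  user=root
Sep 30 00:41:00 nebo sshd[3825]: Accepted publickey for isdept from 192.0.2.10 port 40000 ssh2
"""


def compile_failregex(pattern):
    """Expand the <HOST> placeholder the way Fail2Ban does, then compile."""
    return re.compile(pattern.replace("<HOST>", HOST_RE))


def split_timestamp(line, year):
    """Strip the syslog timestamp; Fail2Ban matches failregex against the remainder."""
    m = DATE_RE.match(line)
    if not m:
        return None, None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
    return ts, m.group("rest")


def scan_log(log_text, patterns, year=2014):
    """Return (matched, missed): matched is a list of (timestamp, host), missed the raw lines."""
    compiled = [compile_failregex(p) for p in patterns]
    matched, missed = [], []
    for line in log_text.strip().splitlines():
        ts, rest = split_timestamp(line, year)
        if ts is None:
            missed.append(line)
            continue
        for rx in compiled:
            m = rx.search(rest)
            if m:
                matched.append((ts, m.group("host")))
                break
        else:
            missed.append(line)
    return matched, missed


def simulate_bans(failures, maxretry=3, findtime=600, bantime=600):
    """Replay failures through a per-host findtime window; return [(host, ban_time), ...]."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)
    banned_until = {}
    bans = []
    for ts, host in sorted(failures):
        if host in banned_until and ts < banned_until[host]:
            continue  # already banned: the iptables rule would have dropped this connection
        q = recent[host]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # attempts older than findtime no longer count
        if len(q) >= maxretry:
            bans.append((host, ts))
            banned_until[host] = ts + timedelta(seconds=bantime)
            q.clear()
    return bans


if __name__ == "__main__":
    for label, pats in [("stock-style pattern only", [FAILED_PASSWORD_REGEX]),
                        ("stock-style + added pattern", [FAILED_PASSWORD_REGEX, ADDED_FAILREGEX])]:
        matched, missed = scan_log(SAMPLE_LOG, pats)
        print(f"{label}: {len(matched)} matched, {len(missed)} missed")
        for host, when in simulate_bans(matched):
            print(f"  would ban {host} at {when:%b %d %H:%M:%S}")
```

With only the "Failed password" style pattern, just one of the nine lines matches, which is the situation the question describes: pam_unix logs the failure as "authentication failure; ... rhost=" and nothing in that pattern recognises it. Adding the answer's failregex lifts the match count to seven, and 60.173.26.189 is banned on its third attempt within findtime. 198.51.100.7 also fails three times but spreads them over twenty minutes, so the window never holds three at once and it is never banned, which is the maxretry/findtime interaction to keep in mind when testing with your own slow retries.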
