Fail2ban does not work for ssh except on port 22

fail2banssh

My fail2ban is not working for sshd except for the default port 22/tcp.

My old, working config in jail.local:

[sshd]
enabled  = true
port     = ssh

Tested fail2ban, did ban me after 3 failed attempts as intended.

I explicitly specified a different port afterwards in jail.local; ssh tunnel works on the new port, but when I consciously err with wrong ssh password I do not receive a ban after any number of attempts.

sshd.service, fail2ban.service already restarted, also tried rebooting.

I DO get the email message about being banned, however, I can still (successfully) attempt to log in.

Edit: This is the pastebin of fail2ban-client -d | grep 'ssh'

Best Answer

Something may be not correct in your configuration.

For example, fail2ban default jail section for sshd is [sshd], whereas your example shows [ssh]. Do you have 2 jails? Or did you make some customization with own jail or defaults? (for instance default action is overwritten).

To inspect it deeper you could show the dump of fail2ban (merged) configuration:

fail2ban-client -d | grep 'ssh'

Interesting are the values of actionstart (and actionban) and whether the port is interpolated in the action definitions.

Small hint: for customization (if you need to overwrite the action for some reason), either set the banaction only (it will be interpolated in default action declaration):

[jail]
banaction = iptables-ipset-proto6

or use all parameters the action expects:

[jail]
action = iptables-ipset-proto6[port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]

Otherwise the action could use its default port (which may be indeed 22).

Related Solutions

Ubuntu – fail2ban cannot ban ip on all ports if it’s already banned for specific port

While fail2ban creates an iptables chain per service (eg fail2ban-ssh), the check for an existing ban is based on the IP address. A possibility to fix the problem is to make fail2ban unban an IP (ticket) if it is already in the banned-list just before it is going to ban it (again)

These actions happen in the python script located (when installed via apt-get install) in

/usr/share/fail2ban/server

edit the file actions.py, you should see the following code for the __checkban definition

def __checkBan(self):
        ticket = self.jail.getFailTicket()
        if ticket != False:
                aInfo = dict()
                bTicket = BanManager.createBanTicket(ticket)
                aInfo["ip"] = bTicket.getIP()
                aInfo["failures"] = bTicket.getAttempt()
                aInfo["time"] = bTicket.getTime()
                aInfo["matches"] = "".join(bTicket.getMatches())
                if self.__banManager.addBanTicket(bTicket):
                        logSys.warn("[%s] Ban %s" % (self.jail.getName(), aInfo["ip"]))
                        for action in self.__actions:
                                action.execActionBan(aInfo)
                        return True
                else:
                       logSys.warn("[%s] %s already banned" % (self.jail.getName(), aInfo["ip"]))
        return False

modify/replace the definition with

def __checkBan(self):
        ticket = self.jail.getFailTicket()
        if ticket != False:
                aInfo = dict()
                bTicket = BanManager.createBanTicket(ticket)
                aInfo["ip"] = bTicket.getIP()
                aInfo["failures"] = bTicket.getAttempt()
                aInfo["time"] = bTicket.getTime()
                aInfo["matches"] = "".join(bTicket.getMatches())
                # changes from here ...
                if not self.__banManager.addBanTicket(bTicket):
                        logSys.warn("[%s] first unban %s before ban" % (self.jail.getName(), aInfo["ip"]))
                        self.__unBan(ticket)
                        self.__banManager.addBanTicket(bTicket)
                logSys.warn("[%s] Ban %s" % (self.jail.getName(), aInfo["ip"]))
                for action in self.__actions:
                        action.execActionBan(aInfo)
                return True
                # else:
                #       logSys.warn("[%s] %s already banned" % (self.jail.getName(), 
                #                                                                                       aInfo["ip"]))
        #return False

and restart fail2ban (e.g. /etc/init.d/fail2ban restart) while it is probably not necessary...

Note: if you want to 'play around' with this, you can list the firewall (iptables) rules

iptables -L

and delete the rule that was created by fail2ban in order to access and force a "re-ban"

iptables -D fail2ban-ssh xxxx

where xxxx is the number of the rule in that chain from the list iptables -L fail2ban-ssh

Ubuntu – Fail2Ban Correctly Attempts to Ban IP but IP does not get banned – iptables chain exists but not working

The fail2ban chains are not correctly linked to your INPUT and OUTPUT chains. Please edit your question and provide output of:

iptables -n -L INPUT
iptables -n -L OUTPUT

and all fail2ban chains too, and I'll be able to be more precise.

Best Answer

Related Solutions

Ubuntu – fail2ban cannot ban ip on all ports if it’s already banned for specific port

Ubuntu – Fail2Ban Correctly Attempts to Ban IP but IP does not get banned – iptables chain exists but not working

Related Topic