I have a Debian 10 server running on a VPS.
The only software I installed is: tinyproxy (http proxy) and fail2ban
I have included the results of port scan using nmap
I have included my specific settings in the fail2ban jail.local file.
I have included my specific settings in the fail2ban fail2ban.local file.
I have included below a sample of entries from auth log.
I have included below a sample of entries from fail2ban log.
I have included my results from a sample scan of iptables.
I do not understand if fail2ban is working, i.e. causing IPs to be blocked based upon entries in iptables that fail2ban has made.
As an example:
== auth.log shows attempted entry by 192.241.141.43, almost every minute
== fail2ban.log shows 192.241.141.43 is banned
== Iptables shows 192.241.141.43 is banned
I thought that based upon the IP being blocked, that the malicious user would NOT be able to attempt a login.
Yet it seems that these users are indeed being able to attempt logins.
My questions, please:
- Does it appear that fail2ban is working?
- Why are malicious users allowed to even attempt login if they are banned?
Many thanks!
===
=== Results from nmap scan
# Nmap 7.80 scan initiated Sat Jan 27 15:25:04 2024 as: nmap -sS -oG out.txt 107.174.156.124
Host: 107.174.156.124 (107-174-156-124-host.colocrossing.com)	Status: Up
Host: 107.174.156.124 (107-174-156-124-host.colocrossing.com)	Ports: 139/filtered/tcp//netbios-ssn///, 445/filtered/tcp//microsoft-ds///, 8888/open/tcp//sun-answerbook///	Ignored State: closed (997)
# Nmap done at Sat Jan 27 15:25:06 2024 -- 1 IP address (1 host up) scanned in 2.20 seconds
===
=== Here are my entries in jail.local
#
# JAILS
#

#
# SSH servers
#

[sshd]
# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
#mode = normal
enabled = true
mode = aggressive
port = 63xxx
filter = sshd
logpath = /var/log/auth.log
bantime = 2000000
findtime = 7200
maxretry = 2
backend = %(sshd_backend)s
action = iptables-multiport[name=sshd, port="ssh", protocol=tcp]
===
=== Here are my entries in fail2ban.local
# Options: dbpurgeage
# Notes.: Sets age at which bans should be purged from the database
# Values: [ SECONDS ] Default: 86400 (24hours)
dbpurgeage = 2100000
===
=== Here is a sample of the auth log
As an example, there are several attempts by 192.241.141.43, and this is repeated almost every minute!
Jan 27 15:54:55 racknerd-64d010 sshd[2232]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.241.141.43 user=root
Jan 27 15:54:57 racknerd-64d010 sshd[2232]: Failed password for root from 192.241.141.43 port 54798 ssh2
Jan 27 15:54:57 racknerd-64d010 sshd[2232]: Received disconnect from 192.241.141.43 port 54798:11: Bye Bye [preauth]
Jan 27 15:54:57 racknerd-64d010 sshd[2232]: Disconnected from authenticating user root 192.241.141.43 port 54798 [preauth]
===
=== Here is a sample of the fail2ban log
As an example, fail2ban says 192.241.141.43 is banned
2024-01-27 15:55:50,928 fail2ban.actions [29992]: WARNING [sshd] 82.102.12.130 already banned
2024-01-27 15:55:50,929 fail2ban.actions [29992]: WARNING [sshd] 192.241.141.43 already banned
2024-01-27 15:55:50,929 fail2ban.actions [29992]: WARNING [sshd] 159.75.161.40 already banned
===
=== Results from iptables scan
IP 192.241.141.43 is banned
0 0 REJECT all -- * * 61.231.64.170 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 192.241.141.43 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 104.250.34.177 0.0.0.0/0 reject-with icmp-port-unreachable
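An added consistency check, not code from either post, over a jail.local fragment and an `iptables -L f2b-sshd -n -v` listing shaped like the ones posted above. Two things are worth checking here: a `port=` given inside the jail's `action = iptables-multiport[...]` line overrides the jail's own `port =`, so with `port="ssh"` the REJECT rules are hooked on tcp/22 regardless of where sshd listens, and a REJECT rule whose counters still read `0 0` has never matched a packet. The chain name f2b-sshd, the port 63022 (a stand-in for the asker's 63xxx) and the second address are constructed assumptions.

```python
import re

# Constructed stand-in for the posted jail.local; 63022 is a placeholder for the asker's 63xxx.
JAIL_LOCAL = """[sshd]
enabled = true
port = 63022
filter = sshd
logpath = /var/log/auth.log
action = iptables-multiport[name=sshd, port="ssh", protocol=tcp]
"""

# Constructed sample shaped like `iptables -L f2b-sshd -n -v`; 203.0.113.9 is a documentation address.
IPTABLES_V = """Chain f2b-sshd (1 references)
 pkts bytes target prot opt in out source destination
    0     0 REJECT all -- * * 192.241.141.43 0.0.0.0/0 reject-with icmp-port-unreachable
   17  1020 REJECT all -- * * 203.0.113.9 0.0.0.0/0 reject-with icmp-port-unreachable
    0     0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
"""

SERVICES = {"ssh": 22}  # minimal /etc/services lookup


def jail_ports(conf):
    """Return (jail port, action port). A port= inside the action line overrides the jail's port=."""
    m = re.search(r"^port\s*=\s*(\S+)", conf, re.M)
    jail = m.group(1) if m else "ssh"
    a = re.search(r'^action\s*=.*?\bport="?([^",\]]+)"?', conf, re.M)
    return jail, (a.group(1) if a else jail)


def to_number(port):
    return int(port) if port.isdigit() else SERVICES.get(port)


def ban_port_matches_sshd(conf):
    """False when the REJECT rules are hooked on a port sshd does not listen on."""
    jail, action = jail_ports(conf)
    return to_number(jail) == to_number(action)


def banned_without_hits(listing):
    """Source IPs of REJECT rules whose packet counter is still 0: a ban that matched nothing."""
    idle = []
    for line in listing.splitlines():
        f = line.split()
        if len(f) >= 9 and f[2] == "REJECT" and f[0] == "0":
            idle.append(f[7])
    return idle
```

Run `ban_port_matches_sshd` on the real jail.local and `banned_without_hits` on the real `iptables -L f2b-sshd -n -v` output; a banned address that keeps appearing in auth.log while its counter stays at zero means the rule is not on the path its connections take.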
Best Answer
It looks like it's working according to your log file.
/var/log/fail2ban.log
Fail2ban also has its own tool to check the status with
fail2ban-client status sshd
On my machine where it's working it looks like this