Ubuntu – why fail2ban does not ban? (ubuntu, ssh)

fail2baniptablessshUbuntu

I installed a fresh Ubuntu machine. Then I changed the ssh port which is no more 22 but 22111:

Then I have installed fail2ban:

apt-get install fail2ban -y
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
service fail2ban restart
iptables -L

Then I try to SSH login from the ip 192.168.1.22. After few wrong login, fail2ban add the follow line to iptables.

-A fail2ban-ssh -s 192.168.1.22/32 -j REJECT --reject-with icmp-port-unreachable

After that, I try to login again with the right credential and I can login with no problem, from the IP 192.168.1.22

The iptables rule is still there.

Do I need additional configuration?

Best Answer

As already mentioned in the comment, you need to change the port value in jail.local file to your custom port number that the ssh is listening to.

[ssh]

enabled  = true
port     = 22111 # custom port here
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 6

This is because, this port number is used to create the iptables rule for the INPUT chain, as below, from your post:

-N fail2ban-ssh -A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh

See the value of --dports 22, which means those packet will be matched first that are destined for port 22 and hence, when you are trying to log into another port, it is not matching and therefore the flollowing rule for that specific ip is not getting employed:

-A fail2ban-ssh -s 192.168.1.22/32 -j REJECT --reject-with icmp-port-unreachable

Change the port and restart fail2ban, and then check iptables rules again, you will see, it is changed and then thing should work as expected.

Related Topic