Hi,
I have a strange problem with fail2ban. There are three Squeeze servers
with identical configuration. One server works fine: if a user tries to
log in over SSH, he will get blocked if he uses a wrong password too often.
On the two other servers nothing happens (= no ban).
The config:
#####################################################################
/etc/fail2ban/jail.local:
#####################################################################
[DEFAULT]
ignoreip = 127.0.0.1
bantime = 604800
destemail = r...@concepts-and-training.de
banaction = iptables-multiport
action = %(action_mwl)s
[ssh]
enabled = true
port = 22
filter = sshd
logpath = /var/log/auth.log
maxretry = 2
#####################################################################
/etc/fail2ban/filter.d/sshd.conf
#####################################################################
[INCLUDES]
before = common.conf
[Definition]
_daemon = sshd
failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$
            ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
            ^%(__prefix_line)sFailed (?:password|publickey) for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$
            ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
            ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers$
            ^%(__prefix_line)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
            ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
            ^%(__prefix_line)sAddress <HOST> .* POSSIBLE BREAK-IN ATTEMPT!*\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$
ignoreregex =
#####################################################################
Running fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf gives the following output on all machines:
#####################################################################
/usr/share/fail2ban/server/filter.py:442: DeprecationWarning: the md5
module is deprecated; use hashlib instead
import md5
Running tests
=============
Use regex file : /etc/fail2ban/filter.d/sshd.conf
Use log file : /var/log/auth.log
Results
=======
Failregex
|- Regular expressions:
| [1] ^\s*(?:\S+ )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$
| [2] ^\s*(?:\S+ )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
| [3] ^\s*(?:\S+ )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*Failed (?:password|publickey) for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$
| [4] ^\s*(?:\S+ )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*ROOT LOGIN REFUSED.* FROM <HOST>\s*$
| [5] ^\s*(?:\S+ )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*[iI](?:llegal|nvalid) user .* from <HOST>\s*$
| [6] ^\s*(?:\S+ )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*User .+ from <HOST> not allowed because not listed in AllowUsers$
| [7] ^\s*(?:\S+ )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*authentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
| [8] ^\s*(?:\S+ )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*refused connect from \S+ \(<HOST>\)\s*$
| [9] ^\s*(?:\S+ )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*Address <HOST> .* POSSIBLE BREAK-IN ATTEMPT!*\s*$
| [10] ^\s*(?:\S+ )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*User .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$
|
`- Number of matches:
[1] 0 match(es)
[2] 0 match(es)
[3] 13 match(es)
[4] 0 match(es)
[5] 4 match(es)
[6] 0 match(es)
[7] 0 match(es)
[8] 0 match(es)
[9] 0 match(es)
[10] 0 match(es)
Ignoreregex
|- Regular expressions:
|
`- Number of matches:
Summary
=======
Addresses found:
[1]
[2]
[3]
166.111.5.xxx (Sun May 06 15:50:13 2012)
218.108.224.xxx (Sun May 06 17:47:44 2012)
117.135.160.xxx (Sun May 06 19:00:14 2012)
83.170.66.xxx (Sun May 06 21:33:40 2012)
83.170.66.xxx (Sun May 06 21:33:44 2012)
83.170.66.xxx (Sun May 06 21:33:46 2012)
219.235.2.xxx (Sun May 06 21:45:52 2012)
58.51.95.xxx (Sun May 06 23:47:42 2012)
58.51.95.xxx (Sun May 06 23:47:46 2012)
121.10.140.xxx (Mon May 07 02:45:17 2012)
202.46.14.xxx (Mon May 07 05:42:39 2012)
202.85.132.xxx (Mon May 07 08:48:03 2012)
202.85.132.xxx (Mon May 07 08:48:08 2012)
[4]
[5]
166.111.5.xxx (Sun May 06 15:50:11 2012)
219.235.2.xxx (Sun May 06 21:45:49 2012)
121.10.140.xxx (Mon May 07 02:45:15 2012)
202.46.14.xxx (Mon May 07 05:42:37 2012)
[6]
[7]
[8]
[9]
[10]
Date template hits:
15287 hit(s): MONTH Day Hour:Minute:Second
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
0 hit(s): Year/Month/Day Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/MONTH/Year:Hour:Minute:Second
0 hit(s): Month/Day/Year:Hour:Minute:Second
0 hit(s): Year-Month-Day Hour:Minute:Second
0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
0 hit(s): Day-Month-Year Hour:Minute:Second
0 hit(s): TAI64N
0 hit(s): Epoch
0 hit(s): ISO 8601
0 hit(s): Hour:Minute:Second
0 hit(s): <Month/Day/Year@Hour:Minute:Second>
Success, the total number of match is 17
However, look at the above section 'Running tests' which could contain important information.
#####################################################################
fail2ban runs fine:
#####################################################################
root 24156 0.1 0.0 66804 7640 ? Sl 11:07 0:01 /usr/bin/python /usr/bin/fail2ban-server -b -s /var/run/fail2ban/fail2ban.sock
#####################################################################
iptables is also fine:
#####################################################################
iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain fail2ban-ssh (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
#####################################################################
As said above, everything works fine on one of the machines. Any ideas
why it won't work on the others?
Thanks in advance.
Best regards
Denis
--
Archive: http://lists.debian.org/4fa8da9f.9090...@concepts-and-training.de
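Added example, not part of Denis's mail and not fail2ban's own code: fail2ban-regex only reports how many lines of the whole file match each failregex; the server additionally bans only when one host accumulates maxretry matches inside the findtime window (fail2ban's default is 600 seconds; the posted jail.local sets maxretry = 2 and leaves findtime at its default). The script below replays that window logic so the two checks can be compared. It applies failregex [3] and [5] from the fail2ban-regex output above, with __prefix_line expanded exactly as that output printed it, to a constructed auth.log fragment in the same "MONTH Day Hour:Minute:Second" format (documentation address ranges, not the addresses from the mail). Assumptions, which are mine and not from the mail: the year 2012 for the year-less syslog timestamps, a simplified `(?P<host>\S+)` in place of fail2ban's <HOST> pattern, and the counter being reset for a host once it is banned.

```python
import re
from datetime import datetime

MAXRETRY = 2      # from the posted jail.local
FINDTIME = 600    # seconds; fail2ban's default, not set in the posted jail.local (assumption)

# __prefix_line exactly as fail2ban-regex expanded it in the output above.
PREFIX_LINE = (r"^\s*(?:\S+ )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?"
               r"|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*")
HOST = r"(?P<host>\S+)"   # simplified stand-in for fail2ban's <HOST> (assumption)

# failregex [3] and [5] from the posted filter; these are the two that matched.
FAILREGEX = [
    PREFIX_LINE + r"Failed (?:password|publickey) for .* from " + HOST + r"(?: port \d*)?(?: ssh\d*)?$",
    PREFIX_LINE + r"[iI](?:llegal|nvalid) user .* from " + HOST + r"\s*$",
]
COMPILED = [re.compile(rx) for rx in FAILREGEX]

# fail2ban strips the timestamp before the failregex is applied; this mirrors the
# "MONTH Day Hour:Minute:Second" date template that got all the hits above.
DATE_RE = re.compile(r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d)\s+")

# Constructed auth.log sample (not the mail's log). Lines are in log order.
SAMPLE_LOG = """\
May  6 15:50:11 srv sshd[2000]: Invalid user oracle from 198.51.100.9
May  6 15:50:13 srv sshd[2000]: Failed password for invalid user oracle from 198.51.100.9 port 3344 ssh2
May  6 21:33:40 srv sshd[2100]: Failed password for root from 203.0.113.7 port 4455 ssh2
May  6 21:33:44 srv sshd[2100]: Failed password for root from 203.0.113.7 port 4456 ssh2
May  6 21:33:46 srv sshd[2100]: Failed password for root from 203.0.113.7 port 4457 ssh2
May  7 02:45:17 srv sshd[3000]: Failed password for root from 192.0.2.5 port 1122 ssh2
May  7 09:45:17 srv sshd[3100]: Failed password for root from 192.0.2.5 port 1133 ssh2
May  7 09:45:20 srv sshd[3100]: Accepted password for denis from 192.0.2.5 port 1134 ssh2
""".splitlines()


def parse_line(line, year=2012):
    """Return (timestamp, host, failregex index) for a matching line, else None."""
    m = DATE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{m['mon']} {m['day']} {year} {m['time']}", "%b %d %Y %H:%M:%S")
    rest = line[m.end():]           # what fail2ban feeds to the failregex
    for idx, rx in enumerate(COMPILED):
        f = rx.match(rest)
        if f:
            return ts, f.group("host"), idx
    return None


def count_matches(lines):
    """Per-regex match counts: the same figure fail2ban-regex prints as 'Number of matches'."""
    counts = [0] * len(COMPILED)
    for line in lines:
        parsed = parse_line(line)
        if parsed is not None:
            counts[parsed[2]] += 1
    return counts


def evaluate(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Replay the jail's findtime/maxretry window; return [(host, time of ban), ...]."""
    recent = {}   # host -> failure times still inside the window
    bans = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host, _ = parsed
        # Drop failures older than findtime, then add the current one.
        window = [t for t in recent.get(host, []) if (ts - t).total_seconds() <= findtime]
        window.append(ts)
        recent[host] = window
        if len(window) >= maxretry:
            bans.append((host, ts))
            recent[host] = []   # start counting afresh after a ban (assumption, see lead-in)
    return bans


if __name__ == "__main__":
    print("matches per regex:", count_matches(SAMPLE_LOG))
    for host, when in evaluate(SAMPLE_LOG):
        print(f"would ban {host} at {when:%b %d %H:%M:%S}")
    print("bans with a 8h findtime:", len(evaluate(SAMPLE_LOG, findtime=8 * 3600)))
```

Run as-is it reports 6 and 1 matches for the two regexes, but only two bans: the host with two failures seven hours apart never reaches maxretry inside the default 600-second window, which the match count alone does not reveal. Passing a larger findtime to evaluate() shows the third ban appearing, which is the kind of side-by-side check worth running on a machine where the match counts look right but no ban ever happens.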