On 25 January 2017 at 11:05, Patrick PICHON <patr...@pichon.me> wrote:
>
> Hello,
>
> I'm having problem to get sshd-ddos triggering action. From the
> configuration and from the log it looks like things are working, but
> there is no trigger of action !
>
> Do I miss something ?
>
> Thanks in advance for your support
> Patrick
>
> Fedora 25 with systemd/journalctl
>
> Packages installed are :
> fail2ban-systemd-0.9.6-2.fc25.noarch
> fail2ban-server-0.9.6-2.fc25.noarch
> fail2ban-sendmail-0.9.6-2.fc25.noarch
> fail2ban-mail-0.9.6-2.fc25.noarch
> fail2ban-0.9.6-2.fc25.noarch
> fail2ban-firewalld-0.9.6-2.fc25.noarch
>
> ==========
> /etc/fail2ban/filter.d/sshd-ddos
> [INCLUDES]
>
> # Read common prefixes. If any customizations available -- read them from
> # common.local
> before = common.conf
>
> [Definition]
> _daemon = sshd
> failregex = ^%(__prefix_line)sDid not receive identification string from <HOST>\s*$
> ignoreregex =
> [Init]
> journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd
> # Author: Yaroslav Halchenko
>
> ======
> /etc/fail2ban/jail.d/sshd-ddos.conf
> [sshd-ddos]
> enabled = true
> port = 23,20022
> findtime = 600
> bantime = 600
>
>
> =======
> fail2ban-client status
> Status
> |- Number of jail: 1
> `- Jail list: sshd-ddos
>
>
> fail2ban-client status sshd-ddos
> Status for the jail: sshd-ddos
> |- Filter
> |  |- Currently failed: 0
> |  |- Total failed: 0
> |  `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd
> `- Actions
>    |- Currently banned: 0
>    |- Total banned: 0
>    `- Banned IP list:
>
>
> Here after is an extract of the fail2ban log (in DEBUG mode)
> identification string from 15.203.163.254 port 57692'
> 2017-01-25 11:53:06,613 fail2ban.filtersystemd [30722]: DEBUG Read systemd journal entry: '2017-01-25T11:53:06.206739pitchoun.pipiche.net sshd[30729]: Did not receive identification string from 15.203.163.254 port 57712'
> 2017-01-25 11:53:12,362 fail2ban.filtersystemd [30722]: DEBUG Read systemd journal entry: '2017-01-25T11:53:11.983178pitchoun.pipiche.net sshd[30733]: Did not receive identification string from 15.203.163.254 port 57716'
> 2017-01-25 11:53:13,862 fail2ban.filtersystemd [30722]: DEBUG Read systemd journal entry: '2017-01-25T11:53:13.544886pitchoun.pipiche.net sshd[30696]: Did not receive identification string from 62.215.52.6 port 17877'
> 2017-01-25 11:53:17,612 fail2ban.filtersystemd [30722]: DEBUG Read systemd journal entry: '2017-01-25T11:53:17.247066pitchoun.pipiche.net sshd[30740]: Did not receive identification string from 15.203.163.254 port 57718'
> 2017-01-25 11:53:20,618 fail2ban.filtersystemd [30722]: DEBUG Read systemd journal entry: '2017-01-25T11:53:20.399851pitchoun.pipiche.net sshd[30744]: Did not receive identification string from 15.203.163.254 port 57722'
> 2017-01-25 11:54:25,612 fail2ban.filtersystemd [30722]: DEBUG Read systemd journal entry: '2017-01-25T11:54:25.353911pitchoun.pipiche.net sshd[30748]: Did not receive identification string from 201.194.252.161 port 42002'
> 2017-01-25 12:01:17,551 fail2ban.transmitter [30722]: DEBUG Command: ['status']
> 2017-01-25 12:01:35,906 fail2ban.transmitter [30722]: DEBUG Command: ['status', 'sshd-ddos']

My initial reaction was that the default maxretry setting is 5, and the extract you have shown does not show five offences by any single ip. Could this be the reason? If you want to reduce the maxretry setting for this jail, put an extra line in /etc/fail2ban/jail.d/sshd-ddos.conf like: 'maxretry=2'.

But on reflection I think it is more likely your problem is the one reported here: https://github.com/fail2ban/fail2ban/issues/1341 - in which case the solution is probably to rebuild fail2ban (0.9 or 0.10) from the latest at https://github.com/fail2ban/fail2ban.

_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
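
An offline check of the two things the thread turns on, written as an added example (not code from the thread or from the fail2ban project): it runs the quoted failregex over the six complete journal entries from the DEBUG log, then applies a maxretry/findtime count to whatever matched. PREFIX and HOST are simplified stand-ins for fail2ban's %(__prefix_line)s and <HOST>, WITH_PORT is a hypothetical variant, and the leading timestamp is assumed to be stripped before matching.

```python
import re
from collections import defaultdict

# Simplified stand-ins (assumptions) for %(__prefix_line)s and <HOST>.
PREFIX = r"(?:\S+ )?sshd(?:\[\d+\])?:\s+"
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
MSG = r"Did not receive identification string from "

# failregex as quoted in the post: only whitespace may follow <HOST>.
QUOTED = re.compile("^" + PREFIX + MSG + HOST + r"\s*$")
# Hypothetical local variant that also accepts a trailing " port N".
WITH_PORT = re.compile("^" + PREFIX + MSG + HOST + r"(?: port \d+)?\s*$")

# The six complete entries from the quoted DEBUG log: (time, sshd pid, IP, port).
SAMPLE = [
    ("11:53:06", 30729, "15.203.163.254", 57712),
    ("11:53:11", 30733, "15.203.163.254", 57716),
    ("11:53:13", 30696, "62.215.52.6", 17877),
    ("11:53:17", 30740, "15.203.163.254", 57718),
    ("11:53:20", 30744, "15.203.163.254", 57722),
    ("11:54:25", 30748, "201.194.252.161", 42002),
]

def to_entry(clock, pid, ip, port):
    """Rebuild (seconds since midnight, message with the timestamp stripped)."""
    h, m, s = (int(x) for x in clock.split(":"))
    text = f"pitchoun.pipiche.net sshd[{pid}]: {MSG}{ip} port {port}"
    return h * 3600 + m * 60 + s, text

ENTRIES = [to_entry(*row) for row in SAMPLE]

def failures(regex, entries):
    """Return (time, host) for every entry the failregex matches."""
    found = ((when, regex.match(text)) for when, text in entries)
    return [(when, m.group("host")) for when, m in found if m]

def would_ban(hits, maxretry, findtime):
    """Hosts with at least maxretry failures inside one findtime window."""
    by_host = defaultdict(list)
    for when, host in hits:
        by_host[host].append(when)
    banned = set()
    for host, times in by_host.items():
        times.sort()
        if any(times[i + maxretry - 1] - times[i] <= findtime
               for i in range(len(times) - maxretry + 1)):
            banned.add(host)
    return banned
```

fail2ban-regex runs an installed filter against log lines in the same way, using the real prefix and host expansions.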