Hello,

In addition:

[DEFAULT]
destemail = supp...@pipiche.net
banaction = iptables-multiport

Thanks for responding. I did what you recommended and still no action taken:

[sshd-ddos]
enabled = true
port = 23,20022
maxretry=2
findtime = 600
bantime = 600

Here after are the logs

2017-01-25 12:59:38,716 fail2ban.action [30982]: DEBUG iptables -w -N f2b-sshd-ddos
iptables -w -A f2b-sshd-ddos -j RETURN
iptables -w -I INPUT -p tcp -m multiport --dports 23,20022 -j f2b-sshd-ddos -- stderr: b''
2017-01-25 12:59:38,716 fail2ban.action [30982]: DEBUG iptables -w -N f2b-sshd-ddos
iptables -w -A f2b-sshd-ddos -j RETURN
iptables -w -I INPUT -p tcp -m multiport --dports 23,20022 -j f2b-sshd-ddos -- returned successfully
2017-01-25 12:59:44,863 fail2ban.filtersystemd [30982]: DEBUG Read systemd journal entry: '2017-01-25T12:59:44.559610pitchoun.pipiche.net sshd[30989]: Did not receive identification string from 15.203.163.254 port 58130'
2017-01-25 12:59:48,871 fail2ban.filtersystemd [30982]: DEBUG Read systemd journal entry: '2017-01-25T12:59:48.818770pitchoun.pipiche.net sshd[30993]: Did not receive identification string from 15.203.163.254 port 58132'
2017-01-25 12:59:52,114 fail2ban.filtersystemd [30982]: DEBUG Read systemd journal entry: '2017-01-25T12:59:51.730913pitchoun.pipiche.net sshd[30997]: Did not receive identification string from 15.203.163.254 port 58134'
2017-01-25 12:59:55,123 fail2ban.filtersystemd [30982]: DEBUG Read systemd journal entry: '2017-01-25T12:59:54.987220pitchoun.pipiche.net sshd[31001]: Did not receive identification string from 15.203.163.254 port 58136'
2017-01-25 12:59:58,370 fail2ban.filtersystemd [30982]: DEBUG Read systemd journal entry: '2017-01-25T12:59:58.323035pitchoun.pipiche.net sshd[31005]: Did not receive identification string from 15.203.163.254 port 58138'
2017-01-25 13:00:01,613 fail2ban.filtersystemd [30982]: DEBUG Read systemd journal entry: '2017-01-25T13:00:01.242494pitchoun.pipiche.net sshd[31009]: Did not receive identification string from 15.203.163.254 port 58140'
2017-01-25 13:00:05,112 fail2ban.filtersystemd [30982]: DEBUG Read systemd journal entry: '2017-01-25T13:00:04.747112pitchoun.pipiche.net sshd[31029]: Did not receive identification string from 15.203.163.254 port 58142'
2017-01-25 13:00:08,363 fail2ban.filtersystemd [30982]: DEBUG Read systemd journal entry: '2017-01-25T13:00:07.992217pitchoun.pipiche.net sshd[31035]: Did not receive identification string from 15.203.163.254 port 58144'

On 2017-01-25 12:51, Dominic Raferd wrote:
> On 25 January 2017 at 11:05, Patrick PICHON <patr...@pichon.me> wrote:
>>
>> Hello,
>>
>> I'm having problem to get sshd-ddos triggering action. From the
>> configuration and from the log it looks like things are working, but
>> there is no trigger of action !
>>
>> Do I miss something ?
>>
>> Thanks in advance for your support
>> Patrick
>>
>> Fedora 25 with systemd/journalctl
>>
>> Packages installed are :
>> fail2ban-systemd-0.9.6-2.fc25.noarch
>> fail2ban-server-0.9.6-2.fc25.noarch
>> fail2ban-sendmail-0.9.6-2.fc25.noarch
>> fail2ban-mail-0.9.6-2.fc25.noarch
>> fail2ban-0.9.6-2.fc25.noarch
>> fail2ban-firewalld-0.9.6-2.fc25.noarch
>>
>> ==========
>> /etc/fail2ban/filter.d/sshd-ddos
>> [INCLUDES]
>>
>> # Read common prefixes. If any customizations available -- read them from
>> # common.local
>> before = common.conf
>>
>> [Definition]
>> _daemon = sshd
>> failregex = ^%(__prefix_line)sDid not receive identification string from <HOST>\s*$
>> ignoreregex =
>> [Init]
>> journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd
>> # Author: Yaroslav Halchenko
>>
>> ======
>> /etc/fail2ban/jail.d/sshd-ddos.conf
>> [sshd-ddos]
>> enabled = true
>> port = 23,20022
>> findtime = 600
>> bantime = 600
>>
>>
>> =======
>> fail2ban-client status
>> Status
>> |- Number of jail: 1
>> `- Jail list: sshd-ddos
>>
>>
>> fail2ban-client status sshd-ddos
>> Status for the jail: sshd-ddos
>> |- Filter
>> |  |- Currently failed: 0
>> |  |- Total failed: 0
>> |  `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd
>> `- Actions
>>    |- Currently banned: 0
>>    |- Total banned: 0
>>    `- Banned IP list:
>>
>>
>> Here after is an extract of the fail2ban log (in DEBUG mode)
>> identification string from 15.203.163.254 port 57692'
>> 2017-01-25 11:53:06,613 fail2ban.filtersystemd [30722]: DEBUG Read systemd journal entry: '2017-01-25T11:53:06.206739pitchoun.pipiche.net sshd[30729]: Did not receive identification string from 15.203.163.254 port 57712'
>> 2017-01-25 11:53:12,362 fail2ban.filtersystemd [30722]: DEBUG Read systemd journal entry: '2017-01-25T11:53:11.983178pitchoun.pipiche.net sshd[30733]: Did not receive identification string from 15.203.163.254 port 57716'
>> 2017-01-25 11:53:13,862 fail2ban.filtersystemd [30722]: DEBUG Read systemd journal entry: '2017-01-25T11:53:13.544886pitchoun.pipiche.net sshd[30696]: Did not receive identification string from 62.215.52.6 port 17877'
>> 2017-01-25 11:53:17,612 fail2ban.filtersystemd [30722]: DEBUG Read systemd journal entry: '2017-01-25T11:53:17.247066pitchoun.pipiche.net sshd[30740]: Did not receive identification string from 15.203.163.254 port 57718'
>> 2017-01-25 11:53:20,618 fail2ban.filtersystemd [30722]: DEBUG Read systemd journal entry: '2017-01-25T11:53:20.399851pitchoun.pipiche.net sshd[30744]: Did not receive identification string from 15.203.163.254 port 57722'
>> 2017-01-25 11:54:25,612 fail2ban.filtersystemd [30722]: DEBUG Read systemd journal entry: '2017-01-25T11:54:25.353911pitchoun.pipiche.net sshd[30748]: Did not receive identification string from 201.194.252.161 port 42002'
>> 2017-01-25 12:01:17,551 fail2ban.transmitter [30722]: DEBUG Command: ['status']
>> 2017-01-25 12:01:35,906 fail2ban.transmitter [30722]: DEBUG Command: ['status', 'sshd-ddos']
>
>
> My initial reaction was that the default maxretry setting is 5, and
> the extract you have shown does not show five offences by any single
> ip. Could this be the reason? If you want to reduce the maxretry
> setting for this jail, put an extra line in
> /etc/fail2ban/jail.d/sshd-ddos.conf like: 'maxretry=2'.
>
> But on reflection I think it is more likely your problem is the one
> reported here: https://github.com/fail2ban/fail2ban/issues/1341 - in
> which case the solution is probably to rebuild fail2ban (0.9 or 0.10)
> from the latest at https://github.com/fail2ban/fail2ban.
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
> _______________________________________________
> Fail2ban-users mailing list
> Fail2ban-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
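
An added example, not part of the original thread and not fail2ban's own code: the failregex in the quoted filter ends at `<HOST>\s*$`, while the journal entries in the logs continue with ` port N`. The sketch below uses simplified stand-ins for `%(__prefix_line)s` and `<HOST>` (assumptions), the jail's maxretry=2 and findtime=600, and a hypothetical port-tolerant variant (`PORT_RE`) to check which hosts would reach the ban threshold under each pattern.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Simplified stand-ins (assumptions): fail2ban expands %(__prefix_line)s and
# <HOST> into longer patterns; these cover only "host sshd[pid]: " and IPv4.
PREFIX = r"\S*\s*sshd\[\d+\]:\s+"
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
MSG = "Did not receive identification string from "
# failregex as configured on the page: only whitespace may follow <HOST>.
PAGE_RE = re.compile("^" + PREFIX + MSG + HOST + r"\s*$")
# Hypothetical variant that also accepts a trailing " port N".
PORT_RE = re.compile("^" + PREFIX + MSG + HOST + r"(?: port \d+)?\s*$")
STAMP = re.compile(r"^\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d\.\d{6}")

# The first two entries are from the thread; the other three are constructed.
SAMPLE = [
    "2017-01-25T12:59:44.559610pitchoun.pipiche.net sshd[30989]: " + MSG + "15.203.163.254 port 58130",
    "2017-01-25T12:59:48.818770pitchoun.pipiche.net sshd[30993]: " + MSG + "15.203.163.254 port 58132",
    "2017-01-25T13:01:00.000000host.example sshd[101]: " + MSG + "192.0.2.10",
    "2017-01-25T13:02:00.000000host.example sshd[102]: " + MSG + "192.0.2.10",
    "2017-01-25T13:03:00.000000host.example sshd[103]: " + MSG + "198.51.100.7 port 4000",
]

def would_ban(regex, lines, maxretry=2, findtime=600):
    """Hosts with at least maxretry matching entries within findtime seconds."""
    seen, banned = defaultdict(list), set()
    window = timedelta(seconds=findtime)
    for line in lines:
        stamp = STAMP.match(line)
        if not stamp:
            continue
        # The regex is applied to the text after the timestamp, modelling
        # fail2ban's removal of the detected date before failregex is tried.
        hit = regex.match(line[stamp.end():])
        if not hit:
            continue
        when = datetime.strptime(stamp.group(0), "%Y-%m-%dT%H:%M:%S.%f")
        times = seen[hit.group("host")]
        times.append(when)
        if sum(1 for t in times if when - t <= window) >= maxretry:
            banned.add(hit.group("host"))
    return sorted(banned)

if __name__ == "__main__":
    print("page failregex:", would_ban(PAGE_RE, SAMPLE))
    print("port-tolerant :", would_ban(PORT_RE, SAMPLE))
```

On the host itself, `fail2ban-regex systemd-journal` followed by the path to the filter file runs the real filter against the journal and reports how many lines matched.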