On 25 January 2017 at 12:03, Patrick PICHON <patr...@pichon.me> wrote:
> Hello,
>
> In addition:
> [DEFAULT]
> destemail = supp...@pipiche.net
> banaction = iptables-multiport
>
> Thanks for responding. I did what you recommended and still no action taken:
>
> [sshd-ddos]
> enabled = true
> port = 23,20022
> maxretry=2
> findtime = 600
> bantime = 600
>
> Hereafter are the logs:
>
> 2017-01-25 12:59:38,716 fail2ban.action [30982]: DEBUG iptables -w -N f2b-sshd-ddos
> iptables -w -A f2b-sshd-ddos -j RETURN
> iptables -w -I INPUT -p tcp -m multiport --dports 23,20022 -j f2b-sshd-ddos -- stderr: b''
> 2017-01-25 12:59:38,716 fail2ban.action [30982]: DEBUG iptables -w -N f2b-sshd-ddos
> iptables -w -A f2b-sshd-ddos -j RETURN
> iptables -w -I INPUT -p tcp -m multiport --dports 23,20022 -j f2b-sshd-ddos -- returned successfully
> 2017-01-25 12:59:44,863 fail2ban.filtersystemd [30982]: DEBUG Read systemd journal entry: '2017-01-25T12:59:44.559610pitchoun.pipiche.net sshd[30989]: Did not receive identification string from 15.203.163.254 port 58130'
> 2017-01-25 12:59:48,871 fail2ban.filtersystemd [30982]: DEBUG Read systemd journal entry: '2017-01-25T12:59:48.818770pitchoun.pipiche.net sshd[30993]: Did not receive identification string from 15.203.163.254 port 58132'
> 2017-01-25 12:59:52,114 fail2ban.filtersystemd [30982]: DEBUG Read systemd journal entry: '2017-01-25T12:59:51.730913pitchoun.pipiche.net sshd[30997]: Did not receive identification string from 15.203.163.254 port 58134'
> 2017-01-25 12:59:55,123 fail2ban.filtersystemd [30982]: DEBUG Read systemd journal entry: '2017-01-25T12:59:54.987220pitchoun.pipiche.net sshd[31001]: Did not receive identification string from 15.203.163.254 port 58136'
> 2017-01-25 12:59:58,370 fail2ban.filtersystemd [30982]: DEBUG Read systemd journal entry: '2017-01-25T12:59:58.323035pitchoun.pipiche.net sshd[31005]: Did not receive identification string from 15.203.163.254 port 58138'
> 2017-01-25 13:00:01,613 fail2ban.filtersystemd [30982]: DEBUG Read systemd journal entry: '2017-01-25T13:00:01.242494pitchoun.pipiche.net sshd[31009]: Did not receive identification string from 15.203.163.254 port 58140'
> 2017-01-25 13:00:05,112 fail2ban.filtersystemd [30982]: DEBUG Read systemd journal entry: '2017-01-25T13:00:04.747112pitchoun.pipiche.net sshd[31029]: Did not receive identification string from 15.203.163.254 port 58142'
> 2017-01-25 13:00:08,363 fail2ban.filtersystemd [30982]: DEBUG Read systemd journal entry: '2017-01-25T13:00:07.992217pitchoun.pipiche.net sshd[31035]: Did not receive identification string from 15.203.163.254 port 58144'
>
> On 2017-01-25 12:51, Dominic Raferd wrote:
>>
>> My initial reaction was that the default maxretry setting is 5, and the extract you have shown does not show five offences by any single IP. Could this be the reason? If you want to reduce the maxretry setting for this jail, put an extra line in /etc/fail2ban/jail.d/sshd-ddos.conf like: 'maxretry=2'.
>>
>> But on reflection I think it is more likely your problem is the one reported here: https://github.com/fail2ban/fail2ban/issues/1341 - in which case the solution is probably to rebuild fail2ban (0.9 or 0.10) from the latest at https://github.com/fail2ban/fail2ban.
So your options are:

1. Make the log source explicit and simpler, e.g. in your /etc/fail2ban/jail.d/sshd-ddos.conf: logpath = /var/log/messages - set to wherever your sshd log messages are filed.
2. If 1 doesn't work, you might also need to comment out the journalmatch line in /etc/fail2ban/filter.d/sshd-ddos (but probably not).
3. If 1 & 2 don't work, then remove the logpath line from sshd-ddos.conf, and in your filter file try setting journalmatch = [your explicit ssh log file].
4. If all else fails, rebuild fail2ban from the git source.

I'm not a fail2ban expert BTW, so these are (I hope intelligent) guesses.

_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
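Before rebuilding anything, a defender can verify two things offline: whether the jail's failregex actually matches the journal lines fail2ban is reading, and whether the maxretry=2 / findtime=600 threshold would then be reached. The script below is an added example, not code from fail2ban or from anyone in this thread; the two regexes are assumptions written for illustration (a strictly end-anchored pattern, and the same pattern tolerating the "port NNNN" suffix seen in the quoted entries), and the sample lines are constructed from the eight entries quoted above.

```python
import re
from datetime import datetime

# Constructed sample: the eight sshd journal entries quoted in the thread,
# in the fused "<timestamp><host> sshd[pid]: ..." form fail2ban logged them.
HOST = "pitchoun.pipiche.net"
SAMPLE_LINES = [
    f"2017-01-25T{t}{HOST} sshd[{pid}]: Did not receive identification string "
    f"from 15.203.163.254 port {port}"
    for t, pid, port in [
        ("12:59:44.559610", 30989, 58130), ("12:59:48.818770", 30993, 58132),
        ("12:59:51.730913", 30997, 58134), ("12:59:54.987220", 31001, 58136),
        ("12:59:58.323035", 31005, 58138), ("13:00:01.242494", 31009, 58140),
        ("13:00:04.747112", 31029, 58142), ("13:00:07.992217", 31035, 58144),
    ]
]

TS_RE = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d\.\d+)")
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
MSG = r"sshd\[\d+\]: Did not receive identification string from " + HOST_RE

# Assumption: an end-anchored failregex that expects nothing after the address.
STRICT_RE = re.compile(MSG + r"\s*$")
# Same pattern, but tolerating the trailing "port NNNN" present in the journal lines.
PORT_AWARE_RE = re.compile(MSG + r"(?: port \d+)?\s*$")


def matches(lines, failregex):
    """Return (timestamp, host) for every line the failregex matches."""
    hits = []
    for line in lines:
        m_ts, m = TS_RE.match(line), failregex.search(line)
        if m_ts and m:
            hits.append((datetime.fromisoformat(m_ts.group(1)), m.group("host")))
    return hits


def would_ban(hits, maxretry, findtime):
    """Hosts whose failure count within any findtime-second window reaches maxretry."""
    banned, per_host = set(), {}
    for ts, host in sorted(hits):
        window = per_host.get(host, []) + [ts]
        # keep only failures no older than findtime relative to the newest one
        per_host[host] = [t for t in window if (ts - t).total_seconds() <= findtime]
        if len(per_host[host]) >= maxretry:
            banned.add(host)
    return banned


if __name__ == "__main__":
    for name, rx in (("strict", STRICT_RE), ("port-aware", PORT_AWARE_RE)):
        hits = matches(SAMPLE_LINES, rx)
        print(f"{name}: {len(hits)} matches, ban {would_ban(hits, 2, 600)}")
```

If the strict pattern yields zero matches while the port-aware one bans the address, the jail's regex rather than maxretry or findtime is what to inspect (fail2ban-regex can run the same comparison against the live filter file).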