# Fail2ban is failing to ban! [SOLVED]

## Richy

Hey there,

I noticed a lot of those brute-force SSH attacks lately, did some research and found out about fail2ban to get rid of them.

However, I can't get it to work.

I followed "http://gentoo-wiki.com/HOWTO_fail2ban"

```
Mercur richy # ps -ef|grep fail2ban
root      8633     1  0 22:47 ?        00:00:00 /usr/bin/python /usr/bin/fail2ban-server -b -s /tmp/fail2ban.sock
root     10162     1  0 23:12 ?        00:00:00 /usr/bin/python /usr/bin/fail2ban-server -b -s /tmp/fail2ban.sock
root     10229 10214  0 23:13 pts/0    00:00:00 grep --colour=auto fail2ban
```

```
iptables --list |grep fail2ban
fail2ban-SSH  tcp  --  anywhere             anywhere            tcp dpt:ssh 
fail2ban-SSH  tcp  --  anywhere             anywhere            tcp dpt:ssh 
fail2ban-SSH  tcp  --  anywhere             anywhere            tcp dpt:ssh 
Chain fail2ban-SSH (3 references)
```

```
tail /var/log/fail2ban.log
2008-02-26 23:12:37,264 fail2ban.actions.action: INFO   Set actionStop = echo -en "Hi,\n
The jail <name> has been stopped.\n
Regards,\n
Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped" <dest>
2008-02-26 23:12:37,265 fail2ban.actions.action: INFO   Set actionStart = echo -en "Hi,\n
The jail <name> has been started successfuly.\n
Regards,\n
Fail2Ban"|mail -s "[Fail2Ban] <name>: started" <dest>
2008-02-26 23:12:37,266 fail2ban.actions.action: INFO   Set actionUnban = 
2008-02-26 23:12:37,267 fail2ban.actions.action: INFO   Set actionCheck = 
```

So it seems to work, however:

```
Feb 26 12:26:38 Mercur sshd[14817]: Failed password for root from 58.137.38.194 port 41504 ssh2
Feb 26 12:26:41 Mercur sshd[14823]: Failed password for root from 58.137.38.194 port 41537 ssh2
Feb 26 12:26:44 Mercur sshd[14829]: Failed password for root from 58.137.38.194 port 41569 ssh2
Feb 26 12:26:47 Mercur sshd[14835]: Failed password for root from 58.137.38.194 port 41598 ssh2
Feb 26 12:26:50 Mercur sshd[14841]: Failed password for root from 58.137.38.194 port 41631 ssh2
Feb 26 12:26:53 Mercur sshd[14847]: Failed password for root from 58.137.38.194 port 41659 ssh2
Feb 26 12:26:56 Mercur sshd[14853]: Failed password for root from 58.137.38.194 port 41692 ssh2
Feb 26 12:26:59 Mercur sshd[14859]: Failed password for root from 58.137.38.194 port 41722 ssh2
Feb 26 12:27:02 Mercur sshd[14865]: Failed password for root from 58.137.38.194 port 41754 ssh2
Feb 26 12:27:10 Mercur sshd[14871]: Failed password for root from 58.137.38.194 port 41785 ssh2
Feb 26 12:27:15 Mercur sshd[14877]: Failed password for root from 58.137.38.194 port 41874 ssh2
Feb 26 12:27:17 Mercur sshd[14883]: Failed password for root from 58.137.38.194 port 41901 ssh2
Feb 26 12:27:20 Mercur sshd[14889]: Failed password for root from 58.137.38.194 port 41926 ssh2
Feb 26 12:27:23 Mercur sshd[14895]: Failed password for root from 58.137.38.194 port 41952 ssh2
Feb 26 12:27:26 Mercur sshd[14901]: Failed password for root from 58.137.38.194 port 41968 ssh2
Feb 26 12:27:29 Mercur sshd[14907]: Failed password for root from 58.137.38.194 port 41985 ssh2
Feb 26 12:27:32 Mercur sshd[14913]: Failed password for root from 58.137.38.194 port 41999 ssh2
Feb 26 12:27:39 Mercur sshd[14919]: Failed password for root from 58.137.38.194 port 42018 ssh2
Feb 26 12:27:42 Mercur sshd[14925]: Failed password for root from 58.137.38.194 port 42057 ssh2
Feb 26 12:27:48 Mercur sshd[14931]: Failed password for root from 58.137.38.194 port 42070 ssh2
Feb 26 12:27:51 Mercur sshd[14937]: Failed password for root from 58.137.38.194 port 42093 ssh2
```

What could be the problem?

Thanks a lot

Richy

Last edited by Richy on Wed Feb 27, 2008 9:06 am; edited 1 time in total

----------

## ksp7498

Honestly, the easiest way to avoid the vast majority of SSH attacks like that is just to run your SSH daemon on another port. You can pick the port in /etc/ssh/sshd_config; pick anything other than 22 and you should see a huge improvement.

----------

## Richy

Hey ksp7498,

I changed the port and hope to see improvements :)

Would be still nice to know, why banning isn't working.

Thanks a lot

Richy

----------

## Cyker

It depends on how fail2ban works.

If it uses iptables to ban stuff, you'll need to have a complete iptables setup working before you can use it.

If it uses tcpwrappers/hosts.deny, then you'll need to have openssh compiled with tcpwrappers support (USE=tcpd) for it to work.

----------

## schachti

Did you set the correct logpath in the [ssh-iptables] section of /etc/fail2ban/jail.conf?

For example, if you have logpath = /var/log/everything/current there, what's the output of

```
fail2ban-regex /var/log/everything/current /etc/fail2ban/filter.d/sshd.conf
```

----------

## Richy

Morning Schachti,

I did set the correct logpath in jail.conf (as pointed out in the howto).

However, the problem seems to be that fail2ban does not recognize the attacks.

```
fail2ban-regex /var/log/messages /etc/fail2ban/filter.d/sshd.conf

Running tests
=============
Use regex file : /etc/fail2ban/filter.d/sshd.conf
Use log file   : /var/log/messages

Results
=======
Failregex:
[1] Authentication failure for .* from <HOST>$
[2] Failed [-/\w]+ for .* from <HOST>$
[3] ROOT LOGIN REFUSED .* FROM <HOST>$
[4] [iI](?:llegal|nvalid) user .* from <HOST>$

Number of matches:
[1] 0 match(es)
[2] 0 match(es)
[3] 0 match(es)
[4] 0 match(es)

Sorry, no match
```

```
cat /var/log/messages | grep ssh2
...
Feb 26 12:27:42 Mercur sshd[14925]: Failed password for root from 58.137.38.194 port 42057 ssh2
...
```

I thought that this type of attack is covered by rule No. 2 ([2] Failed [-/\w]+ for .* from <HOST>$)

----------

## think4urs11

*Richy wrote:*

> ```
> [2] Failed [-/\w]+ for .* from <HOST>$
> ```
> ...

If the regex really ends with the '$' sign then it cannot match (as the line is '...<HOST> port 42057 ssh2$'). Check the config file /etc/fail2ban/filter.d/sshd.conf and remove this $ to see if it works.
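
The anchoring problem described in this reply, shown as an added Python example that is not code from the thread or from fail2ban itself: it expands the `<HOST>` tag in a failregex roughly the way fail2ban does (the exact substitution pattern and the `maxretry` threshold of 5 are assumptions here, not fail2ban's own source), runs the anchored and un-anchored forms of rule [2] over constructed log lines shaped like the ones Richy posted, and counts failures per source address, so you can see why the `$` version never bans anything while the fixed one does.

```python
import re
from collections import Counter

# Constructed sample lines in the same shape as the sshd lines posted in the
# thread (addresses and PIDs are illustrative, not real captures).
SAMPLE_LOG = """\
Feb 26 12:26:38 Mercur sshd[14817]: Failed password for root from 58.137.38.194 port 41504 ssh2
Feb 26 12:26:41 Mercur sshd[14823]: Failed password for root from 58.137.38.194 port 41537 ssh2
Feb 26 12:26:44 Mercur sshd[14829]: Failed password for root from 58.137.38.194 port 41569 ssh2
Feb 26 12:26:47 Mercur sshd[14835]: Failed password for root from 58.137.38.194 port 41598 ssh2
Feb 26 12:26:50 Mercur sshd[14841]: Failed password for root from 58.137.38.194 port 41631 ssh2
Feb 26 19:21:21 Mercur sshd[15001]: Failed password for root from 217.237.69.237 port 50012 ssh2
Feb 26 19:21:28 Mercur sshd[15007]: Failed password for invalid user test from 217.237.69.237 port 50020 ssh2
Feb 26 19:30:00 Mercur sshd[15100]: Accepted publickey for richy from 192.0.2.10 port 51000 ssh2
"""

# Rule [2] exactly as fail2ban-regex printed it in the thread: anchored to end of line.
BROKEN_FAILREGEX = r"Failed [-/\w]+ for .* from <HOST>$"
# The same rule with the '$' removed, as suggested in the reply above.
FIXED_FAILREGEX = r"Failed [-/\w]+ for .* from <HOST>"

# Assumed stand-in for fail2ban's <HOST> expansion: a named group that matches an
# IPv4/IPv6 literal or a hostname and stops at whitespace.
HOST_GROUP = r"(?P<host>[\w\-.:]+)"


def compile_failregex(failregex: str) -> "re.Pattern[str]":
    """Turn a fail2ban-style failregex into a Python regex by expanding <HOST>."""
    return re.compile(failregex.replace("<HOST>", HOST_GROUP))


def count_failures(log_text: str, failregex: str) -> Counter:
    """Count lines matched by the failregex, keyed by the captured <HOST>.

    This mirrors what a jail's filter does: only lines that match contribute
    to a host's failure count, so a regex that never matches counts nothing.
    """
    pattern = compile_failregex(failregex)
    hits: Counter = Counter()
    for line in log_text.splitlines():
        m = pattern.search(line)
        if m:
            hits[m.group("host")] += 1
    return hits


def hosts_to_ban(log_text: str, failregex: str, maxretry: int = 5) -> list:
    """Hosts whose failure count reaches maxretry (findtime window ignored here)."""
    hits = count_failures(log_text, failregex)
    return sorted(host for host, n in hits.items() if n >= maxretry)


if __name__ == "__main__":
    for label, rx in (("anchored", BROKEN_FAILREGEX), ("fixed", FIXED_FAILREGEX)):
        print(f"{label:8s} matches per host: {dict(count_failures(SAMPLE_LOG, rx))}")
        print(f"{label:8s} would ban:        {hosts_to_ban(SAMPLE_LOG, rx)}")
```

With the anchored pattern the `<HOST>` group has to be followed immediately by end of line, but sshd appends ` port N ssh2`, so every line is rejected and the per-host counter stays empty; without the `$` the same lines are counted and the address with five failures crosses the threshold. The practical habit this illustrates is the one schachti pointed at: run `fail2ban-regex` against real log lines whenever you change a filter, because a pattern that never matches fails silently and the jail looks healthy in `iptables --list`.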

----------

## Richy

That's it!

Thanks a million everyone 

Richy

```
fail2ban-regex /var/log/messages /etc/fail2ban/filter.d/sshd.conf
...
    58.137.38.194 (Tue Feb 26 12:27:48 2008)
    58.137.38.194 (Tue Feb 26 12:27:51 2008)
    217.237.69.237 (Tue Feb 26 19:21:21 2008)
    217.237.69.237 (Tue Feb 26 19:21:28 2008)
[3]
[4]

Date template hits:
263 hit: Month Day Hour:Minute:Second
0 hit: Weekday Month Day Hour:Minute:Second Year
0 hit: Weekday Month Day Hour:Minute:Second
0 hit: Year/Month/Day Hour:Minute:Second
0 hit: Day/Month/Year:Hour:Minute:Second
0 hit: Year-Month-Day Hour:Minute:Second
0 hit: TAI64N
0 hit: Epoch

Success, the total number of match is 263
```

----------

## muhsinzubeir

*ksp7498 wrote:*

> Honestly, the easiest way to avoid the vast majority of SSH attacks like that is just to run your SSH daemon on another port. You can pick the port in /etc/ssh/sshd_config; pick anything other than 22 and you should see a huge improvement.

Thanks for the idea... my logs were really messed up with port 22; now it's quiet like the darkest night :D

----------

