
List:       fail2ban-users
Subject:    Re: [Fail2ban-users] Fail2Ban doesn't seem to be working?
From:       Yaroslav Halchenko <lists () onerussian ! com>
Date:       2014-05-07 13:45:33
Message-ID: 20140507134533.GM8748 () onerussian ! com

1. Make sure that you still have a jump from the INPUT chain to fail2ban-ssh,
   and that it is before any ACCEPT rule ;)

2. Zero out the hit counters (iptables -Z), and then, whenever such an attempt
   gets through again, check whether the count was increased (then it is a
   mystery how it got through) or not (somehow mismatched).

On Wed, 07 May 2014, r fancher wrote:

>    iptables -L -n -v | grep "220.177.198"
>      22   880 DROP       all  --  *      *       220.177.198.0/24     0.0.0.0/0
>     527 31984 REJECT     all  --  *      *       220.177.198.31       0.0.0.0/0            reject-with icmp-port-unreachable
>      16  1044 REJECT     all  --  *      *       220.177.198.33       0.0.0.0/0            reject-with icmp-port-unreachable
>       0     0 REJECT     all  --  *      *       220.177.198.0/24     0.0.0.0/0            reject-with icmp-port-unreachable

>    Ok, maybe the word "global" was the wrong word. I banned the whole subnet
>    rather than one address.

>    >Not sure what "global ban" is (and thus how it was "put"), thus
>    >-- first check whether you have those rules in your iptables

>    >iptables -L -n -v

>    On Sun, 04 May 2014, r fancher wrote:

>    >    A month ago this "person" made several attempts at accessing my site, so I
>    >    put in a global ban:

>    >    -A fail2ban-ssh -s 220.177.198.0/24 -j REJECT --reject-with icmp-port-unreachable

>    >    But today I saw the following, which is concerning me that fail2ban isn't
>    >    actually working:

>    >    May  2 11:56:57 pcname sshd[21105]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=220.177.198.33  user=root
>    >    May  2 11:56:59 pcname sshd[21105]: Failed password for root from 220.177.198.33 port 41260 ssh2
>    >    May  2 11:56:59 pcname sshd[21105]: Received disconnect from 220.177.198.33: 11: Bye Bye [preauth]
>    >    May  2 19:23:27 pcname sshd[24226]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=220.177.198.31  user=root
>    >    2014-05-02 11:57:00,026 fail2ban.actions: WARNING [ssh] Ban 220.177.198.33
>    >    2014-05-02 19:23:29,510 fail2ban.actions: WARNING [ssh] Ban 220.177.198.31

>    >    I have the standard defaults in my conf file:

>    >    [ssh]
>    >    enabled  = true
>    >    port     = ssh
>    >    filter   = sshd
>    >    logpath  = /var/log/auth.log
>    >    maxretry = 1

>    >    I have also seen various other IPs banned yet still give the result logs
>    >    as if they were met with a user/pass challenge.

>    >    These were already in place before I put in the global ban:

>    >    -A fail2ban-ssh -s 220.177.198.31/32 -j REJECT --reject-with icmp-port-unreachable
>    >    -A fail2ban-ssh -s 220.177.198.33/32 -j REJECT --reject-with icmp-port-unreachable

>    >    Even without the global ban they used the same IPs and were still met with
>    >    the ssh challenge, why is that? I know it works because I have banned
>    >    myself on several occasions, so why am I still seeing this in the logs?


-- 
Yaroslav O. Halchenko, Ph.D.
http://neuro.debian.net http://www.pymvpa.org http://www.fail2ban.org
Research Scientist,            Psychological and Brain Sciences Dept.
Dartmouth College, 419 Moore Hall, Hinman Box 6207, Hanover, NH 03755
Phone: +1 (603) 646-9834                       Fax: +1 (603) 646-1419
WWW:   http://www.linkedin.com/in/yarik        

_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
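Editor's added example, not code from the thread or from fail2ban itself: the two checks in Yaroslav's reply as POSIX shell functions that read captured iptables output, so they can be tried offline before being run as root on the real box. check_jump_order reads "iptables -S INPUT" and reports whether the jump to the fail2ban chain exists and comes before any ACCEPT rule; rule_hits reads "iptables -L fail2ban-ssh -n -v -x" and, for one attacker address, lists every rule whose source covers it (host or CIDR) together with its packet counter, so that after "iptables -Z" you can tell whether the next logged attempt was counted by a ban rule or never reached the chain. The function names and the rule listings are constructed for this example; the chain listing mirrors the counters posted in the thread.

```shell
#!/bin/sh
# Added example; not from the thread or from fail2ban. Implements the two checks
# from the reply above over captured iptables output. All listings below are
# constructed samples (the chain one mirrors the counters posted in the thread).

# check_jump_order CHAIN  < output of `iptables -S INPUT` (or full `iptables -S`)
# Prints "ok", "missing" (no -j CHAIN in INPUT) or "after-accept" (an ACCEPT
# rule precedes the jump, so traffic it matches never reaches CHAIN).
# Exit status is 0, 1 or 2 respectively.
check_jump_order() {
  awk -v chain="$1" '
    $1 == "-A" && $2 == "INPUT" {
      n++; target = ""
      for (i = 3; i <= NF; i++)
        if ($i == "-j" || $i == "-g") { target = $(i + 1); break }
      if (target == chain && !jump) jump = n
      if (target == "ACCEPT" && !accept) accept = n
    }
    END {
      if (!jump) { print "missing"; exit 1 }
      if (accept && accept < jump) { print "after-accept"; exit 2 }
      print "ok"
    }'
}

# rule_hits IP  < output of `iptables -L fail2ban-ssh -n -v -x`
# Run `iptables -Z fail2ban-ssh` first so the counters start from zero; -x keeps
# them exact instead of abbreviated ("31K"), which the numeric match below needs.
# Prints "<pkts> <target> <source>" for every rule whose source covers IP, then
# "total <pkts>". A fresh sshd failure from IP with total 0 means its packets
# never reached this chain; a nonzero total means a rule here did see them.
rule_hits() {
  awk -v ip="$1" '
    function ip2int(s,   o) {
      split(s, o, ".")
      return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    # true when ip lies inside src, written "a.b.c.d" or "a.b.c.d/bits"
    function covers(src,   p, bits, shift) {
      bits = (split(src, p, "/") > 1) ? p[2] + 0 : 32
      shift = 2 ^ (32 - bits)
      return int(ip2int(p[1]) / shift) == int(ip2int(ip) / shift)
    }
    # rule rows start with the packet counter; field 8 is the source column
    $1 ~ "^[0-9]+$" && $8 ~ "^[0-9.]+(/[0-9]+)?$" && covers($8) {
      print $1, $3, $8
      total += $1
    }
    END { print "total", total + 0 }'
}

# Constructed `iptables -S INPUT` listings: jump first, and jump after ACCEPTs.
INPUT_OK='-P INPUT ACCEPT
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'
INPUT_LATE='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh'

# Constructed `iptables -L fail2ban-ssh -n -v -x` listing.
CHAIN_SAMPLE='Chain fail2ban-ssh (1 references)
    pkts      bytes target     prot opt in     out     source               destination
      22        880 DROP       all  --  *      *       220.177.198.0/24     0.0.0.0/0
     527      31984 REJECT     all  --  *      *       220.177.198.31       0.0.0.0/0            reject-with icmp-port-unreachable
      16       1044 REJECT     all  --  *      *       220.177.198.33       0.0.0.0/0            reject-with icmp-port-unreachable
       0          0 REJECT     all  --  *      *       220.177.198.0/24     0.0.0.0/0            reject-with icmp-port-unreachable
       0          0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0'

echo "jump order (good ruleset):  $(printf '%s\n' "$INPUT_OK"   | check_jump_order fail2ban-ssh)"
echo "jump order (jump too late): $(printf '%s\n' "$INPUT_LATE" | check_jump_order fail2ban-ssh)"
echo "rules covering 220.177.198.33:"
printf '%s\n' "$CHAIN_SAMPLE" | rule_hits 220.177.198.33
```

On a live host the same functions are fed from the commands named in their comments: "iptables -S INPUT | check_jump_order fail2ban-ssh", then "iptables -Z fail2ban-ssh", wait for the next sshd failure from the address, and "iptables -L fail2ban-ssh -n -v -x | rule_hits 220.177.198.33". A total of 0 next to a fresh auth.log line means the packets bypass the chain (jump missing, or placed after an ACCEPT for port 22); a nonzero total means the ban rule did fire and the log line needs its timestamp compared against the ban time. One caveat on the first check: an ACCEPT for --state RELATED,ESTABLISHED ahead of the jump is reported as "after-accept" by this literal reading of the advice, but it is harmless for a fresh SSH connection, whose first packet is NEW; an ACCEPT for port 22 ahead of the jump is the case that actually lets the attempt through.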
