List: fail2ban-users
Subject: Re: [Fail2ban-users] Fail2Ban doesn't seem to be working?
From: Yaroslav Halchenko <lists () onerussian ! com>
Date: 2014-05-07 13:45:33
Message-ID: 20140507134533.GM8748 () onerussian ! com
1. make sure that you still have a jump from INPUT chain to fail2ban-ssh
and it is before any ACCEPT rule ;)
2. zero out hits (iptables -Z) and then whenever again such attempt gets
through check if count was increased (mystery how then it got
through) or not (somehow mismatched)

On Wed, 07 May 2014, r fancher wrote:
> iptables -L -n -v | grep "220.177.198"
> 22 880 DROP all -- * * 220.177.198.0/24 0.0.0.0/0
> 527 31984 REJECT all -- * * 220.177.198.31 0.0.0.0/0 reject-with icmp-port-unreachable
> 16 1044 REJECT all -- * * 220.177.198.33 0.0.0.0/0 reject-with icmp-port-unreachable
> 0 0 REJECT all -- * * 220.177.198.0/24 0.0.0.0/0 reject-with icmp-port-unreachable
> Ok maybe the word global was the wrong word. I banned the whole subnet
> rather than 1.
> > not sure what is "global ban" is (and thus how it was "put"), thus
> > -- first check either you have those rules in your iptables
> > iptables -L -n -v
> On Sun, 04 May 2014, r fancher wrote:
> > A month ago this "person" made several attempts at accessing my site so I
> > put in a global ban:
> > -A fail2ban-ssh -s 220.177.198.0/24 -j REJECT --reject-with icmp-port-unreachable
> > But today I saw the following which is concerning me that fail2ban isn't
> > actually working:
> > May  2 11:56:57 pcname sshd[21105]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=220.177.198.33  user=root
> > May  2 11:56:59 pcname sshd[21105]: Failed password for root from 220.177.198.33 port 41260 ssh2
> > May  2 11:56:59 pcname sshd[21105]: Received disconnect from 220.177.198.33: 11: Bye Bye [preauth]
> > May  2 19:23:27 pcname sshd[24226]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=220.177.198.31  user=root
> > 2014-05-02 11:57:00,026 fail2ban.actions: WARNING [ssh] Ban 220.177.198.33
> > 2014-05-02 19:23:29,510 fail2ban.actions: WARNING [ssh] Ban 220.177.198.31
> > I have the standard defaults in my conf file:
> > [ssh]
> > enabled  = true
> > port     = ssh
> > filter   = sshd
> > logpath  = /var/log/auth.log
> > maxretry = 1
> > I have also seen various other ip's banned yet still give the result logs
> > as if they were met with a user/pass challenge.
> > These were already in place before I put in a global ban:
> > -A fail2ban-ssh -s 220.177.198.31/32 -j REJECT --reject-with icmp-port-unreachable
> > -A fail2ban-ssh -s 220.177.198.33/32 -j REJECT --reject-with icmp-port-unreachable
> > Even without the global ban they used the same IP’s and still was met with
> > the ssh challenge, why is that? I know it works because I have banned
> > myself on several occasions, so why am I still seeing this in the logs?
--
Yaroslav O. Halchenko, Ph.D.
http://neuro.debian.net http://www.pymvpa.org http://www.fail2ban.org
Research Scientist, Psychological and Brain Sciences Dept.
Dartmouth College, 419 Moore Hall, Hinman Box 6207, Hanover, NH 03755
Phone: +1 (603) 646-9834 Fax: +1 (603) 646-1419
WWW: http://www.linkedin.com/in/yarik
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
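
The first check in the reply above (the jump from INPUT to fail2ban-ssh exists and sits ahead of any ACCEPT rule), written as a small Python audit over `iptables -S` output. This is an added example, not part of the original message or of fail2ban; the INPUT rules in the sample are constructed, and `parse` and `audit` are hypothetical helper names.

```python
import ipaddress
import shlex

# Constructed sample in `iptables -S` format: only the fail2ban-ssh REJECT
# rules come from the thread, the INPUT rules are made up for illustration.
SAMPLE_RULES = """\
-P INPUT ACCEPT
-N fail2ban-ssh
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A fail2ban-ssh -s 220.177.198.31/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ssh -s 220.177.198.33/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ssh -s 220.177.198.0/24 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ssh -j RETURN
"""

def parse(rules_text):
    """Return {chain: [(source or None, target or None, raw line), ...]} in order."""
    chains = {}
    for line in rules_text.splitlines():
        tok = shlex.split(line)
        if len(tok) < 2 or tok[0] != "-A":
            continue
        # Assumption: negated matches ("! -s") are not handled in this sketch.
        src = tok[tok.index("-s") + 1] if "-s" in tok else None
        target = tok[tok.index("-j") + 1] if "-j" in tok else None
        chains.setdefault(tok[1], []).append((src, target, line))
    return chains

def audit(rules_text, ip, ban_chain="fail2ban-ssh"):
    """Report whether INPUT jumps to ban_chain, what ACCEPTs precede it, and which ban rules cover ip."""
    chains = parse(rules_text)
    addr = ipaddress.ip_address(ip)
    input_rules = chains.get("INPUT", [])
    jump_at = next((i for i, r in enumerate(input_rules) if r[1] == ban_chain), None)
    upto = len(input_rules) if jump_at is None else jump_at
    accepts_before = [r[2] for r in input_rules[:upto] if r[1] == "ACCEPT"]
    banned_by = [r[2] for r in chains.get(ban_chain, [])
                 if r[0] and r[1] in ("REJECT", "DROP")
                 and addr in ipaddress.ip_network(r[0], strict=False)]
    return {"jump_present": jump_at is not None,
            "accepts_before_jump": accepts_before,
            "banned_by": banned_by}

if __name__ == "__main__":
    print(audit(SAMPLE_RULES, "220.177.198.33"))
```

On a live host, feed it the output of `iptables -S`; ACCEPT rules listed ahead of the jump are candidates to review, since one that matches new SSH connections is evaluated before the ban chain is ever reached.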