fail2ban doesn't ban IPs
Posted by mixmox, 12-24-2015, 01:13 PM |
Hey
It can detect the ssh BFD attack by running:
fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/sshd.conf,
but the IP doesn't get banned by iptables; it's like fail2ban can detect but can't take action.
PS: no changes were applied to the jail or action, I just installed fail2ban and set ssh to "true" in jail.conf
Running tests
=============
Use failregex file : /etc/fail2ban/filter.d/sshd.conf
Use log file : /var/log/secure
Results
=======
Failregex: 3 total
|- #) [# of hits] regular expression
| 3) [3] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*Failed \S+ for .*? from <HOST>(?: port \d*)?(?: ssh\d*)?(: (ruser .*|(\S+ ID \S+ \(serial \d+\) CA )?\S+ (?:[\da-f]{2}:){15}[\da-f]{2}(, client user ".*", client host ".*")?))?\s*$
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [66] MONTH Day Hour:Minute:Second
`-
Lines: 66 lines, 0 ignored, 3 matched, 63 missed
Missed line(s): too many to print. Use --print-all-missed to print all 63 lines
|
Posted by Srv24x7, 12-25-2015, 10:11 AM |
Hi,
Please check the fail2ban configuration once. There could be some configuration in it that you have missed. Also, take a look at the below link to see if it can be of assistance to you.
mauromascia.com/en/blog/fail2ban-set-permanent-ban-per-ip/
You may also need to add below entries in the iptables (make changes appropriately)
----------------- ----------------- -----------------
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A fail2ban-ssh -j RETURN
----------------- ----------------- -----------------
|
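Added example, not part of the original thread: a check of `iptables -S` output for the `fail2ban-ssh` wiring quoted in the post above, covering the case where fail2ban matches log lines but the chain is missing, never jumped to, or preceded by an ACCEPT for the same port. The function names are hypothetical, the rulesets are constructed samples, and only the `--dport`/`--dports` form of the jump rule is recognised.

```shell
#!/bin/sh
# Added example: audit `iptables -S` output for the fail2ban-ssh wiring.
# Function names are hypothetical; chain and port come from the post above.

# Reads a ruleset on stdin, prints one status word, returns 0 only for "ok".
check_f2b_rules() {
    awk -v chain="${1:-fail2ban-ssh}" -v port="${2:-22}" '
    BEGIN { portre = "--dports? ([0-9:]+,)*" port "(,[0-9:]+)*( |$)" }
    $1 == "-N" && $2 == chain { created = 1 }
    # Rules are evaluated top-down, so only look until the jump is found.
    $1 == "-A" && $2 == "INPUT" && $0 ~ portre && !jump {
        if ($(NF-1) == "-j" && $NF == chain)         jump = NR
        else if ($(NF-1) == "-j" && $NF == "ACCEPT") shadow = NR
    }
    END {
        if (!created) { print "no-chain"; exit 1 }  # action never started
        if (!jump)    { print "no-jump";  exit 2 }  # INPUT never reaches chain
        if (shadow)   { print "shadowed"; exit 3 }  # earlier ACCEPT wins
        print "ok"
    }'
}

# Counts per-address ban rules currently sitting in the chain.
count_bans() {
    awk -v chain="${1:-fail2ban-ssh}" '
    $1 == "-A" && $2 == chain && $3 == "-s" { n++ }
    END { print n + 0 }'
}

# Constructed rulesets (203.0.113.7 is a documentation address).
SAMPLE_OK='-P INPUT ACCEPT
-N fail2ban-ssh
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A fail2ban-ssh -s 203.0.113.7/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ssh -j RETURN'
SAMPLE_SHADOWED='-P INPUT ACCEPT
-N fail2ban-ssh
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A fail2ban-ssh -j RETURN'
SAMPLE_NO_JUMP='-P INPUT ACCEPT
-N fail2ban-ssh
-A fail2ban-ssh -j RETURN'

for s in "$SAMPLE_OK" "$SAMPLE_SHADOWED" "$SAMPLE_NO_JUMP"; do
    printf '%s\n' "$s" | check_f2b_rules || true
done
```

On a live host the same functions read `iptables -S | check_f2b_rules` run as root.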
Posted by mixmox, 12-29-2015, 04:41 PM |
TQ,
Can you explain what these commands do?
How can I use csf instead of iptables?
|
Posted by JohnSutton, 12-29-2015, 04:58 PM |
You have to configure jail.conf to look at the correct log file. The default jail.conf file for me didn't look at /var/log/secure I don't think. And I know this may sound stupid but make sure you start fail2ban.
|
Posted by Srv24x7, 01-16-2016, 09:17 AM |
Hi,
Check the below link. It may be helpful for you to understand the exact functioning.
digitalfaq.com/guides/webhosting/install-fail2ban-cpanel-pt2.htm
|