

fail2ban doesn't ban IPs




Posted by mixmox, 12-24-2015, 01:13 PM
Hey, it can detect the SSH BFD attack by running: fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/sshd.conf, but the IP doesn't get banned by iptables; fail2ban can detect but can't take action. PS: no changes were applied in jail or action, I just installed fail2ban and set ssh to "true" in jail.conf.

    Running tests
    =============

    Use failregex file : /etc/fail2ban/filter.d/sshd.conf
    Use log file : /var/log/secure

    Results
    =======

    Failregex: 3 total
    |- #) [# of hits] regular expression
    | 3) [3] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?(??:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*Failed \S+ for .*? from (?: port \d*)?(?: ssh\d*)?(: (ruser .*|(\S+ ID \S+ \(serial \d+\) CA )?\S+ (?:[\da-f]{2}{15}[\da-f]{2}(, client user ".*", client host ".*")?))?\s*$
    `-

    Ignoreregex: 0 total

    Date template hits:
    |- [# of hits] date format
    | [66] MONTH Day Hour:Minute:Second
    `-

    Lines: 66 lines, 0 ignored, 3 matched, 63 missed
    Missed line(s): too many to print. Use --print-all-missed to print all 63 lines

Posted by Srv24x7, 12-25-2015, 10:11 AM
Hi, Please check the fail2ban configuration once. There could be some configuration in it that you have missed. Also, take a look at the below link to see if it can be of assistance to you.

mauromascia.com/en/blog/fail2ban-set-permanent-ban-per-ip/

You may also need to add below entries in the iptables (make changes appropriately)

-----------------
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A fail2ban-ssh -j RETURN
-----------------

Posted by mixmox, 12-29-2015, 04:41 PM
TQ, can you explain what these commands do? How can I use csf instead of iptables?

Posted by JohnSutton, 12-29-2015, 04:58 PM
You have to configure jail.conf to look at the correct log file. The default jail.conf file for me didn't look at /var/log/secure I don't think. And I know this may sound stupid but make sure you start fail2ban.

Posted by Srv24x7, 01-16-2016, 09:17 AM
Hi, Check the below link. It may be helpful for you to understand the exact functioning. digitalfaq.com/guides/webhosting/install-fail2ban-cpanel-pt2.htm
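
Added example, not part of the thread: a Python sketch of the two checks the replies above point at, namely that the jail's logpath covers the log file fail2ban-regex found hits in, and that INPUT actually jumps to the fail2ban-ssh chain. The jail.conf fragment, the `iptables -S` output and the function names are constructed for illustration.

```python
import configparser

# Constructed sample inputs: a jail.conf fragment and `iptables -S` output
# from a host where sshd failures are matched but never banned.
SAMPLE_JAIL = """
[DEFAULT]
maxretry = 3

[ssh]
enabled = true
filter = sshd
logpath = /var/log/auth.log
"""

SAMPLE_RULES = """\
-P INPUT ACCEPT
-N fail2ban-ssh
-A fail2ban-ssh -j RETURN
"""

def check_jail(jail_text, jail, tested_log):
    """Return reasons why `jail` would not act on hits found in tested_log."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(jail_text)
    if not cfg.has_section(jail):
        return [f"jail [{jail}] is not defined"]
    problems = []
    if cfg.get(jail, "enabled", fallback="false").strip().lower() != "true":
        problems.append(f"jail [{jail}] is not enabled")
    # logpath may list several files separated by whitespace or newlines
    paths = cfg.get(jail, "logpath", fallback="").split()
    if tested_log not in paths:
        problems.append(f"logpath {paths} does not include {tested_log}")
    return problems

def check_chain(rules_text, chain):
    """Return reasons why bans inserted into `chain` would have no effect."""
    rules = [line.split() for line in rules_text.splitlines()]
    problems = []
    if ["-N", chain] not in rules:
        problems.append(f"chain {chain} does not exist")
    # A ban only works if some INPUT rule hands packets to the chain.
    if not any(r[:2] == ["-A", "INPUT"] and r[-2:] == ["-j", chain] for r in rules):
        problems.append(f"INPUT never jumps to {chain}")
    return problems

if __name__ == "__main__":
    for issue in check_jail(SAMPLE_JAIL, "ssh", "/var/log/secure") + \
                 check_chain(SAMPLE_RULES, "fail2ban-ssh"):
        print("PROBLEM:", issue)
```

On a live host, feed the functions the contents of the jail configuration and the output of `iptables -S` instead of the constructed samples.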


