fail2ban doesn't block SSH logins with false passwords.

My jail.local:

[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=xxxx@xxxx.de, sender=fail2ban@backupserver.xxxxxxxx.de, sendername="Fail2Ban backupserver"]
logpath  = /var/log/auth.log
maxretry = 3

I tried backend polling, pyinotify, gamin, auto. False logins don't get blocked.

In the fail2ban log I see this:

2014-03-03 13:11:35,926 fail2ban.jail   [9536]: INFO    Jail 'ssh-iptables' started
2014-03-03 13:15:36,982 fail2ban.server [9536]: INFO    Stopping all jails
2014-03-03 13:15:37,211 fail2ban.actions.action[9536]: ERROR   iptables -D INPUT -p tcp --dport ssh -j fail2ban-SSH
iptables -F fail2ban-SSH
iptables -X fail2ban-SSH returned 100
2014-03-03 13:15:37,738 fail2ban.jail   [9536]: INFO    Jail 'ssh-iptables' stopped
2014-03-03 13:15:37,738 fail2ban.server [9536]: INFO    Exiting Fail2ban
2014-03-03 13:16:39,636 fail2ban.server [2422]: INFO    Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.12
2014-03-03 13:16:39,642 fail2ban.jail   [2422]: INFO    Creating new jail 'ssh-iptables'
2014-03-03 13:16:39,642 fail2ban.jail   [2422]: INFO    Jail 'ssh-iptables' uses poller
2014-03-03 13:16:39,720 fail2ban.jail   [2422]: INFO    Initiated 'polling' backend
2014-03-03 13:16:39,727 fail2ban.filter [2422]: INFO    Added logfile = /var/log/auth.log
2014-03-03 13:16:39,728 fail2ban.filter [2422]: INFO    Set maxRetry = 3
2014-03-03 13:16:39,729 fail2ban.filter [2422]: INFO    Set findtime = 600
2014-03-03 13:16:39,730 fail2ban.actions[2422]: INFO    Set banTime = 28800
2014-03-03 13:16:39,776 fail2ban.jail   [2422]: INFO    Jail 'ssh-iptables' started

Nothing gets blocked.
Reproducible: Always

vanilla kernel 3.10.30

emerge --info:

# emerge --info
Portage 2.2.7 (default/linux/amd64/13.0, gcc-4.7.3, glibc-2.17, 3.10.30_weber3.10.30 x86_64)
=================================================================
System uname: Linux-3.10.30_weber3.10.30-x86_64-Intel-R-_Core-TM-_i7-3770_CPU_@_3.40GHz-with-gentoo-2.2
KiB Mem:    16107056 total,  15718220 free
KiB Swap:    2047932 total,   2047932 free
Timestamp of tree: Mon, 03 Mar 2014 06:15:01 +0000
ld GNU ld (GNU Binutils) 2.23.2
app-shells/bash:          4.2_p45
dev-lang/python:          2.7.5-r3, 3.2.5-r3, 3.3.3
dev-util/cmake:           2.8.10.2-r2
dev-util/pkgconfig:       0.28
sys-apps/baselayout:      2.2
sys-apps/openrc:          0.12.4
sys-apps/sandbox:         2.6-r1
sys-devel/autoconf:       2.69
sys-devel/automake:       1.11.6, 1.13.4
sys-devel/binutils:       2.23.2
sys-devel/gcc:            4.7.3-r1
sys-devel/gcc-config:     1.7.3
sys-devel/libtool:        2.4.2
sys-devel/make:           3.82-r4
sys-kernel/linux-headers: 3.9 (virtual/os-headers)
sys-libs/glibc:           2.17
Repositories: gentoo paddymac x-backupserver
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="*"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=core2 -mtune=generic -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-march=core2 -mtune=generic -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch preserve-libs protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LDFLAGS="-Wl,--as-needed"
MAKEOPTS="-j9"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/var/lib/layman/paddymac /usr/portage/local/backupserver"
SYNC="rsync://88.198.52.242/gentoo-portage"
USE="acl amd64 berkdb bzip2 cli cracklib crypt cxx dri fortran gdbm iconv mmx modules multilib ncurses nls nptl openmp pam pcre readline session sse sse2 ssl tcpd unicode zlib"
ABI_X86="64"
ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci"
APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif status unique_id usertrack vhost_alias speling"
APACHE2_MPMS="prefork"
CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author"
CAMERAS="ptp2"
COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog"
ELIBC="glibc"
GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ublox ubx"
INPUT_DEVICES="keyboard mouse evdev"
KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text"
LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer"
OFFICE_IMPLEMENTATION="libreoffice"
PHP_TARGETS="php5-5"
PYTHON_SINGLE_TARGET="python2_7"
PYTHON_TARGETS="python2_7 python3_3"
RUBY_TARGETS="ruby19 ruby18"
USERLAND="GNU"
VIDEO_CARDS="fbdev glint intel mach64 mga nouveau nv r128 radeon savage sis tdfx trident vesa via vmware dummy v4l"
XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON
Then what do you see in /var/log/auth.log?
(In reply to Jeroen Roovers from comment #1)
> Then what do you see in /var/log/auth.log?

A little snippet:

Mar  3 14:45:16 backupserver sshd[3721]: SSH: Server;Ltype: Version;Remote: 87.234.201.xxx-2464;Protocol: 2.0;Client: OpenSSH_5.3
Mar  3 14:45:16 backupserver sshd[3721]: SSH: Server;Ltype: Kex;Remote: 87.234.201.xxx-2464;Enc: aes128-ctr;MAC: hmac-sha2-256;Comp: none [preauth]
Mar  3 14:45:17 backupserver sshd[3721]: SSH: Server;Ltype: Authname;Remote: 87.234.201.xxx-2464;Name: weber [preauth]
Mar  3 14:45:24 backupserver sshd[3727]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=port-87-234-201-xxx.static.qsc.de  user=weber
Mar  3 14:45:26 backupserver sshd[3721]: error: PAM: Authentication failure for weber from port-87-234-201-xxxx.static.qsc.de
Mar  3 14:45:34 backupserver sshd[3721]: Accepted keyboard-interactive/pam for weber from 87.234.201.xxxx port 2464 ssh2
Mar  3 14:45:34 backupserver sshd[3721]: pam_unix(sshd:session): session opened for user weber by (uid=0)
Mar  3 14:45:34 backupserver sshd[3731]: SSH: Server;Ltype: Kex;Remote: 87.234.201.xxxxx2464;Enc: aes128-ctr;MAC: hmac-sha2-256;Comp: none
Mar  3 14:45:41 backupserver su[3740]: Successful su for root by weber
Mar  3 14:45:41 backupserver su[3740]: + /dev/pts/0 weber:root
Mar  3 14:45:41 backupserver su[3740]: pam_unix(su:session): session opened for user root by weber(uid=1000)
Mar  3 14:46:46 backupserver sshd[3749]: SSH: Server;Ltype: Version;Remote: 87.234.201.xxxx-1853;Protocol: 2.0;Client: OpenSSH_5.3
Mar  3 14:46:46 backupserver sshd[3749]: SSH: Server;Ltype: Kex;Remote: 87.234.201.xxx-1853;Enc: aes128-ctr;MAC: hmac-sha2-256;Comp: none [preauth]
Mar  3 14:46:46 backupserver sshd[3749]: SSH: Server;Ltype: Authname;Remote: 87.234.201.xxx-1853;Name: weber [preauth]
Mar  3 14:46:47 backupserver sshd[3754]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=port-87-234-201-xxx.static.qsc.de  user=weber
Mar  3 14:46:49 backupserver sshd[3749]: error: PAM: Authentication failure for weber from port-87-234-201-xxx.static.qsc.de
Mar  3 14:46:50 backupserver sshd[3756]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=port-87-234-201-xxx.static.qsc.de  user=weber
Mar  3 14:46:52 backupserver sshd[3749]: error: PAM: Authentication failure for weber from port-87-234-201-xxx.static.qsc.de
Mar  3 14:46:52 backupserver sshd[3749]: Postponed keyboard-interactive for weber from 87.234.201.xxx port 1853 ssh2 [preauth]
Mar  3 14:46:53 backupserver sshd[3757]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=port-87-234-201-xxx.static.qsc.de  user=weber
Mar  3 14:46:55 backupserver sshd[3749]: error: PAM: Authentication failure for weber from port-87-234-201-xxxx.static.qsc.de
Mar  3 14:46:55 backupserver sshd[3749]: Connection closed by 87.234.201.xxx [preauth]
Some adjustments were made to the filters in 0.8.13 and 0.9.0. Please give either a try and report back.
Today I got a ban mail, so it seems to work now (better). In the log I can see this:

2014-03-30 19:31:21,720 fail2ban.filter [29312]: WARNING Determined IP using DNS Lookup: host11-179-static.88-94-b.business.telecomitalia.it = ['94.88.179.11']
2014-03-30 19:31:21,734 fail2ban.filter [29312]: WARNING Determined IP using DNS Lookup: host11-179-static.88-94-b.business.telecomitalia.it = ['94.88.179.11']
2014-03-30 19:31:21,793 fail2ban.filter [29312]: WARNING Determined IP using DNS Lookup: static.132.82.251.148.clients.your-server.de = ['148.251.82.132']
2014-03-30 19:31:21,825 fail2ban.actions[29312]: WARNING [ssh-iptables] Ban 148.251.82.132
2014-03-30 19:31:21,827 fail2ban.actions.action[29312]: ERROR   iptables -n -L INPUT | grep -q 'fail2ban-SSH[ \t]' returned 100
2014-03-30 19:31:21,827 fail2ban.actions.action[29312]: ERROR   Invariant check failed. Trying to restore a sane environment
2014-03-30 19:31:21,830 fail2ban.actions.action[29312]: ERROR   iptables -D INPUT -p tcp --dport ssh -j fail2ban-SSH
iptables -F fail2ban-SSH
iptables -X fail2ban-SSH returned 100
2014-03-31 01:20:12,240 fail2ban.filter [29312]: WARNING Determined IP using DNS Lookup: huntington.thecoreofit.com = ['66.181.74.157']
2014-03-31 03:31:21,839 fail2ban.actions[29312]: WARNING [ssh-iptables] Unban 148.251.82.132
2014-03-31 03:31:21,844 fail2ban.actions.action[29312]: ERROR   iptables -n -L INPUT | grep -q 'fail2ban-SSH[ \t]' returned 100
2014-03-31 03:31:21,844 fail2ban.actions.action[29312]: ERROR   Invariant check failed. Trying to restore a sane environment
2014-03-31 03:31:21,850 fail2ban.actions.action[29312]: ERROR   iptables -D INPUT -p tcp --dport ssh -j fail2ban-SSH
iptables -F fail2ban-SSH
iptables -X fail2ban-SSH returned 100
2014-03-31 03:31:21,864 fail2ban.actions.action[29312]: ERROR   iptables -D fail2ban-SSH -s 148.251.82.132 -j REJECT --reject-with icmp-port-unreachable returned 100
2014-03-31 04:59:34,230 fail2ban.filter [29312]: WARNING Determined IP using DNS Lookup: huntington.thecoreofit.com = ['66.181.74.157']
2014-03-31 06:02:08,974 fail2ban.filter [29312]: WARNING Determined IP using DNS Lookup: huntington.thecoreofit.com = ['66.181.74.157']
2014-03-31 12:56:55,991 fail2ban.actions[29312]: WARNING [ssh-iptables] Ban 168.63.241.148
2014-03-31 15:33:12,000 fail2ban.filter [29312]: WARNING Determined IP using DNS Lookup: huntington.thecoreofit.com = ['66.181.74.157']
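The auth.log snippet in comment #2 and the "Determined IP using DNS Lookup" warnings in comment #4 together show what the sshd filter has to do: recognise the two PAM failure lines, count them per remote host inside findtime, and notice when the host is a DNS name (sshd was logging the reverse-resolved name, so the filter has nothing to feed iptables until it resolves it). The script below is an added example, not fail2ban's code: it uses simplified failregex-style patterns written for the two line shapes in this thread (fail2ban's real sshd filter is more elaborate), a sliding findtime window with the jail's maxretry=3 / findtime=600, and flags hostnames instead of resolving them so it runs offline. The sample log is constructed: the 14:46 lines are copied from comment #2 (with the poster's xxx redaction left in place), and the 192.0.2.10 lines are invented to show an IP-literal host and a failure that falls outside the window.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Simplified patterns for the two failure lines seen in this thread's auth.log.
# Assumption: these approximate, and do not reproduce, fail2ban's sshd filter.
PAM_ERROR = re.compile(
    r"sshd\[\d+\]: error: PAM: Authentication failure for \S+ from (?P<host>\S+)")
PAM_UNIX = re.compile(
    r"sshd\[\d+\]: pam_unix\(sshd:auth\): authentication failure; .*rhost=(?P<host>\S+)")
# syslog timestamp without a year ("Mar  3 14:46:47"); the year is supplied by the caller
TIMESTAMP = re.compile(r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) ")
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed sample input: comment #2's lines plus two invented 192.0.2.10 lines.
SAMPLE_LOG = """\
Mar  3 14:46:47 backupserver sshd[3754]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=port-87-234-201-xxx.static.qsc.de  user=weber
Mar  3 14:46:49 backupserver sshd[3749]: error: PAM: Authentication failure for weber from port-87-234-201-xxx.static.qsc.de
Mar  3 14:46:50 backupserver sshd[3756]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=port-87-234-201-xxx.static.qsc.de  user=weber
Mar  3 14:46:52 backupserver sshd[3749]: error: PAM: Authentication failure for weber from port-87-234-201-xxx.static.qsc.de
Mar  3 14:46:52 backupserver sshd[3749]: Postponed keyboard-interactive for weber from 87.234.201.xxx port 1853 ssh2 [preauth]
Mar  3 14:46:53 backupserver sshd[3757]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=port-87-234-201-xxx.static.qsc.de  user=weber
Mar  3 14:46:55 backupserver sshd[3749]: error: PAM: Authentication failure for weber from port-87-234-201-xxx.static.qsc.de
Mar  3 14:46:55 backupserver sshd[3749]: Connection closed by 87.234.201.xxx [preauth]
Mar  3 15:10:01 backupserver sshd[4001]: error: PAM: Authentication failure for root from 192.0.2.10
Mar  3 15:10:05 backupserver sshd[4003]: error: PAM: Authentication failure for root from 192.0.2.10
Mar  3 15:30:30 backupserver sshd[4090]: error: PAM: Authentication failure for root from 192.0.2.10
"""


def parse_line(line, year=2014, patterns=(PAM_ERROR,)):
    """Return (timestamp, host) when the line is an sshd auth failure, else None."""
    m = TIMESTAMP.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                           "%Y %b %d %H:%M:%S")
    for pat in patterns:
        hit = pat.search(line)
        if hit:
            return ts, hit["host"]
    return None


def find_bans(lines, maxretry=3, findtime=600, patterns=(PAM_ERROR,)):
    """Sliding-window failure counter, one window per remote host.

    Returns a list of (host, ban_time, needs_dns): needs_dns is True when sshd
    logged a hostname rather than an IP literal, i.e. a DNS lookup would be
    required before the address could be handed to iptables.
    """
    window = defaultdict(deque)
    banned = set()
    bans = []
    for line in lines:
        hit = parse_line(line, patterns=patterns)
        if hit is None:
            continue
        ts, host = hit
        q = window[host]
        q.append(ts)
        # drop failures older than findtime relative to the newest one
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()
        if len(q) >= maxretry and host not in banned:
            banned.add(host)
            bans.append((host, ts, IPV4.match(host) is None))
    return bans


if __name__ == "__main__":
    for host, when, needs_dns in find_bans(SAMPLE_LOG.splitlines()):
        print(f"ban {host} at {when}" + ("  (hostname: DNS lookup needed)" if needs_dns else ""))
```

Two things the run makes visible. With only the `error: PAM:` pattern the qsc.de host is banned at 14:46:55, after its third real failure, while 192.0.2.10 never trips maxretry because its third failure lands outside the 600 second window. Passing `patterns=(PAM_ERROR, PAM_UNIX)` bans the same host at 14:46:50: every password failure in this log produces both a pam_unix line and an error: PAM line, so matching both counts each attempt twice and halves the effective maxretry, which is worth keeping in mind when tuning a jail against logs of this shape. The `returned 100` in the action errors is a separate problem from the filter: the invariant check `iptables -n -L INPUT | grep -q 'fail2ban-SSH[ \t]'` failing means the jump from INPUT into the fail2ban-SSH chain is missing, so a ban that fail2ban reports as done is not actually enforced until the chain is recreated.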
(In reply to Marko Weber Bürgermeister from comment #4)
> Today I got a ban mail, so it seems to work now (better).
> In the log I can see this:

Which version would that be?
(In reply to Jeroen Roovers from comment #5)
> (In reply to Marko Weber Bürgermeister from comment #4)
> > Today I got a ban mail, so it seems to work now (better).
> > In the log I can see this:
>
> Which version would that be?

On Gentoo here it is version 0.8.13.
Arch teams, please test and mark stable:

=net-analyzer/fail2ban-0.8.13

Targeted stable KEYWORDS: amd64 hppa ppc ppc64 x86
Stable for HPPA.
amd64 stable
x86 stable
ppc stable
ppc64 stable. Closing.