
Fail2Ban is banning IPs but they can still attack me what am I doing wrong?

1 vote
2 answers
487 views
I'm currently building my first Linux server using Fedora 36. I activated SSH and realized that bots were trying to connect to my server. After a bit of research, I found fail2ban and installed it. It worked fine, so I thought the problem was solved, but even after a few tries, AND after fail2ban blocks them, they are still attacking. I read that they are using persistent connections. Is there a way to counter that, or do I have a different problem? Here is my setup:
/etc/fail2ban/jail.local:
[DEFAULT]
banaction = iptables-allports

[sshd]
enabled = true
port = all
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = -1

/var/log/auth.log doesn't exist, so I don't know where it gets its data, but it reads something and bans people. Here is /var/log/fail2ban.log, showing someone still being able to attack and not being banned after three tries:
2022-08-19 23:40:18,366 fail2ban.server         : INFO    Reload jail 'sshd'
2022-08-19 23:40:18,367 fail2ban.filter         : INFO      maxLines: 1
2022-08-19 23:40:18,369 fail2ban.filtersystemd  : INFO    [sshd] Added journal match for: '_SYSTEMD_UNIT=sshd.service + _COMM=sshd'
2022-08-19 23:40:18,369 fail2ban.filter         : INFO      maxRetry: 3
2022-08-19 23:40:18,369 fail2ban.filter         : INFO      findtime: 600
2022-08-19 23:40:18,369 fail2ban.actions        : INFO      banTime: -1
2022-08-19 23:40:18,369 fail2ban.filter         : INFO      encoding: UTF-8
2022-08-19 23:40:18,370 fail2ban.server         : INFO    Jail 'sshd' reloaded
2022-08-19 23:40:18,371 fail2ban.server         : INFO    Reload finished.
2022-08-19 23:43:07,478 fail2ban.filter         : INFO    [sshd] Found 79.232.107.204 - 2022-08-19 23:43:07
2022-08-19 23:43:07,480 fail2ban.filter         : INFO    [sshd] Found 79.232.107.204 - 2022-08-19 23:43:07
2022-08-19 23:43:09,228 fail2ban.filter         : INFO    [sshd] Found 79.232.107.204 - 2022-08-19 23:43:08
2022-08-19 23:43:09,229 fail2ban.filter         : INFO    [sshd] Found 79.232.107.204 - 2022-08-19 23:43:08
2022-08-19 23:43:09,350 fail2ban.actions        : NOTICE  [sshd] Ban 79.232.107.204
2022-08-19 23:49:04,030 fail2ban.filter         : INFO    [sshd] Found 1.117.78.189 - 2022-08-19 23:49:03
2022-08-19 23:49:04,030 fail2ban.filter         : INFO    [sshd] Found 1.117.78.189 - 2022-08-19 23:49:03
2022-08-19 23:49:04,031 fail2ban.filter         : INFO    [sshd] Found 1.117.78.189 - 2022-08-19 23:49:03
2022-08-19 23:49:04,031 fail2ban.filter         : INFO    [sshd] Found 1.117.78.189 - 2022-08-19 23:49:03
2022-08-19 23:49:04,032 fail2ban.filter         : INFO    [sshd] Found 1.117.78.189 - 2022-08-19 23:49:03
2022-08-19 23:49:04,032 fail2ban.filter         : INFO    [sshd] Found 1.117.78.189 - 2022-08-19 23:49:03
2022-08-19 23:49:04,032 fail2ban.filter         : INFO    [sshd] Found 1.117.78.189 - 2022-08-19 23:49:03
2022-08-19 23:49:04,033 fail2ban.filter         : INFO    [sshd] Found 1.117.78.189 - 2022-08-19 23:49:03
2022-08-19 23:49:04,353 fail2ban.actions        : NOTICE  [sshd] Ban 1.117.78.189
2022-08-19 23:49:06,478 fail2ban.filter         : INFO    [sshd] Found 1.117.78.189 - 2022-08-19 23:49:06
2022-08-19 23:49:06,479 fail2ban.filter         : INFO    [sshd] Found 1.117.78.189 - 2022-08-19 23:49:06
...
iptables -L -nv:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
13336  897K f2b-sshd   all  --  *      *       0.0.0.0/0            0.0.0.0/0
12829  859K f2b-sshd   all  --  *      *       0.0.0.0/0            0.0.0.0/0
13026  874K f2b-sshd   all  --  *      *       0.0.0.0/0            0.0.0.0/0
13170  888K f2b-sshd   all  --  *      *       0.0.0.0/0            0.0.0.0/0
16162 1358K f2b-sshd   all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain f2b-sshd (5 references)
 pkts bytes target     prot opt in     out     source               destination
  507 38384 REJECT     all  --  *      *       1.117.78.0/24        0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       79.232.107.0/24      0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       94.131.132.0/24      0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       82.65.33.0/24        0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       82.157.143.0/24      0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       76.186.2.0/24        0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       61.177.173.0/24      0.0.0.0/0            reject-with icmp-port-unreachable
...
I also set some stuff in /etc/sysctl.conf:
net.ipv4.icmp_echo_ignore_all = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
I also set them to ban the entire network using /24, but I don't remember where I put that. If someone knows what my problem is or you need more information, please tell me.
Asked by Raistlin (11 rep)
Aug 19, 2022, 10:13 PM
Last activity: Jan 10, 2025, 09:39 AM
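An added example, not part of the question or of fail2ban itself: a small Python script that cross-checks a fail2ban.log excerpt against `iptables -L -nv` output. For each IP that fail2ban banned it reports which REJECT rule in the jail chain covers it, how many packets that rule has already rejected, and how many "Found" lines were logged after the "Ban". The sample log and iptables text are constructed from the excerpts in the question (the log also shows fail2ban reading the systemd journal, `_SYSTEMD_UNIT=sshd.service`, rather than /var/log/auth.log). The point it makes: sshd logs more than one line per failed attempt (the question's log shows pairs of Found lines with identical timestamps), so a Found line after the Ban does not by itself mean the firewall is being bypassed; the REJECT counter, already 507 packets for 1.117.78.0/24 in the question's output, is the better indicator that the ban is enforced. It also counts how many INPUT rules jump to f2b-sshd (five in the question's output); one is enough, more means the jail's action was started more than once. The chain name `f2b-sshd` and the `diagnose`/`duplicate_jumps` helper names are this example's own choices.

```python
"""Cross-check fail2ban bans against live iptables counters (added example)."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: fail2ban.log lines taken from the question.
FAIL2BAN_LOG = """\
2022-08-19 23:43:07,478 fail2ban.filter         : INFO    [sshd] Found 79.232.107.204 - 2022-08-19 23:43:07
2022-08-19 23:43:09,228 fail2ban.filter         : INFO    [sshd] Found 79.232.107.204 - 2022-08-19 23:43:08
2022-08-19 23:43:09,350 fail2ban.actions        : NOTICE  [sshd] Ban 79.232.107.204
2022-08-19 23:49:04,030 fail2ban.filter         : INFO    [sshd] Found 1.117.78.189 - 2022-08-19 23:49:03
2022-08-19 23:49:04,033 fail2ban.filter         : INFO    [sshd] Found 1.117.78.189 - 2022-08-19 23:49:03
2022-08-19 23:49:04,353 fail2ban.actions        : NOTICE  [sshd] Ban 1.117.78.189
2022-08-19 23:49:06,478 fail2ban.filter         : INFO    [sshd] Found 1.117.78.189 - 2022-08-19 23:49:06
2022-08-19 23:49:06,479 fail2ban.filter         : INFO    [sshd] Found 1.117.78.189 - 2022-08-19 23:49:06
"""

# Constructed sample: abridged `iptables -L -nv` output as shown in the question.
IPTABLES_OUTPUT = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
13336  897K f2b-sshd   all  --  *      *       0.0.0.0/0            0.0.0.0/0
12829  859K f2b-sshd   all  --  *      *       0.0.0.0/0            0.0.0.0/0
13026  874K f2b-sshd   all  --  *      *       0.0.0.0/0            0.0.0.0/0
13170  888K f2b-sshd   all  --  *      *       0.0.0.0/0            0.0.0.0/0
16162 1358K f2b-sshd   all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain f2b-sshd (5 references)
 pkts bytes target     prot opt in     out     source               destination
  507 38384 REJECT     all  --  *      *       1.117.78.0/24        0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       79.232.107.0/24      0.0.0.0/0            reject-with icmp-port-unreachable
"""

# fail2ban log line: "<ts>,<ms> <component> : <LEVEL> [<jail>] <Found|Ban|Unban> <ip> ..."
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d+) \S+\s*: \w+\s+"
    r"\[(?P<jail>[^\]]+)\] (?P<event>Found|Ban|Unban) (?P<ip>[0-9a-fA-F.:]+)"
)

_SUFFIX = {"K": 1_000, "M": 1_000_000, "G": 1_000_000_000}


def _counter(field):
    """iptables abbreviates counters with K/M/G unless -x is given; expand them."""
    if field[-1] in _SUFFIX:
        return int(field[:-1]) * _SUFFIX[field[-1]]
    return int(field)


def parse_log(text):
    """Yield (timestamp, jail, event, ip) for every Found/Ban/Unban line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f")
            yield ts, m["jail"], m["event"], m["ip"]


def found_after_ban(text):
    """Per banned IP: number of Found lines logged at or after its Ban."""
    banned_at, late = {}, defaultdict(int)
    for ts, _jail, event, ip in parse_log(text):
        if event == "Ban":
            banned_at[ip] = ts
            late.setdefault(ip, 0)
        elif event == "Unban":
            banned_at.pop(ip, None)
        elif event == "Found" and ip in banned_at and ts >= banned_at[ip]:
            late[ip] += 1
    return dict(late)


def parse_iptables(text):
    """Return {chain: [(pkts, target, source), ...]} from `iptables -L -nv` output."""
    chains, current = {}, None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "Chain":
            current = parts[1]
            chains[current] = []
        elif parts[0] == "pkts" or current is None:
            continue  # column header
        else:  # pkts bytes target prot opt in out source destination ...
            chains[current].append((_counter(parts[0]), parts[2], parts[7]))
    return chains


def diagnose(log_text, iptables_text, jail_chain="f2b-sshd"):
    """For each banned IP: the REJECT/DROP rule covering it, its packet count, late Found lines."""
    rules = parse_iptables(iptables_text).get(jail_chain, [])
    report = {}
    for ip, n_late in found_after_ban(log_text).items():
        addr = ipaddress.ip_address(ip)
        hits = [(pkts, src) for pkts, target, src in rules
                if target in ("REJECT", "DROP")
                and addr in ipaddress.ip_network(src, strict=False)]
        report[ip] = {"rule": hits[0][1] if hits else None,
                      "rejected_pkts": hits[0][0] if hits else 0,
                      "found_after_ban": n_late}
    return report


def duplicate_jumps(iptables_text, chain="INPUT", target="f2b-sshd"):
    """How many rules in `chain` jump to the jail chain; one is all that is needed."""
    return sum(1 for _p, t, _s in parse_iptables(iptables_text).get(chain, []) if t == target)


if __name__ == "__main__":
    for ip, info in diagnose(FAIL2BAN_LOG, IPTABLES_OUTPUT).items():
        verdict = "ban enforced by firewall" if info["rejected_pkts"] else "no rejected packets yet"
        print(f"{ip}: rule={info['rule']} rejected={info['rejected_pkts']} "
              f"found-after-ban={info['found_after_ban']} -> {verdict}")
    print("INPUT rules jumping to f2b-sshd:", duplicate_jumps(IPTABLES_OUTPUT))
```

On a live box, replace the two constants with the contents of /var/log/fail2ban.log and the output of `iptables -L -nv` (or `iptables -L -nvx` to get exact counters; the K/M/G expansion is only needed for the abbreviated form). A banned IP whose rule shows a growing packet count is being rejected regardless of what sshd logs afterwards; a banned IP with no matching rule at all is the case that would need investigating.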