
Unix & Linux Stack Exchange

Q&A for users of Linux, FreeBSD and other Unix-like operating systems

Latest Questions

4 votes
3 answers
20204 views
fail2ban is running but no fail2ban.log log file exists for it
I've set up fail2ban on a CentOS VPS used for a few mail accounts among other things and want to check that everything is running smoothly. According to `fail2ban-client status` everything is running as expected on dovecot, exim, and ssh, but there's no log file in the expected place (`/var/log/fail2ban.log`), and `find / -name fail2ban.log` finds nothing.

`fail2ban-client get loglevel` returns `Current logging level is 'INFO'`, and `fail2ban-client get logtarget` returns `Current logging target is:- SYSLOG`. Based on this, it should be logging in the default location, which all the docs and guides I've found say is `/var/log/fail2ban.log`, but no log file is there.

There have been many of the usual probes on dovecot since setting fail2ban up, including many from repeat IPs, so it's not like fail2ban has had nothing to do. How can I investigate why fail2ban has not got any log file and appears to be failing to log? Searches uncovered a few people posting about similar problems on a few forums but no solutions I could see.
user56reinstatemonica8 (153 rep)
Jan 10, 2017, 03:29 PM • Last activity: Jun 11, 2025, 07:47 PM
-1 votes
1 answers
2360 views
Writing a fail2ban multiline regex
I'm not sure if this is the correct regex, but I'm trying to add multiple lines to the ignoreregex. Here are the config lines in my ddos.conf:

```
[Definition]
failregex = ^ -.*"(GET|POST).*
ignoreregex = .*(robots.txt|favicon.ico|jpg|png)
              ^ -.*"(GET|POST).*(Googlebot|bingbot)
```

Is the code correct? What should I add for multiple lines?
Dr Jay (149 rep)
Apr 15, 2021, 10:44 AM • Last activity: Apr 23, 2025, 08:01 PM
1 votes
1 answers
3221 views
Adding iptables rules after implementing fail2ban
I recently implemented fail2ban on a fresh Debian server, which left me with some default iptables configuration automatically:

```
root@plutarchy:/etc/apache2# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N fail2ban-ssh
-A INPUT -p tcp -m multiport --dports 2222 -j fail2ban-ssh
-A fail2ban-ssh -j RETURN
```

Now, when I add some old iptables rules that I don't want to run through fail2ban, I end up with the following:

```
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N fail2ban-ssh
-A INPUT -p tcp -m multiport --dports 2222 -j fail2ban-ssh
-A INPUT -s 127.0.0.1/32 -i lo -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 2222 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j DROP
-A fail2ban-ssh -j RETURN
```

Note that I need to add the line **-A INPUT -p tcp --dport 2222 -j ACCEPT** or I cannot ssh into the box. Will fail2ban still protect ssh (port 2222) when I have this line inserted? If not, how can I make sure ssh still goes through fail2ban while I have port 80 opened for normal operation?
Mike Dank (151 rep)
Dec 7, 2016, 10:10 PM • Last activity: Apr 16, 2025, 02:09 AM
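The ordering question above (is a ban still reached once an ACCEPT for port 2222 is in INPUT?) is decided by iptables' first-match rule, and it can be checked offline. What follows is an added example, not code from the question or from fail2ban: a small simulator of first-match evaluation over the exact `iptables -S` ruleset posted above, with one constructed ban entry (a REJECT for the made-up address 203.0.113.9) placed at position 1 of `fail2ban-ssh`, which is where fail2ban's stock iptables action inserts its bans. The simulator only understands the match fields this ruleset uses (`-p`, `-s`, `-i`, `--dport`/`--dports`, `--ctstate`), and the interface name `eth0` is assumed.

```python
"""Added example (not the question's code): simulate iptables first-match evaluation
for the INPUT chain shown in the question and check whether a ban that fail2ban
inserts into fail2ban-ssh is reached before the user's port-2222 ACCEPT."""
import ipaddress

# The question's ruleset (iptables -S), plus one constructed ban entry added the way
# fail2ban's default iptables action does it (insert at position 1 of its own chain,
# REJECT by default). 203.0.113.9 is a made-up attacker address.
RULESET = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N fail2ban-ssh
-A INPUT -p tcp -m multiport --dports 2222 -j fail2ban-ssh
-A INPUT -s 127.0.0.1/32 -i lo -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 2222 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j DROP
-A fail2ban-ssh -s 203.0.113.9/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ssh -j RETURN
"""

TERMINAL = {"ACCEPT", "DROP", "REJECT"}


def parse_rule(tokens):
    """Pick out the match fields this simulator understands from an -A line."""
    rule = {"proto": None, "src": None, "iface": None, "dports": None, "ctstate": None, "target": None}
    i = 0
    while i < len(tokens):
        t = tokens[i]
        arg = tokens[i + 1] if i + 1 < len(tokens) else None
        if t == "-p":
            rule["proto"] = arg
        elif t == "-s":
            rule["src"] = ipaddress.ip_network(arg, strict=False)
        elif t == "-i":
            rule["iface"] = arg
        elif t in ("--dport", "--dports"):
            rule["dports"] = {int(p) for p in arg.split(",")}
        elif t == "--ctstate":
            rule["ctstate"] = set(arg.split(","))
        elif t == "-j":
            rule["target"] = arg
        else:                       # -m <module>, --reject-with <type>, ...: no match semantics here
            i += 1
            continue
        i += 2
    return rule


def parse_ruleset(text):
    table = {"policy": {}, "chains": {}}
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "-P":
            table["policy"][tok[1]] = tok[2]
            table["chains"].setdefault(tok[1], [])
        elif tok[0] == "-N":
            table["chains"].setdefault(tok[1], [])
        elif tok[0] == "-A":
            rule = parse_rule(tok[2:])
            rule["text"] = line
            table["chains"].setdefault(tok[1], []).append(rule)
    return table


def matches(rule, pkt):
    if rule["proto"] and rule["proto"] != pkt["proto"]:
        return False
    if rule["src"] and ipaddress.ip_address(pkt["src"]) not in rule["src"]:
        return False
    if rule["iface"] and rule["iface"] != pkt["iface"]:
        return False
    if rule["dports"] is not None and pkt.get("dport") not in rule["dports"]:
        return False
    if rule["ctstate"] and pkt["ctstate"] not in rule["ctstate"]:
        return False
    return True


def evaluate(table, pkt, chain="INPUT", trace=None):
    """First match wins. A jump enters the user chain; RETURN (or falling off its end)
    resumes the calling chain at the next rule; a built-in chain ends with its policy."""
    trace = [] if trace is None else trace
    for rule in table["chains"][chain]:
        if not matches(rule, pkt):
            continue
        trace.append(f"{chain}: {rule['text']}")
        target = rule["target"]
        if target in TERMINAL:
            return target, trace
        if target == "RETURN":
            return None, trace
        if target in table["chains"]:
            sub_verdict, _ = evaluate(table, pkt, target, trace)
            if sub_verdict is not None:
                return sub_verdict, trace
    return table["policy"].get(chain), trace


def verdict(src, dport, accept_first=False):
    """Verdict for a NEW TCP SYN from `src` to `dport` arriving on eth0. accept_first=True
    moves the port-2222 ACCEPT to the top of INPUT, which is what `iptables -I INPUT ...`
    (insert, not append) would do."""
    lines = RULESET.splitlines()
    if accept_first:
        acc = "-A INPUT -p tcp --dport 2222 -j ACCEPT"
        lines.remove(acc)
        lines.insert(next(i for i, l in enumerate(lines) if l.startswith("-A ")), acc)
    table = parse_ruleset("\n".join(lines))
    pkt = {"src": src, "proto": "tcp", "dport": dport, "iface": "eth0", "ctstate": "NEW"}
    return evaluate(table, pkt)[0]


if __name__ == "__main__":
    for args in [("203.0.113.9", 2222), ("198.51.100.5", 2222), ("203.0.113.9", 80)]:
        print(args, "->", verdict(*args))
    print("banned IP, ACCEPT inserted at top ->", verdict("203.0.113.9", 2222, accept_first=True))
```

The banned address is rejected on 2222 because the jump to `fail2ban-ssh` is rule 1 of INPUT, ahead of the ACCEPT, while the same address still reaches port 80 (the jail's jump only covers 2222). The `accept_first=True` case is the configuration to avoid: if the ACCEPT is later inserted with `-I INPUT` instead of appended, it is consulted before the jail's chain and bans are never reached. `iptables -S INPUT` with the jump still first is the check after any rule change.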
4 votes
1 answers
2202 views
fail2ban with iptables-persistent
I've been running fail2ban for a bit, and recently installed `iptables-persistent` and am using it with `ipset` for a blacklist (there's one particular IP that is always hammering away at this machine). The `ipset`/`iptables` persistency was a bit of work on Ubuntu, but that part seems to be working. My issue is now the following: when I reboot the machine, my (relevant portion of) iptables looks like this:

```
Chain INPUT (policy ACCEPT 682 packets, 84744 bytes)
 pkts bytes target     prot opt in     out     source               destination
  347 23254 f2b-sshd   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set blacklist src
  347 23254 f2b-sshd   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22

Chain f2b-sshd (2 references)
 pkts bytes target     prot opt in     out     source               destination
  694 46508 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
```

With this, I noticed also that `netfilter-persistent.service` was marked as "loaded failed failed" by `systemctl` even though it clearly loaded the rules files. I tried editing my fail2ban service to load AFTER netfilter-persistent, and now netfilter-persistent is marked as "loaded active exited"... but the rules are still duplicated (apparently f2b creates the rules regardless of whether they already exist).

Manually editing this file each time I run `iptables-save` to delete the f2b entries is probably an acceptable option (particularly given that the consequences aren't all that grave if I forget to do so), but I'm wondering if there's a better option?
zzxyz (329 rep)
Nov 19, 2018, 06:58 PM • Last activity: Apr 11, 2025, 04:09 AM
1 votes
2 answers
2541 views
Docker between-container iptables and fail2ban?
Say I have a public-facing Nginx reverse proxy container (A) that sends traffic to a downstream web service (B). This A container is where TLS connections terminate. The Docker server is _also_ behind an external reverse proxy service. I am **successfully** able to extract and log the real IPs from forward headers. No problem.

How do I configure the fail2ban action to jail (e.g. DROP) traffic from the real IP exiting container A? The downstream web service B will see an XFF header with the real IP.

Here is what my iptables are doing now (`iptables -nL`):

```
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-auth-fail  tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DOCKER-USER  all  --  0.0.0.0/0            0.0.0.0/0
DOCKER-ISOLATION-STAGE-1  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain DOCKER (2 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            172.20.128.1         tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            172.20.128.1         tcp dpt:80

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination
DOCKER-ISOLATION-STAGE-2  all  --  0.0.0.0/0            0.0.0.0/0
DOCKER-ISOLATION-STAGE-2  all  --  0.0.0.0/0            0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain DOCKER-USER (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain fail2ban-auth-fail (1 references)
target     prot opt source               destination
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 STRING match "X-Forwarded-For: 184.75.215.178" ALGO name bm TO 65535
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
```

As you can see I'm already trying to match on packets with the XFF string, and that IP address is the real IP, not the proxy server. Perhaps the INPUT chain is the culprit? Here are my main actions:

```
actionstart = iptables -N fail2ban-
              iptables -A fail2ban- -j RETURN
              iptables -I -p --dport -j fail2ban-

actionban = iptables -I fail2ban- 1 -p tcp --dport 80 -m string --algo bm --string 'X-Forwarded-For: ' -j DROP
```
Drakes (657 rep)
Mar 6, 2019, 10:37 PM • Last activity: Apr 10, 2025, 05:03 AM
3 votes
1 answers
229 views
Firewalld ignoring rich-rule against port forwarding
I have an issue setting up my firewalld to have a perfect link together with docker and fail2ban. First, what I want to achieve is the following traffic routing setup:
[PUBLIC] -> 
  [FIREWALLD] -> (
    [143/tcp FORWARD PORT] -----> [DOCKER/143/tcp]
    [ 22/tcp]              -----> [openssh locally running]
  )
**fail2ban**

I set up fail2ban to listen to my docker container, check for auth errors and set up a ban using firewall-cmd. That works so far. As soon as I mis-authenticate 3 times, it sends a command to firewalld.

**Port forwarding**

I also have set up the port forward for docker. I am setting it up explicitly, because I do not want to have docker destroying my networking. Maybe this is something I do not need in the future, but it is configured via the StrictForwardPorts=yes configuration. https://firewalld.org/2024/11/strict-forward-ports

**Goal**

The goal is that whenever a fail2ban trigger happens, the IP should **not** have access to port 143 (the forwarded one) and (maybe) neither the other ones anymore. But at first, I'd like to ban port-wise.

**Problem**

The problem currently is that if a reject rich rule is created, it will block port 22 for that IP, but not port 143.

**Attempts**

I also tried putting the IP into the drop zone, giving it the priority -10. Same error result. Port 22 is dropped, but 143 still works. What am I doing wrong? Here's my zone configuration from the last try:
docker (active)
  target: ACCEPT
  ingress-priority: 0
  egress-priority: 0
  icmp-block-inversion: no
  interfaces: br-0aa8d4b5dde7 docker0
  sources: 
  services: 
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
        rule priority="-999" family="ipv4" source address="192.168.178.44" reject

drop (active)
  target: DROP
  ingress-priority: -10
  egress-priority: -10
  icmp-block-inversion: no
  interfaces: 
  sources: 192.168.178.44
  services: 
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

public (default, active)
  target: default
  ingress-priority: 0
  egress-priority: 0
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcpv6-client ssh
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
        port=143:proto=tcp:toport=143:toaddr=172.18.0.2
  source-ports: 
  icmp-blocks: 
  rich rules: 
        rule priority="-999" family="ipv4" source address="192.168.178.44" reject
As seen: actually, address 192.168.178.44 should be fully blocked to the public zone. But it isn't. Additionally I added the IP to the drop zone. It seems that the drop zone priority is working, as my SSH connection is dropped instead of rejected, but port 143 is still accessible.

**Update 1: Some debug info**
$ sudo firewall-cmd --get-policies
allow-host-ipv6 docker-forwarding
**Update 2: --info-policy=docker-forwarding**
docker-forwarding (active)
  priority: -1
  target: ACCEPT
  ingress-zones: ANY
  egress-zones: docker
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
**Update 3:** Another idea that came to my mind was to create another policy with priority -10, containing the rich rule:
sudo firewall-cmd --permanent --new-policy ban-pre-routing
sudo firewall-cmd --permanent --policy ban-pre-routing --add-ingress-zone ANY
sudo firewall-cmd --permanent --policy ban-pre-routing --add-egress-zone HOST
sudo firewall-cmd --permanent --policy ban-pre-routing --set-priority -10
sudo firewall-cmd --permanent --policy ban-pre-routing --add-rich-rule="rule family=ipv4 source address=192.168.178.44 port port=143 protocol=tcp reject"
Still no effect. My *.44 host can still connect to the machine. If I leave out the `port port=143 protocol=tcp` part, it would block the machine's ssh, though, while it is still able to access port 143.

**Update 4:** Using Update 3 with the policy configured to egress zone docker, it does not result in a difference. My configs look like this now:
$ sudo firewall-cmd --list-all-policies
allow-host-ipv6 (active)
  priority: -15000
  target: CONTINUE
  ingress-zones: ANY
  egress-zones: HOST
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
        rule family="ipv6" icmp-type name="neighbour-advertisement" accept
        rule family="ipv6" icmp-type name="neighbour-solicitation" accept
        rule family="ipv6" icmp-type name="redirect" accept
        rule family="ipv6" icmp-type name="router-advertisement" accept

ban-pre-routing (active)
  priority: -10
  target: CONTINUE
  ingress-zones: ANY
  egress-zones: docker
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
        rule family="ipv4" source address="192.168.178.44" port port="143" protocol="tcp" reject

docker-forwarding (active)
  priority: -1
  target: ACCEPT
  ingress-zones: ANY
  egress-zones: docker
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:
And for zones:
$ sudo firewall-cmd --list-all --zone=public
public (default, active)
  target: default
  ingress-priority: 0
  egress-priority: 0
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcpv6-client ssh
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
        port=143:proto=tcp:toport=143:toaddr=172.18.0.2
  source-ports: 
  icmp-blocks: 
  rich rules: 

$ sudo firewall-cmd --list-all --zone=drop
drop
  target: DROP
  ingress-priority: 0
  egress-priority: 0
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

$ sudo firewall-cmd --list-all --zone=docker
docker (active)
  target: ACCEPT
  ingress-priority: 0
  egress-priority: 0
  icmp-block-inversion: no
  interfaces: br-c5f172e4effe docker0
  sources: 
  services: 
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:
Marco Klein (151 rep)
Mar 31, 2025, 07:35 PM • Last activity: Apr 3, 2025, 09:59 AM
2 votes
1 answers
32 views
Fail2ban issue on my Docker Xibo
I'm currently trying to get Fail2ban to work with my Xibo container, but even though I'm listed as banned, I can still attempt to log in.

```
debian@vps-ec7a07fd:~/xibo$ sudo fail2ban-client status xibo
Status for the jail: xibo
|- Filter
|  |- Currently failed: 1
|  |- Total failed:     7
|  `- File list:        /var/log/xilog/container.log
`- Actions
   |- Currently banned: 1
   |- Total banned:     1
   `- Banned IP list:   172.18.0.1
```

I went to check the iptables, but I don't see anything unusual.

```
 pkts bytes target     prot opt in     out     source               destination
   32  6227 f2b-xibo   6    --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
```

And finally, I don't see any errors in the fail2ban.log.

```
2025-02-21 12:35:55,883 fail2ban.filter  : INFO    [xibo] Found 172.18.0.1 - 2025-02-21 12:35:55
2025-02-21 12:35:57,813 fail2ban.filter  : INFO    [xibo] Found 172.18.0.1 - 2025-02-21 12:35:57
2025-02-21 12:36:00,516 fail2ban.filter  : INFO    [xibo] Found 172.18.0.1 - 2025-02-21 12:35:59
2025-02-21 12:36:00,674 fail2ban.actions : NOTICE  [xibo] Ban 172.18.0.1
2025-02-21 12:36:02,119 fail2ban.filter  : INFO    [xibo] Found 172.18.0.1 - 2025-02-21 12:36:01
2025-02-21 12:36:03,743 fail2ban.filter  : INFO    [xibo] Found 172.18.0.1 - 2025-02-21 12:36:03
2025-02-21 12:36:05,501 fail2ban.filter  : INFO    [xibo] Found 172.18.0.1 - 2025-02-21 12:36:05
2025-02-21 12:36:05,904 fail2ban.actions : NOTICE  [xibo] 172.18.0.1 already banned
2025-02-21 12:36:07,244 fail2ban.filter  : INFO    [xibo] Found 172.18.0.1 - 2025-02-21 12:36:07
2025-02-21 12:39:05,184 fail2ban.actions : NOTICE  [xibo] Unban 172.18.0.1
```

If you have any idea where the issue might come from, I'm open to any suggestions.
Jean (21 rep)
Feb 21, 2025, 01:04 PM • Last activity: Feb 21, 2025, 03:46 PM
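The only address in the jail's ban list above is 172.18.0.1. That is a private (RFC 1918) address and, on a host whose Docker network is 172.18.0.0/16, the bridge gateway, i.e. the host side of the bridge rather than an external client. The jail's rule sits on INPUT for dports 80,443 and matches on the packet's source address, so a ban on 172.18.0.1 cannot stop the outside client, whose packets carry its own address (or traverse FORWARD rather than INPUT when Docker DNATs them to the container). As an added example, not code from the question or from fail2ban, here is a check that scans fail2ban.log for bans of non-routable addresses, run here on the question's own log lines plus one constructed ban of a public address (79.232.107.204, the attacker address quoted in the Fedora question further down this page). The 172.18.0.0/16 subnet is an assumption; the question does not show the container network's configuration.

```python
"""Added example (not the question's code): flag jails that ban private, loopback or
otherwise non-routable addresses. Such a ban means the filter extracted a NAT, bridge
or proxy address from the log, not the client's, and the firewall rule it produces
never matches the client's packets."""
import ipaddress
import re

LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) fail2ban\.(?P<module>\w+)\s*: (?P<level>\w+)\s+"
    r"\[(?P<jail>[\w-]+)\] (?P<event>Found|Ban|Unban) (?P<ip>\S+)")

# Constructed sample: lines from the question's log plus one ban of a public address.
SAMPLE_LOG = """\
2025-02-21 12:36:00,516 fail2ban.filter  : INFO    [xibo] Found 172.18.0.1 - 2025-02-21 12:35:59
2025-02-21 12:36:00,674 fail2ban.actions : NOTICE  [xibo] Ban 172.18.0.1
2025-02-21 12:36:05,904 fail2ban.actions : NOTICE  [xibo] 172.18.0.1 already banned
2025-02-21 12:39:05,184 fail2ban.actions : NOTICE  [xibo] Unban 172.18.0.1
2025-02-21 12:40:11,002 fail2ban.actions : NOTICE  [sshd] Ban 79.232.107.204
"""


def parse_fail2ban_log(text):
    """Yield one dict per Found/Ban/Unban line; other lines ('already banned',
    reload messages) do not match the pattern and are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def address_scope(ip):
    """Classify an address the way a ban review needs it. Docker bridge networks live
    in the private ranges, so a 'private' ban is the tell-tale for the question's case."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "unparsable"          # fail2ban can log hostnames when usedns is enabled
    if addr.is_loopback:
        return "loopback"
    if addr.is_private:
        return "private"
    if not addr.is_global:
        return "special-use"
    return "global"


def suspicious_bans(text):
    """{(jail, ip): scope} for every Ban whose address is not globally routable."""
    out = {}
    for ev in parse_fail2ban_log(text):
        if ev["event"] != "Ban":
            continue
        scope = address_scope(ev["ip"])
        if scope != "global":
            out[(ev["jail"], ev["ip"])] = scope
    return out


def is_bridge_gateway(ip, bridge_subnet):
    """True if `ip` is the first usable address of `bridge_subnet`, which is where Docker
    places the gateway of a bridge network by default. The subnet must be supplied
    (e.g. from `docker network inspect`); 172.18.0.0/16 below is an assumption."""
    net = ipaddress.ip_network(bridge_subnet)
    return ipaddress.ip_address(ip) == net.network_address + 1


if __name__ == "__main__":
    for (jail, ip), scope in suspicious_bans(SAMPLE_LOG).items():
        gw = " (bridge gateway of 172.18.0.0/16)" if is_bridge_gateway(ip, "172.18.0.0/16") else ""
        print(f"[{jail}] banned {ip}: {scope}{gw}")
```

On the real host, run `suspicious_bans()` over `/var/log/fail2ban.log` and take the subnet for `is_bridge_gateway()` from `docker network inspect <network>`. A jail that only ever bans the gateway is reading a log in which the container never saw the client's address; the fix belongs in the logging side (the proxy in front must pass the client address, and the filter must extract it), not in the ban action.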
4 votes
2 answers
5565 views
How to show "number of failed login attempts" on a successful ssh login?
I use CentOS 7 on a host. There used to be a report of the number of failed login attempts shown whenever I logged into the machine using SSH. The full banner was something like this:

> Last failed login: Fri May 24 03:58:45 EDT 2019 from x.x.x.x on ssh:notty
> There were 121 failed login attempts since the last successful login.
> Last login: Thu May 23 15:52:24 2019 from x.x.x.x

Then I installed fail2ban to prevent these attempts, and after that the line reporting the number of failed logins is gone. At first I thought maybe these bots had decided not to try to log in to my machine anymore and there were really no failed login attempts, so the message is gone. But then I realized `lastb` shows a lot of recent attempts. I tried to have a look at `/var/log/secure` but the file does not exist anymore.

As I understand it, `/etc/pam.d/postlogin` is responsible for showing this message at login. Here is the content of that file:

```
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
session [default=1] pam_lastlog.so nowtmp showfailed
session optional pam_lastlog.so silent noupdate showfailed
```

How do I find out what caused this change? And how do I get that message back?
Nima (163 rep)
May 24, 2019, 08:52 AM • Last activity: Feb 4, 2025, 11:01 AM
0 votes
0 answers
49 views
fail2ban: long recidive bantime ending prematurely
I noticed a problem with my fail2ban installation. All my jails have a short bantime, just the "recidive" has a much longer bantime. I'm using nftables. The banned IP addresses are stored in sets. (Originally I thought there was only one set, but this assumption was wrong). This is what I see in the log for a given single IP:
1. portscan BAN1 for short time
2. portscan UNBAN1 after a while

3. portscan BAN2 for short time
4. portscan UNBAN2 after a while

5. portscan BAN3 for short time
6. recidive BAN for LONG time, because the portscan was activated 3 times
7. portscan UNBAN3 after a while (the IP is no longer banned!!)

8. recidive UNBAN (error logged, IP not found in the set)
- In line 5 the IP is banned in jail "portscan"
- In line 6 the IP is banned in jail "recidive"
- In line 7 the IP is unbanned in "portscan", but it looks like it is unbanned globally!

Real log:
NOTICE  [portscan] Ban 78.IP.XX.YY
NOTICE  [portscan] Unban 78.IP.XX.YY
NOTICE  [portscan] Ban 78.IP.XX.YY
NOTICE  [portscan] Unban 78.IP.XX.YY
NOTICE  [portscan] Ban 78.IP.XX.YY
NOTICE  [portscan] Unban 78.IP.XX.YY
NOTICE  [portscan] Ban 78.IP.XX.YY
NOTICE  [recidive] Ban 78.IP.XX.YY
NOTICE  [portscan] Unban 78.IP.XX.YY
NOTICE  [portscan] Ban 78.IP.XX.YY
NOTICE  [portscan] Unban 78.IP.XX.YY
NOTICE  [portscan] Ban 78.IP.XX.YY
NOTICE  [portscan] Unban 78.IP.XX.YY
NOTICE  [recidive] Unban 78.IP.XX.YY
ERROR   7fe663585fb0 -- exec: nft delete element inet f2b-table addr-set-recidive \{ 78.IP.XX.YY \}
ERROR   7fe663585fb0 -- stderr: 'delete element inet f2b-table addr-set-recidive { 78.IP.XX.YY }'
ERROR   7fe663585fb0 -- exec: nft delete element inet f2b-table addr-set-recidive \{ 78.IP.XX.YY \}
ERROR   7fe663585fb0 -- stderr: 'delete element inet f2b-table addr-set-recidive { 78.IP.XX.YY }'
ERROR   Failed to execute unban jail 'recidive' action 'nftables-allports' info 'ActionInfo({'ip': '78.IP.XX.YY', 'family': 'inet4', 'fid':  at 0x7fe671bb98a0>, 'raw-ticket':  at 0x7fe671bba020>})': Error unbanning 78.IP.XX.YY
NOTICE  [portscan] Ban 78.IP.XX.YY
NOTICE  [portscan] Unban 78.IP.XX.YY
NOTICE  [portscan] Ban 78.IP.XX.YY
NOTICE  [portscan] Unban 78.IP.XX.YY
NOTICE  [portscan] Ban 78.IP.XX.YY
Ignoring changes not related to this issue, my configuration is basically just:

```
banaction = nftables-multiport
banaction_allports = nftables-allports
```

I did not modify any nftables-xxx actions, i.e. I'm using the standard action definitions. The mentioned jails are defined as follows:
[portscan]
enabled = true
filter = portscan
backend = systemd
journalmatch = _TRANSPORT=kernel
logpath = %(syslog_daemon)s

[recidive]
enabled = true
bantime = 18h
Where did I make an error and how to fix it?
VPfB (809 rep)
Jan 14, 2025, 08:53 PM • Last activity: Jan 15, 2025, 11:44 AM
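Whether the portscan unban removes the address only from `addr-set-portscan` or from the recidive set as well can be settled by comparing what the log implies with what the kernel actually holds. As an added example, not code from the question or from fail2ban, the script below replays the NOTICE lines of fail2ban.log into one ban set per jail (fail2ban's nftables actions keep one set per jail, `addr-set-<jail>`, as the error lines above show), notes every unban of an address that another jail still holds, and diffs the replayed state against `nft list table inet f2b-table` output. The log lines are the question's first thirteen with the masked address replaced by the documentation address 203.0.113.78; the nft output is constructed to show the divergence the question reports (the address missing from `addr-set-recidive` before recidive's own unban runs), plus an unrelated element 198.51.100.4 to show the reverse direction.

```python
"""Added example (not the question's code): replay fail2ban.log into per-jail ban
sets and compare them with the kernel's nftables sets."""
import re

NOTICE_RE = re.compile(r"^(?:\S+ \S+ fail2ban\.\w+\s*: )?NOTICE\s+\[([\w-]+)\] (Ban|Unban) (\S+)")

# The question's sequence (its first 13 NOTICE lines, up to but not including the
# recidive Unban), masked address replaced by 203.0.113.78. The question omitted the
# timestamps; the regex accepts lines with or without them.
LOG = """\
NOTICE  [portscan] Ban 203.0.113.78
NOTICE  [portscan] Unban 203.0.113.78
NOTICE  [portscan] Ban 203.0.113.78
NOTICE  [portscan] Unban 203.0.113.78
NOTICE  [portscan] Ban 203.0.113.78
NOTICE  [portscan] Unban 203.0.113.78
NOTICE  [portscan] Ban 203.0.113.78
NOTICE  [recidive] Ban 203.0.113.78
NOTICE  [portscan] Unban 203.0.113.78
NOTICE  [portscan] Ban 203.0.113.78
NOTICE  [portscan] Unban 203.0.113.78
NOTICE  [portscan] Ban 203.0.113.78
NOTICE  [portscan] Unban 203.0.113.78
"""

# Constructed `nft list table inet f2b-table` output at that moment: the recidive set
# does not hold 203.0.113.78 although the replay says it should (nft prints an
# `elements = { ... }` line only for non-empty sets).
NFT = """\
table inet f2b-table {
    set addr-set-portscan {
        type ipv4_addr
    }
    set addr-set-recidive {
        type ipv4_addr
        elements = { 198.51.100.4 }
    }
    chain input {
        type filter hook input priority filter; policy accept;
    }
}
"""


def replay(log_text):
    """Return (sets, notes). sets: jail -> addresses it should currently hold.
    notes: (line number, message) for unbans that cross jails or hit nothing."""
    sets, notes = {}, []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = NOTICE_RE.match(line)
        if not m:
            continue
        jail, action, ip = m.groups()
        held = sets.setdefault(jail, set())
        if action == "Ban":
            held.add(ip)
            continue
        if ip not in held:
            notes.append((n, f"{jail}: unban of {ip} that it never banned"))
        held.discard(ip)
        others = sorted(j for j, s in sets.items() if ip in s)
        if others:
            notes.append((n, f"{jail}: unban of {ip} while still banned by {', '.join(others)}"))
    return sets, notes


def parse_nft_sets(nft_text):
    """{set name: addresses} from `nft list table` text output; assumes each
    `elements = { ... }` list fits on one line, as it does for small sets."""
    sets, current = {}, None
    for line in nft_text.splitlines():
        if re.match(r"\s*chain ", line):
            current = None
            continue
        m = re.match(r"\s*set (\S+) \{", line)
        if m:
            current = m.group(1)
            sets[current] = set()
            continue
        m = re.match(r"\s*elements = \{([^}]*)\}", line)
        if m and current is not None:
            sets[current] = {e.strip() for e in m.group(1).split(",") if e.strip()}
    return sets


def compare(expected, actual, set_prefix="addr-set-"):
    """Per jail: addresses the replay expects but the kernel set lacks (the later
    `delete element` will fail, as in the question), and the reverse."""
    report = {}
    for jail, exp in expected.items():
        act = actual.get(set_prefix + jail, set())
        report[jail] = {"missing_from_kernel": sorted(exp - act),
                        "unexpected_in_kernel": sorted(act - exp)}
    return report


if __name__ == "__main__":
    sets, notes = replay(LOG)
    for n, msg in notes:
        print(f"line {n}: {msg}")
    for jail, rep in compare(sets, parse_nft_sets(NFT)).items():
        print(jail, rep)
```

On the real host, feed it `grep NOTICE /var/log/fail2ban.log` and `nft list table inet f2b-table` (or `nft -j list table inet f2b-table`, whose JSON is easier to parse than the text form assumed here). A `missing_from_kernel` entry for recidive while the replay still holds the address is exactly the state that produces the `delete element` errors in the question; which action removed the element is then a matter of reading that jail's `actionunban`/`actionflush`, which the replay cannot see.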
1 votes
2 answers
487 views
Fail2Ban is banning IPs but they can still attack me what am I doing wrong?
I'm right now building my first Linux Server using Fedora 36. I activated SSH and realized that bots were trying to connect to my server. After a bit of research, I found fail2ban and installed it. It worked fine, so I thought the problem was solved, but even after a few tries AND after fail2ban blocks them, they are still attacking. I read that they are using persistent connections. Is there a way to counter that, or do I have a different problem? Here is my setup: /etc/fail2ban/jail.local:
[DEFAULT]
banaction = iptables-allports

[sshd]
enabled = true
port = all
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = -1
`/var/log/auth.log` doesn't exist, so I don't know where it gets its data, but it reads something and bans people. `/var/log/fail2ban.log`, showing someone still being able to attack and not being banned after three tries:
2022-08-19 23:40:18,366 fail2ban.server         : INFO    Reload jail 'sshd'
2022-08-19 23:40:18,367 fail2ban.filter         : INFO      maxLines: 1
2022-08-19 23:40:18,369 fail2ban.filtersystemd  : INFO    [sshd] Added journal match for: '_SYSTEMD_UNIT=sshd.service + _COMM=sshd'
2022-08-19 23:40:18,369 fail2ban.filter         : INFO      maxRetry: 3
2022-08-19 23:40:18,369 fail2ban.filter         : INFO      findtime: 600
2022-08-19 23:40:18,369 fail2ban.actions        : INFO      banTime: -1
2022-08-19 23:40:18,369 fail2ban.filter         : INFO      encoding: UTF-8
2022-08-19 23:40:18,370 fail2ban.server         : INFO    Jail 'sshd' reloaded
2022-08-19 23:40:18,371 fail2ban.server         : INFO    Reload finished.
2022-08-19 23:43:07,478 fail2ban.filter         : INFO    [sshd] Found 79.232.107.204 - 2022-08-19 23:43:07
2022-08-19 23:43:07,480 fail2ban.filter         : INFO    [sshd] Found 79.232.107.204 - 2022-08-19 23:43:07
2022-08-19 23:43:09,228 fail2ban.filter         : INFO    [sshd] Found 79.232.107.204 - 2022-08-19 23:43:08
2022-08-19 23:43:09,229 fail2ban.filter         : INFO    [sshd] Found 79.232.107.204 - 2022-08-19 23:43:08
2022-08-19 23:43:09,350 fail2ban.actions        : NOTICE  [sshd] Ban 79.232.107.204
2022-08-19 23:49:04,030 fail2ban.filter         : INFO    [sshd] Found 1.117.78.189 - 2022-08-19 23:49:03
2022-08-19 23:49:04,030 fail2ban.filter         : INFO    [sshd] Found 1.117.78.189 - 2022-08-19 23:49:03
2022-08-19 23:49:04,031 fail2ban.filter         : INFO    [sshd] Found 1.117.78.189 - 2022-08-19 23:49:03
2022-08-19 23:49:04,031 fail2ban.filter         : INFO    [sshd] Found 1.117.78.189 - 2022-08-19 23:49:03
2022-08-19 23:49:04,032 fail2ban.filter         : INFO    [sshd] Found 1.117.78.189 - 2022-08-19 23:49:03
2022-08-19 23:49:04,032 fail2ban.filter         : INFO    [sshd] Found 1.117.78.189 - 2022-08-19 23:49:03
2022-08-19 23:49:04,032 fail2ban.filter         : INFO    [sshd] Found 1.117.78.189 - 2022-08-19 23:49:03
2022-08-19 23:49:04,033 fail2ban.filter         : INFO    [sshd] Found 1.117.78.189 - 2022-08-19 23:49:03
2022-08-19 23:49:04,353 fail2ban.actions        : NOTICE  [sshd] Ban 1.117.78.189
2022-08-19 23:49:06,478 fail2ban.filter         : INFO    [sshd] Found 1.117.78.189 - 2022-08-19 23:49:06
2022-08-19 23:49:06,479 fail2ban.filter         : INFO    [sshd] Found 1.117.78.189 - 2022-08-19 23:49:06
...
iptables -L -nv:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
13336  897K f2b-sshd   all  --  *      *       0.0.0.0/0            0.0.0.0/0
12829  859K f2b-sshd   all  --  *      *       0.0.0.0/0            0.0.0.0/0
13026  874K f2b-sshd   all  --  *      *       0.0.0.0/0            0.0.0.0/0
13170  888K f2b-sshd   all  --  *      *       0.0.0.0/0            0.0.0.0/0
16162 1358K f2b-sshd   all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain f2b-sshd (5 references)
 pkts bytes target     prot opt in     out     source               destination
  507 38384 REJECT     all  --  *      *       1.117.78.0/24        0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       79.232.107.0/24      0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       94.131.132.0/24      0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       82.65.33.0/24        0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       82.157.143.0/24      0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       76.186.2.0/24        0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       61.177.173.0/24      0.0.0.0/0            reject-with icmp-port-unreachable
...
I also set some stuff in /etc/sysctl.conf:
net.ipv4.icmp_echo_ignore_all = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
I also set them to ban the entire network using /24, but I don't remember where I put that. If someone knows what my problem is or you need more information, please tell me.
Raistlin (11 rep)
Aug 19, 2022, 10:13 PM • Last activity: Jan 10, 2025, 09:39 AM
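The five identical `f2b-sshd` jumps in the INPUT chain above, and the duplicated jump and RETURN in the `iptables-persistent` question earlier on this page, are the same symptom: fail2ban creates its chain and inserts the jump itself at start-up, so a persisted rules file that still contains them, or a restart that found the previous chain still in place, ends up with the rules more than once. As an added example, not code from either question or from fail2ban, here are two checks over `iptables-save` output (a constructed excerpt in the earlier question's state): one that strips everything fail2ban owns before the file is persisted, and one that lists rule lines present more than once. The chain-name prefixes `f2b-` and `fail2ban-` are the defaults of fail2ban's current and older iptables actions; a renamed chain would need the pattern adjusted.

```python
"""Added example (not code from either question): sanitise `iptables-save` output
before persisting it, and detect rules that were added more than once."""
import re
from collections import Counter

F2B_CHAIN = re.compile(r"^(?:f2b|fail2ban)-")

# Constructed iptables-save excerpt in the state the iptables-persistent question
# describes: the f2b-sshd jump and the chain's RETURN were persisted, then re-created.
SAVED = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:f2b-sshd - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -m set --match-set blacklist src -j DROP
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A f2b-sshd -j RETURN
-A f2b-sshd -j RETURN
COMMIT
"""


def chain_and_target(rule_line):
    """('INPUT', 'f2b-sshd') for '-A INPUT ... -j f2b-sshd'; target is None without -j."""
    tok = rule_line.split()
    target = tok[tok.index("-j") + 1] if "-j" in tok else None
    return tok[1], target


def is_fail2ban_line(line):
    """Chain declarations of fail2ban chains, rules inside them, and jumps to them."""
    if line.startswith(":"):
        return bool(F2B_CHAIN.match(line[1:]))
    if line.startswith(("-A ", "-I ")):
        chain, target = chain_and_target(line)
        return bool(F2B_CHAIN.match(chain) or (target and F2B_CHAIN.match(target)))
    return False


def strip_fail2ban(saved):
    """Return the save file without anything fail2ban owns. What is left can be
    restored at boot; fail2ban re-creates its chains and jumps when it starts."""
    return "\n".join(l for l in saved.splitlines() if not is_fail2ban_line(l)) + "\n"


def duplicate_rules(saved):
    """Rule lines that occur more than once (exact text). iptables never refuses a
    repeated -A/-I, so this is the only place the repetition shows up."""
    rules = [l for l in saved.splitlines() if l.startswith(("-A ", "-I "))]
    return sorted(r for r, n in Counter(rules).items() if n > 1)


if __name__ == "__main__":
    print("duplicated rules:")
    for r in duplicate_rules(SAVED):
        print("  " + r)
    print("\nsafe to persist:\n" + strip_fail2ban(SAVED))
```

In practice the two functions take the live `iptables-save` output: persist only what `strip_fail2ban()` returns (for iptables-persistent that is `/etc/iptables/rules.v4`) and let fail2ban rebuild its part on start; `duplicate_rules()` on the live ruleset is the quick test for whether the jumps have multiplied again after a reload. A rule you insert by hand stays single if you guard it with `iptables -C` before `iptables -I`.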
2 votes
0 answers
86 views
Fail2ban not banning dropbear
I'm trying to get fail2ban working on a DietPi but no matter what I do it won't ban me. I've found quite a few threads about this but just can not get it working, so apologies for any repetition. Thanks for any help.

fail2ban status (screenshot)

**My jail.local:**
[DEFAULT]
enabled = true
ignoreip = 127.0.0.1/8
ignorecommand =
backend = systemd
mode = normal
filter = %(__name__)s[mode=%(mode)s]
findtime = 600
maxretry = 3
bantime = 600
banaction = iptables-multiport

[dropbear]
enabled = true
filter = dropbear

[sshd]
enabled = true
filter = sshd
**filter.d/dropbear.conf contains:**
prefregex = ^%(__prefix_line)s(?:[Ll]ogin|[Bb]ad|[Ee]xit).+$
failregex = ^[Ll]ogin attempt for nonexistent user ('.*' )?from :\d+$
            ^[Bb]ad (PAM )?password attempt for .+ from (:\d+)?$
            ^[Ee]xit before auth \(user '.+', \d+ fails\): Max auth tries reached - user '.+' from :\d+\s*$
ignoreregex =
**Logs below:** *sudo journalctl -u dropbear -n 10*
...
Nov 01 13:01:44 DietPi dropbear:  Nov 01 13:01:44 Child connection from IPADDRESS:52290
Nov 01 13:01:44 DietPi dropbear:  Nov 01 13:01:44 Failed loading /etc/dropbear/dropbear_dss_host_key
Nov 01 13:01:46 DietPi dropbear:  Nov 01 13:01:46 Bad password attempt for 'NAME' from IPADDRESS:52290
Nov 01 13:01:47 DietPi dropbear:  Nov 01 13:01:47 Bad password attempt for 'NAME' from IPADDRESS:52290
Nov 01 13:01:48 DietPi dropbear:  Nov 01 13:01:48 Bad password attempt for 'NAME' from IPADDRESS:52290
Nov 01 13:01:48 DietPi dropbear:  Nov 01 13:01:48 Exit before auth from : (user 'NAME', 3 fails): Exited normally
...
*sudo fail2ban-client status dropbear*
Status for the jail: dropbear
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- Journal matches:
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:
Argo (21 rep)
Nov 1, 2024, 01:29 PM
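Both this question and the multiline-regex question earlier on this page come down to what fail2ban's filter actually matches. As an added example, not code from either question or from fail2ban, the script below re-implements the relevant part: a multi-line `failregex`/`ignoreregex` value is one pattern per line (continuation lines are indented in the .conf file), each line is tried as an alternative, `<HOST>` is expanded to fail2ban's classic host pattern, and a log line counts as a failure only if some failregex matches and no ignoreregex matches the same line. It then runs the ddos.conf patterns against constructed access-log lines, and the dropbear pattern against the message text of the journal lines shown above (with a documentation address in place of `IPADDRESS`). Two assumptions: the page's extraction shows `^ -` and `from (:\d+)?$` where the filters carry fail2ban's `<HOST>` tag, so the tag is put back here; and the script hands the failregex the journal MESSAGE as-is, without fail2ban's `__prefix_line`/prefregex handling, which approximates what the systemd backend sees after the syslog prefix but is not identical to it.

```python
"""Added example (not code from either question): a minimal re-implementation of
how fail2ban applies a filter's failregex/ignoreregex, enough to test patterns
against sample lines without a running fail2ban."""
import re

# fail2ban's classic expansion of the <HOST> tag
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"


def split_option(value):
    """One regex per non-empty line; fail2ban tries each line as an alternative."""
    return [ln.strip() for ln in value.splitlines() if ln.strip()]


def compile_option(value):
    return [re.compile(p.replace("<HOST>", HOST_RE)) for p in split_option(value)]


def find_failure(line, failregex, ignoreregex):
    """fail2ban's order: a failregex line has to match first; only then is the same
    log line tested against ignoreregex, and any ignoreregex hit discards it."""
    for fr in failregex:
        m = fr.search(line)
        if m is None:
            continue
        if any(ir.search(line) for ir in ignoreregex):
            return None
        return m.group("host")
    return None


def run_filter(lines, failregex_value, ignoreregex_value=""):
    fail, ignore = compile_option(failregex_value), compile_option(ignoreregex_value)
    return [find_failure(l, fail, ignore) for l in lines]


# --- ddos.conf from the multiline-regex question, <HOST> restored (assumption) ---
DDOS_FAILREGEX = r'^<HOST> -.*"(GET|POST).*'
DDOS_IGNOREREGEX = r'''.*(robots.txt|favicon.ico|jpg|png)
                       ^<HOST> -.*"(GET|POST).*(Googlebot|bingbot)'''
ACCESS_LOG = [  # constructed combined-log lines
    '198.51.100.20 - - [15/Apr/2021:10:44:01 +0000] "GET /login HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [15/Apr/2021:10:44:01 +0000] "GET /favicon.ico HTTP/1.1" 200 318 "-" "Mozilla/5.0"',
    '198.51.100.22 - - [15/Apr/2021:10:44:02 +0000] "GET /about HTTP/1.1" 200 2210 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"',
    '198.51.100.21 - - [15/Apr/2021:10:44:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1043 "-" "curl/7.68.0"',
]

# --- dropbear question: the journal MESSAGE starts with dropbear's own timestamp ---
DROPBEAR_FAILREGEX = r"^[Bb]ad (PAM )?password attempt for .+ from <HOST>(:\d+)?$"
DROPBEAR_TOLERANT = r"^(?:\w{3} +\d+ \d\d:\d\d:\d\d )?[Bb]ad (PAM )?password attempt for .+ from <HOST>(:\d+)?$"
JOURNAL_MSGS = [  # constructed from the question's journal lines, IPADDRESS -> 203.0.113.7
    "Nov 01 13:01:46 Bad password attempt for 'NAME' from 203.0.113.7:52290",
    "Nov 01 13:01:47 Bad password attempt for 'NAME' from 203.0.113.7:52290",
]

if __name__ == "__main__":
    print("ddos.conf     :", run_filter(ACCESS_LOG, DDOS_FAILREGEX, DDOS_IGNOREREGEX))
    print("dropbear      :", run_filter(JOURNAL_MSGS, DROPBEAR_FAILREGEX))
    print("dropbear+stamp:", run_filter(JOURNAL_MSGS, DROPBEAR_TOLERANT))
```

For the ddos.conf case the two-line ignoreregex does what the question wants: the favicon request and the Googlebot request are dropped, the `/login` and `/wp-login.php` requests are counted. The dropbear result is the point of this question: the journal lines above carry dropbear's own `Nov 01 13:01:46` stamp inside the message, so a pattern anchored on `^[Bb]ad` cannot match, which is consistent with `Total failed: 0`. `DROPBEAR_TOLERANT` allows an optional leading timestamp and matches both lines; whether to adopt that or to make dropbear log through syslog so the message has no stamp of its own is a deployment choice. The authoritative test, with the real prefix handling, is `fail2ban-regex systemd-journal /etc/fail2ban/filter.d/dropbear.conf` (and `fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/ddos.conf` for the other question).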
0 votes
1 answers
180 views
Why isn't UDP port 443 accepting connections when iptables rules are set?
# Why isn't UDP port 443 accepting connections when iptables rules are set?

## Environment

- Operating System: Linux 6.8.0-47-generic #47-Ubuntu, aarch64
- Cloud VM: Yes (Hetzner)

## Current Setup

I'm trying to set up UDP communication on port 443, but I'm encountering issues despite having configured the firewall rules.

### Steps Taken

1. **Added firewall rules:**
sudo iptables -A INPUT -p udp --dport 443 -j ACCEPT
   sudo netfilter-persistent save
2. **Current iptables rules:**
# IPv4 rules
   iptables -L -v -n | grep 443
   35318 4093K f2b-nginx-limit-req  6    --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
   210K   25M f2b-nginx-php-accessrules  6    --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
   209K   25M f2b-wordpress  6    --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
   209K   25M f2b-nginx-bad-request  6    --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
   302 88281 ACCEPT     17   --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:443

   # IPv6 rules
   ip6tables -L -v -n | grep 443
   61618 9650K f2b-wordpress  6    --  *      *       ::/0                 ::/0                 multiport dports 80,443
   61600 9649K f2b-nginx-bad-request  6    --  *      *       ::/0                 ::/0                 multiport dports 80,443
   61600 9649K f2b-nginx-php-accessrules  6    --  *      *       ::/0                 ::/0                 multiport dports 80,443
   1467  316K ACCEPT     17   --  *      *       ::/0                 ::/0                 udp dpt:443
3. **Port scan results:**
sudo nmap -sU -p 443 
   Starting Nmap 7.94SVN ( https://nmap.org  ) at 2024-10-26 20:14 CEST
   Nmap scan report for 
   Host is up (0.0027s latency).
   
   PORT      STATE          SERVICE
   443/udp   open|filtered  https
   
   Nmap done: 1 IP address (1 host up) scanned in 0.49 seconds
4. **Attempted netcat test:**
   - Server side:
     sudo nc -lu 443
   - Client side:
     echo 'test' | nc -u  443
## Issue
No traffic is getting through to the listening netcat process despite the port showing as "open|filtered" in the nmap scan.
## Questions
1. Why might the port show as "open|filtered" rather than definitively "open"?
2. What additional configurations might I need to get UDP traffic flowing through port 443?
3. Are there any diagnostic steps I should take to identify where the traffic is being blocked?
## What I've Already Checked
- Firewall rules are in place and saved for both IPv4 and IPv6
- Port is not blocked according to nmap
- Basic connectivity exists between client and server
- Hetzner cloud firewall is configured to allow port 443 UDP
- fail2ban has multiple rules for ports 80,443 but these appear to be for TCP (nginx-related)
## Additional Information
If anyone needs more details about my setup or additional debugging information, please let me know.
ekadagami (3 rep)
Oct 28, 2024, 11:04 AM • Last activity: Oct 28, 2024, 08:14 PM
5 votes
3 answers
2345 views
How can I hide failed ssh attempts for users that don't exist?
## The Question
How can I exclude inconsequential¹ failed SSH logins?
## Background
For ambient awareness, I like to have little background windows showing system error logs on every GNU/Linux box I admin. I used to do this with xconsole, but now use xterm running journalctl -f. Unfortunately, on the machines where ssh is a needed service, the journalctl log is a constant stream of clutter from crackers trying to ssh in with lists of common names/passwords.² I see failures scrolling in every second for accounts that don't even exist. This makes it hard to see anything else in my console log.
## Solutions?
I don't know systemd half as well as I ought, so it's possible there's a slick, simple answer, but I haven't found one yet.³ Any solution is welcome. I suspect it's going to entail messing around with pam, journalctl, and/or grep -v. I'm looking for a solution which still shows me attempts against existing accounts. However, if that is too difficult, I'll accept an answer which hides all failed login attempts.
## Journalctl examples
Do not show the following:
Dec 12 17:19:21 gaia sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=139.59.90.40  user=root
Dec 12 17:19:21 gaia sshd: Invalid user git from 14.29.201.30
Dec 12 17:19:21 gaia sshd: input_userauth_request: invalid user git [preauth]
Dec 12 17:19:21 gaia sshd: pam_unix(sshd:auth): check pass; user unknown
Dec 12 17:19:21 gaia sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=14.29.201.30
Dec 12 17:19:22 gaia sshd: Invalid user molisoft from 5.135.152.97
Dec 12 17:19:22 gaia sshd: input_userauth_request: invalid user molisoft [preauth]
Dec 12 17:19:22 gaia sshd: pam_unix(sshd:auth): check pass; user unknown
Dec 12 17:19:22 gaia sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=5.135.152.97
Dec 12 17:19:23 gaia sshd: Failed password for root from 139.59.90.40 port 37752 ssh2
Dec 12 17:19:23 gaia sshd: Received disconnect from 139.59.90.40: 11: Bye Bye [preauth]
Dec 12 17:19:23 gaia sshd: Failed password for invalid user git from 14.29.201.30 port 41178 ssh2
Dec 12 17:19:23 gaia sshd: Received disconnect from 14.29.201.30: 11: Bye Bye [preauth]
Dec 12 17:19:24 gaia sshd: Failed password for invalid user molisoft from 5.135.152.97 port 50730 ssh2
Dec 12 17:19:24 gaia sshd: Received disconnect from 5.135.152.97: 11: Bye Bye [preauth]
But do show valid logins:
Dec 10 08:56:16 gaia sshd: Accepted publickey for sophia from 24.22.130.192 port 41610 ssh2: RSA 6b:5f:aa:9c:d8:33:65:2c:c4:0c:88:12:ec:9b:ff:51
Dec 10 08:56:16 gaia sshd: pam_unix(sshd:session): session opened for user sophia by (uid=0)
Dec 10 21:06:37 gaia sshd: pam_unix(sshd:session): session closed for user sophia
Also show failed attempts on valid accounts (other than root):
Dec 12 00:46:28 gaia sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.9.134  user=sophia
Dec 12 00:46:30 gaia sshd: Failed password for sophia from 192.168.9.134 port 55888 ssh2
Dec 12 00:46:33 gaia sshd: Connection closed by authenticating user sophia 192.168.9.134 port 55888 [preauth]
And, of course, any service which is _not_ sshd should be shown.
Dec 10 08:56:16 gaia systemd: Started User Manager for UID 3237.
____
¹ Defined as "username does not exist" or "username is root". Root ssh is disabled on my boxen.
² I do use fail2ban. It helps, but the attempts are coming from too many IP addresses.
³ E.g., journalctl allows one to grep, but not grep -v to exclude certain criteria.
hackerb9 (1649 rep)
Dec 10, 2019, 04:04 AM • Last activity: Sep 27, 2024, 03:35 PM
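As an added illustration (not part of the question or any answer to it), a Python filter over the journal lines quoted above: it suppresses attempts for non-existent users and for root, and, because the "Received disconnect" lines carry only an address, it remembers the addresses of those attempts so their disconnect lines are dropped too. The pattern set and the stateful address set are my construction; when run as a script it reads the journal on stdin, e.g. from `journalctl -f`.

```python
import re
import sys

# Journal lines quoted in the question above (15 noise lines, then 7 lines that must stay).
SAMPLE_JOURNAL = """\
Dec 12 17:19:21 gaia sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=139.59.90.40  user=root
Dec 12 17:19:21 gaia sshd: Invalid user git from 14.29.201.30
Dec 12 17:19:21 gaia sshd: input_userauth_request: invalid user git [preauth]
Dec 12 17:19:21 gaia sshd: pam_unix(sshd:auth): check pass; user unknown
Dec 12 17:19:21 gaia sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=14.29.201.30
Dec 12 17:19:22 gaia sshd: Invalid user molisoft from 5.135.152.97
Dec 12 17:19:22 gaia sshd: input_userauth_request: invalid user molisoft [preauth]
Dec 12 17:19:22 gaia sshd: pam_unix(sshd:auth): check pass; user unknown
Dec 12 17:19:22 gaia sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=5.135.152.97
Dec 12 17:19:23 gaia sshd: Failed password for root from 139.59.90.40 port 37752 ssh2
Dec 12 17:19:23 gaia sshd: Received disconnect from 139.59.90.40: 11: Bye Bye [preauth]
Dec 12 17:19:23 gaia sshd: Failed password for invalid user git from 14.29.201.30 port 41178 ssh2
Dec 12 17:19:23 gaia sshd: Received disconnect from 14.29.201.30: 11: Bye Bye [preauth]
Dec 12 17:19:24 gaia sshd: Failed password for invalid user molisoft from 5.135.152.97 port 50730 ssh2
Dec 12 17:19:24 gaia sshd: Received disconnect from 5.135.152.97: 11: Bye Bye [preauth]
Dec 10 08:56:16 gaia sshd: Accepted publickey for sophia from 24.22.130.192 port 41610 ssh2: RSA 6b:5f:aa:9c:d8:33:65:2c:c4:0c:88:12:ec:9b:ff:51
Dec 10 08:56:16 gaia sshd: pam_unix(sshd:session): session opened for user sophia by (uid=0)
Dec 10 21:06:37 gaia sshd: pam_unix(sshd:session): session closed for user sophia
Dec 12 00:46:28 gaia sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.9.134  user=sophia
Dec 12 00:46:30 gaia sshd: Failed password for sophia from 192.168.9.134 port 55888 ssh2
Dec 12 00:46:33 gaia sshd: Connection closed by authenticating user sophia 192.168.9.134 port 55888 [preauth]
Dec 10 08:56:16 gaia systemd: Started User Manager for UID 3237.
""".splitlines()

# Per the question: root logins are disabled, so attempts against root are inconsequential.
NOISE_USER = "root"

# Patterns for the sshd messages quoted in the question (names are mine).
INVALID_USER_RE = re.compile(r"sshd(?:\[\d+\])?: Invalid user \S+ from (?P<ip>[^\s:]+)")
PREAUTH_INVALID_RE = re.compile(r"input_userauth_request: invalid user")
USER_UNKNOWN_RE = re.compile(r"pam_unix\(sshd:auth\): check pass; user unknown")
PAM_FAIL_RE = re.compile(
    r"pam_unix\(sshd:auth\): authentication failure;.*\brhost=(?P<ip>[^\s:]+)"
    r"(?:\s+user=(?P<user>\S+))?\s*$")
FAILED_PW_RE = re.compile(
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>[^\s:]+)")
DISCONNECT_RE = re.compile(r"Received disconnect from (?P<ip>[^\s:]+)")


def is_noise(line, noisy_ips):
    """True if the line is an inconsequential sshd failure (unknown user or root).

    noisy_ips is updated with the source address of each such attempt so that the
    address-only 'Received disconnect' line that follows can be dropped as well.
    Failures against real, non-root accounts are kept.
    """
    if "sshd" not in line:
        return False  # other services are never filtered
    m = INVALID_USER_RE.search(line)
    if m:
        noisy_ips.add(m["ip"])
        return True
    if PREAUTH_INVALID_RE.search(line) or USER_UNKNOWN_RE.search(line):
        return True
    m = PAM_FAIL_RE.search(line)
    if m:  # pam omits 'user=' entirely when the account does not exist
        if m["user"] in (None, NOISE_USER):
            noisy_ips.add(m["ip"])
            return True
        return False
    m = FAILED_PW_RE.search(line)
    if m:
        if m["invalid"] or m["user"] == NOISE_USER:
            noisy_ips.add(m["ip"])
            return True
        return False
    m = DISCONNECT_RE.search(line)
    return bool(m and m["ip"] in noisy_ips)


def filter_journal(lines):
    """Return the lines worth showing, in order (stateful over the whole stream)."""
    noisy_ips = set()
    return [line for line in lines if not is_noise(line, noisy_ips)]


if __name__ == "__main__":
    # Usage: journalctl -f | python3 this_script.py
    seen = set()
    for raw in sys.stdin:
        if not is_noise(raw.rstrip("\n"), seen):
            sys.stdout.write(raw)
            sys.stdout.flush()
```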
0 votes
1 answers
1389 views
How to configure fail2ban file?
I installed fail2ban, but when I enter fail2ban-client status in the Linux terminal, I get the following warnings:
fail2ban.configreader : ERROR Found no accessible config files for 'filter.d/murmur' under /etc/fail2ban
fail2ban.configreader : ERROR  No section: 'Definition'
fail2ban.configreader : ERROR  No section: 'Definition'
fail2ban.configreader : ERROR  No section: 'Definition'
fail2ban.configreader : ERROR  No section: 'Definition'
fail2ban.configreader : ERROR  No section: 'Definition'
fail2ban              :ERROR Failed to access socket path: /var/run/fail2ban/fail2ban.sock. Is fail2ban running?
By the way, I know there is a problem with the configuration, but I do not know how to configure it.
esmaeil (1 rep)
Sep 9, 2020, 05:20 PM • Last activity: Aug 12, 2024, 04:44 AM
0 votes
1 answers
122 views
Bot crawling getting 301/redirects instead of 404 so it's hiding from fail2ban. How is it getting 301 instead of 404?
I have fail2ban set up and it's working great for most scanning. It triggers off any 4xx in the nginx error log. However, note the following bot scan. Somehow THIS bot is triggering my server to return 301 instead of 404, like all the others. How could it be doing this? Since it's a 301 and not a 4xx, it walked right past my fail2ban and never got banned. I'd like to detect and prevent this. Any suggestion on how this was done and how to prevent it?
178.20.44.82 - - [30/May/2024:21:28:48 +0000] "GET / HTTP/1.1" 301 178 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0"
178.20.44.82 - - [30/May/2024:21:28:49 +0000] "GET / HTTP/1.1" 301 178 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:105.0) Gecko/20100101 Firefox/105.0"
178.20.44.82 - - [30/May/2024:21:28:49 +0000] "GET /.DS_Store HTTP/1.1" 301 178 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.0 Safari/605.1.15"
178.20.44.82 - - [30/May/2024:21:28:49 +0000] "GET /.env HTTP/1.1" 301 178 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36"
178.20.44.82 - - [30/May/2024:21:28:49 +0000] "POST /.env HTTP/1.1" 301 178 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:106.0) Gecko/20100101 Firefox/106.0"
178.20.44.82 - - [30/May/2024:21:28:50 +0000] "GET /.env.prod HTTP/1.1" 301 178 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"
178.20.44.82 - - [30/May/2024:21:28:50 +0000] "POST /.env.prod HTTP/1.1" 301 178 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0"
178.20.44.82 - - [30/May/2024:21:28:50 +0000] "GET /.env.production HTTP/1.1" 301 178 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"
178.20.44.82 - - [30/May/2024:21:28:51 +0000] "POST /.env.production HTTP/1.1" 301 178 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"
178.20.44.82 - - [30/May/2024:21:28:51 +0000] "GET /redmine/.env HTTP/1.1" 301 178 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"
178.20.44.82 - - [30/May/2024:21:28:51 +0000] "POST /redmine/.env HTTP/1.1" 301 178 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"
178.20.44.82 - - [30/May/2024:21:28:52 +0000] "GET /__tests__/test-become/.env HTTP/1.1" 301 178 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"
178.20.44.82 - - [30/May/2024:21:28:52 +0000] "POST /__tests__/test-become/.env HTTP/1.1" 301 178 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36"
178.20.44.82 - - [30/May/2024:21:28:52 +0000] "GET / HTTP/1.1" 301 178 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106.0"
178.20.44.82 - - [30/May/2024:21:28:52 +0000] "POST / HTTP/1.1" 301 178 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"
178.20.44.82 - - [30/May/2024:21:28:53 +0000] "GET /debug/default/view?panel=config HTTP/1.1" 301 178 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"
178.20.44.82 - - [30/May/2024:21:28:53 +0000] "GET /debug/default/view.html HTTP/1.1" 301 178 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"
178.20.44.82 - - [30/May/2024:21:28:53 +0000] "GET /debug/default/view HTTP/1.1" 301 178 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:105.0) Gecko/20100101 Firefox/105.0"
178.20.44.82 - - [30/May/2024:21:28:54 +0000] "GET /frontend/web/debug/default/view HTTP/1.1" 301 178 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"
178.20.44.82 - - [30/May/2024:21:28:54 +0000] "GET /web/debug/default/view HTTP/1.1" 301 178 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36"
178.20.44.82 - - [30/May/2024:21:28:54 +0000] "GET /sapi/debug/default/view HTTP/1.1" 301 178 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36"
178.20.44.82 - - [30/May/2024:21:28:54 +0000] "GET /_profiler/phpinfo HTTP/1.1" 301 178 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"
178.20.44.82 - - [30/May/2024:21:28:55 +0000] "GET /app_dev.php/_profiler/phpinfo HTTP/1.1" 301 178 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"
178.20.44.82 - - [30/May/2024:21:28:55 +0000] "GET /phpinfo.php HTTP/1.1" 301 178 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"
178.20.44.82 - - [30/May/2024:21:28:55 +0000] "GET /owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php HTTP/1.1" 301 178 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"
178.20.44.82 - - [30/May/2024:21:28:56 +0000] "GET /info.php HTTP/1.1" 301 178 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:105.0) Gecko/20100101 Firefox/105.0"
178.20.44.82 - - [30/May/2024:21:28:56 +0000] "GET / HTTP/1.1" 301 178 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"
My only 301 redirects are the ones certbot set up:
server {
    if ($host = www.mydomainname.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    if ($host = mydomainname.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
Chris (103 rep)
Jun 1, 2024, 03:55 PM • Last activity: Jun 3, 2024, 09:16 AM
4 votes
1 answers
2663 views
Fail2Ban fails to start on CentOS 7
I'm running CentOS 7, all fully updated, and am trying to get Fail2Ban to work, but I'm running into problems. Specifically, I'm trying to block brute force SSH attacks. I'm pretty sure I've set up everything right – enabled the sshd jail in jail.local, using firewallcmd-ipset as the ban action, definitely using Firewalld, not using SELinux. But when I start Fail2Ban, here's what's in /var/log/fail2ban.log:
2017-06-21 06:11:44,186 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.9.6
2017-06-21 06:11:44,186 fail2ban.database : INFO Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2017-06-21 06:11:44,188 fail2ban.jail : INFO Creating new jail 'sshd'
2017-06-21 06:11:44,206 fail2ban.jail : INFO Jail 'sshd' uses systemd {}
2017-06-21 06:11:44,230 fail2ban.jail : INFO Initiated 'systemd' backend
2017-06-21 06:11:44,232 fail2ban.filter : INFO Set maxRetry = 3
2017-06-21 06:11:44,232 fail2ban.filter : INFO Set jail log file encoding to UTF-8
2017-06-21 06:11:44,233 fail2ban.actions : INFO Set banTime = 86400
2017-06-21 06:11:44,233 fail2ban.filter : INFO Set findtime = 3600
2017-06-21 06:11:44,234 fail2ban.filter : INFO Set maxlines = 10
2017-06-21 06:11:44,320 fail2ban.filtersystemd : INFO Added journal match for: '_SYSTEMD_UNIT=sshd.service + _COMM=sshd'
2017-06-21 06:11:44,335 fail2ban.jail : INFO Jail 'sshd' started
2017-06-21 06:11:44,864 fail2ban.action : ERROR ipset create fail2ban-sshd hash:ip timeout 86400 firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p all -m multiport --dports 44 -m set --match-set fail2ban-sshd src -j REJECT --reject-with icmp-port-unreachable -- stdout: ''
2017-06-21 06:11:44,865 fail2ban.action : ERROR ipset create fail2ban-sshd hash:ip timeout 86400 firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p all -m multiport --dports 44 -m set --match-set fail2ban-sshd src -j REJECT --reject-with icmp-port-unreachable -- stderr: '\x1b[91mError: COMMAND_FAILED\x1b[00m\n'
2017-06-21 06:11:44,865 fail2ban.action : ERROR ipset create fail2ban-sshd hash:ip timeout 86400 firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p all -m multiport --dports 44 -m set --match-set fail2ban-sshd src -j REJECT --reject-with icmp-port-unreachable -- returned 13
2017-06-21 06:11:44,865 fail2ban.actions : ERROR Failed to start jail 'sshd' action 'firewallcmd-ipset': Error starting action
As you'll note, everything runs smoothly until firewall-cmd is tried. The commands it's trying to run are:
ipset create fail2ban-sshd hash:ip timeout 86400
followed by
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p all -m multiport --dports 44 -m set --match-set fail2ban-sshd src -j REJECT --reject-with icmp-port-unreachable
If I try to run those myself, the ipset command works fine, but the firewall-cmd one returns with Error: COMMAND_FAILED. So, I'm guessing it's a problem with the command that Fail2Ban is trying to send to firewall-cmd – but I don't know enough about Firewalld to fix it. (Oh, SSH is on port 44 because I've found that it massively reduces drive-by attacks, so let's not get into the pros and cons of that! Also, systemctl status fail2ban shows everything to be running smoothly, no problems reported there. I only noticed this when I logged in and saw that there'd been a bunch of failed login attempts, which is rare what with the port change and all. Finally, uname -r returns 3.10.0-229.14.1.el7.centos.plus.x86_64 so I'm fairly sure it's not the OpenVZ problem which I've seen as a cause of this elsewhere.)
JoLoCo (141 rep)
Jun 21, 2017, 04:54 AM • Last activity: May 28, 2024, 10:03 AM
0 votes
1 answers
167 views
Trying to understand why kernel attempts to authenticate a banned IP (Debian 10 VPS)
I have a Debian 10 server running on a VPS. The only software I installed are: tinyproxy (http proxy) and fail2ban.
I have included:
- the results of port scan using nmap
- my specific settings in the fail2ban jail.local file.
- my specific settings in the fail2ban fail2ban.local file.
- a sample of entries from auth log.
- a sample of entries from fail2ban log.
- my results from sample scan of IpTables.
Problem Summary:
- auth.log shows attempted entry by 192.241.141.43, almost every minute, all day long
- fail2ban.log shows 192.241.141.43 is banned
- Iptables shows 192.241.141.43 is banned
I thought that, based upon the IP being blocked, the malicious user would NOT be able to attempt a login. Yet it seems that the kernel is indeed (pam_unix(sshd:auth)) allowing attempted logins.
MY 2 QUESTIONS, Please:
1. Why does the kernel allow malicious users to even attempt login if they are banned?
2. Why does the Iptables entry say "icmp" and not "tcp"? Yes I understand that a "ping" is an icmp packet, but I want to block tcp login attempts.
Many thanks!
### Results from nmap scan
# Nmap 7.80 scan initiated Sat Jan 27 15:25:04 2024 as: nmap -sS -oG out.txt 107.174.156.124
Host: 107.174.156.124 (107-174-156-124-host.colocrossing.com)	Status: Up
Host: 107.174.156.124 (107-174-156-124-host.colocrossing.com)	Ports: 139/filtered/tcp//netbios-ssn///, 445/filtered/tcp//microsoft-ds///, 8888/open/tcp//sun-answerbook///	Ignored State: closed (997)
# Nmap done at Sat Jan 27 15:25:06 2024 -- 1 IP address (1 host up) scanned in 2.20 seconds
---
### Here are my entries in jail.local
Please note that I have moved the SSHD port to the 63xxx range. I have obscured the last 3 digits with xxx.
#
# JAILS
#

#
# SSH servers
#

[sshd]

# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
#mode   = normal
enabled = true
mode = aggressive
port = 63xxx
filter = sshd
logpath = /var/log/auth.log
bantime = 2000000
findtime = 7200
maxretry = 2
backend = %(sshd_backend)s
action = iptables-multiport[name=sshd, port="ssh", protocol=tcp]
### fail2ban.local
# Options: dbpurgeage
# Notes.: Sets age at which bans should be purged from the database
# Values: [ SECONDS ] Default: 86400 (24hours)
dbpurgeage = 2100000
### Sample Auth log
As an example, there are several attempts by 192.241.141.43. And this is repeated almost every minute!
Jan 27 15:54:55 racknerd-64d010 sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.241.141.43  user=root
Jan 27 15:54:57 racknerd-64d010 sshd: Failed password for root from 192.241.141.43 port 54798 ssh2
Jan 27 15:54:57 racknerd-64d010 sshd: Received disconnect from 192.241.141.43 port 54798:11: Bye Bye [preauth]
Jan 27 15:54:57 racknerd-64d010 sshd: Disconnected from authenticating user root 192.241.141.43 port 54798 [preauth]
### Sample of fail2ban
As an example, fail2ban says 192.241.141.43 is banned:
2024-01-27 15:55:50,928 fail2ban.actions        : WARNING [sshd] 82.102.12.130 already banned
2024-01-27 15:55:50,929 fail2ban.actions        : WARNING [sshd] 192.241.141.43 already banned
2024-01-27 15:55:50,929 fail2ban.actions        : WARNING [sshd] 159.75.161.40 already banned
### Results from Iptables scan
IP 192.241.141.43 is banned:
    0     0 REJECT     all  --  *      *       61.231.64.170        0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       192.241.141.43       0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       104.250.34.177       0.0.0.0/0            reject-with icmp-port-unreachable
### Additional Info 1+2, Complete Rule Set
Here is a link to the complete ruleset file.
- iptables_o2.txt
- auth_2024-01-27m_sample.txt
===
Additional Info Summary
I am including a summary here that incorporates the critical input from Chris Davies. I am doing this so that folks who are reading this in the future will know, clearly, what to add in the SSHD Jail section of their jail.local file. I am also including the single changed line of text from the fail2ban.local file - again, thanks Chris.
===
Here is jail.local
#
# JAILS
#

#
# SSH servers
#

[sshd]

# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
#mode   = normal
enabled = true
mode = aggressive
port = 22
filter = sshd
logpath = /var/log/auth.log
bantime = 2000000
findtime = 7200
maxretry = 2
backend = %(sshd_backend)s
banaction_allports = iptables-allports
action_ap = %(banaction_allports)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
action = %(action_ap)s
=== Here is fail2ban.local
# Options: dbpurgeage
# Notes.: Sets age at which bans should be purged from the database
# Values: [ SECONDS ] Default: 86400 (24hours)
dbpurgeage = 2100000
xstack (105 rep)
Jan 28, 2024, 03:45 PM • Last activity: Feb 2, 2024, 06:18 PM
20 votes
4 answers
43827 views
How to configure fail2ban with systemd journal?
I've installed fail2ban on a Debian Jessie LXC container; currently it's failing due to:
Starting authentication failure monitor: fail2ban
ERROR No file(s) found for glob /var/log/auth.log
ERROR Failed during configuration: Have not found any log file for ssh jail
There's no syslog or rsyslog on the system and thus /var/log/auth.log is not generated. Is there a way to tell fail2ban to use the output of journalctl _COMM=sshd?
Tombart (3179 rep)
Mar 8, 2016, 10:40 AM • Last activity: Dec 26, 2023, 01:00 PM
4 votes
1 answers
2271 views
mosquitto bruteforce fail2ban failregex
I am trying to write a fail2ban filter to block bruteforcing IP addresses which are trying to subscribe to a username/password protected mosquitto service by guessing username/password combinations. On an attempt to subscribe with incorrect details, mosquitto writes two lines to the log like:
1544984465: New connection from 123.123.123.123 on port 1883.
1544984465: Socket error on client <unknown>, disconnecting.
I managed to write a regex matching this two-line pattern by using https://regex101.com/ set to "python flavor". The regex looks like this:
\s(?P<date>\d+)\: New connection from (?P<host>[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}) .+\n(?P=date): Socket error on client \<unknown\>, disconnecting.
Unfortunately, fail2ban is unable to find matches in the log by using this regex:
# fail2ban-regex '/var/log/testlog.log' '\s(?P<date>\d+)\: New connection from (?P<host>[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}) .+\n(?P=date): Socket error on client \<unknown\>, disconnecting.'

Running tests
=============

Use   failregex line : \s(?P<date>\d+)\: New connection from (?P<host>[0-...
Use         log file : /var/log/testlog.log
Use         encoding : UTF-8

Results
=======

Failregex: 0 total
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
|  Epoch
`-
Lines: 13 lines, 0 ignored, 0 matched, 13 missed
[processed in 0.00 sec]
|- Missed line(s):
|  1544984465: New connection from 123.123.123.123 on port 1883.
|  1544984465: Socket error on client <unknown>, disconnecting.
|  1544984466: New connection from 123.123.123.123 on port 1883.
|  1544984466: Socket error on client <unknown>, disconnecting.
|  1544984468: New connection from 123.123.123.123 on port 1883.
|  1544984468: Socket error on client <unknown>, disconnecting.
|  1544984469: New connection from 123.123.123.123 on port 1883.
|  1544984469: Socket error on client <unknown>, disconnecting.
|  1544984470: New connection from 123.123.123.123 on port 1883.
|  1544984470: Socket error on client <unknown>, disconnecting.
|  1544984471: New connection from 123.123.123.123 on port 1883.
|  1544984471: Socket error on client <unknown>, disconnecting.
|  1544984473: New connection from 123.123.123.123 on port 1883.
`-
Fail2ban version is 0.9.6-1.el6.1. Running on a CentOS 6 server.
Nerijus (66 rep)
Dec 16, 2018, 07:42 PM • Last activity: Nov 20, 2023, 11:07 PM
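An added illustration of why the two-line regex above scores 0 hits (my code, not from the question or an answer): a filter that tests each log line on its own can never satisfy a `\n` in the pattern, whereas joining a short window of consecutive lines lets the `(?P=date)` backreference pair a connection with its socket error. The sliding window here is a stand-in to show the idea, not fail2ban's own buffering; the regex is the question's pattern with its named groups restored and anchored with `^` instead of the leading `\s`, and the sample log is constructed in the format quoted in the question.

```python
import re

# Constructed log in the mosquitto format quoted in the question. The last pair has
# mismatched timestamps, so the backreference must reject it.
SAMPLE_LOG = """\
1544984465: New connection from 123.123.123.123 on port 1883.
1544984465: Socket error on client <unknown>, disconnecting.
1544984466: New connection from 123.123.123.123 on port 1883.
1544984466: Socket error on client <unknown>, disconnecting.
1544984468: New connection from 123.123.123.123 on port 1883.
1544984468: Socket error on client <unknown>, disconnecting.
1544984470: New connection from 10.0.0.5 on port 1883.
1544984471: Socket error on client <unknown>, disconnecting.
""".splitlines()

# Two-line pattern: 'New connection' line, newline, 'Socket error' line with the same
# timestamp (the (?P=date) backreference is what ties the pair together).
TWO_LINE_RE = re.compile(
    r"^(?P<date>\d+): New connection from (?P<host>\d{1,3}(?:\.\d{1,3}){3}) .+\n"
    r"(?P=date): Socket error on client <unknown>, disconnecting\."
)


def match_per_line(regex, lines):
    """Mimic a filter that feeds one log line at a time to the regex.

    A single line contains no newline, so a pattern with '\\n' in it never
    matches; this is the behaviour seen in the question ('0 matched').
    """
    return [m.group("host") for m in map(regex.search, lines) if m]


def match_windowed(regex, lines, maxlines=2):
    """Illustrative sliding window (not fail2ban's implementation).

    Join the last `maxlines` lines with '\\n' and try the regex on the joined
    chunk, so a multi-line pattern can see both halves of the pair.
    """
    hosts = []
    for i in range(len(lines)):
        window = "\n".join(lines[max(0, i - maxlines + 1):i + 1])
        m = regex.search(window)
        if m:
            hosts.append(m.group("host"))
    return hosts


def hosts_over_threshold(hosts, maxretry):
    """Addresses seen at least `maxretry` times (the role a jail's maxretry plays)."""
    counts = {}
    for host in hosts:
        counts[host] = counts.get(host, 0) + 1
    return [host for host, n in counts.items() if n >= maxretry]


if __name__ == "__main__":
    print("per line :", match_per_line(TWO_LINE_RE, SAMPLE_LOG))
    paired = match_windowed(TWO_LINE_RE, SAMPLE_LOG)
    print("windowed :", paired)
    print("maxretry=3:", hosts_over_threshold(paired, 3))
```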
2 votes
1 answers
325 views
Fail2ban does not start actionban even though the filter works
I'm trying to filter out malicious requests to our website on our AWS Instances through adding and removing IPs in the WAF IP sets. I'm trying to set up fail2ban to help with this. These are the files:
### jail.local
[my-jail]
enabled = true
filter = my-filter
action = my-action
  sendmail-whois[name=Fail2Ban Test, dest=my-name@my-org.de, sender=EC2-Fail2Ban@my-org.de, sendername="Fail2Ban"]
logpath = /var/log/apache2/frontend-app-my-org-com-access.log
maxretry = 4
findtime = 60
bantime = 300
journalmatch = _SYSTEMD_UNIT=httpd.service
### my-action.conf
[Definition]

actionstart = touch /var/log/fail2ban_debug.log
actionstop = rm -f /var/log/fail2ban_debug.log

actionban = /opt/scripts/ban.sh Ban <ip>
actionunban = /opt/scripts/ban.sh Unban <ip>
---
Note: the /opt/scripts/ban.sh is executable and when tested manually via /opt/scripts/ban.sh Ban 10.10.10.10 I get the expected result. All files are owned and managed by the root user. The fail2ban service is also started via the root user.
### my-filter.conf
[Definition]
failregex = ^<HOST> - - \[.*\] \".*.my-org.*\" \".*\" [4-5][0-9][0-9]
### Regex check When I manually check the filter against my logs - it works:
[root@ip-172-31-89-74 action.d]# fail2ban-regex /var/log/apache2/frontend-app-my-org-com-access.log /etc/fail2ban/filter.d/my-filter.conf | grep matched
Lines: 2325 lines, 0 ignored, 2325 matched, 0 missed
### logs
2023-10-16 15:03:08,737 fail2ban.server         : INFO    --------------------------------------------------
2023-10-16 15:03:08,737 fail2ban.server         : INFO    Starting Fail2ban v0.11.2
2023-10-16 15:03:08,737 fail2ban.server         : DEBUG   Creating PID file /var/run/fail2ban/fail2ban.pid
2023-10-16 15:03:08,738 fail2ban.observer       : INFO    Observer start...
2023-10-16 15:03:08,738 fail2ban.server         : DEBUG   Starting communication
2023-10-16 15:03:08,742 fail2ban.database       : INFO    Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2023-10-16 15:03:08,742 fail2ban.jail           : INFO    Creating new jail 'my-jail'
2023-10-16 15:03:08,748 fail2ban.jail           : INFO    Jail 'my-jail' uses systemd {}
2023-10-16 15:03:08,748 fail2ban.filter         : DEBUG   Setting usedns = warn for FilterSystemd(Jail('my-jail'))
2023-10-16 15:03:08,748 fail2ban.filter         : DEBUG   Created FilterSystemd(Jail('my-jail'))
2023-10-16 15:03:08,749 fail2ban.filtersystemd  : DEBUG   Created FilterSystemd
2023-10-16 15:03:08,749 fail2ban.jail           : INFO    Initiated 'systemd' backend
2023-10-16 15:03:08,749 fail2ban.filter         : DEBUG   Setting usedns = warn for FilterSystemd(Jail('my-jail'))
2023-10-16 15:03:08,749 fail2ban.server         : DEBUG     failregex: '^<HOST> - - \\[.*\\] \\".*.my-org.*\\" \\".*\\" [4-5][0-9][0-9]'
2023-10-16 15:03:08,750 fail2ban.filtersystemd  : INFO    [my-jail] Added journal match for: '_SYSTEMD_UNIT=httpd.service'
2023-10-16 15:03:08,750 fail2ban.filter         : INFO      maxRetry: 4
2023-10-16 15:03:08,750 fail2ban.filter         : INFO      encoding: UTF-8
2023-10-16 15:03:08,750 fail2ban.filter         : INFO      findtime: 60
2023-10-16 15:03:08,750 fail2ban.actions        : INFO      banTime: 300
2023-10-16 15:03:08,750 fail2ban.CommandAction  : DEBUG   Created 
2023-10-16 15:03:08,750 fail2ban.CommandAction  : DEBUG     Set actionunban = '/opt/scripts/ban.sh Unban <ip>'
2023-10-16 15:03:08,750 fail2ban.CommandAction  : DEBUG     Set actionstop = 'rm -f /var/log/fail2ban_debug.log'
2023-10-16 15:03:08,750 fail2ban.CommandAction  : DEBUG     Set actionban = '/opt/scripts/ban.sh Ban <ip>'
2023-10-16 15:03:08,750 fail2ban.CommandAction  : DEBUG     Set actionstart = 'touch /var/log/fail2ban_debug.log'
2023-10-16 15:03:08,751 fail2ban.CommandAction  : DEBUG     Set actname = 'my-action'
2023-10-16 15:03:08,751 fail2ban.CommandAction  : DEBUG     Set name = 'my-jail'
2023-10-16 15:03:08,751 fail2ban.jail           : DEBUG   Starting jail 'my-jail'
2023-10-16 15:03:08,753 fail2ban.jail           : INFO    Jail 'my-jail' started
2023-10-16 15:03:08,754 fail2ban.transmitter    : DEBUG   Status: ready
2023-10-16 15:03:08,756 fail2ban.utils          : DEBUG   7f36b00f7490 -- returned successfully 0
[root@ip-172-31-89-74 action.d]# systemctl status fail2ban
● fail2ban.service - Fail2Ban Service
   Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2023-10-16 15:03:08 CEST; 35min ago
     Docs: man:fail2ban(1)
  Process: 8983 ExecStop=/usr/bin/fail2ban-client stop (code=exited, status=0/SUCCESS)
  Process: 9160 ExecStartPre=/bin/mkdir -p /run/fail2ban (code=exited, status=0/SUCCESS)
 Main PID: 9162 (fail2ban-server)
   CGroup: /system.slice/fail2ban.service
           └─9162 /usr/bin/python2 -s /usr/bin/fail2ban-server -xf start

Oct 16 15:03:08 ip-172-31-89-74.eu-central-1.compute.internal systemd: Starting Fail2Ban Service...
Oct 16 15:03:08 ip-172-31-89-74.eu-central-1.compute.internal systemd: Started Fail2Ban Service.
Oct 16 15:03:08 ip-172-31-89-74.eu-central-1.compute.internal fail2ban-server: Server ready
### Testing in bash from a specific IP address
i=0; while true; do echo -e "\n---------------------------------$i-----------------------------\n"; curl -s -L testing.my-org.de/tests; i=$(($i+1)); done
This generates lines in the expected log (the one configured in jail.local). I confirm that actionstart works, as there is a logfile. Also I get e-mails whenever I restart the service. What am I missing, or doing incorrectly?
### More data:
222.222.222.222 - - [16/Oct/2023:22:10:51 +0200] "testing.my-org.com" "GET /tests HTTP/1.1" 404 8043 61680 "-" "curl/7.88.1" "" "ea4uh580h9dl7tat34q2d5cjo7" 
222.222.222.222 - - [16/Oct/2023:22:10:52 +0200] "testing.my-org.com" "GET /tests HTTP/1.1" 404 8043 61976 "-" "curl/7.88.1" "" "uou7bo5pj4tgp2m9t5kulkmvn2" 
222.222.222.222 - - [16/Oct/2023:22:10:52 +0200] "testing.my-org.com" "GET /tests HTTP/1.1" 404 8043 68577 "-" "curl/7.88.1" "" "m3u0g2s41fa6igphsfecrdbg41"


[root@ip-172-31-89-74 apache2]# fail2ban-regex /var/log/apache2/frontend-app-my-org-com-access.log.1 /etc/fail2ban/filter.d/my-filter.conf

Running tests
=============

Use   failregex filter file : my-filter, basedir: /etc/fail2ban
Use         log file : /var/log/apache2/frontend-app-my-org-com-access.log.1
Use         encoding : UTF-8


Results
=======

Failregex: 2480 total
|-  #) [# of hits] regular expression
|   1)  ^
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|   Day(?P<_sep>[-/])MON(?P=_sep)ExYear[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
`-

Lines: 2480 lines, 0 ignored, 2480 matched, 0 missed
[processed in 0.17 sec]

[root@ip-172-31-89-74 apache2]# vim /etc/fail2ban/filter.d/my-filter.conf
[root@ip-172-31-89-74 apache2]# fail2ban-regex /var/log/apache2/frontend-app-my-org-com-access.log.1 /etc/fail2ban/filter.d/my-filter.conf

Running tests
=============

Use   failregex filter file : my-filter, basedir: /etc/fail2ban
Use         log file : /var/log/apache2/frontend-app-my-org-com-access.log.1
Use         encoding : UTF-8


Results
=======

Failregex: 2480 total
|-  #) [# of hits] regular expression
|   1)  ^<HOST> - - \[.*\] \".*.my-org.*\" \".*\" [4-5][0-9][0-9]
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|   Day(?P<_sep>[-/])MON(?P=_sep)ExYear[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
`-

Lines: 2480 lines, 0 ignored, 2480 matched, 0 missed
[processed in 0.18 sec]
Karov (113 rep)
Oct 16, 2023, 01:42 PM • Last activity: Oct 18, 2023, 05:53 PM
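The fail2ban-regex run above only shows that the failregex matches lines in the access-log file; it says nothing about whether the jail, which the log at the top shows reading the systemd journal (`_SYSTEMD_UNIT=httpd.service`), would then reach maxRetry within findtime and fire the ban action. The following script is an added example, not code from the question or from fail2ban: it replays constructed access-log lines (in the same format as the excerpt above) through the jail's counting rules (maxRetry 4, findtime 60, banTime 300) and reports which host would be banned and when. It assumes the filter's regex starts with fail2ban's `<HOST>` tag (the page rendering shows `^ - -`), and it expands `<HOST>` as an IPv4 address only, a simplification of fail2ban's real tag.

```python
"""Replay Apache access-log lines through a fail2ban-style jail to see when a ban would fire."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The failregex from the fail2ban-regex output above. Assumption: it begins
# with fail2ban's <HOST> tag, which the page rendering dropped.
FAILREGEX = r'^<HOST> - - \[.*\] \".*.my-org.*\" \".*\" [4-5][0-9][0-9]'

# Stand-in for fail2ban's <HOST> expansion. The real tag also matches IPv6
# addresses and hostnames; IPv4-only here keeps the demo short (assumption).
HOST_RE = r'(?P<host>(?:\d{1,3}\.){3}\d{1,3})'

# Apache timestamp, e.g. [16/Oct/2023:22:10:51 +0200]; the offset is ignored.
DATE_RE = re.compile(r'\[(\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]')

# Jail parameters as printed in the fail2ban log above.
MAXRETRY = 4
FINDTIME = 60   # seconds
BANTIME = 300   # seconds


def compile_failregex(pattern=FAILREGEX):
    """Turn a fail2ban-style failregex into a Python regex with a 'host' group."""
    return re.compile(pattern.replace('<HOST>', HOST_RE))


def parse_line(line, regex):
    """Return (host, timestamp) when the line matches the failregex, else None."""
    m = regex.search(line)
    if m is None:
        return None
    d = DATE_RE.search(line)
    if d is None:
        return None
    ts = datetime.strptime(d.group(1), '%d/%b/%Y:%H:%M:%S')
    return m.group('host'), ts


def simulate(lines, maxretry=MAXRETRY, findtime=FINDTIME, pattern=FAILREGEX):
    """Apply the jail's counting logic to a sequence of log lines.

    Returns (bans, pending): bans is a list of (host, ban_time) in order of
    occurrence; pending maps host -> unexpired failures not yet turned into a ban.
    """
    regex = compile_failregex(pattern)
    window = timedelta(seconds=findtime)
    failures = defaultdict(list)   # host -> timestamps of recent matches
    bans = []
    for line in lines:
        parsed = parse_line(line, regex)
        if parsed is None:
            continue               # no failregex match: the jail never counts this line
        host, ts = parsed
        # Sliding window: forget failures older than findtime.
        failures[host] = [t for t in failures[host] if ts - t <= window]
        failures[host].append(ts)
        if len(failures[host]) >= maxretry:
            bans.append((host, ts))
            failures[host] = []    # fail2ban drops the failure ticket once the host is banned
    pending = {h: len(t) for h, t in failures.items() if t}
    return bans, pending


def _line(ip, hhmmss, status):
    # Constructed sample line in the same layout as the access-log excerpt above.
    return (f'{ip} - - [16/Oct/2023:{hhmmss} +0200] "testing.my-org.com" '
            f'"GET /tests HTTP/1.1" {status} 8043 61680 "-" "curl/7.88.1" "" "constructed"')


# Constructed input: one host hammering /tests, another host mostly behaving.
SAMPLE_LINES = [
    _line('222.222.222.222', '22:10:51', 404),
    _line('222.222.222.222', '22:10:52', 404),
    _line('222.222.222.222', '22:10:52', 404),
    _line('10.0.0.5', '22:10:53', 200),          # 200: failregex does not match
    _line('222.222.222.222', '22:10:54', 404),   # 4th hit within 60 s -> ban
    _line('10.0.0.5', '22:10:55', 404),
    _line('10.0.0.5', '22:12:30', 404),          # earlier hit is 95 s old -> expired
]

if __name__ == '__main__':
    bans, pending = simulate(SAMPLE_LINES)
    for host, when in bans:
        print(f'would ban {host} at {when:%H:%M:%S} for {BANTIME}s')
    print('pending failures:', pending)
```

Running it against real lines (`simulate(open(path))`) shows whether the curl loop actually produces four matches inside a 60-second window for one address, which is what the jail needs before `actionban` is ever called; the 200 response and the expired hit in the sample show the two ways a line can be matched by fail2ban-regex yet never contribute to a ban.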