Dominic,

Thanks for responding. Finally I went to debug the filter.d/sshd-ddos.conf and came to a working conclusion with:

failregex = ^%(__prefix_line)sDid not receive identification string from <HOST>(?: port \d+)\s*$

instead of

failregex = ^%(__prefix_line)sDid not receive identification string from <HOST>\s*$

Patrick

On 2017-01-25 13:27, Dominic Raferd wrote:
> On 25 January 2017 at 12:03, Patrick PICHON <patr...@pichon.me> wrote:
>> Hello,
>>
>> In addition:
>> [DEFAULT]
>> destemail = supp...@pipiche.net
>> banaction = iptables-multiport
>>
>> Thanks for responding. I did what you recommended and still no action
>> taken:
>>
>> [sshd-ddos]
>> enabled = true
>> port = 23,20022
>> maxretry=2
>> findtime = 600
>> bantime = 600
>>
>> Here are the logs:
>>
>> 2017-01-25 12:59:38,716 fail2ban.action [30982]: DEBUG iptables -w -N f2b-sshd-ddos
>> iptables -w -A f2b-sshd-ddos -j RETURN
>> iptables -w -I INPUT -p tcp -m multiport --dports 23,20022 -j f2b-sshd-ddos
>> -- stderr: b''
>> 2017-01-25 12:59:38,716 fail2ban.action [30982]: DEBUG iptables -w -N f2b-sshd-ddos
>> iptables -w -A f2b-sshd-ddos -j RETURN
>> iptables -w -I INPUT -p tcp -m multiport --dports 23,20022 -j f2b-sshd-ddos
>> -- returned successfully
>> 2017-01-25 12:59:44,863 fail2ban.filtersystemd [30982]: DEBUG Read systemd journal entry: '2017-01-25T12:59:44.559610 pitchoun.pipiche.net sshd[30989]: Did not receive identification string from 15.203.163.254 port 58130'
>> 2017-01-25 12:59:48,871 fail2ban.filtersystemd [30982]: DEBUG Read systemd journal entry: '2017-01-25T12:59:48.818770 pitchoun.pipiche.net sshd[30993]: Did not receive identification string from 15.203.163.254 port 58132'
>> 2017-01-25 12:59:52,114 fail2ban.filtersystemd [30982]: DEBUG Read systemd journal entry: '2017-01-25T12:59:51.730913 pitchoun.pipiche.net sshd[30997]: Did not receive identification string from 15.203.163.254 port 58134'
>> 2017-01-25 12:59:55,123 fail2ban.filtersystemd [30982]: DEBUG Read systemd journal entry: '2017-01-25T12:59:54.987220 pitchoun.pipiche.net sshd[31001]: Did not receive identification string from 15.203.163.254 port 58136'
>> 2017-01-25 12:59:58,370 fail2ban.filtersystemd [30982]: DEBUG Read systemd journal entry: '2017-01-25T12:59:58.323035 pitchoun.pipiche.net sshd[31005]: Did not receive identification string from 15.203.163.254 port 58138'
>> 2017-01-25 13:00:01,613 fail2ban.filtersystemd [30982]: DEBUG Read systemd journal entry: '2017-01-25T13:00:01.242494 pitchoun.pipiche.net sshd[31009]: Did not receive identification string from 15.203.163.254 port 58140'
>> 2017-01-25 13:00:05,112 fail2ban.filtersystemd [30982]: DEBUG Read systemd journal entry: '2017-01-25T13:00:04.747112 pitchoun.pipiche.net sshd[31029]: Did not receive identification string from 15.203.163.254 port 58142'
>> 2017-01-25 13:00:08,363 fail2ban.filtersystemd [30982]: DEBUG Read systemd journal entry: '2017-01-25T13:00:07.992217 pitchoun.pipiche.net sshd[31035]: Did not receive identification string from 15.203.163.254 port 58144'
>>
>> On 2017-01-25 12:51, Dominic Raferd wrote:
>>> My initial reaction was that the default maxretry setting is 5, and
>>> the extract you have shown does not show five offences by any single
>>> ip. Could this be the reason? If you want to reduce the maxretry
>>> setting for this jail, put an extra line in
>>> /etc/fail2ban/jail.d/sshd-ddos.conf like: 'maxretry=2'.
>>>
>>> But on reflection I think it is more likely your problem is the one
>>> reported here: https://github.com/fail2ban/fail2ban/issues/1341 - in
>>> which case the solution is probably to rebuild fail2ban (0.9 or 0.10)
>>> from the latest at https://github.com/fail2ban/fail2ban.
>
> So your options are:
>
> 1. make the log source explicit and simpler, e.g. in your
> /etc/fail2ban/jail.d/sshd-ddos.conf:
>
> logpath = /var/log/messages
>
> - set to wherever your sshd log messages are filed
>
> 2. If 1 doesn't work, you might also need to comment out the
> journalmatch line in /etc/fail2ban/filter.d/sshd-ddos (but probably
> not).
>
> 3. If 1 & 2 don't work, then remove the logpath line from
> sshd-ddos.conf, and in your filter file try setting journalmatch =
> [your explicit ssh log file]
>
> 4. If all else fails, rebuild fail2ban from the git source
>
> I'm not a fail2ban expert BTW, so these are (I hope intelligent)
> guesses.

_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
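The root cause in the thread is a failregex anchored with `\s*$` immediately after `<HOST>`, while the sshd messages in the journal carry a trailing ` port NNNNN`, so no line ever matches and maxretry is never reached. The script below is an added example written for this page, not code from fail2ban or from either poster. It replays the journal lines quoted above (plus two constructed lines: one without the port suffix, one unrelated sshd message) through the original regex, Patrick's corrected regex, and a third variant in which the port group is made optional so that a message lacking the suffix is still caught. It then applies a fail2ban-style maxretry/findtime window per host. The `PREFIX_LINE` pattern is a simplified stand-in for fail2ban's `__prefix_line` and the `HOST` pattern covers IPv4 only; both are assumptions of this example, not fail2ban's definitions.

```python
import re
from datetime import datetime

# Constructed sample input. The first three lines are the journal entries quoted
# in the thread (timestamp, hostname, "sshd[pid]: message"); the rest are made
# up for this example: one older-style message without " port N", a second
# occurrence of it 25 minutes later, and an unrelated sshd line that must never match.
JOURNAL_LINES = [
    "2017-01-25T12:59:44.559610 pitchoun.pipiche.net sshd[30989]: Did not receive identification string from 15.203.163.254 port 58130",
    "2017-01-25T12:59:48.818770 pitchoun.pipiche.net sshd[30993]: Did not receive identification string from 15.203.163.254 port 58132",
    "2017-01-25T12:59:51.730913 pitchoun.pipiche.net sshd[30997]: Did not receive identification string from 15.203.163.254 port 58134",
    "2017-01-25T13:05:00.000000 pitchoun.pipiche.net sshd[31100]: Did not receive identification string from 203.0.113.9",
    "2017-01-25T13:30:00.000000 pitchoun.pipiche.net sshd[31150]: Did not receive identification string from 203.0.113.9",
    "2017-01-25T13:05:02.000000 pitchoun.pipiche.net sshd[31101]: Accepted publickey for patrick from 203.0.113.10 port 40000 ssh2",
]

# Assumption: a minimal stand-in for fail2ban's %(__prefix_line)s, matching
# "<timestamp> <hostname> sshd[<pid>]: ". fail2ban's real macro is more general.
PREFIX_LINE = r"\S+\s+\S+\s+sshd\[\d+\]:\s+"
# Assumption: IPv4 only. fail2ban's <HOST> also matches IPv6 addresses and hostnames.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

MSG = r"Did not receive identification string from "
# The original filter line from the thread: anchors right after <HOST>.
OLD_FAILREGEX = "^" + PREFIX_LINE + MSG + HOST + r"\s*$"
# Patrick's working line: requires the " port N" suffix.
PATRICK_FAILREGEX = "^" + PREFIX_LINE + MSG + HOST + r"(?: port \d+)\s*$"
# Variant added here: suffix optional, so both message forms are caught.
OPTIONAL_FAILREGEX = "^" + PREFIX_LINE + MSG + HOST + r"(?: port \d+)?\s*$"


def matched_hosts(failregex, lines=JOURNAL_LINES):
    """Return the <host> captured by every line the failregex matches, in order."""
    rx = re.compile(failregex)
    return [m.group("host") for m in map(rx.match, lines) if m]


def ban_candidates(failregex, lines=JOURNAL_LINES, maxretry=2, findtime=600):
    """Replay lines through a fail2ban-like counter: a host is reported once it
    has `maxretry` matches whose timestamps fall within a `findtime`-second window."""
    rx = re.compile(failregex)
    recent = {}      # host -> timestamps of matches still inside the window
    banned = set()
    for line in lines:
        m = rx.match(line)
        if not m:
            continue
        # The journal timestamp is the first whitespace-separated field.
        t = datetime.fromisoformat(line.split(" ", 1)[0])
        host = m.group("host")
        window = [x for x in recent.get(host, []) if (t - x).total_seconds() <= findtime]
        window.append(t)
        recent[host] = window
        if len(window) >= maxretry:
            banned.add(host)
    return banned


if __name__ == "__main__":
    for name, rx in [("old", OLD_FAILREGEX), ("patrick", PATRICK_FAILREGEX), ("optional", OPTIONAL_FAILREGEX)]:
        print(f"{name:9s} matches={matched_hosts(rx)} banned={ban_candidates(rx)}")
```

With the jail settings from the thread (maxretry=2, findtime=600) the original regex matches none of the `port NNNNN` lines and bans nobody, while Patrick's regex bans 15.203.163.254 after its second line. The optional-suffix variant additionally matches the suffix-less lines, but 203.0.113.9 is still not banned because its two hits are 25 minutes apart, outside the 600-second findtime; raising findtime to 3600 would catch it. On the real system the same check is done with `fail2ban-regex <logfile-or-systemd-journal> /etc/fail2ban/filter.d/sshd-ddos.conf`, which prints how many lines each failregex matched and is the quickest way to spot a silent anchor mismatch like this one.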