Here's how to add another port:
Tell selinux:
semanage port -a -t ssh_port_t -p tcp 2112
/etc/ssh/sshd_config:
# My changes
Port 22
Port 2112
[0:root@yoda ~]$ netstat -anp | grep ssh
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1677/sshd
tcp 0 0 0.0.0.0:2112 0.0.0.0:* LISTEN 1677/sshd
Bill
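As an added example, not code from the thread or from the fail2ban project, here is a small POSIX shell check that does the comparison Dominic and Bill recommend (the numeric port the jail rule actually covers versus the ports the daemon actually listens on) and the cross-check Doug did by hand (banned IPs whose REJECT rule has zero hits while /var/log/secure still shows them failing). The sample data and the function names are constructed for this example, modelled on the output posted in the thread; on a real host the sample variables would be replaced by the output of `netstat -anp`, `iptables -nvL INPUT`, `iptables -nvL <jail chain>` and the relevant auth-log lines.

```shell
#!/bin/sh
# Added example (not from the thread): verify that a fail2ban jail's iptables rule
# covers every port the daemon listens on, and flag "banned" IPs whose REJECT rule
# has matched nothing while the auth log still shows them failing.
# Every input below is a constructed sample modelled on the thread's output.

# Constructed: 'netstat -anp' listen lines (sshd on 22 and 2112, vsftpd on 21).
LISTEN_SAMPLE='tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1677/sshd
tcp 0 0 0.0.0.0:2112 0.0.0.0:* LISTEN 1677/sshd
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 1490/vsftpd'

# Constructed: INPUT chain from 'iptables -nvL' (no --line-numbers, so field 3 is the target).
INPUT_SAMPLE='Chain INPUT (policy ACCEPT 3250 packets, 253K bytes)
 pkts bytes target prot opt in out source destination
    0     0 f2b-sshdext tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 2112
1891K  113M f2b-vsftpd tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 21,20,990,989'

# Constructed: the jail's own chain; 0 pkts on a REJECT means the rule never matched anything.
CHAIN_SAMPLE='Chain f2b-sshdext (1 references)
 pkts bytes target prot opt in out source destination
    0     0 REJECT all -- * * 193.201.224.212 0.0.0.0/0 reject-with icmp-port-unreachable
    0     0 REJECT all -- * * 117.239.39.51 0.0.0.0/0 reject-with icmp-port-unreachable
    0     0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0'

# Constructed: /var/log/secure failures for one of the "banned" hosts.
SECURE_SAMPLE='Sep 11 10:24:53 host sshdext[5573]: pam_unix(sshdext:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=193.201.224.212
Sep 11 10:25:07 host sshdext[5591]: pam_unix(sshdext:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=193.201.224.212'

# listening_ports DAEMON: sorted TCP ports DAEMON listens on, space separated.
listening_ports() {
    printf '%s\n' "$LISTEN_SAMPLE" |
        awk -v d="$1" '$6 == "LISTEN" && $7 ~ ("/" d "$") { n = split($4, a, ":"); print a[n] }' |
        sort -n | tr '\n' ' ' | sed 's/ $//'
}

# jailed_ports CHAIN: ports in the "multiport dports" list of the INPUT rule that jumps to CHAIN.
jailed_ports() {
    printf '%s\n' "$INPUT_SAMPLE" |
        awk -v c="$1" '$3 == c { for (i = 1; i <= NF; i++) if ($i == "dports") print $(i + 1) }' |
        tr ',' '\n' | sort -n | tr '\n' ' ' | sed 's/ $//'
}

# uncovered_ports DAEMON CHAIN: listening ports that no jail rule covers (the thread's bug: port 22).
uncovered_ports() {
    jailed=" $(jailed_ports "$2") "
    for p in $(listening_ports "$1"); do
        case "$jailed" in
            *" $p "*) ;;
            *) printf '%s ' "$p" ;;
        esac
    done | sed 's/ $//'
}

# banned_but_active: sources of zero-hit REJECT rules that still appear as rhost= in the auth log.
banned_but_active() {
    printf '%s\n' "$CHAIN_SAMPLE" |
        awk '$3 == "REJECT" && $1 == 0 { print $8 }' |
        while read -r ip; do
            printf '%s\n' "$SECURE_SAMPLE" |
                awk -v ip="$ip" '{ for (i = 1; i <= NF; i++) if ($i == "rhost=" ip) f = 1 } END { exit !f }' &&
                printf '%s ' "$ip"
        done | sed 's/ $//'
}

# Report for the constructed data: sshd listens on 22 and 2112, but the jail only blocks 2112.
echo "sshd listening on:        $(listening_ports sshd)"
echo "f2b-sshdext covers:       $(jailed_ports f2b-sshdext)"
echo "uncovered sshd ports:     $(uncovered_ports sshd f2b-sshdext)"
echo "banned yet still failing: $(banned_but_active)"
```

The two checks are independent signals: an uncovered port means the jail is banning on the wrong port entirely, while a zero-hit REJECT rule for a host that keeps failing authentication means the traffic is arriving on a port the rule does not match, which is exactly what the `pkts` column of `iptables -nvL` shows without any scripting.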
On 9/11/2017 10:51 AM, Eckert, Doug wrote:
My fault for trusting what I was told instead of looking myself.
I was told the second ssh was listening on 2112, when in fact it was listening on 22. So, fail2ban was banning port 2112, but
22 traffic was uninhibited.
On Mon, Sep 11, 2017 at 10:28 AM, Eckert, Doug <doug.eck...@dowjones.com> wrote:
Here's the current date and iptables list

# date
Mon Sep 11 10:23:19 EDT 2017
# iptables -nvL --line-numbers
Chain INPUT (policy ACCEPT 3250 packets, 253K bytes)
num   pkts bytes target      prot opt in  out source          destination
1        0     0 f2b-sshdext tcp  --  *   *   0.0.0.0/0       0.0.0.0/0   multiport dports 2112
2    1891K  113M f2b-vsftpd  tcp  --  *   *   0.0.0.0/0       0.0.0.0/0   multiport dports 21,20,990,989

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target      prot opt in  out source          destination

Chain OUTPUT (policy ACCEPT 3231 packets, 7088K bytes)
num   pkts bytes target      prot opt in  out source          destination

Chain f2b-sshdext (1 references)
num   pkts bytes target      prot opt in  out source          destination
1        0     0 REJECT      all  --  *   *   172.26.47.66    0.0.0.0/0   reject-with icmp-port-unreachable
2        0     0 REJECT      all  --  *   *   103.89.89.149   0.0.0.0/0   reject-with icmp-port-unreachable
3        0     0 REJECT      all  --  *   *   90.150.90.116   0.0.0.0/0   reject-with icmp-port-unreachable
4        0     0 REJECT      all  --  *   *   190.218.115.115 0.0.0.0/0   reject-with icmp-port-unreachable
5        0     0 REJECT      all  --  *   *   193.201.224.212 0.0.0.0/0   reject-with icmp-port-unreachable
6        0     0 REJECT      all  --  *   *   117.239.39.51   0.0.0.0/0   reject-with icmp-port-unreachable
7        0     0 RETURN      all  --  *   *   0.0.0.0/0       0.0.0.0/0

Chain f2b-vsftpd (1 references)
num   pkts bytes target      prot opt in  out source          destination
1    1891K  113M RETURN      all  --  *   *   0.0.0.0/0       0.0.0.0/0
And a snapshot of /var/log/secure (active sessions from that IP still hitting the daemon)

# tail -f secure | grep failure
Sep 11 10:24:53 #### sshdext[5573]: pam_unix(sshdext:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=193.201.224.212
Sep 11 10:25:07 #### sshdext[5591]: pam_unix(sshdext:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=193.201.224.212
Sep 11 10:25:13 #### sshdext[5593]: pam_unix(sshdext:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=193.201.224.212
Sep 11 10:25:15 #### sshdext[5595]: pam_unix(sshdext:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=193.201.224.212
'sshdext' is a second sshd running on 2112. Entry made in /etc/services for it, as well as a matching file in filter.d.
The regex seems to be doing its job, as iptables entries are there.
On Sat, Sep 9, 2017 at 7:30 PM, Bill Shirley <bshir...@openmri-scottsboro.com> wrote:
A host can have multiple addresses; multiple PTRs can point to a host. You should use 'iptables -nvL' and compare banned IP addresses instead of hostnames.
Bill
On 9/9/2017 6:56 AM, Doug Eckert wrote:
The name & port have been added to /etc/services. I also copied filter.d/ssh.conf to filter.d/sshdext.conf and edited to match.
The right source IP and dest port is added to iptables, but traffic is still getting through for some reason.
On Sat, Sep 9, 2017 at 2:07 AM Dominic Raferd <domi...@timedicer.co.uk> wrote:
On 8 September 2017 at 16:22, Eckert, Doug <doug.eck...@dowjones.com> wrote:
CentOS 6 with fail2ban-0.9.2-1.el6.noarch, and iptables-1.4.7-16.el6.x86_64
Not sure where my issue lies. It appears that f2b is processing the log file(s) fine and adding 'iptables' rules, but I still see connection attempts and authentication errors on the ssh daemon.
Example. From /var/log/messages, it triggered a ban for this IP at 0858hrs:
Sep 8 08:58:20 ####### fail2ban.actions[28791]: NOTICE [sshdext] Ban 124.190.106.117
'iptables' shows the IP should be DROPping
# iptables --list
Chain INPUT (policy ACCEPT)
target      prot opt source    destination
f2b-sshdext tcp  --  anywhere  anywhere     multiport dports sshdext
f2b-vsftpd  tcp  --  anywhere  anywhere     multiport dports ftp,ftp-data,ftps,ftps-data
...
The 'sshdext' service is just 'sshd' running on an alternate port for external users - corporate firewall blocks incoming port 22.
I am not an expert but I am puzzled by the line:
f2b-sshdext tcp -- anywhere anywhere multiport dports sshdext
How does iptables --list know which port is 'sshdext'? 'iptables --list -n' will show the numeric values (and is fast), then you can see if this rule is indeed covering the correct port.
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
--
Doug Eckert
Technical Architect - Systems Technology Services
Dow Jones <http://www.dowjones.com/>
P.O. Box 300 | Princeton NJ 08543-0300
(W) 609.520.4993 (C) 732.666.3681
Email: doug.eck...@dowjones.com