Hey, I already moved SSH to another port from the beginning, but it seems someone found it anyway now.
Also, I am pretty sure the block works, as it's a "drop" on the IP, unspecific to any port. If I don't block them, I get a connection every few seconds. If I block, it's reduced to ~9 min per connection. So till the block disappears and they get blocked again. I have password enabled as a fallback, but it's 65 characters, so it's hard to brute-force anytime soon.

But someone has to explain that to me

########
~# fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed: 7822
|  `- File list: /var/log/auth.log
`- Actions
   |- Currently banned: 137
   |- Total banned: 137
   `- Banned IP list:
#########
~# shorewall show dynamic
Shorewall 5.0.15.6 Chain dynamic at xxx - Mi 22. Mai 18:22:51 CEST 2019
Counters reset So 19. Mai 19:50:59 CEST 2019

Chain dynamic (5 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       192.0.0.1            0.0.0.0/0
    0     0 DROP       all  --  *      *       192.0.0.2            0.0.0.0/0
  316 18960 DROP       all  --  *      *       118.25.52.98         0.0.0.0/0
    0     0 DROP       all  --  *      *       134.119.188.37       0.0.0.0/0
    0     0 DROP       all  --  *      *       177.101.255.26       0.0.0.0/0
    0     0 DROP       all  --  *      *       182.162.96.185       0.0.0.0/0
    0     0 DROP       all  --  *      *       81.66.89.42          0.0.0.0/0
    0     0 DROP       all  --  *      *       95.58.194.141        0.0.0.0/0
    8   476 DROP       all  --  *      *       157.122.116.160      0.0.0.0/0
  303 15612 DROP       all  --  *      *       185.234.219.56       0.0.0.0/0
  556 28912 DROP       all  --  *      *       185.234.219.57       0.0.0.0/0
  415 25260 DROP       all  --  *      *       223.171.46.146       0.0.0.0/0
    0     0 DROP       all  --  *      *       198.108.66.240       0.0.0.0/0
  204 10608 DROP       all  --  *      *       185.234.219.58       0.0.0.0/0
 1907  114K DROP       all  --  *      *       185.222.209.97       0.0.0.0/0
  645 33540 DROP       all  --  *      *       185.234.216.93       0.0.0.0/0
    9   360 DROP       all  --  *      *       89.248.168.176       0.0.0.0/0
    0     0 DROP       all  --  *      *       185.53.88.212        0.0.0.0/0
  150  7800 DROP       all  --  *      *       185.234.219.60       0.0.0.0/0
    2   104 DROP       all  --  *      *       216.245.193.10       0.0.0.0/0
    0     0 DROP       all  --  *      *       62.233.65.182        0.0.0.0/0
    0     0 DROP       all  --  *      *       41.216.186.201       0.0.0.0/0
    0     0 DROP       all  --  *      *       51.38.12.13          0.0.0.0/0
    7   388 DROP       all  --  *      *       106.75.84.197        0.0.0.0/0
    0     0 DROP       all  --  *      *       192.168.0.3          0.0.0.0/0
   18  1080 DROP       all  --  *      *       128.14.136.78        0.0.0.0/0
    0     0 DROP       all  --  *      *       198.108.66.16        0.0.0.0/0
    8   480 DROP       all  --  *      *       201.249.89.102       0.0.0.0/0
   14   792 DROP       all  --  *      *       134.209.104.109      0.0.0.0/0
   52  3040 DROP       all  --  *      *       185.137.111.77       0.0.0.0/0
   68  4080 DROP       all  --  *      *       212.33.26.218        0.0.0.0/0
   48  2880 DROP       all  --  *      *       185.137.111.145      0.0.0.0/0
   29  2148 DROP       all  --  *      *       51.38.113.45         0.0.0.0/0
   18  1000 DROP       all  --  *      *       138.197.195.52       0.0.0.0/0
   13   740 DROP       all  --  *      *       119.1.238.156        0.0.0.0/0
    0     0 DROP       all  --  *      *       180.244.148.195      0.0.0.0/0
   18  1080 DROP       all  --  *      *       218.92.0.199         0.0.0.0/0
   28  1600 DROP       all  --  *      *       185.137.111.14       0.0.0.0/0
    0     0 DROP       all  --  *      *       36.26.80.214         0.0.0.0/0
#########

Something must be wrong... the difference between the database and the real blocklist is ~100 IPs atm... that can't be intended...
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
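
An added example, not part of the original post: one way to pin down the mismatch described above is to diff the addresses `fail2ban-client status sshd` reports as banned against the source column of the DROP rules in `shorewall show dynamic`. The function names are hypothetical and the sample output is constructed from documentation addresses, not taken from the post.

```python
import ipaddress
import re

# Constructed sample output (documentation addresses, not from the post).
FAIL2BAN_STATUS = """\
Status for the jail: sshd
`- Actions
   |- Currently banned: 3
   `- Banned IP list:   192.0.2.10 198.51.100.7 203.0.113.5
"""

SHOREWALL_DYNAMIC = """\
Chain dynamic (5 references)
 pkts bytes target     prot opt in     out     source               destination
  316 18960 DROP       all  --  *      *       192.0.2.10           0.0.0.0/0
    0     0 DROP       all  --  *      *       203.0.113.99         0.0.0.0/0
"""

def _valid(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def banned_by_fail2ban(status_text):
    """Addresses listed after 'Banned IP list:' in fail2ban-client status."""
    m = re.search(r"Banned IP list:(.*)", status_text, re.S)
    return {t for t in (m.group(1).split() if m else []) if _valid(t)}

def dropped_by_firewall(chain_text):
    """Source column of every DROP rule in the iptables-style chain listing."""
    sources = set()
    for line in chain_text.splitlines():
        f = line.split()
        # Columns: pkts bytes target prot opt in out source destination
        if len(f) >= 9 and f[2] == "DROP" and _valid(f[7]):
            sources.add(f[7])
    return sources

def compare(status_text, chain_text):
    banned, dropped = banned_by_fail2ban(status_text), dropped_by_firewall(chain_text)
    return {"banned_not_dropped": sorted(banned - dropped),
            "dropped_not_banned": sorted(dropped - banned)}

if __name__ == "__main__":
    for key, ips in compare(FAIL2BAN_STATUS, SHOREWALL_DYNAMIC).items():
        print(f"{key}: {len(ips)} {' '.join(ips)}")
```

Addresses under `banned_not_dropped` are bans recorded by fail2ban that have no matching rule in the chain; `dropped_not_banned` are rules that exist without a current ban in that jail.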