ls /etc/fail2ban/filter.d
and see if your jail is really there, and if so,
cat /etc/fail2ban/filter.d/sshd.conf
to see if it has bad code in it.
Wayne Sallee
wa...@waynesallee.com
http://www.WayneSallee.com
-------- Original Message --------
Subject: Re: [Fail2ban-users] bans not working
From: Mike <t...@rohms.com>
To: James Moe <ji...@sohnen-moe.com>, Fail2ban-users <fail2ban-users@lists.sourceforge.net>
CC:
Date: 2019-8-25 07:25 PM
> I've moved ssh to a non-standard port and it has been discovered by
> some hackers. I'm noticing repeated attempts to connect and login
> even though the IPs are supposedly banned.
>
> NOTICE [sshd] 54.34.136.87 already banned
> I do not understand, if I've banned an IP why they're still getting through?
>
"Already banned" implies that the IP is banned on another port.
Have you changed your filter to ban the new port?
Did you unban all of the previously banned standard SSH port IPs?
So here's what I've figured out.
In some cases, it looks like the fail2ban ipset is not configured in iptables.
I am not sure under what circumstance this is happening but sometimes when I start f2b, it doesn't apply all the ipset
rules.
For example, fail2ban may have 4 jails:
vsftpd, pam-generic, dovecot, sshd
Everything appears to work, but then I see errors in the log showing an IP is already banned but it's still hitting
the server. I found out why...
And sometimes after starting f2b I'll run:
iptables -L -n | grep fail2ban
and I'll only see 3 instead of 4 of the jails listed as ipsets configured. So the iptables aren't reading the jail
blacklist.
Sometimes if I execute the command:
fail2ban-client reload <JAIL>
it will add the proper iptables rule to apply the jail ipset that was not
running before.
So I am not sure what's happening. If I run fail2ban-client stop <JAIL> followed by fail2ban-client start <JAIL>
I'll sometimes see this error:
# fail2ban-client start sshd
ERROR NOK: ('sshd',)
Sorry but the jail 'sshd' does not exist
# fail2ban-client reload sshd
ERROR NOK: ('sshd',)
I get an error there, but now the jail is loaded and working... What could be
causing this?
I have a tendency of editing the jail.local file and routinely tweaking the configuration without restarting fail2ban
proper. And sometimes I copy a "known good" set of config settings from one server to another - I'm wondering if I'm
leaving out a necessary step to properly tell fail2ban to set up the jails permanently and execute the appropriate
iptables/firewallcmd command(s) to connect with the ipset groups created by fail2ban?
Is there a standard workflow of how you make sure you have a certain jail permanently set up and defined so it will
always start up properly?
I can't figure out the exact conditions when sometimes a jail initializes, but
isn't tied with iptables.
Any ideas?
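A check for the symptom described above (a jail that fail2ban reports as active but that has no matching rule in iptables), added here as an example and not code from this thread or from the fail2ban project. It assumes the default f2b-<jail> naming for fail2ban chains and ipsets; the jail list and the iptables listing below are constructed samples, and the live helper at the end needs root and a running fail2ban.

```shell
#!/bin/sh
# Added example, not from the thread: compare the jails fail2ban considers
# active with what is actually wired into iptables, and name the gaps.
# Assumption: the default action naming, i.e. a chain "f2b-<jail>" (iptables
# actions) or an ipset "f2b-<jail>" matched via "match-set" (ipset actions).

# Constructed sample: four jails, as in the post.
SAMPLE_JAILS="vsftpd pam-generic dovecot sshd"

# Constructed sample "iptables -L -n" listing in which sshd's rule is absent.
# vsftpd uses an ipset-style rule, the other two use a jump into a chain.
SAMPLE_IPTABLES='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 21 match-set f2b-vsftpd src reject-with icmp-port-unreachable
f2b-pam-generic  all  --  0.0.0.0/0            0.0.0.0/0
f2b-dovecot  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 110,995,143,993

Chain f2b-dovecot (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0'

# missing_jails "<space-separated jails>" "<iptables -L -n output>"
# Prints one line per jail that has neither a jump rule into f2b-<jail>
# nor a REJECT/DROP rule matching the f2b-<jail> ipset. Chain headers
# ("Chain f2b-...") do not count: only an actual rule line satisfies the check.
missing_jails() {
    jails=$1
    listing=$2
    for j in $jails; do
        if ! printf '%s\n' "$listing" |
            grep -Eq "^(f2b-$j[[:space:]]|(REJECT|DROP)[[:space:]].*match-set f2b-$j[[:space:]])"; then
            printf '%s\n' "$j"
        fi
    done
}

# Live version (needs root and fail2ban): take the jail list from
# "fail2ban-client status" and the rules from iptables. For each jail it
# reports, "fail2ban-client reload <jail>" is the workaround the post found.
check_live() {
    jails=$(fail2ban-client status | sed -n 's/.*Jail list:[[:space:]]*//p' | tr ',' ' ')
    missing_jails "$jails" "$(iptables -L -n)"
}

# Demonstration on the constructed sample (prints "sshd"):
missing_jails "$SAMPLE_JAILS" "$SAMPLE_IPTABLES"
```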
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users