fail2ban not detecting ssh login failures

fennectech · 2 January 2020 22:08

I have an public facing ssh server thats being beat on constantly this ive set the logging level to verbose and have a custom jail with this config

[fennectech@jasper ~]$  cat /etc/fail2ban/jail.d/sshd.local 
[sshd]
enabled   = true
filter    = sshd
banaction = iptables
backend   = systemd
maxretry  = 5
findtime  = 1d
bantime   = 2w
ignoreip  = 127.0.0.1/8

But it is not detecting the attackers that are banging on my front door.

im getting constant output like this in dmesg

[  477.515913] audit: type=1100 audit(1578002868.083:149): pid=24591 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="root" exe="/usr/bin/sshd" hostname=49.88.112.111 addr=49.88.112.111 terminal=ssh res=failed'
[  489.194660] audit: type=1100 audit(1578002879.755:150): pid=25157 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="pierre" exe="/usr/bin/sshd" hostname=144.217.85.239 addr=144.217.85.239 terminal=ssh res=failed'

I would like to have it block these types of requests

xabbu · 3 January 2020 04:38

The normal fail2ban sshd filter does not match against audit messages. Check out

/etc/fail2ban/filter.d/sshd.conf

to find out more and also about the different modes. It matches against the sshd services messages.
You can see them with

sudo journalctl -u sshd

This option means that every IP has 4 tries and only on the fifth wrong try it will be banned.

Fail2ban has a nice little tool called fail2ban-regex , for example

sudo fail2ban-regex --print-all-matched  systemd-journal /etc/fail2ban/filter.d/sshd.conf

It will print all matched lines, but keep the maxretry in mind.

btw., a good countermeasure against bots is to change the sshd port. Bots only try the default port, but it will not help against a real attacker. So it does not add any real security but it keeps the logs cleaner.

fennectech · 3 January 2020 04:43

ive resolved it. the problem was the journal was disabled As for changing the default port ive considered that and have decided against it

xabbu · 3 January 2020 07:19

Can I asked for the reason(s) why you decided against changing the default port?

linux-aarhus · 3 January 2020 10:12

[HowTo] Secure SSH server - Connect using SSH keys

That is true.

I run a ssh server on a non default port - and it has been great for years - until someone ran a complete port scan and found my port - then I got hammered from whole IP ranges originating in China.

The best security measure is public key.

xabbu · 3 January 2020 12:10

The nice thing is, that you can always switch the port again.

I also run fail2ban after changing the port. It is very simple to block a non default port in Fail2ban or even multiple ports. However that requires a banaction like iptables-multiport or similar.

I would also suggest to disable the root login entirely and specify only one/a few users, that are allowed to login. This can be done in the sshd_config via AllowUsers

fennectech · 3 January 2020 18:40

I often give access to friends and aranging for keyd access would be a pain. I will protect my root and main user account with ssh keys.

system · 2 February 2020 18:41

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.