fail2ban not detecting ssh login failures

I have a public-facing ssh server that's being beaten on constantly. I've set the logging level to verbose and have a custom jail with this config:

[fennectech@jasper ~]$  cat /etc/fail2ban/jail.d/sshd.local 
[sshd]
enabled   = true
filter    = sshd
banaction = iptables
backend   = systemd
maxretry  = 5
findtime  = 1d
bantime   = 2w
ignoreip  = 127.0.0.1/8

But it is not detecting the attackers that are banging on my front door.

I'm getting constant output like this in dmesg:

[  477.515913] audit: type=1100 audit(1578002868.083:149): pid=24591 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="root" exe="/usr/bin/sshd" hostname=49.88.112.111 addr=49.88.112.111 terminal=ssh res=failed'
[  489.194660] audit: type=1100 audit(1578002879.755:150): pid=25157 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="pierre" exe="/usr/bin/sshd" hostname=144.217.85.239 addr=144.217.85.239 terminal=ssh res=failed'

I would like to have it block these types of requests.

The normal fail2ban sshd filter does not match against audit messages. Check out

/etc/fail2ban/filter.d/sshd.conf

to find out more, also about the different modes. It matches against the sshd service's messages.
You can see them with

sudo journalctl -u sshd

This option means that every IP has 4 tries and only on the fifth wrong try will it be banned.

Fail2ban has a nice little tool called fail2ban-regex, for example:

sudo fail2ban-regex --print-all-matched  systemd-journal /etc/fail2ban/filter.d/sshd.conf

It will print all matched lines, but keep the maxretry in mind.


Btw, a good countermeasure against bots is to change the sshd port. Bots only try the default port, but it will not help against a real attacker. So it does not add any real security, but it keeps the logs cleaner.

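As an added illustration (not code from this thread or from fail2ban itself) of why the audit lines never trigger the jail: a small Python model of the sshd jail from the question, with an approximate failregex standing in for fail2ban's real sshd filter and constructed sample lines, shows the dmesg audit message matching nothing while sshd's own journal lines count toward maxretry = 5 within findtime = 1d.

```python
import re
from collections import defaultdict

# Approximation of one failregex from fail2ban's sshd filter. The real
# /etc/fail2ban/filter.d/sshd.conf has many more patterns and modes; this one
# covers sshd's own "Failed password ... from <ip> port <n>" lines, the kind
# that `journalctl -u sshd` shows.
SSHD_FAILREGEX = re.compile(
    r"Failed (?:password|publickey) for (?:invalid user )?\S+ "
    r"from (?P<host>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)
MAXRETRY = 5             # jail settings from the question
FINDTIME = 24 * 60 * 60  # findtime = 1d, in seconds

def failed_host(line):
    """Return the client IP if the line is an sshd login failure, else None."""
    m = SSHD_FAILREGEX.search(line)
    return m.group("host") if m else None

def hosts_to_ban(events, maxretry=MAXRETRY, findtime=FINDTIME):
    """events: (epoch_seconds, log_line) pairs in time order. A host is
    banned once maxretry matched failures fall inside a findtime window,
    i.e. 4 failures are tolerated and the fifth triggers the ban."""
    recent = defaultdict(list)
    banned = set()
    for ts, line in events:
        host = failed_host(line)
        if host is None or host in banned:
            continue
        window = [t for t in recent[host] if ts - t <= findtime] + [ts]
        recent[host] = window
        if len(window) >= maxretry:
            banned.add(host)
    return banned

# Constructed sample input: timestamps are made up, the audit line is
# abbreviated from the dmesg output in the question.
AUDIT_LINE = ("audit: type=1100 audit(1578002868.083:149): pid=24591 "
              "msg='op=PAM:authentication grantors=? acct=\"root\" "
              "exe=\"/usr/bin/sshd\" hostname=49.88.112.111 "
              "addr=49.88.112.111 terminal=ssh res=failed'")
SSHD_LINE = "sshd[24591]: Failed password for root from 49.88.112.111 port 44412 ssh2"
PIERRE_LINE = "sshd[25157]: Failed password for invalid user pierre from 144.217.85.239 port 50000 ssh2"
SAMPLE_EVENTS = (
    [(1578002700, AUDIT_LINE)]                              # ignored by the filter
    + [(1578002800 + 10 * i, SSHD_LINE) for i in range(5)]  # fifth failure -> ban
    + [(1578002900 + i, PIERRE_LINE) for i in range(4)]     # four: still tolerated
)
```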

I've resolved it. The problem was that the journal was disabled. As for changing the default port, I've considered that and have decided against it.

Can I ask for the reason(s) why you decided against changing the default port?

That is true.

I run an ssh server on a non-default port, and it had been great for years, until someone ran a complete port scan and found my port. Then I got hammered from whole IP ranges originating in China.

The best security measure is public key.

The nice thing is that you can always switch the port again.

I also run fail2ban after changing the port. It is very simple to block a non-default port in Fail2ban, or even multiple ports. However, that requires a banaction like iptables-multiport or similar.

I would also suggest disabling root login entirely and specifying only one or a few users that are allowed to log in. This can be done in sshd_config via AllowUsers.


I often give access to friends, and arranging for keyed access would be a pain. I will protect my root and main user account with ssh keys.
