Fail2Ban: Already Banned. Happening a lot.

Discussion in 'Server Operation' started by edooze, Sep 26, 2016.

  1. edooze

    edooze Member

    Hi all,

I am getting a strange problem with Fail2Ban with regards to 'already banned' IPs, and subsequently more than the allowed number of connection attempts.

    I've tried a couple of things to fix it, but I am by no means an expert.
    The latest change made was to change the port on ssh from:

    Code:
    port = ssh
    to
    Code:
    port = all
    Prior to that I changed the protocol from:
    Code:
    protocol = tcp
    to
    Code:
    protocol = all
    Here's my jail.local, default and the SSH jail:

    Code:
    [DEFAULT]
ignoreip = 127.0.0.1/8 xx.xx.xx.xx/32   # xx.xx.xx.xx is the webserver's external IP
    bantime = 3600
    protocol = all
    
    [ssh]
    enabled  = true
    port  = all
    #action  = iptables-multiport[name=ssh, port=all, protocol=all]
    logpath  = /var/log/auth.log*
    maxretry = 6
    
    The action line is commented out, as I thought this might be causing it.

Select lines from jail.conf (let me know if you need more):
    Code:
    [DEFAULT]
    findtime = 6000  ; 100 mins
    maxretry = 3
    
banaction = iptables-multiport
    
    [ssh]
    
    enabled  = true
    port  = ssh
    filter  = sshd
    logpath  = /var/log/auth.log
    maxretry = 6
    
    jail.conf has protocol = tcp, but my understanding is that anything in the jail.local will override the jail.conf settings.

    Let me know if you need anything else.
    Any help appreciated.
     
  2. elmacus

    elmacus Active Member

Port = all means 0 - 65535.
Do you really want to block all traffic?
     
  3. edooze

    edooze Member

    Yes. Anyone who tries to login via SSH should be immediately banned on all ports. Due to the nature of the service, there is no reason a legitimate user would require this functionality.
     
  4. elmacus

    elmacus Active Member

But SSH is only a name. You are really forcing it to block the whole internet, I guess...
     
  5. edooze

    edooze Member

    Yes, that's right. I want those IPs to be banned for every protocol on every port. In fact, anyone who tries to log in to root SSH even once could be permabanned. There is no legitimate-use case whatsoever. I'll add that filter later on.

    It seems
    Code:
    port = all
    is not the correct syntax. It needs to be
    Code:
    port=0:65535
    Also, I have used iptables-allports and this seems to be working better. Possibly iptables-multiport doesn't like blocking on all ports.
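The two settings changed in this thread (`protocol = all` and `port = all`) both land in the rule that fail2ban's stock `iptables-multiport` action inserts into `INPUT` when the jail starts: `-p <protocol> -m multiport --dports <port>`. iptables refuses that rule when the port spec is not a number, range or service name, and also when the protocol is not one of tcp/udp/udplite/sctp/dccp, because the multiport match needs a port-bearing protocol; the `iptables-allports` action carries no port clause at all, which is why it behaves differently. The script below is an added example, not fail2ban's own code and not from the thread: it renders the commands the two stock actions would run for a given jail and validates the settings the way iptables will. The jail name `ssh`, the sample IP `203.0.113.5` and the small service-name table are constructed.

```python
"""Render the iptables commands fail2ban's stock banactions would run for a
jail's protocol/port settings, and validate those settings the way iptables
will.  Added example; the command templates follow the stock
action.d/iptables-multiport.conf and action.d/iptables-allports.conf, the
jail name and sample IP are constructed."""
import re

# iptables' multiport match only works with these protocols.
MULTIPORT_PROTOCOLS = {"tcp", "udp", "udplite", "sctp", "dccp"}
# Service names iptables would resolve via /etc/services (assumption: a small
# subset is enough for the demonstration).
KNOWN_SERVICES = {"ssh", "http", "https"}


def port_spec_error(spec):
    """Return None if '-m multiport --dports <spec>' is well-formed, otherwise
    the reason.  Accepts comma-separated port numbers, service names and
    low:high ranges, which is what multiport accepts."""
    for item in spec.replace(" ", "").split(","):
        m = re.fullmatch(r"(\d+)(?::(\d+))?", item)
        if m:
            lo = int(m.group(1))
            hi = int(m.group(2)) if m.group(2) else lo
            if not 0 <= lo <= hi <= 65535:
                return f"port range {item!r} out of bounds"
        elif item not in KNOWN_SERVICES:
            return f"invalid port/service {item!r} specified"
    return None


def render_actions(banaction, jail, protocol, port, ip):
    """Return {'start': [...], 'ban': [...]} command lists, or raise ValueError
    with the reason iptables would refuse the jail's start rule."""
    chain = f"f2b-{jail}"
    start = [f"iptables -N {chain}", f"iptables -A {chain} -j RETURN"]
    if banaction == "iptables-multiport":
        if protocol not in MULTIPORT_PROTOCOLS:
            raise ValueError(
                f"multiport needs -p tcp/udp/udplite/sctp/dccp, not -p {protocol}")
        err = port_spec_error(port)
        if err:
            raise ValueError(err)
        start.append(
            f"iptables -I INPUT -p {protocol} -m multiport --dports {port} -j {chain}")
    elif banaction == "iptables-allports":
        # allports hooks the chain into INPUT for the whole protocol, no port clause.
        start.append(f"iptables -I INPUT -p {protocol} -j {chain}")
    else:
        raise ValueError(f"unknown banaction {banaction!r}")
    # The per-IP ban is identical in both actions; it is only effective if the
    # start rule above actually made it into INPUT.
    ban = [f"iptables -I {chain} 1 -s {ip} -j REJECT --reject-with icmp-port-unreachable"]
    return {"start": start, "ban": ban}


def check_jail(banaction, jail, protocol, port, ip="203.0.113.5"):
    """(ok, detail): detail is the command dict on success, the iptables-style
    error message otherwise."""
    try:
        return True, render_actions(banaction, jail, protocol, port, ip)
    except ValueError as e:
        return False, str(e)


if __name__ == "__main__":
    # Walk through the configurations discussed in the thread.
    for cfg in [("iptables-multiport", "ssh", "tcp", "ssh"),
                ("iptables-multiport", "ssh", "tcp", "all"),
                ("iptables-multiport", "ssh", "all", "0:65535"),
                ("iptables-allports", "ssh", "all", "all")]:
        ok, detail = check_jail(*cfg)
        print(cfg, "OK:" if ok else "REJECTED:",
              detail["start"][-1] if ok else detail)
```

Run as-is it prints one line per configuration: the stock `tcp`/`ssh` pair renders cleanly, `port = all` and `protocol = all` are both rejected under `iptables-multiport`, and `iptables-allports` renders regardless of the port value because it never uses it.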
     
  6. elmacus

    elmacus Active Member

But you really only need to check the SSH port for SSH traffic.
Hacker IP will be blocked if matched.
No use case for checking auth log for port 80 traffic; it's not there.
You asked why customers got blocked? Well, don't change the default rule.
Good luck anyway.
     
  7. edooze

    edooze Member

    SSH can be moved to any port, it doesn't just have to be port 22.

The problem is not that customers are getting blocked, it's that blocked IPs are being listed as 'already banned' - they shouldn't be getting through at all!

    Thanks for any assistance.
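A handful of 'already banned' lines right after a Ban are normal: REJECT stops new connections, but an SSH session that was already open keeps producing auth.log failures until sshd drops it. 'Already banned' lines that keep arriving minutes later mean the IP is still reaching the service, and with the stock iptables-multiport action the usual reason is that the `-m multiport --dports` rule was refused when the jail started, so later bans go into a chain no packet traverses. The script below is an added example, not from the thread or from fail2ban: it scans fail2ban.log for that pattern, counting per IP how many 'already banned' events fall outside a short grace window after the Ban and how many ERROR lines the action logger emitted for the jail's chain. The log layout (timestamp, logger, `[pid]`, level, message) is the 2016-era format, the sample lines are constructed, and the 15-second grace window is an assumption.

```python
"""Audit fail2ban log lines for bans that evidently did not take effect.
Added example (not fail2ban's own code).  Sample lines are constructed; the
log layout and the grace window are assumptions."""
import re
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ "
    r"fail2ban\.(?P<logger>\w+)\s+\[\d+\]: (?P<level>\w+)\s+(?P<msg>.*)$")
BAN_RE = re.compile(r"^\[(?P<jail>[^\]]+)\] Ban (?P<ip>\S+)$")
ALREADY_RE = re.compile(r"^\[(?P<jail>[^\]]+)\] (?P<ip>\S+) already banned$")
CHAIN_RE = re.compile(r"\bf2b-(?P<jail>\w+)\b")

# Retries from an SSH session opened before the ban may legitimately log for a
# few seconds after it (assumption: 15 s covers that).
GRACE_SECONDS = 15

# Constructed sample: a jail whose multiport start rule was refused, one IP
# that keeps getting through, and one whose 'already banned' is within grace.
SAMPLE_LOG = """\
2016-09-26 10:00:00,050 fail2ban.action   [1234]: ERROR   iptables -I INPUT -p all -m multiport --dports all -j f2b-ssh -- stderr: 'iptables: invalid port/service `all' specified'
2016-09-26 10:00:00,051 fail2ban.action   [1234]: ERROR   iptables -I INPUT -p all -m multiport --dports all -j f2b-ssh -- returned 2
2016-09-26 10:05:01,100 fail2ban.actions  [1234]: NOTICE  [ssh] Ban 203.0.113.5
2016-09-26 10:05:03,200 fail2ban.actions  [1234]: WARNING [ssh] 203.0.113.5 already banned
2016-09-26 10:07:40,300 fail2ban.actions  [1234]: WARNING [ssh] 203.0.113.5 already banned
2016-09-26 10:09:12,400 fail2ban.actions  [1234]: WARNING [ssh] 203.0.113.5 already banned
2016-09-26 10:11:00,500 fail2ban.actions  [1234]: NOTICE  [ssh] Ban 198.51.100.7
2016-09-26 10:11:02,600 fail2ban.actions  [1234]: WARNING [ssh] 198.51.100.7 already banned
"""


def parse(lines):
    """Yield (timestamp, logger, level, message) for lines in the assumed layout."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                   m["logger"], m["level"], m["msg"])


def audit(lines, grace=GRACE_SECONDS):
    """Return {'ips': {(jail, ip): {...}}, 'jail_errors': {jail: count}}.
    An IP is 'suspect' when it logged 'already banned' more than `grace`
    seconds after its Ban, i.e. it is still reaching the service."""
    bans = {}          # (jail, ip) -> time of the Ban line
    ips = {}           # (jail, ip) -> counters
    jail_errors = {}   # jail -> ERROR lines from the action logger naming its chain
    for ts, logger, level, msg in parse(lines):
        if m := BAN_RE.match(msg):
            key = (m["jail"], m["ip"])
            bans[key] = ts
            ips.setdefault(key, {"already": 0, "late": 0})
        elif m := ALREADY_RE.match(msg):
            key = (m["jail"], m["ip"])
            entry = ips.setdefault(key, {"already": 0, "late": 0})
            entry["already"] += 1
            if key in bans and (ts - bans[key]).total_seconds() > grace:
                entry["late"] += 1
        elif level == "ERROR" and logger in ("action", "actions"):
            if c := CHAIN_RE.search(msg):
                jail_errors[c["jail"]] = jail_errors.get(c["jail"], 0) + 1
    for entry in ips.values():
        entry["suspect"] = entry["late"] > 0
    return {"ips": ips, "jail_errors": jail_errors}


if __name__ == "__main__":
    result = audit(SAMPLE_LOG.splitlines())
    for jail, n in result["jail_errors"].items():
        print(f"jail {jail}: {n} action ERROR line(s) mention chain f2b-{jail}")
    for (jail, ip), e in result["ips"].items():
        flag = "SUSPECT" if e["suspect"] else "ok"
        print(f"[{jail}] {ip}: already banned {e['already']}x, {e['late']} after grace -> {flag}")
```

On the constructed sample this flags 203.0.113.5 (two 'already banned' events minutes after its Ban) and reports the two ERROR lines for chain f2b-ssh, while 198.51.100.7, whose single event is two seconds after the Ban, is left alone. On a real host, point it at `/var/log/fail2ban.log` and read the jail_errors count first: if the start rule failed, every ban in that jail is ineffective, whatever the per-IP counters say.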
     
