Hi all, I am getting a strange problem with Fail2Ban with regards to 'already banned' IPs, and subsequently more than the allowed number of connection attempts. I've tried a couple of things to fix it, but I am by no means an expert.

The latest change made was to change the port on SSH from:

Code:
    port = ssh

to:

Code:
    port = all

Prior to that I changed the protocol from:

Code:
    protocol = tcp

to:

Code:
    protocol = all

Here's my jail.local, default and the SSH jail:

Code:
    [DEFAULT]
    ignoreip = 127.0.0.1/8 xx.xx.xx.xx/32
    bantime = 3600
    protocol = all

    [ssh]
    enabled = true
    port = all
    #action = iptables-multiport[name=ssh, port=all, protocol=all]
    logpath = /var/log/auth.log*
    maxretry = 6

(the xx is the webserver external IP)

The action line is commented out, as I thought this might be causing it.

Select lines from jail.conf (let me know if you need more):

Code:
    [DEFAULT]
    findtime = 6000 ; 100 mins
    maxretry = 3
    banaction = iptables-multiport

    [ssh]
    enabled = true
    port = ssh
    filter = sshd
    logpath = /var/log/auth.log
    maxretry = 6

jail.conf has protocol = tcp, but my understanding is that anything in the jail.local will override the jail.conf settings. Let me know if you need anything else. Any help appreciated.
Yes. Anyone who tries to log in via SSH should be immediately banned on all ports. Due to the nature of the service, there is no reason a legitimate user would require this functionality.
Yes, that's right. I want those IPs to be banned for every protocol on every port. In fact, anyone who tries to log in to root SSH even once could be permabanned. There is no legitimate use case whatsoever. I'll add that filter later on.

It seems

Code:
    port = all

is not the correct syntax. It needs to be

Code:
    port = 0:65535

Also, I have used iptables-allports and this seems to be working better. Possibly iptables-multiport doesn't like blocking on all ports.
But you really only need to check the SSH port for SSH traffic. A hacker's IP will be blocked if matched. There is no use case for checking the auth log for port 80 traffic; it's not there. You asked why customers got blocked? Well, don't change the default rule. Good luck anyway.
SSH can be moved to any port; it doesn't just have to be port 22. The problem is not that customers are getting blocked, it's that blocked IPs are being listed as 'already banned' - they shouldn't be getting through at all! Thanks for any assistance.
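A small diagnostic for the symptom in this thread, added here as an example and not code from the original posts: it parses fail2ban's own log (constructed sample lines in the 0.8-era "fail2ban.actions" format; IPs and timestamps are made up) and reports IPs that keep matching the filter while fail2ban considers them banned, which is exactly what you see when the firewall rule does not cover the port or protocol the attacker is using. It assumes the log format shown in the sample and the "Ban" / "Unban" / "already banned" wording of fail2ban's actions logger.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample fail2ban.log lines (0.8-style "fail2ban.actions" format).
# 198.51.100.7 keeps matching the filter after its ban, the thread's symptom.
SAMPLE_LOG = """\
2024-03-01 10:00:01,100 fail2ban.actions: WARNING [ssh] Ban 198.51.100.7
2024-03-01 10:00:45,200 fail2ban.actions: WARNING [ssh] 198.51.100.7 already banned
2024-03-01 10:01:30,300 fail2ban.actions: WARNING [ssh] 198.51.100.7 already banned
2024-03-01 10:02:00,400 fail2ban.actions: WARNING [ssh] Ban 203.0.113.9
2024-03-01 10:05:12,600 fail2ban.actions: WARNING [ssh] 198.51.100.7 already banned
2024-03-01 11:02:00,500 fail2ban.actions: WARNING [ssh] Unban 203.0.113.9
"""

# Matches "Ban <ip>", "Unban <ip>" and "<ip> already banned" for any jail name.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ fail2ban\.actions.* "
    r"\[(?P<jail>[^\]]+)\] (?:(?P<verb>Ban|Unban) (?P<ip1>\S+)|(?P<ip2>\S+) already banned)$"
)

def parse(log_text):
    """Return (timestamp, jail, event, ip) tuples; event is Ban, Unban or AlreadyBanned."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        if m.group("verb"):
            events.append((ts, m.group("jail"), m.group("verb"), m.group("ip1")))
        else:
            events.append((ts, m.group("jail"), "AlreadyBanned", m.group("ip2")))
    return events

def leaky_bans(log_text, threshold=2):
    """Map (jail, ip) -> number of filter matches seen while that IP was banned.
    A banned IP should not reach the service at all, so repeated 'already banned'
    hits mean the firewall rule is not dropping its traffic (wrong port/protocol)."""
    counts = defaultdict(int)
    banned_at = {}
    for ts, jail, verb, ip in sorted(parse(log_text)):
        key = (jail, ip)
        if verb == "Ban":
            banned_at[key] = ts
        elif verb == "Unban":
            banned_at.pop(key, None)
        elif key in banned_at:
            counts[key] += 1
    return {k: n for k, n in counts.items() if n >= threshold}
```

Run it over a real /var/log/fail2ban.log by reading the file into `leaky_bans`; any IP it reports is one whose iptables rule should be checked with `iptables -L -n` against the port and protocol the jail actually uses.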