Hello, I have the problem that fail2ban is too slow to avoid brute force attacks. I get about 50 login tries before the IP is in the iptables in order to lock. I entered in /etc/pam.d/sshd the line auth optional pam_faildelay.so delay=1000000 but this does not solve the problem.
What does that do? It would seem that setting does not affect fail2ban at all. What is findtime and maxretry for the jail you are examining?
I thought that PAM would delay the login tries, so fail2ban has time to block. I have about 50 login tries in 2 seconds, so if PAM delays them fail2ban has time to block.
Yes:
2023-04-01 10:29:13,103 fail2ban.filter [24096]: INFO [sshd] Found 8.213.25.121
2023-04-01 10:29:13,108 fail2ban.filter [24096]: INFO [sshd] Found 8.213.25.121
2023-04-01 10:29:13,109 fail2ban.filter [24096]: INFO [sshd] Found 8.213.25.121
2023-04-01 10:29:13,112 fail2ban.filter [24096]: INFO [sshd] Found 8.213.25.121
2023-04-01 10:29:13,113 fail2ban.filter [24096]: INFO [sshd] Found 8.213.25.121
2023-04-01 10:29:13,116 fail2ban.filter [24096]: INFO [sshd] Found 8.213.25.121
2023-04-01 10:29:13,117 fail2ban.filter [24096]: INFO [sshd] Found 8.213.25.121
2023-04-01 10:29:13,121 fail2ban.filter [24096]: INFO [sshd] Found 8.213.25.121
2023-04-01 10:29:13,192 fail2ban.filter [24096]: INFO [sshd] Found 8.213.25.121
2023-04-01 10:29:13,193 fail2ban.filter [24096]: INFO [sshd] Found 8.213.25.121
2023-04-01 10:29:13,195 fail2ban.filter [24096]: INFO [sshd] Found 8.213.25.121
2023-04-01 10:29:13,200 fail2ban.filter [24096]: INFO [sshd] Found 8.213.25.121
2023-04-01 10:29:13,201 fail2ban.filter [24096]: INFO [sshd] Found 8.213.25.121
2023-04-01 10:29:13,202 fail2ban.filter [24096]: INFO [sshd] Found 8.213.25.121
2023-04-01 10:29:13,203 fail2ban.filter [24096]: INFO [sshd] Found 8.213.25.121
2023-04-01 10:29:13,204 fail2ban.filter [24096]: INFO [sshd] Found 8.213.25.121
2023-04-01 10:29:13,206 fail2ban.filter [24096]: INFO [sshd] Found 8.213.25.121
2023-04-01 10:29:13,211 fail2ban.filter [24096]: INFO [sshd] Found 8.213.25.121
2023-04-01 10:29:13,288 fail2ban.filter [24096]: INFO [sshd] Found 8.213.25.121
2023-04-01 10:29:13,290 fail2ban.filter [24096]: INFO [sshd] Found 8.213.25.121
2023-04-01 10:29:13,298 fail2ban.filter [24096]: INFO [sshd] Found 8.213.25.121
2023-04-01 10:29:13,394 fail2ban.filter [24096]: INFO [sshd] Found 8.213.25.121
2023-04-01 10:29:13,482 fail2ban.filter [24096]: INFO [sshd] Found 8.213.25.121
2023-04-01 10:29:13,602 fail2ban.filter [24096]: INFO [sshd] Found 8.213.25.121
2023-04-01 10:29:13,857 fail2ban.actions [24096]: NOTICE [sshd] Ban 8.213.25.121
2023-04-01 10:29:14,167 fail2ban.actions [24096]: NOTICE [sshd] 8.213.25.121 already banned
2023-04-01 10:29:15,123 fail2ban.filter [24096]: INFO [sshd] Found 8.213.25.121
2023-04-01 10:29:15,123 fail2ban.filter [24096]: INFO [sshd] Found 8.213.25.121
2023-04-01 10:29:15,123 fail2ban.filter [24096]: INFO [sshd] Found 8.213.25.121
2023-04-01 10:29:15,131 fail2ban.filter [24096]: INFO [sshd] Found 8.213.25.121
2023-04-01 10:29:15,132 fail2ban.filter [24096]: INFO [sshd] Found 8.213.25.121
2023-04-01 10:29:15,132 fail2ban.filter [24096]: INFO [sshd] Found 8.213.25.121
2023-04-01 10:29:15,133 fail2ban.filter [24096]: INFO [sshd] Found 8.213.25.121
2023-04-01 10:29:15,133 fail2ban.filter [24096]: INFO [sshd] Found 8.213.25.121
2023-04-01 10:29:15,139 fail2ban.filter [24096]: INFO [sshd] Found 8.213.25.121
2023-04-01 10:29:15,208 fail2ban.actions [24096]: NOTICE [sshd] 8.213.25.121 already banned
2023-04-01 10:29:15,232 fail2ban.filter [24096]: INFO [sshd] Found 8.213.25.121
2023-04-01 10:29:15,232 fail2ban.filter [24096]: INFO [sshd] Found 8.213.25.121
2023-04-01 10:29:15,232 fail2ban.filter [24096]: INFO [sshd] Found 8.213.25.121
2023-04-01 10:29:15,412 fail2ban.filter [24096]: INFO [sshd] Found 8.213.25.121
2023-04-01 10:29:15,533 fail2ban.filter [24096]: INFO [sshd] Found 8.213.25.121
2023-04-01 10:29:16,253 fail2ban.actions [24096]: NOTICE [sshd] 8.213.25.121 already banned
2023-04-01 10:29:17,298 fail2ban.actions [24096]: NOTICE [sshd] 8.213.25.121 already banned
2023-04-01 10:29:18,343 fail2ban.actions [24096]: NOTICE [sshd] 8.213.25.121 already banned
2023-04-01 10:29:19,387 fail2ban.actions [24096]: NOTICE [sshd] 8.213.25.121 already banned
2023-04-01 10:29:20,428 fail2ban.actions [24096]: NOTICE [sshd] 8.213.25.121 already banned
After this, in iptables it's written: -A f2b-sshd -s 8.213.25.121/32 -j DROP. Hope this will block all ports.
Problem is I set the value to 3 login attempts; after this fail2ban writes the IP in the iptables to block. But fail2ban is too slow, so the spammer has about 50 tries to find the password. I need a solution to delay the login attempts so fail2ban has time to write the iptables.
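The complaint above ("3 attempts configured, ~50 logged before the ban") is measurable from fail2ban.log itself: count the Found lines per IP before the first Ban, and time the gap between the maxretry-th match and the Ban line. The following parser is an added example, not code from the thread or from the fail2ban project; the log excerpt inside it is constructed in the same shape as the one posted (the 192.0.2.10 and 198.51.100.7 addresses and timestamps are made up), and maxretry=3 is assumed to match the jail setting the poster describes.

```python
import re
import sys
from collections import defaultdict
from datetime import datetime

# Constructed fail2ban.log excerpt in the same shape as the one posted in the thread.
# Timestamps and addresses are made up for this example.
SAMPLE_LOG = """\
2023-04-01 10:29:13,103 fail2ban.filter [24096]: INFO [sshd] Found 192.0.2.10
2023-04-01 10:29:13,108 fail2ban.filter [24096]: INFO [sshd] Found 192.0.2.10
2023-04-01 10:29:13,112 fail2ban.filter [24096]: INFO [sshd] Found 192.0.2.10
2023-04-01 10:29:13,200 fail2ban.filter [24096]: INFO [sshd] Found 192.0.2.10
2023-04-01 10:29:13,602 fail2ban.filter [24096]: INFO [sshd] Found 192.0.2.10
2023-04-01 10:29:13,857 fail2ban.actions [24096]: NOTICE [sshd] Ban 192.0.2.10
2023-04-01 10:29:14,167 fail2ban.actions [24096]: NOTICE [sshd] 192.0.2.10 already banned
2023-04-01 10:29:15,123 fail2ban.filter [24096]: INFO [sshd] Found 192.0.2.10
2023-04-01 10:29:15,208 fail2ban.actions [24096]: NOTICE [sshd] 192.0.2.10 already banned
2023-04-01 10:30:01,000 fail2ban.filter [24096]: INFO [sshd] Found 198.51.100.7
"""

# fail2ban pads the component and level columns with spaces; \s+ accepts both the
# padded form from a real log file and the collapsed form pasted into the thread.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"fail2ban\.(?P<component>\w+)\s+\[\d+\]:\s+(?P<level>\w+)\s+"
    r"\[(?P<jail>[^\]]+)\]\s+(?P<msg>.*)$"
)
FOUND_RE = re.compile(r"^Found (?P<ip>\S+)$")
BAN_RE = re.compile(r"^Ban (?P<ip>\S+)$")


def parse_events(text):
    """Yield (timestamp, kind, ip) for Found and Ban lines; everything else is skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f")
        found = FOUND_RE.match(m["msg"])
        if found:
            yield ts, "found", found["ip"]
            continue
        ban = BAN_RE.match(m["msg"])
        if ban:
            yield ts, "ban", ban["ip"]


def ban_latency(text, maxretry=3):
    """Per IP: matches seen before the first Ban, and how long after the maxretry-th
    match the Ban was written. That gap is the window in which extra attempts land."""
    found = defaultdict(list)
    first_ban = {}
    for ts, kind, ip in parse_events(text):
        if kind == "found":
            found[ip].append(ts)
        elif kind == "ban" and ip not in first_ban:
            first_ban[ip] = ts
    report = {}
    for ip, stamps in found.items():
        ban = first_ban.get(ip)
        before = [t for t in stamps if ban is None or t <= ban]
        entry = {"found_before_ban": len(before), "banned": ban is not None}
        if ban is not None and len(before) >= maxretry:
            trigger = before[maxretry - 1]  # the match that should have tripped the jail
            entry["seconds_after_trigger"] = round((ban - trigger).total_seconds(), 3)
            # Found lines after the Ban: sessions already accepted before the DROP rule
            entry["found_after_ban"] = len(stamps) - len(before)
        report[ip] = entry
    return report


if __name__ == "__main__":
    # Usage: python3 ban_latency.py /var/log/fail2ban.log  (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for ip, entry in ban_latency(text).items():
        print(ip, entry)
```

On the constructed sample the banned address shows 5 matches before the Ban, a 0.745 s gap between the third match and the Ban, and one further match logged after it. Run against the real log, the seconds_after_trigger column is the number to watch: it tells you whether the attempts slip through because the jail reacts slowly or because many sshd sessions were already open when the rule landed, which is what makes a per-connection rate limit (or MaxStartups in sshd) the complementary fix rather than a PAM delay.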
Have you considered adding the recidive jail in fail2ban and making it trigger after two bans? Put the recidive bantime to 1 week; then that culprit has 100 attempts per week.
No, I have not, because fail2ban recognises the login. But it takes fail2ban too long to add the iptables. I have 3 tries and bantime 1 year; that's not the problem. The problem is that someone can try faster than fail2ban can react. Have you seen my log? So I need a solution that, for example, after every unsuccessful login there has to be a delay of one second or so. That was the reason I entered in /etc/pam.d/sshd the line auth optional pam_faildelay.so delay=1000000. It has nothing to do directly with fail2ban, but it should give it time to react. But it does not work. So once more: is there a way to delay sshd login with any config?
Sorry, does not work. I'm wondering that no one has the same problem and there is no solution. Has no one of you problems with DOS attacks on port 22?
All servers connected to the Internet have those. Hundreds of attempts daily. Fail2ban solves the issue on my servers. I'm sure iptables can block rapid-fire logins from the same IP. There are several articles by different authors on the web about this; they can not all be wrong.
Yes, there are a lot of iptables and PAM configs to solve this case. In my mind most of them will work when iptables has only a few entries; mine has a lot. So ... My workaround is to use the UFW log. I do not use SSH often, so I switch it off via ISPConfig in the firewall settings. So all SSH access tries and others are logged in the UFW log. There is a fail2ban entry that blocks all unwanted access to blocked ports, even the SSH tries. Right now I have to block 2 IPs each minute; right now my iptables has about 5,000 entries already. I think I have to install a geoip blocker.
Well, if you always only connect to SSH from certain places, you could just whitelist those IPs and disallow SSH connections from any other IP. Just have those as permanent iptables/ufw rules... no need for anything in fail2ban to do that. You could then just use fail2ban to monitor for connection attempts from non-whitelisted IPs and block them for all services if you so wish. Also, if you want to avoid having to switch SSH on/off via the firewall, which wouldn't really be necessary with the above solution, you could just configure port knocking for SSH. Then the SSH port is not open unless connection attempts are made to a specific sequence of ports from the same source IP first.