Fail2Ban not working at all

Discussion in 'Server Operation' started by dtb1987, Jan 23, 2016.

  1. dtb1987

    dtb1987 New Member

    OK, so I just did a fresh install on my Raspberry Pi (Raspbian) and I can't get fail2ban to do anything; it doesn't block any failed SSH logins.
    I checked to make sure it was pointing at the correct log file (/var/log/auth.log), which it is. I have confirmed that iptables is active, fail2ban is started and the sshd jail is turned on. I really don't know what to do at this point; I've never had this much trouble getting it to work with SSH before. It normally works right out of the box. I'll post my log filter and auth log here:
    Log:
    Code:
    Jan 22 21:11:25 PI2 sshd[22700]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.4.56.163  user=pi
    Jan 22 21:11:27 PI2 sshd[22700]: Failed password for pi from 216.4.56.163 port 16290 ssh2
    Jan 22 21:11:27 PI2 sshd[22700]: error: Received disconnect from 216.4.56.163: 3: com.jcraft.jsch.JSchException: Auth cancel [preauth]
    Jan 22 21:17:01 PI2 CRON[22783]: pam_unix(cron:session): session opened for user root by (uid=0)
    Jan 22 21:17:01 PI2 CRON[22783]: pam_unix(cron:session): session closed for user root
    Jan 22 21:17:30 PI2 sshd[22809]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=183.3.202.106  user=root
    Jan 22 21:17:33 PI2 sshd[22809]: Failed password for root from 183.3.202.106 port 16766 ssh2
    Jan 22 21:17:36 PI2 sshd[22809]: Failed password for root from 183.3.202.106 port 16766 ssh2
    Jan 22 21:17:38 PI2 sshd[22809]: Failed password for root from 183.3.202.106 port 16766 ssh2
    Jan 22 21:17:39 PI2 sshd[22809]: Received disconnect from 183.3.202.106: 11:  [preauth]
    Jan 22 21:17:39 PI2 sshd[22809]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=183.3.202.106  user=root
    
    Filter:
    Code:
            ^%(__prefix_line)sFailed \S+ for .*? from <HOST>(?: port \d*)?(?: ssh\d*
            ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
            ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because listed in Deny
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because not in any gro
            ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
            ^%(__prefix_line)sReceived disconnect from <HOST>: 3: \S+: Auth fail$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because a group is lis
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's
    
    ignoreregex =.
    
    I'm pretty sure that it's the log filter, but I'm not sure how to fix it.
    Any help you guys could offer would be greatly appreciated.
    Thanks
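To see what an sshd filter actually matches against the lines posted above, here is an added example (not code from this thread and not fail2ban's own code) that re-implements the core of fail2ban's filter and jail logic in Python: a simplified stand-in for `%(__prefix_line)s`, the `<HOST>` expansion, a small failregex set modelled on the stock sshd filter, an ignoreregex, and the findtime/maxretry sliding window. The log text is the poster's auth.log reproduced as constructed input; `maxretry = 3`, `findtime = 600` and the year 2016 for the syslog timestamps are assumptions for the demonstration, not values from the page.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: the auth.log lines from the post, unwrapped.
AUTH_LOG = """\
Jan 22 21:11:25 PI2 sshd[22700]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.4.56.163  user=pi
Jan 22 21:11:27 PI2 sshd[22700]: Failed password for pi from 216.4.56.163 port 16290 ssh2
Jan 22 21:11:27 PI2 sshd[22700]: error: Received disconnect from 216.4.56.163: 3: com.jcraft.jsch.JSchException: Auth cancel [preauth]
Jan 22 21:17:01 PI2 CRON[22783]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 22 21:17:01 PI2 CRON[22783]: pam_unix(cron:session): session closed for user root
Jan 22 21:17:30 PI2 sshd[22809]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=183.3.202.106  user=root
Jan 22 21:17:33 PI2 sshd[22809]: Failed password for root from 183.3.202.106 port 16766 ssh2
Jan 22 21:17:36 PI2 sshd[22809]: Failed password for root from 183.3.202.106 port 16766 ssh2
Jan 22 21:17:38 PI2 sshd[22809]: Failed password for root from 183.3.202.106 port 16766 ssh2
Jan 22 21:17:39 PI2 sshd[22809]: Received disconnect from 183.3.202.106: 11:  [preauth]
Jan 22 21:17:39 PI2 sshd[22809]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=183.3.202.106  user=root
"""

# Simplified stand-in for fail2ban's %(__prefix_line)s (assumption for this example):
# syslog timestamp, hostname, then "sshd[pid]: ".
PREFIX = r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
# fail2ban expands the <HOST> token to this (optional IPv4-mapped IPv6 prefix, then the host).
HOST = r"(?:::f{4,6}:)?(?P<host>\S+)"

# Failregex set written for this example, modelled on the stock sshd filter's patterns.
FAILREGEX = [
    r"Failed \S+ for .*? from <HOST>(?: port \d*)?(?: ssh\d*)?\s*$",
    r"[iI](?:llegal|nvalid) user .* from <HOST>\s*$",
    r"pam_unix\(sshd:auth\): authentication failure; .*rhost=<HOST>(?:\s+user=\S*)?\s*$",
]


def compile_filter(failregex, ignoreregex=""):
    """Prepend the prefix, expand <HOST>, and compile; an empty ignoreregex means 'ignore nothing'."""
    fails = [re.compile(PREFIX + r.replace("<HOST>", HOST)) for r in failregex]
    ignore = re.compile(ignoreregex) if ignoreregex else None
    return fails, ignore


def match_failures(log_text, failregex=FAILREGEX, ignoreregex="", year=2016):
    """Return [(timestamp, host)] for each line some failregex matches and the ignoreregex does not."""
    fails, ignore = compile_filter(failregex, ignoreregex)
    hits = []
    for line in log_text.splitlines():
        if ignore and ignore.search(line):      # ignoreregex wins over failregex, as in fail2ban
            continue
        for rx in fails:
            m = rx.match(line)
            if m:
                # syslog lines carry no year; the caller supplies one (assumed 2016 here)
                ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
                hits.append((ts, m.group("host")))
                break
    return hits


def decide_bans(hits, maxretry=3, findtime=600):
    """Ban a host once it has maxretry matches within a findtime-second window; returns {host: ban time}."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)
    banned = {}
    for ts, host in sorted(hits):
        if host in banned:
            continue
        recent[host] = [t for t in recent[host] if ts - t <= window] + [ts]
        if len(recent[host]) >= maxretry:
            banned[host] = ts
    return banned


if __name__ == "__main__":
    hits = match_failures(AUTH_LOG)
    for ts, host in hits:
        print(ts, host)
    print("bans:", decide_bans(hits))
    # A catch-all ignoreregex suppresses every match, so nothing is ever banned:
    print("with ignoreregex='.':", match_failures(AUTH_LOG, ignoreregex="."))
```

With these patterns the 183.3.202.106 lines produce four matches (one pam_unix line plus three "Failed password" lines) and the host is banned on the third one at 21:17:36; 216.4.56.163 only produces two and is not. On the box itself the equivalent check is `fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf`, which prints which lines matched and which did not. The last call in the block is the caveat the posted filter raises: it ends in `ignoreregex =.`, and if that dot is really in the file rather than a display artifact, every log line matches the ignore pattern and no failure is ever counted, which is exactly the "matches in fail2ban-regex but never bans" symptom.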
     
  2. dtb1987

    dtb1987 New Member

    Figured it out,

    The issue was that I had a custom jail set up for a different service, and it wasn't configured correctly, which was keeping fail2ban from starting correctly.

    So when I ran "service fail2ban status" I would get this before I fixed the other jail:

    Code:
    ● fail2ban.service - LSB: Start/stop fail2ban
    Loaded: loaded (/etc/init.d/fail2ban)
    Active: active (exited) since Mon 2016-01-25 18:41:50 EST; 3s ago
    Process: 11673 ExecStop=/etc/init.d/fail2ban stop (code=exited, status=0/SUCCESS)
    Process: 11683 ExecStart=/etc/init.d/fail2ban start (code=exited, status=0/SUCCESS)
    
    Jan 25 18:41:50 PI2 fail2ban[11683]: Starting authentication failure monitor: fail2banERROR No file(s) found for glob /wrong/way/service.log #edit to your needs
    Jan 25 18:41:50 PI2 fail2ban[11683]: ERROR Failed during configuration: Have not found any log file for service jail
    Jan 25 18:41:50 PI2 fail2ban[11683]: failed!
    Jan 25 18:41:50 PI2 systemd[1]: Started LSB: Start/stop fail2ban.
    After I fixed it:

    Code:
    ● fail2ban.service - LSB: Start/stop fail2ban
    Loaded: loaded (/etc/init.d/fail2ban)
    Active: active (running) since Mon 2016-01-25 18:43:03 EST; 3s ago
    Process: 11774 ExecStop=/etc/init.d/fail2ban stop (code=exited, status=0/SUCCESS)
    Process: 11784 ExecStart=/etc/init.d/fail2ban start (code=exited, status=0/SUCCESS)
    CGroup: /system.slice/fail2ban.service
    └─11795 /usr/bin/python /usr/bin/fail2ban-server -b -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid
    
    Jan 25 18:43:03 PI2 fail2ban[11784]: Starting authentication failure monitor: fail2ban.
    Jan 25 18:43:03 PI2 systemd[1]: Started LSB: Start/stop fail2ban.
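A pre-flight check for the failure mode in this post, written for this page as an added example (not fail2ban's own code): it reads a jail file with the standard-library configparser and, for every enabled jail, expands each logpath entry as a glob and reports the ones that match no file, which is what the server in the status output above refused to start on. The jail.local is constructed for the example, with one good sshd jail pointing at a temporary auth.log and one jail whose logpath is the same placeholder path as in the post; it uses literal paths rather than fail2ban's `%(sshd_log)s`-style interpolation, so `interpolation=None` is passed to the parser.

```python
import configparser
import glob
import os
import tempfile

# Constructed jail.local: one jail with a real log file, one with a logpath that does not exist.
# {auth_log} is filled in at run time from a temporary directory.
JAIL_TEMPLATE = """\
[DEFAULT]
bantime  = 600
findtime = 600
maxretry = 3

[sshd]
enabled  = true
port     = ssh
filter   = sshd
logpath  = {auth_log}

[service]
enabled  = true
port     = http,https
filter   = service
logpath  = /wrong/way/service.log
"""


def load_jails(path):
    """Parse a jail file; fail2ban's own format is INI, so configparser is enough for literal paths."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read(path)
    return cfg


def check_logpaths(cfg):
    """Return {jail: [logpath globs that match nothing]} for every enabled jail."""
    problems = {}
    for jail in cfg.sections():
        if not cfg.getboolean(jail, "enabled", fallback=False):
            continue
        raw = cfg.get(jail, "logpath", fallback="")
        # fail2ban allows several logpath entries, one per line, each of them a glob
        paths = [p.strip() for p in raw.splitlines() if p.strip()]
        missing = [p for p in paths if not glob.glob(p)]
        if missing:
            problems[jail] = missing
    return problems


def demo():
    """Write the constructed jail.local next to an empty auth.log and run the check on it."""
    with tempfile.TemporaryDirectory() as d:
        auth_log = os.path.join(d, "auth.log")
        open(auth_log, "w").close()
        jail_local = os.path.join(d, "jail.local")
        with open(jail_local, "w") as f:
            f.write(JAIL_TEMPLATE.format(auth_log=auth_log))
        return check_logpaths(load_jails(jail_local))


if __name__ == "__main__":
    for jail, missing in demo().items():
        print(f"jail '{jail}' has no log file for: {', '.join(missing)}")
```

The check flags only the `service` jail, the same condition the "No file(s) found for glob" line reports. Because the version in the status output aborts the whole configuration when one jail has no log file, a broken jail for an unrelated service silently disables the sshd jail too; after fixing it, `fail2ban-client status sshd` confirms the jail is loaded and lists the file it is reading.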
     
