My steps are as follows:

1.) I created the domain git.example.com and I've added a domain alias tester1.git.example.com
2.) I created the ssh key pair on my machine using: $ ssh-keygen -b 4096
3.) Then I go to the ISPC GUI and create a new shell for the URL git.example.com from the drop-down, enter the user name, then copy and paste the content of id_test_tgit_rsa.pub into the text field in the ISPC GUI, and click "save" (remembered today.. yay me)
4.) From there I go back to my host and attempt to ssh into the server using: $ ssh -t -i ~/.ssh/id_test_tgit_rsa [email protected]

Result:

Code:
ssh -t -i ~/.ssh/id_test_tgit_rsa [email protected]
The authenticity of host 'tester1.git.example.com (192.168.0.47)' can't be established.
ECDSA key fingerprint is SHA256:/UbY27WLpQv3cKjD9DYVcBFO9PvWOGQedqZBiNMmDgQ.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Failed to add the host to the list of known hosts (/home/user/.ssh/known_hosts).

More detail (verbose)

[CODE]$ ssh -vvv -t -i ~/.ssh/id_test_tgit_rsa [email protected]
OpenSSH_8.2p1 Ubuntu-4ubuntu0.3, OpenSSL 1.1.1f 31 Mar 2020
debug1: Reading configuration data /home/user/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug2: resolving "tester1.git.example.com" port 22
debug2: ssh_connect_direct
debug1: Connecting to tester1.git.example.com [192.168.0.47] port 22.
debug1: Connection established.
debug1: identity file /home/user/.ssh/id_test_tgit_rsa type 0
debug1: identity file /home/user/.ssh/id_test_tgit_rsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.3
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.9p1 Debian-10+deb10u2
debug1: match: OpenSSH_7.9p1 Debian-10+deb10u2 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to tester1.git.example.com:22 as 'adminguytgit'
debug3: hostkeys_foreach: reading file "/home/user/.ssh/known_hosts"
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c
debug2: host key algorithms: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],ssh-ed25519,[email protected],rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
debug2: ciphers stoc: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,[email protected],zlib
debug2: compression stoc: none,[email protected],zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
debug2: ciphers stoc: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none
debug2: compression stoc: none
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:/UbY27WLpQv3cKjD9DYVcBFO9PvWOGQedqZBiNMmDgQ
debug3: hostkeys_foreach: reading file "/home/user/.ssh/known_hosts"
debug3: hostkeys_foreach: reading file "/home/user/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /home/user/.ssh/known_hosts:10
debug3: load_hostkeys: loaded 1 keys from 192.168.0.47
The authenticity of host 'tester1.git.example.com (192.168.0.47)' can't be established.
ECDSA key fingerprint is SHA256:/kukbiouoefelrpe
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Failed to add the host to the list of known hosts (/home/user/.ssh/known_hosts).
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /home/user/.ssh/id_test_tgit_rsa RSA SHA256:9kBcvnrue98uh3RPHoOV8E4r/IgKlLIq3Oa8KsO7s1qHs explicit agent
debug1: Will attempt key: [email protected] RSA SHA256:+jj6IX5B5jLV8fdeoruer(2BOsBskTVeyCntS/HBl4 agent
debug1: Will attempt key: user@machine RSA SHA256:ZMRVqFFj5DTLf4YoQfiT60QBIkW+vcXsK258fcGp2tY agent
debug1: Will attempt key: [email protected] RSA SHA256:KbRGHfik360ABsRjJiJCI510NgG5KdVX4fke/CPtatU agent
debug1: Will attempt key: user@machine RSA SHA256:TQWa71nSVJymQdYoARcsvGhmSE31yO6DM5TvNBNKl6c agent
debug1: Will attempt key: user@machine RSA SHA256:FenNaEH+EdsSWrLVcaUf6zbP8aJ9lgVvy4SjgjWdZZ0 agent
debug1: Will attempt key: [email protected] RSA SHA256:8Sf4OrQe4yN9tazaN8YaO4Kr5kg2joiuhyIK0OXAkTc agent
debug1: Will attempt key: user@machine RSA SHA256:c1WlRsZ0QDVGdedwerffe4c5Rp/JszHuA2ExMXoMIhM2xw agent
debug1: Will attempt key: user@machine RSA SHA256:9/DO/j+xQ4Fdc4LxKZdgDpwL0uiP1kr1wfNM+ran4Rw agent
debug1: Will attempt key: user@machine RSA SHA256:6JqrTqw4CUC071WoM754FTxZm4LJ/tjDsa9RAYPK7M0U agent
debug1: Will attempt key: user@machine RSA SHA256:seCSTO+I434r40Zvfked3MS+2GI44344f5guh0DvCiA agent
debug1: Will attempt key: user@machine RSA SHA256:qwYYwsNwkbYrwY8r43435tO1oQc4rr3rerf9kVDkXW0 agent
debug1: Will attempt key: user@machine RSA SHA256:gXFadksBd77onWktQeQxfrfer4ib5KLpLs8m7aExymY agent
debug1: Will attempt key: user@machine RSA SHA256:es4wc46qNFnQtXbSV85fmFgLPGSidXz+FKaTtRFwBSQ agent
debug1: Will attempt key: user@machine RSA SHA256:C+8B+Kt44BqbCOJX1G3ZU+O4IrodlrMQUCU+YKCvwXE agent
debug1: Will attempt key: user@machine RSA SHA256:S0QKfoorpgO7sVoEn7yUSYtuAfZeGrszci+piIqT1No agent
debug2: pubkey_prepare: done
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 53
debug3: input_userauth_banner
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/user/.ssh/id_test_tgit_rsa RSA SHA256:9kBuyafregtgoOV8E4r/IgKlLIq3Oa8KsO7s1qHs explicit agent
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: [email protected] RSA SHA256:+jj6IX5B5jLV8f49/3EPFg62BOs434ntS/HBl4 agent
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: user@machine RSA SHA256:ZMRVqFFj5DTLf4YoQfiT60QBIkW43r43rfg8fcGp2tY agent
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 1
Received disconnect from 192.168.0.47 port 22:2: Too many authentication failures
Disconnected from 192.168.0.47 port 22
Received disconnect from 192.168.0.47 port 22:2: Too many authentication failures
Disconnected from 192.168.0.47 port 22
[/CODE]

Finally, I try to manually upload the pub key to the server using: ssh-copy-id -i ~/.ssh/id_test_tgit_rsa.pub [email protected]

And this also fails with "too many authentication failures."
You have to wait until fail2ban unbans your IP. You caused too many auth failures and therefore fail2ban banned your IP temporarily.
https://www.howtoforge.com/how-to-whitelist-an-ip-in-fail2ban-on-debian-wheezy The ban times are defined in the fail2ban config files as well.
I followed the instructions, easy enough, but I am still banned..

Code:
# added this to the file: /etc/fail2ban/jail.conf
# [DEFAULT]
# bantime = 1h
ignoreip = 192.168.0.10
# Then I
#service fail2ban restart

Still banned.
This whitelists your IP to prevent future bans, it does not stop the current ban. Wait until you're unbanned automatically or use the fail2ban commands to unban your IP, you can find them by using a search engine of your choice. And then you should try if you can log in by password instead of using the ssh key. And the SSH key must be inserted into the ssh key field of the user in ISPConfig. The ssh copy command you used can't work as you copy the key to a completely wrong user (root instead of adminguytgit).
I don't see any mention that you are using jailkit, but if so check what version you have installed and update if it's v2.22
I checked the fail2ban log using # cat /var/log/fail2ban.log and yeah, my IP is listed

Code:
2021-10-08 15:55:53,220 fail2ban.filter [819]: INFO [sshd] Found 192.168.0.10 - 2021-10-08 15:55:51
2021-10-08 15:55:53,221 fail2ban.filter [819]: INFO [sshd] Found 192.168.0.18 - 2021-10-08 15:55:51
2021-10-08 15:59:49,980 fail2ban.filter [819]: INFO [sshd] Found 192.168.0.18 - 2021-10-08 15:59:49
2021-10-08 15:59:50,156 fail2ban.filter [819]: INFO [sshd] Found 192.168.0.18 - 2021-10-08 15:59:50
2021-10-08 16:23:43,967 fail2ban.filter [819]: INFO [sshd] Found 192.168.0.18 - 2021-10-08 16:23:43
2021-10-08 16:23:44,061 fail2ban.filter [819]: INFO [sshd] Found 192.168.0.18 - 2021-10-08 16:23:44

But I am now having a strange problem... the fail2ban service itself has failed... and for whatever reason I cannot restart it. #systemctl restart fail2ban has no effect...
If fail2ban has a problem, the reason would probably be in the log. Is it running? Try starting it and see what shows up in the log.
log

Code:
# fail2ban-client status
Failed to access socket path: /var/run/fail2ban/fail2ban.sock. Is fail2ban running?
You have new mail in /var/mail/root
root@tester1:~# cat /var/log/fail2ban.log

https://pastebin.com/z4vuAXVF
In any case... it seems that my IP was not banned by fail2ban... I got the service working again...

Code:
fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed: 0
|  `- File list: /var/log/auth.log
`- Actions
   |- Currently banned: 0
   |- Total banned: 0
   `- Banned IP list:

but my ssh still isn't working... guess I will have to investigate jailkit versions
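The log excerpt posted earlier contains only `Found` entries, which record counted failures rather than bans. As an added example (not written by anyone in this thread), the script below reports for one IP whether fail2ban.log ever recorded a `Ban` or `Unban` action. The `Ban`/`Unban` sample lines and the address 192.168.0.99 are constructed, and the `NOTICE [jail] Ban <ip>` line shape is assumed to match the installed fail2ban version.

```shell
# Added example: tell "Found" (a counted failure) apart from "Ban"/"Unban"
# (an action actually taken) for one IP in fail2ban.log.

# Constructed sample: the Found lines copy the thread's format; the Ban and
# Unban lines for 192.168.0.99 are invented to show the contrast.
sample_fail2ban_log() {
cat <<'EOF'
2021-10-08 15:55:53,220 fail2ban.filter [819]: INFO [sshd] Found 192.168.0.10 - 2021-10-08 15:55:51
2021-10-08 15:59:49,980 fail2ban.filter [819]: INFO [sshd] Found 192.168.0.18 - 2021-10-08 15:59:49
2021-10-08 16:23:43,967 fail2ban.filter [819]: INFO [sshd] Found 192.168.0.18 - 2021-10-08 16:23:43
2021-10-08 16:30:00,100 fail2ban.filter [819]: INFO [sshd] Found 192.168.0.99 - 2021-10-08 16:30:00
2021-10-08 16:30:00,500 fail2ban.actions [819]: NOTICE [sshd] Ban 192.168.0.99
2021-10-08 16:40:00,500 fail2ban.actions [819]: NOTICE [sshd] Unban 192.168.0.99
EOF
}

# Usage: ip_ban_state JAIL IP < fail2ban.log
# Prints "found=N state=S"; S is never-banned, banned or unbanned, taken from
# the last Ban/Unban action logged for that IP in that jail.
ip_ban_state() {
  awk -v jail="[$1]" -v ip="$2" '
    BEGIN { state = "never-banned" }
    {
      # Look for the token sequence: [jail] <Found|Ban|Unban> <ip>
      for (i = 1; i + 2 <= NF; i++) {
        if ($i != jail || $(i + 2) != ip) continue
        if ($(i + 1) == "Found") found++
        else if ($(i + 1) == "Ban") state = "banned"
        else if ($(i + 1) == "Unban") state = "unbanned"
      }
    }
    END { printf "found=%d state=%s\n", found, state }'
}

sample_fail2ban_log | ip_ban_state sshd 192.168.0.18
sample_fail2ban_log | ip_ban_state sshd 192.168.0.99
```

On a live server, `fail2ban-client set sshd unbanip 192.168.0.10` lifts an active ban for that address in the sshd jail.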
So now I know fail2ban isn't the problem and my IP is whitelisted against future issues.. I now have jailkit updated to the latest version

Code:
# dpkg --install jailkit_2.23-1_amd64.deb
(Reading database ... 240467 files and directories currently installed.)
Preparing to unpack jailkit_2.23-1_amd64.deb ...
Unpacking jailkit (2.23-1) over (2.21-2~bpo10+1) ...
Setting up jailkit (2.23-1) ...

But the original problem of not being able to ssh into the directory still exists (too many authentication errors). Suggestions definitely welcome.
So, I fixed it and the problem had no relation to fail2ban or jailkit..

1.) set a password in the GUI for the shell-user
2.) temporarily added "-o IdentitiesOnly=yes"
3.) ssh -o IdentitiesOnly=yes -t -i ~/.ssh/id_test_tgit_rsa [email protected]
4.) changed my ~/.ssh/known_hosts permissions back to 644...
5.) ssh -t -i ~/.ssh/id_test_tgit_rsa [email protected] works without a problem
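Why `IdentitiesOnly=yes` mattered, as an added example that is not part of any post above: the client queued every ssh-agent identity behind the `-i` key, and the server disconnected after a few rejected offers. The script summarises that pattern from `ssh -v` output. The sample log is constructed with placeholder fingerprints, and the limit of 6 is sshd's default `MaxAuthTries`, not a value known for this server.

```shell
# Added example: summarise publickey attempts in `ssh -v` client output.
# MAX_AUTH_TRIES defaults to 6 (sshd's documented MaxAuthTries default);
# the value configured on the thread's server is unknown (assumption).
MAX_AUTH_TRIES=${MAX_AUTH_TRIES:-6}

# Constructed sample shaped like the thread's log; fingerprints are placeholders.
sample_debug_log() {
cat <<'EOF'
debug1: Will attempt key: /home/user/.ssh/id_test_tgit_rsa RSA SHA256:PLACEHOLDER-A explicit agent
debug1: Will attempt key: user@machine RSA SHA256:PLACEHOLDER-B agent
debug1: Will attempt key: user@machine RSA SHA256:PLACEHOLDER-C agent
debug1: Will attempt key: user@machine RSA SHA256:PLACEHOLDER-D agent
debug1: Offering public key: /home/user/.ssh/id_test_tgit_rsa RSA SHA256:PLACEHOLDER-A explicit agent
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: user@machine RSA SHA256:PLACEHOLDER-B agent
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: user@machine RSA SHA256:PLACEHOLDER-C agent
Received disconnect from 192.168.0.47 port 22:2: Too many authentication failures
EOF
}

# Reads ssh debug output on stdin and prints one summary line:
#   queued      identities the client lined up ("Will attempt key")
#   offered     identities actually sent before the session ended
#   agent_extra queued identities that came only from the agent (no -i)
summarise_pubkey_attempts() {
  awk -v max="$MAX_AUTH_TRIES" '
    /^debug1: Will attempt key: / { queued++; if ($0 !~ / explicit( agent)?$/) agent_extra++ }
    /^debug1: Offering public key: /   { offered++ }
    /^debug1: Server accepts key: /    { accepted = 1 }
    /Too many authentication failures/ { flooded = 1 }
    END {
      verdict = "ok"
      if (accepted)          verdict = "accepted"
      else if (flooded)      verdict = "disconnected"
      else if (queued > max) verdict = "at-risk"
      printf "queued=%d offered=%d agent_extra=%d verdict=%s\n", queued, offered, agent_extra, verdict
    }'
}

# Prints an ssh_config stanza that pins one key for one host, so agent
# identities are not offered there (same effect as -o IdentitiesOnly=yes).
pinned_host_stanza() {
  printf 'Host %s\n    User %s\n    IdentityFile %s\n    IdentitiesOnly yes\n' "$1" "$2" "$3"
}

sample_debug_log | summarise_pubkey_attempts
pinned_host_stanza tester1.git.example.com adminguytgit '~/.ssh/id_test_tgit_rsa'
```

With `IdentitiesOnly yes` only the named key is offered, so a rejected key leaves attempts over for the password prompt instead of ending in a disconnect.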