Still banning my ip, can not login

Discussion in 'General' started by pecka33, Aug 16, 2021.

  1. pecka33

    pecka33 Member

    Hi, I have a new problem. Everything works fine; 1 hour ago I logged out from PuTTY, but when I try to log in again I cannot. In the fail2ban protocol in ISPConfig I can see other IP addresses, but still my IP address 94.112.151.194. During this time I didn't try to log in, but there is still access, as you can see. What can I do? I tried to log in with another IP, but the problem is the same and this new IP is added to fail2ban too.

    Any idea? In the last 2 hours I didn't make any changes.

    Code:
    2021-08-16 09:45:51,909 fail2ban.filter [711]: INFO [sshd] Found 94.112.151.194 - 2021-08-16 09:45:51
    2021-08-16 09:45:55,152 fail2ban.filter [711]: INFO [sshd] Found 43.129.199.55 - 2021-08-16 09:45:55
    2021-08-16 09:45:57,970 fail2ban.filter [711]: INFO [sshd] Found 94.112.151.194 - 2021-08-16 09:45:57
    2021-08-16 09:46:06,570 fail2ban.filter [711]: INFO [sshd] Found 94.112.151.194 - 2021-08-16 09:46:06
    2021-08-16 09:46:19,513 fail2ban.filter [711]: INFO [sshd] Found 111.177.18.226 - 2021-08-16 09:46:19
    2021-08-16 09:46:20,631 fail2ban.filter [711]: INFO [sshd] Found 94.112.151.194 - 2021-08-16 09:46:20
    2021-08-16 09:46:20,805 fail2ban.actions [711]: NOTICE [sshd] Ban 94.112.151.194
    
    
    2021-08-16 09:56:20,383 fail2ban.actions [711]: NOTICE [sshd] Unban 94.112.151.194
    2021-08-16 09:56:30,720 fail2ban.filter [711]: INFO [sshd] Found 94.112.151.194 - 2021-08-16 09:56:30
    2021-08-16 09:56:45,144 fail2ban.filter [711]: INFO [sshd] Found 94.112.151.194 - 2021-08-16 09:56:45
    2021-08-16 09:56:59,570 fail2ban.filter [711]: INFO [sshd] Found 94.112.151.194 - 2021-08-16 09:56:59
    2021-08-16 09:57:14,003 fail2ban.filter [711]: INFO [sshd] Found 94.112.151.194 - 2021-08-16 09:57:13
    2021-08-16 09:57:27,927 fail2ban.filter [711]: INFO [sshd] Found 94.112.151.194 - 2021-08-16 09:57:27
    2021-08-16 09:57:28,534 fail2ban.actions [711]: NOTICE [sshd] Ban 94.112.151.194
    2021-08-16 09:57:41,666 fail2ban.filter [711]: INFO [sshd] Found 222.186.42.213 - 2021-08-16 09:57:41
    2021-08-16 10:05:09,046 fail2ban.filter [711]: INFO [sshd] Found 222.186.30.76 - 2021-08-16 10:04:56
    2021-08-16 10:07:27,568 fail2ban.actions [711]: NOTICE [sshd] Unban 94.112.151.194
    2021-08-16 10:08:31,849 fail2ban.filter [711]: INFO [sshd] Found 94.112.151.194 - 2021-08-16 10:08:31
     
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    You can remove that IP from being banned:
    Code:
    fail2ban-client set sshd unbanip 94.112.151.194
    
    More info by reading man fail2ban-client.
    Then you have to figure out what is trying to log in from your computer and failing. Otherwise it gets banned again after 5 failed attempts.
     
  3. pecka33

    pecka33 Member

    Yes, I know, but how can I use this command if I cannot log in via PuTTY to my server because the IP is banned? I tried not to log in for about 30 minutes, but the IP is still banned/unbanned, and if I try to log in with a new IP the problem is the same.
     
  4. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Then next time you are able to log in, whitelist your IP:
    https://www.fail2ban.org/wiki/index.php/Whitelist
    But still, find out why your IP gets banned. The log you showed indicates something tries to log in with less than 1 minute intervals. Shortest was 1 second.
    I have no guesses what it could be, unless you yourself try logging in with PuTTY or another SSH client with a wrong password. I have had this problem with an IP getting banned minutes after unbanning when it was a mobile phone with an e-mail client still using the user's old password and trying to read e-mails every 30 seconds.
    Greetings from Pori, in case your username comes from the name Pekka.
     
  5. pecka33

    pecka33 Member

    Thank you, I tried it. The IP was unbanned; I tried to enter my host in PuTTY but couldn't log in and was banned again. I tried to remove all clients and reinstall, but it does not help.

    In the ISPConfig panel, in the syslog, I can see and guess that there is a problem. I don't know why, but before there were only two records about cron done in the log.

    Code:
    Aug 16 11:21:01 CRON[13174]: (root) CMD (/usr/local/ispconfig/server/server.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done)
    Aug 16 11:21:01 CRON[13177]: (root) CMD (/usr/local/ispconfig/server/cron.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done)
    Aug 16 11:22:01 CRON[13194]: (root) CMD (/usr/local/ispconfig/server/server.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done)
    Aug 16 11:22:01 CRON[13197]: (root) CMD (/usr/local/ispconfig/server/cron.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done)
    Aug 16 11:23:01 CRON[13212]: (root) CMD (/usr/local/ispconfig/server/server.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done)
    Aug 16 11:23:01 CRON[13214]: (root) CMD (/usr/local/ispconfig/server/cron.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done)
    Aug 16 11:24:01 CRON[13230]: (root) CMD (/usr/local/ispconfig/server/cron.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done)
    Aug 16 11:24:01 CRON[13231]: (root) CMD (/usr/local/ispconfig/server/server.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done)
    Aug 16 11:25:01 CRON[13250]: (root) CMD (/usr/local/ispconfig/server/cron.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done)
    
    Code:
    Aug 16 11:25:08 mariadbd[817]: 2021-08-16 11:25:08 11471 [Warning] Aborted connection 11471 to db: 'unconnected' user: 'unauthenticated' host: 'localhost' (This connection closed normally without authentication)
    
    After yesterday's Debian upgrade to 11 I cannot send emails with webmail and all mails go to the mail queue - with phpmail I can send mails.
    And in the mail queue is
    Code:
    Aug 16 11:18:15 postfix/lmtp[13050]: 36A3012BC: to=<xxx>, relay=none, delay=4513, delays=4513/0.04/0/0, dsn=4.4.1, status=deferred (connect to 127.0.0.1[127.0.0.1]:10026: Connection refused)
    
    Maybe because I tried to send emails and about 3 mails are in the queue?
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    Is your server behind a NAT router? If yes, then the server sees the same IP for all incoming SSH connections and therefore blocking can't work or will block all connections.

    The log looks perfectly fine, there must be a record for server.sh and one for cron.sh once a minute, and that's what your log shows.

    Debian 11 is not supported yet by ISPConfig, so it's quite likely that parts of the system break when you update it to an unsupported OS version. You should have waited with the dist upgrade until ISPConfig is compatible with that new OS version.
     
  7. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    The problem with fail2ban is because the sshd jail detects failed login attempts. The e-mail problems are unrelated.
    I would assume ISPConfig does not support Debian 11; the non-fail2ban problems may be because ISPConfig just does not work with Debian 11 (which was released the day before yesterday).
     
  8. pecka33

    pecka33 Member

    Thank you for the reply; yes, that is my mistake. So most probably, if the problem is with the unsupported OS, I can't do anything and cannot access as root; I am locked out.
    I did the upgrade yesterday and everything worked fine until today.
     
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    As @Taleman pointed out, your login problem is not related to the unsupported OS; the problem is independent of ISPConfig. The mail problem, though, is probably related to the unsupported OS.
     
  10. pecka33

    pecka33 Member

    Thank you so much. The best way in this case should be to whitelist my IP, but I don't know how, when I cannot log in via SSH because my IP is banned. Any idea? Is there anything I can do in ISPConfig?
     
  11. till

    till Super Moderator Staff Member ISPConfig Developer

    No.

    Does your server have a rescue system that you can boot the system in and disable the fail2ban service?
     
  12. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Log in from console or from some other IP. Those should work since Fail2Ban has banned only that one IP. By the way, is it the IP of your workstation or of some router between your server and Internet?
    From memory the default ban time in Fail2Ban is 10 minutes, so if you wait 10 minutes and can not log in with SSH then there may be some other problem. Or there is something in your workstation that tries logins and triggers the ban.
     
  13. pecka33

    pecka33 Member

    Thank you. Yes, before that worked: I entered a wrong password and after 10 minutes it was fine, but now after the unban I entered my password once and was blocked.
    After all, I found that I can use VNC and I am logged in to my VPS. I tried to run /etc/init.d/fail2ban stop but it does not look like that works; same problem with login.
     
  14. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Fail2ban may have blocked your IP in several jails. Check them all. Especially if you use the recidive jail, it has a bantime of one week. Try to grep your IP from the fail2ban log to see if it appears in several jails.
    You can also check iptables for the actual block that fail2ban makes:
    Code:
    iptables --list | grep 94.112.151.194
    Use fail2ban-client to unbanip from all jails where it appears.
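
Added example, not part of the original posts: a shell version of the check suggested above, reporting for one IP which jails in a fail2ban log still hold a ban and printing the matching `fail2ban-client set <jail> unbanip <ip>` commands. The function names, the sample log and its addresses (documentation ranges) are constructed; the log layout follows the lines quoted in this thread.

```shell
#!/bin/sh
# Constructed sample in the fail2ban.log layout quoted in this thread.
# Addresses come from documentation ranges; "recidive" is a second jail.
sample_log() {
cat <<'EOF'
2021-08-16 09:45:51,909 fail2ban.filter [711]: INFO [sshd] Found 203.0.113.7 - 2021-08-16 09:45:51
2021-08-16 09:45:55,152 fail2ban.filter [711]: INFO [sshd] Found 198.51.100.23 - 2021-08-16 09:45:55
2021-08-16 09:45:57,970 fail2ban.filter [711]: INFO [sshd] Found 203.0.113.7 - 2021-08-16 09:45:57
2021-08-16 09:46:20,805 fail2ban.actions [711]: NOTICE [sshd] Ban 203.0.113.7
2021-08-16 09:46:21,010 fail2ban.filter [711]: INFO [recidive] Found 203.0.113.7 - 2021-08-16 09:46:20
2021-08-16 09:46:21,300 fail2ban.actions [711]: NOTICE [recidive] Ban 203.0.113.7
2021-08-16 09:56:20,383 fail2ban.actions [711]: NOTICE [sshd] Unban 203.0.113.7
2021-08-16 09:56:30,720 fail2ban.filter [711]: INFO [sshd] Found 203.0.113.77 - 2021-08-16 09:56:30
EOF
}

# f2b_state IP < logfile
# One line per jail that mentions IP: counts of Found/Ban/Unban and whether
# the last action for that jail was a Ban (state=banned) or not (state=clear).
f2b_state() {
    awk -v ip="$1" '
        # Fields: date time logger [pid]: LEVEL [jail] ACTION IP ...
        # Exact field comparison, so 203.0.113.7 does not match 203.0.113.77
        # (a plain grep treats dots as wildcards and matches substrings).
        $8 != ip { next }
        { jail = $6; gsub(/\[|\]/, "", jail); seen[jail] = 1 }
        $7 == "Found" { found[jail]++ }
        $7 == "Ban"   { bans[jail]++;   state[jail] = "banned" }
        $7 == "Unban" { unbans[jail]++; state[jail] = "clear" }
        END {
            for (j in seen)
                printf "%s found=%d bans=%d unbans=%d state=%s\n",
                    j, found[j], bans[j], unbans[j],
                    (state[j] == "" ? "clear" : state[j])
        }
    ' | sort
}

# f2b_unban_cmds IP < logfile
# Prints (does not run) one unbanip command per jail still holding a ban.
f2b_unban_cmds() {
    f2b_state "$1" | awk -v ip="$1" \
        '$NF == "state=banned" { print "fail2ban-client set " $1 " unbanip " ip }'
}

# Demo on the constructed sample; on a server, redirect the real log instead.
sample_log | f2b_state 203.0.113.7
sample_log | f2b_unban_cmds 203.0.113.7
```

On a real host the input would be the fail2ban log (commonly /var/log/fail2ban.log) instead of the sample.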
     
  15. till

    till Super Moderator Staff Member ISPConfig Developer

    And Debian 11 (and also 10) does not use init scripts anymore, use systemd commands to stop services.

    systemctl stop fail2ban
     
  16. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Some other thoughts: it could be you have another tool banning you, e.g. sshguard; if it is fail2ban, and the logs do indicate you are being unbanned, maybe check the unban commands for the action(s) you are using in the jail(s) where you are being banned; it's possible that unbanning isn't working.
     
  17. pecka33

    pecka33 Member

    Thank you. I checked all that I can, but it does not work for me. I tried to remove/install fail2ban again, but still the same problem. iptables does not work well now; it just finds IPs, but does not ban them anymore in iptables.

    I checked the server and maybe this could be because the jailkit status is "?". When I type the command to get the status of jailkit I get this message. Any idea? [IMG]

    Sorry for the screenshot from a phone, but the console does not allow making a screenshot because of security :D
     
  18. Taleman

    Taleman Well-Known Member HowtoForge Supporter

  19. pecka33

    pecka33 Member

    So finally I solved the problem with login via PuTTY. I don't know why; I tried two computers with another IP address and a phone client with another IP, but it was always the same problem. Most probably a firewall somewhere is blocking ALL requests that try to log in as root, but I don't know where; I cannot find it.

    But my problem was solved by allowing my IP address in etc/hosts.allow with
    Code:
    sshd: 94.112.151.194:allow
     
  20. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Have you allowed root login in sshd_config?
     
