fail2ban not working ..

I installed fail2ban and enabled the ssh

filter.d/sshd.conf

before = common.conf

[Definition]

_daemon = sshd

failregex = (?:error: PAM: )?Authentication failure for .* from <host>\s*$
            Failed [-/\w]+ for .* from <host>(?: port \d*)?(?: ssh\d*)?\s*$
            ROOT LOGIN REFUSED.* FROM <host>\s*$
            [iI](?:llegal|nvalid) user .* from <host>\s*$
            Invalid user .* from <host>\s*$
            User .+ from <host>not allowed because not listed in AllowUsers\s*$
            User .+ from <host>not allowed because none of user's groups are listed in AllowGroups\s*$
            Address <host>.* POSSIBLE BREAK-IN ATTEMPT\s*$
            authentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<host>(?:\s+user=.*)?\s*$

command

fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/sshd.conf

is showing 0 results …

Which setting can be wrong?

Richard

16 Replies

This is what filter.d/sshd.conf looks like for me on CentOS 5.5. I don't recall customizing it:

[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

_daemon = sshd

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<host>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from <host>\s*$
            ^%(__prefix_line)sFailed [-/\w]+ for .* from <host>(?: port \d*)?(?: ssh\d*)?$
            ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <host>\s*$
            ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <host>\s*$
            ^%(__prefix_line)sUser \S+ from <host> not allowed because not listed in AllowUsers$
            ^%(__prefix_line)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<host>(?:\s+user=.*)?\s*$
            ^%(__prefix_line)srefused connect from \S+ \(<host>\)\s*$
            ^%(__prefix_line)sAddress <host> .* POSSIBLE BREAK-IN ATTEMPT\s*$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

Running the same fail2ban-regex command as you turns up a number of results. Things to check:

  • Is the conf file being read correctly? (What is shown under "Regular expressions:" when you run fail2ban-regex?)

  • Is there anything in the log file to match? (Maybe it's just been rotated and is nearly empty. What does grep -i fail /var/log/secure yield?)

At least on my Ubuntu systems I don't see a /var/log/secure, there is a /var/log/auth.log.

Hi Vance,

The output is as follows:

[root@linode ~]# fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/sshd.conf

Running tests
=============

Use regex file : /etc/fail2ban/filter.d/sshd.conf
Use log file   : /var/log/secure

Results
=======

Failregex
|- Regular expressions:
|  [1] (?:error: PAM: )?Authentication failure for .* from <host>\s*$
|  [2] Failed [-/\w]+ for .* from <host>(?: port \d*)?(?: ssh\d*)?\s*$
|  [3] ROOT LOGIN REFUSED.* FROM <host>\s*$
|  [4] [iI](?:llegal|nvalid) user .* from <host>\s*$
|  [5] Invalid user .* from <host>\s*$
|  [6] User .+ from <host>not allowed because not listed in AllowUsers\s*$
|  [7] User .+ from <host>not allowed because none of user's groups are listed in AllowGroups\s*$
|  [8] Address <host>.* POSSIBLE BREAK-IN ATTEMPT\s*$
|  [9] authentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<host>(?:\s+user=.*)?\s*$
|
`- Number of matches:
   [1] 0 match(es)
   [2] 0 match(es)
   [3] 0 match(es)
   [4] 0 match(es)
   [5] 0 match(es)
   [6] 0 match(es)
   [7] 0 match(es)
   [8] 0 match(es)
   [9] 0 match(es)

Ignoreregex
|- Regular expressions:
|
`- Number of matches:

Summary
=======

Sorry, no match

Look at the above section 'Running tests' which could contain important
information.

I see many entries in the secure log. The default version did not work for me, so I removed the __prefix_line and tried it.

Richard

I removed all regexps .. just one simple one

Still …

[root@linode filter.d]# fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/sshd.conf

Running tests
=============

Use regex file : /etc/fail2ban/filter.d/sshd.conf
Use log file   : /var/log/secure

Results
=======

Failregex
|- Regular expressions:
|  [1] Invalid user .* from <host>\s*
|
`- Number of matches:
   [1] 0 match(es)

Ignoreregex
|- Regular expressions:
|
`- Number of matches:

Summary
=======

Sorry, no match

@richardvc:

is showing 0 results …

Which setting can be wrong?

Richard

One thing that tripped me up a few months back with fail2ban is timezones. If you've changed your timezone without rebooting or restarting syslog then all your logs will be generated with the old timezone. This means that as soon as fail2ban sees the entry in the log it thinks it's old and ignores it….

You can test this easily by generating a log entry and confirming the timestamp is correct.

Scott Phillips

I feel this could be the reason.

I changed the timezone to IST … how can I fix this?

Richard

@richardvc:

I changed the timezone to IST … how can I fix this?

The simplest solution is to reboot your machine instance…. Or you could restart syslog.

Scott Phillips

What is the best way to restart the syslog daemon?

If you're on a recent version of ubuntu try

reload rsyslog

other distros

service syslog restart

might work.

none worked .. I am on CentOS

how about /bin/kill -HUP `cat /var/run/syslogd.pid`?

Richard

That'll probably work as long as syslog.pid exists (check for rsyslog.pid or ksyslog.pid if it doesn't).

tried both, even restarted the system.

Reinstalled fail2ban again. Still does not work.

What can be the reason?

Richard

One sample line from /var/log/secure

2011-02-01T00:58:06.205040+05:18 linode dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown
2011-02-01T00:58:06.205100+05:18 linode dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=import@tglsa.in rhost=178.239.85.254
^

I see one strange thing in the time, the letter "T" … is this the reason? Where is this T coming from in the log files?

The Pureftp log also shows a similar time.

Richard
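The "T" in those timestamps is the RFC 3339 layout that rsyslog writes in its default file template: date and time joined by a literal T, followed by the entry's own UTC offset. The added Python example below (not fail2ban's code) parses both that layout and the traditional "Feb  1 00:58:06" form, then applies a findtime age check in the spirit of fail2ban's rule that only recent entries count. It reproduces the failure mode Scott describes: syslog keeps writing wall-clock times in the old zone while the reader assumes the new one, so fresh entries look hours old and are ignored. The two ISO lines are the ones posted above; the traditional line, the zones (UTC as the old zone, +05:30 as IST) and the 600-second findtime are assumptions for the demonstration.

```python
import re
from datetime import datetime, timedelta, timezone

# Lines copied from the post above: rsyslog RFC 3339 timestamps, "T" separator, own UTC offset.
ISO_LINES = [
    "2011-02-01T00:58:06.205040+05:18 linode dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown",
    "2011-02-01T00:58:06.205100+05:18 linode dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=import@tglsa.in rhost=178.239.85.254",
]
# Constructed traditional syslog line: no year and no offset, so the reader must assume both.
TRADITIONAL_LINE = "Feb  1 00:58:06 linode sshd[2712]: Failed password for invalid user admin from 203.0.113.7 port 4444 ssh2"

UTC = timezone.utc                                   # assumed "old" zone syslog is still using
IST = timezone(timedelta(hours=5, minutes=30))       # assumed "new" zone from the thread

RFC3339_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.(?:\d{6}|\d{3}))?(?:Z|[+-]\d{2}:\d{2}))\s")
TRADITIONAL_RE = re.compile(r"^([A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})\s")


def parse_timestamp(line, assumed_tz, assumed_year=2011):
    """Return an aware datetime for the line's leading timestamp, or None.
    RFC 3339 lines carry their own offset, so assumed_tz is irrelevant for them;
    traditional lines carry neither year nor zone, so both must be assumed."""
    m = RFC3339_RE.match(line)
    if m:
        return datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
    m = TRADITIONAL_RE.match(line)
    if m:
        naive = datetime.strptime(f"{assumed_year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        return naive.replace(tzinfo=assumed_tz)
    return None


def is_recent(line, now, assumed_tz, findtime=timedelta(seconds=600)):
    """Count an entry only if it is no older than findtime (fail2ban ignores older ones)."""
    ts = parse_timestamp(line, assumed_tz)
    return ts is not None and (now - ts) <= findtime


def timezone_skew_demo():
    """A syslog still running in UTC writes wall clock 00:58:06 at this instant. The reader's
    assumed zone decides whether that entry is 'now' (UTC) or 5h30m in the past (IST)."""
    written_at = datetime(2011, 2, 1, 0, 58, 6, tzinfo=UTC)
    return {
        "reader_assumes_utc": is_recent(TRADITIONAL_LINE, written_at, UTC),
        "reader_assumes_ist": is_recent(TRADITIONAL_LINE, written_at, IST),
        "age_seconds_if_ist_assumed": (written_at - parse_timestamp(TRADITIONAL_LINE, IST)).total_seconds(),
    }


if __name__ == "__main__":
    for line in ISO_LINES:
        ts = parse_timestamp(line, IST)
        print(ts.isoformat(), "offset", ts.utcoffset())
    print(timezone_skew_demo())
```

The RFC 3339 lines parse to the same instant whichever zone the reader assumes, because the offset is in the line itself; the traditional line is where a zone change without a syslog restart produces the 5h30m skew, which is well past a 600-second findtime. That is also why generating one fresh failure and comparing its logged time with the system clock, as Scott suggests, is the quickest check.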

Have you actually tried logging in with a bad password? Otherwise the regex tool should report zero right?

Yes, the secure log has more than 500+ various types of error messages.

This error was because of timezone settings. I changed the timezone to IST … the new version of fail2ban (Installed from sources) works without an issue.

Thanks

Richard

I've been beating my head against the wall trying to get fail2ban to work. I was constantly running fail2ban-regex and finding new matches for every test but fail2ban was doing nothing. Restarting rsyslog worked, thank you so much for that.

P.S. I know this is an old post, but I found it and it helped me so thought I would add to that.
