[SOLVED] Fail2Ban doesnt work

basti2s

Member
Jul 27, 2021
35
0
6
31
Hello,

i want to do a fire save Backup on my PBS. So the PVE is at building 1 and the PBS on building2. For the backup they are connected via Internet. For this reason i have to open port 8007. For some safety reasons i want to protect the port via Fail2Ban. I made a first try and installed fail2ban on the pbs. First i want to test fail2ban a bit and i added a rule for port 22 in my jail.local (again, only for testing, later it will be port 8007).

Code:
enabled = true
port    = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 2m
backend = %(sshd_backend)s

The fail2ban Service seems to be working well:
Code:
● fail2ban.service - Fail2Ban Service
     Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor preset: enabled)
     Active: active (running) since Fri 2021-09-17 20:53:26 CEST; 19s ago
       Docs: man:fail2ban(1)
    Process: 48095 ExecStartPre=/bin/mkdir -p /run/fail2ban (code=exited, status=0/SUCCESS)
   Main PID: 48096 (fail2ban-server)
      Tasks: 5 (limit: 9079)
     Memory: 11.2M
        CPU: 156ms
     CGroup: /system.slice/fail2ban.service
             └─48096 /usr/bin/python3 /usr/bin/fail2ban-server -xf start

Sep 17 20:53:26 pbs systemd[1]: Starting Fail2Ban Service...
Sep 17 20:53:26 pbs systemd[1]: Started Fail2Ban Service.
Sep 17 20:53:27 pbs fail2ban-server[48096]: Server ready

But, if i am trying to login via SSH with the wrong password i dont get banned.

fail2ban-client status sshd tells me:
Code:
Status for the jail: sshd
|- Filter
|  |- Currently failed: 1
|  |- Total failed:     4
|  `- File list:        /var/log/auth.log
`- Actions
   |- Currently banned: 1
   |- Total banned:     1
   `- Banned IP list:   192.168.178.170

So fail2ban blocks my Ip-adress, but why am i still able to login via SSH with the correct password?

The Logfile tells me:
Code:
Running tests
=============

Use   failregex filter file : sshd, basedir: /etc/fail2ban
Use         maxlines : 1
Use      datepattern : {^LN-BEG} : Default Detectors
Use         log file : /var/log/auth.log
Use         encoding : UTF-8


Results
=======

Prefregex: 347 total
|  ^(?P<mlfid>(?:\[\])?\s*(?:<[^.]+\.[^.]+>\s+)?(?:\S+\s+)?(?:kernel:\s?\[ *\d+\.\d+\]:?\s+)?(?:@vserver_\S+\s+)?(?:(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)\s+)?(?:\[ID \d+ \S+\]\s+)?)(?:(?:error|fatal): (?:PAM: )?)?(?P<content>.+)$
`-

Failregex: 71 total
|-  #) [# of hits] regular expression
|   4) [51] ^Failed (?:<F-NOFAIL>publickey</F-NOFAIL>|\S+) for (?P<cond_inv>invalid user )?<F-USER>(?P<cond_user>\S+)|(?(cond_inv)(?:(?! from ).)*?|[^:]+)</F-USER> from <HOST>(?: (?:port \d+|on \S+)){0,2}(?: ssh\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)
|  14) [11] ^<F-NOFAIL>pam_[a-z]+\(sshd:auth\):\s+authentication failure;</F-NOFAIL>(?:\s+(?:(?:logname|e?uid|tty)=\S*)){0,4}\s+ruser=<F-ALT_USER>\S*</F-ALT_USER>\s+rhost=<HOST>(?:\s+user=<F-USER>\S*</F-USER>)?(?: (?:port \d+|on \S+|\[preauth\])){0,3}\s*$
|  15) [2] ^maximum authentication attempts exceeded for <F-USER>.*</F-USER> from <HOST>(?: (?:port \d+|on \S+)){0,2}(?: ssh\d*)?(?: (?:port \d+|on \S+|\[preauth\])){0,3}\s*$
|  21) [7] ^<F-MLFFORGET><F-MLFGAINED>Accepted \w+</F-MLFGAINED></F-MLFFORGET> for <F-USER>\S+</F-USER> from <HOST>(?:\s|$)
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [347] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
`-

Lines: 347 lines, 18 ignored, 53 matched, 276 missed
[processed in 0.03 sec]

|- Ignored line(s):
|  Sep 17 20:02:13 pbs sshd[18146]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.178.170  user=root
|  Sep 17 20:02:49 pbs sshd[18996]: Accepted password for root from 192.168.178.170 port 64175 ssh2
|  Sep 17 20:13:51 pbs sshd[47462]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.178.170  user=root
|  Sep 17 20:14:26 pbs sshd[47469]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.178.170  user=root
|  Sep 17 20:21:02 pbs sshd[47558]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.178.170  user=root
|  Sep 17 20:28:03 pbs sshd[47731]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.178.170  user=root
|  Sep 17 20:32:39 pbs sshd[47786]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.178.170  user=root
|  Sep 17 20:34:45 pbs sshd[47814]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.178.170  user=root
|  Sep 17 20:37:25 pbs sshd[47841]: Accepted password for root from 192.168.178.170 port 55380 ssh2
|  Sep 17 20:38:16 pbs sshd[47885]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.178.170  user=root
|  Sep 17 20:39:57 pbs sshd[47885]: Accepted password for root from 192.168.178.170 port 55395 ssh2
|  Sep 17 20:44:20 pbs sshd[47966]: Accepted password for root from 192.168.178.170 port 55419 ssh2
|  Sep 17 20:44:34 pbs sshd[47999]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.178.170  user=root
|  Sep 17 20:51:53 pbs sshd[48053]: Accepted password for root from 192.168.178.170 port 55456 ssh2
|  Sep 17 20:56:21 pbs sshd[48159]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.178.170  user=root
|  Sep 17 21:01:46 pbs sshd[48227]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.178.170  user=root
|  Sep 17 21:02:16 pbs sshd[48227]: Accepted password for root from 192.168.178.170 port 64720 ssh2
|  Sep 17 21:05:28 pbs sshd[48281]: Accepted password for root from 192.168.178.170 port 64736 ssh2
`-
Missed line(s): too many to print.  Use --print-all-missed to print all 276 lines

I hope you can help me.
 
Wouldn't it be even better to just setup a point-to-point VPN between the two servers so your port 8007 isn't accessible from the internet at all?
 
not at all. I want to do it in this way. Can anyone help me?
You could try with banaction = iptables-allports instead of multiport (if that's in your jail.local) to see if that blocks the ssh, but isuppose you need to check your iptables and in/out chains, i suppose fail2ban utilize iptables for doing the actual blocking
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!