Re: [Fail2ban-users] Fail2Ban doesn't seem to be working?

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

iptables -L -n -v | grep "220.177.198"
22   880 DROP       all  --  *      *       220.177.198.0/24     0.0.0.0/0
527 31984 REJECT     all  --  *      *       220.177.198.31       0.0.0.0/0            reject-with icmp-port-unreachable
16  1044 REJECT     all  --  *      *       220.177.198.33       0.0.0.0/0            reject-with icmp-port-unreachable
 0     0 REJECT     all  --  *      *       220.177.198.0/24     0.0.0.0/0            reject-with icmp-port-unreachable

Ok maybe the word global was the wrong word. I banned the whole subnet rather than 1.

>not sure what is "global ban" is(and thus how it was "put"), thus
>-- first check either you have those rules in your iptables

>iptables -L -n -v

On Sun, 04 May 2014, r fancher wrote:

>    A month ago this "person" made several attempts at accessing my site so I
>    put in a global ban:

>    -A fail2ban-ssh -s 220.177.198.0/24 -j REJECT --reject-with
>    icmp-port-unreachable
>    But today I saw the following which is
 concerning me that fail2ban isn't
>    actually working:
>    May? 2 11:56:57 pcname sshd[21105]: pam_unix(sshd:auth): authentication
>    failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=220.177.198.33?
>    user=root
>    May? 2 11:56:59 pcname sshd[21105]: Failed password for root from
>    220.177.198.33 port 41260 ssh2
>    May? 2 11:56:59 pcname sshd[21105]: Received disconnect from
>    220.177.198.33: 11: Bye Bye [preauth]
>    May? 2 19:23:27 pcname sshd[24226]: pam_unix(sshd:auth): authentication
>    failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=220.177.198.31?
>   
 user=root
>    2014-05-02 11:57:00,026 fail2ban.actions: WARNING [ssh] Ban 220.177.198.33
>    2014-05-02 19:23:29,510 fail2ban.actions: WARNING [ssh] Ban 220.177.198.31
>    I have the standard defaults in my conf file:
>    [ssh]
>    enabled? = true
>    port???? = ssh
>    filter?? = sshd
>    logpath? = /var/log/auth.log
>    maxretry = 1
>    I have also seen various other ip's banned yet still give the result logs
>    as if they were met with a user/pass challenge.
>    These were already in place before I put in a global ban:
>    -A fail2ban-ssh -s 220.177.198.31/32 -j REJECT --reject-with
>    icmp-port-unreachable
>    -A fail2ban-ssh -s 220.177.198.33/32 -j REJECT --reject-with
>    icmp-port-unreachable
>    Even without the global ban they used the same IP?s and still was met with
>    the ssh challenge, why is that? I know it works because I have banned
>    myself on several occasions, so why am I still seeing this in the logs?