I installed fail2ban, but noticed ssh is not getting blocked for failed logins using putty
Ubuntu 16.04.5, Webmin 1.979, Virtualmin 6.16
Fail2ban Version 0.10.2
Note, for some reason i'm using FirewallD (Not Linux Firewall), and see message " Warning! It appears that FirewallD is being used to generate your system's firewall. Maybe you should use the FirewallD module instead."
SSH Service is in FirewallD
fail2ban is loaded, and working ok
rob@server:/etc/fail2ban$ systemctl status fail2ban
● fail2ban.service - Fail2Ban Service
Loaded: loaded (/etc/systemd/system/fail2ban.service; enabled; vendor preset: enabled)
Active: active (running) since Sun 2021-08-15 17:06:55 EDT; 17min ago
Docs: man:fail2ban(1)
Process: 29509 ExecStop=/usr/bin/fail2ban-client stop (code=exited, status=0/SUCCESS)
Process: 29532 ExecStartPre=/bin/mkdir -p /var/run/fail2ban (code=exited, status=0/SUCCESS)
Main PID: 29534 (fail2ban-server)
Tasks: 15 (limit: 4915)
CGroup: /system.slice/fail2ban.service
└─29534 /usr/bin/python3 /usr/bin/fail2ban-server -xf start
Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.
jail.local:
[sshd]
enabled = true
port = ssh
maxretry = 3
findtime = 5m
bantime = 1h
ignoreip = 127.0.0.1/8
if i run : iptables -L -n , i do not see any chain for f2b, no mention
if I tail , /var/log/fail2ban.log i see it is trying to ban
2021-08-15 06:08:42,103 fail2ban.actions [404]: NOTICE [postfix-sasl] Ban 212.70.149.71
2021-08-15 06:09:45,740 fail2ban.filter [404]: INFO [postfix-sasl] Found 185.143.223.27 - 2021-08-15 06:09:45
2021-08-15 06:09:51,649 fail2ban.filter [404]: INFO [postfix-sasl] Found 185.143.223.26 - 2021-08-15 06:09:51
2021-08-15 06:09:54,432 fail2ban.filter [404]: INFO [postfix-sasl] Found 31.210.20.41 - 2021-08-15 06:09:54
2021-08-15 06:09:59,330 fail2ban.filter [404]: INFO [postfix-sasl] Found 185.143.223.11 - 2021-08-15 06:09:58
2021-08-15 06:10:03,591 fail2ban.filter [404]: INFO [postfix-sasl] Found 185.143.223.17 - 2021-08-15 06:10:03
but no f2b in IPtables:
rob@server:/etc/fail2ban$ sudo iptables -L f2b-sshd
iptables: No chain/target/match by that name.
I can try and enter my login on SSH, and i see fail2ban does indeed record that my.ip is blocked, but it does not get listed in iptables, nor am i actually blocked from logging in !!!
rob@server:/etc/fail2ban$ sudo fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed: 8
|  `- File list: /var/log/auth.log
`- Actions
   |- Currently banned: 1
   |- Total banned: 1
   `- Banned IP list: My.IP.address
please help, don't shout, i've lost a day on this.... :-(
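A check for the symptom described in this post (fail2ban-client lists a banned IP while the firewall holds no matching rule), as an added example that is not part of the original thread. The function names are hypothetical, the sample addresses are constructed, and check_jail assumes a firewall whose state is visible through iptables -S and ipset list, as on the Ubuntu 16.04 host described above.

```shell
#!/bin/sh
# Added example (not from the thread): list IPs that fail2ban reports as
# banned but that a firewall dump never mentions.

# Read `fail2ban-client status <jail>` output on stdin; print banned IPs, one per line.
banned_ips() {
    sed -n 's/^.*Banned IP list:[[:space:]]*//p' | tr -s ' \t' '\n\n' | sed '/^$/d'
}

# $1 = file of banned IPs, $2 = file holding a firewall dump.
# Prints every banned IP that does not occur in the dump as a whole token,
# so 203.0.113.7 is not satisfied by a rule for 203.0.113.70.
unenforced_bans() {
    while IFS= read -r ip; do
        grep -qwF -e "$ip" "$2" || printf '%s\n' "$ip"
    done < "$1"
}

# Live check for one jail (run as root). Assumption: bans end up in
# iptables rules or ipset members.
check_jail() {
    tmp=$(mktemp -d) || return 2
    fail2ban-client status "$1" | banned_ips > "$tmp/banned"
    { iptables -S; ipset list; } > "$tmp/fw" 2>/dev/null
    unenforced_bans "$tmp/banned" "$tmp/fw"
    rm -rf "$tmp"
}

# Offline demo on constructed data: two bans reported, only one enforced.
demo() {
    tmp=$(mktemp -d) || return 2
    cat > "$tmp/status" <<'EOF'
Status for the jail: sshd
`- Actions
   |- Currently banned: 2
   `- Banned IP list:   203.0.113.7 198.51.100.23
EOF
    cat > "$tmp/fw" <<'EOF'
-A f2b-sshd -s 198.51.100.23/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 203.0.113.70/32 -j REJECT --reject-with icmp-port-unreachable
EOF
    banned_ips < "$tmp/status" > "$tmp/banned"
    unenforced_bans "$tmp/banned" "$tmp/fw"
    rm -rf "$tmp"
}
```

Any address printed by check_jail sshd is one that fail2ban counts as banned while nothing in the packet filter blocks it, which points at the jail's ban action rather than at the filter.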
F2B creates an IPSET, so you need to get F2B to write into the firewall the offending IP address.
I use F2b with Shorewall and know little about FirewallD but hopefully this article will point you in all the right directions ...
https://fedoraproject.org/wiki/Fail2ban_with_FirewallD
Nigel.
Robert Walker riwalker@users.sourceforge.net wrote ..
Thanks, I tried the link
There is an existing file, so cannot be this:
also, there was not the 2nd file, so I added this:
but this did not help, even restarting fail2ban
Once configured, start the service:
sudo systemctl start fail2ban
And enable it to run on system startup:
sudo systemctl enable fail2ban
Check the status:
systemctl status fail2ban
Check the log file:
sudo tail /var/log/fail2ban.log
Note: I did stop FirewallD, and it gave an error
So checked here:
I also noticed in Linux Firewall, that there is an error message now:
I'm wondering if FirewallD is compatible with Webmin / Fail2ban on Ubuntu 16.04 ?
I start the firewallD, 'systemctl status firewalld.service' and see an error:
sudo firewall-cmd --get-zones
BUT, no active Zones !! ??
sudo firewall-cmd --get-active-zones
<blank>
BUT , I do see public listed ?
sudo firewall-cmd --zone=public --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh dhcpv6-client smtp smtps ftp pop3 pop3s imap imaps http https
ports: 587/tcp 53/tcp 20/tcp 2222/tcp 10000-10100/tcp 20000/tcp 1025-65535/tcp 53/udp 9777-9787/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
and tried again to see if active:
sudo firewall-cmd --get-active-zones
<blank>
HELP ?
ok, please close
the issue was firewallD, I just could NOT get it to work correctly.
I removed firewallD and fail2ban, and installed CSF
all is good with CSF, i love the functionality and the depth of alerts you get....