Environment:
Fail2Ban version (including any possible distribution suffixes): Fail2Ban v0.10.2
OS, including release name/version: Raspbian Buster - Linux raspberrypi3 4.19.50-v7+ Monit config #896 SMP Thu Jun 20 16:11:44 BST 2019 armv7l GNU/Linux
[X] Fail2Ban installed via OS/distribution mechanisms
[X] You have not applied any additional foreign patches to the codebase
[X] Some customizations were done to the configuration (provide details below if so)
The issue:
After configuring fail2ban for sshd with a retry count of 3, I noticed that failed connections were getting banned after 2 physical login attempts and a 3rd attempt would never be prompted for?
I had originally configured 2FA (Google Auth) on ssh so thought that this maybe a factor but I've since commented this out of the /etc/pam.d/sshd file and I'm still seeing the double counting of failed attempts (and therefore the connection being banned earlier than the configured 3 attempts)?
Steps to reproduce
(1) Attempt connection (1) with deliberate incorrect password and the following is output to the logs:
/var/log/fail2ban.log
2019-07-08 13:16:54,212 fail2ban.filter [3288]: INFO [sshd] Found [IP] - 2019-07-08 13:16:54
2019-07-08 13:16:54,631 fail2ban.actions [3288]: NOTICE [sshd] Ban [IP]
2019-07-08 13:16:55,820 fail2ban.filter [3288]: INFO [sshd] Found [IP] - 2019-07-08 13:16:55
(2) Attempt connection (2) with deliberate incorrect password and the following is output to the logs:
(3) The 3rd ssh login prompt is not presented and the user is banned after 2 physical login attempts rather than the configured maxretry = 3 in /etc/fail2ban/jail.local
Expected behavior
Expected behaviour is that fail2ban identifies that the two log lines (with IP) per connection attempt are a single connection attempt and therefore respects the maxretry = 3 config value for sshd
Observed behavior
See above info in Issue description
Configuration, dump and other helpful excerpts
/etc/fail2ban/jail.local
[sshd]
enabled = true
filter = sshd
bantime = -1
maxretry = 3
# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
#mode = normal
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
n1nj4888 changed the title from "Fail2ban double counts sshd login attempts?" to "Fail2ban double counts failed sshd login attempts?" on Jul 8, 2019
Expected behaviour is that fail2ban identifies that the two log lines (with IP) per connection attempt are a single connection attempt and therefore respects the maxretry = 3 config value for sshd
The issue is, the intruder can do several attempts during the same session (up to the MaxAuthTries configuration value), so counting it as you suggest, "per connection", could be too lenient.
Although this one from your example is indeed counted double, as you can see in the current sshd-filter:
this was already fixed in 25cc421 (and released in fail2ban >= 0.10.3).
In this config version, the regex is just a helper (multi-line filter) to obtain the IP in case other failures don't contain the IP (the tag <F-NOFAIL> avoids counting it as a failure).
If you'd try fail2ban-regex with these 2 lines and this config, you would get:
$ fail2ban-regex /tmp/gh-2462.log sshd
...
Results
=======
Failregex: 2 total
|- #) [# of hits] regular expression
| 1) [1] ^[aA]uthentication (?:failure|error|failed) for <F-USER>.*</F-USER> from <HOST>( via \S+)?(?: (?:port \d+|on \S+|\[preauth\])){0,3}\s*$
| 14) [1] ^<F-NOFAIL>pam_[a-z]+\(sshd:auth\):\s+authentication failure;</F-NOFAIL>(?:\s+(?:(?:logname|e?uid|tty)=\S*)){0,4}\s+ruser=<F-ALT_USER>\S*</F-ALT_USER>\s+rhost=<HOST>(?:\s+user=<F-USER>\S*</F-USER>)?(?: (?:port \d+|on \S+|\[preauth\])){0,3}\s*$
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [2] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
`-
Lines: 2 lines, 1 ignored, 1 matched, 0 missed
[processed in 0.00 sec]
|- Ignored line(s):
| Jul 8 13:16:04 srv sshd[3386]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.1 user=tester
The regex is matched, but "ignored", so it does not count a failure.
So I'd suggest to update the config or, better, your fail2ban version (or to increase maxretry until you get an update to the current version).
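To make the counting behaviour described in this thread concrete, here is an added simulation (example code written for this page, not fail2ban's own implementation) that replays constructed auth.log lines through two simplified sshd filters: one where the pam_unix line and the "Failed password" line are both counted (the double counting reported above), and one where the pam_unix regex carries the <F-NOFAIL> semantics, so it still yields the host but is not counted. The regexes, the sample log lines (three attempts from 192.0.2.1) and the helper names are assumptions made for the illustration and are deliberately much shorter than the real filter.d/sshd.conf.

```python
import re
from dataclasses import dataclass

# Constructed sample of /var/log/auth.log (not taken from the issue): three SSH
# connection attempts from one client, each with a wrong password. Every attempt
# leaves TWO lines, a pam_unix(sshd:auth) line and an sshd "Failed password" line.
AUTH_LOG = """\
Jul  8 13:16:04 srv sshd[3386]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.1 user=tester
Jul  8 13:16:06 srv sshd[3386]: Failed password for tester from 192.0.2.1 port 51234 ssh2
Jul  8 13:16:54 srv sshd[3390]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.1 user=tester
Jul  8 13:16:55 srv sshd[3390]: Failed password for tester from 192.0.2.1 port 51234 ssh2
Jul  8 13:17:20 srv sshd[3402]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.1 user=tester
Jul  8 13:17:22 srv sshd[3402]: Failed password for tester from 192.0.2.1 port 51234 ssh2
"""


@dataclass
class FailRegex:
    """One failregex entry in Python syntax: fail2ban's <HOST> tag is written as
    the named group 'host'. nofail mirrors <F-NOFAIL>: a matching line yields
    the host (useful for multi-line matching) but is NOT counted as a failure."""
    pattern: str
    nofail: bool = False


# Hypothetical, simplified filters (not the real filter.d/sshd.conf).
HOST = r"(?P<host>\S+)"
PREFIX = r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ sshd\[\d+\]: "
PAM_LINE = (r"pam_unix\(sshd:auth\): authentication failure;"
            r"(?:\s+(?:logname|e?uid|tty)=\S*){0,4}\s+ruser=\S*\s+rhost=" + HOST +
            r"(?:\s+user=\S*)?\s*$")
FAILED_PW = r"Failed password for (?:invalid user )?\S+ from " + HOST + r" port \d+ ssh2\s*$"

# Old behaviour: both lines count, so one attempt costs two retries.
OLD_FILTER = [FailRegex(PREFIX + PAM_LINE), FailRegex(PREFIX + FAILED_PW)]
# Fixed behaviour: the pam_unix line is a NOFAIL helper, only "Failed password" counts.
NEW_FILTER = [FailRegex(PREFIX + PAM_LINE, nofail=True), FailRegex(PREFIX + FAILED_PW)]


def simulate_jail(log_text, failregexes, maxretry):
    """Replay log lines through a jail the way fail2ban counts them: each counted
    match increments the per-host failure counter, and reaching maxretry bans the
    host. Returns (failures_per_host, banned_hosts, line_number_of_first_ban)."""
    compiled = [(re.compile(fr.pattern), fr.nofail) for fr in failregexes]
    failures = {}
    banned = []
    ban_line = None
    for idx, line in enumerate(log_text.splitlines(), start=1):
        for rx, nofail in compiled:
            m = rx.search(line)
            if not m:
                continue
            host = m.group("host")
            if not nofail:
                failures[host] = failures.get(host, 0) + 1
                if failures[host] >= maxretry and host not in banned:
                    banned.append(host)
                    ban_line = idx
            break  # the first matching failregex wins, as in fail2ban
    return failures, banned, ban_line


def attempts_before_ban(failregexes, maxretry=3):
    """Number of complete login attempts the client got before being banned
    (None if the sample log never triggers a ban). The sample has two lines
    per attempt, so the attempt number is derived from the ban line."""
    _, banned, ban_line = simulate_jail(AUTH_LOG, failregexes, maxretry)
    if not banned:
        return None
    return (ban_line + 1) // 2


if __name__ == "__main__":
    for name, flt in (("old filter", OLD_FILTER), ("fixed filter", NEW_FILTER)):
        counts, banned, _ = simulate_jail(AUTH_LOG, flt, maxretry=3)
        print(f"{name}: failures={counts} banned={banned} "
              f"banned after attempt {attempts_before_ban(flt)}")
```

With maxretry = 3 the old filter bans after the second attempt (the third log line already reaches the limit), which is exactly the symptom in the report, while the fixed filter bans after the third attempt because the NOFAIL line only contributes the host and never a failure.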