Fail2Ban Don't work with sshd #3417

Closed
Rockerking opened this issue Nov 22, 2022 · 2 comments

Rockerking commented Nov 22, 2022

Hello together,
I have a new standard installation.

[sshd]
enabled = true
port    = ssh
filter = sshd
logpath = /var/log/auth.log
backend = %(sshd_backend)s

Unfortunately, nothing is written in the auth.log.
In the fail2ban log there is only the following:

2022-11-22 21:08:46,067 fail2ban.server         [29349]: INFO    Starting Fail2ban v0.10.2
2022-11-22 21:08:46,083 fail2ban.database       [29349]: INFO    Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2022-11-22 21:08:46,085 fail2ban.jail           [29349]: INFO    Creating new jail 'sshd'
2022-11-22 21:08:46,104 fail2ban.jail           [29349]: INFO    Jail 'sshd' uses pyinotify {}
2022-11-22 21:08:46,108 fail2ban.jail           [29349]: INFO    Initiated 'pyinotify' backend
2022-11-22 21:08:46,111 fail2ban.filter         [29349]: INFO      maxLines: 1
2022-11-22 21:08:46,148 fail2ban.server         [29349]: INFO    Jail sshd is not a JournalFilter instance
2022-11-22 21:08:46,150 fail2ban.filter         [29349]: INFO    Added logfile: '/var/log/auth.log' (pos = 0, hash = da39a3ee5e6b4b0d3255bfef95601890afd80709)
2022-11-22 21:08:46,153 fail2ban.filter         [29349]: INFO      encoding: UTF-8
2022-11-22 21:08:46,153 fail2ban.filter         [29349]: INFO      maxRetry: 3
2022-11-22 21:08:46,154 fail2ban.filter         [29349]: INFO      findtime: 600
2022-11-22 21:08:46,154 fail2ban.actions        [29349]: INFO      banTime: 600
2022-11-22 21:08:46,168 fail2ban.jail           [29349]: INFO    Jail 'sshd' started

I only get a message that I tried it too often, see the ban action in the log, and that was it.
I can log in again and again.


sebres commented Nov 22, 2022

> Unfortunately, nothing is written in the auth.log.

What do you mean?
Fail2ban would not write to auth.log at all, it reads from there... logpath configures which log file fail2ban will monitor (if the jail is configured with a file-related backend, and that is the case on your side, given "Jail 'sshd' uses pyinotify" in the log).
If your sshd does not write to auth.log, maybe it writes to the systemd journal (and there is no rsyslog rule directing auth messages to the auth.log file). In this case you need to configure the systemd backend for the sshd jail:

[sshd]
backend = systemd
...

You can check whether journal contains sshd messages with:

journalctl _SYSTEMD_UNIT=sshd.service + _COMM=sshd

To check whether fail2ban would match anything in systemd journal use fail2ban-regex:

## aggressive mode:
fail2ban-regex systemd-journal 'sshd[mode=aggressive]'
## messages only:
fail2ban-regex -o msg systemd-journal 'sshd[mode=aggressive]'
## normal mode:
fail2ban-regex systemd-journal sshd
## messages only:
fail2ban-regex -o msg systemd-journal sshd

sebres closed this as not planned (won't fix, can't repro, duplicate, stale) Nov 22, 2022

sebres commented Nov 22, 2022

Also note https://github.com/fail2ban/fail2ban/wiki/How-fail2ban-works for further info.
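
The startup log quoted in the issue already hints at the diagnosis given in the reply: the `hash` reported for `/var/log/auth.log` equals the SHA-1 of zero bytes. The following is an added example, not code from the thread or from the fail2ban project; it assumes that this digest at `pos = 0` means the file had no content when fail2ban opened it, and that each "Added logfile" line belongs to the most recently announced jail.

```python
import hashlib
import re

# Startup lines copied from the fail2ban log quoted in the issue above.
STARTUP_LOG = """\
2022-11-22 21:08:46,104 fail2ban.jail           [29349]: INFO    Jail 'sshd' uses pyinotify {}
2022-11-22 21:08:46,148 fail2ban.server         [29349]: INFO    Jail sshd is not a JournalFilter instance
2022-11-22 21:08:46,150 fail2ban.filter         [29349]: INFO    Added logfile: '/var/log/auth.log' (pos = 0, hash = da39a3ee5e6b4b0d3255bfef95601890afd80709)
"""

BACKEND_RE = re.compile(r"Jail '(?P<jail>[^']+)' uses (?P<backend>\S+)")
LOGFILE_RE = re.compile(
    r"Added logfile: '(?P<path>[^']+)' \(pos = (?P<pos>\d+), hash = (?P<hash>[0-9a-f]+)\)")
# SHA-1 over zero bytes: the digest seen when there was no data to hash.
EMPTY_SHA1 = hashlib.sha1(b"").hexdigest()


def diagnose(log_text):
    """Return (jail -> backend map, findings) for a fail2ban startup log."""
    backends, findings = {}, []
    current = None  # assumption: logfile lines follow their jail's backend line
    for line in log_text.splitlines():
        m = BACKEND_RE.search(line)
        if m:
            current = m["jail"]
            backends[current] = m["backend"]
            continue
        m = LOGFILE_RE.search(line)
        if not m:
            continue
        backend = backends.get(current, "unknown")
        if m["hash"] == EMPTY_SHA1 and int(m["pos"]) == 0:
            findings.append(
                f"jail {current!r} ({backend}): {m['path']} looks empty at startup; "
                "check the journal and consider backend = systemd")
        else:
            findings.append(f"jail {current!r} ({backend}): {m['path']} has content")
    return backends, findings


if __name__ == "__main__":
    backends, findings = diagnose(STARTUP_LOG)
    print(backends)
    for finding in findings:
        print(" -", finding)
```

A finding of "looks empty" is a prompt to run the `journalctl` and `fail2ban-regex systemd-journal` checks given in the reply, not proof that sshd logs to the journal.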
