fail2ban and sshd not working
In the default installation the sshd jail does not work.
I raised the loglevel and added a vsftpd jail in /etc/fail2ban/
2018-06-04 12:47:25,241 fail2ban.jail [4091]: DEBUG Starting jail 'sshd'
2018-06-04 12:47:25,241 fail2ban.
2018-06-04 12:47:25,242 fail2ban.jail [4091]: INFO Jail 'sshd' started
2018-06-04 12:47:25,243 fail2ban.jail [4091]: DEBUG Starting jail 'vsftpd'
2018-06-04 12:47:25,243 fail2ban.
2018-06-04 12:47:25,244 fail2ban.jail [4091]: INFO Jail 'vsftpd' started
2018-06-04 12:47:49,728 fail2ban.
2018-06-04 12:47:49,728 fail2ban.
2018-06-04 12:47:51,335 fail2ban.
2018-06-04 12:47:51,335 fail2ban.
2018-06-04 12:47:54,039 fail2ban.
2018-06-04 12:47:54,040 fail2ban.
2018-06-04 12:48:00,138 fail2ban.
2018-06-04 12:48:00,139 fail2ban.
2018-06-04 12:48:01,171 fail2ban.
2018-06-04 12:48:01,172 fail2ban.
2018-06-04 12:48:02,775 fail2ban.
2018-06-04 12:48:02,775 fail2ban.
2018-06-04 12:48:04,561 fail2ban.
2018-06-04 12:48:04,561 fail2ban.
2018-06-04 12:48:11,962 fail2ban.
2018-06-04 12:48:11,962 fail2ban.
2018-06-04 12:48:13,100 fail2ban.
2018-06-04 12:48:13,100 fail2ban.
2018-06-04 12:48:14,703 fail2ban.
2018-06-04 12:48:14,704 fail2ban.
2018-06-04 12:48:16,525 fail2ban.
2018-06-04 12:48:16,526 fail2ban.
2018-06-04 12:48:24,088 fail2ban.
2018-06-04 12:48:24,089 fail2ban.
2018-06-04 12:48:25,264 fail2ban.
2018-06-04 12:48:25,264 fail2ban.
2018-06-04 12:48:26,867 fail2ban.
2018-06-04 12:48:26,867 fail2ban.
2018-06-04 12:48:28,633 fail2ban.
2018-06-04 12:48:28,634 fail2ban.
2018-06-04 12:48:36,131 fail2ban.
2018-06-04 12:48:36,131 fail2ban.
And here is /var/log/auth.log:
Jun 4 09:34:47 myhost1 sshd[2549]: userauth_pubkey: key type ssh-dss not in PubkeyAcceptedK
Jun 4 09:34:47 myhost1 sshd[2549]: userauth_pubkey: key type ssh-dss not in PubkeyAcceptedK
Jun 4 09:34:49 myhost1 sshd[2549]: pam_unix(
Jun 4 09:34:50 myhost1 sshd[2549]: Failed password for root from 192.168.178.111 port 60668 ssh2
Jun 4 09:34:59 myhost1 sshd[2549]: message repeated 2 times: [ Failed password for root from 192.168.178.111 port 60668 ssh2]
Jun 4 09:34:59 myhost1 sshd[2549]: error: maximum authentication attempts exceeded for root from 192.168.178.111 port 60668 ssh2 [preauth]
Jun 4 09:34:59 myhost1 sshd[2549]: Disconnecting authenticating user root 192.168.178.111 port 60668: Too many authentication failures [preauth]
Jun 4 09:34:59 myhost1 sshd[2549]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.
Jun 4 09:35:02 myhost1 sshd[2551]: userauth_pubkey: key type ssh-dss not in PubkeyAcceptedK
Jun 4 09:35:02 myhost1 sshd[2551]: userauth_pubkey: key type ssh-dss not in PubkeyAcceptedK
Jun 4 09:35:03 myhost1 sshd[2551]: pam_unix(
Jun 4 09:35:05 myhost1 sshd[2551]: Failed password for root from 192.168.178.111 port 60674 ssh2
Jun 4 09:35:11 myhost1 sshd[2551]: message repeated 2 times: [ Failed password for root from 192.168.178.111 port 60674 ssh2]
Jun 4 09:35:11 myhost1 sshd[2551]: error: maximum authentication attempts exceeded for root from 192.168.178.111 port 60674 ssh2 [preauth]
Jun 4 09:35:11 myhost1 sshd[2551]: Disconnecting authenticating user root 192.168.178.111 port 60674: Too many authentication failures [preauth]
Jun 4 09:35:11 myhost1 sshd[2551]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.
Jun 4 09:35:13 myhost1 sshd[2553]: userauth_pubkey: key type ssh-dss not in PubkeyAcceptedK
Jun 4 09:35:13 myhost1 sshd[2553]: userauth_pubkey: key type ssh-dss not in PubkeyAcceptedK
Jun 4 09:35:15 myhost1 sshd[2553]: pam_unix(
Jun 4 09:35:17 myhost1 sshd[2553]: Failed password for root from 192.168.178.111 port 60676 ssh2
Jun 4 09:35:22 myhost1 sshd[2553]: message repeated 2 times: [ Failed password for root from 192.168.178.111 port 60676 ssh2]
Jun 4 09:35:22 myhost1 sshd[2553]: error: maximum authentication attempts exceeded for root from 192.168.178.111 port 60676 ssh2 [preauth]
Jun 4 09:35:22 myhost1 sshd[2553]: Disconnecting authenticating user root 192.168.178.111 port 60676: Too many authentication failures [preauth]
Jun 4 09:35:22 myhost1 sshd[2553]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.
Jun 4 09:35:23 myhost1 sshd[2555]: userauth_pubkey: key type ssh-dss not in PubkeyAcceptedK
Jun 4 09:35:23 myhost1 sshd[2555]: userauth_pubkey: key type ssh-dss not in PubkeyAcceptedK
Jun 4 09:35:24 myhost1 sshd[2555]: pam_unix(
Jun 4 09:35:26 myhost1 sshd[2555]: Failed password for root from 192.168.178.111 port 60680 ssh2
Jun 4 09:35:33 myhost1 sshd[2555]: message repeated 2 times: [ Failed password for root from 192.168.178.111 port 60680 ssh2]
Jun 4 09:35:33 myhost1 sshd[2555]: error: maximum authentication attempts exceeded for root from 192.168.178.111 port 60680 ssh2 [preauth]
Jun 4 09:35:33 myhost1 sshd[2555]: Disconnecting authenticating user root 192.168.178.111 port 60680: Too many authentication failures [preauth]
Jun 4 09:35:33 myhost1 sshd[2555]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.
Jun 4 09:35:34 myhost1 sshd[2557]: userauth_pubkey: key type ssh-dss not in PubkeyAcceptedK
Jun 4 09:35:34 myhost1 sshd[2557]: userauth_pubkey: key type ssh-dss not in PubkeyAcceptedK
Jun 4 09:35:36 myhost1 sshd[2557]: pam_unix(
Jun 4 09:35:38 myhost1 sshd[2557]: Failed password for root from 192.168.178.111 port 60682 ssh2
Jun 4 09:35:44 myhost1 sshd[2557]: message repeated 2 times: [ Failed password for root from 192.168.178.111 port 60682 ssh2]
Jun 4 09:35:44 myhost1 sshd[2557]: error: maximum authentication attempts exceeded for root from 192.168.178.111 port 60682 ssh2 [preauth]
Jun 4 09:35:44 myhost1 sshd[2557]: Disconnecting authenticating user root 192.168.178.111 port 60682: Too many authentication failures [preauth]
Jun 4 09:35:44 myhost1 sshd[2557]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.
If I try "fail2ban-regex /var/log/auth.log /etc/fail2ban/
Here is the partial output from fail2ban-regex:
Running tests
=============
Use failregex filter file : sshd, basedir: /etc/fail2ban
Use maxlines : 1
Use datepattern : Default Detectors
Use log file : /var/log/auth.log
Use encoding : UTF-8
Results
=======
Failregex: 65 total
|- #) [# of hits] regular expression
| 4) [21] ^Failed \b(?!publickey)\S+ for (?P<cond_
| 14) [26] ^pam_unix\
| 15) [18] ^(error: )?maximum authentication attempts exceeded for <F-USER>.*</F-USER> from <HOST>(?: port \d+)?(?: on \S+(?: port \d+)?)?(?: ssh\d*)?(?: \[preauth\])?\s*$
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [306] {^LN-BEG}(?:DAY )?MON Day %k:Minute:
`-
Lines: 306 lines, 0 ignored, 65 matched, 241 missed
[processed in 0.07 sec]
Missed line(s): too many to print. Use --print-all-missed to print all 241 lines
With vsftpd everything works ok.
Here is the content of /etc/fail2ban/
[sshd]
enabled = true
maxretry = 3
action = ufw
[vsftpd]
enabled = true
maxretry = 3
action = ufw
Have I missed something?
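The fail2ban-regex run above only tells you which lines the filter matches; whether a ban is actually triggered also depends on how many matches land inside the same findtime window and on how syslog compresses repeats ("message repeated N times: [ ... ]"). The script below is an added example (not fail2ban's own code and not its real sshd filter): it runs a simplified, fail2ban-style jail over a handful of constructed auth.log lines that mirror the format shown in the question, counts failures per source host in a sliding findtime window, and reports which lines were missed. The regexes are simplified stand-ins for the patterns listed in the fail2ban-regex output, the year 2018 is assumed because syslog timestamps carry none, and the `unwrap_repeated` switch is an assumption used only to show what changes when the repeated-message wrapper is not unwrapped.

```python
"""Minimal fail2ban-style jail simulation over sshd auth.log lines.

Added example, not fail2ban's own code. Regexes are simplified stand-ins
for the sshd filter patterns reported by fail2ban-regex; the sample log
lines are constructed to mirror the format shown in the question.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified failregexes (assumption: modelled on the patterns listed in the
# fail2ban-regex output, not copied from fail2ban's filter.d/sshd.conf).
# Anchored with match(), like fail2ban's leading '^'.
FAILREGEXES = [
    re.compile(r"Failed (?!publickey)\S+ for (?:invalid user )?(?P<user>\S+) from (?P<host>\S+)"),
    re.compile(r"(?:error: )?maximum authentication attempts exceeded for (?P<user>\S+) from (?P<host>\S+)"),
]

# syslog repeat compression wraps an earlier message; if the wrapper is not
# unwrapped, the N repeated failures are never counted.
REPEATED = re.compile(r"message repeated (?P<n>\d+) times: \[ (?P<inner>.*)\]$")

SYSLOG_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>\w+)\[\d+\]: (?P<msg>.*)$")

# Constructed sample, modelled on the question's auth.log format.
SAMPLE_LOG = """\
Jun  4 09:34:50 myhost1 sshd[2549]: Failed password for root from 192.168.178.111 port 60668 ssh2
Jun  4 09:34:59 myhost1 sshd[2549]: message repeated 2 times: [ Failed password for root from 192.168.178.111 port 60668 ssh2]
Jun  4 09:34:59 myhost1 sshd[2549]: error: maximum authentication attempts exceeded for root from 192.168.178.111 port 60668 ssh2 [preauth]
Jun  4 09:34:59 myhost1 sshd[2549]: Disconnecting authenticating user root 192.168.178.111 port 60668: Too many authentication failures [preauth]
Jun  4 09:35:05 myhost1 sshd[2551]: Failed password for root from 192.168.178.111 port 60674 ssh2
Jun  4 09:36:10 myhost1 sshd[2600]: Accepted publickey for alice from 192.168.178.50 port 51000 ssh2
Jun  4 09:36:30 myhost1 sshd[2602]: Failed password for invalid user admin from 203.0.113.9 port 4022 ssh2
""".splitlines()


def parse_timestamp(ts, year=2018):
    """syslog timestamps carry no year; assume the one from the question."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def extract_failures(line, unwrap_repeated=True):
    """Return a list of (timestamp, source_host, user) failures found in one line."""
    m = SYSLOG_LINE.match(line)
    if not m or m.group("prog") != "sshd":
        return []
    ts = parse_timestamp(m.group("ts"))
    msg, count = m.group("msg"), 1
    rep = REPEATED.search(msg)
    if rep and unwrap_repeated:
        count = int(rep.group("n"))        # the wrapped failure happened N times
        msg = rep.group("inner").strip()
    for rx in FAILREGEXES:
        f = rx.match(msg)
        if f:
            return [(ts, f.group("host"), f.group("user"))] * count
    return []


def run_jail(lines, maxretry=3, findtime=600, bantime=600, unwrap_repeated=True):
    """Sliding-window jail: ban a host once it reaches maxretry failures within
    findtime seconds. Returns (bans, missed_lines)."""
    window = defaultdict(deque)   # host -> timestamps of recent failures
    banned_until, bans, missed = {}, [], []
    for line in lines:
        failures = extract_failures(line, unwrap_repeated)
        if not failures:
            missed.append(line)           # what fail2ban-regex would list as "missed"
            continue
        for ts, host, _user in failures:
            if host in banned_until and ts < banned_until[host]:
                continue                  # already banned; nothing more to count
            q = window[host]
            q.append(ts)
            while q and (ts - q[0]).total_seconds() > findtime:
                q.popleft()               # drop failures older than findtime
            if len(q) >= maxretry:
                bans.append((ts, host))
                banned_until[host] = ts + timedelta(seconds=bantime)
                q.clear()
    return bans, missed


if __name__ == "__main__":
    for unwrap in (True, False):
        bans, missed = run_jail(SAMPLE_LOG, unwrap_repeated=unwrap)
        print(f"unwrap_repeated={unwrap}: bans={bans}, missed={len(missed)} line(s)")
```

Run it as-is and compare the two passes: with the repeat wrapper unwrapped, 192.168.178.111 hits maxretry=3 on the "message repeated 2 times" line at 09:34:59; without unwrapping, that line is missed and the ban only lands on the next failure at 09:35:05. The "missed" list is the same information the `--print-all-missed` option in fail2ban-regex gives you, and inspecting it for lines that should have counted is the first check to make before touching the jail settings.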
Question information
- Language: English
- Status: Expired
- For: Ubuntu fail2ban
- Assignee: No assignee