~alpine/users

fail2ban not banning IP address with sshd and sshd-ddos jails

Message ID: <84cd8f9dfb975b46dd572aef139504dc61dbd9b8.camel@revsuine.xyz>
DKIM signature: missing
Hi all,

I'm using the preinstalled alpine-sshd and alpine-sshd-ddos fail2ban
jails with the following config:

   [sshd]
   enabled  = true
   filter   = alpine-sshd
   port     = ssh
   logpath  = /var/log/messages
   maxretry = 10
   
   [sshd-ddos]
   enabled  = true
   filter   = alpine-sshd-ddos
   port     = ssh
   logpath  = /var/log/messages
   maxretry = 10

There is one user with the same IP address completely spamming my
server with ssh authentication requests filling up /var/log/messages.
But `doas fail2ban-client status sshd` and `doas fail2ban-client status
sshd-ddos` both show

   Status for the jail: sshd
   |- Filter
   |  |- Currently failed:	0
   |  |- Total failed:	0
   |  `- File list:	/var/log/messages
   `- Actions
      |- Currently banned:	0
      |- Total banned:	0
      `- Banned IP list:	

My /etc/fail2ban/jail.local is:

   [DEFUALT]
   bantime = 1d
   banaction = ufw
   banaction_allports = ufw[type=allports]

I also tried banning them manually by doing

   ufw deny from IP to any

but they still seem to be spamming /var/log/messages.

I've also just tried this alpine-sshd-key jail (I have password
authentication off): https://wiki.alpinelinux.org/wiki/Fail2ban
and same effect, no ban.

   $ fail2ban-regex /var/log/messages /etc/fail2ban/filter.d/alpine-sshd.conf
   
   Running tests
   =============
   
   Use      filter file : alpine-sshd, basedir: /etc/fail2ban
   Use         maxlines : 10
   Use      datepattern : {^LN-BEG} : Default Detectors
   Use         log file : /var/log/messages
   Use         encoding : UTF-8
   
   
   Results
   =======
   
   Failregex: 2 total
   |-  #) [# of hits] regular expression
   |   1) [2] Failed [-/\w]+ for .* from <HOST> port \d* ssh2
   `-
   
   Ignoreregex: 0 total
   
   Date template hits:
   |- [# of hits] date format
   |  [1082] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
   `-
   
   Lines: 1082 lines, 0 ignored, 2 matched, 1080 missed
   [processed in 0.06 sec]
   
   Missed line(s): too many to print.  Use --print-all-missed to print
   all 1080 lines

Any ideas?

Thanks

-- 
I sign all my emails with the attached GPG key. If you receive an
unsigned email, it's not from me.

If you don't know what GPG is, you can send me end-to-end encrypted
email using my public GPG key (attached), so that only you and I can
read it. To learn how, see this guide:
https://emailselfdefense.fsf.org/

Free Palestine
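The fail2ban-regex output in the post is the most useful clue: 1082 lines read, only 2 matched, so the jail's counter never gets near maxretry = 10 no matter what the ban action is. The check a practitioner would do next is to look at what form the missed lines take (`--print-all-missed`, as the tool suggests) and test candidate patterns against them before touching the jail. The script below is an added example, not code from the poster or from the alpine-sshd filter; it mimics the per-host counting that fail2ban-regex prints, using the one failregex the post shows plus two pre-auth patterns I wrote myself (hypothetical, not from any shipped filter file) over a constructed sample of /var/log/messages. The `<HOST>` expansion is an approximation of fail2ban's own.

```python
import re

# fail2ban expands the <HOST> placeholder in a failregex to a named group.
# This expansion is an approximation of fail2ban's own (assumption: the exact
# text varies between fail2ban releases); it is enough for IPv4 and hostnames.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The one failregex that fail2ban-regex reported hits for in the post above.
ALPINE_SSHD_FAILREGEX = r"Failed [-/\w]+ for .* from <HOST> port \d* ssh2"

# Patterns I wrote for the pre-auth disconnect lines sshd logs when a client is
# refused before password/pubkey auth completes (hypothetical, not taken from
# any fail2ban filter file; verify them against your own /var/log/messages).
PREAUTH_FAILREGEXES = [
    r"(?:Connection closed by|Disconnected from) (?:authenticating|invalid) user \S+ <HOST> port \d+ \[preauth\]",
    r"Received disconnect from <HOST> port \d+:\d+: .*\[preauth\]",
]

# Constructed sample of /var/log/messages: one client (203.0.113.9) hammers
# sshd, but only two of its lines are of the "Failed ... ssh2" form.
SAMPLE_LOG = """\
Nov 25 19:58:01 box sshd[1201]: Failed password for invalid user admin from 203.0.113.9 port 51234 ssh2
Nov 25 19:58:03 box sshd[1203]: Connection closed by authenticating user root 203.0.113.9 port 51236 [preauth]
Nov 25 19:58:04 box sshd[1205]: Connection closed by invalid user oracle 203.0.113.9 port 51238 [preauth]
Nov 25 19:58:05 box sshd[1207]: Received disconnect from 203.0.113.9 port 51240:11: Bye Bye [preauth]
Nov 25 19:58:06 box sshd[1209]: Disconnected from authenticating user root 203.0.113.9 port 51242 [preauth]
Nov 25 19:58:07 box sshd[1211]: Failed publickey for root from 203.0.113.9 port 51244 ssh2: RSA SHA256:XXXX
Nov 25 19:58:08 box sshd[1213]: Accepted publickey for alice from 198.51.100.4 port 40000 ssh2: ED25519 SHA256:YYYY
"""


def compile_failregexes(failregexes):
    """Turn fail2ban-style failregex strings into Python patterns."""
    return [re.compile(fr.replace("<HOST>", HOST_RE)) for fr in failregexes]


def count_hits(log_text, failregexes):
    """Mimic the summary fail2ban-regex prints: hits per host and missed lines.

    As in fail2ban, a line is credited to the first failregex that matches it.
    """
    patterns = compile_failregexes(failregexes)
    hits = {}
    missed = []
    for line in log_text.splitlines():
        for pat in patterns:
            m = pat.search(line)
            if m:
                host = m.group("host")
                hits[host] = hits.get(host, 0) + 1
                break
        else:
            missed.append(line)
    return hits, missed


def would_ban(hits, maxretry):
    """Hosts whose failure count reaches the jail's maxretry (findtime ignored)."""
    return sorted(host for host, n in hits.items() if n >= maxretry)


if __name__ == "__main__":
    for label, regexes in (
        ("alpine-sshd failregex only", [ALPINE_SSHD_FAILREGEX]),
        ("plus pre-auth patterns", [ALPINE_SSHD_FAILREGEX] + PREAUTH_FAILREGEXES),
    ):
        hits, missed = count_hits(SAMPLE_LOG, regexes)
        print(f"{label}: {sum(hits.values())} matched, {len(missed)} missed")
        print(f"  hits per host: {hits}; would ban with maxretry=10: {would_ban(hits, 10)}")
```

With only the shipped pattern the sample client scores 2 hits, the same shape as the post's 2 matched / 1080 missed; once the pre-auth lines are counted it scores 6, which still does not reach maxretry = 10, so the maxretry and findtime values need to be judged against the real rate of matched lines, not the raw volume in the log.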
Isak Holmström <isak@prehosp.se>
Message ID: <d760cf2b-51de-4720-9021-b42b6fe2c5c5@betaapp.fastmail.com>
In-Reply-To: <84cd8f9dfb975b46dd572aef139504dc61dbd9b8.camel@revsuine.xyz>
DKIM signature: missing
See below.

______
  -ISAK

On Mon, 25 Nov 2024 at 20:05, revsuine wrote:
> Hi all,
>
> I'm using the preinstalled alpine-sshd and alpine-sshd-ddos fail2ban
> jails with the following config:
>
>    [sshd]
>    enabled  = true
>    filter   = alpine-sshd
>    port     = ssh
>    logpath  = /var/log/messages
>    maxretry = 10
>   
>    [sshd-ddos]
>    enabled  = true
>    filter   = alpine-sshd-ddos
>    port     = ssh
>    logpath  = /var/log/messages
>    maxretry = 10
>
> There is one user with the same IP address completely spamming my
> server with ssh authentication requests filling up /var/log/messages.
> But `doas fail2ban-client status sshd` and `doas fail2ban-client status
> sshd-ddos` both show
>
>    Status for the jail: sshd
>    |- Filter
>    |  |- Currently failed:	0
>    |  |- Total failed:	0
>    |  `- File list:	/var/log/messages
>    `- Actions
>       |- Currently banned:	0
>       |- Total banned:	0
>       `- Banned IP list:	
>
> My /etc/fail2ban/jail.local is:

Is this misspelled? Default?


>    [DEFUALT]
>    bantime = 1d
>    banaction = ufw
>    banaction_allports = ufw[type=allports]
>
> I also tried banning them manually by doing
>
>    ufw deny from IP to any
>
> but they still seem to be spamming /var/log/messages.
>
> I've also just tried this alpine-sshd-key jail (I have password
> authentication off): https://wiki.alpinelinux.org/wiki/Fail2ban
> and same effect, no ban.
>
>    $ fail2ban-regex /var/log/messages /etc/fail2ban/filter.d/alpine-sshd.conf
>   
>    Running tests
>    =============
>   
>    Use      filter file : alpine-sshd, basedir: /etc/fail2ban
>    Use         maxlines : 10
>    Use      datepattern : {^LN-BEG} : Default Detectors
>    Use         log file : /var/log/messages
>    Use         encoding : UTF-8
>   
>   
>    Results
>    =======
>   
>    Failregex: 2 total
>    |-  #) [# of hits] regular expression
>    |   1) [2] Failed [-/\w]+ for .* from <HOST> port \d* ssh2
>    `-
>   
>    Ignoreregex: 0 total
>   
>    Date template hits:
>    |- [# of hits] date format
>    |  [1082] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
>    `-
>   
>    Lines: 1082 lines, 0 ignored, 2 matched, 1080 missed
>    [processed in 0.06 sec]
>   
>    Missed line(s): too many to print.  Use --print-all-missed to print
>    all 1080 lines
>
> Any ideas?
>
> Thanks
>
> -- 
> I sign all my emails with the attached GPG key. If you receive an
> unsigned email, it's not from me.
>
> If you don't know what GPG is, you can send me end-to-end encrypted
> email using my public GPG key (attached), so that only you and I can
> read it. To learn how, see this guide:
> https://emailselfdefense.fsf.org/
>
> Free Palestine
>
> Attachments:
> * signature.asc
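The point of Isak's question is that fail2ban's jail files are INI-style: only a section literally named DEFAULT is inherited by every jail, and a section called DEFUALT is just another ordinary section that no jail reads, so bantime and the ufw banaction never reach [sshd]. The script below is an added example, not from the thread or from fail2ban, that shows this with Python's configparser (fail2ban's own reader is a configparser subclass, so the inheritance rule is the same) on a constructed copy of the posted jail.local, and adds a small lint that flags sections carrying none of the keys a real jail has.

```python
import configparser
import difflib

# Constructed copy of the jail.local and [sshd] jail quoted in this thread,
# with the section header exactly as posted (note the spelling).
JAIL_LOCAL_AS_POSTED = """\
[DEFUALT]
bantime = 1d
banaction = ufw
banaction_allports = ufw[type=allports]

[sshd]
enabled  = true
filter   = alpine-sshd
port     = ssh
logpath  = /var/log/messages
maxretry = 10
"""

JAIL_LOCAL_FIXED = JAIL_LOCAL_AS_POSTED.replace("[DEFUALT]", "[DEFAULT]")

# Keys that every real jail section carries; a section with none of them is
# not a jail and is most likely a mistyped [DEFAULT].
JAIL_KEYS = ("enabled", "filter", "logpath")


def load_jail_config(text):
    # Only the section literally named DEFAULT is inherited by the others.
    # Interpolation is off because values such as ufw[type=allports] are
    # literal text, not configparser references.
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return cfg


def effective_setting(cfg, jail, key):
    """What the jail actually sees for `key`: its own value, else DEFAULT's, else None."""
    return cfg.get(jail, key, fallback=None)


def suspicious_sections(cfg):
    """Sections with no jail keys, each with a spelling hint when the name resembles DEFAULT."""
    findings = []
    for name in cfg.sections():  # sections() never lists DEFAULT itself
        if any(cfg.has_option(name, k) for k in JAIL_KEYS):
            continue
        close = difflib.get_close_matches(name.upper(), ["DEFAULT"], cutoff=0.8)
        hint = f"did you mean [{close[0]}]?" if close else "not a jail (no enabled/filter/logpath)"
        findings.append((name, hint))
    return findings


if __name__ == "__main__":
    for label, text in (("as posted", JAIL_LOCAL_AS_POSTED), ("fixed", JAIL_LOCAL_FIXED)):
        cfg = load_jail_config(text)
        print(f"{label}: [sshd] banaction={effective_setting(cfg, 'sshd', 'banaction')!r}, "
              f"bantime={effective_setting(cfg, 'sshd', 'bantime')!r}")
        for name, hint in suspicious_sections(cfg):
            print(f"  suspicious section [{name}]: {hint}")
```

On a live box the equivalent check is `fail2ban-client -d`, which dumps the configuration as fail2ban actually parsed it; the ufw banaction should appear under the sshd jail there, and if it does not, the jail is using the built-in defaults from jail.conf instead.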