Subject: fail2ban not banning IP address with sshd and sshd-ddos jails
From: revsuine
To: ~alpine/users@lists.alpinelinux.org
Date: Mon, 25 Nov 2024 19:05:40 +0000

Hi all,

I'm using the preinstalled alpine-sshd and alpine-sshd-ddos fail2ban jails with the following config:

    [sshd]
    enabled = true
    filter = alpine-sshd
    port = ssh
    logpath = /var/log/messages
    maxretry = 10

    [sshd-ddos]
    enabled = true
    filter = alpine-sshd-ddos
    port = ssh
    logpath = /var/log/messages
    maxretry = 10

There is one user with the same IP address completely spamming my server with ssh authentication requests, filling up /var/log/messages. But `doas fail2ban-client status sshd` and `doas fail2ban-client status sshd-ddos` both show

    Status for the jail: sshd
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     0
    |  `- File list:        /var/log/messages
    `- Actions
       |- Currently banned: 0
       |- Total banned:     0
       `- Banned IP list:

My /etc/fail2ban/jail.local is:

    [DEFUALT]
    bantime = 1d
    banaction = ufw
    banaction_allports = ufw[type=allports]

I also tried banning them manually by doing `ufw deny from IP to any`, but they still seem to be spamming /var/log/messages.

I've also just tried this alpine-sshd-key jail (I have password authentication off): https://wiki.alpinelinux.org/wiki/Fail2ban and same effect, no ban.

    $ fail2ban-regex /var/log/messages /etc/fail2ban/filter.d/alpine-sshd.conf

    Running tests
    =============

    Use   filter file : alpine-sshd, basedir: /etc/fail2ban
    Use      maxlines : 10
    Use   datepattern : {^LN-BEG} : Default Detectors
    Use      log file : /var/log/messages
    Use      encoding : UTF-8


    Results
    =======

    Failregex: 2 total
    |-  #) [# of hits] regular expression
    |   1) [2] Failed [-/\w]+ for .* from <HOST> port \d* ssh2
    `-

    Ignoreregex: 0 total

    Date template hits:
    |- [# of hits] date format
    |  [1082] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
    `-

    Lines: 1082 lines, 0 ignored, 2 matched, 1080 missed
    [processed in 0.06 sec]

    Missed line(s): too many to print.  Use --print-all-missed to print all 1080 lines

Any ideas?

Thanks

-- 
I sign all my emails with the attached GPG key. If you receive an unsigned email, it's not from me.
If you don't know what GPG is, you can send me end-to-end encrypted email using my public GPG key (attached), so that only you and I can read it. To learn how, see this guide: https://emailselfdefense.fsf.org/

Free Palestine
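The following is an added example, not part of the post above and not fail2ban's own code. It reproduces offline the two things the post's output turns on: which log lines the printed alpine-sshd failregex actually matches (and therefore why a jail can report "Total failed: 0" while sshd is busy), and how an ini reader treats the `[DEFUALT]` section shown in the jail.local. The log lines are constructed samples in Alpine's busybox syslog format, the `<HOST>` expansion is a simplified stand-in for fail2ban's real pattern, and `configparser` is used because fail2ban's config reader is built on it; all of those are assumptions of this example.

```python
"""Reproduce what fail2ban-regex reports for the alpine-sshd filter, offline.

Added example, not fail2ban's own code. The failregex is the one printed
in the post; the log lines are constructed samples in Alpine's busybox
syslog format; <HOST> is expanded with a simplified host pattern
(assumption: fail2ban's real <HOST> pattern is stricter than this).
"""
import configparser
import re
from collections import Counter

# Failregex exactly as fail2ban-regex printed it in the post.
FAILREGEX = r"Failed [-/\w]+ for .* from <HOST> port \d* ssh2"

# Simplified stand-in for fail2ban's <HOST> expansion (assumption: an
# IPv4/IPv6 literal or a hostname).
HOST_PATTERN = r"(?P<host>[0-9A-Fa-f:.]+|[\w.-]+)"

# Constructed sample of /var/log/messages. Only the first two lines are the
# "Failed password ..." form this filter was written for; with password
# authentication disabled, sshd mostly logs the other forms, which the
# filter never counts.
SAMPLE_LOG = """\
Nov 25 18:59:01 vps auth.info sshd[4321]: Failed password for root from 203.0.113.7 port 51234 ssh2
Nov 25 18:59:02 vps auth.info sshd[4322]: Failed password for invalid user admin from 203.0.113.7 port 51235 ssh2
Nov 25 18:59:03 vps auth.info sshd[4323]: Connection closed by authenticating user root 203.0.113.7 port 51236 [preauth]
Nov 25 18:59:04 vps auth.info sshd[4324]: Received disconnect from 203.0.113.7 port 51237:11: Bye Bye [preauth]
Nov 25 18:59:05 vps auth.info sshd[4325]: Invalid user admin from 203.0.113.7 port 51238
Nov 25 18:59:06 vps auth.info sshd[4326]: Accepted publickey for alice from 198.51.100.9 port 40000 ssh2
""".splitlines()


def compile_failregex(failregex: str) -> re.Pattern:
    """Turn a fail2ban-style failregex (containing <HOST>) into a Python regex."""
    return re.compile(failregex.replace("<HOST>", HOST_PATTERN))


def classify(lines, failregex: str = FAILREGEX):
    """Split log lines into (matched, missed), like fail2ban-regex's summary line."""
    rx = compile_failregex(failregex)
    matched, missed = [], []
    for line in lines:
        (matched if rx.search(line) else missed).append(line)
    return matched, missed


def failures_per_host(lines, failregex: str = FAILREGEX) -> Counter:
    """Count matched failures per <HOST>; this is the number a jail bans on."""
    rx = compile_failregex(failregex)
    counts = Counter()
    for line in lines:
        m = rx.search(line)
        if m:
            counts[m.group("host")] += 1
    return counts


def hosts_to_ban(lines, maxretry: int, failregex: str = FAILREGEX):
    """Hosts that reached maxretry matched failures (findtime is ignored here)."""
    return sorted(h for h, n in failures_per_host(lines, failregex).items() if n >= maxretry)


def effective_setting(jail_local: str, jail: str, key: str):
    """Resolve a jail option the way an ini reader with a DEFAULT section does.

    Section names are case-sensitive and only the section spelled exactly
    DEFAULT feeds every other section, so a [DEFUALT] section is an ordinary,
    unused section whose values never reach [sshd]. Returns None when the key
    is not defined for the jail.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(jail_local)
    if not cp.has_section(jail):
        cp.add_section(jail)
    return cp.get(jail, key, fallback=None)


# Constructed jail.local fragments: the misspelling from the post and the fix.
MISSPELLED = "[DEFUALT]\nbantime = 1d\nbanaction = ufw\n"
CORRECT = "[DEFAULT]\nbantime = 1d\nbanaction = ufw\n"

if __name__ == "__main__":
    matched, missed = classify(SAMPLE_LOG)
    print(f"Lines: {len(SAMPLE_LOG)}, {len(matched)} matched, {len(missed)} missed")
    for line in missed:
        print("  missed:", line.split("]: ", 1)[1])
    print("failures per host:", dict(failures_per_host(SAMPLE_LOG)))
    print("ban with maxretry=10:", hosts_to_ban(SAMPLE_LOG, 10))
    print("ban with maxretry=2: ", hosts_to_ban(SAMPLE_LOG, 2))
    print("bantime seen by [sshd] with [DEFUALT]:", effective_setting(MISSPELLED, "sshd", "bantime"))
    print("bantime seen by [sshd] with [DEFAULT]:", effective_setting(CORRECT, "sshd", "bantime"))
```

Running it shows the same shape as the post's output: 2 matched, the rest missed, and a single host that never reaches maxretry because the filter only counts the "Failed password" form. The `effective_setting` part is independent of the filter question: even once a filter matches, a misspelled `DEFAULT` section means `bantime` and `banaction` are never applied to the jails, which is worth checking with `fail2ban-client get sshd bantime` on the live system.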