Received: from out-177.mta0.migadu.com (out-177.mta0.migadu.com [91.218.175.177]) by gbr-app-1.alpinelinux.org (Postfix) with ESMTPS id D65CD225DD6 for <~alpine/users@lists.alpinelinux.org>; Fri, 6 Dec 2024 10:22:04 +0000 (UTC)
Date: Fri, 06 Dec 2024 11:21:37 +0100
From: Isak Holmström
To: ~alpine/users@lists.alpinelinux.org
Message-Id:
In-Reply-To: <84cd8f9dfb975b46dd572aef139504dc61dbd9b8.camel@revsuine.xyz>
References: <84cd8f9dfb975b46dd572aef139504dc61dbd9b8.camel@revsuine.xyz>
Subject: Re: fail2ban not banning IP address with sshd and sshd-ddos jails

See below..

______
-ISAK

On Mon, 25 Nov 2024 at 20:05, revsuine wrote:
> Hi all,
>
> I'm using the preinstalled alpine-sshd and alpine-sshd-ddos fail2ban
> jails with the following config:
>
> [sshd]
> enabled = true
> filter = alpine-sshd
> port = ssh
> logpath = /var/log/messages
> maxretry = 10
>
> [sshd-ddos]
> enabled = true
> filter = alpine-sshd-ddos
> port = ssh
> logpath = /var/log/messages
> maxretry = 10
>
> There is one user with the same IP address completely spamming my
> server with ssh authentication requests, filling up /var/log/messages.
> But `doas fail2ban-client status sshd` and `doas fail2ban-client status
> sshd-ddos` both show
>
> Status for the jail: sshd
> |- Filter
> |  |- Currently failed: 0
> |  |- Total failed:     0
> |  `- File list:        /var/log/messages
> `- Actions
>    |- Currently banned: 0
>    |- Total banned:     0
>    `- Banned IP list:
>
> My /etc/fail2ban/jail.local is:

Is this misspelled? Default?

> [DEFUALT]
> bantime = 1d
> banaction = ufw
> banaction_allports = ufw[type=allports]
>
> I also tried banning them manually by doing
>
> ufw deny from IP to any
>
> but they still seem to be spamming /var/log/messages.
>
> I've also just tried this alpine-sshd-key jail (I have password
> authentication off): https://wiki.alpinelinux.org/wiki/Fail2ban
> and same effect, no ban.
>
> $ fail2ban-regex /var/log/messages /etc/fail2ban/filter.d/alpine-sshd.conf
>
> Running tests
> =============
>
> Use   filter file : alpine-sshd, basedir: /etc/fail2ban
> Use      maxlines : 10
> Use   datepattern : {^LN-BEG} : Default Detectors
> Use      log file : /var/log/messages
> Use      encoding : UTF-8
>
>
> Results
> =======
>
> Failregex: 2 total
> |-  #) [# of hits] regular expression
> |   1) [2] Failed [-/\w]+ for .* from <HOST> port \d* ssh2
> `-
>
> Ignoreregex: 0 total
>
> Date template hits:
> |- [# of hits] date format
> |  [1082] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
> `-
>
> Lines: 1082 lines, 0 ignored, 2 matched, 1080 missed
> [processed in 0.06 sec]
>
> Missed line(s): too many to print.  Use --print-all-missed to print
> all 1080 lines
>
> Any ideas?
>
> Thanks
>
> --
> I sign all my emails with the attached GPG key. If you receive an
> unsigned email, it's not from me.
>
> If you don't know what GPG is, you can send me end-to-end encrypted
> email using my public GPG key (attached), so that only you and I can
> read it. To learn how, see this guide:
> https://emailselfdefense.fsf.org/
>
> Free Palestine
>
> Attachments:
> * signature.asc
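An added example, not code from this thread, from Alpine or from fail2ban, that reproduces the two things the thread circles around offline: a jail.local whose [DEFAULT] header is misspelled ([DEFUALT]) is still valid INI syntax, so it loads without complaint and its bantime/banaction simply reach no jail; and the alpine-sshd failregex printed by fail2ban-regex above only catches "Failed ... ssh2" lines, so the lines an sshd with password authentication disabled writes for unwanted logins (Invalid user, Connection closed ... [preauth]) are "missed". The config fragments and log lines are constructed for this example; the <HOST> expansion is a simplified IPv4-only stand-in for fail2ban's own, which also handles IPv6 and hostnames.

```python
"""Added example: check a jail.local for a mistyped [DEFAULT] header and
dry-run the alpine-sshd failregex over constructed sshd log lines.
Not part of the thread, Alpine or fail2ban."""
import configparser
import re

# Constructed jail.local fragments: the misspelled header and the fixed one.
JAIL_LOCAL_BAD = """\
[DEFUALT]
bantime = 1d
banaction = ufw
banaction_allports = ufw[type=allports]

[sshd]
enabled = true
filter = alpine-sshd
port = ssh
logpath = /var/log/messages
maxretry = 10
"""
JAIL_LOCAL_GOOD = JAIL_LOCAL_BAD.replace("[DEFUALT]", "[DEFAULT]")


def check_jail_config(text):
    """Return (problems, effective) for a jail.local fragment.

    configparser treats [DEFAULT] specially: its keys are inherited by every
    other section. A section whose name is only a letter-swap away from
    DEFAULT is reported, because nothing inherits from it. `effective` is the
    option set the [sshd] jail actually sees, defaults merged in."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    problems = []
    for name in cp.sections():  # sections() never lists the real DEFAULT
        if name.upper() != "DEFAULT" and sorted(name.upper()) == sorted("DEFAULT"):
            orphaned = ", ".join(cp.options(name))
            problems.append(
                f"section [{name}] looks like a misspelling of [DEFAULT]; "
                f"its options ({orphaned}) apply to no jail")
    effective = dict(cp["sshd"]) if cp.has_section("sshd") else {}
    return problems, effective


# failregex exactly as fail2ban-regex printed it in the thread.
ALPINE_SSHD_FAILREGEX = r"Failed [-/\w]+ for .* from <HOST> port \d* ssh2"

# Simplified stand-in for fail2ban's <HOST> expansion (assumption: IPv4 only;
# the real one also captures IPv6 addresses and hostnames).
HOST_GROUP = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Constructed /var/log/messages lines. The last three are the shapes an sshd
# with "PasswordAuthentication no" logs for a client that never gets as far
# as a password attempt; none of them contain "Failed ... ssh2".
SAMPLE_LOG = """\
Dec  6 10:00:01 box sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Dec  6 10:00:02 box sshd[1235]: Failed publickey for root from 203.0.113.5 port 51235 ssh2: RSA SHA256:abc
Dec  6 10:00:03 box sshd[1236]: Accepted publickey for alice from 198.51.100.7 port 40000 ssh2: ED25519 SHA256:def
Dec  6 10:00:04 box sshd[1237]: Invalid user admin from 203.0.113.5 port 51237
Dec  6 10:00:05 box sshd[1238]: Connection closed by authenticating user root 203.0.113.5 port 51238 [preauth]
Dec  6 10:00:06 box sshd[1239]: Connection closed by invalid user admin 203.0.113.5 port 51239 [preauth]
"""


def compile_failregex(failregex, host_group=HOST_GROUP):
    """Turn a fail2ban-style failregex into a Python regex."""
    return re.compile(failregex.replace("<HOST>", host_group))


def match_failregex(log_text, failregex=ALPINE_SSHD_FAILREGEX):
    """Return (matched_hosts, missed_lines), like fail2ban-regex's summary.

    fail2ban searches the message after the date prefix, so re.search on the
    whole line gives the same verdict for these samples."""
    rx = compile_failregex(failregex)
    matched, missed = [], []
    for line in log_text.splitlines():
        m = rx.search(line)
        if m:
            matched.append(m.group("host"))
        else:
            missed.append(line)
    return matched, missed


if __name__ == "__main__":
    for label, text in (("bad", JAIL_LOCAL_BAD), ("good", JAIL_LOCAL_GOOD)):
        problems, effective = check_jail_config(text)
        print(f"{label}: problems={problems} bantime={effective.get('bantime')}")
    matched, missed = match_failregex(SAMPLE_LOG)
    print(f"matched hosts: {matched}")
    print(f"missed {len(missed)} line(s):")
    for line in missed:
        print("  " + line)
```

Run it as-is and the "bad" config reports the [DEFUALT] section with no bantime reaching [sshd], while the "good" one inherits bantime = 1d; the regex dry run catches only the two "Failed ... ssh2" lines and misses the Invalid user and [preauth] lines, which is the 2 matched / many missed pattern in the thread. To test a different filter, pass its failregex to match_failregex; to test a real file, read it and pass its text.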