Hello everyone,
I installed and set up fail2ban today.
In jail.local I entered the following:
```
[sshd]

# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
#mode = normal
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
enable = true
maxretry = 3
findtime = 3600
bantime = 3600
```
But I am not getting blocked.
When I run the command `systemctl status fail2ban`, I get the following:
```
● fail2ban.service - Fail2Ban Service
   Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2023-02-08 01:10:51 CET; 16s ago
     Docs: man:fail2ban(1)
  Process: 1499 ExecStartPre=/bin/mkdir -p /run/fail2ban (code=exited, status=0/SUCCESS)
 Main PID: 1500 (f2b/server)
    Tasks: 5 (limit: 2101)
   CGroup: /system.slice/fail2ban.service
           └─1500 /usr/bin/python3 /usr/bin/fail2ban-server -xf start

Feb 08 01:10:51 server systemd[1]: Starting Fail2Ban Service...
Feb 08 01:10:51 server systemd[1]: Started Fail2Ban Service.
Feb 08 01:10:51 server fail2ban-server[1500]: Server ready
```
With the command `systemctl status sshd` I get:
```
sven@server:/etc/fail2ban/filter.d$ sudo systemctl status sshd
● ssh.service - OpenBSD Secure Shell server
   Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2023-02-08 00:58:32 CET; 13min ago
     Docs: man:sshd(8)
           man:sshd_config(5)
 Main PID: 829 (sshd)
    Tasks: 1 (limit: 2101)
   CGroup: /system.slice/ssh.service
           └─829 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups

Feb 08 01:02:29 server sshd[1270]: pam_unix(sshd:auth): check pass; user unknown
Feb 08 01:02:31 server sshd[1270]: Failed password for invalid user test from 192.168.178.20 port 50861 ssh2
Feb 08 01:02:42 server sshd[1270]: pam_unix(sshd:auth): check pass; user unknown
Feb 08 01:02:44 server sshd[1270]: Failed password for invalid user test from 192.168.178.20 port 50861 ssh2
Feb 08 01:02:45 server sshd[1270]: Connection closed by invalid user test 192.168.178.20 port 50861 [preauth]
Feb 08 01:02:45 server sshd[1270]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.178.20
Feb 08 01:02:52 server sshd[1278]: Accepted password for sven from 192.168.178.20 port 50862 ssh2
Feb 08 01:02:52 server sshd[1278]: pam_unix(sshd:session): session opened for user sven by (uid=0)
Feb 08 01:03:54 server sshd[1364]: Accepted password for sven from 192.168.178.20 port 50863 ssh2
Feb 08 01:03:54 server sshd[1364]: pam_unix(sshd:session): session opened for user sven by (uid=0)
```
Can anyone help me with this?

Edited by sebix:
Please use code blocks in future to keep the forum easier to read!