Package: fail2ban
Version: 0.9.6-2
Severity: important


-- System Information:
Debian Release: 9.1
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=hu_HU.utf8, LC_CTYPE=hu_HU.utf8 (charmap=UTF-8), LANGUAGE=hu_HU.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages fail2ban depends on:
ii  init-system-helpers  1.48
ii  lsb-base             9.20161125
ii  python3              3.5.3-1

Versions of packages fail2ban recommends:
ii  iptables           1.6.0+snapshot20161117-6
ii  python             2.7.13-2
ii  python3-pyinotify  0.9.6-1
ii  python3-systemd    233-1
ii  whois              5.2.15

Versions of packages fail2ban suggests:
ii  mailutils [mailx]            1:3.1.1-1
pn  monit                        <none>
ii  rsyslog [system-log-daemon]  8.24.0-1

-- Configuration Files:
/etc/fail2ban/action.d/shorewall.conf changed:
[Definition]
actionstart = 
actionstop = 
actioncheck = 
actionban = shorewall <blocktype> <ip>
actionunban = shorewall allow <ip>
[Init]
blocktype = drop


-- no debconf information

The problem is that the default sshd-ddos filter does not match lines in 
/var/log/auth.log where it should.
Test command run:
fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd-ddos.conf
result:
Failregex: 0 total
while
grep -c "^.*Did not receive identification string from.*$" /var/log/auth.log
gives 1024

The problem (bug?) has been recognized as both
fail2ban-client status sshd-ddos
and
fail2ban-client status sshd
return 0 for every line, while there are intrusion events in the log.

My first guess was that usage of shorewall is behind the lack of banned ips, 
but the fact that fail2ban-regex
does not produce the intended output made me think otherwise.
Filter files are untouched and jail.conf as well. jail.local contains the 
following:
***
[Default]
banaction = shorewall
default_backend = systemd

[sshd]
enabled = true

[sshd-ddos]
enabled = true
maxretry=2

***
banaction and default_backend ended up in the conf file after I realized 
fail2ban does not do its job.

Any idea what the problem can be?
Thanks for the help in advance,
Gergely Horváth

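The report compares a fail2ban-regex count with a plain grep count over the same log. The script below is an added example, not code from the bug report or from the fail2ban project: it reproduces that comparison in miniature and, for lines grep matches but the failregex does not, reports whether the failure is in the syslog prefix part of the pattern or in the message body. The prefix regex, the failregex and the `<HOST>` expansion are simplified stand-ins for what fail2ban's common.conf and sshd-ddos.conf do (assumptions, not copies of the packaged files), and the log lines are constructed; the last two deliberately use a different timestamp format so the triage has something to find.

```python
"""Compare a fail2ban-style failregex count against a grep-style count and
triage the lines that grep matches but the failregex does not.
All patterns here are simplified stand-ins (assumptions), not fail2ban's own."""
import re
from typing import Dict, List, Tuple

# Simplified stand-in for fail2ban's <HOST> expansion (assumption): IPv4 or IPv6.
HOST_RE = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3}|[0-9A-Fa-f:]{2,39})"

# Simplified stand-in for the syslog prefix consumed before the sshd message
# (assumption): "Mon DD HH:MM:SS host sshd[pid]: ".
PREFIX_RE = r"^\w{3}\s+\d{1,2} \d\d:\d\d:\d\d \S+ sshd\[\d+\]: "

# Message-body part of a failregex in the style of sshd-ddos.conf (assumption).
BODY_RE = r"Did not receive identification string from <HOST>\s*$"

# Plain pattern equivalent to the grep in the report.
GREP_PATTERN = r"Did not receive identification string from"

# Constructed sample log lines (not taken from the reporter's auth.log).
SAMPLE_LOG = """\
Aug 21 10:11:12 srv sshd[1234]: Did not receive identification string from 203.0.113.5
Aug 21 10:11:13 srv sshd[1235]: Accepted publickey for alice from 198.51.100.7 port 2222 ssh2
Aug 21 10:11:14 srv sshd[1236]: Did not receive identification string from 2001:db8::1
2017-08-21T10:11:15.000000+02:00 srv sshd[1237]: Did not receive identification string from 203.0.113.5
2017-08-21T10:11:16.000000+02:00 srv sshd[1238]: Did not receive identification string from 203.0.113.9
"""


def expand_failregex(failregex: str) -> re.Pattern:
    """Replace the <HOST> tag with a capturing group, as fail2ban-regex does."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def count_failregex(log_text: str, prefix_re: str, body_re: str) -> Tuple[int, Dict[str, int]]:
    """fail2ban-regex style: count matching lines and tally hits per host."""
    rx = expand_failregex(prefix_re + body_re)
    hits: Dict[str, int] = {}
    total = 0
    for line in log_text.splitlines():
        m = rx.search(line)
        if m:
            total += 1
            hits[m.group("host")] = hits.get(m.group("host"), 0) + 1
    return total, hits


def count_grep(log_text: str, pattern: str) -> int:
    """Equivalent of `grep -c PATTERN`: number of lines containing a match."""
    rx = re.compile(pattern)
    return sum(1 for line in log_text.splitlines() if rx.search(line))


def triage_misses(log_text: str, prefix_re: str, body_re: str,
                  grep_pattern: str) -> List[Tuple[str, str]]:
    """For each line grep matches but the full failregex does not, report
    'prefix' if the message body alone matches (the date/host/daemon prefix is
    what fails) or 'body' if even the body does not match."""
    full = expand_failregex(prefix_re + body_re)
    body_only = expand_failregex(body_re)
    grep_rx = re.compile(grep_pattern)
    misses: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        if grep_rx.search(line) and not full.search(line):
            reason = "prefix" if body_only.search(line) else "body"
            misses.append((line, reason))
    return misses


if __name__ == "__main__":
    total, hosts = count_failregex(SAMPLE_LOG, PREFIX_RE, BODY_RE)
    print(f"Failregex: {total} total, per host: {hosts}")
    print(f"grep -c would give: {count_grep(SAMPLE_LOG, GREP_PATTERN)}")
    for line, reason in triage_misses(SAMPLE_LOG, PREFIX_RE, BODY_RE, GREP_PATTERN):
        print(f"[{reason}] {line}")
```

When the grep count is high and the failregex count is zero, the triage column is the first thing to look at: a "prefix" result for every missed line points at the log's line format (timestamp, hostname or daemon tag) rather than at the sshd message itself, which is the part of the pattern to compare against the real log before touching the filter.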