Your message dated Sat, 28 Aug 2010 15:35:28 -0400
with message-id <20100828193527.gq22...@onerussian.com>
and subject line Re: Bug#594643: fail2ban fails to ban ssh attacks
has caused the Debian Bug report #594643,
regarding fail2ban fails to ban ssh attacks
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
594643: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=594643
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: fail2ban
Version: 0.8.3-2sid1
Severity: grave
Justification: renders package unusable
Greetings Yarik! fail2ban has worked great for years. Our last
conversation was in 2005! Upon updating (belatedly) to Lenny and
changing my ssh port, I find fail2ban fails to ban ssh attacks. So
either this is a grave bug rendering the package unable to fulfill its
security function, or somehow I have inadvertently defeated it by
changing the ssh port or something.
I am using the default fail2ban configuration/installation and no
firewall package. (This box is behind a router.)
auth.log shows attacks continuing while fail2ban.log shows the
offending ip "already banned."
~$ cat /var/log/fail2ban.log
2010-08-27 08:03:40,275 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.3
2010-08-27 08:03:40,287 fail2ban.jail : INFO Creating new jail 'ssh'
2010-08-27 08:03:40,288 fail2ban.jail : INFO Jail 'ssh' uses poller
2010-08-27 08:03:40,417 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2010-08-27 08:03:40,420 fail2ban.filter : INFO Set maxRetry = 6
2010-08-27 08:03:40,425 fail2ban.filter : INFO Set findtime = 600
2010-08-27 08:03:40,429 fail2ban.actions: INFO Set banTime = 600
2010-08-27 08:03:40,763 fail2ban.jail : INFO Jail 'ssh' started
2010-08-27 14:38:27,694 fail2ban.actions: WARNING [ssh] Ban 87.118.253.2
2010-08-27 14:40:02,859 fail2ban.actions: WARNING [ssh] 87.118.253.2 already banned
2010-08-27 14:41:42,946 fail2ban.actions: WARNING [ssh] 87.118.253.2 already banned
2010-08-27 14:43:42,062 fail2ban.actions: WARNING [ssh] 87.118.253.2 already banned
2010-08-27 14:45:11,155 fail2ban.actions: WARNING [ssh] 87.118.253.2 already banned
2010-08-27 14:46:42,236 fail2ban.actions: WARNING [ssh] 87.118.253.2 already banned
2010-08-27 14:48:15,321 fail2ban.actions: WARNING [ssh] 87.118.253.2 already banned
~$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain fail2ban-ssh (1 references)
target prot opt source destination
DROP all -- host-2.PARUS.87.118.253.0.0xfffffff0.macomnet.net anywhere
RETURN all -- anywhere anywhere
Forcing this worked by manually dropping the attacking ip:
~$ sudo iptables -I INPUT -j DROP -s 87.118.253.2
Am I missing something?
Thanks!
Ralph
-- System Information:
Debian Release: 5.0.5
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.32-bpo.5-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages fail2ban depends on:
ii lsb-base 3.2-20 Linux Standard Base 3.2 init scrip
ii python 2.5.2-3 An interactive high-level object-o
ii python-central 0.6.8 register and build utility for Pyt
Versions of packages fail2ban recommends:
ii iptables 1.4.2-6 administration tools for packet fi
ii whois 4.7.30 an intelligent whois client
Versions of packages fail2ban suggests:
ii bsd-mailx [mailx] 8.1.2-0.20071201cvs-3 A simple mail user agent
pn python-gamin <none> (no description available)
-- no debconf information
--- End Message ---
--- Begin Message ---
On Fri, 27 Aug 2010, Ralph Katz wrote:
> I am using the default fail2ban configuration/installation and no
> firewall package. (This box is behind a router.)
> auth.log shows attacks continuing while fail2ban.log shows the
> offending ip "already banned."
yes -- the default action is iptables-multiport, and fail2ban banned the ssh
port correctly, as you show in the iptables output:
> ~$ sudo iptables -L
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
> fail2ban-ssh tcp -- anywhere anywhere multiport
> dports ssh
> Chain fail2ban-ssh (1 references)
> target prot opt source destination
> DROP all -- host-2.PARUS.87.118.253.0.0xfffffff0.macomnet.net
> anywhere
So the issue is RTFM -- add your changed port to the list of ports to be
banned in the ssh jail, thus closing this non-issue. Feel free to
reopen if you think that there is indeed a bug in fail2ban ;-)
Cheers,
--
.-.
=------------------------------ /v\ ----------------------------=
Keep in touch // \\ (yoh@|www.)onerussian.com
Yaroslav Halchenko /( )\ ICQ#: 60653192
Linux User ^^-^^ [175555]
--- End Message ---
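The maintainer's diagnosis in the thread above is that fail2ban did ban the address, but the iptables-multiport action only inserts the jump rule for the ports listed in the jail's `port` setting, so a ban on `multiport dports ssh` never inspects traffic to a relocated sshd. The script below is an added example (not from the bug report, Debian, or the fail2ban project) that checks for exactly that mismatch: it parses an `iptables -L` listing in the same human-readable format the reporter pasted, parses the `Port` directives from `sshd_config`, and reports any sshd port the jail's jump rule does not cover. The sample listings, the `sshd_config` snippet, the port number 2222 and the `jail.local` fragment are all constructed for illustration; the reporter never stated which port he moved sshd to.

```python
"""Check that a fail2ban jail's iptables jump rule covers every sshd port.

Added example, not code from the bug report or from fail2ban itself.
Failure mode it detects: sshd moved to a non-default port while the jail
still has ``port = ssh``, so fail2ban records the IP as "already banned"
but the kernel never drops its packets on the new port.
"""
from __future__ import annotations

import re

# Small service-name table so the check works without /etc/services
# (constructed; socket.getservbyname is used for anything not listed).
SERVICE_PORTS = {"ssh": 22, "http": 80, "https": 443}

# Fix the maintainer points at: list the relocated port in the ssh jail.
# The [ssh] section and the ``port`` key are the fail2ban 0.8 jail.conf
# layout; the value 2222 is an assumed example port.
JAIL_LOCAL_FIX = """\
[ssh]
enabled = true
port    = ssh,2222
"""

# Constructed sample inputs mirroring the report (jump rule on one line).
SSHD_CONFIG = "# sshd_config excerpt (constructed)\nPort 2222\n"
BROKEN_LISTING = """\
Chain INPUT (policy ACCEPT)
target prot opt source destination
fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh
Chain fail2ban-ssh (1 references)
target prot opt source destination
DROP all -- host-2.PARUS.87.118.253.0.0xfffffff0.macomnet.net anywhere
RETURN all -- anywhere anywhere
"""
FIXED_LISTING = BROKEN_LISTING.replace("dports ssh", "dports ssh,2222")


def service_to_port(name: str) -> int:
    """Resolve a numeric string or service name (as iptables -L prints it)."""
    if name.isdigit():
        return int(name)
    if name in SERVICE_PORTS:
        return SERVICE_PORTS[name]
    import socket
    return socket.getservbyname(name)


def parse_jump_dports(iptables_listing: str, chain: str) -> set[int]:
    """Destination ports for which a rule jumps to `chain`.

    Handles both ``multiport dports a,b`` and single-port ``dpt:a`` forms.
    Chain header lines start with "Chain", so only rule lines match.
    """
    ports: set[int] = set()
    for line in iptables_listing.splitlines():
        if not line.startswith(chain):
            continue
        m = re.search(r"multiport dports\s+(\S+)", line)
        if m:
            ports.update(service_to_port(p) for p in m.group(1).split(","))
            continue
        m = re.search(r"\bdpt:(\S+)", line)
        if m:
            ports.add(service_to_port(m.group(1)))
    return ports


def parse_sshd_ports(sshd_config: str) -> set[int]:
    """Every ``Port`` directive in sshd_config; sshd defaults to 22 if none."""
    ports: set[int] = set()
    for raw in sshd_config.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"(?i)port\s+(\d+)$", line)
        if m:
            ports.add(int(m.group(1)))
    return ports or {22}


def uncovered_ports(iptables_listing: str, sshd_config: str,
                    chain: str = "fail2ban-ssh") -> set[int]:
    """sshd ports that the jail's jump rule never inspects (empty = OK)."""
    return parse_sshd_ports(sshd_config) - parse_jump_dports(iptables_listing, chain)


if __name__ == "__main__":
    for label, listing in (("before fix", BROKEN_LISTING), ("after fix", FIXED_LISTING)):
        gap = uncovered_ports(listing, SSHD_CONFIG)
        print(f"{label}: uncovered sshd ports = {sorted(gap) or 'none'}")
    print("jail.local change that closes the gap:\n" + JAIL_LOCAL_FIX)
```

On a live host the same functions can be fed `subprocess.run(["iptables", "-L"], capture_output=True, text=True).stdout` and the contents of `/etc/ssh/sshd_config`; a non-empty result means the jail is banning in name only, which is the symptom the report's "already banned" lines show.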