Ted,
You might have a look at your iptables filter table to see if you are
jumping to the chain correctly. Fail2ban does a pretty good job of
putting the rules in the filter, but you still might have a rule like a
default accept that is allowing the connection before the jail
drops/rejects it.

On Sun, 2015-06-14 at 11:38 -0400, Ted To wrote:

> Hi,
> 
> I have a CentOS 7 installation where an IP address that has been banned 
> appears to be able to continue to attempt ssh connections.  My 
> sshd.local is:
> 
> [sshd]
> enabled = true
> bantime = 86400
> findtime = 3600
> maxretry = 3
> protocol = all
> 
> Despite this, I am currently being continuously hit by 43.255.188.169 
> (log snippets follow).
> 
> Any ideas what I have done wrong?
> 
> Thanks,
> Ted
> 
> 2015-06-14 11:33:46,545 fail2ban.filter         [28524]: INFO    [sshd] 
> Found 43.255.188.169
> 2015-06-14 11:33:48,350 fail2ban.filter         [28524]: INFO    [sshd] 
> Found 43.255.188.169
> 2015-06-14 11:33:50,421 fail2ban.filter         [28524]: INFO    [sshd] 
> Found 43.255.188.169
> 2015-06-14 11:33:51,086 fail2ban.actions        [28524]: NOTICE  [sshd] 
> 43.255.188.169 already banned
> 2015-06-14 11:33:53,104 fail2ban.filter         [28524]: INFO    [sshd] 
> Found 43.255.188.169
> 2015-06-14 11:33:53,734 fail2ban.filter         [28524]: INFO    [sshd] 
> Found 43.255.188.169
> 2015-06-14 11:33:55,499 fail2ban.filter         [28524]: INFO    [sshd] 
> Found 43.255.188.169
> 2015-06-14 11:33:56,092 fail2ban.actions        [28524]: NOTICE  [sshd] 
> 43.255.188.169 already banned
> 2015-06-14 11:33:57,530 fail2ban.filter         [28524]: INFO    [sshd] 
> Found 43.255.188.169
> 2015-06-14 11:34:00,508 fail2ban.filter         [28524]: INFO    [sshd] 
> Found 43.255.188.169
> 2015-06-14 11:34:01,130 fail2ban.filter         [28524]: INFO    [sshd] 
> Found 43.255.188.169
> 2015-06-14 11:34:02,100 fail2ban.actions        [28524]: NOTICE  [sshd] 
> 43.255.188.169 already banned
> 
> and
> 
> Jun 14 11:36:25 kahlo sshd[28890]: pam_unix(sshd:auth): authentication 
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.255.188.169  
> user=root
> Jun 14 11:36:27 kahlo sshd[28890]: Failed password for invalid user root 
> from 43.255.188.169 port 52618 ssh2
> Jun 14 11:36:29 kahlo sshd[28890]: Failed password for invalid user root 
> from 43.255.188.169 port 52618 ssh2
> Jun 14 11:36:31 kahlo sshd[28890]: Failed password for invalid user root 
> from 43.255.188.169 port 52618 ssh2
> Jun 14 11:36:31 kahlo sshd[28890]: Received disconnect from 
> 43.255.188.169: 11:  [preauth]
> Jun 14 11:36:31 kahlo sshd[28890]: PAM 2 more authentication failures; 
> logname= uid=0 euid=0 tty=ssh ruser= rhost=43.255.188.169  user=root
> Jun 14 11:36:32 kahlo sshd[28892]: User root from 43.255.188.169 not 
> allowed because not listed in AllowUsers
> Jun 14 11:36:32 kahlo sshd[28892]: pam_unix(sshd:auth): authentication 
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.255.188.169  
> user=root
> Jun 14 11:36:34 kahlo sshd[28892]: Failed password for invalid user root 
> from 43.255.188.169 port 38784 ssh2
> Jun 14 11:36:36 kahlo sshd[28892]: Failed password for invalid user root 
> from 43.255.188.169 port 38784 ssh2
> Jun 14 11:36:37 kahlo sshd[28892]: Failed password for invalid user root 
> from 43.255.188.169 port 38784 ssh2
> Jun 14 11:36:37 kahlo sshd[28892]: Received disconnect from 
> 43.255.188.169: 11:  [preauth]
> Jun 14 11:36:37 kahlo sshd[28892]: PAM 2 more authentication failures; 
> logname= uid=0 euid=0 tty=ssh ruser= rhost=43.255.188.169  user=root
> Jun 14 11:36:38 kahlo sshd[28894]: User root from 43.255.188.169 not 
> allowed because not listed in AllowUsers
> Jun 14 11:36:38 kahlo sshd[28894]: pam_unix(sshd:auth): authentication 
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.255.188.169  
> user=root
> Jun 14 11:36:40 kahlo sshd[28894]: Failed password for invalid user root 
> from 43.255.188.169 port 53258 ssh2
> Jun 14 11:36:42 kahlo sshd[28894]: Failed password for invalid user root 
> from 43.255.188.169 port 53258 ssh2
> Jun 14 11:36:44 kahlo sshd[28894]: Failed password for invalid user root 
> from 43.255.188.169 port 53258 ssh2
> Jun 14 11:36:44 kahlo sshd[28894]: Received disconnect from 
> 43.255.188.169: 11:  [preauth]
> Jun 14 11:36:44 kahlo sshd[28894]: PAM 2 more authentication failures; 
> logname= uid=0 euid=0 tty=ssh ruser= rhost=43.255.188.169  user=root
> 
> ------------------------------------------------------------------------------
> _______________________________________________
> Fail2ban-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
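
One way to run the rule-order check suggested in the reply, as an added example that is not part of the original thread: it reads `iptables -S INPUT` output and lists every ACCEPT rule that would admit a new SSH connection before the jump to the jail chain is reached. The chain name `f2b-sshd` and the sample ruleset are assumptions constructed for illustration; substitute the chain name your fail2ban action actually creates.

```python
import shlex

# Constructed sample of `iptables -S INPUT` output (not from the thread): a
# broad ACCEPT for port 22 sits above the jump to the jail chain.
SAMPLE = """\
-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -j REJECT --reject-with icmp-host-prohibited
"""

def parse_opts(rule):
    """Map each option in a rule line to the token after it (negation ignored)."""
    tok = shlex.split(rule)
    return {t: tok[i + 1] for i, t in enumerate(tok[:-1]) if t.startswith("-")}

def port_in(spec, port):
    """True if port falls in an iptables port spec such as '22', '20:25' or '22,80'."""
    for part in spec.split(","):
        lo, sep, hi = part.partition(":")
        low = int(lo or 0)
        high = int(hi or 65535) if sep else low
        if low <= port <= high:
            return True
    return False

def admits_new(o, port):
    """True if this rule ACCEPTs a new TCP connection to `port` from outside."""
    if o.get("-j") != "ACCEPT" or o.get("-i") == "lo":
        return False
    if o.get("-p", "all") not in ("all", "tcp"):
        return False
    state = o.get("--state") or o.get("--ctstate")
    if state and "NEW" not in state.split(","):
        return False  # ESTABLISHED-only rules do not admit a fresh attempt
    ports = o.get("--dport") or o.get("--dports")
    return ports is None or port_in(ports, port)

def audit(ruleset, chain="f2b-sshd", port=22):
    """Return (index of the jump to `chain`, ACCEPT rules evaluated before it)."""
    rules = [l for l in ruleset.splitlines() if l.startswith("-A INPUT ")]
    parsed = [parse_opts(r) for r in rules]
    jump = next((i for i, o in enumerate(parsed) if o.get("-j") == chain), None)
    if jump is None:
        return None, []  # no jump at all: the jail chain is never consulted
    return jump, [rules[i] for i in range(jump) if admits_new(parsed[i], port)]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

An empty list with a non-None index means the jump is reached before any ACCEPT for the port. Rules restricted by source address (`-s`) are still reported, so review those by hand.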

