I've moved ssh to a non-standard port and it has been discovered by
some hackers. I'm noticing repeated attempts to connect and log in
even though the IPs are supposedly banned.
Stuff like this in my log file:
2019-08-24 20:41:04,837 fail2ban.filter [55597]: INFO [sshd] Found 54.35.136.87
2019-08-24 20:41:05,793 fail2ban.actions [55597]: NOTICE [sshd] 54.34.136.87 already banned
I do not understand: if I've banned an IP, why are they still getting through?
I updated the "port" command in jail.local under the [sshd] section
to include the port number of my ssh - doesn't that block that port
for the banned IP? Are there any limitations to the use of the
"port" command in jail.local, or anything else that needs to be done
to specify specific port blocking? Any other conditions that could
be causing this?
I can do an ipset list fail2ban-sshd and see the IP addresses in the
ipset, but am still getting indications of connections from
supposedly banned IP addresses. Any ideas?
_______________________________________________
Fail2ban-users mailing list
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
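
One way to measure the symptom described in the message above, as an added example that is not part of the original post: it reads fail2ban.log records and counts "Found" events logged for an address while its ban is in force, meaning sshd is still seeing that address. The sample log lines and addresses are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# fail2ban.log record, e.g.
#   2019-08-24 20:41:04,837 fail2ban.filter [55597]: INFO [sshd] Found 203.0.113.7
LINE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d+\s+fail2ban\.\w+\s+\[\d+\]:\s+\w+\s+"
    r"\[(?P<jail>[^\]]+)\]\s+(?P<msg>.*)$"
)
IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
EVENTS = [
    ("found", re.compile(r"^Found " + IP)),
    ("unban", re.compile(r"^Unban " + IP)),
    ("ban", re.compile(r"^(?:Restore )?Ban " + IP)),
    ("already", re.compile(IP + r" already banned$")),
]

def classify(msg):
    """Return (event, ip) for a fail2ban message, or (None, None)."""
    for name, rx in EVENTS:
        m = rx.search(msg)
        if m:
            return name, m.group(1)
    return None, None

def hits_while_banned(lines):
    """Count 'Found' events per (jail, ip) logged while that ip was banned."""
    banned, hits = set(), Counter()
    for line in lines:
        rec = LINE.match(line.strip())
        if not rec:
            continue  # skip wrapped or unrelated lines
        kind, ip = classify(rec["msg"])
        key = (rec["jail"], ip)
        if kind in ("ban", "already"):
            banned.add(key)  # "already banned" also proves a ban is active
        elif kind == "unban":
            banned.discard(key)
        elif kind == "found" and key in banned:
            hits[key] += 1  # the log still shows this address despite the ban
    return dict(hits)

# Constructed sample input (documentation-range addresses), not real log data.
SAMPLE = """\
2019-08-24 20:40:01,102 fail2ban.filter [55597]: INFO [sshd] Found 203.0.113.7
2019-08-24 20:40:03,902 fail2ban.actions [55597]: NOTICE [sshd] Ban 203.0.113.7
2019-08-24 20:41:04,837 fail2ban.filter [55597]: INFO [sshd] Found 203.0.113.7
2019-08-24 20:41:05,793 fail2ban.actions [55597]: NOTICE [sshd] 203.0.113.7 already banned
2019-08-24 20:41:09,120 fail2ban.filter [55597]: INFO [sshd] Found 203.0.113.7
2019-08-24 20:42:00,004 fail2ban.filter [55597]: INFO [sshd] Found 198.51.100.9
2019-08-24 20:50:03,902 fail2ban.actions [55597]: NOTICE [sshd] Unban 203.0.113.7
2019-08-24 20:50:30,000 fail2ban.filter [55597]: INFO [sshd] Found 203.0.113.7
""".splitlines()

if __name__ == "__main__":
    for (jail, ip), n in hits_while_banned(SAMPLE).items():
        print(f"[{jail}] {ip}: {n} Found event(s) while banned")
```

A single hit right after a ban can come from a connection that was already open; a count that keeps growing long after the ban is the pattern the message describes.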