> I've moved ssh to a non-standard port and it has been discovered by
> some hackers. I'm noticing repeated attempts to connect and login
> even though the IPs are supposedly banned.
>
> NOTICE [sshd] 54.34.136.87 already banned
> I do not understand, if I've banned an IP why they're still
> getting through?
>
"Already banned" implies that the IP is banned on another port.
Have you changed your filter to ban the new port?
Did you unban all of the previously banned standard SSH port IPs?
So here's what I've figured out.
In some cases, it looks like the fail2ban ipset is not configured in iptables.
I am not sure under what circumstance this is happening but sometimes
when I start f2b, it doesn't apply all the ipset rules.
For example, fail2ban may have 4 jails:
vsftpd, pam-generic, dovecot, sshd
Everything appears to work, but then I see errors in the log showing
an IP is already banned but it's still hitting the server. I found out why...
And sometimes after starting f2b I'll run:
iptables -L -n | grep fail2ban
and I'll only see 3 instead of 4 of the jails listed as ipsets
configured. So the iptables aren't reading the jail blacklist.
Sometimes if I execute the command:
fail2ban-client reload <JAIL>
it will add the proper iptables rule to apply the jail ipset that was
not running before.
So I am not sure what's happening? If I run fail2ban-client stop
<JAIL> followed by fail2ban-client start <JAIL> I'll sometimes see this error:
# fail2ban-client start sshd
ERROR NOK: ('sshd',)
Sorry but the jail 'sshd' does not exist
# fail2ban-client reload sshd
ERROR NOK: ('sshd',)
I get an error there, but now the jail is loaded and
working.... What could be causing this?
I have a tendency of editing the jail.local file and routinely
tweaking the configuration without restarting fail2ban proper. And
sometimes I copy a "known good" set of config settings from one
server to another - I'm wondering if I'm leaving out a necessary step
to properly tell fail2ban to set up the jails permanently and execute
the appropriate iptables/firewallcmd command(s) to connect with the
ipset groups created by fail2ban?
Is there a standard workflow of how you make sure you have a certain
jail permanently set up and defined so it will always start up properly?
I can't figure out the exact conditions when sometimes a jail
initializes, but isn't tied with iptables.
Any ideas?
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
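Added example, not from the thread or the fail2ban project: a POSIX shell check for the mismatch described above, comparing the jails that `fail2ban-client status` lists against the `f2b-`/`fail2ban-` chain and ipset names that actually appear in `iptables -L -n` output. The helper names and the two sample outputs are constructed; the match works for the stock iptables-multiport and iptables-ipset actions, which both embed the jail name after that prefix.

```shell
#!/bin/sh
# Jail names from the text of `fail2ban-client status` (read on stdin),
# one per line. The relevant line looks like "`- Jail list: a, b, c".
f2b_jails() {
  sed -n 's/^.*Jail list:[[:space:]]*//p' | tr ',' '\n' \
    | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' | grep -v '^$'
}

# Jail names that iptables knows about (read on stdin): any token of the
# form f2b-<jail> or fail2ban-<jail>, whether it is a chain name
# (multiport action) or a "match-set f2b-<jail> src" ipset reference.
iptables_jails() {
  grep -oE '(f2b|fail2ban)-[A-Za-z0-9_.-]+' \
    | sed -E 's/^(f2b|fail2ban)-//' | sort -u
}

# Print every jail present in the status text ($1) that has no matching
# rule or chain in the iptables text ($2). Empty output means all wired.
missing_jails() {
  for j in $(printf '%s\n' "$1" | f2b_jails); do
    if ! printf '%s\n' "$2" | iptables_jails | grep -qx "$j"; then
      echo "$j"
    fi
  done
}

# Constructed sample outputs mirroring the thread: four jails active,
# but the sshd ipset never made it into iptables.
SAMPLE_STATUS='Status
|- Number of jail: 4
`- Jail list: dovecot, pam-generic, sshd, vsftpd'

SAMPLE_IPTABLES='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 143,993 match-set f2b-dovecot src reject-with icmp-port-unreachable
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            match-set f2b-pam-generic src reject-with icmp-port-unreachable
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 21 match-set f2b-vsftpd src reject-with icmp-port-unreachable'

# On a live host: missing_jails "$(fail2ban-client status)" "$(iptables -L -n)"
missing_jails "$SAMPLE_STATUS" "$SAMPLE_IPTABLES"
```

Running it on the constructed input prints `sshd`, the jail whose bans are logged as "already banned" but never reach the firewall; run it after every `fail2ban-client reload` to confirm the rule really came back.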