Folks
I'm new to Fail2ban. I installed it on a Centos 8 system, defined
some parameters in jail.local (which I've enclosed below with all
commented lines omitted). I modified no other files of Fail2ban. I
find the fail2ban log file saying that it's banned a bunch of IPs
trying to get into sshd, yet when I run
iptables -L INPUT
there is no evidence of any of the bans. What am I doing wrong in
the jail.local file?
Asking Fail2ban-client:
[root@xxx ~]# fail2ban-client status
Status
|- Number of jail: 13
`- Jail list: apache-auth, apache-badbots, apache-botsearch,
apache-fakegooglebot, apache-modsecurity, apache-nohome,
apache-noscript, apache-overflows, postfix, postfix-rbl,
sendmail-auth, sendmail-reject, sshd
[root@xxxd ~]# fail2ban-client status sshd
Status for the jail: sshd
|- Filter
| |- Currently failed: 173
| |- Total failed: 13018
| `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
|- Currently banned: 79
|- Total banned: 343
`- Banned IP list: 112.85.42.94 195.54.160.180 195.54.160.183
218.92.0.148 218.92.0.215 218.92.0.216 218.92.0.219 218.92.0.220
218.92.0.221 222.186.175.23 222.186.30.167 222.186.30.218
222.186.31.166 222.186.31.83 222.186.42.137 222.186.42.155
222.186.30.57 222.186.15.115 222.186.30.112 222.186.42.57
222.186.15.158 51.38.176.42 222.186.42.213 222.186.15.62
129.211.54.147 106.13.226.170 139.198.122.19 64.227.18.173
49.233.72.72 213.60.19.18 222.186.190.14 106.54.75.144 49.232.132.10
51.158.20.200 150.136.8.207 218.108.52.58 106.12.217.128 182.122.6.62
61.148.90.118 185.121.33.136 114.67.254.244 187.125.100.253
106.12.189.65 60.2.242.182 181.189.144.206 106.54.202.131
213.244.123.182 35.200.203.6 106.13.26.62 35.187.239.32
190.104.157.142 112.85.42.104 160.16.148.161 203.150.243.176
27.191.237.67 124.160.96.249 58.64.215.151 181.30.28.198
218.29.219.20 124.207.165.138 212.64.78.151 31.132.151.46
106.75.56.56 103.8.119.166 52.130.74.246 103.87.230.1 50.67.178.164
220.76.205.178 107.174.44.184 192.144.218.101 111.229.110.107
118.24.151.254 190.24.6.162 175.24.23.31 35.188.182.88 138.197.149.97
185.148.38.26 121.46.26.126 180.76.151.189
[root@xxx ~]# iptables -L INPUT
Chain INPUT (policy ACCEPT)
target prot opt source destination
f2b-sshd tcp -- anywhere anywhere
multiport dports ssh
[root@xxx ~]#
My jail.local file with comments removed:
[root@xxx ~]# grep -v -e '^\#' /etc/fail2ban/jail.local
[INCLUDES]
before = paths-fedora.conf
[DEFAULT]
bantime.increment=true ; David
bantime.rndtime = 600 ; David
ignoreip = 127.0.0.1/8 ::1
ignorecommand =
bantime = 60m
findtime = 24h
maxretry = 5
maxmatches = %(maxretry)s
backend = auto
usedns = warn
logencoding = auto
enabled = false
mode = normal
filter = %(__name__)s[mode=%(mode)s]
destemail = [email protected] ; David
sender = root@<fq-hostname>
mta = sendmail
protocol = tcp
chain = <known/chain>
port = 0:65535
fail2ban_agent = Fail2Ban/%(fail2ban_version)s
banaction = iptables-multiport
banaction_allports = iptables-allports
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s",
protocol="%(protocol)s", chain="%(chain)s"]
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s",
protocol="%(protocol)s", chain="%(chain)s"]
%(mta)s-whois[name=%(__name__)s, sender="%(sender)s",
dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s",
protocol="%(protocol)s", chain="%(chain)s"]
%(mta)s-whois-lines[name=%(__name__)s,
sender="%(sender)s", dest="%(destemail)s", logpath="%(logpath)s",
chain="%(chain)s"]
action_xarf = %(banaction)s[name=%(__name__)s, port="%(port)s",
protocol="%(protocol)s", chain="%(chain)s"]
xarf-login-attack[service=%(__name__)s,
sender="%(sender)s", logpath="%(logpath)s", port="%(port)s"]
action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
%(mta)s-whois-lines[name=%(__name__)s,
sender="%(sender)s", dest="%(destemail)s", logpath="%(logpath)s",
chain="%(chain)s"]
action_blocklist_de = blocklist_de[email="%(sender)s",
service=%(filter)s, apikey="%(blocklist_de_apikey)s",
agent="%(fail2ban_agent)s"]
action_badips = badips.py[category="%(__name__)s",
banaction="%(banaction)s", agent="%(fail2ban_agent)s"]
action_badips_report = badips[category="%(__name__)s",
agent="%(fail2ban_agent)s"]
action_abuseipdb = abuseipdb
action = %(action_)s
[sshd]
enabled=true ; David
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
[dropbear]
port = ssh
logpath = %(dropbear_log)s
backend = %(dropbear_backend)s
[selinux-ssh]
port = ssh
logpath = %(auditd_log)s
[apache-auth]
enabled=true ; David
port = :10080,https
logpath = %(apache_error_log)s
[apache-badbots]
enabled=true ; David
port = :10080,https
logpath = %(apache_access_log)s
bantime = 48h
maxretry = 1
[apache-noscript]
enabled=true ; David
port = :10080,https
logpath = %(apache_error_log)s
[apache-overflows]
enabled=true ; David
port = :10080,https
logpath = %(apache_error_log)s
maxretry = 2
[apache-nohome]
enabled=true ; David
port = :10080,https
logpath = %(apache_error_log)s
maxretry = 2
[apache-botsearch]
enabled=true ; David
port = :10080,https
logpath = %(apache_error_log)s
maxretry = 2
[apache-fakegooglebot]
enabled=true ; David
port = :10080,https
logpath = %(apache_access_log)s
maxretry = 1
ignorecommand = %(ignorecommands_dir)s/apache-fakegooglebot <ip>
[apache-modsecurity]
enabled=true ; David
port = :10080,https
logpath = %(apache_error_log)s
maxretry = 2
[apache-shellshock]
port = :10080,https
logpath = %(apache_error_log)s
maxretry = 1
[openhab-auth]
filter = openhab
action = iptables-allports[name=NoAuthFailures]
logpath = /opt/openhab/logs/request.log
[nginx-http-auth]
port = :10080,https
logpath = %(nginx_error_log)s
[nginx-limit-req]
port = :10080,https
logpath = %(nginx_error_log)s
[nginx-botsearch]
port = :10080,https
logpath = %(nginx_error_log)s
maxretry = 2
[php-url-fopen]
port = :10080,https
logpath = %(nginx_access_log)s
%(apache_access_log)s
[suhosin]
port = :10080,https
logpath = %(suhosin_log)s
[lighttpd-auth]
port = :10080,https
logpath = %(lighttpd_error_log)s
[roundcube-auth]
port = :10080,https
logpath = %(roundcube_errors_log)s
[openwebmail]
port = :10080,https
logpath = /var/log/openwebmail.log
[horde]
port = :10080,https
logpath = /var/log/horde/horde.log
[groupoffice]
port = :10080,https
logpath = /home/groupoffice/log/info.log
[sogo-auth]
port = :10080,https
logpath = /var/log/sogo/sogo.log
[tine20]
logpath = /var/log/tine20/tine20.log
port = :10080,https
[drupal-auth]
port = :10080,https
logpath = %(syslog_daemon)s
backend = %(syslog_backend)s
[guacamole]
port = :10080,https
logpath = /var/log/tomcat*/catalina.out
[monit]
port = 2812
logpath = /var/log/monit
/var/log/monit.log
[webmin-auth]
port = 10000
logpath = %(syslog_authpriv)s
backend = %(syslog_backend)s
[froxlor-auth]
port = :10080,https
logpath = %(syslog_authpriv)s
backend = %(syslog_backend)s
[squid]
port = 80,443,3128,8080
logpath = /var/log/squid/access.log
[3proxy]
port = 3128
logpath = /var/log/3proxy.log
[proftpd]
port = ftp,ftp-data,ftps,ftps-data
logpath = %(proftpd_log)s
backend = %(proftpd_backend)s
[pure-ftpd]
port = ftp,ftp-data,ftps,ftps-data
logpath = %(pureftpd_log)s
backend = %(pureftpd_backend)s
[gssftpd]
port = ftp,ftp-data,ftps,ftps-data
logpath = %(syslog_daemon)s
backend = %(syslog_backend)s
[wuftpd]
port = ftp,ftp-data,ftps,ftps-data
logpath = %(wuftpd_log)s
backend = %(wuftpd_backend)s
[vsftpd]
port = ftp,ftp-data,ftps,ftps-data
logpath = %(vsftpd_log)s
[assp]
port = smtp,465,submission
logpath = /root/path/to/assp/logs/maillog.txt
[courier-smtp]
port = smtp,465,submission
logpath = %(syslog_mail)s
backend = %(syslog_backend)s
[postfix]
enabled=true ; David
mode = more
port = smtp,465,submission
logpath = %(postfix_log)s
backend = %(postfix_backend)s
[postfix-rbl]
enabled=true ; David
filter = postfix[mode=rbl]
port = smtp,465,submission
logpath = %(postfix_log)s
backend = %(postfix_backend)s
maxretry = 1
[sendmail-auth]
enabled=true ; David
port = submission,465,smtp
logpath = %(syslog_mail)s
backend = %(syslog_backend)s
[sendmail-reject]
enabled=true ; David
mode=extra ; David
port = smtp,465,submission
logpath = %(syslog_mail)s
backend = %(syslog_backend)s
[qmail-rbl]
filter = qmail
port = smtp,465,submission
logpath = /service/qmail/log/main/current
[dovecot]
port = pop3,pop3s,imap,imaps,submission,465,sieve
logpath = %(dovecot_log)s
backend = %(dovecot_backend)s
[sieve]
port = smtp,465,submission
logpath = %(dovecot_log)s
backend = %(dovecot_backend)s
[solid-pop3d]
port = pop3,pop3s
logpath = %(solidpop3d_log)s
[exim]
port = smtp,465,submission
logpath = %(exim_main_log)s
[exim-spam]
port = smtp,465,submission
logpath = %(exim_main_log)s
[kerio]
port = imap,smtp,imaps,465
logpath = /opt/kerio/mailserver/store/logs/security.log
[courier-auth]
port = smtp,465,submission,imap,imaps,pop3,pop3s
logpath = %(syslog_mail)s
backend = %(syslog_backend)s
[postfix-sasl]
filter = postfix[mode=auth]
port = smtp,465,submission,imap,imaps,pop3,pop3s
logpath = %(postfix_log)s
backend = %(postfix_backend)s
[perdition]
port = imap,imaps,pop3,pop3s
logpath = %(syslog_mail)s
backend = %(syslog_backend)s
[squirrelmail]
port = smtp,465,submission,imap,imap2,imaps,pop3,pop3s,:10080,https,socks
logpath = /var/lib/squirrelmail/prefs/squirrelmail_access_log
[cyrus-imap]
port = imap,imaps
logpath = %(syslog_mail)s
backend = %(syslog_backend)s
[uwimap-auth]
port = imap,imaps
logpath = %(syslog_mail)s
backend = %(syslog_backend)s
[named-refused]
port = domain,953
logpath = /var/log/named/security.log
[nsd]
port = 53
action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s",
protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
%(banaction)s[name=%(__name__)s-udp, port="%(port)s",
protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
logpath = /var/log/nsd.log
[asterisk]
port = 5060,5061
action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s",
protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
%(banaction)s[name=%(__name__)s-udp, port="%(port)s",
protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
%(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
logpath = /var/log/asterisk/messages
maxretry = 10
[freeswitch]
port = 5060,5061
action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s",
protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
%(banaction)s[name=%(__name__)s-udp, port="%(port)s",
protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
%(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
logpath = /var/log/freeswitch.log
maxretry = 10
[znc-adminlog]
port = 6667
logpath = /var/lib/znc/moddata/adminlog/znc.log
[mysqld-auth]
port = 3306
logpath = %(mysql_log)s
backend = %(mysql_backend)s
[mongodb-auth]
port = 27017
logpath = /var/log/mongodb/mongodb.log
[recidive]
logpath = /var/log/fail2ban.log
banaction = %(banaction_allports)s
bantime = 1w
findtime = 1d
[pam-generic]
banaction = %(banaction_allports)s
logpath = %(syslog_authpriv)s
backend = %(syslog_backend)s
[xinetd-fail]
banaction = iptables-multiport-log
logpath = %(syslog_daemon)s
backend = %(syslog_backend)s
maxretry = 2
[stunnel]
logpath = /var/log/stunnel4/stunnel.log
[ejabberd-auth]
port = 5222
logpath = /var/log/ejabberd/ejabberd.log
[counter-strike]
logpath = /opt/cstrike/logs/L[0-9]*.log
tcpport = 27030,27031,27032,27033,27034,27035,27036,27037,27038,27039
udpport =
1200,27000,27001,27002,27003,27004,27005,27006,27007,27008,27009,27010,27011,27012,27013,27014,27015
action = %(banaction)s[name=%(__name__)s-tcp, port="%(tcpport)s",
protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
%(banaction)s[name=%(__name__)s-udp, port="%(udpport)s",
protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
[bitwarden]
port = :10080,https
logpath = /home/*/bwdata/logs/identity/Identity/log.txt
[centreon]
port = :10080,https
logpath = /var/log/centreon/login.log
[nagios]
logpath = %(syslog_daemon)s ; nrpe.cfg may define a different log_facility
backend = %(syslog_backend)s
maxretry = 1
[oracleims]
logpath = /opt/sun/comms/messaging64/log/mail.log_current
banaction = %(banaction_allports)s
[directadmin]
logpath = /var/log/directadmin/login.log
port = 2222
[portsentry]
logpath = /var/lib/portsentry/portsentry.history
maxretry = 1
[pass2allow-ftp]
port = ftp,ftp-data,ftps,ftps-data
knocking_url = /knocking/
filter = apache-pass[knocking_url="%(knocking_url)s"]
logpath = %(apache_access_log)s
blocktype = RETURN
returntype = DROP
action = %(action_)s[blocktype=%(blocktype)s, returntype=%(returntype)s,
actionstart_on_demand=false,
actionrepair_on_unban=true]
bantime = 1h
maxretry = 1
findtime = 1
[murmur]
port = 64738
action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s",
protocol=tcp, chain="%(chain)s", actname=%(banaction)s-tcp]
%(banaction)s[name=%(__name__)s-udp, port="%(port)s",
protocol=udp, chain="%(chain)s", actname=%(banaction)s-udp]
logpath = /var/log/mumble-server/mumble-server.log
[screensharingd]
logpath = /var/log/system.log
logencoding = utf-8
[haproxy-http-auth]
logpath = /var/log/haproxy.log
[slapd]
port = ldap,ldaps
logpath = /var/log/slapd.log
[domino-smtp]
port = smtp,ssmtp
logpath = /home/domino01/data/IBM_TECHNICAL_SUPPORT/console.log
[phpmyadmin-syslog]
port = :10080,https
logpath = %(syslog_authpriv)s
backend = %(syslog_backend)s
[zoneminder]
port = :10080,https
logpath = %(apache_error_log)s
[traefik-auth]
port = :10080,https
logpath = /var/log/traefik/access.log
[root@beid ~]#
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
