Running Fedora 32, Fail2ban 0.11.1-10, my jail.local:

[DEFAULT]
bantime = 10800
action = %(action_)s
usedns = no
mta = sendmail
backend = auto
banaction = firewallcmd-ipset
port = 0-65535
bantime.increment = true
bantime.rndtime = 8m

[sshd]
enabled = true
maxretry = 4
filter = sshd[mode=aggressive]
Sample logs from /var/log/secure:

Sep 18 13:55:35 tartarus sshd[521042]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.144.184.32
Sep 18 13:55:37 tartarus sshd[521042]: Failed password for invalid user admin from 198.144.184.32 port 56972 ssh2
Sep 18 13:55:38 tartarus sshd[521042]: Received disconnect from 198.144.184.32 port 56972:11: Bye Bye [preauth]
Sep 18 13:55:38 tartarus sshd[521042]: Disconnected from invalid user admin 198.144.184.32 port 56972 [preauth]
Sep 18 14:02:32 tartarus sshd[521086]: Invalid user inssserver from 198.144.184.32 port 40946
Sep 18 14:02:32 tartarus sshd[521086]: pam_unix(sshd:auth): check pass; user unknown
Sep 18 14:02:32 tartarus sshd[521086]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.144.184.32
Sep 18 14:02:33 tartarus sshd[521086]: Failed password for invalid user inssserver from 198.144.184.32 port 40946 ssh2
Sep 18 14:02:34 tartarus sshd[521086]: Received disconnect from 198.144.184.32 port 40946:11: Bye Bye [preauth]
Sep 18 14:02:34 tartarus sshd[521086]: Disconnected from invalid user inssserver 198.144.184.32 port 40946 [preauth]
Sep 18 14:08:54 tartarus sshd[521108]: Connection closed by 60.52.68.6 port 1305 [preauth]
Sep 18 14:09:12 tartarus sshd[521117]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.144.184.32 user=root
Sep 18 14:09:12 tartarus sshd[521117]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Sep 18 14:09:14 tartarus sshd[521117]: Failed password for root from 198.144.184.32 port 53148 ssh2
Sep 18 14:09:15 tartarus sshd[521117]: Received disconnect from 198.144.184.32 port 53148:11: Bye Bye [preauth]
Sep 18 14:12:35 tartarus sshd[521133]: error: kex_exchange_identification: Connection closed by remote host
Sep 18 14:13:41 tartarus sshd[521136]: error: kex_exchange_identification: Connection closed by remote host
Sep 18 14:15:22 tartarus sshd[521141]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.144.184.32 user=root
Sep 18 14:15:22 tartarus sshd[521141]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Sep 18 14:15:24 tartarus sshd[521141]: Failed password for root from 198.144.184.32 port 37100 ssh2
Sep 18 14:15:24 tartarus sshd[521141]: Received disconnect from 198.144.184.32 port 37100:11: Bye Bye [preauth]
Sep 18 14:15:24 tartarus sshd[521141]: Disconnected from authenticating user root 198.144.184.32 port 37100 [preauth]

From /var/log/fail2ban.log:

2020-09-18 14:02:33,008 fail2ban.filter [69632]: INFO [sshd] Found 198.144.184.32 - 2020-09-18 14:02:32
2020-09-18 14:02:33,011 fail2ban.filter [69632]: INFO [pam-generic] Found 198.144.184.32 - 2020-09-18 14:02:32
2020-09-18 14:02:33,364 fail2ban.actions [69632]: NOTICE [sshd] Ban 198.144.184.32
2020-09-18 14:02:33,372 fail2ban.filter [69632]: INFO [recidive] Found 198.144.184.32 - 2020-09-18 14:02:33
2020-09-18 14:02:34,259 fail2ban.filter [69632]: INFO [sshd] Found 198.144.184.32 - 2020-09-18 14:02:33
2020-09-18 14:02:34,263 fail2ban.observer [69632]: INFO [sshd] Found 198.144.184.32, bad - 2020-09-18 14:02:33, 1 # -> 2.0
2020-09-18 14:02:35,011 fail2ban.filter [69632]: INFO [sshd] Found 198.144.184.32 - 2020-09-18 14:02:34
2020-09-18 14:02:35,029 fail2ban.observer [69632]: INFO [sshd] Found 198.144.184.32, bad - 2020-09-18 14:02:34, 1 # -> 2.0
2020-09-18 14:09:12,509 fail2ban.filter [69632]: INFO [pam-generic] Found 198.144.184.32 - 2020-09-18 14:09:12
2020-09-18 14:09:14,718 fail2ban.filter [69632]: INFO [sshd] Found 198.144.184.32 - 2020-09-18 14:09:14
2020-09-18 14:09:14,721 fail2ban.observer [69632]: INFO [sshd] Found 198.144.184.32, bad - 2020-09-18 14:09:14, 1 # -> 2.0
2020-09-18 14:09:16,261 fail2ban.filter [69632]: INFO [sshd] Found 198.144.184.32 - 2020-09-18 14:09:15
2020-09-18 14:09:16,263 fail2ban.observer [69632]: INFO [sshd] Found 198.144.184.32, bad - 2020-09-18 14:09:15, 1 # -> 2.0
2020-09-18 14:09:16,544 fail2ban.actions [69632]: WARNING [sshd] 198.144.184.32 already banned
2020-09-18 14:15:22,769 fail2ban.filter [69632]: INFO [pam-generic] Found 198.144.184.32 - 2020-09-18 14:15:22
2020-09-18 14:15:24,488 fail2ban.filter [69632]: INFO [sshd] Found 198.144.184.32 - 2020-09-18 14:15:24
2020-09-18 14:15:24,493 fail2ban.filter [69632]: INFO [sshd] Found 198.144.184.32 - 2020-09-18 14:15:24
2020-09-18 14:15:24,494 fail2ban.observer [69632]: INFO [sshd] Found 198.144.184.32, bad - 2020-09-18 14:15:24, 1 # -> 2.0
2020-09-18 14:15:24,497 fail2ban.observer [69632]: INFO [sshd] Found 198.144.184.32, bad - 2020-09-18 14:15:24, 1 # -> 2.0
2020-09-18 14:15:24,663 fail2ban.actions [69632]: WARNING [sshd] 198.144.184.32 already banned

First, why is pam-generic being triggered only once? Then, how is this "already banned" showing, if, well, the IP is already banned?
_______________________________________________ Fail2ban-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/fail2ban-users
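An added example that is not part of the post above (my code, not the poster's and not fail2ban's): a small Python check that parses the posted fail2ban.log excerpt (embedded below as constructed sample input), counts Found lines per jail so the sshd versus pam-generic hit ratio is visible, and flags every Found whose matched log line is stamped well after the Ban of the same IP. The three regexes are my assumptions about the 0.11 log-line shapes, and the 60-second grace window is an arbitrary allowance for lines that were already written before the ban took effect. A hit flagged this way means sshd accepted a fresh connection from an address fail2ban had already handed to firewallcmd-ipset, which is the condition behind an "already banned" warning and the first thing to verify in the ipset state.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input: the fail2ban.log excerpt from the post, one entry per line.
FAIL2BAN_LOG = """\
2020-09-18 14:02:33,008 fail2ban.filter [69632]: INFO [sshd] Found 198.144.184.32 - 2020-09-18 14:02:32
2020-09-18 14:02:33,011 fail2ban.filter [69632]: INFO [pam-generic] Found 198.144.184.32 - 2020-09-18 14:02:32
2020-09-18 14:02:33,364 fail2ban.actions [69632]: NOTICE [sshd] Ban 198.144.184.32
2020-09-18 14:02:33,372 fail2ban.filter [69632]: INFO [recidive] Found 198.144.184.32 - 2020-09-18 14:02:33
2020-09-18 14:02:34,259 fail2ban.filter [69632]: INFO [sshd] Found 198.144.184.32 - 2020-09-18 14:02:33
2020-09-18 14:02:34,263 fail2ban.observer [69632]: INFO [sshd] Found 198.144.184.32, bad - 2020-09-18 14:02:33, 1 # -> 2.0
2020-09-18 14:02:35,011 fail2ban.filter [69632]: INFO [sshd] Found 198.144.184.32 - 2020-09-18 14:02:34
2020-09-18 14:02:35,029 fail2ban.observer [69632]: INFO [sshd] Found 198.144.184.32, bad - 2020-09-18 14:02:34, 1 # -> 2.0
2020-09-18 14:09:12,509 fail2ban.filter [69632]: INFO [pam-generic] Found 198.144.184.32 - 2020-09-18 14:09:12
2020-09-18 14:09:14,718 fail2ban.filter [69632]: INFO [sshd] Found 198.144.184.32 - 2020-09-18 14:09:14
2020-09-18 14:09:14,721 fail2ban.observer [69632]: INFO [sshd] Found 198.144.184.32, bad - 2020-09-18 14:09:14, 1 # -> 2.0
2020-09-18 14:09:16,261 fail2ban.filter [69632]: INFO [sshd] Found 198.144.184.32 - 2020-09-18 14:09:15
2020-09-18 14:09:16,263 fail2ban.observer [69632]: INFO [sshd] Found 198.144.184.32, bad - 2020-09-18 14:09:15, 1 # -> 2.0
2020-09-18 14:09:16,544 fail2ban.actions [69632]: WARNING [sshd] 198.144.184.32 already banned
2020-09-18 14:15:22,769 fail2ban.filter [69632]: INFO [pam-generic] Found 198.144.184.32 - 2020-09-18 14:15:22
2020-09-18 14:15:24,488 fail2ban.filter [69632]: INFO [sshd] Found 198.144.184.32 - 2020-09-18 14:15:24
2020-09-18 14:15:24,493 fail2ban.filter [69632]: INFO [sshd] Found 198.144.184.32 - 2020-09-18 14:15:24
2020-09-18 14:15:24,494 fail2ban.observer [69632]: INFO [sshd] Found 198.144.184.32, bad - 2020-09-18 14:15:24, 1 # -> 2.0
2020-09-18 14:15:24,497 fail2ban.observer [69632]: INFO [sshd] Found 198.144.184.32, bad - 2020-09-18 14:15:24, 1 # -> 2.0
2020-09-18 14:15:24,663 fail2ban.actions [69632]: WARNING [sshd] 198.144.184.32 already banned
"""

# Line shapes this check needs (an assumption about the 0.11 log format, written for
# this example; fail2ban's own log parsing is not used). Observer lines are ignored.
STAMP = r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d+)"
FOUND_RE = re.compile(STAMP + r" fail2ban\.filter\s+\[\d+\]: INFO\s+\[(?P<jail>[^\]]+)\] "
                      r"Found (?P<ip>\S+) - (?P<evt>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)$")
BAN_RE = re.compile(STAMP + r" fail2ban\.actions\s+\[\d+\]: NOTICE\s+\[(?P<jail>[^\]]+)\] "
                    r"Ban (?P<ip>\S+)$")
ALREADY_RE = re.compile(STAMP + r" fail2ban\.actions\s+\[\d+\]: WARNING\s+\[(?P<jail>[^\]]+)\] "
                        r"(?P<ip>\S+) already banned$")


def parse_ts(s):
    """fail2ban.log stamps carry milliseconds after a comma; the 'Found ... - <time>'
    suffix (the time of the matched sshd log line) does not."""
    fmt = "%Y-%m-%d %H:%M:%S,%f" if "," in s else "%Y-%m-%d %H:%M:%S"
    return datetime.strptime(s, fmt)


def analyze(log_text, grace_seconds=60):
    """Return Found counts per (jail, ip), the first Ban time per ip, 'already banned'
    counts per (jail, ip), and every Found whose matched-line time is more than
    grace_seconds after that ip's first Ban: fresh activity from an address the
    firewall should already be dropping."""
    found = defaultdict(int)
    bans = {}
    already = defaultdict(int)
    events = []  # (matched-line time, jail, ip) for every Found line
    for line in log_text.splitlines():
        line = line.strip()
        m = FOUND_RE.match(line)
        if m:
            found[(m["jail"], m["ip"])] += 1
            events.append((parse_ts(m["evt"]), m["jail"], m["ip"]))
            continue
        m = BAN_RE.match(line)
        if m:
            t = parse_ts(m["ts"])
            bans[m["ip"]] = min(t, bans.get(m["ip"], t))
            continue
        m = ALREADY_RE.match(line)
        if m:
            already[(m["jail"], m["ip"])] += 1
    grace = timedelta(seconds=grace_seconds)
    post_ban = [(t, jail, ip) for t, jail, ip in events
                if ip in bans and t > bans[ip] + grace]
    return {"found": dict(found), "bans": bans,
            "already_banned": dict(already), "post_ban": post_ban}


if __name__ == "__main__":
    r = analyze(FAIL2BAN_LOG)
    for (jail, ip), n in sorted(r["found"].items()):
        print(f"{jail:12s} {ip}: {n} Found lines")
    for ip, t in r["bans"].items():
        print(f"first Ban of {ip} at {t}")
    for t, jail, ip in r["post_ban"]:
        print(f"post-ban hit: [{jail}] {ip} matched a line stamped {t}")
```

Run it as-is to print the summary for the posted excerpt; on a live host, point it at the real /var/log/fail2ban.log instead. Any post-ban hit it reports is worth checking against the firewall itself: confirm the address is actually in the jail's ipset (fail2ban names it f2b-<jail> by default, so `firewall-cmd --ipset=f2b-sshd --get-entries` here) and that the set is referenced by an active firewalld rule, because fail2ban's own "already banned" bookkeeping says nothing about whether packets are being dropped.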
