How can fail2ban block a host which scans server ports?

linumo (New Member, joined Jul 9, 2021)
Recently I saw a port scan on my Ubuntu server.
The log lines in auth.log look like this:
Jul 2 01:14:30 host12907 sshd[14010]: Failed password for root from 64.225.102.51 port 41676 ssh2
Jul 2 01:14:30 host12907 sshd[14011]: Failed password for root from 64.225.102.51 port 41696 ssh2
Jul 2 01:14:30 host12907 sshd[14032]: Failed password for root from 64.225.102.51 port 42768 ssh2
Jul 2 01:14:30 host12907 sshd[14008]: Failed password for root from 64.225.102.51 port 41610 ssh2
Jul 2 01:14:30 host12907 sshd[14019]: Failed password for root from 64.225.102.51 port 41958 ssh2
Jul 2 01:14:30 host12907 sshd[14027]: Failed password for root from 64.225.102.51 port 42528 ssh2
Jul 2 01:14:30 host12907 sshd[14038]: Failed password for root from 64.225.102.51 port 43020 ssh2
Jul 2 01:14:30 host12907 sshd[14030]: Failed password for root from 64.225.102.51 port 42660 ssh2
Jul 2 01:14:30 host12907 sshd[14035]: Failed password for root from 64.225.102.51 port 42860 ssh2
Jul 2 01:14:31 host12907 sshd[14041]: Failed password for root from 64.225.102.51 port 43112 ssh2
Jul 2 01:14:31 host12907 sshd[14022]: Failed password for root from 64.225.102.51 port 42360 ssh2
Jul 2 01:14:31 host12907 sshd[14029]: Failed password for root from 64.225.102.51 port 42584 ssh2


I did check the fail2ban filter for sshd with:
fail2ban-regex --print-all-matched /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf
and the lines were matched correctly.
Thus, it obviously is the ssh jail which doesn't block the scan as expected.
The current jail for ssh shows:

[ssh]
enabled = true
filter = sshd
action = iptables[name=ssh, port=ssh]
logpath = /var/log/auth.log
maxretry = 5


I suppose the action line in the sshd jail can be configured to ban failed attempts not only to the single actually configured sshd port, but to any port.
Alas, I don't know how to change the action line so that fail2ban sums up failed ssh attempts to any port in its maxretry counter.
How can I get the ssh jail to process failed attempts on all ports?
Would it work correctly if I left out the port specification entirely?
Or should the port specification just say port=all?
Or should the jail specification look totally different?
I am reluctant to experiment with it because my server is a vServer and I am anxious about locking myself out if I do something wrong.
 


In /etc/fail2ban/jail.conf, add your own IP to the following line and then restart fail2ban.
Code:
ignoreip = 127.0.0.1/8 ::1
That way you will never lock yourself out.
 
My vServer is hosted by an internet provider, and thus I do need a working ssh connection from my home PC to it.
 
My vServer is hosted by an internet provider, and thus I do need a working ssh connection from my home PC to it.
I reacted to this part:
I am reluctant to experiment with it because my server is a vServer and I am anxious about locking myself out if I do something wrong.
If you configure your external IP in that setting and restart fail2ban, you won't lock yourself out.
 
Thanks, I now get your point.
It helps me to experiment, although it is not an answer to my original question.
 
It helps me to experiment, although it is not an answer to my original question.
Which Ubuntu version are you running on your server? That way I can test it out in my virtual lab, since I do use fail2ban but not on Ubuntu.
 
I am on Ubuntu 18 LTS with fail2ban v0.11.2, as my provider does not offer Ubuntu 20 yet.
I have attached the sshd.conf filter.
 

Attachment: sshd.conf.zip (2.7 KB)
I installed a test VM with Ubuntu 18 and got it working. This is what my fail2ban ssh configuration looks like in /etc/fail2ban/jail.conf:
Code:
[sshd]
enabled = true
port    = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
action = %(action_)s
Then I restarted fail2ban and tried to log in with the wrong credentials.
Code:
2021-07-09 15:52:04,184 fail2ban.filter         [2063]: INFO    [sshd] Found 11.22.13.16 - 2021-07-09 15:52:04
2021-07-09 15:52:06,889 fail2ban.filter         [2063]: INFO    [sshd] Found 11.22.13.16 - 2021-07-09 15:52:06
2021-07-09 15:52:18,272 fail2ban.filter         [2063]: INFO    [sshd] Found 11.22.13.16 - 2021-07-09 15:52:18
2021-07-09 15:52:20,977 fail2ban.filter         [2063]: INFO    [sshd] Found 11.22.13.16 - 2021-07-09 15:52:20
2021-07-09 15:52:24,760 fail2ban.filter         [2063]: INFO    [sshd] Found 11.22.13.16 - 2021-07-09 15:52:24
2021-07-09 15:52:24,816 fail2ban.actions        [2063]: NOTICE  [sshd] Ban 11.22.13.16
2021-07-09 15:52:26,383 fail2ban.filter         [2063]: INFO    [sshd] Found 11.22.13.16 - 2021-07-09 15:52:26
The action is actually already set globally in the configuration file with this:
Code:
action = %(action_)s
So I would think that if you change your configuration from this:
Code:
[ssh]
enabled = true
filter = sshd
action = iptables[name=ssh, port=ssh]
logpath = /var/log/auth.log
maxretry = 5
to this, it should work:
Code:
[sshd]
enabled = true
filter = sshd
logpath = /var/log/auth.log
maxretry = 5
Also, in your original ssh configuration you used ssh instead of sshd. The part in the [ ] defines which filter is used, so if you spelled the name of the filter wrong it won't work. So if you change it to the following, it should probably work too.
Code:
[sshd]
enabled = true
action = iptables[name=ssh, port=ssh]
logpath = /var/log/auth.log
maxretry = 5
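To make the counting question in the original post concrete (whether the client port matters for the maxretry counter), here is an added example that is not part of this thread and not fail2ban's own code: a small Python emulation of a jail's sliding window over the auth.log excerpt above. It uses a simplified regex that only covers the "Failed password" line shape shown in the question (the real filter.d/sshd.conf has many more patterns), default values of maxretry=5 and findtime=600 s as assumptions, and three constructed lines from a second, documentation-range address (198.51.100.7) that never reaches the threshold. The parser also splits out the last two fields of each line, which shows that the number after "port" is the client's ephemeral source port and "ssh2" is the protocol version string.

```python
"""Sliding-window failure counting in the style of a fail2ban jail.

Constructed illustration for this thread; it is not fail2ban code and the
regex is a simplified stand-in for the real filter.d/sshd.conf rules.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified match for the "Failed password" line shown in the question.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<host>\S+) port (?P<port>\d+) (?P<proto>ssh\d)$"
)


def parse_line(line):
    """Return the fields of one auth.log failure line, or None if no match.

    ``port`` is the client's ephemeral source port (different on every
    connection); ``proto`` is the SSH protocol version string ("ssh2"),
    not a service name or a port number.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    # syslog timestamps carry no year; strptime defaults to 1900, which is
    # fine for relative comparisons within a single log (assumption: no
    # year boundary inside the excerpt).
    fields["ts"] = datetime.strptime(fields["ts"], "%b %d %H:%M:%S")
    fields["port"] = int(fields["port"])
    return fields


def evaluate(log_text, maxretry=5, findtime=600):
    """Emulate a jail: ban a host once it has >= maxretry failures within
    findtime seconds, keyed on the source IP only (client port ignored).

    Returns (failures_per_host, bans); bans maps host -> timestamp of the
    failure that triggered the ban. Lines from an already banned host are
    skipped, as the firewall would have dropped them.
    """
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)   # host -> timestamps inside the window
    failures = defaultdict(int)
    bans = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["host"] in bans:
            continue
        host, ts = ev["host"], ev["ts"]
        failures[host] += 1
        q = recent[host]
        q.append(ts)
        while q and ts - q[0] > window:   # forget failures older than findtime
            q.popleft()
        if len(q) >= maxretry:
            bans[host] = ts
    return dict(failures), bans


# The 12 lines from the question, plus 3 constructed lines from 198.51.100.7.
SAMPLE_LOG = """\
Jul 2 01:14:30 host12907 sshd[14010]: Failed password for root from 64.225.102.51 port 41676 ssh2
Jul 2 01:14:30 host12907 sshd[14011]: Failed password for root from 64.225.102.51 port 41696 ssh2
Jul 2 01:14:30 host12907 sshd[14032]: Failed password for root from 64.225.102.51 port 42768 ssh2
Jul 2 01:14:30 host12907 sshd[14008]: Failed password for root from 64.225.102.51 port 41610 ssh2
Jul 2 01:14:30 host12907 sshd[14019]: Failed password for root from 64.225.102.51 port 41958 ssh2
Jul 2 01:14:30 host12907 sshd[14027]: Failed password for root from 64.225.102.51 port 42528 ssh2
Jul 2 01:14:30 host12907 sshd[14038]: Failed password for root from 64.225.102.51 port 43020 ssh2
Jul 2 01:14:30 host12907 sshd[14030]: Failed password for root from 64.225.102.51 port 42660 ssh2
Jul 2 01:14:30 host12907 sshd[14035]: Failed password for root from 64.225.102.51 port 42860 ssh2
Jul 2 01:14:31 host12907 sshd[14041]: Failed password for root from 64.225.102.51 port 43112 ssh2
Jul 2 01:14:31 host12907 sshd[14022]: Failed password for root from 64.225.102.51 port 42360 ssh2
Jul 2 01:14:31 host12907 sshd[14029]: Failed password for root from 64.225.102.51 port 42584 ssh2
Jul 2 01:20:00 host12907 sshd[14101]: Failed password for invalid user admin from 198.51.100.7 port 50001 ssh2
Jul 2 01:21:10 host12907 sshd[14105]: Failed password for invalid user admin from 198.51.100.7 port 50002 ssh2
Jul 2 01:22:45 host12907 sshd[14109]: Failed password for root from 198.51.100.7 port 50003 ssh2
"""

if __name__ == "__main__":
    failures, bans = evaluate(SAMPLE_LOG)
    for host, n in failures.items():
        state = f"banned at {bans[host].time()}" if host in bans else "not banned"
        print(f"{host}: {n} failures counted, {state}")
```

Running it reports 64.225.102.51 banned on its fifth failure at 01:14:30 even though every attempt arrived from a different client port, while 198.51.100.7 stays below the threshold. The port in the jail's action line only selects which destination port the firewall rule closes for the banned address; it has no part in the counting.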
 
I also tried your original ssh fail2ban configuration which also seems to work for me, so the problem may be somewhere else. But at least you can try what I mentioned in my other post and see how far that gets you.
 
Recently I saw a port scan on my Ubuntu server.
The log lines in auth.log look like this:

Jul 2 01:14:31 host12907 sshd[14029]: Failed password for root from 64.225.102.51 port 42584 ssh2
The current jail for ssh shows:

[ssh]
enabled = true
filter = sshd
action = iptables[name=ssh, port=ssh]
logpath = /var/log/auth.log
maxretry = 5

What port is "ssh2" running on? Search /etc/services for ssh2... I simply added an additional line in /etc/services for ssh with my changed port, i.e.
ssh 22/tcp # SSH Remote Login Protocol
ssh 12345/tcp # SSH Remote Login Protocol

fail2ban is referencing "ssh", but your logs show ssh2... I'm no expert, but I would check that first. I hope this helps!