[FR]: sshd failed login attempts not detected? #3721

Closed
merlinz01 opened this issue Apr 12, 2024 · 1 comment

merlinz01 commented Apr 12, 2024

It seems like fail2ban is not detecting failed ssh login attempts. If fail2ban is scanning /var/log/auth.log it will not detect them, as that file is empty and has always been. I am seeing plenty of failed login attempts in journalctl output. Maybe I need to tell sshd to log to a file? Or can fail2ban watch systemd logs?

This is affecting more than one of my servers.

Environment:

  • Fail2Ban version: v1.02
  • OS, including release name/version : Debian 12

Service, project or product which log or journal should be monitored

  • Name of filter or jail in Fail2Ban (if already exists) : sshd
  • Service, project or product name, including release name/version :
  • Repository or URL (if known) :
  • Service type : SSH
  • Ports and protocols the service is listening : 22

Log or journal information

# systemctl status fail2ban
● fail2ban.service - Fail2Ban Service
     Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; preset: enabled)
     Active: active (running) since Fri 2024-04-12 20:23:01 BST; 33min ago
       Docs: man:fail2ban(1)
   Main PID: 58237 (fail2ban-server)
      Tasks: 5 (limit: 8265)
     Memory: 16.8M
        CPU: 1.165s
     CGroup: /system.slice/fail2ban.service
             └─58237 /usr/bin/python3 /usr/bin/fail2ban-server -xf start

Apr 12 20:23:01 xxx systemd[1]: Started fail2ban.service - Fail2Ban Service.
Apr 12 20:23:01 xxx fail2ban-server[58237]: 2024-04-12 20:23:01,205 fail2ban.confi>
Apr 12 20:23:01 xxx fail2ban-server[58237]: Server ready
# journalctl -f
[Many many of the following]
Apr 12 21:00:42 xxx sshd[59239]: Invalid user oii from 43.163.195.237 port 39636
Apr 12 21:00:43 xxx sshd[59239]: Received disconnect from 43.163.195.237 port 39636:11: Bye Bye [preauth]
Apr 12 21:00:43 xxx sshd[59239]: Disconnected from invalid user oii 43.163.195.237 port 39636 [preauth]

# fail2ban-client banned
[{'sshd': []}]

Top 10 failed IP addresses since fail2ban was started:

# journalctl -S "2024-4-12 20:23:00" | grep -E -o "from ([0-9]{1,3}\.){3}[0-9]{1,3} port" | sort | uniq -c | sort -nr | head
     52 from 43.155.144.147 port
     52 from 223.113.121.94 port
     50 from 64.227.170.125 port
     50 from 43.155.160.230 port
     48 from 84.227.185.213 port
     48 from 43.163.195.237 port
     48 from 43.153.226.61 port
     48 from 164.92.112.124 port
     48 from 118.193.35.41 port
     46 from 198.244.198.103 port

  • Journal identifier or unit name : sshd

Any additional information

# fail2ban-client -d
2024-04-12 21:10:06,234 fail2ban.configreader   [59330]: WARNING 'allowipv6' not defined in 'Definition'. Using default one: 'auto'
['set', 'syslogsocket', 'auto']
['set', 'loglevel', 'INFO']
['set', 'logtarget', '/var/log/fail2ban.log']
['set', 'allowipv6', 'auto']
['set', 'dbfile', '/var/lib/fail2ban/fail2ban.sqlite3']
['set', 'dbmaxmatches', 10]
['set', 'dbpurgeage', '1d']
['add', 'sshd', 'auto']
['set', 'sshd', 'usedns', 'warn']
['set', 'sshd', 'prefregex', '^<F-MLFID>(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel:\\s?\\[ *\\d+\\.\\d+\\]:?\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?</F-MLFID>(?:(?:error|fatal): (?:PAM: )?)?<F-CONTENT>.+</F-CONTENT>$']
['set', 'sshd', 'maxlines', 1]
['multi-set', 'sshd', 'addfailregex', ['^[aA]uthentication (?:failure|error|failed) for <F-USER>.*</F-USER> from <HOST>( via \\S+)?(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$', '^User not known to the underlying authentication module for <F-USER>.*</F-USER> from <HOST>(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$', '^Failed publickey for invalid user <F-USER>(?P<cond_user>\\S+)|(?:(?! from ).)*?</F-USER> from <HOST>(?: (?:port \\d+|on \\S+)){0,2}(?: ssh\\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)', '^Failed (?:<F-NOFAIL>publickey</F-NOFAIL>|\\S+) for (?P<cond_inv>invalid user )?<F-USER>(?P<cond_user>\\S+)|(?(cond_inv)(?:(?! from ).)*?|[^:]+)</F-USER> from <HOST>(?: (?:port \\d+|on \\S+)){0,2}(?: ssh\\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)', '^<F-USER>ROOT</F-USER> LOGIN REFUSED FROM <HOST>', '^[iI](?:llegal|nvalid) user <F-USER>.*?</F-USER> from <HOST>(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$', '^User <F-USER>\\S+|.*?</F-USER> from <HOST> not allowed because not listed in AllowUsers(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$', '^User <F-USER>\\S+|.*?</F-USER> from <HOST> not allowed because listed in DenyUsers(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$', '^User <F-USER>\\S+|.*?</F-USER> from <HOST> not allowed because not in any group(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$', '^refused connect from \\S+ \\(<HOST>\\)', '^Received <F-MLFFORGET>disconnect</F-MLFFORGET> from <HOST>(?: (?:port \\d+|on \\S+)){0,2}:\\s*3: .*: Auth fail(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$', '^User <F-USER>\\S+|.*?</F-USER> from <HOST> not allowed because a group is listed in DenyGroups(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$', "^User <F-USER>\\S+|.*?</F-USER> from <HOST> not allowed because none of user's groups are listed in AllowGroups(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$", '^<F-NOFAIL>pam_[a-z]+\\(sshd:auth\\):\\s+authentication failure;</F-NOFAIL>(?:\\s+(?:(?:logname|e?uid|tty)=\\S*)){0,4}\\s+ruser=<F-ALT_USER>\\S*</F-ALT_USER>\\s+rhost=<HOST>(?:\\s+user=<F-USER>\\S*</F-USER>)?(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$', '^maximum authentication attempts exceeded for <F-USER>.*</F-USER> from <HOST>(?: (?:port \\d+|on \\S+)){0,2}(?: ssh\\d*)?(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$', '^User <F-USER>\\S+|.*?</F-USER> not allowed because account is locked(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*', '^<F-MLFFORGET>Disconnecting</F-MLFFORGET>(?: from)?(?: (?:invalid|authenticating)) user <F-USER>\\S+</F-USER> <HOST>(?: (?:port \\d+|on \\S+)){0,2}:\\s*Change of username or service not allowed:\\s*.*\\[preauth\\]\\s*$', '^Disconnecting: Too many authentication failures(?: for <F-USER>\\S+|.*?</F-USER>)?(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$', '^<F-NOFAIL>Received <F-MLFFORGET>disconnect</F-MLFFORGET></F-NOFAIL> from <HOST>(?: (?:port \\d+|on \\S+)){0,2}:\\s*11:', '^<F-NOFAIL><F-MLFFORGET>(Connection (?:closed|reset)|Disconnected)</F-MLFFORGET></F-NOFAIL> (?:by|from)(?: (?:invalid|authenticating) user <F-USER>\\S+|.*?</F-USER>)? <HOST>(?:(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*|\\s*)$', '^<F-MLFFORGET><F-MLFGAINED>Accepted \\w+</F-MLFGAINED></F-MLFFORGET> for <F-USER>\\S+</F-USER> from <HOST>(?:\\s|$)', '^<F-NOFAIL>Connection from</F-NOFAIL> <HOST>']]
['set', 'sshd', 'datepattern', '{^LN-BEG}']
['set', 'sshd', 'addjournalmatch', '_SYSTEMD_UNIT=sshd.service', '+', '_COMM=sshd']
['set', 'sshd', 'maxretry', 5]
['set', 'sshd', 'maxmatches', 5]
['set', 'sshd', 'findtime', '10m']
['set', 'sshd', 'bantime', '10m']
['set', 'sshd', 'ignorecommand', '']
['set', 'sshd', 'logencoding', 'auto']
['set', 'sshd', 'addlogpath', '/var/log/auth.log', 'head']
['set', 'sshd', 'addaction', 'iptables-multiport']
['multi-set', 'sshd', 'action', 'iptables-multiport', [['actionstart', "{ <iptables> -C f2b-sshd -j RETURN >/dev/null 2>&1; } || { <iptables> -N f2b-sshd || true; <iptables> -A f2b-sshd -j RETURN; }\nfor proto in $(echo 'tcp' | sed 's/,/ /g'); do\n{ <iptables> -C INPUT -p $proto -m multiport --dports ssh -j f2b-sshd >/dev/null 2>&1; } || { <iptables> -I INPUT -p $proto -m multiport --dports ssh -j f2b-sshd; }\ndone"], ['actionstop', "for proto in $(echo 'tcp' | sed 's/,/ /g'); do\n<iptables> -D INPUT -p $proto -m multiport --dports ssh -j f2b-sshd\ndone\n<iptables> -F f2b-sshd\n<iptables> -X f2b-sshd"], ['actionflush', '<iptables> -F f2b-sshd'], ['actioncheck', "for proto in $(echo 'tcp' | sed 's/,/ /g'); do\n<iptables> -C INPUT -p $proto -m multiport --dports ssh -j f2b-sshd\ndone"], ['actionban', '<iptables> -I f2b-sshd 1 -s <ip> -j <blocktype>'], ['actionunban', '<iptables> -D f2b-sshd -s <ip> -j <blocktype>'], ['port', 'ssh'], ['protocol', 'tcp'], ['chain', '<known/chain>'], ['name', 'sshd'], ['actname', 'iptables-multiport'], ['blocktype', 'REJECT --reject-with icmp-port-unreachable'], ['returntype', 'RETURN'], ['lockingopt', '-w'], ['iptables', 'iptables <lockingopt>'], ['blocktype?family=inet6', 'REJECT --reject-with icmp6-port-unreachable'], ['iptables?family=inet6', 'ip6tables <lockingopt>']]]
['start', 'sshd']

Relevant lines from monitored log files:

/var/log/auth.log is empty.


sebres commented Apr 12, 2024

['add', 'sshd', 'auto']

This means that the jail's backend is auto (depending on the availability of pyinotify, polling, etc., but monitoring log files only); you have to set backend = systemd in the jail (to monitor the systemd journal).

Also note #3292 (comment)

sebres closed this as not planned on Apr 12, 2024.
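The fix sebres describes, worked through as an added example (this is not code from the issue or from the fail2ban project): a jail.d drop-in that moves the sshd jail to the systemd backend, a check that reads the effective backend out of a `fail2ban-client -d` dump exactly like the one posted above, and a diagnosis for the reporter's situation, where an "auto" jail watches an empty /var/log/auth.log. The drop-in file name `sshd-systemd.local` and the `FAIL2BAN_DROPIN` variable are assumptions; fail2ban itself reads every `*.conf` and `*.local` under `jail.d`. The systemd backend needs the Python systemd journal bindings (`python3-systemd` on Debian), and `logpath` is not valid for it, so the override sets none.

```shell
#!/usr/bin/env bash
# Added example, not code from the issue or from the fail2ban project.
# Switches the sshd jail from the default "auto" backend (log files only)
# to the systemd backend, which reads the journal through the Python
# systemd bindings (python3-systemd on Debian), and verifies the result
# with the same `fail2ban-client -d` dump the reporter used.
set -eu

# Drop-in path is an assumption; any *.conf or *.local under jail.d is
# read after jail.conf and overrides it.
DROPIN="${FAIL2BAN_DROPIN:-/etc/fail2ban/jail.d/sshd-systemd.local}"

# Write the override. Only the backend changes: the stock sshd filter
# already carries journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd,
# and logpath is not valid for the systemd backend, so none is set.
write_override() {
  path="$1"
  mkdir -p "$(dirname "$path")"
  cat >"$path" <<'EOF'
[sshd]
enabled = true
backend = systemd
EOF
}

# Print the backend a jail will start with, read from a `fail2ban-client -d`
# dump on stdin. The dump contains one line of the form
#   ['add', 'sshd', 'auto']      (file backend: pyinotify/gamin/polling)
#   ['add', 'sshd', 'systemd']   (journal backend)
# Prints nothing if the jail is not in the dump (not enabled).
jail_backend() {
  jail="$1"
  sed -n "s/^\['add', '$jail', '\([^']*\)'\]\$/\1/p"
}

# Diagnose a jail: a file-backed jail whose log path is missing or
# zero-length (the reporter's /var/log/auth.log) can never produce a
# match, so nothing is ever banned even though journalctl is full of
# "Invalid user ... from <ip>" lines.
#   $1 jail name, $2 path to a saved `fail2ban-client -d` dump,
#   $3 the log path the jail is configured with
diagnose_jail() {
  jail="$1" dump="$2" logpath="$3"
  backend=$(jail_backend "$jail" <"$dump")
  case "$backend" in
    systemd) echo "ok: $jail reads the systemd journal" ;;
    "")      echo "missing: jail $jail is not enabled" ;;
    *)
      if [ -s "$logpath" ]; then
        echo "ok: $jail ($backend) reads $logpath"
      else
        echo "broken: $jail ($backend) watches $logpath, which is missing or empty; set backend = systemd"
      fi ;;
  esac
}

# Apply on the host (root) and verify. Runs only as `./script apply`.
apply_and_verify() {
  write_override "$DROPIN"
  # Restart the jail so it comes up on the new backend.
  fail2ban-client reload --restart sshd
  # Expect "systemd" here; "auto" means the drop-in was not picked up.
  fail2ban-client -d | jail_backend sshd
  # The Filter section now lists "Journal matches:" instead of "File list:".
  fail2ban-client status sshd
}

if [ "${1:-}" = "apply" ]; then
  apply_and_verify
fi
```

Run it as `sudo ./fix-sshd-jail.sh apply` (file name assumed); if the reload fails because the systemd backend cannot be initialised, install `python3-systemd` first. After a few more failed attempts from the same source, `fail2ban-client status sshd` should show them under "Currently failed" and, once maxretry (5 in the dump above) is reached within findtime, under "Banned IP list".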