Issue
Trouble with Fail2Ban
I am struggling with the app with fail2ban. The server is a Community 7 server put up this spring. Last updates appear to be in May. My issue is with fail2ban/fail2ban-server.
I created the /etc/fail2ban/jail.local and enabled sshd. The /var/log/fail2ban.log file is very busy with lots of logged ssh attacks. It reports that an attacking IP address is banned, but that IP continues to hit the server.
I see the iptables rule for "REJECT all -- 0.0.0.0/0 0.0.0.0/0 match-set f2b-sshd src reject-with icmp-port-unreachable". But I don't see anywhere in iptables -L -n that the bad IP addresses are being added. Is there somewhere that I can see the "match-set f2b-sshd" entries?
I tried uninstalling and reinstalling the app-attack-detector, which re-installed the fail2ban system. No help. The behavior is the same. IP addresses are recognized as ssh attacks, are logged, and reported as banned, but are not being stopped by the firewall.
What am I missing?
Responses (1)
Accepted Answer
If you have the Attack Detector app you don't need a jail.local to enable that jail. You can enable it through the webconfig (which enables the jail in /etc/fail2ban/jail.d/clearos-sshd.conf). You may find your own jail definition has a short ban time. The one in /etc/fail2ban/jail.d/clearos-sshd.conf is for a day.
To see if you have a block in your ipset set, check the app documentation (the slanted book icon at the top right of the webconfig page).
In terms of updates, there have been plenty of them since May, but not to the Attack Detector or f2b. If your system is not updating then there is something wrong. Try doing a:
yum update app-base
yum clean all
yum update
And see if updates restart.
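As an added example (not from the thread or from the ClearOS app), the script below cross-checks the addresses fail2ban logs as "Ban" against the members of the f2b-sshd ipset, which is exactly the gap the question describes (logged as banned but not held by the firewall). The log lines and the "ipset list" output are constructed samples so it runs offline; on the server itself you would feed it grep output from /var/log/fail2ban.log and the output of "ipset list f2b-sshd".

```shell
#!/bin/sh
# Added example: find IPs that fail2ban reports as banned but that are
# missing from the f2b-sshd ipset referenced by the iptables REJECT rule.
#
# Live use on the server (assumed commands, both standard tools):
#   missing_from_set "$(cat /var/log/fail2ban.log)" "$(ipset list f2b-sshd)"
# The two inputs below are CONSTRUCTED samples (RFC 5737 test addresses).

SAMPLE_LOG='2019-10-01 10:00:01,123 fail2ban.actions [1234]: NOTICE [sshd] Ban 203.0.113.10
2019-10-01 10:05:02,456 fail2ban.actions [1234]: NOTICE [sshd] Ban 198.51.100.7
2019-10-01 10:07:09,789 fail2ban.actions [1234]: NOTICE [sshd] Unban 203.0.113.10
2019-10-01 10:09:10,000 fail2ban.actions [1234]: NOTICE [sshd] Ban 192.0.2.44'

SAMPLE_IPSET='Name: f2b-sshd
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 86400
Size in memory: 312
References: 1
Members:
198.51.100.7 timeout 86390'

# IPs whose most recent [sshd] action in the log is "Ban" (a later Unban
# clears the address). Output: one IP per line, sorted.
banned_in_log() {
    printf '%s\n' "$1" | awk '
        /\[sshd\] Ban /   { state[$NF] = "banned" }
        /\[sshd\] Unban / { state[$NF] = "unbanned" }
        END { for (ip in state) if (state[ip] == "banned") print ip }' | sort
}

# IPs currently in the set, parsed from "ipset list" output: member lines
# follow the "Members:" header; a "timeout N" suffix is dropped.
in_ipset() {
    printf '%s\n' "$1" | awk 'members && NF { print $1 } /^Members:/ { members = 1 }' | sort
}

# Addresses logged as banned that the firewall set does NOT contain. Any
# output here means the ban action is not reaching ipset/iptables.
missing_from_set() {
    set_members=$(in_ipset "$2")
    banned_in_log "$1" | while read -r ip; do
        printf '%s\n' "$set_members" | grep -qxF "$ip" || printf '%s\n' "$ip"
    done
}

# Stand-alone run over the constructed samples.
missing_from_set "$SAMPLE_LOG" "$SAMPLE_IPSET"
```

An empty result means every logged ban is present in the set; otherwise compare "fail2ban-client status sshd" with "ipset list f2b-sshd" on the live box to see which side disagrees.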