Hi, I am attempting to set up fail2ban so that it will ban any IP that fails to provide the proper credentials after 5 attempts for ssh. I copied the jail.conf in /etc/fail2ban to jail.local and have edited the ssh-iptables section so that it is enabled (and uses the port I have ssh listen to).
Then I just restarted the fail2ban service and can confirm it added something to iptables. The problem is when I try to ssh and intentionally fail at providing the password for the key, I am not banned after 5 attempts. This is my very first time using fail2ban so i think I am just doing something stupid, but I have looked at all the tutorials that I can find and I just dont understand what is wrong.
I am using a key + password for it to log in and when I enter the password wrong ~7 times I still have not been banned. The same goes for if I dont posses the pub key at all.
> banned after 5 attempts. This is my very first time using fail2ban so i
> think I am just doing something stupid, but I have looked at all the
> tutorials that I can find and I just dont understand what is wrong.
I’m not familiar with fail2ban myself, but the port for ssh is 22, not
22222. Typo?
And for your tests, you probably have to connect from internet, not from
the same machine - I mention this because people tend to forget this
when testing
If your intention is only to block only ssh, the distribution firewall,
susefirewall, can natively block repetitive failed ssh attempts and a
few others. It is trivial to setup.
–
Cheers / Saludos,
Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)
heh no I just used 22222 as an example for the fact that I am not using the standard port. And yeah I ssh to my school servers and then attempt to ssh back
And thanks I will look into doing this with susefirewall
> And thanks I will look into doing this with susefirewall
/etc/sysconfig/SuSEfirewall2:
> ## Type: string
> ## Default:
> #
> # Services to allow. This is a more generic form of FW_SERVICES_XXX_{IP,UDP,TCP}
> # and more specific than FW_TRUSTED_NETS
> #
> # Format: space separated list of net,protocol,dport,sport,flags]]]
> # Example: "0/0,tcp,22"
> #
> # Supported flags are
> # hitcount=NUMBER : ipt_recent --hitcount parameter
> # blockseconds=NUMBER : ipt_recent --seconds parameter
> # recentname=NAME : ipt_recent --name parameter
> # Example:
> # Allow max three ssh connects per minute from the same IP address:
> # "0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"
> #
> # The special value _rpc_ is recognized as protocol and means that dport is
> # interpreted as rpc service name. See FW_SERVICES_EXT_RPC for
> # details.
> #
> # Note1: keep in mind that FW_SERVICES_EXT_TCP, FW_SERVICES_EXT_UDP
> # take precedence over FW_SERVICES_ACCEPT_EXT so don't open the same
> # port with both options.
> #
> # Note2: the iptables recent module may not be available for ipv6. To
> # avoid an error message use 0.0.0.0/0 instead of 0/0. This will
> # install the rule for ipv4 only.
> #
> #FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"
This does not need to read/write any file, it works on memory. The
kernel handles it.
–
Cheers / Saludos,
Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)
