LinuxQuestions.org

Linux - Security: What part of the Fail2Ban configuration is wrong? (https://www.linuxquestions.org/questions/linux-security-4/what-part-of-the-fail2ban-configuration-is-wrong-4175734267/)

Jason.nix 02-26-2024 04:21 AM

What part of the Fail2Ban configuration is wrong?
 
Hello,
The SSH part of Fail2ban is as follows:
Code:

[sshd]
enabled = true
port    = 22
logpath = /var/log/ssh-fail2ban.log
backend = %(sshd_backend)s
maxretry  = 2
findtime  = 10
bantime  = 4w

I connected to the host and entered the wrong SSH password a few times, but I was not blocked. Why?

Thank you.

TenTenths 02-26-2024 06:19 AM

Quote:

Originally Posted by Jason.nix (Post 6485981)
I connected to the host and entered the wrong SSH password a few times, but I was not blocked. Why?

Because your Fail2Ban config doesn't make sense.
Quote:

Originally Posted by Jason.nix (Post 6485981)
Code:

logpath = /var/log/ssh-fail2ban.log

That's supposed to be the path to the log containing the authentication errors, not where F2B will log its activity.

bitfuzzy 02-26-2024 07:42 AM

Try

Code:

logpath = %(sshd_log)s

bitfuzzy 02-26-2024 07:48 AM

IMO you might want to consider allowing connections to SSH from only trusted IPs and BLOCK access to all others, though this works best where connecting clients are using static IPs.

It's not meant to replace fail2ban's ssh policy, but to act as your first line of defense.

Jason.nix 02-26-2024 10:53 AM

Quote:

Originally Posted by bitfuzzy (Post 6486011)
Try

Code:

logpath = %(sshd_log)s

Hello,
Thank you so much for your reply.
When I use logpath = %(sshd_log)s and then restart the Fail2Ban service, I get the following error message:
Quote:

Failed during configuration: Have not found any log file for sshd jail.

bitfuzzy 02-26-2024 02:03 PM

Check /etc/fail2ban/

You should have a file named paths-common.conf

Make a copy of the file and name it paths-common.local

Open the file and search for sshd.

If you don't find sshd_log, add:
Code:

sshd_log = %(syslog_authpriv)s

If you don't find sshd_backend, also add:
Code:

sshd_backend = %(default_backend)s

Restart fail2ban and see if that helps.

Ken

Jason.nix 02-26-2024 11:45 PM

Quote:

Originally Posted by bitfuzzy (Post 6486104)
Check /etc/fail2ban/

You should have a file named paths-common.conf

Make a copy of the file and name it paths-common.local

Open the file and search for sshd.

If you don't find sshd_log, add:
Code:

sshd_log = %(syslog_authpriv)s

If you don't find sshd_backend, also add:
Code:

sshd_backend = %(default_backend)s

Restart fail2ban and see if that helps.

Ken

Hello,
Thank you so much for your reply.
After this, I restarted the Fail2Ban service and got the following errors:
Code:

[715]: ERROR  Failed during configuration: Have not found any log file for sshd jail
[715]: ERROR  Async configuration of server failed

In the jail.local file, I changed the backend value from %(sshd_backend)s to systemd and the problem was solved.
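The two problems worked out in this thread can be reproduced with a small Python check (added example, not fail2ban's own code): it layers a constructed paths-common sample under the poster's jail the way fail2ban resolves %(sshd_log)s, then applies the rule behind "Have not found any log file for sshd jail": a jail whose backend is not systemd needs an existing file at its logpath. The paths-common values and the fake filesystem are assumptions made for the example.

```python
import configparser
import os

# Constructed sample standing in for paths-common.conf (values assumed; the
# sshd_log / sshd_backend lines mirror the ones suggested in the thread).
PATHS_COMMON = """
[DEFAULT]
default_backend = auto
syslog_authpriv = /var/log/auth.log
sshd_log = %(syslog_authpriv)s
sshd_backend = %(default_backend)s
"""

# The jail from the first post: logpath names a file that nothing writes to.
JAIL_ORIGINAL = """
[sshd]
enabled = true
port = 22
logpath = /var/log/ssh-fail2ban.log
backend = %(sshd_backend)s
maxretry = 2
findtime = 10
bantime = 4w
"""


def load_jail(*layers, section="sshd"):
    """Read config layers in order (.conf first, .local last, later wins) and
    expand %(name)s references, as fail2ban does for sshd_log -> syslog_authpriv."""
    cp = configparser.ConfigParser(interpolation=configparser.BasicInterpolation())
    for text in layers:
        cp.read_string(text)
    return dict(cp[section])


def check_jail(jail, exists=os.path.exists):
    """Return the problems found; an empty list means the jail would load.
    Simplified rule: unless backend is systemd (journal), at least one file
    named in logpath must exist on disk."""
    problems = []
    if jail.get("backend", "auto") != "systemd":
        if not any(exists(p) for p in jail.get("logpath", "").split()):
            problems.append("Have not found any log file for sshd jail")
    return problems


def auth_log_only(path):
    """Fake filesystem (assumption) so the example runs offline: only auth.log exists."""
    return path == "/var/log/auth.log"


if __name__ == "__main__":
    for local in ("", "[sshd]\nlogpath = %(sshd_log)s", "[sshd]\nbackend = systemd"):
        jail = load_jail(PATHS_COMMON, JAIL_ORIGINAL, local)
        print(jail["logpath"], jail["backend"], check_jail(jail, auth_log_only))
```

On a journal-only host where /var/log/auth.log does not exist, the resolved sshd_log still fails the check, which is why switching the backend to systemd was what finally made the jail load.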
