[SOLVED] Linode server, and fail2ban --> finds no matches.
SlackwareThis Forum is for the discussion of Slackware Linux.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
A few days ago I created a Linode server instance, using Linode's Slackware 15.0 image-file. Shortly thereafter I downloaded from SlackBuilds the "fail2ban" files, created a Slackware package, and installed the result:
Code:
fail2ban-0.11.2-x86_64-1_SBo
I soon discovered that the SSH "jail" is not enabled by default, and enabled it, and restarted fail2ban. Running this command "fail2ban-client status sshd" gives:
Code:
Status for the jail: sshd
|- Filter
| |- Currently failed: 0
| |- Total failed: 0
| `- File list: /var/log/secure
`- Actions
|- Currently banned: 0
|- Total banned: 0
`- Banned IP list:
After a while it seemed to me at least some lines should have been added to the rules in "iptables", and after quite a bit of reading and studying I became convinced the output below indicates a problem.
Code:
root@darkstar:/etc/fail2ban# fail2ban-regex /var/log/secure sshd
Running tests
=============
Use failregex filter file : sshd, basedir: /etc/fail2ban
Use maxlines : 1
Use datepattern : {^LN-BEG} : Default Detectors
Use log file : /var/log/secure
Use encoding : UTF-8
Results
=======
Prefregex: 49991 total
| ^(?P<mlfid>(?:\[\])?\s*(?:<[^.]+\.[^.]+>\s+)?(?:\S+\s+)?(?:kernel:\s?\[ *\d+\.\d+\]:?\s+)?(?:@vserver_\S+\s+)?(?:(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)\s+)?(?:\[ID \d+ \S+\]\s+)?)(?:(?:error|fatal): (?:PAM: )?)?(?P<content>.+)$
`-
Failregex: 16484 total
|- #) [# of hits] regular expression
| 14) [16484] ^<F-NOFAIL>pam_[a-z]+\(sshd:auth\):\s+authentication failure;</F-NOFAIL>(?:\s+(?:(?:logname|e?uid|tty)=\S*)){0,4}\s+ruser=<F-ALT_USER>\S*</F-ALT_USER>\s+rhost=<HOST>(?:\s+user=<F-USER>\S*</F-USER>)?(?: (?:port \d+|on \S+|\[preauth\])){0,3}\s*$
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [49991] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
`-
Lines: 49991 lines, 16484 ignored, 0 matched, 33507 missed
[processed in 10.44 sec]
Ignored line(s): too many to print. Use --print-all-ignored to print all 16484 lines
Missed line(s): too many to print. Use --print-all-missed to print all 33507 lines
Given my server's "/var/log/secure" file, I think 49991 hits is a reasonable number to be found by the date-regex, and I think 16484 hits is a reasonable number to be found by the fail-regex. There is no regex to use for finding hits to be ignored, so I think zero is reasonable.
I see an sshd SyslogFacility = AUTHPRIV option in the man pages for sshd_config versions 5.3 and 7.4 but it doesn't seem to exist anymore in sshd_config version 8.8
-- kjh
Last edited by kjhambrick; 06-01-2022 at 11:37 AM.
Reason: man pages
I see an sshd SyslogFacility = AUTHPRIV option in the man pages for opensshd_config versions 5.3 and 7.4 but it doesn't seem to exist anymore in sshd_config version 8.8
-- kjh
it's probably undocumented but I can guarantee that it works (I'm using it in production with that version).
Now that fail2ban is generating rules for the iptable --- I see they say "REJECT", and so I have a follow-up question.
Back when I reading in hope of figuring out my fail2ban problem, I came across where a fellow had said about iptable rules (I paraphrase):
In a world of well-intended people, REJECT is a good choice, because it informs the person at the other end there is a problem. However, in this world some nefarious people will spoof the source address and send a small packet to your/my server, and the nefarious people expect your/my server to send a larger REJECT packet to the spoofed address (their intent being to flood the spoofed address), and DROP may be a better choice.
Which is better for fail2ban to do: REJECT or DROP?
FWIW, while, in general, I agree that DROP as a firewall rule is better, in this specific case I definitely agree with the first answer there that's also specific to the fail2ban behavior
Quote:
Quote:
common sense "provide as little information as possible" concept. DROP is NO information.
The block occurs after a failure attempt. The person or script already knows there is a service there.
in other words, giving the bad guys the finger is better that going silent when they already know that you have something listening.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
