Perplexe avec fail2ban

J’ai un serveur, sous Ubuntu 22, sur lequel fonctionne fail2ban avec cette config /etc/fail2ban/jail.local

banaction = iptables-allports
bantime = 30h
findtime = 25m
maxretry = 3

Je pense que cette ip 103.91.136.18 devrait être bannie

tail /var/log/auth.log | grep 103

Jan 23 19:41:36 vps7 sshd[1300617]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.91.136.18
Jan 23 19:43:30 vps7 sshd[1300805]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.91.136.18
Jan 23 19:45:25 vps7 sshd[1301009]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.91.136.18 user=root
Jan 23 19:47:17 vps7 sshd[1301272]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.91.136.18
Jan 23 19:49:07 vps7 sshd[1301454]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.91.136.18 user=root
Jan 23 19:51:03 vps7 sshd[1301642]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.91.136.18 user=root

et pourtant elle ne l’est pas

J’ai donc testé avec une de mes IP, et le bannissement se fait bien, mais j’observe des logs différents.

Jan 23 19:32:31 vps7 sshd[1298589]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xx.xx.xx.xx user=root
Jan 23 19:32:34 vps7 sshd[1298580]: error: PAM: Authentication failure for root from xx.xx.xx.xx
Jan 23 19:32:34 vps7 sshd[1298580]: error: maximum authentication attempts exceeded for root from xx.xx.xx.xx port 53452 ssh2 [preauth]

Un lecteur a-t-il une explication

1. Pourquoi pas de bannissements?
2. Pourquoi des logs différents?

Merci d’avance pour tout avis.

que dit /var/log/fail2ban.log ?

je me demande si ta conf banaction = iptables-allports est valable
man jail.conf montre seuleme nt
banaction_allports= iptables-allports

mais je ne sais pas

Merci @dindoun pour ta réponse.

Peut-être un piste avec le warning ?

2024-01-23 19:31:18,751 fail2ban.server [1298464]: INFO Starting Fail2ban v0.11.2
2024-01-23 19:31:18,751 fail2ban.observer [1298464]: INFO Observer start…
2024-01-23 19:31:18,753 fail2ban.database [1298464]: INFO Connected to fail2ban persistent database ‹ /var/lib/fail2ban/fail2ban.sqlite3 ›
2024-01-23 19:31:18,754 fail2ban.jail [1298464]: INFO Creating new jail ‹ sshd ›
2024-01-23 19:31:18,764 fail2ban.jail [1298464]: INFO Jail ‹ sshd › uses systemd {}
2024-01-23 19:31:18,765 fail2ban.jail [1298464]: INFO Initiated ‹ systemd › backend
2024-01-23 19:31:18,766 fail2ban.filter [1298464]: INFO maxLines: 1
2024-01-23 19:31:18,791 fail2ban.filtersystemd [1298464]: INFO [sshd] Added journal match for: ‹ _SYSTEMD_UNIT=sshd.service + _COMM=sshd ›
2024-01-23 19:31:18,791 fail2ban.filter [1298464]: INFO maxRetry: 3
2024-01-23 19:31:18,791 fail2ban.filter [1298464]: INFO findtime: 1500
2024-01-23 19:31:18,791 fail2ban.actions [1298464]: INFO banTime: 108000
2024-01-23 19:31:18,791 fail2ban.filter [1298464]: INFO encoding: UTF-8
2024-01-23 19:31:18,793 fail2ban.jail [1298464]: INFO Jail ‹ sshd › started
2024-01-23 19:31:18,850 fail2ban.filter [1298464]: WARNING [sshd] Simulate NOW in operation since found time has too large deviation 1706033189.365511 ~ 1706034678.8502316 +/- 60
2024-01-23 19:31:18,850 fail2ban.filter [1298464]: WARNING [sshd] Please check jail has possibly a timezone issue. Line with odd timestamp: (’’, ‹ 2024-01-23T19:06:29.365511 ›, ‹ vps761618 sshd[1295526]: pam_unix(sshd:auth): check pass; user unknown ›)
2024-01-23 19:32:30,608 fail2ban.filter [1298464]: INFO [sshd] Found xx.xx.xx.xx - 2024-01-23 19:32:30
2024-01-23 19:32:34,593 fail2ban.filter [1298464]: INFO [sshd] Found xx.xx.xx.xx - 2024-01-23 19:32:34
2024-01-23 19:32:34,594 fail2ban.filter [1298464]: INFO [sshd] Found xx.xx.xx.xx - 2024-01-23 19:32:34
2024-01-23 19:32:34,883 fail2ban.actions [1298464]: NOTICE [sshd] Ban xx.xx.xx.xx

ouaip : si tu as deux dates dans le calcul de findtime, alors le findtime ne peut pas
marcher
ça peut être la raison

que donne
fail2ban-client -d
env|grep LC
fail2ban-client -d> /tmp/f2b && md5sum /tmp/f2b
chez moi : ea1918e297ab150330b7ab142fda1724 /tmp/f2b

j’ai trouvé ça ( Some timezone warnings since version 0.11.2 · Issue #2882 · fail2ban/fail2ban · GitHub ; en anglais mais comme je ne suis pas sur du pb je préfère ne pas résumer)

`Fail2ban knows two modes now:

not in operation - if fail2ban starts or when a new log-file gets added to the jail (fail2ban has to process messages there are already written in file at some point)
in operation mode - fail2ban reached once the end of log-file (so hereafter every message read from this log will be considered as new)

I dont have a problem with the warnings of a possible timezone problem (though in my case the error is 8hrs from a rtkit log message - a known problem so its annoying.

But this is (was) a problem previously - fail2ban just assumed too old failure and ignored it (now this handling is changed, and it does not expect too old failure in operation mode).

This is a change of status implying that the system is no longer operating but has gone offline into a simulation mode.

No, this means that fail2ban is in operation mode with this log-file, and despite the timestamp seems to be old (but because also incorrect), fail2ban throws a warning and simulate now as occurrence time for this failure.

Can you confirm that there is no change in operational status of fail2ban

There is a change in « operational status » - previously it used the time of the failure (read from log) to consider:

the failure must be forgotten if now > time_of_fail + findtime;
the failure is completely obsolete (would cause a ban with immediate unban, due to now > time_of_fail + bantime;

Normally this handling is used if timestamp is not deviating too much. Just in operation mode, fail2ban consider new messages (no matter which timestamp) as currently written, so the warning is throwed to signal something is wrong with timestamp.
And now this failure is considered as NEW regardless its timestamp.

and perhaps clarify the warning message if its harmless to the operational status of fail2ban?

Sure, how you would like to see that? (note, it must be as short as possible).
`

Besoin de temps pour comprendre mais cela semble la bonne piste.

De mon côté j’ai trouvé ce lien Fail2Ban "Please check jail has possibly a timezone issue" - ℹ️ Support - Nextcloud community

qui évoque le même problème.

@dindoun

Encore plus perdu

J’ai viré mon jail.local, rebooté, je n’ai plus de warning … et toujours aucun bannissement !!! … Je reprendrai demain soir.

@dindoun

Hier soir j’ai continué un peu, j’avais oublié de préciser dans mon précédent post que j’avais également mis la config par défaut : backend = auto.

En remettant systemd, j’ai retrouvé le warning.

En fouillant un peu la doc, j’ai fini par mettre backend = polling et j’ai remis pour la nuit mon jail.local.

Ce matin, je constate qu’il y a bien des « found » dans mon fail2ban.log mais a priori pas 3 consécutifs dans une tranche de 25mn, ce qui semble indiquer qu’il fonctionne bien.

Il me reste à

• vérifier ce point (en augmentant le findtime par exemple)
• comprendre les logs, par exemple

Jan 24 01:31:17 vps7 sshd[12142]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.233.13.170 user=root
Jan 24 01:31:23 vps7 sshd[12142]: error: PAM: Authentication failure for root from 219.233.13.170
Jan 24 02:48:56 vps7 sshd[21903]: pam_unix(sshd:auth): check pass; user unknown
Jan 24 02:48:56 vps7 sshd[21903]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=62.122.184.247
Jan 24 04:45:33 vps7 sshd[34219]: pam_unix(sshd:auth): check pass; user unknown
Jan 24 04:45:33 vps7 sshd[34219]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=159.65.220.18
Jan 24 05:29:32 vps7 sshd[38962]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.233.13.170 user=root
Jan 24 05:29:38 vps7 sshd[38962]: error: PAM: Authentication failure for root from 219.233.13.170
Jan 24 05:55:31 vps7 sshd[41654]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.233.13.170 user=root
Jan 24 05:55:35 vps7 sshd[41654]: error: PAM: Authentication failure for root from 219.233.13.170

et au final, idéalement, expliquer le problème avec systemd

si ça peut t’aider,chez moi

$ fail2ban-client -d

2024-01-24 19:10:07,338 fail2ban.configreader   [10472]: WARNING 'allowipv6' not defined in 'Definition'. Using default one: 'auto'
['set', 'syslogsocket', 'auto']
['set', 'loglevel', 'INFO']
['set', 'logtarget', '/var/log/fail2ban.log']
['set', 'allowipv6', 'auto']
['set', 'dbfile', '/var/lib/fail2ban/fail2ban.sqlite3']
['set', 'dbmaxmatches', 10]
['set', 'dbpurgeage', '1d']
['add', 'sshd', 'auto']
['set', 'sshd', 'usedns', 'warn']
['set', 'sshd', 'prefregex', '^<F-MLFID>(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel:\\s?\\[ *\\d+\\.\\d+\\]:?\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?</F-MLFID>(?:(?:error|fatal): (?:PAM: )?)?<F-CONTENT>.+</F-CONTENT>$']
['set', 'sshd', 'maxlines', 1]
['multi-set', 'sshd', 'addfailregex', ['^[aA]uthentication (?:failure|error|failed) for <F-USER>.*</F-USER> from <HOST>( via \\S+)?(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$', '^User not known to the underlying authentication module for <F-USER>.*</F-USER> from <HOST>(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$', '^Failed publickey for invalid user <F-USER>(?P<cond_user>\\S+)|(?:(?! from ).)*?</F-USER> from <HOST>(?: (?:port \\d+|on \\S+)){0,2}(?: ssh\\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)', '^Failed (?:<F-NOFAIL>publickey</F-NOFAIL>|\\S+) for (?P<cond_inv>invalid user )?<F-USER>(?P<cond_user>\\S+)|(?(cond_inv)(?:(?! from ).)*?|[^:]+)</F-USER> from <HOST>(?: (?:port \\d+|on \\S+)){0,2}(?: ssh\\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)', '^<F-USER>ROOT</F-USER> LOGIN REFUSED FROM <HOST>', '^[iI](?:llegal|nvalid) user <F-USER>.*?</F-USER> from <HOST>(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$', '^User <F-USER>\\S+|.*?</F-USER> from <HOST> not allowed because not listed in AllowUsers(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$', '^User <F-USER>\\S+|.*?</F-USER> from <HOST> not allowed because listed in DenyUsers(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$', '^User <F-USER>\\S+|.*?</F-USER> from <HOST> not allowed because not in any group(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$', '^refused connect from \\S+ \\(<HOST>\\)', '^Received <F-MLFFORGET>disconnect</F-MLFFORGET> from <HOST>(?: (?:port \\d+|on \\S+)){0,2}:\\s*3: .*: Auth fail(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$', '^User <F-USER>\\S+|.*?</F-USER> from <HOST> not allowed because a group is listed in DenyGroups(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$', "^User <F-USER>\\S+|.*?</F-USER> from <HOST> not allowed because none of user's groups are listed in AllowGroups(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$", '^<F-NOFAIL>pam_[a-z]+\\(sshd:auth\\):\\s+authentication failure;</F-NOFAIL>(?:\\s+(?:(?:logname|e?uid|tty)=\\S*)){0,4}\\s+ruser=<F-ALT_USER>\\S*</F-ALT_USER>\\s+rhost=<HOST>(?:\\s+user=<F-USER>\\S*</F-USER>)?(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$', '^maximum authentication attempts exceeded for <F-USER>.*</F-USER> from <HOST>(?: (?:port \\d+|on \\S+)){0,2}(?: ssh\\d*)?(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$', '^User <F-USER>\\S+|.*?</F-USER> not allowed because account is locked(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*', '^<F-MLFFORGET>Disconnecting</F-MLFFORGET>(?: from)?(?: (?:invalid|authenticating)) user <F-USER>\\S+</F-USER> <HOST>(?: (?:port \\d+|on \\S+)){0,2}:\\s*Change of username or service not allowed:\\s*.*\\[preauth\\]\\s*$', '^Disconnecting: Too many authentication failures(?: for <F-USER>\\S+|.*?</F-USER>)?(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$', '^<F-NOFAIL>Received <F-MLFFORGET>disconnect</F-MLFFORGET></F-NOFAIL> from <HOST>(?: (?:port \\d+|on \\S+)){0,2}:\\s*11:', '^<F-NOFAIL><F-MLFFORGET>(Connection (?:closed|reset)|Disconnected)</F-MLFFORGET></F-NOFAIL> (?:by|from)(?: (?:invalid|authenticating) user <F-USER>\\S+|.*?</F-USER>)? <HOST>(?:(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*|\\s*)$', '^<F-MLFFORGET><F-MLFGAINED>Accepted \\w+</F-MLFGAINED></F-MLFFORGET> for <F-USER>\\S+</F-USER> from <HOST>(?:\\s|$)', '^<F-NOFAIL>Connection from</F-NOFAIL> <HOST>']]
['set', 'sshd', 'datepattern', '{^LN-BEG}']
['set', 'sshd', 'addjournalmatch', '_SYSTEMD_UNIT=sshd.service', '+', '_COMM=sshd']
['set', 'sshd', 'maxretry', 5]
['set', 'sshd', 'maxmatches', 5]
['set', 'sshd', 'findtime', '10m']
['set', 'sshd', 'bantime', '10m']
['set', 'sshd', 'ignorecommand', '']
['set', 'sshd', 'logencoding', 'auto']
['set', 'sshd', 'addlogpath', '/var/log/auth.log', 'head']
['set', 'sshd', 'addaction', 'iptables-multiport']
['multi-set', 'sshd', 'action', 'iptables-multiport', [['actionstart', "{ <iptables> -C f2b-sshd -j RETURN >/dev/null 2>&1; } || { <iptables> -N f2b-sshd || true; <iptables> -A f2b-sshd -j RETURN; }\nfor proto in $(echo 'tcp' | sed 's/,/ /g'); do\n{ <iptables> -C INPUT -p $proto -m multiport --dports ssh -j f2b-sshd >/dev/null 2>&1; } || { <iptables> -I INPUT -p $proto -m multiport --dports ssh -j f2b-sshd; }\ndone"], ['actionstop', "for proto in $(echo 'tcp' | sed 's/,/ /g'); do\n<iptables> -D INPUT -p $proto -m multiport --dports ssh -j f2b-sshd\ndone\n<iptables> -F f2b-sshd\n<iptables> -X f2b-sshd"], ['actionflush', '<iptables> -F f2b-sshd'], ['actioncheck', "for proto in $(echo 'tcp' | sed 's/,/ /g'); do\n<iptables> -C INPUT -p $proto -m multiport --dports ssh -j f2b-sshd\ndone"], ['actionban', '<iptables> -I f2b-sshd 1 -s <ip> -j <blocktype>'], ['actionunban', '<iptables> -D f2b-sshd -s <ip> -j <blocktype>'], ['port', 'ssh'], ['protocol', 'tcp'], ['chain', '<known/chain>'], ['name', 'sshd'], ['actname', 'iptables-multiport'], ['blocktype', 'REJECT --reject-with icmp-port-unreachable'], ['returntype', 'RETURN'], ['lockingopt', '-w'], ['iptables', 'iptables <lockingopt>'], ['blocktype?family=inet6', 'REJECT --reject-with icmp6-port-unreachable'], ['iptables?family=inet6', 'ip6tables <lockingopt>']]]
['start', 'sshd']

et mon /var/log/fail2ban.log

2024-01-24 17:50:54,915 fail2ban.server         [1352]: INFO    Starting Fail2ban v1.0.2
2024-01-24 17:50:54,916 fail2ban.observer       [1352]: INFO    Observer start...
2024-01-24 17:50:55,616 fail2ban.database       [1352]: INFO    Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2024-01-24 17:50:55,740 fail2ban.jail           [1352]: INFO    Creating new jail 'sshd'
2024-01-24 17:51:31,474 fail2ban.jail           [1352]: INFO    Jail 'sshd' uses pyinotify {}
2024-01-24 17:51:31,489 fail2ban.jail           [1352]: INFO    Initiated 'pyinotify' backend
2024-01-24 17:51:31,492 fail2ban.filter         [1352]: INFO      maxLines: 1
2024-01-24 17:51:31,508 fail2ban.filter         [1352]: INFO      maxRetry: 5
2024-01-24 17:51:31,509 fail2ban.filter         [1352]: INFO      findtime: 600
2024-01-24 17:51:31,509 fail2ban.actions        [1352]: INFO      banTime: 600
2024-01-24 17:51:31,509 fail2ban.filter         [1352]: INFO      encoding: UTF-8
2024-01-24 17:51:31,555 fail2ban.filter         [1352]: INFO    Added logfile: '/var/log/auth.log' (pos = 3120789, hash = d72d366c2f8210daa2eec22aca47174c6eefc69f)
2024-01-24 17:51:31,654 fail2ban.jail           [1352]: INFO    Jail 'sshd' started

où on voit que j’utilise pyinotify pas systemd, mais sans volonté particulière ( je fais des upgrades des debian depuis deb9 ou deb10

mais je ne sais pas si ça bloque les attaques ( je n’ai pas de ssh autorisé , donc pas d’attaques )

@dindoun

Je viens de tester une ligne non détectée

> ln= "Jan 24 17:30:16 vps7 sshd[121778]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.101.160.198";fail2ban-regex "$ln" /etc/fail2ban/filter.d/sshd.conf

Non détectée sur Ubuntu 22 (Fail2Ban v0.11.) et Debian 12* (Fail2Ban v1.0.2)
*avec une ligne de log issue d’Ubuntu.

Ce serait bien que l’on valide si c’est un bug à plusieurs avant de le poster sur Github.

j’ai ça aussi mais peut utile ici :

PS je n’ai pas bien compris ton message précédent sur le bug

Tu peux lancer la commande sur ton poste, cela permet de voir si la ligne (extraite d’un log) est détectée ou non.