Hi all,
I have installed fail2ban on my 10.1 box. As it does not work out of the box, I have tried to customize it to my needs.
First, I have built my own action in action.d/ipfw-oz.conf:
Code:
[Definition]
actionstart =
actionstop = ipfw table 1 flush
actioncheck =
actionban = ipfw table 1 add <ip>
actionunban = ipfw table 1 delete <ip>
[Init]
blocktype = deny
Next, I have customized my ipfw script:
Code:
-q flush
-q add deny log logamount 20 ip from table(1) to me
-q add check-state
-q add allow ip from any to any via lo0
-q add allow tcp from any to any established
-q add allow tcp from me to any out setup
-q add allow udp from me to any out keep-state
[...]
My assumption: all IP addresses in table 1 should be blocked.
Last, I have set up jail.local:
Code:
[DEFAULT]
banaction = ipfw-oz
bantime = 3600
maxretry = 3
destemail = olaf@zaplinski.de
sender = root@betsy.tuxfriends.net
mta = mail
action = %(action_mwl)s
[sshd]
port = ssh
logpath = %(sshd_log)s
enabled = true
[sshd-ddos]
port = ssh
logpath = %(sshd_log)s
enabled = true
My problem: fail2ban does not detect brute force SSH login attempts. auth.log says:
Code:
error: Received disconnect from 1.2.3.4: 14: No supported authentication methods available [preauth]
Meanwhile, the fail2ban log shows nothing new. It looks as if it could not detect SSH login attempts as root with password authentication.
sshd's logging is set to verbose.
Any ideas?
Olaf
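Added example, not part of the post above and not fail2ban's own code: a small Python check of whether a failregex matches the auth.log message quoted in the post, and which hosts would reach maxretry = 3. Both regexes, the IPv4-only `<HOST>` expansion and the timestamped sample lines are assumptions constructed for illustration; only the message text and the address 1.2.3.4 come from the post.

```python
import re
from collections import Counter

# Simplified stand-in for fail2ban's <HOST> tag (IPv4 only; assumption).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Hypothetical failregex for the message quoted in the post; not copied from
# any shipped filter.d/sshd.conf.
CANDIDATE = (r"sshd\[\d+\]: (?:error: )?Received disconnect from <HOST>: 14: "
             r"No supported authentication methods available \[preauth\]$")

# Constructed contrast: a pattern that only knows disconnect code 3.
NARROW = r"sshd\[\d+\]: (?:error: )?Received disconnect from <HOST>: 3: .*Auth fail"

MAXRETRY = 3  # same value as maxretry in the jail.local above

# Constructed sample log; prefixes, PIDs and the 192.0.2.x/198.51.100.x
# addresses are made up for the example.
SAMPLE_LOG = """\
Jan  1 00:00:01 betsy sshd[1001]: error: Received disconnect from 1.2.3.4: 14: No supported authentication methods available [preauth]
Jan  1 00:00:03 betsy sshd[1002]: error: Received disconnect from 1.2.3.4: 14: No supported authentication methods available [preauth]
Jan  1 00:00:05 betsy sshd[1003]: error: Received disconnect from 1.2.3.4: 14: No supported authentication methods available [preauth]
Jan  1 00:00:09 betsy sshd[1004]: Received disconnect from 192.0.2.7: 14: No supported authentication methods available [preauth]
Jan  1 00:00:12 betsy sshd[1005]: Received disconnect from 192.0.2.7: 11: Bye Bye [preauth]
Jan  1 00:00:20 betsy sshd[1006]: Accepted publickey for olaf from 198.51.100.9 port 50022 ssh2
"""

def compile_failregex(failregex):
    """Expand the <HOST> tag the way a filter definition expects it."""
    return re.compile(failregex.replace("<HOST>", HOST))

def failures(log_text, failregex):
    """Count matching lines per source address."""
    pattern = compile_failregex(failregex)
    hits = Counter()
    for line in log_text.splitlines():
        match = pattern.search(line)
        if match:
            hits[match.group("host")] += 1
    return hits

def hosts_to_ban(log_text, failregex, maxretry=MAXRETRY):
    """Addresses whose failure count has reached maxretry."""
    counts = failures(log_text, failregex)
    return sorted(host for host, n in counts.items() if n >= maxretry)

if __name__ == "__main__":
    print("candidate:", dict(failures(SAMPLE_LOG, CANDIDATE)))
    print("ban:", hosts_to_ban(SAMPLE_LOG, CANDIDATE))
    print("narrow pattern:", dict(failures(SAMPLE_LOG, NARROW)))
```

On the real system, the `fail2ban-regex` tool shipped with fail2ban performs the same check against the actual auth.log and the installed sshd filter.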