
I have a fail2ban setup enabled for sshd on CentOS. It is reading the logs fine. Doing some testing with SSH failed logins from a remote server:

Nov 23 20:51:52 new fail2ban.filter[29090]: INFO [sshd] Found 199.180.250.xx
Nov 23 20:51:55 new fail2ban.filter[29090]: INFO [sshd] Found 199.180.250.xx
Nov 23 20:51:58 new fail2ban.filter[29090]: INFO [sshd] Found 199.180.250.xx
Nov 23 20:52:07 new fail2ban.filter[29090]: INFO [sshd] Found 199.180.250.22
Nov 23 20:52:07 new fail2ban.actions[29090]: NOTICE [sshd] 199.180.250.xx already banned
Nov 23 20:52:10 new fail2ban.filter[29090]: INFO [sshd] Found 199.180.250.xx
Nov 23 20:52:13 new fail2ban.filter[29090]: INFO [sshd] Found 199.180.250.xx

Connections seem to be allowed even past the ban. I looked in iptables and it looked correct:

Chain f2b-sshd (1 references)
target     prot opt source               destination
REJECT     all  --  199.180.250.xx       0.0.0.0/0           reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

The connection is not persistent. The remote server can still open SSH sessions to this server running fail2ban.

What else am I missing?

Full iptables:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
f2b-sshd-ddos  tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 22
f2b-sshd   tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:200xyz flags:0x17/0x02

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain f2b-sshd (1 references)
target     prot opt source               destination
REJECT     all  --  199.180.250.xx       0.0.0.0/0           reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain f2b-sshd-ddos (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
Zeno
  • What does something like `lsof -i TCP:22` give you? Do you see a connection from and to this IP? – Kiwy Nov 29 '19 at 15:19
  • @Kiwy Nothing currently. I should note SSH is not running on 22 as a security practice. – Zeno Dec 01 '19 at 18:23
  • Considering that, it sounds like I have to change `port = ssh` under sshd to `port = 200....` for my port – Zeno Dec 01 '19 at 19:21

1 Answer

In the config, `port = ssh` had to be changed to the custom SSH port.

I had assumed Linux would know what the SSH port was defined to and that fail2ban would follow that system configuration; I was wrong.

Zeno
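The mismatch the answer describes is visible in the question's own `iptables -L -n` output: the `INPUT` chain only jumps to `f2b-sshd` for `multiport dports 22`, so a REJECT in that chain never sees traffic to a custom SSH port. The script below is an added example (not code from the question, the answer, or the fail2ban project) that checks the three places that have to agree: the `Port` directive in `sshd_config`, the `port =` setting of the `[sshd]` jail, and the `dports` match on the rule that jumps into `f2b-sshd`. The sample `sshd_config` and jail file are constructed for the example, and the port value 22000 is a made-up stand-in for the redacted `200xyz` in the question; the iptables lines are the ones the asker posted. Only a `Port N` directive in the main `sshd_config` and a `port =` line inside the `[sshd]` section are handled (no `Include` files, no `[DEFAULT]` override); those are assumptions of this example, not fail2ban behaviour.

```shell
#!/bin/sh
# Added example: check that sshd's listening port, the fail2ban [sshd] jail port,
# and the iptables rule feeding the f2b-sshd chain all agree.

# Port sshd listens on: last uncommented "Port N" wins; 22 when absent (OpenSSH default).
sshd_port() {
  p=$(awk 'tolower($1) == "port" { v = $2 } END { print v }' "$1")
  [ -n "$p" ] && echo "$p" || echo 22
}

# Port the [sshd] jail bans: "port = ..." inside the [sshd] section only (assumed layout);
# the service name "ssh" is taken to mean 22, as /etc/services maps it.
jail_port() {
  v=$(awk -F= '
    /^[ \t]*\[/ { in_sshd = ($0 ~ /^[ \t]*\[sshd\][ \t]*$/); next }
    in_sshd && $1 ~ /^[ \t]*port[ \t]*$/ { val = $2; gsub(/[ \t]/, "", val); print val }
  ' "$1" | tail -n 1)
  case "$v" in
    ssh|"") echo 22 ;;
    *)      echo "$v" ;;
  esac
}

# Destination ports on the INPUT rule that jumps to the f2b-sshd chain ("multiport dports N").
f2b_dports() {
  awk '$1 == "f2b-sshd" { for (i = 1; i <= NF; i++) if ($i == "dports") print $(i + 1) }' "$1"
}

# True only when the jail bans the port sshd actually uses.
jail_matches_sshd() {
  [ "$(sshd_port "$1")" = "$(jail_port "$2")" ]
}

report() {
  s=$(sshd_port "$1"); j=$(jail_port "$2"); d=$(f2b_dports "$3")
  if [ "$s" = "$j" ] && [ "$s" = "$d" ]; then
    echo "OK: sshd port $s, jail port $j, f2b-sshd dports $d all agree"
  else
    echo "MISMATCH: sshd listens on $s, jail bans port $j, f2b-sshd chain only applies to dports $d"
  fi
}

# --- constructed sample inputs (not the asker's real files) ---
TMP=$(mktemp -d)
SAMPLE_SSHD="$TMP/sshd_config"
SAMPLE_JAIL_BAD="$TMP/jail.local.before"
SAMPLE_JAIL_GOOD="$TMP/jail.local.after"
SAMPLE_IPT="$TMP/iptables.txt"

cat > "$SAMPLE_SSHD" <<'EOF'
#Port 22
Port 22000
PermitRootLogin no
EOF

# Jail as in the question: "port = ssh" resolves to 22, not the custom port.
cat > "$SAMPLE_JAIL_BAD" <<'EOF'
[sshd]
enabled = true
port = ssh
EOF

# Jail after applying the answer.
cat > "$SAMPLE_JAIL_GOOD" <<'EOF'
[sshd]
enabled = true
port = 22000
EOF

# INPUT chain lines exactly as posted in the question.
cat > "$SAMPLE_IPT" <<'EOF'
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
f2b-sshd-ddos  tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 22
f2b-sshd   tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 22
EOF

report "$SAMPLE_SSHD" "$SAMPLE_JAIL_BAD" "$SAMPLE_IPT"
report "$SAMPLE_SSHD" "$SAMPLE_JAIL_GOOD" "$SAMPLE_IPT"
```

The second `report` still flags the iptables side because the rule snapshot predates the fix: fail2ban rewrites the `f2b-sshd` jump rule with the new `dports` only after the jail is reloaded, so re-running `iptables -L -n` after the change is the final confirmation.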