Fail2ban not blocking IP

3
votes

I've installed Fail2ban and trying to get it to block IP's. According to the logs its detecting SSH scans and adding the IP Addresses to the ban list but I can still SSH in from a test IP on the internet that is on the banned list.

OS = openSUSE Leap 42.2

Fail2ban v0.10.3

jail.local:

[DEFAULT]
ignoreip = 127.0.0.1/8 192.168.1.0/24

ignorecommand =
bantime  = 1d
findtime  = 600
maxretry = 3

[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
abuseipdb[abuseipdb_apikey="my_key", abuseipdb_category="18,22"]
logpath  = /var/log/messages
maxretry = 3

The IP Address is being picked up and says its already banned? fail2ban.log file:

2018-05-01 15:21:59,207 fail2ban.filter         [20450]: INFO    [ssh-iptables] Found x.x.x.x - 2018-05-01 15:21:59
2018-05-01 15:22:02,315 fail2ban.filter         [20450]: INFO    [ssh-iptables] Found x.x.x.x - 2018-05-01 15:22:02
2018-05-01 15:22:02,324 fail2ban.filter         [20450]: INFO    [ssh-iptables] Found x.x.x.x - 2018-05-01 15:22:02
2018-05-01 15:22:02,364 fail2ban.actions        [20450]: NOTICE  [ssh-iptables] x.x.x.x already banned

Status of fail2ban-client status ssh-iptables

Status for the jail: ssh-iptables
|- Filter
|  |- Currently failed: 1
|  |- Total failed:     51
|  `- File list:        /var/log/messages
    `- Actions
|- Currently banned: 47
|- Total banned:     437

Output of IP Tables:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
f2b-SSH    tcp  --  anywhere             anywhere             tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain f2b-SSH (1 references)
target     prot opt source               destination

Apart from that nothing is being sent to AbuseIPDB. Any ides what I'm missing?

I've read through a few forums but don't seem to get able to get it to work.

2
fail2ban

2 Answers

1
votes

Managed to get it working. Restarting fail2ban fixed the blocking issue. Odd as I did a fail2ban-client reload, which didn't help. Had to kill and restart the service.

Abuseipdb was fixed by changing jail.local file

action   = iptables[name=SSH, port=ssh, protocol=tcp]
           abuseipdb[abuseipdb_category="18,22"]
1
votes

First make sure that fail2ban is in version v0.10.0, to know this enter:

fail2ban-client -V

The reporting feature for https://www.abuseipdb.com is only native from this release.

If you have a previous version, you should do the following:

sudo nano /etc/fail2ban/action.d/abuseipdb.conf

Paste the content of the link https://github.com/fail2ban/fail2ban/blob/0.11/config/action.d/abuseipdb.conf into the file and save it.

Then open /etc/fail2ban/jail.local and paste before the line containing action =% (action_) s the following content:

# Report ban via abuseipdb.com.
#
# See action.d / abuseipdb.conf for usage example and details.
#
action_abuseipdb = abuseipdb

Then add the following content in the jail corresponding to the service you want to report (here I used brutal force ssh as an example):

 # Ban IP and report to AbuseIPDB for SSH Brute-Forcing
action =% (action_) s
         % (action_abuseipdb) s [abuseipdb_apikey = "my-api-key", abuseipdb_category = "18,22"]

Fill "my-api-key" with your key created on the site abuseipdb and then

fail2ban-client reload

If you have any doubt the reference is here:

https://www.abuseipdb.com/fail2ban.html