0 votes
I am struggling with the app with fail2ban. The server is a Community 7 server put up this spring. Last updates appear to be in May. My issue is with fail2ban/fail2ban-server.

I created the /etc/fail2ban/jail.local and enabled sshd. The /var/log/fail2ban.log file is very busy with lots of logged ssh attacks. It reports that an attacking IP address is banned, but that IP continues to hit the server.

I see the iptables rule for "REJECT all -- match-set f2b-sshd src reject-with icmp-port-unreachable". But I don't see anywhere in iptables -L -n that the bad IP addresses are being added. Is there somewhere that I can see the "match-set f2b-sshd" entries?

I tried uninstalling and reinstalling the app-attack-detector, which re-installed the fail2ban system. No help. The behavior is the same. IP addresses are recognized as ssh attacks, are logged and reported as banned, but are not being stopped by the firewall.

What am I missing?
Wednesday, August 28 2019, 08:50 PM
Responses (1)
  • Accepted Answer

    Thursday, August 29 2019, 06:59 AM
    0 votes
    If you have the Attack Detector app, you don't need a jail.local to enable that jail. You can enable it through the webconfig (which enables the jail in /etc/fail2ban/jail.d/clearos-sshd.conf). You may find your own jail definition has a short ban time. The one in /etc/fail2ban/jail.d/clearos-sshd.conf is for a day.

    To see if you have a block in your ipset set, check the app documentation (the slanted book icon at the top right of the webconfig page).

    In terms of updates, there have been plenty of them since May, but not to the Attack Detector or f2b. If your system is not updating then there is something wrong. Try doing a:
    yum update app-base
    yum clean all
    yum update
    And see if updates restart.
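The thread never shows how to look inside the set itself, so here is an added example (not from the original post, nor from ClearOS or fail2ban): a small POSIX shell script that checks whether a given IP is a member of the fail2ban ipset set, using the listing that `ipset list f2b-sshd` prints, and whether the INPUT chain carries the REJECT rule referencing that set. The sample outputs, the script name and the `check_live` helper are constructed for the example.

```shell
#!/bin/sh
# Added diagnostic helper, not from the thread or from ClearOS/fail2ban:
# is a banned address really in fail2ban's ipset set, and does the iptables
# rule rejecting traffic from that set exist?  Live use as root:
#   sh f2b_check.sh 203.0.113.45 f2b-sshd
# Parsing is separate from command execution so it runs on captured output.

# ipset_has_member <ip> <output of "ipset list SET">
# Succeeds when <ip> appears under "Members:" (optionally with a timeout).
ipset_has_member() {
    printf '%s\n' "$2" | awk -v ip="$1" '
        /^Members:/ { inmembers = 1; next }
        inmembers && $1 == ip { found = 1 }
        END { exit found ? 0 : 1 }'
}

# iptables_has_set_rule <set-name> <output of "iptables -S INPUT">
# Succeeds when a rule matches the set as source and jumps to REJECT.
iptables_has_set_rule() {
    printf '%s\n' "$2" | grep -q -- "--match-set $1 src.*-j REJECT"
}

# Constructed sample output in the format ipset and iptables -S print.
SAMPLE_IPSET='Name: f2b-sshd
Type: hash:ip
Header: family inet hashsize 1024 maxelem 65536 timeout 86400
Members:
198.51.100.7 timeout 85012
203.0.113.45 timeout 3021'
SAMPLE_IPTABLES='-P INPUT DROP
-A INPUT -p tcp -m multiport --dports 22 -m set --match-set f2b-sshd src -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i lo -j ACCEPT'

# check_live <ip> [set-name]: run the checks against the running system.
check_live() {
    ip="$1"; setname="${2:-f2b-sshd}"
    if ipset_has_member "$ip" "$(ipset list "$setname" 2>/dev/null)"; then
        echo "$ip is in ipset $setname"
    else
        echo "$ip is NOT in ipset $setname: the ban never reached the set"
    fi
    if iptables_has_set_rule "$setname" "$(iptables -S INPUT 2>/dev/null)"; then
        echo "REJECT rule for $setname is present in INPUT"
    else
        echo "no REJECT rule for $setname in INPUT: bans cannot take effect"
    fi
    fail2ban-client status sshd 2>/dev/null || true   # fail2ban's own view
}
if [ "$#" -ge 1 ]; then check_live "$@"; fi
```

If the IP is reported banned in the log but absent from the set, the fail2ban action failed to add it; if the set has it but traffic still arrives, look at the rule ordering in the INPUT chain.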