Tag Archives: fail2ban

NOTICE Jail started without ‘journalmatch’ set. Jail regexs will be checked against all journal entries

So!, my apache-auth (and others) weren’t showing up the File list.

2018-11-07 20:02:28,651 fail2ban.filtersystemd [23523]: NOTICE Jail started without ‘journalmatch’ set. Jail regexs will be checked against all journal entries, which is not advised for performance reasons.

 

Lets edit /etc/fail2ban/jail.d/00-systemd.conf and set backend to auto.

fail2ban.actions [14644]: NOTICE [sshd] 113.131.58.142 already banned

Meanwhile in a new VPS…

2018-04-18 19:56:42,211 fail2ban.actions [14644]: NOTICE [sshd] 113.131.58.142 already banned
2018-04-18 19:56:43,213 fail2ban.actions [14644]: NOTICE [sshd] 113.131.58.142 already banned
2018-04-18 19:56:44,214 fail2ban.actions [14644]: NOTICE [sshd] 113.131.58.142 already banned
2018-04-18 19:56:45,215 fail2ban.actions [14644]: NOTICE [sshd] 113.131.58.142 already banned
2018-04-18 19:56:46,217 fail2ban.actions [14644]: NOTICE [sshd] 113.131.58.142 already banned
2018-04-18 19:56:47,218 fail2ban.actions [14644]: NOTICE [sshd] 195.72.223.106 already banned
2018-04-18 19:56:48,219 fail2ban.actions [14644]: NOTICE [sshd] 195.72.223.106 already banned

YAH!
Take a look at /etc/fail2ban/jail.local or /etc/fail2ban/jail.d/00-firewalld.conf
banaction = firewallcmd-ipset
or
banaction = iptables-multiport

 

fail2ban.actions – ERROR Failed to start jail ‘apache-fakegooglebot’ action ‘firewallcmd-ipset’: Error starting action

Got this sh*t on my error logs…

firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp -m multiport --dports http,https -m set --match-set fail2ban-apache-fakegooglebot src -j REJECT --reject-with icmp-port-unreachable -- killed with signal 124 (return code: 252)
2017-07-08 21:26:11,212 fail2ban.actions [3781]: ERROR Failed to start jail 'apache-fakegooglebot' action 'firewallcmd-ipset': Error starting action
2017-07-08 21:26:11,416 fail2ban.action [3781]: ERROR ipset create fail2ban-apache-modsecurity hash:ip timeout 6000
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp -m multiport --dports http,https -m set --match-set fail2ban-apache-modsecurity src -j REJECT --reject-with icmp-port-unreachable -- stdout: ''

Solution? Let’s set banaction to iptables! 🙂

# Override /etc/fail2ban/jail.d/00-firewalld.conf:
banaction = iptables-multiport

!!

DigitalOcean droplets used to ssh force entry

Today I was watching my fail2ban logs, on one of my servers and found a DigitalOcean ip trying to brute force via SSH.

2015-10-18 18:08:07,471 fail2ban.actions: WARNING [ssh] Ban 46.101.227.169

IP WHOIS

inetnum: 46.101.128.0 - 46.101.255.255
netname: EU-DIGITALOCEAN-DE1
descr: Digital Ocean, Inc.
country: DE
org: ORG-DOI2-RIPE
admin-c: BU332-RIPE
tech-c: BU332-RIPE
status: ASSIGNED PA
mnt-by: digitalocean
mnt-lower: digitalocean
mnt-routes: digitalocean
mnt-domains: digitalocean
created: 2015-06-03T01:15:35Z
last-modified: 2015-06-03T01:15:35Z
source: RIPE # Filtered

Since, I have 3 droplets @ digitalocean, decided to use their support to see what will they do about it…

Captura de ecrã 2015-10-18, às 17.51.04