{"id":1508,"date":"2018-04-29T16:15:58","date_gmt":"2018-04-29T20:15:58","guid":{"rendered":"http:\/\/www.xavignu.com\/?p=1508"},"modified":"2018-05-16T18:07:31","modified_gmt":"2018-05-16T22:07:31","slug":"fixing-fail2ban","status":"publish","type":"post","link":"https:\/\/www.xavignu.com\/?p=1508","title":{"rendered":"Fixing fail2ban"},"content":{"rendered":"<p>I had installed <a href=\"https:\/\/www.fail2ban.org\/wiki\/index.php\/Main_Page\" target=\"_blank\">fail2ban<\/a> but noticed it wasn&#8217;t blocking SSH brute-force attacks, such as the ones below.<\/p>\n<pre id=\"terminal\">grep sshd \/var\/log\/auth.log | tail\r\nApr 29 08:06:17 sd-229337 sshd[20646]: pam_unix(sshd:auth): check pass; user unknown\r\nApr 29 08:06:17 sd-229337 sshd[20646]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=211-75-3-35.hinet-ip.hinet.net\r\nApr 29 08:06:18 sd-229337 sshd[20646]: Failed password for invalid user db2inst from 211.75.3.35 port 52724 ssh2\r\nApr 29 08:06:19 sd-229337 sshd[20646]: Connection closed by 211.75.3.35 [preauth]\r\nApr 29 08:18:21 sd-229337 sshd[20711]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=59-120-243-8.hinet-ip.hinet.net  user=root\r\nApr 29 08:18:25 sd-229337 sshd[20711]: Failed password for root from 59.120.243.8 port 34312 ssh2\r\nApr 29 08:18:25 sd-229337 sshd[20711]: Connection closed by 59.120.243.8 [preauth]\r\nApr 29 08:19:14 sd-229337 sshd[20713]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=195-154-136-62.rev.poneytelecom.eu  user=root\r\nApr 29 08:19:16 sd-229337 sshd[20713]: Failed password for root from 195.154.136.62 port 24329 ssh2\r\nApr 29 08:19:16 sd-229337 sshd[20713]: Connection closed by 195.154.136.62 [preauth]\r\n<\/pre>\n<p>To fix this, edit \/etc\/fail2ban\/filter.d\/common.local (a .local file overrides the packaged common.conf and is not overwritten on upgrade) and change the __bsd_syslog_verbose entry. 
Replace <strong>__bsd_syslog_verbose = (<[^.]+\\.[^.]+>)<\/strong> with <strong>__bsd_syslog_verbose = (<[^.]+ [^.]+>)<\/strong>, as in the grep output below, where the original value is left commented out.<\/p>\n<pre id=\"terminal\">grep bsd_syslog_verbose \/etc\/fail2ban\/filter.d\/common.local\r\n#__bsd_syslog_verbose = (<[^.]+\\.[^.]+>)\r\n__bsd_syslog_verbose = (<[^.]+ [^.]+>)\r\n__prefix_line = \\s*%(__bsd_syslog_verbose)s?\\s*(?:%(__hostname)s )?(?:%(__kernel_prefix)s )?(?:@vserver_\\S+ )?%(__daemon_combs_re)s?\\s%(__daemon_extra_re)s?\\s*\r\n<\/pre>\n<p>Restart fail2ban (<strong>service fail2ban restart<\/strong>) and \/var\/log\/fail2ban.log shows the brute-forcing IPs being banned, and unbanned again once banTime has expired:<\/p>\n<pre id=\"terminal\">tail -30 \/var\/log\/fail2ban.log | grep actions\r\n2018-04-29 18:43:19,835 fail2ban.actions[28271]: WARNING [ssh] Unban 163.172.159.119\r\n2018-04-29 18:43:20,742 fail2ban.actions[28519]: INFO    Set banTime = 1800\r\n2018-04-29 18:43:20,936 fail2ban.actions[28519]: INFO    Set banTime = 600\r\n2018-04-29 18:43:59,119 fail2ban.actions[28519]: WARNING [ssh] Ban 171.244.27.195\r\n2018-04-29 18:46:05,286 fail2ban.actions[28519]: WARNING [ssh] Ban 5.188.10.185\r\n2018-04-29 19:13:59,938 fail2ban.actions[28519]: WARNING [ssh] Unban 171.244.27.195\r\n2018-04-29 19:14:50,026 fail2ban.actions[28519]: WARNING [ssh] Ban 171.244.27.195\r\n2018-04-29 19:15:35,102 fail2ban.actions[28519]: WARNING [ssh] Ban 159.65.10.166\r\n2018-04-29 19:16:06,167 fail2ban.actions[28519]: WARNING [ssh] Unban 5.188.10.185\r\n2018-04-29 19:44:50,740 fail2ban.actions[28519]: WARNING [ssh] Unban 171.244.27.195\r\n2018-04-29 19:45:35,821 fail2ban.actions[28519]: WARNING [ssh] Unban 159.65.10.166\r\n2018-04-29 19:45:38,858 fail2ban.actions[28519]: WARNING [ssh] Ban 171.244.27.195\r\n<\/pre>\n<p>Note how 171.244.27.195 is banned again within a minute of each unban; a longer bantime, or fail2ban&#8217;s recidive jail, is the usual answer to such repeat offenders.<\/p>\n<p>But why was it failing? The entry is a <a href=\"https:\/\/en.wikipedia.org\/wiki\/Regular_expression\" target=\"_blank\">regular expression<\/a>. The original inner pattern <strong>[^.]+\\.[^.]+<\/strong> requires a literal dot between two dot-free runs, but the timestamps written to these logs (&#8220;Apr 29 08:06:17&#8221;) are separated by spaces, so it does not match them, whereas the replacement <strong>[^.]+ [^.]+<\/strong> does. The script below tests both patterns against a sample timestamp. 
Bear in mind that it exercises the inner patterns on their own: in the __prefix_line above the value is wrapped in &lt; and &gt; and followed by a <strong>?<\/strong>, which makes the whole group optional, so the authoritative check is to run the real filter against the real log with <strong>fail2ban-regex \/var\/log\/auth.log \/etc\/fail2ban\/filter.d\/sshd.conf<\/strong> before and after the change and compare the matched\/missed counts it reports.<\/p>\n[python]\n#!\/usr\/bin\/env python3\n# Test the two __bsd_syslog_verbose inner patterns against a syslog timestamp.\nimport re\n\ntestline = 'May 13 06:24:36'\n\n# Original pattern: needs a literal '.' between two dot-free runs.\nmatch = re.search(r'[^.]+\\.[^.]+', testline)\nif match:\n    print('Found:', match.group())\nelse:\n    print(r'Not found for bsd_syslog_verbose=[^.]+\\.[^.]+')\n\n# Replacement pattern: needs a space between two dot-free runs.\nmatch = re.search(r'[^.]+ [^.]+', testline)\nif match:\n    print('Found:', match.group())\nelse:\n    print('Not found for bsd_syslog_verbose=[^.]+ [^.]+')\n[\/python]\n<p>And we execute:<\/p>\n<pre id=\"terminal\">python3 regex.py\r\nNot found for bsd_syslog_verbose=[^.]+\\.[^.]+\r\nFound: May 13 06:24:36\r\n<\/pre>\n<p>More information in <a href=\"https:\/\/serverfault.com\/questions\/597832\/fail2ban-not-working-on-fresh-install-of-ubuntu-14-04-why#597854\" target=\"_blank\">this Server Fault answer<\/a>, and Google&#8217;s <a href=\"https:\/\/developers.google.com\/edu\/python\/regular-expressions\" target=\"_blank\">Python regular expressions tutorial<\/a> is a good primer.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I had installed fail2ban but had noticed it wasn&#8217;t working blocking ssh brute force attacks. Attacks such as below. 
grep sshd \/var\/log\/auth.log | tail Apr 29 08:06:17 sd-229337 sshd[20646]: pam_unix(sshd:auth): check pass; user unknown Apr 29 08:06:17 sd-229337 sshd[20646]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=211-75-3-35.hinet-ip.hinet.net Apr 29 08:06:18 sd-229337 sshd[20646]: Failed password [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true},"categories":[92],"tags":[56,22,6,23,67,7],"jetpack_featured_media_url":"","jetpack_publicize_connections":[],"jetpack_shortlink":"https:\/\/wp.me\/pTQgt-ok","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.xavignu.com\/index.php?rest_route=\/wp\/v2\/posts\/1508"}],"collection":[{"href":"https:\/\/www.xavignu.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.xavignu.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.xavignu.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.xavignu.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1508"}],"version-history":[{"count":6,"href":"https:\/\/www.xavignu.com\/index.php?rest_route=\/wp\/v2\/posts\/1508\/revisions"}],"predecessor-version":[{"id":1539,"href":"https:\/\/www.xavignu.com\/index.php?rest_route=\/wp\/v2\/posts\/1508\/revisions\/1539"}],"wp:attachment":[{"href":"https:\/\/www.xavignu.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1508"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.xavignu.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1508"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.xavignu.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1508"}],"curies":[{"name":"wp","href":"https:\/\/ap
i.w.org\/{rel}","templated":true}]}}
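
The post's script checks the two inner patterns against a bare timestamp only. The following Python 3 harness is an added example (not code from the original post or from fail2ban): it runs both __bsd_syslog_verbose values, as the bare inner pattern and as the full <...>-wrapped config value, over the post's test timestamp, a FreeBSD-style verbose prefix `<auth.info>` (assumed form) and a constructed `<auth info>` tag, and then applies a simplified version of the post's __prefix_line, keeping the same optional `?` on the verbose group, plus a minimal "Failed password" failregex to the post's auth.log line and to a constructed copy carrying the BSD prefix. The timestamp stripping, the simplified prefix, `FAILREGEX` and every sample name are assumptions made for this example.

```python
#!/usr/bin/env python3
"""Exercise fail2ban's two __bsd_syslog_verbose values on sample input.

Added example, not code from the original post or from fail2ban. Only the
two patterns and AUTH_LINE come from the post; every other input is constructed.
"""
import re

# The two inner patterns from the post's common.local.
PATTERNS = {
    "dot": r"[^.]+\.[^.]+",    # original: a literal '.' between two dot-free runs
    "space": r"[^.]+ [^.]+",   # replacement: a space between two dot-free runs
}

# Constructed inputs for the pattern tests.
SAMPLES = {
    "bare_timestamp": "May 13 06:24:36",   # the post's own test string
    "bsd_verbose": "<auth.info>",          # FreeBSD syslogd -vv style prefix (assumed form)
    "spaced_tag": "<auth info>",           # constructed; not a real syslog format
}

# One real line from the post's auth.log excerpt, plus a constructed copy
# carrying a BSD-style verbose prefix after the timestamp.
AUTH_LINE = ("Apr 29 08:18:25 sd-229337 sshd[20711]: Failed password for root "
             "from 59.120.243.8 port 34312 ssh2")
AUTH_LINE_BSD = AUTH_LINE.replace("sd-229337", "<auth.info> sd-229337", 1)

# Assumption: the syslog timestamp is removed before the filter regex is
# applied, so the prefix regex starts right after it.
TIMESTAMP = re.compile(r"^\w{3} +\d{1,2} \d{2}:\d{2}:\d{2} ")
# Minimal stand-in for the sshd filter's "Failed password" failregex (assumption).
FAILREGEX = r"Failed password for .* from (?P<host>\S+) port \d+ ssh2"


def bare_match(variant, text):
    """Search the inner pattern alone, exactly as the post's script does."""
    m = re.search(PATTERNS[variant], text)
    return m.group() if m else None


def group_match(variant, text):
    """Search the full config value, i.e. the pattern wrapped in <...>."""
    m = re.search("<" + PATTERNS[variant] + ">", text)
    return m.group() if m else None


def prefix_line(variant):
    """Simplified __prefix_line: optional verbose tag (same trailing '?' as in
    the post's __prefix_line), optional hostname, then the sshd daemon tag."""
    return r"^\s*(?:<" + PATTERNS[variant] + r">)?\s*(?:\S+ )?sshd\[\d+\]:\s+"


def failed_password_host(variant, line):
    """Strip the timestamp, then apply prefix + failregex.

    Returns the attacking host, or None when this filter would not fire.
    """
    rest = TIMESTAMP.sub("", line, count=1)
    m = re.search(prefix_line(variant) + FAILREGEX, rest)
    return m.group("host") if m else None


def pattern_table():
    """{(variant, sample): (bare_match, group_match)} for all combinations."""
    return {(v, s): (bare_match(v, t), group_match(v, t))
            for v in PATTERNS for s, t in SAMPLES.items()}


def sshd_table():
    """{(variant, line_name): host-or-None} for the Linux and BSD-style lines."""
    lines = {"linux": AUTH_LINE, "bsd_verbose": AUTH_LINE_BSD}
    return {(v, n): failed_password_host(v, l)
            for v in PATTERNS for n, l in lines.items()}


if __name__ == "__main__":
    for key, val in sorted(pattern_table().items()):
        print(f"pattern {key[0]:<5} on {key[1]:<14} bare={val[0]!r} group={val[1]!r}")
    for key, host in sorted(sshd_table().items()):
        print(f"prefix  {key[0]:<5} on {key[1]:<14} host={host!r}")
```

Run it with `python3 bsd_verbose_check.py`. The first table reproduces the post's result for the bare timestamp (only the space pattern matches) and adds the cases the post does not cover: wrapped in `<` `>`, neither pattern matches a timestamp, and only the original dot pattern matches `<auth.info>`. The second table shows that, with the optional group from __prefix_line in place, both variants extract 59.120.243.8 from the Linux line, while on the BSD-style line only the dot pattern still fires. Whether your filter actually matches your log is therefore something to confirm with fail2ban-regex rather than with the isolated pattern test.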