Unable to find a corresponding IP address for authenticating: Name does not resolve
schklom opened this issue · 1 comments
schklom commented
Behaviour
I made a remote PC try to ssh with password to my raspberry pi server with password authentication turned off (only public key), and it doesn't recognize the IP address.
Steps to reproduce this issue
jail.local
jail.d/jail.local
[DEFAULT]
bantime = 1h
maxretry = 3
findtime = 1h
ignoreip = 127.0.0.1/8 ::1 10.0.0.1/24
logencoding = auto
usedns = warn
enabled = false
mode = aggressive
destemail = myemail@gmail.com
sendername = Fail2Ban Schklom
fq-hostname = Schklom
port = 0:65535
#banaction = iptables-multiport
banaction = iptables-allports
protocol = tcp
bantime.increment = true
bantime.factor = 1
bantime.maxtime = 4w
bantime.rndtime = 38
# Email with sendername activated (copied from jail.conf and arranged according to git issue below)
# Email with fq-hostname activated (copied from jail.conf and arranged according to git issue below)
# https://github.com/fail2ban/fail2ban/issues/2071
action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
%(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", sendername="%(sendername)s", fq-hostname="%(fq-hostname)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
action = %(action_mwl)s
sshd_log = /var/log/auth.log
- Jail sshd
jail.d/sshd.local
[sshd]
enabled = true
chain = INPUT
port = 1234
filter = sshd[mode=aggressive]
logpath = %(sshd_log)s
maxretry = 3
# When I turn off usedns, the log's line "Unable to ..." disappears, but still no ban
#usedns = no
- Filter added to sshd
I tried to manually make the line recognized, but this doesn't work either.
filter.d/sshd.local
[Definition]
failregex = %(known/failregex)s
%(__prefix_line)sConnection closed by authenticating user <F-USER>.+</F-USER> <HOST> port \d+ [preauth]$
Expected behaviour
The ip should be banned when /var/log/auth.log has these lines
Oct 29 17:58:34 raspberrypi sshd[25644]: Connection reset by authenticating user pi 123.456.78.910 port 53945 [preauth]
Oct 29 17:59:24 raspberrypi sshd[25960]: Connection reset by authenticating user pi 123.456.78.910 port 53977 [preauth]
Oct 29 18:38:10 raspberrypi sshd[32493]: Connection reset by authenticating user pi 123.456.78.910 port 61479 [preauth]
Actual behaviour
It doesn't read the IP, and doesn't ban it.
Configuration
- Docker version (type
docker --version) :Docker version 19.03.13, build 4484c46 - Docker compose version if applicable (type
docker-compose --version) :docker-compose version 1.27.3, build unknown - Platform (Debian 9, Ubuntu 18.04, ...) : Raspberry Pi OS (based on Debian 10)
- System info (type
uname -a) :Linux raspberrypi 5.4.72-v7l+ #1356 SMP Thu Oct 22 13:57:51 BST 2020 armv7l GNU/Linux - Include all necessary configuration files :
docker-compose.yml,.env, ...
docker-compose.yml
version: "3.8"
services:
fail2ban:
image: crazymax/fail2ban:latest
container_name: fail2ban
security_opt:
- no-new-privileges:true
network_mode: "host"
cap_add:
- NET_ADMIN
- NET_RAW
volumes:
- ${DOCKERCONFIG}/fail2ban:/data
- /var/log:/var/log:ro
environment:
- TZ=${TZ}
- F2B_LOG_TARGET=STDOUT
- F2B_LOG_LEVEL=DEBUG
- F2B_DB_PURGE_AGE=1d
- SSMTP_HOST=smtp.gmail.com
- SSMTP_PORT=465
- SSMTP_HOSTNAME=gmail.com
- SSMTP_USER=${FAIL2BAN_SSMTP_USER}
- SSMTP_PASSWORD=${FAIL2BAN_SSMTP_PASSWORD}
- SSMTP_TLS=YES
restart: always
Docker info
> Output of command `docker info`
Client:
Debug Mode: false
Server:
Containers: 10
Running: 9
Paused: 0
Stopped: 1
Images: 12
Server Version: 19.03.13
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 8fba4e9a7d01810a393d5d25a3621dc101981175
runc version: dc9208a3303feef5b3839f4323d9beb36df0a9dd
init version: fec3683
Security Options:
seccomp
Profile: default
Kernel Version: 5.4.72-v7l+
Operating System: Raspbian GNU/Linux 10 (buster)
OSType: linux
Architecture: armv7l
CPUs: 4
Total Memory: 7.691GiB
Name: raspberrypi
ID: HNQJ:2QLW:NIJP:OCJQ:6RLW:B7TX:EGNG:VBNS:MLKF:76S3:DMWF:CWNU
Docker Root Dir: /var/lib/docker
Debug Mode: false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
WARNING: No memory limit support
WARNING: No swap limit support
WARNING: No kernel memory limit support
WARNING: No kernel memory TCP limit support
WARNING: No oom kill disable support
### Logs
docker logs fail2ban
Setting timezone to Europe/Oslo...
Setting SSMTP configuration...
Initializing files and folders...
Setting Fail2ban configuration...
Checking for custom actions in /data/action.d...
Checking for custom filters in /data/filter.d...
Add custom filter sshd.local...
2020-10-29 18:53:44,378 fail2ban.configreader [1]: INFO Loading configs for fail2ban under /etc/fail2ban
2020-10-29 18:53:44,385 fail2ban.configparserin [1]: INFO Loading files: ['/etc/fail2ban/fail2ban.conf']
2020-10-29 18:53:44,388 fail2ban.configparserin [1]: INFO Loading files: ['/etc/fail2ban/fail2ban.conf']
2020-10-29 18:53:44,395 fail2ban [1]: INFO Using socket file /var/run/fail2ban/fail2ban.sock
2020-10-29 18:53:44,396 fail2ban [1]: INFO Using pid file /var/run/fail2ban/fail2ban.pid, [DEBUG] logging to STDOUT
2020-10-29 18:53:44,407 fail2ban.configreader [1]: INFO Loading configs for jail under /etc/fail2ban
2020-10-29 18:53:44,409 fail2ban.configparserin [1]: INFO Loading files: ['/etc/fail2ban/jail.conf']
2020-10-29 18:53:44,460 fail2ban.configparserin [1]: INFO Loading files: ['/etc/fail2ban/paths-debian.conf']
2020-10-29 18:53:44,469 fail2ban.configparserin [1]: INFO Loading files: ['/etc/fail2ban/paths-common.conf']
2020-10-29 18:53:44,473 fail2ban.configparserin [1]: INFO Loading files: ['/etc/fail2ban/paths-overrides.local']
2020-10-29 18:53:44,490 fail2ban.configparserin [1]: INFO Loading files: ['/etc/fail2ban/jail.d/sshd.local']
2020-10-29 18:53:44,500 fail2ban.configparserin [1]: INFO Loading files: ['/etc/fail2ban/paths-common.conf', '/etc/fail2ban/paths-debian.conf', '/etc/fail2ban/jail.conf', '/etc/fail2ban/jail.d/jail.local', '/etc/fail2ban/jail.d/sshd.local']
2020-10-29 18:53:44,504 fail2ban.configreader [1]: INFO Loading configs for filter.d/sshd under /etc/fail2ban
2020-10-29 18:53:44,512 fail2ban.configparserin [1]: INFO Loading files: ['/etc/fail2ban/filter.d/sshd.conf']
2020-10-29 18:53:44,518 fail2ban.configparserin [1]: INFO Loading files: ['/etc/fail2ban/filter.d/common.conf']
2020-10-29 18:53:44,523 fail2ban.configparserin [1]: INFO Loading files: ['/etc/fail2ban/filter.d/common.local']
2020-10-29 18:53:44,524 fail2ban.configparserin [1]: INFO Loading files: ['/etc/fail2ban/filter.d/sshd.local']
2020-10-29 18:53:44,525 fail2ban.configparserin [1]: INFO Loading files: ['/etc/fail2ban/filter.d/common.conf', '/etc/fail2ban/filter.d/sshd.conf', '/etc/fail2ban/filter.d/sshd.local']
2020-10-29 18:53:44,558 fail2ban.configreader [1]: INFO Loading configs for action.d/iptables-allports under /etc/fail2ban
2020-10-29 18:53:44,560 fail2ban.configparserin [1]: INFO Loading files: ['/etc/fail2ban/action.d/iptables-allports.conf']
2020-10-29 18:53:44,565 fail2ban.configparserin [1]: INFO Loading files: ['/etc/fail2ban/action.d/iptables-common.conf']
2020-10-29 18:53:44,569 fail2ban.configparserin [1]: INFO Loading files: ['/etc/fail2ban/action.d/iptables-blocktype.local']
2020-10-29 18:53:44,570 fail2ban.configparserin [1]: INFO Loading files: ['/etc/fail2ban/action.d/iptables-common.local']
2020-10-29 18:53:44,571 fail2ban.configparserin [1]: INFO Loading files: ['/etc/fail2ban/action.d/iptables-common.conf', '/etc/fail2ban/action.d/iptables-allports.conf']
2020-10-29 18:53:44,576 fail2ban.configreader [1]: INFO Loading configs for action.d/sendmail-whois-lines under /etc/fail2ban
2020-10-29 18:53:44,578 fail2ban.configparserin [1]: INFO Loading files: ['/etc/fail2ban/action.d/sendmail-whois-lines.conf']
2020-10-29 18:53:44,582 fail2ban.configparserin [1]: INFO Loading files: ['/etc/fail2ban/action.d/sendmail-common.conf']
2020-10-29 18:53:44,585 fail2ban.configparserin [1]: INFO Loading files: ['/etc/fail2ban/action.d/sendmail-common.local']
2020-10-29 18:53:44,587 fail2ban.configparserin [1]: INFO Loading files: ['/etc/fail2ban/action.d/mail-whois-common.conf']
2020-10-29 18:53:44,589 fail2ban.configparserin [1]: INFO Loading files: ['/etc/fail2ban/action.d/mail-whois-common.local']
2020-10-29 18:53:44,595 fail2ban.configparserin [1]: INFO Loading files: ['/etc/fail2ban/action.d/helpers-common.conf']
2020-10-29 18:53:44,597 fail2ban.configparserin [1]: INFO Loading files: ['/etc/fail2ban/action.d/sendmail-common.conf', '/etc/fail2ban/action.d/mail-whois-common.conf', '/etc/fail2ban/action.d/helpers-common.conf', '/etc/fail2ban/action.d/sendmail-whois-lines.conf']
2020-10-29 18:53:44,758 fail2ban.server [1]: INFO --------------------------------------------------
2020-10-29 18:53:44,759 fail2ban.server [1]: INFO Starting Fail2ban v0.11.1
2020-10-29 18:53:44,760 fail2ban.server [1]: DEBUG Creating PID file /var/run/fail2ban/fail2ban.pid
2020-10-29 18:53:44,763 fail2ban.observer [1]: INFO Observer start...
2020-10-29 18:53:44,767 fail2ban.server [1]: DEBUG Starting communication
2020-10-29 18:53:44,783 fail2ban.database [1]: INFO Connected to fail2ban persistent database '/data/db/fail2ban.sqlite3'
2020-10-29 18:53:44,786 fail2ban.jail [1]: INFO Creating new jail 'sshd'
2020-10-29 18:53:44,818 fail2ban.jail [1]: INFO Jail 'sshd' uses pyinotify {}
2020-10-29 18:53:44,819 fail2ban.filter [1]: DEBUG Setting usedns = warn for FilterPyinotify(Jail('sshd'))
2020-10-29 18:53:44,819 fail2ban.filter [1]: DEBUG Created FilterPyinotify(Jail('sshd'))
2020-10-29 18:53:44,822 fail2ban.filterpyinotif [1]: DEBUG Created FilterPyinotify
2020-10-29 18:53:44,822 fail2ban.jail [1]: INFO Initiated 'pyinotify' backend
2020-10-29 18:53:44,824 fail2ban.filter [1]: DEBUG Setting usedns = warn for FilterPyinotify(Jail('sshd'))
2020-10-29 18:53:44,824 fail2ban.server [1]: DEBUG prefregex: '^<F-MLFID>(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel:\\s?\\[ *\\d+\\.\\d+\\]:?\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?</F-MLFID>(?:(?:error|fatal): (?:PAM: )?)?<F-CONTENT>.+</F-CONTENT>$'
2020-10-29 18:53:44,831 fail2ban.filter [1]: INFO maxLines: 1
2020-10-29 18:53:44,832 fail2ban.server [1]: DEBUG failregex: '^[aA]uthentication (?:failure|error|failed) for <F-USER>.*</F-USER> from <HOST>( via \\S+)?(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$'
2020-10-29 18:53:44,838 fail2ban.server [1]: DEBUG failregex: '^User not known to the underlying authentication module for <F-USER>.*</F-USER> from <HOST>(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$'
2020-10-29 18:53:44,843 fail2ban.server [1]: DEBUG failregex: '^Failed publickey for invalid user <F-USER>(?P<cond_user>\\S+)|(?:(?! from ).)*?</F-USER> from <HOST>(?: (?:port \\d+|on \\S+)){0,2}(?: ssh\\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)'
2020-10-29 18:53:44,849 fail2ban.server [1]: DEBUG failregex: '^Failed \\b(?!publickey)\\S+ for (?P<cond_inv>invalid user )?<F-USER>(?P<cond_user>\\S+)|(?(cond_inv)(?:(?! from ).)*?|[^:]+)</F-USER> from <HOST>(?: (?:port \\d+|on \\S+)){0,2}(?: ssh\\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)'
2020-10-29 18:53:44,857 fail2ban.server [1]: DEBUG failregex: '^<F-USER>ROOT</F-USER> LOGIN REFUSED FROM <HOST>'
2020-10-29 18:53:44,861 fail2ban.server [1]: DEBUG failregex: '^[iI](?:llegal|nvalid) user <F-USER>.*?</F-USER> from <HOST>(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$'
2020-10-29 18:53:44,867 fail2ban.server [1]: DEBUG failregex: '^User <F-USER>.+</F-USER> from <HOST> not allowed because not listed in AllowUsers(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$'
2020-10-29 18:53:44,872 fail2ban.server [1]: DEBUG failregex: '^User <F-USER>.+</F-USER> from <HOST> not allowed because listed in DenyUsers(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$'
2020-10-29 18:53:44,878 fail2ban.server [1]: DEBUG failregex: '^User <F-USER>.+</F-USER> from <HOST> not allowed because not in any group(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$'
2020-10-29 18:53:44,884 fail2ban.server [1]: DEBUG failregex: '^refused connect from \\S+ \\(<HOST>\\)'
2020-10-29 18:53:44,888 fail2ban.server [1]: DEBUG failregex: '^Received <F-MLFFORGET>disconnect</F-MLFFORGET> from <HOST>(?: (?:port \\d+|on \\S+)){0,2}:\\s*3: .*: Auth fail(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$'
2020-10-29 18:53:44,894 fail2ban.server [1]: DEBUG failregex: '^User <F-USER>.+</F-USER> from <HOST> not allowed because a group is listed in DenyGroups(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$'
2020-10-29 18:53:44,900 fail2ban.server [1]: DEBUG failregex: "^User <F-USER>.+</F-USER> from <HOST> not allowed because none of user's groups are listed in AllowGroups(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$"
2020-10-29 18:53:44,907 fail2ban.server [1]: DEBUG failregex: '^<F-NOFAIL>pam_[a-z]+\\(sshd:auth\\):\\s+authentication failure;</F-NOFAIL>(?:\\s+(?:(?:logname|e?uid|tty)=\\S*)){0,4}\\s+ruser=<F-ALT_USER>\\S*</F-ALT_USER>\\s+rhost=<HOST>(?:\\s+user=<F-USER>\\S*</F-USER>)?(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$'
2020-10-29 18:53:44,915 fail2ban.server [1]: DEBUG failregex: '^(error: )?maximum authentication attempts exceeded for <F-USER>.*</F-USER> from <HOST>(?: (?:port \\d+|on \\S+)){0,2}(?: ssh\\d*)?(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$'
2020-10-29 18:53:44,923 fail2ban.server [1]: DEBUG failregex: '^User <F-USER>.+</F-USER> not allowed because account is locked(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*'
2020-10-29 18:53:44,926 fail2ban.server [1]: DEBUG failregex: '^<F-MLFFORGET>Disconnecting</F-MLFFORGET>(?: from)?(?: (?:invalid|authenticating)) user <F-USER>\\S+</F-USER> <HOST>(?: (?:port \\d+|on \\S+)){0,2}:\\s*Change of username or service not allowed:\\s*.*\\[preauth\\]\\s*$'
2020-10-29 18:53:44,933 fail2ban.server [1]: DEBUG failregex: '^<F-MLFFORGET>Disconnecting</F-MLFFORGET>: Too many authentication failures(?: for <F-USER>.+?</F-USER>)?(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$'
2020-10-29 18:53:44,937 fail2ban.server [1]: DEBUG failregex: '^<F-NOFAIL>Received <F-MLFFORGET>disconnect</F-MLFFORGET></F-NOFAIL> from <HOST>(?: (?:port \\d+|on \\S+)){0,2}:\\s*11:'
2020-10-29 18:53:44,942 fail2ban.server [1]: DEBUG failregex: '^<F-MLFFORGET>(Connection closed|Disconnected)</F-MLFFORGET> (?:by|from)(?: (?:invalid|authenticating) user <F-USER>\\S+|.+?</F-USER>)? <HOST>(?: (?:port \\d+|on \\S+)){0,2}\\s+\\[preauth\\]\\s*$'
2020-10-29 18:53:44,949 fail2ban.server [1]: DEBUG failregex: '^<F-MLFFORGET><F-MLFGAINED>Accepted \\w+</F-MLFGAINED></F-MLFFORGET> for <F-USER>\\S+</F-USER> from <HOST>(?:\\s|$)'
2020-10-29 18:53:44,955 fail2ban.server [1]: DEBUG failregex: '^Did not receive identification string from <HOST>'
2020-10-29 18:53:44,971 fail2ban.server [1]: DEBUG failregex: "^Bad protocol version identification '.*' from <HOST>"
2020-10-29 18:53:44,976 fail2ban.server [1]: DEBUG failregex: '^Connection <F-MLFFORGET>reset</F-MLFFORGET> by <HOST>'
2020-10-29 18:53:44,980 fail2ban.server [1]: DEBUG failregex: '^<F-NOFAIL>SSH: Server;Ltype:</F-NOFAIL> (?:Authname|Version|Kex);Remote: <HOST>-\\d+;[A-Z]\\w+:'
2020-10-29 18:53:44,991 fail2ban.server [1]: DEBUG failregex: '^Read from socket failed: Connection <F-MLFFORGET>reset</F-MLFFORGET> by peer'
2020-10-29 18:53:44,992 fail2ban.server [1]: DEBUG failregex: '^Received <F-MLFFORGET>disconnect</F-MLFFORGET> from <HOST>(?: (?:port \\d+|on \\S+)){0,2}:\\s*14: No supported authentication methods available'
2020-10-29 18:53:45,003 fail2ban.server [1]: DEBUG failregex: '^Unable to negotiate with <HOST>(?: (?:port \\d+|on \\S+)){0,2}: no matching (?:(?:\\w+ (?!found\\b)){0,2}\\w+) found.'
2020-10-29 18:53:45,008 fail2ban.server [1]: DEBUG failregex: '^Unable to negotiate a (?:(?:\\w+ (?!found\\b)){0,2}\\w+)'
2020-10-29 18:53:45,010 fail2ban.server [1]: DEBUG failregex: '^no matching (?:(?:\\w+ (?!found\\b)){0,2}\\w+) found:'
2020-10-29 18:53:45,012 fail2ban.server [1]: DEBUG failregex: '^<F-NOFAIL>Connection from</F-NOFAIL> <HOST>'
2020-10-29 18:53:45,016 fail2ban.server [1]: DEBUG failregex: '^(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel:\\s?\\[ *\\d+\\.\\d+\\]:?\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?Connection closed by authenticating user <F-USER>.+</F-USER> <HOST> port \\d+ [preauth]$'
2020-10-29 18:53:45,049 fail2ban.filter [1]: INFO maxRetry: 3
2020-10-29 18:53:45,050 fail2ban.filter [1]: INFO findtime: 3600
2020-10-29 18:53:45,051 fail2ban.actions [1]: INFO banTime: 3600
2020-10-29 18:53:45,051 fail2ban.jail [1]: INFO Set banTime.increment = True
2020-10-29 18:53:45,052 fail2ban.jail [1]: INFO Set banTime.factor = 1
2020-10-29 18:53:45,052 fail2ban.jail [1]: INFO Set banTime.maxtime = 4w
2020-10-29 18:53:45,053 fail2ban.jail [1]: INFO Set banTime.rndtime = 38
2020-10-29 18:53:45,055 fail2ban.filter [1]: DEBUG Add '127.0.0.0/8' to ignore list ('127.0.0.1/8')
2020-10-29 18:53:45,055 fail2ban.filter [1]: DEBUG Add '::1' to ignore list ('::1')
2020-10-29 18:53:45,056 fail2ban.filter [1]: DEBUG Add '10.2.0.0/24' to ignore list ('10.2.0.1/24')
2020-10-29 18:53:45,056 fail2ban.filter [1]: DEBUG Add '10.0.0.0/24' to ignore list ('10.0.0.1/24')
2020-10-29 18:53:45,057 fail2ban.filter [1]: INFO encoding: UTF-8
2020-10-29 18:53:45,058 fail2ban.filter [1]: INFO Added logfile: '/var/log/auth.log' (pos = 303192, hash = ccd6530adb8309f16718f1b271d3c1c104b3da5e)
2020-10-29 18:53:45,059 fail2ban.filterpyinotif [1]: DEBUG New <Watch wd=1 path=/var/log mask=1073745280 proc_fun=None auto_add=False exclude_filter=<function WatchManager.<lambda> at 0xb60265c8> dir=True >
2020-10-29 18:53:45,060 fail2ban.filterpyinotif [1]: DEBUG Added monitor for the parent directory /var/log
2020-10-29 18:53:45,061 fail2ban.filterpyinotif [1]: DEBUG New <Watch wd=2 path=/var/log/auth.log mask=2 proc_fun=None auto_add=False exclude_filter=<function WatchManager.<lambda> at 0xb60265c8> dir=False >
2020-10-29 18:53:45,062 fail2ban.filterpyinotif [1]: DEBUG Added file watcher for /var/log/auth.log
2020-10-29 18:53:45,062 fail2ban.filter [1]: DEBUG Seek to find time 1603990425.062525 (2020-10-29 17:53:45), file size 303516
2020-10-29 18:53:45,076 fail2ban.filter [1]: DEBUG Position 303192 from 303516, found time 1603994017.0 (2020-10-29 18:53:37) within 1 seeks
2020-10-29 18:53:45,077 fail2ban.CommandAction [1]: DEBUG Created <class 'fail2ban.server.action.CommandAction'>
2020-10-29 18:53:45,077 fail2ban.CommandAction [1]: DEBUG Set actionstart = '<iptables> -N f2b-sshd\n<iptables> -A f2b-sshd -j RETURN\n<iptables> -I INPUT -p tcp -j f2b-sshd'
2020-10-29 18:53:45,078 fail2ban.CommandAction [1]: DEBUG Set actionstop = '<iptables> -D INPUT -p tcp -j f2b-sshd\n<iptables> -F f2b-sshd\n<iptables> -X f2b-sshd'
2020-10-29 18:53:45,078 fail2ban.CommandAction [1]: DEBUG Set actionflush = '<iptables> -F f2b-sshd'
2020-10-29 18:53:45,078 fail2ban.CommandAction [1]: DEBUG Set actioncheck = "<iptables> -n -L INPUT | grep -q 'f2b-sshd[ \\t]'"
2020-10-29 18:53:45,078 fail2ban.CommandAction [1]: DEBUG Set actionban = '<iptables> -I f2b-sshd 1 -s <ip> -j <blocktype>'
2020-10-29 18:53:45,079 fail2ban.CommandAction [1]: DEBUG Set actionunban = '<iptables> -D f2b-sshd -s <ip> -j <blocktype>'
2020-10-29 18:53:45,079 fail2ban.CommandAction [1]: DEBUG Set name = 'sshd'
2020-10-29 18:53:45,079 fail2ban.CommandAction [1]: DEBUG Set port = '55821'
2020-10-29 18:53:45,079 fail2ban.CommandAction [1]: DEBUG Set protocol = 'tcp'
2020-10-29 18:53:45,080 fail2ban.CommandAction [1]: DEBUG Set chain = 'INPUT'
2020-10-29 18:53:45,080 fail2ban.CommandAction [1]: DEBUG Set actname = 'iptables-allports'
2020-10-29 18:53:45,080 fail2ban.CommandAction [1]: DEBUG Set blocktype = 'REJECT --reject-with icmp-port-unreachable'
2020-10-29 18:53:45,081 fail2ban.CommandAction [1]: DEBUG Set returntype = 'RETURN'
2020-10-29 18:53:45,081 fail2ban.CommandAction [1]: DEBUG Set lockingopt = '-w'
2020-10-29 18:53:45,082 fail2ban.CommandAction [1]: DEBUG Set iptables = 'iptables <lockingopt>'
2020-10-29 18:53:45,082 fail2ban.CommandAction [1]: DEBUG Set blocktype?family=inet6 = 'REJECT --reject-with icmp6-port-unreachable'
2020-10-29 18:53:45,082 fail2ban.CommandAction [1]: DEBUG Set iptables?family=inet6 = 'ip6tables <lockingopt>'
2020-10-29 18:53:45,085 fail2ban.CommandAction [1]: DEBUG Created <class 'fail2ban.server.action.CommandAction'>
2020-10-29 18:53:45,085 fail2ban.CommandAction [1]: DEBUG Set actionstart = 'printf %b "Subject: [Fail2Ban] sshd: started on Schklom\nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: Fail2Ban Schklom <root@Schklom>\nTo: myemail@gmail.com\\n\nHi,\\n\nThe jail sshd has been started successfully.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f "root@Schklom" "myemail@gmail.com"'
2020-10-29 18:53:45,085 fail2ban.CommandAction [1]: DEBUG Set actionstop = 'printf %b "Subject: [Fail2Ban] sshd: stopped on Schklom\nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: Fail2Ban Schklom <root@Schklom>\nTo: myemail@gmail.com\\n\nHi,\\n\nThe jail sshd has been stopped.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f "root@Schklom" "myemail@gmail.com"'
2020-10-29 18:53:45,085 fail2ban.CommandAction [1]: DEBUG Set actioncheck = ''
2020-10-29 18:53:45,086 fail2ban.CommandAction [1]: DEBUG Set actionban = '( printf %b "Subject: [Fail2Ban] sshd: banned <ip> from Schklom\nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: Fail2Ban Schklom <root@Schklom>\nTo: myemail@gmail.com\\n\nHi,\\n\nThe IP <ip> has just been banned by Fail2Ban after\n<failures> attempts against sshd.\\n\\n\nHere is more information about <ip> :\\n"\nwhois <ip> || echo "missing whois program";\nprintf %b "\\nLines containing failures of <ip> (max 1000)\\n";\nlogpath="/var/log/auth.log"; grep -m 1000 -wF "<ip>" $logpath | tail -n 1000;\nprintf %b "\\n\nRegards,\\n\nFail2Ban" ) | /usr/sbin/sendmail -f "root@Schklom" "myemail@gmail.com"'
2020-10-29 18:53:45,086 fail2ban.CommandAction [1]: DEBUG Set actionunban = ''
2020-10-29 18:53:45,086 fail2ban.CommandAction [1]: DEBUG Set norestored = True
2020-10-29 18:53:45,087 fail2ban.CommandAction [1]: DEBUG Set name = 'sshd'
2020-10-29 18:53:45,087 fail2ban.CommandAction [1]: DEBUG Set sender = 'root@<fq-hostname>'
2020-10-29 18:53:45,087 fail2ban.CommandAction [1]: DEBUG Set sendername = 'Fail2Ban Schklom'
2020-10-29 18:53:45,087 fail2ban.CommandAction [1]: DEBUG Set fq-hostname = 'Schklom'
2020-10-29 18:53:45,088 fail2ban.CommandAction [1]: DEBUG Set dest = 'myemail@gmail.com'
2020-10-29 18:53:45,088 fail2ban.CommandAction [1]: DEBUG Set logpath = '/var/log/auth.log'
2020-10-29 18:53:45,088 fail2ban.CommandAction [1]: DEBUG Set chain = 'INPUT'
2020-10-29 18:53:45,088 fail2ban.CommandAction [1]: DEBUG Set actname = 'sendmail-whois-lines'
2020-10-29 18:53:45,089 fail2ban.CommandAction [1]: DEBUG Set mailcmd = '/usr/sbin/sendmail -f "<sender>" "<dest>"'
2020-10-29 18:53:45,089 fail2ban.CommandAction [1]: DEBUG Set greplimit = 'tail -n <grepmax>'
2020-10-29 18:53:45,089 fail2ban.CommandAction [1]: DEBUG Set grepmax = '1000'
2020-10-29 18:53:45,089 fail2ban.CommandAction [1]: DEBUG Set grepopts = '-m <grepmax>'
2020-10-29 18:53:45,090 fail2ban.jail [1]: DEBUG Starting jail 'sshd'
2020-10-29 18:53:45,099 fail2ban.filterpyinotif [1]: DEBUG [sshd] filter started (pyinotifier)
2020-10-29 18:53:45,135 fail2ban.jail [1]: INFO Jail 'sshd' started
2020-10-29 18:53:45,148 fail2ban.transmitter [1]: DEBUG Status: ready
Server ready
2020-10-29 18:53:46,655 fail2ban.utils [1]: DEBUG b6034160 -- returned successfully 0
2020-10-29 18:53:52,278 fail2ban.filterpyinotif [1]: DEBUG Event queue size: 16
2020-10-29 18:53:52,279 fail2ban.filterpyinotif [1]: DEBUG <_RawEvent cookie=0 mask=0x2 name='' wd=2 >
2020-10-29 18:53:52,284 fail2ban.filterpyinotif [1]: DEBUG Event queue size: 16
2020-10-29 18:53:52,285 fail2ban.filterpyinotif [1]: DEBUG <_RawEvent cookie=0 mask=0x2 name='' wd=2 >
2020-10-29 18:53:52,418 fail2ban.filterpyinotif [1]: DEBUG Event queue size: 16
2020-10-29 18:53:52,418 fail2ban.filterpyinotif [1]: DEBUG <_RawEvent cookie=0 mask=0x2 name='' wd=2 >
2020-10-29 19:01:01,319 fail2ban.filterpyinotif [1]: DEBUG Event queue size: 16
2020-10-29 19:01:01,320 fail2ban.filterpyinotif [1]: DEBUG <_RawEvent cookie=0 mask=0x2 name='' wd=2 >
2020-10-29 19:01:01,366 fail2ban.ipdns [1]: WARNING Unable to find a corresponding IP address for authenticating: [Errno -2] Name does not resolve
2020-10-29 19:01:02,405 fail2ban.filterpyinotif [1]: DEBUG Event queue size: 16
2020-10-29 19:01:02,405 fail2ban.filterpyinotif [1]: DEBUG <_RawEvent cookie=0 mask=0x2 name='' wd=2 >
PS: I am using this container instead of Fail2Ban on host, because while I don't have the problem I just described, I can't manage to setup email notifications.
If someone could help, I would be very grateful :)
Many thanks
crazy-max commented