Greetings everyone. I have managed to configure fail2ban once on a Debian machine, and it works as it should because of systemd and this config:
Debian jail.local:
[sshd]
# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
#mode = normal
port = ssh
#logpath = %(sshd_log)s
logparth = /var/log/fail2ban
#backend = %(sshd_backend)s
backend = systemd
maxretry = 3
bantime = 1y
But on this OpenWrt one, which is installed on the RPi4, it is a little different, because it has no systemd, so I can't make the config the same as above.
OpenWrt jail.local:
[sshd]
# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
mode = aggressive
enabled = true
port = ssh
#logpath = %(sshd_log)s
logpath = /var/log/messages
#logparth = /var/log/fail2ban
#backend = %(sshd_backend)s
maxretry = 3
#bantime = 1y
bantime = 31536000
I tried multiple options in OpenWrt's jail.local and still failed to make fail2ban work. I restarted the fail2ban service, the network and others, even did reboots.
The /var/log/messages logs were being successfully written by syslog-ng. Thanks to it I can see who attempts to log in via ssh:
Oct 20 21:51:07 OpenWrt sshd-session[26393]: Failed password for root from 192.168.1.150 port 59234 ssh2
Oct 20 21:51:07 OpenWrt sshd-session[26393]: Failed password for root from 192.168.1.150 port 59234 ssh2
Oct 20 21:51:07 OpenWrt sshd-session[26393]: Connection closed by authenticating user root 192.168.1.150 port 59234 [preauth]
Oct 20 21:54:22 OpenWrt sshd-session[26486]: Failed password for root from 192.168.1.150 port 34528 ssh2
Oct 20 21:54:23 OpenWrt sshd-session[26486]: Failed password for root from 192.168.1.150 port 34528 ssh2
Oct 20 21:54:23 OpenWrt sshd-session[26486]: Connection closed by authenticating user root 192.168.1.150 port 34528 [preauth]
Oct 20 21:54:24 OpenWrt sshd-session[26489]: Failed password for root from 192.168.1.150 port 34532 ssh2
Oct 20 21:54:25 OpenWrt sshd-session[26489]: Failed password for root from 192.168.1.150 port 34532 ssh2
Oct 20 21:54:25 OpenWrt sshd-session[26489]: Connection closed by authenticating user root 192.168.1.150 port 34532 [preauth]
Oct 20 21:54:27 OpenWrt sshd-session[26491]: Failed password for root from 192.168.1.150 port 58914 ssh2
Oct 20 21:54:27 OpenWrt sshd-session[26491]: Failed password for root from 192.168.1.150 port 58914 ssh2
Oct 20 21:54:27 OpenWrt sshd-session[26491]: Connection closed by authenticating user root 192.168.1.150 port 58914 [preauth]
The problem is that I can't ban this IP from the log, as shown here:
fail2ban-client status sshd
Status for the jail: sshd
|- Filter
| |- Currently failed: 0
| |- Total failed: 0
| `- File list: /var/log/messages
`- Actions
|- Currently banned: 0
|- Total banned: 0
`- Banned IP list:
It makes me wonder why f2b does not read the log.
Does anyone know how to fix this problem? I use the stable version [OpenWrt 23.05.6 (r24232-539228933c)]
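The lines posted above, run through a check in the spirit of what fail2ban does with them, as an added example that is not from this thread: it applies a syslog-prefix plus "Failed password" pattern (an approximation of the sshd filter's failregex, not fail2ban's own) to constructed copies of the posted lines and counts failures per IP against maxretry and findtime. The process tag accepted in the prefix is a parameter, so the result can be compared with the `_daemon` line of the installed filter.d/sshd.conf; `fail2ban-regex /var/log/messages sshd` does the same check against the real filter.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample, copied in shape from the syslog-ng lines in the post.
SAMPLE_LOG = """\
Oct 20 21:51:07 OpenWrt sshd-session[26393]: Failed password for root from 192.168.1.150 port 59234 ssh2
Oct 20 21:51:07 OpenWrt sshd-session[26393]: Connection closed by authenticating user root 192.168.1.150 port 59234 [preauth]
Oct 20 21:54:22 OpenWrt sshd-session[26486]: Failed password for root from 192.168.1.150 port 34528 ssh2
Oct 20 21:54:24 OpenWrt sshd-session[26489]: Failed password for root from 192.168.1.150 port 34532 ssh2
Oct 20 21:54:27 OpenWrt sshd-session[26491]: Failed password for root from 192.168.1.150 port 58914 ssh2
"""

# Syslog prefix as syslog-ng writes it to /var/log/messages: "<ts> <host> <tag>[<pid>]: ".
# The tag is captured so it can be checked against the daemon names a filter accepts.
PREFIX = r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (?P<tag>[\w-]+)\[\d+\]: "
# Approximation of the sshd "Failed password" failregex (assumption, not fail2ban's pattern).
FAILED = r"Failed password for (?:invalid user )?\S+ from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+ ssh2$"

def failed_logins(log, daemon_tags=("sshd",)):
    """Map each source IP to the timestamps of its failed logins.

    Only lines whose syslog tag is in daemon_tags count, which mirrors how a
    filter's daemon name gates the match before the failregex is even tried.
    """
    hits = defaultdict(list)
    rx = re.compile(PREFIX + FAILED)
    for line in log.splitlines():
        m = rx.match(line)
        if m and m.group("tag") in daemon_tags:
            hits[m.group("ip")].append(m.group("ts"))
    return dict(hits)

def ban_candidates(hits, maxretry=3, findtime=600):
    """Return IPs with at least maxretry failures inside any findtime-second window."""
    banned = []
    for ip, stamps in hits.items():
        # Log lines are assumed chronological; syslog timestamps carry no year.
        times = [datetime.strptime(s, "%b %d %H:%M:%S") for s in stamps]
        for i in range(len(times) - maxretry + 1):
            if (times[i + maxretry - 1] - times[i]).total_seconds() <= findtime:
                banned.append(ip)
                break
    return sorted(banned)

if __name__ == "__main__":
    for tags in (("sshd",), ("sshd", "sshd-session")):
        hits = failed_logins(SAMPLE_LOG, tags)
        print(tags, "failed:", {ip: len(t) for ip, t in hits.items()},
              "ban:", ban_candidates(hits))
```

Running it prints a failure count per IP for each tag set, which is the number to compare with the "Total failed" line of fail2ban-client status sshd.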
Your release was EOL'd recently; it will not hurt (and might repair things) to upgrade to a supported one.
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/firewall
network:
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.1.2'
option netmask '255.255.255.0'
config interface 'wan'
option device 'eth1'
option proto 'dhcp'
option delegate '0'
config interface 'wg0'
option proto 'wireguard'
option private_key 'some-key'
option listen_port '51820'
list addresses '100.0.1.1/24'
config wireguard_wg0
option description 'phone'
option public_key 'some-key'
option private_key 'some-key'
option route_allowed_ips '1'
list allowed_ips '100.0.1.2/32'
firewall:
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone 'lan'
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
list network 'wg0'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
config redirect
option name 'firewall-ssh-access'
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp'
option src_dport '25212'
option dest_ip '192.168.1.2'
option dest_port '22'
option enabled '0'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule 'wg'
option name 'Allow-WireGuard'
option src 'wan'
option dest_port '51820'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.fail2ban'
option enabled '1'
option reload '1'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'vpn'
list proto 'udp'
option src 'wan'
option src_dport '51820'
option dest_ip '192.168.1.2'
option dest_port '51820'
config redirect 'dns_int'
option name 'Intercept-DNS'
option family 'any'
option proto 'tcp udp'
option src 'lan'
option src_dport '53'
option dest_port '53'
option target 'DNAT'
config rule 'dot_fwd'
option name 'Deny-DoT'
option src 'lan'
option dest 'wan'
option dest_port '853'
option proto 'tcp udp'
option target 'REJECT'
Also, I'm a little 'afraid' to upgrade to the latest version because I have installed many packages that interest me, and I can't remember all of their names and dependencies in case the upgrade breaks my system and I have to start almost from 0, even if I have the '/etc/config' files.
I've also resized my rootfs to max (128G) with a special script, and backing it up with dd would take a lot of time and space. I've also tried my luck with banIP, looked around in its documentation, and it does not work. There has to be another way.
Well, the OpenSSH package is without any support for TCP wrappers, and you have to use a NETWORK FIREWALL to block; no change from Dropbear SSH. Also, DNAT implies accept.
Hate to be the one to tell you, but you have advanced to the level where your haphazard way of getting to where you are, and not taking notes along the way, is now rising up and biting you in the ass.
You are not the first tech that has had this happen and you won't be the last.
You can either do ONE of the following:
Go on a campaign to convince the world that the particular release you are on is Better Than Anything New and contains the One True Secret Of Ultimate OpenWRTness and demand that everyone bend over backwards to support you. Occasionally you may get some help but ultimately, you're going to end up mumbling in a corner somewhere, never progressing, never advancing.
Rationally realize that your journey has taught you much and you are now at the doorway between Advanced Amateur and True Guru Professional, and the rest of us are beckoning you to join us. But that doorway is a hard one to go through, and you must learn to let go of the past and begin anew to go through it. The past is now holding you back. Let it go. Shove everything from the past into a glass case that you can look at from time to time and admire as a reference, begin again with a new, more powerful device, a current new copy of OpenWRT, a blank yellow pad, and start the journey over. But this time, using what you have learned, documenting along the way.
Just as an add-on. @wormzy
If you start fresh, which is a good idea now, use the image builder and keep track of all changes with git.
If you fiddle on the live router, then copy the edited files back and check in your changes, build a new image and flash. If everything works, then the next step....
No, no, NO! This is NOT how a pro does it. He said he has an RPI4 - these things are going for $80 off Amazon - less than the cost of a college textbook. Leave his existing system running, buy a new one, build it up like a pro, then swap them when ready.
A pro always keeps his production stuff separate from the skunkworks. The skunkworks network is for learning. The production network is for keeping your wife from yelling at you "when the Internet goes down and I was going to watch a movie while you fiddled with your 'hobby'".
Dude chill.
If you need high availability, then build your network with high availability. Otherwise nobody will lose their shit if the router does a reboot for like 45 sec.
No offense, but nope. I could not distinguish that from other shit talk when people say that same stuff seriously...
Maybe suffix such points with an /s
Oh, one more thing, before I'll mark this as solved: I've noticed that the maxretry = 3 parameter for the [sshd] section in jail.local does not work. It's locked to the default value of 5. On my other debian machine this change works. And I think this also applies to bantime = 1y or bantime = 31536000 and any other parameters on any other section from jail.local.
I also don't see any entry for maxretry in /etc/fail2ban/filter.d/sshd.conf. Should I add that entry there myself? Or do those changes need to be made from someplace else?
Oh, sorry, on my phone's termux I had to enter the password 6 times. And when you showed me the logs, I decided to look on my own and saw that they looked similar to yours.
I did further testing by decreasing the bantime to 10 and maxretry to 1. I entered the password 3 times, and when I tried to log in again, I could not.
Then I realized that must be a bug from my termux client.
So, after I got unbanned after 10 seconds or milliseconds or so, I tried to log in one more time and right after I pressed ctrl+c on termux. I pressed the up arrow and tried to log in one more time and got banned for another 10 milliseconds or so.
So yeah, I think this thorough testing sums it up. Thanks for helping me out once more.