
I just did a fresh install on my Raspberry Pi (Raspbian) and I can't get fail2ban to do anything; it doesn't block any failed SSH logins. I checked to make sure it was pointing at the correct log file (/var/log/auth.log), which it is. I have confirmed that iptables is active, that fail2ban is started, that the sshd jail is turned on, and that the service is running on port 22. I really don't know what to do at this point; I've never had this much trouble getting it to work with SSH before. It normally works right out of the box. Here is my log filter and auth log:

Log:

    Jan 22 21:11:25 PI2 sshd[22700]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.4.56.163 user=pi
    Jan 22 21:11:27 PI2 sshd[22700]: Failed password for pi from 216.4.56.163 port 16290 ssh2
    Jan 22 21:11:27 PI2 sshd[22700]: error: Received disconnect from 216.4.56.163: 3: com.jcraft.jsch.JSchException: Auth cancel [preauth]
    Jan 22 21:17:01 PI2 CRON[22783]: pam_unix(cron:session): session opened for user root by (uid=0)
    Jan 22 21:17:01 PI2 CRON[22783]: pam_unix(cron:session): session closed for user root
    Jan 22 21:17:30 PI2 sshd[22809]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=183.3.202.106 user=root
    Jan 22 21:17:33 PI2 sshd[22809]: Failed password for root from 183.3.202.106 port 16766 ssh2
    Jan 22 21:17:36 PI2 sshd[22809]: Failed password for root from 183.3.202.106 port 16766 ssh2
    Jan 22 21:17:38 PI2 sshd[22809]: Failed password for root from 183.3.202.106 port 16766 ssh2
    Jan 22 21:17:39 PI2 sshd[22809]: Received disconnect from 183.3.202.106: 11: [preauth]
    Jan 22 21:17:39 PI2 sshd[22809]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=183.3.202.106 user=root

Filter (sshd.conf):

    ^%(__prefix_line)sFailed \S+ for .*? from <HOST>(?: port \d*)?(?: ssh\d*
    ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
    ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
    ^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in
    ^%(__prefix_line)sUser .+ from <HOST> not allowed because listed in Deny
    ^%(__prefix_line)sUser .+ from <HOST> not allowed because not in any gro
    ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
    ^%(__prefix_line)sReceived disconnect from <HOST>: 3: \S+: Auth fail$
    ^%(__prefix_line)sUser .+ from <HOST> not allowed because a group is lis
    ^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's
    ignoreregex =.

I'm pretty sure that it's the log filter but I'm not sure how to fix it.

TheStarvingGeek
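The poster suspects the filter, and the quickest way to settle that is to run the failregex over the actual log lines and count matches per source address, which is what `fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf` does on the box. The script below is an added example, not part of the question or of fail2ban itself: it re-implements that check in plain Python for the log excerpt from the question (constructed here from those lines, with the terminal wrapping removed). It assumes a simplified `__prefix_line` that only covers the syslog timestamp format shown, a `<HOST>` that only matches IPv4 addresses (fail2ban's real one also matches hostnames and IPv6), and it closes the first failregex, which the question shows cut off at the screen edge, with `)?$`.

```python
import re
from collections import Counter

# Assumption: a reduced stand-in for fail2ban's %(__prefix_line)s that only
# understands "Mon DD HH:MM:SS host sshd[pid]: " syslog prefixes.
PREFIX_LINE = r"^\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+\S+\s+sshd(?:\[\d+\])?:\s+"

# Assumption: fail2ban's <HOST> also matches hostnames and IPv6; IPv4 is enough here.
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The complete failregex lines from the question's sshd.conf. The first line is
# shown truncated in the question; closing it with ")?$" is an assumption.
FAILREGEX = [
    r"%(__prefix_line)sFailed \S+ for .*? from <HOST>(?: port \d*)?(?: ssh\d*)?$",
    r"%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$",
    r"%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$",
    r"%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$",
    r"%(__prefix_line)sReceived disconnect from <HOST>: 3: \S+: Auth fail$",
]

# Constructed sample: the question's auth.log excerpt with line wrapping repaired.
SAMPLE_LOG = """
Jan 22 21:11:25 PI2 sshd[22700]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.4.56.163 user=pi
Jan 22 21:11:27 PI2 sshd[22700]: Failed password for pi from 216.4.56.163 port 16290 ssh2
Jan 22 21:11:27 PI2 sshd[22700]: error: Received disconnect from 216.4.56.163: 3: com.jcraft.jsch.JSchException: Auth cancel [preauth]
Jan 22 21:17:01 PI2 CRON[22783]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 22 21:17:30 PI2 sshd[22809]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=183.3.202.106 user=root
Jan 22 21:17:33 PI2 sshd[22809]: Failed password for root from 183.3.202.106 port 16766 ssh2
Jan 22 21:17:36 PI2 sshd[22809]: Failed password for root from 183.3.202.106 port 16766 ssh2
Jan 22 21:17:38 PI2 sshd[22809]: Failed password for root from 183.3.202.106 port 16766 ssh2
Jan 22 21:17:39 PI2 sshd[22809]: Received disconnect from 183.3.202.106: 11: [preauth]
""".strip().splitlines()


def compile_failregex(patterns=FAILREGEX):
    """Expand the fail2ban placeholders and compile each failregex."""
    expanded = [
        p.replace("%(__prefix_line)s", PREFIX_LINE).replace("<HOST>", HOST_RE)
        for p in patterns
    ]
    return [re.compile(p) for p in expanded]


def match_line(line, compiled):
    """Return the <HOST> captured by the first failregex that matches, else None."""
    for rx in compiled:
        m = rx.match(line.rstrip())
        if m:
            return m.group("host")
    return None


def count_failures(lines, patterns=FAILREGEX):
    """Count failregex matches per source address, the way a jail tallies them."""
    compiled = compile_failregex(patterns)
    counts = Counter()
    for line in lines:
        host = match_line(line, compiled)
        if host:
            counts[host] += 1
    return counts


def hosts_to_ban(counts, maxretry):
    """Addresses whose match count has reached the jail's maxretry (findtime ignored)."""
    return sorted(h for h, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    counts = count_failures(SAMPLE_LOG)
    for host, n in counts.most_common():
        print(f"{host}: {n} match(es)")
    print("would ban at maxretry=3:", hosts_to_ban(counts, 3))
    print("would ban at maxretry=6:", hosts_to_ban(counts, 6))
```

On this excerpt the filter is doing its job: the four "Failed password" lines match and the pam_unix, CRON and "Received disconnect ... 11:" lines correctly do not. Whether a ban actually fires then depends on the jail's `maxretry` and `findtime`, so when the counts look right and nothing is banned, the next place to look is the jail configuration and whether the server started at all.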


Figured it out.

The issue was that I had a custom jail set up for a different service and it wasn't configured correctly, and that was keeping fail2ban from starting correctly.

So when I ran "service fail2ban status" I would get this before I fixed the other jail:

 ● fail2ban.service - LSB: Start/stop fail2ban
   Loaded: loaded (/etc/init.d/fail2ban)
   Active: active (exited) since Mon 2016-01-25 18:41:50 EST; 3s ago
  Process: 11673 ExecStop=/etc/init.d/fail2ban stop (code=exited, status=0/SUCCESS)
  Process: 11683 ExecStart=/etc/init.d/fail2ban start (code=exited, status=0/SUCCESS)

Jan 25 18:41:50 PI2 fail2ban[11683]: Starting authentication failure monitor: fail2banERROR  No file(s) found for glob /wrong/way/service.log #edit to your needs
Jan 25 18:41:50 PI2 fail2ban[11683]: ERROR  Failed during configuration: Have not found any log file for service jail
Jan 25 18:41:50 PI2 fail2ban[11683]: failed!
Jan 25 18:41:50 PI2 systemd[1]: Started LSB: Start/stop fail2ban.

After I fixed it:

 ● fail2ban.service - LSB: Start/stop fail2ban
   Loaded: loaded (/etc/init.d/fail2ban)
   Active: active (running) since Mon 2016-01-25 18:43:03 EST; 3s ago
  Process: 11774 ExecStop=/etc/init.d/fail2ban stop (code=exited, status=0/SUCCESS)
  Process: 11784 ExecStart=/etc/init.d/fail2ban start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/fail2ban.service
           └─11795 /usr/bin/python /usr/bin/fail2ban-server -b -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid

Jan 25 18:43:03 PI2 fail2ban[11784]: Starting authentication failure monitor: fail2ban.
Jan 25 18:43:03 PI2 systemd[1]: Started LSB: Start/stop fail2ban.
TheStarvingGeek
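The failure mode in this answer is worth catching before a restart rather than after: fail2ban refuses to start when any enabled jail's `logpath` glob matches no file, and the `active (exited)` status plus the "No file(s) found for glob" line are the only evidence. The script below is an added example (mine, not fail2ban's code): it parses a jail.local-style INI file and reports every enabled jail whose logpath globs resolve to nothing. The configuration is constructed inline, the `[service]` jail uses the placeholder path quoted in the answer's error message, and the `[ssh]` jail points at a temporary directory so the example runs anywhere.

```python
import configparser
import glob
import os
import tempfile

# Constructed jail.local-style configuration (not the poster's real file). The
# [service] jail reproduces the misconfiguration from the answer's error message.
SAMPLE_JAIL_CONF = """
[DEFAULT]
bantime = 600
maxretry = 3

[ssh]
enabled = true
port = ssh
filter = sshd
logpath = {logdir}/auth.log
maxretry = 6

[service]
enabled = true
port = 8080
filter = service
logpath = /wrong/way/service.log
"""


def parse_jails(text):
    """Parse jail configuration text; interpolation is off so '%' in values is literal."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def check_logpaths(cp):
    """Return {jail: [logpath globs that match no file]} for enabled jails.

    An empty dict means every enabled jail has at least one existing log file
    per glob, which is the condition fail2ban needs to start at all.
    """
    problems = {}
    for jail in cp.sections():
        if not cp.getboolean(jail, "enabled", fallback=False):
            continue
        # fail2ban accepts several globs, separated by whitespace or newlines.
        patterns = cp.get(jail, "logpath", fallback="").split()
        missing = [p for p in patterns if not glob.glob(p)]
        if missing:
            problems[jail] = missing
    return problems


def demo():
    """Create a real auth.log in a temp dir so only the [service] jail is broken."""
    with tempfile.TemporaryDirectory() as logdir:
        open(os.path.join(logdir, "auth.log"), "w").close()
        cp = parse_jails(SAMPLE_JAIL_CONF.format(logdir=logdir))
        return check_logpaths(cp)


if __name__ == "__main__":
    for jail, missing in demo().items():
        print(f"jail [{jail}] has no log file for: {', '.join(missing)}")
```

Run this against a copy of your jail.local before restarting, and confirm afterwards with `fail2ban-client status`, which lists the jails the server actually loaded; a jail that is enabled in the file but absent from that list is the same symptom the poster hit.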