As from my understanding, the logic (for SSH) should be like this:
IP failed login for 5 times → Fail2Ban record at “fail2ban-client status ssh-iptables” → F2B then update iptables for an entry to block the IP
I found that if I delete the banned IP from interface “Banned IP addresses“. It will remove the entry from iptables. BUT do not clear the record at F2B (i.e. I can still see the banned IP with this command “fail2ban-client status ssh-iptable“) UNTIL the ban time passed (first block should be 10 mins).
This cause some problem.
If I unban an IP, it won’t get banned anymore within the ban time even though they keep failing. (Because iptables do not have such entry but fail2ban won’t track that anymore as it’s already in the record).
→ Workaround: use command “fail2ban-client unban <IP_address>” to remove the record from F2B, so it will start to track that IP again.
If I restart fail2ban service, the banned IP will be re-appear on interface and also insert into iptables. This make some confusion
Is it make more sense to also do “fail2ban-client unban” when operating from “Banned IP Addresses” interface?
Side question:
I am trying to make the SSH policy more tight as below
It seems that nobody thought about performing the unban directly in fail2ban and assumed that deleting the current rule would be enough. It looks like it would be a good idea to also carry out the unban in fail2ban, but I need to run some tests first.
Also, it’s not recommended to use fail2ban-client unban <IP_address> since that command removes the ban from all jails. The correct approach would be to unban the specific jail using fail2ban-client set <JAIL> unbanip <IP_address>, but this requires more work to identify which jail(s) need to be unbanned when v-delete-firewall-ban is executed.
Thanks so much. Yes, indeed it should do the unban form specific rules instead of from whole F2B.
Btw, I’ve tested using a seperate line → mode = aggressive
But then my F2B do not detect any of failure…..
However, this is also stated (like you say) in guideline from their /etc/fail2ban/filter.d/sshd.conf that adding a seperate line….so it’s very confusing
# Parameter "mode": normal (default), ddos, extra or aggressive (combines all)
# Usage example (for jail.local):
# [sshd]
# mode = extra
# # or another jail (rewrite filter parameters of jail):
# [sshd-aggressive]
# filter = sshd[mode=aggressive]
#
mode = normal
Remember to restart fail2ban to apply the changes.
You can test it adding a fake line matching one of the regex used only in aggressive mode to auth.log file:
logger -t "sshd-session[$$]" -p auth.info "Unable to negotiate with 203.0.113.13 port 22: no matching cipher found: client aes128-cbc server [email protected]"