Vesta Control Panel - Forum

Fail2Ban port number for SSH

Post by Ghillie-up » Sat Nov 15, 2014 11:30 am

So, like most of you, I am running shell access on an alternative port, let's say 2220 as an example.

Fail2Ban is listening for attempts on ssh via the ssh port number, right? I.e. 22? How do I change this to the port number sshd is listening on so I can prevent brute force attempts on my box?

I have amended jail.conf to say:

[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=2220, protocol=tcp]
         sendmail-whois[name=SSH, dest=[email protected], sender=[email protected], sendername="Fail2Ban"]
logpath = /var/log/secure
maxretry = 5

And restarted the service but I can still hammer ssh with Hydra. Any ideas guys?

Thanks.
Post by Milka » Sat Nov 15, 2014 3:10 pm

You could try and edit the right file and then restart fail2ban again.

Code:

/etc/fail2ban/jail.local

;-)
Post by Ghillie-up » Sat Nov 15, 2014 6:21 pm

What do I amend in this file exactly?

[ssh-iptables]
enabled = true
filter = sshd
action = vesta[name=SSH]
logpath = /var/log/secure
maxretry = 5

Ta.
Post by Milka » Sun Nov 16, 2014 4:16 pm

Ghillie-up wrote: What do I amend in this file exactly?

Anything or everything you've written or changed in jail.conf... Just the fact that you haven't seen the port option in jail.local by default doesn't mean you can't use it. The default fail2ban configuration file is jail.conf, but the configuration work should not be done in that file, hence we use a local copy of it. This is common fail2ban practice, not just in Vesta. You should make all of your desired configuration changes within the jail.local file.
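
Added example, not part of the thread or of VestaCP: a minimal Python sketch of the override order described in the post above, using constructed copies of the two [ssh-iptables] sections quoted in the thread (trimmed to the relevant keys) and a constructed sshd_config. It assumes only jail.conf and jail.local are in play and that no %(...)s interpolation is used; all function names are hypothetical.

```python
import configparser
import re

# Constructed samples mirroring the two jail sections quoted in the thread.
JAIL_CONF = """\
[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=2220, protocol=tcp]
"""
JAIL_LOCAL = """\
[ssh-iptables]
enabled = true
filter = sshd
action = vesta[name=SSH]
"""
SSHD_CONFIG = "Port 2220\nPermitRootLogin no\n"  # constructed sample


def effective_jail(jail, *sources):
    """Merge config texts in order; later sources override earlier ones."""
    parser = configparser.ConfigParser(interpolation=None)
    for text in sources:
        parser.read_string(text)
    return dict(parser[jail])


def action_port(action):
    """Return the port= argument of an action value, or None if absent."""
    match = re.search(r"\bport=([^,\]\s]+)", action)
    return match.group(1) if match else None


def sshd_port(sshd_config):
    """Return the first uncommented Port directive; sshd defaults to 22."""
    match = re.search(r"^\s*Port\s+(\d+)", sshd_config, re.M | re.I)
    return match.group(1) if match else "22"


def check(jail, sshd_config, *sources):
    """Compare the effective action's port= with sshd's listening port."""
    action = effective_jail(jail, *sources)["action"]
    port, listen = action_port(action), sshd_port(sshd_config)
    return {"action": action, "action_port": port,
            "sshd_port": listen, "port_in_action": port == listen}


if __name__ == "__main__":
    print(check("ssh-iptables", SSHD_CONFIG, JAIL_CONF, JAIL_LOCAL))
```

With both files loaded, the port=2220 edit made in jail.conf never reaches the effective jail, because jail.local defines its own action for the same section.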
Post by Ghillie-up » Sun Nov 16, 2014 7:39 pm

Ahh, makes sense. I have never used fail2ban before and the topics on Server Fault suggest using .conf not .local, hence where I went wrong.

Does fail2ban have logs itself? I can see iptables is injecting a rule but yet I am still hammering ssh with passwords. It's like it's oblivious.