
I recently set up a VPS on Hetzner and tried to secure it with fail2ban and by changing the default SSH port.

Firstly, regardless of fail2ban, I'm confused, as I set the firewall settings in the Hetzner console as follows (screenshot of the firewall rules, not reproduced here).

Even so, in /var/log/auth.log I can see login attempts to various ports that should not be reachable by the firewall rules?

2024-07-22T13:51:24.101913+00:00 my-vps1 sshd[12348]: Failed password for invalid user wasadmin from 77.105.181.192 port 33368 ssh2
2024-07-22T13:51:24.210456+00:00 my-vps1 sshd[12348]: Connection closed by invalid user wasadmin 77.105.181.192 port 33368 [preauth]
2024-07-22T13:51:31.912246+00:00 my-vps1 sshd[12355]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=77.105.181.192  user=root
2024-07-22T13:51:33.812492+00:00 my-vps1 sshd[12355]: Failed password for root from 77.105.181.192 port 54096 ssh2
2024-07-22T13:51:35.381849+00:00 my-vps1 sshd[12355]: Connection closed by authenticating user root 77.105.181.192 port 54096 [preauth]

In addition, fail2ban seems to be partially working. In /var/log/fail2ban.log I see:

2024-07-22 13:53:26,902 fail2ban.actions        [10849]: WARNING [sshd] 77.105.181.192 already banned
2024-07-22 13:53:33,822 fail2ban.filter         [10849]: INFO    [sshd] Found 77.105.181.192 - 2024-07-22 13:53:33
2024-07-22 13:53:33,823 fail2ban.observer       [10849]: INFO    [sshd] Found 77.105.181.192, bad - 2024-07-22 13:53:33, 5 # -> 3, Ban
2024-07-22 13:53:34,116 fail2ban.actions        [10849]: WARNING [sshd] 77.105.181.192 already banned
2024-07-22 13:53:35,726 fail2ban.filter         [10849]: INFO    [sshd] Found 77.105.181.192 - 2024-07-22 13:53:35
2024-07-22 13:53:35,727 fail2ban.observer       [10849]: INFO    [sshd] Found 77.105.181.192, bad - 2024-07-22 13:53:35, 5 # -> 3, Ban
2024-07-22 13:53:36,126 fail2ban.actions        [10849]: WARNING [sshd] 77.105.181.192 already banned

My changes in jail.local after reading through some other posts here:

bantime.increment = true
bantime.factor = 1
bantime.formula = ban.Time * (1<<(ban.Count if ban.Count<20 else 20)) * banFactor

...

# Default protocol
protocol = all

# Specify chain where jumps would need to be added in ban-actions expecting parameter chain
chain = DOCKER-USER

...

banaction = iptables-allports

...

[sshd]
port = all

My iptables -S after supposedly banning the offending IP:

-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-N f2b-sshd
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o br-5c13137a1368 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-5c13137a1368 -j DOCKER
-A FORWARD -i br-5c13137a1368 ! -o br-5c13137a1368 -j ACCEPT
-A FORWARD -i br-5c13137a1368 -o br-5c13137a1368 -j ACCEPT
-A DOCKER -d 172.18.0.2/32 ! -i br-5c13137a1368 -o br-5c13137a1368 -p tcp -m tcp --dport 5006 -j ACCEPT
-A DOCKER -d 172.18.0.3/32 ! -i br-5c13137a1368 -o br-5c13137a1368 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER -d 172.18.0.3/32 ! -i br-5c13137a1368 -o br-5c13137a1368 -p tcp -m tcp --dport 443 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-5c13137a1368 ! -o br-5c13137a1368 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-5c13137a1368 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j f2b-sshd
-A DOCKER-USER -j RETURN
-A f2b-sshd -s 77.105.181.192/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -j RETURN

Server OS: Ubuntu 24.04 LTS
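An added check, not part of the original post: in the ruleset above the only jump into f2b-sshd comes from DOCKER-USER, and DOCKER-USER is only traversed by the FORWARD chain (traffic routed to containers). Connections to the host's own sshd traverse INPUT, whose policy is ACCEPT and which contains no jump to f2b-sshd, so the REJECT rule in f2b-sshd can never match them; that is consistent with fail2ban reporting the IP as "already banned" while sshd keeps logging attempts from it. (The "port 33368" in the sshd lines is the client's source port, not a port on the server.) The POSIX shell script below was written for this page and is not taken from fail2ban or from the question; it reads iptables -S output and reports whether a fail2ban chain is reachable from INPUT and FORWARD by following -j jumps. The embedded ruleset is a constructed excerpt of the one shown above.

```shell
#!/bin/sh
# Added example (not from the original post): given "iptables -S" output, report
# whether a fail2ban chain is reachable from a built-in chain by following -j jumps.
# SAMPLE_RULES is a constructed excerpt of the ruleset shown in the question.

# f2b_reachable_from BUILTIN_CHAIN TARGET_CHAIN   (reads iptables -S output on stdin)
# Prints "yes" if TARGET_CHAIN is reached from BUILTIN_CHAIN, otherwise "no".
f2b_reachable_from() {
    awk -v start="$1" -v target="$2" '
        # Record every "-A SRC ... -j DST" rule as an edge SRC -> DST.
        $1 == "-A" {
            src = $2
            for (i = 3; i < NF; i++) {
                if ($i == "-j") edges[src] = edges[src] " " $(i + 1)
            }
        }
        END {
            # Breadth-first walk over the jump graph starting at the built-in chain.
            queue[1] = start; n = 1; seen[start] = 1; found = 0
            for (q = 1; q <= n; q++) {
                m = split(edges[queue[q]], dst, " ")
                for (k = 1; k <= m; k++) {
                    if (dst[k] == "") continue
                    if (dst[k] == target) found = 1
                    if (!(dst[k] in seen)) { seen[dst[k]] = 1; queue[++n] = dst[k] }
                }
            }
            print (found ? "yes" : "no")
        }'
}

# audit_f2b_hooks RULES TARGET_CHAIN: one report line per built-in chain that
# host traffic (INPUT) or routed container traffic (FORWARD) passes through.
audit_f2b_hooks() {
    rules=$1
    chain=$2
    for builtin in INPUT FORWARD; do
        printf '%s -> %s: %s\n' "$builtin" "$chain" \
            "$(printf '%s\n' "$rules" | f2b_reachable_from "$builtin" "$chain")"
    done
}

# Constructed sample: an excerpt of the "iptables -S" output from the question.
SAMPLE_RULES=$(cat <<'EOF'
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-USER
-N f2b-sshd
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-USER -j f2b-sshd
-A DOCKER-USER -j RETURN
-A f2b-sshd -s 77.105.181.192/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -j RETURN
EOF
)

# On the question's ruleset this prints "INPUT -> f2b-sshd: no" and "FORWARD -> f2b-sshd: yes".
audit_f2b_hooks "$SAMPLE_RULES" f2b-sshd
```

Against a live host, `sudo iptables -S | f2b_reachable_from INPUT f2b-sshd` gives the same answer for the real ruleset. The iptables-allports action inserts its jump into whatever chain the `chain` setting names; fail2ban's default is INPUT, which is where packets addressed to the host's sshd are filtered, while DOCKER-USER is the hook Docker provides for filtering traffic forwarded to published container ports. A jail that should protect the host's SSH therefore needs its jump reachable from INPUT, and a separate jail (or a second action with `chain = DOCKER-USER`) covers the container side.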
