root@DD-WRT:/opt# ps | grep fail
5537 root 65252 S {fail2ban-server} /opt/bin/python3 /opt/bin/fail2ban-server -xf start
5550 root 1428 S grep fail
root@DD-WRT:/opt# cat /opt/var/log/fail2ban.log
2023-02-04 22:08:35,003 fail2ban.server [5537]: INFO --------------------------------------------------
2023-02-04 22:08:35,004 fail2ban.server [5537]: INFO Starting Fail2ban v0.11.2
2023-02-04 22:08:35,007 fail2ban.observer [5537]: INFO Observer start...
2023-02-04 22:08:35,020 fail2ban.database [5537]: INFO Connected to fail2ban persistent database '/opt/var/lib/fail2ban/fail2ban.sqlite3'
2023-02-04 22:08:35,029 fail2ban.database [5537]: WARNING New database created. Version '4'
2023-02-04 22:08:35,032 fail2ban.jail [5537]: INFO Creating new jail 'openvpn'
2023-02-04 22:08:35,048 fail2ban.jail [5537]: INFO Jail 'openvpn' uses poller {}
2023-02-04 22:08:35,050 fail2ban.jail [5537]: INFO Initiated 'polling' backend
2023-02-04 22:08:35,088 fail2ban.filter [5537]: INFO maxRetry: 5
2023-02-04 22:08:35,090 fail2ban.filter [5537]: INFO findtime: 600
2023-02-04 22:08:35,091 fail2ban.actions [5537]: INFO banTime: 600
2023-02-04 22:08:35,091 fail2ban.filter [5537]: INFO encoding: UTF-8
2023-02-04 22:08:35,093 fail2ban.filter [5537]: INFO Added logfile: '/tmp/var/log/messages' (pos = 0, hash = ff47fa5c92dbe3fa84e8dcc0d61c6795169502c9)
2023-02-04 22:08:35,103 fail2ban.jail [5537]: INFO Jail 'openvpn' started
root@DD-WRT:/opt#
You are a godsend and a great asset to this community! I followed these steps all the way through again, and it worked. You were right, I had my [openvpn] log location misconfigured. This was a great deal of help! I can't thank you enough good sir! Thank you! _________________ DanRanRocks - Tech Tutorials by Dan Ran
Joined: 16 Apr 2018 Posts: 107 Location: Milwaukee, WI
Posted: Thu Feb 09, 2023 18:34 Post subject:
ho1Aetoo wrote:
also you have sshd enabled, you know it's for the openssh server that you have to install and configure separately?
Does sshd in fail2ban not use dropbear? Must I use openssh for fail2ban to block my ssh port?
Posted: Thu Feb 09, 2023 18:40 Post subject:
ho1Aetoo wrote:
then have fun with the rest, which must also be adjusted ...
I'm out, I do not use openvpn and I have already done more than enough
Thanks a ton for all of this! But what exactly is "the rest"? I'm not sure I'm seeing what else needs to be adjusted. I know you've put a lot of time into this, but might you be able to push a hint in my direction? Really appreciate it my friend!
also you have sshd enabled, you know it's for the openssh server that you have to install and configure separately?
Does sshd in fail2ban not use dropbear? Must I use openssh for fail2ban to block my ssh port?
sshd uses the openssh regex filter, and openssh is not dropbear.
If you want to use dropbear, you have to enable the dropbear jail and adjust the logpath.
And if you have a look at the dropbear regex filter, then you know why it can't work with an openssh filter.
Quote:
# Fail2Ban filter for dropbear
#
# NOTE: The regex below is ONLY intended to work with a patched
# version of Dropbear as described here:
# http://www.unchartedbackwaters.co.uk/pyblosxom/static/patches
# ^%(__prefix_line)sexit before auth from <HOST>.*\s*$
#
# The standard Dropbear output doesn't provide enough information to
# ban all types of attack. The Dropbear patch adds IP address
# information to the 'exit before auth' message which is always
# produced for any form of non-successful login. It is that message
# which this file matches.
#
# More information: http://bugs.debian.org/546913
[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

failregex = ^[Ll]ogin attempt for nonexistent user ('.*' )?from <HOST>:\d+$
            ^[Bb]ad (PAM )?password attempt for .+ from <HOST>(:\d+)?$
            ^[Ee]xit before auth \(user '.+', \d+ fails\): Max auth tries reached - user '.+' from <HOST>:\d+\s*$
I can't tell you if the regex works; you have to test it yourself.
Above I gave you some useful hints on how to test the regex.
(Since I don't use openvpn myself, I took an entry from your syslog and simply wrote it via echo into my syslog, etc.)
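Added example (not part of the thread and not fail2ban's own code): a small offline check that runs the three failregex lines quoted above against sample log lines, showing that dropbear-style failures are picked up while an OpenSSH-style line is not. The IPv4-only `<HOST>` stand-in, the simplified prefix stripping, the `failed_host` helper and all sample lines are assumptions constructed for illustration.

```python
import re

# The three failregex lines quoted above, copied from the post.
DROPBEAR_FAILREGEX = [
    r"^[Ll]ogin attempt for nonexistent user ('.*' )?from <HOST>:\d+$",
    r"^[Bb]ad (PAM )?password attempt for .+ from <HOST>(:\d+)?$",
    r"^[Ee]xit before auth \(user '.+', \d+ fails\): Max auth tries reached"
    r" - user '.+' from <HOST>:\d+\s*$",
]

# Assumption: IPv4-only stand-in for fail2ban's <HOST> tag, which in
# fail2ban itself also accepts IPv6 addresses and hostnames.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Assumption: simplified removal of the syslog prefix ("... daemon[pid]: ").
PREFIX = re.compile(r"^.*?\b(?:dropbear|sshd)\[\d+\]:\s+")

COMPILED = [re.compile(p.replace("<HOST>", HOST)) for p in DROPBEAR_FAILREGEX]


def failed_host(line):
    """Return the offending IP if any dropbear failregex matches, else None."""
    message = PREFIX.sub("", line.rstrip("\n"), count=1)
    for rx in COMPILED:
        m = rx.search(message)
        if m:
            return m.group("host")
    return None


# Constructed sample lines (documentation addresses), not taken from the thread.
SAMPLES = [
    "Feb  9 18:30:01 DD-WRT authpriv.warn dropbear[4121]: "
    "Bad password attempt for 'root' from 192.0.2.10:51234",
    "Feb  9 18:30:05 DD-WRT authpriv.warn dropbear[4122]: "
    "Login attempt for nonexistent user from 198.51.100.7:40022",
    "Feb  9 18:30:09 DD-WRT authpriv.info dropbear[4123]: "
    "Exit before auth (user 'root', 3 fails): Max auth tries reached"
    " - user 'root' from 192.0.2.10:51240",
    # OpenSSH-style wording: none of the dropbear patterns apply to it.
    "Feb  9 18:31:00 host sshd[900]: "
    "Failed password for root from 203.0.113.5 port 22 ssh2",
    "Feb  9 18:32:00 DD-WRT authpriv.notice dropbear[4124]: "
    "Password auth succeeded for 'root' from 192.0.2.10:51300",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(failed_host(line), "<-", line)
```

On the router itself, the equivalent check is to run the installed filter against the real log with fail2ban-regex, since the exact wording of dropbear's messages depends on the build.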
atomicamp wrote:
ho1Aetoo wrote:
then have fun with the rest, which must also be adjusted ...
I'm out, I do not use openvpn and I have already done more than enough
Thanks a ton for all of this! But what exactly is "the rest"? I'm not sure I'm seeing what else needs to be adjusted. I know you've put a lot of time into this, but might you be able to push a hint in my direction? Really appreciate it my friend!