Fail2Ban not logging attemps from Dropbear

Hi guys. First of all thanks, I appreciate a lot the work you do.

I am setting up a server that will be publicly accessible, and I was trying to set up Fail2Ban, but for some reason it is not picking up logging attempts from Dropbear.

I have tried to block myself using another computer, but It’s not even logging anything. If I run journalctl -u dropbear I do see not only my own attempts but also from who knows where:

Feb 11 17:28:02 DietPi dropbear[3091]: [3091] Feb 11 17:28:02 Child connection from 141.98.11.169:40262
Feb 11 17:28:02 DietPi dropbear[3090]: [3090] Feb 11 17:28:02 Exit before auth from <141.98.11.169:54574>: (user 'root', 1 fails): Exited normally
Feb 11 17:28:02 DietPi dropbear[3091]: [3091] Feb 11 17:28:02 Failed loading /etc/dropbear/dropbear_dss_host_key
Feb 11 17:28:03 DietPi dropbear[3091]: [3091] Feb 11 17:28:03 Bad password attempt for 'root' from 141.98.11.169:40262

And there were several attempts from the same IP.

Running journalctl -f -u fail2ban I get the following and nothing else:

Feb 11 18:32:20 DietPi systemd[1]: Started fail2ban.service - Fail2Ban Service.
Feb 11 18:32:20 DietPi fail2ban-server[7686]: 2024-02-11 18:32:20,816 fail2ban.configreader   [7686]: WARNING 'allowipv6' not defined in 'Definition'. Using default one: 'auto'
Feb 11 18:32:20 DietPi fail2ban-server[7686]: fail2ban.server         [7686]: INFO    --------------------------------------------------
Feb 11 18:32:20 DietPi fail2ban-server[7686]: fail2ban.server         [7686]: INFO    Starting Fail2ban v1.0.2
Feb 11 18:32:20 DietPi fail2ban-server[7686]: fail2ban.observer       [7686]: INFO    Observer start...
Feb 11 18:32:20 DietPi fail2ban-server[7686]: fail2ban.database       [7686]: INFO    Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
Feb 11 18:32:20 DietPi fail2ban-server[7686]: fail2ban.jail           [7686]: INFO    Creating new jail 'dropbear'
Feb 11 18:32:20 DietPi fail2ban-server[7686]: fail2ban.jail           [7686]: INFO    Jail 'dropbear' uses systemd {}
Feb 11 18:32:20 DietPi fail2ban-server[7686]: fail2ban.jail           [7686]: INFO    Initiated 'systemd' backend
Feb 11 18:32:20 DietPi fail2ban-server[7686]: fail2ban.filter         [7686]: INFO      maxRetry: 3
Feb 11 18:32:20 DietPi fail2ban-server[7686]: fail2ban.filter         [7686]: INFO      findtime: 600
Feb 11 18:32:20 DietPi fail2ban-server[7686]: fail2ban.actions        [7686]: INFO      banTime: 600
Feb 11 18:32:20 DietPi fail2ban-server[7686]: fail2ban.jail           [7686]: INFO    Creating new jail 'sshd'
Feb 11 18:32:20 DietPi fail2ban-server[7686]: fail2ban.jail           [7686]: INFO    Jail 'sshd' uses systemd {}
Feb 11 18:32:20 DietPi fail2ban-server[7686]: fail2ban.jail           [7686]: INFO    Initiated 'systemd' backend
Feb 11 18:32:20 DietPi fail2ban-server[7686]: fail2ban.filter         [7686]: INFO      maxLines: 1
Feb 11 18:32:20 DietPi fail2ban-server[7686]: fail2ban.filtersystemd  [7686]: INFO    [sshd] Added journal match for: '_SYSTEMD_UNIT=sshd.service + _COMM=sshd'
Feb 11 18:32:20 DietPi fail2ban-server[7686]: fail2ban.filter         [7686]: INFO      maxRetry: 3
Feb 11 18:32:20 DietPi fail2ban-server[7686]: fail2ban.filter         [7686]: INFO      findtime: 600
Feb 11 18:32:20 DietPi fail2ban-server[7686]: fail2ban.actions        [7686]: INFO      banTime: 600
Feb 11 18:32:20 DietPi fail2ban-server[7686]: fail2ban.filtersystemd  [7686]: NOTICE  [dropbear] Jail started without 'journalmatch' set. Jail regexs will be checked against all journal entries, which is not advised for performance reasons.
Feb 11 18:32:20 DietPi fail2ban-server[7686]: fail2ban.filtersystemd  [7686]: INFO    [dropbear] Jail is in operation now (process new journal entries)
Feb 11 18:32:20 DietPi fail2ban-server[7686]: fail2ban.jail           [7686]: INFO    Jail 'dropbear' started
Feb 11 18:32:20 DietPi fail2ban-server[7686]: fail2ban.filtersystemd  [7686]: INFO    [sshd] Jail is in operation now (process new journal entries)
Feb 11 18:32:20 DietPi fail2ban-server[7686]: fail2ban.jail           [7686]: INFO    Jail 'sshd' started
Feb 11 18:32:20 DietPi fail2ban-server[7686]: Server ready

Running fail2ban-client status dropbear shows

Status for the jail: dropbear
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- Journal matches:
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:

And then running systemctl status fail2ban shows:

● fail2ban.service - Fail2Ban Service
     Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; preset: enabled)
     Active: active (running) since Sun 2024-02-11 18:32:20 GMT; 58min ago
       Docs: man:fail2ban(1)
   Main PID: 7686 (fail2ban-server)
      Tasks: 7 (limit: 4531)
     Memory: 11.8M
        CPU: 7.491s
     CGroup: /system.slice/fail2ban.service
             └─7686 /usr/bin/python3 /usr/bin/fail2ban-server -xf start

Feb 11 18:32:20 DietPi fail2ban-server[7686]: fail2ban.filtersystemd  [7686]: INFO    [sshd] Added journal match for: '_SYSTEMD_UNIT=sshd.service + _COMM=sshd'
Feb 11 18:32:20 DietPi fail2ban-server[7686]: fail2ban.filter         [7686]: INFO      maxRetry: 3
Feb 11 18:32:20 DietPi fail2ban-server[7686]: fail2ban.filter         [7686]: INFO      findtime: 600
Feb 11 18:32:20 DietPi fail2ban-server[7686]: fail2ban.actions        [7686]: INFO      banTime: 600
Feb 11 18:32:20 DietPi fail2ban-server[7686]: fail2ban.filtersystemd  [7686]: NOTICE  [dropbear] Jail started without 'journalmatch' set. Jail regexs will be checked against all journal entries, which is not advised for performance reasons.
Feb 11 18:32:20 DietPi fail2ban-server[7686]: fail2ban.filtersystemd  [7686]: INFO    [dropbear] Jail is in operation now (process new journal entries)
Feb 11 18:32:20 DietPi fail2ban-server[7686]: fail2ban.jail           [7686]: INFO    Jail 'dropbear' started
Feb 11 18:32:20 DietPi fail2ban-server[7686]: fail2ban.filtersystemd  [7686]: INFO    [sshd] Jail is in operation now (process new journal entries)
Feb 11 18:32:20 DietPi fail2ban-server[7686]: fail2ban.jail           [7686]: INFO    Jail 'sshd' started
Feb 11 18:32:20 DietPi fail2ban-server[7686]: Server ready

I am not sure if I am missing some configuration or something to make it work with Dropbear

Fail2Ban was installed using dietpi-software, and this is the configuration in services:

┌─────────────────────────────────────────────────┤ DietPi-Services ├──────────────────────────────────────────────────┐
│ Please select an option for: fail2ban                                                                                │
│                                                                                                                      │
│                                               ●─ Service control ───────────────────────────●                        │
│                       State                   : [active]                                                             │
│                       Mode                    : [enabled]                                                            │
│                       Include/Exclude         : [included]                                                           │
│                       Status                  : Display systemd status log                                           │
│                       Edit                    : [/lib/systemd/system/fail2ban.service]                               │

The configuration of jail.local is the following:

[DEFAULT]
enabled = true
#ignoreip = 127.0.0.1/8
ignorecommand =
backend = systemd
mode = normal
filter = %(__name__)s[mode=%(mode)s]
findtime = 600
maxretry = 3
bantime = 600
banaction = route
action = %(banaction)s[blocktype=blackhole]

[dropbear]

[sshd]
# Mode: normal (default), ddos, extra or aggressive (combines all)
# See "filter.d/sshd.conf" for details.
#mode = normal

I commented the ignoreip for testing purposes.
I will appreciate any hint or help on how to make it work.

Thanks.

Here is my working config (I had to modify jail.d/ignore-ips.conf and jail.conf and remove my local IP range from the ignore listto test this, but you’re trying to connect from public IP, right? In your logs I see 141.98.11.169)

filter.d/dropbear.conf:
(check if the prefregex is correct, there was a change some months ago)

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

_daemon = dropbear

prefregex = ^%(__prefix_line)s\[\d+\] [A-Z][a-z]+ \d\d \d\d:\d\d:\d\d <F-CONTENT>(?:[Ll]ogin|[Bb]ad|[Ee]xit).+</F-CONTENT>$

failregex = ^[Ll]ogin attempt for nonexistent user ('.*' )?from <HOST>:\d+$
            ^[Bb]ad (PAM )?password attempt for .+ from <HOST>(:\d+)?$
            ^[Ee]xit before auth \(user '.+', \d+ fails\): Max auth tries reached - user '.+' from <HOST>:\d+\s*$

ignoreregex =

jail.d/dropbear.conf:

[dropbear]
enable=true
daemon = _dropear
port =22
filter = dropbear
banaction = route
action = %(banaction)s[blocktype=blackhole]
maxretry = 3
bantime = 14400
findtime = 14400
mode=normal
backend=systemd

Thank you so much Jappe, I added the missing filter.d/dropbear.conf and updated the prefregex and now it’s working.

141.98.11.169 is not my IP, it must be some bot trying to log into my rpi, which is why I was trying desperately to set up Fail2Ban correctly.

I can rest easy now, thanks!

If you can don’t expose SSH to the public internet, even with fail2ban running.
I’m using a VPN (on my phone) to connect to my LAN and from there I connect to my devices via SSH. Maybe this is also an option for you.
You could also forbid root login with password and allow only login via key for root, if you can not or don’t want to use a VPN.
To deny password login for root you need to set

DROPBEAR_EXTRA_ARGS="-g"

in /etc/default/dropbear.

See also: https://linux.die.net/man/8/dropbear

I think I might do the private key login, since I was planning on accessing my personal server from the office with the work laptop, and we already use a VPN.

Thanks for the info.

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.