
I have a Debian 10 server running on a VPS. The only software I installed is tinyproxy (HTTP proxy) and fail2ban.

I have included the results of a port scan using nmap.

I have included my specific settings in the fail2ban jail.local file.

I have included my specific settings in the fail2ban fail2ban.local file.

I have included below a sample of entries from the auth log.

I have included below a sample of entries from the fail2ban log.

I have included my results from a sample scan of iptables.

I do not understand if fail2ban is working, i.e. causing IPs to be blocked based upon entries in the IP Tables that fail2ban has made.

As example:

== auth.log shows attempted entry by 192.241.141.43, almost every minute

== fail2ban.log shows 192.241.141.43 is banned

== Iptables shows 192.241.141.43 is banned

I thought that, based upon the IP being blocked, the malicious user would NOT be able to attempt a login. Yet it seems that these users are indeed able to attempt logins.

MY QUESTIONS, Please:

  1. Does it appear that fail2ban is working?
  2. Why are malicious users allowed to even attempt login if they are banned?

Many thanks!

=== === Results from nmap scan

# Nmap 7.80 scan initiated Sat Jan 27 15:25:04 2024 as: nmap -sS -oG out.txt 107.174.156.124
Host: 107.174.156.124 (107-174-156-124-host.colocrossing.com)   Status: Up
Host: 107.174.156.124 (107-174-156-124-host.colocrossing.com)   Ports: 139/filtered/tcp//netbios-ssn///, 445/filtered/tcp//microsoft-ds///, 8888/open/tcp//sun-answerbook///    Ignored State: closed (997)
# Nmap done at Sat Jan 27 15:25:06 2024 -- 1 IP address (1 host up) scanned in 2.20 seconds

=== === Here are my entries in jail.local

#
# JAILS
#

#
# SSH servers
#

[sshd]

# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
#mode   = normal
enabled = true
mode = aggressive
port = 63xxx
filter = sshd
logpath = /var/log/auth.log
bantime = 2000000
findtime = 7200
maxretry = 2
backend = %(sshd_backend)s
action = iptables-multiport[name=sshd, port="ssh", protocol=tcp]

=== === Here are my entries in fail2ban.local

# Options: dbpurgeage
# Notes.: Sets age at which bans should be purged from the database
# Values: [ SECONDS ] Default: 86400 (24hours)
dbpurgeage = 2100000

=== === Here is a sample of the auth log

As an example, there are several attempts by 192.241.141.43, and this is repeated almost every minute!

Jan 27 15:54:55 racknerd-64d010 sshd[2232]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.241.141.43  user=root
Jan 27 15:54:57 racknerd-64d010 sshd[2232]: Failed password for root from 192.241.141.43 port 54798 ssh2
Jan 27 15:54:57 racknerd-64d010 sshd[2232]: Received disconnect from 192.241.141.43 port 54798:11: Bye Bye [preauth]
Jan 27 15:54:57 racknerd-64d010 sshd[2232]: Disconnected from authenticating user root 192.241.141.43 port 54798 [preauth]

=== === Here is a sample of the fail2ban log

As an example, fail2ban says 192.241.141.43 is banned:

2024-01-27 15:55:50,928 fail2ban.actions        [29992]: WARNING [sshd] 82.102.12.130 already banned
2024-01-27 15:55:50,929 fail2ban.actions        [29992]: WARNING [sshd] 192.241.141.43 already banned
2024-01-27 15:55:50,929 fail2ban.actions        [29992]: WARNING [sshd] 159.75.161.40 already banned

=== === Results from the iptables scan

IP 192.241.141.43 is banned:

    0     0 REJECT     all  --  *      *       61.231.64.170        0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       192.241.141.43       0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       104.250.34.177       0.0.0.0/0            reject-with icmp-port-unreachable
  • Do you have sshd running on a non-standard port? Have you checked that iptables rules apply to the same port that your sshd running on?
    – AlexD
    Commented Jan 28 at 9:07

1 Answer

It looks like it's working according to your log file.

/var/log/fail2ban.log

Fail2ban also has its own tool to check the status: fail2ban-client status sshd

On my machine, where it's working, it looks like this:

Status for the jail: sshd
|- Filter
|  |- Currently failed: 3
|  |- Total failed:     192
|  `- File list:        /var/log/auth.log
`- Actions
   |- Currently banned: 41
   |- Total banned:     41
   `- Banned IP list:   139.199.207.102 157.230.232.203 167.71.61.117 178.128.244.113 185.36.81.42 221.226.2.122 222.186.16.186 222.186.16.198 45.155.91.99 52.91.194.171 78.68.68.246 212.70.149.150 141.98.11.90 85.209.11.27 138.68.111.27 183.221.243.20 218.92.0.56 218.92.0.113 218.92.0.112 218.92.0.22 218.92.0.25 218.92.0.76 218.92.0.107 85.209.11.254 218.92.0.34 218.92.0.118 180.101.88.197 218.92.0.29 218.92.0.24 218.92.0.27 141.98.11.11 1.117.168.14 180.101.88.196 218.92.0.31 88.182.251.194 88.214.25.16 35.243.208.234 124.222.51.236 118.121.200.110 14.103.25.183 121.164.71.235
  • Thank you, Turdie, for the comment. What confuses me the most is that any of these "attacking" IPs keep coming back, AND the kernel seems to try to authenticate them, as evidenced by the pam_unix(sshd:auth) entries. Why doesn't the kernel just disconnect if their IP is in the ban list in iptables?
    – xstack
    Commented Jan 28 at 0:12
  • For the IPs that keep coming back you have the recidive jail, which monitors the fail2ban log. Byde
    – Turdie
    Commented Jan 28 at 0:31
  • Please, what is "recidive jail"?
    – xstack
    Commented Jan 28 at 1:11
  • See here: bpaulino.com/entries/…. I also added it to my answer.
    – Turdie
    Commented Jan 28 at 2:18
  • Even if fail2ban shows an IP as banned, it doesn't mean that iptables filters were applied correctly. With bantime = 2000000 you shouldn't see the same IP every minute and "already banned" warnings.
    – AlexD
    Commented Jan 28 at 9:18
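An added check, not from the question or the answer, for the two things the question asks about: whether the jail's action really filters the port sshd listens on (the mismatch AlexD's comments point at, since the action line's port="ssh" overrides the jail's port = 63xxx), and whether any banned IP's REJECT rule has matched zero packets while auth.log still records its failed logins. The inputs are constructed from the question's own snippets; 63022 stands in for the poster's 63xxx.

```python
import re

# Constructed copy of the [sshd] section from the question's jail.local. The poster
# wrote "port = 63xxx"; 63022 is an assumed stand-in for that non-standard port.
JAIL_LOCAL = """
[sshd]
enabled = true
mode = aggressive
port = 63022
filter = sshd
action = iptables-multiport[name=sshd, port="ssh", protocol=tcp]
"""

# Constructed `iptables -L f2b-sshd -n -v` lines: pkts, bytes, target, ..., source.
# The first two mirror the zero-packet counters the question shows.
IPTABLES_V = """
    0     0 REJECT     all  --  *      *       192.241.141.43       0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       104.250.34.177       0.0.0.0/0            reject-with icmp-port-unreachable
   12   720 REJECT     all  --  *      *       61.231.64.170        0.0.0.0/0            reject-with icmp-port-unreachable
"""

# Constructed auth.log lines in the same shape as the question's sample.
AUTH_LOG = """
Jan 27 15:54:57 host sshd[2232]: Failed password for root from 192.241.141.43 port 54798 ssh2
Jan 27 15:56:01 host sshd[2240]: Failed password for root from 192.241.141.43 port 54912 ssh2
"""

def action_port_mismatch(jail_text):
    """Return (jail_port, action_port) if the action's own port= overrides the
    jail's port setting, else None. fail2ban uses the action's value when given."""
    jail_port = re.search(r"^port\s*=\s*(\S+)", jail_text, re.M).group(1)
    m = re.search(r'^action\s*=.*?port="([^"]+)"', jail_text, re.M)
    action_port = m.group(1) if m else jail_port
    return None if action_port == jail_port else (jail_port, action_port)

def unmatched_bans(iptables_text, auth_text):
    """IPs that have a REJECT rule with zero matched packets yet still appear in
    auth.log: the rule exists but is not on the path the SSH traffic takes."""
    zero_hit = set()
    for line in iptables_text.splitlines():
        m = re.match(r"\s*(\d+)\s+\d+\s+REJECT\s+\S+\s+--\s+\S+\s+\S+\s+(\S+)", line)
        if m and int(m.group(1)) == 0:
            zero_hit.add(m.group(2))
    still_failing = set(re.findall(r"Failed password for \S+ from (\S+)", auth_text))
    return sorted(zero_hit & still_failing)
```

On these inputs action_port_mismatch reports ("63022", "ssh") and unmatched_bans reports 192.241.141.43; on a live host, replace the constructed strings with the real jail file, `iptables -L f2b-sshd -n -v` and auth.log.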
