I have fail2ban installed on my server (Debian 4.0 perfect setup), but I am not sure it is working. I found this in the auth log file:

Jan 21 14:01:51 server1 sshd[13695]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=85.91.5.69 user=root
Jan 21 14:01:53 server1 sshd[13695]: Failed password for root from 85.91.5.69 port 48327 ssh2
Jan 21 14:01:55 server1 sshd[13699]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=85.91.5.69 user=root
Jan 21 14:01:57 server1 sshd[13699]: Failed password for root from 85.91.5.69 port 48527 ssh2
Jan 21 14:01:58 server1 sshd[13701]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=85.91.5.69 user=root
Jan 21 14:02:00 server1 sshd[13701]: Failed password for root from 85.91.5.69 port 48703 ssh2
Jan 21 14:02:02 server1 sshd[13703]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=85.91.5.69 user=root
Jan 21 14:02:04 server1 sshd[13703]: Failed password for root from 85.91.5.69 port 48865 ssh2
Jan 21 14:02:06 server1 sshd[13707]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=85.91.5.69 user=root
Jan 21 14:02:08 server1 sshd[13707]: Failed password for root from 85.91.5.69 port 34690 ssh2
Jan 21 14:02:10 server1 sshd[13709]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=85.91.5.69 user=root
Jan 21 14:02:12 server1 sshd[13709]: Failed password for root from 85.91.5.69 port 34841 ssh2
Jan 21 14:02:13 server1 sshd[13711]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=85.91.5.69 user=root
Jan 21 14:02:16 server1 sshd[13711]: Failed password for root from 85.91.5.69 port 34986 ssh2
Jan 21 14:02:18 server1 sshd[13715]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=85.91.5.69 user=root
Jan 21 14:02:20 server1 sshd[13715]: Failed password for root from 85.91.5.69 port 35155 ssh2
Jan 21 14:02:21 server1 sshd[13717]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=85.91.5.69 user=root
Jan 21 14:02:23 server1 sshd[13717]: Failed password for root from 85.91.5.69 port 35296 ssh2
Jan 21 14:02:25 server1 sshd[13721]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=85.91.5.69 user=root
Jan 21 14:02:28 server1 sshd[13721]: Failed password for root from 85.91.5.69 port 35446 ssh2
Jan 21 14:02:29 server1 sshd[13723]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=85.91.5.69 user=root
Jan 21 14:02:31 server1 sshd[13723]: Failed password for root from 85.91.5.69 port 35601 ssh2
Jan 21 14:02:33 server1 sshd[13725]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=85.91.5.69 user=root
Jan 21 14:02:35 server1 sshd[13725]: Failed password for root from 85.91.5.69 port 35734 ssh2
Jan 21 14:02:37 server1 sshd[13729]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=85.91.5.69 user=root
Jan 21 14:02:39 server1 sshd[13729]: Failed password for root from 85.91.5.69 port 35878 ssh2
Jan 21 14:02:41 server1 sshd[13731]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=85.91.5.69 user=root
Jan 21 14:02:43 server1 sshd[13731]: Failed password for root from 85.91.5.69 port 36024 ssh2
Jan 21 14:02:44 server1 sshd[13735]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=85.91.5.69 user=root
Jan 21 14:02:47 server1 sshd[13735]: Failed password for root from 85.91.5.69 port 36162 ssh2
Jan 21 14:02:49 server1 sshd[13737]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=85.91.5.69 user=root
Jan 21 14:02:51 server1 sshd[13737]: Failed password for root from 85.91.5.69 port 36310 ssh2
Jan 21 14:02:52 server1 sshd[13739]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=85.91.5.69 user=root
Jan 21 14:02:54 server1 sshd[13739]: Failed password for root from 85.91.5.69 port 36449 ssh2
Jan 21 14:02:56 server1 sshd[13743]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=85.91.5.69 user=root

It goes on for a long time like that. Is there a way to check to see if fail2ban is working OK? I know it is blocking it, but I have it set to ban the person after 3 times.
Update

I was getting ready to set up munin and monit on my system and it told me to run a command. I ran the command and this came up:

server1:~# dpkg --configure -a
dpkg: error processing fail2ban (--configure):
 Package is in a very bad inconsistent state - you should reinstall it before attempting configuration.
Errors were encountered while processing:
 fail2ban

I tried to do updates yesterday, but it locked up in the middle of trying to upgrade fail2ban. How can I fix this? Please speak baby Linux talk. Kind of new to Linux. Thanks

Update

I found this in the fail2ban log file:

2008-01-22 09:45:04,695 fail2ban.actions.action: INFO Set actionUnban = iptables -D fail2ban-<name> -s <ip> -j DROP
2008-01-22 09:45:04,696 fail2ban.actions.action: INFO Set actionCheck = iptables -L INPUT | grep -q fail2ban-<name>
2008-01-22 09:45:05,485 fail2ban.actions.action: ERROR iptables -N fail2ban-courierpop3
iptables -A fail2ban-courierpop3 -j RETURN
iptables -I INPUT -p tcp --dport pop3 -j fail2ban-courierpop3 returned 400
2008-01-22 09:45:05,499 fail2ban.actions.action: ERROR iptables -N fail2ban-sasl
iptables -A fail2ban-sasl -j RETURN
iptables -I INPUT -p tcp --dport smtp -j fail2ban-sasl returned 400
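The question above (is fail2ban really banning after 3 failures?) can be answered without trusting fail2ban's own output: count the "Failed password" lines per source in the auth log, then look for that source in the live firewall. The script below is an added example for this thread, not code from the poster or from fail2ban. It assumes maxretry=3 (the value the poster says is configured), the sshd log format shown above, and that a ban shows up as a DROP rule in a fail2ban-<jail> chain (which is what fail2ban's actionBan/actionUnban lines in the posted log create and delete). The sample log lines are constructed to match the posted format; the second address and all pids and times are invented.

```shell
#!/bin/sh
# Added example, not from the thread: cross-check auth.log failures against
# the running firewall. Assumptions: MAXRETRY=3, sshd "Failed password" lines,
# and ban rules visible in "iptables -n -L" (needs root for that last step).

MAXRETRY=3

# failed_logins <auth.log on stdin> -> "count ip" per source, most attempts first.
# Only "Failed password" lines are counted, one per attempt, which is what
# fail2ban's sshd filter matches; the pam_unix line before each is the same
# attempt and is deliberately ignored so nothing is counted twice.
failed_logins() {
    sed -n 's/.*sshd\[[0-9]*]: Failed password for .* from \([0-9.][0-9.]*\) port .*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# should_be_banned <auth.log on stdin> -> addresses with at least MAXRETRY failures
should_be_banned() {
    failed_logins | awk -v max="$MAXRETRY" '$1 >= max { print $2 }'
}

# is_banned IP -> exit 0 if the live firewall holds a DROP rule for IP.
# fail2ban's own liveness test (the actionCheck line in the posted log) only
# asks whether the fail2ban-<name> chain is hooked into INPUT; this looks one
# level deeper, for the banned address itself. The "returned 400" errors in the
# posted log mean the chain-creating commands failed, so both checks matter.
is_banned() {
    iptables -n -L 2>/dev/null | grep -q "^DROP .* $1 "
}

# Constructed sample in the thread's log format: three failures from one
# address (enough for MAXRETRY=3), one from another (not enough).
SAMPLE_LOG='Jan 21 14:01:51 server1 sshd[13695]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=85.91.5.69 user=root
Jan 21 14:01:53 server1 sshd[13695]: Failed password for root from 85.91.5.69 port 48327 ssh2
Jan 21 14:01:55 server1 sshd[13699]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=85.91.5.69 user=root
Jan 21 14:01:57 server1 sshd[13699]: Failed password for root from 85.91.5.69 port 48527 ssh2
Jan 21 14:02:00 server1 sshd[13701]: Failed password for root from 85.91.5.69 port 48703 ssh2
Jan 21 14:02:30 server1 sshd[13740]: Failed password for invalid user admin from 192.0.2.10 port 40001 ssh2'

# On a real box:  should_be_banned < /var/log/auth.log
for ip in $(printf '%s\n' "$SAMPLE_LOG" | should_be_banned); do
    if is_banned "$ip"; then
        echo "$ip: reached $MAXRETRY failures and is banned"
    else
        echo "$ip: reached $MAXRETRY failures but is NOT in the firewall"
    fi
done
```

Run it as root against /var/log/auth.log; any address it reports as "NOT in the firewall" is one fail2ban should have banned and did not, which is the case to investigate (jail not enabled, wrong logpath, or the iptables errors shown in the fail2ban log). Note that this counts over the whole file, while fail2ban only counts failures inside its findtime window, so a source listed here with old, spread-out failures may legitimately be unbanned.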
A better way to stop the brute force attacks is use the kernel itself via iptables ipt_recent module, doing network stuff at kernel level is far much more efficient than doing it at application level. http://www.snowman.net/projects/ipt_recent/
It worked

It worked, Falko. Thank you. Topdog, the way you are talking about, is it for newbies or is it hard to configure, and also does it protect against different ports or do you have to configure each port, like ftp, mail, ssh, etc.? What I like about fail2ban is it protects all ports that are used. Thanks for helping me to learn, everyone.
ipt_recent can be used on all ports, but you need to be able to write iptables rules to configure it. I guess fail2ban and DenyHosts are easier to use.
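To make topdog's two points concrete (the kernel-side throttle from his first reply, and the fact that it needs one set of iptables rules per port from this one), here is an added example that is not from the thread. It uses the iptables "recent" match, which is the in-tree successor to the ipt_recent module linked above, with the same --set/--update/--seconds/--hitcount options. The port list, the 60-second window and the limit of 4 new connections are illustrative choices, not values from the thread. Without an argument the script only prints the rules so you can read them; with "apply" it runs them, which needs root.

```shell
#!/bin/sh
# Added example, not from the thread: per-service brute-force throttle using
# the iptables "recent" match (kernel-side, no log parsing). Assumptions:
# the PORTS list, WINDOW and HITS below are illustrative, not from the thread.

WINDOW=60   # seconds the kernel remembers a source address for a service
HITS=4      # the HITS-th new connection from one source inside WINDOW is dropped

# recent_rules NAME PORT -> print the iptables commands for one service.
# Order matters: --set records this connection first, then --update checks the
# count. Because --update also refreshes the timestamp when it matches, a
# source that keeps hammering the port keeps itself blocked; it is only let
# back in after WINDOW seconds of silence.
recent_rules() {
    name=$1
    port=$2
    chain="BRUTE_$name"
    cat <<EOF
iptables -N $chain
iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j $chain
iptables -A $chain -m recent --name $name --set
iptables -A $chain -m recent --name $name --update --seconds $WINDOW --hitcount $HITS -j DROP
iptables -A $chain -j RETURN
EOF
}

# Services to protect, as name:port pairs (illustrative list).
PORTS="ssh:22 ftp:21 smtp:25 pop3:110 imap:143"

# all_rules -> one chain per service in PORTS
all_rules() {
    for pair in $PORTS; do
        recent_rules "${pair%%:*}" "${pair#*:}"
    done
}

# No argument: print. "apply": execute the commands, stopping at the first error.
case "${1:-print}" in
    apply) all_rules | sh -e ;;
    *)     all_rules ;;
esac
```

Two caveats a practitioner will hit. First, this counts new TCP connections, not failed logins, so a legitimate user who opens five SSH sessions in a minute is throttled exactly like an attacker; fail2ban reads the auth log and does not have that problem. Second, the recent match's hit counter is capped by the module's ip_pkt_list_tot parameter (default 20), so a --hitcount above that is rejected at load time. The script is not idempotent: to change a value, delete the INPUT jump and the BRUTE_<name> chain before running "apply" again. The addresses currently tracked for a service can be inspected in /proc/net/xt_recent/<name> (older kernels: /proc/net/ipt_recent/<name>).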
easy now Yes they are easy now, but I hope to learn more and apply it to my server. Thanks for your info topdog.