Hello all I've just upgraded my server few days ago from Etch to Lenny, and my fail2ban is not working. And for the past few days somebody is trying to break in to my server. There are 100s of these entry on my auth.log. Code: Mar 9 09:42:33 ns1 sshd[15779]: Invalid user custom from 210.51.171.74 Mar 9 09:42:36 ns1 sshd[15781]: Invalid user custom from 210.51.171.74 Mar 9 09:42:39 ns1 sshd[15783]: Invalid user paula from 210.51.171.74 Mar 9 09:42:41 ns1 sshd[15785]: Invalid user tony from 210.51.171.74 Mar 9 09:42:44 ns1 sshd[15789]: Invalid user angie from 210.51.171.74 Mar 9 11:30:01 ns1 CRON[17155]: pam_unix(cron:session): session opened for user root by (uid=0) Mar 9 11:30:01 ns1 CRON[17155]: pam_unix(cron:session): session closed for user root Mar 9 11:39:01 ns1 CRON[17269]: pam_unix(cron:session): session opened for user root by (uid=0) Mar 9 11:39:01 ns1 CRON[17269]: pam_unix(cron:session): session closed for user root Mar 9 12:00:01 ns1 CRON[17827]: pam_unix(cron:session): session opened for user root by (uid=0) Mar 9 12:00:01 ns1 CRON[17827]: pam_unix(cron:session): session closed for user root Mar 9 12:01:28 ns1 sshd[17897]: reverse mapping checking getaddrinfo for unknown.net.reach.com [134.159.122.26] failed - POSSIBLE BREAK-IN ATTEMPT! Mar 9 12:01:30 ns1 sshd[17900]: reverse mapping checking getaddrinfo for unknown.net.reach.com [134.159.122.26] failed - POSSIBLE BREAK-IN ATTEMPT! Mar 9 12:01:32 ns1 sshd[17903]: reverse mapping checking getaddrinfo for unknown.net.reach.com [134.159.122.26] failed - POSSIBLE BREAK-IN ATTEMPT! Mar 9 12:01:34 ns1 sshd[17906]: reverse mapping checking getaddrinfo for unknown.net.reach.com [134.159.122.26] failed - POSSIBLE BREAK-IN ATTEMPT! Mar 9 12:01:36 ns1 sshd[17911]: reverse mapping checking getaddrinfo for unknown.net.reach.com [134.159.122.26] failed - POSSIBLE BREAK-IN ATTEMPT! Mar 9 12:01:38 ns1 sshd[17913]: reverse mapping checking getaddrinfo for unknown.net.reach.com [134.159.122.26] failed - POSSIBLE BREAK-IN ATTEMPT! Mar 9 12:01:39 ns1 sshd[17916]: reverse mapping checking getaddrinfo for unknown.net.reach.com [134.159.122.26] failed - POSSIBLE BREAK-IN ATTEMPT! Mar 9 12:01:41 ns1 sshd[17919]: reverse mapping checking getaddrinfo for unknown.net.reach.com [134.159.122.26] failed - POSSIBLE BREAK-IN ATTEMPT! Mar 9 12:04:10 ns1 sshd[18190]: Invalid user netdump from 134.159.122.26 Mar 9 12:04:12 ns1 sshd[18193]: reverse mapping checking getaddrinfo for unknown.net.reach.com [134.159.122.26] failed - POSSIBLE BREAK-IN ATTEMPT! Mar 9 12:04:12 ns1 sshd[18193]: Invalid user user1 from 134.159.122.26 Mar 9 12:04:14 ns1 sshd[18196]: reverse mapping checking getaddrinfo for unknown.net.reach.com [134.159.122.26] failed - POSSIBLE BREAK-IN ATTEMPT! Mar 9 12:04:14 ns1 sshd[18196]: Invalid user user1 from 134.159.122.26 Mar 9 12:04:16 ns1 sshd[18201]: reverse mapping checking getaddrinfo for unknown.net.reach.com [134.159.122.26] failed - POSSIBLE BREAK-IN ATTEMPT! Mar 9 12:04:16 ns1 sshd[18201]: Invalid user student from 134.159.122.26 Mar 9 12:04:17 ns1 sshd[18204]: reverse mapping checking getaddrinfo for unknown.net.reach.com [134.159.122.26] failed - POSSIBLE BREAK-IN ATTEMPT! Mar 9 12:04:18 ns1 sshd[18204]: Invalid user student1 from 134.159.122.26 Help.
Did you check the regular expressions for fail2ban (I think they are in the /etc/fail2ban/filters directory (or somewhere similar)?
I just installed fail2ban too and it doesn't seem to ban. I made 6 wrong attempts (max is 5) and the session was closed (so far so good), but then when I try to re-connect I can keep making wrong login attempts. Here's my jail.local file: Code: [DEFAULT] # "ignoreip" can be an IP address, a CIDR mask or a DNS host ignoreip = 127.0.0.1 bantime = 600 maxretry = 3 # "backend" specifies the backend used to get files modification. Available # options are "gamin", "polling" and "auto". # yoh: For some reason Debian shipped python-gamin didn't work as expected # This issue left ToDo, so polling is default backend for now backend = polling # # Destination email address used solely for the interpolations in # jail.{conf,local} configuration files. destemail = [email protected] # Default action to take: ban only action = iptables[name=%(__name__)s, port=%(port)s] [ssh] enabled = true port = ssh filter = sshd logpath = /var/log/auth.log maxretry = 5 [apache] enabled = true port = http filter = apache-auth logpath = /var/log/apache*/*error.log maxretry = 5 [apache-noscript] enabled = false port = http filter = apache-noscript logpath = /var/log/apache*/*error.log maxretry = 5 [vsftpd] enabled = false port = ftp filter = vsftpd logpath = /var/log/auth.log maxretry = 5 [proftpd] enabled = true port = ftp filter = proftpd logpath = /var/log/auth.log failregex = proftpd: \(pam_unix\) authentication failure; .* rhost=<HOST> maxretry = 5 [wuftpd] enabled = false port = ftp filter = wuftpd logpath = /var/log/auth.log maxretry = 5 [postfix] enabled = false port = smtp filter = postfix logpath = /var/log/mail.log maxretry = 5 [courierpop3] enabled = true port = pop3 filter = courierlogin failregex = courierpop3login: LOGIN FAILED.*ip=\[.*:<HOST>\] logpath = /var/log/mail.log maxretry = 5 [courierimap] enabled = true port = imap2 filter = courierlogin failregex = imapd: LOGIN FAILED.*ip=\[.*:<HOST>\] logpath = /var/log/mail.log maxretry = 5 [sasl] enabled = true port = smtp filter = sasl failregex = warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed logpath = /var/log/mail.log maxretry = 5
What's in /var/log/auth.log when there's a failed login attempt? What's the failregex for SSH? (There should be a file for SSH in the filters.d subdirectory.)
The filter.d\sshd.conf is: Code: # Fail2Ban configuration file # # Author: Cyril Jaquier # # $Revision: 663 $ # [INCLUDES] # Read common prefixes. If any customizations available -- read them from # common.local before = common.conf [Definition] _daemon = sshd # Option: failregex # Notes.: regex to match the password failures messages in the logfile. The # host must be matched by a group named "host". The tag "<HOST>" can # be used for standard IP/hostname matching and is only an alias for # (?:::f{4,6}:)?(?P<host>\S+) # Values: TEXT # failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$ ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$ ^%(__prefix_line)sFailed (?:password|publickey) for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$ ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$ ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$ ^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers$ ^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$ ^%(__prefix_line)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$ ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$ ^%(__prefix_line)sAddress <HOST> .* POSSIBLE BREAK-IN ATTEMPT\s*$ # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. # Values: TEXT # ignoreregex = And here're the entries in /var/log/auth.log: Code: Jun 13 11:33:01 server1 sshd[24297]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xxxxxxxxx.dip.t-dialin.net user=root Jun 13 11:33:04 server1 sshd[24297]: Failed password for root from xxxxxxxxx port 49475 ssh2 Jun 13 11:33:17 server1 last message repeated 5 times Jun 13 11:33:17 server1 sshd[24297]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=xxxxxxxxx.dip.t-dialin.net user=root Jun 13 11:33:17 server1 sshd[24297]: PAM service(sshd) ignoring max retries; 5 > 3
Can you add this line to failregex and restart fail2ban? Code: ^%(__prefix_line)spam_unix(sshd:auth): authentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
Hi falko! Did that, still the same problem. Here's the log: Code: Jun 14 14:38:14 server1 sshd[17278]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=XXXXXXX.dip.t-dialin.net user=root Jun 14 14:38:16 server1 sshd[17278]: Failed password for root from XXXXXXX port 52562 ssh2 Jun 14 14:38:30 server1 last message repeated 5 times Jun 14 14:38:30 server1 sshd[17278]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=XXXXXXX.dip.t-dialin.net user=root Jun 14 14:38:30 server1 sshd[17278]: PAM service(sshd) ignoring max retries; 5 > 3 Jun 14 14:38:58 server1 sshd[17315]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=XXXXXXX.dip.t-dialin.net user=root Jun 14 14:38:59 server1 sshd[17315]: Failed password for root from XXXXXXX port 52571 ssh2 Jun 14 14:39:01 server1 CRON[17321]: pam_unix(cron:session): session opened for user root by (uid=0) Jun 14 14:39:01 server1 CRON[17321]: pam_unix(cron:session): session closed for user root Jun 14 14:39:03 server1 sshd[17315]: Failed password for root from XXXXXXX port 52571 ssh2 Jun 14 14:39:06 server1 sshd[17315]: Failed password for root from XXXXXXX port 52571 ssh2
What about this line? Code: authentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*
The problem is the date format in LOG file the timestamp must be YYYY.MM.DD HH:MM:SS and not MMM DD HH:MM:SS