Hello everyone, I can't seem to get any of these tools working on blocking some bad guys and I am starting to get nervous. I have set up fail2ban to take care of some services I am running on my server, except SSH. I have set up denyhosts to take care of SSH. Since I am getting some attacks lately I have added some IPs to be blocked with iptables and started using the ufw firewall, and also added subnets as /24. The problem is that I am still getting logs that show the blocked IPs trying to log in and connect to SSH, and some errors from fail2ban and denyhosts that some IPs are already in the block list. What should I do next?

Logs from auth.log
Code:
May 27 20:49:43 sshd[14422]: last message repeated 5 times
May 27 20:49:43 trinity sshd[14422]: Disconnecting: Too many authentication failures for root [preauth]
May 27 20:49:43 trinity sshd[14422]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.10.191.181 user=root
May 27 20:49:43 trinity sshd[14422]: PAM service(sshd) ignoring max retries; 6 > 3
May 27 20:49:45 trinity sshd[14424]: reverse mapping checking getaddrinfo for evil.chinese.hacker.cn [116.10.191.181] failed - POSSIBLE BREAK-IN ATTEMPT!
May 27 20:49:45 trinity sshd[14424]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.10.191.181 user=root
May 27 20:49:47 trinity sshd[14424]: Failed password for root from 116.10.191.181 port 25908 ssh2
May 27 20:49:58 sshd[14424]: last message repeated 5 times
May 27 20:49:58 trinity sshd[14424]: Disconnecting: Too many authentication failures for root [preauth]
May 27 20:49:58 trinity sshd[14424]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.10.191.181 user=root
May 27 20:49:58 trinity sshd[14424]: PAM service(sshd) ignoring max retries; 6 > 3
May 27 20:49:59 trinity sshd[14426]: reverse mapping checking getaddrinfo for evil.chinese.hacker.cn [116.10.191.181] failed - POSSIBLE BREAK-IN ATTEMPT!
May 27 20:50:00 trinity sshd[14426]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.10.191.181 user=root
May 27 20:50:02 trinity sshd[14426]: Failed password for root from 116.10.191.181 port 32507 ssh2
May 27 20:50:13 sshd[14426]: last message repeated 5 times
May 27 20:50:13 trinity sshd[14426]: Disconnecting: Too many authentication failures for root [preauth]
May 27 20:50:13 trinity sshd[14426]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.10.191.181 user=root
May 27 20:50:13 trinity sshd[14426]: PAM service(sshd) ignoring max retries; 6 > 3
May 27 20:50:14 trinity sshd[14482]: refused connect from 116.10.191.181 (116.10.191.181)
May 28 00:48:59 trinity sshd[18513]: refused connect from 116.10.191.221 (116.10.191.221)

Logs from fail2ban
Code:
2014-05-27 15:31:21,126 fail2ban.jail   : INFO   Creating new jail 'ssh-ddos'
2014-05-27 15:31:21,127 fail2ban.jail   : INFO   Jail 'ssh-ddos' uses Gamin
2014-05-27 15:31:21,231 fail2ban.jail   : INFO   Jail 'ssh-ddos' started
2014-05-27 18:55:54,910 fail2ban.actions.action: ERROR  iptables -D INPUT -p tcp -m multiport --dports ssh -j fail2ban-default
2014-05-27 18:55:54,992 fail2ban.jail   : INFO   Jail 'ssh-ddos' stopped
2014-05-27 18:55:59,828 fail2ban.jail   : INFO   Creating new jail 'ssh-ddos'
2014-05-27 18:55:59,830 fail2ban.jail   : INFO   Jail 'ssh-ddos' uses Gamin
2014-05-27 18:55:59,934 fail2ban.jail   : INFO   Jail 'ssh-ddos' started
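The auth.log excerpt above mixes three different things, and telling them apart says which layer is actually doing the blocking. "Failed password for root from X" means the TCP connection got all the way to sshd's password prompt, so no iptables/ufw rule stopped it. "refused connect from X" is sshd's libwrap message: the handshake completed and then /etc/hosts.deny (the file denyhosts maintains) rejected the connection, which is why a denyhosts block still shows up in auth.log at all. "last message repeated 5 times" is syslog collapsing identical lines, so each of those sessions is really 1 + 5 = 6 failures, which is exactly what the "PAM 5 more authentication failures" and "6 > 3" lines report. The script below is an added example (not code from the poster or from fail2ban/denyhosts) that applies those rules to a constructed sample in the same format and reports, per source IP, how many attempts reached sshd and how many were refused by tcp_wrappers. The regexes, the sample lines and the maxretry default are assumptions of the example.

```python
import re
from collections import defaultdict

# Constructed sample in the same format as the auth.log excerpt in the post
# (assumed test input for this example, not the poster's complete log).
SAMPLE_AUTH_LOG = """\
May 27 20:49:47 trinity sshd[14424]: Failed password for root from 116.10.191.181 port 25908 ssh2
May 27 20:49:58 sshd[14424]: last message repeated 5 times
May 27 20:49:58 trinity sshd[14424]: Disconnecting: Too many authentication failures for root [preauth]
May 27 20:50:02 trinity sshd[14426]: Failed password for root from 116.10.191.181 port 32507 ssh2
May 27 20:50:13 sshd[14426]: last message repeated 5 times
May 27 20:50:14 trinity sshd[14482]: refused connect from 116.10.191.181 (116.10.191.181)
May 28 00:48:59 trinity sshd[18513]: refused connect from 116.10.191.221 (116.10.191.221)
May 28 02:23:54 trinity sshd[20101]: Failed password for root from 116.10.191.164 port 22290 ssh2
May 28 10:50:31 trinity sshd[28770]: refused connect from 113.108.211.131 (113.108.211.131)
"""

# Password rejected by sshd: the connection passed every packet filter.
FAILED_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+")
# syslog collapsed N identical lines from the same sshd pid; they belong to
# whatever that pid logged last.
REPEAT_RE = re.compile(r"sshd\[(?P<pid>\d+)\]: last message repeated (?P<n>\d+) times")
# libwrap (hosts.deny, which denyhosts writes) rejected the connection after
# the TCP handshake and before any authentication.
REFUSED_RE = re.compile(r"sshd\[(?P<pid>\d+)\]: refused connect from (?P<ip>\S+)")
ANY_SSHD_RE = re.compile(r"sshd\[(?P<pid>\d+)\]")


def summarize(log_text):
    """Per source IP: password failures that reached sshd and connections
    refused by tcp_wrappers. Returns {ip: {"failed": n, "refused": m}}."""
    stats = defaultdict(lambda: {"failed": 0, "refused": 0})
    last_failed_ip_by_pid = {}  # pid -> ip, so a "repeated" line can be attributed
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            stats[m["ip"]]["failed"] += 1
            last_failed_ip_by_pid[m["pid"]] = m["ip"]
            continue
        m = REPEAT_RE.search(line)
        if m:
            ip = last_failed_ip_by_pid.get(m["pid"])
            if ip is not None:
                stats[ip]["failed"] += int(m["n"])
            continue
        m = REFUSED_RE.search(line)
        if m:
            stats[m["ip"]]["refused"] += 1
        # Any other message from a pid means a later "repeated" line is not
        # about its Failed password line any more.
        m = ANY_SSHD_RE.search(line)
        if m:
            last_failed_ip_by_pid.pop(m["pid"], None)
    return dict(stats)


def reached_sshd_auth(stats):
    """IPs that got as far as a password prompt: no packet-level block
    (iptables/ufw) is in effect for them, whatever the rule list says."""
    return sorted(ip for ip, s in stats.items() if s["failed"] > 0)


def refused_only(stats):
    """IPs stopped by hosts.deny and by nothing else."""
    return sorted(ip for ip, s in stats.items() if s["refused"] > 0 and s["failed"] == 0)


def over_threshold(stats, maxretry=3):
    """IPs a fail2ban-style jail with this maxretry would ban (assumed default)."""
    return sorted(ip for ip, s in stats.items() if s["failed"] > maxretry)


if __name__ == "__main__":
    stats = summarize(SAMPLE_AUTH_LOG)
    for ip, s in sorted(stats.items()):
        print(f"{ip:<16} failed={s['failed']:<3} refused={s['refused']}")
    print("reached sshd auth:", reached_sshd_auth(stats))
    print("refused only     :", refused_only(stats))
    print("over maxretry=3  :", over_threshold(stats))
```

Run it against the real file with `summarize(open("/var/log/auth.log").read())`. Any address that shows up in `reached_sshd_auth` after you added it to iptables or ufw is proof that the packet filter is not matching it, and the problem is the rule order or the rule itself, not denyhosts.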
Hi Srijan, the problem is that this is a bot that is trying all ports; I have also thought about that and changed the default port for SSH.

Hi till, it's a root server and here is the output of iptables -L
Code:
root@trinity:~# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
fail2ban-dovecot  tcp  --  anywhere             anywhere             multiport dports smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
fail2ban-sasl  tcp  --  anywhere             anywhere             multiport dports smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
fail2ban-postfix  tcp  --  anywhere             anywhere             multiport dports smtp,ssmtp
fail2ban-proftpd  tcp  --  anywhere             anywhere             multiport dports ftp,ftp-data,ftps,ftps-data
fail2ban-apache-overflows  tcp  --  anywhere             anywhere             multiport dports http,https
fail2ban-apache-noscript  tcp  --  anywhere             anywhere             multiport dports http,https
fail2ban-apache-multiport  tcp  --  anywhere             anywhere             multiport dports http,https
fail2ban-default  tcp  --  anywhere             anywhere             multiport dports ssh
fail2ban-default  tcp  --  anywhere             anywhere             multiport dports ssh
fail2ban-ssh  tcp  --  anywhere             anywhere             multiport dports ssh
ufw-before-logging-input  all  --  anywhere             anywhere
ufw-before-input  all  --  anywhere             anywhere
ufw-after-input  all  --  anywhere             anywhere
ufw-after-logging-input  all  --  anywhere             anywhere
ufw-reject-input  all  --  anywhere             anywhere
ufw-track-input  all  --  anywhere             anywhere
DROP       all  --  116.10.191.0/24      anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
ufw-before-logging-forward  all  --  anywhere             anywhere
ufw-before-forward  all  --  anywhere             anywhere
ufw-after-forward  all  --  anywhere             anywhere
ufw-after-logging-forward  all  --  anywhere             anywhere
ufw-reject-forward  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ufw-before-logging-output  all  --  anywhere             anywhere
ufw-before-output  all  --  anywhere             anywhere
ufw-after-output  all  --  anywhere             anywhere
ufw-after-logging-output  all  --  anywhere             anywhere
ufw-reject-output  all  --  anywhere             anywhere
ufw-track-output  all  --  anywhere             anywhere

Chain fail2ban-apache-multiport (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-apache-noscript (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-apache-overflows (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-default (2 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain fail2ban-dovecot (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-postfix (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-proftpd (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-sasl (1 references)
target     prot opt source               destination
DROP       all  --  isg-brass5-213-242-48-182.ivnet.ru  anywhere
RETURN     all  --  anywhere             anywhere

Chain fail2ban-ssh (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain ufw-after-forward (1 references)
target     prot opt source               destination

Chain ufw-after-input (1 references)
target     prot opt source               destination
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:netbios-ns
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:netbios-dgm
ufw-skip-to-policy-input  tcp  --  anywhere             anywhere             tcp dpt:netbios-ssn
ufw-skip-to-policy-input  tcp  --  anywhere             anywhere             tcp dpt:microsoft-ds
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:bootps
ufw-skip-to-policy-input  all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (1 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-after-logging-input (1 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-after-logging-output (1 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "

Chain ufw-after-output (1 references)
target     prot opt source               destination

Chain ufw-before-forward (1 references)
target     prot opt source               destination
ufw-user-forward  all  --  anywhere             anywhere

Chain ufw-before-input (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ufw-logging-deny  all  --  anywhere             anywhere             state INVALID
DROP       all  --  anywhere             anywhere             state INVALID
ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere             icmp source-quench
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere             icmp parameter-problem
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
ACCEPT     udp  --  anywhere             anywhere             udp spt:bootps dpt:bootpc
ufw-not-local  all  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251          udp dpt:mdns
ACCEPT     udp  --  anywhere             239.255.255.250      udp dpt:1900
ufw-user-input  all  --  anywhere             anywhere

Chain ufw-before-logging-forward (1 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             state NEW limit: avg 3/min burst 10 LOG level warning prefix "[UFW AUDIT] "

Chain ufw-before-logging-input (1 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             state NEW limit: avg 3/min burst 10 LOG level warning prefix "[UFW AUDIT] "

Chain ufw-before-logging-output (1 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             state NEW limit: avg 3/min burst 10 LOG level warning prefix "[UFW AUDIT] "

Chain ufw-before-output (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ufw-user-output  all  --  anywhere             anywhere

Chain ufw-logging-allow (0 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "

Chain ufw-logging-deny (2 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             state INVALID limit: avg 3/min burst 10 LOG level warning prefix "[UFW AUDIT INVALID] "
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-not-local (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL
RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type MULTICAST
RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST
ufw-logging-deny  all  --  anywhere             anywhere             limit: avg 3/min burst 10
DROP       all  --  anywhere             anywhere

Chain ufw-reject-forward (1 references)
target     prot opt source               destination

Chain ufw-reject-input (1 references)
target     prot opt source               destination

Chain ufw-reject-output (1 references)
target     prot opt source               destination

Chain ufw-skip-to-policy-forward (0 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere

Chain ufw-skip-to-policy-input (7 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere

Chain ufw-skip-to-policy-output (0 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain ufw-track-input (1 references)
target     prot opt source               destination

Chain ufw-track-output (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             state NEW
ACCEPT     udp  --  anywhere             anywhere             state NEW

Chain ufw-user-forward (1 references)
target     prot opt source               destination

Chain ufw-user-input (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     udp  --  anywhere             anywhere             udp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     udp  --  anywhere             anywhere             udp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imap2
ACCEPT     udp  --  anywhere             anywhere             udp dpt:imap2
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:pop3
ACCEPT     udp  --  anywhere             anywhere             udp dpt:pop3
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:13379
ACCEPT     udp  --  anywhere             anywhere             udp dpt:13379
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:webmin
ACCEPT     udp  --  anywhere             anywhere             udp dpt:10000
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imaps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:pop3
DROP       all  --  116.10.191.0/24      anywhere

Chain ufw-user-limit (0 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK] "
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain ufw-user-logging-forward (0 references)
target     prot opt source               destination

Chain ufw-user-logging-input (0 references)
target     prot opt source               destination

Chain ufw-user-logging-output (0 references)
target     prot opt source               destination

Chain ufw-user-output (1 references)
target     prot opt source               destination
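The rule listing above explains the symptom: iptables evaluates rules in order and the first terminal match wins. The only two DROPs for 116.10.191.0/24 are the last rule of INPUT (appended with `iptables -A`) and the last rule of ufw-user-input (appended by `ufw deny from`), and both sit behind an ACCEPT for tcp dpt:ssh in ufw-user-input, which is reached from ufw-before-input before INPUT ever gets to its own DROP. The fail2ban-ssh chain holds nothing but RETURN, so that jail has banned nobody either. The script below is an added example (not the poster's code and not part of iptables or ufw) that models the INPUT path from the listing as a small rule walker and shows the verdict for a new SSH connection from the blocked subnet before and after moving the DROP in front of the allow. The trimming of the chains, the `-i lo` match on ufw's first ACCEPT (which `iptables -L` hides without -v; taken from ufw's stock before.rules), the interface name and the assumption that sshd listens on 22 are all assumptions of the example.

```python
import ipaddress

# Minimal rule model: a rule is a target plus optional matches. A constructed,
# trimmed reconstruction of the INPUT path in the poster's `iptables -L`.


def rule(target, proto=None, src=None, dport=None, iface=None):
    return {"target": target, "proto": proto, "src": src, "dport": dport, "iface": iface}


def posted_chains():
    return {
        "INPUT": [                                  # policy DROP
            rule("fail2ban-ssh", proto="tcp", dport=22),
            rule("ufw-before-input"),
            rule("ufw-after-input"),
            rule("ufw-reject-input"),
            rule("ufw-track-input"),
            rule("DROP", src="116.10.191.0/24"),    # added with iptables -A, so it is last
        ],
        "fail2ban-ssh": [rule("RETURN")],           # jail has banned nothing
        "ufw-before-input": [
            rule("ACCEPT", iface="lo"),             # listed as "ACCEPT all anywhere anywhere"
            # RELATED,ESTABLISHED / INVALID / icmp rules omitted: a new SYN matches none
            rule("ufw-user-input"),
        ],
        "ufw-user-input": [
            rule("ACCEPT", proto="tcp", dport=22),  # ufw allow ssh
            rule("DROP", src="116.10.191.0/24"),    # ufw deny from ...: appended, so last
        ],
        "ufw-after-input": [],
        "ufw-reject-input": [],
        "ufw-track-input": [],
    }


TERMINAL = {"ACCEPT", "DROP", "REJECT"}


def matches(r, pkt):
    if r["proto"] and r["proto"] != pkt["proto"]:
        return False
    if r["dport"] and r["dport"] != pkt["dport"]:
        return False
    if r["iface"] and r["iface"] != pkt["iface"]:
        return False
    if r["src"] and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(r["src"]):
        return False
    return True


def evaluate(chains, pkt, chain="INPUT", policy="DROP"):
    """Walk a chain the way netfilter does: first terminal match decides; a
    user chain that RETURNs or runs out of rules hands control back to the
    caller, which continues with its next rule. Returns (verdict, where)."""
    for r in chains[chain]:
        if not matches(r, pkt):
            continue
        if r["target"] in TERMINAL:
            return r["target"], chain
        if r["target"] == "RETURN":
            break
        verdict, where = evaluate(chains, pkt, r["target"], policy)
        if verdict is not None:
            return verdict, where
    if chain == "INPUT":
        return policy, "INPUT policy"  # built-in chain: fell off the end
    return None, chain                 # user chain: implicit RETURN


# A new SSH connection from the subnet the poster is trying to block (assumed iface).
NEW_SSH_FROM_BLOCKED_NET = {"proto": "tcp", "dport": 22, "src": "116.10.191.181", "iface": "eth0"}


def verdict_as_posted():
    return evaluate(posted_chains(), NEW_SSH_FROM_BLOCKED_NET)


def verdict_with_iptables_insert():
    """Effect of `iptables -I INPUT 1 -s 116.10.191.0/24 -j DROP`: DROP first."""
    chains = posted_chains()
    chains["INPUT"].insert(0, rule("DROP", src="116.10.191.0/24"))
    return evaluate(chains, NEW_SSH_FROM_BLOCKED_NET)


def verdict_with_ufw_insert():
    """Effect of `ufw insert 1 deny from 116.10.191.0/24`: deny before allow ssh."""
    chains = posted_chains()
    chains["ufw-user-input"].insert(0, rule("DROP", src="116.10.191.0/24"))
    return evaluate(chains, NEW_SSH_FROM_BLOCKED_NET)


if __name__ == "__main__":
    print("as posted        :", verdict_as_posted())
    print("iptables -I 1    :", verdict_with_iptables_insert())
    print("ufw insert 1 deny:", verdict_with_ufw_insert())
```

Whichever of the two fixes is used, the position is the point, not the rule text; `iptables -L INPUT -v -n --line-numbers` shows the real order together with hidden matches and per-rule packet counters, so a DROP whose counter stays at zero while attempts keep landing in auth.log is one that is never reached.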
Some fresh logs from auth.log. It seems to be working on some IPs.
Code:
May 28 02:23:51 trinity sshd[20124]: refused connect from 116.10.191.164 (116.10.191.164)
May 28 02:23:52 trinity sshd[20101]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.10.191.164 user=root
May 28 02:23:54 trinity sshd[20101]: Failed password for root from 116.10.191.164 port 22290 ssh2
May 28 02:24:05 sshd[20101]: last message repeated 5 times
May 28 02:24:05 trinity sshd[20101]: Disconnecting: Too many authentication failures for root [preauth]
May 28 02:24:05 trinity sshd[20101]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.10.191.164 user=root
May 28 02:24:05 trinity sshd[20101]: PAM service(sshd) ignoring max retries; 6 > 3
May 28 02:24:06 trinity sshd[20125]: refused connect from 116.10.191.164 (116.10.191.164)
May 28 03:16:46 trinity sshd[21137]: refused connect from 116.10.191.222 (116.10.191.222)
May 28 09:03:29 trinity sshd[27111]: refused connect from 116.10.191.202 (116.10.191.202)
May 28 09:29:02 trinity sshd[27484]: refused connect from 116.10.191.163 (116.10.191.163)
May 28 09:29:24 trinity sshd[27485]: refused connect from 116.10.191.163 (116.10.191.163)
May 28 09:29:44 trinity sshd[27486]: refused connect from 116.10.191.163 (116.10.191.163)
May 28 09:30:06 trinity sshd[27531]: refused connect from 116.10.191.163 (116.10.191.163)
May 28 10:42:19 trinity sshd[28650]: refused connect from 116.10.191.182 (116.10.191.182)
May 28 10:50:31 trinity sshd[28770]: refused connect from 113.108.211.131 (113.108.211.131)
May 28 12:07:26 trinity sshd[29941]: Received disconnect from 199.91.135.158: 3: com.jcraft.jsch.JSchException: reject HostKey: 213.112.124.172 [preauth]
May 28 12:36:46 trinity sshd[30431]: refused connect from 116.10.191.181 (116.10.191.181)