Hi guys, I run a webserver VPS with Ubuntu 18.04 and ISPConfig 3. When I try the following command to show me the last failed logins I get this:

Code:
kei      ssh:notty    134.209.247.249  Mon Jul  1 06:27 - 06:27  (00:00)
kei      ssh:notty    134.209.247.249  Mon Jul  1 06:27 - 06:27  (00:00)
ltelles  ssh:notty    106.13.44.83     Mon Jul  1 06:27 - 06:27  (00:00)
ltelles  ssh:notty    106.13.44.83     Mon Jul  1 06:27 - 06:27  (00:00)
mardi    ssh:notty    178.32.218.192   Mon Jul  1 06:26 - 06:26  (00:00)
patrol   ssh:notty    94.138.36.201    Mon Jul  1 06:26 - 06:26  (00:00)
mardi    ssh:notty    178.32.218.192   Mon Jul  1 06:26 - 06:26  (00:00)
patrol   ssh:notty    94.138.36.201    Mon Jul  1 06:26 - 06:26  (00:00)
lp       ssh:notty    51.83.104.120    Mon Jul  1 06:26 - 06:26  (00:00)
Rim      ssh:notty    134.209.247.249  Mon Jul  1 06:26 - 06:26  (00:00)
Rim      ssh:notty    134.209.247.249  Mon Jul  1 06:26 - 06:26  (00:00)
nmurthy  ssh:notty    178.32.218.192   Mon Jul  1 06:25 - 06:25  (00:00)
nmurthy  ssh:notty    178.32.218.192   Mon Jul  1 06:25 - 06:25  (00:00)
greg     ssh:notty    106.13.44.83     Mon Jul  1 06:25 - 06:25  (00:00)
greg     ssh:notty    106.13.44.83     Mon Jul  1 06:25 - 06:25  (00:00)

As you can see there are a lot of failed logins, so I assume some scripts are trying to hack the password. How can I protect my server from so many failed logins?

- Should I disallow the root user to log in, and log in as another user and then sudo?
- Or should I use another SSH port?
- As there are many IPs, I could as well block them with iptables.

What would be the best solution? Thanks a lot for your great help, like always.
When you followed the perfect server install guide to install your server, then you have fail2ban installed already which blocks these attacks automatically. Check the fail2ban.log to see if you installed it and if it reports that it blocked it. As a side note, this is nothing unusual and happens all the time to any system that's connected to the internet, so no need to worry about that. Just ensure that you use reasonably safe and long passwords.
Hello, thanks a lot for your kind answer. The /var/log/syslog shows an unknown connect from 45.13.39.24:

Code:
Jul  2 20:06:10 server4 postfix/smtpd[17584]: connect from unknown[45.13.39.24]
Jul  2 20:06:13 server4 postfix/smtpd[17584]: warning: unknown[45.13.39.24]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jul  2 20:06:13 server4 postfix/smtpd[17584]: disconnect from unknown[45.13.39.24] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Jul  2 20:06:52 server4 postfix/smtpd[18999]: connect from unknown[45.13.39.24]
Jul  2 20:06:54 server4 postfix/smtpd[18999]: warning: unknown[45.13.39.24]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jul  2 20:06:54 server4 postfix/smtpd[18999]: disconnect from unknown[45.13.39.24] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4

The fail2ban log shows it works, but it did not block the IP 45.13.39.24:

Code:
2019-07-02 19:55:53,974 fail2ban.actions [10552]: NOTICE [sshd] Unban 112.85.42.238
2019-07-02 19:57:04,741 fail2ban.filter  [10552]: INFO   [sshd] Found 112.85.42.238 - 2019-07-02 19:57:04
2019-07-02 19:57:05,898 fail2ban.filter  [10552]: INFO   [sshd] Found 112.85.42.238 - 2019-07-02 19:57:05
2019-07-02 19:58:43,801 fail2ban.filter  [10552]: INFO   [sshd] Found 112.85.42.238 - 2019-07-02 19:58:43
2019-07-02 19:58:46,506 fail2ban.filter  [10552]: INFO   [sshd] Found 112.85.42.238 - 2019-07-02 19:58:46
2019-07-02 20:00:40,657 fail2ban.filter  [10552]: INFO   [sshd] Found 112.85.42.238 - 2019-07-02 20:00:40
2019-07-02 20:00:41,005 fail2ban.actions [10552]: NOTICE [sshd] Ban 112.85.42.238
2019-07-02 20:00:43,363 fail2ban.filter  [10552]: INFO   [sshd] Found 112.85.42.238 - 2019-07-02 20:00:42
2019-07-02 20:02:11,159 fail2ban.actions [10552]: NOTICE [sshd] Unban 122.195.200.137
2019-07-02 20:03:27,282 fail2ban.actions [10552]: NOTICE [sshd] Unban 153.36.233.244

Is there a reason why fail2ban does not block this IP? However, thanks a lot for your kind help, so I learned that fail2ban is working. Thanks so much for your help, like always.
The login is blocked when a certain amount of wrong logins from an IP is reached, see fail2ban config file for details.
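To make the threshold behaviour concrete, here is a small added simulation of how a fail2ban jail decides to ban (it is example code written for this thread, not fail2ban's own implementation and not from the ISPConfig guide). It replays constructed syslog lines (documentation IPs 192.0.2.x, not the ones quoted above) through two jails: an `sshd` jail and a `postfix-sasl` jail that matches the "SASL LOGIN authentication failed" lines from the post above. The option names `maxretry`, `findtime` and `bantime` are fail2ban's real jail settings; the values, the regexes and the jail list are assumptions for the example. The fail2ban log quoted above only ever mentions the `[sshd]` jail, and the simulation shows the two reasons an IP can go unbanned: no jail is enabled for that log source, or the number of failures within `findtime` never reaches `maxretry`.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical jail settings modelled on fail2ban's jail.conf knobs.
# maxretry/findtime/bantime are the real option names; the values and the
# failregex patterns are simplified assumptions for this example.
JAILS = {
    "sshd": {
        "failregex": re.compile(
            r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (?P<host>\S+)"),
        "maxretry": 3,
        "findtime": timedelta(minutes=10),
        "bantime": timedelta(minutes=10),
    },
    "postfix-sasl": {
        "failregex": re.compile(
            r"postfix/smtpd\[\d+\]: warning: \S+\[(?P<host>[^\]]+)\]: SASL \S+ authentication failed"),
        "maxretry": 3,
        "findtime": timedelta(minutes=10),
        "bantime": timedelta(minutes=10),
    },
}

# Syslog timestamps carry no year; we assume 2019 like the thread.
SYSLOG_TS = re.compile(r"^(\w{3})\s+(\d{1,2})\s+(\d\d:\d\d:\d\d)\s")


def parse_timestamp(line, year=2019):
    """Return the datetime of a syslog line, or None if it has no timestamp."""
    m = SYSLOG_TS.match(line)
    if not m:
        return None
    mon, day, clock = m.groups()
    return datetime.strptime(f"{year} {mon} {int(day):02d} {clock}", "%Y %b %d %H:%M:%S")


def simulate(lines, enabled):
    """Replay log lines through the enabled jails.

    Returns a list of (jail, ip, time) tuples, one per ban decision: an IP is
    banned once it has maxretry matching failures inside a findtime window.
    """
    attempts = defaultdict(deque)   # (jail, ip) -> timestamps of recent failures
    banned_until = {}               # (jail, ip) -> end of the current ban
    bans = []
    for line in lines:
        ts = parse_timestamp(line)
        if ts is None:
            continue
        for name in enabled:
            jail = JAILS[name]
            m = jail["failregex"].search(line)
            if not m:
                continue
            key = (name, m.group("host"))
            if key in banned_until and ts < banned_until[key]:
                continue    # already banned; the firewall rule would drop this
            window = attempts[key]
            window.append(ts)
            # Drop failures that fell out of the findtime window.
            while window and ts - window[0] > jail["findtime"]:
                window.popleft()
            if len(window) >= jail["maxretry"]:
                bans.append((name, key[1], ts))
                banned_until[key] = ts + jail["bantime"]
                window.clear()
    return bans


# Constructed sample log: three SASL failures within a few minutes from one
# host, and three SSH failures from another host, the last one 22 minutes
# after the first two (so never three inside a 10-minute findtime).
SAMPLE_LOG = [
    "Jul  2 20:06:13 server4 postfix/smtpd[17584]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "Jul  2 20:06:54 server4 postfix/smtpd[18999]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "Jul  2 20:07:30 server4 postfix/smtpd[19120]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "Jul  2 20:08:01 server4 sshd[20011]: Failed password for invalid user kei from 192.0.2.20 port 41234 ssh2",
    "Jul  2 20:08:05 server4 sshd[20013]: Failed password for invalid user kei from 192.0.2.20 port 41240 ssh2",
    "Jul  2 20:30:00 server4 sshd[20400]: Failed password for root from 192.0.2.20 port 41300 ssh2",
]

if __name__ == "__main__":
    print("only sshd enabled:      ", simulate(SAMPLE_LOG, ["sshd"]))
    print("sshd + postfix-sasl:    ", simulate(SAMPLE_LOG, ["sshd", "postfix-sasl"]))
```

With only the `sshd` jail enabled the run produces no ban at all: the SASL lines are never inspected, and the SSH host has only two failures inside any 10-minute window. Enabling the `postfix-sasl` jail bans 192.0.2.10 on its third failure. On a real system the equivalent check is to look in jail.local for which jails are `enabled = true` and what `maxretry` and `findtime` they use.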
And compare your fail2ban setup with the one from install guide, chapter 15: https://www.howtoforge.com/tutorial...pureftpd-bind-postfix-doveot-and-ispconfig/2/