strange fail2ban behaviour > doesn't ban specific IP

Discussion in 'Server Operation' started by Djamu, Jan 11, 2012.

  1. Djamu

    Djamu New Member

    Hi all,

    I'm having a strange fail2ban issue ( which otherwise works perfectly ).
    For some reason the sshd.conf fail2ban regex doesn't pick up a specific brute force attack IP ( 219.140.165.85 ), which has already been probing one of my servers for some weeks; the probing isn't continuous but happens once every 20-30 minutes.
    ( the only reason I noticed is because my logwatch reports indicated it )

    The regex is the standard regex ( I think ) that came with the package
    Code:
    failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$
                ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
                ^%(__prefix_line)sFailed (?:password|publickey) for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$
                ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
                ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
                ^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers$
                ^%(__prefix_line)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
                ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
                ^%(__prefix_line)sAddress <HOST> .* POSSIBLE BREAK-IN ATTEMPT!*\s*$
                ^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$
    A grepped auth.log for an IP ( 61.54.242.194 ) that got banned:
    Code:
    Jan 10 01:02:37 localhost sshd[7801]: reverse mapping checking getaddrinfo for hn.kd.dhcp [61.54.242.194] failed - POSSIBLE BREAK-IN ATTEMPT!
    Jan 10 01:02:37 localhost sshd[7801]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.54.242.194  user=root
    Jan 10 01:02:39 localhost sshd[7801]: Failed password for root from 61.54.242.194 port 60389 ssh2
    Jan 10 01:02:47 localhost sshd[12130]: reverse mapping checking getaddrinfo for hn.kd.dhcp [61.54.242.194] failed - POSSIBLE BREAK-IN ATTEMPT!
    Jan 10 01:02:47 localhost sshd[12130]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.54.242.194  user=root
    Jan 10 01:02:48 localhost sshd[12130]: Failed password for root from 61.54.242.194 port 33303 ssh2
    Jan 10 01:02:54 localhost sshd[15027]: reverse mapping checking getaddrinfo for hn.kd.dhcp [61.54.242.194] failed - POSSIBLE BREAK-IN ATTEMPT!
    Jan 10 01:02:54 localhost sshd[15027]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.54.242.194  user=root
    Jan 10 01:02:57 localhost sshd[15027]: Failed password for root from 61.54.242.194 port 35084 ssh2
    Jan 10 01:03:01 localhost sshd[17113]: reverse mapping checking getaddrinfo for hn.kd.dhcp [61.54.242.194] failed - POSSIBLE BREAK-IN ATTEMPT!
    Jan 10 01:03:01 localhost sshd[17113]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.54.242.194  user=root
    Jan 10 01:03:03 localhost sshd[17113]: Failed password for root from 61.54.242.194 port 36658 ssh2
    Jan 10 01:03:07 localhost sshd[19775]: reverse mapping checking getaddrinfo for hn.kd.dhcp [61.54.242.194] failed - POSSIBLE BREAK-IN ATTEMPT!
    Jan 10 01:03:07 localhost sshd[19775]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.54.242.194  user=root
    Jan 10 01:03:09 localhost sshd[19775]: Failed password for root from 61.54.242.194 port 37816 ssh2
    Jan 10 01:03:20 localhost sshd[22300]: reverse mapping checking getaddrinfo for hn.kd.dhcp [61.54.242.194] failed - POSSIBLE BREAK-IN ATTEMPT!
    Jan 10 01:03:20 localhost sshd[22300]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.54.242.194  user=root
    Jan 10 01:03:22 localhost sshd[22300]: Failed password for root from 61.54.242.194 port 38909 ssh2
    
    And the log snippet for the IP ( 219.140.165.85 ) that doesn't get banned
    ( I only took the 9th of January ):
    Code:
    Jan  9 00:13:28 localhost sshd[26129]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.140.165.85  user=root
    Jan  9 00:13:30 localhost sshd[26129]: Failed password for root from 219.140.165.85 port 47955 ssh2
    Jan  9 00:30:19 localhost sshd[29098]: Did not receive identification string from 219.140.165.85
    Jan  9 00:30:19 localhost sshd[29090]: Did not receive identification string from 219.140.165.85
    Jan  9 00:47:22 localhost sshd[32029]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.140.165.85  user=root
    Jan  9 00:47:23 localhost sshd[32029]: Failed password for root from 219.140.165.85 port 41517 ssh2
    Jan  9 01:55:08 localhost sshd[17262]: Did not receive identification string from 219.140.165.85
    Jan  9 02:12:01 localhost sshd[22038]: Did not receive identification string from 219.140.165.85
    Jan  9 02:47:10 localhost sshd[27552]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.140.165.85  user=root
    Jan  9 02:47:10 localhost sshd[27559]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.140.165.85  user=root
    Jan  9 02:47:11 localhost sshd[27552]: Failed password for root from 219.140.165.85 port 47819 ssh2
    Jan  9 02:47:12 localhost sshd[27559]: Failed password for root from 219.140.165.85 port 46498 ssh2
    Jan  9 03:04:20 localhost sshd[921]: Did not receive identification string from 219.140.165.85
    Jan  9 03:21:24 localhost sshd[4193]: Did not receive identification string from 219.140.165.85
    Jan  9 03:39:01 localhost sshd[6725]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.140.165.85  user=root
    Jan  9 03:39:03 localhost sshd[6725]: Failed password for root from 219.140.165.85 port 48121 ssh2
    Jan  9 03:39:10 localhost sshd[6726]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.140.165.85  user=root
    Jan  9 03:39:12 localhost sshd[6726]: Failed password for root from 219.140.165.85 port 38199 ssh2
    Jan  9 03:56:00 localhost sshd[9882]: Did not receive identification string from 219.140.165.85
    Jan  9 04:13:27 localhost sshd[13404]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.140.165.85  user=root
    Jan  9 04:13:29 localhost sshd[13404]: Failed password for root from 219.140.165.85 port 58637 ssh2
    Jan  9 04:47:38 localhost sshd[19128]: Did not receive identification string from 219.140.165.85
    Jan  9 04:47:38 localhost sshd[19129]: Did not receive identification string from 219.140.165.85
    Jan  9 05:04:41 localhost sshd[22382]: Did not receive identification string from 219.140.165.85
    Jan  9 05:22:01 localhost sshd[25527]: Did not receive identification string from 219.140.165.85
    Jan  9 05:22:04 localhost sshd[25525]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.140.165.85  user=root
    Jan  9 05:22:06 localhost sshd[25525]: Failed password for root from 219.140.165.85 port 44002 ssh2
    Jan  9 05:39:03 localhost sshd[27919]: Did not receive identification string from 219.140.165.85
    Jan  9 05:57:04 localhost sshd[31080]: Did not receive identification string from 219.140.165.85
    Jan  9 06:31:48 localhost sshd[23091]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.140.165.85  user=root
    Jan  9 06:31:50 localhost sshd[23091]: Failed password for root from 219.140.165.85 port 38770 ssh2
    Jan  9 07:06:02 localhost sshd[28762]: Did not receive identification string from 219.140.165.85
    Jan  9 09:06:01 localhost sshd[18869]: Did not receive identification string from 219.140.165.85
    Jan  9 09:06:02 localhost sshd[18876]: Did not receive identification string from 219.140.165.85
    Jan  9 09:23:20 localhost sshd[21301]: Did not receive identification string from 219.140.165.85
    Jan  9 09:40:34 localhost sshd[24444]: Did not receive identification string from 219.140.165.85
    Jan  9 09:57:31 localhost sshd[26825]: Did not receive identification string from 219.140.165.85
    Jan  9 09:57:37 localhost sshd[26823]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.140.165.85  user=root
    Jan  9 09:57:39 localhost sshd[26823]: Failed password for root from 219.140.165.85 port 52388 ssh2
    Jan  9 10:31:21 localhost sshd[975]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.140.165.85  user=root
    Jan  9 10:31:23 localhost sshd[975]: Failed password for root from 219.140.165.85 port 45589 ssh2
    Jan  9 10:31:34 localhost sshd[979]: Did not receive identification string from 219.140.165.85
    Jan  9 10:31:37 localhost sshd[977]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.140.165.85  user=root
    Jan  9 10:31:39 localhost sshd[977]: Failed password for root from 219.140.165.85 port 52786 ssh2
    Jan  9 10:48:39 localhost sshd[3493]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.140.165.85  user=root
    Jan  9 10:48:42 localhost sshd[3493]: Failed password for root from 219.140.165.85 port 45118 ssh2
    Jan  9 11:05:36 localhost sshd[6921]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.140.165.85  user=root
    Jan  9 11:05:38 localhost sshd[6921]: Failed password for root from 219.140.165.85 port 54159 ssh2
    Jan  9 11:22:34 localhost sshd[9332]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.140.165.85  user=root
    Jan  9 11:22:34 localhost sshd[9335]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.140.165.85  user=root
    Jan  9 11:22:36 localhost sshd[9332]: Failed password for root from 219.140.165.85 port 40092 ssh2
    Jan  9 11:22:36 localhost sshd[9335]: Failed password for root from 219.140.165.85 port 50890 ssh2
    Jan  9 11:39:35 localhost sshd[11784]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.140.165.85  user=root
    Jan  9 11:39:38 localhost sshd[11784]: Failed password for root from 219.140.165.85 port 52422 ssh2
    Jan  9 11:56:33 localhost sshd[14937]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.140.165.85  user=root
    Jan  9 11:56:35 localhost sshd[14935]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.140.165.85  user=root
    Jan  9 11:56:36 localhost sshd[14937]: Failed password for root from 219.140.165.85 port 56762 ssh2
    Jan  9 11:56:37 localhost sshd[14935]: Failed password for root from 219.140.165.85 port 41024 ssh2
    Jan  9 12:13:33 localhost sshd[17514]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.140.165.85  user=root
    Jan  9 12:13:35 localhost sshd[17513]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.140.165.85  user=root
    Jan  9 12:13:35 localhost sshd[17514]: Failed password for root from 219.140.165.85 port 50360 ssh2
    Jan  9 12:13:37 localhost sshd[17513]: Failed password for root from 219.140.165.85 port 37334 ssh2
    Jan  9 12:30:42 localhost sshd[20675]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.140.165.85  user=root
    Jan  9 12:30:44 localhost sshd[20675]: Failed password for root from 219.140.165.85 port 58037 ssh2
    Jan  9 12:30:49 localhost sshd[20679]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.140.165.85  user=root
    Jan  9 12:30:50 localhost sshd[20679]: Failed password for root from 219.140.165.85 port 33452 ssh2
    Jan  9 12:47:35 localhost sshd[23272]: Did not receive identification string from 219.140.165.85
    Jan  9 12:47:40 localhost sshd[23270]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.140.165.85  user=root
    Jan  9 12:47:43 localhost sshd[23270]: Failed password for root from 219.140.165.85 port 47787 ssh2
    Jan  9 13:04:47 localhost sshd[25810]: Did not receive identification string from 219.140.165.85
    Jan  9 13:22:11 localhost sshd[28947]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.140.165.85  user=root
    Jan  9 13:22:12 localhost sshd[28947]: Failed password for root from 219.140.165.85 port 39060 ssh2
    Jan  9 13:39:20 localhost sshd[31348]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.140.165.85  user=root
    Jan  9 13:39:21 localhost sshd[31346]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.140.165.85  user=root
    Jan  9 13:39:23 localhost sshd[31348]: Failed password for root from 219.140.165.85 port 39280 ssh2
    Jan  9 13:39:23 localhost sshd[31346]: Failed password for root from 219.140.165.85 port 46194 ssh2
    Jan  9 14:14:59 localhost sshd[5822]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.140.165.85  user=root
    Jan  9 14:15:00 localhost sshd[5822]: Failed password for root from 219.140.165.85 port 60509 ssh2
    Jan  9 14:32:05 localhost sshd[8993]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.140.165.85  user=root
    Jan  9 14:32:08 localhost sshd[8993]: Failed password for root from 219.140.165.85 port 49029 ssh2
    Jan  9 14:49:22 localhost sshd[11381]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.140.165.85  user=root
    Jan  9 14:49:24 localhost sshd[11381]: Failed password for root from 219.140.165.85 port 45999 ssh2
    Jan  9 14:49:26 localhost sshd[11383]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.140.165.85  user=root
    Jan  9 14:49:28 localhost sshd[11383]: Failed password for root from 219.140.165.85 port 53114 ssh2
    Jan  9 15:06:39 localhost sshd[14668]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.140.165.85  user=root
    Jan  9 15:06:40 localhost sshd[14667]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.140.165.85  user=root
    Jan  9 15:06:41 localhost sshd[14668]: Failed password for root from 219.140.165.85 port 42538 ssh2
    Jan  9 15:06:42 localhost sshd[14667]: Failed password for root from 219.140.165.85 port 36010 ssh2
    Jan  9 15:23:57 localhost sshd[17064]: Did not receive identification string from 219.140.165.85
    Jan  9 15:23:59 localhost sshd[17062]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.140.165.85  user=root
    Jan  9 15:24:01 localhost sshd[17062]: Failed password for root from 219.140.165.85 port 54651 ssh2
    Jan  9 15:41:10 localhost sshd[20197]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.140.165.85  user=root
    Jan  9 15:41:13 localhost sshd[20197]: Failed password for root from 219.140.165.85 port 54511 ssh2
    Jan  9 16:16:05 localhost sshd[28906]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.140.165.85  user=root
    Jan  9 16:16:08 localhost sshd[28906]: Failed password for root from 219.140.165.85 port 60114 ssh2
    Jan  9 16:50:43 localhost sshd[2296]: Did not receive identification string from 219.140.165.85
    Jan  9 17:08:10 localhost sshd[5037]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.140.165.85  user=root
    Jan  9 17:08:12 localhost sshd[5037]: Failed password for root from 219.140.165.85 port 34311 ssh2
    Jan  9 17:43:05 localhost sshd[10598]: Did not receive identification string from 219.140.165.85
    Jan  9 17:43:05 localhost sshd[10599]: Did not receive identification string from 219.140.165.85
    Jan  9 18:00:34 localhost sshd[14688]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.140.165.85  user=root
    Jan  9 18:00:36 localhost sshd[14688]: Failed password for root from 219.140.165.85 port 45649 ssh2
    Jan  9 18:17:47 localhost sshd[17275]: Did not receive identification string from 219.140.165.85
    Jan  9 18:34:59 localhost sshd[19689]: Did not receive identification string from 219.140.165.85
    Jan  9 18:52:11 localhost sshd[22823]: Did not receive identification string from 219.140.165.85
    Jan  9 18:52:25 localhost sshd[22821]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.140.165.85  user=root
    Jan  9 18:52:27 localhost sshd[22821]: Failed password for root from 219.140.165.85 port 45396 ssh2
    Jan  9 19:26:33 localhost sshd[28471]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.140.165.85  user=root
    Jan  9 19:26:35 localhost sshd[28471]: Failed password for root from 219.140.165.85 port 32955 ssh2
    Jan  9 19:43:30 localhost sshd[30865]: Did not receive identification string from 219.140.165.85
    Jan  9 20:00:38 localhost sshd[2772]: Did not receive identification string from 219.140.165.85
    Jan  9 20:34:55 localhost sshd[7750]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.140.165.85  user=root
    Jan  9 20:34:58 localhost sshd[7750]: Failed password for root from 219.140.165.85 port 33403 ssh2
    Jan  9 21:26:04 localhost sshd[16735]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.140.165.85  user=root
    Jan  9 21:26:06 localhost sshd[16735]: Failed password for root from 219.140.165.85 port 57975 ssh2
    Jan  9 21:43:13 localhost sshd[19132]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.140.165.85  user=root
    Jan  9 21:43:16 localhost sshd[19132]: Failed password for root from 219.140.165.85 port 41204 ssh2
    Jan  9 22:00:10 localhost sshd[22059]: Did not receive identification string from 219.140.165.85
    Jan  9 22:00:14 localhost sshd[21803]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.140.165.85  user=root
    Jan  9 22:00:16 localhost sshd[21803]: Failed password for root from 219.140.165.85 port 38165 ssh2
    Jan  9 22:17:14 localhost sshd[24779]: Did not receive identification string from 219.140.165.85
    Jan  9 22:17:15 localhost sshd[24780]: Did not receive identification string from 219.140.165.85
    Jan  9 22:34:11 localhost sshd[27170]: Did not receive identification string from 219.140.165.85
    Jan  9 22:34:14 localhost sshd[27171]: Did not receive identification string from 219.140.165.85
    Jan  9 22:51:15 localhost sshd[30305]: Did not receive identification string from 219.140.165.85
    Jan  9 23:08:12 localhost sshd[21738]: Did not receive identification string from 219.140.165.85
    Jan  9 23:42:05 localhost sshd[27325]: Did not receive identification string from 219.140.165.85
    Jan  9 23:59:06 localhost sshd[29724]: Did not receive identification string from 219.140.165.85
    
    Frankly I can't see a difference between the two logs, nor why the 1st gets banned and the other doesn't ...
    Any help is greatly appreciated.

    Jan
     
  2. falko

    falko Super Moderator Howtoforge Staff

    Did you check if that IP is whitelisted in your fail2ban configuration?
     
  3. Djamu

    Djamu New Member

    Thanks Falko for your suggestion,

    No, it's not on the whitelist.
    But I started thinking of another route, as the attack is a very slow one, plus the fact that a properly written daemon ( fail2ban ) wouldn't parse the complete logs ( as that would be too resource intensive ).

    So I asked on their mailing list if there is a time setting the daemon uses to look back in the logs when counting offending IPs.
    Lo and behold, there is....

    As reference for other users ...

    The default is 10 min.
    The parameter is called "findtime = 600" ( time in seconds )
    and should go in jail.local under [DEFAULT].
    I have set it now to 4 hours > 14400 sec.
    My setting:
    Code:
    [DEFAULT]
    ignoreip = 127.0.0.1
    destemail = *****@*****
    # ban after 3 matching failures ...
    maxretry = 3
    # ... for 24 hours ...
    bantime  = 86400
    # ... if they occur within a 4 hour window ( default 600 = 10 min )
    findtime = 14400
    backend = polling
    banaction = iptables-multiport
    mta = sendmail
    protocol = tcp
    .....
    .....
    
    my 5 cents
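To make the findtime / maxretry interaction concrete, here is a small added example ( my own illustration, not fail2ban's code ) that replays a few of the "Failed password" lines from the two logs above through a sliding-window counter like the one fail2ban uses: with findtime = 600 the fast attacker from 61.54.242.194 is banned within seconds, while the slow one from 219.140.165.85 never accumulates 3 failures in a 10 minute window; raising findtime to 14400 catches it. It only counts the "Failed password" pattern from the filter above, assumes the year 2012 for the syslog timestamps, and the log lines are a constructed subset of the ones posted in this thread.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# The third failregex from the sshd filter above, with fail2ban's
# %(__prefix_line)s and <HOST> placeholders expanded by hand (assumption:
# a plain "Mon DD HH:MM:SS host sshd[pid]: " syslog prefix).
PREFIX_LINE = r"(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAILREGEX = re.compile(
    r"^" + PREFIX_LINE
    + r"Failed (?:password|publickey) for .* from " + HOST
    + r"(?: port \d*)?(?: ssh\d*)?$"
)

# Constructed subset of the auth.log lines quoted in the thread.
FAST_LOG = """\
Jan 10 01:02:39 localhost sshd[7801]: Failed password for root from 61.54.242.194 port 60389 ssh2
Jan 10 01:02:48 localhost sshd[12130]: Failed password for root from 61.54.242.194 port 33303 ssh2
Jan 10 01:02:57 localhost sshd[15027]: Failed password for root from 61.54.242.194 port 35084 ssh2
"""
SLOW_LOG = """\
Jan  9 00:13:30 localhost sshd[26129]: Failed password for root from 219.140.165.85 port 47955 ssh2
Jan  9 00:47:23 localhost sshd[32029]: Failed password for root from 219.140.165.85 port 41517 ssh2
Jan  9 02:47:11 localhost sshd[27552]: Failed password for root from 219.140.165.85 port 47819 ssh2
Jan  9 02:47:12 localhost sshd[27559]: Failed password for root from 219.140.165.85 port 46498 ssh2
Jan  9 03:39:03 localhost sshd[6725]: Failed password for root from 219.140.165.85 port 48121 ssh2
"""

YEAR = 2012  # syslog lines carry no year; assumed from the thread date


def parse_ts(ts):
    """Turn 'Jan  9 02:47:11' into a datetime (the format's space absorbs the double blank)."""
    return datetime.strptime(f"{YEAR} {ts}", "%Y %b %d %H:%M:%S")


def first_ban(log, findtime, maxretry):
    """Return {host: ISO time of ban} for every host that reaches maxretry
    matching failures inside any findtime-second window, as fail2ban would."""
    windows = defaultdict(deque)
    banned = {}
    for line in log.splitlines():
        m = FAILREGEX.match(line)
        if not m:
            continue
        host = m.group("host")
        if host in banned:
            continue  # already banned, later lines are irrelevant
        t = parse_ts(m.group("ts"))
        w = windows[host]
        w.append(t)
        # Forget failures older than findtime seconds relative to this one.
        while w and (t - w[0]).total_seconds() > findtime:
            w.popleft()
        if len(w) >= maxretry:
            banned[host] = t.isoformat()
    return banned


if __name__ == "__main__":
    for name, log in (("fast", FAST_LOG), ("slow", SLOW_LOG)):
        for findtime in (600, 14400):
            print(name, findtime, first_ban(log, findtime, 3))
```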
     
