Hiya all,
I've got loads of brute force attempts in my logwatch log. I use fail2ban, but it does not look like it's applying the rules correctly.
Can someone help out?
I've got this in /etc/fail2ban/jail.conf and sshd.conf:
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 6
failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$
            ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
            ^%(__prefix_line)sFailed (?:password|publickey) for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$
            ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
            ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers$
            ^%(__prefix_line)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
            ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
            ^%(__prefix_line)sAddress <HOST> .* POSSIBLE BREAK-IN ATTEMPT!*\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$
The root brute force attempts are logged here:
Jun 17 11:30:01 sosaria CRON[25921]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 17 11:30:01 sosaria CRON[25922]: pam_unix(cron:session): session closed for user root
Jun 17 11:30:01 sosaria CRON[25921]: pam_unix(cron:session): session closed for user root
Jun 17 11:30:02 sosaria CRON[25920]: pam_unix(cron:session): session closed for user root
Jun 17 11:33:36 sosaria CRON[25919]: pam_unix(cron:session): session closed for user root
Jun 17 11:35:01 sosaria CRON[26082]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 17 11:35:02 sosaria CRON[26082]: pam_unix(cron:session): session closed for user root
Jun 17 11:39:01 sosaria CRON[26153]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 17 11:39:01 sosaria CRON[26153]: pam_unix(cron:session): session closed for user root
Jun 17 11:40:01 sosaria CRON[26168]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 17 11:40:01 sosaria CRON[26168]: pam_unix(cron:session): session closed for user root
Jun 17 11:45:01 sosaria CRON[26244]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 17 11:45:01 sosaria CRON[26244]: pam_unix(cron:session): session closed for user root
Jun 17 11:50:01 sosaria CRON[26338]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 17 11:50:01 sosaria CRON[26338]: pam_unix(cron:session): session closed for user root
Jun 17 11:51:19 sosaria sshd[26373]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=115.209.171.162 user=root
Jun 17 11:51:22 sosaria sshd[26373]: Failed password for root from 115.209.171.162 port 56229 ssh2
Jun 17 11:52:16 sosaria sshd[26384]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=121.199.52.73 user=root
Jun 17 11:52:18 sosaria sshd[26384]: Failed password for root from 121.199.52.73 port 33520 ssh2
Jun 17 11:55:01 sosaria CRON[26426]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 17 11:55:02 sosaria CRON[26426]: pam_unix(cron:session): session closed for user root
Jun 17 12:00:01 sosaria CRON[26507]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 17 12:00:01 sosaria CRON[26506]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 17 12:00:01 sosaria CRON[26504]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 17 12:00:01 sosaria CRON[26505]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 17 12:00:01 sosaria CRON[26507]: pam_unix(cron:session): session closed for user root
Jun 17 12:00:01 sosaria CRON[26506]: pam_unix(cron:session): session closed for user root
Jun 17 12:00:03 sosaria CRON[26505]: pam_unix(cron:session): session closed for user root
Jun 17 12:03:34 sosaria CRON[26504]: pam_unix(cron:session): session closed for user root
Jun 17 12:05:01 sosaria CRON[26662]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 17 12:05:01 sosaria CRON[26662]: pam_unix(cron:session): session closed for user root
Jun 17 12:09:01 sosaria CRON[26750]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 17 12:09:01 sosaria CRON[26750]: pam_unix(cron:session): session closed for user root
Jun 17 12:10:01 sosaria CRON[26781]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 17 12:10:01 sosaria CRON[26781]: pam_unix(cron:session): session closed for user root
Jun 17 12:10:51 sosaria sshd[26812]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=91.224.160.39 user=root
Jun 17 12:10:53 sosaria sshd[26812]: Failed password for root from 91.224.160.39 port 36601 ssh2
Jun 17 12:10:55 sosaria sshd[26812]: Failed password for root from 91.224.160.39 port 36601 ssh2
Jun 17 12:10:58 sosaria sshd[26812]: Failed password for root from 91.224.160.39 port 36601 ssh2
Jun 17 12:11:00 sosaria sshd[26812]: Failed password for root from 91.224.160.39 port 36601 ssh2
Jun 17 12:11:03 sosaria sshd[26812]: Failed password for root from 91.224.160.39 port 36601 ssh2
Jun 17 12:11:06 sosaria sshd[26812]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=91.224.160.39 user=root
Jun 17 12:11:07 sosaria sshd[26823]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=91.224.160.39 user=root
Jun 17 12:11:09 sosaria sshd[26823]: Failed password for root from 91.224.160.39 port 34538 ssh2
Jun 17 12:11:11 sosaria sshd[26823]: Failed password for root from 91.224.160.39 port 34538 ssh2
Jun 17 12:11:14 sosaria sshd[26823]: Failed password for root from 91.224.160.39 port 34538 ssh2
Jun 17 12:11:15 sosaria sshd[26823]: Failed password for root from 91.224.160.39 port 34538 ssh2
Jun 17 12:11:18 sosaria sshd[26823]: Failed password for root from 91.224.160.39 port 34538 ssh2
Jun 17 12:11:20 sosaria sshd[26823]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=91.224.160.39 user=root
Jun 17 12:11:20 sosaria sshd[26825]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=91.224.160.39 user=root
Jun 17 12:11:22 sosaria sshd[26825]: Failed password for root from 91.224.160.39 port 44559 ssh2
Jun 17 12:11:24 sosaria sshd[26825]: Failed password for root from 91.224.160.39 port 44559 ssh2
My logwatch report:
Failed logins from:
   5.189.144.15 (vmi74005.contabo.host): 1608 times
      root/password: 1591 times
      nobody/password: 3 times
      backup/password: 2 times
      ftp/password: 2 times
      mysql/password: 2 times
      sshd/password: 2 times
      sync/password: 2 times
      games/password: 1 time
      mail/password: 1 time
      news/password: 1 time
      www-data/password: 1 time
   54.67.14.28 (ec2-54-67-14-28.us-west-1.compute.amazonaws.com): 60 times
      root/password: 60 times
   91.201.236.158: 73 times
      root/password: 73 times
   91.224.160.10: 24 times
      root/password: 24 times
   103.207.36.136: 2 times
      root/password: 2 times
   113.57.232.34: 1 time
      root/password: 1 time
   187.141.5.177 (lan-d32-0806-1134.uninet-ide.com.mx): 10 times
      root/password: 9 times
      ftp/password: 1 time
   190.214.44.21 (mail.19d04.mspz7.gob.ec): 79 times
      root/password: 79 times
   201.249.231.59 (201-249-231-59.estatic.cantv.net): 3 times
      root/password: 3 times
   212.83.145.18 (212-83-145-18.rev.poneytelecom.eu): 2 times
      root/password: 2 times
   212.83.148.113 (212-83-148-113.rev.poneytelecom.eu): 2 times
      root/password: 2 times
   212.129.61.148 (212-129-61-148.rev.poneytelecom.eu): 6 times
      root/password: 4 times
      ftp/password: 2 times
   217.144.201.243 (static-201-243.is.net.pl): 713 times
      root/password: 713 times
Thanks,
Rob
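Added example, not part of Rob's post: a small Python emulation of the [ssh] jail that runs the posted failregex over a constructed subset of the auth.log lines quoted above and reports which hosts would reach maxretry = 6 inside the findtime window. It shows that the filter as posted does match both the "Failed password for root from ... port ... ssh2" lines and the "pam_unix(sshd:auth): authentication failure; ... rhost=..." lines, so 91.224.160.39 hits maxretry at 12:11:03, which points the troubleshooting away from the regex itself. Assumptions, labelled in the code: PREFIX_LINE is a simplified stand-in for fail2ban's %(__prefix_line)s (the real one in common.conf is more general), the syslog year is fixed because the lines carry none, and findtime defaults to fail2ban's 600 seconds.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Stand-in for fail2ban's %(__prefix_line)s: optional hostname, optional
# "sshd[pid]: " and optional "pam_unix(sshd:auth): ".  The real definition in
# common.conf is more general; this simplification is an assumption that covers
# the syslog lines in the post.  fail2ban strips the timestamp before applying
# the failregex, which SYSLOG_TS does here.
PREFIX_LINE = r"\s*(?:\S+\s+)?(?:sshd(?:\[\d+\])?:\s+)?(?:pam_unix\(\S+:auth\):\s+)?"
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"   # what fail2ban substitutes for <HOST>
SYSLOG_TS = re.compile(r"^(\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(.*)$")
YEAR = 2016   # syslog carries no year; assumed only so timestamps can be subtracted

# The failregex lines exactly as posted for the sshd filter.
FAILREGEX = [
    r"^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$",
    r"^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$",
    r"^%(__prefix_line)sFailed (?:password|publickey) for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$",
    r"^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$",
    r"^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$",
    r"^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers$",
    r"^%(__prefix_line)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$",
    r"^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$",
    r"^%(__prefix_line)sAddress <HOST> .* POSSIBLE BREAK-IN ATTEMPT!*\s*$",
    r"^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$",
]
COMPILED = [re.compile(r.replace("%(__prefix_line)s", PREFIX_LINE).replace("<HOST>", HOST))
            for r in FAILREGEX]

# Constructed sample: a subset of the auth.log lines quoted in the post.
SAMPLE_LOG = """\
Jun 17 11:50:01 sosaria CRON[26338]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 17 11:50:01 sosaria CRON[26338]: pam_unix(cron:session): session closed for user root
Jun 17 11:51:19 sosaria sshd[26373]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=115.209.171.162 user=root
Jun 17 11:51:22 sosaria sshd[26373]: Failed password for root from 115.209.171.162 port 56229 ssh2
Jun 17 11:52:16 sosaria sshd[26384]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=121.199.52.73 user=root
Jun 17 11:52:18 sosaria sshd[26384]: Failed password for root from 121.199.52.73 port 33520 ssh2
Jun 17 12:10:51 sosaria sshd[26812]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=91.224.160.39 user=root
Jun 17 12:10:53 sosaria sshd[26812]: Failed password for root from 91.224.160.39 port 36601 ssh2
Jun 17 12:10:55 sosaria sshd[26812]: Failed password for root from 91.224.160.39 port 36601 ssh2
Jun 17 12:10:58 sosaria sshd[26812]: Failed password for root from 91.224.160.39 port 36601 ssh2
Jun 17 12:11:00 sosaria sshd[26812]: Failed password for root from 91.224.160.39 port 36601 ssh2
Jun 17 12:11:03 sosaria sshd[26812]: Failed password for root from 91.224.160.39 port 36601 ssh2
Jun 17 12:11:06 sosaria sshd[26812]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=91.224.160.39 user=root
Jun 17 12:11:07 sosaria sshd[26823]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=91.224.160.39 user=root
Jun 17 12:11:09 sosaria sshd[26823]: Failed password for root from 91.224.160.39 port 34538 ssh2
"""


def match_failure(line):
    """Return (timestamp, host) when a line matches one of the failregex, else None."""
    m = SYSLOG_TS.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
    for rx in COMPILED:
        hit = rx.match(m.group(2))
        if hit:
            return ts, hit.group("host")
    return None


def analyse(lines, maxretry=6, findtime=600):
    """Emulate the jail: count hits per host and record when a host first reaches
    maxretry hits inside a findtime-second window (600 s is fail2ban's default)."""
    hits, recent, banned = Counter(), defaultdict(list), {}
    window = timedelta(seconds=findtime)
    for line in lines:
        found = match_failure(line)
        if found is None:
            continue
        ts, host = found
        hits[host] += 1
        # keep only failures still inside the window, as fail2ban's findtime does
        recent[host] = [t for t in recent[host] if ts - t <= window] + [ts]
        if host not in banned and len(recent[host]) >= maxretry:
            banned[host] = ts
    return hits, banned


if __name__ == "__main__":
    hits, banned = analyse(SAMPLE_LOG.splitlines())
    for host, n in hits.most_common():
        when = banned[host].strftime("%H:%M:%S") if host in banned else "not reached"
        print(f"{host:16} {n:3} hits   maxretry ban: {when}")
```

Note that the "PAM 4 more authentication failures" summary lines and the CRON session lines match nothing, and that shrinking findtime makes the bursts fall out of the window, which is the usual reason a host with many failures is never banned. The authoritative check on the real box is fail2ban's own tester, `fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf`, run against whichever file actually holds the failregex (a filter file expects it under [Definition], with the continuation lines indented). If that reports matches but nothing gets banned, check that the jail is loaded and running with `fail2ban-client status ssh` and that the fail2ban chains exist in iptables.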