Debian User Forums

[robbo007]

Hiya all,

I've got loads of brute force attempts in my logwatch log. I use fail2ban but does not look like its applying the rules correctly.

Can someone help out?

I've got in the /etc/fail2ban/jail.conf y sshd.conf

[ssh]

enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 6


failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$
^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
^%(__prefix_line)sFailed (?:password|publickey) for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$
^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers$
^%(__prefix_line)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
^%(__prefix_line)sAddress <HOST> .* POSSIBLE BREAK-IN ATTEMPT!*\s*$
^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$



The root brute force attempts are logged here:

Jun 17 11:30:01 sosaria CRON[25921]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 17 11:30:01 sosaria CRON[25922]: pam_unix(cron:session): session closed for user root
Jun 17 11:30:01 sosaria CRON[25921]: pam_unix(cron:session): session closed for user root
Jun 17 11:30:02 sosaria CRON[25920]: pam_unix(cron:session): session closed for user root
Jun 17 11:33:36 sosaria CRON[25919]: pam_unix(cron:session): session closed for user root
Jun 17 11:35:01 sosaria CRON[26082]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 17 11:35:02 sosaria CRON[26082]: pam_unix(cron:session): session closed for user root
Jun 17 11:39:01 sosaria CRON[26153]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 17 11:39:01 sosaria CRON[26153]: pam_unix(cron:session): session closed for user root
Jun 17 11:40:01 sosaria CRON[26168]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 17 11:40:01 sosaria CRON[26168]: pam_unix(cron:session): session closed for user root
Jun 17 11:45:01 sosaria CRON[26244]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 17 11:45:01 sosaria CRON[26244]: pam_unix(cron:session): session closed for user root
Jun 17 11:50:01 sosaria CRON[26338]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 17 11:50:01 sosaria CRON[26338]: pam_unix(cron:session): session closed for user root
Jun 17 11:51:19 sosaria sshd[26373]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=115.209.171.162 user=root
Jun 17 11:51:22 sosaria sshd[26373]: Failed password for root from 115.209.171.162 port 56229 ssh2
Jun 17 11:52:16 sosaria sshd[26384]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=121.199.52.73 user=root
Jun 17 11:52:18 sosaria sshd[26384]: Failed password for root from 121.199.52.73 port 33520 ssh2
Jun 17 11:55:01 sosaria CRON[26426]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 17 11:55:02 sosaria CRON[26426]: pam_unix(cron:session): session closed for user root
Jun 17 12:00:01 sosaria CRON[26507]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 17 12:00:01 sosaria CRON[26506]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 17 12:00:01 sosaria CRON[26504]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 17 12:00:01 sosaria CRON[26505]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 17 12:00:01 sosaria CRON[26507]: pam_unix(cron:session): session closed for user root
Jun 17 12:00:01 sosaria CRON[26506]: pam_unix(cron:session): session closed for user root
Jun 17 12:00:03 sosaria CRON[26505]: pam_unix(cron:session): session closed for user root
Jun 17 12:03:34 sosaria CRON[26504]: pam_unix(cron:session): session closed for user root
Jun 17 12:05:01 sosaria CRON[26662]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 17 12:05:01 sosaria CRON[26662]: pam_unix(cron:session): session closed for user root
Jun 17 12:09:01 sosaria CRON[26750]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 17 12:09:01 sosaria CRON[26750]: pam_unix(cron:session): session closed for user root
Jun 17 12:10:01 sosaria CRON[26781]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 17 12:10:01 sosaria CRON[26781]: pam_unix(cron:session): session closed for user root
Jun 17 12:10:51 sosaria sshd[26812]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=91.224.160.39 user=root
Jun 17 12:10:53 sosaria sshd[26812]: Failed password for root from 91.224.160.39 port 36601 ssh2
Jun 17 12:10:55 sosaria sshd[26812]: Failed password for root from 91.224.160.39 port 36601 ssh2
Jun 17 12:10:58 sosaria sshd[26812]: Failed password for root from 91.224.160.39 port 36601 ssh2
Jun 17 12:11:00 sosaria sshd[26812]: Failed password for root from 91.224.160.39 port 36601 ssh2
Jun 17 12:11:03 sosaria sshd[26812]: Failed password for root from 91.224.160.39 port 36601 ssh2
Jun 17 12:11:06 sosaria sshd[26812]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=91.224.160.39 user=root
Jun 17 12:11:07 sosaria sshd[26823]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=91.224.160.39 user=root
Jun 17 12:11:09 sosaria sshd[26823]: Failed password for root from 91.224.160.39 port 34538 ssh2
Jun 17 12:11:11 sosaria sshd[26823]: Failed password for root from 91.224.160.39 port 34538 ssh2
Jun 17 12:11:14 sosaria sshd[26823]: Failed password for root from 91.224.160.39 port 34538 ssh2
Jun 17 12:11:15 sosaria sshd[26823]: Failed password for root from 91.224.160.39 port 34538 ssh2
Jun 17 12:11:18 sosaria sshd[26823]: Failed password for root from 91.224.160.39 port 34538 ssh2
Jun 17 12:11:20 sosaria sshd[26823]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=91.224.160.39 user=root
Jun 17 12:11:20 sosaria sshd[26825]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=91.224.160.39 user=root
Jun 17 12:11:22 sosaria sshd[26825]: Failed password for root from 91.224.160.39 port 44559 ssh2
Jun 17 12:11:24 sosaria sshd[26825]: Failed password for root from 91.224.160.39 port 44559 ssh2

My logwatch report:

Failed logins from:
5.189.144.15 (vmi74005.contabo.host): 1608 times
root/password: 1591 times
nobody/password: 3 times
backup/password: 2 times
ftp/password: 2 times
mysql/password: 2 times
sshd/password: 2 times
sync/password: 2 times
games/password: 1 time
mail/password: 1 time
news/password: 1 time
www-data/password: 1 time
54.67.14.28 (ec2-54-67-14-28.us-west-1.compute.amazonaws.com): 60 times
root/password: 60 times
91.201.236.158: 73 times
root/password: 73 times
91.224.160.10: 24 times
root/password: 24 times
103.207.36.136: 2 times
root/password: 2 times
113.57.232.34: 1 time
root/password: 1 time
187.141.5.177 (lan-d32-0806-1134.uninet-ide.com.mx): 10 times
root/password: 9 times
ftp/password: 1 time
190.214.44.21 (mail.19d04.mspz7.gob.ec): 79 times
root/password: 79 times
201.249.231.59 (201-249-231-59.estatic.cantv.net): 3 times
root/password: 3 times
212.83.145.18 (212-83-145-18.rev.poneytelecom.eu): 2 times
root/password: 2 times
212.83.148.113 (212-83-148-113.rev.poneytelecom.eu): 2 times
root/password: 2 times
212.129.61.148 (212-129-61-148.rev.poneytelecom.eu): 6 times
root/password: 4 times
ftp/password: 2 times
217.144.201.243 (static-201-243.is.net.pl): 713 times
root/password: 713 times

Thanks,
Rob

[day]

use a different port than 22

[GarryRicketson]

It would be nice if the OP would use code boxes.
http://forums.debian.net/viewtopic.php?f=16&t=123831

A lot of these that the OP shows, are common bots and they constantly
go from site to site , trying to access them, the main thing is , that they do
not succeed.
I noticed this 1, and there are other the OP show, but it is to much trouble
trying to read them,with out code boxes:

From the list posted by the OP:

Code: Select all

54.67.14.28 (ec2-54-67-14-28.us-west-1.compute.amazonaws.com): 60 times


For example, on this, why do you allow it to stay connected and try 60 times ?
It should be blocked, and simply not allowed any access.
It should not even be getting a chance to try login. They are
known to be "bad".


Example, from my logs, :

Code: Select all

 #: 28872 @: Thu, 16 Jun 2016 03:25:39 -0700 Running: 0.4.10a3 / 75d
Host: ec2-54-82-97-53.compute-1.amazonaws.com
IP: 54.82.97.53
Score: 1
Violation count: 1
Why blocked: Amazon Web Services. Not an access provider ISP. Used by hackers, Keyword spamming SEO bots, and other unsavories (CLD-0AMZ). Checked for bypass -
Query:
Referer:
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36

==============================

[robbo007]

How can I stop it connecting 60 times? In fail2ban its set to 6. But I think its not catching it as the ports are not 22. They are using a different port each time.

[GarryRicketson]

I am not much of a expert at all on this, so can't say much,..
How ever there are some "experts" here , or used to be,
http://spambotsecurity.com/
And this forum:
http://www.spambotsecurity.com/forum/

All thought it says "spambot security" , they do go beyond just spam bots.
A lot may depend on and need some better details, about your server,
if it is a "production" server ? ,...
I am assuming it is online, ..these kind of attempts would not be seen on a
"local host" server, that is not online (internet).

Security is a pretty complex subject, also I really have never used "failtoban", all though
I have heard of it and seen it mentioned quite often.
This might be a good place to start,
https://www.debian.org/doc/manuals/securing-debian-howto/ch10.en.html

https://debian-administration.org/article/87/Keeping_SSH_access_secure

and this:
https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-fail2ban-on-debian-7

I have to go out, for some errands, and can not say any more just now, maybe some
one else will have more details,..
There are data bases , that have lists, of most of the IPs and ISPs that you need to be blocking, that is why I like the "ZBBLOCK" script, it access them, and checks, and then
if it is listed, it gets blocked,.. some searches may also be of help to you,.. I will try to get back later on this.

[pylkko]

No firewall? Block all ports except ssh 22 if that is what you need. Move ssh to another port and block root logons entirely.

[dasein]

...block root logons entirely.

+1

Having a password-based root login available is going to make your machine a target, period.

Two options:

1) Disable root logins and use su. That way:

- There's no "known" user name (i.e. "root") for attackers to try to hack
- An attacker has to be able to compromise TWO passwords not just
one, in order to wreak root-level havoc on your machine

2) Better still: use passwordless key-based login if at all practical.

tl;dr: Having a machine on the interwebs with remote root login available is a stunningly bad idea.