entries in the auth log file


cruz
22nd January 2008, 06:45
I have fail2ban installed on my server (Debian 4.0 perfect setup), but I am not sure it is working. I found this in the auth log file.
Jan 21 14:01:51 server1 sshd[13695]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=85.91.5.69 user=root
Jan 21 14:01:53 server1 sshd[13695]: Failed password for root from 85.91.5.69 port 48327 ssh2
Jan 21 14:01:55 server1 sshd[13699]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=85.91.5.69 user=root
Jan 21 14:01:57 server1 sshd[13699]: Failed password for root from 85.91.5.69 port 48527 ssh2
Jan 21 14:01:58 server1 sshd[13701]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=85.91.5.69 user=root
Jan 21 14:02:00 server1 sshd[13701]: Failed password for root from 85.91.5.69 port 48703 ssh2
Jan 21 14:02:02 server1 sshd[13703]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=85.91.5.69 user=root
Jan 21 14:02:04 server1 sshd[13703]: Failed password for root from 85.91.5.69 port 48865 ssh2
Jan 21 14:02:06 server1 sshd[13707]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=85.91.5.69 user=root
Jan 21 14:02:08 server1 sshd[13707]: Failed password for root from 85.91.5.69 port 34690 ssh2
Jan 21 14:02:10 server1 sshd[13709]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=85.91.5.69 user=root
Jan 21 14:02:12 server1 sshd[13709]: Failed password for root from 85.91.5.69 port 34841 ssh2
Jan 21 14:02:13 server1 sshd[13711]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=85.91.5.69 user=root
Jan 21 14:02:16 server1 sshd[13711]: Failed password for root from 85.91.5.69 port 34986 ssh2
Jan 21 14:02:18 server1 sshd[13715]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=85.91.5.69 user=root
Jan 21 14:02:20 server1 sshd[13715]: Failed password for root from 85.91.5.69 port 35155 ssh2
Jan 21 14:02:21 server1 sshd[13717]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=85.91.5.69 user=root
Jan 21 14:02:23 server1 sshd[13717]: Failed password for root from 85.91.5.69 port 35296 ssh2
Jan 21 14:02:25 server1 sshd[13721]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=85.91.5.69 user=root
Jan 21 14:02:28 server1 sshd[13721]: Failed password for root from 85.91.5.69 port 35446 ssh2
Jan 21 14:02:29 server1 sshd[13723]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=85.91.5.69 user=root
Jan 21 14:02:31 server1 sshd[13723]: Failed password for root from 85.91.5.69 port 35601 ssh2
Jan 21 14:02:33 server1 sshd[13725]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=85.91.5.69 user=root
Jan 21 14:02:35 server1 sshd[13725]: Failed password for root from 85.91.5.69 port 35734 ssh2
Jan 21 14:02:37 server1 sshd[13729]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=85.91.5.69 user=root
Jan 21 14:02:39 server1 sshd[13729]: Failed password for root from 85.91.5.69 port 35878 ssh2
Jan 21 14:02:41 server1 sshd[13731]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=85.91.5.69 user=root
Jan 21 14:02:43 server1 sshd[13731]: Failed password for root from 85.91.5.69 port 36024 ssh2
Jan 21 14:02:44 server1 sshd[13735]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=85.91.5.69 user=root
Jan 21 14:02:47 server1 sshd[13735]: Failed password for root from 85.91.5.69 port 36162 ssh2
Jan 21 14:02:49 server1 sshd[13737]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=85.91.5.69 user=root
Jan 21 14:02:51 server1 sshd[13737]: Failed password for root from 85.91.5.69 port 36310 ssh2
Jan 21 14:02:52 server1 sshd[13739]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=85.91.5.69 user=root
Jan 21 14:02:54 server1 sshd[13739]: Failed password for root from 85.91.5.69 port 36449 ssh2
Jan 21 14:02:56 server1 sshd[13743]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=85.91.5.69 user=root
It goes on for a long time like that. Is there a way to check to see if fail2ban is working ok? I know it is blocking it, but I have it set to ban the person after 3 times.
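
The check cruz is asking for, as an added example (my script, not something from the thread or from fail2ban itself). The quickest direct checks are the ones fail2ban runs on its own: the actionCheck line in its log further down is `iptables -L INPUT | grep -q fail2ban-<name>`, and `iptables -L fail2ban-<jail> -n` lists the addresses currently dropped (the chain is the jail name prefixed with `fail2ban-`; `fail2ban-ssh` for the ssh jail is an assumption about the jail name). The script below answers the same question from auth.log alone: if a source keeps opening fresh connections after its third failure, nothing is dropping its packets. It assumes maxretry is 3, and the sample lines are constructed from the ones in the post, not a real capture:

```shell
#!/bin/sh
# Added example, not part of the thread: decide from auth.log alone whether a
# fail2ban-style ban (maxretry failures, then DROP) actually took effect.
# Assumption: maxretry=3, as in cruz's setup; the log is read from stdin.

# Constructed sample modelled on the lines in the post (not a real capture).
# 85.91.5.69 keeps opening new connections (new sshd PIDs, new source ports)
# after its third failure; 192.0.2.10 stops at two and stays below the threshold.
SAMPLE_AUTH_LOG='Jan 21 14:01:51 server1 sshd[13695]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=85.91.5.69 user=root
Jan 21 14:01:53 server1 sshd[13695]: Failed password for root from 85.91.5.69 port 48327 ssh2
Jan 21 14:01:57 server1 sshd[13699]: Failed password for root from 85.91.5.69 port 48527 ssh2
Jan 21 14:02:00 server1 sshd[13701]: Failed password for root from 85.91.5.69 port 48703 ssh2
Jan 21 14:02:04 server1 sshd[13703]: Failed password for root from 85.91.5.69 port 48865 ssh2
Jan 21 14:02:08 server1 sshd[13707]: Failed password for root from 85.91.5.69 port 34690 ssh2
Jan 21 14:03:10 server1 sshd[13720]: Failed password for invalid user admin from 192.0.2.10 port 51022 ssh2
Jan 21 14:03:14 server1 sshd[13720]: Failed password for invalid user admin from 192.0.2.10 port 51022 ssh2'

# ban_check MAXRETRY < auth.log
# Prints one line per source IP: "<ip> <failures> <after_ban>", where
# after_ban counts failures on connections (sshd PIDs) first seen after the
# MAXRETRY-th failure.  A connection that was already open when the ban hit
# can still log a few more failures (sshd allows several tries per session),
# so only fresh connections count as evidence that no DROP rule was in place.
ban_check() {
    maxretry=${1:-3}
    awk -v maxretry="$maxretry" '
        /sshd\[[0-9]+\]: Failed password for/ {
            pid = $5; sub(/^sshd\[/, "", pid); sub(/\]:$/, "", pid)
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            if (ip == "") next
            fails[ip]++
            if (fails[ip] <= maxretry) {
                seen[ip, pid] = 1            # connection open before the ban point
            } else if (!((ip, pid) in seen)) {
                after[ip]++                  # a brand-new connection got through
            }
        }
        END { for (ip in fails) printf "%s %d %d\n", ip, fails[ip], after[ip] + 0 }'
}

# unbanned_ips MAXRETRY < auth.log : only the IPs whose ban evidently failed.
unbanned_ips() {
    ban_check "$@" | awk '$3 > 0 { print $1 }'
}

# Stand-alone run over the constructed sample; on a real box use
#   ban_check 3 < /var/log/auth.log
printf '%s\n' "$SAMPLE_AUTH_LOG" | ban_check 3
```

On the log in the post every failure comes from a new sshd PID and a new source port, so after the third one the after_ban column climbs with each line: the fail2ban jail was not banning anything, which fits the broken package that turns up later in the thread.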

cruz
22nd January 2008, 19:57
I was getting ready to set up munin and monit on my system and it told me to run a command. I ran the command and this came up.
server1:~# dpkg --configure -a
dpkg: error processing fail2ban (--configure):
Package is in a very bad inconsistent state - you should
reinstall it before attempting configuration.
Errors were encountered while processing:
fail2ban
I tried to do updates yesterday, but it locked up in the middle of trying to upgrade fail2ban. How can I fix this? Please speak baby Linux talk; I'm kind of new to Linux. Thanks
Update
I found this in the fail2ban log file
2008-01-22 09:45:04,695 fail2ban.actions.action: INFO Set actionUnban = iptables -D fail2ban-<name> -s <ip> -j DROP
2008-01-22 09:45:04,696 fail2ban.actions.action: INFO Set actionCheck = iptables -L INPUT | grep -q fail2ban-<name>
2008-01-22 09:45:05,485 fail2ban.actions.action: ERROR iptables -N fail2ban-courierpop3
iptables -A fail2ban-courierpop3 -j RETURN
iptables -I INPUT -p tcp --dport pop3 -j fail2ban-courierpop3 returned 400
2008-01-22 09:45:05,499 fail2ban.actions.action: ERROR iptables -N fail2ban-sasl
iptables -A fail2ban-sasl -j RETURN
iptables -I INPUT -p tcp --dport smtp -j fail2ban-sasl returned 400

falko
23rd January 2008, 14:18
You can try
apt-get install fail2ban

o.meyer
23rd January 2008, 14:56
You can also use denyhosts (ssh only).

Best regards,

Olli

topdog
23rd January 2008, 20:30
A better way to stop the brute-force attacks is to use the kernel itself via the iptables ipt_recent module; doing network stuff at kernel level is far more efficient than doing it at application level.

http://www.snowman.net/projects/ipt_recent/
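
The ipt_recent approach topdog mentions, as an added example: these are my rules, not topdog's and not from the linked page. They assume TCP port 22, a 60-second window and dropping the 4th new connection a source opens inside that window; the chain name `ratelimit-SSH` and the list name `SSH` are arbitrary. Without arguments the script only prints the rules (IPTABLES=echo); as root, `--apply` installs them:

```shell
#!/bin/sh
# Added example, not topdog's own rules: per-source rate limiting of new SSH
# connections in the kernel with iptables' "recent" match (the ipt_recent
# module).  Assumed parameters: TCP port 22, a 60 s window, and the 4th new
# connection inside that window dropped.  IPTABLES=echo gives a dry run.
IPTABLES=${IPTABLES:-iptables}

# ratelimit_rules PORT NAME SECONDS HITCOUNT
ratelimit_rules() {
    port=${1:-22}; name=${2:-SSH}; seconds=${3:-60}; hitcount=${4:-4}
    chain="ratelimit-$name"
    # A dedicated chain keeps the rules easy to list (-L) and flush (-F).
    $IPTABLES -N "$chain" 2>/dev/null || true
    $IPTABLES -F "$chain"
    # 1. Record this source's hit in the kernel list NAME (created on demand).
    $IPTABLES -A "$chain" -m recent --set --name "$name"
    # 2. If the list now holds HITCOUNT hits from this source within SECONDS,
    #    drop the packet.  --update also refreshes the timestamp, so a client
    #    that keeps retrying never ages out of the block.
    $IPTABLES -A "$chain" -m recent --update --seconds "$seconds" \
        --hitcount "$hitcount" --name "$name" -j DROP
    # Only the first packet of a new TCP connection to PORT enters the chain;
    # established sessions are never touched.
    $IPTABLES -I INPUT -p tcp --dport "$port" -m state --state NEW -j "$chain"
}

# ratelimit_allow NAME CIDR : exempt a management network before anything else,
# so a few mistyped passwords from your own desk cannot lock you out.
ratelimit_allow() {
    $IPTABLES -I "ratelimit-$1" -s "$2" -j RETURN
}

# ratelimit_flush PORT NAME : undo everything ratelimit_rules added.
ratelimit_flush() {
    $IPTABLES -D INPUT -p tcp --dport "${1:-22}" -m state --state NEW -j "ratelimit-${2:-SSH}"
    $IPTABLES -F "ratelimit-${2:-SSH}"
    $IPTABLES -X "ratelimit-${2:-SSH}"
}

case "${1:-}" in
    --apply) ratelimit_rules 22 SSH 60 4 ;;                  # as root: install
    *)       IPTABLES=echo; ratelimit_rules 22 SSH 60 4 ;;   # default: print
esac
```

Two caveats a practitioner will hit: `--hitcount` cannot exceed the module's per-address packet list (the ip_pkt_list_tot parameter, 20 by default), and this limits connection attempts rather than reading logs, so unlike fail2ban it treats a legitimate user who reconnects four times in a minute exactly like an attacker. Each additional service needs its own jump rule (another `-I INPUT -p tcp --dport <port> ... -j ratelimit-<name>`), which is the per-port configuration work cruz asks about below.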

cruz
26th January 2008, 18:11
It worked, Falko. Thank you. Topdog, the way you are talking about, is it for newbies or is it hard to configure? And does it protect against different ports, or do you have to configure each port, like ftp, mail, ssh, etc.? What I like about fail2ban is it protects all ports that are used. Thanks for helping me to learn, everyone.

topdog
26th January 2008, 18:18
ipt_recent can be used on all ports, but you need to be able to write iptables rules to configure it. I guess fail2ban and denyhosts are easier to use.

cruz
27th January 2008, 23:17
Yes they are easy now, but I hope to learn more and apply it to my server. Thanks for your info topdog.