Old 11th January 2012, 08:34
Djamu Djamu is offline
Member
 
Join Date: Sep 2007
Posts: 51
Thanks: 2
Thanked 12 Times in 7 Posts
strange fail2ban behaviour > doesn't ban specific IP

Hi all,

I'm having a strange fail2ban issue (which otherwise works perfectly).
For some reason the sshd.conf fail2ban regex doesn't pick up a specific brute force attack IP (219.140.165.85), which has already been probing one of my servers for some weeks; the probing isn't continuous but happens once every 20-30 minutes.
(The only reason I noticed is because my logwatch reports indicated it.)

The regex is the standard regex (I think) that came with the package:
Code:
failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$
            ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
            ^%(__prefix_line)sFailed (?:password|publickey) for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$
            ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
            ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers$
            ^%(__prefix_line)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
            ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
            ^%(__prefix_line)sAddress <HOST> .* POSSIBLE BREAK-IN ATTEMPT!*\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$
A grepped auth.log for an IP (61.54.242.194) that got banned:
Code:
Jan 10 01:02:37 localhost sshd[7801]: reverse mapping checking getaddrinfo for hn.kd.dhcp [61.54.242.194] failed - POSSIBLE BREAK-IN ATTEMPT!
Jan 10 01:02:37 localhost sshd[7801]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.54.242.194  user=root
Jan 10 01:02:39 localhost sshd[7801]: Failed password for root from 61.54.242.194 port 60389 ssh2
Jan 10 01:02:47 localhost sshd[12130]: reverse mapping checking getaddrinfo for hn.kd.dhcp [61.54.242.194] failed - POSSIBLE BREAK-IN ATTEMPT!
Jan 10 01:02:47 localhost sshd[12130]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.54.242.194  user=root
Jan 10 01:02:48 localhost sshd[12130]: Failed password for root from 61.54.242.194 port 33303 ssh2
Jan 10 01:02:54 localhost sshd[15027]: reverse mapping checking getaddrinfo for hn.kd.dhcp [61.54.242.194] failed - POSSIBLE BREAK-IN ATTEMPT!
Jan 10 01:02:54 localhost sshd[15027]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.54.242.194  user=root
Jan 10 01:02:57 localhost sshd[15027]: Failed password for root from 61.54.242.194 port 35084 ssh2
Jan 10 01:03:01 localhost sshd[17113]: reverse mapping checking getaddrinfo for hn.kd.dhcp [61.54.242.194] failed - POSSIBLE BREAK-IN ATTEMPT!
Jan 10 01:03:01 localhost sshd[17113]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.54.242.194  user=root
Jan 10 01:03:03 localhost sshd[17113]: Failed password for root from 61.54.242.194 port 36658 ssh2
Jan 10 01:03:07 localhost sshd[19775]: reverse mapping checking getaddrinfo for hn.kd.dhcp [61.54.242.194] failed - POSSIBLE BREAK-IN ATTEMPT!
Jan 10 01:03:07 localhost sshd[19775]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.54.242.194  user=root
Jan 10 01:03:09 localhost sshd[19775]: Failed password for root from 61.54.242.194 port 37816 ssh2
Jan 10 01:03:20 localhost sshd[22300]: reverse mapping checking getaddrinfo for hn.kd.dhcp [61.54.242.194] failed - POSSIBLE BREAK-IN ATTEMPT!
Jan 10 01:03:20 localhost sshd[22300]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.54.242.194  user=root
Jan 10 01:03:22 localhost sshd[22300]: Failed password for root from 61.54.242.194 port 38909 ssh2
And the log snippet for the IP (219.140.165.85) that doesn't get banned (I only took the 9th of January):
Code:
Jan  9 00:13:28 localhost sshd[26129]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.140.165.85  user=root
Jan  9 00:13:30 localhost sshd[26129]: Failed password for root from 219.140.165.85 port 47955 ssh2
Jan  9 00:30:19 localhost sshd[29098]: Did not receive identification string from 219.140.165.85
Jan  9 00:30:19 localhost sshd[29090]: Did not receive identification string from 219.140.165.85
Jan  9 00:47:22 localhost sshd[32029]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.140.165.85  user=root
Jan  9 00:47:23 localhost sshd[32029]: Failed password for root from 219.140.165.85 port 41517 ssh2
Jan  9 01:55:08 localhost sshd[17262]: Did not receive identification string from 219.140.165.85
Jan  9 02:12:01 localhost sshd[22038]: Did not receive identification string from 219.140.165.85
Jan  9 02:47:10 localhost sshd[27552]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.140.165.85  user=root
Jan  9 02:47:10 localhost sshd[27559]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.140.165.85  user=root
Jan  9 02:47:11 localhost sshd[27552]: Failed password for root from 219.140.165.85 port 47819 ssh2
Jan  9 02:47:12 localhost sshd[27559]: Failed password for root from 219.140.165.85 port 46498 ssh2
Jan  9 03:04:20 localhost sshd[921]: Did not receive identification string from 219.140.165.85
Jan  9 03:21:24 localhost sshd[4193]: Did not receive identification string from 219.140.165.85
Jan  9 03:39:01 localhost sshd[6725]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.140.165.85  user=root
Jan  9 03:39:03 localhost sshd[6725]: Failed password for root from 219.140.165.85 port 48121 ssh2
Jan  9 03:39:10 localhost sshd[6726]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.140.165.85  user=root
Jan  9 03:39:12 localhost sshd[6726]: Failed password for root from 219.140.165.85 port 38199 ssh2
Jan  9 03:56:00 localhost sshd[9882]: Did not receive identification string from 219.140.165.85
Jan  9 04:13:27 localhost sshd[13404]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.140.165.85  user=root
Jan  9 04:13:29 localhost sshd[13404]: Failed password for root from 219.140.165.85 port 58637 ssh2
Jan  9 04:47:38 localhost sshd[19128]: Did not receive identification string from 219.140.165.85
Jan  9 04:47:38 localhost sshd[19129]: Did not receive identification string from 219.140.165.85
Jan  9 05:04:41 localhost sshd[22382]: Did not receive identification string from 219.140.165.85
Jan  9 05:22:01 localhost sshd[25527]: Did not receive identification string from 219.140.165.85
Jan  9 05:22:04 localhost sshd[25525]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.140.165.85  user=root
Jan  9 05:22:06 localhost sshd[25525]: Failed password for root from 219.140.165.85 port 44002 ssh2
Jan  9 05:39:03 localhost sshd[27919]: Did not receive identification string from 219.140.165.85
Jan  9 05:57:04 localhost sshd[31080]: Did not receive identification string from 219.140.165.85
Jan  9 06:31:48 localhost sshd[23091]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.140.165.85  user=root
Jan  9 06:31:50 localhost sshd[23091]: Failed password for root from 219.140.165.85 port 38770 ssh2
Jan  9 07:06:02 localhost sshd[28762]: Did not receive identification string from 219.140.165.85
Jan  9 09:06:01 localhost sshd[18869]: Did not receive identification string from 219.140.165.85
Jan  9 09:06:02 localhost sshd[18876]: Did not receive identification string from 219.140.165.85
Jan  9 09:23:20 localhost sshd[21301]: Did not receive identification string from 219.140.165.85
Jan  9 09:40:34 localhost sshd[24444]: Did not receive identification string from 219.140.165.85
Jan  9 09:57:31 localhost sshd[26825]: Did not receive identification string from 219.140.165.85
Jan  9 09:57:37 localhost sshd[26823]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.140.165.85  user=root
Jan  9 09:57:39 localhost sshd[26823]: Failed password for root from 219.140.165.85 port 52388 ssh2
Jan  9 10:31:21 localhost sshd[975]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.140.165.85  user=root
Jan  9 10:31:23 localhost sshd[975]: Failed password for root from 219.140.165.85 port 45589 ssh2
Jan  9 10:31:34 localhost sshd[979]: Did not receive identification string from 219.140.165.85
Jan  9 10:31:37 localhost sshd[977]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.140.165.85  user=root
Jan  9 10:31:39 localhost sshd[977]: Failed password for root from 219.140.165.85 port 52786 ssh2
Jan  9 10:48:39 localhost sshd[3493]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.140.165.85  user=root
Jan  9 10:48:42 localhost sshd[3493]: Failed password for root from 219.140.165.85 port 45118 ssh2
Jan  9 11:05:36 localhost sshd[6921]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.140.165.85  user=root
Jan  9 11:05:38 localhost sshd[6921]: Failed password for root from 219.140.165.85 port 54159 ssh2
Jan  9 11:22:34 localhost sshd[9332]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.140.165.85  user=root
Jan  9 11:22:34 localhost sshd[9335]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.140.165.85  user=root
Jan  9 11:22:36 localhost sshd[9332]: Failed password for root from 219.140.165.85 port 40092 ssh2
Jan  9 11:22:36 localhost sshd[9335]: Failed password for root from 219.140.165.85 port 50890 ssh2
Jan  9 11:39:35 localhost sshd[11784]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.140.165.85  user=root
Jan  9 11:39:38 localhost sshd[11784]: Failed password for root from 219.140.165.85 port 52422 ssh2
Jan  9 11:56:33 localhost sshd[14937]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.140.165.85  user=root
Jan  9 11:56:35 localhost sshd[14935]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.140.165.85  user=root
Jan  9 11:56:36 localhost sshd[14937]: Failed password for root from 219.140.165.85 port 56762 ssh2
Jan  9 11:56:37 localhost sshd[14935]: Failed password for root from 219.140.165.85 port 41024 ssh2
Jan  9 12:13:33 localhost sshd[17514]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.140.165.85  user=root
Jan  9 12:13:35 localhost sshd[17513]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.140.165.85  user=root
Jan  9 12:13:35 localhost sshd[17514]: Failed password for root from 219.140.165.85 port 50360 ssh2
Jan  9 12:13:37 localhost sshd[17513]: Failed password for root from 219.140.165.85 port 37334 ssh2
Jan  9 12:30:42 localhost sshd[20675]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.140.165.85  user=root
Jan  9 12:30:44 localhost sshd[20675]: Failed password for root from 219.140.165.85 port 58037 ssh2
Jan  9 12:30:49 localhost sshd[20679]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.140.165.85  user=root
Jan  9 12:30:50 localhost sshd[20679]: Failed password for root from 219.140.165.85 port 33452 ssh2
Jan  9 12:47:35 localhost sshd[23272]: Did not receive identification string from 219.140.165.85
Jan  9 12:47:40 localhost sshd[23270]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.140.165.85  user=root
Jan  9 12:47:43 localhost sshd[23270]: Failed password for root from 219.140.165.85 port 47787 ssh2
Jan  9 13:04:47 localhost sshd[25810]: Did not receive identification string from 219.140.165.85
Jan  9 13:22:11 localhost sshd[28947]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.140.165.85  user=root
Jan  9 13:22:12 localhost sshd[28947]: Failed password for root from 219.140.165.85 port 39060 ssh2
Jan  9 13:39:20 localhost sshd[31348]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.140.165.85  user=root
Jan  9 13:39:21 localhost sshd[31346]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.140.165.85  user=root
Jan  9 13:39:23 localhost sshd[31348]: Failed password for root from 219.140.165.85 port 39280 ssh2
Jan  9 13:39:23 localhost sshd[31346]: Failed password for root from 219.140.165.85 port 46194 ssh2
Jan  9 14:14:59 localhost sshd[5822]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.140.165.85  user=root
Jan  9 14:15:00 localhost sshd[5822]: Failed password for root from 219.140.165.85 port 60509 ssh2
Jan  9 14:32:05 localhost sshd[8993]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.140.165.85  user=root
Jan  9 14:32:08 localhost sshd[8993]: Failed password for root from 219.140.165.85 port 49029 ssh2
Jan  9 14:49:22 localhost sshd[11381]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.140.165.85  user=root
Jan  9 14:49:24 localhost sshd[11381]: Failed password for root from 219.140.165.85 port 45999 ssh2
Jan  9 14:49:26 localhost sshd[11383]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.140.165.85  user=root
Jan  9 14:49:28 localhost sshd[11383]: Failed password for root from 219.140.165.85 port 53114 ssh2
Jan  9 15:06:39 localhost sshd[14668]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.140.165.85  user=root
Jan  9 15:06:40 localhost sshd[14667]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.140.165.85  user=root
Jan  9 15:06:41 localhost sshd[14668]: Failed password for root from 219.140.165.85 port 42538 ssh2
Jan  9 15:06:42 localhost sshd[14667]: Failed password for root from 219.140.165.85 port 36010 ssh2
Jan  9 15:23:57 localhost sshd[17064]: Did not receive identification string from 219.140.165.85
Jan  9 15:23:59 localhost sshd[17062]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.140.165.85  user=root
Jan  9 15:24:01 localhost sshd[17062]: Failed password for root from 219.140.165.85 port 54651 ssh2
Jan  9 15:41:10 localhost sshd[20197]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.140.165.85  user=root
Jan  9 15:41:13 localhost sshd[20197]: Failed password for root from 219.140.165.85 port 54511 ssh2
Jan  9 16:16:05 localhost sshd[28906]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.140.165.85  user=root
Jan  9 16:16:08 localhost sshd[28906]: Failed password for root from 219.140.165.85 port 60114 ssh2
Jan  9 16:50:43 localhost sshd[2296]: Did not receive identification string from 219.140.165.85
Jan  9 17:08:10 localhost sshd[5037]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.140.165.85  user=root
Jan  9 17:08:12 localhost sshd[5037]: Failed password for root from 219.140.165.85 port 34311 ssh2
Jan  9 17:43:05 localhost sshd[10598]: Did not receive identification string from 219.140.165.85
Jan  9 17:43:05 localhost sshd[10599]: Did not receive identification string from 219.140.165.85
Jan  9 18:00:34 localhost sshd[14688]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.140.165.85  user=root
Jan  9 18:00:36 localhost sshd[14688]: Failed password for root from 219.140.165.85 port 45649 ssh2
Jan  9 18:17:47 localhost sshd[17275]: Did not receive identification string from 219.140.165.85
Jan  9 18:34:59 localhost sshd[19689]: Did not receive identification string from 219.140.165.85
Jan  9 18:52:11 localhost sshd[22823]: Did not receive identification string from 219.140.165.85
Jan  9 18:52:25 localhost sshd[22821]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.140.165.85  user=root
Jan  9 18:52:27 localhost sshd[22821]: Failed password for root from 219.140.165.85 port 45396 ssh2
Jan  9 19:26:33 localhost sshd[28471]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.140.165.85  user=root
Jan  9 19:26:35 localhost sshd[28471]: Failed password for root from 219.140.165.85 port 32955 ssh2
Jan  9 19:43:30 localhost sshd[30865]: Did not receive identification string from 219.140.165.85
Jan  9 20:00:38 localhost sshd[2772]: Did not receive identification string from 219.140.165.85
Jan  9 20:34:55 localhost sshd[7750]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.140.165.85  user=root
Jan  9 20:34:58 localhost sshd[7750]: Failed password for root from 219.140.165.85 port 33403 ssh2
Jan  9 21:26:04 localhost sshd[16735]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.140.165.85  user=root
Jan  9 21:26:06 localhost sshd[16735]: Failed password for root from 219.140.165.85 port 57975 ssh2
Jan  9 21:43:13 localhost sshd[19132]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.140.165.85  user=root
Jan  9 21:43:16 localhost sshd[19132]: Failed password for root from 219.140.165.85 port 41204 ssh2
Jan  9 22:00:10 localhost sshd[22059]: Did not receive identification string from 219.140.165.85
Jan  9 22:00:14 localhost sshd[21803]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.140.165.85  user=root
Jan  9 22:00:16 localhost sshd[21803]: Failed password for root from 219.140.165.85 port 38165 ssh2
Jan  9 22:17:14 localhost sshd[24779]: Did not receive identification string from 219.140.165.85
Jan  9 22:17:15 localhost sshd[24780]: Did not receive identification string from 219.140.165.85
Jan  9 22:34:11 localhost sshd[27170]: Did not receive identification string from 219.140.165.85
Jan  9 22:34:14 localhost sshd[27171]: Did not receive identification string from 219.140.165.85
Jan  9 22:51:15 localhost sshd[30305]: Did not receive identification string from 219.140.165.85
Jan  9 23:08:12 localhost sshd[21738]: Did not receive identification string from 219.140.165.85
Jan  9 23:42:05 localhost sshd[27325]: Did not receive identification string from 219.140.165.85
Jan  9 23:59:06 localhost sshd[29724]: Did not receive identification string from 219.140.165.85
Frankly I can't see a difference between the two logs, nor why the first gets banned and the other doesn't ...
Any help is greatly appreciated.

Jan
__________________
Windows, the only virus you pay for
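An added check, not part of the post above: it replays three of the failregex lines from the post over a few lines copied from the two auth.log snippets and counts, per IP, the most matches that fall inside one findtime window, which is what decides whether a jail bans. The simplified prefix regex, the year 2012 and findtime=600 / maxretry=6 (the ssh jail defaults shipped in fail2ban 0.8's jail.conf; the post does not show the jail settings) are assumptions.

```python
import re
from datetime import datetime

# Simplified stand-in for fail2ban's %(__prefix_line)s (assumption: the real one is broader).
PREFIX = r"(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: (?:pam_unix\(sshd:auth\): )?"
HOST = r"(?P<host>[\w\-.^_]+)"  # what fail2ban expands <HOST> to
# Three of the failregex lines from the post, verbatim apart from placeholder substitution.
FAILREGEX = [
    r"^%(__prefix_line)sFailed (?:password|publickey) for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$",
    r"^%(__prefix_line)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$",
    r"^%(__prefix_line)sAddress <HOST> .* POSSIBLE BREAK-IN ATTEMPT!*\s*$",
]
PATTERNS = [re.compile(p.replace("%(__prefix_line)s", PREFIX).replace("<HOST>", HOST))
            for p in FAILREGEX]

# Constructed sample: a few lines copied from the two auth.log snippets in the post.
SAMPLE_LOG = """\
Jan 10 01:02:37 localhost sshd[7801]: reverse mapping checking getaddrinfo for hn.kd.dhcp [61.54.242.194] failed - POSSIBLE BREAK-IN ATTEMPT!
Jan 10 01:02:37 localhost sshd[7801]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.54.242.194  user=root
Jan 10 01:02:39 localhost sshd[7801]: Failed password for root from 61.54.242.194 port 60389 ssh2
Jan 10 01:02:47 localhost sshd[12130]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.54.242.194  user=root
Jan 10 01:02:48 localhost sshd[12130]: Failed password for root from 61.54.242.194 port 33303 ssh2
Jan 10 01:02:54 localhost sshd[15027]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.54.242.194  user=root
Jan 10 01:02:57 localhost sshd[15027]: Failed password for root from 61.54.242.194 port 35084 ssh2
Jan  9 02:47:10 localhost sshd[27552]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.140.165.85  user=root
Jan  9 02:47:10 localhost sshd[27559]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.140.165.85  user=root
Jan  9 02:47:11 localhost sshd[27552]: Failed password for root from 219.140.165.85 port 47819 ssh2
Jan  9 02:47:12 localhost sshd[27559]: Failed password for root from 219.140.165.85 port 46498 ssh2
Jan  9 03:04:20 localhost sshd[921]: Did not receive identification string from 219.140.165.85
Jan  9 03:39:01 localhost sshd[6725]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.140.165.85  user=root
Jan  9 03:39:03 localhost sshd[6725]: Failed password for root from 219.140.165.85 port 48121 ssh2
"""

def failures(log):
    """(timestamp, host) per line that trips a failregex; 'reverse mapping' and 'Did not receive' lines count 0."""
    hits = []
    for line in log.splitlines():
        for pat in PATTERNS:
            m = pat.match(line)
            if m:  # syslog lines carry no year; assume 2012, the year of the post
                ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=2012)
                hits.append((ts, m["host"]))
                break
    return hits

def peak_failures(hits, host, findtime=600):
    """Most failures for host inside any findtime-second window (sliding-window model of fail2ban's counter)."""
    times = sorted(t for t, h in hits if h == host)
    best = start = 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > findtime:
            start += 1
        best = max(best, end - start + 1)
    return best

def would_ban(host, findtime=600, maxretry=6):
    # Assumption: findtime=600 / maxretry=6 are the ssh jail defaults in fail2ban 0.8's jail.conf.
    return peak_failures(failures(SAMPLE_LOG), host, findtime) >= maxretry

if __name__ == "__main__":
    for ip in ("61.54.242.194", "219.140.165.85"):
        print(ip, "peak:", peak_failures(failures(SAMPLE_LOG), ip), "banned:", would_ban(ip))
```

Each connection from 219.140.165.85 yields two matching lines and the connections are about 17 minutes apart, so the count never reaches 6 inside a 600-second window; lowering maxretry (or raising findtime) in the ssh jail changes the outcome, which the `would_ban` parameters let you test before editing jail.local.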