  #1  
Old 22nd January 2008, 06:45
cruz cruz is offline
Senior Member
 
Join Date: Apr 2007
Posts: 365
Thanks: 51
Thanked 2 Times in 2 Posts
Default entries in the auth log file

I have fail2ban installed on my server (Debian 4.0 Perfect Setup), but I am not sure it is working. I found this in the auth log file.
HTML Code:
Jan 21 14:01:51 server1 sshd[13695]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=85.91.5.69  user=root
Jan 21 14:01:53 server1 sshd[13695]: Failed password for root from 85.91.5.69 port 48327 ssh2
Jan 21 14:01:55 server1 sshd[13699]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=85.91.5.69  user=root
Jan 21 14:01:57 server1 sshd[13699]: Failed password for root from 85.91.5.69 port 48527 ssh2
Jan 21 14:01:58 server1 sshd[13701]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=85.91.5.69  user=root
Jan 21 14:02:00 server1 sshd[13701]: Failed password for root from 85.91.5.69 port 48703 ssh2
Jan 21 14:02:02 server1 sshd[13703]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=85.91.5.69  user=root
Jan 21 14:02:04 server1 sshd[13703]: Failed password for root from 85.91.5.69 port 48865 ssh2
Jan 21 14:02:06 server1 sshd[13707]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=85.91.5.69  user=root
Jan 21 14:02:08 server1 sshd[13707]: Failed password for root from 85.91.5.69 port 34690 ssh2
Jan 21 14:02:10 server1 sshd[13709]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=85.91.5.69  user=root
Jan 21 14:02:12 server1 sshd[13709]: Failed password for root from 85.91.5.69 port 34841 ssh2
Jan 21 14:02:13 server1 sshd[13711]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=85.91.5.69  user=root
Jan 21 14:02:16 server1 sshd[13711]: Failed password for root from 85.91.5.69 port 34986 ssh2
Jan 21 14:02:18 server1 sshd[13715]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=85.91.5.69  user=root
Jan 21 14:02:20 server1 sshd[13715]: Failed password for root from 85.91.5.69 port 35155 ssh2
Jan 21 14:02:21 server1 sshd[13717]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=85.91.5.69  user=root
Jan 21 14:02:23 server1 sshd[13717]: Failed password for root from 85.91.5.69 port 35296 ssh2
Jan 21 14:02:25 server1 sshd[13721]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=85.91.5.69  user=root
Jan 21 14:02:28 server1 sshd[13721]: Failed password for root from 85.91.5.69 port 35446 ssh2
Jan 21 14:02:29 server1 sshd[13723]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=85.91.5.69  user=root
Jan 21 14:02:31 server1 sshd[13723]: Failed password for root from 85.91.5.69 port 35601 ssh2
Jan 21 14:02:33 server1 sshd[13725]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=85.91.5.69  user=root
Jan 21 14:02:35 server1 sshd[13725]: Failed password for root from 85.91.5.69 port 35734 ssh2
Jan 21 14:02:37 server1 sshd[13729]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=85.91.5.69  user=root
Jan 21 14:02:39 server1 sshd[13729]: Failed password for root from 85.91.5.69 port 35878 ssh2
Jan 21 14:02:41 server1 sshd[13731]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=85.91.5.69  user=root
Jan 21 14:02:43 server1 sshd[13731]: Failed password for root from 85.91.5.69 port 36024 ssh2
Jan 21 14:02:44 server1 sshd[13735]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=85.91.5.69  user=root
Jan 21 14:02:47 server1 sshd[13735]: Failed password for root from 85.91.5.69 port 36162 ssh2
Jan 21 14:02:49 server1 sshd[13737]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=85.91.5.69  user=root
Jan 21 14:02:51 server1 sshd[13737]: Failed password for root from 85.91.5.69 port 36310 ssh2
Jan 21 14:02:52 server1 sshd[13739]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=85.91.5.69  user=root
Jan 21 14:02:54 server1 sshd[13739]: Failed password for root from 85.91.5.69 port 36449 ssh2
Jan 21 14:02:56 server1 sshd[13743]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=85.91.5.69  user=root
It goes on for a long time like that. Is there a way to check to see if fail2ban is working ok? I know it is blocking it, but I have it set to ban the person after 3 times.
Reply With Quote
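One way to answer the question in this post, as an added example that is not part of the thread: count the sshd "Failed password" lines per source address the way fail2ban's sshd filter does, compare against maxretry, and then check whether a ban was really issued. The chain name fail2ban-ssh and the "Ban <ip>" log line are assumptions about the fail2ban 0.8 package on Debian 4.0; the sample log lines are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: count sshd "Failed password" lines per
# source address in an auth.log and report every address at or past fail2ban's
# maxretry, then look up whether fail2ban actually banned it. The jail chain
# name (fail2ban-ssh) and the "Ban <ip>" log line are assumptions about the
# fail2ban 0.8 packaging on Debian 4.0; adjust them to your jail.conf.

# Constructed sample in the same format as the thread's auth.log (RFC 5737
# documentation addresses). The pam_unix lines are deliberately ignored so a
# single failed login is not counted twice.
SAMPLE_LOG='Jan 21 14:01:51 server1 sshd[13695]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10  user=root
Jan 21 14:01:53 server1 sshd[13695]: Failed password for root from 192.0.2.10 port 48327 ssh2
Jan 21 14:01:57 server1 sshd[13699]: Failed password for root from 192.0.2.10 port 48527 ssh2
Jan 21 14:02:00 server1 sshd[13701]: Failed password for root from 192.0.2.10 port 48703 ssh2
Jan 21 14:02:04 server1 sshd[13703]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2
Jan 21 14:05:00 server1 sshd[13710]: Accepted publickey for deploy from 203.0.113.5 port 50000 ssh2'

# offenders LOGTEXT MAXRETRY -> "IP COUNT" for each IP with COUNT >= MAXRETRY
offenders() {
    printf '%s\n' "$1" | awk -v max="$2" '
        /sshd\[[0-9]+\]: Failed password for / {
            # the source address is the field after "from" (this also covers
            # the "Failed password for invalid user X from ..." variant)
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= max) print ip, n[ip] }' | sort
}

# is_banned IP [CHAIN] -> exit 0 if the jail chain currently has a DROP for IP.
# Needs root; the chain exists only once fail2ban has started the jail.
is_banned() {
    iptables -n -L "${2:-fail2ban-ssh}" 2>/dev/null |
        grep -q "^DROP.*[[:space:]]$1[[:space:]]"
}

# ban_count IP [LOGFILE] -> how many times fail2ban logged a ban for IP
ban_count() {
    grep -c "Ban $1\$" "${2:-/var/log/fail2ban.log}" || true
}

# Stand-alone run: list sources that should have been banned at maxretry=3
offenders "$SAMPLE_LOG" 3
```

Run `offenders "$(cat /var/log/auth.log)" 3` on the real log and then `is_banned <ip>` for each address it prints; an address that appears in the first list but not in the chain means fail2ban is not doing its job.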
  #2  
Old 22nd January 2008, 19:57
cruz cruz is offline
Senior Member
 
Join Date: Apr 2007
Posts: 365
Thanks: 51
Thanked 2 Times in 2 Posts
Default Update

I was getting ready to set up munin and monit on my system and it told me to run a command. I ran the command and this came up.
HTML Code:
server1:~# dpkg --configure -a
dpkg: error processing fail2ban (--configure):
 Package is in a very bad inconsistent state - you should
 reinstall it before attempting configuration.
Errors were encountered while processing:
 fail2ban
I tried to do updates yesterday, but it locked up in the middle of trying to upgrade fail2ban. How can I fix this? Please speak baby Linux talk. Kind of new to Linux. Thanks
Update
I found this in the fail2ban log file
HTML Code:
2008-01-22 09:45:04,695 fail2ban.actions.action: INFO   Set actionUnban = iptables -D fail2ban-<name> -s <ip> -j DROP
2008-01-22 09:45:04,696 fail2ban.actions.action: INFO   Set actionCheck = iptables -L INPUT | grep -q fail2ban-<name>
2008-01-22 09:45:05,485 fail2ban.actions.action: ERROR  iptables -N fail2ban-courierpop3
iptables -A fail2ban-courierpop3 -j RETURN
iptables -I INPUT -p tcp --dport pop3 -j fail2ban-courierpop3 returned 400
2008-01-22 09:45:05,499 fail2ban.actions.action: ERROR  iptables -N fail2ban-sasl
iptables -A fail2ban-sasl -j RETURN
iptables -I INPUT -p tcp --dport smtp -j fail2ban-sasl returned 400

Last edited by cruz; 22nd January 2008 at 20:02.
Reply With Quote
  #3  
Old 23rd January 2008, 14:18
falko falko is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 41,701
Thanks: 1,900
Thanked 2,751 Times in 2,581 Posts
Default

You can try
Code:
apt-get install fail2ban
__________________
Falko
Reply With Quote
  #4  
Old 23rd January 2008, 14:56
o.meyer o.meyer is offline
Senior Member
 
Join Date: Aug 2007
Posts: 167
Thanks: 2
Thanked 24 Times in 23 Posts
Default

You can also use denyhosts (ssh only).

Best regards,

Olli
Reply With Quote
  #5  
Old 23rd January 2008, 20:30
topdog topdog is offline
Senior Member
 
Join Date: Jan 2008
Location: South Africa
Posts: 1,352
Thanks: 0
Thanked 154 Times in 151 Posts
Default

A better way to stop the brute force attacks is to use the kernel itself via the iptables ipt_recent module; doing network stuff at kernel level is far more efficient than doing it at application level.

http://www.snowman.net/projects/ipt_recent/
Reply With Quote
  #6  
Old 26th January 2008, 18:11
cruz cruz is offline
Senior Member
 
Join Date: Apr 2007
Posts: 365
Thanks: 51
Thanked 2 Times in 2 Posts
Default It worked

It worked, Falko. Thank you. Topdog, the way you are talking about, is it for newbies or is it hard to configure, and also does it protect against different ports or do you have to configure each port? Like ftp, mail, ssh, etc. What I like about fail2ban is it protects all ports that are used. Thanks for helping me to learn, everyone.
Reply With Quote
  #7  
Old 26th January 2008, 18:18
topdog topdog is offline
Senior Member
 
Join Date: Jan 2008
Location: South Africa
Posts: 1,352
Thanks: 0
Thanked 154 Times in 151 Posts
Default

ipt_recent can be used on all ports, but you need to be able to write iptables rules to configure it. I guess fail2ban and deny-hosts are easier to use.
Reply With Quote
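The iptables rules topdog says you have to write, as an added example that is not part of the thread (it is not topdog's or the ipt_recent project's code): one function emits a per-port "recent" rule set, so covering ssh, smtp and pop3 is three calls rather than three hand-written rule sets. The chain prefix bf- and the per-port thresholds are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the thread: the iptables "recent" match (ipt_recent)
# configuration topdog refers to, written so one function serves any port.
# Every NEW connection to the port is recorded under NAME; the HITS-th new
# connection from the same source within SECONDS, and any after it, is dropped.
# --update also refreshes the timestamp, so a source that keeps retrying stays
# blocked until it has been quiet for SECONDS. The "bf-" chain prefix is this
# example's own choice.

# recent_rules PORT NAME HITS SECONDS -> prints the rules, applies nothing
recent_rules() {
    port="$1" name="$2" hits="$3" seconds="$4"
    cat <<EOF
iptables -N bf-$name
iptables -A bf-$name -m recent --name $name --set
iptables -A bf-$name -m recent --name $name --update --seconds $seconds --hitcount $hits -j DROP
iptables -A bf-$name -j RETURN
iptables -I INPUT -p tcp --dport $port -m state --state NEW -j bf-$name
EOF
}

# apply_rules PORT NAME HITS SECONDS -> load the rules (root only). The tracked
# sources can then be inspected in /proc/net/ipt_recent/NAME on older kernels
# or /proc/net/xt_recent/NAME on newer ones.
apply_rules() {
    recent_rules "$@" | sh -e
}

# Stand-alone run: ssh limited to 4 new connections per 60 s, then the same
# function covering smtp and pop3, the services fail2ban handles with its
# separate sasl and courierpop3 jails in the thread's log.
recent_rules 22 SSH 4 60
recent_rules 25 SMTP 10 60
recent_rules 110 POP3 10 60
```

Review the printed rules first, then load them with `apply_rules 22 SSH 4 60` as root; unlike fail2ban, nothing here reads a log file, so the protection also works while fail2ban itself is broken as in post #2.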
  #8  
Old 27th January 2008, 23:17
cruz cruz is offline
Senior Member
 
Join Date: Apr 2007
Posts: 365
Thanks: 51
Thanked 2 Times in 2 Posts
 
Default easy now

Yes they are easy now, but I hope to learn more and apply it to my server. Thanks for your info topdog.
Reply With Quote