HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials > Linux Forums > Server Operation

#1  9th March 2009, 17:22  vbrookie (Junior Member)
fail2ban not banning

Hello all, I just upgraded my server a few days ago from Etch to Lenny, and my fail2ban is not working. And for the past few days somebody has been trying to break into my server.
There are hundreds of these entries in my auth.log.

Code:
Mar  9 09:42:33 ns1 sshd[15779]: Invalid user custom from 210.51.171.74
Mar  9 09:42:36 ns1 sshd[15781]: Invalid user custom from 210.51.171.74
Mar  9 09:42:39 ns1 sshd[15783]: Invalid user paula from 210.51.171.74
Mar  9 09:42:41 ns1 sshd[15785]: Invalid user tony from 210.51.171.74
Mar  9 09:42:44 ns1 sshd[15789]: Invalid user angie from 210.51.171.74
Mar  9 11:30:01 ns1 CRON[17155]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar  9 11:30:01 ns1 CRON[17155]: pam_unix(cron:session): session closed for user root
Mar  9 11:39:01 ns1 CRON[17269]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar  9 11:39:01 ns1 CRON[17269]: pam_unix(cron:session): session closed for user root
Mar  9 12:00:01 ns1 CRON[17827]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar  9 12:00:01 ns1 CRON[17827]: pam_unix(cron:session): session closed for user root
Mar  9 12:01:28 ns1 sshd[17897]: reverse mapping checking getaddrinfo for unknown.net.reach.com [134.159.122.26] failed - POSSIBLE BREAK-IN ATTEMPT!
Mar  9 12:01:30 ns1 sshd[17900]: reverse mapping checking getaddrinfo for unknown.net.reach.com [134.159.122.26] failed - POSSIBLE BREAK-IN ATTEMPT!
Mar  9 12:01:32 ns1 sshd[17903]: reverse mapping checking getaddrinfo for unknown.net.reach.com [134.159.122.26] failed - POSSIBLE BREAK-IN ATTEMPT!
Mar  9 12:01:34 ns1 sshd[17906]: reverse mapping checking getaddrinfo for unknown.net.reach.com [134.159.122.26] failed - POSSIBLE BREAK-IN ATTEMPT!
Mar  9 12:01:36 ns1 sshd[17911]: reverse mapping checking getaddrinfo for unknown.net.reach.com [134.159.122.26] failed - POSSIBLE BREAK-IN ATTEMPT!
Mar  9 12:01:38 ns1 sshd[17913]: reverse mapping checking getaddrinfo for unknown.net.reach.com [134.159.122.26] failed - POSSIBLE BREAK-IN ATTEMPT!
Mar  9 12:01:39 ns1 sshd[17916]: reverse mapping checking getaddrinfo for unknown.net.reach.com [134.159.122.26] failed - POSSIBLE BREAK-IN ATTEMPT!
Mar  9 12:01:41 ns1 sshd[17919]: reverse mapping checking getaddrinfo for unknown.net.reach.com [134.159.122.26] failed - POSSIBLE BREAK-IN ATTEMPT!
Mar  9 12:04:10 ns1 sshd[18190]: Invalid user netdump from 134.159.122.26
Mar  9 12:04:12 ns1 sshd[18193]: reverse mapping checking getaddrinfo for unknown.net.reach.com [134.159.122.26] failed - POSSIBLE BREAK-IN ATTEMPT!
Mar  9 12:04:12 ns1 sshd[18193]: Invalid user user1 from 134.159.122.26
Mar  9 12:04:14 ns1 sshd[18196]: reverse mapping checking getaddrinfo for unknown.net.reach.com [134.159.122.26] failed - POSSIBLE BREAK-IN ATTEMPT!
Mar  9 12:04:14 ns1 sshd[18196]: Invalid user user1 from 134.159.122.26
Mar  9 12:04:16 ns1 sshd[18201]: reverse mapping checking getaddrinfo for unknown.net.reach.com [134.159.122.26] failed - POSSIBLE BREAK-IN ATTEMPT!
Mar  9 12:04:16 ns1 sshd[18201]: Invalid user student from 134.159.122.26
Mar  9 12:04:17 ns1 sshd[18204]: reverse mapping checking getaddrinfo for unknown.net.reach.com [134.159.122.26] failed - POSSIBLE BREAK-IN ATTEMPT!
Mar  9 12:04:18 ns1 sshd[18204]: Invalid user student1 from 134.159.122.26
Help.
#2  10th March 2009, 19:39  falko (Super Moderator)

Did you check the regular expressions for fail2ban? (I think they are in the /etc/fail2ban/filters directory, or somewhere similar.)
__________________
Falko
--
Download the ISPConfig 3 Manual! | Check out the ISPConfig 3 Billing Module!

FB: http://www.facebook.com/howtoforge

nginx-Webhosting: Timme Hosting | Follow me on:
#3  11th June 2009, 14:09  Been Told (HowtoForge Supporter)

I just installed fail2ban too and it doesn't seem to ban. I made 6 wrong attempts (max is 5) and the session was closed (so far so good), but then when I try to re-connect I can keep making wrong login attempts.
Here's my jail.local file:
Code:
[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1
bantime  = 600
maxretry = 3

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto".
# yoh: For some reason Debian shipped python-gamin didn't work as expected
#      This issue left ToDo, so polling is default backend for now
backend = polling

#
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = e-mail@ddress.remov.ed

# Default action to take: ban only
action = iptables[name=%(__name__)s, port=%(port)s]


[ssh]

enabled = true
port    = ssh
filter  = sshd
logpath  = /var/log/auth.log
maxretry = 5


[apache]

enabled = true
port    = http
filter  = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 5


[apache-noscript]

enabled = false
port    = http
filter  = apache-noscript
logpath = /var/log/apache*/*error.log
maxretry = 5


[vsftpd]

enabled  = false
port     = ftp
filter   = vsftpd
logpath  = /var/log/auth.log
maxretry = 5


[proftpd]

enabled  = true
port     = ftp
filter   = proftpd
logpath  = /var/log/auth.log
failregex = proftpd: \(pam_unix\) authentication failure; .* rhost=<HOST>
maxretry = 5


[wuftpd]

enabled  = false
port     = ftp
filter   = wuftpd
logpath  = /var/log/auth.log
maxretry = 5


[postfix]

enabled  = false
port     = smtp
filter   = postfix
logpath  = /var/log/mail.log
maxretry = 5


[courierpop3]

enabled  = true
port     = pop3
filter   = courierlogin
failregex = courierpop3login: LOGIN FAILED.*ip=\[.*:<HOST>\]
logpath  = /var/log/mail.log
maxretry = 5


[courierimap]

enabled  = true
port     = imap2
filter   = courierlogin
failregex = imapd: LOGIN FAILED.*ip=\[.*:<HOST>\]
logpath  = /var/log/mail.log
maxretry = 5


[sasl]

enabled  = true
port     = smtp
filter   = sasl
failregex = warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed
logpath  = /var/log/mail.log
maxretry = 5
__________________
My stats:
  • RootServer running ISPconfig 2 on Debian Lenny
  • vServer running PLESK 8.4 on openSUSE 10.3
  • vServer running PLESK 9 on Ubuntu
#4  12th June 2009, 16:46  falko (Super Moderator)

On what service did you make the 6 login attempts? SSH, FTP, ...?
#5  12th June 2009, 17:16  Been Told (HowtoForge Supporter)

Ah sorry for the omission. It was SSH.
#6  13th June 2009, 10:43  falko (Super Moderator)

What's in /var/log/auth.log when there's a failed login attempt?
What's the failregex for SSH? (There should be a file for SSH in the filters.d subdirectory.)
#7  13th June 2009, 11:35  Been Told (HowtoForge Supporter)

The filter.d/sshd.conf is:
Code:
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 663 $
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf


[Definition]

_daemon = sshd

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$
            ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
            ^%(__prefix_line)sFailed (?:password|publickey) for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$
            ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
            ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$
            ^%(__prefix_line)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
            ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
            ^%(__prefix_line)sAddress <HOST> .* POSSIBLE BREAK-IN ATTEMPT\s*$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
And here are the entries in /var/log/auth.log:
Code:
Jun 13 11:33:01 server1 sshd[24297]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xxxxxxxxx.dip.t-dialin.net  user=root
Jun 13 11:33:04 server1 sshd[24297]: Failed password for root from xxxxxxxxx port 49475 ssh2
Jun 13 11:33:17 server1 last message repeated 5 times
Jun 13 11:33:17 server1 sshd[24297]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=xxxxxxxxx.dip.t-dialin.net  user=root
Jun 13 11:33:17 server1 sshd[24297]: PAM service(sshd) ignoring max retries; 5 > 3
#8  14th June 2009, 14:27  falko (Super Moderator)

Can you add this line to failregex and restart fail2ban?

Code:
^%(__prefix_line)spam_unix\(sshd:auth\): authentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
#9  14th June 2009, 14:41  Been Told (HowtoForge Supporter)

Hi falko!
Did that, still the same problem.
Here's the log:
Code:
Jun 14 14:38:14 server1 sshd[17278]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=XXXXXXX.dip.t-dialin.net  user=root
Jun 14 14:38:16 server1 sshd[17278]: Failed password for root from XXXXXXX port 52562 ssh2
Jun 14 14:38:30 server1 last message repeated 5 times
Jun 14 14:38:30 server1 sshd[17278]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=XXXXXXX.dip.t-dialin.net  user=root
Jun 14 14:38:30 server1 sshd[17278]: PAM service(sshd) ignoring max retries; 5 > 3
Jun 14 14:38:58 server1 sshd[17315]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=XXXXXXX.dip.t-dialin.net  user=root
Jun 14 14:38:59 server1 sshd[17315]: Failed password for root from XXXXXXX port 52571 ssh2
Jun 14 14:39:01 server1 CRON[17321]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 14 14:39:01 server1 CRON[17321]: pam_unix(cron:session): session closed for user root
Jun 14 14:39:03 server1 sshd[17315]: Failed password for root from XXXXXXX port 52571 ssh2
Jun 14 14:39:06 server1 sshd[17315]: Failed password for root from XXXXXXX port 52571 ssh2
#10  15th June 2009, 14:13  falko (Super Moderator)

What about this line?

Code:
authentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*
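The thread stops without a resolution, so here is an added example (my code, not code from any of the posts or from fail2ban itself) that replays the log lines and regexes posted above through a small Python imitation of how fail2ban 0.8.x applies a filter's failregex list. Two things stand out. First, the "Failed password for root from ... ssh2" lines in post #9 do match the stock sshd.conf, but syslog collapses the repeats into "last message repeated 5 times", which matches nothing, so a burst of six wrong passwords is counted as one; the second burst in post #9 is only counted because the CRON lines interrupted the repetition. Second, the extra failregex suggested in post #8 is only correct with the parentheses around sshd:auth escaped: left unescaped they form a regex group, so the line can never match the literal "pam_unix(sshd:auth):". PREFIX_LINE and SYSLOG_DATE are my approximations of common.conf's __prefix_line and of fail2ban's date detector, labelled as such in the code.

```python
"""Added example for this thread, not code from the posts or from the fail2ban
project: a small re-implementation of how fail2ban 0.8.x applies a filter's
failregex list, run offline over the log lines and regexes posted above.
Assumption: PREFIX_LINE approximates %(__prefix_line)s, SYSLOG_DATE the date detector."""
import re
from collections import Counter

SYSLOG_DATE = re.compile(r"^[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d")
# Assumption: optional syslog hostname, then "sshd[pid]: " (the kernel/vserver
# prefixes that the real common.conf also allows are left out).
PREFIX_LINE = r"\s*(?:\S+ )?(?:sshd(?:\(\S+\))?(?:\[\d+\])?:?\s+)?"
# What fail2ban substitutes for <HOST> (quoted in the sshd.conf comment above).
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>\S+)"

# failregex list copied from the filter.d/sshd.conf posted in this thread.
STOCK_FAILREGEX = [
    r"^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$",
    r"^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$",
    r"^%(__prefix_line)sFailed (?:password|publickey) for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$",
    r"^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$",
    r"^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$",
    r"^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers$",
    r"^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$",
    r"^%(__prefix_line)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$",
    r"^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$",
    r"^%(__prefix_line)sAddress <HOST> .* POSSIBLE BREAK-IN ATTEMPT\s*$",
]
# Post #8's line with the parentheses around sshd:auth left unescaped: to the regex
# engine "(sshd:auth)" is a group matching "sshd:auth", so "pam_unix(sshd:auth):" never matches.
POSTED_PAM_REGEX = (r"^%(__prefix_line)spam_unix(sshd:auth): authentication failure; "
                    r"logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$")
ESCAPED_PAM_REGEX = POSTED_PAM_REGEX.replace("(sshd:auth)", r"\(sshd:auth\)")
# Post #10's unanchored variant; fail2ban uses search(), so it matches anywhere in the line.
UNANCHORED_REGEX = (r"authentication failure; logname=\S* uid=\S* euid=\S* tty=\S* "
                    r"ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*")
REPEATED = re.compile(r"last message repeated (\d+) times")


def compile_filter(templates):
    """Expand the %(__prefix_line)s and <HOST> tags the way fail2ban does."""
    return [re.compile(t.replace("%(__prefix_line)s", PREFIX_LINE).replace("<HOST>", HOST_TAG))
            for t in templates]


def find_failure(line, regexes):
    """Host captured by the first matching failregex, or None.
    fail2ban strips the timestamp first, then runs each regex with search()."""
    m = SYSLOG_DATE.match(line)
    body = line[m.end():] if m else line
    for rx in regexes:
        hit = rx.search(body)
        if hit:
            return hit.group("host")
    return None


def count_failures(lines, regexes):
    """Failures per host as fail2ban counts them against maxretry."""
    hits = Counter()
    for line in lines:
        host = find_failure(line, regexes)
        if host is not None:
            hits[host] += 1
    return hits


def attempts_actually_made(lines, regexes):
    """Failures as a person reading the log counts them: syslog's 'last message
    repeated N times' stands for N more copies of the preceding line, which fail2ban never sees."""
    total, prev_was_failure = 0, False
    for line in lines:
        rep = REPEATED.search(line)
        if rep:
            total += int(rep.group(1)) if prev_was_failure else 0
            continue
        prev_was_failure = find_failure(line, regexes) is not None
        total += int(prev_was_failure)
    return total


# Log lines quoted from posts #1 and #9 (hosts masked as the posters masked them).
POST1_LOG = [
    "Mar  9 09:42:33 ns1 sshd[15779]: Invalid user custom from 210.51.171.74",
    "Mar  9 09:42:39 ns1 sshd[15783]: Invalid user paula from 210.51.171.74",
    "Mar  9 09:42:41 ns1 sshd[15785]: Invalid user tony from 210.51.171.74",
    "Mar  9 12:01:28 ns1 sshd[17897]: reverse mapping checking getaddrinfo for unknown.net.reach.com [134.159.122.26] failed - POSSIBLE BREAK-IN ATTEMPT!",
    "Mar  9 12:04:10 ns1 sshd[18190]: Invalid user netdump from 134.159.122.26",
]
POST9_LOG = [
    "Jun 14 14:38:14 server1 sshd[17278]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=XXXXXXX.dip.t-dialin.net  user=root",
    "Jun 14 14:38:16 server1 sshd[17278]: Failed password for root from XXXXXXX port 52562 ssh2",
    "Jun 14 14:38:30 server1 last message repeated 5 times",
    "Jun 14 14:38:30 server1 sshd[17278]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=XXXXXXX.dip.t-dialin.net  user=root",
    "Jun 14 14:38:58 server1 sshd[17315]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=XXXXXXX.dip.t-dialin.net  user=root",
    "Jun 14 14:38:59 server1 sshd[17315]: Failed password for root from XXXXXXX port 52571 ssh2",
    "Jun 14 14:39:01 server1 CRON[17321]: pam_unix(cron:session): session opened for user root by (uid=0)",
    "Jun 14 14:39:03 server1 sshd[17315]: Failed password for root from XXXXXXX port 52571 ssh2",
    "Jun 14 14:39:06 server1 sshd[17315]: Failed password for root from XXXXXXX port 52571 ssh2",
]

if __name__ == "__main__":
    stock = compile_filter(STOCK_FAILREGEX)
    print("post #1 as fail2ban counts it:", dict(count_failures(POST1_LOG, stock)))
    print("post #9 as fail2ban counts it:", dict(count_failures(POST9_LOG, stock)))
    print("post #9 attempts actually made:", attempts_actually_made(POST9_LOG, stock))
    for name, extra in [("post #8 unescaped", POSTED_PAM_REGEX), ("post #8 escaped", ESCAPED_PAM_REGEX),
                        ("post #10 unanchored", UNANCHORED_REGEX)]:
        print(name, dict(count_failures(POST9_LOG, compile_filter(STOCK_FAILREGEX + [extra]))))
```

On the real box the equivalent check is `fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf`, which reports how many lines the filter matched. If auth.log contains "last message repeated N times" lines and the box runs rsyslog (the Lenny default), look for `$RepeatedMsgReduction on` in /etc/rsyslog.conf, set it to off and restart rsyslog, so that every failed attempt is written as its own line and reaches maxretry. Note also that the pam_unix line captures a DNS name (rhost=...dip.t-dialin.net) rather than an address, so a ban from that match depends on fail2ban resolving the name; the "Failed password ... from <IP> port ... ssh2" line is the one to rely on.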