entries in the auth log file

Discussion in 'Technical' started by cruz, Jan 22, 2008.

  1. cruz

    cruz New Member

    I have fail2ban installed on my server(debian4.0 perfect setup), but I am not sure it is working. I found this in the auth log file.
    HTML:
    Jan 21 14:01:51 server1 sshd[13695]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=85.91.5.69  user=root
    Jan 21 14:01:53 server1 sshd[13695]: Failed password for root from 85.91.5.69 port 48327 ssh2
    Jan 21 14:01:55 server1 sshd[13699]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=85.91.5.69  user=root
    Jan 21 14:01:57 server1 sshd[13699]: Failed password for root from 85.91.5.69 port 48527 ssh2
    Jan 21 14:01:58 server1 sshd[13701]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=85.91.5.69  user=root
    Jan 21 14:02:00 server1 sshd[13701]: Failed password for root from 85.91.5.69 port 48703 ssh2
    Jan 21 14:02:02 server1 sshd[13703]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=85.91.5.69  user=root
    Jan 21 14:02:04 server1 sshd[13703]: Failed password for root from 85.91.5.69 port 48865 ssh2
    Jan 21 14:02:06 server1 sshd[13707]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=85.91.5.69  user=root
    Jan 21 14:02:08 server1 sshd[13707]: Failed password for root from 85.91.5.69 port 34690 ssh2
    Jan 21 14:02:10 server1 sshd[13709]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=85.91.5.69  user=root
    Jan 21 14:02:12 server1 sshd[13709]: Failed password for root from 85.91.5.69 port 34841 ssh2
    Jan 21 14:02:13 server1 sshd[13711]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=85.91.5.69  user=root
    Jan 21 14:02:16 server1 sshd[13711]: Failed password for root from 85.91.5.69 port 34986 ssh2
    Jan 21 14:02:18 server1 sshd[13715]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=85.91.5.69  user=root
    Jan 21 14:02:20 server1 sshd[13715]: Failed password for root from 85.91.5.69 port 35155 ssh2
    Jan 21 14:02:21 server1 sshd[13717]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=85.91.5.69  user=root
    Jan 21 14:02:23 server1 sshd[13717]: Failed password for root from 85.91.5.69 port 35296 ssh2
    Jan 21 14:02:25 server1 sshd[13721]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=85.91.5.69  user=root
    Jan 21 14:02:28 server1 sshd[13721]: Failed password for root from 85.91.5.69 port 35446 ssh2
    Jan 21 14:02:29 server1 sshd[13723]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=85.91.5.69  user=root
    Jan 21 14:02:31 server1 sshd[13723]: Failed password for root from 85.91.5.69 port 35601 ssh2
    Jan 21 14:02:33 server1 sshd[13725]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=85.91.5.69  user=root
    Jan 21 14:02:35 server1 sshd[13725]: Failed password for root from 85.91.5.69 port 35734 ssh2
    Jan 21 14:02:37 server1 sshd[13729]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=85.91.5.69  user=root
    Jan 21 14:02:39 server1 sshd[13729]: Failed password for root from 85.91.5.69 port 35878 ssh2
    Jan 21 14:02:41 server1 sshd[13731]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=85.91.5.69  user=root
    Jan 21 14:02:43 server1 sshd[13731]: Failed password for root from 85.91.5.69 port 36024 ssh2
    Jan 21 14:02:44 server1 sshd[13735]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=85.91.5.69  user=root
    Jan 21 14:02:47 server1 sshd[13735]: Failed password for root from 85.91.5.69 port 36162 ssh2
    Jan 21 14:02:49 server1 sshd[13737]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=85.91.5.69  user=root
    Jan 21 14:02:51 server1 sshd[13737]: Failed password for root from 85.91.5.69 port 36310 ssh2
    Jan 21 14:02:52 server1 sshd[13739]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=85.91.5.69  user=root
    Jan 21 14:02:54 server1 sshd[13739]: Failed password for root from 85.91.5.69 port 36449 ssh2
    Jan 21 14:02:56 server1 sshd[13743]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=85.91.5.69  user=root
    
    It goes on for a long time like that. Is there a way to check to see if fail2ban is working ok? I know it is blocking it, but I have it set to ban the person after 3 times.
     
  2. cruz

    cruz New Member

    Update

    I was getting ready to setup munin and monit on my system and it told me to run a command, I ran the command and this came up.
    HTML:
    server1:~# dpkg --configure -a
    dpkg: error processing fail2ban (--configure):
     Package is in a very bad inconsistent state - you should
     reinstall it before attempting configuration.
    Errors were encountered while processing:
     fail2ban
    
    I tried to do updates yesterday, but it locked up in the middle of trying to upgrade fail2ban. How can I fix this? Please speak baby Linux talk. Kind of new to Linux. Thanks
    Update
    I found this in the fail2ban log file
    HTML:
    2008-01-22 09:45:04,695 fail2ban.actions.action: INFO   Set actionUnban = iptables -D fail2ban-<name> -s <ip> -j DROP
    2008-01-22 09:45:04,696 fail2ban.actions.action: INFO   Set actionCheck = iptables -L INPUT | grep -q fail2ban-<name>
    2008-01-22 09:45:05,485 fail2ban.actions.action: ERROR  iptables -N fail2ban-courierpop3
    iptables -A fail2ban-courierpop3 -j RETURN
    iptables -I INPUT -p tcp --dport pop3 -j fail2ban-courierpop3 returned 400
    2008-01-22 09:45:05,499 fail2ban.actions.action: ERROR  iptables -N fail2ban-sasl
    iptables -A fail2ban-sasl -j RETURN
    iptables -I INPUT -p tcp --dport smtp -j fail2ban-sasl returned 400
    [
     
    Last edited: Jan 22, 2008
  3. falko

    falko Super Moderator ISPConfig Developer

    You can try
    Code:
    apt-get install fail2ban
     
  4. o.meyer

    o.meyer ISPConfig Developer ISPConfig Developer

    You can also use denyhosts (ssh only).

    Best regards,

    Olli
     
  5. topdog

    topdog New Member HowtoForge Supporter

    A better way to stop the brute force attacks is use the kernel itself via iptables ipt_recent module, doing network stuff at kernel level is far much more efficient than doing it at application level.

    http://www.snowman.net/projects/ipt_recent/
     
  6. cruz

    cruz New Member

    It worked

    It worked Falko. Thank you. Topdog, The way you are taking about, is it for newbies or is it hard to configure and also dose it protect against difrent ports or do you have to configure each port? like ftp, mail,ssh,etc. What I like about fail2ban is it protects all ports that are used. Thanks for helping me to learn everyone.
     
  7. topdog

    topdog New Member HowtoForge Supporter

    ipt_recent can be used on all ports but you need to be able to write iptables rules to configure it i guess fail2ban and deny-hosts are easier to use.
     
  8. cruz

    cruz New Member

    easy now

    Yes they are easy now, but I hope to learn more and apply it to my server. Thanks for your info topdog.
     

Share This Page