Fail2ban vs denyhosts vs iptables

Discussion in 'Server Operation' started by Desp, May 28, 2014.

  1. Desp

    Desp Member

    Hello everyone,
    I can't seem to get any of these tools working on blocking some bad guys, and I am starting to get nervous.

    I have set up fail2ban to take care of some services I am running on my server, except SSH.
    I have set up denyhosts to take care of SSH.
    Since I am getting some attacks lately, I have added some IPs to be blocked with iptables and started using the ufw firewall; I also added subnets as /24.

    The problem is that I am still getting logs that show the blocked IPs trying to log in and connect to SSH, and some errors from fail2ban and denyhosts that some IPs are already in the block list. :confused:

    What should I do next?

    Logs from auth.log

    Code:
    May 27 20:49:43  sshd[14422]: last message repeated 5 times
    May 27 20:49:43 trinity sshd[14422]: Disconnecting: Too many authentication failures for root [preauth]
    May 27 20:49:43 trinity sshd[14422]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.10.191.181  user=root
    May 27 20:49:43 trinity sshd[14422]: PAM service(sshd) ignoring max retries; 6 > 3
    May 27 20:49:45 trinity sshd[14424]: reverse mapping checking getaddrinfo for evil.chinese.hacker.cn [116.10.191.181] failed - POSSIBLE BREAK-IN ATTEMPT!
    May 27 20:49:45 trinity sshd[14424]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.10.191.181  user=root
    May 27 20:49:47 trinity sshd[14424]: Failed password for root from 116.10.191.181 port 25908 ssh2
    May 27 20:49:58  sshd[14424]: last message repeated 5 times
    May 27 20:49:58 trinity sshd[14424]: Disconnecting: Too many authentication failures for root [preauth]
    May 27 20:49:58 trinity sshd[14424]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.10.191.181  user=root
    May 27 20:49:58 trinity sshd[14424]: PAM service(sshd) ignoring max retries; 6 > 3
    May 27 20:49:59 trinity sshd[14426]: reverse mapping checking getaddrinfo for evil.chinese.hacker.cn [116.10.191.181] failed - POSSIBLE BREAK-IN ATTEMPT!
    May 27 20:50:00 trinity sshd[14426]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.10.191.181  user=root
    May 27 20:50:02 trinity sshd[14426]: Failed password for root from 116.10.191.181 port 32507 ssh2
    May 27 20:50:13  sshd[14426]: last message repeated 5 times
    May 27 20:50:13 trinity sshd[14426]: Disconnecting: Too many authentication failures for root [preauth]
    May 27 20:50:13 trinity sshd[14426]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.10.191.181  user=root
    May 27 20:50:13 trinity sshd[14426]: PAM service(sshd) ignoring max retries; 6 > 3
    May 27 20:50:14 trinity sshd[14482]: refused connect from 116.10.191.181 (116.10.191.181)
    May 28 00:48:59 trinity sshd[18513]: refused connect from 116.10.191.221 (116.10.191.221)
    Logs from fail2ban
    Code:
    2014-05-27 15:31:21,126 fail2ban.jail   : INFO   Creating new jail 'ssh-ddos'
    2014-05-27 15:31:21,127 fail2ban.jail   : INFO   Jail 'ssh-ddos' uses Gamin
    2014-05-27 15:31:21,231 fail2ban.jail   : INFO   Jail 'ssh-ddos' started
    2014-05-27 18:55:54,910 fail2ban.actions.action: ERROR  iptables -D INPUT -p tcp -m multiport --dports ssh -j fail2ban-default
    2014-05-27 18:55:54,992 fail2ban.jail   : INFO   Jail 'ssh-ddos' stopped
    2014-05-27 18:55:59,828 fail2ban.jail   : INFO   Creating new jail 'ssh-ddos'
    2014-05-27 18:55:59,830 fail2ban.jail   : INFO   Jail 'ssh-ddos' uses Gamin
    2014-05-27 18:55:59,934 fail2ban.jail   : INFO   Jail 'ssh-ddos' started
     
    Last edited: May 28, 2014
  2. srijan

    srijan New Member HowtoForge Supporter

    Here I will suggest that you change the SSH port from the default to another port.
     
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    Is this a VPS or root server?

    Do you see the blocked IPs when you run:

    iptables -L
     
  4. Desp

    Desp Member

    Hi Srijan,
    The problem is that this is a bot that is trying all ports. I have also thought about that and changed the default port for SSH.

    Hi till,
    It's a root server, and here is the output of iptables -L:

    Code:
    # iptables -L
    Chain INPUT (policy DROP)
    target     prot opt source               destination
    fail2ban-dovecot  tcp  --  anywhere             anywhere             multiport dports smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
    fail2ban-sasl  tcp  --  anywhere             anywhere             multiport dports smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
    fail2ban-postfix  tcp  --  anywhere             anywhere             multiport dports smtp,ssmtp
    fail2ban-proftpd  tcp  --  anywhere             anywhere             multiport dports ftp,ftp-data,ftps,ftps-data
    fail2ban-apache-overflows  tcp  --  anywhere             anywhere             multiport dports http,https
    fail2ban-apache-noscript  tcp  --  anywhere             anywhere             multiport dports http,https
    fail2ban-apache-multiport  tcp  --  anywhere             anywhere             multiport dports http,https
    fail2ban-default  tcp  --  anywhere             anywhere             multiport dports ssh
    fail2ban-default  tcp  --  anywhere             anywhere             multiport dports ssh
    fail2ban-ssh  tcp  --  anywhere             anywhere             multiport dports ssh
    ufw-before-logging-input  all  --  anywhere             anywhere
    ufw-before-input  all  --  anywhere             anywhere
    ufw-after-input  all  --  anywhere             anywhere
    ufw-after-logging-input  all  --  anywhere             anywhere
    ufw-reject-input  all  --  anywhere             anywhere
    ufw-track-input  all  --  anywhere             anywhere
    DROP       all  --  116.10.191.0/24      anywhere
    
    Chain FORWARD (policy DROP)
    target     prot opt source               destination
    ufw-before-logging-forward  all  --  anywhere             anywhere
    ufw-before-forward  all  --  anywhere             anywhere
    ufw-after-forward  all  --  anywhere             anywhere
    ufw-after-logging-forward  all  --  anywhere             anywhere
    ufw-reject-forward  all  --  anywhere             anywhere
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    ufw-before-logging-output  all  --  anywhere             anywhere
    ufw-before-output  all  --  anywhere             anywhere
    ufw-after-output  all  --  anywhere             anywhere
    ufw-after-logging-output  all  --  anywhere             anywhere
    ufw-reject-output  all  --  anywhere             anywhere
    ufw-track-output  all  --  anywhere             anywhere
    
    Chain fail2ban-apache-multiport (1 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere
    Chain fail2ban-apache-noscript (1 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere
    
    Chain fail2ban-apache-overflows (1 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere
    
    Chain fail2ban-default (2 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere
    RETURN     all  --  anywhere             anywhere
    
    Chain fail2ban-dovecot (1 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere
    
    Chain fail2ban-postfix (1 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere
    
    Chain fail2ban-proftpd (1 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere
    
    Chain fail2ban-sasl (1 references)
    target     prot opt source               destination
    DROP       all  --  isg-brass5-213-242-48-182.ivnet.ru  anywhere
    RETURN     all  --  anywhere             anywhere
    
    Chain fail2ban-ssh (1 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere
    
    Chain ufw-after-forward (1 references)
    target     prot opt source               destination
    
    Chain ufw-after-input (1 references)
    target     prot opt source               destination
    ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:netbios-ns
    ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:netbios-dgm
    ufw-skip-to-policy-input  tcp  --  anywhere             anywhere             tcp dpt:netbios-ssn
    ufw-skip-to-policy-input  tcp  --  anywhere             anywhere             tcp dpt:microsoft-ds
    ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:bootps
    ufw-skip-to-policy-input  all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST
    
    Chain ufw-after-logging-forward (1 references)
    target     prot opt source               destination
    LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
    
    Chain ufw-after-logging-input (1 references)
    target     prot opt source               destination
    LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
    
    Chain ufw-after-logging-output (1 references)
    target     prot opt source               destination
    LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "
    
    Chain ufw-after-output (1 references)
    target     prot opt source               destination
    
    Chain ufw-before-forward (1 references)
    target     prot opt source               destination
    ufw-user-forward  all  --  anywhere             anywhere
    
    Chain ufw-before-input (1 references)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere
    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
    ufw-logging-deny  all  --  anywhere             anywhere             state INVALID
    DROP       all  --  anywhere             anywhere             state INVALID
    ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable
    ACCEPT     icmp --  anywhere             anywhere             icmp source-quench
    ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
    ACCEPT     icmp --  anywhere             anywhere             icmp parameter-problem
    ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
    ACCEPT     udp  --  anywhere             anywhere             udp spt:bootps dpt:bootpc
    ufw-not-local  all  --  anywhere             anywhere
    ACCEPT     udp  --  anywhere             224.0.0.251          udp dpt:mdns
    ACCEPT     udp  --  anywhere             239.255.255.250      udp dpt:1900
    ufw-user-input  all  --  anywhere             anywhere
    
    Chain ufw-before-logging-forward (1 references)
    target     prot opt source               destination
    LOG        all  --  anywhere             anywhere             state NEW limit: avg 3/min burst 10 LOG level warning prefix "[UFW AUDIT] "
    
    Chain ufw-before-logging-input (1 references)
    target     prot opt source               destination
    LOG        all  --  anywhere             anywhere             state NEW limit: avg 3/min burst 10 LOG level warning prefix "[UFW AUDIT] "
    
    Chain ufw-before-logging-output (1 references)
    target     prot opt source               destination
    LOG        all  --  anywhere             anywhere             state NEW limit: avg 3/min burst 10 LOG level warning prefix "[UFW AUDIT] "
    
    Chain ufw-before-output (1 references)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere
    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
    ufw-user-output  all  --  anywhere             anywhere
    
    Chain ufw-logging-allow (0 references)
    target     prot opt source               destination
    LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "
    
    Chain ufw-logging-deny (2 references)
    target     prot opt source               destination
    LOG        all  --  anywhere             anywhere             state INVALID limit: avg 3/min burst 10 LOG level warning prefix "[UFW AUDIT INVALID] "
    LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
    
    Chain ufw-not-local (1 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL
    RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type MULTICAST
    RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST
    ufw-logging-deny  all  --  anywhere             anywhere             limit: avg 3/min burst 10
    DROP       all  --  anywhere             anywhere
    
    Chain ufw-reject-forward (1 references)
    target     prot opt source               destination
    
    Chain ufw-reject-input (1 references)
    target     prot opt source               destination
    
    Chain ufw-reject-output (1 references)
    target     prot opt source               destination
    
    Chain ufw-skip-to-policy-forward (0 references)
    target     prot opt source               destination
    DROP       all  --  anywhere             anywhere
    Chain ufw-skip-to-policy-input (7 references)
    target     prot opt source               destination
    DROP       all  --  anywhere             anywhere
    
    Chain ufw-skip-to-policy-output (0 references)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere
    
    Chain ufw-track-input (1 references)
    target     prot opt source               destination
    
    Chain ufw-track-output (1 references)
    target     prot opt source               destination
    ACCEPT     tcp  --  anywhere             anywhere             state NEW
    ACCEPT     udp  --  anywhere             anywhere             state NEW
    
    Chain ufw-user-forward (1 references)
    target     prot opt source               destination
    
    Chain ufw-user-input (1 references)
    target     prot opt source               destination
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
    ACCEPT     udp  --  anywhere             anywhere             udp dpt:ssh
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ftp
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
    ACCEPT     udp  --  anywhere             anywhere             udp dpt:http
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imap2
    ACCEPT     udp  --  anywhere             anywhere             udp dpt:imap2
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:pop3
    ACCEPT     udp  --  anywhere             anywhere             udp dpt:pop3
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:smtp
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:13379
    ACCEPT     udp  --  anywhere             anywhere             udp dpt:13379
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:webmin
    ACCEPT     udp  --  anywhere             anywhere             udp dpt:10000
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imaps
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:pop3
    DROP       all  --  116.10.191.0/24      anywhere
    
    Chain ufw-user-limit (0 references)
    target     prot opt source               destination
    LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK] "
    REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
    
    Chain ufw-user-limit-accept (0 references)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere
    
    Chain ufw-user-logging-forward (0 references)
    target     prot opt source               destination
    
    Chain ufw-user-logging-input (0 references)
    target     prot opt source               destination
    
    Chain ufw-user-logging-output (0 references)
    target     prot opt source               destination
    
    Chain ufw-user-output (1 references)
    target     prot opt source               destination
    
     
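The posted `iptables -L` output already shows why the /24 block is not taking effect: in chain `ufw-user-input` the rule `ACCEPT tcp dpt:ssh` comes before `DROP 116.10.191.0/24`, and in `INPUT` the second `DROP 116.10.191.0/24` sits after the jump into the ufw chains, so an SSH packet from that subnet is accepted before either DROP is ever consulted. `iptables -L` also hides interface matches and resolves port names, which makes this hard to see; `iptables -S` (or `iptables -L -n -v`) is the form to reason from. The following is an added example, not code from the thread: a small tracer that walks a ruleset in `iptables -S` form and reports the first terminal verdict for a packet together with the later rules that match but can never fire. The ruleset is constructed to mirror the posted INPUT chain; the `-i lo -j ACCEPT` rule is an assumption based on ufw's stock `before.rules`, since `-L` shows it only as a bare `ACCEPT all -- anywhere anywhere`.

```python
"""Trace one packet through an iptables ruleset (``iptables -S`` form) and
report the first terminal verdict plus any later rules it shadows.

Added example; not code from the thread. Handles the minimal option subset
seen in the posted ruleset: -s, -p, -i, --dport/--dports, --state, -j.
"""
import ipaddress
import shlex

# Constructed ruleset modelled on the posted INPUT chain (fail2ban jumps,
# then the ufw chains, then a DROP appended at the end of INPUT and of
# ufw-user-input). ASSUMPTION: the first ufw-before-input rule is -i lo.
RULESET = """
-P INPUT DROP
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -s 116.10.191.0/24 -j DROP
-A fail2ban-ssh -j RETURN
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -j ufw-user-input
-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 80 -j ACCEPT
-A ufw-user-input -s 116.10.191.0/24 -j DROP
-A ufw-after-input -j RETURN
"""

# Same ruleset with the DROP inserted at position 1 of INPUT, i.e. what
# `iptables -I INPUT 1 -s 116.10.191.0/24 -j DROP` produces. (`ufw insert 1
# deny from 116.10.191.0/24` achieves the same ordering inside ufw-user-input.)
FIXED_RULESET = RULESET.replace(
    "-P INPUT DROP\n", "-P INPUT DROP\n-A INPUT -s 116.10.191.0/24 -j DROP\n", 1)

TERMINAL = {"ACCEPT", "DROP", "REJECT"}

# Constructed packets: a brute-forcer from the posted subnet and a legit client.
ATTACKER = {"src": "116.10.191.181", "proto": "tcp", "dport": 22, "iface": "eth0", "state": "NEW"}
CLIENT = {"src": "203.0.113.7", "proto": "tcp", "dport": 22, "iface": "eth0", "state": "NEW"}


def parse(text):
    """Return ({builtin_chain: policy}, {chain: [rule, ...]}) from -S output."""
    policies, chains = {}, {}
    for line in text.strip().splitlines():
        tok = shlex.split(line)
        if tok[0] == "-P":
            policies[tok[1]] = tok[2]
            continue
        rule = {"src": None, "proto": None, "dports": None, "iface": None,
                "state": None, "target": None, "text": line.strip()}
        i = 2  # tok[0] is -A, tok[1] the chain name; options are option/argument pairs
        while i < len(tok):
            opt, arg = tok[i], tok[i + 1]
            if opt == "-s":
                rule["src"] = ipaddress.ip_network(arg, strict=False)
            elif opt == "-p":
                rule["proto"] = arg
            elif opt in ("--dport", "--dports"):
                rule["dports"] = {int(p) for p in arg.split(",")}
            elif opt == "-i":
                rule["iface"] = arg
            elif opt == "--state":
                rule["state"] = set(arg.split(","))
            elif opt == "-j":
                rule["target"] = arg
            # "-m <module>" and anything unknown is skipped as a pair
            i += 2
        chains.setdefault(tok[1], []).append(rule)
    return policies, chains


def matches(rule, pkt):
    """True when every match the rule specifies agrees with the packet."""
    return ((rule["src"] is None or ipaddress.ip_address(pkt["src"]) in rule["src"])
            and (rule["proto"] is None or rule["proto"] == pkt["proto"])
            and (rule["dports"] is None or pkt["dport"] in rule["dports"])
            and (rule["iface"] is None or rule["iface"] == pkt["iface"])
            and (rule["state"] is None or pkt["state"] in rule["state"]))


def trace(policies, chains, pkt, chain="INPUT", path=None):
    """Walk `chain` in order, descending into user chains. Returns (verdict, path);
    verdict is None when a user chain RETURNs or falls through to its caller."""
    path = [] if path is None else path
    for rule in chains.get(chain, []):
        if not matches(rule, pkt):
            continue
        path.append(f"{chain}: {rule['text']}")
        target = rule["target"]
        if target in TERMINAL:
            return target, path
        if target == "RETURN":
            break
        if target == "LOG":
            continue  # non-terminating target: keep walking the chain
        verdict, path = trace(policies, chains, pkt, target, path)
        if verdict is not None:
            return verdict, path
    # Built-in chains end with their policy; user chains hand back to the caller.
    return (policies[chain], path) if chain in policies else (None, path)


def analyse(ruleset_text, pkt):
    """Verdict, the rules consulted, and matching terminal rules never reached."""
    policies, chains = parse(ruleset_text)
    verdict, path = trace(policies, chains, pkt)
    consulted = set(path)
    shadowed = [f"{c}: {r['text']}" for c, rules in chains.items() for r in rules
                if r["target"] in TERMINAL and matches(r, pkt)
                and f"{c}: {r['text']}" not in consulted]
    return {"verdict": verdict, "path": path, "shadowed": shadowed}


if __name__ == "__main__":
    for label, text in (("posted order", RULESET), ("DROP inserted first", FIXED_RULESET)):
        result = analyse(text, ATTACKER)
        print(f"{label}: verdict={result['verdict']}")
        for step in result["path"]:
            print("    ", step)
        for rule in result["shadowed"]:
            print("    SHADOWED (never reached):", rule)
```

With the posted ordering the attacker's SSH packet ends at `ufw-user-input: ... --dport 22 -j ACCEPT` and both `DROP` rules for 116.10.191.0/24 are listed as shadowed; with the DROP moved to the front of INPUT the same packet is dropped while the legitimate client is still accepted. The tracer is deliberately limited to the options that appear in the posted chains; real rulesets with negation (`!`), `-d`, `conntrack` or owner matches need the corresponding cases added.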
  5. Desp

    Desp Member

    Some fresh logs from auth.log. It seems to be working on some IPs:

    Code:
    May 28 02:23:51 trinity sshd[20124]: refused connect from 116.10.191.164 (116.10.191.164)
    May 28 02:23:52 trinity sshd[20101]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.10.191.164  user=root
    May 28 02:23:54 trinity sshd[20101]: Failed password for root from 116.10.191.164 port 22290 ssh2
    May 28 02:24:05  sshd[20101]: last message repeated 5 times
    May 28 02:24:05 trinity sshd[20101]: Disconnecting: Too many authentication failures for root [preauth]
    May 28 02:24:05 trinity sshd[20101]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.10.191.164  user=root
    May 28 02:24:05 trinity sshd[20101]: PAM service(sshd) ignoring max retries; 6 > 3
    May 28 02:24:06 trinity sshd[20125]: refused connect from 116.10.191.164 (116.10.191.164)
    May 28 03:16:46 trinity sshd[21137]: refused connect from 116.10.191.222 (116.10.191.222)
    May 28 09:03:29 trinity sshd[27111]: refused connect from 116.10.191.202 (116.10.191.202)
    May 28 09:29:02 trinity sshd[27484]: refused connect from 116.10.191.163 (116.10.191.163)
    May 28 09:29:24 trinity sshd[27485]: refused connect from 116.10.191.163 (116.10.191.163)
    May 28 09:29:44 trinity sshd[27486]: refused connect from 116.10.191.163 (116.10.191.163)
    May 28 09:30:06 trinity sshd[27531]: refused connect from 116.10.191.163 (116.10.191.163)
    May 28 10:42:19 trinity sshd[28650]: refused connect from 116.10.191.182 (116.10.191.182)
    May 28 10:50:31 trinity sshd[28770]: refused connect from 113.108.211.131 (113.108.211.131)
    May 28 12:07:26 trinity sshd[29941]: Received disconnect from 199.91.135.158: 3: com.jcraft.jsch.JSchException: reject HostKey: 213.112.124.172 [preauth]
    May 28 12:36:46 trinity sshd[30431]: refused connect from 116.10.191.181 (116.10.191.181)
     
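The two kinds of lines in these excerpts come from different layers. `refused connect from X (X)` is emitted by sshd's TCP-wrappers (libwrap) check against `/etc/hosts.deny`, which is where denyhosts writes its entries; the TCP connection was already accepted by the kernel and handed to sshd before being refused. `Failed password` and the `PAM ... authentication failures` lines mean the client got past both the firewall and TCP wrappers and reached authentication. A packet that iptables actually dropped can never produce any sshd log line, so every sshd line from a 116.10.191.x host is direct evidence that the DROP for that /24 is not matching. The following is an added example, not code from the thread: a triage script that classifies sshd lines by layer and lists the ones that contradict the firewall. The log lines are constructed (the `Accepted publickey` line and 203.0.113.7 are invented for contrast), and the blocked-network list is an assumption standing in for what `iptables -S` would show.

```python
"""Triage sshd lines from auth.log: which layer did each client reach, and
which clients should never have reached sshd at all because iptables is
supposed to drop them?

Added example; not code from the thread. Sample lines are constructed to
mirror the posted auth.log excerpt.
"""
import ipaddress
import re
from collections import defaultdict

# ASSUMPTION: networks the administrator believes iptables/ufw drops.
BLOCKED = [ipaddress.ip_network("116.10.191.0/24")]

# Constructed sample log (formats copied from the posted excerpt; the
# 'Accepted publickey' line and 203.0.113.7 are invented).
SAMPLE_LOG = """\
May 28 02:23:51 trinity sshd[20124]: refused connect from 116.10.191.164 (116.10.191.164)
May 28 02:23:54 trinity sshd[20101]: Failed password for root from 116.10.191.164 port 22290 ssh2
May 28 02:24:05 trinity sshd[20101]: Disconnecting: Too many authentication failures for root [preauth]
May 28 02:24:05 trinity sshd[20101]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.10.191.164  user=root
May 28 09:29:02 trinity sshd[27484]: refused connect from 116.10.191.163 (116.10.191.163)
May 28 10:50:31 trinity sshd[28770]: refused connect from 113.108.211.131 (113.108.211.131)
May 28 11:02:10 trinity sshd[29001]: Accepted publickey for deploy from 203.0.113.7 port 51022 ssh2
"""

# Each pattern is tagged with the layer that produced the line.
PATTERNS = [
    # libwrap / hosts.deny (DenyHosts): TCP handshake completed, then sshd refused it
    ("tcpwrapper_refused", re.compile(r"sshd\[\d+\]: refused connect from (\S+) \(")),
    # sshd authentication: the client passed the firewall AND TCP wrappers
    ("auth_failed", re.compile(r"sshd\[\d+\]: Failed password for \S+ from (\S+) port")),
    ("auth_failed", re.compile(r"sshd\[\d+\]: PAM \d+ more authentication failures;.* rhost=(\S+)")),
    ("auth_ok", re.compile(r"sshd\[\d+\]: Accepted \S+ for \S+ from (\S+) port")),
]

LAYER_DESCRIPTION = {
    "tcpwrapper_refused": "reached sshd, refused by TCP wrappers (firewall did not drop it)",
    "auth_failed": "reached sshd authentication (firewall and TCP wrappers did not stop it)",
    "auth_ok": "authenticated successfully",
}


def classify(line):
    """Return (event_kind, source_ip) for a recognised sshd line, else None."""
    for kind, pattern in PATTERNS:
        m = pattern.search(line)
        if m:
            return kind, m.group(1)
    return None


def is_blocked(ip, blocked=BLOCKED):
    """True when `ip` falls inside any network the firewall is supposed to drop."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in blocked)


def audit(log_text, blocked=BLOCKED):
    """Per-source event counts, plus 'leaks': sshd events from sources that
    iptables should have dropped before sshd ever saw a packet."""
    per_ip = defaultdict(lambda: defaultdict(int))
    leaks = []
    for line in log_text.splitlines():
        hit = classify(line)
        if hit is None:
            continue  # e.g. 'Disconnecting: ...' carries no client address
        kind, ip = hit
        per_ip[ip][kind] += 1
        if is_blocked(ip, blocked):
            leaks.append((ip, kind))
    return per_ip, leaks


if __name__ == "__main__":
    per_ip, leaks = audit(SAMPLE_LOG)
    for ip, kinds in sorted(per_ip.items()):
        print(ip)
        for kind, count in kinds.items():
            print(f"    {count}x {LAYER_DESCRIPTION[kind]}")
    if leaks:
        print("\nFIREWALL NOT EFFECTIVE: sshd logged traffic from 'blocked' sources:")
        for ip, kind in leaks:
            print(f"    {ip}: {kind}")
```

Run against a real `/var/log/auth.log` (`audit(open("/var/log/auth.log").read())`), any non-empty `leaks` list means the iptables or ufw DROP is misplaced or never matching; the fix is in the firewall rule order, not in fail2ban or denyhosts, which both act only after the packet has already reached sshd. The "auth_failed" entries are the more serious class, because those clients were being given password attempts, whereas "tcpwrapper_refused" shows the hosts.deny layer is at least doing its job.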
