Thanks Tom. No, it's not just this one IP. I am wondering if these messages have something to do with changing my SSH to only accept private keys? Why would a single IP address attempt connection for 5 hours straight? Just curious if you have any theories about what the intention of a bot like this would be.

It's clearly not legit, but it may not be a threat either.


On Sat, Aug 24, 2013 at 9:02 AM, Tom Hendrikx <tom@whyscream.net> wrote:
Hi,


If it's only that single ip, I'd just block it manually in the firewall.

The 'POSSIBLE BREAK-IN ATTEMPT' is a bit overstated by the ssh developers
imho, since the reason is that an rDNS check for the IP failed: that's
not uncommon for normal connections too.

Anyway, if you want f2b to block these attempts, you can create
/etc/fail2ban/filter.d/sshd-preauth.conf looking something like this:

[INCLUDES]

before = common.conf

[Definition]

_daemon = sshd

failregex = ^%(__prefix_line)sReceived disconnect from <HOST>:.*\[preauth\]\s*$
            ^%(__prefix_line)sConnection closed by <HOST> \[preauth\]\s*$

Be careful with linewrapping. Also make sure your jail allows at least
10 or so failures before banning, since this will also affect regular
users that fail to enter correct credentials.

Tom
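As an added example (not code from this thread and not fail2ban's own code), the Python script below expands the two failregex lines from the sshd-preauth.conf filter above into concrete regular expressions, runs them over a constructed auth.log excerpt, and then applies a jail's maxretry/findtime logic to decide which hosts would be banned. The `%(__prefix_line)s` and `<HOST>` expansions are simplified stand-ins, not fail2ban's real definitions from common.conf; the log lines, the hostname `myhost`, the year 2013 and the timestamps are made up for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Simplified stand-ins for fail2ban's %(__prefix_line)s and <HOST> (assumptions,
# not the real definitions from common.conf): a syslog timestamp, a hostname and
# "sshd[pid]: "; <HOST> becomes a named group for an IPv4 address or hostname.
PREFIX = r"(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+\S+\s+sshd\[\d+\]:\s+"
HOST = r"(?P<host>[\w\-.]+)"

# The two failregex lines from the sshd-preauth.conf filter, expanded.
FAILREGEX = [
    re.compile(r"^" + PREFIX + r"Received disconnect from " + HOST + r":.*\[preauth\]\s*$"),
    re.compile(r"^" + PREFIX + r"Connection closed by " + HOST + r" \[preauth\]\s*$"),
]


def _ts(line_ts, year=2013):
    # syslog timestamps carry no year; the constructed sample assumes 2013.
    return datetime.strptime(f"{year} {line_ts}", "%Y %b %d %H:%M:%S")


def _line(ts, pid, msg):
    # Constructed syslog-style line; "myhost" is an assumed hostname.
    return f"{ts:%b %d %H:%M:%S} myhost sshd[{pid}]: {msg}"


def build_sample_log():
    """Constructed auth.log excerpt (not a real capture): one host reconnecting
    every 6 seconds and disconnecting before auth, followed by ordinary traffic."""
    t0 = datetime(2013, 8, 23, 10, 15, 1)
    bot = "189.50.1.206"
    lines = []
    for i in range(12):
        t = t0 + timedelta(seconds=6 * i)
        lines.append(_line(t, 9816 + 2 * i, f"Received disconnect from {bot}: 11: Bye Bye [preauth]"))
        lines.append(_line(t, 9817 + 2 * i,
                           f"reverse mapping checking getaddrinfo for ns2.caroneonline.com.br [{bot}] "
                           "failed - POSSIBLE BREAK-IN ATTEMPT!"))
    # Legitimate traffic: a key login, and a user whose client dropped before auth once.
    lines.append(_line(t0 + timedelta(seconds=80), 9900, "Accepted publickey for billy from 10.0.0.5 port 51234 ssh2"))
    lines.append(_line(t0 + timedelta(seconds=90), 9901, "Connection closed by 10.0.0.7 [preauth]"))
    lines.append(_line(t0 + timedelta(seconds=100), 9902, "Received disconnect from 10.0.0.7: 11: disconnected by user"))
    return "\n".join(lines)


def failures_by_host(log_text):
    """Run the filter over the log; returns {host: [timestamps of matching lines]}.
    Like fail2ban, a line counts once even if several patterns would match it."""
    found = defaultdict(list)
    for line in log_text.splitlines():
        for rx in FAILREGEX:
            m = rx.match(line)
            if m:
                found[m.group("host")].append(_ts(m.group("ts")))
                break
    return found


def hosts_to_ban(found, maxretry=10, findtime=600):
    """Jail logic: a host is banned once it has maxretry matches inside any
    window of findtime seconds (sorted sliding window over its timestamps)."""
    banned = []
    for host, times in found.items():
        times = sorted(times)
        for i in range(len(times) - maxretry + 1):
            if (times[i + maxretry - 1] - times[i]).total_seconds() <= findtime:
                banned.append(host)
                break
    return sorted(banned)


if __name__ == "__main__":
    found = failures_by_host(build_sample_log())
    for host, times in found.items():
        print(f"{host}: {len(times)} preauth disconnect(s)")
    print("maxretry=10:", hosts_to_ban(found, maxretry=10))
    print("maxretry=1: ", hosts_to_ban(found, maxretry=1))
```

With maxretry=10 only the host that reconnects every six seconds is banned; with maxretry=1 the user at 10.0.0.7 whose client dropped once before authenticating is banned as well, which is the false-positive risk the note above about allowing at least 10 or so failures is pointing at.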

On 24-08-13 13:51, billy noah wrote:
> thanks tom,
>
> yes, it is often the same IP. For example, in yesterday's log I see the
> IP 189.50.1.206 attempting to connect about 10 times per minute for 5
> hours straight. Every attempt generates these two lines in the auth.log:
>
> sshd[9816]: Received disconnect from 189.50.1.206: 11: Bye Bye [preauth]
> sshd[9818]: reverse mapping checking getaddrinfo for ns2.caroneonline.com.br [189.50.1.206] failed - POSSIBLE BREAK-IN ATTEMPT!
>
> I really don't know how much of a threat this is, but it doesn't look
> particularly friendly, and I'm usually curious when my logs scream
> something like "POSSIBLE BREAK-IN ATTEMPT!" in all caps. That being
> said, my ssh accepts keys only now, so in theory there's not much of
> anything that should be a threat. Before I stopped allowing password
> logins I was getting thousands of brute force login attempts per day.
>
> I really don't know, what's your opinion? Is this a threat? Should I
> even bother running fail2ban with key-only ssh, or is that enough by itself?
>
> -billy-
>
>
> On Sat, Aug 24, 2013 at 3:21 AM, Tom Hendrikx <tom@whyscream.net> wrote:
>
>     On 24-08-13 00:36, billynoah wrote:
>     > hello everyone,
>     >
>     > receiving this msg in my auth.log over and over:
>     >
>     > Received disconnect from (some.ip.add.ress): Bye Bye [preauth]
>     >
>     > but fail2ban is not banning the associated ip.  can anyone help
>     me? what
>     > do i need to do to get fail2ban to recognize this and ban the ip?  is
>     > this even a threat?
>     >
>     > thanks
>     >
>     > billy
>     >
>
>     Your questions are in the wrong order :)
>
>     The first question should be 'what is causing this?', then you should
>     determine whether it is an actual threat, then you could add a line in
>     f2b for it :)
>
>     AFAIK, the log line comes from ssh, and indicates a connection from
>     something that doesn't try (or isn't able) to authenticate. This could be a
>     probe or portscan, but it could also be a monitoring tool that only
>     connects to the ssh port to find out if it's still up (f.i. nagios monitoring
>     ssh remotely). A monitoring process would typically come back every n
>     minutes.
>
>     As far as it being a threat: it doesn't try to auth, so even with 100
>     connects a day it doesn't do any kind of dictionary attack. Do you even
>     see the same ip coming back multiple times?
>
>     Now, are the connects a threat to you, or not?
>
>     --
>     Tom
>
>     ------------------------------------------------------------------------------
>     Introducing Performance Central, a new site from SourceForge and
>     AppDynamics. Performance Central is your source for news, insights,
>     analysis and resources for efficient Application Performance Management.
>     Visit us today!
>     http://pubads.g.doubleclick.net/gampad/clk?id=48897511&iu=/4140/ostg.clktrk
>     _______________________________________________
>     Fail2ban-users mailing list
>     Fail2ban-users@lists.sourceforge.net
>     <mailto:Fail2ban-users@lists.sourceforge.net>
>     https://lists.sourceforge.net/lists/listinfo/fail2ban-users
>
>
>
>
>

