From: John T. <joh...@ou...> - 2013-11-24 03:38:56

Hi community :)

I am using Fail2Ban v0.8.6 on Debian squeeze. My auth.log looks like:

Nov 23 21:50:07 sshd[8142]: Disconnecting: Too many authentication failures for root [preauth]
Nov 23 21:50:12 sshd[8144]: Disconnecting: Too many authentication failures for root [preauth]
Nov 23 21:50:15 sshd[8146]: Disconnecting: Too many authentication failures for root [preauth]
Nov 23 21:50:19 sshd[8148]: Disconnecting: Too many authentication failures for root [preauth]
Nov 23 21:50:23 sshd[8150]: Disconnecting: Too many authentication failures for root [preauth]
Nov 23 21:50:27 sshd[8152]: Disconnecting: Too many authentication failures for root [preauth]
Nov 23 21:50:31 sshd[8154]: Disconnecting: Too many authentication failures for root [preauth]
Nov 23 21:50:35 sshd[8156]: Disconnecting: Too many authentication failures for root [preauth]
Nov 23 21:50:37 sshd[8158]: Connection closed by 6X.XXX.XXX.XXX [preauth]

But fail2ban is not able to ban these attempts. What is wrong here? Google search does not reveal much.

- JT

From: Zurd <zu...@gm...> - 2013-11-24 03:46:59

auth.log should log instead:

Nov 23 22:43:58 users sshd[4441]: Failed password for root from 1.2.3.4 port 37458 ssh2

and not 'Connection closed by'. Check your config in /etc/ssh; there might be something in there to modify how auth.log prints failed lines.

Maybe in /etc/ssh/sshd_config you need:

PrintLastLog yes

On Sat, Nov 23, 2013 at 10:38 PM, John Thoe <joh...@ou...> wrote:

> Hi community :)
>
> I am using Fail2Ban v0.8.6 on Debian squeeze. My auth.log looks like:
>
> Nov 23 21:50:07 sshd[8142]: Disconnecting: Too many authentication failures for root [preauth]
> Nov 23 21:50:12 sshd[8144]: Disconnecting: Too many authentication failures for root [preauth]
> Nov 23 21:50:15 sshd[8146]: Disconnecting: Too many authentication failures for root [preauth]
> Nov 23 21:50:19 sshd[8148]: Disconnecting: Too many authentication failures for root [preauth]
> Nov 23 21:50:23 sshd[8150]: Disconnecting: Too many authentication failures for root [preauth]
> Nov 23 21:50:27 sshd[8152]: Disconnecting: Too many authentication failures for root [preauth]
> Nov 23 21:50:31 sshd[8154]: Disconnecting: Too many authentication failures for root [preauth]
> Nov 23 21:50:35 sshd[8156]: Disconnecting: Too many authentication failures for root [preauth]
> Nov 23 21:50:37 sshd[8158]: Connection closed by 6X.XXX.XXX.XXX [preauth]
>
> But fail2ban is not able to ban these attempts. What is wrong here? Google
> search does not reveal much.
>
> - JT

From: John T. <joh...@ou...> - 2013-11-24 03:59:52

Hi,

Thanks for replying.

> auth.log should log instead:
> Nov 23 22:43:58 users sshd[4441]: Failed password for root from 1.2.3.4 port 37458 ssh2
>
> and not 'Connection closed by', check your config in /etc/ssh, there
> might be something in there to modify how auth.log print failed lines.

I don't follow what you mean when you say it should not be this. I did not change any setting, if that is what you meant?

> Maybe in /etc/ssh/sshd_config you need:
> PrintLastLog yes

This line is already there.

From: Daniel B. <dan...@in...> - 2013-11-25 04:01:46

John,

Thanks for the log sample.

As "Nov 23 21:50:37 sshd[8158]: Connection closed by 6X.XXX.XXX.XXX [preauth]" will probably match legitimate disconnections, I can't use it on its own, so a multi-line match is needed. Unfortunately, multi-line matching won't occur until a 0.9 release; however, let's get ready for this.

https://github.com/fail2ban/fail2ban/pull/457

Can you just confirm with your logs that there is a line

Nov 23 21:50:35 sshd[8158]: Disconnecting: Too many authentication failures for root [preauth]

with the same ssh process number as:

Nov 23 21:50:37 sshd[8158]: Connection closed by 6X.XXX.XXX.XXX [preauth]

On average, how far apart are these log messages?

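Added example (not part of the original thread and not fail2ban's filter code): the PID correlation described in the message above, in Python, counting a "Connection closed by <host> [preauth]" line only when the same sshd process also logged "Too many authentication failures". The sample log is constructed, with documentation-range addresses, and assumes both lines appear under one PID, which is what the message asks John to confirm.

```python
import re
from collections import Counter

# Constructed sample in the thread's auth.log format. Addresses are
# documentation-range placeholders; the PID pairing is an assumption.
SAMPLE = """\
Nov 23 21:50:31 sshd[8154]: Disconnecting: Too many authentication failures for root [preauth]
Nov 23 21:50:32 sshd[8154]: Connection closed by 203.0.113.7 [preauth]
Nov 23 21:50:35 sshd[8156]: Disconnecting: Too many authentication failures for root [preauth]
Nov 23 21:50:36 sshd[8156]: Connection closed by 203.0.113.7 [preauth]
Nov 23 21:50:37 sshd[8158]: Connection closed by 198.51.100.20 [preauth]
Nov 23 21:51:02 host1 sshd[8160]: Disconnecting: Too many authentication failures for root [preauth]
"""

# Syslog prefix; the hostname field is optional because the quoted logs omit it.
LINE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} (?:\S+ )?sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
TOO_MANY = re.compile(r"^Disconnecting: Too many authentication failures for \S+ \[preauth\]$")
CLOSED = re.compile(r"^Connection closed by (?P<host>\S+) \[preauth\]$")


def correlate(lines):
    """Pair the two messages by sshd PID.

    Returns (failures, unattributed, pending):
      failures     - Counter of host -> closes preceded by "Too many ..." on the same PID
      unattributed - hosts whose close had no failure line (may be legitimate)
      pending      - PIDs with a failure line but no close line yet (no host known)
    """
    pending = set()
    failures = Counter()
    unattributed = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        if TOO_MANY.match(msg):
            pending.add(pid)
        elif (c := CLOSED.match(msg)):
            if pid in pending:
                pending.discard(pid)
                failures[c["host"]] += 1
            else:
                unattributed.append(c["host"])
    return failures, unattributed, sorted(pending)


if __name__ == "__main__":
    print(correlate(SAMPLE.splitlines()))
```
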
From: Fabian W. <fa...@we...> - 2013-11-27 23:12:09

Hello John

On 24.11.2013 04:38, John Thoe wrote:

> Hi community :)
>
> I am using Fail2Ban v0.8.6 on Debian squeeze. My auth.log looks like:
>
> Nov 23 21:50:35 sshd[8156]: Disconnecting: Too many authentication failures for root [preauth]
> Nov 23 21:50:37 sshd[8158]: Connection closed by 6X.XXX.XXX.XXX [preauth]
>
> But fail2ban is not able to ban these attempts. What is wrong
> here? Google search does not reveal much.

The default sshd configuration (at least on Debian Wheezy, probably also on Squeeze) is set so that it only allows login with an ssh key. Login with password is disabled. With this setting you see only the above lines for existing users. If other, non-existing usernames are tried, then you will see the source IP in the same line and fail2ban will react to it.

Unfortunately the last line is also the same when a legit ssh session is closed, so it currently cannot be used to ban. The multi-line matching Daniel was talking about will solve this.

These root login attempts are only annoying as they fill up the log file, but your root login is not in danger.

bye
Fabian