From: Yaroslav H. <li...@on...> - 2014-05-05 14:10:46
Not sure what "global ban" is (and thus how it was "put"), thus -- first check whether you have those rules in your iptables:

    iptables -L -n -v

On Sun, 04 May 2014, r fancher wrote:

> A month ago this "person" made several attempts at accessing my site so I
> put in a global ban:
> -A fail2ban-ssh -s 220.177.198.0/24 -j REJECT --reject-with
> icmp-port-unreachable
> But today I saw the following which is concerning me that fail2ban isn't
> actually working:
> May 2 11:56:57 pcname sshd[21105]: pam_unix(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=220.177.198.33
> user=root
> May 2 11:56:59 pcname sshd[21105]: Failed password for root from
> 220.177.198.33 port 41260 ssh2
> May 2 11:56:59 pcname sshd[21105]: Received disconnect from
> 220.177.198.33: 11: Bye Bye [preauth]
> May 2 19:23:27 pcname sshd[24226]: pam_unix(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=220.177.198.31
> user=root
> 2014-05-02 11:57:00,026 fail2ban.actions: WARNING [ssh] Ban 220.177.198.33
> 2014-05-02 19:23:29,510 fail2ban.actions: WARNING [ssh] Ban 220.177.198.31
> I have the standard defaults in my conf file:
> [ssh]
> enabled = true
> port = ssh
> filter = sshd
> logpath = /var/log/auth.log
> maxretry = 1
> I have also seen various other ip's banned yet still give the result logs
> as if they were met with a user/pass challenge.
> These were already in place before I put in a global ban:
> -A fail2ban-ssh -s 220.177.198.31/32 -j REJECT --reject-with
> icmp-port-unreachable
> -A fail2ban-ssh -s 220.177.198.33/32 -j REJECT --reject-with
> icmp-port-unreachable
> Even without the global ban they used the same IP’s and still was met with
> the ssh challenge, why is that? I know it works because I have banned
> myself on several occasions, so why am I still seeing this in the logs?

--
Yaroslav O. Halchenko, Ph.D.
http://neuro.debian.net http://www.pymvpa.org http://www.fail2ban.org
Research Scientist, Psychological and Brain Sciences Dept.
Dartmouth College, 419 Moore Hall, Hinman Box 6207, Hanover, NH 03755
Phone: +1 (603) 646-9834 Fax: +1 (603) 646-1419
WWW: http://www.linkedin.com/in/yarik
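The check suggested in the reply, written out as an added example (not part of the original message and not fail2ban code): it reads a rule listing in the `-A ...` form quoted above and reports whether the `fail2ban-ssh` chain is reached from `INPUT` and which rule applies to a given address. The function names, the `INPUT` jump line, the `RETURN` rule and the address 203.0.113.5 are assumptions made for the sample.

```python
import ipaddress
import shlex

# Constructed `iptables -S` listing. The three fail2ban-ssh REJECT rules are the
# ones quoted in the thread; the INPUT jump and the RETURN rule are assumed.
SAMPLE_RULES = """\
-P INPUT ACCEPT
-N fail2ban-ssh
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A fail2ban-ssh -s 220.177.198.0/24 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ssh -s 220.177.198.31/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ssh -s 220.177.198.33/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ssh -j RETURN
"""

def _opt(tokens, flag):
    """Value following `flag`, or None if the flag is absent."""
    return tokens[tokens.index(flag) + 1] if flag in tokens[:-1] else None

def parse_rules(text):
    """Yield (chain, source network or None, jump target) for each -A line."""
    for line in text.splitlines():
        tok = shlex.split(line)
        if len(tok) < 3 or tok[0] != "-A":
            continue
        src = _opt(tok, "-s")
        net = ipaddress.ip_network(src, strict=False) if src else None
        yield tok[1], net, _opt(tok, "-j")

def check_ban(rules_text, ip, chain="fail2ban-ssh", hook="INPUT"):
    """Report whether `chain` is reached from `hook` and what it does to `ip`.

    Simplification: only the -s match is evaluated (negated matches are not
    handled) and the first matching rule in the chain wins.
    """
    addr = ipaddress.ip_address(ip)
    rules = list(parse_rules(rules_text))
    result = {"hooked": any(c == hook and t == chain for c, _, t in rules),
              "verdict": None, "matched": None}
    for c, net, target in rules:
        if c == chain and (net is None or addr in net):
            result.update(verdict=target, matched=str(net) if net else "any")
            break
    return result

if __name__ == "__main__":
    for ip in ("220.177.198.33", "220.177.198.31", "203.0.113.5"):
        print(ip, check_ban(SAMPLE_RULES, ip))
```

On a live host, pass it the text printed by `iptables -S` instead of `SAMPLE_RULES`; a result with `hooked` set to `False` means the REJECT rules exist but no traffic is ever sent through them.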