From: billy n. <bil...@gm...> - 2013-08-24 11:51:45

thanks tom, yes, it is often the same ip. for example in yesterday's log i see the ip 189.50.1.206 attempting to connect about 10 times per minute for 5 hours straight. every attempt generates these two lines in the auth.log:

    sshd[9816]: Received disconnect from 189.50.1.206: 11: Bye Bye [preauth]
    sshd[9818]: reverse mapping checking getaddrinfo for ns2.caroneonline.com.br[189.50.1.206] failed - POSSIBLE BREAK-IN ATTEMPT!

i really don't know how much of a threat this is but it doesn't look particularly friendly and i'm usually curious when my logs scream something like "POSSIBLE BREAK-IN ATTEMPT!" in all caps. that being said, my ssh accepts key only now, so in theory there's not much of anything that should be a threat. before i stopped allowing passworded logins i was getting thousands of brute force login attempts per day.

i really don't know, what's your opinion? is this a threat? should i even bother running fail2ban with key only ssh or is that enough by itself?

-billy-

On Sat, Aug 24, 2013 at 3:21 AM, Tom Hendrikx <to...@wh...> wrote:
> On 24-08-13 00:36, billynoah wrote:
> > hello everyone,
> >
> > receiving this msg in my auth.log over and over:
> >
> > /Received disconnect from (some.ip.add.ress): Bye Bye [preauth]/
> >
> > but fail2ban is not banning the associated ip. can anyone help me? what
> > do i need to do to get fail2ban to recognize this and ban the ip? is
> > this even a threat?
> >
> > thanks
> >
> > billy
> >
>
> Your questions are in the wrong order :)
>
> The first question should be 'what is causing this?', then you should
> determine whether it is an actual threat, then you could add a line in
> f2b for it :)
>
> AFAIK, the log line comes from ssh, and indicates a connection from
> something that doesn't try (or isn't able) to authenticate. This could be a
> probe or portscan, but it could also be a monitoring tool that only
> connects to the ssh port to find if it's still up (f.i. nagios monitoring
> ssh remotely). A monitoring process would typically come back every n
> minutes.
>
> As far as it being a threat: it doesn't try to auth, so even with 100
> connects a day it doesn't do any kind of dictionary attack. Do you even
> see the same ip coming back multiple times?
>
> Now, are the connects a threat to you, or not?
>
> --
> Tom
>
> _______________________________________________
> Fail2ban-users mailing list
> Fai...@li...
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
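One way to answer Tom's "does the same ip come back?" question for the two line shapes billy quoted, as an added example that is not part of the thread and not fail2ban's own sshd filter: the failregex strings follow fail2ban's `<HOST>` placeholder convention, the sample log lines, IPs and hostname are constructed, and the findtime/maxretry sliding window mirrors how fail2ban counts matches, so a monitor that connects every few minutes stays below the threshold while a host hammering the port does not.

```python
import re
from collections import deque
from datetime import datetime

# Constructed sample auth.log lines modelled on the two lines quoted in the thread
# (documentation-range IPs and an invented hostname, not the addresses from the post).
SAMPLE_LOG = """\
Aug 23 14:00:01 host sshd[9816]: Received disconnect from 203.0.113.7: 11: Bye Bye [preauth]
Aug 23 14:00:01 host sshd[9818]: reverse mapping checking getaddrinfo for ns.example.net [203.0.113.7] failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 23 14:00:07 host sshd[9820]: Received disconnect from 203.0.113.7: 11: Bye Bye [preauth]
Aug 23 14:00:07 host sshd[9822]: reverse mapping checking getaddrinfo for ns.example.net [203.0.113.7] failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 23 14:00:13 host sshd[9824]: Received disconnect from 203.0.113.7: 11: Bye Bye [preauth]
Aug 23 14:05:00 host sshd[9830]: Received disconnect from 198.51.100.9: Bye Bye [preauth]
Aug 23 14:10:00 host sshd[9840]: Received disconnect from 198.51.100.9: Bye Bye [preauth]
Aug 23 14:15:00 host sshd[9850]: Received disconnect from 198.51.100.9: Bye Bye [preauth]
Aug 23 14:20:05 host sshd[9862]: Accepted publickey for admin from 192.0.2.10 port 50000 ssh2
"""

# fail2ban-style failregex with a <HOST> placeholder; the "11: " reason code is optional
# because the first post's sshd line did not carry it.
FAILREGEX = [
    r"sshd\[\d+\]: Received disconnect from <HOST>: (?:\d+: )?Bye Bye \[preauth\]",
    r"sshd\[\d+\]: reverse mapping checking getaddrinfo for \S+ ?\[<HOST>\] failed - POSSIBLE BREAK-IN ATTEMPT!",
]
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
PATTERNS = [re.compile(p.replace("<HOST>", HOST)) for p in FAILREGEX]


def matching_host(line):
    """Return the IP a line blames, or None when neither failregex matches."""
    for pat in PATTERNS:
        m = pat.search(line)
        if m:
            return m.group("host")
    return None


def hosts_to_ban(log_text, findtime=600, maxretry=5):
    """Sliding window as in fail2ban: ban once maxretry matches fall within findtime seconds."""
    recent, banned = {}, {}
    for line in log_text.splitlines():
        host = matching_host(line)
        if host is None or host in banned:
            continue
        ts = datetime.strptime(f"2013 {line[:15]}", "%Y %b %d %H:%M:%S")  # syslog stamps carry no year
        window = recent.setdefault(host, deque())
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()  # drop matches older than findtime
        if len(window) >= maxretry:
            banned[host] = ts  # record when the ban would have fired
    return banned
```

With the defaults only the host that generates five matches in twelve seconds is returned; lowering maxretry to 3 also catches the every-five-minutes host, and shortening findtime below that interval lets it through again, which is the tuning trade-off Tom's monitoring remark points at.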