From: Tom H. <to...@wh...> - 2014-01-15 15:45:25
Hi,

This doesn't look too critical since the attempts are not a successful dictionary attack: they will never be able to access your root account. Attempts for non-locked accounts are already caught.

On 01/15/2014 03:31 PM, Eugene Zhukov wrote:
> Forwarding the discussion to the list as requested.
>
> ---------- Forwarded message ----------
> From: Yaroslav Halchenko <de...@on...>
> Date: Wed, Jan 15, 2014 at 3:54 PM
> Subject: Re: fail2ban & anonymous ssh login failing attempts
> To: Eugene Zhukov <jev...@gm...>
>
>
> On Wed, 15 Jan 2014, Eugene Zhukov wrote:
>
>> Hi,
>
>> First of all I'd like to thank you for a great tool fail2ban.
>> I'm using it on my server, but since recently I began to observe this
>> in my auth.log:
>
>> [...]
>> Jan 13 01:42:22 debian sshd[21118]: User root not allowed because account is locked
>> Jan 13 01:42:22 debian sshd[21118]: input_userauth_request: invalid user root [preauth]
>> Jan 13 01:42:24 debian sshd[21115]: Disconnecting: Too many authentication failures for root [preauth]
>> Jan 13 01:42:25 debian sshd[21118]: Disconnecting: Too many authentication failures for root [preauth]
>> Jan 13 01:42:27 debian sshd[21123]: User root not allowed because account is locked
>> Jan 13 01:42:27 debian sshd[21123]: input_userauth_request: invalid user root [preauth]
>> Jan 13 01:42:28 debian sshd[21127]: User root not allowed because account is locked
>> Jan 13 01:42:28 debian sshd[21127]: input_userauth_request: invalid user root [preauth]
>> Jan 13 01:42:29 debian sshd[21123]: Disconnecting: Too many authentication failures for root [preauth]
>> Jan 13 01:42:30 debian sshd[21127]: Disconnecting: Too many authentication failures for root [preauth]
>> Jan 13 01:42:32 debian sshd[21131]: User root not allowed because account is locked
>> Jan 13 01:42:32 debian sshd[21131]: input_userauth_request: invalid user root [preauth]
>> Jan 13 01:42:34 debian sshd[21135]: User root not allowed because account is locked
>> Jan 13 01:42:34 debian sshd[21135]: input_userauth_request: invalid user root [preauth]
>> Jan 13 01:42:35 debian sshd[21131]: Disconnecting: Too many authentication failures for root [preauth]
>> Jan 13 01:42:36 debian sshd[21135]: Disconnecting: Too many authentication failures for root [preauth]
>> Jan 13 01:42:38 debian sshd[21140]: User root not allowed because account is locked
>> Jan 13 01:42:38 debian sshd[21140]: input_userauth_request: invalid user root [preauth]
>> Jan 13 01:42:40 debian sshd[21144]: User root not allowed because account is locked
>> Jan 13 01:42:40 debian sshd[21144]: input_userauth_request: invalid user root [preauth]
>> [...]
>
>> These attempts don't seem to have any kind of identification.
>> Any idea how I could track these bots and ban them? Only occasionally
>> (in the end) in this loooong chain of failing attempts I can see
>> something like
>> Jan 13 01:44:13 debian sshd[21256]: Connection closed by 1.93.26.11 [preauth]
>
> ssh jail of fail2ban should be able to catch those but only in the 0.9
> branch (yet to be released) since we would need to match multiple lines here
>
> please forward this discussion and any future follow ups to the list
> fail2ban-users
>
>
> --
> Yaroslav O. Halchenko, Ph.D.
> http://neuro.debian.net http://www.pymvpa.org http://www.fail2ban.org
> Senior Research Associate, Psychological and Brain Sciences Dept.
> Dartmouth College, 419 Moore Hall, Hinman Box 6207, Hanover, NH 03755
> Phone: +1 (603) 646-9834 Fax: +1 (603) 646-1419
> WWW: http://www.linkedin.com/in/yarik
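
The multi-line matching mentioned in the forwarded reply can be illustrated by tying each "account is locked" line to an address line logged under the same sshd PID. This is an added example, not part of the original thread and not fail2ban's own filter; the sample log lines, the documentation-range addresses, the assumption that the address line shares the failure's PID, and the names `correlate`, `to_ban` and `maxretry` are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the auth.log format quoted in the thread. Assumption:
# the address line carries the same sshd PID as the failure it belongs to.
SAMPLE_LOG = """\
Jan 13 01:42:22 debian sshd[3001]: User root not allowed because account is locked
Jan 13 01:42:22 debian sshd[3001]: input_userauth_request: invalid user root [preauth]
Jan 13 01:42:23 debian sshd[3002]: User root not allowed because account is locked
Jan 13 01:42:24 debian sshd[3001]: Connection closed by 198.51.100.7 [preauth]
Jan 13 01:42:25 debian sshd[3003]: User root not allowed because account is locked
Jan 13 01:42:26 debian sshd[3002]: Connection closed by 198.51.100.7 [preauth]
Jan 13 01:42:27 debian sshd[3004]: User root not allowed because account is locked
Jan 13 01:42:28 debian sshd[3003]: Connection closed by 198.51.100.7 [preauth]
Jan 13 01:42:29 debian sshd[3004]: Connection closed by 192.0.2.44 [preauth]
Jan 13 01:42:30 debian sshd[3005]: User root not allowed because account is locked
Jan 13 01:42:31 debian sshd[3005]: Disconnecting: Too many authentication failures for root [preauth]
Jan 13 01:42:32 debian sshd[3006]: Connection closed by 203.0.113.9 [preauth]
""".splitlines()

LINE_RE = re.compile(r"^\w{3} +\d+ [\d:]{8} \S+ sshd\[(\d+)\]: (.*)$")
LOCKED_RE = re.compile(r"^User \S+ not allowed because account is locked$")
HOST_RE = re.compile(r"^Connection closed by (\d{1,3}(?:\.\d{1,3}){3}) ")

def correlate(lines):
    """Return (failures per address, PIDs whose failures never got an address)."""
    pending = defaultdict(int)  # sshd PID -> failures not yet tied to an address
    per_host = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, msg = m.groups()
        if LOCKED_RE.match(msg):
            pending[pid] += 1
            continue
        host = HOST_RE.match(msg)
        # A close line counts only if this PID already logged a failure.
        if host and pid in pending:
            per_host[host.group(1)] += pending.pop(pid)
    return per_host, sorted(pending)

def to_ban(lines, maxretry=3):
    """Addresses with at least `maxretry` correlated failures."""
    per_host, _ = correlate(lines)
    return sorted(h for h, n in per_host.items() if n >= maxretry)
```

Failures whose PID never logs an address (PID 3005 in the sample) stay unattributed, which is the situation the original question describes.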