From: r f. <rfa...@ya...> - 2014-05-07 10:49:31
iptables -L -n -v | grep "220.177.198"
   22   880 DROP       all  --  *      *       220.177.198.0/24     0.0.0.0/0
  527 31984 REJECT     all  --  *      *       220.177.198.31       0.0.0.0/0            reject-with icmp-port-unreachable
   16  1044 REJECT     all  --  *      *       220.177.198.33       0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       220.177.198.0/24     0.0.0.0/0            reject-with icmp-port-unreachable

Ok maybe the word global was the wrong word. I banned the whole subnet rather than 1.

> not sure what is "global ban" is (and thus how it was "put"), thus
> -- first check either you have those rules in your iptables
> iptables -L -n -v

On Sun, 04 May 2014, r fancher wrote:
> A month ago this "person" made several attempts at accessing my site so I
> put in a global ban:
> -A fail2ban-ssh -s 220.177.198.0/24 -j REJECT --reject-with
> icmp-port-unreachable
> But today I saw the following which is concerning me that fail2ban isn't
> actually working:
> May  2 11:56:57 pcname sshd[21105]: pam_unix(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=220.177.198.33
> user=root
> May  2 11:56:59 pcname sshd[21105]: Failed password for root from
> 220.177.198.33 port 41260 ssh2
> May  2 11:56:59 pcname sshd[21105]: Received disconnect from
> 220.177.198.33: 11: Bye Bye [preauth]
> May  2 19:23:27 pcname sshd[24226]: pam_unix(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=220.177.198.31
> user=root
> 2014-05-02 11:57:00,026 fail2ban.actions: WARNING [ssh] Ban 220.177.198.33
> 2014-05-02 19:23:29,510 fail2ban.actions: WARNING [ssh] Ban 220.177.198.31
> I have the standard defaults in my conf file:
> [ssh]
> enabled  = true
> port     = ssh
> filter   = sshd
> logpath  = /var/log/auth.log
> maxretry = 1
> I have also seen various other ip's banned yet still give the result logs
> as if they were met with a user/pass challenge.
> These were already in place before I put in a global ban:
> -A fail2ban-ssh -s 220.177.198.31/32 -j REJECT --reject-with
> icmp-port-unreachable
> -A fail2ban-ssh -s 220.177.198.33/32 -j REJECT --reject-with
> icmp-port-unreachable
> Even without the global ban they used the same IP's and still was met with
> the ssh challenge, why is that? I know it works because I have banned
> myself on several occasions, so why am I still seeing this in the logs?