[GLLUG] Maybe OT - Fail2ban and what triggers it
Alain Williams
addw at phcomp.co.uk
Mon Mar 18 10:17:10 UTC 2013
On Mon, Mar 18, 2013 at 09:30:45AM +0000, Ken Smith wrote:
>
> tid wrote:
> >On 18 March 2013 07:39, Ken Smith<kens at kensnet.org> wrote:
> >
> >>Interesting - to me anyway....
> >And to me, Ken. I spend a sizable portion of time poring over log
> >files looking at ssh attempts. I also see
> >a high number of attacks from the GFW, but am less interested in their
> >geographical location than the
> >fact that they happen at all. Luckily the boxes in question are only
> >available to a small user set ( for ssh only)
> >so after months of arguing the toss with colleagues, I have moved ssh
> >to another port. There are now almost
> >no login attempts although fail2ban is still in place, and I sleep
> >somewhat easier.
> >
> >Tid.
> >
> I normally move the ssh port somewhere obscure too, I checked with
> the hoster of my VM and they said it would disrupt their monitoring
> tools so I left it on port 22 and added a key to the one the hoster
> already had there. I would prefer not to use port 22 though.
Having a quick look through my log of failures, there are 335 of them.
The count of users is:
operator 1
apache 2
games 1
bin 2
tomcat 3
nagios 1
root 324
adm 1
The vast majority are for root.
You MUST put in your /etc/ssh/sshd_config:
PermitRootLogin no
You thus force everyone to login as themselves and go 'su'.
I also have a line like the following to give an explicit list of who can log in:
AllowUsers me my_friend
I don't run fail2ban, but I do have the following in my firewall:
iptables -N In_ssh
iptables -A INPUT -p TCP --dport ssh -j In_ssh
# SSH rate limit new connections to 3 in 3 minutes from any one address
# (an address with 3 or more hits in the last 180 s is refreshed and dropped)
iptables -A In_ssh -m recent -m state --state NEW --hitcount 3 --seconds 180 --update -j DROP
# otherwise record this new connection for the address and accept it
iptables -A In_ssh -m recent -m state --set --state NEW -j ACCEPT
# everything else that reaches this chain is dropped
iptables -A In_ssh -j DROP
(Actually my firewall is much more complicated, having ~300 rules, IPv4 - I
don't see ssh login attempts on IPv6).
The result is that over 1/2 of the attacking IP addresses I see only 3 times;
1/2 I see once or twice (about the same frequency).
The top 5 are (IP, count, where):
218.26.89.179 9 China
116.11.252.194 9 China
212.68.54.156 12 Czech Republic
101.44.1.4 17 China
117.79.91.214 21 China
--
Alain Williams
Linux/GNU Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.
+44 (0) 787 668 0256 http://www.phcomp.co.uk/
Parliament Hill Computers Ltd. Registration Information: http://www.phcomp.co.uk/contact.php
#include <std_disclaimer.h>
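An added example (not from Alain's message or the GLLUG thread) that ties the two halves of the post together: it parses sshd log lines to produce the per-user and top-source tallies Alain quotes, then replays the same connection attempts through a model of his `-m recent --seconds 180 --hitcount 3` chain to show why a rate-limited host sees most attacking addresses only three times. The log lines, the host name and the addresses (RFC 5737 documentation ranges) are constructed for the example; the year 2013 is an assumption because syslog timestamps carry none.

```python
"""Added example (not part of the original message): tally sshd failures per
user and per source address, then replay the attempts through a model of the
'-m recent --seconds 180 --hitcount 3' chain quoted in the message."""
import re
from collections import Counter
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample auth.log lines for this example (RFC 5737 documentation
# addresses, not real attackers); deliberately not in time order.
SAMPLE_LOG = """\
Mar 18 09:00:01 host sshd[1001]: Failed password for root from 203.0.113.7 port 50001 ssh2
Mar 18 09:00:05 host sshd[1002]: Failed password for root from 203.0.113.7 port 50002 ssh2
Mar 18 09:00:09 host sshd[1003]: Failed password for invalid user tomcat from 203.0.113.7 port 50003 ssh2
Mar 18 09:00:13 host sshd[1004]: Failed password for root from 203.0.113.7 port 50004 ssh2
Mar 18 09:00:17 host sshd[1005]: Failed password for root from 203.0.113.7 port 50005 ssh2
Mar 18 09:04:30 host sshd[1006]: Failed password for root from 203.0.113.7 port 50006 ssh2
Mar 18 09:01:00 host sshd[1007]: Failed password for invalid user apache from 198.51.100.9 port 40001 ssh2
Mar 18 09:01:02 host sshd[1008]: Failed password for root from 198.51.100.9 port 40002 ssh2
Mar 18 09:02:00 host sshd[1009]: Accepted publickey for me from 192.0.2.5 port 33001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed password|Accepted \w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


class Event(NamedTuple):
    ts: datetime
    failed: bool
    user: str
    ip: str


def parse_events(log: str, year: int = 2013) -> List[Event]:
    """Extract login events (failed and accepted) from sshd syslog lines.
    Syslog timestamps carry no year, so the caller supplies one; 2013 is
    assumed here because it matches the thread's date."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a password/publickey outcome line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append(Event(ts, m["outcome"].startswith("Failed"), m["user"], m["ip"]))
    return sorted(events, key=lambda e: e.ts)


def failures_by_user(events: List[Event]) -> Counter:
    """The per-user tally from the message ('root 324', 'tomcat 3', ...)."""
    return Counter(e.user for e in events if e.failed)


def top_sources(events: List[Event], n: int = 5) -> List[Tuple[str, int]]:
    """The 'top 5' attacking addresses, ranked by number of failures."""
    return Counter(e.ip for e in events if e.failed).most_common(n)


def simulate_recent_chain(events: List[Event], seconds: int = 180,
                          hitcount: int = 3, list_tot: int = 20) -> Dict[str, Tuple[int, int]]:
    """Model of the In_ssh chain, following xt_recent semantics:
      --update --seconds S --hitcount N -j DROP : match if the address already
          has N or more stamps no older than S seconds; a match refreshes the
          entry (adds a stamp) and drops the packet.
      --set -j ACCEPT : otherwise add a stamp and accept.
    Every new connection adds a stamp either way, so a blocked address that
    keeps retrying keeps its own block alive. list_tot mirrors the module's
    default ip_pkt_list_tot (the oldest stamps beyond it are discarded).
    Returns {ip: (accepted, dropped)}."""
    stamps: Dict[str, List[datetime]] = {}
    verdict: Dict[str, List[int]] = {}
    window = timedelta(seconds=seconds)
    for e in events:
        seen = stamps.setdefault(e.ip, [])
        hits = sum(1 for s in seen if e.ts - s <= window)
        dropped = hits >= hitcount
        seen.append(e.ts)
        del seen[:-list_tot]  # keep only the newest list_tot stamps
        counts = verdict.setdefault(e.ip, [0, 0])
        counts[1 if dropped else 0] += 1
    return {ip: (acc, drop) for ip, (acc, drop) in verdict.items()}


if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG)
    print("failures per user:", dict(failures_by_user(ev)))
    print("top sources:", top_sources(ev))
    for ip, (acc, drop) in simulate_recent_chain(ev).items():
        print(f"{ip}: {acc} accepted, {drop} dropped by the rate limit")
```

On the constructed data the first address gets its fourth and fifth attempts within three minutes dropped and is admitted again once the window has emptied, which is the "only see 3 times" pattern described in the message. One caveat when reading real logs this way: the firewall counts NEW TCP connections before any authentication happens, whereas sshd writes one line per password attempt and allows several attempts per connection (MaxAuthTries), so a straight replay of log lines overstates what the `recent` match would have counted.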