On Wed, Jul 06, 2016 at 10:11:07PM -0400, Zurd wrote:
https://sourceforge.net/p/fail2ban/mailman/message/28882147/

Looks like someone else asked for this filter to be added too back in 2012, but there was no answer unfortunately.

Add this in /etc/fail2ban/filter.d/sshd.conf:

^%(__prefix_line)sreverse mapping checking getaddrinfo for .* \[<HOST>\] failed - POSSIBLE BREAK-IN ATTEMPT!\s*$

And try again:

fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf

Or:

fail2ban-regex 'Jul 6 11:50:52 Webserver sshd[10275]: reverse mapping checking getaddrinfo for host-237-6-12-185.cloudsigma.net [185.12.6.237] failed - POSSIBLE BREAK-IN ATTEMPT!' /etc/fail2ban/filter.d/sshd.conf
I suspect these won't get added to the default library because they're not, technically, an authentication failure. They are warning that the reverse DNS entry for the IP address of the client doesn't match the name that the client announced itself as. In other words, the client connected and said "Hi, I'm foo.example.com", the server looked up the IP that the client connected from and the DNS said "This IP belongs to bar.example.net". Those don't match so, in the worst case, bar.example.net is masquerading as foo.example.com. Most of the time, however, it is merely a mis-configured client. The client might be announcing itself as "localhost" or something equally vague, for example.
That said, the "Failed password" that comes later IS a failure and SHOULD be caught by fail2ban.
On Wed, Jul 6, 2016 at 5:34 PM, <[email protected]> wrote:

Shouldn't the stock sshd.conf filter be catching these authentication failures? If not... can someone suggest a new regex line that will?

thanks,
dave

auth.log

Jul 6 11:50:52 Webserver sshd[10275]: reverse mapping checking getaddrinfo for host-237-6-12-185.cloudsigma.net [185.12.6.237] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 6 11:50:52 Webserver sshd[10275]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=185.12.6.237 user=root
Jul 6 11:50:55 Webserver sshd[10275]: Failed password for root from 185.12.6.237 port 55199 ssh2
Jul 6 11:51:02 Webserver sshd[10275]: Received disconnect from 185.12.6.237: 11: Bye Bye [preauth]
Jul 6 11:51:02 Webserver sshd[10277]: reverse mapping checking getaddrinfo for host-237-6-12-185.cloudsigma.net [185.12.6.237] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 6 11:51:02 Webserver sshd[10277]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=185.12.6.237 user=root
Jul 6 11:51:04 Webserver sshd[10277]: Failed password for root from 185.12.6.237 port 56339 ssh2
Jul 6 11:51:04 Webserver sshd[10277]: Received disconnect from 185.12.6.237: 11: Bye Bye [preauth]
Jul 6 11:51:04 Webserver sshd[10279]: reverse mapping checking getaddrinfo for host-237-6-12-185.cloudsigma.net [185.12.6.237] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 6 11:51:04 Webserver sshd[10279]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=185.12.6.237 user=root
Jul 6 11:51:06 Webserver sshd[10279]: Failed password for root from 185.12.6.237 port 56581 ssh2
Jul 6 11:51:06 Webserver sshd[10279]: Received disconnect from 185.12.6.237: 11: Bye Bye [preauth]
Jul 6 11:51:07 Webserver sshd[10281]: reverse mapping checking getaddrinfo for host-237-6-12-185.cloudsigma.net [185.12.6.237] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 6 11:51:07 Webserver sshd[10281]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=185.12.6.237 user=root
Jul 6 11:51:09 Webserver sshd[10281]: Failed password for root from 185.12.6.237 port 56874 ssh2
<snip>

jail.local

[ssh]
enabled = true
port = ssh,sftp
filter = sshd
logpath = /var/log/auth.log
maxretry = 3

sshd.conf

failregex = ^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from <HOST>( via \S+)?\s*$
            ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
            ^%(__prefix_line)sFailed \S+ for .*? from <HOST>(?: port \d*)?(?: ssh\d*)?(: (ruser .*|(\S+ ID \S+ \(serial \d+\) CA )?\S+ %(__md5hex)s(, client user ".*", client host ".*")?))?\s*$
            ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
            ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because listed in DenyUsers\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because not in any group\s*$
            ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because a group is listed in DenyGroups\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$

------------------------------------------------------------------------------
Attend Shape: An AT&T Tech Expo July 15-16. Meet us at AT&T Park in San Francisco, CA to explore cutting-edge tech and listen to tech luminaries present their vision of the future. This family event has something for everyone, including kids. Get more information and register today.
http://sdm.link/attshape
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
-- For more information, please reread.
signature.asc
Description: PGP signature
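An added example, not code from this thread or from fail2ban itself: a small Python script that applies the relevant stock sshd.conf failregex lines and the proposed reverse-mapping line to the auth.log lines quoted above, the way fail2ban-regex does, and then tallies hits per host against the jail's maxretry = 3. The PREFIX_LINE pattern is a simplified stand-in for fail2ban's %(__prefix_line)s (the real one also covers other syslog layouts), the stock list is trimmed to the three lines that can apply to this log with the certificate-fingerprint tail of the "Failed" line dropped, and the benign client at 192.0.2.10 (user "alice", hostname localhost.localdomain) is constructed to show the false positive the reply warns about: a broken PTR record alone is not an authentication failure.

```python
import re
from collections import Counter

# Stand-in for fail2ban's %(__prefix_line)s: syslog timestamp, host name and
# "sshd[pid]: ". Assumption for this example; fail2ban's real prefix is broader.
PREFIX_LINE = r"\S+ +\d+ \d\d:\d\d:\d\d \S+ sshd\[\d+\]: "

# fail2ban 0.8.x expansion of the <HOST> tag: optional IPv6-mapped prefix,
# then an IPv4 address or host name captured as group "host".
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Stock sshd.conf lines that can apply to this log (fingerprint tail dropped).
STOCK_FAILREGEX = [
    r"^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from <HOST>( via \S+)?\s*$",
    r"^%(__prefix_line)sFailed \S+ for .*? from <HOST>(?: port \d*)?(?: ssh\d*)?\s*$",
    r"^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$",
]

# The extra line proposed in the thread for the reverse-DNS warning.
REVERSE_MAPPING_REGEX = [
    r"^%(__prefix_line)sreverse mapping checking getaddrinfo for .* \[<HOST>\] failed - POSSIBLE BREAK-IN ATTEMPT!\s*$",
]

# Sample input, constructed for this example: the first three attempts from the
# thread's auth.log excerpt, then a benign client with a broken PTR record
# (hypothetical address 192.0.2.10) that authenticates with a key each time.
AUTH_LOG = [
    "Jul  6 11:50:52 Webserver sshd[10275]: reverse mapping checking getaddrinfo for host-237-6-12-185.cloudsigma.net [185.12.6.237] failed - POSSIBLE BREAK-IN ATTEMPT!",
    "Jul  6 11:50:52 Webserver sshd[10275]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=185.12.6.237  user=root",
    "Jul  6 11:50:55 Webserver sshd[10275]: Failed password for root from 185.12.6.237 port 55199 ssh2",
    "Jul  6 11:51:02 Webserver sshd[10275]: Received disconnect from 185.12.6.237: 11: Bye Bye [preauth]",
    "Jul  6 11:51:02 Webserver sshd[10277]: reverse mapping checking getaddrinfo for host-237-6-12-185.cloudsigma.net [185.12.6.237] failed - POSSIBLE BREAK-IN ATTEMPT!",
    "Jul  6 11:51:02 Webserver sshd[10277]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=185.12.6.237  user=root",
    "Jul  6 11:51:04 Webserver sshd[10277]: Failed password for root from 185.12.6.237 port 56339 ssh2",
    "Jul  6 11:51:04 Webserver sshd[10277]: Received disconnect from 185.12.6.237: 11: Bye Bye [preauth]",
    "Jul  6 11:51:04 Webserver sshd[10279]: reverse mapping checking getaddrinfo for host-237-6-12-185.cloudsigma.net [185.12.6.237] failed - POSSIBLE BREAK-IN ATTEMPT!",
    "Jul  6 11:51:04 Webserver sshd[10279]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=185.12.6.237  user=root",
    "Jul  6 11:51:06 Webserver sshd[10279]: Failed password for root from 185.12.6.237 port 56581 ssh2",
    "Jul  6 11:51:06 Webserver sshd[10279]: Received disconnect from 185.12.6.237: 11: Bye Bye [preauth]",
    "Jul  6 11:52:10 Webserver sshd[10290]: reverse mapping checking getaddrinfo for localhost.localdomain [192.0.2.10] failed - POSSIBLE BREAK-IN ATTEMPT!",
    "Jul  6 11:52:11 Webserver sshd[10290]: Accepted publickey for alice from 192.0.2.10 port 50122 ssh2",
    "Jul  6 11:52:40 Webserver sshd[10294]: reverse mapping checking getaddrinfo for localhost.localdomain [192.0.2.10] failed - POSSIBLE BREAK-IN ATTEMPT!",
    "Jul  6 11:52:41 Webserver sshd[10294]: Accepted publickey for alice from 192.0.2.10 port 50131 ssh2",
    "Jul  6 11:53:05 Webserver sshd[10298]: reverse mapping checking getaddrinfo for localhost.localdomain [192.0.2.10] failed - POSSIBLE BREAK-IN ATTEMPT!",
    "Jul  6 11:53:06 Webserver sshd[10298]: Accepted publickey for alice from 192.0.2.10 port 50140 ssh2",
]


def compile_failregex(patterns):
    """Expand %(__prefix_line)s and <HOST> the way fail2ban does, then compile."""
    compiled = []
    for pat in patterns:
        expanded = pat % {"__prefix_line": PREFIX_LINE}
        compiled.append(re.compile(expanded.replace("<HOST>", HOST_TAG)))
    return compiled


def match_hosts(lines, regexes):
    """Host captured from each line that matches any regex, in log order
    (what fail2ban-regex lists as matched lines)."""
    hosts = []
    for line in lines:
        for rx in regexes:
            m = rx.match(line)
            if m:
                hosts.append(m.group("host"))
                break
    return hosts


def hosts_to_ban(lines, regexes, maxretry):
    """Hosts whose match count reaches maxretry. findtime is ignored here
    because every sample line falls within a few minutes."""
    counts = Counter(match_hosts(lines, regexes))
    return sorted(h for h, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    stock = compile_failregex(STOCK_FAILREGEX)
    reverse = compile_failregex(REVERSE_MAPPING_REGEX)
    print("stock failregex hits:   ", match_hosts(AUTH_LOG, stock))
    print("reverse-mapping hits:   ", match_hosts(AUTH_LOG, reverse))
    print("banned (stock, 3):      ", hosts_to_ban(AUTH_LOG, stock, 3))
    print("banned (reverse-map, 3):", hosts_to_ban(AUTH_LOG, reverse, 3))
```

With the stock lines only the three "Failed password" entries match, which is enough to ban 185.12.6.237 at maxretry = 3; the pam_unix and "reverse mapping" lines contribute nothing. With the reverse-mapping line in the filter, the attacker is still banned, but so is the key-authenticated client at 192.0.2.10 whose only fault is a PTR record that does not resolve back to its address.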
