Hello,
I have seen these messages also, but found that fail2ban was working. You
should see the lines appearing at least as many times as your "maxretry" value
within the "findtime" timeframe. The fail2ban.log file will show which
IP addresses are being banned and unbanned, and by what service (such as SSH).
Also, check the output of "iptables -L". You should see a chain titled
"fail2ban-ssh": this is where fail2ban inserts its rules. If there are any
bans present, you should see a corresponding rule there. For example, right
now mine shows as
Chain fail2ban-ssh (1 references)
target prot opt source destination
DROP all -- 10.189.255.250 anywhere
RETURN all -- anywhere anywhere
The log entries you show are in groups of four. It won’t trigger on the
“POSSIBLE BREAK-IN ATTEMPT” (line 1). It probably should trigger on line two
(authentication failure…). It definitely should trigger on line 3 “failed
password for root from <ip>…”, and line 4 is just a notification.
1) reverse mapping checking getaddrinfo for host-237-6-12-185.cloudsigma.net [185.12.6.237] failed - POSSIBLE BREAK-IN ATTEMPT!
2) pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=185.12.6.237 user=root
3) Failed password for root from 185.12.6.237 port 55199 ssh2
4) Received disconnect from 185.12.6.237: 11: Bye Bye [preauth]
Check your fail2ban log file: if the remote IP address isn't being banned, then
definitely add that line.
—jason
Jason Brooks Systems Administrator
eROI Performance is Art.
m: 505 nw couch #300 w: eroi.com
t: 503.290.3105 f: 503.228.4249
fb: fb.com/eROI
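To see which of the four log-line types the regexes quoted in this thread actually match, and at which line a jail with maxretry = 3 would ban, here is a small replay of the filter logic in Python. It is an added example, not fail2ban's own code or anything posted in the thread; the __prefix_line, __md5hex and <HOST> expansions are simplified stand-ins for the real definitions, and the sample lines are the first two connection attempts from dave's auth.log.

```python
import re
from datetime import datetime, timedelta

# Constructed stand-ins for fail2ban's __prefix_line and __md5hex; <HOST> narrowed to IPv4 (enough here).
PREFIX_LINE = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
MD5HEX = r"(?:[\da-f]{2}:){15}[\da-f]{2}"
HOST = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"
# Two rules from the stock sshd.conf quoted in the thread, plus Zurd's proposed addition.
STOCK = [
    r"^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from <HOST>( via \S+)?\s*$",
    r'^%(__prefix_line)sFailed \S+ for .*? from <HOST>(?: port \d*)?(?: ssh\d*)?(: (ruser .*|(\S+ ID \S+ \(serial \d+\) CA )?\S+ %(__md5hex)s(, client user ".*", client host ".*")?))?\s*$',
]
REVERSE_MAPPING = r"^%(__prefix_line)sreverse mapping checking getaddrinfo for .* \[<HOST>\] failed - POSSIBLE BREAK-IN ATTEMPT!\s*$"

def expand(pattern):
    """Substitute the placeholders the way fail2ban's filter loader does, then compile."""
    for key, val in {"%(__prefix_line)s": PREFIX_LINE, "%(__md5hex)s": MD5HEX, "<HOST>": HOST}.items():
        pattern = pattern.replace(key, val)
    return re.compile(pattern)

def scan(lines, patterns, maxretry=3, findtime=600, year=2016):
    """Replay the log as a jail would: per-pattern hit counts and (host, time) for each ban."""
    compiled = [expand(p) for p in patterns]
    hits, recent, bans = [0] * len(compiled), {}, []
    for line in lines:
        for i, rx in enumerate(compiled):
            m = rx.match(line)
            if not m:
                continue
            hits[i] += 1
            host, ts = m.group("host"), datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            # drop failures older than findtime, then add this one (this is the maxretry window)
            window = recent[host] = [t for t in recent.get(host, []) if ts - t <= timedelta(seconds=findtime)] + [ts]
            if len(window) >= maxretry:
                bans.append((host, m.group("ts")))
                window.clear()  # assume the ban holds; count afresh, as after an unban
            break  # fail2ban stops at the first failregex that matches a line
    return hits, bans

# Sample input: the first two connection attempts from dave's auth.log (mail-client link residue removed).
AUTH_LOG = """\
Jul 6 11:50:52 Webserver sshd[10275]: reverse mapping checking getaddrinfo for host-237-6-12-185.cloudsigma.net [185.12.6.237] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 6 11:50:52 Webserver sshd[10275]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=185.12.6.237 user=root
Jul 6 11:50:55 Webserver sshd[10275]: Failed password for root from 185.12.6.237 port 55199 ssh2
Jul 6 11:51:02 Webserver sshd[10275]: Received disconnect from 185.12.6.237: 11: Bye Bye [preauth]
Jul 6 11:51:02 Webserver sshd[10277]: reverse mapping checking getaddrinfo for host-237-6-12-185.cloudsigma.net [185.12.6.237] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 6 11:51:02 Webserver sshd[10277]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=185.12.6.237 user=root
Jul 6 11:51:04 Webserver sshd[10277]: Failed password for root from 185.12.6.237 port 56339 ssh2
Jul 6 11:51:04 Webserver sshd[10277]: Received disconnect from 185.12.6.237: 11: Bye Bye [preauth]
""".splitlines()
```

Calling scan(AUTH_LOG, STOCK) shows that only the two "Failed password" lines match (the pam_unix line has no "for ... from <HOST>" shape, so the first rule never fires) and no ban is reached yet at maxretry = 3; scan(AUTH_LOG, STOCK + [REVERSE_MAPPING]) adds two more hits and bans 185.12.6.237 at 11:51:02, on the second attempt.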
> On Jul 7, 2016, at 11:29 AM, [email protected] wrote:
>
> Zurd, Thanks for the regex for the "POSSIBLE BREAK-IN" entries. I will test
> and add to my custom filter.
>
> But I was concerned that the stock sshd filter should be catching the
> "authentication failure" and "Failed password" entries...
>
> Can you suggest a new regex that will allow sshd to catch these?
>
> Thanks
> dave
>
> On 7/6/2016 7:11 PM, Zurd wrote:
>> https://sourceforge.net/p/fail2ban/mailman/message/28882147/
>>
>> Looks like someone else asked for this filter to be added too back in 2012 but
>> there was no answer unfortunately.
>>
>> Add this in /etc/fail2ban/filter.d/sshd.conf:
>> ^%(__prefix_line)sreverse mapping checking getaddrinfo for .* \[<HOST>\] failed - POSSIBLE BREAK-IN ATTEMPT!\s*$
>>
>> And try again:
>> fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf
>>
>> Or
>> fail2ban-regex 'Jul 6 11:50:52 Webserver sshd[10275]: reverse mapping checking getaddrinfo for host-237-6-12-185.cloudsigma.net [185.12.6.237] failed - POSSIBLE BREAK-IN ATTEMPT!' /etc/fail2ban/filter.d/sshd.conf
>>
>>
>>
>> On Wed, Jul 6, 2016 at 5:34 PM, <[email protected]> wrote:
>> Shouldn't the stock sshd.conf filter be catching these authentication
>> failures? If not... can someone suggest a new regex line that will?
>> thanks,
>> dave
>>
>> auth.log
>> Jul 6 11:50:52 Webserver sshd[10275]: reverse mapping checking getaddrinfo for host-237-6-12-185.cloudsigma.net [185.12.6.237] failed - POSSIBLE BREAK-IN ATTEMPT!
>> Jul 6 11:50:52 Webserver sshd[10275]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=185.12.6.237 user=root
>> Jul 6 11:50:55 Webserver sshd[10275]: Failed password for root from 185.12.6.237 port 55199 ssh2
>> Jul 6 11:51:02 Webserver sshd[10275]: Received disconnect from 185.12.6.237: 11: Bye Bye [preauth]
>> Jul 6 11:51:02 Webserver sshd[10277]: reverse mapping checking getaddrinfo for host-237-6-12-185.cloudsigma.net [185.12.6.237] failed - POSSIBLE BREAK-IN ATTEMPT!
>> Jul 6 11:51:02 Webserver sshd[10277]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=185.12.6.237 user=root
>> Jul 6 11:51:04 Webserver sshd[10277]: Failed password for root from 185.12.6.237 port 56339 ssh2
>> Jul 6 11:51:04 Webserver sshd[10277]: Received disconnect from 185.12.6.237: 11: Bye Bye [preauth]
>> Jul 6 11:51:04 Webserver sshd[10279]: reverse mapping checking getaddrinfo for host-237-6-12-185.cloudsigma.net [185.12.6.237] failed - POSSIBLE BREAK-IN ATTEMPT!
>> Jul 6 11:51:04 Webserver sshd[10279]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=185.12.6.237 user=root
>> Jul 6 11:51:06 Webserver sshd[10279]: Failed password for root from 185.12.6.237 port 56581 ssh2
>> Jul 6 11:51:06 Webserver sshd[10279]: Received disconnect from 185.12.6.237: 11: Bye Bye [preauth]
>> Jul 6 11:51:07 Webserver sshd[10281]: reverse mapping checking getaddrinfo for host-237-6-12-185.cloudsigma.net [185.12.6.237] failed - POSSIBLE BREAK-IN ATTEMPT!
>> Jul 6 11:51:07 Webserver sshd[10281]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=185.12.6.237 user=root
>> Jul 6 11:51:09 Webserver sshd[10281]: Failed password for root from 185.12.6.237 port 56874 ssh2
>> <snip>
>>
>> jail.local
>> [ssh]
>> enabled = true
>> port = ssh,sftp
>> filter = sshd
>> logpath = /var/log/auth.log
>> maxretry = 3
>>
>> sshd.conf
>> failregex = ^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from <HOST>( via \S+)?\s*$
>>             ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
>>             ^%(__prefix_line)sFailed \S+ for .*? from <HOST>(?: port \d*)?(?: ssh\d*)?(: (ruser .*|(\S+ ID \S+ \(serial \d+\) CA )?\S+ %(__md5hex)s(, client user ".*", client host ".*")?))?\s*$
>>             ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
>>             ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
>>             ^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers\s*$
>>             ^%(__prefix_line)sUser .+ from <HOST> not allowed because listed in DenyUsers\s*$
>>             ^%(__prefix_line)sUser .+ from <HOST> not allowed because not in any group\s*$
>>             ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
>>             ^%(__prefix_line)sUser .+ from <HOST> not allowed because a group is listed in DenyGroups\s*$
>>             ^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$
>>
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users