Hi,
this is definitely an attack:
Nov 12 08:10:16 linuxserver sshd[10216]: Connection from xxx.xxx.xxx.xxx port
58404 on 192.168.2.2 port 22
Nov 12 08:10:17 linuxserver sshd[10216]: Received disconnect from
xxx.xxx.xxx.xxx port 58404:11: Bye Bye [preauth]
Nov 12 08:10:17 linuxserver sshd[10216]: Disconnected from xxx.xxx.xxx.xxx port
58404 [preauth]
there are no more lines in journalctl....
info: xxx.xxx.xxx.xxx is some bullshit from Bavaria
there are no login names!
this is definitely not an attack, it's my login:
Nov 12 11:36:23 linuxserver sshd[12895]: Connection from 84.156.117.187 port
55468 on 192.168.2.2 port 22
Nov 12 11:36:23 linuxserver sshd[12895]: Postponed keyboard-interactive for
root from 84.156.117.187 port 55468 ssh2 [preauth]
Nov 12 11:36:23 linuxserver sshd[12895]: Postponed keyboard-interactive/pam for
root from 84.156.117.187 port 55468 ssh2 [preauth]
Nov 12 11:36:23 linuxserver sshd[12895]: Accepted keyboard-interactive/pam for
root from 84.156.117.187 port 55468 ssh2
Nov 12 11:36:23 linuxserver sshd[12895]: pam_unix(sshd:session): session opened
for user root by (uid=0)
Nov 12 11:36:23 linuxserver systemd-logind[1035]: New session 37 of user root.
Nov 12 11:36:23 linuxserver systemd[1]: Started Session 37 of user root.
Nov 12 11:36:24 linuxserver sshd[12895]: User child is on pid 12899
Nov 12 11:36:24 linuxserver sshd[12899]: Starting session: shell on pts/0 for
root from 84.156.117.187 port 55468 id 0
Nov 12 11:36:25 linuxserver su[12930]: (to root) root on pts/0
Nov 12 11:36:25 linuxserver su[12930]: pam_unix(su:session): session opened for
user root by root(uid=1023)
Nov 12 11:36:25 linuxserver su[12930]: pam_systemd(su:session): Cannot create
session: Already running in a session
Nov 12 11:36:49 linuxserver su[12930]: pam_unix(su:session): session closed for
user root
Nov 12 11:36:50 linuxserver sshd[12899]: Close session: user root from
84.156.117.187 port 55468 id 0
Nov 12 11:36:50 linuxserver sshd[12899]: Received disconnect from
84.156.117.187 port 55468:11: disconnected by user
Nov 12 11:36:50 linuxserver sshd[12899]: Disconnected from 84.156.117.187 port
55468
Nov 12 11:36:50 linuxserver sshd[12895]: pam_unix(sshd:session): session closed
for user root
info: 84.156.117.187 is german telekom (my provider)
login name is root (not in reality!)
we'll see more discussion (approx. 10 lines!) about the login procedure than from
Bavaria
my question: HOW can I ban my "bad bavarian friend" off my server?
=================================================================
how can I define in fail2ban rules that this is NOT a friendly visit?
Nov 12 08:10:16 linuxserver sshd[10216]: Connection from xxx.xxx.xxx.xxx port
58404 on 192.168.2.2 port 22
Nov 12 08:10:17 linuxserver sshd[10216]: Received disconnect from
xxx.xxx.xxx.xxx port 58404:11: Bye Bye [preauth]
Nov 12 08:10:17 linuxserver sshd[10216]: Disconnected from xxx.xxx.xxx.xxx port
58404 [preauth]
can I really define this?
If we have a closer look at the "good German" from Telekom,
I will see the !same! lines:
Nov 12 11:36:23 linuxserver sshd[12895]: Connection from 84.156.117.187 port
55468 on 192.168.2.2 port 22
Nov 12 11:36:50 linuxserver sshd[12899]: Received disconnect from
84.156.117.187 port 55468:11: disconnected by user
Nov 12 11:36:50 linuxserver sshd[12899]: Disconnected from 84.156.117.187 port
55468
But I have no lines like:
Nov 12 11:36:23 linuxserver sshd[12895]: Postponed keyboard-interactive for
root from 84.156.117.187 port 55468 ssh2 [preauth]
and so on. On the Bavarian side there's no existing user! There's not any user!
A moment please:
================
Between those three lines, there's a difference!!!!
Nov 12 08:10:17 linuxserver sshd[10216]: Received disconnect from
xxx.xxx.xxx.xxx port 58404:11: Bye Bye [preauth]
"Bye Bye" !!!!!!
Searching in /etc/fail2ban/filter.d/sshd.conf
cmnfailre =
^<F-NOFAIL>Received <F-MLFFORGET>disconnect</F-MLFFORGET></F-NOFAIL> from <HOST>%(__on_port_opt)s:\s*11:
1st: this isn't working!
2nd: if we get this working, then it's better to define it like this:
^<F-NOFAIL>Received <F-MLFFORGET>disconnect</F-MLFFORGET></F-NOFAIL> from <HOST>%(__on_port_opt)s:\s*11: "Bye Bye [preauth]"
good idea?
and:
in jail.local I have strong rules:
[sshd]
enabled = true
mode = aggressive
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd
bantime = 1d
maxretry = 0
---> maxretry = 0 !!!!
I wish those Bavarian users OFF from my servers ;-)
how?
does there anybody have the same problem?
thanks and yours Klaus
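The question above boils down to two separate things: whether a regex can tell the scanner's "Bye Bye [preauth]" disconnect apart from the poster's own "disconnected by user" one, and whether fail2ban would count such a match at all (the stock rule wraps it in `<F-NOFAIL>`, the tag fail2ban uses for a match that is recognised but not counted as a failure). The script below is an added example, not code from the post or from the fail2ban project. It groups sshd journal lines per client connection, reports connections that hung up at the preauth stage without ever presenting a user name, and separately shows which hosts the proposed failregex would match. The log lines are constructed from the two sessions quoted in the post, with the documentation address 203.0.113.7 standing in for the masked xxx.xxx.xxx.xxx; the Python rendering of `<HOST>` and `%(__on_port_opt)s` is an assumption about what fail2ban substitutes, not fail2ban's own code.

```python
import re
import sys
from collections import OrderedDict

# Constructed sample journal lines modelled on the two sessions in the post.
# 203.0.113.7 (TEST-NET-3) stands in for the masked scanner address.
SAMPLE_LOG = """\
Nov 12 08:10:16 linuxserver sshd[10216]: Connection from 203.0.113.7 port 58404 on 192.168.2.2 port 22
Nov 12 08:10:17 linuxserver sshd[10216]: Received disconnect from 203.0.113.7 port 58404:11: Bye Bye [preauth]
Nov 12 08:10:17 linuxserver sshd[10216]: Disconnected from 203.0.113.7 port 58404 [preauth]
Nov 12 11:36:23 linuxserver sshd[12895]: Connection from 84.156.117.187 port 55468 on 192.168.2.2 port 22
Nov 12 11:36:23 linuxserver sshd[12895]: Postponed keyboard-interactive/pam for root from 84.156.117.187 port 55468 ssh2 [preauth]
Nov 12 11:36:23 linuxserver sshd[12895]: Accepted keyboard-interactive/pam for root from 84.156.117.187 port 55468 ssh2
Nov 12 11:36:50 linuxserver sshd[12899]: Received disconnect from 84.156.117.187 port 55468:11: disconnected by user
Nov 12 11:36:50 linuxserver sshd[12899]: Disconnected from 84.156.117.187 port 55468
"""

# syslog/journal framing: "<timestamp> <host> sshd[<pid>]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
CONNECT_RE = re.compile(r"^Connection from (?P<ip>\S+) port (?P<port>\d+) on ")
# Any of these proves the client presented a user name / credentials.
AUTH_RE = re.compile(
    r"^(?:Postponed|Accepted|Failed) \S+ for (?:invalid user )?\S+ from (?P<ip>\S+) port (?P<port>\d+)"
)
INVALID_USER_RE = re.compile(r"^Invalid user \S+ from (?P<ip>\S+) port (?P<port>\d+)")
DISCONNECT_RE = re.compile(
    r"^Received disconnect from (?P<ip>\S+) port (?P<port>\d+):\s*(?P<code>\d+): "
    r"(?P<reason>.*?)(?P<preauth> \[preauth\])?$"
)

# Python rendering of the failregex proposed in the post (assumption: <HOST>
# becomes an address capture, %(__on_port_opt)s an optional " port N").
PROPOSED_BYE_BYE_RE = re.compile(
    r"^Received disconnect from (?P<host>\S+)(?: port \d+)?:\s*11: Bye Bye \[preauth\]$"
)


def parse_connections(log_text):
    """Group sshd messages per (client ip, client port).

    Keying on the client endpoint rather than the sshd pid matters: after a
    successful login sshd forks, so one session spans two pids (12895/12899).
    """
    conns = OrderedDict()
    checks = ((CONNECT_RE, "connect"), (AUTH_RE, "auth"),
              (INVALID_USER_RE, "auth"), (DISCONNECT_RE, "disconnect"))
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        for rx, kind in checks:
            e = rx.match(m.group("msg"))
            if not e:
                continue
            key = (e.group("ip"), e.group("port"))
            conn = conns.setdefault(key, {"auth_attempt": False, "preauth_disconnect": None})
            if kind == "auth":
                conn["auth_attempt"] = True
            elif kind == "disconnect" and e.group("preauth"):
                conn["preauth_disconnect"] = (e.group("code"), e.group("reason"))
            break
    return conns


def silent_preauth_disconnects(log_text):
    """[(ip, reason)] for connections that hung up before any auth attempt."""
    return [(ip, data["preauth_disconnect"][1])
            for (ip, _port), data in parse_connections(log_text).items()
            if data["preauth_disconnect"] and not data["auth_attempt"]]


def proposed_filter_hits(log_text):
    """Hosts the proposed failregex matches (whether fail2ban counts them is a separate question)."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        h = PROPOSED_BYE_BYE_RE.match(m.group("msg")) if m else None
        if h:
            hits.append(h.group("host"))
    return hits


if __name__ == "__main__":
    # Usage: python3 preauth_check.py [logfile]   (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for ip, reason in silent_preauth_disconnects(text):
        print(f"preauth hang-up without auth attempt: {ip} ({reason})")
    print("proposed regex would match:", proposed_filter_hits(text))
```

On the sample the user's own session is left alone because a "Postponed"/"Accepted" line was seen for it, while the scanner's connection is reported as a preauth hang-up and is also the only hit of the proposed regex. A journal export (for example `journalctl -u sshd --no-pager > sshd.log`) can be fed in as the file argument to check a real day of traffic before changing the jail, which is worth doing because some legitimate clients also disconnect at preauth (key agents probing, monitoring checks), and `maxretry = 0` bans on the first match.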
_______________________________________________
Fail2ban-users mailing list
https://lists.sourceforge.net/lists/listinfo/fail2ban-users