Duh, I should have seen the port... bangs head against wall.

regards

Steven Jones

B.Eng (Hons)

Technical Specialist - Linux RHCE

Victoria University ITS,

Level 8 Rankin Brown Building,

Wellington, NZ

6012

0064 4 463 6272

________________________________________
From: Charles Bradshaw <[email protected]>
Sent: Tuesday, 16 December 2014 10:05 p.m.
To: Steven Jones
Cc: [email protected]
Subject: Re: [Fail2ban-users] Someone somehow bypassing fail2ban?

Your ssh attacks are not blocked because they are on ports other than the
one used by sshd! Fail2ban blocks the default port 22 unless you modify
the jail.

How is ssh seeing attempts on high number ports? These should all be
closed by your firewall/router. In fact your firewall should be
configured to block everything except those ports you specifically
allow.

On Mon, 2014-12-15 at 19:46 +0000, Steven Jones wrote:
> Hi,
>
> I seem to have some brute force root attacks beating fail2ban,
>
> Just as a selection, these are clearly more than 5 failures,  hundreds get 
> through over night,
>
> Have I missed a setting?  or something else?
>
> ======
> 8><-------
> Dec 16 08:28:58 vuwuniconnect01 sshd[3065]: Failed password for root from 
> 23.97.163.146 port 1105 ssh2
> Dec 16 08:28:59 vuwuniconnect01 sshd[3065]: Received disconnect from 
> 23.97.163.146: 11: Bye Bye [preauth]
> Dec 16 08:29:01 vuwuniconnect01 sshd[3068]: pam_unix(sshd:auth): 
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser= 
> rhost=23.97.163.146  user=root
> Dec 16 08:29:04 vuwuniconnect01 sshd[3068]: Failed password for root from 
> 23.97.163.146 port 1128 ssh2
> Dec 16 08:29:04 vuwuniconnect01 sshd[3068]: Received disconnect from 
> 23.97.163.146: 11: Bye Bye [preauth]
> Dec 16 08:29:08 vuwuniconnect01 sshd[3071]: pam_unix(sshd:auth): 
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser= 
> rhost=23.97.163.146  user=root
> Dec 16 08:29:10 vuwuniconnect01 sshd[3071]: Failed password for root from 
> 23.97.163.146 port 1129 ssh2
> Dec 16 08:29:13 vuwuniconnect01 sshd[3075]: pam_unix(sshd:auth): 
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser= 
> rhost=23.97.163.146  user=root
> Dec 16 08:29:15 vuwuniconnect01 sshd[3075]: Failed password for root from 
> 23.97.163.146 port 1024 ssh2
> Dec 16 08:29:15 vuwuniconnect01 sshd[3075]: Received disconnect from 
> 23.97.163.146: 11: Bye Bye [preauth]
> Dec 16 08:29:18 vuwuniconnect01 sshd[3078]: pam_unix(sshd:auth): 
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser= 
> rhost=23.97.163.146  user=root
> Dec 16 08:29:20 vuwuniconnect01 sshd[3078]: Failed password for root from 
> 23.97.163.146 port 1080 ssh2
> Dec 16 08:29:20 vuwuniconnect01 sshd[3078]: Received disconnect from 
> 23.97.163.146: 11: Bye Bye [preauth]
> Dec 16 08:29:23 vuwuniconnect01 sshd[3089]: pam_unix(sshd:auth): 
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser= 
> rhost=23.97.163.146  user=root
> Dec 16 08:29:25 vuwuniconnect01 sshd[3089]: Failed password for root from 
> 23.97.163.146 port 1128 ssh2
> Dec 16 08:29:25 vuwuniconnect01 sshd[3089]: Received disconnect from 
> 23.97.163.146: 11: Bye Bye [preauth]
> Dec 16 08:29:28 vuwuniconnect01 sshd[3092]: pam_unix(sshd:auth): 
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser= 
> rhost=23.97.163.146  user=root
> Dec 16 08:29:30 vuwuniconnect01 sshd[3092]: Failed password for root from 
> 23.97.163.146 port 1104 ssh2
> Dec 16 08:29:30 vuwuniconnect01 sshd[3092]: Received disconnect from 
> 23.97.163.146: 11: Bye Bye [preauth]
> Dec 16 08:29:33 vuwuniconnect01 sshd[3095]: pam_unix(sshd:auth): 
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser= 
> rhost=23.97.163.146  user=root
> Dec 16 08:29:35 vuwuniconnect01 sshd[3095]: Failed password for root from 
> 23.97.163.146 port 1081 ssh2
> Dec 16 08:29:35 vuwuniconnect01 sshd[3095]: Received disconnect from 
> 23.97.163.146: 11: Bye Bye [preauth]
> Dec 16 08:29:37 vuwuniconnect01 sshd[3098]: pam_unix(sshd:auth): 
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser= 
> rhost=23.97.163.146  user=root
> Dec 16 08:29:40 vuwuniconnect01 sshd[3098]: Failed password for root from 
> 23.97.163.146 port 1040 ssh2
> Dec 16 08:29:40 vuwuniconnect01 sshd[3098]: Received disconnect from 
> 23.97.163.146: 11: Bye Bye [preauth]
> Dec 16 08:29:43 vuwuniconnect01 sshd[3101]: pam_unix(sshd:auth): 
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser= 
> rhost=23.97.163.146  user=root
> Dec 16 08:29:45 vuwuniconnect01 sshd[3101]: Failed password for root from 
> 23.97.163.146 port 1105 ssh2
> Dec 16 08:29:46 vuwuniconnect01 sshd[3101]: Received disconnect from 
> 23.97.163.146: 11: Bye Bye [preauth]
> Dec 16 08:29:49 vuwuniconnect01 sshd[3104]: pam_unix(sshd:auth): 
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser= 
> rhost=23.97.163.146  user=root
> Dec 16 08:29:51 vuwuniconnect01 sshd[3104]: Failed password for root from 
> 23.97.163.146 port 1176 ssh2
> Dec 16 08:29:51 vuwuniconnect01 sshd[3104]: Received disconnect from 
> 23.97.163.146: 11: Bye Bye [preauth]
> Dec 16 08:29:54 vuwuniconnect01 sshd[3107]: pam_unix(sshd:auth): 
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser= 
> rhost=23.97.163.146  user=root
> Dec 16 08:29:56 vuwuniconnect01 sshd[3107]: Failed password for root from 
> 23.97.163.146 port 1144 ssh2
> Dec 16 08:29:57 vuwuniconnect01 sshd[3107]: Received disconnect from 
> 23.97.163.146: 11: Bye Bye [preauth]
> Dec 16 08:29:59 vuwuniconnect01 sshd[3110]: pam_unix(sshd:auth): 
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser= 
> rhost=23.97.163.146  user=root
> Dec 16 08:30:01 vuwuniconnect01 sshd[3110]: Failed password for root from 
> 23.97.163.146 port 1040 ssh2
> Dec 16 08:30:01 vuwuniconnect01 sshd[3110]: Received disconnect from 
> 23.97.163.146: 11: Bye Bye [preauth]
> Dec 16 08:30:04 vuwuniconnect01 sshd[3118]: pam_unix(sshd:auth): 
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser= 
> rhost=23.97.163.146  user=root
> Dec 16 08:30:06 vuwuniconnect01 sshd[3118]: Failed password for root from 
> 23.97.163.146 port 1168 ssh2
> Dec 16 08:30:06 vuwuniconnect01 sshd[3118]: Received disconnect from 
> 23.97.163.146: 11: Bye Bye [preauth]
> Dec 16 08:30:09 vuwuniconnect01 sshd[3121]: pam_unix(sshd:auth): 
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser= 
> rhost=23.97.163.146  user=root
> Dec 16 08:30:11 vuwuniconnect01 sshd[3121]: Failed password for root from 
> 23.97.163.146 port 1176 ssh2
> Dec 16 08:30:11 vuwuniconnect01 sshd[3121]: Received disconnect from 
> 23.97.163.146: 11: Bye Bye [preauth]
> Dec 16 08:30:13 vuwuniconnect01 sshd[3124]: pam_unix(sshd:auth): 
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser= 
> rhost=23.97.163.146  user=root
> Dec 16 08:30:16 vuwuniconnect01 sshd[3124]: Failed password for root from 
> 23.97.163.146 port 1024 ssh2
> Dec 16 08:30:16 vuwuniconnect01 sshd[3124]: Received disconnect from 
> 23.97.163.146: 11: Bye Bye [preauth]
> Dec 16 08:30:19 vuwuniconnect01 sshd[3127]: pam_unix(sshd:auth): 
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser= 
> rhost=23.97.163.146  user=root
> Dec 16 08:30:21 vuwuniconnect01 sshd[3127]: Failed password for root from 
> 23.97.163.146 port 1144 ssh2
> Dec 16 08:30:21 vuwuniconnect01 sshd[3127]: Received disconnect from 
> 23.97.163.146: 11: Bye Bye [preauth]
> Dec 16 08:30:24 vuwuniconnect01 sshd[3139]: pam_unix(sshd:auth): 
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser= 
> rhost=23.97.163.146  user=root
> Dec 16 08:30:26 vuwuniconnect01 sshd[3139]: Failed password for root from 
> 23.97.163.146 port 1120 ssh2
> Dec 16 08:30:26 vuwuniconnect01 sshd[3139]: Received disconnect from 
> 23.97.163.146: 11: Bye Bye [preauth]
> Dec 16 08:30:29 vuwuniconnect01 sshd[3142]: pam_unix(sshd:auth): 
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser= 
> rhost=23.97.163.146  user=root
> Dec 16 08:30:31 vuwuniconnect01 sshd[3142]: Failed password for root from 
> 23.97.163.146 port 1176 ssh2
> Dec 16 08:30:31 vuwuniconnect01 sshd[3142]: Received disconnect from 
> 23.97.163.146: 11: Bye Bye [preauth]
> Dec 16 08:30:34 vuwuniconnect01 sshd[3145]: pam_unix(sshd:auth): 
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser= 
> rhost=23.97.163.146  user=root
> Dec 16 08:30:36 vuwuniconnect01 sshd[3145]: Failed password for root from 
> 23.97.163.146 port 1145 ssh2
> Dec 16 08:30:37 vuwuniconnect01 sshd[3145]: Received disconnect from 
> 23.97.163.146: 11: Bye Bye [preauth]
> Dec 16 08:30:39 vuwuniconnect01 sshd[3311]: pam_unix(sshd:auth): 
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser= 
> rhost=23.97.163.146  user=root
> Dec 16 08:30:41 vuwuniconnect01 sshd[3311]: Failed password for root from 
> 23.97.163.146 port 1040 ssh2
> Dec 16 08:30:42 vuwuniconnect01 sshd[3311]: Received disconnect from 
> 23.97.163.146: 11: Bye Bye [preauth]
> Dec 16 08:30:44 vuwuniconnect01 sshd[3715]: pam_unix(sshd:auth): 
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser= 
> rhost=23.97.163.146  user=root
> Dec 16 08:30:46 vuwuniconnect01 sshd[3715]: Failed password for root from 
> 23.97.163.146 port 1136 ssh2
> Dec 16 08:30:47 vuwuniconnect01 sshd[3715]: Received disconnect from 
> 23.97.163.146: 11: Bye Bye [preauth]
> Dec 16 08:30:49 vuwuniconnect01 sshd[3718]: pam_unix(sshd:auth): 
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser= 
> rhost=23.97.163.146  user=root
> Dec 16 08:30:52 vuwuniconnect01 sshd[3718]: Failed password for root from 
> 23.97.163.146 port 1144 ssh2
> Dec 16 08:30:52 vuwuniconnect01 sshd[3718]: Received disconnect from 
> 23.97.163.146: 11: Bye Bye [preauth]
> Dec 16 08:30:55 vuwuniconnect01 sshd[3721]: pam_unix(sshd:auth): 
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser= 
> rhost=23.97.163.146  user=root
> Dec 16 08:30:57 vuwuniconnect01 sshd[3721]: Failed password for root from 
> 23.97.163.146 port 1048 ssh2
> Dec 16 08:30:57 vuwuniconnect01 sshd[3721]: Received disconnect from 
> 23.97.163.146: 11: Bye Bye [preauth]
> Dec 16 08:31:00 vuwuniconnect01 sshd[3724]: pam_unix(sshd:auth): 
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser= 
> rhost=23.97.163.146  user=root
> Dec 16 08:31:02 vuwuniconnect01 sshd[3724]: Failed password for root from 
> 23.97.163.146 port 1024 ssh2
> Dec 16 08:31:03 vuwuniconnect01 sshd[3724]: Received disconnect from 
> 23.97.163.146: 11: Bye Bye [preauth]
> Dec 16 08:31:05 vuwuniconnect01 sshd[3727]: pam_unix(sshd:auth): 
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser= 
> rhost=23.97.163.146  user=root
> Dec 16 08:31:07 vuwuniconnect01 sshd[3727]: Failed password for root from 
> 23.97.163.146 port 1168 ssh2
> Dec 16 08:31:08 vuwuniconnect01 sshd[3727]: Received disconnect from 
> 23.97.163.146: 11: Bye Bye [preauth]
> Dec 16 08:31:10 vuwuniconnect01 sshd[3730]: pam_unix(sshd:auth): 
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser= 
> rhost=23.97.163.146  user=root
> Dec 16 08:31:12 vuwuniconnect01 sshd[3730]: Failed password for root from 
> 23.97.163.146 port 1136 ssh2
> Dec 16 08:31:13 vuwuniconnect01 sshd[3730]: Received disconnect from 
> 23.97.163.146: 11: Bye Bye [preauth]
> Dec 16 08:31:15 vuwuniconnect01 sshd[3814]: pam_unix(sshd:auth): 
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser= 
> rhost=23.97.163.146  user=root
> Dec 16 08:31:17 vuwuniconnect01 sshd[3814]: Failed password for root from 
> 23.97.163.146 port 1032 ssh2
> Dec 16 08:31:18 vuwuniconnect01 sshd[3814]: Received disconnect from 
> 23.97.163.146: 11: Bye Bye [preauth]
> =========
>
> regards
>
> Steven Jones
>
> B.Eng (Hons)
>
> Technical Specialist - Linux RHCE
>
> Victoria University ITS,
>
> Level 8 Rankin Brown Building,
>
> Wellington, NZ
>
> 6012
>
> 0064 4 463 6272
> _______________________________________________
> Fail2ban-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
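
Added example, not part of any message in this thread and not fail2ban's own code: a Python sketch that replays a few of the sshd lines posted above (mail line wraps undone) and reports when a source address reaches a failure threshold, together with the port values logged for it. Assumptions: the threshold of 5 comes from the "more than 5 failures" in the original post, the 600-second window and the year are assumed, the regex is a simplification rather than fail2ban's sshd filter, and the `203.0.113.9` line is constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

HOSTLOG = "Dec 16 %s vuwuniconnect01 sshd[%d]: "
PAGE_LINES = [  # taken from the thread, wraps removed
    HOSTLOG % ("08:28:58", 3065) + "Failed password for root from 23.97.163.146 port 1105 ssh2",
    HOSTLOG % ("08:28:59", 3065) + "Received disconnect from 23.97.163.146: 11: Bye Bye [preauth]",
    HOSTLOG % ("08:29:04", 3068) + "Failed password for root from 23.97.163.146 port 1128 ssh2",
    HOSTLOG % ("08:29:10", 3071) + "Failed password for root from 23.97.163.146 port 1129 ssh2",
    HOSTLOG % ("08:29:15", 3075) + "Failed password for root from 23.97.163.146 port 1024 ssh2",
    HOSTLOG % ("08:29:20", 3078) + "Failed password for root from 23.97.163.146 port 1080 ssh2",
    HOSTLOG % ("08:29:25", 3089) + "Failed password for root from 23.97.163.146 port 1128 ssh2",
]
# Constructed line: a second source that stays below the threshold.
CONSTRUCTED = [HOSTLOG % ("08:29:12", 4000)
               + "Failed password for invalid user test from 203.0.113.9 port 40022 ssh2"]

FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ "
    r"from (?P<host>\S+) port (?P<port>\d+)"
)

def threshold_hits(lines, maxretry=5, findtime=600, year=2014):
    """Return {host: (time of the maxretry-th failure within findtime, ports logged so far)}.

    Counting is keyed on the source address only. The "port" field in this
    sshd message is the remote peer's port and is collected just for display.
    """
    window, ports, hits = defaultdict(deque), defaultdict(list), {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue  # disconnect and pam_unix lines are not counted here
        host = m["host"]
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ports[host].append(int(m["port"]))
        q = window[host]
        q.append(when)
        while when - q[0] > timedelta(seconds=findtime):
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= maxretry and host not in hits:
            hits[host] = (when, list(ports[host]))
    return hits

if __name__ == "__main__":
    for host, (when, seen) in threshold_hits(PAGE_LINES + CONSTRUCTED).items():
        print(host, "reached threshold at", when.time(), "ports logged:", seen)
```
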
