Hi, Actually no I think these are source ports.
This is some sort of parallel DoS attack?

regards

Steven Jones
B.Eng (Hons)
Technical Specialist - Linux RHCE
Victoria University ITS,
Level 8 Rankin Brown Building,
Wellington, NZ
6012
0064 4 463 6272

________________________________________
From: Steven Jones <[email protected]>
Sent: Wednesday, 17 December 2014 8:47 a.m.
To: Charles Bradshaw
Cc: [email protected]
Subject: Re: [Fail2ban-users] Someone somehow bypassing fail2ban?

duh I should have seen the port....bangs head against wall.

regards

Steven Jones

________________________________________
From: Charles Bradshaw <[email protected]>
Sent: Tuesday, 16 December 2014 10:05 p.m.
To: Steven Jones
Cc: [email protected]
Subject: Re: [Fail2ban-users] Someone somehow bypassing fail2ban?

Your ssh attacks are not blocked because they are on ports other than the one used by sshd! Fail2ban blocks the default port 22 unless you modify the jail.

How is ssh seeing attempts on high number ports? These should all be closed by your firewall/router. In fact your firewall should be configured to block everything except those ports you specifically allow.

On Mon, 2014-12-15 at 19:46 +0000, Steven Jones wrote:
> Hi,
>
> I seem to have some brute force root attacks beating fail2ban,
>
> Just as a selection, these are clearly more than 5 failures, hundreds get
> through overnight,
>
> Have I missed a setting? or something else?
>
> ======
> 8><-------
> Dec 16 08:28:58 vuwuniconnect01 sshd[3065]: Failed password for root from 23.97.163.146 port 1105 ssh2
> Dec 16 08:28:59 vuwuniconnect01 sshd[3065]: Received disconnect from 23.97.163.146: 11: Bye Bye [preauth]
> Dec 16 08:29:01 vuwuniconnect01 sshd[3068]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=23.97.163.146 user=root
> Dec 16 08:29:04 vuwuniconnect01 sshd[3068]: Failed password for root from 23.97.163.146 port 1128 ssh2
> Dec 16 08:29:04 vuwuniconnect01 sshd[3068]: Received disconnect from 23.97.163.146: 11: Bye Bye [preauth]
> Dec 16 08:29:08 vuwuniconnect01 sshd[3071]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=23.97.163.146 user=root
> Dec 16 08:29:10 vuwuniconnect01 sshd[3071]: Failed password for root from 23.97.163.146 port 1129 ssh2
> Dec 16 08:29:13 vuwuniconnect01 sshd[3075]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=23.97.163.146 user=root
> Dec 16 08:29:15 vuwuniconnect01 sshd[3075]: Failed password for root from 23.97.163.146 port 1024 ssh2
> Dec 16 08:29:15 vuwuniconnect01 sshd[3075]: Received disconnect from 23.97.163.146: 11: Bye Bye [preauth]
> Dec 16 08:29:18 vuwuniconnect01 sshd[3078]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=23.97.163.146 user=root
> Dec 16 08:29:20 vuwuniconnect01 sshd[3078]: Failed password for root from 23.97.163.146 port 1080 ssh2
> Dec 16 08:29:20 vuwuniconnect01 sshd[3078]: Received disconnect from 23.97.163.146: 11: Bye Bye [preauth]
> Dec 16 08:29:23 vuwuniconnect01 sshd[3089]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=23.97.163.146 user=root
> Dec 16 08:29:25 vuwuniconnect01 sshd[3089]: Failed password for root from 23.97.163.146 port 1128 ssh2
> Dec 16 08:29:25 vuwuniconnect01 sshd[3089]: Received disconnect from 23.97.163.146: 11: Bye Bye [preauth]
> Dec 16 08:29:28 vuwuniconnect01 sshd[3092]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=23.97.163.146 user=root
> Dec 16 08:29:30 vuwuniconnect01 sshd[3092]: Failed password for root from 23.97.163.146 port 1104 ssh2
> Dec 16 08:29:30 vuwuniconnect01 sshd[3092]: Received disconnect from 23.97.163.146: 11: Bye Bye [preauth]
> Dec 16 08:29:33 vuwuniconnect01 sshd[3095]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=23.97.163.146 user=root
> Dec 16 08:29:35 vuwuniconnect01 sshd[3095]: Failed password for root from 23.97.163.146 port 1081 ssh2
> Dec 16 08:29:35 vuwuniconnect01 sshd[3095]: Received disconnect from 23.97.163.146: 11: Bye Bye [preauth]
> Dec 16 08:29:37 vuwuniconnect01 sshd[3098]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=23.97.163.146 user=root
> Dec 16 08:29:40 vuwuniconnect01 sshd[3098]: Failed password for root from 23.97.163.146 port 1040 ssh2
> Dec 16 08:29:40 vuwuniconnect01 sshd[3098]: Received disconnect from 23.97.163.146: 11: Bye Bye [preauth]
> Dec 16 08:29:43 vuwuniconnect01 sshd[3101]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=23.97.163.146 user=root
> Dec 16 08:29:45 vuwuniconnect01 sshd[3101]: Failed password for root from 23.97.163.146 port 1105 ssh2
> Dec 16 08:29:46 vuwuniconnect01 sshd[3101]: Received disconnect from 23.97.163.146: 11: Bye Bye [preauth]
> Dec 16 08:29:49 vuwuniconnect01 sshd[3104]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=23.97.163.146 user=root
> Dec 16 08:29:51 vuwuniconnect01 sshd[3104]: Failed password for root from 23.97.163.146 port 1176 ssh2
> Dec 16 08:29:51 vuwuniconnect01 sshd[3104]: Received disconnect from 23.97.163.146: 11: Bye Bye [preauth]
> Dec 16 08:29:54 vuwuniconnect01 sshd[3107]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=23.97.163.146 user=root
> Dec 16 08:29:56 vuwuniconnect01 sshd[3107]: Failed password for root from 23.97.163.146 port 1144 ssh2
> Dec 16 08:29:57 vuwuniconnect01 sshd[3107]: Received disconnect from 23.97.163.146: 11: Bye Bye [preauth]
> Dec 16 08:29:59 vuwuniconnect01 sshd[3110]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=23.97.163.146 user=root
> Dec 16 08:30:01 vuwuniconnect01 sshd[3110]: Failed password for root from 23.97.163.146 port 1040 ssh2
> Dec 16 08:30:01 vuwuniconnect01 sshd[3110]: Received disconnect from 23.97.163.146: 11: Bye Bye [preauth]
> Dec 16 08:30:04 vuwuniconnect01 sshd[3118]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=23.97.163.146 user=root
> Dec 16 08:30:06 vuwuniconnect01 sshd[3118]: Failed password for root from 23.97.163.146 port 1168 ssh2
> Dec 16 08:30:06 vuwuniconnect01 sshd[3118]: Received disconnect from 23.97.163.146: 11: Bye Bye [preauth]
> Dec 16 08:30:09 vuwuniconnect01 sshd[3121]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=23.97.163.146 user=root
> Dec 16 08:30:11 vuwuniconnect01 sshd[3121]: Failed password for root from 23.97.163.146 port 1176 ssh2
> Dec 16 08:30:11 vuwuniconnect01 sshd[3121]: Received disconnect from 23.97.163.146: 11: Bye Bye [preauth]
> Dec 16 08:30:13 vuwuniconnect01 sshd[3124]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=23.97.163.146 user=root
> Dec 16 08:30:16 vuwuniconnect01 sshd[3124]: Failed password for root from 23.97.163.146 port 1024 ssh2
> Dec 16 08:30:16 vuwuniconnect01 sshd[3124]: Received disconnect from 23.97.163.146: 11: Bye Bye [preauth]
> Dec 16 08:30:19 vuwuniconnect01 sshd[3127]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=23.97.163.146 user=root
> Dec 16 08:30:21 vuwuniconnect01 sshd[3127]: Failed password for root from 23.97.163.146 port 1144 ssh2
> Dec 16 08:30:21 vuwuniconnect01 sshd[3127]: Received disconnect from 23.97.163.146: 11: Bye Bye [preauth]
> Dec 16 08:30:24 vuwuniconnect01 sshd[3139]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=23.97.163.146 user=root
> Dec 16 08:30:26 vuwuniconnect01 sshd[3139]: Failed password for root from 23.97.163.146 port 1120 ssh2
> Dec 16 08:30:26 vuwuniconnect01 sshd[3139]: Received disconnect from 23.97.163.146: 11: Bye Bye [preauth]
> Dec 16 08:30:29 vuwuniconnect01 sshd[3142]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=23.97.163.146 user=root
> Dec 16 08:30:31 vuwuniconnect01 sshd[3142]: Failed password for root from 23.97.163.146 port 1176 ssh2
> Dec 16 08:30:31 vuwuniconnect01 sshd[3142]: Received disconnect from 23.97.163.146: 11: Bye Bye [preauth]
> Dec 16 08:30:34 vuwuniconnect01 sshd[3145]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=23.97.163.146 user=root
> Dec 16 08:30:36 vuwuniconnect01 sshd[3145]: Failed password for root from 23.97.163.146 port 1145 ssh2
> Dec 16 08:30:37 vuwuniconnect01 sshd[3145]: Received disconnect from 23.97.163.146: 11: Bye Bye [preauth]
> Dec 16 08:30:39 vuwuniconnect01 sshd[3311]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=23.97.163.146 user=root
> Dec 16 08:30:41 vuwuniconnect01 sshd[3311]: Failed password for root from 23.97.163.146 port 1040 ssh2
> Dec 16 08:30:42 vuwuniconnect01 sshd[3311]: Received disconnect from 23.97.163.146: 11: Bye Bye [preauth]
> Dec 16 08:30:44 vuwuniconnect01 sshd[3715]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=23.97.163.146 user=root
> Dec 16 08:30:46 vuwuniconnect01 sshd[3715]: Failed password for root from 23.97.163.146 port 1136 ssh2
> Dec 16 08:30:47 vuwuniconnect01 sshd[3715]: Received disconnect from 23.97.163.146: 11: Bye Bye [preauth]
> Dec 16 08:30:49 vuwuniconnect01 sshd[3718]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=23.97.163.146 user=root
> Dec 16 08:30:52 vuwuniconnect01 sshd[3718]: Failed password for root from 23.97.163.146 port 1144 ssh2
> Dec 16 08:30:52 vuwuniconnect01 sshd[3718]: Received disconnect from 23.97.163.146: 11: Bye Bye [preauth]
> Dec 16 08:30:55 vuwuniconnect01 sshd[3721]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=23.97.163.146 user=root
> Dec 16 08:30:57 vuwuniconnect01 sshd[3721]: Failed password for root from 23.97.163.146 port 1048 ssh2
> Dec 16 08:30:57 vuwuniconnect01 sshd[3721]: Received disconnect from 23.97.163.146: 11: Bye Bye [preauth]
> Dec 16 08:31:00 vuwuniconnect01 sshd[3724]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=23.97.163.146 user=root
> Dec 16 08:31:02 vuwuniconnect01 sshd[3724]: Failed password for root from 23.97.163.146 port 1024 ssh2
> Dec 16 08:31:03 vuwuniconnect01 sshd[3724]: Received disconnect from 23.97.163.146: 11: Bye Bye [preauth]
> Dec 16 08:31:05 vuwuniconnect01 sshd[3727]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=23.97.163.146 user=root
> Dec 16 08:31:07 vuwuniconnect01 sshd[3727]: Failed password for root from 23.97.163.146 port 1168 ssh2
> Dec 16 08:31:08 vuwuniconnect01 sshd[3727]: Received disconnect from 23.97.163.146: 11: Bye Bye [preauth]
> Dec 16 08:31:10 vuwuniconnect01 sshd[3730]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=23.97.163.146 user=root
> Dec 16 08:31:12 vuwuniconnect01 sshd[3730]: Failed password for root from 23.97.163.146 port 1136 ssh2
> Dec 16 08:31:13 vuwuniconnect01 sshd[3730]: Received disconnect from 23.97.163.146: 11: Bye Bye [preauth]
> Dec 16 08:31:15 vuwuniconnect01 sshd[3814]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=23.97.163.146 user=root
> Dec 16 08:31:17 vuwuniconnect01 sshd[3814]: Failed password for root from 23.97.163.146 port 1032 ssh2
> Dec 16 08:31:18 vuwuniconnect01 sshd[3814]: Received disconnect from 23.97.163.146: 11: Bye Bye [preauth]
> =========
>
> regards
>
> Steven Jones

_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
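
The point the thread ends on, as an added example that is not part of the original messages: in sshd's "Failed password ... from IP port N" lines, N is the client's source port, so it changes per connection while every attempt still reaches the same sshd listener. The code below counts failures per client in a sliding window; maxretry=5 follows the "more than 5 failures" in the question, while findtime=600 seconds and the sample lines (documentation addresses, host name host01) are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in the format of the log quoted in the thread
# (documentation addresses, hypothetical host name).
SAMPLE_LOG = """\
Dec 16 08:28:58 host01 sshd[3065]: Failed password for root from 203.0.113.7 port 1105 ssh2
Dec 16 08:28:59 host01 sshd[3065]: Received disconnect from 203.0.113.7: 11: Bye Bye [preauth]
Dec 16 08:29:04 host01 sshd[3068]: Failed password for root from 203.0.113.7 port 1128 ssh2
Dec 16 08:29:10 host01 sshd[3071]: Failed password for root from 203.0.113.7 port 1129 ssh2
Dec 16 08:29:12 host01 sshd[3073]: Failed password for invalid user test from 198.51.100.9 port 40022 ssh2
Dec 16 08:29:15 host01 sshd[3075]: Failed password for root from 203.0.113.7 port 1024 ssh2
Dec 16 08:29:20 host01 sshd[3078]: Failed password for root from 203.0.113.7 port 1080 ssh2
Dec 16 08:29:25 host01 sshd[3089]: Failed password for root from 203.0.113.7 port 1128 ssh2
"""

FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (\S+) port (\d+)"
)

def analyse(text, maxretry=5, findtime=600, year=2014):
    """Per client: failure count, source ports seen, and when a
    maxretry-within-findtime threshold would first have been reached."""
    hosts = defaultdict(
        lambda: {"failures": 0, "source_ports": set(), "threshold_at": None})
    windows = defaultdict(deque)
    for line in text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue  # disconnects, pam_unix lines and anything else
        # syslog timestamps carry no year, so one is supplied (assumption)
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip, port = m.group(2), int(m.group(3))
        h, w = hosts[ip], windows[ip]
        h["failures"] += 1
        h["source_ports"].add(port)  # client-side port, not the sshd listener
        w.append(ts)
        while (ts - w[0]).total_seconds() > findtime:
            w.popleft()  # forget failures older than the window
        if len(w) >= maxretry and h["threshold_at"] is None:
            h["threshold_at"] = ts
    return dict(hosts)

if __name__ == "__main__":
    for ip, h in analyse(SAMPLE_LOG).items():
        print(ip, h["failures"], sorted(h["source_ports"]), h["threshold_at"])
```

Grouping by client address rather than by the logged port is what makes the repeated attempts show up as one offender.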
