Robert G. (Doc) Savage wrote:
I'm trying to contend with global SSH brute force attacks with fail2ban.
Apparently I have one or more settings/permissions wrong. Iptables is
not being updated despite waves of attacks, and I'm not getting any
e-mail warnings. Suggestions anybody?
--Doc Savage
Fairview Heights, IL
I've made the following changes to /etc/fail2ban.conf:
background = true
bantime = -1
ignoreip = 192.168.1.1/24
[MAIL] notification
enabled = true
Here is a sample entry from /var/log/secure for an attack on user
'nagios':
May 3 08:41:20 lion sshd[30068]: reverse mapping checking getaddrinfo for 51.82.66.200.in-addr.arpa failed - POSSIBLE BREAK-IN ATTEMPT!
May 3 08:41:20 lion sshd[30068]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=200.66.82.51 user=nagios
May 3 08:41:22 lion sshd[30068]: Failed password for nagios from 200.66.82.51 port 35501 ssh2
May 3 08:41:22 lion sshd[30069]: Received disconnect from 200.66.82.51: 11: Bye Bye
I am curious.
I only manage small networks, with little expected ssh traffic. I use
iptables to limit the number of connexion attempts per hour to two or so.
I find I block 90% or so of bad ssh connexions, nothing short of a
distributed attack can hope to enumerate passwords, and I don't have
enough bandwidth for anyone to make a realistic attempt to guess a password.
I get messages like yours above, but not enough to trouble me. I don't
expect ever to get none, but on the other hand it's possible someone
might need to connect some time without a key, and maybe get the
password wrong in the process of trying to use it.
I'm sure that there are good reasons my method won't work, but I'd like
to know some of them, just in case.
How many ssh connexions do you expect?
How many are you receiving?
Here are my relevant rules:
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 state NEW limit: avg 5/hour burst 5 LOG flags 0 level 4 prefix `SSH connexion '
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 state NEW limit: avg 5/hour burst 5
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 LOG flags 0 level 4 prefix `SSH connexion attack dropped '
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
Before these, there are rules for sites explicitly allowed, so these
rules apply to the rest of the world. Would something of this kind help
you? I would think a limit well above your expected rate (or, like me,
some rules to permit approved locations) might help.
--
Cheers
John
-- spambait
1aaaa...@coco.merseine.nu z1aaaa...@coco.merseine.nu
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375
You cannot reply off-list:-)
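An added example (not from either poster) that reads sshd entries of the form Doc pasted and reports, per source address, how many failed logins fall inside a fail2ban-style maxretry/findtime window while honouring an ignoreip list; it also gives a concrete count for John's "how many are you receiving" question. The failregex, the maxretry/findtime values, the assumed year and the three extra log lines are assumptions modelled on the excerpt above, not fail2ban's own filter.

```python
import ipaddress
import re
from datetime import datetime

# Assumed failregex modelled on the "Failed password" line in the thread
# (not copied from fail2ban's own sshd filter).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<host>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Constructed sample: Doc's four lines (unwrapped) plus three made-up entries.
SAMPLE_LOG = """\
May 3 08:41:20 lion sshd[30068]: reverse mapping checking getaddrinfo for 51.82.66.200.in-addr.arpa failed - POSSIBLE BREAK-IN ATTEMPT!
May 3 08:41:20 lion sshd[30068]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=200.66.82.51 user=nagios
May 3 08:41:22 lion sshd[30068]: Failed password for nagios from 200.66.82.51 port 35501 ssh2
May 3 08:41:22 lion sshd[30069]: Received disconnect from 200.66.82.51: 11: Bye Bye
May 3 08:41:25 lion sshd[30070]: Failed password for invalid user oracle from 200.66.82.51 port 35502 ssh2
May 3 08:41:29 lion sshd[30071]: Failed password for root from 200.66.82.51 port 35503 ssh2
May 3 08:52:01 lion sshd[30090]: Failed password for doc from 192.168.1.20 port 40001 ssh2
"""

def parse_failures(text, year=2008):
    """[(datetime, host, user)] per matching line; syslog has no year, so one is assumed."""
    found = []
    for line in text.splitlines():
        if m := FAILED_RE.match(line):
            stamp = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            found.append((stamp, m["host"], m["user"]))
    return found

def offenders(failures, maxretry=3, findtime=600, ignoreip=("192.168.1.1/24",)):
    """Hosts with >= maxretry failures inside some findtime-second window,
    mapped to their total failure count; sources in ignoreip are skipped.
    strict=False because Doc's 192.168.1.1/24 has host bits set."""
    nets = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
    by_host = {}
    for stamp, host, _user in failures:
        if any(ipaddress.ip_address(host) in net for net in nets):
            continue
        by_host.setdefault(host, []).append(stamp)
    banned = {}
    for host, stamps in by_host.items():
        stamps.sort()
        for i in range(len(stamps) - maxretry + 1):
            if (stamps[i + maxretry - 1] - stamps[i]).total_seconds() <= findtime:
                banned[host] = len(stamps)
                break
    return banned
```

Running `offenders(parse_failures(open("/var/log/secure").read()))` on a real log gives the per-source counts John asks about; a regex that matches none of the lines is the first thing to rule out when no bans appear.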
_______________________________________________
rhelv5-list mailing list
rhelv5-list@redhat.com
https://www.redhat.com/mailman/listinfo/rhelv5-list