
#1 2009-11-12 00:52:37

murfMan
Member
Registered: 2009-10-27
Posts: 161

ssh failed login attempts

i noticed in my auth.log that i was getting a lot of failed logins. anyone know how to auto ban an ip that has more than a certain number of failed login attempts?

Offline

#2 2009-11-12 01:10:58

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 19,785

Re: ssh failed login attempts

pacman -Ss fail2ban



Offline

#3 2009-11-12 01:41:46

murfMan
Member
Registered: 2009-10-27
Posts: 161

Re: ssh failed login attempts

thanks! i just installed it but how can i tell if this is working.  i just tried to break into my own system and i wasn't banned after several attempts

i have no idea how to use this thing hmm

Last edited by murfMan (2009-11-12 01:47:58)

Offline

#4 2009-11-12 01:50:59

kermana
Member
Registered: 2009-04-13
Posts: 60

Re: ssh failed login attempts

Well there are a couple things you need to do after installation. Check out  /etc/fail2ban/jail.conf, this is the file where you tell fail2ban what to look for and what to do. The file pretty much explains itself.  I have the following section for ssh:

[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=myEmail@address.com, sender=myEmail@address.com]
logpath  = /var/log/auth.log
maxretry = 5

I think I had to manually set the logpath and enabled sections the first time I installed. Also notice that it is configured to send me an email every time it bans an ip. One more tip, don't forget to add it into your daemons list and actually start it :)

Edit: To see if it is working, you can also check the log file which is defined in /etc/fail2ban/fail2ban.conf. It should read something like this on start:

2009-11-09 22:16:37,905 fail2ban.jail   : INFO   Creating new jail 'ssh-iptables'
2009-11-09 22:16:37,906 fail2ban.jail   : INFO   Jail 'ssh-iptables' uses poller
2009-11-09 22:16:38,175 fail2ban.filter : INFO   Added logfile = /var/log/auth.log
2009-11-09 22:16:38,177 fail2ban.filter : INFO   Set maxRetry = 5
2009-11-09 22:16:38,182 fail2ban.filter : INFO   Set findtime = 600
2009-11-09 22:16:38,184 fail2ban.actions: INFO   Set banTime = 600

Last edited by kermana (2009-11-12 02:06:13)

Offline
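
Added illustration (not part of any post in this thread, and not fail2ban's own code): a small model of the thresholds reported in the startup log in post #4, where an address is banned once it produces maxretry = 5 failures inside findtime = 600 seconds. The log lines are constructed samples and the regex is a simplified stand-in for the sshd filter.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Simplified pattern; fail2ban's own sshd filter matches more message variants.
FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+) port \d+")

def find_bans(lines, maxretry=5, findtime=600, year=2009):
    """Return {ip: time of the failure that made maxretry hits within findtime s}."""
    recent = defaultdict(deque)  # ip -> failure times still inside the window
    bans = {}
    for line in lines:
        m = FAILED.match(line)
        if not m or m.group(2) in bans:
            continue
        # Classic syslog stamps carry no year, so one is assumed.
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        window = recent[m.group(2)]
        window.append(when)
        while (when - window[0]).total_seconds() > findtime:
            window.popleft()  # forget failures older than findtime
        if len(window) >= maxretry:
            bans[m.group(2)] = when
    return bans

# Constructed sample log lines (documentation IP ranges), not from the thread.
SAMPLE = [
    "Nov 11 01:40:01 box sshd[901]: Failed password for root from 203.0.113.7 port 40001 ssh2",
    "Nov 11 01:40:09 box sshd[902]: Failed password for invalid user admin from 203.0.113.7 port 40002 ssh2",
    "Nov 11 01:40:15 box sshd[903]: Failed password for root from 198.51.100.23 port 40100 ssh2",
    "Nov 11 01:40:20 box sshd[904]: Failed password for root from 203.0.113.7 port 40003 ssh2",
    "Nov 11 01:40:31 box sshd[905]: Accepted password for alice from 192.0.2.10 port 40200 ssh2",
    "Nov 11 01:40:44 box sshd[906]: Failed password for root from 203.0.113.7 port 40004 ssh2",
    "Nov 11 01:41:02 box sshd[907]: Failed password for invalid user test from 203.0.113.7 port 40005 ssh2",
    "Nov 11 01:52:15 box sshd[908]: Failed password for root from 198.51.100.23 port 40101 ssh2",
    "Nov 11 02:04:15 box sshd[909]: Failed password for root from 198.51.100.23 port 40102 ssh2",
    "Nov 11 02:16:15 box sshd[910]: Failed password for root from 198.51.100.23 port 40103 ssh2",
    "Nov 11 02:28:15 box sshd[911]: Failed password for root from 198.51.100.23 port 40104 ssh2",
]

if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE).items():
        print(f"{when:%b %d %H:%M:%S} would ban {ip}")
```

The second address fails five times as well, but 12 minutes apart, so it never accumulates five failures inside one 600-second window; a slow guesser like that is only caught by raising findtime.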

#5 2009-11-12 02:41:22

murfMan
Member
Registered: 2009-10-27
Posts: 161

Re: ssh failed login attempts

sweet works great! but i can't seem to get the sendmail to work.  is sendmail able to send to a gmail account? or is it just local mail? i have postfix installed.

Last edited by murfMan (2009-11-12 02:44:16)

Offline

#6 2009-11-12 02:44:58

kermana
Member
Registered: 2009-04-13
Posts: 60

Re: ssh failed login attempts

did you check the mail.log file? it should give you an idea why the mail is rejected. I think it might be because of restrictions in /etc/postfix/main.cf . Here is what I have:

smtpd_sender_restrictions = permit_sasl_authenticated,
                            permit_mynetworks,
                            reject_non_fqdn_sender,
                            reject_unknown_sender_domain,
                            reject_sender_login_mismatch,
                            permit

...

mynetworks = 127.0.0.0/8

I think permit_mynetworks should allow you to send from localhost. But I suck in postfix configuration :) As far as I know, the sample above may be evil but I haven't seen any spam being relayed in the logs, so far so good. Also I use fail2ban to check for brute force attack on smtp too. Here is the part of jail.conf in case you would want it:
(note that I use sasl authentication as wiki explains)

[sasl-iptables]
enabled  = true
filter   = sasl
backend  = polling
action   = iptables[name=sasl, port=smtp, protocol=tcp]
           sendmail-whois[name=sasl, dest=myEmail@addy.com]
logpath  = /var/log/mail.log

I get an average of 2 bans for ssh per day and once in a while someone smart tries to hack into smtp too ... So it's a good idea to protect both.

Last edited by kermana (2009-11-12 03:00:14)

Offline

#7 2009-11-12 03:16:11

murfMan
Member
Registered: 2009-10-27
Posts: 161

Re: ssh failed login attempts

do you have a port forwarded for smtp? i don't.  but if i telnet into my mailserver i am able to send / receive mail

Offline

#8 2009-11-12 03:32:26

kermana
Member
Registered: 2009-04-13
Posts: 60

Re: ssh failed login attempts

Well, I have this setup on a dedicated server a few hundred kilometers away with its own domain. It is not behind a firewall like a home router so port forwarding is not an issue (or even an option) for me. I have iptables setup as a firewall solution. From what I understand you have it in your home network? If it is in your home network, many email services like gmail, as far as I know, try to resolve your ip to a domain, if it doesn't get a proper domain resolving to that ip they reject the mail. I believe they do this to prevent spam from badly configured mail servers.

Last edited by kermana (2009-11-12 03:36:14)

Offline

#9 2009-11-12 03:33:36

murfMan
Member
Registered: 2009-10-27
Posts: 161

Re: ssh failed login attempts

i can receive mail in my gmail account from postfix using telnet ... but not sendmail.  yes, this server is on my local network

Last edited by murfMan (2009-11-12 03:33:58)

Offline

#10 2009-11-12 03:34:40

ataraxia
Member
From: Pittsburgh
Registered: 2007-05-06
Posts: 1,553

Re: ssh failed login attempts

For a different, and much simpler, way of handling this, you can change the port sshd listens on. Smart bad guys can still find it, but it stops 99% of all the script kiddies and other zombie attackers. Since I did this 6 months ago I haven't seen a single attack.

Offline

#11 2009-11-12 03:38:48

kermana
Member
Registered: 2009-04-13
Posts: 60

Re: ssh failed login attempts

Well, I really don't know what the mail problem might be then :)

Offline

#12 2009-11-12 03:53:33

murfMan
Member
Registered: 2009-10-27
Posts: 161

Re: ssh failed login attempts

i got it working :D thank you for all the help.

Offline
