Hello
I have finally managed to configure fail2ban properly on my Ubuntu 12.04 root server. It had always annoyed me to read masses of entries about rejected login attempts in the Logwatch report (I only allow public key auth., but they keep trying keyboard/password auth.).
After 3 failed attempts the IP is banned for 10 minutes. Following the guide from benblogt, I also added the message that appears when someone tries to get in via password entry to /etc/fail2ban/filter.d/sshd.conf:
Code:
# additional failregex lines for the sshd filter (the [preauth] suffix is literal, so the brackets are escaped)
^%(__prefix_line)sReceived disconnect from <HOST>: .* Bye Bye \[preauth\]\s*$
^%(__prefix_line)sReceived disconnect from <HOST>: .* Goodbye \[preauth\]\s*$
^%(__prefix_line)sReceived disconnect from <HOST>: .* No supported authentication methods available \[preauth\]\s*$
However, I now read things like the following (in the notification mail from fail2ban):
Code:
The IP 210.167.20.26 has just been banned by Fail2Ban after
2 attempts against ssh.
Here is more information about 210.167.20.26:
[ JPNIC database provides information regarding IP address and ASN. Its use ]
[ is restricted to network administration purposes. For further information, ]
[ use 'whois -h whois.nic.ad.jp help'. To only display English output, ]
[ add '/e' at the end of command, e.g. 'whois -h whois.nic.ad.jp xxx/e'. ]
Network Information:
a. [Network Number] 210.167.20.0/23
b. [Network Name] ENETS
g. [Organization] eNet Solutions Co.,Ltd
m. [Administrative Contact] SK11338JP
n. [Technical Contact] SK11338JP
p. [Nameserver] ns5.enets.jp
p. [Nameserver] ns1.htcn.ne.jp
[Assigned Date] 2013/06/25
[Return Date]
[Last Update] 2013/10/30 10:17:04(JST)
Less Specific Info.
----------
Hokuriku Telecommunication Network Co.Ltd.
[Allocation] 210.167.16.0/20
More Specific Info.
----------
No match!!
Lines containing IP:210.167.20.26 in /var/log/auth.log
Jan 5 23:32:51 example sshd[25536]: Received disconnect from 210.167.20.26: 11: Bye Bye [preauth]
Jan 6 01:04:54 example sshd[26510]: Received disconnect from 210.167.20.26: 11: Bye Bye [preauth]
Jan 6 02:37:16 example sshd[27309]: Received disconnect from 210.167.20.26: 11: Bye Bye [preauth]
Jan 6 04:09:28 example sshd[28199]: Received disconnect from 210.167.20.26: 11: Bye Bye [preauth]
Jan 6 05:41:52 example sshd[29327]: Received disconnect from 210.167.20.26: 11: Bye Bye [preauth]
Jan 6 07:14:04 example sshd[30837]: Received disconnect from 210.167.20.26: 11: Bye Bye [preauth]
Jan 6 08:46:22 example sshd[31678]: Received disconnect from 210.167.20.26: 11: Bye Bye [preauth]
Jan 6 10:18:29 example sshd[32681]: Received disconnect from 210.167.20.26: 11: Bye Bye [preauth]
Jan 6 11:50:41 example sshd[1127]: Received disconnect from 210.167.20.26: 11: Bye Bye [preauth]
Jan 6 13:22:46 example sshd[2319]: Received disconnect from 210.167.20.26: 11: Bye Bye [preauth]
Jan 6 14:54:55 example sshd[3318]: Received disconnect from 210.167.20.26: 11: Bye Bye [preauth]
Jan 6 16:27:12 example sshd[4975]: Received disconnect from 210.167.20.26: 11: Bye Bye [preauth]
Jan 6 17:59:13 example sshd[6317]: Received disconnect from 210.167.20.26: 11: Bye Bye [preauth]
Jan 6 19:31:31 example sshd[7245]: Received disconnect from 210.167.20.26: 11: Bye Bye [preauth]
Jan 6 21:03:40 example sshd[8117]: Received disconnect from 210.167.20.26: 11: Bye Bye [preauth]
Jan 6 22:35:48 example sshd[9264]: Received disconnect from 210.167.20.26: 11: Bye Bye [preauth]
Jan 7 00:08:14 example sshd[10297]: Received disconnect from 210.167.20.26: 11: Bye Bye [preauth]
Jan 7 01:40:18 example sshd[11150]: Received disconnect from 210.167.20.26: 11: Bye Bye [preauth]
Jan 7 03:12:21 example sshd[12007]: Received disconnect from 210.167.20.26: 11: Bye Bye [preauth]
Jan 7 04:44:20 example sshd[13367]: Received disconnect from 210.167.20.26: 11: Bye Bye [preauth]
Jan 7 06:16:17 example sshd[14232]: Received disconnect from 210.167.20.26: 11: Bye Bye [preauth]
Jan 7 07:48:13 example sshd[15739]: Received disconnect from 210.167.20.26: 11: Bye Bye [preauth]
Jan 7 09:20:12 example sshd[16701]: Received disconnect from 210.167.20.26: 11: Bye Bye [preauth]
Jan 7 10:52:04 example sshd[17831]: Received disconnect from 210.167.20.26: 11: Bye Bye [preauth]
Jan 7 12:23:57 example sshd[19507]: Received disconnect from 210.167.20.26: 11: Bye Bye [preauth]
Jan 7 13:56:06 example sshd[20896]: Received disconnect from 210.167.20.26: 11: Bye Bye [preauth]
Jan 7 15:28:14 example sshd[22333]: Received disconnect from 210.167.20.26: 11: Bye Bye [preauth]
Jan 7 17:00:23 example sshd[24264]: Received disconnect from 210.167.20.26: 11: Bye Bye [preauth]
Jan 7 18:32:33 example sshd[25436]: Received disconnect from 210.167.20.26: 11: Bye Bye [preauth]
Jan 7 20:04:17 example sshd[26514]: Received disconnect from 210.167.20.26: 11: Bye Bye [preauth]
Jan 7 21:36:10 example sshd[27874]: Received disconnect from 210.167.20.26: 11: Bye Bye [preauth]
Jan 7 23:08:13 example sshd[29162]: Received disconnect from 210.167.20.26: 11: Bye Bye [preauth]
Jan 8 00:40:23 example sshd[30247]: Received disconnect from 210.167.20.26: 11: Bye Bye [preauth]
Jan 8 02:12:38 example sshd[31278]: Received disconnect from 210.167.20.26: 11: Bye Bye [preauth]
Jan 8 03:44:31 example sshd[310]: Received disconnect from 210.167.20.26: 11: Bye Bye [preauth]
Jan 8 05:16:38 example sshd[1539]: Received disconnect from 210.167.20.26: 11: Bye Bye [preauth]
Jan 8 06:48:44 example sshd[2719]: Received disconnect from 210.167.20.26: 11: Bye Bye [preauth]
Jan 8 08:20:46 example sshd[4842]: Received disconnect from 210.167.20.26: 11: Bye Bye [preauth]
Jan 8 09:52:55 example sshd[6066]: Received disconnect from 210.167.20.26: 11: Bye Bye [preauth]
Jan 8 11:25:01 example sshd[7647]: Received disconnect from 210.167.20.26: 11: Bye Bye [preauth]
Jan 8 12:57:10 example sshd[9165]: Received disconnect from 210.167.20.26: 11: Bye Bye [preauth]
Jan 8 14:29:19 example sshd[11032]: Received disconnect from 210.167.20.26: 11: Bye Bye [preauth]
Jan 8 16:01:15 example sshd[12773]: Received disconnect from 210.167.20.26: 11: Bye Bye [preauth]
Jan 8 17:33:25 example sshd[14066]: Received disconnect from 210.167.20.26: 11: Bye Bye [preauth]
Jan 8 19:05:40 example sshd[15264]: Received disconnect from 210.167.20.26: 11: Bye Bye [preauth]
Jan 8 20:37:41 example sshd[16403]: Received disconnect from 210.167.20.26: 11: Bye Bye [preauth]
Jan 8 22:09:43 example sshd[17655]: Received disconnect from 210.167.20.26: 11: Bye Bye [preauth]
Jan 8 23:41:44 example sshd[19997]: Received disconnect from 210.167.20.26: 11: Bye Bye [preauth]
Jan 9 01:13:50 example sshd[21167]: Received disconnect from 210.167.20.26: 11: Bye Bye [preauth]
Jan 9 02:46:06 example sshd[22173]: Received disconnect from 210.167.20.26: 11: Bye Bye [preauth]
Jan 9 04:18:25 example sshd[23298]: Received disconnect from 210.167.20.26: 11: Bye Bye [preauth]
Jan 9 05:50:29 example sshd[24304]: Received disconnect from 210.167.20.26: 11: Bye Bye [preauth]
Jan 9 18:48:12 example sshd[3041]: Received disconnect from 210.167.20.26: 11: Bye Bye [preauth]
Jan 9 20:20:20 example sshd[4071]: Received disconnect from 210.167.20.26: 11: Bye Bye [preauth]
Jan 9 21:52:32 example sshd[5047]: Received disconnect from 210.167.20.26: 11: Bye Bye [preauth]
Jan 9 23:24:51 example sshd[6141]: Received disconnect from 210.167.20.26: 11: Bye Bye [preauth]
Jan 10 00:57:01 example sshd[8709]: Received disconnect from 210.167.20.26: 11: Bye Bye [preauth]
Jan 10 02:29:08 example sshd[12628]: Received disconnect from 210.167.20.26: 11: Bye Bye [preauth]
Jan 10 04:01:12 example sshd[13552]: Received disconnect from 210.167.20.26: 11: Bye Bye [preauth]
Jan 10 05:33:24 example sshd[14528]: Received disconnect from 210.167.20.26: 11: Bye Bye [preauth]
Jan 10 07:05:51 example sshd[15999]: Received disconnect from 210.167.20.26: 11: Bye Bye [preauth]
Could it be that the auto-idiots who are trying to break in there simply wait automatically until it works again and then carry on? That is, they still rattle through their scripts, it just takes a lot longer because of the 10-minute bans each time?
Then nothing at all is gained by it!
Or can this be handled differently?
Can I perhaps ban progressively with fail2ban, i.e. 10 minutes after 3 wrong attempts, 1 h after another 3 failed attempts, and so on?
Thanks for any clarification
franc
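The two questions at the end of the post (does the scanner just wait out the ban, and would escalating bans change anything) can be measured instead of guessed at by replaying fail2ban's rule against the log. The timestamps in the mail show one connection from that address roughly every 92 minutes, so with fail2ban's default findtime of 600 seconds three failures never fall into one window, and a 10-minute ban has expired long before the next visit. The script below is an added example written for this page, not code from the post, from benblogt's guide or from the fail2ban project: it parses sshd "Received disconnect" lines, replays them through a simplified model of a fail2ban jail (maxretry failures within findtime, then a ban for bantime) and adds a geometric escalation that is only loosely modelled on the bantime.increment option of fail2ban 0.10 and later (the real option also forgets old bans after a while; this toy never does). The IP 203.0.113.26, the log year, the 92-minute schedule and the three policy settings are constructed assumptions, not data from the post.

```python
"""Replay sshd log lines through a fail2ban-like jail and compare ban policies.

Added example for this thread, not fail2ban's own code. It models fail2ban's
core rule (maxretry failures within findtime -> ban for bantime) plus a
simplified escalating variant, so "the bot just waits and comes back" can be
checked against numbers.
"""
import re
from datetime import datetime, timedelta

# syslog timestamps carry no year; the year is an assumption of this example
LOG_YEAR = 2014

# Same sshd message the post's filter matches ("... Bye Bye [preauth]").
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Received disconnect from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}): .*Bye Bye \[preauth\]\s*$"
)


def parse_auth_log(text):
    """Return [(datetime, ip)] for every matching line, in log order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{LOG_YEAR} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group("ip")))
    return events


def make_scanner_log(ip, start, count, gap):
    """Constructed sample: `count` disconnect lines from `ip`, `gap` apart."""
    lines = []
    for i in range(count):
        t = start + i * gap
        stamp = f"{t.strftime('%b')} {t.day:>2} {t.strftime('%H:%M:%S')}"
        lines.append(f"{stamp} example sshd[{1000 + i}]: "
                     f"Received disconnect from {ip}: 11: Bye Bye [preauth]")
    return "\n".join(lines)


def simulate(events, maxretry, findtime, bantime, factor=1):
    """Replay events through a fail2ban-like jail (findtime/bantime in seconds).

    factor=1 is plain fail2ban behaviour. factor>1 multiplies bantime by
    factor**(previous bans of that IP): a simplified stand-in for the
    bantime.increment option of fail2ban >= 0.10, which additionally expires
    its memory of old bans; this toy never forgets.
    Returns {ip: {"bans": [(start, seconds)], "reached_sshd": n, "dropped": n}}.
    """
    state = {}
    window = timedelta(seconds=findtime)
    for t, ip in sorted(events):
        s = state.setdefault(ip, {"failures": [], "banned_until": None,
                                  "bans": [], "reached_sshd": 0, "dropped": 0})
        if s["banned_until"] is not None and t < s["banned_until"]:
            s["dropped"] += 1          # firewall rule active: sshd never sees it
            continue
        s["reached_sshd"] += 1
        # sliding window: keep only failures not older than findtime, add this one
        s["failures"] = [f for f in s["failures"] if t - f <= window] + [t]
        if len(s["failures"]) >= maxretry:
            length = bantime * factor ** len(s["bans"])
            s["bans"].append((t, length))
            s["banned_until"] = t + timedelta(seconds=length)
            s["failures"] = []
    return {ip: {k: s[k] for k in ("bans", "reached_sshd", "dropped")}
            for ip, s in state.items()}


def compare_policies(log_text):
    """Run three policies and return {policy: {ip: (bans, reached_sshd, dropped)}}."""
    events = parse_auth_log(log_text)
    policies = {
        "10min window, 10min ban": dict(maxretry=3, findtime=600, bantime=600),
        "1day window, 10min ban": dict(maxretry=3, findtime=86400, bantime=600),
        "1day window, escalating x6": dict(maxretry=3, findtime=86400, bantime=600, factor=6),
    }
    out = {}
    for name, p in policies.items():
        r = simulate(events, **p)
        out[name] = {ip: (len(v["bans"]), v["reached_sshd"], v["dropped"]) for ip, v in r.items()}
    return out


# Constructed sample: 15 visits, one every 92 minutes, like the schedule in the mail.
SAMPLE_LOG = make_scanner_log("203.0.113.26", datetime(LOG_YEAR, 1, 6, 0, 0, 0),
                              15, timedelta(minutes=92))

if __name__ == "__main__":
    for name, res in compare_policies(SAMPLE_LOG).items():
        for ip, (bans, reached, dropped) in res.items():
            print(f"{name:30s} {ip}: {bans} bans, {reached} reached sshd, {dropped} dropped")
```

With the 92-minute schedule the first policy never bans at all, the second bans five times but every single connection still reaches sshd (the ban is over before the scanner returns), and only the escalating policy starts to cost the scanner visits once the ban length exceeds its return interval. In real fail2ban this escalation exists as the recidive jail (fail2ban 0.8.8 and later; its filter reads /var/log/fail2ban.log and re-bans addresses that were banned repeatedly for a much longer bantime) and, from 0.10, as bantime.increment = true together with bantime.factor and bantime.maxtime in jail.local. The fail2ban packaged for Ubuntu 12.04 predates both, so there the options are a longer findtime and bantime on the ssh jail or a self-written jail over fail2ban.log.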