Re: [opensuse] Possible SSH attacker?
On 21/08/2015 19:41, Greg Freemyer wrote:
On Fri, Aug 21, 2015 at 3:52 PM, Marco Calistri <marco.calistri@yahoo.com.br> wrote:
On 21/08/2015 12:44, Greg Freemyer wrote:
On Fri, Aug 21, 2015 at 11:23 AM, Lew Wolfgang <wolfgang@sweet-haven.com> wrote:
On 08/21/2015 07:32 AM, Marco Calistri wrote:
Hello,
I'm monitoring /var/log/messages and I noticed this kind of warning (there are many similar ones):
2015-08-21T11:16:05.451779-03:00 linux-turion64 kernel: [ 9894.977105] audit: type=2404 audit(1440166565.450:788): pid=4260 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=ec:a9:63:90:61:bf:ea:53:d3:1b:fa:c3:38:da:ff:cc [MD5] direction=? spid=4260 suid=0 exe="/usr/sbin/sshd" hostname=? addr=125.121.146.24 terminal=? res=success'
Do I have to be worried?
I'm not familiar with that particular message, but the fact that 125.121.146.24 is in China would make me very nervous! It's also blackholed by spamhaus. Do the other warnings reference the same IP?
Are you running sshd? Are you seeing any "sshd" entries in /var/log/messages?
Regards, Lew
I'm not aware of that specific message either, but failed ssh connections from malicious IPs are so common it isn't worth mentioning.
I use fail2ban to scan my logs and look for failed SSH login attempts. On first detection it blocks that IP for some hours. Then after 3 temporary blocks it does a permanent block.
Currently I have 114 IPs in my permanent ban list. (I inadvertently wiped it out a few months back.)
I think most of the failed attempts try to login as root. I also have all root ssh access disabled.
Greg
Greg,
Interesting!
This app, fail2ban, is it difficult to set up?
Thanks also for pointing out the important detail about ssh root access; I will check my ssh configuration.
It is most probable that my laptop has been attacked for many days or even months and I had not yet noticed it!
Regards,
--
Marco Calistri
opensuse 13.2 (Harlequin) 64 bit - Kernel 4.1.5-2-desktop
Gnome 3.16.2
Intel® Core™ i5-2410M CPU @ 2.30GHz × 4 - Intel® Sandybridge Mobile
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
You should start a new thread, but it is not hard to use. Unfortunately I don't think it can be set up via YaST.
I have a newer fail2ban release installed from OBS (fail2ban-0.9.2). It is easier to set up, I think. The below may only apply to that version:
It uses an override file /etc/fail2ban/jail.local. Here's mine:
========================> jail.local <================
# Fail2Ban jail base specification file
#
# Comments: use '#' for comment lines and ';' (following a space) for inline comments
#
# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.

[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1/8

#
# ACTIONS
#
# Some options used for actions

# Destination email address used solely for the interpolations in
# jail.{conf,local,d/*} configuration files.
destemail = "put your email address here"

[sshd]
enabled = true
action = %(action_)s

[sshd-ddos]
enabled = true
action = %(action_mw)s

# Added by GAF (Greg Freemyer) from a v8.x recipe
[ssh-repeater]
enabled = true
filter = sshd
action = %(action_mw)s
logpath = %(sshd_log)s
maxretry = 21
findtime = 31536000
bantime = 31536000
===============================================================
I deleted my email address. Also I deleted my IPs from the "ignoreip" line above. You should add any static IPs you use so you don't disable your own access inadvertently.
Note [ssh-repeater] is not part of the base install, so I also have to have an extra action file:
======== /etc/fail2ban/action.d/iptables-repeater.conf
# Fail2ban configuration file
#
# Author: Phil Hagen <phil@identityvector.com>
#
# This file is NOT part of openSUSE default. It was added by GAF (Greg Freemyer)
#

[Definition]

# Option: actionstart
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
actionstart = iptables -N fail2ban-REPEAT-ssh
              iptables -A fail2ban-REPEAT-ssh -j RETURN
              iptables -I INPUT -j fail2ban-REPEAT-ssh
              # set up from the static file
              cat /etc/fail2ban/ip.blocklist.ssh |grep -v ^\s*#|awk '{print $1}' | while read IP; do iptables -I fail2ban-REPEAT-ssh 1 -s $IP -j DROP; done

# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
actionstop = iptables -D INPUT -j fail2ban-REPEAT-ssh
             iptables -F fail2ban-REPEAT-ssh
             iptables -X fail2ban-REPEAT-ssh

# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck = iptables -n -L INPUT | grep -q fail2ban-REPEAT-ssh

# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
#         command is executed with Fail2Ban user rights.
# Tags:   <ip>  IP address
#         <failures>  number of failures
#         <time>  unix timestamp of the ban time
# Values: CMD
#
actionban = iptables -I fail2ban-REPEAT-ssh 1 -s <ip> -j DROP
            # also put into the static file to re-populate after a restart
            ! grep -Fq <ip> /etc/fail2ban/ip.blocklist.ssh && echo "<ip> # fail2ban/$( date '+%%Y-%%m-%%d %%T' ): auto-add for repeat offender" >> /etc/fail2ban/ip.blocklist.ssh

# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
#         command is executed with Fail2Ban user rights.
# Tags:   <ip>  IP address
#         <failures>  number of failures
#         <time>  unix timestamp of the ban time
# Values: CMD
#
actionunban = /bin/true

[Init]

# Default name of the chain
#
name = REPEAT
============================================================================================
It seems to be working fine.
Greg
Thanks for the details Greg,
I will think about it, even though I don't have a 24/24 online system.
Regards,
--
Marco Calistri
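Two things in the exchange above lend themselves to a worked example: Lew's question of whether the audit records all point at the same address, and the ban policy that Greg's jail.local expresses (ban a source after maxretry failures inside findtime seconds, and keep repeat offenders in a static blocklist file that actionstart reloads). The script below is an added example, not code from the thread or from fail2ban itself; it re-implements those steps in Python over constructed /var/log/messages-style lines so that it runs offline. The sample log (RFC 5737 documentation addresses), the two regexes, the simplified sliding-window count and the blocklist helpers that work on the file's text instead of /etc/fail2ban/ip.blocklist.ssh are all my assumptions.

```python
"""Added example, not code from the thread or from fail2ban: a small
re-implementation of what the jail.local above asks fail2ban to do, run
over constructed /var/log/messages-style lines so it works offline."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (RFC 5737 documentation addresses): three quick
# failures from one host, three from localhost, one from a second host,
# and two audit records shaped like the one quoted in the thread.
SAMPLE_LOG = """\
2015-08-21T11:10:01.000000-03:00 linux-turion64 sshd[4201]: Failed password for root from 203.0.113.7 port 51234 ssh2
2015-08-21T11:10:03.000000-03:00 linux-turion64 sshd[4201]: Failed password for root from 203.0.113.7 port 51235 ssh2
2015-08-21T11:10:05.000000-03:00 linux-turion64 sshd[4201]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
2015-08-21T11:11:00.000000-03:00 linux-turion64 sshd[4205]: Failed password for root from 127.0.0.1 port 36000 ssh2
2015-08-21T11:11:01.000000-03:00 linux-turion64 sshd[4205]: Failed password for root from 127.0.0.1 port 36001 ssh2
2015-08-21T11:11:02.000000-03:00 linux-turion64 sshd[4205]: Failed password for root from 127.0.0.1 port 36002 ssh2
2015-08-21T11:12:00.000000-03:00 linux-turion64 sshd[4210]: Failed password for root from 198.51.100.9 port 40000 ssh2
2015-08-21T11:16:05.451779-03:00 linux-turion64 kernel: [ 9894.977105] audit: type=2404 audit(1440166565.450:788): pid=4260 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=ec:a9:63:90:61:bf:ea:53:d3:1b:fa:c3:38:da:ff:cc [MD5] direction=? spid=4260 suid=0 exe="/usr/sbin/sshd" hostname=? addr=203.0.113.7 terminal=? res=success'
2015-08-21T11:16:09.000000-03:00 linux-turion64 kernel: [ 9898.100000] audit: type=2404 audit(1440166569.000:790): pid=4262 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=ec:a9:63:90:61:bf:ea:53:d3:1b:fa:c3:38:da:ff:cc [MD5] direction=? spid=4262 suid=0 exe="/usr/sbin/sshd" hostname=? addr=198.51.100.9 terminal=? res=success'
"""

# sshd's syslog line for a rejected password; fail2ban's sshd filter keys on it.
FAILED_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)
# The kernel audit record from the thread: 'addr=' carries the peer address.
AUDIT_RE = re.compile(
    r"^(?P<ts>\S+) \S+ kernel: .*audit: type=(?P<type>\d+) .*\baddr=(?P<ip>[\d.]+)"
)


def parse_line(line):
    """Return (timestamp, ip, kind) for the two line shapes we know, else None."""
    m = FAILED_RE.match(line)
    if m:
        return datetime.fromisoformat(m["ts"]), m["ip"], "failed-login"
    m = AUDIT_RE.match(line)
    if m:
        return datetime.fromisoformat(m["ts"]), m["ip"], "audit-" + m["type"]
    return None


def peers_by_address(lines):
    """Lew's question: how many audit records does each address account for?"""
    counts = defaultdict(int)
    for line in lines.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[2].startswith("audit-"):
            counts[parsed[1]] += 1
    return dict(counts)


def is_ignored(ip, ignoreip):
    """fail2ban's ignoreip check: skip addresses inside any listed network.
    strict=False accepts entries such as 127.0.0.1/8 that have host bits set."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in ignoreip.split())


def offenders(lines, maxretry, findtime, ignoreip="127.0.0.1/8"):
    """Per source address, look for maxretry failed logins inside any window
    of findtime seconds (the jail's maxretry/findtime pair). Returns {ip: count}."""
    failures = defaultdict(list)
    for line in lines.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[2] == "failed-login" and not is_ignored(parsed[1], ignoreip):
            failures[parsed[1]].append(parsed[0])
    window = timedelta(seconds=findtime)
    banned = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= maxretry:
                banned[ip] = end - start + 1
                break
    return banned


def load_blocklist(text):
    """actionstart's reload: first field of every non-comment, non-blank line."""
    return [line.split()[0] for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def add_to_blocklist(text, ip, when=None):
    """actionban's persistence step: append the address unless it is listed.
    Unlike the posted `grep -Fq <ip>`, this compares the whole first field,
    so 10.0.0.1 is not mistaken for an already listed 10.0.0.12."""
    if ip in load_blocklist(text):
        return text
    stamp = (when or datetime.now()).strftime("%Y-%m-%d %H:%M:%S")
    return text + f"{ip} # fail2ban/{stamp}: auto-add for repeat offender\n"


if __name__ == "__main__":
    print("audit records per address:", peers_by_address(SAMPLE_LOG))
    bans = offenders(SAMPLE_LOG, maxretry=3, findtime=600)
    print("would ban:", bans)
    blocklist = "# constructed blocklist\n10.0.0.12 # manual\n"
    for ip in bans:
        blocklist = add_to_blocklist(blocklist, ip)
    print(blocklist)
```

Two points the run makes visible: the type=2404 audit record only tells you that sshd handled a connection from that address, so grouping by addr= answers "same IP or not?" without saying whether a login failed, while the sshd "Failed password" lines are what the jail actually counts; and the posted actionban's `grep -Fq <ip>` is a substring match, so an address that is a prefix of one already in ip.blocklist.ssh would never be appended, which the example avoids by comparing the first field exactly.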
Hello.
I have reduced the number of attacks to 0 by running ssh through a hidden tor service:
HiddenServicePort 22 10.200.1.1:22
in /etc/tor/torrc. 10.200.1.1 is a dedicated vnet; 127.0.0.1 would also be OK, however this way it is possible to distinguish between local and remote accesses. The clients are Linux and Android apps enabled to use a socks server (or I use torify).
Additionally any SSH access requires a publickey and a password:
RSAAuthentication yes
PubkeyAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
in /etc/ssh/sshd_config. (This requires that private/public keys are generated, etc., as described in the ssh(d) documentation.)
This way, unless someone somehow gets your ssh publickey, the .onion service name and also the password, the risk is minimized (not 0... ;-) )
Have a nice day
Marco
On 22. 08. 15 19:40, Marco Calistri wrote:
[...]
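Marco's message above combines two sshd_config settings (PubkeyAuthentication plus an AuthenticationMethods chain that demands a key and then a password) with the root-login advice given earlier in the thread. The checker below is an added example, not code from the thread, that reads sshd_config text and reports which of those settings are missing; it runs on constructed config text. My assumptions, not stated on the page: sshd uses the first occurrence of a keyword as the effective value and a Match line ends the global section; the keyboard-interactive step needs ChallengeResponseAuthentication left enabled; and the ListenAddress check, which expects sshd to be bound to the vnet address 10.200.1.1 so that only the hidden service reaches it, is my reading of the HiddenServicePort line rather than something the post states.

```python
"""Added example, not code from the thread: check an sshd_config for the
settings recommended in this thread, on constructed config text."""
import re

# Constructed: a permissive, stock-looking configuration.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
"""

# Constructed: the thread's settings plus root login disabled and sshd
# bound to the hidden-service vnet address (assumption, see lead-in).
HARDENED_CONFIG = """\
ListenAddress 10.200.1.1
PermitRootLogin no
PubkeyAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
ChallengeResponseAuthentication yes
Match Address 10.200.1.0/24
    PermitRootLogin yes
"""

KEYVAL_RE = re.compile(r"(\S+?)[ \t=]+(.*)")  # "Keyword value" or "Keyword=value"


def parse_sshd_config(text):
    """Effective global settings as {keyword_lower: value}.
    First occurrence wins; ListenAddress is collected as a list because
    every occurrence adds a socket; a Match line ends the global section."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.split()[0].lower() == "match":  # conditional block: stop here
            break
        m = KEYVAL_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "listenaddress":
            settings.setdefault(key, []).append(value)
        else:
            settings.setdefault(key, value)
    return settings


def audit_sshd(text, expected_listen=None):
    """Return findings against the thread's advice; [] means all in place."""
    s = parse_sshd_config(text)
    findings = []
    # AuthenticationMethods: space-separated alternatives, each a comma-
    # separated chain that must succeed in full (publickey AND a 2nd method).
    chains = [c.split(",") for c in s.get("authenticationmethods", "").split()]
    if not chains or not all("publickey" in c and len(c) >= 2 for c in chains):
        findings.append("AuthenticationMethods does not require publickey plus a second method")
    if (any("keyboard-interactive" in c for c in chains)
            and s.get("challengeresponseauthentication", "yes") == "no"):
        findings.append("ChallengeResponseAuthentication no blocks the keyboard-interactive step")
    if s.get("permitrootlogin") != "no":
        findings.append("PermitRootLogin is not explicitly set to no")
    if s.get("pubkeyauthentication", "yes") != "yes":
        findings.append("PubkeyAuthentication is disabled")
    if expected_listen and s.get("listenaddress", []) != [expected_listen]:
        findings.append(f"ListenAddress is not restricted to {expected_listen}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd(cfg, expected_listen="10.200.1.1") or ["ok"])
```

To run it against a live host, feed it the output of `sshd -T` rather than the raw file, since that already resolves defaults and includes; the parser here only sees what is written in the text it is given.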
On 23/08/2015 09:44, Marco wrote:
[...]
Thanks (Grazie) Marco for your report!
Cheers,
--
Marco Calistri
* Marco Calistri <marco.calistri@yahoo.com.br> [08-23-15 10:03]:
[...]
You really, really, should consider trimming your quotes.
tks,
--
(paka)Patrick Shanahan Plainfield, Indiana, USA @ptilopteri
http://en.opensuse.org openSUSE Community Member facebook/ptilopteri
http://wahoo.no-ip.org Photo Album: http://wahoo.no-ip.org/gallery2
Registered Linux User #207535 @ http://linuxcounter.net
On 08/23/2015 10:27 AM, Patrick Shanahan wrote:
You really, really, should consider trimming your quotes.
+1
--
A: Yes.
> Q: Are you sure?
>> A: Because it reverses the logical flow of conversation.
>>> Q: Why is top posting frowned upon?