
metuskale
Resolved
0 votes
Hello, after installing ClearOS 7 I have seen so many attempts to log in to my site via SSH and the console. So I decided to do the following to secure it:

Move the SSH port to a non-standard one.
Install fail2ban to ban attempts to SSH and FTP.

By the way, I have seen that I am not able to block failed console login attempts. I am trying the following regex for fail2ban:

Failed login attempt by invalid user .* from <HOST>

The log entries look like this: Failed login attempt by invalid user dbuser from 134.255.235.33

By the way, fail2ban does not seem to recognize them. Any idea?

Also I would like to know why snort is not blocking those attempts; it seems to do nothing at all.
Monday, February 15 2016, 09:02 PM
Responses (6)
  • Accepted Answer

    Monday, February 15 2016, 10:28 PM - #Permalink
    Resolved
    0 votes
    Is that the full error line?

    Try:
    ^%(__prefix_line)sFailed login attempt by invalid user \S+ from <HOST>
    Also what happens if the user is valid?

    What happens if the login fails from a valid user?

    Have you seen the fail2ban-regex command for testing regexes?

    Any reason you need ssh open at all? Can you connect by VPN instead and then ssh as if you're on the LAN?

    metuskale
    Monday, February 15 2016, 10:56 PM - #Permalink
    I tried with fail2ban-regex and I get "missed". I am trying with the last log report line (just 1 line).
    I tried with an online Python regex tester and it reports it as OK.

    I have not tried with a valid user yet, I get only tries with invalid users at the moment.

    This also fails:
    fail2ban-regex "Failed login attempt by invalid user dbuser from 134.255.235.33" "^%(__prefix_line)sFailed login attempt by invalid user \S+ from <HOST>"


    This one isn't working either:
    Failed [-/\w]+ for .* from <HOST>

    metuskale
    Monday, February 15 2016, 10:59 PM - #Permalink
    SSH is not the problem now; once the port was changed I got no more SSH tries. Now I only get web console tries, which is why I am trying to block those IPs.

    Tuesday, February 16 2016, 08:09 AM - #Permalink
    Can you post a few full lines from your log? Your fail2ban-regex will fail as you are not testing the whole line as it would appear in the log. Having said that I am also struggling to make even a simple match with your test string.

    Same VPN comment for ssh applies to the webconfig. Why do you need it open and can't you use a VPN to access it?

    metuskale
    Tuesday, February 16 2016, 09:27 AM - #Permalink
    Nick Howitt wrote:

    Can you post a few full lines from your log? Your fail2ban-regex will fail as you are not testing the whole line as it would appear in the log. Having said that I am also struggling to make even a simple match with your test string.

    Same VPN comment for ssh applies to the webconfig. Why do you need it open and can't you use a VPN to access it?


    Well, I am trying to find the lines in the log file and now I can't find them. It seems that all login attempts to the web console appear differently in the log file (not in the console). This is extracted from the log file; I just tried to log in with a bad user right now.

    Feb 16 10:11:52 metuskale app-passwd: pam_unix(system-auth-ac:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=public
    Feb 16 10:10:25 metuskale app-passwd: pam_unix(system-auth-ac:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=test

    There is one with good user and one with bad user.

    As you can see there is no IP address here, so there is no point in using fail2ban...

    About the VPN, yeah, I think I will close port 81 to the WAN and allow it only from the LAN. How can I block it only from the WAN side?
    EDIT: already blocked incoming connections to port 81 from WAN side.

    I will now test all other services being banned with fail2ban.

    Thank you very much.

    Tuesday, February 16 2016, 02:37 PM - #Permalink
    I'm struggling to get a filter to work on the line you posted. When you get some proper data, please post back with it.

    As you've seen, you can't use fail2ban on log files which don't carry IP addresses.
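To illustrate the two points the thread ends on, here is an added Python example (not from the thread and not fail2ban's own code). It emulates what fail2ban does with a failregex: it substitutes the `<HOST>` placeholder with fail2ban's documented host pattern, substitutes `%(__prefix_line)s` with a simplified syslog prefix (an assumed stand-in, not fail2ban's exact expansion), and then counts matches per host over constructed log lines modelled on the ones posted above. The `webconfig` program name, the 198.51.100.7 address, the function names and the `maxretry` value are assumptions.

```python
import re

# Placeholder expansions. HOST_RE follows fail2ban's documented <HOST>
# substitution; PREFIX_RE is an assumed, simplified stand-in for fail2ban's
# %(__prefix_line)s (syslog "Mon DD HH:MM:SS host program[pid]: "), with every
# part optional so a bare line without the prefix is accepted as well.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
PREFIX_RE = (
    r"\s*(?:\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+)?"  # timestamp
    r"(?:\S+\s+)?"                                     # hostname
    r"(?:\S+?(?:\[\d+\])?:\s+)?"                       # program[pid]:
)

# The failregex from the thread, anchored at line start as in the suggested form.
WEBCONFIG_FAILREGEX = r"^%(__prefix_line)sFailed login attempt by invalid user \S+ from <HOST>$"

# A pam_unix-style filter: it can only extract a host if rhost= is populated.
PAM_FAILREGEX = (
    r"^%(__prefix_line)spam_unix\(\S+:auth\): authentication failure; "
    r".* rhost=<HOST>(?:\s+user=\S+)?\s*$"
)

# Constructed sample lines modelled on those in the thread ("webconfig" and
# 198.51.100.7 are assumptions). The pam_unix lines have an empty rhost= field,
# exactly like the ones posted above.
SAMPLE_LOG = [
    "Feb 16 10:05:01 metuskale webconfig: Failed login attempt by invalid user dbuser from 134.255.235.33",
    "Feb 16 10:05:07 metuskale webconfig: Failed login attempt by invalid user admin from 134.255.235.33",
    "Feb 16 10:05:09 metuskale webconfig: Failed login attempt by invalid user root from 198.51.100.7",
    "Feb 16 10:11:52 metuskale app-passwd: pam_unix(system-auth-ac:auth): authentication failure; "
    "logname= uid=0 euid=0 tty= ruser= rhost= user=public",
    "Feb 16 10:10:25 metuskale app-passwd: pam_unix(system-auth-ac:auth): authentication failure; "
    "logname= uid=0 euid=0 tty= ruser= rhost= user=test",
]


def compile_failregex(failregex):
    """Expand the fail2ban placeholders in a failregex and compile it."""
    pattern = failregex.replace("%(__prefix_line)s", PREFIX_RE).replace("<HOST>", HOST_RE)
    return re.compile(pattern)


def find_offenders(lines, failregex):
    """Count matching lines per extracted host, the way fail2ban tallies
    failures before deciding whether a host has crossed maxretry."""
    rx = compile_failregex(failregex)
    hits = {}
    for line in lines:
        m = rx.search(line)
        if m:
            hits[m.group("host")] = hits.get(m.group("host"), 0) + 1
    return hits


def hosts_to_ban(lines, failregex, maxretry=2):
    """Hosts whose failure count reached maxretry (set low here, below
    fail2ban's default, so the small constructed sample triggers a ban)."""
    return sorted(h for h, n in find_offenders(lines, failregex).items() if n >= maxretry)


if __name__ == "__main__":
    print("webconfig filter:", find_offenders(SAMPLE_LOG, WEBCONFIG_FAILREGEX))
    print("would ban:", hosts_to_ban(SAMPLE_LOG, WEBCONFIG_FAILREGEX))
    # The pam_unix lines carry no address, so no host can ever be extracted.
    print("pam filter (empty rhost=):", find_offenders(SAMPLE_LOG, PAM_FAILREGEX))
```

The first filter extracts two hosts from the `Failed login attempt ... from <HOST>` lines and would ban 134.255.235.33 at the chosen threshold, while the pam_unix filter matches nothing because `rhost=` is empty: with no address in the line, there is nothing for fail2ban to ban, which is the conclusion reached above. On a real host the equivalent check is `fail2ban-regex` run against the actual log file and the filter, which also reports the matched and missed line counts.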