Hello, after installing ClearOS 7 I have seen so many attempts to log in to my site via SSH and the console. So I decided to do the following security things:
Move the SSH port to a non-standard one.
Install fail2ban to ban attempts on SSH and FTP.
By the way, I have seen that I am not able to block failed console login attempts. I am trying the following regex for fail2ban:
Failed login attempt by invalid user .* from <HOST>
The log entries look like the following: Failed login attempt by invalid user dbuser from 134.255.235.33
But fail2ban does not seem to recognize them. Any idea?
Also, I would like to know why snort is not blocking those attempts; it seems to do nothing at all.
Responses (6)
Accepted Answer
Is that the full error line?
Try:
^%(__prefix_line)sFailed login attempt by invalid user \S+ from <HOST>
Also, what happens if the user is valid? What happens if the login fails from a valid user?
Have you seen the fail2ban-regex command for testing regexes?
Any reason you need SSH open at all? Can you connect by VPN instead and then SSH as if you're on the LAN?
I tried with fail2ban-regex and I get "missed". I am trying with the last log report line (just 1 line).
I tried with an online Python regex tester and it reports a match.
I have not tried with a valid user yet; I only get attempts with invalid users at the moment.
This also fails:
fail2ban-regex "Failed login attempt by invalid user dbuser from 134.255.235.33" "^%(__prefix_line)sFailed login attempt by invalid user \S+ from <HOST>"
This one isn't working either:
Failed [-/\w]+ for .* from <HOST>
Can you post a few full lines from your log? Your fail2ban-regex will fail as you are not testing the whole line as it would appear in the log. Having said that, I am also struggling to make even a simple match with your test string.
The same VPN comment for SSH applies to the webconfig. Why do you need it open, and can't you use a VPN to access it?
Nick Howitt wrote:
Can you post a few full lines from your log? Your fail2ban-regex will fail as you are not testing the whole line as it would appear in the log. Having said that, I am also struggling to make even a simple match with your test string.
The same VPN comment for SSH applies to the webconfig. Why do you need it open, and can't you use a VPN to access it?
Well, I am trying to find the lines in the log file and now I can't find them. It seems that the login attempts to the web console look different in the log file (not in the console). This is extracted from the log file; I just tried to log in with a bad user right now.
Feb 16 10:11:52 metuskale app-passwd: pam_unix(system-auth-ac:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=public
Feb 16 10:10:25 metuskale app-passwd: pam_unix(system-auth-ac:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=test
There is one with a good user and one with a bad user.
As you can see, there is no IP address here, so there is no point in using fail2ban...
About the VPN, yeah, I think I will close port 81 to the WAN and allow it only from the LAN. How can I block it only from the WAN side?
EDIT: already blocked incoming connections to port 81 from WAN side.
I will now test all other services being banned with fail2ban.
Thank you very much.
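The two points made in this thread (a failregex built on %(__prefix_line)s cannot match a bare message without its syslog prefix, and the pam_unix lines carry an empty rhost= so there is no address to ban) can be reproduced with plain Python. This is an added example, not something from the thread or from fail2ban itself; the PREFIX_LINE and HOST patterns are simplified stand-ins for fail2ban's real definitions, and the "some-service[4321]" prefix on the full line is constructed.

```python
import re

# Simplified stand-in for fail2ban's %(__prefix_line)s (assumption: the real
# definition is more permissive); covers syslog lines shaped like the ones in
# the thread: "Mon DD HH:MM:SS host program[pid]: ".
PREFIX_LINE = r"\w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \S+ \S+?(?:\[\d+\])?: "

# Simplified stand-in for fail2ban's <HOST> tag: an IPv4 address or a hostname.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3}|[\w.-]+)"

# Failregex quoted in the thread, plus a constructed one for the pam_unix lines.
SSH_STYLE_REGEX = r"^%(__prefix_line)sFailed login attempt by invalid user \S+ from <HOST>"
PAM_UNIX_REGEX = r"^%(__prefix_line)spam_unix\(\S+:auth\): authentication failure; .* rhost=<HOST>"

# Constructed samples: the bare string tested in the thread, the same message
# behind a made-up syslog prefix, and the two pam_unix lines quoted in the post.
BARE_LINE = "Failed login attempt by invalid user dbuser from 134.255.235.33"
FULL_LINE = "Feb 16 10:12:03 metuskale some-service[4321]: " + BARE_LINE
PAM_LINES = [
    "Feb 16 10:11:52 metuskale app-passwd: pam_unix(system-auth-ac:auth): "
    "authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=public",
    "Feb 16 10:10:25 metuskale app-passwd: pam_unix(system-auth-ac:auth): "
    "authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=test",
]


def compile_failregex(failregex):
    """Expand the two fail2ban placeholders so a plain re can run the pattern."""
    pattern = failregex.replace("%(__prefix_line)s", PREFIX_LINE).replace("<HOST>", HOST)
    return re.compile(pattern)


def matched_host(failregex, line):
    """Return the host fail2ban would ban for this line, or None on a miss."""
    m = compile_failregex(failregex).search(line)
    return m.group("host") if m else None


if __name__ == "__main__":
    # Bare message: the pattern demands a syslog prefix, so nothing matches.
    print("bare message:", matched_host(SSH_STYLE_REGEX, BARE_LINE))  # None
    # Same message as a full log line: the address is captured and could be banned.
    print("full line:   ", matched_host(SSH_STYLE_REGEX, FULL_LINE))  # 134.255.235.33
    # pam_unix lines: rhost= is empty, so <HOST> has nothing to capture.
    for line in PAM_LINES:
        print("pam_unix:    ", matched_host(PAM_UNIX_REGEX, line))  # None
```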