Mar 25 2009

Fail2Ban – be gone ssh attackers

If you run an ssh server on the standard port (22), you probably know this picture as well:

$ tail /var/log/auth.log
Mar 17 22:51:45 www sshd[19865]: Invalid user sales from 219.142.74.17
Mar 17 22:51:49 www sshd[19867]: Invalid user recruit from 219.142.74.17
Mar 17 22:51:58 www sshd[19871]: Invalid user office from 219.142.74.17
Mar 17 22:52:02 www sshd[19873]: Invalid user samba from 219.142.74.17
Mar 17 22:52:06 www sshd[19875]: Invalid user tomcat from 219.142.74.17
Mar 17 22:52:10 www sshd[19877]: Invalid user webadmin from 219.142.74.17
Mar 17 22:52:14 www sshd[19879]: Invalid user spam from 219.142.74.17
Mar 17 22:52:19 www sshd[19881]: Invalid user virus from 219.142.74.17
Mar 17 22:52:24 www sshd[19883]: Invalid user cyrus from 219.142.74.17
$

That’s a dictionary attack. Some bot or script kiddie on host 219.142.74.17 (that’s in China, by the way) tries to guess username/password combinations in order to get access to the system. Most often they look for weak combos that stupid sysadmins set up. This guy above attempted around 200 usernames and passwords within a few minutes (and did not find one that worked).

I finally got tired of all those messages and installed fail2ban in order to stop those attacks. Fail2ban can be configured to monitor a wide range of log files and dynamically adjust firewall rules when certain conditions are detected. I don’t run ipfw or iptables on my system, but I do use the FreeBSD built-in tcp-wrapper. Applications that are aware of the tcp-wrapper consult /etc/hosts.allow and /etc/hosts.deny before they grant access to a resource.

I configured fail2ban on my system to monitor /var/log/auth.log and ban any attacker for an hour. Works like a charm:

$ tail /var/log/auth.log
Mar 25 08:38:07 www sshd[95884]: Did not receive identification string from 76.111.41.105
Mar 25 08:41:59 www sshd[96287]: Invalid user admin from 76.111.41.105
Mar 25 08:42:01 www sshd[96289]: User root from 76.111.41.105 not allowed because not listed in AllowUsers
Mar 25 08:42:04 www sshd[96291]: Invalid user stud from 76.111.41.105
Mar 25 08:42:06 www sshd[96296]: Invalid user trash from 76.111.41.105
Mar 25 08:42:06 www sshd[96312]: refused connect from c-76-111-41-105.hsd1.ga.comcast.net (76.111.41.105)
 
$ tail /var/log/fail2ban.log
2009-03-24 12:33:37,483 fail2ban.actions: WARNING [ssh-tcpwrapper] Ban 81.195.73.218
2009-03-24 12:43:38,205 fail2ban.actions: WARNING [ssh-tcpwrapper] Unban 81.195.73.218
2009-03-25 08:42:05,529 fail2ban.actions: WARNING [ssh-tcpwrapper] Ban 76.111.41.105
2009-03-25 09:42:05,780 fail2ban.actions: WARNING [ssh-tcpwrapper] Unban 76.111.41.105
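To make the mechanism behind those Ban/Unban lines concrete, here is an added illustration (my own code, not fail2ban's) of what the ssh-tcpwrapper jail does: replay sshd lines in the auth.log format shown above, count failures per source address inside a sliding window (fail2ban's maxretry/findtime), and emit the ban and unban decisions that the hostsdeny action would write to and remove from /etc/hosts.deny, with the one-hour ban from the post. The regex, the sample log (documentation addresses 192.0.2.10 and 198.51.100.7, constructed to mirror the post's lines) and the assumed year for the year-less syslog timestamps are all assumptions of this example.

```python
"""Minimal fail2ban-style ssh brute-force detector (added illustration, not fail2ban's code).

Replays sshd lines in the auth.log format shown in the post, counts failures per source
address inside a sliding window, and produces the ban/unban decisions that fail2ban's
hostsdeny action turns into /etc/hosts.deny entries for the tcp-wrapper.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the failure messages seen in the post; "Did not receive identification string"
# is deliberately not counted. Hypothetical filter, not fail2ban's own sshd filter.
FAILURE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Invalid user \S+ from|User \S+ from|Failed password for (?:invalid user )?\S+ from) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_timestamp(ts, year):
    """syslog timestamps carry no year, so the caller supplies one (assumption)."""
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")


def scan(lines, year=2009, maxretry=5, findtime=600, bantime=3600):
    """Return (events, banned).

    events: list of ("ban"|"unban", ip, datetime) in the order fail2ban would log them.
    banned: dict ip -> expiry for addresses still denied when the input ends.
    The parameters mirror fail2ban's jail options: maxretry failures within findtime
    seconds trigger a ban lasting bantime seconds (one hour, as in the post).
    """
    hits = defaultdict(deque)   # ip -> timestamps of recent failures
    banned = {}                 # ip -> time the ban expires
    events = []
    for line in lines:
        m = FAILURE_RE.match(line)
        if not m:
            continue
        now = parse_timestamp(m.group("ts"), year)
        ip = m.group("ip")
        # Lift bans whose time is up, earliest expiry first.
        for bip, expiry in sorted(banned.items(), key=lambda kv: kv[1]):
            if now >= expiry:
                events.append(("unban", bip, expiry))
                del banned[bip]
        if ip in banned:
            # Already in hosts.deny; sshd may still log an attempt that was in flight
            # (compare the post's "Invalid user trash" followed by "refused connect").
            continue
        window = hits[ip]
        window.append(now)
        while (now - window[0]).total_seconds() > findtime:
            window.popleft()    # drop failures older than the findtime window
        if len(window) >= maxretry:
            banned[ip] = now + timedelta(seconds=bantime)
            events.append(("ban", ip, now))
            window.clear()
    return events, banned


def render_hosts_deny(banned):
    """hosts.deny lines for the addresses currently banned ('daemon : client' syntax)."""
    return "".join(f"sshd : {ip}\n" for ip in sorted(banned))


# Constructed sample in the post's auth.log format (documentation addresses, not real hosts).
SAMPLE_LOG = """\
Mar 17 22:51:45 www sshd[19865]: Invalid user sales from 192.0.2.10
Mar 17 22:51:49 www sshd[19867]: Invalid user recruit from 192.0.2.10
Mar 17 22:51:58 www sshd[19871]: Invalid user office from 192.0.2.10
Mar 17 22:52:02 www sshd[19873]: User root from 192.0.2.10 not allowed because not listed in AllowUsers
Mar 17 22:52:06 www sshd[19875]: Invalid user tomcat from 192.0.2.10
Mar 17 22:52:10 www sshd[19877]: Invalid user webadmin from 192.0.2.10
Mar 17 22:53:00 www sshd[19880]: Did not receive identification string from 198.51.100.7
Mar 17 22:53:05 www sshd[19881]: Invalid user admin from 198.51.100.7
Mar 17 22:53:09 www sshd[19883]: Invalid user test from 198.51.100.7
Mar 17 23:52:30 www sshd[20101]: Invalid user guest from 192.0.2.10
"""

if __name__ == "__main__":
    events, banned = scan(SAMPLE_LOG.splitlines())
    for action, ip, when in events:
        print(f"{when:%Y-%m-%d %H:%M:%S} [ssh-tcpwrapper] {action.capitalize()} {ip}")
    print(render_hosts_deny(banned), end="")
```

With the defaults, 192.0.2.10 is banned on its fifth failure at 22:52:06 and unbanned an hour later, while 198.51.100.7, with only two failures, is never touched; shrinking findtime to ten seconds makes the same burst fall below the threshold, which is the knob to watch when a slow, spread-out guessing run goes unnoticed.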
