
Incoming Traffic (SSH Brute Force?)


MicroChip123
14-08-2010, 12:46
Code:
Status
|- Number of jail:      2
`- Jail list:           ssh-ddos, ssh
Done PAM.

Myatu
14-08-2010, 12:36
Missed the rate limit bit, sorry. You can turn it to yes, but you don't have to (I have to in my case, because I use LDAP authentication as well).

Now, you did mention Debian... there's a little bug in v0.8.3 (Debian default; check with "fail2ban-server -V") that can cause some filters not to work when another filter was enabled. Fail2ban v0.8.4 does not seem to suffer from this (Ubuntu default). So double check if the filter is actually enabled with "fail2ban-client status".

MicroChip123
14-08-2010, 12:24
Should I change UsePAM to yes?

I already have a rate limit on iptables (see first post).

I have now set fail2ban ssh-ddos to true.

Myatu
14-08-2010, 12:12
OIC, you've got UsePAM disabled. Hence no "sshd:auth" entries.

I do get a fair bit of brute-force attempts, which seems to be the norm rather than an exception - not often at 1 Mbps though, but it does happen. Fail2ban has a ssh-ddos filter as well, but you can also implement that with iptables by simply putting in a last-seen limit on port 22. Say, 5 connections per IP, per minute or so. That could discourage the bombardment as well...

MicroChip123
14-08-2010, 12:04
The only cron jobs i have are php5 and things like that.

These are the only changes I have made to the default,
and logging is the same as yours.

Code:
Port #####
PermitRootLogin no
X11Forwarding no
UsePAM no
UseDNS no
AllowUsers XXXXXXXXX
Just banned another load of IPs,
and here is another OVH one:
91.121.209.207 ns364628.ovh.net

Myatu
14-08-2010, 11:50
Apparently you do have cron jobs. Check /etc/cron.d, /etc/cron.daily, etc.

I'm running Debian & Ubuntu and Fail2ban works well on those, just curious to know why there's no "sshd:auth" in your log files? In sshd_config I have logging set to:

Code:
# Logging
SyslogFacility AUTH
LogLevel INFO
Are you using something other than PAM, btw?

MicroChip123
14-08-2010, 11:39
Quote Originally Posted by Myatu
This was a cron job (cron:session).
Fail2ban works well. With the above log entry, it automatically gets banned for a period and I get a nice e-mail that includes a Whois record (so I know the above fellow was using some Kazakh dial up provider, along with the abuse@ e-mail address should the need arise).
I have no cron jobs.

Tried fail2ban; it did nothing.


Also in the auth.log file I get " [ "sshd:auth" not found ]".

I am using Debian, btw.

Myatu
14-08-2010, 11:25
Quote Originally Posted by MicroChip123
Code:
Aug 14 09:25:01  CRON[5393]: pam_unix(cron:session): session closed for user root by (uid=0)
Aug 14 09:25:01  CRON[5392]: pam_unix(cron:session): session closed for user root
This was a cron job (cron:session). Look for sshd:auth instead, like these:

Code:
Aug 13 08:33:04 bethany sshd[2558]: Did not receive identification string from 92.46.113.188
Aug 13 08:33:52 bethany sshd[2559]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=92.46.113.188  user=root
Aug 13 08:33:54 bethany sshd[2559]: Failed password for root from 92.46.113.188 port 43019 ssh2
Aug 13 08:34:53 bethany sshd[2604]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=92.46.113.188  user=root
Aug 13 08:34:55 bethany sshd[2604]: Failed password for root from 92.46.113.188 port 45860 ssh2
Aug 13 08:35:28 bethany sshd[2657]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=92.46.113.188  user=root
Aug 13 08:35:30 bethany sshd[2657]: Failed password for root from 92.46.113.188 port 49092 ssh2
Is there any way I can find the IPs and then ban them?
Fail2ban works well. With the above log entry, it automatically gets banned for a period and I get a nice e-mail that includes a Whois record (so I know the above fellow was using some Kazakh dial up provider, along with the abuse@ e-mail address should the need arise).

MicroChip123
14-08-2010, 10:09
1Mbit/s

I have loads of bandwidth.

Edit: just coded a program to go through the syslog file and make a list of all the IPs that iptables has banned, then do an IP-to-hostname lookup for each of them, then make a permanent iptables ban.

Most are from Taiwan, China or Russia.

There are a few OVH servers there as well:
94.23.61.15 rps7688.ovh.net
94.23.222.5 ks306414.kimsufi.com
91.121.13.222 ks23522.kimsufi.com

layman
14-08-2010, 10:08
1Mbyte/s or 1Mbit/s?

Maybe you ran out of bandwidth due to the recent screw-ups by OVH, where they are counting internal traffic as external, and thus your speed has been dropped to 10Mbit/s.

MicroChip123
14-08-2010, 08:42
Yesterday around 7am my incoming traffic went to 1Mbps, which is not normal for my server.

After looking in the auth.log I found loads of things like this:

Code:
Aug 14 09:25:01  CRON[5393]: pam_unix(cron:session): session closed for user root by (uid=0)
Aug 14 09:25:01  CRON[5392]: pam_unix(cron:session): session closed for user root
Thinking it was an SSH brute force for root (which is disabled anyway), I stuck this into iptables, which should rate limit to 6 connections per minute.

Code:
# Both rules are inserted at the top of INPUT, so the one added second is
# evaluated first: check the "recent" list and DROP, then record the hit.
# Only NEW TCP connections to the SSH port are counted. --update (rather than
# --rcheck) refreshes the source's timestamp on every dropped packet, so a host
# that keeps hammering stays blocked until it has been quiet for a full 60 s.
sudo iptables -I INPUT -p tcp --dport SSHportHere -i eth0 -m state --state NEW -m recent \
  --set

sudo iptables -I INPUT -p tcp --dport SSHportHere -i eth0 -m state --state NEW -m recent \
  --update --seconds 60 --hitcount 6 -j DROP
The incoming traffic is still at 1Mbps.

Is there any way I can find the IPs and then ban them?
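The question above, and the "list the IPs and ban them" program described in a later reply, amount to a small log parser: count sshd failures per source address and emit an iptables DROP for each address over a threshold. The script below is an added example written for this page, not code from anyone in the thread. It recognises the three sshd line shapes quoted in the thread (the pam_unix "sshd:auth" failure, which only exists when UsePAM is yes; sshd's own "Failed password" line; and the pre-auth "Did not receive identification string" line) and refuses to put anything in a command that does not parse as an IP address. The hostname, PIDs and addresses in the embedded sample log are constructed, using RFC 5737 documentation ranges.

```python
"""Count failed SSH logins per source address in auth.log lines and turn the
worst offenders into iptables bans.

Added example, not code from the thread. The hostname "host" and all
addresses below are constructed (RFC 5737 documentation ranges); the line
formats mirror the sshd lines quoted in the thread.
"""
import re
from collections import defaultdict
from ipaddress import ip_address

# PAM's record of a failed attempt. sshd only produces this when UsePAM is yes,
# which is why a server with "UsePAM no" shows no "sshd:auth" lines at all.
PAM_FAIL = re.compile(
    r"sshd\[\d+\]: pam_unix\(sshd:auth\): authentication failure;.*\brhost=(?P<ip>\S+)"
)
# sshd's own failure line, written with or without PAM. The user name is chosen
# by the client and could itself contain "from 1.2.3.4 port 22", so the address
# is taken from the trailing "from ADDR port N ssh2" that sshd appends, with a
# greedy .* swallowing everything the client controls.
SSHD_FAIL = re.compile(
    r"sshd\[\d+\]: Failed \S+ for .* from (?P<ip>\S+) port \d+ ssh2\s*$"
)
# Pre-auth line left by scanners that connect and drop without speaking SSH.
NO_IDENT = re.compile(
    r"sshd\[\d+\]: Did not receive identification string from (?P<ip>\S+)\s*$"
)


def _valid_ip(text):
    """Return the normalised address, or None if the captured text is not one.
    Anything that is not an address must never reach an iptables command."""
    try:
        return str(ip_address(text))
    except ValueError:
        return None


def count_failures(lines):
    """Return {address: attempts} from an iterable of auth.log lines.

    With UsePAM yes, one password attempt yields both a PAM_FAIL and an
    SSHD_FAIL line for the same sshd PID, so the two counts are two views of
    the same attempts: take the larger rather than the sum. No-ident connects
    are separate events and are added on top.
    """
    pam, fail, noident = defaultdict(int), defaultdict(int), defaultdict(int)
    for line in lines:
        for pattern, bucket in ((PAM_FAIL, pam), (SSHD_FAIL, fail), (NO_IDENT, noident)):
            m = pattern.search(line)
            if m:
                ip = _valid_ip(m.group("ip"))
                if ip:
                    bucket[ip] += 1
                break
    return {
        ip: max(pam.get(ip, 0), fail.get(ip, 0)) + noident.get(ip, 0)
        for ip in set(pam) | set(fail) | set(noident)
    }


def ban_commands(totals, threshold=5, exempt=()):
    """iptables commands (returned as strings, not executed) for every address
    at or above threshold, worst offender first. Addresses in exempt (your own,
    a monitoring host) are never emitted. "-I INPUT" puts the DROP ahead of
    whatever ACCEPT lets SSH in further down the chain."""
    exempt = {str(ip_address(e)) for e in exempt}
    ranked = sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))
    return [f"iptables -I INPUT -s {ip} -j DROP"
            for ip, n in ranked if n >= threshold and ip not in exempt]


# Constructed sample: a 4-event brute forcer, a 3-event one that also tries a
# user name crafted to look like an address, and two lines that must not count.
SAMPLE_AUTH_LOG = """\
Aug 13 08:33:04 host sshd[2558]: Did not receive identification string from 203.0.113.7
Aug 13 08:33:52 host sshd[2559]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7  user=root
Aug 13 08:33:54 host sshd[2559]: Failed password for root from 203.0.113.7 port 43019 ssh2
Aug 13 08:34:53 host sshd[2604]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7  user=root
Aug 13 08:34:55 host sshd[2604]: Failed password for root from 203.0.113.7 port 45860 ssh2
Aug 13 08:35:28 host sshd[2657]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7  user=root
Aug 13 08:35:30 host sshd[2657]: Failed password for root from 203.0.113.7 port 49092 ssh2
Aug 13 08:36:01 host sshd[2701]: Failed password for invalid user admin from 198.51.100.20 port 50111 ssh2
Aug 13 08:36:03 host sshd[2701]: Failed password for invalid user admin from 198.51.100.20 port 50111 ssh2
Aug 13 08:36:10 host sshd[2733]: Failed password for invalid user x from 203.0.113.7 port 22 from 198.51.100.20 port 50222 ssh2
Aug 13 08:37:00 host CRON[5393]: pam_unix(cron:session): session closed for user root by (uid=0)
Aug 13 08:37:05 host sshd[2790]: Accepted publickey for alice from 192.0.2.9 port 51000 ssh2
""".splitlines()

if __name__ == "__main__":
    import sys
    # Real use: python3 ssh_bans.py < /var/log/auth.log  (review, then pipe to sh)
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_AUTH_LOG
    for cmd in ban_commands(count_failures(source), threshold=4):
        print(cmd)
```

Run against the sample, 203.0.113.7 scores 4 (three attempts plus one silent connect) and 198.51.100.20 scores 3, including the line whose user name was crafted to look like "from 203.0.113.7 port 22"; anchoring the regex on the tail sshd writes itself is what stops that trick from getting an innocent address banned. The threshold is deliberately low for the sample; against a real auth.log, set it alongside a non-empty exempt list so a typo in your own password never locks you out, and a reverse lookup of the surviving addresses (socket.gethostbyaddr) can be bolted on before the commands are run.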