Massive brute force attacks, Fail2Ban not banning IPs

Suddenly, for the past 2 days, my server has been undergoing massive brute force attacks. To counter this, I have installed Fail2Ban and also configured it.

When I check its status using the two commands, it shows this:

Main contents of `jail.local`:

```ini
# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1
bantime  = 600
maxretry = 3

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto".
# yoh: For some reason Debian shipped python-gamin didn't work as expected
#      This issue left ToDo, so polling is default backend for now
backend = auto

#
# ACTIONS
#

# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define
# action_* variables. Can be overridden globally or per
# section within jail.local file
banaction = iptables

# email action. Since 0.8.1 upstream fail2ban uses sendmail
# MTA for the mailing. Change mta configuration parameter to mail
# if you want to revert to conventional 'mail'.
mta = sendmail

[ssh]
enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 6

[ssh-ddos]
enabled  = true
port     = ssh
filter   = sshd-ddos
logpath  = /var/log/auth.log
maxretry = 6
```
1. `fail2ban-client status ssh`

```
Status for the jail: ssh
-------------------------
|- filter
|  |- File list:        /var/log/auth.log
|  |- Currently failed: 0
|  `- Total failed:     0
`- action
   |- Currently banned: 0
   |  `- IP list:
   `- Total banned:     0
```

2. `service fail2ban status`

```
 * Status of authentication failure monitor * fail2ban is running
```
When I check the content of the `/var/log/fail2ban.log` file, it's not catching any IPs, yet brute force attacks are still being carried out on my site:

```
2014-07-10 07:53:06,880 fail2ban.server : INFO   Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.4
2014-07-10 07:53:06,881 fail2ban.jail   : INFO   Creating new jail 'ssh-ddos'
2014-07-10 07:53:06,881 fail2ban.jail   : INFO   Jail 'ssh-ddos' uses poller
2014-07-10 07:53:06,897 fail2ban.filter : INFO   Added logfile = /var/log/auth.log
2014-07-10 07:53:06,898 fail2ban.filter : INFO   Set maxRetry = 6
2014-07-10 07:53:06,898 fail2ban.filter : INFO   Set findtime = 600
2014-07-10 07:53:06,899 fail2ban.actions: INFO   Set banTime = 600
2014-07-10 07:53:06,905 fail2ban.jail   : INFO   Creating new jail 'ssh'
2014-07-10 07:53:06,905 fail2ban.jail   : INFO   Jail 'ssh' uses poller
2014-07-10 07:53:06,906 fail2ban.filter : INFO   Added logfile = /var/log/auth.log
2014-07-10 07:53:06,906 fail2ban.filter : INFO   Set maxRetry = 6
2014-07-10 07:53:06,907 fail2ban.filter : INFO   Set findtime = 600
2014-07-10 07:53:06,908 fail2ban.actions: INFO   Set banTime = 600
2014-07-10 07:53:07,000 fail2ban.jail   : INFO   Jail 'ssh-ddos' started
2014-07-10 07:53:07,006 fail2ban.jail   : INFO   Jail 'ssh' started
2014-07-10 08:48:38,004 fail2ban.actions.action: ERROR  iptables -D INPUT -p tcp -m multiport --dports ssh -j fail2ban-ssh-ddos
iptables -F fail2ban-ssh-ddos
iptables -X fail2ban-ssh-ddos returned 100
2014-07-10 08:48:38,005 fail2ban.jail   : INFO   Jail 'ssh-ddos' stopped
2014-07-10 08:48:39,005 fail2ban.actions.action: ERROR  iptables -D INPUT -p tcp -m multiport --dports ssh -j fail2ban-ssh
iptables -F fail2ban-ssh
iptables -X fail2ban-ssh returned 100
2014-07-10 08:48:39,007 fail2ban.jail   : INFO   Jail 'ssh' stopped
2014-07-10 08:48:39,007 fail2ban.server : INFO   Exiting Fail2ban
2014-07-10 08:48:39,360 fail2ban.server : INFO   Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.4
2014-07-10 08:48:39,361 fail2ban.jail   : INFO   Creating new jail 'ssh-ddos'
2014-07-10 08:48:39,361 fail2ban.jail   : INFO   Jail 'ssh-ddos' uses poller
2014-07-10 08:48:39,376 fail2ban.filter : INFO   Added logfile = /var/log/auth.log
2014-07-10 08:48:39,377 fail2ban.filter : INFO   Set maxRetry = 6
2014-07-10 08:48:39,378 fail2ban.filter : INFO   Set findtime = 600
2014-07-10 08:48:39,378 fail2ban.actions: INFO   Set banTime = 600
2014-07-10 08:48:39,385 fail2ban.jail   : INFO   Creating new jail 'ssh'
2014-07-10 08:48:39,385 fail2ban.jail   : INFO   Jail 'ssh' uses poller
2014-07-10 08:48:39,386 fail2ban.filter : INFO   Added logfile = /var/log/auth.log
2014-07-10 08:48:39,387 fail2ban.filter : INFO   Set maxRetry = 6
2014-07-10 08:48:39,388 fail2ban.filter : INFO   Set findtime = 600
2014-07-10 08:48:39,388 fail2ban.actions: INFO   Set banTime = 600
2014-07-10 08:48:39,473 fail2ban.jail   : INFO   Jail 'ssh-ddos' started
2014-07-10 08:48:39,479 fail2ban.jail   : INFO   Jail 'ssh' started
```

The content of `/var/log/auth.log` is growing to a large size; I am pasting partial contents below:

```
Jul  9 16:51:09 tserver sshd[7795]: Failed password for root from 66.51.128.42 port 49791 ssh2
Jul  9 16:51:10 tserver sshd[7799]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=66.51.128.42.aebc.970.cipherkey.com  user=root
Jul  9 16:51:12 tserver sshd[7799]: Failed password for root from 66.51.128.42 port 65465 ssh2
Jul  9 16:51:14 tserver sshd[7802]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=66.51.128.42.aebc.970.cipherkey.com  user=root
Jul  9 16:51:15 tserver sshd[7802]: Failed password for root from 66.51.128.42 port 56994 ssh2
Jul  9 16:51:17 tserver sshd[7805]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=66.51.128.42.aebc.970.cipherkey.com  user=root
Jul  9 16:51:19 tserver sshd[7805]: Failed password for root from 66.51.128.42 port 62612 ssh2
Jul  9 16:51:20 tserver sshd[7808]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=66.51.128.42.aebc.970.cipherkey.com  user=root
Jul  9 16:51:23 tserver sshd[7808]: Failed password for root from 66.51.128.42 port 62267 ssh2
Jul  9 16:51:24 tserver sshd[7811]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=66.51.128.42.aebc.970.cipherkey.com  user=root
Jul  9 16:51:25 tserver sshd[7811]: Failed password for root from 66.51.128.42 port 64983 ssh2
Jul  9 16:51:27 tserver sshd[7814]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=66.51.128.42.aebc.970.cipherkey.com  user=root
Jul  9 16:51:29 tserver sshd[7814]: Failed password for root from 66.51.128.42 port 62258 ssh2
Jul  9 17:00:20 tserver CRON[7847]: pam_unix(cron:session): session closed for user smmsp
Jul  9 17:08:33 tserver sshd[7915]: Invalid user test from 94.79.33.21
```

For the past 2 days, my website has been very slow and not accessible because of this issue. I am losing my users and am very worried. Please help!

Thanks in advance.
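The counting the `ssh` jail above is configured for (`maxretry` failures within `findtime` seconds, read from `auth.log`), as an added example that is not part of the original post: a small Python check that runs simplified stand-ins for two of the sshd filter's failregex patterns over a constructed sample in the shape of the auth.log excerpt and reports which hosts would have crossed the ban threshold. The patterns, the sample lines and the year 2014 for the syslog timestamps are assumptions, not Fail2ban's own code.

```python
import re
from datetime import datetime
# Constructed sample in the shape of the auth.log excerpt (not the real log).
SAMPLE_AUTH_LOG = """\
Jul  9 16:51:09 tserver sshd[7795]: Failed password for root from 66.51.128.42 port 49791 ssh2
Jul  9 16:51:12 tserver sshd[7799]: Failed password for root from 66.51.128.42 port 65465 ssh2
Jul  9 16:51:15 tserver sshd[7802]: Failed password for root from 66.51.128.42 port 56994 ssh2
Jul  9 16:51:19 tserver sshd[7805]: Failed password for root from 66.51.128.42 port 62612 ssh2
Jul  9 16:51:23 tserver sshd[7808]: Failed password for root from 66.51.128.42 port 62267 ssh2
Jul  9 16:51:25 tserver sshd[7811]: Failed password for root from 66.51.128.42 port 64983 ssh2
Jul  9 16:51:29 tserver sshd[7814]: Failed password for root from 66.51.128.42 port 62258 ssh2
Jul  9 17:00:20 tserver CRON[7847]: pam_unix(cron:session): session closed for user smmsp
Jul  9 17:08:33 tserver sshd[7915]: Invalid user test from 94.79.33.21
"""
IPV4 = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# Simplified stand-ins for two sshd failregex patterns (assumption: not the exact
# expressions shipped with Fail2ban 0.8.4, which also accept hostnames as <HOST>).
FAILREGEX = [
    re.compile(r"sshd\[\d+\]: Failed (?:password|publickey) for .* from " + IPV4 + r"(?: port \d+)?(?: ssh\d*)?$"),
    re.compile(r"sshd\[\d+\]: Invalid user \S+ from " + IPV4 + r"$"),
]

def parse_time(line, year=2014):
    # syslog timestamps carry no year; 2014 is assumed from the post's dates.
    return datetime.strptime(f"{year} " + " ".join(line[:15].split()), "%Y %b %d %H:%M:%S")

def find_failures(log_text):
    """Return (timestamp, host) for every line that some failregex matches."""
    hits = []
    for line in log_text.splitlines():
        for rx in FAILREGEX:
            m = rx.search(line)
            if m:
                hits.append((parse_time(line), m.group("host")))
                break
    return hits

def hosts_to_ban(log_text, maxretry=6, findtime=600):
    """Apply the jail's rule: ban once `maxretry` failures fall within `findtime` seconds."""
    recent, banned = {}, {}
    for ts, host in sorted(find_failures(log_text)):
        if host in banned:
            continue  # already banned; Fail2ban would have blocked it by now
        window = [t for t in recent.get(host, []) if (ts - t).total_seconds() <= findtime]
        window.append(ts)
        recent[host] = window
        if len(window) >= maxretry:
            banned[host] = ts  # moment the threshold was crossed
    return banned
```

If this check counts failures in your own `auth.log` while `fail2ban-client status ssh` still reports `Total failed: 0`, the jail is not matching the log lines at all, so the filter and log parsing are the place to look before the ban action.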

3 Replies

Sorry, forgot to add this one: I have been working on my own startup and am hosting my site at Linode (Ubuntu 10.04 LTS).

Are you sure that your site being slow is because of the brute force attempts? The log that you posted does not show anything particularly out of the ordinary, nor does it show enough attempts to cause any performance impact.

Guspav is right, getting an SSH login attempt every few seconds is perfectly normal for any publicly-accessible server. You'd have to get dozens of attempts per second to have any kind of performance impact.

Use a network monitoring tool like Nethogs (http://nethogs.sourceforge.net/) to see which processes on your system are consuming bandwidth.
