I have a small server whose only open ports are ssh, http and https. I have fail2ban installed and configured so that after 3 failed attempts someone is blocked for 10 minutes (this is the default, I think).
Root login is disabled, but the people trying to log in with it are not getting blocked.
cat /var/log/messages | grep ssh
shows about 50 such attempts:
Jan 20 10:50:57 localhost sshd[28666]: SSH: Server;Ltype: Version;Remote: 88.190.31.135-57382;Protocol: 2.0;Client: libssh-0.1
Jan 20 10:50:57 localhost sshd[28666]: SSH: Server;Ltype: Kex;Remote: 88.190.31.135-57382;Enc: aes128-cbc;MAC: hmac-sha1;Comp: none [preauth]
Jan 20 10:50:57 localhost sshd[28666]: SSH: Server;Ltype: Authname;Remote: 88.190.31.135-57382;Name: root [preauth]
Jan 20 10:50:57 localhost sshd[28666]: Received disconnect from 88.190.31.135: 11: Bye Bye [preauth]
Jan 20 10:50:57 localhost sshd[28668]: SSH: Server;Ltype: Version;Remote: 88.190.31.135-57437;Protocol: 2.0;Client: libssh-0.1
Jan 20 10:50:57 localhost sshd[28668]: SSH: Server;Ltype: Kex;Remote: 88.190.31.135-57437;Enc: aes128-cbc;MAC: hmac-sha1;Comp: none [preauth]
Jan 20 10:50:57 localhost sshd[28668]: SSH: Server;Ltype: Authname;Remote: 88.190.31.135-57437;Name: root [preauth]
Jan 20 10:50:57 localhost sshd[28668]: Received disconnect from 88.190.31.135: 11: Bye Bye [preauth]
Jan 20 10:50:57 localhost sshd[28670]: SSH: Server;Ltype: Version;Remote: 88.190.31.135-57515;Protocol: 2.0;Client: libssh-0.1
Jan 20 10:50:57 localhost sshd[28670]: SSH: Server;Ltype: Kex;Remote: 88.190.31.135-57515;Enc: aes128-cbc;MAC: hmac-sha1;Comp: none [preauth]
Jan 20 10:50:58 localhost sshd[28670]: SSH: Server;Ltype: Authname;Remote: 88.190.31.135-57515;Name: root [preauth]
Jan 20 10:50:58 localhost sshd[28670]: Received disconnect from 88.190.31.135: 11: Bye Bye [preauth]
After this it tried another user, oracle, which doesn't even exist:
Jan 20 10:50:58 localhost sshd[28672]: SSH: Server;Ltype: Version;Remote: 88.190.31.135-57584;Protocol: 2.0;Client: libssh-0.1
Jan 20 10:50:58 localhost sshd[28672]: SSH: Server;Ltype: Kex;Remote: 88.190.31.135-57584;Enc: aes128-cbc;MAC: hmac-sha1;Comp: none [preauth]
Jan 20 10:50:58 localhost sshd[28672]: SSH: Server;Ltype: Authname;Remote: 88.190.31.135-57584;Name: oracle [preauth]
Jan 20 10:50:58 localhost sshd[28672]: Invalid user oracle from 88.190.31.135
Jan 20 10:50:58 localhost sshd[28672]: input_userauth_request: invalid user oracle [preauth]
Jan 20 10:50:58 localhost sshd[28672]: pam_tally2(sshd:auth): pam_get_uid; no such user
Jan 20 10:50:58 localhost sshd[28672]: pam_unix(sshd:auth): check pass; user unknown
Jan 20 10:50:58 localhost sshd[28672]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=sd-32510.dedibox.fr
Jan 20 10:51:00 localhost sshd[28672]: Failed password for invalid user oracle from 88.190.31.135 port 57584 ssh2
Jan 20 10:51:00 localhost sshd[28672]: Received disconnect from 88.190.31.135: 11: Bye Bye [preauth]
Jan 20 10:51:00 localhost sshd[28674]: SSH: Server;Ltype: Version;Remote: 88.190.31.135-58021;Protocol: 2.0;Client: libssh-0.1
Jan 20 10:51:00 localhost sshd[28674]: SSH: Server;Ltype: Kex;Remote: 88.190.31.135-58021;Enc: aes128-cbc;MAC: hmac-sha1;Comp: none [preauth]
Jan 20 10:51:00 localhost sshd[28674]: SSH: Server;Ltype: Authname;Remote: 88.190.31.135-58021;Name: oracle [preauth]
Jan 20 10:51:00 localhost sshd[28674]: Invalid user oracle from 88.190.31.135
Jan 20 10:51:00 localhost sshd[28674]: input_userauth_request: invalid user oracle [preauth]
Jan 20 10:51:00 localhost sshd[28674]: pam_tally2(sshd:auth): pam_get_uid; no such user
Jan 20 10:51:00 localhost sshd[28674]: pam_unix(sshd:auth): check pass; user unknown
Jan 20 10:51:00 localhost sshd[28674]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=sd-32510.dedibox.fr
Jan 20 10:51:02 localhost sshd[28674]: Failed password for invalid user oracle from 88.190.31.135 port 58021 ssh2
Jan 20 10:51:02 localhost sshd[28674]: Received disconnect from 88.190.31.135: 11: Bye Bye [preauth]
Jan 20 10:51:02 localhost sshd[28676]: SSH: Server;Ltype: Version;Remote: 88.190.31.135-59203;Protocol: 2.0;Client: libssh-0.1
Jan 20 10:51:02 localhost sshd[28676]: SSH: Server;Ltype: Kex;Remote: 88.190.31.135-59203;Enc: aes128-cbc;MAC: hmac-sha1;Comp: none [preauth]
Jan 20 10:51:03 localhost sshd[28676]: SSH: Server;Ltype: Authname;Remote: 88.190.31.135-59203;Name: oracle [preauth]
Jan 20 10:51:03 localhost sshd[28676]: Invalid user oracle from 88.190.31.135
Jan 20 10:51:03 localhost sshd[28676]: input_userauth_request: invalid user oracle [preauth]
Jan 20 10:51:03 localhost sshd[28676]: pam_tally2(sshd:auth): pam_get_uid; no such user
Jan 20 10:51:03 localhost sshd[28676]: pam_unix(sshd:auth): check pass; user unknown
Jan 20 10:51:03 localhost sshd[28676]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=sd-32510.dedibox.fr
Jan 20 10:51:04 localhost sshd[28676]: Failed password for invalid user oracle from 88.190.31.135 port 59203 ssh2
Jan 20 10:51:04 localhost sshd[28676]: Received disconnect from 88.190.31.135: 11: Bye Bye [preauth]
Jan 20 10:51:04 localhost sshd[28678]: SSH: Server;Ltype: Version;Remote: 88.190.31.135-59651;Protocol: 2.0;Client: libssh-0.1
Jan 20 10:51:04 localhost sshd[28678]: SSH: Server;Ltype: Kex;Remote: 88.190.31.135-59651;Enc: aes128-cbc;MAC: hmac-sha1;Comp: none [preauth]
After that, in /var/log/fail2ban:
2012-01-20 10:51:04,701 fail2ban.actions: WARNING [ssh-iptables] Ban 88.190.31.135
I wonder why this didn't happen while it was trying to log in to my server with the root account? I bet there's a way to change fail2ban's behaviour here, but how?
System info, if needed: gentoo 3.2.0, openssh 5.9, iptables-1.4.12.1, fail2ban-0.8.6
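To see why the ban fires only on the oracle attempts, here is an added example (not part of the post, and not fail2ban's own filter code) that replays a constructed excerpt of the sshd lines above through two patterns: a simplified stand-in for the usual "Failed password" failregex, and a second pattern, assumed for this example, that matches the preauth "Authname ... Name: root" line the root attempts leave behind before the client disconnects.

```python
import re
from collections import Counter

# Constructed sample modelled on the sshd lines in the post (same host and
# format, trimmed to the lines that matter); not a real capture.
SAMPLE_LOG = """\
Jan 20 10:50:57 localhost sshd[28666]: SSH: Server;Ltype: Authname;Remote: 88.190.31.135-57382;Name: root [preauth]
Jan 20 10:50:57 localhost sshd[28666]: Received disconnect from 88.190.31.135: 11: Bye Bye [preauth]
Jan 20 10:50:57 localhost sshd[28668]: SSH: Server;Ltype: Authname;Remote: 88.190.31.135-57437;Name: root [preauth]
Jan 20 10:50:57 localhost sshd[28668]: Received disconnect from 88.190.31.135: 11: Bye Bye [preauth]
Jan 20 10:50:58 localhost sshd[28670]: SSH: Server;Ltype: Authname;Remote: 88.190.31.135-57515;Name: root [preauth]
Jan 20 10:50:58 localhost sshd[28670]: Received disconnect from 88.190.31.135: 11: Bye Bye [preauth]
Jan 20 10:50:58 localhost sshd[28672]: SSH: Server;Ltype: Authname;Remote: 88.190.31.135-57584;Name: oracle [preauth]
Jan 20 10:51:00 localhost sshd[28672]: Failed password for invalid user oracle from 88.190.31.135 port 57584 ssh2
Jan 20 10:51:02 localhost sshd[28674]: Failed password for invalid user oracle from 88.190.31.135 port 58021 ssh2
Jan 20 10:51:04 localhost sshd[28676]: Failed password for invalid user oracle from 88.190.31.135 port 59203 ssh2
"""

# Simplified stand-in for the stock sshd failregex: only "Failed password"
# lines count. The real fail2ban filter has more alternatives (assumption).
FAILED_PASSWORD = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<host>\d+\.\d+\.\d+\.\d+)")

# Pattern for the preauth username announcement; constructed for this
# example, not a stock fail2ban rule.
PREAUTH_NAME = re.compile(
    r"Ltype: Authname;Remote: (?P<host>\d+\.\d+\.\d+\.\d+)-\d+;Name: (?P<user>\S+) \[preauth\]")


def count_matches(log_text, pattern):
    """Return {host: number of lines matching pattern} per source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = pattern.search(line)
        if m:
            counts[m.group("host")] += 1
    return dict(counts)


def ban_trigger(log_text, pattern, maxretry=3):
    """Simulate fail2ban's per-host counting (the post uses maxretry 3) and
    return {host: timestamp of the line that reached maxretry}. No findtime
    window is applied because the sample spans only seven seconds."""
    counts = Counter()
    triggered = {}
    for line in log_text.splitlines():
        m = pattern.search(line)
        if not m:
            continue
        host = m.group("host")
        counts[host] += 1
        if counts[host] == maxretry and host not in triggered:
            triggered[host] = line[:15]  # "Mon DD HH:MM:SS" syslog prefix
    return triggered
```

With the "Failed password" pattern the ban lands at 10:51:04, exactly when the fail2ban log above records it; the three root attempts never produce such a line, so they contribute nothing to that count, whereas the preauth pattern would already have reached 3 at 10:50:58.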