Oh yeah, if you ever open up your ssh-server to the interwebs, don’t forget to install a banner. Fail2ban is an excellent tool to prevent this and many other type of attacks:
Jul 11 09:48:45 beeserver sshd[24408]: input_userauth_request: invalid user mitesh [preauth]
Jul 11 09:48:45 beeserver sshd[24408]: Received disconnect from 124.160.194.27: 11: Bye Bye [preauth]
Jul 11 09:48:53 beeserver sshd[24412]: Invalid user webftp from 124.160.194.27
Jul 11 09:48:53 beeserver sshd[24412]: input_userauth_request: invalid user webftp [preauth]
Jul 11 09:48:53 beeserver sshd[24412]: Received disconnect from 124.160.194.27: 11: Bye Bye [preauth]
Jul 11 09:49:01 beeserver sshd[24417]: Invalid user yangjun from 124.160.194.27
Jul 11 09:49:01 beeserver sshd[24417]: input_userauth_request: invalid user yangjun [preauth]
Jul 11 09:49:01 beeserver sshd[24417]: Received disconnect from 124.160.194.27: 11: Bye Bye [preauth]
Jul 11 09:49:09 beeserver sshd[24421]: Invalid user zl from 124.160.194.27
Jul 11 09:49:09 beeserver sshd[24421]: input_userauth_request: invalid user zl [preauth]
Jul 11 09:49:09 beeserver sshd[24421]: Received disconnect from 124.160.194.27: 11: Bye Bye [preauth]
Jul 11 09:49:17 beeserver sshd[24425]: Invalid user zl from 124.160.194.27
Jul 11 09:49:17 beeserver sshd[24425]: input_userauth_request: invalid user zl [preauth]
Jul 11 09:49:18 beeserver sshd[24425]: Received disconnect from 124.160.194.27: 11: Bye Bye [preauth]
Jul 11 09:49:25 beeserver sshd[24429]: Invalid user dr from 124.160.194.27
Jul 11 09:49:25 beeserver sshd[24429]: input_userauth_request: invalid user dr [preauth]
Although the following attack (the interwebs says they’re trying to hack my public/private key. I say good luck, *click*. RSA >2k bits is really, really, really hard to crack at one try/second) usually isn’t detected by default:
Jul 12 01:04:24 beeserver sshd[25725]: Received disconnect from 74.208.154.206: 11: Bye Bye [preauth]
Jul 12 01:04:25 beeserver sshd[25729]: Received disconnect from 74.208.154.206: 11: Bye Bye [preauth]
Jul 12 01:04:26 beeserver sshd[25733]: Received disconnect from 74.208.154.206: 11: Bye Bye [preauth]
Jul 12 01:04:28 beeserver sshd[25737]: Received disconnect from 74.208.154.206: 11: Bye Bye [preauth]
Jul 12 01:04:29 beeserver sshd[25741]: Received disconnect from 74.208.154.206: 11: Bye Bye [preauth]
Jul 12 01:04:30 beeserver sshd[25745]: Received disconnect from 74.208.154.206: 11: Bye Bye [preauth]
Jul 12 01:04:32 beeserver sshd[25749]: Received disconnect from 74.208.154.206: 11: Bye Bye [preauth]
Jul 12 01:04:33 beeserver sshd[25753]: Received disconnect from 74.208.154.206: 11: Bye Bye [preauth]
Jul 12 01:04:34 beeserver sshd[25757]: Received disconnect from 74.208.154.206: 11: Bye Bye [preauth]
Jul 12 01:04:35 beeserver sshd[25761]: Received disconnect from 74.208.154.206: 11: Bye Bye [preauth]
Jul 12 01:04:37 beeserver sshd[25765]: Received disconnect from 74.208.154.206: 11: Bye Bye [preauth]
Jul 12 01:04:38 beeserver sshd[25769]: Received disconnect from 74.208.154.206: 11: Bye Bye [preauth]
Jul 12 01:04:39 beeserver sshd[25773]: Received disconnect from 74.208.154.206: 11: Bye Bye [preauth]
Jul 12 01:04:41 beeserver sshd[25777]: Received disconnect from 74.208.154.206: 11: Bye Bye [preauth]
Jul 12 01:04:42 beeserver sshd[25781]: Received disconnect from 74.208.154.206: 11: Bye Bye [preauth]
Jul 12 01:04:43 beeserver sshd[25785]: Received disconnect from 74.208.154.206: 11: Bye Bye [preauth]
Jul 12 01:04:45 beeserver sshd[25789]: Received disconnect from 74.208.154.206: 11: Bye Bye [preauth]
Jul 12 01:04:46 beeserver sshd[25793]: Received disconnect from 74.208.154.206: 11: Bye Bye [preauth]
Jul 12 01:04:47 beeserver sshd[25797]: Received disconnect from 74.208.154.206: 11: Bye Bye [preauth]
Jul 12 01:04:49 beeserver sshd[25801]: Received disconnect from 74.208.154.206: 11: Bye Bye [preauth]
Therefore you should add another string to your failregexes in /etc/fail2ban/filter.d/sshd.conf
, just to be on the safe side.
^%(__prefix_line)sReceived disconnect from : 11: Bye Bye [preauth]s*$
La result:
2013-07-28 16:50:24,498 fail2ban.actions: WARNING [ssh] Ban 62.75.236.17
2013-07-28 23:42:33,860 fail2ban.actions: WARNING [ssh] Ban 88.190.236.3
2013-07-29 03:06:31,190 fail2ban.actions: WARNING [ssh] Ban 82.221.102.199
2013-07-29 16:02:56,630 fail2ban.actions: WARNING [ssh] Ban 50.22.225.203
So long, bye bye, zwaai zwaai! Unfortunately peanut butter, better luck on the next ssh server.
Juste the line I needed !
Thanks.
I’m new to fail2ban but the following line seems more appropriate :
^%(__prefix_line)sReceived disconnect from : 11: Bye Bye [preauth]s*$
hello, sometimes, they don’t uses the string “Bye Bye” as a disconnect reason. I saw “Thank you for playing”, but also whitespaces.