Hi, something odd is happening to me: although I told fail2ban to block IPs that make more than three attempts,

some of them still manage to keep testing logins on port 22.

Log attached; what should I do?

Aug 22 18:31:42 sshd[14008]: Invalid user teamspeak from 85.214.64.145
Aug 22 18:31:45 sshd[14008]: Failed password for invalid user teamspeak from 85.214.64.145 port 33857 ssh2
Aug 22 18:56:57 sshd[15125]: Invalid user ts3 from 85.214.64.145
Aug 22 18:56:59 sshd[15125]: Failed password for invalid user ts3 from 85.214.64.145 port 37418 ssh2
Aug 22 19:21:57 sshd[16473]: Invalid user nagios from 85.214.64.145
Aug 22 19:21:59 sshd[16473]: Failed password for invalid user nagios from 85.214.64.145 port 40988 ssh2
Aug 22 19:46:58 sshd[17596]: Invalid user redmine from 85.214.64.145
Aug 22 19:47:00 sshd[17596]: Failed password for invalid user redmine from 85.214.64.145 port 44525 ssh2
Aug 22 20:12:01 sshd[18976]: Invalid user oracle from 85.214.64.145
Aug 22 20:12:03 sshd[18976]: Failed password for invalid user oracle from 85.214.64.145 port 48054 ssh2
Aug 22 20:37:13 sshd[20136]: Invalid user git from 85.214.64.145
Aug 22 20:37:15 sshd[20136]: Failed password for invalid user git from 85.214.64.145 port 51548 ssh2
Aug 22 21:02:16 sshd[21367]: Invalid user postgres from 85.214.64.145
Aug 22 21:02:18 sshd[21367]: Failed password for invalid user postgres from 85.214.64.145 port 55057 ssh2
Aug 22 21:27:21 sshd[22608]: Invalid user zabbix from 85.214.64.145
Aug 22 21:27:22 sshd[22608]: Failed password for invalid user zabbix from 85.214.64.145 port 58618 ssh2
Aug 22 21:52:50 sshd[23729]: Invalid user bugzilla from 85.214.64.145
Aug 22 21:52:51 sshd[23729]: Failed password for invalid user bugzilla from 85.214.64.145 port 33877 ssh2
Aug 22 22:18:01 sshd[25080]: Invalid user git from 85.214.64.145
Aug 22 22:18:02 sshd[25080]: Failed password for invalid user git from 85.214.64.145 port 37383 ssh2
Aug 23 08:41:17 sshd[23499]: Invalid user zabbix from 85.214.64.145
Aug 23 08:41:20 sshd[23499]: Failed password for invalid user zabbix from 85.214.64.145 port 40133 ssh2
Aug 23 09:06:33 sshd[24840]: Invalid user bugzilla from 85.214.64.145
Aug 23 09:06:35 sshd[24840]: Failed password for invalid user bugzilla from 85.214.64.145 port 43673 ssh2
Aug 23 09:31:36 sshd[25962]: Invalid user git from 85.214.64.145
Aug 23 09:31:38 sshd[25962]: Failed password for invalid user git from 85.214.64.145 port 47192 ssh2
Aug 23 09:56:39 sshd[27080]: Invalid user confluence from 85.214.64.145
Aug 23 09:56:41 sshd[27080]: Failed password for invalid user confluence from 85.214.64.145 port 50761 ssh2
Aug 23 10:21:44 sshd[28431]: Invalid user eggdrop from 85.214.64.145
Aug 23 10:21:46 sshd[28431]: Failed password for invalid user eggdrop from 85.214.64.145 port 54296 ssh2
Aug 23 10:46:53 sshd[29548]: Invalid user test from 85.214.64.145
Aug 23 10:46:55 sshd[29548]: Failed password for invalid user test from 85.214.64.145 port 57681 ssh2
Aug 23 11:11:54 sshd[30907]: Invalid user git from 85.214.64.145
Aug 23 11:11:56 sshd[30907]: Failed password for invalid user git from 85.214.64.145 port 32816 ssh2
Aug 23 11:36:59 sshd[32021]: Invalid user minecraft from 85.214.64.145
Aug 23 11:37:01 sshd[32021]: Failed password for invalid user minecraft from 85.214.64.145 port 36131 ssh2
Aug 23 12:02:06 sshd[1062]: Invalid user teamspeak from 85.214.64.145
Aug 23 12:02:08 sshd[1062]: Failed password for invalid user teamspeak from 85.214.64.145 port 39510 ssh2
Aug 23 12:27:29 sshd[2344]: Invalid user eggdrop from 85.214.64.145
Aug 23 12:27:31 sshd[2344]: Failed password for invalid user eggdrop from 85.214.64.145 port 42888 ssh2
Aug 23 12:52:48 sshd[3486]: Invalid user git from 85.214.64.145
Aug 23 12:52:50 sshd[3486]: Failed password for invalid user git from 85.214.64.145 port 46184 ssh2
Aug 23 13:17:52 sshd[4837]: Invalid user icinga from 85.214.64.145
Aug 23 13:17:55 sshd[4837]: Failed password for invalid user icinga from 85.214.64.145 port 49541 ssh2
Aug 23 13:42:57 sshd[5959]: Invalid user jboss from 85.214.64.145
Aug 23 13:42:59 sshd[5959]: Failed password for invalid user jboss from 85.214.64.145 port 52954 ssh2
Aug 23 14:08:08 sshd[7337]: Invalid user jenkins from 85.214.64.145
Aug 23 14:08:10 sshd[7337]: Failed password for invalid user jenkins from 85.214.64.145 port 56361 ssh2
Aug 23 14:33:12 sshd[8457]: Invalid user mantis from 85.214.64.145
Aug 23 14:33:14 sshd[8457]: Failed password for invalid user mantis from 85.214.64.145 port 59726 ssh2
Aug 23 14:58:17 sshd[9602]: Invalid user mc from 85.214.64.145
Aug 23 14:58:19 sshd[9602]: Failed password for invalid user mc from 85.214.64.145 port 34856 ssh2
Aug 23 15:23:25 sshd[10949]: Invalid user minecraft from 85.214.64.145
Aug 23 15:23:27 sshd[10949]: Failed password for invalid user minecraft from 85.214.64.145 port 38171 ssh2
Aug 23 15:48:32 sshd[12095]: Invalid user git from 85.214.64.145
Aug 23 15:48:35 sshd[12095]: Failed password for invalid user git from 85.214.64.145 port 41475 ssh2
Aug 23 16:13:23 sshd[13447]: Invalid user git from 85.214.64.145
Aug 23 16:13:25 sshd[13447]: Failed password for invalid user git from 85.214.64.145 port 59831 ssh2
Aug 23 16:13:31 sshd[13449]: Invalid user murmur from 85.214.64.145

5 replies


sylvain
Author

here are my rules

[ssh]
enabled = true
port    = ssh
filter  = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 86400
# Generic filter for pam. Has to be used with action which bans all ports
# such as iptables-allports, shorewall
[pam-generic]
enabled = true
# pam-generic filter can be customized to monitor specific subset of 'tty's
filter  = pam-generic
# port actually must be irrelevant but lets leave it all for some possible uses
port = all
banaction = iptables-allports
port = anyport
logpath = /var/log/auth.log
maxretry = 3
[xinetd-fail]
enabled = false
filter = xinetd-fail
port = all
banaction = iptables-multiport-log
logpath = /var/log/daemon.log
maxretry = 2

[ssh-ddos]
enabled = true
port = ssh
filter = sshd-ddos
logpath = /var/log/auth.log
maxretry = 6
#
# HTTP servers
#
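As an added example (not part of the thread, and not fail2ban's own code), the Python script below replays the failed-password lines from the log posted above through the rule sylvain's `[ssh]` jail expresses: `maxretry = 3` failures from one IP inside fail2ban's `findtime` window. The posted jail does not set `findtime`, so unless a `[DEFAULT]` section not shown here changes it, fail2ban's default of 600 seconds (10 minutes) applies. The script parses the OpenSSH line format, in which the trailing `port N` is the client's ephemeral source port, measures the spacing between consecutive attempts (about 25 minutes here), and runs the same sliding-window check with the default window and with a wider one. The sample lines are a subset copied from the post; the year used for parsing and the 3600-second alternative `findtime` are assumptions for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: a subset of the auth.log lines posted in the thread.
# syslog timestamps carry no year; any fixed year works for computing gaps.
SAMPLE_LOG = """\
Aug 22 18:31:45 sshd[14008]: Failed password for invalid user teamspeak from 85.214.64.145 port 33857 ssh2
Aug 22 18:56:59 sshd[15125]: Failed password for invalid user ts3 from 85.214.64.145 port 37418 ssh2
Aug 22 19:21:59 sshd[16473]: Failed password for invalid user nagios from 85.214.64.145 port 40988 ssh2
Aug 22 19:47:00 sshd[17596]: Failed password for invalid user redmine from 85.214.64.145 port 44525 ssh2
Aug 22 20:12:03 sshd[18976]: Failed password for invalid user oracle from 85.214.64.145 port 48054 ssh2
Aug 22 20:37:15 sshd[20136]: Failed password for invalid user git from 85.214.64.145 port 51548 ssh2
Aug 23 08:41:20 sshd[23499]: Failed password for invalid user zabbix from 85.214.64.145 port 40133 ssh2
Aug 23 09:06:35 sshd[24840]: Failed password for invalid user bugzilla from 85.214.64.145 port 43673 ssh2
Aug 23 09:31:38 sshd[25962]: Failed password for invalid user git from 85.214.64.145 port 47192 ssh2
"""

# OpenSSH "Failed password" line. The trailing "port N" is the CLIENT's
# source port (an ephemeral port chosen by the attacker's machine), not the
# port sshd listens on.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<sport>\d+) ssh2$"
)


def parse_failures(text, year=2000):
    """Return [(timestamp, ip, user, source_port)] for each failed-password line.
    `year` is an assumption: syslog lines have none, and only differences matter."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # "Invalid user" lines and anything else are not counted
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"], int(m["sport"])))
    return events


def gaps_seconds(events, ip):
    """Seconds between consecutive failures coming from one IP."""
    times = [ts for ts, src, _, _ in events if src == ip]
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]


def simulate_bans(events, maxretry, findtime):
    """Approximate fail2ban's rule: ban when `maxretry` failures from the same
    IP fall within a `findtime`-second window. Returns {ip: [ban timestamps]}.
    Counted failures are dropped once a ban fires (a simplification)."""
    window = defaultdict(deque)
    bans = defaultdict(list)
    for ts, ip, _, _ in sorted(events):
        q = window[ip]
        while q and (ts - q[0]).total_seconds() > findtime:
            q.popleft()  # failures older than the window no longer count
        q.append(ts)
        if len(q) >= maxretry:
            bans[ip].append(ts)
            q.clear()
    return dict(bans)


if __name__ == "__main__":
    ev = parse_failures(SAMPLE_LOG)
    ip = "85.214.64.145"
    print("gaps between attempts (s):", gaps_seconds(ev, ip))
    print("maxretry=3, findtime=600 (default):", simulate_bans(ev, 3, 600))
    print("maxretry=3, findtime=3600 (assumed):", simulate_bans(ev, 3, 3600))
```

With the default window the script reports no ban at all: every attempt is roughly 1500 seconds after the previous one, so the window never holds more than one failure from this IP and `maxretry = 3` is never reached. Widening `findtime` to 3600 seconds in the same simulation produces a ban after every third attempt.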

Personally, I changed the port in my configurations; it adds a layer of protection.

Hmm, if you look closely at the logs, he isn't attacking through port 22.
Example:

Aug 22 18:31:42 sshd[14008]: Invalid user teamspeak from 85.214.64.145
Aug 22 18:31:45 sshd[14008]: Failed password for invalid user teamspeak from 85.214.64.145 port 33857 ssh2

The connection is attempted from port 33857 and not 22; basically you need to forbid SSH access except on port 22, but I'd advise you to do that with iptables ;)

sylvain
Author

Thanks for the clarification.
How do I do that with iptables?

Port 22 ... I'd rather advise changing the port than leaving the default one.

Otherwise, some reading on server security