LinuxQuestions.org
Old 01-10-2013, 12:34 PM   #1
NotAComputerGuy
Member
 
Registered: Jun 2012
Distribution: Linux Mint - Debian Edition
Posts: 349

Rep: Reputation: 13
Fail2ban Log


Hi all,

Just wondering if anyone can tell me why it might appear my router is attempting to log into my desktop repeatedly? Could it be something more sinister?

Here is a small selection of log.

Code:
2013-01-05 15:29:19,048 fail2ban.actions: WARNING [ssh] Ban 192.168.0.1
2013-01-05 15:39:19,672 fail2ban.actions: WARNING [ssh] Unban 192.168.0.1
2013-01-05 16:13:18,752 fail2ban.actions: WARNING [ssh] Ban 192.168.0.1
2013-01-05 16:23:19,383 fail2ban.actions: WARNING [ssh] Unban 192.168.0.1
2013-01-05 16:32:07,867 fail2ban.actions: WARNING [ssh] Ban 192.168.0.1
2013-01-05 16:42:08,389 fail2ban.actions: WARNING [ssh] Unban 192.168.0.1
2013-01-05 17:24:18,524 fail2ban.actions: WARNING [ssh] Ban 192.168.0.1
2013-01-05 17:34:19,055 fail2ban.actions: WARNING [ssh] Unban 192.168.0.1
2013-01-05 17:54:03,125 fail2ban.actions: WARNING [ssh] Ban 192.168.0.1
2013-01-05 18:04:03,795 fail2ban.actions: WARNING [ssh] Unban 192.168.0.1
Thanks
 
Old 01-10-2013, 12:49 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Check your /var/log/secure or equivalent for failed logins instead?
 
Old 01-10-2013, 02:52 PM   #3
NotAComputerGuy
Member
 
Registered: Jun 2012
Distribution: Linux Mint - Debian Edition
Posts: 349

Original Poster
Rep: Reputation: 13
Hrm, don't seem to have anything that matches that or anything close, which I hope is a good sign?
 
Old 01-10-2013, 03:07 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Forgot to tell you the obvious: to also check your router's access logs ;-p If its logs are clean, or if it isn't the type of router that would allow one to telnet or SSH (or whatever else method) into and SSH to your machine anyway, then your jail.conf settings should have the router's IP in the "ignoreip" directive. I wonder though what you modified because jail.conf only lists /var/log/secure for the ssh-iptables jail and filter.d/sshd.conf only looks at SSH daemon messages and for a few "failregex"es...
 
Old 01-10-2013, 03:18 PM   #5
NotAComputerGuy
Member
 
Registered: Jun 2012
Distribution: Linux Mint - Debian Edition
Posts: 349

Original Poster
Rep: Reputation: 13
I've just seen that it logs to '/var/log/auth.log'.

Though have to say I'm a little confused: I used Sparkleshare, which is what the user 'storage' is used for, but certainly my crappy router does not use that. 'Storage' also has failed logins.
Code:
Jan  6 09:47:33 desktop sshd[27851]: Set /proc/self/oom_score_adj to 0
Jan  6 09:47:33 desktop sshd[27851]: Connection from 192.168.0.1 port 51306
Jan  6 09:47:33 desktop sshd[27851]: Found matching RSA key: 
Jan  6 09:47:33 desktop sshd[27851]: Postponed publickey for storage from 192.168.0.1 port 51306 ssh2 [preauth]
Jan  6 09:47:33 desktop sshd[27851]: Found matching RSA key: 
Jan  6 09:47:33 desktop sshd[27851]: Accepted publickey for storage from 192.168.0.1 port 51306 ssh2
Jan  6 09:47:33 desktop sshd[27851]: User child is on pid 27853
Jan  6 09:47:33 desktop sshd[27853]: Connection closed by 192.168.0.1
Jan  6 09:47:33 desktop sshd[27853]: Transferred: sent 2648, received 2760 bytes
Jan  6 09:47:33 desktop sshd[27853]: Closing connection to 192.168.0.1 port 51306
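
The failed-login check suggested earlier in the thread, applied to auth.log, as an added example that is not part of the original posts: it counts sshd results per source address, account and method, so you can see which accounts produce the failures behind each ban. The function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Count sshd authentication results per source address, account and method.
# Usage: ssh_auth_summary [source-ip] < /var/log/auth.log
ssh_auth_summary() {
    awk -v want="${1:-}" '
    / sshd\[[0-9]+\]: (Failed|Accepted) / {
        # Find the result word, then read fields relative to it:
        #   Failed|Accepted <method> for [invalid user] <user> from <ip> port ...
        for (i = 1; i <= NF; i++)
            if ($i == "Failed" || $i == "Accepted") break
        result = $i; method = $(i + 1)
        j = i + 3
        if ($j == "invalid" && $(j + 1) == "user") j += 2
        user = $j; ip = $(j + 2)
        if (want != "" && ip != want) next
        count[ip " " user " " method " " result]++
    }
    END { for (k in count) print count[k], k }
    ' | LC_ALL=C sort -k2,2 -k3,3 -k5,5
}

# Constructed sample lines in the auth.log format shown in the post above.
sample_auth_log() {
    cat <<'EOF'
Jan  6 09:40:01 desktop sshd[27001]: Failed password for storage from 192.168.0.1 port 51290 ssh2
Jan  6 09:40:05 desktop sshd[27001]: Failed password for storage from 192.168.0.1 port 51290 ssh2
Jan  6 09:41:12 desktop sshd[27010]: Failed password for invalid user admin from 192.168.0.1 port 51295 ssh2
Jan  6 09:47:33 desktop sshd[27851]: Accepted publickey for storage from 192.168.0.1 port 51306 ssh2
Jan  6 09:47:33 desktop sshd[27853]: Connection closed by 192.168.0.1
Jan  6 09:50:00 desktop sshd[27900]: Failed password for root from 192.168.0.77 port 40022 ssh2
EOF
}

# Columns: count, source address, account, method, result.
sample_auth_log | ssh_auth_summary 192.168.0.1
```

Run without an argument to see every source address; a mix of accepted public-key logins and failed password attempts for the same account from the router's address fits the NAT loopback explanation given later in the thread.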
 
Old 01-10-2013, 04:07 PM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Well, you could get the same entries by doing LAN machine -> external address -> router NAT -> other LAN machine. If you know exactly which SSH accounts are allowed and if they all use pubkey auth you could add your router's IP to jail.conf.
 
Old 01-10-2013, 04:38 PM   #7
NotAComputerGuy
Member
 
Registered: Jun 2012
Distribution: Linux Mint - Debian Edition
Posts: 349

Original Poster
Rep: Reputation: 13
Hi, I think that's what's happening as I have sparkleshare set up to work when I'm out and about too.

How would I add a second address to the jail.conf file please? Currently has 127.0.0.1/8 there, so just need to add the router's address.
 
Old 01-10-2013, 07:17 PM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Temporarily:
Code:
fail2ban-client set ssh-iptables addignoreip 192.168.0.1
Permanently:
Code:
sed -i "s|^ignoreip.=.*$|\0 192.168.0.1|" /etc/fail2ban/jail.conf
fail2ban-client reload
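
An idempotent variant of the permanent edit above, as an added example that is not part of the original post: it appends the address to the ignoreip line only when it is not already listed, so running it twice does not duplicate the entry. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Append an address to the ignoreip line of a fail2ban jail file, once.
# Usage: add_ignoreip /etc/fail2ban/jail.local 192.168.0.1
add_ignoreip() {
    file=$1 ip=$2
    # Already present as a whole entry on an ignoreip line: nothing to do.
    if awk -v ip="$ip" '
        /^ignoreip[ \t]*=/ {
            sub(/^[^=]*=/, "")
            n = split($0, a, /[ \t,]+/)
            for (i = 1; i <= n; i++) if (a[i] == ip) found = 1
        }
        END { exit !found }' "$file"; then
        return 0
    fi
    tmp=$(mktemp) || return 1
    # Append to the first ignoreip line; fail and leave the file alone if none exists.
    awk -v ip="$ip" '
        !done && /^ignoreip[ \t]*=/ { sub(/[ \t]+$/, ""); $0 = $0 " " ip; done = 1 }
        { print }
        END { exit !done }' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Write back through the existing file so its owner and mode are kept.
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# Demonstration on a constructed file; the second call is a no-op.
demo_add_ignoreip() {
    f=$(mktemp) || return 1
    printf '[DEFAULT]\nignoreip = 127.0.0.1/8\nbantime  = 600\n' > "$f"
    add_ignoreip "$f" 192.168.0.1 && add_ignoreip "$f" 192.168.0.1
    grep '^ignoreip' "$f"
    rm -f "$f"
}

demo_add_ignoreip
```

Pointing it at /etc/fail2ban/jail.local rather than jail.conf keeps the change across package upgrades, provided that file carries its own ignoreip line; the reload step from the post still applies. The runtime command in the post takes a jail name, and the log at the top of the thread shows this system's jail as [ssh].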
 
  

