LinuxQuestions.org
Old 11-21-2008, 03:33 AM   #1
baldur2630
Member
 
Registered: Jan 2007
Location: Belgium
Distribution: CentOS & Ubuntu
Posts: 173

Rep: Reputation: 22
root Authentication failures


I set up fail2ban on my SuSE 10 Linux box which we use as an Internet gateway and for connection sharing and we are getting IP Addresses banned every day.

Now I'm getting something new. The logs for the last two days have entries as follows : -


Haven't had this before. Have I missed something in fail2ban? Have I set something up incorrectly or is there some other way of curbing these b****y would-be hackers?
 
Old 11-21-2008, 01:31 PM   #2
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
I'm not very familiar with fail2ban, but it looks like what you're seeing is a distributed attack. (There are not excessive multiple attempts from a single IP, so there is nothing to ban.)

Now would be a good time to add to /etc/ssh/sshd_config: PermitRootLogin no

...and restart sshd.

Last edited by anomie; 11-21-2008 at 01:34 PM.
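An added example (not part of the original posts) of the point made in post #2: it parses summary lines in the format quoted in this thread ("Authentication failure for <user> from <host> : N Time(s)") and shows why a per-source ban threshold finds nothing to ban while the per-account total is high. The sample report, the hosts in it and both thresholds are constructed assumptions; `per_source_limit` is only a stand-in for a per-IP ban rule, not fail2ban's own logic.

```python
import re
from collections import defaultdict

# Constructed sample report; hosts use documentation names and ranges.
SAMPLE_REPORT = """\
Authentication failure for root from host-a.example.net : 1 Time(s)
Authentication failure for root from 192.0.2.10 : 2 Time(s)
Authentication failure for root from 192.0.2.77 : 3 Time(s)
Authentication failure for root from dsl-17.example.org : 1 Time(s)
Authentication failure for root from 198.51.100.4 : 2 Time(s)
Authentication failure for root from mail.example.com : 4 Time(s)
Authentication failure for root from 203.0.113.9 : 1 Time(s)
Authentication failure for root from 203.0.113.200 : 2 Time(s)
Authentication failure for admin from 198.51.100.99 : 25 Time(s)
User not known to the underlying authentication module for illegal user adam from 192.0.2.10 : 1 Time(s)
"""

LINE_RE = re.compile(
    r"^(?:Authentication failure for"
    r"|User not known to the underlying authentication module for illegal user)"
    r"\s+(?P<user>\S+)\s+from\s+(?P<src>\S+)\s*:\s*(?P<count>\d+)\s+Time\(s\)\s*$"
)


def parse_report(text):
    """Return {user: {source: failures}}; lines in other formats are skipped."""
    per_user = defaultdict(lambda: defaultdict(int))
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            per_user[m["user"]][m["src"]] += int(m["count"])
    return per_user


def assess(per_user, per_source_limit=5, total_limit=10):
    """Classify each targeted account.

    per_source_limit: hypothetical per-source ban threshold.
    total_limit: hypothetical alert threshold on failures that no
                 per-source ban would have stopped.
    """
    findings = {}
    for user, sources in per_user.items():
        total = sum(sources.values())
        bannable = sorted(s for s, n in sources.items() if n >= per_source_limit)
        evading = total - sum(sources[s] for s in bannable)
        if evading >= total_limit:
            verdict = "distributed"      # many sources, each under the limit
        elif bannable:
            verdict = "single-source"    # a per-source ban covers it
        else:
            verdict = "noise"
        findings[user] = {
            "total": total,
            "sources": len(sources),
            "bannable": bannable,
            "evading": evading,
            "verdict": verdict,
        }
    return findings


if __name__ == "__main__":
    for user, f in sorted(assess(parse_report(SAMPLE_REPORT)).items()):
        print(f"{user:6} {f['verdict']:13} total={f['total']:3} "
              f"sources={f['sources']:2} bannable={f['bannable']}")
```

For an account in the "distributed" class, banning by source address does little; removing the target (for example `PermitRootLogin no`, as suggested above) is what takes effect.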
 
Old 11-22-2008, 02:06 AM   #3
baldur2630
Good advice. I've done that now. Let's see what happens in the next days.

Thanks
 
Old 11-22-2008, 05:45 AM   #4
baldur2630
It's getting hammered now - today's log file has hundreds of the following sample : -

Illegal users from:
8.15.1.79 (8-15-1-79.ironpath.net): 2 times
dylan/keyboard-interactive/pam: 1 time
james/keyboard-interactive/pam: 1 time
12.163.86.236 (mhp.continuum-books.com): 2 times
dan/keyboard-interactive/pam: 1 time
test/keyboard-interactive/pam: 1 time
24.61.83.215 (c-24-61-83-215.hsd1.ma.comcast.net): 1 time
backup/keyboard-interactive/pam: 1 time
24.181.23.242 (24-181-23-242.static.gwnt.ga.charter.com): 1 time
eric/keyboard-interactive/pam: 1 time
41.207.199.95 (Adsl-41-207-199-95.aviso.ci): 1 time
sync/keyboard-interactive/pam: 1 time
58.26.48.162: 1 time
martin/keyboard-interactive/pam: 1 time
58.39.145.213: 2 times
julia/keyboard-interactive/pam: 1 time
stunnel/keyboard-interactive/pam: 1 time
58.77.117.97: 1 time
paul/keyboard-interactive/pam: 1 time
58.172.65.98: 1 time
security/keyboard-interactive/pam: 1 time
58.196.4.2: 2 times
justin/keyboard-interactive/pam: 1 time
peter/keyboard-interactive/pam: 1 time
58.223.242.246: 3 times
cheryl/keyboard-interactive/pam: 1 time
library/keyboard-interactive/pam: 1 time
web0/keyboard-interactive/pam: 1 time
59.6.185.34: 2 times
carol/keyboard-interactive/pam: 1 time
doug/keyboard-interactive/pam: 1 time

Also hundreds of this sample : -

Error in PAM authentication:
Authentication failure for admin from 10-136.206-83.static-ip.oleane.fr : 1 Time(s)
Authentication failure for admin from 116.39.30.124 : 1 Time(s)
Authentication failure for admin from 121.33.199.39 : 1 Time(s)

hundreds of these : -

User not known to the underlying authentication module for illegal user adam from 200.153.48.18 : 1 Time(s)
User not known to the underlying authentication module for illegal user adam from 85.21.182.2 : 1 Time(s)
User not known to the underlying authentication module for illegal user adam from 88-196-54-98-dsl.trt.estpak.ee : 1 Time(s)
User not known to the underlying authentication module for illegal user adam from 89-97-62-16.ip16.fastwebnet.it : 1 Time(s)
User not known to the underlying authentication module for illegal user adam from bxn69.internetdsl.tpnet.pl : 1 Time(s)
User not known to the underlying authentication module for illegal user adam from host87-101-static.28-79-b.business.telecomitalia.it : 1 Time(s)
User not known to the underlying authentication module for illegal user adrian from 118.218-119-85.cust.rackboost.net : 1 Time(s)

and finally hundreds of these : -

**Unmatched Entries**
PAM_NAM: User nancy unknown to the authentication module : 6 time(s)
PAM_NAM: User daemon unknown to the authentication module : 1 time(s)
PAM_NAM: User dan unknown to the authentication module : 7 time(s)

It isn't happening over SSH - not sure what they are trying to do or how
 
Old 11-22-2008, 04:46 PM   #5
anomie
Quote:
Originally Posted by baldur2630
It isn't happening over SSH - not sure what they are trying to do or how
Are you sure about that? Post some full log entries. (I suspect they are attacking sshd.) What other services do you have listening to the outside world that require user authentication?

Please take a few minutes to read the following threads:
The first is a brief howto I put together for hardening sshd. The second is a long, thorough thread on folks' experiences with calming brute force attacks.

There are a lot of ways to paint this bikeshed, and everyone has his own opinion. I think from those two sources of information you should be able to piece together a sane approach for your situation.
 
Old 11-23-2008, 02:51 AM   #6
baldur2630
Just about everything. We have 4 Virtual websites, a HelpDesk, an FTP Server, MySQL, Samba, SSH and Novell eDirectory which we use for file and print, iFolder, iPrint, NRM, iManager and we also use the same box (to a very limited extent) for Internet Connection Sharing (2 PCs) and a Wireless connection.

In the next couple of months, we'll be adding 3 more Linux boxes and then we can split some of the functionality off this one.

We are actually waiting for OES2 SP1 to be out of Beta.

I switched off SSH yesterday, I'll wait for a couple of days and check all the logs to see if it is still happening. I also switched off the FTP Server.
 
Old 11-23-2008, 03:23 PM   #7
anomie
Well, one step at a time then. You can start by hardening sshd.

Also, familiarize yourself with iptables (or SFW2, if suse still uses that) so that you're restricting access to all those services appropriately at the IP level.

---

P.S. FWIW, I've seen a sharp uptick in distributed attacks against sshd on one of my servers in the midwestern US over the past four days (starting on Nov. 19th).
 
Old 11-25-2008, 02:06 AM   #8
baldur2630
I switched off SSH for a couple of days and the attacks dropped dramatically. I also installed DenyHosts some time ago and currently have almost 5,000 IP Addresses in that also.

I followed all the instructions in your TID on hardening SSH. I haven't yet implemented encryption. We DO have non-dictionary user names and >10 character case-Sensitive Alpha-Numeric passwords. We have always had that, but I haven't found a way to enforce it in Linux like you can with NMAS (Novell) or Windows. I have to beat up the users to make sure their passwords comply! Is there anything where I can specify length of password and number of alpha and number of upper / lower case and numeric chars in Linux?

In the past couple of days the number of attacks has dropped considerably, but I'm still getting new IP Addresses that in spite of fail2ban and DenyHosts get through and I'm getting entries like : -

cheryl/keyboard-interactive/pam: 1 time
library/keyboard-interactive/pam: 1 time
web0/keyboard-interactive/pam: 1 time

What is keyboard-interactive? Can it be blocked or is it needed? I haven't seen any reference to it in SuSE10 docs. Can someone enlighten me as to what it is, if I need it and if not how can I block it?
 
Old 11-25-2008, 12:47 PM   #9
anomie
Quote:
Originally Posted by baldur2630
Is there anything where I can specify length of password and number of alpha and number of upper / lower case and numeric chars in Linux?
I put together another guide on that here: http://daemonforums.org/showthread.php?t=1019

It covers both FreeBSD and Linux (CentOS, actually). For the Linux section, I explained how to do this with pam_cracklib, but you may find pam_passwdqc to be a little more friendly. (Just read the whole article and choose one of the two approaches.)

Quote:
Originally Posted by baldur2630
What is keyboard-interactive? Can it be blocked or is it needed?
I believe it's referring to ChallengeResponseAuthentication. Using this with UsePAM is pretty standard.

However, if it is feasible for you to move to PubkeyAuthentication only then that is a very secure way to operate. (With the caveat that you can't enforce passphrase strength, but that is a whole other can of worms...)
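An added example (not part of the original posts, and not code from OpenSSH): a small audit of the sshd_config directives named in this thread, showing which password-guessing paths stay open, including the keyboard-interactive/pam path seen in the logs. The three config texts are constructed, and the `DEFAULTS` table is an assumption about an OpenSSH release of the thread's era; distributions change these defaults.

```python
import re

# Assumed built-in defaults (circa 2008 OpenSSH); verify for your build.
DEFAULTS = {
    "permitrootlogin": "yes",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "pubkeyauthentication": "yes",
    "usepam": "no",
}

# Constructed configs: untouched, partly hardened, and pubkey-only.
BEFORE = """
UsePAM yes
"""
PARTIAL = """
PermitRootLogin no
PasswordAuthentication no
UsePAM yes
# a later duplicate does not override the first value
PasswordAuthentication yes
"""
HARDENED = """
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
UsePAM yes
"""


def effective_settings(config_text):
    """Resolve the global value of each tracked directive.

    sshd keeps the first value it reads for a keyword, and keywords are
    case-insensitive. Parsing stops at the first Match block, because
    everything after it is conditional (a simplification of this example).
    """
    settings = dict(DEFAULTS)
    seen = set()
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) < 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key == "match":
            break
        if key in settings and key not in seen:
            settings[key] = value
            seen.add(key)
    return settings


def audit(settings):
    """Report which authentication paths still accept a guessed password."""
    paths = []
    if settings["passwordauthentication"] == "yes":
        paths.append("password")
    # keyboard-interactive backed by PAM: the path shown in the thread's logs
    if (settings["challengeresponseauthentication"] == "yes"
            and settings["usepam"] == "yes"):
        paths.append("keyboard-interactive/pam")
    return {
        "password_paths": paths,
        "root_login_disabled": settings["permitrootlogin"] == "no",
        "pubkey_only": not paths and settings["pubkeyauthentication"] == "yes",
    }


if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("partial", PARTIAL),
                       ("hardened", HARDENED)):
        print(name, audit(effective_settings(text)))
```

The "partial" case is the one to notice: with `PasswordAuthentication no` alone, PAM password prompts are still offered through keyboard-interactive until `ChallengeResponseAuthentication no` is set as well.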
 
  

