LinuxQuestions.org


NotAComputerGuy 01-10-2013 12:34 PM

Fail2ban Log
 
Hi all,

Just wondering if anyone can tell me why it might appear my router is attempting to log into my desktop repeatedly? Could it be something more sinister?

Here is a small selection of log.

Code:

2013-01-05 15:29:19,048 fail2ban.actions: WARNING [ssh] Ban 192.168.0.1
2013-01-05 15:39:19,672 fail2ban.actions: WARNING [ssh] Unban 192.168.0.1
2013-01-05 16:13:18,752 fail2ban.actions: WARNING [ssh] Ban 192.168.0.1
2013-01-05 16:23:19,383 fail2ban.actions: WARNING [ssh] Unban 192.168.0.1
2013-01-05 16:32:07,867 fail2ban.actions: WARNING [ssh] Ban 192.168.0.1
2013-01-05 16:42:08,389 fail2ban.actions: WARNING [ssh] Unban 192.168.0.1
2013-01-05 17:24:18,524 fail2ban.actions: WARNING [ssh] Ban 192.168.0.1
2013-01-05 17:34:19,055 fail2ban.actions: WARNING [ssh] Unban 192.168.0.1
2013-01-05 17:54:03,125 fail2ban.actions: WARNING [ssh] Ban 192.168.0.1
2013-01-05 18:04:03,795 fail2ban.actions: WARNING [ssh] Unban 192.168.0.1

Thanks

unSpawn 01-10-2013 12:49 PM

Check your /var/log/secure or equivalent for failed logins instead?

NotAComputerGuy 01-10-2013 02:52 PM

Hrm, don't seem to have anything that matches that or anything close, which I hope is a good sign?

unSpawn 01-10-2013 03:07 PM

Forgot to tell you the obvious: also check your router's access logs ;-p If its logs are clean, or if it isn't the type of router that would allow one to telnet or SSH (or whatever other method) into it and SSH to your machine anyway, then your jail.conf settings should have the router's IP in the "ignoreip" directive. I wonder though what you modified, because jail.conf only lists /var/log/secure for the ssh-iptables jail and filter.d/sshd.conf only looks at SSH daemon messages and for a few "failregex"es...

NotAComputerGuy 01-10-2013 03:18 PM

I just saw that it logs to '/var/log/auth.log'.

Though I have to say I'm a little confused: I use Sparkleshare, which is what the user 'storage' is used for, but certainly my crappy router does not use that. 'Storage' also has failed logins.
Code:

Jan  6 09:47:33 desktop sshd[27851]: Set /proc/self/oom_score_adj to 0
Jan  6 09:47:33 desktop sshd[27851]: Connection from 192.168.0.1 port 51306
Jan  6 09:47:33 desktop sshd[27851]: Found matching RSA key:
Jan  6 09:47:33 desktop sshd[27851]: Postponed publickey for storage from 192.168.0.1 port 51306 ssh2 [preauth]
Jan  6 09:47:33 desktop sshd[27851]: Found matching RSA key:
Jan  6 09:47:33 desktop sshd[27851]: Accepted publickey for storage from 192.168.0.1 port 51306 ssh2
Jan  6 09:47:33 desktop sshd[27851]: User child is on pid 27853
Jan  6 09:47:33 desktop sshd[27853]: Connection closed by 192.168.0.1
Jan  6 09:47:33 desktop sshd[27853]: Transferred: sent 2648, received 2760 bytes
Jan  6 09:47:33 desktop sshd[27853]: Closing connection to 192.168.0.1 port 51306


unSpawn 01-10-2013 04:07 PM

Well, you could get the same entries by doing LAN machine -> external address -> router NAT -> other LAN machine. If you know exactly which SSH accounts are allowed and if they all use pubkey auth, you could add your router's IP to jail.conf.

NotAComputerGuy 01-10-2013 04:38 PM

Hi, I think that's what's happening as I have sparkleshare setup to work when I'm out and about too.

How would I add a second address to the jail.conf file please? Currently has 127.0.0.1/8 there, so just need to add the router's address.

unSpawn 01-10-2013 07:17 PM

Temporarily:
Code:

fail2ban-client set ssh-iptables addignoreip 192.168.0.1
permanently:
Code:

sed -i "s|^ignoreip.=.*$|\0 192.168.0.1|" /etc/fail2ban/jail.conf
fail2ban-client reload
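The two commands above change what fail2ban treats as a trusted source. Before widening ignoreip it is worth knowing which of the bans in the log would have been suppressed by the new entry and which would still fire. The script below is an added example, not code from the thread or from the fail2ban project: it parses fail2ban log lines in the format shown earlier, reads an `ignoreip` line as it appears in jail.conf, and splits the Ban events into those the ignore list covers and those it does not. The log lines and jail.conf fragments are constructed samples modelled on the ones posted above (203.0.113.7 is a documentation-range address added to show an address that stays banned).

```python
import ipaddress
import re

# Constructed sample, modelled on the fail2ban log lines in the thread (not real data).
FAIL2BAN_LOG = """\
2013-01-05 15:29:19,048 fail2ban.actions: WARNING [ssh] Ban 192.168.0.1
2013-01-05 15:39:19,672 fail2ban.actions: WARNING [ssh] Unban 192.168.0.1
2013-01-05 16:13:18,752 fail2ban.actions: WARNING [ssh] Ban 192.168.0.1
2013-01-05 16:40:02,001 fail2ban.actions: WARNING [ssh] Ban 203.0.113.7
"""

# Constructed jail.conf fragments: the ignoreip line before and after the sed edit.
JAIL_CONF_BEFORE = "ignoreip = 127.0.0.1/8\n"
JAIL_CONF_AFTER = "ignoreip = 127.0.0.1/8 192.168.0.1\n"

# Matches the "fail2ban.actions: WARNING [jail] Ban|Unban <ip>" line format.
BAN_RE = re.compile(
    r"^(?P<ts>\S+ \S+) fail2ban\.actions: WARNING "
    r"\[(?P<jail>[^\]]+)\] (?P<action>Ban|Unban) (?P<ip>\S+)$"
)


def parse_ignoreip(conf_text):
    """Return the ignoreip entries of a jail.conf fragment as ip_network objects."""
    nets = []
    for line in conf_text.splitlines():
        m = re.match(r"^ignoreip\s*=\s*(.*)$", line)
        if m:
            for token in m.group(1).split():
                # strict=False accepts host addresses written with a mask (127.0.0.1/8),
                # which is how the default jail.conf writes the loopback entry.
                nets.append(ipaddress.ip_network(token, strict=False))
    return nets


def is_ignored(ip, nets):
    """True if the address falls inside any ignoreip network (a bare IP is a /32)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def parse_fail2ban_log(text):
    """Extract Ban/Unban events; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = BAN_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def ban_counts(events, nets):
    """Count Ban events per IP, split into those ignoreip suppresses and those it does not."""
    suppressed, active = {}, {}
    for ev in events:
        if ev["action"] != "Ban":
            continue
        bucket = suppressed if is_ignored(ev["ip"], nets) else active
        bucket[ev["ip"]] = bucket.get(ev["ip"], 0) + 1
    return suppressed, active


if __name__ == "__main__":
    events = parse_fail2ban_log(FAIL2BAN_LOG)
    for label, conf in (("before", JAIL_CONF_BEFORE), ("after", JAIL_CONF_AFTER)):
        suppressed, active = ban_counts(events, parse_ignoreip(conf))
        print(f"{label}: suppressed={suppressed} still banned={active}")
```

Run against the real files by replacing the constructed strings with the contents of /var/log/fail2ban.log and /etc/fail2ban/jail.conf. If the "after" run shows only the router's address moving into the suppressed bucket and nothing else changes, the ignoreip edit is as narrow as intended.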


