0

I installed and configured fail2ban on my VPS a couple days ago, since installed, it keeps sending me emails saying that an IP was banned after failed login attempts. Firewall is on and fail2ban is running, ban time is 1 hour, but apparently the ip is trying many times, and in different ports than SSH.

Here is part of the log: 

Sep 27 08:33:55 hero2 sshd[18529]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.229.53.67  user=root
Sep 27 08:33:57 hero2 sshd[18529]: Failed password for root from 43.229.53.67 port 22961 ssh2
Sep 27 08:34:01 hero2 sshd[18529]: message repeated 2 times: [ Failed password for root from 43.229.53.67 port 22961 ssh2]
Sep 27 08:34:02 hero2 sshd[18529]: Received disconnect from 43.229.53.67: 11:  [preauth]
Sep 27 08:34:02 hero2 sshd[18529]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.229.53.67  user=root
Sep 27 08:34:02 hero2 sshd[18531]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.229.53.67  user=root
Sep 27 08:34:04 hero2 sshd[18531]: Failed password for root from 43.229.53.67 port 43817 ssh2
Sep 27 08:34:08 hero2 sshd[18531]: message repeated 2 times: [ Failed password for root from 43.229.53.67 port 43817 ssh2]
Sep 27 08:34:08 hero2 sshd[18531]: Received disconnect from 43.229.53.67: 11:  [preauth]
Sep 27 08:34:08 hero2 sshd[18531]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.229.53.67  user=root
Sep 27 08:34:09 hero2 sshd[18533]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.229.53.67  user=root
Sep 27 08:34:11 hero2 sshd[18533]: Failed password for root from 43.229.53.67 port 62808 ssh2
Sep 27 08:34:15 hero2 sshd[18533]: message repeated 2 times: [ Failed password for root from 43.229.53.67 port 62808 ssh2]
Sep 27 08:34:15 hero2 sshd[18533]: Received disconnect from 43.229.53.67: 11:  [preauth]
Sep 27 08:34:15 hero2 sshd[18533]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.229.53.67  user=root
Sep 27 08:34:16 hero2 sshd[18535]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.229.53.67  user=root
Sep 27 08:34:18 hero2 sshd[18535]: Failed password for root from 43.229.53.67 port 26821 ssh2
Sep 27 08:34:22 hero2 sshd[18535]: message repeated 2 times: [ Failed password for root from 43.229.53.67 port 26821 ssh2]
Sep 27 08:34:22 hero2 sshd[18535]: Received disconnect from 43.229.53.67: 11:  [preauth]
Sep 27 08:34:22 hero2 sshd[18535]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.229.53.67  user=root
Sep 27 08:34:23 hero2 sshd[18537]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.229.53.67  user=root
Sep 27 08:34:25 hero2 sshd[18537]: Failed password for root from 43.229.53.67 port 46038 ssh2
Sep 27 08:34:29 hero2 sshd[18537]: message repeated 2 times: [ Failed password for root from 43

From what I see, it's all coming from the same IP, it's attempting many times and on different ports (shoudn't my firewall block all ports except ssh?). Also, root is disabled.

Is someone trying to brute force my VPS? What can I do to stop it?

sigmaxf
  • 643
  • 7
  • 17

3 Answers3

4

Get used to it.

If you've disabled root logins and are running fail2ban, you've already taken some sensible precautions. Personally, I always restrict access to a specific group of users and disable password authentication.

Manually adding blocks to the firewall for every host which tries to brute force your sshd is not a viable strategy.

symcbean
  • 18,625
  • 1
  • 41
  • 75
1

Is someone trying to brute force my VPS? What can I do to stop it?

Very likely. If they're using a static address you can block it using iptables:

# iptables -A INPUT -s IP_ADDRESS -j DROP

Note that the attacker may change his machine(VPS) and then try launching the attacks again. Then you would also have to add the new address to the list of blocked addresses. It's overall safer to use a good password.

Edit #1:

To block a host with ufw use:

# ufw deny from 207.46.232.182

For a range of hosts use a subnet mask:

# ufw deny from 207.46.232.182/24
Sebi
  • 1,391
  • 10
  • 16
  • I'm using ufw for firewall.. will that work using the iptables command? I'm not using password, just key, and do you think it would be a good idea to change the default SSH port? – sigmaxf Oct 03 '15 at 23:42
  • See the edited answer – Sebi Oct 04 '15 at 09:01
0

Yes, someone does, but don't take it personal. The moment you connect a server to the internet, it will be targeted by such attacks.

There are lots of criminals which run bots which connect to arbitrary IP addresses, look for an SSH demon and try to brute-force it. The goal is to find a system set up by an inexperienced admin who configured their server to allow remote root login with a weak password and no client-sided certificate. When they find such a server, they want to use it for criminal activity (hosting malware and phishing sites, sending spam, performing DDOS attacks, etc., etc.).

When you set up a complex enough password and configured fail2ban to block these attempts, you already did enough to thwart these fully automatized attacks.

Philipp
  • 49,384
  • 8
  • 129
  • 160