Just a post about the accuracy of fail2ban when doing what it is supposed to do.
For those concerned about safety, if things are properly configured, it is (almost) safe.
Just got an email informing me that an IP was banned while trying to access SSH with user root and, afterwards, with user admin.
The info on the email is quite detailed:
Code
Hi,
The IP 139.19.117.197 has just been banned by Fail2Ban after
5 attempts against ssh.
Here is more information about 139.19.117.197 :
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/resources/registry/whois/tou/
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/resources/registry/whois/inaccuracy_reporting/
#
# Copyright 1997-2023, American Registry for Internet Numbers, Ltd.
#
NetRange: 139.10.0.0 - 139.25.255.255
CIDR: 139.10.0.0/15, 139.16.0.0/13, 139.24.0.0/15, 139.12.0.0/14
NetName: RIPE-ERX-139-10-0-0
NetHandle: NET-139-10-0-0-1
Parent: NET139 (NET-139-0-0-0-0)
NetType: Early Registrations, Transferred to RIPE NCC
OriginAS:
Organization: RIPE Network Coordination Centre (RIPE)
RegDate: 2004-03-03
Updated: 2015-09-04
Comment: These addresses have been further assigned to users in
Comment: the RIPE NCC region. Contact information can be found in
Comment: the RIPE database at http://www.ripe.net/whois
Ref: https://rdap.arin.net/registry/ip/139.10.0.0
ResourceLink: https://apps.db.ripe.net/search/query.html
ResourceLink: whois.ripe.net
OrgName: RIPE Network Coordination Centre
OrgId: RIPE
Address: P.O. Box 10096
City: Amsterdam
StateProv:
PostalCode: 1001EB
Country: NL
RegDate:
Updated: 2013-07-29
Ref: https://rdap.arin.net/registry/entity/RIPE
ReferralServer: whois://whois.ripe.net
ResourceLink: https://apps.db.ripe.net/search/query.html
OrgAbuseHandle: ABUSE3850-ARIN
OrgAbuseName: Abuse Contact
OrgAbusePhone: +31205354444
OrgAbuseEmail: abuse@ripe.net
OrgAbuseRef: https://rdap.arin.net/registry/entity/ABUSE3850-ARIN
OrgTechHandle: RNO29-ARIN
OrgTechName: RIPE NCC Operations
OrgTechPhone: +31 20 535 4444
OrgTechEmail: hostmaster@ripe.net
OrgTechRef: https://rdap.arin.net/registry/entity/RNO29-ARIN
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/resources/registry/whois/tou/
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/resources/registry/whois/inaccuracy_reporting/
#
# Copyright 1997-2023, American Registry for Internet Numbers, Ltd.
#
Found a referral to whois.ripe.net.
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See https://apps.db.ripe.net/docs/HTML-Terms-And-Conditions
% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.
% Information related to '139.19.0.0 - 139.19.255.255'
% Abuse contact for '139.19.0.0 - 139.19.255.255' is 'abuse@mpi-klsb.mpg.de'
inetnum: 139.19.0.0 - 139.19.255.255
netname: MPII-NET
org: ORG-MFI3-RIPE
descr: Max-Planck-Institut fuer Informatik, Saarbruecken
country: DE
admin-c: JH383-RIPE
tech-c: JH383-RIPE
status: LEGACY
mnt-by: DFN-LIR-MNT
mnt-irt: IRT-DFN-CERT
created: 1970-01-01T00:00:00Z
last-modified: 2019-12-04T13:05:44Z
source: RIPE
organisation: ORG-MFI3-RIPE
org-name: Max-Planck-Institut fuer Informatik
org-type: OTHER
address: Campus E1 4
address: 66123 Saarbruecken
address: Germany
admin-c: JH383-RIPE
tech-c: JH383-RIPE
abuse-c: MIA80-RIPE
mnt-ref: DFN-LIR-MNT
mnt-by: DFN-LIR-MNT
created: 2017-04-10T13:47:53Z
last-modified: 2017-04-10T13:47:53Z
source: RIPE # Filtered
person: Joerg Herrmann
address: Max-Planck-Institut fuer Informatik
address: Campus E1 4
address: 66123 Saarbruecken
address: Germany
phone: +49 681 9325 5801
fax-no: +49 681 9325 5801
nic-hdl: JH383-RIPE
mnt-by: DFN-NTFY
created: 1970-01-01T00:00:00Z
last-modified: 2017-04-10T13:47:53Z
source: RIPE # Filtered
% Information related to '139.19.0.0/16AS680'
route: 139.19.0.0/16
origin: AS680
mnt-by: DFN-MNT
created: 2016-11-30T12:23:27Z
last-modified: 2016-11-30T12:23:27Z
source: RIPE
descr: MPII-139-19
% This query was served by the RIPE Database Query Service version 1.109 (ABERDEEN)
Lines containing failures of 139.19.117.197 (max 1000)
Dec 13 15:29:50 panela sshd[1150298]: error: maximum authentication attempts exceeded for root from 139.19.117.197 port 44584 ssh2 [preauth]
Dec 13 15:29:50 panela sshd[1150298]: Disconnecting authenticating user root 139.19.117.197 port 44584: Too many authentication failures [preauth]
Dec 13 15:29:51 panela sshd[1150301]: error: maximum authentication attempts exceeded for root from 139.19.117.197 port 44588 ssh2 [preauth]
Dec 13 15:29:51 panela sshd[1150301]: Disconnecting authenticating user root 139.19.117.197 port 44588: Too many authentication failures [preauth]
Dec 13 15:29:52 panela sshd[1150304]: error: maximum authentication attempts exceeded for root from 139.19.117.197 port 44604 ssh2 [preauth]
Dec 13 15:29:52 panela sshd[1150304]: Disconnecting authenticating user root 139.19.117.197 port 44604: Too many authentication failures [preauth]
Dec 13 15:29:52 panela sshd[1150306]: error: maximum authentication attempts exceeded for root from 139.19.117.197 port 44612 ssh2 [preauth]
Dec 13 15:29:52 panela sshd[1150306]: Disconnecting authenticating user root 139.19.117.197 port 44612: Too many authentication failures [preauth]
Dec 13 15:29:53 panela sshd[1150328]: error: maximum authentication attempts exceeded for root from 139.19.117.197 port 44622 ssh2 [preauth]
Dec 13 15:29:53 panela sshd[1150328]: Disconnecting authenticating user root 139.19.117.197 port 44622: Too many authentication failures [preauth]
Dec 13 15:29:54 panela sshd[1150350]: error: maximum authentication attempts exceeded for root from 139.19.117.197 port 44638 ssh2 [preauth]
Dec 13 15:29:54 panela sshd[1150350]: Disconnecting authenticating user root 139.19.117.197 port 44638: Too many authentication failures [preauth]
Dec 13 15:29:55 panela sshd[1150362]: error: maximum authentication attempts exceeded for root from 139.19.117.197 port 44640 ssh2 [preauth]
Dec 13 15:29:55 panela sshd[1150362]: Disconnecting authenticating user root 139.19.117.197 port 44640: Too many authentication failures [preauth]
Dec 13 15:29:56 panela sshd[1150365]: error: maximum authentication attempts exceeded for root from 139.19.117.197 port 44646 ssh2 [preauth]
Dec 13 15:29:56 panela sshd[1150365]: Disconnecting authenticating user root 139.19.117.197 port 44646: Too many authentication failures [preauth]
Dec 13 15:29:56 panela sshd[1150367]: Connection closed by authenticating user root 139.19.117.197 port 44654 [preauth]
Dec 14 10:11:33 panela sshd[1185380]: User admin from 139.19.117.197 not allowed because none of user's groups are listed in AllowGroups
Dec 14 10:11:33 panela sshd[1185380]: error: maximum authentication attempts exceeded for invalid user admin from 139.19.117.197 port 56004 ssh2 [preauth]
Dec 14 10:11:33 panela sshd[1185380]: Disconnecting invalid user admin 139.19.117.197 port 56004: Too many authentication failures [preauth]
Dec 14 10:11:33 panela sshd[1185383]: User admin from 139.19.117.197 not allowed because none of user's groups are listed in AllowGroups
Dec 14 10:11:34 panela sshd[1185383]: error: maximum authentication attempts exceeded for invalid user admin from 139.19.117.197 port 56016 ssh2 [preauth]
Dec 14 10:11:34 panela sshd[1185383]: Disconnecting invalid user admin 139.19.117.197 port 56016: Too many authentication failures [preauth]
Dec 14 10:11:34 panela sshd[1185385]: User admin from 139.19.117.197 not allowed because none of user's groups are listed in AllowGroups
Dec 14 10:11:34 panela sshd[1185385]: error: maximum authentication attempts exceeded for invalid user admin from 139.19.117.197 port 56022 ssh2 [preauth]
Dec 14 10:11:34 panela sshd[1185385]: Disconnecting invalid user admin 139.19.117.197 port 56022: Too many authentication failures [preauth]
Dec 14 10:11:35 panela sshd[1185426]: User admin from 139.19.117.197 not allowed because none of user's groups are listed in AllowGroups
Regards,
Fail2Ban
What I didn't like was the fact that my SSH port is non-conventional, so how the heck was it found? (NOTE: rhetorical question)
After this, I just changed the port to another one.
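As an added illustration (not part of the original post and not fail2ban's own code), the script below replays the counting that produces a "banned after 5 attempts against ssh" mail: sshd failure lines are matched per source IP, a host is banned once `maxretry` failures fall inside a `findtime` window, and further failures are ignored while the ban lasts. The log lines are constructed after the ones in the mail (plus one unrelated successful login), the two regexes are simplified approximations of what fail2ban's sshd filter matches rather than its actual expressions, and the year 2023 is assumed because syslog timestamps carry none.

```python
"""Replay of fail2ban-style sshd failure counting over sample log lines.

Added example; not fail2ban's code. Equivalent jail.local settings for the
sshd jail would be: maxretry = 5, findtime = 10m, bantime = 10m, and
action = %(action_mwl)s (the "mail with whois and log lines" action that
produces the kind of notification shown above).
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in syslog format, modelled on the post's mail.
# 203.0.113.7 is a documentation address used for the unrelated login.
SAMPLE_LOG = """\
Dec 13 15:29:50 panela sshd[1150298]: error: maximum authentication attempts exceeded for root from 139.19.117.197 port 44584 ssh2 [preauth]
Dec 13 15:29:50 panela sshd[1150298]: Disconnecting authenticating user root 139.19.117.197 port 44584: Too many authentication failures [preauth]
Dec 13 15:29:51 panela sshd[1150301]: error: maximum authentication attempts exceeded for root from 139.19.117.197 port 44588 ssh2 [preauth]
Dec 13 15:29:52 panela sshd[1150304]: error: maximum authentication attempts exceeded for root from 139.19.117.197 port 44604 ssh2 [preauth]
Dec 13 15:29:52 panela sshd[1150306]: error: maximum authentication attempts exceeded for root from 139.19.117.197 port 44612 ssh2 [preauth]
Dec 13 15:29:53 panela sshd[1150328]: error: maximum authentication attempts exceeded for root from 139.19.117.197 port 44622 ssh2 [preauth]
Dec 13 15:29:56 panela sshd[1150367]: Connection closed by authenticating user root 139.19.117.197 port 44654 [preauth]
Dec 14 10:11:33 panela sshd[1185380]: User admin from 139.19.117.197 not allowed because none of user's groups are listed in AllowGroups
Dec 14 10:11:33 panela sshd[1185380]: error: maximum authentication attempts exceeded for invalid user admin from 139.19.117.197 port 56004 ssh2 [preauth]
Dec 14 10:11:34 panela sshd[1185383]: User admin from 139.19.117.197 not allowed because none of user's groups are listed in AllowGroups
Dec 14 10:11:34 panela sshd[1185383]: error: maximum authentication attempts exceeded for invalid user admin from 139.19.117.197 port 56016 ssh2 [preauth]
Dec 14 10:11:34 panela sshd[1185385]: User admin from 139.19.117.197 not allowed because none of user's groups are listed in AllowGroups
Dec 14 10:11:34 panela sshd[1185385]: error: maximum authentication attempts exceeded for invalid user admin from 139.19.117.197 port 56022 ssh2 [preauth]
Dec 14 10:11:35 panela sshd[1185426]: User admin from 139.19.117.197 not allowed because none of user's groups are listed in AllowGroups
Dec 14 10:20:00 panela sshd[1190000]: Accepted publickey for alice from 203.0.113.7 port 50000 ssh2
"""

# Simplified failure patterns (an approximation, not fail2ban's sshd filter).
FAIL_PATTERNS = [
    re.compile(r"error: maximum authentication attempts exceeded for "
               r"(?:invalid user )?(?P<user>\S+) from (?P<host>\S+)"),
    re.compile(r"User (?P<user>\S+) from (?P<host>\S+) not allowed because "
               r"none of user's groups are listed in AllowGroups"),
]


def parse_failure(line, year=2023):
    """Return (timestamp, host, user) if the line is a failure, else None."""
    for pat in FAIL_PATTERNS:
        m = pat.search(line)
        if m:
            # syslog timestamps have no year; the caller supplies one
            ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
            return ts, m.group("host"), m.group("user")
    return None


def find_bans(log, year=2023, maxretry=5, findtime=600, bantime=600):
    """Replay the log and return [(host, ban_time, failures_counted)].

    A host is banned once it accumulates `maxretry` failures inside a
    `findtime`-second window; while banned (`bantime` seconds) its further
    failures are not counted, which is why the mail reports exactly 5.
    """
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)   # host -> timestamps of recent failures
    banned_until = {}             # host -> when the current ban expires
    bans = []
    for line in log.splitlines():
        hit = parse_failure(line, year)
        if hit is None:
            continue
        ts, host, _user = hit
        if host in banned_until and ts < banned_until[host]:
            continue              # already banned: nothing to count
        q = recent[host]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # forget failures older than findtime
        if len(q) >= maxretry:
            bans.append((host, ts, len(q)))
            banned_until[host] = ts + timedelta(seconds=bantime)
            q.clear()
    return bans


def failure_lines(log, host, year=2023, limit=1000):
    """The 'Lines containing failures of <host> (max 1000)' part of the mail."""
    out = []
    for line in log.splitlines():
        hit = parse_failure(line, year)
        if hit and hit[1] == host:
            out.append(line)
            if len(out) >= limit:
                break
    return out


if __name__ == "__main__":
    for host, when, count in find_bans(SAMPLE_LOG):
        print(f"{when:%b %d %H:%M:%S}: ban {host} after {count} attempts")
```

Run stand-alone it reports one ban per day for the source address: the five "maximum authentication attempts exceeded" lines on Dec 13, and on Dec 14 the mix of AllowGroups rejections and exhausted attempts, with the failures that arrive after the ban not counted toward a second one that day.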