is iptables broken on my raspberry-pi? how to fix?
0
I am getting some person(s) trying to brute force my ssh, from multiple ip addresses (small sample) :
May 22 19:50:02 rpi sshd[1272]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.205.84 user=root
May 22 19:50:04 rpi sshd[1272]: Failed password for root from 58.218.205.84 port 50690 ssh2
May 22 19:50:06 rpi sshd[1272]: Failed password for root from 58.218.205.84 port 50690 ssh2
May 22 19:50:08 rpi sshd[1272]: Failed password for root from 58.218.205.84 port 50690 ssh2
May 22 19:50:09 rpi sshd[1272]: Received disconnect from 58.218.205.84: 11: [preauth]
May 22 19:50:09 rpi sshd[1272]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.205.84 user=root
May 22 19:50:10 rpi sshd[1276]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.205.84 user=root
May 22 19:50:13 rpi sshd[1276]: Failed password for root from 58.218.205.84 port 58560 ssh2
May 22 19:50:15 rpi sshd[1276]: Failed password for root from 58.218.205.84 port 58560 ssh2
May 22 19:50:17 rpi sshd[1276]: Failed password for root from 58.218.205.84 port 58560 ssh2
May 22 19:50:18 rpi sshd[1276]: Received disconnect from 58.218.205.84: 11: [preauth]
May 22 19:50:18 rpi sshd[1276]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.205.84 user=root
May 22 19:50:24 rpi sshd[1280]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.205.84 user=root
May 22 19:50:27 rpi sshd[1280]: Failed password for root from 58.218.205.84 port 34793 ssh2
May 22 19:50:29 rpi sshd[1280]: Failed password for root from 58.218.205.84 port 34793 ssh2
May 22 19:50:31 rpi sshd[1280]: Failed password for root from 58.218.205.84 port 34793 ssh2
May 22 19:50:31 rpi sshd[1280]: Received disconnect from 58.218.205.84: 11: [preauth]
May 22 19:50:31 rpi sshd[1280]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.205.84 user=root
So I installed fail2ban, however its not working. The config for it is :
# Fail2Ban configuration file.
#
# This file was composed for Debian systems from the original one
# provided now under /usr/share/doc/fail2ban/examples/jail.conf
# for additional examples.
#
# To avoid merges during upgrades DO NOT MODIFY THIS FILE
# and rather provide your changes in /etc/fail2ban/jail.local
#
# Author: Yaroslav O. Halchenko <debian@onerussian.com>
#
# $Revision$
#
# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1/8 192.168.1.0/24
bantime = 600
maxretry = 3
# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto".
# yoh: For some reason Debian shipped python-gamin didn't work as expected
# This issue left ToDo, so polling is default backend for now
backend = auto
#
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = root@localhost
#
# ACTIONS
#
# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define
# action_* variables. Can be overridden globally or per
# section within jail.local file
banaction = iptables-multiport
# email action. Since 0.8.1 upstream fail2ban uses sendmail
# MTA for the mailing. Change mta configuration parameter to mail
# if you want to revert to conventional 'mail'.
mta = sendmail
# Default protocol
protocol = tcp
# Specify chain where jumps would need to be added in iptables-* actions
chain = INPUT
#
# Action shortcuts. To be used to define action parameter
# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
# ban & send an e-mail with whois report to the destemail.
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
%(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
# ban & send an e-mail with whois report and relevant log lines
# to the destemail.
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
%(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
# Choose default action. To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
action = %(action_)s
#
# JAILS
#
# Next jails corresponds to the standard configuration in Fail2ban 0.6 which
# was shipped in Debian. Enable any defined here jail by including
#
# [SECTION_NAME]
# enabled = true
#
# in /etc/fail2ban/jail.local.
#
# Optionally you may override any other parameter (e.g. banaction,
# action, port, logpath, etc) in that section within jail.local
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 6
[dropbear]
enabled = false
port = ssh
filter = sshd
logpath = /var/log/dropbear
maxretry = 6
# Generic filter for pam. Has to be used with action which bans all ports
# such as iptables-allports, shorewall
[pam-generic]
enabled = false
# pam-generic filter can be customized to monitor specific subset of 'tty's
filter = pam-generic
# port actually must be irrelevant but lets leave it all for some possible uses
port = all
banaction = iptables-allports
port = anyport
logpath = /var/log/auth.log
maxretry = 6
[xinetd-fail]
enabled = false
filter = xinetd-fail
port = all
banaction = iptables-multiport-log
logpath = /var/log/daemon.log
maxretry = 2
[ssh-ddos]
enabled = false
port = ssh
filter = sshd-ddos
logpath = /var/log/auth.log
maxretry = 6
#
# HTTP servers
#
[apache]
enabled = false
port = http,https
filter = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 6
# default action is now multiport, so apache-multiport jail was left
# for compatibility with previous (<0.7.6-2) releases
[apache-multiport]
enabled = false
port = http,https
filter = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 6
[apache-noscript]
enabled = false
port = http,https
filter = apache-noscript
logpath = /var/log/apache*/*error.log
maxretry = 6
[apache-overflows]
enabled = false
port = http,https
filter = apache-overflows
logpath = /var/log/apache*/*error.log
maxretry = 2
#
# FTP servers
#
[vsftpd]
enabled = false
port = ftp,ftp-data,ftps,ftps-data
filter = vsftpd
logpath = /var/log/vsftpd.log
# or overwrite it in jails.local to be
# logpath = /var/log/auth.log
# if you want to rely on PAM failed login attempts
# vsftpd's failregex should match both of those formats
maxretry = 6
[proftpd]
enabled = false
port = ftp,ftp-data,ftps,ftps-data
filter = proftpd
logpath = /var/log/proftpd/proftpd.log
maxretry = 6
[pure-ftpd]
enabled = false
port = ftp,ftp-data,ftps,ftps-data
filter = pure-ftpd
logpath = /var/log/auth.log
maxretry = 6
[wuftpd]
enabled = false
port = ftp,ftp-data,ftps,ftps-data
filter = wuftpd
logpath = /var/log/auth.log
maxretry = 6
#
# Mail servers
#
[postfix]
enabled = false
port = smtp,ssmtp
filter = postfix
logpath = /var/log/mail.log
[couriersmtp]
enabled = false
port = smtp,ssmtp
filter = couriersmtp
logpath = /var/log/mail.log
#
# Mail servers authenticators: might be used for smtp,ftp,imap servers, so
# all relevant ports get banned
#
[courierauth]
enabled = false
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter = courierlogin
logpath = /var/log/mail.log
[sasl]
enabled = false
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter = sasl
# You might consider monitoring /var/log/mail.warn instead if you are
# running postfix since it would provide the same log lines at the
# "warn" level but overall at the smaller filesize.
logpath = /var/log/mail.log
[dovecot]
enabled = false
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter = dovecot
logpath = /var/log/mail.log
# DNS Servers
# These jails block attacks against named (bind9). By default, logging is off
# with bind9 installation. You will need something like this:
#
# logging {
# channel security_file {
# file "/var/log/named/security.log" versions 3 size 30m;
# severity dynamic;
# print-time yes;
# };
# category security {
# security_file;
# };
# };
#
# in your named.conf to provide proper logging
# !!! WARNING !!!
# Since UDP is connection-less protocol, spoofing of IP and imitation
# of illegal actions is way too simple. Thus enabling of this filter
# might provide an easy way for implementing a DoS against a chosen
# victim. See
# http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
# Please DO NOT USE this jail unless you know what you are doing.
#[named-refused-udp]
#
#enabled = false
#port = domain,953
#protocol = udp
#filter = named-refused
#logpath = /var/log/named/security.log
[named-refused-tcp]
enabled = false
port = domain,953
protocol = tcp
filter = named-refused
logpath = /var/log/named/security.log
I have not changed anything inside except the local ips that it should ignore. So, after 4000 login attempts today, the ip has not been banned once, since the logs clearly show the person(s) is able to retry multiple times a minute still.
So I did sudo iptables -L and got :
libkmod: ERROR ../libkmod/libkmod.c:554 kmod_search_moddep: could not open moddep file '/lib/modules/3.18.7-v7+/modules.dep.bin'
iptables v1.4.14: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
Hmm. I also checked the fail2ban log cat /var/log/fail2ban.log and got :
2015-05-22 12:05:43,083 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.6
2015-05-22 12:05:43,086 fail2ban.jail : INFO Creating new jail 'ssh'
2015-05-22 12:05:43,088 fail2ban.jail : INFO Jail 'ssh' uses poller
2015-05-22 12:05:43,166 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2015-05-22 12:05:43,169 fail2ban.filter : INFO Set maxRetry = 6
2015-05-22 12:05:43,173 fail2ban.filter : INFO Set findtime = 600
2015-05-22 12:05:43,176 fail2ban.actions: INFO Set banTime = 600
2015-05-22 12:05:43,385 fail2ban.jail : INFO Jail 'ssh' started
2015-05-22 12:05:43,467 fail2ban.actions.action: ERROR iptables -N fail2ban-ssh
iptables -A fail2ban-ssh -j RETURN
iptables -I INPUT -p tcp -m multiport --dports ssh -j fail2ban-ssh returned 300
2015-05-22 19:42:34,799 fail2ban.server : INFO Stopping all jails
2015-05-22 19:42:35,753 fail2ban.actions.action: ERROR iptables -D INPUT -p tcp -m multiport --dports ssh -j fail2ban-ssh
iptables -F fail2ban-ssh
iptables -X fail2ban-ssh returned 300
2015-05-22 19:42:35,754 fail2ban.jail : INFO Jail 'ssh' stopped
2015-05-22 19:42:35,763 fail2ban.server : INFO Exiting Fail2ban
2015-05-22 19:42:37,686 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.6
2015-05-22 19:42:37,689 fail2ban.jail : INFO Creating new jail 'ssh'
2015-05-22 19:42:37,695 fail2ban.jail : INFO Jail 'ssh' uses Gamin
2015-05-22 19:42:37,824 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2015-05-22 19:42:37,827 fail2ban.filter : INFO Set maxRetry = 6
2015-05-22 19:42:37,834 fail2ban.filter : INFO Set findtime = 600
2015-05-22 19:42:37,837 fail2ban.actions: INFO Set banTime = 600
2015-05-22 19:42:38,053 fail2ban.jail : INFO Jail 'ssh' started
2015-05-22 19:42:38,126 fail2ban.actions.action: ERROR iptables -N fail2ban-ssh
iptables -A fail2ban-ssh -j RETURN
iptables -I INPUT -p tcp -m multiport --dports ssh -j fail2ban-ssh returned 300
I also checked fail2ban-regex against the auth.log, and it said over 4000 matches.
What is going on, is iptables broken in raspian? How to fix?
ssh logs firewall authentication fail2ban
asked May 22 '15 at 20:07
sprocket12sprocket12
1891111
bumped to the homepage by Community♦ 29 mins ago
This question has answers that may be good or bad; the system has marked it active so that they can be reviewed.
add a comment |
0
I am getting some person(s) trying to brute force my ssh, from multiple ip addresses (small sample) :
May 22 19:50:02 rpi sshd[1272]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.205.84 user=root
May 22 19:50:04 rpi sshd[1272]: Failed password for root from 58.218.205.84 port 50690 ssh2
May 22 19:50:06 rpi sshd[1272]: Failed password for root from 58.218.205.84 port 50690 ssh2
May 22 19:50:08 rpi sshd[1272]: Failed password for root from 58.218.205.84 port 50690 ssh2
May 22 19:50:09 rpi sshd[1272]: Received disconnect from 58.218.205.84: 11: [preauth]
May 22 19:50:09 rpi sshd[1272]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.205.84 user=root
May 22 19:50:10 rpi sshd[1276]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.205.84 user=root
May 22 19:50:13 rpi sshd[1276]: Failed password for root from 58.218.205.84 port 58560 ssh2
May 22 19:50:15 rpi sshd[1276]: Failed password for root from 58.218.205.84 port 58560 ssh2
May 22 19:50:17 rpi sshd[1276]: Failed password for root from 58.218.205.84 port 58560 ssh2
May 22 19:50:18 rpi sshd[1276]: Received disconnect from 58.218.205.84: 11: [preauth]
May 22 19:50:18 rpi sshd[1276]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.205.84 user=root
May 22 19:50:24 rpi sshd[1280]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.205.84 user=root
May 22 19:50:27 rpi sshd[1280]: Failed password for root from 58.218.205.84 port 34793 ssh2
May 22 19:50:29 rpi sshd[1280]: Failed password for root from 58.218.205.84 port 34793 ssh2
May 22 19:50:31 rpi sshd[1280]: Failed password for root from 58.218.205.84 port 34793 ssh2
May 22 19:50:31 rpi sshd[1280]: Received disconnect from 58.218.205.84: 11: [preauth]
May 22 19:50:31 rpi sshd[1280]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.205.84 user=root
So I installed fail2ban, however its not working. The config for it is :
# Fail2Ban configuration file.
#
# This file was composed for Debian systems from the original one
# provided now under /usr/share/doc/fail2ban/examples/jail.conf
# for additional examples.
#
# To avoid merges during upgrades DO NOT MODIFY THIS FILE
# and rather provide your changes in /etc/fail2ban/jail.local
#
# Author: Yaroslav O. Halchenko <debian@onerussian.com>
#
# $Revision$
#
# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1/8 192.168.1.0/24
bantime = 600
maxretry = 3
# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto".
# yoh: For some reason Debian shipped python-gamin didn't work as expected
# This issue left ToDo, so polling is default backend for now
backend = auto
#
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = root@localhost
#
# ACTIONS
#
# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define
# action_* variables. Can be overridden globally or per
# section within jail.local file
banaction = iptables-multiport
# email action. Since 0.8.1 upstream fail2ban uses sendmail
# MTA for the mailing. Change mta configuration parameter to mail
# if you want to revert to conventional 'mail'.
mta = sendmail
# Default protocol
protocol = tcp
# Specify chain where jumps would need to be added in iptables-* actions
chain = INPUT
#
# Action shortcuts. To be used to define action parameter
# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
# ban & send an e-mail with whois report to the destemail.
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
%(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
# ban & send an e-mail with whois report and relevant log lines
# to the destemail.
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
%(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
# Choose default action. To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
action = %(action_)s
#
# JAILS
#
# Next jails corresponds to the standard configuration in Fail2ban 0.6 which
# was shipped in Debian. Enable any defined here jail by including
#
# [SECTION_NAME]
# enabled = true
#
# in /etc/fail2ban/jail.local.
#
# Optionally you may override any other parameter (e.g. banaction,
# action, port, logpath, etc) in that section within jail.local
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 6
[dropbear]
enabled = false
port = ssh
filter = sshd
logpath = /var/log/dropbear
maxretry = 6
# Generic filter for pam. Has to be used with action which bans all ports
# such as iptables-allports, shorewall
[pam-generic]
enabled = false
# pam-generic filter can be customized to monitor specific subset of 'tty's
filter = pam-generic
# port actually must be irrelevant but lets leave it all for some possible uses
port = all
banaction = iptables-allports
port = anyport
logpath = /var/log/auth.log
maxretry = 6
[xinetd-fail]
enabled = false
filter = xinetd-fail
port = all
banaction = iptables-multiport-log
logpath = /var/log/daemon.log
maxretry = 2
[ssh-ddos]
enabled = false
port = ssh
filter = sshd-ddos
logpath = /var/log/auth.log
maxretry = 6
#
# HTTP servers
#
[apache]
enabled = false
port = http,https
filter = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 6
# default action is now multiport, so apache-multiport jail was left
# for compatibility with previous (<0.7.6-2) releases
[apache-multiport]
enabled = false
port = http,https
filter = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 6
[apache-noscript]
enabled = false
port = http,https
filter = apache-noscript
logpath = /var/log/apache*/*error.log
maxretry = 6
[apache-overflows]
enabled = false
port = http,https
filter = apache-overflows
logpath = /var/log/apache*/*error.log
maxretry = 2
#
# FTP servers
#
[vsftpd]
enabled = false
port = ftp,ftp-data,ftps,ftps-data
filter = vsftpd
logpath = /var/log/vsftpd.log
# or overwrite it in jails.local to be
# logpath = /var/log/auth.log
# if you want to rely on PAM failed login attempts
# vsftpd's failregex should match both of those formats
maxretry = 6
[proftpd]
enabled = false
port = ftp,ftp-data,ftps,ftps-data
filter = proftpd
logpath = /var/log/proftpd/proftpd.log
maxretry = 6
[pure-ftpd]
enabled = false
port = ftp,ftp-data,ftps,ftps-data
filter = pure-ftpd
logpath = /var/log/auth.log
maxretry = 6
[wuftpd]
enabled = false
port = ftp,ftp-data,ftps,ftps-data
filter = wuftpd
logpath = /var/log/auth.log
maxretry = 6
#
# Mail servers
#
[postfix]
enabled = false
port = smtp,ssmtp
filter = postfix
logpath = /var/log/mail.log
[couriersmtp]
enabled = false
port = smtp,ssmtp
filter = couriersmtp
logpath = /var/log/mail.log
#
# Mail servers authenticators: might be used for smtp,ftp,imap servers, so
# all relevant ports get banned
#
[courierauth]
enabled = false
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter = courierlogin
logpath = /var/log/mail.log
[sasl]
enabled = false
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter = sasl
# You might consider monitoring /var/log/mail.warn instead if you are
# running postfix since it would provide the same log lines at the
# "warn" level but overall at the smaller filesize.
logpath = /var/log/mail.log
[dovecot]
enabled = false
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter = dovecot
logpath = /var/log/mail.log
# DNS Servers
# These jails block attacks against named (bind9). By default, logging is off
# with bind9 installation. You will need something like this:
#
# logging {
# channel security_file {
# file "/var/log/named/security.log" versions 3 size 30m;
# severity dynamic;
# print-time yes;
# };
# category security {
# security_file;
# };
# };
#
# in your named.conf to provide proper logging
# !!! WARNING !!!
# Since UDP is connection-less protocol, spoofing of IP and imitation
# of illegal actions is way too simple. Thus enabling of this filter
# might provide an easy way for implementing a DoS against a chosen
# victim. See
# http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
# Please DO NOT USE this jail unless you know what you are doing.
#[named-refused-udp]
#
#enabled = false
#port = domain,953
#protocol = udp
#filter = named-refused
#logpath = /var/log/named/security.log
[named-refused-tcp]
enabled = false
port = domain,953
protocol = tcp
filter = named-refused
logpath = /var/log/named/security.log
I have not changed anything inside except the local ips that it should ignore. So, after 4000 login attempts today, the ip has not been banned once, since the logs clearly show the person(s) is able to retry multiple times a minute still.
So I did sudo iptables -L and got :
libkmod: ERROR ../libkmod/libkmod.c:554 kmod_search_moddep: could not open moddep file '/lib/modules/3.18.7-v7+/modules.dep.bin'
iptables v1.4.14: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
Hmm. I also checked the fail2ban log cat /var/log/fail2ban.log and got :
2015-05-22 12:05:43,083 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.6
2015-05-22 12:05:43,086 fail2ban.jail : INFO Creating new jail 'ssh'
2015-05-22 12:05:43,088 fail2ban.jail : INFO Jail 'ssh' uses poller
2015-05-22 12:05:43,166 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2015-05-22 12:05:43,169 fail2ban.filter : INFO Set maxRetry = 6
2015-05-22 12:05:43,173 fail2ban.filter : INFO Set findtime = 600
2015-05-22 12:05:43,176 fail2ban.actions: INFO Set banTime = 600
2015-05-22 12:05:43,385 fail2ban.jail : INFO Jail 'ssh' started
2015-05-22 12:05:43,467 fail2ban.actions.action: ERROR iptables -N fail2ban-ssh
iptables -A fail2ban-ssh -j RETURN
iptables -I INPUT -p tcp -m multiport --dports ssh -j fail2ban-ssh returned 300
2015-05-22 19:42:34,799 fail2ban.server : INFO Stopping all jails
2015-05-22 19:42:35,753 fail2ban.actions.action: ERROR iptables -D INPUT -p tcp -m multiport --dports ssh -j fail2ban-ssh
iptables -F fail2ban-ssh
iptables -X fail2ban-ssh returned 300
2015-05-22 19:42:35,754 fail2ban.jail : INFO Jail 'ssh' stopped
2015-05-22 19:42:35,763 fail2ban.server : INFO Exiting Fail2ban
2015-05-22 19:42:37,686 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.6
2015-05-22 19:42:37,689 fail2ban.jail : INFO Creating new jail 'ssh'
2015-05-22 19:42:37,695 fail2ban.jail : INFO Jail 'ssh' uses Gamin
2015-05-22 19:42:37,824 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2015-05-22 19:42:37,827 fail2ban.filter : INFO Set maxRetry = 6
2015-05-22 19:42:37,834 fail2ban.filter : INFO Set findtime = 600
2015-05-22 19:42:37,837 fail2ban.actions: INFO Set banTime = 600
2015-05-22 19:42:38,053 fail2ban.jail : INFO Jail 'ssh' started
2015-05-22 19:42:38,126 fail2ban.actions.action: ERROR iptables -N fail2ban-ssh
iptables -A fail2ban-ssh -j RETURN
iptables -I INPUT -p tcp -m multiport --dports ssh -j fail2ban-ssh returned 300
I also checked fail2ban-regex against the auth.log, and it said over 4000 matches.
What is going on, is iptables broken in raspian? How to fix?
ssh logs firewall authentication fail2ban
asked May 22 '15 at 20:07
sprocket12sprocket12
1891111
bumped to the homepage by Community♦ 29 mins ago
This question has answers that may be good or bad; the system has marked it active so that they can be reviewed.
1
Not a direct answer to your question, but try moving ssh to a non-standard port. You'll see a lot less scans there.
– lcd047
May 22 '15 at 20:12
add a comment |
0
0
0
I am getting some person(s) trying to brute force my ssh, from multiple ip addresses (small sample) :
May 22 19:50:02 rpi sshd[1272]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.205.84 user=root
May 22 19:50:04 rpi sshd[1272]: Failed password for root from 58.218.205.84 port 50690 ssh2
May 22 19:50:06 rpi sshd[1272]: Failed password for root from 58.218.205.84 port 50690 ssh2
May 22 19:50:08 rpi sshd[1272]: Failed password for root from 58.218.205.84 port 50690 ssh2
May 22 19:50:09 rpi sshd[1272]: Received disconnect from 58.218.205.84: 11: [preauth]
May 22 19:50:09 rpi sshd[1272]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.205.84 user=root
May 22 19:50:10 rpi sshd[1276]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.205.84 user=root
May 22 19:50:13 rpi sshd[1276]: Failed password for root from 58.218.205.84 port 58560 ssh2
May 22 19:50:15 rpi sshd[1276]: Failed password for root from 58.218.205.84 port 58560 ssh2
May 22 19:50:17 rpi sshd[1276]: Failed password for root from 58.218.205.84 port 58560 ssh2
May 22 19:50:18 rpi sshd[1276]: Received disconnect from 58.218.205.84: 11: [preauth]
May 22 19:50:18 rpi sshd[1276]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.205.84 user=root
May 22 19:50:24 rpi sshd[1280]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.205.84 user=root
May 22 19:50:27 rpi sshd[1280]: Failed password for root from 58.218.205.84 port 34793 ssh2
May 22 19:50:29 rpi sshd[1280]: Failed password for root from 58.218.205.84 port 34793 ssh2
May 22 19:50:31 rpi sshd[1280]: Failed password for root from 58.218.205.84 port 34793 ssh2
May 22 19:50:31 rpi sshd[1280]: Received disconnect from 58.218.205.84: 11: [preauth]
May 22 19:50:31 rpi sshd[1280]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.205.84 user=root
So I installed fail2ban, however its not working. The config for it is :
# Fail2Ban configuration file.
#
# This file was composed for Debian systems from the original one
# provided now under /usr/share/doc/fail2ban/examples/jail.conf
# for additional examples.
#
# To avoid merges during upgrades DO NOT MODIFY THIS FILE
# and rather provide your changes in /etc/fail2ban/jail.local
#
# Author: Yaroslav O. Halchenko <debian@onerussian.com>
#
# $Revision$
#
# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1/8 192.168.1.0/24
bantime = 600
maxretry = 3
# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto".
# yoh: For some reason Debian shipped python-gamin didn't work as expected
# This issue left ToDo, so polling is default backend for now
backend = auto
#
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = root@localhost
#
# ACTIONS
#
# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define
# action_* variables. Can be overridden globally or per
# section within jail.local file
banaction = iptables-multiport
# email action. Since 0.8.1 upstream fail2ban uses sendmail
# MTA for the mailing. Change mta configuration parameter to mail
# if you want to revert to conventional 'mail'.
mta = sendmail
# Default protocol
protocol = tcp
# Specify chain where jumps would need to be added in iptables-* actions
chain = INPUT
#
# Action shortcuts. To be used to define action parameter
# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
# ban & send an e-mail with whois report to the destemail.
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
%(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
# ban & send an e-mail with whois report and relevant log lines
# to the destemail.
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
%(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
# Choose default action. To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
action = %(action_)s
#
# JAILS
#
# Next jails corresponds to the standard configuration in Fail2ban 0.6 which
# was shipped in Debian. Enable any defined here jail by including
#
# [SECTION_NAME]
# enabled = true
#
# in /etc/fail2ban/jail.local.
#
# Optionally you may override any other parameter (e.g. banaction,
# action, port, logpath, etc) in that section within jail.local
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 6
[dropbear]
enabled = false
port = ssh
filter = sshd
logpath = /var/log/dropbear
maxretry = 6
# Generic filter for pam. Has to be used with action which bans all ports
# such as iptables-allports, shorewall
[pam-generic]
enabled = false
# pam-generic filter can be customized to monitor specific subset of 'tty's
filter = pam-generic
# port actually must be irrelevant but lets leave it all for some possible uses
port = all
banaction = iptables-allports
port = anyport
logpath = /var/log/auth.log
maxretry = 6
[xinetd-fail]
enabled = false
filter = xinetd-fail
port = all
banaction = iptables-multiport-log
logpath = /var/log/daemon.log
maxretry = 2
[ssh-ddos]
enabled = false
port = ssh
filter = sshd-ddos
logpath = /var/log/auth.log
maxretry = 6
#
# HTTP servers
#
[apache]
enabled = false
port = http,https
filter = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 6
# default action is now multiport, so apache-multiport jail was left
# for compatibility with previous (<0.7.6-2) releases
[apache-multiport]
enabled = false
port = http,https
filter = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 6
[apache-noscript]
enabled = false
port = http,https
filter = apache-noscript
logpath = /var/log/apache*/*error.log
maxretry = 6
[apache-overflows]
enabled = false
port = http,https
filter = apache-overflows
logpath = /var/log/apache*/*error.log
maxretry = 2
#
# FTP servers
#
[vsftpd]
enabled = false
port = ftp,ftp-data,ftps,ftps-data
filter = vsftpd
logpath = /var/log/vsftpd.log
# or overwrite it in jails.local to be
# logpath = /var/log/auth.log
# if you want to rely on PAM failed login attempts
# vsftpd's failregex should match both of those formats
maxretry = 6
[proftpd]
enabled = false
port = ftp,ftp-data,ftps,ftps-data
filter = proftpd
logpath = /var/log/proftpd/proftpd.log
maxretry = 6
[pure-ftpd]
enabled = false
port = ftp,ftp-data,ftps,ftps-data
filter = pure-ftpd
logpath = /var/log/auth.log
maxretry = 6
[wuftpd]
enabled = false
port = ftp,ftp-data,ftps,ftps-data
filter = wuftpd
logpath = /var/log/auth.log
maxretry = 6
#
# Mail servers
#
[postfix]
enabled = false
port = smtp,ssmtp
filter = postfix
logpath = /var/log/mail.log
[couriersmtp]
enabled = false
port = smtp,ssmtp
filter = couriersmtp
logpath = /var/log/mail.log
#
# Mail servers authenticators: might be used for smtp,ftp,imap servers, so
# all relevant ports get banned
#
[courierauth]
enabled = false
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter = courierlogin
logpath = /var/log/mail.log
[sasl]
enabled = false
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter = sasl
# You might consider monitoring /var/log/mail.warn instead if you are
# running postfix since it would provide the same log lines at the
# "warn" level but overall at the smaller filesize.
logpath = /var/log/mail.log
[dovecot]
enabled = false
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter = dovecot
logpath = /var/log/mail.log
# DNS Servers
# These jails block attacks against named (bind9). By default, logging is off
# with bind9 installation. You will need something like this:
#
# logging {
# channel security_file {
# file "/var/log/named/security.log" versions 3 size 30m;
# severity dynamic;
# print-time yes;
# };
# category security {
# security_file;
# };
# };
#
# in your named.conf to provide proper logging
# !!! WARNING !!!
# Since UDP is connection-less protocol, spoofing of IP and imitation
# of illegal actions is way too simple. Thus enabling of this filter
# might provide an easy way for implementing a DoS against a chosen
# victim. See
# http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
# Please DO NOT USE this jail unless you know what you are doing.
#[named-refused-udp]
#
#enabled = false
#port = domain,953
#protocol = udp
#filter = named-refused
#logpath = /var/log/named/security.log
[named-refused-tcp]
enabled = false
port = domain,953
protocol = tcp
filter = named-refused
logpath = /var/log/named/security.log
I have not changed anything inside except the local ips that it should ignore. So, after 4000 login attempts today, the ip has not been banned once, since the logs clearly show the person(s) is able to retry multiple times a minute still.
So I did sudo iptables -L and got :
libkmod: ERROR ../libkmod/libkmod.c:554 kmod_search_moddep: could not open moddep file '/lib/modules/3.18.7-v7+/modules.dep.bin'
iptables v1.4.14: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
Hmm. I also checked the fail2ban log cat /var/log/fail2ban.log and got :
2015-05-22 12:05:43,083 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.6
2015-05-22 12:05:43,086 fail2ban.jail : INFO Creating new jail 'ssh'
2015-05-22 12:05:43,088 fail2ban.jail : INFO Jail 'ssh' uses poller
2015-05-22 12:05:43,166 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2015-05-22 12:05:43,169 fail2ban.filter : INFO Set maxRetry = 6
2015-05-22 12:05:43,173 fail2ban.filter : INFO Set findtime = 600
2015-05-22 12:05:43,176 fail2ban.actions: INFO Set banTime = 600
2015-05-22 12:05:43,385 fail2ban.jail : INFO Jail 'ssh' started
2015-05-22 12:05:43,467 fail2ban.actions.action: ERROR iptables -N fail2ban-ssh
iptables -A fail2ban-ssh -j RETURN
iptables -I INPUT -p tcp -m multiport --dports ssh -j fail2ban-ssh returned 300
2015-05-22 19:42:34,799 fail2ban.server : INFO Stopping all jails
2015-05-22 19:42:35,753 fail2ban.actions.action: ERROR iptables -D INPUT -p tcp -m multiport --dports ssh -j fail2ban-ssh
iptables -F fail2ban-ssh
iptables -X fail2ban-ssh returned 300
2015-05-22 19:42:35,754 fail2ban.jail : INFO Jail 'ssh' stopped
2015-05-22 19:42:35,763 fail2ban.server : INFO Exiting Fail2ban
2015-05-22 19:42:37,686 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.6
2015-05-22 19:42:37,689 fail2ban.jail : INFO Creating new jail 'ssh'
2015-05-22 19:42:37,695 fail2ban.jail : INFO Jail 'ssh' uses Gamin
2015-05-22 19:42:37,824 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2015-05-22 19:42:37,827 fail2ban.filter : INFO Set maxRetry = 6
2015-05-22 19:42:37,834 fail2ban.filter : INFO Set findtime = 600
2015-05-22 19:42:37,837 fail2ban.actions: INFO Set banTime = 600
2015-05-22 19:42:38,053 fail2ban.jail : INFO Jail 'ssh' started
2015-05-22 19:42:38,126 fail2ban.actions.action: ERROR iptables -N fail2ban-ssh
iptables -A fail2ban-ssh -j RETURN
iptables -I INPUT -p tcp -m multiport --dports ssh -j fail2ban-ssh returned 300
I also checked fail2ban-regex against the auth.log, and it said over 4000 matches.
What is going on, is iptables broken in raspian? How to fix?
ssh logs firewall authentication fail2ban
asked May 22 '15 at 20:07
sprocket12sprocket12
1891111
I am getting some person(s) trying to brute force my ssh, from multiple ip addresses (small sample) :
May 22 19:50:02 rpi sshd[1272]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.205.84 user=root
May 22 19:50:04 rpi sshd[1272]: Failed password for root from 58.218.205.84 port 50690 ssh2
May 22 19:50:06 rpi sshd[1272]: Failed password for root from 58.218.205.84 port 50690 ssh2
May 22 19:50:08 rpi sshd[1272]: Failed password for root from 58.218.205.84 port 50690 ssh2
May 22 19:50:09 rpi sshd[1272]: Received disconnect from 58.218.205.84: 11: [preauth]
May 22 19:50:09 rpi sshd[1272]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.205.84 user=root
May 22 19:50:10 rpi sshd[1276]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.205.84 user=root
May 22 19:50:13 rpi sshd[1276]: Failed password for root from 58.218.205.84 port 58560 ssh2
May 22 19:50:15 rpi sshd[1276]: Failed password for root from 58.218.205.84 port 58560 ssh2
May 22 19:50:17 rpi sshd[1276]: Failed password for root from 58.218.205.84 port 58560 ssh2
May 22 19:50:18 rpi sshd[1276]: Received disconnect from 58.218.205.84: 11: [preauth]
May 22 19:50:18 rpi sshd[1276]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.205.84 user=root
May 22 19:50:24 rpi sshd[1280]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.205.84 user=root
May 22 19:50:27 rpi sshd[1280]: Failed password for root from 58.218.205.84 port 34793 ssh2
May 22 19:50:29 rpi sshd[1280]: Failed password for root from 58.218.205.84 port 34793 ssh2
May 22 19:50:31 rpi sshd[1280]: Failed password for root from 58.218.205.84 port 34793 ssh2
May 22 19:50:31 rpi sshd[1280]: Received disconnect from 58.218.205.84: 11: [preauth]
May 22 19:50:31 rpi sshd[1280]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.205.84 user=root
So I installed fail2ban, however its not working. The config for it is :
# Fail2Ban configuration file.
#
# This file was composed for Debian systems from the original one
# provided now under /usr/share/doc/fail2ban/examples/jail.conf
# for additional examples.
#
# To avoid merges during upgrades DO NOT MODIFY THIS FILE
# and rather provide your changes in /etc/fail2ban/jail.local
#
# Author: Yaroslav O. Halchenko <debian@onerussian.com>
#
# $Revision$
#
# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1/8 192.168.1.0/24
bantime = 600
maxretry = 3
# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto".
# yoh: For some reason Debian shipped python-gamin didn't work as expected
# This issue left ToDo, so polling is default backend for now
backend = auto
#
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = root@localhost
#
# ACTIONS
#
# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define
# action_* variables. Can be overridden globally or per
# section within jail.local file
banaction = iptables-multiport
# email action. Since 0.8.1 upstream fail2ban uses sendmail
# MTA for the mailing. Change mta configuration parameter to mail
# if you want to revert to conventional 'mail'.
mta = sendmail
# Default protocol
protocol = tcp
# Specify chain where jumps would need to be added in iptables-* actions
chain = INPUT
#
# Action shortcuts. To be used to define action parameter
# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
# ban & send an e-mail with whois report to the destemail.
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
%(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
# ban & send an e-mail with whois report and relevant log lines
# to the destemail.
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
%(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
# Choose default action. To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
action = %(action_)s
#
# JAILS
#
# Next jails corresponds to the standard configuration in Fail2ban 0.6 which
# was shipped in Debian. Enable any defined here jail by including
#
# [SECTION_NAME]
# enabled = true
#
# in /etc/fail2ban/jail.local.
#
# Optionally you may override any other parameter (e.g. banaction,
# action, port, logpath, etc) in that section within jail.local
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 6
[dropbear]
enabled = false
port = ssh
filter = sshd
logpath = /var/log/dropbear
maxretry = 6
# Generic filter for pam. Has to be used with action which bans all ports
# such as iptables-allports, shorewall
[pam-generic]
enabled = false
# pam-generic filter can be customized to monitor specific subset of 'tty's
filter = pam-generic
# port actually must be irrelevant but lets leave it all for some possible uses
port = all
banaction = iptables-allports
port = anyport
logpath = /var/log/auth.log
maxretry = 6
[xinetd-fail]
enabled = false
filter = xinetd-fail
port = all
banaction = iptables-multiport-log
logpath = /var/log/daemon.log
maxretry = 2
[ssh-ddos]
enabled = false
port = ssh
filter = sshd-ddos
logpath = /var/log/auth.log
maxretry = 6
#
# HTTP servers
#
[apache]
enabled = false
port = http,https
filter = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 6
# default action is now multiport, so apache-multiport jail was left
# for compatibility with previous (<0.7.6-2) releases
[apache-multiport]
enabled = false
port = http,https
filter = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 6
[apache-noscript]
enabled = false
port = http,https
filter = apache-noscript
logpath = /var/log/apache*/*error.log
maxretry = 6
[apache-overflows]
enabled = false
port = http,https
filter = apache-overflows
logpath = /var/log/apache*/*error.log
maxretry = 2
#
# FTP servers
#
[vsftpd]
enabled = false
port = ftp,ftp-data,ftps,ftps-data
filter = vsftpd
logpath = /var/log/vsftpd.log
# or overwrite it in jails.local to be
# logpath = /var/log/auth.log
# if you want to rely on PAM failed login attempts
# vsftpd's failregex should match both of those formats
maxretry = 6
[proftpd]
enabled = false
port = ftp,ftp-data,ftps,ftps-data
filter = proftpd
logpath = /var/log/proftpd/proftpd.log
maxretry = 6
[pure-ftpd]
enabled = false
port = ftp,ftp-data,ftps,ftps-data
filter = pure-ftpd
logpath = /var/log/auth.log
maxretry = 6
[wuftpd]
enabled = false
port = ftp,ftp-data,ftps,ftps-data
filter = wuftpd
logpath = /var/log/auth.log
maxretry = 6
#
# Mail servers
#
[postfix]
enabled = false
port = smtp,ssmtp
filter = postfix
logpath = /var/log/mail.log
[couriersmtp]
enabled = false
port = smtp,ssmtp
filter = couriersmtp
logpath = /var/log/mail.log
#
# Mail servers authenticators: might be used for smtp,ftp,imap servers, so
# all relevant ports get banned
#
[courierauth]
enabled = false
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter = courierlogin
logpath = /var/log/mail.log
[sasl]
enabled = false
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter = sasl
# You might consider monitoring /var/log/mail.warn instead if you are
# running postfix since it would provide the same log lines at the
# "warn" level but overall at the smaller filesize.
logpath = /var/log/mail.log
[dovecot]
enabled = false
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter = dovecot
logpath = /var/log/mail.log
# DNS Servers
# These jails block attacks against named (bind9). By default, logging is off
# with bind9 installation. You will need something like this:
#
# logging {
# channel security_file {
# file "/var/log/named/security.log" versions 3 size 30m;
# severity dynamic;
# print-time yes;
# };
# category security {
# security_file;
# };
# };
#
# in your named.conf to provide proper logging
# !!! WARNING !!!
# Since UDP is connection-less protocol, spoofing of IP and imitation
# of illegal actions is way too simple. Thus enabling of this filter
# might provide an easy way for implementing a DoS against a chosen
# victim. See
# http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
# Please DO NOT USE this jail unless you know what you are doing.
#[named-refused-udp]
#
#enabled = false
#port = domain,953
#protocol = udp
#filter = named-refused
#logpath = /var/log/named/security.log
[named-refused-tcp]
enabled = false
port = domain,953
protocol = tcp
filter = named-refused
logpath = /var/log/named/security.log
I have not changed anything inside except the local ips that it should ignore. So, after 4000 login attempts today, the ip has not been banned once, since the logs clearly show the person(s) is able to retry multiple times a minute still.
So I did sudo iptables -L and got :
libkmod: ERROR ../libkmod/libkmod.c:554 kmod_search_moddep: could not open moddep file '/lib/modules/3.18.7-v7+/modules.dep.bin'
iptables v1.4.14: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
Hmm. I also checked the fail2ban log cat /var/log/fail2ban.log and got :
2015-05-22 12:05:43,083 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.6
2015-05-22 12:05:43,086 fail2ban.jail : INFO Creating new jail 'ssh'
2015-05-22 12:05:43,088 fail2ban.jail : INFO Jail 'ssh' uses poller
2015-05-22 12:05:43,166 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2015-05-22 12:05:43,169 fail2ban.filter : INFO Set maxRetry = 6
2015-05-22 12:05:43,173 fail2ban.filter : INFO Set findtime = 600
2015-05-22 12:05:43,176 fail2ban.actions: INFO Set banTime = 600
2015-05-22 12:05:43,385 fail2ban.jail : INFO Jail 'ssh' started
2015-05-22 12:05:43,467 fail2ban.actions.action: ERROR iptables -N fail2ban-ssh
iptables -A fail2ban-ssh -j RETURN
iptables -I INPUT -p tcp -m multiport --dports ssh -j fail2ban-ssh returned 300
2015-05-22 19:42:34,799 fail2ban.server : INFO Stopping all jails
2015-05-22 19:42:35,753 fail2ban.actions.action: ERROR iptables -D INPUT -p tcp -m multiport --dports ssh -j fail2ban-ssh
iptables -F fail2ban-ssh
iptables -X fail2ban-ssh returned 300
2015-05-22 19:42:35,754 fail2ban.jail : INFO Jail 'ssh' stopped
2015-05-22 19:42:35,763 fail2ban.server : INFO Exiting Fail2ban
2015-05-22 19:42:37,686 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.6
2015-05-22 19:42:37,689 fail2ban.jail : INFO Creating new jail 'ssh'
2015-05-22 19:42:37,695 fail2ban.jail : INFO Jail 'ssh' uses Gamin
2015-05-22 19:42:37,824 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2015-05-22 19:42:37,827 fail2ban.filter : INFO Set maxRetry = 6
2015-05-22 19:42:37,834 fail2ban.filter : INFO Set findtime = 600
2015-05-22 19:42:37,837 fail2ban.actions: INFO Set banTime = 600
2015-05-22 19:42:38,053 fail2ban.jail : INFO Jail 'ssh' started
2015-05-22 19:42:38,126 fail2ban.actions.action: ERROR iptables -N fail2ban-ssh
iptables -A fail2ban-ssh -j RETURN
iptables -I INPUT -p tcp -m multiport --dports ssh -j fail2ban-ssh returned 300
I also checked fail2ban-regex against the auth.log, and it said over 4000 matches.
What is going on, is iptables broken in raspian? How to fix?
ssh logs firewall authentication fail2ban
ssh logs firewall authentication fail2ban
asked May 22 '15 at 20:07
sprocket12sprocket12
1891111
asked May 22 '15 at 20:07
sprocket12sprocket12
1891111
asked May 22 '15 at 20:07
sprocket12sprocket12
1891111
asked May 22 '15 at 20:07
sprocket12sprocket12
1891111
asked May 22 '15 at 20:07
sprocket12sprocket12
1891111
1891111
bumped to the homepage by Community♦ 29 mins ago
This question has answers that may be good or bad; the system has marked it active so that they can be reviewed.
bumped to the homepage by Community♦ 29 mins ago
This question has answers that may be good or bad; the system has marked it active so that they can be reviewed.
1
Not a direct answer to your question, but try moving ssh to a non-standard port. You'll see a lot less scans there.
– lcd047
May 22 '15 at 20:12
add a comment |
1
Not a direct answer to your question, but try moving ssh to a non-standard port. You'll see a lot less scans there.
– lcd047
May 22 '15 at 20:12
1
1
Not a direct answer to your question, but try moving ssh to a non-standard port. You'll see a lot less scans there.
– lcd047
May 22 '15 at 20:12
Not a direct answer to your question, but try moving ssh to a non-standard port. You'll see a lot less scans there.
– lcd047
May 22 '15 at 20:12
add a comment |
1 Answer
1
active
oldest
votes
0
I found the fix for it, just do :
sudo rpi-update
That updated the firmware, the kernel version, and whatever else was needed to make iptables work, now my fail2ban is working fine.
answered May 23 '15 at 22:59
sprocket12sprocket12
1891111
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "106"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
draft saved
draft discarded
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f205118%2fis-iptables-broken-on-my-raspberry-pi-how-to-fix%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
0
I found the fix for it, just do :
sudo rpi-update
That updated the firmware, the kernel version, and whatever else was needed to make iptables work, now my fail2ban is working fine.
answered May 23 '15 at 22:59
sprocket12sprocket12
1891111
add a comment |
0
I found the fix for it, just do :
sudo rpi-update
That updated the firmware, the kernel version, and whatever else was needed to make iptables work, now my fail2ban is working fine.
answered May 23 '15 at 22:59
sprocket12sprocket12
1891111
add a comment |
0
0
0
I found the fix for it, just do :
sudo rpi-update
That updated the firmware, the kernel version, and whatever else was needed to make iptables work, now my fail2ban is working fine.
answered May 23 '15 at 22:59
sprocket12sprocket12
1891111
I found the fix for it, just do :
sudo rpi-update
That updated the firmware, the kernel version, and whatever else was needed to make iptables work, now my fail2ban is working fine.
answered May 23 '15 at 22:59
sprocket12sprocket12
1891111
answered May 23 '15 at 22:59
sprocket12sprocket12
1891111
answered May 23 '15 at 22:59
sprocket12sprocket12
1891111
answered May 23 '15 at 22:59
sprocket12sprocket12
1891111
1891111
add a comment |
add a comment |
draft saved
draft discarded
Thanks for contributing an answer to Unix & Linux Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
draft saved
draft discarded
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f205118%2fis-iptables-broken-on-my-raspberry-pi-how-to-fix%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
1
Not a direct answer to your question, but try moving ssh to a non-standard port. You'll see a lot less scans there.
– lcd047
May 22 '15 at 20:12