Recently I saw a port scan on my Ubuntu server.
The log lines in auth.log look like this:
Jul 2 01:14:30 host12907 sshd[14010]: Failed password for root from 64.225.102.51 port 41676 ssh2
Jul 2 01:14:30 host12907 sshd[14011]: Failed password for root from 64.225.102.51 port 41696 ssh2
Jul 2 01:14:30 host12907 sshd[14032]: Failed password for root from 64.225.102.51 port 42768 ssh2
Jul 2 01:14:30 host12907 sshd[14008]: Failed password for root from 64.225.102.51 port 41610 ssh2
Jul 2 01:14:30 host12907 sshd[14019]: Failed password for root from 64.225.102.51 port 41958 ssh2
Jul 2 01:14:30 host12907 sshd[14027]: Failed password for root from 64.225.102.51 port 42528 ssh2
Jul 2 01:14:30 host12907 sshd[14038]: Failed password for root from 64.225.102.51 port 43020 ssh2
Jul 2 01:14:30 host12907 sshd[14030]: Failed password for root from 64.225.102.51 port 42660 ssh2
Jul 2 01:14:30 host12907 sshd[14035]: Failed password for root from 64.225.102.51 port 42860 ssh2
Jul 2 01:14:31 host12907 sshd[14041]: Failed password for root from 64.225.102.51 port 43112 ssh2
Jul 2 01:14:31 host12907 sshd[14022]: Failed password for root from 64.225.102.51 port 42360 ssh2
Jul 2 01:14:31 host12907 sshd[14029]: Failed password for root from 64.225.102.51 port 42584 ssh2
I did check the fail2ban filter for sshd with:
fail2ban-regex --print-all-matched /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf and the lines were matched correctly.
Thus, it obviously is the ssh jail which doesn't block the scan as expected.
The current jail for ssh shows:
[ssh]
enabled = true
filter = sshd
action = iptables[name=ssh, port=ssh]
logpath = /var/log/auth.log
maxretry = 5
I suppose the action line in the sshd jail can be configured to not only ban failed attempts to the single actually configured sshd port, but to any port.
Alas, I don't know how to change the action line so that fail2ban sums up failed ssh attempts to any port in its maxretry counter.
How can I get the ssh jail to process failed attempts on all ports?
Would it work correctly if I leave out the port specification at all?
Or should the port specification just specify port=all?
Or should the jail specification look totally different?
I am reluctant to experiment with it because my server is a vServer and I am anxious about locking myself out if I do something wrong.
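As an added example (not code from the original post and not fail2ban's own code), the following script replays the quoted auth.log lines through the same counting logic a fail2ban jail applies, and prints the iptables rules that the `iptables` and `iptables-allports` actions install for a banned address. It shows two things the post's config leaves implicit: the "port N" after "from <ip>" in each line is the client's source port of that TCP connection, and the jail's maxretry counter is keyed on the source IP only, so that field never affects whether a ban fires; the `port=` parameter of the action only decides which destination ports the ban rule covers, and `iptables-allports[name=ssh]` covers all of them. Assumptions are mine: findtime 600 s (fail2ban's default), maxretry 5 (the poster's value), an arbitrary year of 2020 because syslog timestamps carry none, a simplified stand-in for the sshd failregex, two extra constructed lines from 203.0.113.7, and the rule shapes as I recall them from fail2ban's bundled action.d/iptables.conf and iptables-allports.conf (check the files on your own system).

```python
"""Added example, not from the original post: re-implement the per-IP
counting a fail2ban jail performs on the quoted auth.log lines, and show
the iptables rules the iptables / iptables-allports actions install.

Assumptions (mine, for illustration): findtime = 600 s, maxretry = 5,
syslog year taken as 2020, simplified stand-in for the sshd failregex,
rule shapes as in fail2ban's bundled action.d files.
"""
import re
from collections import defaultdict
from datetime import datetime

MAXRETRY = 5    # the poster's value
FINDTIME = 600  # seconds; fail2ban's default findtime

# Simplified stand-in for fail2ban's sshd failregex. The captured port is the
# client's *source* port of that TCP connection; sshd's listening port never
# appears in these lines and the jail never evaluates this field.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port (?P<port>\d+) ssh2$"
)

# Constructed sample: the poster's twelve lines plus two hypothetical lines
# from 203.0.113.7 (documentation range) that stay below maxretry.
SAMPLE_LOG = """\
Jul 2 01:14:30 host12907 sshd[14010]: Failed password for root from 64.225.102.51 port 41676 ssh2
Jul 2 01:14:30 host12907 sshd[14011]: Failed password for root from 64.225.102.51 port 41696 ssh2
Jul 2 01:14:30 host12907 sshd[14032]: Failed password for root from 64.225.102.51 port 42768 ssh2
Jul 2 01:14:30 host12907 sshd[14008]: Failed password for root from 64.225.102.51 port 41610 ssh2
Jul 2 01:14:30 host12907 sshd[14019]: Failed password for root from 64.225.102.51 port 41958 ssh2
Jul 2 01:14:30 host12907 sshd[14027]: Failed password for root from 64.225.102.51 port 42528 ssh2
Jul 2 01:14:30 host12907 sshd[14038]: Failed password for root from 64.225.102.51 port 43020 ssh2
Jul 2 01:14:30 host12907 sshd[14030]: Failed password for root from 64.225.102.51 port 42660 ssh2
Jul 2 01:14:30 host12907 sshd[14035]: Failed password for root from 64.225.102.51 port 42860 ssh2
Jul 2 01:14:31 host12907 sshd[14041]: Failed password for root from 64.225.102.51 port 43112 ssh2
Jul 2 01:14:31 host12907 sshd[14022]: Failed password for root from 64.225.102.51 port 42360 ssh2
Jul 2 01:14:31 host12907 sshd[14029]: Failed password for root from 64.225.102.51 port 42584 ssh2
Jul 2 01:20:05 host12907 sshd[14100]: Failed password for invalid user admin from 203.0.113.7 port 50211 ssh2
Jul 2 01:20:09 host12907 sshd[14102]: Failed password for invalid user admin from 203.0.113.7 port 50214 ssh2
"""


def parse(line, year=2020):
    """Return (timestamp, source_ip, source_port) for a matching line, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    stamp = " ".join(m["ts"].split())  # collapse syslog's double space before single-digit days
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"], int(m["port"])


def evaluate(log_text, maxretry=MAXRETRY, findtime=FINDTIME):
    """Replay the log through jail logic: count matches per source IP inside a
    sliding findtime window and ban once maxretry is reached.
    Returns (failures_per_ip, banned) with banned mapping ip -> time of the
    hit that triggered the ban. The source port is deliberately discarded."""
    window = defaultdict(list)
    failures = defaultdict(int)
    banned = {}
    for line in log_text.splitlines():
        parsed = parse(line)
        if parsed is None:
            continue
        ts, ip, _source_port = parsed
        failures[ip] += 1
        if ip in banned:
            continue  # already banned; later lines no longer change the decision
        window[ip] = [t for t in window[ip] if (ts - t).total_seconds() <= findtime] + [ts]
        if len(window[ip]) >= maxretry:
            banned[ip] = ts
    return dict(failures), banned


def source_ports(log_text, ip):
    """Distinct client source ports seen for one address (what 'port N' really is)."""
    return {p[2] for p in map(parse, log_text.splitlines()) if p and p[1] == ip}


def ban_rules(ip, name="ssh", port="ssh", allports=False):
    """iptables commands the iptables / iptables-allports actions run (as in
    fail2ban's bundled action.d files, assumption). Only the jump from INPUT
    into the jail chain differs; the per-IP ban rule is identical."""
    jump = (f"iptables -I INPUT -p tcp -j f2b-{name}" if allports
            else f"iptables -I INPUT -p tcp -m multiport --dports {port} -j f2b-{name}")
    start = [f"iptables -N f2b-{name}", f"iptables -A f2b-{name} -j RETURN", jump]
    ban = f"iptables -I f2b-{name} 1 -s {ip} -j REJECT --reject-with icmp-port-unreachable"
    return start, ban


if __name__ == "__main__":
    failures, banned = evaluate(SAMPLE_LOG)
    for ip, n in failures.items():
        state = f"banned at {banned[ip]:%H:%M:%S}" if ip in banned else "not banned"
        print(f"{ip}: {n} failures from {len(source_ports(SAMPLE_LOG, ip))} source ports, {state}")
    start, ban = ban_rules("64.225.102.51", allports=True)
    print("\n".join(start + [ban]))
```

Two practical notes for a vServer where a lockout is costly. First, put your own administrative address in the jail's `ignoreip` setting before changing the action, and keep a root shell open while you reload; `fail2ban-client status ssh` shows the currently banned list and `fail2ban-client set ssh unbanip <ip>` reverses a mistake. Second, the twelve quoted lines span barely two seconds, and fail2ban reads the log asynchronously, so a parallel burst like this can log more than maxretry failures before the ban rule lands; that is worth checking against `fail2ban-client status ssh` and `iptables -L f2b-ssh -n` before concluding that no ban happened at all.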