I have problem with brute force monitor in direct admin.
Every minute i get info like this:
15705610210001 52.187.17.107 123 1 sshd4 Oct 8 20:56:24 server sshd[10817]: Failed password for invalid user 123 from 52.187.17.107 port 40775 ssh2
15705610210000 176.31.253.55 Titanic123 1 sshd4 Oct 8 20:56:02 server sshd[10808]: Failed password for invalid user Titanic123 from 176.31.253.55 port 35368 ssh2
15705609610001 45.125.65.34 internet 1 exim2 2019-10-08 20:55:18 login authenticator failed for (User) [45.125.65.34]: 535 Incorrect authentication data (set_id=internet)
15705609610000 80.211.180.23 qazWSX 1 sshd4 Oct 8 20:55:21 server sshd[10799]: Failed password for invalid user qazWSX from 80.211.180.23 port 40812 ssh2
15705609010000 138.197.89.212 root 1 sshd5 Oct 8 20:54:15 server sshd[10784]: Failed password for root from 138.197.89.212 port 33528 ssh2
15705608410001 51.254.99.208 root 1 sshd5 Oct 8 20:53:56 server sshd[10776]: Failed password for root from 51.254.99.208 port 42610 ssh2
15705608410000 194.182.86.133 root 1 sshd5 Oct 8 20:53:31 server sshd[10770]: Failed password for root from 194.182.86.133 port 38058 ssh2
15705607810002 45.125.65.58 market 1 exim2 2019-10-08 20:52:50 login authenticator failed for (User) [45.125.65.58]: 535 Incorrect authentication data (set_id=market)
I have installed fail2ban and CSF .
CSF should automatic block with BFM.
My port ssh is changed.
My port directadmin is changed.
In ssh config:
MaxAuthTries 3
MaxSessions 5
In CSF:
IGNORE_ALLOW = "1"
Allow port:
tcp in 2109, 9009, 53, 80,443,20,21,25,110,143,587,993,995,3306
tcp out 2109, 9009, 80, 113, 443, 20,21,25,110,3306
udp in 53,20,21
udp out 53,113,123,20,21
CC_DENY: CN,IN,RU,VN,AR,TR,LV,BY,JP,EC,MY,TW,KR
LF_SSHD etc. set 3.
How can i secure and eliminate this brute force attack?
fail2ban log:
2019-10-08 21:01:29,037 fail2ban.actions [1487]: NOTICE [sshd] 194.182.86.133 already banned
2019-10-08 21:01:30,385 fail2ban.filter [1487]: INFO [sshd] Found 194.182.86.133
2019-10-08 21:01:37,604 fail2ban.filter [1487]: INFO [sshd] Found 110.49.70.240
2019-10-08 21:01:38,045 fail2ban.actions [1487]: NOTICE [sshd] Ban 110.49.70.240
2019-10-08 21:01:38,151 fail2ban.action [1487]: ERROR iptables -w -n -L INPUT | grep -q 'f2b-sshd[ \t]' — stdout: b''
2019-10-08 21:01:38,151 fail2ban.action [1487]: ERROR iptables -w -n -L INPUT | grep -q 'f2b-sshd[ \t]' — stderr: b''
2019-10-08 21:01:38,151 fail2ban.action [1487]: ERROR iptables -w -n -L INPUT | grep -q 'f2b-sshd[ \t]' — returned 1
2019-10-08 21:01:38,151 fail2ban.CommandAction [1487]: ERROR Invariant check failed. Trying to restore a sane environment
2019-10-08 21:01:38,256 fail2ban.action [1487]: ERROR iptables -w -D INPUT -p tcp -m multiport –dports ssh,2109,sftp -j f2b-sshd
iptables -w -F f2b-sshd
iptables -w -X f2b-sshd — stdout: b''
2019-10-08 21:01:38,257 fail2ban.action [1487]: ERROR iptables -w -D INPUT -p tcp -m multiport –dports ssh,2109,sftp -j f2b-sshd
iptables -w -F f2b-sshd
iptables -w -X f2b-sshd — stderr: b"iptables v1.6.0: Couldn't load target f2b-sshd':No such file or directory\n\nTryiptables -h' or 'iptables –help' for more information.\niptables: No chain/target/match by that name.\niptables: No chain/target/match by that name.\n"
2019-10-08 21:01:38,257 fail2ban.action [1487]: ERROR iptables -w -D INPUT -p tcp -m multiport –dports ssh,2109,sftp -j f2b-sshd
iptables -w -F f2b-sshd
iptables -w -X f2b-sshd — returned 1
2019-10-08 21:01:38,257 fail2ban.actions [1487]: ERROR Failed to execute ban jail 'sshd' action 'iptables-multiport' info 'CallingMap({'matches': 'Oct 8 19:29:42 server sshd[5972]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=110.49.70.240 user=root\nOct 8
19:29:43 server sshd[5972]: Failed password for root from 110.49.70.240 port 31718 ssh2\nOct 8 21:01:37 server sshd[19799]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=110.49.70.240 user=root', 'ipjailfailures': . at 0x7f858c6379d8>, 'failures': 3, 'ipmatches': . at 0x7f858d696510>, 'ip': '110.49.70.240', 'time': 1570561298.0458193, 'ipfailures': . at 0x7f858c637510>, 'ipjailmatches': . at 0x7f858c637620>})': Error stopping action
2019-10-08 21:01:39,734 fail2ban.filter [1487]: INFO [sshd] Found 110.49.70.240
Best Answer
Honestly, there is little you can do to stop these attacks if your ssh server is port forwarded. Just ensure you have a strong password and do not use common usernames. Also, as you can see, Fail2Ban is also protecting your server's SSH from brute Force attacks. It also appears that IPTables or Fail2Ban may be broken and isn't banning ips properly.