Fail2ban To Block Break-In Attempts

While troubleshooting some initial configurations with my HAProxy setup, I noticed a few alarming things in my /var/log/auth.log.

Apr 17 07:17:00 hostname sshd[16969]: Failed password for invalid user admin from 14.160.56.206 port 20024 ssh2
Apr 17 08:23:55 hostname sshd[17206]: Failed password for invalid user hunter from 178.239.180.101 port 47259 ssh2
Apr 17 08:23:53 hostname sshd[17206]: Address 178.239.180.101 maps to host-101-180.239-178.enter.it, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Apr 17 08:44:28 hostname sshd[17325]: Address 113.160.158.43 maps to static.vdc.vn, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!

Are people trying to compromise my site? I never thought I would need anything like this, but I decided to install Fail2ban for some protection. Fail2ban watches log files for repeated failures from the same address and adds a firewall rule to block that address for a while.

Fail2ban Installation And Configuration

The installation was simple, as most Ubuntu things are:

sudo apt-get install fail2ban

The default configuration was almost all I needed, since the ssh jail was already enabled, but I also wanted email notifications and the ssh-ddos jail. The man page was helpful in explaining the three pieces: filters (the regexes that match failures in a log), actions (what to do with a matched host, e.g. add an iptables rule and send mail), and jails (a filter plus actions plus the log path and thresholds). Local overrides belong in /etc/fail2ban/jail.d/ or jail.local rather than in jail.conf, which package upgrades overwrite.

In /etc/fail2ban/jail.d/01_ssh.conf, I configured the following for email notifications (action_mwl bans the address and also sends a mail with whois output and the matching log lines; destemail is where that mail goes):

[ssh]
destemail = christopher.baek@gmail.com
action = %(action_mwl)s

In /etc/fail2ban/jail.d/02_ssh-ddos.conf, I configured the following to enable ssh-ddos protection and email notifications:

[ssh-ddos]
enabled = true
destemail = christopher.baek@gmail.com
action = %(action_mwl)s

Testing

I actually started receiving email alerts almost immediately after I enabled Fail2ban, but for manual testing:

  1. List the initial iptables rules (root is needed, and -n avoids slow reverse DNS lookups)
    sudo iptables -L -n
    Fail2ban adds a chain per jail (fail2ban-ssh, fail2ban-ssh-ddos) that the INPUT chain jumps to for the jail's port.
  2. Trigger Fail2ban by failing SSH logins maxretry times within findtime seconds (the values from /etc/fail2ban/jail.conf or your overrides). Do this from an address you can afford to lose, or put your own address in ignoreip first, or you will ban yourself.
  3. Further SSH attempts from that address should then be refused for bantime seconds, and listing the iptables rules again should show a new DROP or REJECT rule for it in the jail's chain. The same ban shows up as a "Ban <ip>" line in /var/log/fail2ban.log and in the output of
    sudo fail2ban-client status ssh
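To make the maxretry / findtime / bantime interplay concrete, here is a small Python model of one jail's counting logic, added for this post and not part of fail2ban itself. The two regexes are simplified stand-ins for entries in fail2ban's sshd filter (they match only IPv4 addresses, where fail2ban's <HOST> also matches hostnames), the thresholds are example values rather than your installed defaults, and the sample log is constructed: it reuses the four lines quoted above plus invented follow-up attempts.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

IPV4 = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Simplified stand-ins for two failregex entries of fail2ban's sshd filter
# (/etc/fail2ban/filter.d/sshd.conf). The real filter has more patterns and
# expands <HOST> to match hostnames as well; these cover the lines in the post.
FAILREGEX = [
    re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from "
               + IPV4 + r" port \d+ ssh2"),
    re.compile(r"sshd\[\d+\]: Address " + IPV4
               + r" maps to \S+, but this does not map back to the address"
               r" - POSSIBLE BREAK-IN ATTEMPT!"),
]
SYSLOG_TS = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) ")


def parse_line(line):
    """Return (timestamp, host) if the line matches a failregex, else None."""
    m_ts = SYSLOG_TS.match(line)
    if not m_ts:
        return None
    # syslog timestamps carry no year; pin one (assumed) so arithmetic works
    ts = datetime.strptime(m_ts.group("ts"), "%b %d %H:%M:%S").replace(year=2014)
    for rx in FAILREGEX:
        m = rx.search(line)
        if m:
            return ts, m.group("host")
    return None


class Jail:
    """Counting and banning logic of one jail, minus the iptables/mail actions."""

    def __init__(self, maxretry, findtime, bantime, ignoreip=()):
        self.maxretry = maxretry
        self.findtime = timedelta(seconds=findtime)
        self.bantime = timedelta(seconds=bantime)
        self.ignoreip = set(ignoreip)
        self.failures = defaultdict(deque)  # host -> timestamps inside findtime
        self.bans = {}                      # host -> time the ban expires
        self.events = []                    # ("Ban" | "Unban", host, time)

    def _expire(self, now):
        for host, until in list(self.bans.items()):
            if now >= until:
                del self.bans[host]
                self.events.append(("Unban", host, now))

    def feed(self, line):
        """Process one log line; return the host if this line triggers a ban."""
        parsed = parse_line(line)
        if parsed is None:
            return None
        now, host = parsed
        self._expire(now)
        if host in self.ignoreip or host in self.bans:
            return None
        window = self.failures[host]
        window.append(now)
        while now - window[0] > self.findtime:   # forget failures older than findtime
            window.popleft()
        if len(window) >= self.maxretry:
            self.bans[host] = now + self.bantime
            self.events.append(("Ban", host, now))
            window.clear()
            return host
        return None


# Constructed sample log: the four lines from the post plus made-up attempts.
SAMPLE_AUTH_LOG = """\
Apr 17 07:17:00 hostname sshd[16969]: Failed password for invalid user admin from 14.160.56.206 port 20024 ssh2
Apr 17 08:23:53 hostname sshd[17206]: Address 178.239.180.101 maps to host-101-180.239-178.enter.it, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Apr 17 08:23:55 hostname sshd[17206]: Failed password for invalid user hunter from 178.239.180.101 port 47259 ssh2
Apr 17 08:24:01 hostname sshd[17210]: Failed password for invalid user oracle from 178.239.180.101 port 47302 ssh2
Apr 17 08:24:04 hostname sshd[17212]: Failed password for root from 178.239.180.101 port 47310 ssh2
Apr 17 08:24:09 hostname sshd[17214]: Accepted publickey for deploy from 192.168.1.10 port 50122 ssh2
Apr 17 08:24:12 hostname sshd[17216]: Failed password for invalid user test from 178.239.180.101 port 47330 ssh2
Apr 17 08:24:20 hostname sshd[17218]: Failed password for invalid user guest from 178.239.180.101 port 47341 ssh2
Apr 17 08:24:25 hostname sshd[17220]: Failed password for invalid user admin from 178.239.180.101 port 47350 ssh2
Apr 17 08:35:00 hostname sshd[17301]: Failed password for invalid user admin from 178.239.180.101 port 47402 ssh2
Apr 17 08:44:28 hostname sshd[17325]: Address 113.160.158.43 maps to static.vdc.vn, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Apr 17 09:00:01 hostname sshd[17400]: Failed password for chris from 192.168.1.10 port 50130 ssh2
"""


def run_example():
    """Feed the sample log through a jail; return (jail, hosts banned in order)."""
    # example thresholds (assumed, check your jail.conf); the LAN host is ignoreip
    jail = Jail(maxretry=6, findtime=600, bantime=600,
                ignoreip={"127.0.0.1", "192.168.1.10"})
    banned = [h for h in map(jail.feed, SAMPLE_AUTH_LOG.splitlines()) if h]
    return jail, banned


if __name__ == "__main__":
    jail, banned = run_example()
    for kind, host, when in jail.events:
        print(f"{when:%b %d %H:%M:%S} {kind} {host}")
```

Walking the sample through: 178.239.180.101 reaches six matches (the reverse-DNS warning counts as one) at 08:24:20 and is banned, the 08:24:25 attempt is ignored while the ban stands, and the 08:35:00 attempt arrives after the 600-second bantime, so the address is unbanned and starts a fresh count. The LAN host never accumulates failures because it is in ignoreip, which is exactly why you want your own address there before testing step 2 above.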
