I have a problem with Brute Force Monitor in DirectAdmin. Every minute I get info like this:
15705610210001 52.187.17.107 123 1 sshd4 Oct 8 20:56:24 server sshd[10817]: Failed password for invalid user 123 from 52.187.17.107 port 40775 ssh2
15705610210000 176.31.253.55 Titanic123 1 sshd4 Oct 8 20:56:02 server sshd[10808]: Failed password for invalid user Titanic123 from 176.31.253.55 port 35368 ssh2
15705609610001 45.125.65.34 internet 1 exim2 2019-10-08 20:55:18 login authenticator failed for (User) [45.125.65.34]: 535 Incorrect authentication data (set_id=internet)
15705609610000 80.211.180.23 qazWSX 1 sshd4 Oct 8 20:55:21 server sshd[10799]: Failed password for invalid user qazWSX from 80.211.180.23 port 40812 ssh2
15705609010000 138.197.89.212 root 1 sshd5 Oct 8 20:54:15 server sshd[10784]: Failed password for root from 138.197.89.212 port 33528 ssh2
15705608410001 51.254.99.208 root 1 sshd5 Oct 8 20:53:56 server sshd[10776]: Failed password for root from 51.254.99.208 port 42610 ssh2
15705608410000 194.182.86.133 root 1 sshd5 Oct 8 20:53:31 server sshd[10770]: Failed password for root from 194.182.86.133 port 38058 ssh2
15705607810002 45.125.65.58 market 1 exim2 2019-10-08 20:52:50 login authenticator failed for (User) [45.125.65.58]: 535 Incorrect authentication data (set_id=market)
I have installed fail2ban and CSF. CSF should automatically block with BFM.
My SSH port is changed. My DirectAdmin port is changed.
In ssh config: MaxAuthTries 3 MaxSessions 5
In CSF: IGNORE_ALLOW = "1"
Allow port:
tcp in 2109, 9009, 53, 80,443,20,21,25,110,143,587,993,995,3306
tcp out 2109, 9009, 80, 113, 443, 20,21,25,110,3306
udp in 53,20,21
udp out 53,113,123,20,21
CC_DENY: CN,IN,RU,VN,AR,TR,LV,BY,JP,EC,MY,TW,KR
LF_SSHD etc. set to 3.
How can I secure and eliminate this brute force attack?
fail2ban log:
2019-10-08 21:01:29,037 fail2ban.actions [1487]: NOTICE [sshd] 194.182.86.133 already banned
2019-10-08 21:01:30,385 fail2ban.filter [1487]: INFO [sshd] Found 194.182.86.133
2019-10-08 21:01:37,604 fail2ban.filter [1487]: INFO [sshd] Found 110.49.70.240
2019-10-08 21:01:38,045 fail2ban.actions [1487]: NOTICE [sshd] Ban 110.49.70.240
2019-10-08 21:01:38,151 fail2ban.action [1487]: ERROR iptables -w -n -L INPUT | grep -q 'f2b-sshd[ \t]' -- stdout: b''
2019-10-08 21:01:38,151 fail2ban.action [1487]: ERROR iptables -w -n -L INPUT | grep -q 'f2b-sshd[ \t]' -- stderr: b''
2019-10-08 21:01:38,151 fail2ban.action [1487]: ERROR iptables -w -n -L INPUT | grep -q 'f2b-sshd[ \t]' -- returned 1
2019-10-08 21:01:38,151 fail2ban.CommandAction [1487]: ERROR Invariant check failed. Trying to restore a sane environment
2019-10-08 21:01:38,256 fail2ban.action [1487]: ERROR iptables -w -D INPUT -p tcp -m multiport --dports ssh,2109,sftp -j f2b-sshd iptables -w -F f2b-sshd iptables -w -X f2b-sshd -- stdout: b''
2019-10-08 21:01:38,257 fail2ban.action [1487]: ERROR iptables -w -D INPUT -p tcp -m multiport --dports ssh,2109,sftp -j f2b-sshd
iptables -w -F f2b-sshd
iptables -w -X f2b-sshd -- stderr: b"iptables v1.6.0: Couldn't load target f2b-sshd':No such file or directory\n\nTry
iptables -h' or 'iptables --help' for more information.\niptables: No chain/target/match by that name.\niptables: No chain/target/match by that name.\n"
2019-10-08 21:01:38,257 fail2ban.action [1487]: ERROR iptables -w -D INPUT -p tcp -m multiport --dports ssh,2109,sftp -j f2b-sshd iptables -w -F f2b-sshd iptables -w -X f2b-sshd -- returned 1
2019-10-08 21:01:38,257 fail2ban.actions [1487]: ERROR Failed to execute ban jail 'sshd' action 'iptables-multiport' info 'CallingMap({'matches': 'Oct 8 19:29:42 server sshd[5972]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=110.49.70.240 user=root\nOct 8
19:29:43 server sshd[5972]: Failed password for root from 110.49.70.240 port 31718 ssh2\nOct 8 21:01:37 server sshd[19799]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=110.49.70.240 user=root', 'ipjailfailures': . at 0x7f858c6379d8>, 'failures': 3, 'ipmatches': . at 0x7f858d696510>, 'ip': '110.49.70.240', 'time': 1570561298.0458193, 'ipfailures': . at 0x7f858c637510>, 'ipjailmatches': . at 0x7f858c637620>})': Error stopping action
2019-10-08 21:01:39,734 fail2ban.filter [1487]: INFO [sshd] Found 110.49.70.240
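
An added example, not part of the original post: a small Python check over a fail2ban log in the format shown above that reports, per jail and IP, whether a logged "Ban" was followed by a "Failed to execute ban" error, i.e. the ban action did not complete. The sample log is constructed (shortened from the lines above, plus one made-up address from the documentation range), and the function names are hypothetical.

```python
import re

# Constructed sample: shortened from the log above; 203.0.113.7 is a made-up address.
SAMPLE_LOG = """\
2019-10-08 21:01:29,037 fail2ban.actions [1487]: NOTICE [sshd] 194.182.86.133 already banned
2019-10-08 21:01:37,604 fail2ban.filter [1487]: INFO [sshd] Found 110.49.70.240
2019-10-08 21:01:38,045 fail2ban.actions [1487]: NOTICE [sshd] Ban 110.49.70.240
2019-10-08 21:01:38,151 fail2ban.CommandAction [1487]: ERROR Invariant check failed. Trying to restore a sane environment
2019-10-08 21:01:38,257 fail2ban.actions [1487]: ERROR Failed to execute ban jail 'sshd' action 'iptables-multiport' info 'CallingMap({'matches': 'Oct 8
19:29:43 server sshd[5972]: Failed password for root from 110.49.70.240 port 31718 ssh2', 'failures': 3, 'ip': '110.49.70.240'})': Error stopping action
2019-10-08 21:02:10,500 fail2ban.actions [1487]: NOTICE [sshd] Ban 203.0.113.7
"""

TS = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}\s")
BAN = re.compile(r"NOTICE\s+\[(?P<jail>[^\]]+)\]\s+Ban\s+(?P<ip>\S+)")
FAIL = re.compile(r"ERROR\s+Failed to execute ban jail '(?P<jail>[^']+)' action '(?P<action>[^']+)'")
FAIL_IP = re.compile(r"'ip': '(?P<ip>[^']+)'")


def records(text):
    """Join wrapped continuation lines onto the timestamped record they belong to."""
    out = []
    for line in text.splitlines():
        if TS.match(line) or not out:
            out.append(line)
        else:
            out[-1] += " " + line
    return out


def audit_bans(text):
    """Map (jail, ip) to 'no-error-logged' or 'failed:<action>' for every logged ban."""
    status = {}
    for rec in records(text):
        ban = BAN.search(rec)
        if ban:
            status[(ban["jail"], ban["ip"])] = "no-error-logged"
            continue
        fail, ip = FAIL.search(rec), FAIL_IP.search(rec)
        if fail and ip:
            # The ban action returned an error, so the rule for this IP was not applied.
            status[(fail["jail"], ip["ip"])] = "failed:" + fail["action"]
    return status


if __name__ == "__main__":
    for (jail, ip), state in sorted(audit_bans(SAMPLE_LOG).items()):
        print(f"{jail:8} {ip:16} {state}")
```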