
I have problem with brute force monitor in direct admin. Every minute i get info like this:

15705610210001 52.187.17.107 123 1 sshd4 Oct 8 20:56:24 server sshd[10817]: Failed password for invalid user 123 from 52.187.17.107 port 40775 ssh2

15705610210000 176.31.253.55 Titanic123 1 sshd4 Oct 8 20:56:02 server sshd[10808]: Failed password for invalid user Titanic123 from 176.31.253.55 port 35368 ssh2

15705609610001 45.125.65.34 internet 1 exim2 2019-10-08 20:55:18 login authenticator failed for (User) [45.125.65.34]: 535 Incorrect authentication data (set_id=internet)

15705609610000 80.211.180.23 qazWSX 1 sshd4 Oct 8 20:55:21 server sshd[10799]: Failed password for invalid user qazWSX from 80.211.180.23 port 40812 ssh2

15705609010000 138.197.89.212 root 1 sshd5 Oct 8 20:54:15 server sshd[10784]: Failed password for root from 138.197.89.212 port 33528 ssh2

15705608410001 51.254.99.208 root 1 sshd5 Oct 8 20:53:56 server sshd[10776]: Failed password for root from 51.254.99.208 port 42610 ssh2

15705608410000 194.182.86.133 root 1 sshd5 Oct 8 20:53:31 server sshd[10770]: Failed password for root from 194.182.86.133 port 38058 ssh2

15705607810002 45.125.65.58 market 1 exim2 2019-10-08 20:52:50 login authenticator failed for (User) [45.125.65.58]: 535 Incorrect authentication data (set_id=market)

I have installed fail2ban and CSF. CSF should automatically block with BFM.

My SSH port is changed. My DirectAdmin port is changed.

In ssh config: MaxAuthTries 3 MaxSessions 5

In CSF: IGNORE_ALLOW = "1"

Allow port: tcp in 2109, 9009, 53, 80,443,20,21,25,110,143,587,993,995,3306 tcp out 2109, 9009, 80, 113, 443, 20,21,25,110,3306 udp in 53,20,21 udp out 53,113,123,20,21

CC_DENY: CN,IN,RU,VN,AR,TR,LV,BY,JP,EC,MY,TW,KR

LF_SSHD etc. set 3.

How can I secure the server and eliminate this brute force attack?

fail2ban log:

2019-10-08 21:01:29,037 fail2ban.actions [1487]: NOTICE [sshd] 194.182.86.133 already banned

2019-10-08 21:01:30,385 fail2ban.filter [1487]: INFO [sshd] Found 194.182.86.133

2019-10-08 21:01:37,604 fail2ban.filter [1487]: INFO [sshd] Found 110.49.70.240

2019-10-08 21:01:38,045 fail2ban.actions [1487]: NOTICE [sshd] Ban 110.49.70.240

2019-10-08 21:01:38,151 fail2ban.action [1487]: ERROR iptables -w -n -L INPUT | grep -q 'f2b-sshd[ \t]' -- stdout: b''

2019-10-08 21:01:38,151 fail2ban.action [1487]: ERROR iptables -w -n -L INPUT | grep -q 'f2b-sshd[ \t]' -- stderr: b''

2019-10-08 21:01:38,151 fail2ban.action [1487]: ERROR iptables -w -n -L INPUT | grep -q 'f2b-sshd[ \t]' -- returned 1

2019-10-08 21:01:38,151 fail2ban.CommandAction [1487]: ERROR Invariant check failed. Trying to restore a sane environment

2019-10-08 21:01:38,256 fail2ban.action [1487]: ERROR iptables -w -D INPUT -p tcp -m multiport --dports ssh,2109,sftp -j f2b-sshd iptables -w -F f2b-sshd iptables -w -X f2b-sshd -- stdout: b''

2019-10-08 21:01:38,257 fail2ban.action [1487]: ERROR iptables -w -D INPUT -p tcp -m multiport --dports ssh,2109,sftp -j f2b-sshd iptables -w -F f2b-sshd iptables -w -X f2b-sshd -- stderr: b"iptables v1.6.0: Couldn't load target f2b-sshd':No such file or directory\n\nTryiptables -h' or 'iptables --help' for more information.\niptables: No chain/target/match by that name.\niptables: No chain/target/match by that name.\n"

2019-10-08 21:01:38,257 fail2ban.action [1487]: ERROR iptables -w -D INPUT -p tcp -m multiport --dports ssh,2109,sftp -j f2b-sshd iptables -w -F f2b-sshd iptables -w -X f2b-sshd -- returned 1

2019-10-08 21:01:38,257 fail2ban.actions [1487]: ERROR Failed to execute ban jail 'sshd' action 'iptables-multiport' info 'CallingMap({'matches': 'Oct 8 19:29:42 server sshd[5972]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=110.49.70.240 user=root\nOct 8 19:29:43 server sshd[5972]: Failed password for root from 110.49.70.240 port 31718 ssh2\nOct 8 21:01:37 server sshd[19799]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=110.49.70.240 user=root', 'ipjailfailures': . at 0x7f858c6379d8>, 'failures': 3, 'ipmatches': . at 0x7f858d696510>, 'ip': '110.49.70.240', 'time': 1570561298.0458193, 'ipfailures': . at 0x7f858c637510>, 'ipjailmatches': . at 0x7f858c637620>})': Error stopping action

2019-10-08 21:01:39,734 fail2ban.filter [1487]: INFO [sshd] Found 110.49.70.240

jedlu91

2 Answers


Honestly, there is little you can do to stop these attacks if your SSH server is port forwarded. Just ensure you have a strong password and do not use common usernames. Also, as you can see, Fail2Ban is also protecting your server's SSH from brute force attacks. It also appears that iptables or Fail2Ban may be broken and isn't banning IPs properly.

JosephWorks

If you see "ERROR Invariant check failed. Trying to restore a sane environment" or "Couldn't load target 'f2b-sshd': No such file or directory", it can mean:

  • either fail2ban was unable to start the ban action initially (or, since v0.10, on demand at the first ban), for example because of an error in the configuration, or because the multiport module is not allowed/installed in the kernel, etc.; look in fail2ban.log for errors at action start;
  • or some external thing removed or flushed fail2ban's rules in between (try to avoid such complete flushes of iptables rules/chains). If you have some service doing that, add dependencies to fail2ban or try to filter the fail2ban chains (e.g. use iptables-save/iptables-restore for the chains with names starting with f2b-);
  • or you changed the port aliases used in the iptables rules (ssh, sftp) after fail2ban's action was started (the iptables rules had already been applied).
sebres
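A way to check for the state sebres describes, added here as an example and not part of either answer or of fail2ban itself: the script reads iptables-save output (from a file argument or stdin) and verifies, for every f2b- chain, the invariant that fail2ban's iptables-multiport action relies on (INPUT jumps to the chain) plus the trailing RETURN rule; it also flags the "everything flushed" case seen in the question's log, where the chain is gone entirely. The sample rule sets in the test are constructed; the port list 22,2109,115 is assumed to be what ssh,2109,sftp resolves to via /etc/services.

```shell
#!/bin/sh
# Check fail2ban's iptables chains for the failure modes behind
# "Invariant check failed": chain flushed/deleted, INPUT no longer
# jumping to it, or the chain's trailing RETURN missing.
# Usage: iptables-save | check_f2b_chains      (or check_f2b_chains file)
# Exit status: 0 when every f2b- chain is consistent, 1 otherwise.
check_f2b_chains() {
    rules=$(cat "${1:-/dev/stdin}")
    # Chain declarations look like ":f2b-sshd - [0:0]"
    declared=$(printf '%s\n' "$rules" | sed -n 's/^:\(f2b-[^ ]*\) .*/\1/p')
    if [ -z "$declared" ]; then
        echo "BROKEN: no f2b- chains present; fail2ban rules were flushed or never created"
        return 1
    fi
    status=0
    for chain in $declared; do
        # This is the same condition fail2ban's own invariant check tests
        if ! printf '%s\n' "$rules" | grep -q "^-A INPUT .* -j $chain\$"; then
            echo "BROKEN: $chain exists but INPUT does not jump to it"
            status=1
        elif ! printf '%s\n' "$rules" | grep -q "^-A $chain -j RETURN\$"; then
            echo "BROKEN: $chain has no trailing RETURN rule"
            status=1
        else
            echo "OK: $chain"
        fi
    done
    return $status
}
```

Run it from cron or a systemd timer after any CSF/firewall reload; a non-zero exit means fail2ban's chains need to be recreated (e.g. by restarting fail2ban), which is exactly what the log's "Error stopping action" line is failing to do on its own.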