  1. #1
    Just Joined!
    Join Date
    Jun 2012
    Posts
    4

    fail2ban responding to attacks even though all hosts are blocked


    I recently checked my /etc/hosts.deny file and found there were hundreds of entries of the form
    ALL: <ip address>
    presumably added by fail2ban. However, I already had
    ALL: all
    in /etc/hosts.deny, and only
    sshd: avs-workstation.avs-net avs-laptop.avs-net
    (two hostnames which resolve to IP addresses on my local network).

    So a few questions about this:
    1) If I am blocking all but two local hosts, why are any attacks getting far enough for fail2ban to detect them in the log files?
    2) If I have ALL: all in /etc/hosts.deny, is there any point running fail2ban at all?
    3) How have these attacks got through my router when I haven't set up port forwarding?

    Thanks in advance,
    Xander

  2. #2
    Trusted Penguin
    Join Date
    May 2011
    Posts
    4,353
    i was having similar trouble w/tcp_wrappers (/etc/hosts.allow|deny) recently, as well. i tried various things but could not figure it out, so I can't help you w/this. but if I were you, I'd implement a quick/simple firewall using iptables to stop the attacks (i.e., drop/reject the packets) before they even get to the application layer. examples of how to do that abound on the internet.

    as to how the attacks are getting through your firewall - you don't have to have port forwarding set up if your router is already allowing in your ssh port (22, presumably). i found out that mine (provided by Verizon FIOS) was, by default.

    you can do a scan of your public ip address and see what is open, e.g.:

    Code:
    nmap -n <your_public_ip_address>

  3. #3
    Just Joined!
    Join Date
    Jun 2012
    Posts
    4
    Yes, I am meaning to setup something with iptables, but haven't yet had the time...

    you don't have to have port forwarding set up if your router is already allowing in your ssh port
    That's the thing: I'm running ssh on a nonstandard port... I'm still not sure if they're actual attacks or some bug with fail2ban.

    Well thanks for the reply anyway - I guess I'll just disable sshd until I have a chance to configure the firewall.

  4. #4
    Trusted Penguin
    Join Date
    May 2011
    Posts
    4,353
    Quote Originally Posted by Xander314 View Post
    Yes, I am meaning to setup something with iptables, but haven't yet had the time...


    That's the thing: I'm running ssh on a nonstandard port... I'm still not sure if they're actual attacks or some bug with fail2ban.

    Well thanks for the reply anyway - I guess I'll just disable sshd until I have a chance to configure the firewall.
    in the meantime, if you really need ssh running, you can use the AllowUsers keyword in the sshd_config file to permit only the users you specify to log in via ssh. also, you should have PermitRootLogin set to false, of course.

    you could also set up SSH keys (public/private key pairs) and disable password logins (set PasswordAuthentication to no) and require PubkeyAuthentication to log in. That way, only users that have first shared their public key with your server (in a secure fashion) are able to log in.

    but in the end, yes, set up iptables.

  5. #5
    Just Joined!
    Join Date
    Jun 2012
    Posts
    4
    That's the strange thing - all of those options are already set. No root logins, only pubkey authentication allowed and for AllowUsers I just have alex@avs-laptop. Maybe this is a bug in fail2ban?

  6. #6
    Trusted Penguin
    Join Date
    May 2011
    Posts
    4,353
    if those options are set, then you are good to go as far as ssh itself is concerned. if fail2ban is still detecting bad login attempts (i think it just reads /var/log/secure), then they are getting thru tcp_wrappers somehow. that is not the fault of fail2ban, it is tcp_wrappers, as you suspected.

  7. #7
    Just Joined!
    Join Date
    Jun 2012
    Posts
    4
    I think I finally realised what was going on... I had denyhosts running as well, and I had enabled the sharing of blocked IPs. So presumably all the blocked addresses were being shared by other denyhosts users, which explains why they never showed up in my own secure log. Thanks again for your time!
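A quick diagnostic for exactly this situation, added here as an example and not part of the thread: compare the `ALL: <ip>` entries in hosts.deny with the addresses that actually appear in failed-login lines of the auth log. Any banned address with no matching log line was not put there because of a locally observed attack (for instance, it arrived through a DenyHosts synchronisation feed), so fail2ban is not the source. The file paths and the sample data below are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Default inputs would be /etc/hosts.deny
# and /var/log/secure; constructed sample files are used here so it runs offline.
set -e
export LC_ALL=C   # keep sort and comm in the same collation

# Print the IPs of all "ALL: <ip>" lines in the given hosts.deny ("ALL: all" is skipped).
denied_ips() {
    sed -n 's/^[[:space:]]*ALL:[[:space:]]*\([0-9.]*\)[[:space:]]*$/\1/p' "$1" | sort -u
}

# Print the IPs that appear in failed-authentication lines of the given auth log.
logged_attackers() {
    grep -E 'Failed password|Invalid user|authentication failure' "$1" |
        grep -oE '[0-9]{1,3}(\.[0-9]{1,3}){3}' | sort -u
}

# Print denied IPs that never show up in the local log, one per line.
unexplained_bans() {
    tmp_deny=$(mktemp); tmp_log=$(mktemp)
    denied_ips "$1" > "$tmp_deny"
    logged_attackers "$2" > "$tmp_log"
    comm -23 "$tmp_deny" "$tmp_log"   # lines only in the deny list
    rm -f "$tmp_deny" "$tmp_log"
}

# Constructed sample data (documentation-range addresses, not real hosts).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/hosts.deny" <<'EOF'
# constructed sample, not a real hosts.deny
ALL: all
ALL: 203.0.113.7
ALL: 198.51.100.23
ALL: 192.0.2.99
EOF
cat > "$SAMPLE_DIR/secure" <<'EOF'
Jun 10 03:14:07 host sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jun 10 03:14:09 host sshd[1234]: Connection closed by 203.0.113.7
Jun 10 04:02:11 host sshd[1301]: Accepted publickey for alex from 10.0.0.5 port 40122 ssh2
EOF

echo "Banned addresses with no failed login in the local log:"
unexplained_bans "$SAMPLE_DIR/hosts.deny" "$SAMPLE_DIR/secure"
```

Only 203.0.113.7 has a failed-login line in the sample log, so the other two bans are reported as unexplained by local evidence.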
