My server has fail2ban installed.
“Fail2ban scans log files (e.g. `/var/log/apache/error_log`) and bans IPs that show the malicious signs – too many password failures, seeking for exploits, etc. Generally Fail2Ban is then used to update firewall rules to reject the IP addresses for a specified amount of time, although any arbitrary other action (e.g. sending an email) could also be configured. Out of the box Fail2Ban comes with filters for various services (apache, courier, ssh, etc).”
Ever since I installed fail2ban, it showed no activity. Until now. Weird!
https://alexschroeder.ch/pics/15538247161_b9e7e00bc1_o.png
Is this due to the Shellshock vulnerability? First public disclosure 2014-09-24, activity starting 2014-10-06. It’s weird, though. I thought Shellshock would involve bash scripts as CGI scripts, called via Apache, but these failures are ordinary SSH login attempts, as seen in `/var/log/auth.log`:
```
Oct 13 11:49:38 alexschroeder sshd[6860]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.56.33 user=root
Oct 13 11:49:40 alexschroeder sshd[6860]: Failed password for root from 222.186.56.33 port 3462 ssh2
Oct 13 11:49:43 alexschroeder sshd[6860]: Failed password for root from 222.186.56.33 port 3462 ssh2
Oct 13 11:49:45 alexschroeder sshd[6860]: Failed password for root from 222.186.56.33 port 3462 ssh2
Oct 13 11:49:45 alexschroeder sshd[6860]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.56.33 user=root
Oct 13 11:49:50 alexschroeder sshd[6864]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.56.33 user=root
Oct 13 11:49:51 alexschroeder sshd[6864]: Failed password for root from 222.186.56.33 port 4067 ssh2
Oct 13 11:49:54 alexschroeder sshd[6864]: Failed password for root from 222.186.56.33 port 4067 ssh2
Oct 13 11:49:56 alexschroeder sshd[6864]: Failed password for root from 222.186.56.33 port 4067 ssh2
Oct 13 11:49:56 alexschroeder sshd[6864]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.56.33 user=root
```
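To show what fail2ban is actually doing with lines like these, here is an added example (not part of the original post, and not fail2ban’s own code) that parses the "Failed password" entries from the excerpt above and applies the same maxretry/findtime idea fail2ban uses to decide which remote hosts have earned a ban. The regex, the 2014 year, and the maxretry/findtime values are assumptions; the last log line is constructed to show a host that does not reach the threshold.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: the first six lines are from the auth.log excerpt above,
# the last one is made up to show a host that stays below the threshold.
AUTH_LOG = """\
Oct 13 11:49:40 alexschroeder sshd[6860]: Failed password for root from 222.186.56.33 port 3462 ssh2
Oct 13 11:49:43 alexschroeder sshd[6860]: Failed password for root from 222.186.56.33 port 3462 ssh2
Oct 13 11:49:45 alexschroeder sshd[6860]: Failed password for root from 222.186.56.33 port 3462 ssh2
Oct 13 11:49:51 alexschroeder sshd[6864]: Failed password for root from 222.186.56.33 port 4067 ssh2
Oct 13 11:49:54 alexschroeder sshd[6864]: Failed password for root from 222.186.56.33 port 4067 ssh2
Oct 13 11:49:56 alexschroeder sshd[6864]: Failed password for root from 222.186.56.33 port 4067 ssh2
Oct 13 12:30:00 alexschroeder sshd[7001]: Failed password for alex from 192.0.2.10 port 5000 ssh2
"""

# Hypothetical pattern in the spirit of fail2ban's sshd filter: syslog timestamp,
# then the "Failed password" message, capturing the remote host (rhost).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<host>\S+) port \d+"
)

def parse_failures(log_text, year=2014):
    """Return a list of (timestamp, host) for every failed-password line.
    Syslog lines carry no year, so one is assumed (2014 for this excerpt)."""
    out = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            out.append((ts, m.group("host")))
    return out

def hosts_to_ban(failures, maxretry=3, findtime=600):
    """Sliding-window version of fail2ban's rule: a host is banned once it has
    maxretry failures within findtime seconds. Values here are example defaults;
    check jail.conf for the ones your installation actually uses."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)
    banned = set()
    for ts, host in sorted(failures):
        hits = recent[host] + [ts]
        # Keep only failures that fall inside the findtime window.
        recent[host] = hits = [t for t in hits if ts - t <= window]
        if len(hits) >= maxretry:
            banned.add(host)
    return sorted(banned)
```

Run against the excerpt, 222.186.56.33 hits the threshold within seconds (six failures in 16 seconds), while the single failure from the constructed 192.0.2.10 line is ignored.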
#Web #fail2ban