I'm sending the log files from my Rackspace Cloud Servers to loggly, as I described in a previous post. Take a look at this graph from the loggly dashboard:
Uh oh, something looks suspicious here. Clicking on that spike right after midnight shows the problem:
Someone is trying to break into my server by attacking ssh with many login attempts in a short period of time. Looks like I need to install fail2ban. fail2ban will keep an eye on my log files and set up iptables rules after a configurable number of failed attempts. It will also remove the rules after a specified period of time.
apt-get update
apt-get install fail2ban
Configure /etc/fail2ban/jail.local appropriately. On Ubuntu 11.04, this meant changing the
[ssh]
logpath = /var/log/auth.log
to
[ssh]
logpath = /var/log/messages
And restart:
service fail2ban restart
I test it from a different server and it works:
From the original server you can see fail2ban added the iptables rule:
And after 5 minutes, I'm allowed back in:
I should see a big drop in login attempts over the next few days.
Run the following command to see failed login attempts:
grep 'Failed password' /var/log/messages
And run this command to see when users have successfully logged in:
grep "sshd" /var/log/secure | grep "session opened"
You can see where messages are being logged by looking at /etc/rsyslog.conf.
This is for Ubuntu.
Posted by: Kevin Minnick | 01/16/2012 at 09:33 AM
kminnick@monitoring:~$ cat /etc/fail2ban/filter.d/nginx-noscript.conf
[Definition]
failregex = open\(\) "/\S*" failed.*client: <HOST>,.*
ignoreregex =
$ cat /etc/fail2ban/jail.local
[nginx]
enabled = true
port = http,https
filter = nginx-noscript
logpath = /var/log/nginx/error.log
maxretry = 3
Posted by: Kevin Minnick | 01/21/2012 at 05:20 PM
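As an added example, not fail2ban's own code and not from the comment above, the following Python models how the [nginx] jail applies the nginx-noscript failregex and the maxretry/findtime thresholds, run over constructed nginx error-log lines. It assumes an IPv4-only stand-in for fail2ban's <HOST> expansion and fail2ban's default findtime of 600 seconds.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Simplified stand-in for fail2ban's <HOST> expansion: IPv4 only, named group "host".
HOST_TAG = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"
NGINX_TS = re.compile(r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) ")
FAILREGEX = r'open\(\) "/\S*" failed.*client: <HOST>,.*'  # from nginx-noscript.conf

# Constructed nginx error-log lines (not real traffic): one client probes for
# PHP admin scripts three times in two seconds, another just misses a favicon.
SAMPLE_LOG = """\
2012/01/21 17:05:01 [error] 1234#0: *1 open() "/var/www/phpmyadmin/index.php" failed (2: No such file or directory), client: 203.0.113.7, server: example.com
2012/01/21 17:05:02 [error] 1234#0: *2 open() "/var/www/pma/index.php" failed (2: No such file or directory), client: 203.0.113.7, server: example.com
2012/01/21 17:05:03 [error] 1234#0: *3 open() "/var/www/admin.php" failed (2: No such file or directory), client: 203.0.113.7, server: example.com
2012/01/21 17:20:00 [error] 1234#0: *4 open() "/var/www/favicon.ico" failed (2: No such file or directory), client: 198.51.100.9, server: example.com
2012/01/21 17:21:00 [error] 1234#0: *5 upstream timed out (110: Connection timed out) while reading response header from upstream, client: 198.51.100.9, server: example.com
"""

def compile_failregex(failregex):
    """Expand <HOST> and compile. fail2ban rejects a failregex without <HOST>
    (which is what a tag-stripped 'client: ,' version would be) because it
    could not tell which address to ban."""
    if "<HOST>" not in failregex:
        raise ValueError("failregex has no <HOST> group")
    return re.compile(failregex.replace("<HOST>", HOST_TAG))

def failures(log_text, failregex=FAILREGEX):
    """Return (timestamp, host) for every line the failregex matches."""
    pat = compile_failregex(failregex)
    hits = []
    for line in log_text.splitlines():
        ts, m = NGINX_TS.match(line), pat.search(line)
        if ts and m:
            hits.append((datetime.strptime(ts.group(1), "%Y/%m/%d %H:%M:%S"), m.group("host")))
    return hits

def hosts_to_ban(log_text, maxretry=3, findtime=600, failregex=FAILREGEX):
    """Hosts with >= maxretry matches inside any findtime-second window.
    jail.local above sets maxretry = 3; findtime = 600 is fail2ban's default."""
    per_host = defaultdict(list)
    for ts, host in failures(log_text, failregex):
        per_host[host].append(ts)
    window, banned = timedelta(seconds=findtime), set()
    for host, stamps in per_host.items():
        stamps.sort()
        # slide a window of maxretry consecutive failures over the sorted times
        if any(stamps[i + maxretry - 1] - stamps[i] <= window
               for i in range(len(stamps) - maxretry + 1)):
            banned.add(host)
    return banned
```

Running hosts_to_ban(SAMPLE_LOG) flags only 203.0.113.7; the single favicon miss from the other client never reaches maxretry.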