I have a small server whose only open ports are ssh, http and https. I have installed and configured fail2ban so that, after 3 failed attempts, someone gets blocked for 10 minutes (I think that's it).
Root login is disabled, but the people who try it are not getting blocked.
cat /var/log/messages | grep ssh
shows about 50 attempts like these:
Jan 20 10:50:57 localhost sshd[28666]: SSH: Server;Ltype: Version;Remote: 88.190.31.135-57382;Protocol: 2.0;Client: libssh-0.1
Jan 20 10:50:57 localhost sshd[28666]: SSH: Server;Ltype: Kex;Remote: 88.190.31.135-57382;Enc: aes128-cbc;MAC: hmac-sha1;Comp: none [preauth]
Jan 20 10:50:57 localhost sshd[28666]: SSH: Server;Ltype: Authname;Remote: 88.190.31.135-57382;Name: root [preauth]
Jan 20 10:50:57 localhost sshd[28666]: Received disconnect from 88.190.31.135: 11: Bye Bye [preauth]
Jan 20 10:50:57 localhost sshd[28668]: SSH: Server;Ltype: Version;Remote: 88.190.31.135-57437;Protocol: 2.0;Client: libssh-0.1
Jan 20 10:50:57 localhost sshd[28668]: SSH: Server;Ltype: Kex;Remote: 88.190.31.135-57437;Enc: aes128-cbc;MAC: hmac-sha1;Comp: none [preauth]
Jan 20 10:50:57 localhost sshd[28668]: SSH: Server;Ltype: Authname;Remote: 88.190.31.135-57437;Name: root [preauth]
Jan 20 10:50:57 localhost sshd[28668]: Received disconnect from 88.190.31.135: 11: Bye Bye [preauth]
Jan 20 10:50:57 localhost sshd[28670]: SSH: Server;Ltype: Version;Remote: 88.190.31.135-57515;Protocol: 2.0;Client: libssh-0.1
Jan 20 10:50:57 localhost sshd[28670]: SSH: Server;Ltype: Kex;Remote: 88.190.31.135-57515;Enc: aes128-cbc;MAC: hmac-sha1;Comp: none [preauth]
Jan 20 10:50:58 localhost sshd[28670]: SSH: Server;Ltype: Authname;Remote: 88.190.31.135-57515;Name: root [preauth]
Jan 20 10:50:58 localhost sshd[28670]: Received disconnect from 88.190.31.135: 11: Bye Bye [preauth]
After this, it tried another user, oracle, which doesn't even exist:
Jan 20 10:50:58 localhost sshd[28672]: SSH: Server;Ltype: Version;Remote: 88.190.31.135-57584;Protocol: 2.0;Client: libssh-0.1
Jan 20 10:50:58 localhost sshd[28672]: SSH: Server;Ltype: Kex;Remote: 88.190.31.135-57584;Enc: aes128-cbc;MAC: hmac-sha1;Comp: none [preauth]
Jan 20 10:50:58 localhost sshd[28672]: SSH: Server;Ltype: Authname;Remote: 88.190.31.135-57584;Name: oracle [preauth]
Jan 20 10:50:58 localhost sshd[28672]: Invalid user oracle from 88.190.31.135
Jan 20 10:50:58 localhost sshd[28672]: input_userauth_request: invalid user oracle [preauth]
Jan 20 10:50:58 localhost sshd[28672]: pam_tally2(sshd:auth): pam_get_uid; no such user
Jan 20 10:50:58 localhost sshd[28672]: pam_unix(sshd:auth): check pass; user unknown
Jan 20 10:50:58 localhost sshd[28672]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=sd-32510.dedibox.fr
Jan 20 10:51:00 localhost sshd[28672]: Failed password for invalid user oracle from 88.190.31.135 port 57584 ssh2
Jan 20 10:51:00 localhost sshd[28672]: Received disconnect from 88.190.31.135: 11: Bye Bye [preauth]
Jan 20 10:51:00 localhost sshd[28674]: SSH: Server;Ltype: Version;Remote: 88.190.31.135-58021;Protocol: 2.0;Client: libssh-0.1
Jan 20 10:51:00 localhost sshd[28674]: SSH: Server;Ltype: Kex;Remote: 88.190.31.135-58021;Enc: aes128-cbc;MAC: hmac-sha1;Comp: none [preauth]
Jan 20 10:51:00 localhost sshd[28674]: SSH: Server;Ltype: Authname;Remote: 88.190.31.135-58021;Name: oracle [preauth]
Jan 20 10:51:00 localhost sshd[28674]: Invalid user oracle from 88.190.31.135
Jan 20 10:51:00 localhost sshd[28674]: input_userauth_request: invalid user oracle [preauth]
Jan 20 10:51:00 localhost sshd[28674]: pam_tally2(sshd:auth): pam_get_uid; no such user
Jan 20 10:51:00 localhost sshd[28674]: pam_unix(sshd:auth): check pass; user unknown
Jan 20 10:51:00 localhost sshd[28674]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=sd-32510.dedibox.fr
Jan 20 10:51:02 localhost sshd[28674]: Failed password for invalid user oracle from 88.190.31.135 port 58021 ssh2
Jan 20 10:51:02 localhost sshd[28674]: Received disconnect from 88.190.31.135: 11: Bye Bye [preauth]
Jan 20 10:51:02 localhost sshd[28676]: SSH: Server;Ltype: Version;Remote: 88.190.31.135-59203;Protocol: 2.0;Client: libssh-0.1
Jan 20 10:51:02 localhost sshd[28676]: SSH: Server;Ltype: Kex;Remote: 88.190.31.135-59203;Enc: aes128-cbc;MAC: hmac-sha1;Comp: none [preauth]
Jan 20 10:51:03 localhost sshd[28676]: SSH: Server;Ltype: Authname;Remote: 88.190.31.135-59203;Name: oracle [preauth]
Jan 20 10:51:03 localhost sshd[28676]: Invalid user oracle from 88.190.31.135
Jan 20 10:51:03 localhost sshd[28676]: input_userauth_request: invalid user oracle [preauth]
Jan 20 10:51:03 localhost sshd[28676]: pam_tally2(sshd:auth): pam_get_uid; no such user
Jan 20 10:51:03 localhost sshd[28676]: pam_unix(sshd:auth): check pass; user unknown
Jan 20 10:51:03 localhost sshd[28676]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=sd-32510.dedibox.fr
Jan 20 10:51:04 localhost sshd[28676]: Failed password for invalid user oracle from 88.190.31.135 port 59203 ssh2
Jan 20 10:51:04 localhost sshd[28676]: Received disconnect from 88.190.31.135: 11: Bye Bye [preauth]
Jan 20 10:51:04 localhost sshd[28678]: SSH: Server;Ltype: Version;Remote: 88.190.31.135-59651;Protocol: 2.0;Client: libssh-0.1
Jan 20 10:51:04 localhost sshd[28678]: SSH: Server;Ltype: Kex;Remote: 88.190.31.135-59651;Enc: aes128-cbc;MAC: hmac-sha1;Comp: none [preauth]
After that: /var/log/fail2ban
2012-01-20 10:51:04,701 fail2ban.actions: WARNING [ssh-iptables] Ban 88.190.31.135
I wonder why this didn't happen when it tried to get into my server with the root account. I bet there is a way to change fail2ban's behaviour here, but how?
System information, in case it's needed: gentoo 3.2.0, openssh 5.9, iptables-1.4.12.1, fail2ban-0.8.6
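The log excerpt above contains the reason fail2ban stays quiet on the root attempts: for "root" sshd only logs the pre-auth "Authname ... Name: root [preauth]" line followed by the disconnect, never a "Failed password for root" line, whereas each "oracle" attempt ends in "Failed password for invalid user oracle", which is the kind of line fail2ban's sshd filter counts. The script below is an added example, not part of the original post and not fail2ban's own code: it re-implements fail2ban's per-host counting (failregex, maxretry, findtime) in a simplified form over the log lines from the post, using two simplified patterns standing in for the stock sshd filter, and then adds one extra pattern (an assumption, written for this example) that counts the pre-auth Authname line so the root attempts trip the ban as well.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample input: log lines copied from the post (root and oracle attempts, plus
# two non-authentication lines so the matcher has something to ignore).
SAMPLE_LOG = """\
Jan 20 10:50:57 localhost sshd[28666]: SSH: Server;Ltype: Version;Remote: 88.190.31.135-57382;Protocol: 2.0;Client: libssh-0.1
Jan 20 10:50:57 localhost sshd[28666]: SSH: Server;Ltype: Authname;Remote: 88.190.31.135-57382;Name: root [preauth]
Jan 20 10:50:57 localhost sshd[28666]: Received disconnect from 88.190.31.135: 11: Bye Bye [preauth]
Jan 20 10:50:57 localhost sshd[28668]: SSH: Server;Ltype: Authname;Remote: 88.190.31.135-57437;Name: root [preauth]
Jan 20 10:50:58 localhost sshd[28670]: SSH: Server;Ltype: Authname;Remote: 88.190.31.135-57515;Name: root [preauth]
Jan 20 10:50:58 localhost sshd[28672]: SSH: Server;Ltype: Authname;Remote: 88.190.31.135-57584;Name: oracle [preauth]
Jan 20 10:50:58 localhost sshd[28672]: Invalid user oracle from 88.190.31.135
Jan 20 10:51:00 localhost sshd[28672]: Failed password for invalid user oracle from 88.190.31.135 port 57584 ssh2
Jan 20 10:51:02 localhost sshd[28674]: Failed password for invalid user oracle from 88.190.31.135 port 58021 ssh2
Jan 20 10:51:04 localhost sshd[28676]: Failed password for invalid user oracle from 88.190.31.135 port 59203 ssh2
"""
SAMPLE_LINES = SAMPLE_LOG.splitlines()

# Simplified stand-ins for fail2ban's __prefix_line and <HOST> placeholders.
PREFIX = r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Two patterns in the spirit of the stock sshd filter (simplified; the real
# filter has more, e.g. one for "Invalid user", deliberately left out here).
BASELINE_REGEXES = [
    re.compile(PREFIX + r"Failed \S+ for .*? from " + HOST + r"(?: port \d+)?(?: ssh\d*)?$"),
    re.compile(PREFIX + r"ROOT LOGIN REFUSED.* FROM " + HOST + r"\s*$"),
]

# Assumed extra pattern: count the pre-auth Authname line when the name is root.
PREAUTH_ROOT_REGEX = re.compile(
    PREFIX + r"SSH: Server;Ltype: Authname;Remote: " + HOST + r"-\d+;Name: root \[preauth\]$"
)

# The syslog timestamp has no year; 2012 is taken from the fail2ban line in the post.
ASSUMED_YEAR = 2012


def failures_by_host(lines, regexes):
    """Return {host: [timestamp, ...]} for every line matching any regex (first match wins)."""
    hits = defaultdict(list)
    for line in lines:
        for rx in regexes:
            m = rx.match(line)
            if m:
                ts = datetime.strptime(f"{m.group('ts')} {ASSUMED_YEAR}", "%b %d %H:%M:%S %Y")
                hits[m.group("host")].append(ts)
                break
    return hits


def count_failures(lines, regexes):
    """Total matched failures per host, ignoring the time window."""
    return {host: len(stamps) for host, stamps in failures_by_host(lines, regexes).items()}


def first_ban_time(lines, regexes, maxretry=3, findtime=600):
    """{host: timestamp of the failure that trips the ban}: maxretry hits within findtime seconds."""
    bans = {}
    for host, stamps in failures_by_host(lines, regexes).items():
        stamps.sort()
        for i in range(maxretry - 1, len(stamps)):
            if (stamps[i] - stamps[i - maxretry + 1]).total_seconds() <= findtime:
                bans[host] = stamps[i]
                break
    return bans


if __name__ == "__main__":
    for label, regexes in (("baseline", BASELINE_REGEXES),
                           ("baseline + preauth root", BASELINE_REGEXES + [PREAUTH_ROOT_REGEX])):
        print(label, count_failures(SAMPLE_LINES, regexes), first_ban_time(SAMPLE_LINES, regexes))
```

With the baseline patterns the host collects its third failure, and the ban, at 10:51:04, on the third "Failed password" for oracle, which matches the fail2ban line in the post; the three root attempts contribute nothing. Adding the Authname pattern moves the ban to 10:50:58, the third root attempt. The trade-off to keep in mind before putting such a pattern in a fail2ban filter is that it counts a username offered before any password is tried, so a legitimate admin who habitually types `ssh root@host` against a server with root login disabled will ban themselves just as quickly.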