
#1 On 09/08/2022 at 10:04

Laurentf60

Permanently banning a hacker's IP?

Hello everyone,

I have a dedicated server configured with
ufw,
fail2ban (24-hour ban after 3 attempts),
SSH access by key only (PermitRootLogin prohibit-password).

For several weeks I have had daily access attempts from one IP (176.111.173.159) that I cannot manage to reject.

I have put the following configuration in ufw:

To                         Action      From
--                         ------      ----
Anywhere                   REJECT IN   176.111.173.159                     
Anywhere                   DENY IN     193.106.191.80            
Anywhere                   DENY IN     193.106.191.150                            
80                         ALLOW IN    Anywhere                  
443                        ALLOW IN    Anywhere                                                           
80 (v6)                    ALLOW IN    Anywhere (v6)             
443 (v6)                   ALLOW IN    Anywhere (v6)  

In fail2ban I included this IP in the ssh jail,
and I still get daily fail2ban reports showing 2 to 3 attempts per day, for example:

Aug  9 03:29:44 ns3032808 sshd[5143]: Invalid user dg from 176.111.173.159 port 44652
Aug  9 03:29:44 ns3032808 sshd[5143]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=176.111.173.159
Aug  9 03:29:46 ns3032808 sshd[5143]: Failed password for invalid user dg from 176.111.173.159 port 44652 ssh2
Aug  9 03:29:51 ns3032808 sshd[5143]: Failed password for invalid user dg from 176.111.173.159 port 44652 ssh2
Aug  9 03:29:57 ns3032808 sshd[5143]: Failed password for invalid user dg from 176.111.173.159 port 44652 ssh2
Aug  9 03:30:00 ns3032808 sshd[5143]: Connection closed by invalid user dg 176.111.173.159 port 44652 [preauth]
Aug  9 03:30:00 ns3032808 sshd[5143]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=176.111.173.159
Aug  9 07:47:54 ns3032808 sshd[12808]: Invalid user if from 176.111.173.159 port 50076
Aug  9 07:47:54 ns3032808 sshd[12808]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=176.111.173.159
Aug  9 07:47:56 ns3032808 sshd[12808]: Failed password for invalid user if from 176.111.173.159 port 50076 ssh2

I must have missed something in my settings...
So, how do I get rid of this IP PERMANENTLY?

Thanks in advance for your replies.

Offline
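Added example (not code from the thread, nor fail2ban's own filter): a small Python replay of the counting a fail2ban sshd jail does (maxretry within findtime, then bantime, where -1 means a permanent ban) over auth.log lines in the format quoted above, followed by the check this question really needs: whether failures still arrive from an IP while its ban should be in force. The sample log, the host name and the log year are constructed assumptions; the IPs are documentation-range addresses.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# ASSUMPTION: syslog timestamps carry no year, so one is supplied here.
LOG_YEAR = 2022

# One "Failed password" line per attempt, as sshd writes it on Ubuntu 20.04;
# matches both "for root" and "for invalid user dg". Other lines (Invalid user,
# pam_unix, "PAM 2 more ...") describe the same attempts and are not counted.
FAILED = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2"
)

# Constructed sample in the thread's format (192.0.2.0/24 and 198.51.100.0/24
# are documentation ranges, not real attackers).
SAMPLE_LOG = """\
Aug  9 03:29:44 host sshd[5143]: Invalid user dg from 192.0.2.10 port 44652
Aug  9 03:29:46 host sshd[5143]: Failed password for invalid user dg from 192.0.2.10 port 44652 ssh2
Aug  9 03:29:51 host sshd[5143]: Failed password for invalid user dg from 192.0.2.10 port 44652 ssh2
Aug  9 03:29:57 host sshd[5143]: Failed password for invalid user dg from 192.0.2.10 port 44652 ssh2
Aug  9 03:30:00 host sshd[5143]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10
Aug  9 05:10:02 host sshd[7001]: Failed password for root from 198.51.100.7 port 50001 ssh2
Aug  9 05:10:09 host sshd[7001]: Failed password for root from 198.51.100.7 port 50001 ssh2
Aug  9 07:47:56 host sshd[12808]: Failed password for invalid user if from 192.0.2.10 port 50076 ssh2
Aug  9 07:48:01 host sshd[12808]: Failed password for invalid user if from 192.0.2.10 port 50076 ssh2
Aug  9 07:48:07 host sshd[12808]: Failed password for invalid user if from 192.0.2.10 port 50076 ssh2
"""


def parse_failures(lines):
    """Return [(timestamp, ip, user)] for every failed-password line."""
    out = []
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=LOG_YEAR)
        out.append((ts, m["ip"], m["user"]))
    return out


def simulate_bans(failures, maxretry=3, findtime=600, bantime=86400):
    """Replay failures the way a jail would: an IP reaching `maxretry`
    failures within `findtime` seconds is banned for `bantime` seconds;
    bantime -1 means permanent (fail2ban's own convention). Only the first
    ban of each IP is recorded: {ip: (ban_start, ban_end_or_None)}."""
    window = defaultdict(deque)
    bans = {}
    for ts, ip, _user in sorted(failures):
        if ip in bans:
            continue
        q = window[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > findtime:
            q.popleft()
        if len(q) >= maxretry:
            end = None if bantime < 0 else ts + timedelta(seconds=bantime)
            bans[ip] = (ts, end)
    return bans


def attempts_during_ban(failures, bans):
    """Failures that reach sshd from an IP while its ban is in force.
    With a working firewall action this is zero, because banned packets
    never reach sshd; a non-zero count is exactly the thread's symptom and
    means the ban is not being applied in the packet path."""
    counts = defaultdict(int)
    for ts, ip, _user in failures:
        if ip not in bans:
            continue
        start, end = bans[ip]
        if ts > start and (end is None or ts < end):
            counts[ip] += 1
    return dict(counts)


def analyse(text, **jail):
    """Parse a log text and return (failures, bans, attempts_during_ban)."""
    failures = parse_failures(text.splitlines())
    bans = simulate_bans(failures, **jail)
    return failures, bans, attempts_during_ban(failures, bans)


if __name__ == "__main__":
    failures, bans, leaks = analyse(SAMPLE_LOG)
    for ip, (start, end) in bans.items():
        print(f"{ip} banned at {start:%H:%M:%S} until {end or 'forever'}")
    for ip, n in leaks.items():
        print(f"WARNING: {n} failures from {ip} while it was supposedly banned")
```

Run it against a real auth.log with `analyse(open("/var/log/auth.log").read())`; any IP reported in the warning line is one whose ban exists in fail2ban's bookkeeping but not in the effective firewall rules, which is where to look next (rule order and whether ufw is actually active).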

#2 On 09/08/2022 at 12:07

barzag

Re: Permanently banning a hacker's IP?

Is your host Cloudflare?

Offline

#3 On 09/08/2022 at 19:27

Laurentf60

Re: Permanently banning a hacker's IP?

No,
it's a dedicated server from OVH (Ubuntu Server 20.04).

Offline

#4 On 09/08/2022 at 20:03

lynn

Re: Permanently banning a hacker's IP?

Even if you ban the IP in question, that won't stop it from trying to connect. You just won't see the attempts in your logs any more...
Just for today, I have this in my logs:

Aug  9 15:54:03 localhost sshd[2042641]: Disconnected from invalid user root 2.138.229.44 port 47227 [preauth]
Aug  9 15:56:36 localhost sshd[2043006]: Disconnected from invalid user root 188.166.235.32 port 53148 [preauth]
Aug  9 15:57:34 localhost sshd[2043094]: Disconnected from invalid user root 103.46.238.142 port 42870 [preauth]
Aug  9 15:58:01 localhost sshd[2043158]: Disconnected from invalid user root 194.44.152.76 port 44026 [preauth]
Aug  9 15:58:04 localhost sshd[2043160]: Disconnected from invalid user root 205.185.113.140 port 56660 [preauth]
Aug  9 15:58:27 localhost sshd[2043215]: Disconnected from invalid user root1 174.138.6.45 port 51292 [preauth]
Aug  9 16:04:00 localhost sshd[2043982]: Disconnected from invalid user megaplazaceiba 45.119.9.158 port 50420 [preauth]
Aug  9 16:06:18 localhost sshd[2044274]: Disconnected from invalid user root 212.33.250.241 port 42842 [preauth]
Aug  9 16:15:15 localhost sshd[2045405]: Disconnected from invalid user test 23.224.230.158 port 59476 [preauth]
Aug  9 16:37:10 localhost sshd[2048127]: Disconnected from invalid user root 35.200.141.182 port 33374 [preauth]
Aug  9 16:42:03 localhost sshd[2057034]: Disconnected from invalid user root 24.188.213.50 port 32944 [preauth]
Aug  9 16:45:21 localhost sshd[2063354]: Disconnected from invalid user root 101.127.251.2 port 38418 [preauth]
Aug  9 16:45:45 localhost sshd[2064226]: Disconnected from invalid user admin 95.215.96.100 port 49482 [preauth]
Aug  9 16:50:55 localhost sshd[2074764]: Disconnected from invalid user root 43.129.190.39 port 43090 [preauth]
Aug  9 16:51:29 localhost sshd[2076045]: Disconnected from invalid user root 177.37.71.40 port 42822 [preauth]
Aug  9 16:52:06 localhost sshd[2077886]: Disconnected from invalid user root 164.92.158.12 port 38516 [preauth]
Aug  9 17:01:05 localhost sshd[2096782]: Disconnected from invalid user namgyal 43.130.7.75 port 55274 [preauth]
Aug  9 17:18:45 localhost sshd[2132199]: Disconnected from invalid user root 61.177.173.28 port 33579 [preauth]
Aug  9 17:24:27 localhost sshd[2143509]: Disconnected from invalid user vpn 218.208.81.146 port 42400 [preauth]
Aug  9 17:30:27 localhost sshd[2155178]: Disconnected from invalid user root 177.184.133.130 port 45850 [preauth]
Aug  9 17:30:28 localhost sshd[2155230]: Disconnected from invalid user root 23.94.207.178 port 52126 [preauth]
Aug  9 17:31:00 localhost sshd[2156187]: Disconnected from invalid user root 222.124.214.10 port 56122 [preauth]
Aug  9 17:32:10 localhost sshd[2158058]: Disconnected from invalid user root 60.249.214.6 port 51155 [preauth]
Aug  9 17:32:39 localhost sshd[2159328]: Disconnected from invalid user guest 43.134.126.50 port 35582 [preauth]
Aug  9 17:48:24 localhost sshd[2189246]: Disconnected from invalid user root 52.183.141.32 port 44094 [preauth]
Aug  9 18:12:27 localhost sshd[2235275]: Disconnected from invalid user root 191.102.254.241 port 49949 [preauth]
Aug  9 18:13:36 localhost sshd[2237554]: Disconnected from 159.223.160.5 port 40414 [preauth]
Aug  9 19:27:40 localhost sshd[2379244]: Disconnected from invalid user root 146.59.87.96 port 41296 [preauth]
Aug  9 19:53:24 localhost sshd[2428306]: Disconnected from invalid user ronald 212.33.198.55 port 38772 [preauth]
Aug  9 20:15:30 localhost sshd[2470545]: Disconnected from invalid user root 157.230.246.109 port 54678 [preauth]
Aug  9 20:19:13 localhost sshd[2477605]: Disconnected from invalid user root 114.113.233.159 port 37883 [preauth]
Aug  9 20:20:19 localhost sshd[2479678]: Disconnected from invalid user root 182.93.83.243 port 39564 [preauth]
Aug  9 20:23:29 localhost sshd[2485926]: Disconnected from invalid user root 201.0.45.133 port 48694 [preauth]
Aug  9 20:25:19 localhost sshd[2489426]: Disconnected from invalid user root 181.30.28.71 port 34142 [preauth]
Aug  9 20:25:39 localhost sshd[2490490]: Disconnected from invalid user shekhar 51.250.79.55 port 49304 [preauth]
Aug  9 20:27:37 localhost sshd[2494273]: Disconnected from invalid user root 177.221.220.130 port 40412 [preauth]
Aug  9 20:28:44 localhost sshd[2496399]: Disconnected from invalid user root 154.221.18.237 port 54654 [preauth]
Aug  9 20:29:14 localhost sshd[2497415]: Disconnected from invalid user root 88.150.140.208 port 55436 [preauth]
Aug  9 20:29:21 localhost sshd[2497623]: Disconnected from invalid user tssound 143.198.57.67 port 49068 [preauth]
Aug  9 20:32:08 localhost sshd[2502922]: Disconnected from invalid user admin 20.205.4.235 port 58692 [preauth]
Aug  9 20:45:35 localhost sshd[2528629]: Disconnected from invalid user samura 89.22.67.66 port 37758 [preauth]
Aug  9 20:46:28 localhost sshd[2530286]: Disconnected from invalid user root 65.21.249.112 port 42522 [preauth]
Aug  9 20:47:58 localhost sshd[2533130]: Disconnected from invalid user keer 173.201.188.226 port 39894 [preauth]
Aug  9 20:48:25 localhost sshd[2533961]: Disconnected from invalid user root 149.57.194.202 port 55970 [preauth]
Aug  9 20:50:00 localhost sshd[2537004]: Disconnected from authenticating user backup 114.252.40.99 port 34714 [preauth]
Aug  9 20:50:38 localhost sshd[2538215]: Disconnected from invalid user root 167.99.185.112 port 55024 [preauth]
Aug  9 20:55:15 localhost sshd[2547113]: Disconnected from invalid user root 20.239.190.150 port 50474 [preauth]

The bots have to have their fun! lol

Last edited by lynn (10/08/2022, 14:53)


"It's not because a lot of them are wrong that they're right!"

Coluche


#5 On 10/08/2022 at 12:20

Laurentf60

Re: Ban a hacker's IP permanently?

Thanks Lynn,
So I conclude that I will keep reading this IP's connection attempts every morning.
So I don't need to worry too much.
Thanks


#6 On 10/08/2022 at 12:39

barzag

Re: Ban a hacker's IP permanently?

Otherwise you can block the IP directly on OVH's firewall.

To do that, go to Cloud > IP or Dedicated server > IP, then click the three little dots on the right > create the firewall. Then enable the firewall. Configure the firewall. And there, add a rule. In general it is enough to assign a priority, from 0 to 19, the action (deny), the protocol, the source IP (the hacker's IP), leave the source port and destination port empty, leave the rest untouched and confirm. For one IP, add a rule with the TCP protocol, then another with the UDP protocol.

And that's it!


#7 On 10/08/2022 at 13:43

bruno

Re: Ban a hacker's IP permanently?

Hello,

In principle, blocking this particular IP achieves nothing. You will have thousands of others making brute-force access attempts against your SSH service.
Since you have configured SSH for key-only access, these attempts are necessarily doomed to fail. The same would be the case with sufficiently strong passwords. And your fail2ban is of no use from a security standpoint. One could also debate the relevance of the firewall on a machine where the services are rigorously administered.

From a technical standpoint, if you had really blocked this IP with firewall rules, you would not see any ssh connection attempts in the logs.
You should check whether UFW is actually active:

sudo ufw status

whether fail2ban is actually active:

sudo systemctl status fail2ban
sudo fail2ban-client status

And check the banned IPs for the ssh "jail":

sudo fail2ban-client get sshd banip --with-time

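bruno's test (a host that the firewall really drops never reaches sshd, so it cannot show up in auth.log) can be automated. The script below is an added example, not code posted in this thread: it takes saved `sudo ufw status` output and an auth.log and prints every DENY/REJECT source address that still appears on an sshd line. The sample rules and log lines it embeds are constructed from the ones posted in this thread.

```shell
#!/bin/sh
# Added example, not from the thread: cross-check the ufw block list against
# sshd's log. A host that the firewall really drops never reaches sshd, so a
# denied address that still shows up in auth.log means the rule is not in
# effect (ufw inactive, rule added after the fact, wrong interface, ...).

# blocked_ips UFW_STATUS_FILE
#   Print the source of every DENY/REJECT inbound rule from `sudo ufw status`
#   output saved in UFW_STATUS_FILE, one address per line. Accepts both the
#   "REJECT IN   1.2.3.4" and the bare "REJECT      1.2.3.4" layouts.
blocked_ips() {
    awk '$2 == "DENY" || $2 == "REJECT" {
            if ($3 == "IN") print $4; else if ($3 != "OUT") print $3
         }' "$1" | sort -u
}

# leaked_ips UFW_STATUS_FILE AUTH_LOG
#   Print every blocked address that still appears on an sshd line of AUTH_LOG.
#   The address is matched as a whole token so 1.2.3.4 does not match 1.2.3.45.
leaked_ips() {
    blocked_ips "$1" | while read -r ip; do
        ip_re=$(printf '%s' "$ip" | sed 's/\./\\./g')
        if grep -E 'sshd\[[0-9]+\]' "$2" | grep -Eq "(^|[^0-9.])${ip_re}([^0-9.]|$)"; then
            echo "$ip"
        fi
    done
}

# demo_leaked
#   Run the check on constructed sample data (rules and log lines modelled on
#   the ones posted in this thread) so the script works offline.
demo_leaked() {
    ufw_out=$(mktemp) && log=$(mktemp) || return 1
    cat > "$ufw_out" <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
Anywhere                   REJECT IN   176.111.173.159
Anywhere                   DENY IN     193.106.191.80
80                         ALLOW IN    Anywhere
443                        ALLOW IN    Anywhere
EOF
    cat > "$log" <<'EOF'
Aug  9 03:29:44 ns3032808 sshd[5143]: Invalid user dg from 176.111.173.159 port 44652
Aug  9 03:29:46 ns3032808 sshd[5143]: Failed password for invalid user dg from 176.111.173.159 port 44652 ssh2
Aug  9 08:46:27 ns3032808 sshd[1989543]: Disconnected from invalid user root 198.12.255.244 port 40214 [preauth]
Aug  9 09:00:00 ns3032808 cron[1234]: (root) CMD (run-parts /etc/cron.hourly)
EOF
    leaked_ips "$ufw_out" "$log"
    rm -f "$ufw_out" "$log"
}

# Real use: sudo ufw status > /tmp/ufw.txt; leaked_ips /tmp/ufw.txt /var/log/auth.log
demo_leaked
```

On the sample data the only address printed is 176.111.173.159: it is REJECTed in ufw yet still reaches sshd, which is exactly the contradiction bruno points at. An empty result on the real server means the firewall rule is doing its job and the daily fail2ban mails are about something else (for instance a ban that simply expired).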

#8 On 10/08/2022 at 15:43

Laurentf60

Re: Ban a hacker's IP permanently?

Bruno,
Thanks for these explanations.
On my side everything seems OK

sudo ufw status

Active
containing the line:

Anywhere                   REJECT      176.111.173.159 

Fail2ban => active

And for the fail2ban-client ssh jail:

sudo fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed:	0
|  |- Total failed:	195
|  `- File list:	/var/log/auth.log
`- Actions
   |- Currently banned:	1
   |- Total banned:	40
   `- Banned IP list:	176.111.173.159

but despite these precautions this famous IP comes back every day.
It is not the only one... the other IPs are passing "tourists".

Thanks again to all of you for your details.

Last edited by Laurentf60 (10/08/2022, 15:44)


#9 On 10/08/2022 at 16:48

bruno

Re: Ban a hacker's IP permanently?

To get effective help it is better to give the complete output of all the commands requested.
Have you configured fail2ban to use ufw to block IPs (rather than iptables or nftables directly)?
If the ban duration is 24 hours, it is normal that it reappears every day.

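bruno's two questions (does fail2ban ban through ufw, and is the 24 h bantime why the address comes back daily) both come down to what is in jail.local. The script below is an added example, not from the thread or from fail2ban itself: it writes a jail.local reflecting the setup described here (3 tries, 24 h ban, ufw as ban action; the bantime.increment lines are an addition so that a returning address stays banned longer each time) and reads settings back the way fail2ban resolves them, jail section first, then [DEFAULT]. The jail name nginx-http-auth appears only to show the fallback.

```shell
#!/bin/sh
# Added example, not from the thread: the fail2ban settings bruno's questions
# point at, and a small reader that shows which value a jail really gets.
# fail2ban resolves a key from the jail's own section first and falls back to
# [DEFAULT]; a `banaction = ufw` in the wrong section, or a jail.conf default
# (iptables-multiport) that was never overridden, is how bans end up in a
# table the admin never looks at.

# write_jail_local DIR
#   Write DIR/jail.local (intended target: /etc/fail2ban/jail.local). Values
#   mirror the setup described in the thread; bantime.increment is an addition.
write_jail_local() {
    cat > "$1/jail.local" <<'EOF'
[DEFAULT]
# Ban through ufw so the rule is visible in `ufw status`, not only in iptables
banaction          = ufw
banaction_allports = ufw
bantime  = 24h
findtime = 10m
maxretry = 5

# Repeat offenders: fail2ban's default formula doubles the ban on each new
# ban of the same address; cap the growth at four weeks
bantime.increment = true
bantime.maxtime   = 4w

[sshd]
enabled  = true
maxretry = 3
EOF
}

# jail_setting FILE JAIL KEY
#   Print the value KEY has for jail JAIL in FILE, taking the [JAIL] section
#   over [DEFAULT], as fail2ban does. Exit 1 if neither section defines it.
jail_setting() {
    awk -v jail="$2" -v key="$3" '
        /^[ \t]*[#;]/ { next }                      # comment line
        /^[ \t]*\[/ {                               # [section] header
            sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/].*$/, "", sec); next
        }
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k != key) next
            if (sec == jail) { val = v; found = 1 }
            else if (sec == "DEFAULT" && !found) { val = v }
        }
        END {
            if (val != "") { print val; exit 0 }
            exit 1
        }' "$1"
}

# Offline walk-through in a temporary directory standing in for /etc/fail2ban.
demo_settings() {
    dir=$(mktemp -d) || return 1
    write_jail_local "$dir"
    printf 'sshd: banaction=%s bantime=%s maxretry=%s\n' \
        "$(jail_setting "$dir/jail.local" sshd banaction)" \
        "$(jail_setting "$dir/jail.local" sshd bantime)" \
        "$(jail_setting "$dir/jail.local" sshd maxretry)"
    printf 'nginx-http-auth: maxretry=%s (from [DEFAULT])\n' \
        "$(jail_setting "$dir/jail.local" nginx-http-auth maxretry)"
    rm -rf "$dir"
}
demo_settings
```

After editing the real file, `sudo fail2ban-client reload` applies it and `sudo fail2ban-client get sshd actions` shows whether the jail's action is indeed ufw; bans made with that action also appear in `sudo ufw status` (as in the REJECT line Laurentf60 posted), which is the quickest way to see both tools agree.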

#10 On 10/08/2022 at 17:51

Zergy

Re: Ban a hacker's IP permanently?

Small thing, but changing the SSH port also helps reduce the number of attacks.


#11 On 10/08/2022 at 18:24

lynn

Re: Ban a hacker's IP permanently?

I don't think changing the port will reduce the number of attacks. Going through the garage door instead of the front door that has been boarded up doesn't stop anyone from coming to ring/knock on the latter, even if nobody answers.

You just have less information about what is happening on your system...




#12 On 10/08/2022 at 18:30

Zergy

Re: Ban a hacker's IP permanently?

lynn wrote:

I don't think changing the port will reduce the number of attacks. Going through the garage door instead of the front door that has been boarded up doesn't stop anyone from coming to ring/knock on the latter, even if nobody answers.

You just have less information about what is happening on your system...

Some don't scan ports above 1024, so it helps; of course, you will have to change fail2ban's configuration accordingly.


#13 On 10/08/2022 at 18:58

bruno

Re: Ban a hacker's IP permanently?

Small thing, but changing the SSH port also helps reduce the number of attacks.

No, not really, it just reduces the noise in the logs. In any case it is not a security measure.
And I have already had occasion to explain that using a port > 1024, i.e. an unprivileged one, reduces security.


#14 On 12/08/2022 at 11:00

Screen

Re: Ban a hacker's IP permanently?

Laurentf60 wrote:

Bruno,
Thanks for these explanations.
On my side everything seems OK

sudo ufw status

Active
containing the line:

Anywhere                   REJECT      176.111.173.159 

Fail2ban => active

And for the fail2ban-client ssh jail:

sudo fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed:	0
|  |- Total failed:	195
|  `- File list:	/var/log/auth.log
`- Actions
   |- Currently banned:	1
   |- Total banned:	40
   `- Banned IP list:	176.111.173.159

but despite these precautions this famous IP comes back every day.
It is not the only one... the other IPs are passing "tourists".

Thanks again to all of you for your details.

the radical method is to disable the password on your ssh and authenticate by key,
another radical method is to close the port https://doc.ubuntu-fr.org/port-knocking (and nothing more in the logs.)


#15 On 12/08/2022 at 12:42

iznobe

Re: Ban a hacker's IP permanently?

Hello, @Screen:

Laurentf60 wrote in post #1:

Hello everyone,

I have a dedicated server set up with
ufw,
fail2ban (24 hr ban after 3 attempts),
SSH access is by key only (PermitRootLogin prohibit-password).


usable command output
MSI Z490A-pro, i7 10700, 32 GB RAM.


#16 On 12/08/2022 at 14:28

MicP

Re: Ban a hacker's IP permanently?

Hello

I would forbid access from the outside to the root account <=> no access to the root account via ssh, even if it is key-based access.

I would create an unprivileged user account whose ssh access would be by key,
and it is from this user account that it would be possible to reach the root account's privileges.
If the hacker gets that far, he still won't be able to do too much damage.

So the alert would only need to be raised in case of a successful access to the unprivileged user account
where, following that access, the hacker has not done what is needed beforehand** before attempting to access the root account.

=======
** ...done what is needed beforehand...

For example:
Just before attempting to access the root account,
this unprivileged user account would have to create a specific file in its own home directory.

And every opening of a new login shell for the root account would start by running a script that checks for the existence of this new file,
and if the file does not exist, it would disconnect the user account that has just made this access attempt.

Furthermore, the shell of this unprivileged user account
would be restricted to only 2 possible commands: the one that creates this specific file + the one that gives access to the root account's privileges;
any other attempt to run a command would result in the account being disconnected.

Last edited by MicP (12/08/2022, 14:46)

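One way to implement the two-step root access MicP describes, as an added example that is not code from this thread. The marker name .root-intent, the "arm"/"root" command names and the 60-second freshness window are this example's own choices; the freshness window and the one-shot consumption of the marker are refinements of the post's "just before" wording. sshd itself keeps PermitRootLogin no, so the only path to root is the unprivileged account followed by this handshake.

```shell
#!/bin/sh
# Added example, not from the thread: a marker-file handshake between an
# unprivileged SSH account and root's login shell, as sketched by MicP.
# Assumed layout: the unprivileged account's login shell is built around
# restricted_shell below, and the first line of /root/.profile is
#     root_guard /home/ops 60 || exit
# (home directory of the unprivileged account and the window are assumptions).

# arm_marker HOME
#   Step 1, run by the unprivileged account right before escalating: create
#   the marker file in its own home directory.
arm_marker() {
    : > "$1/.root-intent"
}

# root_guard HOME MAX_AGE
#   Step 2, run at the top of root's login shell. Succeeds only if the marker
#   exists and is at most MAX_AGE seconds old; the marker is removed in every
#   case so it cannot be reused. A caller that exits on failure ends the
#   sudo/su session, which is the "disconnect" of the post.
root_guard() {
    marker="$1/.root-intent"
    [ -f "$marker" ] || return 1
    now=$(date +%s)
    mtime=$(stat -c %Y "$marker" 2>/dev/null || stat -f %m "$marker")
    rm -f "$marker"
    [ $((now - mtime)) -le "$2" ]
}

# restricted_shell CMD HOME
#   The whole command set of the unprivileged account: "arm" creates the
#   marker, "root" escalates, anything else is refused (a login shell built
#   around this function exits on refusal, closing the SSH session).
restricted_shell() {
    case "$1" in
        arm)  arm_marker "$2" ;;
        root) sudo -i ;;
        *)    echo "refused: $1" >&2; return 1 ;;
    esac
}

# Offline walk-through in a temporary directory standing in for the home dir.
demo_guard() {
    home=$(mktemp -d) || return 1
    root_guard "$home" 60 && echo "unexpected: allowed without marker" || echo "no marker -> refused"
    restricted_shell arm "$home"
    root_guard "$home" 60 && echo "fresh marker -> allowed" || echo "unexpected: refused"
    root_guard "$home" 60 && echo "unexpected: reuse allowed" || echo "marker consumed -> refused"
    restricted_shell ls "$home" 2>/dev/null || echo "ls -> refused"
    rm -rf "$home"
}
demo_guard
```

The detection value is in the failure branch: a root login shell that finds no fresh marker is the signal MicP wants to alert on, so `root_guard ... || { logger -p auth.warning "root login without marker"; exit; }` is the natural form of the profile line. The restricted shell is what keeps an attacker who did land on the unprivileged account from simply running the "arm" step by hand after looking around, since looking around is itself refused.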

#17 On 12/08/2022 at 14:30

Screen

Re: Ban a hacker's IP permanently?

iznobe wrote:

Hello, @Screen:

Laurentf60 wrote in post #1:

Hello everyone,

I have a dedicated server set up with
ufw,
fail2ban (24 hr ban after 3 attempts),
SSH access is by key only (PermitRootLogin prohibit-password).

that's it, the answer was in the question,


#18 On 22/10/2022 at 10:04

josuah

Re: Ban a hacker's IP permanently?

Hello,
Although the topic is a bit old: to block permanently, and if you have access to the system, hosts.deny in /etc/ does the job very well since it is natively designed for that; just enter the IP and restart the service.

# /etc/hosts.deny: list of hosts that are _not_ allowed to access the system.
#                  See the manual pages hosts_access(5) and hosts_options(5).
#
# Example:    ALL: some.host.name, .some.domain
#             ALL EXCEPT in.fingerd: other.host.name, .other.domain
#
# If you're going to protect the portmapper use the name "rpcbind" for the
# daemon name. See rpcbind(8) and rpc.mountd(8) for further information.
#
# The PARANOID wildcard matches any host whose name does not match its
# address.
#
# You may wish to enable this to ensure any programs that don't
# validate looked up hostnames still leave understandable logs. In past
# versions of Debian this has been the default.
# ALL: PARANOID

It's radically cool


"For from each thing I have extracted the quintessence. You gave me your mud and I turned it into gold" -- Baudelaire

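A hosts.deny rule for the address in this thread, a minimal evaluator of the file's syntax to test such rules offline, and the check that decides whether the rule can work at all, as an added example that is not code from the thread. hosts.deny is enforced by libwrap inside each daemon, not by the kernel: upstream OpenSSH removed tcp_wrappers support in version 6.7, so an sshd that is not linked against libwrap ignores the file entirely, and that is worth verifying before relying on it. The constructed hosts.deny below and the daemon path /usr/sbin/sshd are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: test hosts.deny rules offline and check
# whether a given daemon honours them at all.

# honours_tcp_wrappers PATH_TO_DAEMON
#   0 if the binary is linked against libwrap, 1 if not, 2 if ldd is missing.
honours_tcp_wrappers() {
    command -v ldd >/dev/null 2>&1 || return 2
    ldd "$1" 2>/dev/null | grep -q 'libwrap'
}

# hosts_deny_matches FILE DAEMON CLIENT_IP
#   Simplified tcp_wrappers matching for "daemon_list : client_list" lines:
#   ALL, exact names/addresses, and the trailing-dot network prefix form
#   ("193.106.191." covers the whole /24). Comments are stripped. hosts.allow
#   (consulted first by the real library), EXCEPT lists and netmask forms are
#   deliberately left out.
hosts_deny_matches() {
    sed 's/#.*//' "$1" | {
        while IFS=: read -r daemons clients rest; do
            [ -n "$daemons" ] || continue
            for d in $(printf '%s' "$daemons" | tr ',' ' '); do
                [ "$d" = ALL ] || [ "$d" = "$2" ] || continue
                for c in $(printf '%s' "$clients" | tr ',' ' '); do
                    case $c in
                        ALL)   exit 0 ;;
                        *.)    case $3 in "$c"*) exit 0 ;; esac ;;
                        "$3")  exit 0 ;;
                    esac
                done
            done
        done
        exit 1
    }
}

# Offline walk-through on a constructed hosts.deny, then the libwrap check.
demo_hosts_deny() {
    f=$(mktemp) || return 1
    # Constructed /etc/hosts.deny: the thread's address for sshd only, and a
    # whole /24 for every wrapped service.
    printf '%s\n' \
        '# /etc/hosts.deny (constructed example)' \
        'sshd: 176.111.173.159' \
        'ALL: 193.106.191.' > "$f"
    for probe in "sshd 176.111.173.159" "vsftpd 176.111.173.159" "sshd 193.106.191.150"; do
        set -- $probe
        if hosts_deny_matches "$f" "$1" "$2"; then
            echo "$1 from $2: denied"
        else
            echo "$1 from $2: not matched"
        fi
    done
    rm -f "$f"

    daemon=/usr/sbin/sshd
    if [ ! -x "$daemon" ]; then
        echo "$daemon not installed here, skipping libwrap check"
    elif honours_tcp_wrappers "$daemon"; then
        echo "$daemon is linked against libwrap: hosts.deny applies"
    elif [ $? -eq 2 ]; then
        echo "ldd not available, cannot tell"
    else
        echo "$daemon is NOT linked against libwrap: hosts.deny has no effect on it"
    fi
}
demo_hosts_deny
```

libwrap re-reads hosts.allow and hosts.deny on every connection, so no service restart is needed when the file is honoured. When the check reports that sshd is not linked against libwrap, the firewall rule (ufw or the OVH edge firewall mentioned earlier) is the mechanism that actually applies, and the earlier ufw-versus-auth.log cross-check is the way to confirm it.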