Contenu | Rechercher | Menus

Annonce

Si vous avez des soucis pour rester connecté, déconnectez-vous puis reconnectez-vous depuis ce lien en cochant la case
Me connecter automatiquement lors de mes prochaines visites.

À propos de l'équipe du forum.

#1 Le 11/12/2022, à 10:54

chinois02

Bruteforce sur serveur SSH fail2ban en échec...

Bonjour,
Hier le fichier de mon serveur auth-log faisait 10mo avec une alerte mel à la clef du dit serveur me demandant de verifier si fail2ban était actif.
Il l'était!

Voici la tête du log (extrait)

Dec 11 08:24:18 forgeat sshd[804838]: Received disconnect from 192.241.157.126 port 36514:11: Bye Bye [preauth]
Dec 11 08:24:18 forgeat sshd[804838]: Disconnected from invalid user ronni 192.241.157.126 port 36514 [preauth]
Dec 11 08:24:32 forgeat sshd[804841]: Connection from 188.166.96.132 port 52146 on 192.168.0.44 port 22 rdomain ""
Dec 11 08:24:33 forgeat sshd[804841]: Invalid user oracle from 188.166.96.132 port 52146
Dec 11 08:24:33 forgeat sshd[804841]: pam_unix(sshd:auth): check pass; user unknown
Dec 11 08:24:33 forgeat sshd[804841]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=188.166.96.132 
Dec 11 08:24:35 forgeat sshd[804841]: Failed password for invalid user oracle from 188.166.96.132 port 52146 ssh2
Dec 11 08:24:37 forgeat sshd[804841]: Received disconnect from 188.166.96.132 port 52146:11: Bye Bye [preauth]
Dec 11 08:24:37 forgeat sshd[804841]: Disconnected from invalid user oracle 188.166.96.132 port 52146 [preauth]
Dec 11 08:24:51 forgeat sshd[804844]: Connection from 143.198.133.36 port 56552 on 192.168.0.44 port 22 rdomain ""
Dec 11 08:24:52 forgeat sshd[804844]: Invalid user rheal from 143.198.133.36 port 56552
Dec 11 08:24:52 forgeat sshd[804844]: pam_unix(sshd:auth): check pass; user unknown
Dec 11 08:24:52 forgeat sshd[804844]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=143.198.133.36 
Dec 11 08:24:53 forgeat sshd[804844]: Failed password for invalid user rheal from 143.198.133.36 port 56552 ssh2
Dec 11 08:24:53 forgeat sshd[804844]: Received disconnect from 143.198.133.36 port 56552:11: Bye Bye [preauth]
Dec 11 08:24:53 forgeat sshd[804844]: Disconnected from invalid user rheal 143.198.133.36 port 56552 [preauth]
Dec 11 08:25:12 forgeat sshd[804848]: Connection from 5.56.132.123 port 59614 on 192.168.0.44 port 22 rdomain ""
Dec 11 08:25:12 forgeat sshd[804848]: Invalid user correo from 5.56.132.123 port 59614
Dec 11 08:25:12 forgeat sshd[804848]: pam_unix(sshd:auth): check pass; user unknown
Dec 11 08:25:12 forgeat sshd[804848]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=5.56.132.123 
Dec 11 08:25:14 forgeat sshd[804848]: Failed password for invalid user correo from 5.56.132.123 port 59614 ssh2
Dec 11 08:25:15 forgeat sshd[804848]: Received disconnect from 5.56.132.123 port 59614:11: Bye Bye [preauth]
Dec 11 08:25:15 forgeat sshd[804848]: Disconnected from invalid user correo 5.56.132.123 port 59614 [preauth]
Dec 11 08:26:00 forgeat sshd[804851]: Connection from 161.0.153.88 port 35145 on 192.168.0.44 port 22 rdomain ""
Dec 11 08:26:03 forgeat sshd[804851]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=161.0.153.88  user=admin
Dec 11 08:26:03 forgeat sshd[804851]: pam_ldap(sshd:auth): Authentication failure; user=admin
Dec 11 08:26:05 forgeat sshd[804851]: Failed password for admin from 161.0.153.88 port 35145 ssh2
Dec 11 08:26:07 forgeat sshd[804851]: Connection closed by authenticating user admin 161.0.153.88 port 35145 [preauth]
Dec 11 08:26:08 forgeat sshd[804855]: Connection from 176.215.255.242 port 49971 on 192.168.0.44 port 22 rdomain ""
Dec 11 08:26:10 forgeat sshd[804855]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=176.215.255.242  user=admin
Dec 11 08:26:10 forgeat sshd[804855]: pam_ldap(sshd:auth): Authentication failure; user=admin
Dec 11 08:26:11 forgeat sshd[804855]: Failed password for admin from 176.215.255.242 port 49971 ssh2
Dec 11 08:26:12 forgeat sshd[804855]: Connection closed by authenticating user admin 176.215.255.242 port 49971 [preauth]
Dec 11 08:26:26 forgeat sshd[804857]: Connection from 159.65.154.92 port 52248 on 192.168.0.44 port 22 rdomain ""
Dec 11 08:26:28 forgeat sshd[804857]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=159.65.154.92  user=root
Dec 11 08:26:30 forgeat sshd[804857]: Failed password for root from 159.65.154.92 port 52248 ssh2
Dec 11 08:26:31 forgeat sshd[804857]: Received disconnect from 159.65.154.92 port 52248:11: Bye Bye [preauth]
Dec 11 08:26:31 forgeat sshd[804857]: Disconnected from authenticating user root 159.65.154.92 port 52248 [preauth]
Dec 11 08:27:00 forgeat sshd[804861]: Connection from 188.166.96.132 port 52320 on 192.168.0.44 port 22 rdomain ""
Dec 11 08:27:00 forgeat sshd[804861]: Invalid user cacti from 188.166.96.132 port 52320
Dec 11 08:27:00 forgeat sshd[804861]: pam_unix(sshd:auth): check pass; user unknown
Dec 11 08:27:00 forgeat sshd[804861]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=188.166.96.132 
Dec 11 08:27:03 forgeat sshd[804861]: Failed password for invalid user cacti from 188.166.96.132 port 52320 ssh2
Dec 11 08:27:03 forgeat sshd[804861]: Received disconnect from 188.166.96.132 port 52320:11: Bye Bye [preauth]
Dec 11 08:27:03 forgeat sshd[804861]: Disconnected from invalid user cacti 188.166.96.132 port 52320 [preauth]
Dec 11 08:27:23 forgeat sshd[804864]: Connection from 118.70.169.150 port 50665 on 192.168.0.44 port 22 rdomain ""
Dec 11 08:27:25 forgeat sshd[804864]: Invalid user sarath from 118.70.169.150 port 50665
Dec 11 08:27:25 forgeat sshd[804864]: pam_unix(sshd:auth): check pass; user unknown
Dec 11 08:27:25 forgeat sshd[804864]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=118.70.169.150 
Dec 11 08:27:27 forgeat sshd[804864]: Failed password for invalid user sarath from 118.70.169.150 port 50665 ssh2
Dec 11 08:27:28 forgeat sshd[804864]: Received disconnect from 118.70.169.150 port 50665:11: Bye Bye [preauth]
Dec 11 08:27:28 forgeat sshd[804864]: Disconnected from invalid user sarath 118.70.169.150 port 50665 [preauth]
Dec 11 08:27:56 forgeat sshd[804880]: Connection from 143.198.133.36 port 35520 on 192.168.0.44 port 22 rdomain ""
Dec 11 08:27:57 forgeat sshd[804880]: Invalid user martin from 143.198.133.36 port 35520
Dec 11 08:27:57 forgeat sshd[804880]: pam_unix(sshd:auth): check pass; user unknown
Dec 11 08:27:57 forgeat sshd[804880]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=143.198.133.36 
Dec 11 08:27:59 forgeat sshd[804880]: Failed password for invalid user martin from 143.198.133.36 port 35520 ssh2
Dec 11 08:28:01 forgeat sshd[804880]: Received disconnect from 143.198.133.36 port 35520:11: Bye Bye [preauth]
Dec 11 08:28:01 forgeat sshd[804880]: Disconnected from invalid user martin 143.198.133.36 port 35520 [preauth]
Dec 11 08:28:24 forgeat sshd[804883]: Connection from 192.241.157.126 port 52526 on 192.168.0.44 port 22 rdomain ""
Dec 11 08:28:25 forgeat sshd[804883]: User games from 192.241.157.126 not allowed because none of user's groups are listed in AllowGroups
Dec 11 08:28:25 forgeat sshd[804883]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.241.157.126  user=games
Dec 11 08:28:27 forgeat sshd[804883]: Failed password for invalid user games from 192.241.157.126 port 52526 ssh2
Dec 11 08:28:28 forgeat sshd[804883]: Received disconnect from 192.241.157.126 port 52526:11: Bye Bye [preauth]
Dec 11 08:28:28 forgeat sshd[804883]: Disconnected from invalid user games 192.241.157.126 port 52526 [preauth]
Dec 11 08:28:47 forgeat sshd[804888]: Connection from 5.56.132.123 port 56768 on 192.168.0.44 port 22 rdomain ""
Dec 11 08:28:48 forgeat sshd[804888]: Invalid user concept from 5.56.132.123 port 56768
Dec 11 08:28:48 forgeat sshd[804888]: pam_unix(sshd:auth): check pass; user unknown
Dec 11 08:28:48 forgeat sshd[804888]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=5.56.132.123 
Dec 11 08:28:50 forgeat sshd[804888]: Failed password for invalid user concept from 5.56.132.123 port 56768 ssh2
Dec 11 08:28:51 forgeat sshd[804888]: Received disconnect from 5.56.132.123 port 56768:11: Bye Bye [preauth]
Dec 11 08:28:51 forgeat sshd[804888]: Disconnected from invalid user concept 5.56.132.123 port 56768 [preauth]
Dec 11 08:28:57 forgeat sshd[804891]: Connection from 179.60.147.157 port 24036 on 192.168.0.44 port 22 rdomain ""
Dec 11 08:29:10 forgeat sshd[804891]: Invalid user user from 179.60.147.157 port 24036
Dec 11 08:29:10 forgeat sshd[804891]: pam_unix(sshd:auth): check pass; user unknown
Dec 11 08:29:10 forgeat sshd[804891]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=179.60.147.157 
Dec 11 08:29:12 forgeat sshd[804891]: Failed password for invalid user user from 179.60.147.157 port 24036 ssh2
Dec 11 08:29:15 forgeat sshd[804891]: Connection closed by invalid user user 179.60.147.157 port 24036 [preauth]
Dec 11 08:29:26 forgeat sshd[804894]: Connection from 188.166.96.132 port 52494 on 192.168.0.44 port 22 rdomain ""
Dec 11 08:29:26 forgeat sshd[804894]: Invalid user csr1dev from 188.166.96.132 port 52494
Dec 11 08:29:26 forgeat sshd[804894]: pam_unix(sshd:auth): check pass; user unknown
Dec 11 08:29:26 forgeat sshd[804894]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=188.166.96.132 
Dec 11 08:29:28 forgeat sshd[804894]: Failed password for invalid user csr1dev from 188.166.96.132 port 52494 ssh2
Dec 11 08:29:28 forgeat sshd[804894]: Received disconnect from 188.166.96.132 port 52494:11: Bye Bye [preauth]
Dec 11 08:29:28 forgeat sshd[804894]: Disconnected from invalid user csr1dev 188.166.96.132 port 52494 [preauth]
Dec 11 08:29:40 forgeat sshd[804897]: Connection from 159.65.154.92 port 55662 on 192.168.0.44 port 22 rdomain ""
Dec 11 08:29:41 forgeat sshd[804897]: Invalid user oracle from 159.65.154.92 port 55662
Dec 11 08:29:41 forgeat sshd[804897]: pam_unix(sshd:auth): check pass; user unknown
Dec 11 08:29:41 forgeat sshd[804897]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=159.65.154.92 
Dec 11 08:29:43 forgeat sshd[804897]: Failed password for invalid user oracle from 159.65.154.92 port 55662 ssh2

En effet ce n'est jamais la même IP qui attaque smile et tous les mots d'un dictionnaire de mots de passe vont y passer! (on voit du martin, du csr1dev...)
Bref, vous pouvez faire l'objet d'une attaque coordonnée sur votre petit serveur perso il faut faire gaffe aux mots de passe.

Dernière modification par chinois02 (Le 11/12/2022, à 10:55)


N'importe qui peut voir ce que tu sembles être; quelques rares seulement peuvent tâter ce que tu est. Et ces derniers n'osent contredire l'opinion du grand nombre, renforcés par toute la majesté de l'État. Machiavel-Le Prince.

Hors ligne

#2 Le 11/12/2022, à 11:13

matrix-bx

Re : Bruteforce sur serveur SSH fail2ban en échec...

Salut,
c'est parfois la même ip, mais ça change pas grand chose.
Choses que je ferai pour être tranquille.
Port != 22
PermitRootLogin prohibit-password (ou no)
PasswordAuthentication no
AllowUsers user1 user2 ...


Utilisations des balises de mises en formes.

Hors ligne