2014-10-15 fail2ban

My server has fail2ban installed.

=> fail2ban

“Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show the malicious signs – too many password failures, seeking for exploits, etc. Generally Fail2Ban is then used to update firewall rules to reject the IP addresses for a specified amount of time, although any arbitrary other action (e.g. sending an email) could also be configured. Out of the box Fail2Ban comes with filters for various services (apache, courier, ssh, etc).”

Ever since I installed fail2ban, it showed no activity. Until now. Weird!

=> https://alexschroeder.ch/pics/15538247161_b9e7e00bc1_o.png

Is this due to the Shellshock vulnerability? First public disclosure 2014-09-24, activity starting 2014-10-06. It’s weird, though. I thought Shellshock would involve bash scripts as CGI scripts, called via Apache, but these failures are ordinary SSH login attempts as seen in /var/log/auth.log:

=> Shellshock

Oct 13 11:49:38 alexschroeder sshd[6860]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.56.33  user=root
Oct 13 11:49:40 alexschroeder sshd[6860]: Failed password for root from 222.186.56.33 port 3462 ssh2
Oct 13 11:49:43 alexschroeder sshd[6860]: Failed password for root from 222.186.56.33 port 3462 ssh2
Oct 13 11:49:45 alexschroeder sshd[6860]: Failed password for root from 222.186.56.33 port 3462 ssh2
Oct 13 11:49:45 alexschroeder sshd[6860]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.56.33  user=root
Oct 13 11:49:50 alexschroeder sshd[6864]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.56.33  user=root
Oct 13 11:49:51 alexschroeder sshd[6864]: Failed password for root from 222.186.56.33 port 4067 ssh2
Oct 13 11:49:54 alexschroeder sshd[6864]: Failed password for root from 222.186.56.33 port 4067 ssh2
Oct 13 11:49:56 alexschroeder sshd[6864]: Failed password for root from 222.186.56.33 port 4067 ssh2
Oct 13 11:49:56 alexschroeder sshd[6864]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.56.33  user=root
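
To show how log lines like these turn into a ban decision, here is an added example (not part of the original post and not fail2ban's own code) that counts "Failed password" lines per address inside a sliding window. The regex is a simplified stand-in for fail2ban's sshd filter, and the maxretry=5 / findtime=600 values and the 192.0.2.10 line are assumptions made for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified pattern (an assumption, not the filter fail2ban ships).
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def find_offenders(lines, maxretry=5, findtime=600, year=2014):
    """Return {ip: time of the failure that reached maxretry within findtime seconds}."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    offenders = {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue  # pam_unix and "PAM 2 more" summary lines are not counted
        # syslog timestamps carry no year, so the caller supplies one
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than findtime
            q.popleft()
        if len(q) >= maxretry and m["ip"] not in offenders:
            offenders[m["ip"]] = ts
    return offenders

# Lines from the post, plus one constructed line (192.0.2.10) that stays under the threshold.
SAMPLE = """\
Oct 13 11:49:38 alexschroeder sshd[6860]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.56.33  user=root
Oct 13 11:49:40 alexschroeder sshd[6860]: Failed password for root from 222.186.56.33 port 3462 ssh2
Oct 13 11:49:43 alexschroeder sshd[6860]: Failed password for root from 222.186.56.33 port 3462 ssh2
Oct 13 11:49:45 alexschroeder sshd[6860]: Failed password for root from 222.186.56.33 port 3462 ssh2
Oct 13 11:49:45 alexschroeder sshd[6860]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.56.33  user=root
Oct 13 11:49:47 alexschroeder sshd[6862]: Failed password for invalid user admin from 192.0.2.10 port 50022 ssh2
Oct 13 11:49:51 alexschroeder sshd[6864]: Failed password for root from 222.186.56.33 port 4067 ssh2
Oct 13 11:49:54 alexschroeder sshd[6864]: Failed password for root from 222.186.56.33 port 4067 ssh2
Oct 13 11:49:56 alexschroeder sshd[6864]: Failed password for root from 222.186.56.33 port 4067 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE).items():
        print(f"{ip} reached the threshold at {when}")
```

Because the count is kept per source address, the two separate sshd processes (6860 and 6864) in the log add up to a single offender.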

​#Web ​#fail2ban
