
Trying to understand why kernel attempts to authenticate a banned IP (Debian 10 VPS)

0 votes
1 answer
169 views
I have a Debian 10 server running on a VPS. The only software I installed are: tinyproxy (http proxy) and fail2ban.

I have included:

- the results of a port scan using nmap
- my specific settings in the fail2ban jail.local file
- my specific settings in the fail2ban fail2ban.local file
- a sample of entries from the auth log
- a sample of entries from the fail2ban log
- my results from a sample scan of iptables

Problem Summary:

- auth.log shows attempted entry by 192.241.141.43, almost every minute, all day long
- fail2ban.log shows 192.241.141.43 is banned
- iptables shows 192.241.141.43 is banned

I thought that, based upon the IP being blocked, the malicious user would NOT be able to attempt a login. Yet it seems that the kernel is indeed (pam_unix(sshd:auth)) allowing attempted logins.

MY 2 QUESTIONS, please:

1. Why does the kernel allow malicious users to even attempt login if they are banned?
2. Why does the iptables entry say "icmp" and not "tcp"? Yes, I understand that a "ping" is an icmp packet, but I want to block tcp login attempts.

Many thanks!

### Results from nmap scan
```
# Nmap 7.80 scan initiated Sat Jan 27 15:25:04 2024 as: nmap -sS -oG out.txt 107.174.156.124
Host: 107.174.156.124 (107-174-156-124-host.colocrossing.com)	Status: Up
Host: 107.174.156.124 (107-174-156-124-host.colocrossing.com)	Ports: 139/filtered/tcp//netbios-ssn///, 445/filtered/tcp//microsoft-ds///, 8888/open/tcp//sun-answerbook///	Ignored State: closed (997)
# Nmap done at Sat Jan 27 15:25:06 2024 -- 1 IP address (1 host up) scanned in 2.20 seconds
```
---

### Here are my entries in jail.local

Please note that I have moved the SSHD port to the 63xxx range. I have obscured the last 3 digits with xxx.
```ini
#
# JAILS
#

#
# SSH servers
#

[sshd]

# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
#mode   = normal
enabled = true
mode = aggressive
port = 63xxx
filter = sshd
logpath = /var/log/auth.log
bantime = 2000000
findtime = 7200
maxretry = 2
backend = %(sshd_backend)s
action = iptables-multiport[name=sshd, port="ssh", protocol=tcp]
```
### fail2ban.local

```ini
# Options: dbpurgeage
# Notes.: Sets age at which bans should be purged from the database
# Values: [ SECONDS ] Default: 86400 (24hours)
dbpurgeage = 2100000
```
### Sample Auth log

As an example, there are several attempts by 192.241.141.43, and this is repeated almost every minute!

```
Jan 27 15:54:55 racknerd-64d010 sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.241.141.43  user=root
Jan 27 15:54:57 racknerd-64d010 sshd: Failed password for root from 192.241.141.43 port 54798 ssh2
Jan 27 15:54:57 racknerd-64d010 sshd: Received disconnect from 192.241.141.43 port 54798:11: Bye Bye [preauth]
Jan 27 15:54:57 racknerd-64d010 sshd: Disconnected from authenticating user root 192.241.141.43 port 54798 [preauth]
```
### Sample of fail2ban

As an example, fail2ban says 192.241.141.43 is banned:

```
2024-01-27 15:55:50,928 fail2ban.actions        : WARNING [sshd] 82.102.12.130 already banned
2024-01-27 15:55:50,929 fail2ban.actions        : WARNING [sshd] 192.241.141.43 already banned
2024-01-27 15:55:50,929 fail2ban.actions        : WARNING [sshd] 159.75.161.40 already banned
```
### Results from iptables scan

IP 192.241.141.43 is banned:

```
    0     0 REJECT     all  --  *      *       61.231.64.170        0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       192.241.141.43       0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       104.250.34.177       0.0.0.0/0            reject-with icmp-port-unreachable
```
### Additional Info 1+2, Complete Rule Set

Here is a link to the complete ruleset file.

- iptables_o2.txt
- auth_2024-01-27m_sample.txt

=== Additional Info Summary

I am including a summary here that incorporates the critical input from Chris Davies. I am doing this so that folks who are reading this in the future will know, clearly, what to add in the SSHD jail section of their jail.local file. I am also including the single changed line of text from the fail2ban.local file. Again, thanks Chris.

=== Here is jail.local
```ini
#
# JAILS
#

#
# SSH servers
#

[sshd]

# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
#mode   = normal
enabled = true
mode = aggressive
port = 22
filter = sshd
logpath = /var/log/auth.log
bantime = 2000000
findtime = 7200
maxretry = 2
backend = %(sshd_backend)s
banaction_allports = iptables-allports
action_ap = %(banaction_allports)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
action = %(action_ap)s
```
=== Here is fail2ban.local
```ini
# Options: dbpurgeage
# Notes.: Sets age at which bans should be purged from the database
# Values: [ SECONDS ] Default: 86400 (24hours)
dbpurgeage = 2100000
```
Asked by xstack (105 rep)
Jan 28, 2024, 03:45 PM
Last activity: Feb 2, 2024, 06:18 PM
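As an added illustration (example code written for this page, not from the question or from fail2ban itself), here is a Python check that reads an `[sshd]` jail section, expands its `%(key)s` references the way fail2ban does, and reports whether the ban action's port list actually covers the port the jail watches. The before/after fragments mirror the two jail.local versions above; the port 63001 is a constructed stand-in for the obscured 63xxx, and the `SERVICES` table stands in for /etc/services so the script runs offline.

```python
import configparser
import re

# Stand-in for /etc/services; 'ssh' is the name the original action used.
SERVICES = {"ssh": 22}

def port_set(spec: str) -> set[int]:
    """Expand a fail2ban port list ('ssh', '22,8888', '"63001"') to integers."""
    items = (p.strip().strip('"') for p in spec.split(",") if p.strip())
    return {int(i) if i.isdigit() else SERVICES[i] for i in items}

def resolve(section: dict, value: str) -> str:
    """Expand %(key)s references from the same section; unknown keys are left as-is."""
    for _ in range(10):
        new = re.sub(r"%\((\w+)\)s", lambda m: section.get(m.group(1), m.group(0)), value)
        if new == value:
            break
        value = new
    return value

def ban_covers_jail_port(jail_text: str, jail: str = "sshd") -> tuple[bool, str]:
    """True if the jail's ban action blocks every port the jail's sshd listens on."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(jail_text)
    sec = dict(cp[jail])
    name, _, params = resolve(sec, sec["action"]).partition("[")
    name = name.strip()
    if name.endswith("allports"):
        return True, f"{name} rejects all traffic from banned hosts"
    # Parse key=value pairs inside the brackets; a quoted value may hold commas.
    opts = dict(re.findall(r'(\w+)=("[^"]*"|[^,\]]+)', params))
    ban_ports = port_set(opts.get("port", sec["port"]))
    missing = port_set(sec["port"]) - ban_ports
    if missing:
        return False, f"{name} only blocks {sorted(ban_ports)}; sshd on {sorted(missing)} stays reachable"
    return True, f"{name} blocks {sorted(ban_ports)}"

# Constructed jail.local fragments mirroring the question; 63001 stands in for 63xxx.
BEFORE = """[sshd]
port = 63001
action = iptables-multiport[name=sshd, port="ssh", protocol=tcp]
"""
AFTER = """[sshd]
port = 22
bantime = 2000000
banaction_allports = iptables-allports
action_ap = %(banaction_allports)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
action = %(action_ap)s
"""
```

With `iptables-multiport` and `port="ssh"`, the REJECT rules only apply to port 22, so a daemon moved to another port keeps accepting connections from the banned address; `iptables-allports` matches every port and has no such gap.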