
Question Fail2Ban log showing this

Richard Follett

Basic Pleskian
My log is showing these kinds of entries - are these all people trying to hack SSH & FTP?

Is this a normal amount?

2017-05-25 08:12:20,788 fail2ban.filter [17575]: INFO [plesk-proftpd] Found 91.200.12.109
2017-05-25 08:12:20,789 fail2ban.filter [17575]: INFO [plesk-proftpd] Found 91.200.12.109
2017-05-25 08:12:20,790 fail2ban.filter [17575]: INFO [plesk-proftpd] Found 91.200.12.109
2017-05-25 08:12:21,574 fail2ban.actions [17575]: NOTICE [plesk-proftpd] Ban 91.200.12.109
2017-05-25 08:12:22,022 fail2ban.filter [17575]: INFO [plesk-proftpd] Found 91.200.12.109
2017-05-25 08:12:22,024 fail2ban.filter [17575]: INFO [plesk-proftpd] Found 91.200.12.109
2017-05-25 08:12:22,025 fail2ban.filter [17575]: INFO [plesk-proftpd] Found 91.200.12.109
2017-05-25 08:12:22,799 fail2ban.actions [17575]: NOTICE [plesk-proftpd] 91.200.12.109 already banned
2017-05-25 08:18:36,642 fail2ban.actions [17575]: NOTICE [ssh] Unban 91.197.232.107
2017-05-25 08:19:18,936 fail2ban.filter [17575]: INFO [ssh] Found 212.129.53.59
2017-05-25 08:19:18,944 fail2ban.filter [17575]: INFO [ssh] Found 212.129.53.59
2017-05-25 08:19:21,032 fail2ban.filter [17575]: INFO [ssh] Found 212.129.53.59
2017-05-25 08:19:21,036 fail2ban.filter [17575]: INFO [ssh] Found 212.129.53.59
2017-05-25 08:19:34,159 fail2ban.filter [17575]: INFO [ssh] Found 212.129.53.59
2017-05-25 08:19:34,929 fail2ban.actions [17575]: NOTICE [ssh] Ban 212.129.53.59
2017-05-25 08:19:37,439 fail2ban.filter [17575]: INFO [ssh] Found 212.129.53.59
2017-05-25 08:22:22,490 fail2ban.actions [17575]: NOTICE [plesk-proftpd] Unban 91.200.12.109
2017-05-25 08:29:35,844 fail2ban.actions [17575]: NOTICE [ssh] Unban 212.129.53.59
2017-05-25 08:31:15,435 fail2ban.filter [17575]: INFO [ssh] Found 139.162.122.110
2017-05-25 08:31:16,503 fail2ban.filter [17575]: INFO [ssh] Found 139.162.122.110
2017-05-25 08:34:01,802 fail2ban.filter [17575]: INFO [plesk-proftpd] Found 51.255.75.16
2017-05-25 08:34:26,916 fail2ban.filter [17575]: INFO [plesk-proftpd] Found 142.4.15.19
2017-05-25 08:34:41,119 fail2ban.filter [17575]: INFO [ssh] Found 5.237.215.162
2017-05-25 08:34:43,225 fail2ban.filter [17575]: INFO [ssh] Found 5.237.215.162
2017-05-25 08:34:43,231 fail2ban.filter [17575]: INFO [ssh] Found 5.237.215.162
2017-05-25 08:34:46,339 fail2ban.filter [17575]: INFO [ssh] Found 5.237.215.162
2017-05-25 08:34:46,341 fail2ban.filter [17575]: INFO [ssh] Found 5.237.215.162
2017-05-25 08:34:46,347 fail2ban.filter [17575]: INFO [ssh] Found 5.237.215.162
2017-05-25 08:34:47,421 fail2ban.actions [17575]: NOTICE [ssh] Ban 5.237.215.162
2017-05-25 08:34:47,542 fail2ban.filter [17575]: INFO [ssh] Found 5.237.215.162
2017-05-25 08:34:47,543 fail2ban.filter [17575]: INFO [ssh] Found 5.237.215.162
2017-05-25 08:34:48,633 fail2ban.filter [17575]: INFO [ssh] Found 5.237.215.162
2017-05-25 08:34:50,742 fail2ban.filter [17575]: INFO [ssh] Found 5.237.215.162
2017-05-25 08:34:50,745 fail2ban.filter [17575]: INFO [ssh] Found 5.237.215.162
2017-05-25 08:34:51,650 fail2ban.actions [17575]: NOTICE [ssh] 5.237.215.162 already banned
2017-05-25 08:44:48,339 fail2ban.actions [17575]: NOTICE [ssh] Unban 5.237.215.162
 
It doesn't look unusual to me. Most Linux servers suffer from large numbers of failed login attempts, and Fail2Ban will deal with them.

If you haven't already done so, you should consider activating the "recidive" jail. That will permanently block any repeat offenders.
 
Thank you Simon - switched on with this filter:

[INCLUDES]
before = common.conf

[Definition]
_daemon = fail2ban\.actions\s*
_jailname = recidive
failregex = ^(%(__prefix_line)s| %(_daemon)s%(__pid_re)s?:\s+)NOTICE\s+\[(?!%(_jailname)s\])(?:.*)\]\s+Ban\s+<HOST>\s*$
ignoreregex =

[Init]
journalmatch = _SYSTEMD_UNIT=fail2ban.service PRIORITY=5
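
As an added example (not part of the thread, and not Fail2Ban's own code), the Python sketch below shows which lines of a log like the one posted above a recidive-style filter counts: only `Ban` notices from other jails, not `Found`, `Unban`, `already banned` or recidive's own bans. The regex is a simplified stand-in for the `failregex` above (IPv4 only), the sample lines are constructed, and the `maxretry` and `findtime` values passed in are illustrative rather than the jail's configured settings.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Simplified Python equivalent of the filter's failregex: timestamp captured
# separately, <HOST> narrowed to IPv4, recidive's own bans excluded.
BAN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+\s+"
    r"fail2ban\.actions\s*(?:\[\d+\])?:\s+NOTICE\s+"
    r"\[(?!recidive\])(?P<jail>[^\]]+)\]\s+Ban\s+"
    r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)

# Constructed sample in the format of the log posted above (addresses are
# from the RFC 5737 documentation ranges).
SAMPLE_LOG = """\
2017-05-25 08:12:20,788 fail2ban.filter [17575]: INFO [plesk-proftpd] Found 192.0.2.10
2017-05-25 08:12:21,574 fail2ban.actions [17575]: NOTICE [plesk-proftpd] Ban 192.0.2.10
2017-05-25 08:12:22,799 fail2ban.actions [17575]: NOTICE [plesk-proftpd] 192.0.2.10 already banned
2017-05-25 08:22:22,490 fail2ban.actions [17575]: NOTICE [plesk-proftpd] Unban 192.0.2.10
2017-05-25 09:01:05,101 fail2ban.actions [17575]: NOTICE [ssh] Ban 192.0.2.10
2017-05-25 09:40:00,000 fail2ban.actions [17575]: NOTICE [ssh] Ban 198.51.100.7
2017-05-25 11:30:12,345 fail2ban.actions [17575]: NOTICE [ssh] Ban 192.0.2.10
2017-05-25 11:30:13,000 fail2ban.actions [17575]: NOTICE [recidive] Ban 192.0.2.10
"""

def parse_bans(text):
    """Return (time, jail, host) for each line the filter would count."""
    bans = []
    for line in text.splitlines():
        m = BAN_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            bans.append((ts, m["jail"], m["host"]))
    return bans

def repeat_offenders(bans, maxretry, findtime):
    """Hosts with at least maxretry bans inside one sliding findtime window."""
    by_host = defaultdict(list)
    for ts, _jail, host in bans:
        by_host[host].append(ts)
    flagged = set()
    for host, times in by_host.items():
        times.sort()
        for i in range(len(times) - maxretry + 1):
            if times[i + maxretry - 1] - times[i] <= findtime:
                flagged.add(host)
                break
    return sorted(flagged)

if __name__ == "__main__":
    bans = parse_bans(SAMPLE_LOG)
    print(repeat_offenders(bans, maxretry=3, findtime=timedelta(days=1)))
```

Bans are counted per host across all jails, so an address banned once by `plesk-proftpd` and twice by `ssh` reaches a threshold of three.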
 