
Resolved Help with shutting down SSH

David Jimenez

Basic Pleskian
After working to secure our web server and getting all our traffic flowing through Cloudflare, I have turned my attention to SSH. I looked at the logs in Virtuozzo and see an almost continuous attack on SSH, such as:

Apr 13 13:43:01 03f98ae sshd[25853]: Failed password for root from 42.94.138.217 port 3986 ssh2
Apr 13 13:43:03 03f98ae sshd[25853]: Failed password for root from 42.94.138.217 port 3986 ssh2
Apr 13 13:43:05 03f98ae sshd[25853]: Failed password for root from 42.94.138.217 port 3986 ssh2
Apr 13 13:43:08 03f98ae sshd[25853]: Failed password for root from 42.94.138.217 port 3986 ssh2
Apr 13 13:43:10 03f98ae sshd[25853]: Failed password for root from 42.94.138.217 port 3986 ssh2
Apr 13 13:43:13 03f98ae sshd[25854]: Disconnecting: Too many authentication failures for root
Apr 13 13:43:13 03f98ae sshd[25853]: Failed password for root from 42.94.138.217 port 3986 ssh2
Apr 13 13:43:13 03f98ae sshd[25853]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=42.94.138.217 user=root
Apr 13 13:43:13 03f98ae sshd[25853]: PAM service(sshd) ignoring max retries; 6 > 3

So, I went to the Plesk Web Hosting Access and selected "Forbidden" for "Access to the server over SSH" but I am still seeing hack attempts in the Virtuozzo log.

Is there a different way to shut down SSH? I don't need it unless I have to update IP tables if Cloudflare adds new IP addresses.
 
Hi David Jimenez,

... and again, I have to ask you, WHY don't you use Fail2Ban, which will ban such intruders?

I answered that in the original thread where you made that suggestion. Network Solutions set numiptent at 128, which is barely enough to get our iptables to work. If I add Fail2Ban or Plesk Firewall, we run out of that resource and the server becomes unstable. We asked NS to increase that resource and they said NO.

I will see if there is anything I can change to get Fail2Ban to work with our current setup.
 
I was able to get Fail2Ban up and running. There were some new SSH hits after I started Fail2Ban, but nothing in the past hour.

Apr 13 17:10:41 03f98ae proftpd[30046]: 205.178.137.143 (208.100.26.232[208.100.26.232]) - USER ftp (Login failed): Incorrect password
Apr 13 17:25:30 03f98ae sshd[30196]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.19.144.220 user=root
Apr 13 17:25:32 03f98ae sshd[30196]: Failed password for root from 58.19.144.220 port 53787 ssh2
Apr 13 17:25:35 03f98ae sshd[30196]: Failed password for root from 58.19.144.220 port 53787 ssh2
Apr 13 17:25:37 03f98ae sshd[30196]: Failed password for root from 58.19.144.220 port 53787 ssh2
Apr 13 17:25:39 03f98ae sshd[30196]: Failed password for root from 58.19.144.220 port 53787 ssh2
Apr 13 17:25:41 03f98ae sshd[30196]: Failed password for root from 58.19.144.220 port 53787 ssh2

Is there anything I need to configure or does it just take some time for it to start working?
 
Hi David Jimenez,

Please consider also using the RECIDIVE jail, which is able to ban returning intruders for a longer time. ;) Please modify it to your desired ban time.
A FORUM SEARCH might help you if you need further information here: => Search Results for Query: "Fail2Ban" "recidive" | Plesk Forum

> Is there anything I need to configure or does it just take some time for it to start working?
Please consider also VIEWING the banned intruders: => Home > Tools & Settings > IP Address Banning > (tab) Banned IP Addresses
... and don't forget to whitelist localhost and your server IP(s), to avoid issues/errors/problems. :)



Further information on "How to use Fail2Ban" can be read in the Plesk documentation:

... and please don't forget that you now have a NEW log file at "/var/log/fail2ban.log", which can help you investigate errors/issues/problems with Fail2Ban.
 
All the jails are active:
plesk-apache: Active
plesk-apache-badbot: Active
plesk-courierimap: Active
plesk-panel: Active
plesk-postfix: Active
plesk-proftpd: Active
plesk-wordpress: Active
recidive: Active
ssh: Active

Both recidive and ssh have IP addresses in their respective jails. Whitelist handled. I see the log on Virtuozzo. Thanks.

P.S. Ignore the red X, they were green check marks until I hit save.
 
Another question, is there some reason that an SSH attack should show up both in var/log/secure and var/log/fail2ban?
 
Hi David Jimenez,

> is there some reason that an SSH attack should show up both in var/log/secure and var/log/fail2ban?
Sure. The recidive jail, for example, doesn't look at your "secure" log. It is intended to monitor your "fail2ban" logs for previously banned users. You won't find the command "Ban HOST/IP" in your "secure" log. ;) To understand jails, please have a look at the corresponding filters and their defined regex expressions.

Example (recidive filter):
Code:
[INCLUDES]
before = common.conf

[Definition]
_daemon = fail2ban\.actions\s*
_jailname = recidive
failregex = ^(%(__prefix_line)s| %(_daemon)s%(__pid_re)s?:\s+)NOTICE\s+\[(?!%(_jailname)s\])(?:.*)\]\s+Ban\s+<HOST>\s*$
ignoreregex =

[Init]
journalmatch = _SYSTEMD_UNIT=fail2ban.service PRIORITY=5
 
Yes, I understand that Fail2Ban is looking at its own logs to find offenders. The question is would you expect a failed SSH attempt to show up in both the Fail2Ban log and the Secure log? If so, no problem. I just want to better understand what is being logged and by which system.
 
Hi David Jimenez,

EACH match found (defined by the regex expressions in the active filters of the corresponding jails) in your monitored logs will be logged in your fail2ban.log(s), and only these fail2ban logs are relevant for an IP/HOST to be banned, depending on the "findtime", "retry" and "bantime" settings of each jail.
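To show concretely which log each jail reads and how findtime, maxretry and bantime turn matches into a ban, here is an added example; it is not part of this thread and not Fail2Ban's own code. It runs a simplified version of the sshd "Failed password" rule over a constructed /var/log/secure sample built from the lines quoted above, writes the resulting Ban records in fail2ban.log format, and then runs a plain-regex translation of the recidive filter quoted earlier over those records. The jail settings, the 203.0.113.10 server address, the pinned year and the two extra fail2ban.log history lines are assumptions made for the demo.

```python
"""Simulate Fail2Ban's ssh and recidive jails over constructed log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed /var/log/secure sample, modelled on the lines quoted in this thread,
# plus one local failure from 127.0.0.1 to show what ignoreip does.
SECURE_LOG = """\
Apr 13 13:43:01 03f98ae sshd[25853]: Failed password for root from 42.94.138.217 port 3986 ssh2
Apr 13 13:43:03 03f98ae sshd[25853]: Failed password for root from 42.94.138.217 port 3986 ssh2
Apr 13 13:43:05 03f98ae sshd[25853]: Failed password for root from 42.94.138.217 port 3986 ssh2
Apr 13 13:43:08 03f98ae sshd[25853]: Failed password for root from 42.94.138.217 port 3986 ssh2
Apr 13 13:43:10 03f98ae sshd[25853]: Failed password for root from 42.94.138.217 port 3986 ssh2
Apr 13 14:02:11 03f98ae sshd[26001]: Failed password for root from 127.0.0.1 port 41000 ssh2
Apr 13 17:25:30 03f98ae sshd[30196]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.19.144.220 user=root
Apr 13 17:25:32 03f98ae sshd[30196]: Failed password for root from 58.19.144.220 port 53787 ssh2
Apr 13 17:25:35 03f98ae sshd[30196]: Failed password for root from 58.19.144.220 port 53787 ssh2
Apr 13 17:25:37 03f98ae sshd[30196]: Failed password for root from 58.19.144.220 port 53787 ssh2
Apr 13 17:25:39 03f98ae sshd[30196]: Failed password for root from 58.19.144.220 port 53787 ssh2
Apr 13 17:25:41 03f98ae sshd[30196]: Failed password for root from 58.19.144.220 port 53787 ssh2
"""

# Simplified "Failed password" rule, an assumption standing in for fail2ban's real
# filter.d/sshd.conf (which has more patterns); the pam_unix line above is not counted.
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?\S+ from (?P<host>\S+) port \d+ ssh2$"
)
# Plain-regex translation of the recidive filter quoted above: a "Ban <HOST>" notice
# written by fail2ban.actions for any jail except recidive itself.
RECIDIVE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ fail2ban\.actions\s*(?:\[\d+\])?:"
    r"\s+NOTICE\s+\[(?!recidive\])[^\]]*\]\s+Ban\s+(?P<host>\S+)\s*$"
)

def find_matches(regex, lines, ts_format, year=None):
    """(timestamp, host) for every line the filter's failregex matches."""
    out = []
    for line in lines:
        m = regex.match(line)
        if m:
            ts = datetime.strptime(m["ts"], ts_format)
            out.append((ts.replace(year=year) if year else ts, m["host"]))
    return out

def run_jail(matches, findtime, maxretry, bantime, ignoreip=()):
    """Ban a host once maxretry matches fall inside findtime; return [(ban_time, host)]."""
    ignored = [ip_network(n) for n in ignoreip]
    window = defaultdict(deque)  # per-host timestamps still inside findtime
    banned_until = {}
    bans = []
    for ts, host in sorted(matches):
        if any(ip_address(host) in net for net in ignored):
            continue  # whitelisted (ignoreip): never counted, never banned
        if ts < banned_until.get(host, ts):
            continue  # still banned: iptables would be dropping these packets
        q = window[host]
        q.append(ts)
        while ts - q[0] > findtime:
            q.popleft()
        if len(q) >= maxretry:
            bans.append((ts, host))
            banned_until[host] = ts + bantime
            q.clear()
    return bans

def fail2ban_log_lines(jail, bans, pid=4242):
    """Render bans the way fail2ban.actions records them in /var/log/fail2ban.log."""
    return [f"{ts:%Y-%m-%d %H:%M:%S},000 fail2ban.actions [{pid}]: NOTICE [{jail}] Ban {host}"
            for ts, host in bans]

# Assumed jail settings: a short-fused ssh jail, and recidive looking a day back
# and banning for a week. ignoreip holds localhost and a constructed server IP.
SSH_JAIL = dict(findtime=timedelta(minutes=10), maxretry=5, bantime=timedelta(minutes=10))
RECIDIVE_JAIL = dict(findtime=timedelta(days=1), maxretry=2, bantime=timedelta(weeks=1))
IGNOREIP = ("127.0.0.0/8", "203.0.113.10/32")

# Constructed fail2ban.log history: an earlier ban of the same host by another jail
# (recidive counts bans from every jail) and a ban issued by recidive itself.
EXTRA_F2B_LOG = [
    "2019-04-13 09:12:40,000 fail2ban.actions [4242]: NOTICE [plesk-proftpd] Ban 42.94.138.217",
    "2019-04-12 08:00:00,000 fail2ban.actions [4242]: NOTICE [recidive] Ban 58.19.144.220",
]

def demo():
    """Run the secure log through the ssh jail, then its Ban records through recidive."""
    # syslog timestamps carry no year, so a constructed one is pinned on
    ssh_hits = find_matches(SSHD_RE, SECURE_LOG.splitlines(), "%b %d %H:%M:%S", year=2019)
    ssh_bans = run_jail(ssh_hits, ignoreip=IGNOREIP, **SSH_JAIL)
    f2b_log = EXTRA_F2B_LOG + fail2ban_log_lines("ssh", ssh_bans)
    rec_hits = find_matches(RECIDIVE_RE, f2b_log, "%Y-%m-%d %H:%M:%S")
    rec_bans = run_jail(rec_hits, ignoreip=IGNOREIP, **RECIDIVE_JAIL)
    return {"ssh_hits": ssh_hits, "ssh_bans": ssh_bans, "fail2ban_log": f2b_log,
            "recidive_hits": rec_hits, "recidive_bans": rec_bans}

if __name__ == "__main__":
    print("\n".join(demo()["fail2ban_log"]))
    print("recidive would ban:", [host for _, host in demo()["recidive_bans"]])
```

Running it prints the Ban records the ssh jail would have written and the one host recidive would then ban: 42.94.138.217 had already been banned by another jail that morning, so its second ban within a day trips recidive, while 58.19.144.220 has only one. The failures themselves live in /var/log/secure, which the ssh jail reads; the Ban records land in /var/log/fail2ban.log, which recidive reads, and the `[recidive]` history line is skipped by the negative lookahead in its own filter. Setting maxretry to 1 in the ssh jail shows ignoreip at work: the 127.0.0.1 failure is never counted.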
 
Actually, the default log that the ssh jail monitors is /var/log/secure. That is why I was seeing Fail2Ban's actions in its own log and the attack activity in the secure log.
 