• If you are still using CentOS 7.9, it's time to convert to Alma 8 with the free centos2alma tool by Plesk or Plesk Migrator. Please let us know your experiences or concerns in this thread:
    CentOS2Alma discussion
  • Inviting everyone to the UX test of a new security feature in the WP Toolkit
    For WordPress site owners, threats posed by hackers are ever-present. Because of this, we are developing a new security feature for the WP Toolkit. If the topic of WordPress website security is relevant to you, we would be grateful if you could share your experience and help us test the usability of this feature. We invite you to join us for a 1-hour online session via Google Meet. Select a convenient meeting time with our friendly UX staff here.

Resolved Help with shutting down SSH

David Jimenez

David Jimenez

Basic Pleskian
After working to secure our web server and getting all our traffic flowing through Cloudflare, I have turned my attention to SSH. I looked at the logs in Virtuozzo and see almost a continuous attack on SSH such as:

Apr 13 13:43:01 03f98ae sshd[25853]: Failed password for root from 42.94.138.217 port 3986 ssh2
Apr 13 13:43:03 03f98ae sshd[25853]: Failed password for root from 42.94.138.217 port 3986 ssh2
Apr 13 13:43:05 03f98ae sshd[25853]: Failed password for root from 42.94.138.217 port 3986 ssh2
Apr 13 13:43:08 03f98ae sshd[25853]: Failed password for root from 42.94.138.217 port 3986 ssh2
Apr 13 13:43:10 03f98ae sshd[25853]: Failed password for root from 42.94.138.217 port 3986 ssh2
Apr 13 13:43:13 03f98ae sshd[25854]: Disconnecting: Too many authentication failures for root
Apr 13 13:43:13 03f98ae sshd[25853]: Failed password for root from 42.94.138.217 port 3986 ssh2
Apr 13 13:43:13 03f98ae sshd[25853]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=42.94.138.217 user=root
Apr 13 13:43:13 03f98ae sshd[25853]: PAM service(sshd) ignoring max retries; 6 > 3

So, I went to the Plesk Web Hosting Access and selected "Forbidden" for "Access to the server over SSH" but I am still seeing hack attempts in the Virtuozzo log.

Is there a different way to shut down SSH? I don't need it unless I have to update IP tables if Cloudflare adds new IP addresses.
 
UFHH01 said:
Hi David Jimenez,

... and again, I have to ask you, WHY don't you use Fail2Ban, which will ban such intruders?
Click to expand...

I answered that in the original thread where you made that suggestion. Network Solutions set numiptent at 128, which is barely enough to get our iptables to work. If I add Fail2Ban or Plesk Firewall, we run out of that resource and the server becomes unstable. We asked NS to increase that resource and they said NO.

I will see if there is anything I can change to get Fail2Ban to work with our current setup.
 
I was able to get Fail2Ban up and running. There were some new SSH hits after I started Fail2Ban, but nothing in the past hour.

Apr 13 17:10:41 03f98ae proftpd[30046]: 205.178.137.143 (208.100.26.232[208.100.26.232]) - USER ftp (Login failed): Incorrect password
Apr 13 17:25:30 03f98ae sshd[30196]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.19.144.220 user=root
Apr 13 17:25:32 03f98ae sshd[30196]: Failed password for root from 58.19.144.220 port 53787 ssh2
Apr 13 17:25:35 03f98ae sshd[30196]: Failed password for root from 58.19.144.220 port 53787 ssh2
Apr 13 17:25:37 03f98ae sshd[30196]: Failed password for root from 58.19.144.220 port 53787 ssh2
Apr 13 17:25:39 03f98ae sshd[30196]: Failed password for root from 58.19.144.220 port 53787 ssh2
Apr 13 17:25:41 03f98ae sshd[30196]: Failed password for root from 58.19.144.220 port 53787 ssh2

Is there anything I need to configure or does it just take some time for it to start working?
 
Hi David Jimenez,

pls. consider as well to use the RECIDIVE - jail, which is able to ban returning intruders for a longer time. ;) Pls. modify it to a desired ban - time.
A FORUM SEARCH might help you, if you need further informations here: => Search Results for Query: "Fail2Ban" "recidive" | Plesk Forum

David Jimenez said:
Is there anything I need to configure or does it just take some time for it to start working?
Click to expand...
Pls. consider as well to VIEW banned intruders: => Home > Tools & Settings > IP Address Banning > (tab) Banned IP Addresses
... and don't forget to whitelist localhost and your server IP(s), to avoid issues/errors/problems. :)



Further informations on "How to use Fail2Ban" can be read in the Plesk documentation:


... and pls. don't forget, that you now have a NEW log - file at "/var/log/fail2ban.log", which can help to investigate errors/issues/problems with Fail2Ban.
 
All the jails are active:
plesk-apache
ok.png
Active
plesk-apache-badbot
ok.png
Active
plesk-courierimap
ok.png
Active
plesk-panel
ok.png
Active
plesk-postfix
ok.png
Active
plesk-proftpd
ok.png
Active
plesk-wordpress
ok.png
Active
recidive
ok.png
Active
ssh
ok.png
Active

Both recidive and ssh have IP addresses in their respective jails. Whitelist handled. I see the log on Virtuozzo. Thanks.

P.S. Ignore the red X, they were green check marks until I hit save.
 
Another question, is there some reason that an SSH attack should show up both in var/log/secure and var/log/fail2ban?
 
Hi David Jimenez,

David Jimenez said:
is there some reason that an SSH attack should show up both in var/log/secure and var/log/fail2ban?
Click to expand...
Sure. The redive jail for example doesn't look at your "secure" - log. It is invented to monitor your "fail2ban" - logs for previous banned users. You won't find the command "Ban HOST/IP" in your "secure" - log. ;) To understand jails, pls. consider to have a look at the corresponding filters and their defined regex - expressions.

Example ( recidive - filter ):
Code: 
[INCLUDES]
before = common.conf

[Definition]
_daemon = fail2ban\.actions\s*
_jailname = recidive
failregex = ^(%(__prefix_line)s| %(_daemon)s%(__pid_re)s?:\s+)NOTICE\s+\[(?!%(_jailname)s\])(?:.*)\]\s+Ban\s+<HOST>\s*$
ignoreregex =

[Init]
journalmatch = _SYSTEMD_UNIT=fail2ban.service PRIORITY=5
 
Yes, I understand that Fail2Ban is looking at its own logs to find offenders. The question is would you expect a failed SSH attempt to show up in both the Fail2Ban log and the Secure log? If so, no problem. I just want to better understand what is being logged and by which system.
 
Hi David Jimenez,

EACH found match ( defined by regex - expressions in your active filters of the corresponding jails ) from your monitored logs will be logged in your fail2ban.log(s) and only this fail2ban - logs are relevant for an IP/HOST to be banned, depending to your "findtime", "retry" and "bantime" - settings of each jail.
 
Last edited by a moderator:
Actually, the default log that ssh jail is monitoring is /var/log/secure. That is why I was seeing Fail2Ban actions in its log and the activity in the secure log.
 
You must log in or register to reply here.

Similar threads

J
Resolved 25: Connection timed out - Almalinux 9.4 x86_64 | 18.0.61.1
Replies
2
Views
68
josemanuuxd
J
P
Issue fail2ban doesn't ban port scan
Replies
8
Views
3K
PeterKi
P
S
Resolved Can't access Plesk and can't start sw-cp-service
Replies
4
Views
2K
StefMG
S
A
Resolved Unable to start Apache
Replies
1
Views
1K
menderes
menderes
H
Issue fail2ban iptables error, ban doesn't work
Replies
1
Views
2K
hotwert
H
Back
Top