Dear all,
We are receiving a significant rise in SSH login abuse mails, which reach us and, unfortunately, our providers as well. By significant I mean an amount that is starting to flood our abuse inbox.
All abuse emails are structured the same way and point to Fail2Ban as originator.
Do we just have bad luck and someone is using our servers to brute force all of SSH out there, OR is there a new Fail2Ban or Linux distribution release which fosters or enables these Fail2Ban abuse mails by default?
As far as I know, the functionality in Fail2Ban is old. If there were a Linux distribution which enables this, I would like to talk to the maintainer and let them know that they should at least try to read the correct abuse entry from RIPE instead of bothering our provider as well.
For a limited time we will now reject port 22, but I really do not like this solution. I would rather find out the source of this rise in numbers.
best regards
Dirk
Example 1
----
Dear Sir/Madam,
We have detected abuse from the IP address 1.1.1.x, which according to a whois lookup is on your network. We would appreciate if you would investigate and take action as appropriate.
Log lines are given below, but please ask if you require any further information.
(If you are not the correct person to contact about this please accept our apologies - your e-mail address was extracted from the whois record by an automated process. This mail was generated by Fail2Ban.)
Note: Local timezone is +0300 (MSK)
Aug 6 08:35:23 srv sshd[3534]: Invalid user admin from 1.1.1.x
Aug 6 08:35:25 srv sshd[3534]: Failed password for invalid user admin from 1.1.1.x port 50789 ssh2
Aug 6 08:35:25 srv sshd[3534]: Connection closed by 1.1.1.x [preauth]
Aug 6 12:26:03 srv sshd[28169]: Invalid user admin from 1.1.1.x
Aug 6 12:26:05 srv sshd[28169]: Failed password for invalid user admin from 1.1.1.x port 35677 ssh2
Aug 6 12:26:06 srv sshd[28169]: Connection closed by 1.1.1.x [preauth]
Example 2
----
Dear Sir/Madam,
We have detected abuse from the IP address 1.1.1.x, which according to a whois lookup is on your network. We would appreciate if you would investigate and take action as appropriate.
Log lines are given below, but please ask if you require any further information.
(If you are not the correct person to contact about this please accept our apologies - your e-mail address was extracted from the whois record by an automated process. This mail was generated by Fail2Ban.)
Note: Local timezone is +0200 (CEST)
Aug 7 17:41:14 vps3xxx sshd[32746]: Invalid user admin from 1.1.1.x
Aug 7 17:41:14 vps3xxx sshd[32746]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=1.1.1.x
Aug 7 17:41:16 vps3xxx sshd[32746]: Failed password for invalid user admin from 1.1.1.x port 60497 ssh2
Aug 7 17:41:16 vps3xxx sshd[32746]: Connection closed by 1.1.1.x port 60497 [preauth]
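To answer the "bad luck or a compromised host?" question, the reports themselves are the first thing to correlate against the server's own logs. The two examples quote syslog lines in two different local timezones (+0300 and +0200), and syslog timestamps carry no year, so before comparing them with your own auth or connection-tracking logs every line has to be normalised to UTC. The script below is an added example, not part of the original post or of Fail2Ban: it parses the "Local timezone" note and the "Failed password" lines of each report into UTC timestamps plus the source port each attempt came from, which is what you need to grep for in your own logs (or in a NAT/conntrack log) to see whether the connection really originated on your host. The report texts are constructed from the two examples above, and the year is an assumption passed in by the caller because the mails do not contain it.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample input: the log sections of the two abuse mails quoted in the post,
# source address anonymised exactly as in the post (1.1.1.x).
REPORTS = [
    """Note: Local timezone is +0300 (MSK)
Aug 6 08:35:23 srv sshd[3534]: Invalid user admin from 1.1.1.x
Aug 6 08:35:25 srv sshd[3534]: Failed password for invalid user admin from 1.1.1.x port 50789 ssh2
Aug 6 08:35:25 srv sshd[3534]: Connection closed by 1.1.1.x [preauth]
Aug 6 12:26:03 srv sshd[28169]: Invalid user admin from 1.1.1.x
Aug 6 12:26:05 srv sshd[28169]: Failed password for invalid user admin from 1.1.1.x port 35677 ssh2
Aug 6 12:26:06 srv sshd[28169]: Connection closed by 1.1.1.x [preauth]
""",
    """Note: Local timezone is +0200 (CEST)
Aug 7 17:41:14 vps3xxx sshd[32746]: Invalid user admin from 1.1.1.x
Aug 7 17:41:14 vps3xxx sshd[32746]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=1.1.1.x
Aug 7 17:41:16 vps3xxx sshd[32746]: Failed password for invalid user admin from 1.1.1.x port 60497 ssh2
Aug 7 17:41:16 vps3xxx sshd[32746]: Connection closed by 1.1.1.x port 60497 [preauth]
""",
]

# The "Note: Local timezone is +HHMM (NAME)" line Fail2Ban puts above the quoted log.
TZ_RE = re.compile(r"Local timezone is ([+-])(\d{2})(\d{2})")

# One sshd "Failed password" line; the "invalid user" prefix is optional because
# sshd omits it when the account exists.
FAIL_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) sshd\[(?P<pid>\d+)\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+) ssh2$"
)

MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], 1)}


def parse_offset(report):
    """Return the tzinfo announced by the report's timezone note (UTC if absent)."""
    m = TZ_RE.search(report)
    if not m:
        return timezone.utc  # assumption: a report without the note is in UTC
    sign = 1 if m.group(1) == "+" else -1
    return timezone(sign * timedelta(hours=int(m.group(2)), minutes=int(m.group(3))))


def parse_report(report, year):
    """Extract every failed-login attempt from one report, timestamps converted to UTC.

    `year` is supplied by the caller: syslog timestamps do not carry one.
    """
    tz = parse_offset(report)
    events = []
    for line in report.splitlines():
        m = FAIL_RE.match(line.strip())
        if not m:
            continue
        hour, minute, second = (int(x) for x in m["time"].split(":"))
        local = datetime(year, MONTHS[m["mon"]], int(m["day"]),
                         hour, minute, second, tzinfo=tz)
        events.append({
            "utc": local.astimezone(timezone.utc),
            "reporter_host": m["host"],
            "src": m["src"],
            "src_port": int(m["port"]),
            "user": m["user"],
        })
    return events


def summarize(reports, year):
    """Merge all reports into one UTC-ordered list of attempts."""
    events = [e for r in reports for e in parse_report(r, year)]
    events.sort(key=lambda e: e["utc"])
    return events


def ports_for_correlation(events):
    """(UTC time, source port) pairs to look for in your own logs."""
    return [(e["utc"].strftime("%Y-%m-%dT%H:%M:%SZ"), e["src_port"]) for e in events]


if __name__ == "__main__":
    for when, port in ports_for_correlation(summarize(REPORTS, 2018)):  # year assumed
        print(f"{when}  outbound source port {port}")
```

Run the output against your own host: an attempt that appears in a reporter's log but has no matching outbound connection from your machine at that UTC second (and no matching source port in your conntrack or netflow records) points at a spoofed or mis-attributed source rather than a compromised server, which is the distinction the abuse desk needs to make before blocking port 22.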