[tor-relays] significant rise in fail2ban alerts for ssh abuse

Dirk tor-relay.dirk at o.banes.ch
Thu Aug 10 19:34:53 UTC 2017


Dear all,

we are receiving a significant rise in ssh login abuse mails, which reach us
and unfortunately also our providers.
By significant I mean an amount that starts flooding our abuse inbox.

All abuse emails are structured the same way and point to Fail2Ban as
originator.

Do we just have bad luck and someone is using our servers to brute force all
of SSH out there, OR is there a new Fail2Ban or Linux distribution
release which fosters or enables these fail2ban abuse mails by default?

As far as I know the functionality of Fail2Ban is old. If there were
a Linux distribution which enables this, I would like to talk to the
maintainer and let him know that he should at least
try to read the correct abuse entry from RIPE instead of bothering our
provider as well.

For a limited time we will now reject port 22, but I really do not like
this solution. I would rather find out the source of this rise
in numbers.

best regards

Dirk

Example 1 ----
Dear Sir/Madam,

We have detected abuse from the IP address 1.1.1.x, which according to a whois lookup is on your network. We would appreciate if you would investigate and take action as appropriate.

Log lines are given below, but please ask if you require any further information.

(If you are not the correct person to contact about this please accept our apologies - your e-mail address was extracted from the whois record by an automated process. This mail was generated by Fail2Ban.)

Note: Local timezone is +0300 (MSK)
Aug  6 08:35:23 srv sshd[3534]: Invalid user admin from 1.1.1.x
Aug  6 08:35:25 srv sshd[3534]: Failed password for invalid user admin from 1.1.1.x port 50789 ssh2
Aug  6 08:35:25 srv sshd[3534]: Connection closed by 1.1.1.x [preauth]
Aug  6 12:26:03 srv sshd[28169]: Invalid user admin from 1.1.1.x
Aug  6 12:26:05 srv sshd[28169]: Failed password for invalid user admin from 1.1.1.x port 35677 ssh2
Aug  6 12:26:06 srv sshd[28169]: Connection closed by 1.1.1.x [preauth]


Example 2 ----
Dear Sir/Madam,

We have detected abuse from the IP address 1.1.1.x, which according to a whois lookup is on your network. We would appreciate if you would investigate and take action as appropriate.

Log lines are given below, but please ask if you require any further information.

(If you are not the correct person to contact about this please accept our apologies - your e-mail address was extracted from the whois record by an automated process. This mail was generated by Fail2Ban.)

Note: Local timezone is +0200 (CEST)
Aug  7 17:41:14 vps3xxx sshd[32746]: Invalid user admin from 1.1.1.x
Aug  7 17:41:14 vps3xxx sshd[32746]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=1.1.1.x
Aug  7 17:41:16 vps3xxx sshd[32746]: Failed password for invalid user admin from 1.1.1.x port 60497 ssh2
Aug  7 17:41:16 vps3xxx sshd[32746]: Connection closed by 1.1.1.x port 60497 [preauth]
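A defender-side helper for handling reports in the shape quoted above, added here as an example; it is not part of the original mail, of Fail2Ban, or of any Tor Project tooling. It reads the "Note: Local timezone" line, converts each sshd "Failed password" line to UTC (syslog lines carry no year, so the caller supplies it), and summarizes attempts per reported source address, username and source port. The sample report text, the address 192.0.2.10 (a TEST-NET documentation placeholder standing in for the redacted 1.1.1.x) and the year 2017 are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of the Fail2Ban abuse mails quoted above.
# 192.0.2.10 is a documentation (TEST-NET-1) placeholder, not a real source.
SAMPLE_REPORT = """\
Dear Sir/Madam,

We have detected abuse from the IP address 192.0.2.10, which according to a whois lookup is on your network.

Note: Local timezone is +0300 (MSK)
Aug  6 08:35:23 srv sshd[3534]: Invalid user admin from 192.0.2.10
Aug  6 08:35:25 srv sshd[3534]: Failed password for invalid user admin from 192.0.2.10 port 50789 ssh2
Aug  6 08:35:25 srv sshd[3534]: Connection closed by 192.0.2.10 [preauth]
Aug  6 12:26:03 srv sshd[28169]: Invalid user admin from 192.0.2.10
Aug  6 12:26:05 srv sshd[28169]: Failed password for invalid user admin from 192.0.2.10 port 35677 ssh2
Aug  6 12:26:06 srv sshd[28169]: Connection closed by 192.0.2.10 [preauth]
"""

# "Note: Local timezone is +0300 (MSK)" -> sign, hours, minutes
TZ_RE = re.compile(r"^Note: Local timezone is ([+-])(\d{2})(\d{2})", re.M)
# syslog-style sshd line: month day time host sshd[pid]: message
LOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$", re.M)
# Only the "Failed password" line carries the source port.
FAIL_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")


def parse_tz_offset(text):
    """Return the reporter's local timezone from the 'Local timezone' note (UTC if absent)."""
    m = TZ_RE.search(text)
    if not m:
        return timezone.utc
    sign = 1 if m.group(1) == "+" else -1
    return timezone(sign * timedelta(hours=int(m.group(2)), minutes=int(m.group(3))))


def parse_report(text, year):
    """Extract failed-password events with UTC timestamps from one abuse report.

    'year' is an assumption supplied by the caller (e.g. taken from the mail date),
    because syslog timestamps do not include it.
    """
    tz = parse_tz_offset(text)
    events = []
    for m in LOG_RE.finditer(text):
        f = FAIL_RE.search(m.group("msg"))
        if not f:
            continue  # 'Invalid user' / 'Connection closed' lines: no port, skip
        local = datetime.strptime(
            f"{year} {m.group('mon')} {m.group('day')} {m.group('time')}",
            "%Y %b %d %H:%M:%S")
        utc = local.replace(tzinfo=tz).astimezone(timezone.utc)
        events.append({"utc": utc, "host": m.group("host"), "user": f.group("user"),
                       "ip": f.group("ip"), "port": int(f.group("port"))})
    return events


def summarize(events):
    """Group events by reported source IP: attempt count, usernames, ports, UTC window."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    out = {}
    for ip, evs in by_ip.items():
        times = sorted(e["utc"] for e in evs)
        out[ip] = {
            "attempts": len(evs),
            "users": sorted({e["user"] for e in evs}),
            "ports": sorted(e["port"] for e in evs),
            "first_utc": times[0].isoformat(),
            "last_utc": times[-1].isoformat(),
        }
    return out


if __name__ == "__main__":
    for ip, s in summarize(parse_report(SAMPLE_REPORT, 2017)).items():
        print(ip, s)
```

The UTC timestamp and source port are the two values a relay operator needs in order to check whether the reported address was acting as an exit at that moment and to answer the report from the contact listed in the RIPE abuse entry; reports from different senders use different local timezones (+0300 and +0200 in the two examples above), so normalizing to UTC before comparing them matters.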


