[tor-relays] significant rise in fail2ban alerts for ssh abuse

Ryru ryru at addere.ch
Mon Aug 14 16:57:55 UTC 2017 

Hi Drik, hi List

On 10.08.2017 21:34, Dirk wrote:
> As far as I know the functionality of Fail2Ban is old. If there would be
> a Linux distribution which enables this I would like to talk to the
> maintainer and let him know that he at least
> tries to read the correct abuse entry from ripe instead of bothering our
> provider as well.

I took a look into the Fail2ban source code[0] today. Although I now
have a better understanding of how Fail2ban works I can not really
provide the problem source.

  * The feature that causes abuse mails is called 'complain'[1].

  * Since Feb 2014 Fail2ban is using a web service called abusix.com[2]
to get abuse contacts. They run a DNS based abuse contact info service,
e.g.:
    Absuse Contact for example.com / 93.184.216.34 looks like this:
    $ dig +short TXT 34.216.184.93.abuse-contacts.abusix.org

  * As response they provide one abuse mail contact, which is in our
case always our ISPs abuse address. abusix.com in turn gets their
information from the RIPE API[3]. e.g.:
    curl
https://stat.ripe.net/data/abuse-contact-finder/data.json?resource=93.184.216.34

This answers the question of why Fail2ban is using our ISPs abuse
contact instead of only ours. It also answers the question how they get
this abuse contact.
But in all those samples the abuse notice was sent to our ISPs abuse
contact and to ours. So far I can not say why they use both contacts.
>From checking the source I can not find the whois lookup that would
parse our abuse contact out of our RIPE object record.

I also checked the commit history for the following keyword:
  abuse: last occurrence 19. Feb 2014
  whois: last occurrence 27. Mar 2015
  mail : nothing related in the last two years

My findings let me assume that Fail2ban itself is not necessary the
source of our problem (increasing 22/ssh abuse mails).

Possible other problem causer could be:
  * Fail2ban OS specific configuration files
  * a (new?) popular Fail2ban how-to-guide which promotes the 'complain'
configuration
  * Maybe neither of both changed something and we just had bad luck in
the past weeks?

Maybe someone else has real world experiences with Fail2ban and can help
us out here?

I posted all this to the list in the hope they will help someone else in
the future.

Regards
Pascal


[0] https://github.com/fail2ban/fail2ban
[1]
https://github.com/fail2ban/fail2ban/blob/0.11/config/action.d/complain.conf
[2]
https://github.com/fail2ban/fail2ban/commit/31f4ea59cb86fb91221778902b7e6776c53553f5
[3] https://github.com/fail2ban/fail2ban/issues/612

More information about the tor-relays mailing list