Eu instalei o fail2ban com as configurações padrão porque há um monte de bots tentando fazer login como root no meu servidor. Eu instalei mas nada mudou, eu verifiquei a lista de IPs do fail2ban e não há nada lá.
É assim que meu log seguro se parece:
May 19 09:11:25 localhost sshd[6080]: Failed password for root from 43.255.188.160 port 52111 ssh2
May 19 09:11:25 localhost unix_chkpwd[6083]: password check failed for user (root)
May 19 09:11:25 localhost sshd[6080]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
May 19 09:11:28 localhost sshd[6080]: Failed password for root from 43.255.188.160 port 52111 ssh2
May 19 09:11:28 localhost unix_chkpwd[6084]: password check failed for user (root)
May 19 09:11:28 localhost sshd[6080]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
May 19 09:11:29 localhost sshd[6080]: Failed password for root from 43.255.188.160 port 52111 ssh2
May 19 09:11:29 localhost sshd[6080]: Received disconnect from 43.255.188.160: 11: [preauth]
May 19 09:11:29 localhost sshd[6080]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.255.188.160 user=root
May 19 09:11:30 localhost unix_chkpwd[6087]: password check failed for user (root)
May 19 09:11:30 localhost sshd[6085]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.255.188.160 user=root
May 19 09:11:30 localhost sshd[6085]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
May 19 09:11:31 localhost sshd[6085]: Failed password for root from 43.255.188.160 port 39053 ssh2
May 19 09:11:31 localhost unix_chkpwd[6088]: password check failed for user (root)
May 19 09:11:31 localhost sshd[6085]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
May 19 09:11:33 localhost sshd[6085]: Failed password for root from 43.255.188.160 port 39053 ssh2
May 19 09:11:33 localhost unix_chkpwd[6089]: password check failed for user (root)
May 19 09:11:33 localhost sshd[6085]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
May 19 09:11:36 localhost sshd[6085]: Failed password for root from 43.255.188.160 port 39053 ssh2
May 19 09:11:36 localhost sshd[6085]: Received disconnect from 43.255.188.160: 11: [preauth]
May 19 09:11:36 localhost sshd[6085]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.255.188.160 user=root
May 19 09:11:36 localhost unix_chkpwd[6093]: password check failed for user (root)
May 19 09:11:36 localhost sshd[6091]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.255.188.160 user=root
May 19 09:11:36 localhost sshd[6091]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
May 19 09:11:38 localhost sshd[6091]: Failed password for root from 43.255.188.160 port 53516 ssh2
May 19 09:11:38 localhost unix_chkpwd[6094]: password check failed for user (root)
May 19 09:11:38 localhost sshd[6091]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
May 19 09:11:40 localhost sshd[6091]: Failed password for root from 43.255.188.160 port 53516 ssh2
May 19 09:11:40 localhost unix_chkpwd[6095]: password check failed for user (root)
May 19 09:11:40 localhost sshd[6091]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
May 19 09:11:42 localhost sshd[6091]: Failed password for root from 43.255.188.160 port 53516 ssh2
May 19 09:11:42 localhost sshd[6091]: Received disconnect from 43.255.188.160: 11: [preauth]
May 19 09:11:42 localhost sshd[6091]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.255.188.160 user=root
May 19 09:11:43 localhost unix_chkpwd[6098]: password check failed for user (root)
May 19 09:11:43 localhost sshd[6096]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.255.188.160 user=root
May 19 09:11:43 localhost sshd[6096]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
May 19 09:11:44 localhost sshd[6096]: Failed password for root from 43.255.188.160 port 40323 ssh2
May 19 09:11:44 localhost unix_chkpwd[6099]: password check failed for user (root)
May 19 09:11:44 localhost sshd[6096]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
May 19 09:11:46 localhost sshd[6096]: Failed password for root from 43.255.188.160 port 40323 ssh2
May 19 09:11:46 localhost unix_chkpwd[6100]: password check failed for user (root)
May 19 09:11:46 localhost sshd[6096]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Ativei o fail2ban (aqui diz que já está em execução)
fail2ban-client start
ERROR Server already running
e o status desde ontem:
fail2ban-client status
Status
|- Number of jail: 0
'- Jail list:
Existe algo que não estou fazendo que não esteja habilitando o fail2ban?
Como alguém apontou e eu acho que é uma boa prática ter essa diretiva PermitRootLogin no em sshd_config apenas no caso.
Eu tinha uma seção ssh no meu jail local, mas agora vejo que estava faltando uma seção ssh-iptables para adicionar regras ao iptables e agora funciona:
[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
logpath = /var/log/secure
maxretry = 5