If you take a look at this tutorial, titled Fail2ban - Rackspace Knowledge Center, you'll see a timeout consistent with what you're seeing.
Excerpts:
Let's test fail2ban to make sure it behaves the way we want it to. We'll do that by failing a few ssh logins.
We'll use two machines: The server we want to protect and another machine to act as the attacker.
- Attacking machine's IP: 123.45.67.89
- The server's IP: 98.76.54.32
To run the test, simply get on the attacking machine and try to ssh to your server five times. For example:
$ ssh [email protected]
With the sixth try (assuming you have ssh's maxretry set to 5) your connection should time out if you try to ssh in again.
NOTE: this last sentence is what you're seeing!
You can also configure fail2ban to send an e-mail similar to this one:
If you have fail2ban set to send you email check to see if you got a message like this one:
From fail2ban@ITSecurity Thu Jul 16 04:59:24 2009
Subject: [Fail2Ban] ssh: banned 123.45.67.89

Hi,

The ip 123.45.67.89 has just been banned by Fail2Ban after 5 attempts against ssh.

Here are more information about 123.45.67.89:
{whois info}

Lines containing IP:123.45.67.89 in /var/log/auth.log
Jul 16 04:59:16 example.com sshd[10390]: Failed password for root from 123.45.67.89 port 46023 ssh2
Jul 16 04:59:18 example.com sshd[10390]: Failed password for root from 123.45.67.89 port 46023 ssh2
Jul 16 04:59:20 example.com sshd[10390]: Failed password for root from 123.45.67.89 port 46023 ssh2
Jul 16 04:59:21 example.com sshd[10394]: reverse mapping checking getaddrinfo for 123.45.67.89.example.com [123.45.67.89] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 16 04:59:22 example.com sshd[10394]: Failed password for root from 123.45.67.89 port 46024 ssh2

Regards,
Fail2Ban
Probably the best indication that fail2ban worked is the existence of a new iptables rule that is now blocking the attacking IP address.
For example:
iptables -L
Chain fail2ban-ssh (1 references)
target prot opt source destination
DROP all -- 208-78-96-200.realinfosec.com anywhere
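
A minimal Python model of the counting behind the ban above, added here as an illustration (it is not part of the quoted tutorial and not fail2ban's own code): it replays the auth.log lines from the notification e-mail and reports when an address reaches maxretry failures inside a findtime window. The regexes, the name find_bans, the 600-second findtime default, the year, and counting the reverse-mapping warning as a failure are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified failure patterns (assumptions; not fail2ban's shipped sshd filter).
# The user field is \S+ and each pattern is anchored at the end of the line so
# text in the username field is not mistaken for the source address.
IP = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
FAIL_PATTERNS = [
    re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from "
               + IP + r" port \d+ ssh2$"),
    re.compile(r"sshd\[\d+\]: reverse mapping checking getaddrinfo for \S+ \["
               + IP + r"\] failed - POSSIBLE BREAK-IN ATTEMPT!$"),
]

# Log lines from the notification e-mail quoted above.
SAMPLE_LOG = """\
Jul 16 04:59:16 example.com sshd[10390]: Failed password for root from 123.45.67.89 port 46023 ssh2
Jul 16 04:59:18 example.com sshd[10390]: Failed password for root from 123.45.67.89 port 46023 ssh2
Jul 16 04:59:20 example.com sshd[10390]: Failed password for root from 123.45.67.89 port 46023 ssh2
Jul 16 04:59:21 example.com sshd[10394]: reverse mapping checking getaddrinfo for 123.45.67.89.example.com [123.45.67.89] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 16 04:59:22 example.com sshd[10394]: Failed password for root from 123.45.67.89 port 46024 ssh2
"""

def find_bans(log_text, maxretry=5, findtime=600, year=2009):
    """Return {ip: timestamp of the failure that reached maxretry within findtime}."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)   # ip -> failure times still inside the window
    bans = {}
    for line in log_text.splitlines():   # lines are assumed to be in time order
        for pattern in FAIL_PATTERNS:
            m = pattern.search(line)
            if not m:
                continue
            ip = m.group("ip")
            # Syslog timestamps carry no year, so it is passed in (assumption).
            ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
            q = recent[ip]
            q.append(ts)
            while ts - q[0] > window:    # forget failures older than findtime
                q.popleft()
            if len(q) >= maxretry and ip not in bans:
                bans[ip] = ts
            break                        # count each log line once
    return bans

if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG).items():
        print(f"{ip} reaches maxretry at {when}")
```

With the defaults, the fifth matching line (04:59:22) is the one that triggers the ban, which agrees with the e-mail's "after 5 attempts" and its 04:59:24 timestamp.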