Became Hot Network Question
added 1447 characters in body
xstack


=== From fail2ban log LATEST INFO:
2024-01-23 15:36:40,421 fail2ban.filter         [12663]: INFO    [sshd] Found 159.75.146.136 - 2024-01-23 15:36:40
2024-01-23 15:36:40,422 fail2ban.filter         [12663]: INFO    [sshd] Found 159.75.146.136 - 2024-01-23 15:36:40
2024-01-23 15:36:40,574 fail2ban.actions        [12663]: WARNING [sshd] 159.75.146.136 already banned



=== From auth log LATEST INFO:
Jan 23 15:36:40 racknerd-64d010 sshd[27856]: Invalid user ali from 159.75.146.136 port 50302
Jan 23 15:36:40 racknerd-64d010 sshd[27856]: pam_unix(sshd:auth): check pass; user unknown
Jan 23 15:36:40 racknerd-64d010 sshd[27856]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=159.75.146.136 
Jan 23 15:36:42 racknerd-64d010 sshd[27856]: Failed password for invalid user ali from 159.75.146.136 port 50302 ssh2
Jan 23 15:36:43 racknerd-64d010 sshd[27856]: Received disconnect from 159.75.146.136 port 50302:11: Bye Bye [preauth]



=== From iptables LATEST INFO:
    0     0 REJECT     all  --  *      *       159.75.164.110       0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       159.75.146.136       0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       159.75.127.125       0.0.0.0/0            reject-with icmp-port-unreachable



Further formatting cleanup.
Giacomo1968

My questions:

Many thanks!

Here is fail2ban log, starting at 10:54:06. As example, there are 3 entries for 103.226.138.245:

Here is Auth log starting at 10:54:06. As example, there are several entries for 103.226.138.245.

Here is result of ss -lntu scan. I changed my ssh port to 63xxx (obscured):

Here are my entries in jail.local:

Thank you again.


deleted 12 characters in body
grawity_u1686

As example:

  • fail2ban.log shows 3 entries for IP 103.226.138.245
  • The 3rd entry says that the IP has already been banned.

...

2024-01-23 10:54:06,466 fail2ban.filter         [29045]: INFO    [sshd] Found 139.59.92.218 - 2024-01-23 10:54:06
2024-01-23 10:54:06,467 fail2ban.filter         [29045]: INFO    [sshd] Found 139.59.92.218 - 2024-01-23 10:54:06
2024-01-23 10:54:06,504 fail2ban.actions        [29045]: WARNING [sshd] 139.59.92.218 already banned
2024-01-23 10:54:07,171 fail2ban.filter         [29045]: INFO    [sshd] Found 103.226.138.245 - 2024-01-23 10:54:07
2024-01-23 10:54:07,172 fail2ban.filter         [29045]: INFO    [sshd] Found 103.226.138.245 - 2024-01-23 10:54:07
2024-01-23 10:54:07,907 fail2ban.actions        [29045]: WARNING [sshd] 103.226.138.245 already banned
2024-01-23 10:54:08,079 fail2ban.filter         [29045]: INFO    [sshd] Found 139.59.92.218 - 2024-01-23 10:54:08
2024-01-23 10:54:08,154 fail2ban.filter         [29045]: INFO    [sshd] Found 103.226.138.245 - 2024-01-23 10:54:08
2024-01-23 10:54:13,469 fail2ban.filter         [29045]: INFO    [sshd] Found 130.61.35.0 - 2024-01-23 10:54:13
2024-01-23 10:54:13,471 fail2ban.filter         [29045]: INFO    [sshd] Found 130.61.35.0 - 2024-01-23 10:54:13
2024-01-23 10:54:13,917 fail2ban.actions        [29045]: WARNING [sshd] 130.61.35.0 already banned
2024-01-23 10:54:15,077 fail2ban.filter         [29045]: INFO    [sshd] Found 130.61.35.0 - 2024-01-23 10:54:14
2024-01-23 10:54:15,079 fail2ban.filter         [29045]: INFO    [sshd] Found 159.89.94.43 - 2024-01-23 10:54:15
2024-01-23 10:54:16,685 fail2ban.filter         [29045]: INFO    [sshd] Found 206.189.229.70 - 2024-01-23 10:54:16
2024-01-23 10:54:16,686 fail2ban.filter         [29045]: INFO    [sshd] Found 206.189.229.70 - 2024-01-23 10:54:16
2024-01-23 10:54:16,687 fail2ban.filter         [29045]: INFO    [sshd] Found 159.89.94.43 - 2024-01-23 10:54:16
2024-01-23 10:54:17,123 fail2ban.actions        [29045]: WARNING [sshd] 206.189.229.70 already banned
2024-01-23 10:54:17,123 fail2ban.actions        [29045]: WARNING [sshd] 159.89.94.43 already banned
2024-01-23 10:54:18,764 fail2ban.filter         [29045]: INFO    [sshd] Found 206.189.229.70 - 2024-01-23 10:54:18
2024-01-23 10:54:18,765 fail2ban.filter         [29045]: INFO    [sshd] Found 103.86.180.10 - 2024-01-23 10:54:18
2024-01-23 10:54:18,766 fail2ban.filter         [29045]: INFO    [sshd] Found 103.86.180.10 - 2024-01-23 10:54:18
2024-01-23 10:54:19,127 fail2ban.actions        [29045]: WARNING [sshd] 103.86.180.10 already banned
2024-01-23 10:54:20,658 fail2ban.filter         [29045]: INFO    [sshd] Found 103.86.180.10 - 2024-01-23 10:54:20
2024-01-23 10:54:24,981 fail2ban.filter         [29045]: INFO    [sshd] Found 34.84.82.194 - 2024-01-23 10:54:24
2024-01-23 10:54:24,983 fail2ban.filter         [29045]: INFO    [sshd] Found 34.84.82.194 - 2024-01-23 10:54:24
2024-01-23 10:54:25,136 fail2ban.actions        [29045]: WARNING [sshd] 34.84.82.194 already banned

...

Jan 23 10:54:06 racknerd-64d010 sshd[11576]: Invalid user wangyongxin from 139.59.92.218 port 33490
Jan 23 10:54:06 racknerd-64d010 sshd[11576]: pam_unix(sshd:auth): check pass; user unknown
Jan 23 10:54:06 racknerd-64d010 sshd[11576]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=139.59.92.218 
Jan 23 10:54:07 racknerd-64d010 sshd[11583]: Invalid user sunaz from 103.226.138.245 port 51052
Jan 23 10:54:07 racknerd-64d010 sshd[11583]: pam_unix(sshd:auth): check pass; user unknown
Jan 23 10:54:07 racknerd-64d010 sshd[11583]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.226.138.245 
Jan 23 10:54:08 racknerd-64d010 sshd[11576]: Failed password for invalid user wangyongxin from 139.59.92.218 port 33490 ssh2
Jan 23 10:54:08 racknerd-64d010 sshd[11583]: Failed password for invalid user sunaz from 103.226.138.245 port 51052 ssh2
Jan 23 10:54:08 racknerd-64d010 sshd[11576]: Received disconnect from 139.59.92.218 port 33490:11: Bye Bye [preauth]
Jan 23 10:54:08 racknerd-64d010 sshd[11576]: Disconnected from invalid user wangyongxin 139.59.92.218 port 33490 [preauth]
Jan 23 10:54:08 racknerd-64d010 sshd[11583]: Received disconnect from 103.226.138.245 port 51052:11: Bye Bye [preauth]
Jan 23 10:54:08 racknerd-64d010 sshd[11583]: Disconnected from invalid user sunaz 103.226.138.245 port 51052 [preauth]
Jan 23 10:54:13 racknerd-64d010 sshd[11586]: Invalid user tosi from 130.61.35.0 port 57576
Jan 23 10:54:13 racknerd-64d010 sshd[11586]: pam_unix(sshd:auth): check pass; user unknown
Jan 23 10:54:13 racknerd-64d010 sshd[11586]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=130.61.35.0 
Jan 23 10:54:14 racknerd-64d010 sshd[11586]: Failed password for invalid user tosi from 130.61.35.0 port 57576 ssh2
Jan 23 10:54:14 racknerd-64d010 sshd[11586]: Received disconnect from 130.61.35.0 port 57576:11: Bye Bye [preauth]
Jan 23 10:54:14 racknerd-64d010 sshd[11586]: Disconnected from invalid user tosi 130.61.35.0 port 57576 [preauth]
Jan 23 10:54:15 racknerd-64d010 sshd[11588]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=159.89.94.43  user=root
Jan 23 10:54:16 racknerd-64d010 sshd[11590]: Invalid user es_user from 206.189.229.70 port 37586
Jan 23 10:54:16 racknerd-64d010 sshd[11590]: pam_unix(sshd:auth): check pass; user unknown
Jan 23 10:54:16 racknerd-64d010 sshd[11590]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=206.189.229.70 
Jan 23 10:54:16 racknerd-64d010 sshd[11588]: Failed password for root from 159.89.94.43 port 60092 ssh2
Jan 23 10:54:17 racknerd-64d010 sshd[11588]: Received disconnect from 159.89.94.43 port 60092:11: Bye Bye [preauth]
Jan 23 10:54:17 racknerd-64d010 sshd[11588]: Disconnected from authenticating user root 159.89.94.43 port 60092 [preauth]
Jan 23 10:54:18 racknerd-64d010 sshd[11590]: Failed password for invalid user es_user from 206.189.229.70 port 37586 ssh2
Jan 23 10:54:18 racknerd-64d010 sshd[11592]: Invalid user mrmomeni from 103.86.180.10 port 37374
Jan 23 10:54:18 racknerd-64d010 sshd[11592]: pam_unix(sshd:auth): check pass; user unknown
Jan 23 10:54:18 racknerd-64d010 sshd[11592]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.86.180.10 
Jan 23 10:54:20 racknerd-64d010 sshd[11590]: Received disconnect from 206.189.229.70 port 37586:11: Bye Bye [preauth]
Jan 23 10:54:20 racknerd-64d010 sshd[11590]: Disconnected from invalid user es_user 206.189.229.70 port 37586 [preauth]
Jan 23 10:54:20 racknerd-64d010 sshd[11592]: Failed password for invalid user mrmomeni from 103.86.180.10 port 37374 ssh2
Jan 23 10:54:22 racknerd-64d010 sshd[11592]: Received disconnect from 103.86.180.10 port 37374:11: Bye Bye [preauth]
Jan 23 10:54:22 racknerd-64d010 sshd[11592]: Disconnected from invalid user mrmomeni 103.86.180.10 port 37374 [preauth]
Jan 23 10:54:24 racknerd-64d010 sshd[11594]: Invalid user fan1 from 34.84.82.194 port 53972
Jan 23 10:54:24 racknerd-64d010 sshd[11594]: pam_unix(sshd:auth): check pass; user unknown
Jan 23 10:54:24 racknerd-64d010 sshd[11594]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=34.84.82.194 
Jan 23 10:54:27 racknerd-64d010 sshd[11594]: Failed password for invalid user fan1 from 34.84.82.194 port 53972 ssh2
Jan 23 10:54:27 racknerd-64d010 sshd[11594]: Received disconnect from 34.84.82.194 port 53972:11: Bye Bye [preauth]
Jan 23 10:54:27 racknerd-64d010 sshd[11594]: Disconnected from invalid user fan1 34.84.82.194 port 53972 [preauth]
Jan 23 10:54:36 racknerd-64d010 sshd[11597]: Invalid user ckr from 43.135.163.185 port 48842
Jan 23 10:54:36 racknerd-64d010 sshd[11597]: pam_unix(sshd:auth): check pass; user unknown
Jan 23 10:54:36 racknerd-64d010 sshd[11597]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.135.163.185 
Jan 23 10:54:38 racknerd-64d010 sshd[11597]: Failed password for invalid user ckr from 43.135.163.185 port 48842 ssh2
Jan 23 10:54:39 racknerd-64d010 sshd[11597]: Received disconnect from 43.135.163.185 port 48842:11: Bye Bye [preauth]
Jan 23 10:54:39 racknerd-64d010 sshd[11597]: Disconnected from invalid user ckr 43.135.163.185 port 48842 [preauth]
Jan 23 10:54:44 racknerd-64d010 sshd[11599]: Invalid user scuser from 43.134.92.252 port 49834
Jan 23 10:54:44 racknerd-64d010 sshd[11599]: pam_unix(sshd:auth): check pass; user unknown
Jan 23 10:54:44 racknerd-64d010 sshd[11599]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.134.92.252 
Jan 23 10:54:46 racknerd-64d010 sshd[11599]: Failed password for invalid user scuser from 43.134.92.252 port 49834 ssh2
Jan 23 10:54:47 racknerd-64d010 sshd[11601]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=201.184.50.251  user=root
Jan 23 10:54:48 racknerd-64d010 sshd[11599]: Received disconnect from 43.134.92.252 port 49834:11: Bye Bye [preauth]
Jan 23 10:54:48 racknerd-64d010 sshd[11599]: Disconnected from invalid user scuser 43.134.92.252 port 49834 [preauth]
Jan 23 10:54:49 racknerd-64d010 sshd[11601]: Failed password for root from 201.184.50.251 port 39546 ssh2
Jan 23 10:54:51 racknerd-64d010 sshd[11601]: Received disconnect from 201.184.50.251 port 39546:11: Bye Bye [preauth]
Jan 23 10:54:51 racknerd-64d010 sshd[11601]: Disconnected from authenticating user root 201.184.50.251 port 39546 [preauth]

Netid   State    Recv-Q   Send-Q     Local Address:Port      Peer Address:Port
tcp     LISTEN   0        5              127.0.0.1:61209          0.0.0.0:*
tcp     LISTEN   0        128              0.0.0.0:63xxx          0.0.0.0:*
tcp     LISTEN   0        128              0.0.0.0:8888           0.0.0.0:*
tcp     LISTEN   0        128                 [::]:63xxx             [::]:*
tcp     LISTEN   0        128                 [::]:8888              [::]:*
...

[INCLUDES]

#before = paths-distro.conf
before = paths-debian.conf

# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.

[DEFAULT]

#
# MISCELLANEOUS OPTIONS
#

# "ignorself" specifies whether the local resp. own IP addresses should be ignored
# (default is true). Fail2ban will not ban a host which matches such addresses.
#ignorself = true

# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
# will not ban a host which matches an address in this list. Several addresses
# can be defined using space (and/or comma) separator.
ignoreip = 127.0.0.1/8 ::1 xxx.yyy.zzz.xxx

# External command that will take an tagged arguments to ignore, e.g. <ip>,
# and return true if the IP is to be ignored. False otherwise.
#
# ignorecommand = /path/to/command <ip>
ignorecommand =

# "bantime" is the number of seconds that a host is banned.
bantime  = 9000000

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 7200

# "maxretry" is the number of failures before a host get banned.
maxretry = 2

...

#
# JAILS
#

#
# SSH servers
#

[sshd]

# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
#mode   = normal
enabled = true
port    = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
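The four artifacts the post shows (fail2ban.log, the sshd auth log, the iptables REJECT rules and `ss -lntu` next to the jail's `port = ssh`) can be cross-checked mechanically. The script below is an added example, my own code and not the asker's or fail2ban's; it parses the post's own sample lines and flags the two things a defender would look at first: IPs that keep producing sshd log lines at or after fail2ban reports them as "already banned" even though a REJECT rule for them exists, and whether the jail's `port` value includes the port sshd actually listens on (with fail2ban's default iptables-multiport action the f2b-sshd chain is only consulted for the jail's ports, so a listener on another port never hits the REJECT rules). It assumes the year 2024 for the year-less auth.log timestamps, uses 63000 as a placeholder for the post's obscured 63xxx, and replaces /etc/services with a one-entry table; nothing in it states what the asker's actual cause was.

```python
# Correlate fail2ban.log, sshd auth log, iptables and jail.local for one host.
# Added example, not code from the original post. Sample lines are copied from
# the post's excerpts; the auth.log year, sshd port 63000 (the post obscures it
# as 63xxx) and the port-name table are assumptions of this example.
import re
from datetime import datetime

ASSUMED_YEAR, SSHD_PORT, JAIL_PORT = 2024, 63000, "ssh"  # jail.local in the post: port = ssh
PORT_NAMES = {"ssh": 22}  # minimal stand-in for /etc/services (assumption)

# Constructed sample input, copied from the post's excerpts (63000 substituted for 63xxx).
FAIL2BAN_LOG = """\
2024-01-23 15:36:40,421 fail2ban.filter         [12663]: INFO    [sshd] Found 159.75.146.136 - 2024-01-23 15:36:40
2024-01-23 15:36:40,422 fail2ban.filter         [12663]: INFO    [sshd] Found 159.75.146.136 - 2024-01-23 15:36:40
2024-01-23 15:36:40,574 fail2ban.actions        [12663]: WARNING [sshd] 159.75.146.136 already banned
"""
AUTH_LOG = """\
Jan 23 15:36:40 racknerd-64d010 sshd[27856]: Invalid user ali from 159.75.146.136 port 50302
Jan 23 15:36:42 racknerd-64d010 sshd[27856]: Failed password for invalid user ali from 159.75.146.136 port 50302 ssh2
Jan 23 15:36:43 racknerd-64d010 sshd[27856]: Received disconnect from 159.75.146.136 port 50302:11: Bye Bye [preauth]
"""
IPTABLES = """\
    0     0 REJECT     all  --  *      *       159.75.164.110       0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       159.75.146.136       0.0.0.0/0            reject-with icmp-port-unreachable
"""
SS_LNTU = """\
Netid   State    Recv-Q   Send-Q     Local Address:Port      Peer Address:Port
tcp     LISTEN   0        5              127.0.0.1:61209          0.0.0.0:*
tcp     LISTEN   0        128              0.0.0.0:63000          0.0.0.0:*
tcp     LISTEN   0        128              0.0.0.0:8888           0.0.0.0:*
"""
F2B_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ fail2ban\.\w+\s+\[\d+\]: \w+\s+\[[^\]]+\] (.*)$")
AUTH_RE = re.compile(r"^(\w{3}) +(\d+) (\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (.*)$")
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def parse_fail2ban(text):
    """(timestamp, kind, ip) per fail2ban.log line; kind is 'found' or 'already_banned'."""
    events = []
    for m in filter(None, map(F2B_RE.match, text.splitlines())):
        ts, msg = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2)
        if msg.startswith("Found "):
            events.append((ts, "found", msg.split()[1]))
        elif msg.endswith(" already banned"):
            events.append((ts, "already_banned", msg.split()[0]))
    return events

def parse_auth(text, year=ASSUMED_YEAR):
    """(timestamp, ip, message) for sshd auth-log lines that name a remote IPv4."""
    events = []
    for m in filter(None, map(AUTH_RE.match, text.splitlines())):
        ip = IPV4_RE.search(m.group(4))
        if ip:  # syslog lines carry no year, so the assumed one is prepended
            ts = datetime.strptime("%d %s %s %s" % ((year,) + m.group(1, 2, 3)), "%Y %b %d %H:%M:%S")
            events.append((ts, ip.group(1), m.group(4)))
    return events

def parse_iptables_rejects(text):
    """Source addresses of REJECT rules in `iptables -nvL` style output (column 8)."""
    rows = (line.split() for line in text.splitlines())
    return {c[7] for c in rows if len(c) >= 9 and c[2] == "REJECT"}

def parse_listen_ports(text):
    """TCP ports in LISTEN state from `ss -lntu` output (port after the last ':')."""
    rows = (line.split() for line in text.splitlines())
    return {int(c[4].rsplit(":", 1)[1]) for c in rows if len(c) >= 5 and c[:2] == ["tcp", "LISTEN"]}

def post_ban_activity(f2b_events, auth_events):
    """sshd lines each 'already banned' IP still produced at/after that warning. The ban
    pre-dates those lines, so any hit means the connection reached sshd while banned."""
    warned = {}
    for ts, kind, ip in f2b_events:
        if kind == "already_banned":
            warned.setdefault(ip, ts)
    active = {}
    for ts, ip, msg in auth_events:
        if ip in warned and ts >= warned[ip]:
            active.setdefault(ip, []).append(msg)
    return active

def ban_gaps(active, rejected):
    """'rule_present': a REJECT rule exists but was not matched; 'rule_missing': no rule."""
    return {ip: "rule_present" if ip in rejected else "rule_missing" for ip in active}

def jail_ports(spec, names=PORT_NAMES):
    """Expand a fail2ban `port` value ('ssh', '22,63000', '60000:60002') to a set of ints."""
    ports = set()
    for item in spec.replace(" ", "").split(","):
        if ":" in item:
            lo, hi = (int(x) for x in item.split(":", 1))
            ports.update(range(lo, hi + 1))
        else:
            ports.add(names.get(item) or int(item))
    return ports

def sshd_port_checks(jail_port, sshd_port, listen_ports):
    """Is sshd listening where expected, and does the jail's `port` cover that port?
    With iptables-multiport the f2b-sshd chain is only consulted for the jail's ports."""
    return {"sshd_listening": sshd_port in listen_ports,
            "jail_covers_sshd_port": sshd_port in jail_ports(jail_port)}

def analyse():
    f2b, auth = parse_fail2ban(FAIL2BAN_LOG), parse_auth(AUTH_LOG)
    active = post_ban_activity(f2b, auth)
    return {"post_ban": active,
            "gaps": ban_gaps(active, parse_iptables_rejects(IPTABLES)),
            "ports": sshd_port_checks(JAIL_PORT, SSHD_PORT, parse_listen_ports(SS_LNTU))}
```

On the post's sample, `analyse()` reports 159.75.146.136 as active while banned with its REJECT rule present (`rule_present`), and the port check returns `jail_covers_sshd_port: False` because `port = ssh` expands to 22 only. To run it against real files, replace the constants with the contents of `/var/log/fail2ban.log`, the auth log, `iptables -nvL f2b-sshd` and `ss -lntu`, and set `SSHD_PORT` to the real listener.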


...

...

Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp LISTEN 0 5 127.0.0.1:61209 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:63xxx 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:8888 0.0.0.0:*
tcp LISTEN 0 128 [::]:63xxx [::]:*
tcp LISTEN 0 128 [::]:8888 [::]:*
...

...

[INCLUDES]

#before = paths-distro.conf before = paths-debian.conf

The DEFAULT allows a global definition of the options. They can be overridden

in each jail afterwards.

[DEFAULT]

MISCELLANEOUS OPTIONS

"ignorself" specifies whether the local resp. own IP addresses should be ignored

(default is true). Fail2ban will not ban a host which matches such addresses.

#ignorself = true

"ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban

will not ban a host which matches an address in this list. Several addresses

can be defined using space (and/or comma) separator.

ignoreip = 127.0.0.1/8 ::1 xxx.yyy.zzz.xxx

External command that will take an tagged arguments to ignore, e.g. ,

and return true if the IP is to be ignored. False otherwise.

ignorecommand = /path/to/command

ignorecommand =

"bantime" is the number of seconds that a host is banned.

bantime = 9000000

A host is banned if it has generated "maxretry" during the last "findtime"

seconds.

findtime = 7200

"maxretry" is the number of failures before a host get banned.

maxretry = 2

... ...

JAILS

SSH servers

[sshd]

To use more aggressive sshd modes set filter parameter "mode" in jail.local:

normal (default), ddos, extra or aggressive (combines all).

See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.

#mode = normal enabled = true port = ssh logpath = %(sshd_log)s backend = %(sshd_backend)s ...

As an example:

  • fail2ban.log shows 3 entries for IP 103.226.138.245
  • The 3rd entry says that the IP has already been banned.

2024-01-23 10:54:06,466 fail2ban.filter         [29045]: INFO    [sshd] Found 139.59.92.218 - 2024-01-23 10:54:06
2024-01-23 10:54:06,467 fail2ban.filter         [29045]: INFO    [sshd] Found 139.59.92.218 - 2024-01-23 10:54:06
2024-01-23 10:54:06,504 fail2ban.actions        [29045]: WARNING [sshd] 139.59.92.218 already banned
2024-01-23 10:54:07,171 fail2ban.filter         [29045]: INFO    [sshd] Found 103.226.138.245 - 2024-01-23 10:54:07
2024-01-23 10:54:07,172 fail2ban.filter         [29045]: INFO    [sshd] Found 103.226.138.245 - 2024-01-23 10:54:07
2024-01-23 10:54:07,907 fail2ban.actions        [29045]: WARNING [sshd] 103.226.138.245 already banned
2024-01-23 10:54:08,079 fail2ban.filter         [29045]: INFO    [sshd] Found 139.59.92.218 - 2024-01-23 10:54:08
2024-01-23 10:54:08,154 fail2ban.filter         [29045]: INFO    [sshd] Found 103.226.138.245 - 2024-01-23 10:54:08
2024-01-23 10:54:13,469 fail2ban.filter         [29045]: INFO    [sshd] Found 130.61.35.0 - 2024-01-23 10:54:13
2024-01-23 10:54:13,471 fail2ban.filter         [29045]: INFO    [sshd] Found 130.61.35.0 - 2024-01-23 10:54:13
2024-01-23 10:54:13,917 fail2ban.actions        [29045]: WARNING [sshd] 130.61.35.0 already banned
2024-01-23 10:54:15,077 fail2ban.filter         [29045]: INFO    [sshd] Found 130.61.35.0 - 2024-01-23 10:54:14
2024-01-23 10:54:15,079 fail2ban.filter         [29045]: INFO    [sshd] Found 159.89.94.43 - 2024-01-23 10:54:15
2024-01-23 10:54:16,685 fail2ban.filter         [29045]: INFO    [sshd] Found 206.189.229.70 - 2024-01-23 10:54:16
2024-01-23 10:54:16,686 fail2ban.filter         [29045]: INFO    [sshd] Found 206.189.229.70 - 2024-01-23 10:54:16
2024-01-23 10:54:16,687 fail2ban.filter         [29045]: INFO    [sshd] Found 159.89.94.43 - 2024-01-23 10:54:16
2024-01-23 10:54:17,123 fail2ban.actions        [29045]: WARNING [sshd] 206.189.229.70 already banned
2024-01-23 10:54:17,123 fail2ban.actions        [29045]: WARNING [sshd] 159.89.94.43 already banned
2024-01-23 10:54:18,764 fail2ban.filter         [29045]: INFO    [sshd] Found 206.189.229.70 - 2024-01-23 10:54:18
2024-01-23 10:54:18,765 fail2ban.filter         [29045]: INFO    [sshd] Found 103.86.180.10 - 2024-01-23 10:54:18
2024-01-23 10:54:18,766 fail2ban.filter         [29045]: INFO    [sshd] Found 103.86.180.10 - 2024-01-23 10:54:18
2024-01-23 10:54:19,127 fail2ban.actions        [29045]: WARNING [sshd] 103.86.180.10 already banned
2024-01-23 10:54:20,658 fail2ban.filter         [29045]: INFO    [sshd] Found 103.86.180.10 - 2024-01-23 10:54:20
2024-01-23 10:54:24,981 fail2ban.filter         [29045]: INFO    [sshd] Found 34.84.82.194 - 2024-01-23 10:54:24
2024-01-23 10:54:24,983 fail2ban.filter         [29045]: INFO    [sshd] Found 34.84.82.194 - 2024-01-23 10:54:24
2024-01-23 10:54:25,136 fail2ban.actions        [29045]: WARNING [sshd] 34.84.82.194 already banned
Jan 23 10:54:06 racknerd-64d010 sshd[11576]: Invalid user wangyongxin from 139.59.92.218 port 33490
Jan 23 10:54:06 racknerd-64d010 sshd[11576]: pam_unix(sshd:auth): check pass; user unknown
Jan 23 10:54:06 racknerd-64d010 sshd[11576]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=139.59.92.218 
Jan 23 10:54:07 racknerd-64d010 sshd[11583]: Invalid user sunaz from 103.226.138.245 port 51052
Jan 23 10:54:07 racknerd-64d010 sshd[11583]: pam_unix(sshd:auth): check pass; user unknown
Jan 23 10:54:07 racknerd-64d010 sshd[11583]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.226.138.245 
Jan 23 10:54:08 racknerd-64d010 sshd[11576]: Failed password for invalid user wangyongxin from 139.59.92.218 port 33490 ssh2
Jan 23 10:54:08 racknerd-64d010 sshd[11583]: Failed password for invalid user sunaz from 103.226.138.245 port 51052 ssh2
Jan 23 10:54:08 racknerd-64d010 sshd[11576]: Received disconnect from 139.59.92.218 port 33490:11: Bye Bye [preauth]
Jan 23 10:54:08 racknerd-64d010 sshd[11576]: Disconnected from invalid user wangyongxin 139.59.92.218 port 33490 [preauth]
Jan 23 10:54:08 racknerd-64d010 sshd[11583]: Received disconnect from 103.226.138.245 port 51052:11: Bye Bye [preauth]
Jan 23 10:54:08 racknerd-64d010 sshd[11583]: Disconnected from invalid user sunaz 103.226.138.245 port 51052 [preauth]
Jan 23 10:54:13 racknerd-64d010 sshd[11586]: Invalid user tosi from 130.61.35.0 port 57576
Jan 23 10:54:13 racknerd-64d010 sshd[11586]: pam_unix(sshd:auth): check pass; user unknown
Jan 23 10:54:13 racknerd-64d010 sshd[11586]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=130.61.35.0 
Jan 23 10:54:14 racknerd-64d010 sshd[11586]: Failed password for invalid user tosi from 130.61.35.0 port 57576 ssh2
Jan 23 10:54:14 racknerd-64d010 sshd[11586]: Received disconnect from 130.61.35.0 port 57576:11: Bye Bye [preauth]
Jan 23 10:54:14 racknerd-64d010 sshd[11586]: Disconnected from invalid user tosi 130.61.35.0 port 57576 [preauth]
Jan 23 10:54:15 racknerd-64d010 sshd[11588]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=159.89.94.43  user=root
Jan 23 10:54:16 racknerd-64d010 sshd[11590]: Invalid user es_user from 206.189.229.70 port 37586
Jan 23 10:54:16 racknerd-64d010 sshd[11590]: pam_unix(sshd:auth): check pass; user unknown
Jan 23 10:54:16 racknerd-64d010 sshd[11590]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=206.189.229.70 
Jan 23 10:54:16 racknerd-64d010 sshd[11588]: Failed password for root from 159.89.94.43 port 60092 ssh2
Jan 23 10:54:17 racknerd-64d010 sshd[11588]: Received disconnect from 159.89.94.43 port 60092:11: Bye Bye [preauth]
Jan 23 10:54:17 racknerd-64d010 sshd[11588]: Disconnected from authenticating user root 159.89.94.43 port 60092 [preauth]
Jan 23 10:54:18 racknerd-64d010 sshd[11590]: Failed password for invalid user es_user from 206.189.229.70 port 37586 ssh2
Jan 23 10:54:18 racknerd-64d010 sshd[11592]: Invalid user mrmomeni from 103.86.180.10 port 37374
Jan 23 10:54:18 racknerd-64d010 sshd[11592]: pam_unix(sshd:auth): check pass; user unknown
Jan 23 10:54:18 racknerd-64d010 sshd[11592]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.86.180.10 
Jan 23 10:54:20 racknerd-64d010 sshd[11590]: Received disconnect from 206.189.229.70 port 37586:11: Bye Bye [preauth]
Jan 23 10:54:20 racknerd-64d010 sshd[11590]: Disconnected from invalid user es_user 206.189.229.70 port 37586 [preauth]
Jan 23 10:54:20 racknerd-64d010 sshd[11592]: Failed password for invalid user mrmomeni from 103.86.180.10 port 37374 ssh2
Jan 23 10:54:22 racknerd-64d010 sshd[11592]: Received disconnect from 103.86.180.10 port 37374:11: Bye Bye [preauth]
Jan 23 10:54:22 racknerd-64d010 sshd[11592]: Disconnected from invalid user mrmomeni 103.86.180.10 port 37374 [preauth]
Jan 23 10:54:24 racknerd-64d010 sshd[11594]: Invalid user fan1 from 34.84.82.194 port 53972
Jan 23 10:54:24 racknerd-64d010 sshd[11594]: pam_unix(sshd:auth): check pass; user unknown
Jan 23 10:54:24 racknerd-64d010 sshd[11594]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=34.84.82.194 
Jan 23 10:54:27 racknerd-64d010 sshd[11594]: Failed password for invalid user fan1 from 34.84.82.194 port 53972 ssh2
Jan 23 10:54:27 racknerd-64d010 sshd[11594]: Received disconnect from 34.84.82.194 port 53972:11: Bye Bye [preauth]
Jan 23 10:54:27 racknerd-64d010 sshd[11594]: Disconnected from invalid user fan1 34.84.82.194 port 53972 [preauth]
Jan 23 10:54:36 racknerd-64d010 sshd[11597]: Invalid user ckr from 43.135.163.185 port 48842
Jan 23 10:54:36 racknerd-64d010 sshd[11597]: pam_unix(sshd:auth): check pass; user unknown
Jan 23 10:54:36 racknerd-64d010 sshd[11597]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.135.163.185 
Jan 23 10:54:38 racknerd-64d010 sshd[11597]: Failed password for invalid user ckr from 43.135.163.185 port 48842 ssh2
Jan 23 10:54:39 racknerd-64d010 sshd[11597]: Received disconnect from 43.135.163.185 port 48842:11: Bye Bye [preauth]
Jan 23 10:54:39 racknerd-64d010 sshd[11597]: Disconnected from invalid user ckr 43.135.163.185 port 48842 [preauth]
Jan 23 10:54:44 racknerd-64d010 sshd[11599]: Invalid user scuser from 43.134.92.252 port 49834
Jan 23 10:54:44 racknerd-64d010 sshd[11599]: pam_unix(sshd:auth): check pass; user unknown
Jan 23 10:54:44 racknerd-64d010 sshd[11599]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.134.92.252 
Jan 23 10:54:46 racknerd-64d010 sshd[11599]: Failed password for invalid user scuser from 43.134.92.252 port 49834 ssh2
Jan 23 10:54:47 racknerd-64d010 sshd[11601]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=201.184.50.251  user=root
Jan 23 10:54:48 racknerd-64d010 sshd[11599]: Received disconnect from 43.134.92.252 port 49834:11: Bye Bye [preauth]
Jan 23 10:54:48 racknerd-64d010 sshd[11599]: Disconnected from invalid user scuser 43.134.92.252 port 49834 [preauth]
Jan 23 10:54:49 racknerd-64d010 sshd[11601]: Failed password for root from 201.184.50.251 port 39546 ssh2
Jan 23 10:54:51 racknerd-64d010 sshd[11601]: Received disconnect from 201.184.50.251 port 39546:11: Bye Bye [preauth]
Jan 23 10:54:51 racknerd-64d010 sshd[11601]: Disconnected from authenticating user root 201.184.50.251 port 39546 [preauth]

Netid   State    Recv-Q   Send-Q     Local Address:Port      Peer Address:Port
tcp     LISTEN   0        5              127.0.0.1:61209          0.0.0.0:*     
tcp     LISTEN   0        128              0.0.0.0:63xxx          0.0.0.0:*     
tcp     LISTEN   0        128              0.0.0.0:8888           0.0.0.0:*     
tcp     LISTEN   0        128                 [::]:63xxx             [::]:*     
tcp     LISTEN   0        128                 [::]:8888              [::]:*     

[INCLUDES]

#before = paths-distro.conf
before = paths-debian.conf

# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.

[DEFAULT]

#
# MISCELLANEOUS OPTIONS
#

# "ignorself" specifies whether the local resp. own IP addresses should be ignored
# (default is true). Fail2ban will not ban a host which matches such addresses.
#ignorself = true

# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
# will not ban a host which matches an address in this list. Several addresses
# can be defined using space (and/or comma) separator.
ignoreip = 127.0.0.1/8 ::1 xxx.yyy.zzz.xxx

# External command that will take an tagged arguments to ignore, e.g. <ip>,
# and return true if the IP is to be ignored. False otherwise.
#
# ignorecommand = /path/to/command <ip>
ignorecommand =

# "bantime" is the number of seconds that a host is banned.
bantime  = 9000000

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 7200

# "maxretry" is the number of failures before a host get banned.
maxretry = 2
#
# JAILS
#

#
# SSH servers
#

[sshd]

# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
#mode   = normal
enabled = true
port    = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
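An added check (my own example, not from the question or from fail2ban) that turns the "already banned but sshd still logs failures" observation into something measurable: it correlates the two logs above by sshd PID, so failures from a connection that was already open when the ban fired are not mistaken for a leak, and only connections that start after the ban time are reported. The NOTICE "Ban" line and the 10:55:01 auth line in the sample are constructed; the other sample lines are copied from the logs above, and the year (2024) is assumed because syslog timestamps carry none.

```python
import re
from datetime import datetime

# Sample input: lines copied from the question's logs, plus two CONSTRUCTED lines
# (the NOTICE "Ban" line and the 10:55:01 sshd line) so both outcomes appear.
FAIL2BAN_LOG = """\
2024-01-23 10:50:00,000 fail2ban.actions        [29045]: NOTICE  [sshd] Ban 103.226.138.245
2024-01-23 10:54:07,171 fail2ban.filter         [29045]: INFO    [sshd] Found 103.226.138.245 - 2024-01-23 10:54:07
2024-01-23 10:54:07,907 fail2ban.actions        [29045]: WARNING [sshd] 103.226.138.245 already banned
2024-01-23 10:54:13,917 fail2ban.actions        [29045]: WARNING [sshd] 130.61.35.0 already banned
"""
AUTH_LOG = """\
Jan 23 10:54:07 racknerd-64d010 sshd[11583]: Invalid user sunaz from 103.226.138.245 port 51052
Jan 23 10:54:08 racknerd-64d010 sshd[11583]: Failed password for invalid user sunaz from 103.226.138.245 port 51052 ssh2
Jan 23 10:54:13 racknerd-64d010 sshd[11586]: Invalid user tosi from 130.61.35.0 port 57576
Jan 23 10:54:14 racknerd-64d010 sshd[11586]: Failed password for invalid user tosi from 130.61.35.0 port 57576 ssh2
Jan 23 10:54:24 racknerd-64d010 sshd[11594]: Invalid user fan1 from 34.84.82.194 port 53972
Jan 23 10:55:01 racknerd-64d010 sshd[11620]: Invalid user test from 130.61.35.0 port 40000
"""

BAN_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ fail2ban\.actions\s+\[\d+\]: "
    r"(?:NOTICE\s+\[\w+\] Ban (\S+)|WARNING\s+\[\w+\] (\S+) already banned)$")
AUTH_RE = re.compile(
    r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[(\d+)\]: .*?(?:from |rhost=)(\d{1,3}(?:\.\d{1,3}){3})")


def ban_times(fail2ban_text):
    """Earliest known ban time per IP. A NOTICE 'Ban' line gives the actual time;
    an 'already banned' WARNING only proves the ban predates that moment."""
    bans = {}
    for line in fail2ban_text.splitlines():
        m = BAN_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            ip = m.group(2) or m.group(3)
            bans[ip] = min(ts, bans.get(ip, ts))
    return bans


def ssh_sessions(auth_text, year):
    """First-seen timestamp and peer IP per sshd PID (sshd forks one PID per connection)."""
    sessions = {}
    for line in auth_text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            sessions.setdefault(int(m.group(2)), (ts, m.group(3)))
    return sessions


def post_ban_sessions(fail2ban_text, auth_text, year=2024):
    """IP -> PIDs of sshd connections that began strictly after that IP was banned.
    Failures from a PID first seen before the ban belong to a connection that was
    already open when the rule was added, so they are not evidence that it leaks."""
    bans = ban_times(fail2ban_text)
    leaks = {}
    for pid, (first_seen, ip) in sorted(ssh_sessions(auth_text, year).items()):
        if ip in bans and first_seen > bans[ip]:
            leaks.setdefault(ip, []).append(pid)
    return leaks
```

On the sample, PID 11586 (first seen in the same second as the 130.61.35.0 warning) is not reported, while PID 11620, a fresh connection almost a minute later, is; an IP that shows up in the result is one where the firewall rule, not just fail2ban's bookkeeping, should be inspected.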