Fail2ban for the uninitiated.

Examining log files in detail.

Let's look at your ssh log file as an example. Each time someone tries to access your server over ssh they have to enter a user name and password combination to gain access. When they hit enter the server tries to authenticate the information provided, and whether or not the attempt is successful a log entry is written. If the attempt is by a hacker, what you will see in the logs is something like the log entries listed below.

May 27 09:58:16 yourserver sshd[11785]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=210.51.52.132 user=root
May 27 09:58:18 yourserver sshd[11785]: Failed password for root from 210.51.52.132 port 52191 ssh2
May 27 09:58:21 yourserver sshd[11787]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=210.51.52.132 user=root
May 27 09:58:23 yourserver sshd[11787]: Failed password for root from 210.51.52.132 port 52596 ssh2
May 27 09:58:26 yourserver sshd[11790]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=210.51.52.132 user=root
May 27 09:58:27 yourserver sshd[11790]: Failed password for root from 210.51.52.132 port 52824 ssh2
May 27 09:58:30 yourserver sshd[11792]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=210.51.52.132 user=root
May 27 09:58:32 yourserver sshd[11792]: Failed password for root from 210.51.52.132 port 53029 ssh2

Above you can see 4 separate hack attempts. Each attempt starts with the date, your server name and the program writing to the log, in this case sshd: “May 27 09:58:16 yourserver sshd”. Not all logs follow this pattern exactly, but most are very similar. In the case of ssh there are two lines per attempt, and each line begins with the date.

The real clues that this section of the log is reporting a hack attempt are the phrases “authentication failure” and “Failed password for root”. Most importantly, sshd reports the IP address “210.51.52.132”, which is where the hack attempt is coming from. In other words the IP address is the number assigned to the hacker's internet connection. With that information in hand, fail2ban can tell the Iptables or Shorewall firewall to block that IP address from accessing, or even connecting to, your server for a period of time.
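To make the matching concrete, here is a small added example (not fail2ban's own code, and not from this post) that does what a fail2ban filter and jail do with the entries above: it matches the "Failed password" phrase, captures the source IP, and reports hosts that fail `maxretry` times within a `findtime` window. The log lines are constructed for the example, with a second, well-behaved host added for contrast; only the "Failed password" line of each two-line attempt is counted so an attempt is not counted twice.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the same format as the sshd entries shown above.
SAMPLE_LOG = """\
May 27 09:58:16 yourserver sshd[11785]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=210.51.52.132 user=root
May 27 09:58:18 yourserver sshd[11785]: Failed password for root from 210.51.52.132 port 52191 ssh2
May 27 09:58:23 yourserver sshd[11787]: Failed password for root from 210.51.52.132 port 52596 ssh2
May 27 09:58:27 yourserver sshd[11790]: Failed password for root from 210.51.52.132 port 52824 ssh2
May 27 09:58:32 yourserver sshd[11792]: Failed password for root from 210.51.52.132 port 53029 ssh2
May 27 10:15:02 yourserver sshd[11801]: Failed password for alice from 198.51.100.7 port 40210 ssh2
May 27 10:15:05 yourserver sshd[11803]: Accepted password for alice from 198.51.100.7 port 40211 ssh2
"""

# Syslog timestamp prefix, then the failure phrase; the source IP is captured
# as <host>, the same role fail2ban's <HOST> tag plays in its filter regexes.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from "
    r"(?P<host>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


def parse_failures(log_text):
    """Yield (timestamp, host) for each counted failure line; other lines are ignored."""
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            # syslog lines carry no year; strptime defaults to 1900, which is
            # fine because only differences between timestamps are used.
            yield datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"), m.group("host")


def hosts_to_ban(log_text, maxretry=3, findtime=timedelta(minutes=10)):
    """Return hosts with at least `maxretry` failures inside any `findtime` window."""
    recent = defaultdict(deque)   # host -> timestamps of its recent failures
    banned = []
    for ts, host in parse_failures(log_text):
        window = recent[host]
        window.append(ts)
        while ts - window[0] > findtime:   # forget failures older than findtime
            window.popleft()
        if len(window) >= maxretry and host not in banned:
            banned.append(host)
    return banned


if __name__ == "__main__":
    print(hosts_to_ban(SAMPLE_LOG))  # ['210.51.52.132']
```

The single failure from 198.51.100.7 never reaches the threshold, which is exactly why `maxretry` and `findtime` exist: a mistyped password should not get a legitimate user banned.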

Banning these IP addresses will reduce the amount of traffic to your website. However, just like the unruly school students in the example above, you really don't want these visitors, because their sole purpose is to do harm to your site or server.

About 

Allan has a lifetime background in sales and more than thirty years' experience in programming and server configuration, which makes Allan extremely well equipped to understand your needs for any application or web site. Contact Allan to develop an application or web site for your business or for you personally.
