Recently, I found that there were many SSH attacks in the auth.log.
```
$ cat /var/log/auth.log | grep ssh2
...
Jan 1 01:20:49 app sshd: Failed password for root from 126.96.36.199 port 16421 ssh2
Jan 1 01:27:22 app sshd: Failed password for invalid user snort from 188.8.131.52 port 33773 ssh2
Jan 1 01:58:52 app sshd: Failed password for invalid user admin from 184.108.40.206 port 53758 ssh2
Jan 1 01:59:01 app sshd: Failed password for invalid user admin from 220.127.116.11 port 42785 ssh2
Jan 1 02:05:25 app sshd: Failed password for invalid user vmail from 18.104.22.168 port 60876 ssh2
Jan 1 02:08:04 app sshd: Failed password for invalid user test9 from 22.214.171.124 port 55094 ssh2
Jan 1 02:10:52 app sshd: Failed password for invalid user oracle from 126.96.36.199 port 49413 ssh2
```
So I decided to use fail2ban with iptables to block these IP addresses from accessing the server.
Check the current iptables rules
```
$ sudo iptables -nvL
Chain INPUT (policy ACCEPT 1850K packets, 353M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 1786K packets, 571M bytes)
 pkts bytes target     prot opt in     out     source               destination
```
The rules file, in iptables-save format:

```
# Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

# Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allows all outbound traffic
# You could modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

# Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

# Allows SSH connections
# The --dport number is the same as in /etc/ssh/sshd_config
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

# Allows MySQL connections
-A INPUT -p tcp --dport 3306 -j ACCEPT

# Now you should read up on iptables rules and consider whether ssh access
# for everyone is really desired. Most likely you will only allow access from certain IPs.

# Allow ping
# note that blocking other types of icmp packets is considered a bad idea by some
# remove -m icmp --icmp-type 8 from this line to allow all kinds of icmp:
# https://security.stackexchange.com/questions/22711
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
```
The fail2ban settings:

```
### Count failures that occur within a 600 second window
findtime = 600

### Ban after 2 failed password attempts
maxretry = 2

### Ban duration in seconds. 36000000 s is roughly 416 days, not 1 day;
### a 1 day ban would be bantime = 86400
bantime = 36000000

backend = polling
...
# Choose default action. To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
#action = %(action_)s
```
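To see what `findtime` and `maxretry` actually select from the log excerpt above, here is an added example (not part of the original post or of fail2ban) that parses sshd "Failed password" lines and applies fail2ban's per-IP sliding-window count. The sample log is constructed: the seven lines from the post plus three constructed hits from 192.0.2.10 (a documentation address); the year is assumed since syslog stamps carry none.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the sshd "Failed password" lines shown in the auth.log excerpt above.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd(?:\[\d+\])?: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2"
)

# Constructed sample: the post's seven lines plus three constructed hits from 192.0.2.10.
SAMPLE_LOG = """\
Jan 1 01:20:49 app sshd: Failed password for root from 126.96.36.199 port 16421 ssh2
Jan 1 01:27:22 app sshd: Failed password for invalid user snort from 188.8.131.52 port 33773 ssh2
Jan 1 01:58:52 app sshd: Failed password for invalid user admin from 184.108.40.206 port 53758 ssh2
Jan 1 01:59:01 app sshd: Failed password for invalid user admin from 220.127.116.11 port 42785 ssh2
Jan 1 02:05:25 app sshd: Failed password for invalid user vmail from 18.104.22.168 port 60876 ssh2
Jan 1 02:08:04 app sshd: Failed password for invalid user test9 from 22.214.171.124 port 55094 ssh2
Jan 1 02:10:52 app sshd: Failed password for invalid user oracle from 126.96.36.199 port 49413 ssh2
Jan 1 02:12:00 app sshd: Failed password for invalid user admin from 192.0.2.10 port 40001 ssh2
Jan 1 02:12:03 app sshd: Failed password for invalid user admin from 192.0.2.10 port 40002 ssh2
Jan 1 02:12:07 app sshd: Failed password for root from 192.0.2.10 port 40003 ssh2
"""

def parse_failures(log_text, year=2020):
    """Return [(epoch_seconds, ip)] for each failure line. Syslog stamps carry
    no year, so one is assumed; only differences between stamps matter here."""
    failures = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            failures.append((ts.timestamp(), m["ip"]))
    return failures

def ips_to_ban(failures, findtime=600, maxretry=2):
    """Per-IP sliding window like fail2ban's counter: an IP is banned once it
    has maxretry failures no more than findtime seconds apart."""
    recent = defaultdict(list)
    banned = []
    for t, ip in sorted(failures):
        recent[ip] = [h for h in recent[ip] if t - h <= findtime] + [t]
        if len(recent[ip]) >= maxretry and ip not in banned:
            banned.append(ip)
    return banned

if __name__ == "__main__":
    fails = parse_failures(SAMPLE_LOG)
    print("findtime=600 :", ips_to_ban(fails))                 # only 192.0.2.10
    print("findtime=3600:", ips_to_ban(fails, findtime=3600))  # 126.96.36.199 too
```

Note that with the post's own settings none of the seven original lines trigger a ban: 126.96.36.199 fails twice, but 50 minutes apart, so the window has to be widened to 3600 seconds before it is caught.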