iptables, audit.log & Brute force detection
Hi,
On my server I have iptables set up so ssh (on port 22) only allows connections from a limited set of IPs (tested such that when I comment out my IP I can't connect). However, I notice in audit.log thousands of messages like:
type=USER_AUTH msg=audit(1415905373.817:1993316): user pid=28071 uid=0 auid=0 ses=29944 msg='op=PAM:authentication acct="root" exe="/usr/sbin/sshd" hostname=192.126.120.93 addr=192.126.120.93 terminal=ssh res=failed'
and in the messages log hundreds of:
Nov 13 08:30:02 host PAM-hulk[22289]: Brute force detection active: 580 LOGIN DENIED -- TOO MANY FAILURES -- IP TEMP BANNED
Also, aureport reports:
Number of logins: 6
Number of failed logins: 6835
Number of authentications: 12
Number of failed authentications: 41589
Does anyone have any ideas on why these invalid attempts are not being blocked by iptables?
Thanks for any insight.
Jeff Paetkau
On my server I have iptables setup so ssh (on port 22) only allows connections from a limited set of IP's
Change the port number to something else. You should find the docs useful, I think: How to Secure SSH - cPanel Documentation
Hi, thanks. Those are both good suggestions. However, they don't really answer my question, which is: why am I seeing these messages at all if iptables is blocking port 22? Jeff
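The `addr=` field in a USER_AUTH record is the peer sshd accepted the TCP connection from, so every one of those failed records is a packet that passed the INPUT chain. A common reason is rule order: a blanket `-p tcp --dport 22 -j ACCEPT` (or the chain's ACCEPT policy) sits above the per-source rules, so the DROP at the end never fires. The script below is an added example, not code from the thread or from cPanel: it counts failed sshd authentications per source in audit.log, lists the sources no allowlist entry covers, and then walks `iptables -S INPUT` output the way the kernel would for a fresh SYN to port 22 to show which rule lets each of them in. The allowlist (203.0.113.0/24), the two rule sets and all audit records except the first (which copies the one in the post) are constructed for illustration; the rule matcher is deliberately simplified and honours only `-s`, `-p`, `--dport`, `--state`, `-i` and `-j`.

```python
"""Added example (not from the thread): correlate failed sshd logins in
audit.log with the iptables INPUT chain to find which rule admits them."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample: line 1 copies the post's record, the rest are made up.
SAMPLE_AUDIT = """\
type=USER_AUTH msg=audit(1415905373.817:1993316): user pid=28071 uid=0 auid=0 ses=29944 msg='op=PAM:authentication acct="root" exe="/usr/sbin/sshd" hostname=192.126.120.93 addr=192.126.120.93 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1415905374.102:1993317): user pid=28071 uid=0 auid=0 ses=29944 msg='op=PAM:authentication acct="root" exe="/usr/sbin/sshd" hostname=192.126.120.93 addr=192.126.120.93 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1415905380.555:1993320): user pid=28090 uid=0 auid=0 ses=29950 msg='op=PAM:authentication acct="jeff" exe="/usr/sbin/sshd" hostname=203.0.113.10 addr=203.0.113.10 terminal=ssh res=success'
type=USER_AUTH msg=audit(1415905390.001:1993325): user pid=28101 uid=0 auid=0 ses=29955 msg='op=PAM:authentication acct="admin" exe="/usr/sbin/sshd" hostname=198.51.100.7 addr=198.51.100.7 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1415905391.001:1993326): user pid=28105 uid=0 auid=0 ses=29956 msg='op=PAM:authentication acct="root" exe="/usr/bin/login" hostname=? addr=? terminal=tty1 res=failed'
"""

# Hypothetical allowlist: the networks meant to be permitted on port 22.
ALLOWED_NETS = [ip_network("203.0.113.0/24")]

# Constructed `iptables -S INPUT`: the blanket port-22 ACCEPT on line 3
# shadows both the per-source ACCEPT and the final DROP.
BROKEN_RULES = """\
-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 203.0.113.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP
"""

# Same chain with the blanket ACCEPT removed: allowlist first, then DROP.
FIXED_RULES = """\
-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 203.0.113.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP
"""

_FIELD = {
    "exe": re.compile(r'exe="([^"]*)"'),
    "acct": re.compile(r'acct="([^"]*)"'),
    "addr": re.compile(r"\baddr=(\S+)"),
    "res": re.compile(r"\bres=(\w+)"),
}


def parse_user_auth(line):
    """Return exe/acct/addr/res from one USER_AUTH record, or None."""
    if not line.startswith("type=USER_AUTH "):
        return None
    rec = {}
    for name, rx in _FIELD.items():
        m = rx.search(line)
        if not m:
            return None
        rec[name] = m.group(1)
    return rec


def failed_ssh_by_addr(audit_text):
    """Count failed sshd authentications per peer IP (local ttys log addr=?)."""
    counts = Counter()
    for line in audit_text.splitlines():
        rec = parse_user_auth(line)
        if rec and rec["exe"].endswith("/sshd") and rec["res"] == "failed":
            try:
                ip_address(rec["addr"])
            except ValueError:
                continue
            counts[rec["addr"]] += 1
    return counts


def not_allowed(addrs, allowed_nets):
    """Addresses that reached sshd although no allowlist network covers them."""
    return sorted(a for a in addrs
                  if not any(ip_address(a) in n for n in allowed_nets))


def first_matching_rule(rules_text, src, dport=22):
    """Walk `iptables -S INPUT` output for a new TCP packet from src to dport.
    Returns (line_index, rule, target); falls back to the chain policy.
    Simplified matcher: a fresh SYN is NEW, so RELATED,ESTABLISHED-only
    rules are skipped, as are rules bound to the loopback interface."""
    policy = None
    for idx, rule in enumerate(rules_text.splitlines()):
        tok = rule.split()
        if tok[:2] == ["-P", "INPUT"]:
            policy = tok[2]
            continue
        if tok[:2] != ["-A", "INPUT"]:
            continue
        opts = {t: tok[i + 1] for i, t in enumerate(tok)
                if t in ("-s", "-p", "--dport", "-j", "--state", "-i")}
        if "--state" in opts and "NEW" not in opts["--state"].split(","):
            continue
        if opts.get("-i") == "lo":
            continue
        if "-s" in opts and ip_address(src) not in ip_network(opts["-s"], strict=False):
            continue
        if "-p" in opts and opts["-p"] != "tcp":
            continue
        if "--dport" in opts and int(opts["--dport"]) != dport:
            continue
        return idx, rule, opts.get("-j", policy)
    return None, "(chain policy)", policy


def report(audit_text=SAMPLE_AUDIT, rules_text=BROKEN_RULES, allowed=ALLOWED_NETS):
    """Failed counts, unexpected sources, and the rule that admits each one."""
    counts = failed_ssh_by_addr(audit_text)
    leaks = not_allowed(counts, allowed)
    return {"failed": dict(counts), "unexpected": leaks,
            "first_rule": {a: first_matching_rule(rules_text, a) for a in leaks}}


if __name__ == "__main__":
    r = report()
    for a in r["unexpected"]:
        idx, rule, target = r["first_rule"][a]
        print(f"{a}: {r['failed'][a]} failed sshd logins; first match is rule "
              f"#{idx} -> {target}: {rule}")
```

Run against real data with `ausearch -m USER_AUTH --raw` piped into `failed_ssh_by_addr` and `iptables -S INPUT` into `first_matching_rule`. If an address shows up as "unexpected" and the first matching rule is an ACCEPT other than the per-source one (or the chain policy), the rule set, not sshd, is what needs fixing; with the corrected ordering the same address lands on the DROP.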