
Help with reading logs and understanding an intrusion attempt


janus57
08/03/2015, 12h37
Hello,

I don't see the username, so I imagine it's a key-based login attempt.
Is it looking for a weak key in order to obtain a private key?
Not necessarily; this kind of log makes me think of monitoring tools that check whether SSH is still listening and close the connection before the authentication process has started.
Here, since it isn't a monitoring IP, it may quite simply be a mini DoS (some online sites can generate this kind of log if you test your SSH with them).

Otherwise you'd have to test with a fail2ban rule along the lines of:
Code:
^%(__prefix_line)s. \[preauth\]\s*$
(I have no idea whether it works and/or is correct....)
Disregard this rule!

EDIT:
Here are a few rules that should help:
Code:
^%(__prefix_line)sReceived disconnect from <HOST>: 11: Bye Bye\s*$
^%(__prefix_line)sReceived disconnect from <HOST>: .* \[preauth\]\s*$
^%(__prefix_line)sConnection closed by <HOST> \[preauth\]\s*$
Regards, janus57
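To see what the three rules above actually catch, here is an added Python check in the spirit of fail2ban-regex (my example, not fail2ban's code or janus57's). The pattern standing in for %(__prefix_line)s and the IPv4-only <HOST> are assumptions, and the sample lines are constructed from the excerpts in this thread.

```python
import re
from collections import Counter

# Assumed stand-in for fail2ban's %(__prefix_line)s: syslog date, hostname,
# then "sshd[pid]: ". fail2ban's real prefix is more permissive than this.
PREFIX_LINE = r"\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \S+ sshd\[\d+\]: "
# fail2ban's <HOST> tag, narrowed to IPv4 for this example.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The three failregex lines suggested in the post, with <HOST> where fail2ban expects it.
FAILREGEX = [
    r"^%(__prefix_line)sReceived disconnect from <HOST>: 11: Bye Bye\s*$",
    r"^%(__prefix_line)sReceived disconnect from <HOST>: .* \[preauth\]\s*$",
    r"^%(__prefix_line)sConnection closed by <HOST> \[preauth\]\s*$",
]

# Constructed sample: two sshd lines copied from the excerpts in this thread,
# plus a version-banner line and a CRON line that must NOT match.
SAMPLE_LINES = [
    "Mar  8 08:00:34 ksxxxxxxx sshd[5099]: SSH: Server;Ltype: Version;Remote: 178.19.96.134-54093;Protocol: 2.0;Client: libssh-0.2",
    "Mar  8 08:00:34 ksxxxxxxx sshd[5099]: Connection closed by 178.19.96.134 [preauth]",
    "Jan 28 18:15:29 tbr sshd[2113]: Received disconnect from 62.210.177.88: 11: Bye Bye [preauth]",
    "Jan 28 18:16:01 tbr CRON[2115]: pam_unix(cron:session): session opened for user root by (uid=0)",
]


def compile_failregex(pattern):
    """Expand the fail2ban placeholders into a real Python regex."""
    expanded = pattern.replace("%(__prefix_line)s", PREFIX_LINE).replace("<HOST>", HOST)
    return re.compile(expanded)


COMPILED = [compile_failregex(p) for p in FAILREGEX]


def match_line(line, compiled=COMPILED):
    """Return (host, index of the first failregex that matched), or None if no rule fires."""
    for idx, rx in enumerate(compiled):
        m = rx.match(line)
        if m:
            return m.group("host"), idx
    return None


def matched_hosts(lines):
    """(host, regex index) for every line the filter catches, in log order."""
    return [hit for hit in (match_line(l) for l in lines) if hit is not None]


def hits_per_host(lines):
    """Failures per host: the number fail2ban compares against maxretry."""
    return Counter(host for host, _ in matched_hosts(lines))


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(match_line(line), "<-", line[:60])
    print(hits_per_host(SAMPLE_LINES))
```

Note that the first rule never fires on the "Bye Bye [preauth]" line because of the trailing tag; only the second one does.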

yves1fix
08/03/2015, 10h32
Hello

Allow me to piggyback on this with a slow SSH attack (1 attempt every 50 seconds)
that goes undetected because the words "Failed" or "Invalid" never appear:

Code:
Mar  8 08:00:34 ksxxxxxxx sshd[5099]: SSH: Server;Ltype: Version;Remote: 178.19.96.134-54093;Protocol: 2.0;Client: libssh-0.2
Mar  8 08:00:34 ksxxxxxxx sshd[5099]: Connection closed by 178.19.96.134 [preauth]
Mar  8 08:01:24 ksxxxxxxx sshd[5187]: SSH: Server;Ltype: Version;Remote: 178.19.96.134-37961;Protocol: 2.0;Client: libssh-0.2
Mar  8 08:01:24 ksxxxxxxx sshd[5187]: Connection closed by 178.19.96.134 [preauth]
Mar  8 08:02:14 ksxxxxxxx sshd[5275]: SSH: Server;Ltype: Version;Remote: 178.19.96.134-49986;Protocol: 2.0;Client: libssh-0.2
Mar  8 08:02:15 ksxxxxxxx sshd[5275]: Connection closed by 178.19.96.134 [preauth]
Mar  8 08:03:05 ksxxxxxxx sshd[5363]: SSH: Server;Ltype: Version;Remote: 178.19.96.134-33783;Protocol: 2.0;Client: libssh-0.2
Mar  8 08:03:05 ksxxxxxxx sshd[5363]: Connection closed by 178.19.96.134 [preauth]
Mar  8 08:03:55 ksxxxxxxx sshd[5366]: SSH: Server;Ltype: Version;Remote: 178.19.96.134-45866;Protocol: 2.0;Client: libssh-0.2
Mar  8 08:03:55 ksxxxxxxx sshd[5366]: Connection closed by 178.19.96.134 [preauth]
Mar  8 08:04:45 ksxxxxxxx sshd[5452]: SSH: Server;Ltype: Version;Remote: 178.19.96.134-57954;Protocol: 2.0;Client: libssh-0.2
Mar  8 08:04:45 ksxxxxxxx sshd[5452]: Connection closed by 178.19.96.134 [preauth]
Mar  8 08:05:35 ksxxxxxxx sshd[5540]: SSH: Server;Ltype: Version;Remote: 178.19.96.134-41771;Protocol: 2.0;Client: libssh-0.2
Mar  8 08:05:35 ksxxxxxxx sshd[5540]: Connection closed by 178.19.96.134 [preauth]
Mar  8 08:06:26 ksxxxxxxx sshd[5589]: SSH: Server;Ltype: Version;Remote: 178.19.96.134-53828;Protocol: 2.0;Client: libssh-0.2
Mar  8 08:06:26 ksxxxxxxx sshd[5589]: Connection closed by 178.19.96.134 [preauth]
Mar  8 08:07:16 ksxxxxxxx sshd[5638]: SSH: Server;Ltype: Version;Remote: 178.19.96.134-37621;Protocol: 2.0;Client: libssh-0.2
Mar  8 08:07:16 ksxxxxxxx sshd[5638]: Connection closed by 178.19.96.134 [preauth]
Mar  8 08:08:06 ksxxxxxxx sshd[5687]: SSH: Server;Ltype: Version;Remote: 178.19.96.134-49612;Protocol: 2.0;Client: libssh-0.2
Mar  8 08:08:06 ksxxxxxxx sshd[5687]: Connection closed by 178.19.96.134 [preauth]
Mar  8 08:08:56 ksxxxxxxx sshd[5689]: SSH: Server;Ltype: Version;Remote: 178.19.96.134-33422;Protocol: 2.0;Client: libssh-0.2
Mar  8 08:08:56 ksxxxxxxx sshd[5689]: Connection closed by 178.19.96.134 [preauth]
Mar  8 08:09:47 ksxxxxxxx sshd[5736]: SSH: Server;Ltype: Version;Remote: 178.19.96.134-45468;Protocol: 2.0;Client: libssh-0.2
Mar  8 08:09:47 ksxxxxxxx sshd[5736]: Connection closed by 178.19.96.134 [preauth]
Mar  8 08:10:38 ksxxxxxxx sshd[5797]: SSH: Server;Ltype: Version;Remote: 178.19.96.134-57574;Protocol: 2.0;Client: libssh-0.2
Mar  8 08:10:38 ksxxxxxxx sshd[5797]: Connection closed by 178.19.96.134 [preauth]
Mar  8 08:11:28 ksxxxxxxx sshd[5846]: SSH: Server;Ltype: Version;Remote: 178.19.96.134-41408;Protocol: 2.0;Client: libssh-0.2
Mar  8 08:11:28 ksxxxxxxx sshd[5846]: Connection closed by 178.19.96.134 [preauth]
Mar  8 08:12:18 ksxxxxxxx sshd[5895]: SSH: Server;Ltype: Version;Remote: 178.19.96.134-53432;Protocol: 2.0;Client: libssh-0.2
Mar  8 08:12:18 ksxxxxxxx sshd[5895]: Connection closed by 178.19.96.134 [preauth]
Mar  8 08:13:08 ksxxxxxxx sshd[5944]: SSH: Server;Ltype: Version;Remote: 178.19.96.134-37184;Protocol: 2.0;Client: libssh-0.2
Mar  8 08:13:08 ksxxxxxxx sshd[5944]: Connection closed by 178.19.96.134 [preauth]
Mar  8 08:13:59 ksxxxxxxx sshd[5946]: SSH: Server;Ltype: Version;Remote: 178.19.96.134-49288;Protocol: 2.0;Client: libssh-0.2
Mar  8 08:13:59 ksxxxxxxx sshd[5946]: Connection closed by 178.19.96.134 [preauth]
Mar  8 08:14:49 ksxxxxxxx sshd[5993]: SSH: Server;Ltype: Version;Remote: 178.19.96.134-33170;Protocol: 2.0;Client: libssh-0.2
Mar  8 08:14:49 ksxxxxxxx sshd[5993]: Connection closed by 178.19.96.134 [preauth]
Mar  8 08:15:39 ksxxxxxxx sshd[6042]: SSH: Server;Ltype: Version;Remote: 178.19.96.134-45227;Protocol: 2.0;Client: libssh-0.2
Mar  8 08:15:40 ksxxxxxxx sshd[6042]: Connection closed by 178.19.96.134 [preauth]
Mar  8 08:16:30 ksxxxxxxx sshd[6091]: SSH: Server;Ltype: Version;Remote: 178.19.96.134-57312;Protocol: 2.0;Client: libssh-0.2
Mar  8 08:16:30 ksxxxxxxx sshd[6091]: Connection closed by 178.19.96.134 [preauth]
Mar  8 08:17:21 ksxxxxxxx sshd[6140]: SSH: Server;Ltype: Version;Remote: 178.19.96.134-41110;Protocol: 2.0;Client: libssh-0.2
Mar  8 08:17:21 ksxxxxxxx sshd[6140]: Connection closed by 178.19.96.134 [preauth]
Mar  8 08:18:11 ksxxxxxxx sshd[6189]: SSH: Server;Ltype: Version;Remote: 178.19.96.134-53128;Protocol: 2.0;Client: libssh-0.2
Mar  8 08:18:11 ksxxxxxxx sshd[6189]: Connection closed by 178.19.96.134 [preauth]
Mar  8 08:19:01 ksxxxxxxx sshd[6191]: SSH: Server;Ltype: Version;Remote: 178.19.96.134-36942;Protocol: 2.0;Client: libssh-0.2
Mar  8 08:19:01 ksxxxxxxx sshd[6191]: Connection closed by 178.19.96.134 [preauth]
Mar  8 08:19:51 ksxxxxxxx sshd[6238]: SSH: Server;Ltype: Version;Remote: 178.19.96.134-48989;Protocol: 2.0;Client: libssh-0.2
Mar  8 08:19:51 ksxxxxxxx sshd[6238]: Connection closed by 178.19.96.134 [preauth]
Mar  8 08:20:41 ksxxxxxxx sshd[6299]: SSH: Server;Ltype: Version;Remote: 178.19.96.134-32931;Protocol: 2.0;Client: libssh-0.2
Mar  8 08:20:41 ksxxxxxxx sshd[6299]: Connection closed by 178.19.96.134 [preauth]
I don't see the username, so I imagine it's a key-based login attempt.
Is it looking for a weak key in order to obtain a private key?

I haven't found an example fail2ban rule to block this type of attack.
Does anyone already have such a rule in place?
(For now I've added a simple DROP in iptables.)

Thanks

foulweather
06/02/2015, 07h26
Thank you both for your explanations and your help.

janus57
05/02/2015, 14h22
Hello,

1 - Should I conclude that 12 passwords were tested on different ports? Then it's "abc", 5 times with the user "Admin", then twice "aaron", then "ab" and "abby", etc.
No, 12 passwords were tested on the SSH port with the user "abc123", which didn't change (at least the public port; the private port is "random").

2 - Why does the number of attempts vary by "user"? And why isn't alphabetical order respected? Does that imply human intervention rather than something programmed?
The intrusion attempt goes on for 3 days up to the letter F with rather poor passwords, apparently from an English-language password dictionary. The process seems rather slow to me.
Simply because the brute-forcing program is slow so as not to trigger a protection that isn't restrictive enough, which seems to be the case here since it wasn't banned.

3 - An nmap easily reveals which port my ssh is on. Why does the attacking program test different ports?
It always tests the same port (see 1-).

The day someone can run SSH on several dozen/hundred ports, you'll have to show me, because not only does it multiply the risk by the number of ports, it's also totally stupid...

4 - Is my fail2ban misconfigured? Shouldn't it have blocked the attacker for an hour after 6 attempts?
My jail.local:
[ssh]
95 enabled = true
96 port = xxxx
97 filter = sshd
98 logpath = /var/log/auth.log
99 maxretry = 6
100 findtime = 3600
What are those 95/96 etc.??

Otherwise, as @BBR said, if the port was changed you have to give it to fail2ban; and "findtime" isn't the ban time but the window searched in the logs, which means someone only has to spam your SSH hard enough to DoS you: the more attempts there are in 1 hour, the more your fail2ban works and the more resources it consumes, until saturation.

I don't have an Apache server, just a seedbox. I'm forced to connect with a password rather than a key because my user can't be at 755 for everything to work.
If there's no Apache, what's the 755 doing here???

By default a user created on the command line, or even the "root" user, allows RSA/DSA keys for SSH login, unless you've randomly fiddled with all the permissions and broken the correct ones in the process.

Regards, janus57
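As an added illustration of the findtime/maxretry distinction janus57 describes here (and of the bantime/maxretry values BBR suggests further down), this Python replay applies the quoted jail.local values to the twelve "123abc" failures from foulweather's log. It is my example, not fail2ban's own accounting; the 10-minute bantime, the year, and the generated pids and ports are assumptions.

```python
import re
from datetime import datetime, timedelta

# Jail values quoted above (maxretry = 6, findtime = 3600). bantime is not set
# there, so fail2ban's 10-minute default is assumed.
MAXRETRY = 6
FINDTIME = 3600
BANTIME = 600

# The only line in the excerpt that the stock sshd filter acts on.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<host>\S+) port \d+ ssh2$"
)

# Constructed sample: the twelve "123abc" failures from the excerpt above,
# regenerated with their real timestamps (pids and source ports made up).
ATTEMPT_TIMES = ["18:15:29", "18:16:57", "18:18:27", "18:19:57", "18:21:27", "18:22:57",
                 "18:24:25", "18:25:56", "18:27:26", "18:28:54", "18:30:24", "18:31:55"]
SAMPLE_LOG = [
    f"Jan 28 {t} tbr sshd[{2113 + i}]: Failed password for invalid user 123abc "
    f"from 62.210.177.88 port {40000 + i} ssh2"
    for i, t in enumerate(ATTEMPT_TIMES)
]


def parse_failures(lines, year=2015):
    """Yield (datetime, host) per matching line; syslog omits the year, so one is assumed."""
    for line in lines:
        m = FAILED.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            yield ts, m.group("host")


def simulate(lines, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """Replay the log the way fail2ban counts: a host is banned once it has
    maxretry failures inside a sliding findtime window; for bantime seconds
    afterwards its lines are ignored (the firewall would be dropping it).
    Returns [(ban_time_iso, host), ...]."""
    recent, banned_until, bans = {}, {}, []
    for ts, host in parse_failures(lines):
        if host in banned_until and ts < banned_until[host]:
            continue
        window = [t for t in recent.get(host, []) if ts - t <= timedelta(seconds=findtime)]
        window.append(ts)
        recent[host] = window
        if len(window) >= maxretry:
            bans.append((ts.isoformat(), host))
            banned_until[host] = ts + timedelta(seconds=bantime)
            recent[host] = []
    return bans


if __name__ == "__main__":
    print("findtime=3600:", simulate(SAMPLE_LOG))              # banned on the 6th failure
    print("findtime=60:  ", simulate(SAMPLE_LOG, findtime=60))  # never banned: window too short
```

With the quoted values the sixth failure at 18:22:57 trips the ban; shrinking findtime below the 90-second interval between attempts means no attempt ever counts alongside a previous one, which is why findtime is a search window and not a ban duration.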

BBR
05/02/2015, 09h04
I don't have an Apache server, just a seedbox. I'm forced to connect with a password rather than a key because my user can't be at 755 for everything to work.
What does that have to do with ssh? Does your seedbox run on the ssh port??

BBR
05/02/2015, 08h59
Hi
It'd be nice to put your miles of logs between CODE tags; it would save having to scroll.
In jail.conf you can increase your bantime and limit the number of attempts, for example by default:
Code:
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1/8 
# add your fixed IP if you have one, separated by a space:  ignoreip = 127.0.0.1/8 your_fixed_ip
# ban of about 15 days by default
bantime  = 1296369 
maxretry = 3
Code:
[ssh]
enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 1
If you changed the ssh port, did you block port 22 in your firewall?
If you're the only one connecting over ssh and, icing on the cake, you have a fixed IP, you allow your ssh only from that IP and drop all the others.

More explanations: http://www.how-to.ovh/viewtopic.php?f=10&t=19

foulweather
05/02/2015, 08h48
Hello,
I experienced a small intrusion attempt. Most often they come from China. The "abuse" departments of Chinese ISPs don't reply, or their mailboxes are full. Last week it was a French IP. I was able to contact Online's abuse department, which replied. Apparently the necessary was done. However, I would like to better understand how an intrusion program works. Incidentally, I'd also like to know why Fail2ban didn't react better. First an extract from auth.log, then my questions.
Jan 28 18:13:02 tbr CRON[1979]: pam_unix(cron:session): session closed for user root
Jan 28 18:14:01 tbr CRON[2027]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 28 18:14:01 tbr CRON[2027]: pam_unix(cron:session): session closed for user root
Jan 28 18:15:01 tbr CRON[2070]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 28 18:15:01 tbr CRON[2070]: pam_unix(cron:session): session closed for user root
Jan 28 18:15:27 tbr sshd[2113]: Invalid user 123abc from 62.210.177.88
Jan 28 18:15:27 tbr sshd[2113]: input_userauth_request: invalid user 123abc [preauth]
Jan 28 18:15:27 tbr sshd[2113]: pam_unix(sshd:auth): check pass; user unknown
Jan 28 18:15:27 tbr sshd[2113]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=62-210-177-88.rev.poneytelecom.eu
Jan 28 18:15:29 tbr sshd[2113]: Failed password for invalid user 123abc from 62.210.177.88 port 43893 ssh2
Jan 28 18:15:29 tbr sshd[2113]: Received disconnect from 62.210.177.88: 11: Bye Bye [preauth]
Jan 28 18:16:01 tbr CRON[2115]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 28 18:16:02 tbr CRON[2115]: pam_unix(cron:session): session closed for user root
Jan 28 18:16:55 tbr sshd[2159]: Invalid user 123abc from 62.210.177.88
Jan 28 18:16:55 tbr sshd[2159]: input_userauth_request: invalid user 123abc [preauth]
Jan 28 18:16:55 tbr sshd[2159]: pam_unix(sshd:auth): check pass; user unknown
Jan 28 18:16:55 tbr sshd[2159]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=62-210-177-88.rev.poneytelecom.eu
Jan 28 18:16:57 tbr sshd[2159]: Failed password for invalid user 123abc from 62.210.177.88 port 36586 ssh2
Jan 28 18:16:57 tbr sshd[2159]: Received disconnect from 62.210.177.88: 11: Bye Bye [preauth]
Jan 28 18:17:01 tbr CRON[2162]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 28 18:17:01 tbr CRON[2161]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 28 18:17:01 tbr CRON[2162]: pam_unix(cron:session): session closed for user root
Jan 28 18:17:01 tbr CRON[2161]: pam_unix(cron:session): session closed for user root
Jan 28 18:18:01 tbr CRON[2207]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 28 18:18:01 tbr CRON[2207]: pam_unix(cron:session): session closed for user root
Jan 28 18:18:25 tbr sshd[2251]: Invalid user 123abc from 62.210.177.88
Jan 28 18:18:25 tbr sshd[2251]: input_userauth_request: invalid user 123abc [preauth]
Jan 28 18:18:25 tbr sshd[2251]: pam_unix(sshd:auth): check pass; user unknown
Jan 28 18:18:25 tbr sshd[2251]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=62-210-177-88.rev.poneytelecom.eu
Jan 28 18:18:27 tbr sshd[2251]: Failed password for invalid user 123abc from 62.210.177.88 port 57485 ssh2
Jan 28 18:18:27 tbr sshd[2251]: Received disconnect from 62.210.177.88: 11: Bye Bye [preauth]
Jan 28 18:19:01 tbr CRON[2253]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 28 18:19:02 tbr CRON[2253]: pam_unix(cron:session): session closed for user root
Jan 28 18:19:55 tbr sshd[2296]: Invalid user 123abc from 62.210.177.88
Jan 28 18:19:55 tbr sshd[2296]: input_userauth_request: invalid user 123abc [preauth]
Jan 28 18:19:55 tbr sshd[2296]: pam_unix(sshd:auth): check pass; user unknown
Jan 28 18:19:55 tbr sshd[2296]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=62-210-177-88.rev.poneytelecom.eu
Jan 28 18:19:57 tbr sshd[2296]: Failed password for invalid user 123abc from 62.210.177.88 port 50212 ssh2
Jan 28 18:19:57 tbr sshd[2296]: Received disconnect from 62.210.177.88: 11: Bye Bye [preauth]
Jan 28 18:20:01 tbr CRON[2298]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 28 18:20:01 tbr CRON[2298]: pam_unix(cron:session): session closed for user root
Jan 28 18:21:01 tbr CRON[2341]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 28 18:21:02 tbr CRON[2341]: pam_unix(cron:session): session closed for user root
Jan 28 18:21:24 tbr sshd[2384]: Invalid user 123abc from 62.210.177.88
Jan 28 18:21:24 tbr sshd[2384]: input_userauth_request: invalid user 123abc [preauth]
Jan 28 18:21:24 tbr sshd[2384]: pam_unix(sshd:auth): check pass; user unknown
Jan 28 18:21:24 tbr sshd[2384]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=62-210-177-88.rev.poneytelecom.eu
Jan 28 18:21:27 tbr sshd[2384]: Failed password for invalid user 123abc from 62.210.177.88 port 42876 ssh2
Jan 28 18:21:27 tbr sshd[2384]: Received disconnect from 62.210.177.88: 11: Bye Bye [preauth]
Jan 28 18:22:01 tbr CRON[2386]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 28 18:22:01 tbr CRON[2386]: pam_unix(cron:session): session closed for user root
Jan 28 18:22:54 tbr sshd[2429]: Invalid user 123abc from 62.210.177.88
Jan 28 18:22:54 tbr sshd[2429]: input_userauth_request: invalid user 123abc [preauth]
Jan 28 18:22:54 tbr sshd[2429]: pam_unix(sshd:auth): check pass; user unknown
Jan 28 18:22:54 tbr sshd[2429]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=62-210-177-88.rev.poneytelecom.eu
Jan 28 18:22:57 tbr sshd[2429]: Failed password for invalid user 123abc from 62.210.177.88 port 35569 ssh2
Jan 28 18:22:57 tbr sshd[2429]: Received disconnect from 62.210.177.88: 11: Bye Bye [preauth]
Jan 28 18:23:01 tbr CRON[2431]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 28 18:23:01 tbr CRON[2431]: pam_unix(cron:session): session closed for user root
Jan 28 18:24:01 tbr CRON[2474]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 28 18:24:02 tbr CRON[2474]: pam_unix(cron:session): session closed for user root
Jan 28 18:24:24 tbr sshd[2517]: Invalid user 123abc from 62.210.177.88
Jan 28 18:24:24 tbr sshd[2517]: input_userauth_request: invalid user 123abc [preauth]
Jan 28 18:24:24 tbr sshd[2517]: pam_unix(sshd:auth): check pass; user unknown
Jan 28 18:24:24 tbr sshd[2517]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=62-210-177-88.rev.poneytelecom.eu
Jan 28 18:24:25 tbr sshd[2517]: Failed password for invalid user 123abc from 62.210.177.88 port 56462 ssh2
Jan 28 18:24:25 tbr sshd[2517]: Received disconnect from 62.210.177.88: 11: Bye Bye [preauth]
Jan 28 18:25:01 tbr CRON[2519]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 28 18:25:01 tbr CRON[2519]: pam_unix(cron:session): session closed for user root
Jan 28 18:25:54 tbr sshd[2562]: Invalid user 123abc from 62.210.177.88
Jan 28 18:25:54 tbr sshd[2562]: input_userauth_request: invalid user 123abc [preauth]
Jan 28 18:25:54 tbr sshd[2562]: pam_unix(sshd:auth): check pass; user unknown
Jan 28 18:25:54 tbr sshd[2562]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=62-210-177-88.rev.poneytelecom.eu
Jan 28 18:25:56 tbr sshd[2562]: Failed password for invalid user 123abc from 62.210.177.88 port 49159 ssh2
Jan 28 18:25:56 tbr sshd[2562]: Received disconnect from 62.210.177.88: 11: Bye Bye [preauth]
Jan 28 18:26:01 tbr CRON[2564]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 28 18:26:01 tbr CRON[2564]: pam_unix(cron:session): session closed for user root
Jan 28 18:27:01 tbr CRON[2607]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 28 18:27:02 tbr CRON[2607]: pam_unix(cron:session): session closed for user root
Jan 28 18:27:23 tbr sshd[2650]: Invalid user 123abc from 62.210.177.88
Jan 28 18:27:23 tbr sshd[2650]: input_userauth_request: invalid user 123abc [preauth]
Jan 28 18:27:23 tbr sshd[2650]: pam_unix(sshd:auth): check pass; user unknown
Jan 28 18:27:23 tbr sshd[2650]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=62-210-177-88.rev.poneytelecom.eu
Jan 28 18:27:26 tbr sshd[2650]: Failed password for invalid user 123abc from 62.210.177.88 port 41818 ssh2
Jan 28 18:27:26 tbr sshd[2650]: Received disconnect from 62.210.177.88: 11: Bye Bye [preauth]
Jan 28 18:28:01 tbr CRON[2652]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 28 18:28:01 tbr CRON[2652]: pam_unix(cron:session): session closed for user root
Jan 28 18:28:53 tbr sshd[2695]: Invalid user 123abc from 62.210.177.88
Jan 28 18:28:53 tbr sshd[2695]: input_userauth_request: invalid user 123abc [preauth]
Jan 28 18:28:53 tbr sshd[2695]: pam_unix(sshd:auth): check pass; user unknown
Jan 28 18:28:53 tbr sshd[2695]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=62-210-177-88.rev.poneytelecom.eu
Jan 28 18:28:54 tbr sshd[2695]: Failed password for invalid user 123abc from 62.210.177.88 port 34539 ssh2
Jan 28 18:28:54 tbr sshd[2695]: Received disconnect from 62.210.177.88: 11: Bye Bye [preauth]
Jan 28 18:29:01 tbr CRON[2697]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 28 18:29:01 tbr CRON[2697]: pam_unix(cron:session): session closed for user root
Jan 28 18:30:01 tbr CRON[2742]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 28 18:30:02 tbr CRON[2742]: pam_unix(cron:session): session closed for user root
Jan 28 18:30:23 tbr sshd[2785]: Invalid user 123abc from 62.210.177.88
Jan 28 18:30:23 tbr sshd[2785]: input_userauth_request: invalid user 123abc [preauth]
Jan 28 18:30:23 tbr sshd[2785]: pam_unix(sshd:auth): check pass; user unknown
Jan 28 18:30:23 tbr sshd[2785]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=62-210-177-88.rev.poneytelecom.eu
Jan 28 18:30:24 tbr sshd[2785]: Failed password for invalid user 123abc from 62.210.177.88 port 55449 ssh2
Jan 28 18:30:24 tbr sshd[2785]: Received disconnect from 62.210.177.88: 11: Bye Bye [preauth]
Jan 28 18:31:01 tbr CRON[2787]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 28 18:31:01 tbr CRON[2787]: pam_unix(cron:session): session closed for user root
Jan 28 18:31:54 tbr sshd[2830]: Invalid user 123abc from 62.210.177.88
Jan 28 18:31:54 tbr sshd[2830]: input_userauth_request: invalid user 123abc [preauth]
Jan 28 18:31:54 tbr sshd[2830]: pam_unix(sshd:auth): check pass; user unknown
Jan 28 18:31:54 tbr sshd[2830]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=62-210-177-88.rev.poneytelecom.eu
Jan 28 18:31:55 tbr sshd[2830]: Failed password for invalid user 123abc from 62.210.177.88 port 48147 ssh2
Jan 28 18:31:55 tbr sshd[2830]: Received disconnect from 62.210.177.88: 11: Bye Bye [preauth]
Jan 28 18:32:01 tbr CRON[2832]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 28 18:32:02 tbr CRON[2832]: pam_unix(cron:session): session closed for user root
Jan 28 18:33:01 tbr CRON[2875]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 28 18:33:01 tbr CRON[2875]: pam_unix(cron:session): session closed for user root
Jan 28 18:33:23 tbr sshd[2918]: Invalid user Admin from 62.210.177.88
Jan 28 18:33:23 tbr sshd[2918]: input_userauth_request: invalid user Admin [preauth]
Jan 28 18:33:23 tbr sshd[2918]: pam_unix(sshd:auth): check pass; user unknown
Jan 28 18:33:23 tbr sshd[2918]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=62-210-177-88.rev.poneytelecom.eu
Jan 28 18:33:26 tbr sshd[2918]: Failed password for invalid user Admin from 62.210.177.88 port 40809 ssh2
Jan 28 18:33:26 tbr sshd[2918]: Received disconnect from 62.210.177.88: 11: Bye Bye [preauth]
Jan 28 18:34:01 tbr CRON[2920]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 28 18:34:01 tbr CRON[2920]: pam_unix(cron:session): session closed for user root
Jan 28 18:34:53 tbr sshd[2963]: Invalid user Admin from 62.210.177.88
Jan 28 18:34:53 tbr sshd[2963]: input_userauth_request: invalid user Admin [preauth]
Jan 28 18:34:53 tbr sshd[2963]: pam_unix(sshd:auth): check pass; user unknown
Jan 28 18:34:53 tbr sshd[2963]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=62-210-177-88.rev.poneytelecom.eu
Jan 28 18:34:55 tbr sshd[2963]: Failed password for invalid user Admin from 62.210.177.88 port 33501 ssh2
Jan 28 18:34:55 tbr sshd[2963]: Received disconnect from 62.210.177.88: 11: Bye Bye [preauth]
Jan 28 18:35:01 tbr CRON[2965]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 28 18:35:02 tbr CRON[2965]: pam_unix(cron:session): session closed for user root
Jan 28 18:36:01 tbr CRON[3008]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 28 18:36:01 tbr CRON[3008]: pam_unix(cron:session): session closed for user root
Jan 28 18:36:23 tbr sshd[3051]: Invalid user Admin from 62.210.177.88
Jan 28 18:36:23 tbr sshd[3051]: input_userauth_request: invalid user Admin [preauth]
Jan 28 18:36:23 tbr sshd[3051]: pam_unix(sshd:auth): check pass; user unknown
Jan 28 18:36:23 tbr sshd[3051]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=62-210-177-88.rev.poneytelecom.eu
Jan 28 18:36:24 tbr sshd[3051]: Failed password for invalid user Admin from 62.210.177.88 port 54394 ssh2
Jan 28 18:36:24 tbr sshd[3051]: Received disconnect from 62.210.177.88: 11: Bye Bye [preauth]
Jan 28 18:37:01 tbr CRON[3053]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 28 18:37:01 tbr CRON[3053]: pam_unix(cron:session): session closed for user root
Jan 28 18:37:53 tbr sshd[3096]: Invalid user Admin from 62.210.177.88
Jan 28 18:37:53 tbr sshd[3096]: input_userauth_request: invalid user Admin [preauth]
Jan 28 18:37:53 tbr sshd[3096]: pam_unix(sshd:auth): check pass; user unknown
Jan 28 18:37:53 tbr sshd[3096]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=62-210-177-88.rev.poneytelecom.eu
Jan 28 18:37:54 tbr sshd[3096]: Failed password for invalid user Admin from 62.210.177.88 port 47085 ssh2
Jan 28 18:37:54 tbr sshd[3096]: Received disconnect from 62.210.177.88: 11: Bye Bye [preauth]
Jan 28 18:38:01 tbr CRON[3098]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 28 18:38:02 tbr CRON[3098]: pam_unix(cron:session): session closed for user root
Jan 28 18:39:01 tbr CRON[3141]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 28 18:39:01 tbr CRON[3141]: pam_unix(cron:session): session closed for user root
Jan 28 18:39:22 tbr sshd[3184]: Invalid user Admin from 62.210.177.88
Jan 28 18:39:22 tbr sshd[3184]: input_userauth_request: invalid user Admin [preauth]
Jan 28 18:39:22 tbr sshd[3184]: pam_unix(sshd:auth): check pass; user unknown
Jan 28 18:39:22 tbr sshd[3184]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=62-210-177-88.rev.poneytelecom.eu
Jan 28 18:39:25 tbr sshd[3184]: Failed password for invalid user Admin from 62.210.177.88 port 39790 ssh2
Jan 28 18:39:25 tbr sshd[3184]: Received disconnect from 62.210.177.88: 11: Bye Bye [preauth]
Jan 28 18:40:01 tbr CRON[3186]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 28 18:40:01 tbr CRON[3186]: pam_unix(cron:session): session closed for user root
Jan 28 18:40:52 tbr sshd[3229]: Invalid user Admin from 62.210.177.88
Jan 28 18:40:52 tbr sshd[3229]: input_userauth_request: invalid user Admin [preauth]
Jan 28 18:40:52 tbr sshd[3229]: pam_unix(sshd:auth): check pass; user unknown
Jan 28 18:40:52 tbr sshd[3229]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=62-210-177-88.rev.poneytelecom.eu
Jan 28 18:40:54 tbr sshd[3229]: Failed password for invalid user Admin from 62.210.177.88 port 60736 ssh2
Jan 28 18:40:55 tbr sshd[3229]: Received disconnect from 62.210.177.88: 11: Bye Bye [preauth]
Jan 28 18:41:01 tbr CRON[3231]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 28 18:41:02 tbr CRON[3231]: pam_unix(cron:session): session closed for user root
Jan 28 18:42:01 tbr CRON[3274]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 28 18:42:01 tbr CRON[3274]: pam_unix(cron:session): session closed for user root
Jan 28 18:42:22 tbr sshd[3319]: Invalid user aaron from 62.210.177.88
Jan 28 18:42:22 tbr sshd[3319]: input_userauth_request: invalid user aaron [preauth]
Jan 28 18:42:22 tbr sshd[3319]: pam_unix(sshd:auth): check pass; user unknown
Jan 28 18:42:22 tbr sshd[3319]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=62-210-177-88.rev.poneytelecom.eu
Jan 28 18:42:24 tbr sshd[3319]: Failed password for invalid user aaron from 62.210.177.88 port 53403 ssh2
Jan 28 18:42:24 tbr sshd[3319]: Received disconnect from 62.210.177.88: 11: Bye Bye [preauth]
Jan 28 18:43:01 tbr CRON[3321]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 28 18:43:02 tbr CRON[3321]: pam_unix(cron:session): session closed for user root
Jan 28 18:43:51 tbr sshd[3364]: Invalid user aaron from 62.210.177.88
Jan 28 18:43:51 tbr sshd[3364]: input_userauth_request: invalid user aaron [preauth]
Jan 28 18:43:51 tbr sshd[3364]: pam_unix(sshd:auth): check pass; user unknown
Jan 28 18:43:51 tbr sshd[3364]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=62-210-177-88.rev.poneytelecom.eu
Jan 28 18:43:53 tbr sshd[3364]: Failed password for invalid user aaron from 62.210.177.88 port 46108 ssh2
What I understand is that under Debian "pam_unix" logs in and out as root once a minute via a CRON schedule. A post taught me that this was "real time monitoring" that tests the integrity of my system (https://www.ovh.com/fr/serveurs_dedies/rtm.xml).
On January 28 at 18:15:27 an invalid user ("123abc") tries to log in 12 times but is disconnected. The ssh2 port changes on each attempt.
1 - Should I conclude that 12 passwords were tested on different ports? Then it's "abc", 5 times with the user "Admin", then twice "aaron", then "ab" and "abby", etc.
2 - Why does the number of attempts vary by "user"? And why isn't alphabetical order respected? Does that imply human intervention rather than something programmed?
The intrusion attempt goes on for 3 days up to the letter F with rather poor passwords, apparently from an English-language password dictionary. The process seems rather slow to me.
3 - An nmap easily reveals which port my ssh is on. Why does the attacking program test different ports?
4 - Is my fail2ban misconfigured? Shouldn't it have blocked the attacker for an hour after 6 attempts?
My jail.local:
[ssh]
95 enabled = true
96 port = xxxx
97 filter = sshd
98 logpath = /var/log/auth.log
99 maxretry = 6
100 findtime = 3600

I don't have an Apache server, just a seedbox. I'm forced to connect with a password rather than a key because my user can't be at 755 for everything to work.