Wonder if this is common to all or should I do something about it?

You haven’t answered if any rules are being added to the firewall by fail2ban. You need to figure that out.

I’m not familiar with firewallcmd-rich-rules but it sounds like a reasonable thing to use. Anything that works with firewalld/firewallcmd should be fine. Rich rules allow more specific rules to be added.

Hi Joe

This is what I just saw

All of them end saying input rejected and unreachable.
Is that OK?

I’m not sure what firewall rules to apply. Like I said before, mine say as below:

# the firewalld actions as the default actions.  You can remove this package
# (along with the empty fail2ban meta-package) if you do not use firewalld
[DEFAULT]
banaction = firewallcmd-rich-rules
banaction_allports = firewallcmd-rich-rules

I was looking all over the forum and saw that a member called janderk (Jul 200) used this:

banaction = firewallcmd-ipset[actiontype="<multiport>"]
banaction_allports = firewallcmd-ipset[actiontype="<allports>"]

Should I change mine to that?
Or perhaps you can give me something I can add or replace mine with.

Thanks
Regards
ASM

Yeah, that looks fine. It looks like it’s working fine.

I’m confused by the “already seen”, but I guess maybe it’s stuff that was banned and then unbanned, and they just keep coming back after the ban, presumably to be banned again after a time.

Then again, I’m only seeing ssh. Is that the only service/port you see in the firewall rules?
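A way to do the check Joe keeps asking for above (are fail2ban’s bans really landing in firewalld, and for which port?) is to compare the jail’s own banned list with the reject rich rules firewalld holds. This is an added example, not code from the thread; the two command outputs are constructed samples, and the live command line is only shown in a comment.

```shell
#!/usr/bin/env bash
# Cross-check the IPs fail2ban says it has banned against the rich rules that
# firewalld actually holds. Constructed sample output stands in for the two
# live commands; see the comment at the bottom for the real invocation.

# Constructed sample of `fail2ban-client status sshd` output.
F2B_STATUS='Status for the jail: sshd
|- Filter
|  |- Currently failed: 3
|  `- Total failed:     755
`- Actions
   |- Currently banned: 3
   `- Banned IP list:   203.0.113.7 198.51.100.23 192.0.2.99'

# Constructed sample of `firewall-cmd --list-rich-rules` output; only two of
# the three banned IPs have a reject rule, the third ban never arrived.
FW_RULES='rule family="ipv4" source address="203.0.113.7" port port="ssh" protocol="tcp" reject type="icmp-port-unreachable"
rule family="ipv4" source address="198.51.100.23" port port="ssh" protocol="tcp" reject type="icmp-port-unreachable"
rule family="ipv4" source address="10.0.0.5" service name="http" accept'

# Read fail2ban status on stdin, print the banned IPs one per line.
f2b_banned_ips() {
    sed -n 's/.*Banned IP list:[[:space:]]*//p' | tr ' ' '\n' | sed '/^$/d'
}

# Read rich rules on stdin, print the source address of every reject rule
# (the shape firewallcmd-rich-rules produces for a ban).
fw_rejected_ips() {
    grep 'reject' | sed -n 's/.*source address="\([^"]*\)".*/\1/p'
}

# Print each banned IP that has no reject rule in firewalld. Empty output
# means every ban reached the firewall.
missing_bans() {
    {
        printf '%s\n' "$2" | fw_rejected_ips | sed 's/^/fw /'
        printf '%s\n' "$1" | f2b_banned_ips | sed 's/^/f2b /'
    } | awk '$1 == "fw" { seen[$2] = 1 }
             $1 == "f2b" && !seen[$2] { print $2 }'
}

# Against the constructed samples this reports 192.0.2.99. On a live host:
#   missing_bans "$(fail2ban-client status sshd)" "$(firewall-cmd --list-rich-rules)"
missing_bans "$F2B_STATUS" "$FW_RULES"
```

If the live run prints nothing, every current ban has a matching reject rule; anything it does print is an IP fail2ban believes is banned but firewalld is not enforcing.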

Hi Joe

Yes, they ALL say the same:

port port="ssh" protocol="tcp" reject type="icmp-port-unreachable"

Should I leave things as they are? Or is there anything that would improve things?
Last few days below:

16/8
Last failed login: Fri Aug 16 21:23:50 CEST 2024 from 117.185.38.2 on ssh:notty
There were 755 failed login attempts since the last successful login.
Last login: Wed Aug 14 22:10:40 2024 from 185.238.220.152
----------------------------------------------------------------------------
18/8
Last failed login: Sun Aug 18 16:22:22 CEST 2024 from 175.125.95.234 on ssh:notty
There were 744 failed login attempts since the last successful login.
Last login: Fri Aug 16 22:44:25 2024 from 185.238.220.152
----------------------------------------------------------------------
18/8 CHANGED EVERY PASSWORD TO VERY COMPLEX ONES

Last failed login: Sun Aug 18 17:55:11 CEST 2024 from 212.132.118.198 on ssh:notty
There were 27 failed login attempts since the last successful login.
Last login: Sun Aug 18 16:22:50 2024 from 185.238.220.152
-------------------------------------------------------------------------------
19/8
Last failed login: Mon Aug 19 19:32:35 CEST 2024 from 185.147.125.227 on ssh:notty
There were 334 failed login attempts since the last successful login.
Last login: Sun Aug 18 17:59:53 2024 from 185.238.220.152
----------------------------------------------------------------------

Please let me know
Thanks
ASM

I don’t know what you’re trying to get with the failed logins stuff? Are you asking if it’s normal to have a bunch of failed logins? Absolutely. There’s no way to have a server on the public internet without attackers hitting it hundreds or thousands of times a day.

Oh OK
Maybe I shouldn’t do anything about the failed logins huh?
Then I guess I should not be concerned any more…

Thanks so much Joe and to all that have helped
Regards
ASM

Well, on ssh I always use key login only.


That’s an excellent choice for security. Disabling passwords and requiring a key for logins is about the single best thing you can do for security. (And, multi-factor auth provides some of the same benefits for web-based apps like Webmin. Webmin also has certificate authentication, but it’s pretty tricky and I’m not sure what the browser support looks like these days.)

Absolutely!

Though, when that’s not an option, it’s best to use a highly complex password paired with 2FA for SSH.

Also

  • Most admins: restrict access to SSH to specified IP addresses.
  • For enterprise (or me): don’t allow SSH on the internet; users have to use a VPN to the local network.
  • + the options mentioned above (2FA, SSH keys).

Though, when that’s not an option, it’s best to use a highly complex password paired with 2FA for SSH and fail2ban enabled.

In case that is not obvious to a newbie.

Maybe set up Google Authenticator as 2FA?
