Hi,
On my server I have iptables set up so ssh (on port 22) only allows connections from a limited set of IPs (tested such that when I comment out my IP I can't connect). However, I notice in audit.log thousands of messages like:
type=USER_AUTH msg=audit(1415905373.817:1993316): user pid=28071 uid=0 auid=0 ses=29944 msg='op=PAM:authentication acct="root" exe="/usr/sbin/sshd" hostname=192.126.120.93 addr=192.126.120.93 terminal=ssh res=failed'
and in the messages log hundreds of:
Nov 13 08:30:02 host PAM-hulk[22289]: Brute force detection active: 580 LOGIN DENIED -- TOO MANY FAILURES -- IP TEMP BANNED
Also, aureport reports:
Number of logins: 6
Number of failed logins: 6835
Number of authentications: 12
Number of failed authentications: 41589
Does anyone have any ideas on why these invalid attempts are not being blocked by iptables?
Thanks for any insight.
Jeff Paetkau
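
One way to see which sources the failed attempts actually come from, as an added example that is not part of the original post: parse the USER_AUTH records in the format quoted above and split the failed sshd attempts by whether their addr falls inside the allowlist. The ALLOWED networks, the function names and every sample record are constructed for illustration; only the record layout and the address 192.126.120.93 come from the post.

```python
import ipaddress
import re
from collections import Counter

# Assumption: stand-in for the source networks the port 22 iptables rule accepts.
ALLOWED = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]

# Constructed records in the audit.log format quoted in the post.
REC = ("type=USER_AUTH msg=audit(1415905373.817:1993316): user pid=28071 uid=0 "
       "auid=0 ses=29944 msg='op=PAM:authentication acct=\"root\" "
       "exe=\"/usr/sbin/sshd\" hostname={a} addr={a} terminal=ssh res={r}'")
SAMPLE = [REC.format(a=a, r=r) for a, r in [
    ("192.126.120.93", "failed"), ("192.126.120.93", "failed"),
    ("203.0.113.10", "failed"), ("203.0.113.10", "success"),
    ("2001:db8::5", "failed"), ("?", "failed")]]

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(line):
    """Return the key=value fields of one audit record as a dict."""
    return {k: v.strip("\"'") for k, v in FIELD.findall(line)}


def failed_ssh_sources(lines, allowed=ALLOWED):
    """Count failed sshd USER_AUTH records per source, split by allowlist."""
    inside, outside = Counter(), Counter()
    for line in lines:
        f = parse(line)
        if f.get("type") != "USER_AUTH" or f.get("res") != "failed":
            continue
        if not f.get("exe", "").endswith("/sshd"):
            continue
        try:
            addr = ipaddress.ip_address(f.get("addr", ""))
        except ValueError:
            continue  # addr=? or a hostname cannot be matched against networks
        # An IPv6 source never matches an IPv4 network, so it lands in "outside".
        bucket = inside if any(addr in net for net in allowed) else outside
        bucket[str(addr)] += 1
    return inside, outside


if __name__ == "__main__":
    inside, outside = failed_ssh_sources(SAMPLE)
    print("failed sshd auth from allowlisted sources:", dict(inside))
    print("failed sshd auth from sources the rule should drop:", dict(outside))
```

On the server, pass the lines of the real audit.log instead of SAMPLE and set ALLOWED to the networks in the port 22 rule.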