iptables, audit.log & Brute force detection

JeffPaetkau (Member, cPanel Access Level: Root Administrator)
Hi,

On my server I have iptables set up so SSH (on port 22) only allows connections from a limited set of IPs (tested such that when I comment out my IP I can't connect). However, I notice in audit.log thousands of messages like:

type=USER_AUTH msg=audit(1415905373.817:1993316): user pid=28071 uid=0 auid=0 ses=29944 msg='op=PAM:authentication acct="root" exe="/usr/sbin/sshd" hostname=192.126.120.93 addr=192.126.120.93 terminal=ssh res=failed'

and in the messages log hundreds of:

Nov 13 08:30:02 host PAM-hulk[22289]: Brute force detection active: 580 LOGIN DENIED -- TOO MANY FAILURES -- IP TEMP BANNED

also aureport reports:

Number of logins: 6
Number of failed logins: 6835
Number of authentications: 12
Number of failed authentications: 41589

Does anyone have any ideas on why these invalid attempts are not being blocked by iptables?

Thanks for any insight.

Jeff Paetkau
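Before asking why iptables is not blocking, it is worth confirming which source addresses the failed sshd authentications in audit.log actually come from, and whether any of them fall inside the allow list at all. The following script is an added example, not code from the original post: it parses USER_AUTH records in the format quoted above, keeps only failed PAM authentications made through sshd, and splits the per-address failure counts into sources inside and outside an allow list. The allow list (203.0.113.0/24) and all sample records other than the first one are constructed for the example; on a real server you would feed it /var/log/audit/audit.log, and the allow list would be the addresses from your own iptables rules.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample of audit.log records in the format shown in the post.
# The first record is the one quoted above; the rest are made up for the example.
SAMPLE_AUDIT_LOG = """\
type=USER_AUTH msg=audit(1415905373.817:1993316): user pid=28071 uid=0 auid=0 ses=29944 msg='op=PAM:authentication acct="root" exe="/usr/sbin/sshd" hostname=192.126.120.93 addr=192.126.120.93 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1415905374.102:1993317): user pid=28071 uid=0 auid=0 ses=29944 msg='op=PAM:authentication acct="admin" exe="/usr/sbin/sshd" hostname=192.126.120.93 addr=192.126.120.93 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1415905380.511:1993318): user pid=28090 uid=0 auid=0 ses=29945 msg='op=PAM:authentication acct="jeff" exe="/usr/sbin/sshd" hostname=203.0.113.7 addr=203.0.113.7 terminal=ssh res=success'
type=USER_AUTH msg=audit(1415905380.900:1993319): user pid=28091 uid=0 auid=0 ses=29945 msg='op=PAM:authentication acct="jeff" exe="/usr/sbin/sshd" hostname=203.0.113.7 addr=203.0.113.7 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1415905381.020:1993320): user pid=28095 uid=0 auid=0 ses=29946 msg='op=PAM:authentication acct="root" exe="/usr/sbin/sshd" hostname=198.51.100.9 addr=198.51.100.9 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1415905382.330:1993321): user pid=28099 uid=0 auid=0 ses=29947 msg='op=PAM:authentication acct="root" exe="/usr/bin/su" hostname=? addr=? terminal=pts/0 res=failed'
"""

# Hypothetical allow list standing in for the addresses permitted by the poster's
# iptables rules (documentation range, constructed for this example).
ALLOWED = [ip_network("203.0.113.0/24")]

# Pull the executable, source address and result out of a USER_AUTH record.
AUDIT_RE = re.compile(
    r'type=USER_AUTH .*?exe="(?P<exe>[^"]+)".*?addr=(?P<addr>\S+).*?res=(?P<res>\w+)'
)


def parse_failed_ssh_auth(text):
    """Return the source address of every failed PAM authentication made via sshd."""
    addrs = []
    for line in text.splitlines():
        m = AUDIT_RE.search(line)
        if not m or m.group("res") != "failed":
            continue
        # Local authentications (su, sudo, console) carry addr=? and are not SSH traffic.
        if not m.group("exe").endswith("/sshd") or m.group("addr") == "?":
            continue
        addrs.append(m.group("addr"))
    return addrs


def is_allowed(addr, allowed=ALLOWED):
    """True if addr lies inside any network of the allow list."""
    ip = ip_address(addr)
    return any(ip in net for net in allowed)


def classify(text, allowed=ALLOWED):
    """Split per-address failure counts into allowed sources and unexpected ones.

    Any entry in the 'unexpected' dict reached sshd from an address the firewall
    should have dropped, which is exactly the symptom the post describes.
    """
    counts = Counter(parse_failed_ssh_auth(text))
    expected = {a: n for a, n in counts.items() if is_allowed(a, allowed)}
    unexpected = {a: n for a, n in counts.items() if not is_allowed(a, allowed)}
    return expected, unexpected


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AUDIT_LOG
    ok, bad = classify(data)
    print("failures from allowed sources:", ok)
    print("failures from sources outside the allow list:", bad)
```

Run it with no arguments to see the sample classification, or pass the path to the real audit.log. If the unexpected dict is non-empty, the traffic is reaching sshd despite the firewall, so the next thing to inspect is the live rule set itself (`iptables -L INPUT -n -v --line-numbers`) rather than the sshd or PAM configuration.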

24x7server (Well-Known Member, India, cPanel Access Level: Root Administrator)
JeffPaetkau (Member, cPanel Access Level: Root Administrator)
Hi,

Thanks. Those are both good suggestions. However, they don't really answer my question, which is: why am I seeing these messages at all if iptables is blocking port 22?

Jeff