| Field | Value |
|---|---|
| Summary: | Fail2Ban inconsistently banning |
| Product: | [Fedora] Fedora |
| Reporter: | Erik Squires <erik_squires> |
| Component: | fail2ban |
| Assignee: | Axel Thimm <axel.thimm> |
| Status: | CLOSED EOL |
| QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified |
| Priority: | unspecified |
| Version: | 19 |
| CC: | axel.thimm, frollic, jonathan.underwood, steven.chapel, toby, urkedal, vonsch |
| Target Milestone: | --- |
| Target Release: | --- |
| Hardware: | Unspecified |
| OS: | Unspecified |
| Doc Type: | Bug Fix |
| Story Points: | --- |
| : | 1183955 (view as bug list) |
| Last Closed: | 2015-02-17 13:47:00 UTC |
| Type: | --- |
| Regression: | --- |
| Mount Type: | --- |
| Documentation: | --- |
| Category: | --- |
| oVirt Team: | --- |
| Cloudforms Team: | --- |
I have the same problem using fail2ban 0.8.4-27 on Fedora 15. Nearly every day I see hundreds of SSH login attempts because fail2ban is not banning some IPs.

This bug appears to have been reported against 'rawhide' during the Fedora 19 development cycle. Changing version to '19'. (As we did not run this process for some time, it could also affect pre-Fedora 19 development cycle bugs. We are very sorry. It will help us with cleanup during Fedora 19 End Of Life. Thank you.) More information and the reason for this action are here: https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora19

Is this issue still reproducible for you with the latest fail2ban? If yes, can you please attach your /var/log/secure with log entries which indicate a break-in attempt and aren't banned? Thank you in advance.

I've got fail2ban-0.8.11-2 installed, and it seems to miss/trigger log entries with:

pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=81.215.12.106 user=root

I'm new to f2b, but it seems the regex in the sshd.conf doesn't match the output of /var/log/secure.

[root@atlantis log]# cat secure | grep 81.215.12.106
Feb 2 21:43:46 atlantis sshd[16001]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=81.215.12.106 user=root
Feb 2 21:43:49 atlantis sshd[16001]: Failed password for root from 81.215.12.106 port 63032 ssh2
Feb 2 21:43:50 atlantis sshd[16001]: Received disconnect from 81.215.12.106: 11: [preauth]
Feb 2 21:43:56 atlantis sshd[16005]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=81.215.12.106 user=root
Feb 2 21:43:56 atlantis sshd[16007]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=81.215.12.106 user=root
Feb 2 21:43:56 atlantis sshd[16004]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=81.215.12.106 user=root
Feb 2 21:43:56 atlantis sshd[16008]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=81.215.12.106 user=root
Feb 2 21:43:56 atlantis sshd[16006]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=81.215.12.106 user=root
Feb 2 21:43:56 atlantis sshd[16009]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=81.215.12.106 user=root
Feb 2 21:43:56 atlantis sshd[16010]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=81.215.12.106 user=root
Feb 2 21:43:56 atlantis sshd[16013]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=81.215.12.106 user=root
Feb 2 21:43:56 atlantis sshd[16014]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=81.215.12.106 user=root
Feb 2 21:43:57 atlantis sshd[16005]: Failed password for root from 81.215.12.106 port 63365 ssh2
Feb 2 21:43:58 atlantis sshd[16007]: Failed password for root from 81.215.12.106 port 63368 ssh2
Feb 2 21:43:58 atlantis sshd[16004]: Failed password for root from 81.215.12.106 port 63364 ssh2
Feb 2 21:43:58 atlantis sshd[16003]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=81.215.12.106 user=root
Feb 2 21:43:58 atlantis sshd[16008]: Failed password for root from 81.215.12.106 port 63369 ssh2
Feb 2 21:43:58 atlantis sshd[16006]: Failed password for root from 81.215.12.106 port 63366 ssh2
Feb 2 21:43:58 atlantis sshd[16009]: Failed password for root from 81.215.12.106 port 63361 ssh2
Feb 2 21:43:58 atlantis sshd[16010]: Failed password for root from 81.215.12.106 port 63363 ssh2
Feb 2 21:43:58 atlantis sshd[16013]: Failed password for root from 81.215.12.106 port 63367 ssh2
Feb 2 21:43:58 atlantis sshd[16014]: Failed password for root from 81.215.12.106 port 63370 ssh2
Feb 2 21:44:00 atlantis sshd[16003]: Failed password for root from 81.215.12.106 port 63362 ssh2
Feb 2 21:44:01 atlantis sshd[16005]: Failed password for root from 81.215.12.106 port 63365 ssh2
Feb 2 21:44:01 atlantis sshd[16007]: Failed password for root from 81.215.12.106 port 63368 ssh2
Feb 2 21:44:01 atlantis sshd[16004]: Failed password for root from 81.215.12.106 port 63364 ssh2
Feb 2 21:44:01 atlantis sshd[16008]: Failed password for root from 81.215.12.106 port 63369 ssh2
Feb 2 21:44:01 atlantis sshd[16006]: Failed password for root from 81.215.12.106 port 63366 ssh2
Feb 2 21:44:01 atlantis sshd[16010]: Failed password for root from 81.215.12.106 port 63363 ssh2
Feb 2 21:44:01 atlantis sshd[16009]: Failed password for root from 81.215.12.106 port 63361 ssh2
Feb 2 21:44:01 atlantis sshd[16013]: Failed password for root from 81.215.12.106 port 63367 ssh2
Feb 2 21:44:02 atlantis sshd[16014]: Failed password for root from 81.215.12.106 port 63370 ssh2
Feb 2 21:44:03 atlantis sshd[16003]: Failed password for root from 81.215.12.106 port 63362 ssh2
Feb 2 21:44:04 atlantis sshd[16005]: Failed password for root from 81.215.12.106 port 63365 ssh2
Feb 2 21:44:04 atlantis sshd[16007]: Failed password for root from 81.215.12.106 port 63368 ssh2
Feb 2 21:44:04 atlantis sshd[16004]: Failed password for root from 81.215.12.106 port 63364 ssh2
Feb 2 21:44:04 atlantis sshd[16008]: Failed password for root from 81.215.12.106 port 63369 ssh2
Feb 2 21:44:04 atlantis sshd[16006]: Failed password for root from 81.215.12.106 port 63366 ssh2
Feb 2 21:44:04 atlantis sshd[16009]: Failed password for root from 81.215.12.106 port 63361 ssh2
Feb 2 21:44:04 atlantis sshd[16010]: Failed password for root from 81.215.12.106 port 63363 ssh2
Feb 2 21:44:04 atlantis sshd[16013]: Failed password for root from 81.215.12.106 port 63367 ssh2
Feb 2 21:44:05 atlantis sshd[16014]: Failed password for root from 81.215.12.106 port 63370 ssh2
Feb 2 21:44:06 atlantis sshd[16003]: Failed password for root from 81.215.12.106 port 63362 ssh2
Feb 2 21:44:07 atlantis sshd[16005]: Failed password for root from 81.215.12.106 port 63365 ssh2
Feb 2 21:44:07 atlantis sshd[16007]: Failed password for root from 81.215.12.106 port 63368 ssh2
Feb 2 21:44:07 atlantis sshd[16004]: Failed password for root from 81.215.12.106 port 63364 ssh2
Feb 2 21:44:07 atlantis sshd[16008]: Failed password for root from 81.215.12.106 port 63369 ssh2
Feb 2 21:44:07 atlantis sshd[16009]: Failed password for root from 81.215.12.106 port 63361 ssh2
Feb 2 21:44:07 atlantis sshd[16010]: Failed password for root from 81.215.12.106 port 63363 ssh2
Feb 2 21:44:07 atlantis sshd[16006]: Failed password for root from 81.215.12.106 port 63366 ssh2
Feb 2 21:44:07 atlantis sshd[16013]: Failed password for root from 81.215.12.106 port 63367 ssh2
Feb 2 21:44:09 atlantis sshd[16003]: Failed password for root from 81.215.12.106 port 63362 ssh2
Feb 2 21:44:09 atlantis sshd[16014]: Failed password for root from 81.215.12.106 port 63370 ssh2
Feb 2 21:44:10 atlantis sshd[16005]: Failed password for root from 81.215.12.106 port 63365 ssh2
Feb 2 21:44:11 atlantis sshd[16007]: Failed password for root from 81.215.12.106 port 63368 ssh2
Feb 2 21:44:11 atlantis sshd[16009]: Failed password for root from 81.215.12.106 port 63361 ssh2
Feb 2 21:44:11 atlantis sshd[16010]: Failed password for root from 81.215.12.106 port 63363 ssh2
Feb 2 21:44:11 atlantis sshd[16004]: Failed password for root from 81.215.12.106 port 63364 ssh2
Feb 2 21:44:11 atlantis sshd[16006]: Failed password for root from 81.215.12.106 port 63366 ssh2
Feb 2 21:44:11 atlantis sshd[16008]: Failed password for root from 81.215.12.106 port 63369 ssh2
Feb 2 21:44:12 atlantis sshd[16013]: Failed password for root from 81.215.12.106 port 63367 ssh2
Feb 2 21:44:13 atlantis sshd[16003]: Failed password for root from 81.215.12.106 port 63362 ssh2
Feb 2 21:44:13 atlantis sshd[16014]: Failed password for root from 81.215.12.106 port 63370 ssh2
Feb 2 21:44:14 atlantis sshd[16005]: Failed password for root from 81.215.12.106 port 63365 ssh2
Feb 2 21:44:14 atlantis sshd[16005]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=81.215.12.106 user=root
Feb 2 21:44:14 atlantis sshd[16007]: Failed password for root from 81.215.12.106 port 63368 ssh2
Feb 2 21:44:14 atlantis sshd[16007]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=81.215.12.106 user=root
Feb 2 21:44:14 atlantis sshd[16009]: Failed password for root from 81.215.12.106 port 63361 ssh2
Feb 2 21:44:14 atlantis sshd[16009]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=81.215.12.106 user=root
Feb 2 21:44:14 atlantis sshd[16010]: Failed password for root from 81.215.12.106 port 63363 ssh2
Feb 2 21:44:14 atlantis sshd[16010]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=81.215.12.106 user=root
Feb 2 21:44:14 atlantis sshd[16004]: Failed password for root from 81.215.12.106 port 63364 ssh2
Feb 2 21:44:14 atlantis sshd[16004]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=81.215.12.106 user=root
Feb 2 21:44:14 atlantis sshd[16006]: Failed password for root from 81.215.12.106 port 63366 ssh2
Feb 2 21:44:14 atlantis sshd[16006]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=81.215.12.106 user=root
Feb 2 21:44:15 atlantis sshd[16008]: Failed password for root from 81.215.12.106 port 63369 ssh2
Feb 2 21:44:15 atlantis sshd[16008]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=81.215.12.106 user=root
Feb 2 21:44:15 atlantis sshd[16013]: Failed password for root from 81.215.12.106 port 63367 ssh2
Feb 2 21:44:15 atlantis sshd[16013]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=81.215.12.106 user=root
Feb 2 21:44:16 atlantis sshd[16003]: Failed password for root from 81.215.12.106 port 63362 ssh2
Feb 2 21:44:16 atlantis sshd[16003]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=81.215.12.106 user=root
Feb 2 21:44:16 atlantis sshd[16014]: Failed password for root from 81.215.12.106 port 63370 ssh2
Feb 2 21:44:16 atlantis sshd[16014]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=81.215.12.106 user=root

[root@atlantis filter.d]# fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/sshd.conf --print-all-missed
Running tests
=============
Use failregex file : /etc/fail2ban/filter.d/sshd.conf
Use log file : /var/log/secure
Results
=======
Failregex: 131 total
|- #) [# of hits] regular expression
| 3) [123] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*Failed \S+ for .*? from <HOST>(?: port \d*)?(?: ssh\d*)?(: (ruser .*|(\S+ ID \S+ \(serial \d+\) CA )?\S+ (?:[\da-f]{2}:){15}[\da-f]{2}(, client user ".*", client host ".*")?))?\s*$
| 5) [8] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*[iI](?:llegal|nvalid) user .* from <HOST>\s*$
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [274] MONTH Day Hour:Minute:Second
`-
Lines: 274 lines, 0 ignored, 131 matched, 143 missed
|- Missed line(s):
| Feb 2 03:59:01 atlantis sshd[25739]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=187.174.116.245 user=root
| Feb 2 03:59:03 atlantis sshd[25739]: Received disconnect from 187.174.116.245: 11: Bye Bye [preauth]
| Feb 2 03:59:05 atlantis sshd[25756]: input_userauth_request: invalid user jack [preauth]
| Feb 2 03:59:05 atlantis sshd[25756]: pam_unix(sshd:auth): check pass; user unknown
| Feb 2 03:59:05 atlantis sshd[25756]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=187.174.116.245
| Feb 2 03:59:07 atlantis sshd[25756]: Received disconnect from 187.174.116.245: 11: Bye Bye [preauth]
| Feb 2 03:59:08 atlantis sshd[25758]: input_userauth_request: invalid user ibsadmin [preauth]
| Feb 2 03:59:08 atlantis sshd[25758]: pam_unix(sshd:auth): check pass; user unknown
| Feb 2 03:59:08 atlantis sshd[25758]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=187.174.116.245
| Feb 2 03:59:10 atlantis sshd[25758]: Received disconnect from 187.174.116.245: 11: Bye Bye [preauth]
| Feb 2 04:13:22 atlantis sshd[26176]: input_userauth_request: invalid user test [preauth]
| Feb 2 04:13:22 atlantis sshd[26176]: pam_unix(sshd:auth): check pass; user unknown
| Feb 2 04:13:22 atlantis sshd[26176]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.85.90.245
| Feb 2 04:13:24 atlantis sshd[26176]: Received disconnect from 222.85.90.245: 11: Bye Bye [preauth]
| Feb 2 04:13:28 atlantis sshd[26182]: input_userauth_request: invalid user test [preauth]
| Feb 2 04:13:28 atlantis sshd[26182]: pam_unix(sshd:auth): check pass; user unknown
| Feb 2 04:13:28 atlantis sshd[26182]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.85.90.245
| Feb 2 04:13:30 atlantis sshd[26182]: Received disconnect from 222.85.90.245: 11: Bye Bye [preauth]
| Feb 2 07:19:21 atlantis sshd[30536]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.62.71 user=root
| Feb 2 07:19:35 atlantis sshd[30536]: Disconnecting: Too many authentication failures for root [preauth]
| Feb 2 07:19:35 atlantis sshd[30536]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.62.71 user=root
| Feb 2 07:19:35 atlantis sshd[30536]: PAM service(sshd) ignoring max retries; 6 > 3
| Feb 2 08:15:50 atlantis sshd[31716]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.147.70.122 user=root
| Feb 2 08:16:04 atlantis sshd[31716]: Disconnecting: Too many authentication failures for root [preauth]
| Feb 2 08:16:04 atlantis sshd[31716]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.147.70.122 user=root
| Feb 2 08:16:04 atlantis sshd[31716]: PAM service(sshd) ignoring max retries; 6 > 3
| Feb 2 10:09:47 atlantis sshd[1634]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.2.22.131 user=root
| Feb 2 10:10:01 atlantis sshd[1634]: Disconnecting: Too many authentication failures for root [preauth]
| Feb 2 10:10:01 atlantis sshd[1634]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.2.22.131 user=root
| Feb 2 10:10:01 atlantis sshd[1634]: PAM service(sshd) ignoring max retries; 6 > 3
| Feb 2 11:32:58 atlantis sshd[3357]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.62.21 user=root
| Feb 2 11:33:13 atlantis sshd[3357]: Disconnecting: Too many authentication failures for root [preauth]
| Feb 2 11:33:13 atlantis sshd[3357]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.62.21 user=root
| Feb 2 11:33:13 atlantis sshd[3357]: PAM service(sshd) ignoring max retries; 6 > 3
| Feb 2 12:04:06 atlantis sshd[4017]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.2.22.144 user=root
| Feb 2 12:04:22 atlantis sshd[4017]: Disconnecting: Too many authentication failures for root [preauth]
| Feb 2 12:04:22 atlantis sshd[4017]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.2.22.144 user=root
| Feb 2 12:04:22 atlantis sshd[4017]: PAM service(sshd) ignoring max retries; 6 > 3
| Feb 2 13:25:33 atlantis sshd[5709]: Did not receive identification string from 198.20.99.130
| Feb 2 13:27:48 atlantis sshd[5751]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.248.143.169 user=root
| Feb 2 13:27:50 atlantis sshd[5751]: Received disconnect from 203.248.143.169: 11: Bye Bye [preauth]
| Feb 2 13:27:53 atlantis sshd[5753]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.248.143.169 user=root
| Feb 2 13:27:55 atlantis sshd[5753]: Received disconnect from 203.248.143.169: 11: Bye Bye [preauth]
| Feb 2 13:27:58 atlantis sshd[5755]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.248.143.169 user=root
| Feb 2 13:28:00 atlantis sshd[5755]: Received disconnect from 203.248.143.169: 11: Bye Bye [preauth]
| Feb 2 13:28:02 atlantis sshd[5771]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.248.143.169 user=root
| Feb 2 13:28:04 atlantis sshd[5771]: Received disconnect from 203.248.143.169: 11: Bye Bye [preauth]
| Feb 2 14:32:32 atlantis sshd[7110]: Did not receive identification string from 162.248.244.4
| Feb 2 16:25:04 atlantis sshd[9413]: Did not receive identification string from 182.73.175.234
| Feb 2 16:44:26 atlantis sshd[9787]: Accepted password for frollic from 192.168.10.4 port 49397 ssh2
| Feb 2 16:44:26 atlantis sshd[9787]: pam_unix(sshd:session): session opened for user frollic by (uid=0)
| Feb 2 16:47:00 atlantis sshd[9787]: pam_unix(sshd:session): session closed for user frollic
| Feb 2 18:06:18 atlantis sshd[11464]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=121.11.76.49 user=root
| Feb 2 18:06:24 atlantis sshd[11464]: Connection closed by 121.11.76.49 [preauth]
| Feb 2 18:06:24 atlantis sshd[11464]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=121.11.76.49 user=root
| Feb 2 19:42:25 atlantis sshd[13391]: Did not receive identification string from 124.173.121.124
| Feb 2 20:25:11 atlantis sshd[14260]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=64.76.58.153 user=root
| Feb 2 20:25:14 atlantis sshd[14260]: Received disconnect from 64.76.58.153: 11: Bye Bye [preauth]
| Feb 2 20:25:15 atlantis sshd[14262]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=64.76.58.153 user=root
| Feb 2 20:25:17 atlantis sshd[14262]: Received disconnect from 64.76.58.153: 11: Bye Bye [preauth]
| Feb 2 20:25:18 atlantis sshd[14264]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=64.76.58.153 user=root
| Feb 2 20:25:21 atlantis sshd[14264]: Received disconnect from 64.76.58.153: 11: Bye Bye [preauth]
| Feb 2 20:25:22 atlantis sshd[14266]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=64.76.58.153 user=root
| Feb 2 20:25:24 atlantis sshd[14266]: Received disconnect from 64.76.58.153: 11: Bye Bye [preauth]
| Feb 2 20:37:19 atlantis sshd[14602]: Accepted password for frollic from 192.168.10.85 port 49992 ssh2
| Feb 2 20:37:19 atlantis sshd[14602]: pam_unix(sshd:session): session opened for user frollic by (uid=0)
| Feb 2 21:16:18 atlantis sshd[15413]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=124.173.121.124 user=root
| Feb 2 21:16:40 atlantis sshd[15413]: Disconnecting: Too many authentication failures for root [preauth]
| Feb 2 21:16:40 atlantis sshd[15413]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=124.173.121.124 user=root
| Feb 2 21:16:45 atlantis sshd[15439]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=124.173.121.124 user=root
| Feb 2 21:16:47 atlantis sshd[15439]: Connection closed by 124.173.121.124 [preauth]
| Feb 2 21:43:46 atlantis sshd[16001]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=81.215.12.106 user=root
| Feb 2 21:43:50 atlantis sshd[16001]: Received disconnect from 81.215.12.106: 11: [preauth]
| Feb 2 21:43:56 atlantis sshd[16005]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=81.215.12.106 user=root
| Feb 2 21:43:56 atlantis sshd[16007]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=81.215.12.106 user=root
| Feb 2 21:43:56 atlantis sshd[16004]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=81.215.12.106 user=root
| Feb 2 21:43:56 atlantis sshd[16008]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=81.215.12.106 user=root
| Feb 2 21:43:56 atlantis sshd[16006]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=81.215.12.106 user=root
| Feb 2 21:43:56 atlantis sshd[16009]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=81.215.12.106 user=root
| Feb 2 21:43:56 atlantis sshd[16010]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=81.215.12.106 user=root
| Feb 2 21:43:56 atlantis sshd[16013]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=81.215.12.106 user=root
| Feb 2 21:43:56 atlantis sshd[16014]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=81.215.12.106 user=root
| Feb 2 21:43:58 atlantis sshd[16003]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=81.215.12.106 user=root
| Feb 2 21:44:14 atlantis sshd[16005]: Disconnecting: Too many authentication failures for root [preauth]
| Feb 2 21:44:14 atlantis sshd[16005]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=81.215.12.106 user=root
| Feb 2 21:44:14 atlantis sshd[16005]: PAM service(sshd) ignoring max retries; 6 > 3
| Feb 2 21:44:14 atlantis sshd[16007]: Disconnecting: Too many authentication failures for root [preauth]
| Feb 2 21:44:14 atlantis sshd[16007]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=81.215.12.106 user=root
| Feb 2 21:44:14 atlantis sshd[16007]: PAM service(sshd) ignoring max retries; 6 > 3
| Feb 2 21:44:14 atlantis sshd[16009]: Disconnecting: Too many authentication failures for root [preauth]
| Feb 2 21:44:14 atlantis sshd[16009]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=81.215.12.106 user=root
| Feb 2 21:44:14 atlantis sshd[16009]: PAM service(sshd) ignoring max retries; 6 > 3
| Feb 2 21:44:14 atlantis sshd[16010]: Disconnecting: Too many authentication failures for root [preauth]
| Feb 2 21:44:14 atlantis sshd[16010]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=81.215.12.106 user=root
| Feb 2 21:44:14 atlantis sshd[16010]: PAM service(sshd) ignoring max retries; 6 > 3
| Feb 2 21:44:14 atlantis sshd[16004]: Disconnecting: Too many authentication failures for root [preauth]
| Feb 2 21:44:14 atlantis sshd[16004]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=81.215.12.106 user=root
| Feb 2 21:44:14 atlantis sshd[16004]: PAM service(sshd) ignoring max retries; 6 > 3
| Feb 2 21:44:14 atlantis sshd[16006]: Disconnecting: Too many authentication failures for root [preauth]
| Feb 2 21:44:14 atlantis sshd[16006]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=81.215.12.106 user=root
| Feb 2 21:44:14 atlantis sshd[16006]: PAM service(sshd) ignoring max retries; 6 > 3
| Feb 2 21:44:15 atlantis sshd[16008]: Disconnecting: Too many authentication failures for root [preauth]
| Feb 2 21:44:15 atlantis sshd[16008]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=81.215.12.106 user=root
| Feb 2 21:44:15 atlantis sshd[16008]: PAM service(sshd) ignoring max retries; 6 > 3
| Feb 2 21:44:15 atlantis sshd[16013]: Disconnecting: Too many authentication failures for root [preauth]
| Feb 2 21:44:15 atlantis sshd[16013]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=81.215.12.106 user=root
| Feb 2 21:44:15 atlantis sshd[16013]: PAM service(sshd) ignoring max retries; 6 > 3
| Feb 2 21:44:16 atlantis sshd[16003]: Disconnecting: Too many authentication failures for root [preauth]
| Feb 2 21:44:16 atlantis sshd[16003]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=81.215.12.106 user=root
| Feb 2 21:44:16 atlantis sshd[16003]: PAM service(sshd) ignoring max retries; 6 > 3
| Feb 2 21:44:16 atlantis sshd[16014]: Disconnecting: Too many authentication failures for root [preauth]
| Feb 2 21:44:16 atlantis sshd[16014]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=81.215.12.106 user=root
| Feb 2 21:44:16 atlantis sshd[16014]: PAM service(sshd) ignoring max retries; 6 > 3
| Feb 2 22:16:39 atlantis sshd[14602]: pam_unix(sshd:session): session closed for user frollic
| Feb 3 00:22:24 atlantis sshd[19375]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.62.75 user=root
| Feb 3 00:22:40 atlantis sshd[19375]: Disconnecting: Too many authentication failures for root [preauth]
| Feb 3 00:22:40 atlantis sshd[19375]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.62.75 user=root
| Feb 3 00:22:40 atlantis sshd[19375]: PAM service(sshd) ignoring max retries; 6 > 3
| Feb 3 01:14:19 atlantis sshd[20468]: Did not receive identification string from 50.57.118.200
| Feb 3 01:14:45 atlantis sshd[20469]: input_userauth_request: invalid user default [preauth]
| Feb 3 01:14:45 atlantis sshd[20469]: pam_unix(sshd:auth): check pass; user unknown
| Feb 3 01:14:45 atlantis sshd[20469]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=50.57.118.200
| Feb 3 01:14:47 atlantis sshd[20469]: Connection closed by 50.57.118.200 [preauth]
| Feb 3 01:14:47 atlantis sshd[20471]: input_userauth_request: invalid user admin [preauth]
| Feb 3 01:14:47 atlantis sshd[20471]: pam_unix(sshd:auth): check pass; user unknown
| Feb 3 01:14:47 atlantis sshd[20471]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=50.57.118.200
| Feb 3 01:14:50 atlantis sshd[20471]: Connection closed by 50.57.118.200 [preauth]
| Feb 3 07:46:25 atlantis sshd[28957]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=121.11.76.49 user=root
| Feb 3 07:46:30 atlantis sshd[28957]: Connection closed by 121.11.76.49 [preauth]
| Feb 3 07:46:30 atlantis sshd[28957]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=121.11.76.49 user=root
| Feb 3 08:56:44 atlantis sshd[30353]: Accepted password for frollic from 131.165.63.132 port 23733 ssh2
| Feb 3 08:56:44 atlantis sshd[30353]: pam_unix(sshd:session): session opened for user frollic by (uid=0)
| Feb 3 08:56:46 atlantis su: pam_unix(su-l:session): session opened for user root by frollic(uid=1000)
| Feb 3 09:28:41 atlantis sshd[31075]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.245.211.219 user=root
| Feb 3 09:28:43 atlantis sshd[31075]: Received disconnect from 172.245.211.219: 11: Bye Bye [preauth]
| Feb 3 09:28:44 atlantis sshd[31077]: input_userauth_request: invalid user g t [preauth]
| Feb 3 09:28:44 atlantis sshd[31077]: pam_unix(sshd:auth): check pass; user unknown
| Feb 3 09:28:44 atlantis sshd[31077]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.245.211.219
| Feb 3 09:28:45 atlantis sshd[31077]: Received disconnect from 172.245.211.219: 11: Bye Bye [preauth]
| Feb 3 09:28:46 atlantis sshd[31079]: input_userauth_request: invalid user g t [preauth]
| Feb 3 09:28:46 atlantis sshd[31079]: pam_unix(sshd:auth): check pass; user unknown
| Feb 3 09:28:46 atlantis sshd[31079]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.245.211.219
| Feb 3 09:28:49 atlantis sshd[31079]: Received disconnect from 172.245.211.219: 11: Bye Bye [preauth]
`-
[root@atlantis filter.d]#
I'm also attaching a copy of the /var/log/secure the above test was ran on.
Created attachment 858453 [details]
copy of /var/log/secure
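To make the fail2ban-regex result above concrete, here is an added example (not code from the bug, from fail2ban, or from Fedora) that replays fail2ban 0.8's matching flow in plain Python: strip the syslog timestamp, try each failregex against the remainder, then count hits per host inside a findtime window the way a jail does before deciding on a ban. The two failregex strings are the two entries that scored hits in the output above, copied from the page; the `<HOST>` substitution is what I recall fail2ban 0.8 using and should be checked against the installed version; the sample log is constructed in the same format as the excerpts above (ports on the 222.85.90.245 lines are made up, the year is absent from syslog timestamps and set to 2014 arbitrarily); maxretry = 5 follows the jail config quoted in this bug, and findtime = 600 is fail2ban's default. The point it demonstrates is that the pam_unix "authentication failure" and "PAM 5 more authentication failures" lines are not what the sshd filter counts: the "Failed password ... from <HOST>" line of the same attempt is, and five of those inside the window are enough for a ban.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: fail2ban 0.8 replaces <HOST> with this capture group before compiling.
HOST_RE = r'(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)'

# The two failregex entries fail2ban-regex reported hits for, copied from the bug's output.
FAILREGEX = [
    r'^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?'
    r'(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?'
    r'\s(?:\[ID \d+ \S+\])?\s*Failed \S+ for .*? from <HOST>(?: port \d*)?(?: ssh\d*)?'
    r'(: (ruser .*|(\S+ ID \S+ \(serial \d+\) CA )?\S+ (?:[\da-f]{2}:){15}[\da-f]{2}(, client user ".*", client host ".*")?))?\s*$',
    r'^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?'
    r'(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?'
    r'\s(?:\[ID \d+ \S+\])?\s*[iI](?:llegal|nvalid) user .* from <HOST>\s*$',
]
COMPILED = [re.compile(rx.replace('<HOST>', HOST_RE)) for rx in FAILREGEX]

# syslog-style "Feb  2 21:43:57" prefix (the year is not logged).
SYSLOG_TS = re.compile(r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})\s')


def match_line(line, year=2014):
    """Return (timestamp, host) if any failregex matches the line, else None.
    Mirrors fail2ban 0.8: cut the timestamp out, then try each failregex on the rest."""
    m = SYSLOG_TS.match(line)
    if m is None:
        return None
    ts = datetime.strptime('%d %s' % (year, m.group('ts')), '%Y %b %d %H:%M:%S')
    rest = line[:m.start('ts')] + line[m.end('ts'):]
    for rx in COMPILED:
        fm = rx.match(rest)
        if fm:
            return ts, fm.group('host')
    return None


def regex_report(lines):
    """Split lines into (matched, missed), like fail2ban-regex --print-all-missed."""
    matched, missed = [], []
    for line in lines:
        (matched if match_line(line) else missed).append(line)
    return matched, missed


def simulate_jail(lines, maxretry=5, findtime=600):
    """Replay lines (in log order) and return (banned_hosts, matches_per_host_in_window).
    A host is banned once it has maxretry matches within findtime seconds."""
    seen = defaultdict(list)
    banned = set()
    for line in lines:
        hit = match_line(line)
        if hit is None:
            continue
        ts, host = hit
        recent = [t for t in seen[host] if ts - t <= timedelta(seconds=findtime)]
        recent.append(ts)
        seen[host] = recent
        if len(recent) >= maxretry:
            banned.add(host)
    return banned, {h: len(v) for h, v in seen.items()}


# Constructed sample in the format of the /var/log/secure excerpts in this bug.
SAMPLE_LOG = [
    "Feb  2 03:59:05 atlantis sshd[25756]: input_userauth_request: invalid user jack [preauth]",
    "Feb  2 04:13:22 atlantis sshd[26176]: Failed password for invalid user test from 222.85.90.245 port 50123 ssh2",
    "Feb  2 04:13:28 atlantis sshd[26182]: Failed password for invalid user test from 222.85.90.245 port 50130 ssh2",
    "Feb  2 13:25:33 atlantis sshd[5709]: Did not receive identification string from 198.20.99.130",
    "Feb  2 21:43:46 atlantis sshd[16001]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=81.215.12.106 user=root",
    "Feb  2 21:43:49 atlantis sshd[16001]: Failed password for root from 81.215.12.106 port 63032 ssh2",
    "Feb  2 21:43:57 atlantis sshd[16005]: Failed password for root from 81.215.12.106 port 63365 ssh2",
    "Feb  2 21:43:58 atlantis sshd[16007]: Failed password for root from 81.215.12.106 port 63368 ssh2",
    "Feb  2 21:43:58 atlantis sshd[16004]: Failed password for root from 81.215.12.106 port 63364 ssh2",
    "Feb  2 21:44:01 atlantis sshd[16008]: Failed password for root from 81.215.12.106 port 63369 ssh2",
    "Feb  2 21:44:14 atlantis sshd[16005]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=81.215.12.106 user=root",
]

if __name__ == '__main__':
    matched, missed = regex_report(SAMPLE_LOG)
    print('matched %d, missed %d' % (len(matched), len(missed)))
    for line in missed:
        print('  missed:', line)
    banned, counts = simulate_jail(SAMPLE_LOG)
    print('matches per host:', counts)
    print('would ban:', sorted(banned))
```

Running it reports 7 matched and 4 missed lines (the pam_unix, "PAM 5 more", "invalid user ... [preauth]" and "Did not receive identification string" lines are the misses, exactly the kinds listed under "Missed line(s)" above), and 81.215.12.106 reaches maxretry while 222.85.90.245 stays at two. When a host that should have been banned was not, the useful next check is whether its matched lines all fell inside one findtime window, and whether the jail's backend actually delivered those lines to the filter; a missed pam_unix line on its own does not explain it.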
This message is a notice that Fedora 19 is now at end of life. Fedora has stopped maintaining and issuing updates for Fedora 19. It is Fedora's policy to close all bug reports from releases that are no longer maintained. Approximately 4 (four) weeks from now this bug will be closed as EOL if it remains open with a Fedora 'version' of '19'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 19 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version prior to this bug being closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.

Fedora 19 changed to end-of-life (EOL) status on 2015-01-06. Fedora 19 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.
Description of problem:
Using default sshd.conf filters, Fail2Ban sometimes bans and sometimes does not ban an address.

Version-Release number of selected component (if applicable):
0.8.4-27

How reproducible:
30% of the time.

Steps to Reproduce:
1. Configure Fail2Ban for SSHD per instructions. SSHD is enabled out of the box.
2. Resolve SELinux alerts, or set backend=gamin in jail.conf (both work the same for the purposes of this report).
3. Watch your /var/log/secure entries (see enclosed sample; in this case, 217.149.194.173 was never banned. fail2ban-regex finds all of these entries, though).

Actual results:
Fail2Ban sometimes bans, and sometimes does not ban, SSH break-in attempts.

Expected results:
Fail2Ban should always ban break-in attempts that exceed the configuration settings.

Additional info:
fail2ban-regex finds all the entries. From Jail.conf:

[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
         sendmail-whois[name=SSH, dest=root, sender=fail2ban]
logpath = /var/log/secure
maxretry = 5