Hi,
My machine is exposed to the wild and I was seeing hundreds of connection attempts per day in my logs and in fail2ban.log.
All these nefarious activities ceased after upgrade to F40.
Question: Is there something fundamentally different in F40 connectivity? I can still connect from outside on pre-defined ports using ssh so my ISP is not blocking anything.
Thanks Frank
On Sun, Apr 28, 2024 at 9:31 AM Frank Bures buresf@gmail.com wrote:
Hi,
My machine is exposed to the wild and I was seeing hundreds of connection attempts per day in my logs and in fail2ban.log.
All these nefarious activities ceased after upgrade to F40.
Question: Is there something fundamentally different in F40 connectivity? I can still connect from outside on pre-defined ports using ssh so my ISP is not blocking anything.
I would try this update and see if it fixes your problem. There's also a new release but I want this to go stable first.
https://bodhi.fedoraproject.org/updates/FEDORA-2024-95a6cdf26b
Thanks, Richard
On 2024-04-28 10:58, Richard Shaw wrote:
On Sun, Apr 28, 2024 at 9:31 AM Frank Bures <buresf@gmail.com> wrote:
Hi,
My machine is exposed to the wild and I was seeing hundreds of connection attempts per day in my logs and in fail2ban.log.
All these nefarious activities ceased after upgrade to F40.
Question: Is there something fundamentally different in F40 connectivity? I can still connect from outside on pre-defined ports using ssh so my ISP is not blocking anything.
I would try this update and see if it fixes your problem. There's also a new release but I want this to go stable first.
https://bodhi.fedoraproject.org/updates/FEDORA-2024-95a6cdf26b
Installed the update. Will report.
Cheers Frank
On 4/28/24 10:31 AM, Frank Bures wrote:
Hi,
My machine is exposed to the wild and I was seeing hundreds of connection attempts per day in my logs and in fail2ban.log.
All these nefarious activities ceased after upgrade to F40.
Question: Is there something fundamentally different in F40 connectivity? I can still connect from outside on pre-defined ports using ssh so my ISP is not blocking anything.
I also use fail2ban to keep the riff-raff out of my home web server. I also have ssh on a non-standard port and smtp and imap/pop. I saw no difference between 39 and 40. I even have some jails set to aggressive mode plus one wrong move and the IP is banned. Sorry, but I have to ask. It is running, right? What are the lines in the fail2ban log when it starts? Can you connect from the outside to whatever ports you have open? Does "sudo systemctl status fail2ban" tell you anything?
Charlie
On 2024-04-28 11:03, Charles Dennett wrote:
On 4/28/24 10:31 AM, Frank Bures wrote:
Hi,
My machine is exposed to the wild and I was seeing hundreds of connection attempts per day in my logs and in fail2ban.log.
All these nefarious activities ceased after upgrade to F40.
Question: Is there something fundamentally different in F40 connectivity? I can still connect from outside on pre-defined ports using ssh so my ISP is not blocking anything.
I also use fail2ban to keep the riff-raff out of my home web server. I also have ssh on a non-standard port and smtp and imap/pop. I saw no difference between 39 and 40. I even have some jails set to aggressive mode plus one wrong move and the IP is banned. Sorry, but I have to ask. It is running, right? What are the lines in the fail2ban log when it starts? Can you connect from the outside to whatever ports you have open? Does "sudo systemctl status fail2ban" tell you anything?
Those were the first things I checked. Everything is OK.
The problem is that there are no connection attempts in /var/log/secure or /var/log/messages so obviously f2b has nothing to do. There are only legitimate connections by me in the logs. Where have all the attackers gone?
Cheers Frank
On 28 Apr 2024, at 16:31, Frank Bures buresf@gmail.com wrote:
The problem is that there are no connection attempts in /var/log/secure or /var/log/messages so obviously f2b has nothing to do.
Maybe the logs are in the journal and nothing is updating the legacy /var/log files? What does journalctl report?
Barry
On 2024-04-28 11:39, Barry wrote:
On 28 Apr 2024, at 16:31, Frank Bures buresf@gmail.com wrote:
The problem is that there are no connection attempts in /var/log/secure or /var/log/messages so obviously f2b has nothing to do.
Maybe the logs are in the journal and nothing is updating the legacy /var/log files? What does journalctl report?
Barry
That was it!
How do I make sshd log to secure as before?
Thanks Frank
On 2024-04-28 12:59, Frank Bures wrote:
On 2024-04-28 11:39, Barry wrote:
On 28 Apr 2024, at 16:31, Frank Bures buresf@gmail.com wrote:
The problem is that there are no connection attempts in /var/log/secure or /var/log/messages so obviously f2b has nothing to do.
Maybe the logs are in the journal and nothing is updating the legacy /var/log files? What does journalctl report?
Barry
That was it!
How do I make sshd log to secure as before?
OK, here's the deal.
The problem has nothing to do with f2b and everything to do with EERO update that coincided with my F40 upgrade. The previous version of EERO firmware apparently quietly ignored its firewall settings and let anything through. The new firmware re-established the proper functioning firewall, hence only my pre-defined sshd ports were left open. As no attacker hit them, there was nothing for f2b to do. I tested the hypothesis by opening port 22 on EERO and bang, f2b is as busy as before.
I apologize for my hasty posting.
Cheers Frank
On Sun, Apr 28, 2024 at 12:59:49PM -0400, Frank Bures wrote:
On 2024-04-28 11:39, Barry wrote:
On 28 Apr 2024, at 16:31, Frank Bures buresf@gmail.com wrote:
The problem is that there are no connection attempts in /var/log/secure or /var/log/messages so obviously f2b has nothing to do.
Maybe the logs are in the journal and nothing is updating the legacy /var/log files? What does journalctl report?
Barry
That was it!
How do I make sshd log to secure as before?
Best to just use journalctl; logging to other files generally just duplicates what's also found in the journald log.
journalctl -u sshd
And more per "man journalctl".
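Added example, not part of the thread: the failed-login lines fail2ban's sshd jail consumes can be pulled from journald (journalctl -u sshd, as suggested above) and counted per source address with a small parser; the sample lines and the 192.0.2.0/24 addresses are constructed for the example, and the journal_failed_logins function assumes a host where journalctl exists.

```shell
#!/bin/sh
# Count sshd authentication failures per source IP from journal-style log lines.
# Reads lines on stdin, prints "count ip" pairs, highest count first.
# Matches the "Failed password for ... from <ip>" and "Invalid user ... from <ip>"
# forms sshd emits on failed logins; newer OpenSSH logs them as sshd-session[...].
failed_logins_by_ip() {
    awk '
        /sshd(-session)?\[[0-9]+\]: (Failed password for|Invalid user)/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { ip[$(i+1)]++; break }
        }
        END { for (a in ip) print ip[a], a }
    ' | sort -rn
}

# Live variant (assumes journalctl is present): entries from the current boot
# in the syslog-like "short" output format, fed to the parser above.
journal_failed_logins() {
    journalctl -u sshd -b --no-pager -o short | failed_logins_by_ip
}

# How many distinct IPs reached a threshold, the check a jail's maxretry performs.
ips_over_threshold() {
    threshold="$1"
    failed_logins_by_ip | awk -v t="$threshold" '$1 >= t { n++ } END { print n+0 }'
}

# Constructed sample in journalctl's "short" format (not real traffic).
SAMPLE_LOG='Apr 28 10:31:02 host sshd[1201]: Failed password for invalid user admin from 192.0.2.10 port 54321 ssh2
Apr 28 10:31:05 host sshd[1203]: Invalid user test from 192.0.2.10 port 54330
Apr 28 10:31:09 host sshd[1205]: Failed password for root from 192.0.2.20 port 41000 ssh2
Apr 28 10:31:12 host sshd[1207]: Accepted publickey for frank from 192.0.2.30 port 50000 ssh2: ED25519 SHA256:...
Apr 28 10:31:15 host sshd[1209]: Failed password for invalid user admin from 192.0.2.10 port 54340 ssh2'

# Run the parser over the sample; the successful publickey login is ignored.
printf '%s\n' "$SAMPLE_LOG" | failed_logins_by_ip
```

On Fedora, fail2ban's sshd jail reads these same entries straight from journald when the jail uses `backend = systemd`, so nothing needs to write /var/log/secure for banning to work.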