About a month on from my last update, let's check the logs and see how the slightly stricter security measures are holding up.
Dec 2 11:28:43 defestri sshd: Invalid user administraator from 126.96.36.199
Dec 2 11:28:43 defestri sshd: Invalid user administrador from 188.8.131.52
Dec 2 11:28:44 defestri sshd: Invalid user administranto from 184.108.40.206
Dec 2 11:28:44 defestri sshd: Invalid user administrate from 220.127.116.11
Dec 2 11:28:45 defestri sshd: Invalid user administrateur from 18.104.22.168
Dec 2 20:31:43 defestri sshd: Invalid user lukas from 22.214.171.124
Dec 2 20:31:44 defestri sshd: Invalid user ottomar from 126.96.36.199
Dec 2 20:31:45 defestri sshd: Invalid user pankraz from 188.8.131.52
Dec 2 20:31:46 defestri sshd: Invalid user lucas from 184.108.40.206
Dec 2 20:56:05 defestri sshd: Invalid user pomelnic from 220.127.116.11
Dec 2 20:56:51 defestri sshd: Invalid user ram from 18.104.22.168
Dec 2 20:56:52 defestri sshd: Invalid user jake from 22.214.171.124
Dec 2 21:09:22 defestri sshd: Invalid user admin from 126.96.36.199
As we can see there are still plenty of login attempts coming in, although slightly fewer than last time. We can see how fail2ban is doing by having a quick look at its log.
2013-12-02 11:28:45,147 fail2ban.actions: WARNING [ssh] Ban 188.8.131.52
2013-12-02 20:31:46,725 fail2ban.actions: WARNING [ssh] Ban 184.108.40.206
2013-12-02 20:56:53,357 fail2ban.actions: WARNING [ssh] Ban 220.127.116.11
So fail2ban has successfully banned the three IPs that attempted to break in three or more times in the log. Worth remembering, though, that a ban only kicks in once an address has used up its maxretry guesses within the findtime window, and it applies per source IP: an attacker spreading guesses across many addresses, or keeping under the threshold per window, still gets their tries in.
Out of curiosity I've written a parser for auth.log and fail2ban.log to see not only the IPs (and countries) these attempts are coming from but also the usernames they're trying to log in with. The files are up on my GitHub here.
The auth-log parser script looks through the log, pulls out the attempts from the last month, looks up the location of each source IP using ipinfodb's API, then uses jinja2 to render the result into an HTML file.
From here I'd like the auth-log parser to run as a monthly cron job, parse the login attempts from the previous month and output them to a page visible on this site. On the security side, next up I think I'll get fail2ban to monitor its own log and hand out a much longer ban to anyone who has already been banned several times before (fail2ban's recidive jail is built for exactly this: it watches fail2ban's own log rather than auth.log). Then we should hopefully have a more secure server.
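To make the two ideas above concrete, here is an added, stand-alone example (not the script from my GitHub, and not fail2ban's own code) that does the offline half of the job: it parses sshd failures out of auth.log-style lines, keeps only those from the last 30 days, aggregates usernames per source IP, pulls the Ban lines out of fail2ban.log and flags addresses banned more than once, then renders a small HTML table. It uses only the standard library, so the ipinfodb country lookup and jinja2 are left out; the hostname, PIDs, IPs and log lines are constructed for the example, and the jail names ssh and sshd are just the two formats fail2ban has used.

```python
"""Offline parser for sshd auth.log and fail2ban.log lines (added example, stdlib only)."""
import html
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Syslog lines carry no year, the host name varies and the [pid] after sshd may or may not be there.
# "Failed password for invalid user X" is the same attempt as the preceding "Invalid user X" line,
# so the negative lookahead keeps it from being counted twice.
AUTH_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd(?:\[\d+\])?: "
    r"(?:Invalid user (?P<inv_user>\S*) from (?P<inv_ip>\d{1,3}(?:\.\d{1,3}){3})"
    r"|Failed password for (?!invalid user )(?P<fp_user>\S+) from (?P<fp_ip>\d{1,3}(?:\.\d{1,3}){3}))"
)
# Matches both the 2013-era "fail2ban.actions: WARNING [ssh] Ban" and the later
# "fail2ban.actions [pid]: NOTICE [sshd] Ban" layouts; Unban lines are deliberately not matched.
BAN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ fail2ban\.actions\s*(?:\[\d+\])?:\s+\w+\s+"
    r"\[(?P<jail>[^\]]+)\] Ban (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed sample data (not real traffic); the IPs are documentation ranges.
SAMPLE_AUTH = """\
Dec  2 11:28:43 defestri sshd[2213]: Invalid user administraator from 203.0.113.7
Dec  2 11:28:44 defestri sshd[2215]: Invalid user administrador from 203.0.113.7
Dec  2 11:28:45 defestri sshd[2217]: Failed password for invalid user administrador from 203.0.113.7 port 41022 ssh2
Dec  2 20:31:43 defestri sshd[3001]: Invalid user <script>alert(1)</script> from 198.51.100.9
Dec  2 20:31:45 defestri sshd[3003]: Failed password for root from 198.51.100.9 port 50012 ssh2
Nov  1 09:00:00 defestri sshd[1000]: Invalid user admin from 192.0.2.44
Dec  2 21:09:22 defestri sshd: Invalid user admin from 203.0.113.7
"""
SAMPLE_F2B = """\
2013-12-02 11:28:45,147 fail2ban.actions: WARNING [ssh] Ban 203.0.113.7
2013-12-02 20:31:46,725 fail2ban.actions: WARNING [ssh] Ban 198.51.100.9
2013-12-02 21:10:01,002 fail2ban.actions: WARNING [ssh] Unban 203.0.113.7
2013-12-03 02:14:09,310 fail2ban.actions: WARNING [ssh] Ban 203.0.113.7
2013-12-03 09:00:00,001 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.7
"""
NOW = datetime(2013, 12, 3, 12, 0, 0)  # fixed "now" so the example is reproducible offline


def syslog_datetime(mon, day, time, now):
    """Syslog omits the year: take the most recent year that does not put the entry in the future."""
    for year in (now.year, now.year - 1):
        try:
            ts = datetime.strptime(f"{mon} {day} {time} {year}", "%b %d %H:%M:%S %Y")
        except ValueError:  # unparseable month, or Feb 29 in a non-leap year
            continue
        if ts <= now:
            return ts
    return None


def parse_auth(lines, now, since):
    """Aggregate failed sshd logins at or after `since` by source IP: attempt count and usernames tried."""
    report = defaultdict(lambda: {"attempts": 0, "users": Counter()})
    for line in lines:
        m = AUTH_RE.match(line)
        if not m:
            continue
        when = syslog_datetime(m["mon"], m["day"], m["time"], now)
        if when is None or when < since:
            continue
        ip = m["inv_ip"] or m["fp_ip"]
        user = m["inv_user"] if m["inv_ip"] else m["fp_user"]
        report[ip]["attempts"] += 1
        report[ip]["users"][user] += 1
    return dict(report)


def parse_bans(lines):
    """Return (timestamp, jail, ip) for every Ban action in fail2ban.log."""
    bans = []
    for line in lines:
        m = BAN_RE.match(line)
        if m:
            bans.append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["jail"], m["ip"]))
    return bans


def repeat_offenders(bans, min_bans=2):
    """IPs banned at least `min_bans` times: the addresses a recidive-style jail would ban for longer."""
    counts = Counter(ip for _, _, ip in bans)
    return {ip: n for ip, n in counts.items() if n >= min_bans}


def render_html(report, offenders):
    """Minimal HTML table. Usernames are attacker-chosen, so every cell is escaped before it reaches the page."""
    rows = []
    for ip, data in sorted(report.items(), key=lambda kv: -kv[1]["attempts"]):
        users = ", ".join(f"{u or '(empty)'} x{n}" for u, n in data["users"].most_common())
        flag = " (repeat offender)" if ip in offenders else ""
        rows.append(f"<tr><td>{html.escape(ip)}{flag}</td><td>{data['attempts']}</td>"
                    f"<td>{html.escape(users)}</td></tr>")
    header = "<table>\n<tr><th>IP</th><th>attempts</th><th>usernames tried</th></tr>\n"
    return header + "\n".join(rows) + "\n</table>"


def build_report(auth_lines, f2b_lines, now, days=30):
    """Whole pipeline: last `days` of auth failures, repeat offenders from fail2ban.log, rendered HTML."""
    report = parse_auth(auth_lines, now, now - timedelta(days=days))
    offenders = repeat_offenders(parse_bans(f2b_lines))
    return report, offenders, render_html(report, offenders)


if __name__ == "__main__":
    _, _, page = build_report(SAMPLE_AUTH.splitlines(), SAMPLE_F2B.splitlines(), NOW)
    print(page)
```

Two things in there are worth carrying over to any real version of the script. First, the year handling: auth.log timestamps have no year, so a parser that runs in early January and assumes the current year will throw away all of December's attempts as "in the future". Second, the escaping: the usernames in the report are chosen by whoever is hammering the server, so a report page built from them without escaping is a stored XSS against whoever reads it; jinja2 does not autoescape unless the Environment is created with autoescape turned on.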
UPDATE: I've since changed the parser into the program Scrutiny, which outputs into the database.