Revisiting the auth log

Posted under: Security
- Tagged: SSH, fail2ban

About a month on from my last update, let's check our logs and see how the slightly stricter security measures are holding up.

Dec  2 11:28:43 defestri sshd[26001]: Invalid user administraator from
Dec  2 11:28:43 defestri sshd[26003]: Invalid user administrador from
Dec  2 11:28:44 defestri sshd[26005]: Invalid user administranto from
Dec  2 11:28:44 defestri sshd[26007]: Invalid user administrate from
Dec  2 11:28:45 defestri sshd[26009]: Invalid user administrateur from
Dec  2 20:31:43 defestri sshd[26261]: Invalid user lukas from
Dec  2 20:31:44 defestri sshd[26263]: Invalid user ottomar from
Dec  2 20:31:45 defestri sshd[26265]: Invalid user pankraz from
Dec  2 20:31:46 defestri sshd[26267]: Invalid user lucas from
Dec  2 20:56:05 defestri sshd[27794]: Invalid user pomelnic from
Dec  2 20:56:51 defestri sshd[27854]: Invalid user ram from
Dec  2 20:56:52 defestri sshd[27856]: Invalid user jake from
Dec  2 21:09:22 defestri sshd[27868]: Invalid user admin from

As we can see there are still plenty of login attempts coming in, although slightly fewer than last time. We can see how fail2ban is doing by having a quick look at its log.

2013-12-02 11:28:45,147 fail2ban.actions: WARNING [ssh] Ban
2013-12-02 20:31:46,725 fail2ban.actions: WARNING [ssh] Ban
2013-12-02 20:56:53,357 fail2ban.actions: WARNING [ssh] Ban

So we can see it has successfully banned the three IPs that attempted to break in three or more times in the log.

Out of curiosity I've written a parser for auth.log and fail2ban.log that shows not only the IPs (and the countries) these attempts are coming from but also the usernames they're trying to log in with. The files are up on my Github here.

The auth-log parser script looks through the log, pulls out the attempts from the last month, checks the location of each attempt using ipinfodb's API, then uses jinja2 to output the results as an HTML file.

From here I'd like to get the auth-log parser to run as a cron job every month, parse the login attempts from the previous month and output them to a page visible on this site. On the security side, next up I think I'll get fail2ban to monitor its own log, banning people who have been banned multiple times before. Then we should hopefully have a more secure server.
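As an added illustration of the two ideas above (a parser that pulls usernames and source IPs out of auth.log, and a check of fail2ban's own log for repeat offenders), here is a small standalone script. It is not the parser from my Github or Scrutiny; the log lines it reads are constructed samples in the same format as the ones quoted in this post, with documentation-range IPs (203.0.113.x, 198.51.100.x, 192.0.2.x) standing in for the real addresses, and the ipinfodb country lookup is replaced by a placeholder function so the example runs offline.

```python
import re
from collections import Counter

# Constructed sample log lines in the formats quoted in the post. The IPs come
# from the RFC 5737 documentation ranges and do not belong to real hosts.
AUTH_LOG = """\
Dec  2 11:28:43 defestri sshd[26001]: Invalid user administraator from 203.0.113.10
Dec  2 11:28:43 defestri sshd[26003]: Invalid user administrador from 203.0.113.10
Dec  2 11:28:44 defestri sshd[26005]: Invalid user administrate from 203.0.113.10
Dec  2 20:31:43 defestri sshd[26261]: Invalid user lukas from 198.51.100.7
Dec  2 20:31:44 defestri sshd[26263]: Invalid user lucas from 198.51.100.7
Dec  2 20:56:05 defestri sshd[27794]: Invalid user admin from 192.0.2.55
Dec  2 20:56:51 defestri sshd[27854]: Invalid user ram from 192.0.2.55
Dec  2 20:56:52 defestri sshd[27856]: Invalid user admin from 192.0.2.55
Dec  9 03:14:01 defestri sshd[30120]: Invalid user admin from 203.0.113.10 port 51234
Nov 30 23:59:59 defestri sshd[25000]: Invalid user test from 192.0.2.55
"""

FAIL2BAN_LOG = """\
2013-12-02 11:28:45,147 fail2ban.actions: WARNING [ssh] Ban 203.0.113.10
2013-12-02 20:31:46,725 fail2ban.actions: WARNING [ssh] Ban 198.51.100.7
2013-12-02 20:56:53,357 fail2ban.actions: WARNING [ssh] Ban 192.0.2.55
2013-12-09 03:14:02,001 fail2ban.actions: WARNING [ssh] Ban 203.0.113.10
"""

# "Invalid user <name> from <ip>"; newer sshd versions append " port N", so the
# pattern is deliberately not anchored at the end of the line.
AUTH_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"\S+ sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)
BAN_RE = re.compile(
    r"^(?P<date>\d{4}-\d\d-\d\d) \S+ fail2ban\.actions: WARNING "
    r"\[(?P<jail>[^\]]+)\] Ban (?P<ip>\S+)"
)


def parse_auth_log(text, month=None):
    """Return one dict per 'Invalid user' line; optionally keep only one month
    (syslog lines carry no year, so the filter is by month abbreviation)."""
    attempts = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m and (month is None or m.group("month") == month):
            attempts.append(m.groupdict())
    return attempts


def parse_fail2ban_log(text):
    """Return (date, jail, ip) for every Ban action fail2ban logged."""
    return [m.group("date", "jail", "ip") for m in map(BAN_RE.match, text.splitlines()) if m]


def summarize(attempts):
    """Count attempts per username and per source IP."""
    return Counter(a["user"] for a in attempts), Counter(a["ip"] for a in attempts)


def repeat_offenders(bans, min_bans=2):
    """IPs banned at least min_bans times: exactly the hosts a jail that watches
    fail2ban's own log would pick out for a longer ban."""
    counts = Counter(ip for _, _, ip in bans)
    return {ip: n for ip, n in counts.items() if n >= min_bans}


def country_placeholder(ip):
    # Stand-in for the ipinfodb lookup the post describes; a real run would
    # call that API here. Returns a constant so the example runs offline.
    return "unknown"


def render_report(attempts, bans, lookup=country_placeholder):
    """Plain-text report; the post renders the same data to HTML with jinja2."""
    users, ips = summarize(attempts)
    repeats = repeat_offenders(bans)
    lines = ["Top usernames:"]
    lines += [f"  {u:<16} {n}" for u, n in users.most_common(5)]
    lines.append("Source IPs:")
    for ip, n in ips.most_common():
        flag = f" (banned {repeats[ip]}x)" if ip in repeats else ""
        lines.append(f"  {ip:<16} {lookup(ip):<10} {n}{flag}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(parse_auth_log(AUTH_LOG, month="Dec"), parse_fail2ban_log(FAIL2BAN_LOG)))
```

Running it on real files is a matter of reading /var/log/auth.log and /var/log/fail2ban.log into the two strings; the month filter is what a monthly cron job would set to the previous month's abbreviation. The `(banned Nx)` flag in the IP table is the list a "ban the repeat offenders" jail would act on.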

UPDATE: I've since changed the parser into the program Scrutiny, which outputs into the database.