Ticket #856 (new defect)

Opened 18 months ago

Last modified 18 months ago

Blocked IP?

Reported by: sam
Owned by: chris
Priority: major
Milestone: Maintenance
Component: Unassigned
Keywords:
Cc: ade
Estimated Number of Hours: 0.0
Add Hours to Ticket: 0
Billable?: yes
Total Hours: 0.1

Description

Hi Chris

I was trying to SSH into the site and got my password wrong a couple of times.

Shortly afterwards the site appeared to be unavailable from this location.

It seems fine in pingdom/proxy servers.

My guess is something like fail2ban or similar has added this IP to a blacklist?

I wouldn't be too bothered except it's Ade's address and I think he probably wants access.

Could you check the logs if there is a blacklist and remove 146.198.11.57?

Thanks

Sam

Change History

comment:1 Changed 18 months ago by chris

  • Add Hours to Ticket changed from 0.0 to 0.1
  • Total Hours changed from 0.0 to 0.1

Yes that IP is blocked, I got this email earlier:

Date: Tue,  2 Jun 2015 13:30:54 +0100 (BST)
From: root@puffin.webarch.net
To: chris@webarchitects.co.uk
Subject: lfd on puffin.webarch.net: blocked 146.198.11.57 (GB/United Kingdom/57.11.198.146.dyn.plus.net)

Time:     Tue Jun  2 13:30:54 2015 +0100
IP:       146.198.11.57 (GB/United Kingdom/57.11.198.146.dyn.plus.net)
Failures: 5 (sshd)
Interval: 300 seconds
Blocked:  Permanent Block

Log entries:

Jun  2 13:29:35 puffin sshd[22620]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=146.198.11.57  user=sam
Jun  2 13:29:37 puffin sshd[22620]: Failed password for sam from 146.198.11.57 port 63849 ssh2
Jun  2 13:29:50 puffin sshd[22620]: Failed password for sam from 146.198.11.57 port 63849 ssh2
Jun  2 13:30:22 puffin sshd[22620]: Failed password for sam from 146.198.11.57 port 63849 ssh2
Jun  2 13:30:53 puffin sshd[25538]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=146.198.11.57  user=sam

So, following the documentation (PuffinServer#Falsepositives):

csf -dr 146.198.11.57
  Removing rule...
  DROP  all opt -- in !lo out *  146.198.11.57  -> 0.0.0.0/0
  LOGDROPOUT  all opt -- in * out !lo  0.0.0.0/0  -> 146.198.11.57
csf -g 146.198.11.57
  Chain            num   pkts bytes target     prot opt in     out     source               destination
  No matches found for 146.198.11.57 in iptables

So you should be OK now, but I'd urge you to use ssh keys rather than passwords; email me your public key(s) if you are unable to log in to add them. Also please use a passphrase on any ssh keys, and keep them and back them up only on encrypted filesystems.
