From 5eb163bc0370016873b7f629068eed7ec12dee9b Mon Sep 17 00:00:00 2001
From: Cyril Jaquier
Date: Thu, 7 Oct 2004 20:21:14 +0000
Subject: [PATCH 002/549] Initial revision
git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@2 a942ae1a-1317-0410-a47c-b1dcaea8d605
---
fail2ban | 151 +++++++++++++++++
log-test/current | 4 +
log-test/test | 431 +++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 586 insertions(+)
create mode 100755 fail2ban
create mode 100644 log-test/current
create mode 100644 log-test/test
diff --git a/fail2ban b/fail2ban
new file mode 100755
index 00000000..2936021a
--- /dev/null
+++ b/fail2ban
@@ -0,0 +1,151 @@
+#!/usr/bin/env python
+
+# This file is part of Fail2Ban.
+#
+# Fail2Ban is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# Fail2Ban is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Fail2Ban; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+
+# Author: Cyril Jaquier
+#
+# $Revision$
+
+import posix,sys,os
+import string,re,time
+
+def checkForRoot():
+ """ Check for root user.
+ """
+ uid = `posix.getuid()`
+ if uid == '0':
+ return True
+ else:
+ return False
+
+def executeCmd(cmd):
+ return #os.system(cmd)
+
+def unBanIP(ip):
+ iptables = 'iptables -D INPUT -i eth0 -s '+ip+' -j DROP'
+ executeCmd(iptables)
+ print iptables
+
+def banIP(ip):
+ iptables = 'iptables -I INPUT 1 -i eth0 -s '+ip+' -j DROP'
+ executeCmd(iptables)
+ print iptables
+
+def checkForUnBan(banList, currentTime, banTime):
+ """ Check for user to remove from ban list.
+ """
+ iterBanList = banList.iteritems()
+ for i in range(len(banList)):
+ element = iterBanList.next()
+ ip = element[0]
+ btime = element[1]
+ if btime < currentTime-banTime:
+ del banList[ip]
+ unBanIP(ip)
+ print '`->', currentTime
+ return banList
+
+def checkForBan(retryList, banList, currentTime):
+ iterRetry = retryList.iteritems()
+ for i in range(len(retryList)):
+ element = iterRetry.next()
+ retry = element[1][0]
+ ip = element[0]
+ if element[1][0] > 2 and not banList.has_key(ip):
+ banList[ip] = currentTime
+ banIP(ip)
+ print '`->', currentTime
+ return banList
+
+def flushBanList(banList):
+ iterBanList = banList.iteritems()
+ for i in range(len(banList)):
+ element = iterBanList.next()
+ ip = element[0]
+ unBanIP(ip)
+
+def parseLogLine(line):
+ """ Match sshd failed password log
+ """
+ if re.search("Failed password", line):
+ matchIP = re.search("(?:\d{1,3}\.){3}\d{1,3}", line)
+ return matchIP
+
+if __name__ == "__main__":
+
+ if not checkForRoot():
+ print "You must be root."
+ #sys.exit(-1)
+
+ logPath = './log/temp'
+ banTime = 60
+ ignoreIPs = '127.0.0.1'
+
+ lastModTime = 0
+ banList = dict()
+ while True:
+ try:
+ currentTime = time.time()
+
+ banList = checkForUnBan(banList, currentTime, banTime)
+
+ try:
+ pwdFailStats = os.stat(logPath)
+ except OSError:
+ print "Unable to get stat on", logPath
+ sys.exit(-1)
+
+ if lastModTime == pwdFailStats.st_mtime:
+ time.sleep(1)
+ continue
+
+ print logPath, 'has been modified'
+ lastModTime = pwdFailStats.st_mtime
+
+ try:
+ pwdfail = open(logPath)
+ except OSError:
+ print "Unable to open", logPath
+ sys.exit(-1)
+
+ retryList = dict()
+ for line in pwdfail.readlines():
+ match = parseLogLine(line)
+ if match:
+ ip = match.group()
+ date = list(time.strptime(line[0:15], "%b %d %H:%M:%S"))
+ date[0] = time.gmtime()[0]
+ unixTime = time.mktime(date)
+ if unixTime < currentTime-banTime:
+ continue
+ if re.search(ip, ignoreIPs):
+ print 'Ignore ', ip
+ continue
+ print 'Found', ip, 'at', unixTime
+ if retryList.has_key(`ip`):
+ retryList[`ip`] = (retryList[`ip`][0]+1,unixTime)
+ else:
+ retryList[`ip`] = (1,unixTime)
+
+ pwdfail.close()
+
+ banList = checkForBan(retryList, banList, currentTime)
+ except KeyboardInterrupt:
+ print 'Restoring iptables...'
+ flushBanList(banList)
+ print 'Exiting...'
+ sys.exit(0)
diff --git a/log-test/current b/log-test/current
new file mode 100644
index 00000000..6537a6aa
--- /dev/null
+++ b/log-test/current
@@ -0,0 +1,4 @@
+ - Last output repeated 2 times -
+Oct 7 11:47:08 [sshd] Failed password for illegal user test from 69.182.27.122 port 34015 ssh2
+Oct 7 11:47:09 [sshd] Failed password for illegal user guest from 69.182.27.122 port 34068 ssh2
+Oct 7 11:47:11 [sshd] Failed password for illegal user admin from 69.182.27.122 port 34127 ssh2
diff --git a/log-test/test b/log-test/test
new file mode 100644
index 00000000..81e0e87f
--- /dev/null
+++ b/log-test/test
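Review bot: In the fail2ban hunk, parseLogLine takes the first dotted-quad found anywhere in a "Failed password" line, but in the sshd message the user-name field comes before the source address and is supplied by the remote client, so the address that reaches banList is not guaranteed to be the peer's. Anchor the pattern to the tail of the message, for example `re.search(r"from ((?:\d{1,3}\.){3}\d{1,3}) port \d+ ssh2$", line)`, and read `match.group(1)` in the main loop. The ignore test `re.search(ip, ignoreIPs)` has a related weakness: it treats the address as a regex and matches substrings, so an address that is merely a substring of an ignored one is exempted; an exact comparison such as `if ip in ignoreIPs.split():` avoids that. Separately, checkForUnBan deletes from banList while stepping its own iteritems() iterator, which Python 2 rejects with a RuntimeError on the following step; looping over `banList.items()` (a list copy) would be safe.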
@@ -0,0 +1,431 @@ +Sep 28 13:18:43 [sshd] Failed password for illegal user test from 211.112.229.69 port 59506 ssh2 +Sep 28 13:18:45 [sshd] Failed password for illegal user guest from 211.112.229.69 port 59584 ssh2 +Sep 28 13:18:48 [sshd] Failed password for illegal user admin from 211.112.229.69 port 59668 ssh2 +Sep 28 13:18:51 [sshd] Failed password for illegal user admin from 211.112.229.69 port 59746 ssh2 +Sep 28 13:18:54 [sshd] Failed password for illegal user user from 211.112.229.69 port 59809 ssh2 +Sep 28 13:18:57 [sshd] Failed password for illegal user root from 211.112.229.69 port 59881 ssh2 +Sep 28 13:19:00 [sshd] Failed password for illegal user root from 211.112.229.69 port 59944 ssh2 +Sep 28 13:19:03 [sshd] Failed password for illegal user root from 211.112.229.69 port 59999 ssh2 +Sep 28 13:19:06 [sshd] Failed password for illegal user test from 211.112.229.69 port 60055 ssh2 +Sep 28 21:05:25 [sshd(pam_unix)] authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.128.local.home user=cyril +Sep 28 21:05:27 [sshd] error: PAM: Authentication failure for cyril from 192.168.0.128.local.home +Sep 29 03:45:18 [sshd] Failed password for illegal user nobody from 203.198.168.66 port 55927 ssh2 +Sep 29 03:45:21 [sshd] Failed password for illegal user patrick from 203.198.168.66 port 55973 ssh2 +Sep 29 03:45:23 [sshd] Failed password for illegal user patrick from 203.198.168.66 port 56010 ssh2 +Sep 29 03:45:26 [sshd] Failed password for illegal user root from 203.198.168.66 port 56060 ssh2 +Sep 29 03:45:29 [sshd] Failed password for illegal user root from 203.198.168.66 port 56107 ssh2 +Sep 29 03:45:32 [sshd] Failed password for illegal user root from 203.198.168.66 port 56152 ssh2 +Sep 29 03:45:34 [sshd] Failed password for illegal user root from 203.198.168.66 port 56200 ssh2 +Sep 29 03:45:37 [sshd] Failed password for illegal user root from 203.198.168.66 port 56243 ssh2 +Sep 29 03:45:40 [sshd] Failed password for illegal user rolo from 
203.198.168.66 port 56288 ssh2 +Sep 29 03:45:43 [sshd] Failed password for illegal user iceuser from 203.198.168.66 port 56333 ssh2 +Sep 29 03:45:46 [sshd] Failed password for illegal user horde from 203.198.168.66 port 56379 ssh2 +Sep 29 03:45:48 [sshd] Failed password for illegal user cyrus from 203.198.168.66 port 56425 ssh2 +Sep 29 03:45:52 [sshd] Failed password for illegal user www from 203.198.168.66 port 56470 ssh2 +Sep 29 03:45:55 [sshd] Failed password for illegal user wwwrun from 203.198.168.66 port 56534 ssh2 +Sep 29 03:45:58 [sshd] Failed password for illegal user matt from 203.198.168.66 port 56572 ssh2 +Sep 29 03:46:01 [sshd] Failed password for illegal user test from 203.198.168.66 port 56616 ssh2 +Sep 29 03:46:03 [sshd] Failed password for illegal user test from 203.198.168.66 port 56660 ssh2 +Sep 29 03:46:06 [sshd] Failed password for illegal user test from 203.198.168.66 port 56704 ssh2 +Sep 29 03:46:09 [sshd] Failed password for illegal user test from 203.198.168.66 port 56752 ssh2 +Sep 29 03:46:12 [sshd] Failed password for illegal user www-data from 203.198.168.66 port 56795 ssh2 +Sep 29 03:46:15 [sshd] Failed password for illegal user mysql from 203.198.168.66 port 56839 ssh2 +Sep 29 03:46:17 [sshd] Failed password for illegal user operator from 203.198.168.66 port 56882 ssh2 +Sep 29 03:46:20 [sshd] Failed password for illegal user adm from 203.198.168.66 port 56929 ssh2 +Sep 29 03:46:23 [sshd] Failed password for illegal user apache from 203.198.168.66 port 56971 ssh2 +Sep 29 03:46:26 [sshd] Failed password for illegal user irc from 203.198.168.66 port 57011 ssh2 +Sep 29 03:46:29 [sshd] Failed password for illegal user irc from 203.198.168.66 port 57060 ssh2 +Sep 29 03:46:31 [sshd] Failed password for illegal user adm from 203.198.168.66 port 57100 ssh2 +Sep 29 03:46:34 [sshd] Failed password for illegal user root from 203.198.168.66 port 57148 ssh2 +Sep 29 03:46:37 [sshd] Failed password for illegal user root from 203.198.168.66 port 57194 
ssh2 +Sep 29 03:46:40 [sshd] Failed password for illegal user root from 203.198.168.66 port 57236 ssh2 +Sep 29 03:46:43 [sshd] Failed password for illegal user jane from 203.198.168.66 port 57281 ssh2 +Sep 29 03:46:45 [sshd] Failed password for illegal user pamela from 203.198.168.66 port 57328 ssh2 +Sep 29 03:46:48 [sshd] Failed password for illegal user root from 203.198.168.66 port 57372 ssh2 +Sep 29 03:46:51 [sshd] Failed password for illegal user root from 203.198.168.66 port 57418 ssh2 +Sep 29 03:46:54 [sshd] Failed password for illegal user root from 203.198.168.66 port 57463 ssh2 +Sep 29 03:46:57 [sshd] Failed password for illegal user root from 203.198.168.66 port 57506 ssh2 +Sep 29 03:46:59 [sshd] Failed password for illegal user root from 203.198.168.66 port 57549 ssh2 +Sep 29 03:47:02 [sshd] Failed password for illegal user cosmin from 203.198.168.66 port 57594 ssh2 +Sep 29 03:47:05 [sshd] Failed password for illegal user root from 203.198.168.66 port 57637 ssh2 +Sep 29 03:47:08 [sshd] Failed password for illegal user root from 203.198.168.66 port 57689 ssh2 +Sep 29 03:47:11 [sshd] Failed password for illegal user root from 203.198.168.66 port 57730 ssh2 +Sep 29 03:47:13 [sshd] Failed password for illegal user root from 203.198.168.66 port 57774 ssh2 +Sep 29 03:47:16 [sshd] Failed password for illegal user root from 203.198.168.66 port 57820 ssh2 +Sep 29 03:47:19 [sshd] Failed password for illegal user root from 203.198.168.66 port 57866 ssh2 +Sep 29 03:47:22 [sshd] Failed password for illegal user root from 203.198.168.66 port 57901 ssh2 +Sep 29 03:47:25 [sshd] Failed password for illegal user root from 203.198.168.66 port 57944 ssh2 +Sep 29 03:47:27 [sshd] Failed password for illegal user root from 203.198.168.66 port 57990 ssh2 +Sep 29 03:47:31 [sshd] Failed password for illegal user root from 203.198.168.66 port 58031 ssh2 +Sep 29 03:47:34 [sshd] Failed password for illegal user root from 203.198.168.66 port 58098 ssh2 +Sep 29 03:47:37 [sshd] Failed 
password for illegal user root from 203.198.168.66 port 58137 ssh2 +Sep 29 03:47:40 [sshd] Failed password for illegal user root from 203.198.168.66 port 58183 ssh2 +Sep 29 03:47:42 [sshd] Failed password for illegal user root from 203.198.168.66 port 58228 ssh2 +Sep 29 03:47:45 [sshd] Failed password for illegal user root from 203.198.168.66 port 58273 ssh2 +Sep 29 03:47:48 [sshd] Failed password for illegal user root from 203.198.168.66 port 58314 ssh2 +Sep 29 03:47:51 [sshd] Failed password for illegal user root from 203.198.168.66 port 58358 ssh2 +Sep 29 03:47:54 [sshd] Failed password for illegal user root from 203.198.168.66 port 58401 ssh2 +Sep 29 03:47:56 [sshd] Failed password for illegal user root from 203.198.168.66 port 58443 ssh2 +Sep 29 03:47:59 [sshd] Failed password for illegal user root from 203.198.168.66 port 58484 ssh2 +Sep 29 03:48:02 [sshd] Failed password for illegal user root from 203.198.168.66 port 58528 ssh2 +Sep 29 03:48:05 [sshd] Failed password for illegal user root from 203.198.168.66 port 58574 ssh2 +Sep 29 03:48:07 [sshd] Failed password for illegal user root from 203.198.168.66 port 58613 ssh2 +Sep 29 03:48:10 [sshd] Failed password for illegal user root from 203.198.168.66 port 58662 ssh2 +Sep 29 03:48:13 [sshd] Failed password for illegal user root from 203.198.168.66 port 58703 ssh2 +Sep 29 03:48:16 [sshd] Failed password for illegal user root from 203.198.168.66 port 58748 ssh2 +Sep 29 03:48:19 [sshd] Failed password for illegal user root from 203.198.168.66 port 58792 ssh2 +Sep 29 03:48:21 [sshd] Failed password for illegal user root from 203.198.168.66 port 58839 ssh2 +Sep 29 03:48:24 [sshd] Failed password for illegal user root from 203.198.168.66 port 58880 ssh2 +Sep 29 03:48:27 [sshd] Failed password for illegal user root from 203.198.168.66 port 58926 ssh2 +Sep 29 03:48:30 [sshd] Failed password for illegal user root from 203.198.168.66 port 58967 ssh2 +Sep 29 03:48:33 [sshd] Failed password for illegal user root from 
203.198.168.66 port 59012 ssh2 +Sep 29 03:48:35 [sshd] Failed password for illegal user root from 203.198.168.66 port 59052 ssh2 +Sep 29 03:48:38 [sshd] Failed password for illegal user root from 203.198.168.66 port 59095 ssh2 +Sep 29 03:48:41 [sshd] Failed password for illegal user root from 203.198.168.66 port 59140 ssh2 +Sep 29 03:48:44 [sshd] Failed password for illegal user root from 203.198.168.66 port 59182 ssh2 +Sep 29 03:48:47 [sshd] Failed password for illegal user cip52 from 203.198.168.66 port 59222 ssh2 +Sep 29 03:48:49 [sshd] Failed password for illegal user cip51 from 203.198.168.66 port 59264 ssh2 +Sep 29 03:48:52 [sshd] Failed password for illegal user root from 203.198.168.66 port 59309 ssh2 +Sep 29 03:48:55 [sshd] Failed password for illegal user noc from 203.198.168.66 port 59351 ssh2 +Sep 29 03:48:58 [sshd] Failed password for illegal user root from 203.198.168.66 port 59395 ssh2 +Sep 29 03:49:01 [sshd] Failed password for illegal user root from 203.198.168.66 port 59432 ssh2 +Sep 29 03:49:04 [sshd] Failed password for illegal user root from 203.198.168.66 port 59479 ssh2 +Sep 29 03:49:07 [sshd] Failed password for illegal user root from 203.198.168.66 port 59951 ssh2 +Sep 29 03:49:11 [sshd] Failed password for illegal user webmaster from 203.198.168.66 port 60006 ssh2 +Sep 29 03:49:14 [sshd] Failed password for illegal user data from 203.198.168.66 port 60463 ssh2 +Sep 29 03:49:17 [sshd] Failed password for illegal user user from 203.198.168.66 port 60880 ssh2 +Sep 29 03:49:20 [sshd] Failed password for illegal user user from 203.198.168.66 port 60947 ssh2 +Sep 29 03:49:23 [sshd] Failed password for illegal user user from 203.198.168.66 port 33137 ssh2 +Sep 29 03:49:26 [sshd] Failed password for illegal user web from 203.198.168.66 port 33572 ssh2 +Sep 29 03:49:31 [sshd] Failed password for illegal user web from 203.198.168.66 port 33630 ssh2 +Sep 29 03:49:34 [sshd] Failed password for illegal user oracle from 203.198.168.66 port 34129 ssh2 
+Sep 29 03:49:39 [sshd] Failed password for illegal user sybase from 203.198.168.66 port 34558 ssh2 +Sep 29 03:49:42 [sshd] Failed password for illegal user master from 203.198.168.66 port 35018 ssh2 +Sep 29 03:49:45 [sshd] Failed password for illegal user account from 203.198.168.66 port 35095 ssh2 +Sep 29 03:49:48 [sshd] Failed password for illegal user backup from 203.198.168.66 port 35506 ssh2 +Sep 29 03:49:51 [sshd] Failed password for illegal user server from 203.198.168.66 port 35935 ssh2 +Sep 29 03:49:54 [sshd] Failed password for illegal user adam from 203.198.168.66 port 36016 ssh2 +Sep 29 03:49:57 [sshd] Failed password for illegal user alan from 203.198.168.66 port 36399 ssh2 +Sep 29 03:49:59 [sshd] Failed password for illegal user frank from 203.198.168.66 port 36488 ssh2 +Sep 29 03:50:04 [sshd] Failed password for illegal user george from 203.198.168.66 port 36876 ssh2 +Sep 29 03:50:07 [sshd] Failed password for illegal user henry from 203.198.168.66 port 37333 ssh2 +Sep 29 03:50:11 [sshd] Failed password for illegal user john from 203.198.168.66 port 37423 ssh2 +Sep 29 03:50:14 [sshd] Failed password for illegal user root from 203.198.168.66 port 37837 ssh2 +Sep 29 03:50:16 [sshd] Failed password for illegal user root from 203.198.168.66 port 38210 ssh2 +Sep 29 03:50:19 [sshd] Failed password for illegal user root from 203.198.168.66 port 38286 ssh2 +Sep 29 03:50:22 [sshd] Failed password for illegal user root from 203.198.168.66 port 38653 ssh2 +Sep 29 03:50:26 [sshd] Failed password for illegal user root from 203.198.168.66 port 38749 ssh2 +Sep 29 03:50:29 [sshd] Failed password for illegal user test from 203.198.168.66 port 39162 ssh2 +Sep 29 10:19:26 [sshd] Failed password for illegal user test from 24.19.0.105 port 3765 ssh2 +Sep 29 10:19:32 [sshd] Failed password for illegal user guest from 24.19.0.105 port 3846 ssh2 +Sep 29 10:19:39 [sshd] Failed password for illegal user admin from 24.19.0.105 port 3929 ssh2 +Sep 29 10:19:45 [sshd] Failed 
password for illegal user admin from 24.19.0.105 port 3992 ssh2 +Sep 29 10:19:49 [sshd] Failed password for illegal user user from 24.19.0.105 port 4057 ssh2 +Sep 29 10:19:54 [sshd] Failed password for illegal user root from 24.19.0.105 port 4115 ssh2 +Sep 29 10:19:58 [sshd] Failed password for illegal user root from 24.19.0.105 port 4170 ssh2 +Sep 29 10:20:01 [sshd] Failed password for illegal user root from 24.19.0.105 port 4202 ssh2 +Sep 29 10:20:04 [sshd] Failed password for illegal user test from 24.19.0.105 port 4242 ssh2 +Oct 1 15:53:46 [sshd] Failed password for illegal user test from 210.51.173.75 port 40940 ssh2 +Oct 1 15:53:53 [sshd] Failed password for illegal user guest from 210.51.173.75 port 41196 ssh2 +Oct 1 15:53:59 [sshd] Failed password for illegal user admin from 210.51.173.75 port 41480 ssh2 +Oct 1 15:54:05 [sshd] Failed password for illegal user admin from 210.51.173.75 port 41738 ssh2 +Oct 1 15:54:12 [sshd] Failed password for illegal user user from 210.51.173.75 port 42036 ssh2 +Oct 1 15:54:18 [sshd] Failed password for illegal user root from 210.51.173.75 port 42393 ssh2 +Oct 1 15:54:24 [sshd] Failed password for illegal user root from 210.51.173.75 port 42721 ssh2 +Oct 1 15:54:30 [sshd] Failed password for illegal user root from 210.51.173.75 port 42984 ssh2 +Oct 1 15:54:36 [sshd] Failed password for illegal user test from 210.51.173.75 port 43299 ssh2 +Oct 2 20:24:36 [sshd] Failed password for illegal user test from 220.64.223.249 port 2460 ssh2 +Oct 2 20:24:39 [sshd] Failed password for illegal user guest from 220.64.223.249 port 2527 ssh2 +Oct 2 20:24:42 [sshd] Failed password for illegal user admin from 220.64.223.249 port 2584 ssh2 +Oct 2 20:24:45 [sshd] Failed password for illegal user admin from 220.64.223.249 port 2645 ssh2 +Oct 2 20:24:48 [sshd] Failed password for illegal user user from 220.64.223.249 port 2708 ssh2 +Oct 2 20:24:51 [sshd] Failed password for illegal user root from 220.64.223.249 port 2794 ssh2 +Oct 2 20:24:54 
[sshd] Failed password for illegal user root from 220.64.223.249 port 2868 ssh2 +Oct 2 20:24:58 [sshd] Failed password for illegal user root from 220.64.223.249 port 2931 ssh2 +Oct 2 20:25:01 [sshd] Failed password for illegal user test from 220.64.223.249 port 2994 ssh2 +Oct 3 02:17:47 [sshd] Failed password for illegal user nobody from 216.65.197.170 port 54324 ssh2 +Oct 3 02:17:48 [sshd] Failed password for illegal user patrick from 216.65.197.170 port 54491 ssh2 +Oct 3 02:17:50 [sshd] Failed password for illegal user patrick from 216.65.197.170 port 54669 ssh2 +Oct 3 02:17:52 [sshd] Failed password for illegal user root from 216.65.197.170 port 54845 ssh2 +Oct 3 02:17:53 [sshd] Failed password for illegal user root from 216.65.197.170 port 55021 ssh2 +Oct 3 02:17:55 [sshd] Failed password for illegal user root from 216.65.197.170 port 55201 ssh2 +Oct 3 02:17:57 [sshd] Failed password for illegal user root from 216.65.197.170 port 55381 ssh2 +Oct 3 02:17:59 [sshd] Failed password for illegal user root from 216.65.197.170 port 55553 ssh2 +Oct 3 02:18:00 [sshd] Failed password for illegal user rolo from 216.65.197.170 port 55730 ssh2 +Oct 3 02:18:02 [sshd] Failed password for illegal user iceuser from 216.65.197.170 port 55892 ssh2 +Oct 3 02:18:04 [sshd] Failed password for illegal user horde from 216.65.197.170 port 56054 ssh2 +Oct 3 02:18:05 [sshd] Failed password for illegal user cyrus from 216.65.197.170 port 56231 ssh2 +Oct 3 02:18:07 [sshd] Failed password for illegal user www from 216.65.197.170 port 56412 ssh2 +Oct 3 02:18:09 [sshd] Failed password for illegal user wwwrun from 216.65.197.170 port 56594 ssh2 +Oct 3 02:18:11 [sshd] Failed password for illegal user matt from 216.65.197.170 port 56755 ssh2 +Oct 3 02:18:12 [sshd] Failed password for illegal user test from 216.65.197.170 port 56928 ssh2 +Oct 3 02:18:14 [sshd] Failed password for illegal user test from 216.65.197.170 port 57112 ssh2 +Oct 3 02:18:16 [sshd] Failed password for illegal user test 
from 216.65.197.170 port 57292 ssh2 +Oct 3 02:18:17 [sshd] Failed password for illegal user test from 216.65.197.170 port 57465 ssh2 +Oct 3 02:18:19 [sshd] Failed password for illegal user www-data from 216.65.197.170 port 57631 ssh2 +Oct 3 02:18:21 [sshd] Failed password for illegal user mysql from 216.65.197.170 port 57802 ssh2 +Oct 3 02:18:22 [sshd] Failed password for illegal user operator from 216.65.197.170 port 57989 ssh2 +Oct 3 02:18:24 [sshd] Failed password for illegal user adm from 216.65.197.170 port 58151 ssh2 +Oct 3 02:18:26 [sshd] Failed password for illegal user apache from 216.65.197.170 port 58319 ssh2 +Oct 3 02:18:28 [sshd] Failed password for illegal user irc from 216.65.197.170 port 58492 ssh2 +Oct 3 02:18:29 [sshd] Failed password for illegal user irc from 216.65.197.170 port 58662 ssh2 +Oct 3 02:18:31 [sshd] Failed password for illegal user adm from 216.65.197.170 port 58818 ssh2 +Oct 3 02:18:33 [sshd] Failed password for illegal user root from 216.65.197.170 port 58976 ssh2 +Oct 3 02:18:34 [sshd] Failed password for illegal user root from 216.65.197.170 port 59147 ssh2 +Oct 3 02:18:36 [sshd] Failed password for illegal user root from 216.65.197.170 port 59306 ssh2 +Oct 3 02:18:38 [sshd] Failed password for illegal user jane from 216.65.197.170 port 59474 ssh2 +Oct 3 02:18:40 [sshd] Failed password for illegal user pamela from 216.65.197.170 port 59644 ssh2 +Oct 3 02:18:41 [sshd] Failed password for illegal user root from 216.65.197.170 port 59797 ssh2 +Oct 3 02:18:43 [sshd] Failed password for illegal user root from 216.65.197.170 port 59963 ssh2 +Oct 3 02:18:45 [sshd] Failed password for illegal user root from 216.65.197.170 port 60139 ssh2 +Oct 3 02:18:47 [sshd] Failed password for illegal user root from 216.65.197.170 port 60308 ssh2 +Oct 3 02:18:48 [sshd] Failed password for illegal user root from 216.65.197.170 port 60479 ssh2 +Oct 3 02:18:50 [sshd] Failed password for illegal user cosmin from 216.65.197.170 port 60654 ssh2 +Oct 3 
02:18:52 [sshd] Failed password for illegal user root from 216.65.197.170 port 60830 ssh2 +Oct 3 02:18:54 [sshd] Failed password for illegal user root from 216.65.197.170 port 60992 ssh2 +Oct 3 02:18:55 [sshd] Failed password for illegal user root from 216.65.197.170 port 32945 ssh2 +Oct 3 02:18:58 [sshd] Failed password for illegal user root from 216.65.197.170 port 33101 ssh2 +Oct 3 02:18:59 [sshd] Failed password for illegal user root from 216.65.197.170 port 33343 ssh2 +Oct 3 02:19:02 [sshd] Failed password for illegal user root from 216.65.197.170 port 33501 ssh2 +Oct 3 02:19:03 [sshd] Failed password for illegal user root from 216.65.197.170 port 33733 ssh2 +Oct 3 02:19:05 [sshd] Failed password for illegal user root from 216.65.197.170 port 33892 ssh2 +Oct 3 02:19:07 [sshd] Failed password for illegal user root from 216.65.197.170 port 34066 ssh2 +Oct 3 02:19:08 [sshd] Failed password for illegal user root from 216.65.197.170 port 34212 ssh2 +Oct 3 02:19:10 [sshd] Failed password for illegal user root from 216.65.197.170 port 34376 ssh2 +Oct 3 02:19:12 [sshd] Failed password for illegal user root from 216.65.197.170 port 34535 ssh2 +Oct 3 02:19:14 [sshd] Failed password for illegal user root from 216.65.197.170 port 34704 ssh2 +Oct 3 02:19:16 [sshd] Failed password for illegal user root from 216.65.197.170 port 34853 ssh2 +Oct 3 02:19:18 [sshd] Failed password for illegal user root from 216.65.197.170 port 35092 ssh2 +Oct 3 02:19:19 [sshd] Failed password for illegal user root from 216.65.197.170 port 35261 ssh2 +Oct 3 02:19:21 [sshd] Failed password for illegal user root from 216.65.197.170 port 35425 ssh2 +Oct 3 02:19:23 [sshd] Failed password for illegal user root from 216.65.197.170 port 35583 ssh2 +Oct 3 02:19:24 [sshd] Failed password for illegal user root from 216.65.197.170 port 35753 ssh2 +Oct 3 02:19:26 [sshd] Failed password for illegal user root from 216.65.197.170 port 35901 ssh2 +Oct 3 02:19:28 [sshd] Failed password for illegal user root from 
216.65.197.170 port 36068 ssh2 +Oct 3 02:19:30 [sshd] Failed password for illegal user root from 216.65.197.170 port 36227 ssh2 +Oct 3 02:19:33 [sshd] Failed password for illegal user root from 216.65.197.170 port 36453 ssh2 +Oct 3 02:19:34 [sshd] Failed password for illegal user root from 216.65.197.170 port 36673 ssh2 +Oct 3 02:19:36 [sshd] Failed password for illegal user root from 216.65.197.170 port 36823 ssh2 +Oct 3 02:19:38 [sshd] Failed password for illegal user root from 216.65.197.170 port 36981 ssh2 +Oct 3 02:19:39 [sshd] Failed password for illegal user root from 216.65.197.170 port 37152 ssh2 +Oct 3 02:19:41 [sshd] Failed password for illegal user root from 216.65.197.170 port 37310 ssh2 +Oct 3 02:19:43 [sshd] Failed password for illegal user root from 216.65.197.170 port 37484 ssh2 +Oct 3 02:19:45 [sshd] Failed password for illegal user root from 216.65.197.170 port 37644 ssh2 +Oct 3 02:19:46 [sshd] Failed password for illegal user root from 216.65.197.170 port 37827 ssh2 +Oct 3 02:19:48 [sshd] Failed password for illegal user root from 216.65.197.170 port 37989 ssh2 +Oct 3 02:19:50 [sshd] Failed password for illegal user root from 216.65.197.170 port 38163 ssh2 +Oct 3 02:19:52 [sshd] Failed password for illegal user root from 216.65.197.170 port 38329 ssh2 +Oct 3 02:19:54 [sshd] Failed password for illegal user root from 216.65.197.170 port 38559 ssh2 +Oct 3 02:19:56 [sshd] Failed password for illegal user root from 216.65.197.170 port 38735 ssh2 +Oct 3 02:19:58 [sshd] Failed password for illegal user cip52 from 216.65.197.170 port 38893 ssh2 +Oct 3 02:20:00 [sshd] Failed password for illegal user cip51 from 216.65.197.170 port 39109 ssh2 +Oct 3 02:20:01 [sshd] Failed password for illegal user root from 216.65.197.170 port 39282 ssh2 +Oct 3 02:20:03 [sshd] Failed password for illegal user noc from 216.65.197.170 port 39448 ssh2 +Oct 3 02:20:05 [sshd] Failed password for illegal user root from 216.65.197.170 port 39621 ssh2 +Oct 3 02:20:06 [sshd] 
Failed password for illegal user root from 216.65.197.170 port 39781 ssh2 +Oct 3 02:20:08 [sshd] Failed password for illegal user root from 216.65.197.170 port 39958 ssh2 +Oct 3 02:20:10 [sshd] Failed password for illegal user root from 216.65.197.170 port 40125 ssh2 +Oct 3 02:20:12 [sshd] Failed password for illegal user webmaster from 216.65.197.170 port 40316 ssh2 +Oct 3 02:20:13 [sshd] Failed password for illegal user data from 216.65.197.170 port 40473 ssh2 +Oct 3 02:20:15 [sshd] Failed password for illegal user user from 216.65.197.170 port 40645 ssh2 +Oct 3 02:20:17 [sshd] Failed password for illegal user user from 216.65.197.170 port 40800 ssh2 +Oct 3 02:20:19 [sshd] Failed password for illegal user user from 216.65.197.170 port 40965 ssh2 +Oct 3 02:20:20 [sshd] Failed password for illegal user web from 216.65.197.170 port 41120 ssh2 +Oct 3 02:20:22 [sshd] Failed password for illegal user web from 216.65.197.170 port 41300 ssh2 +Oct 3 02:20:24 [sshd] Failed password for illegal user oracle from 216.65.197.170 port 41468 ssh2 +Oct 3 02:20:25 [sshd] Failed password for illegal user sybase from 216.65.197.170 port 41642 ssh2 +Oct 3 02:20:27 [sshd] Failed password for illegal user master from 216.65.197.170 port 41809 ssh2 +Oct 3 02:20:29 [sshd] Failed password for illegal user account from 216.65.197.170 port 41987 ssh2 +Oct 3 02:20:31 [sshd] Failed password for illegal user backup from 216.65.197.170 port 42143 ssh2 +Oct 3 02:20:32 [sshd] Failed password for illegal user server from 216.65.197.170 port 42316 ssh2 +Oct 3 02:20:34 [sshd] Failed password for illegal user adam from 216.65.197.170 port 42481 ssh2 +Oct 3 02:20:36 [sshd] Failed password for illegal user alan from 216.65.197.170 port 42647 ssh2 +Oct 3 02:20:37 [sshd] Failed password for illegal user frank from 216.65.197.170 port 42817 ssh2 +Oct 3 02:20:39 [sshd] Failed password for illegal user george from 216.65.197.170 port 42993 ssh2 +Oct 3 02:20:41 [sshd] Failed password for illegal user henry 
from 216.65.197.170 port 43170 ssh2 +Oct 3 02:20:43 [sshd] Failed password for illegal user john from 216.65.197.170 port 43319 ssh2 +Oct 3 02:20:44 [sshd] Failed password for illegal user root from 216.65.197.170 port 43504 ssh2 +Oct 3 02:20:46 [sshd] Failed password for illegal user root from 216.65.197.170 port 43664 ssh2 +Oct 3 02:20:48 [sshd] Failed password for illegal user root from 216.65.197.170 port 43844 ssh2 +Oct 3 02:20:49 [sshd] Failed password for illegal user root from 216.65.197.170 port 44008 ssh2 +Oct 3 02:20:51 [sshd] Failed password for illegal user root from 216.65.197.170 port 44182 ssh2 +Oct 3 02:20:53 [sshd] Failed password for illegal user test from 216.65.197.170 port 44338 ssh2 +Oct 3 06:37:34 [sshd] Failed password for illegal user nobody from 217.56.33.194 port 1969 ssh2 +Oct 3 06:37:36 [sshd] Failed password for illegal user patrick from 217.56.33.194 port 2002 ssh2 +Oct 3 06:37:37 [sshd] Failed password for illegal user patrick from 217.56.33.194 port 2039 ssh2 +Oct 3 06:37:38 [sshd] Failed password for illegal user root from 217.56.33.194 port 2070 ssh2 +Oct 3 06:37:40 [sshd] Failed password for illegal user root from 217.56.33.194 port 2109 ssh2 +Oct 3 06:37:41 [sshd] Failed password for illegal user root from 217.56.33.194 port 2142 ssh2 +Oct 3 06:37:42 [sshd] Failed password for illegal user root from 217.56.33.194 port 2173 ssh2 +Oct 3 06:37:44 [sshd] Failed password for illegal user root from 217.56.33.194 port 2211 ssh2 +Oct 3 06:37:45 [sshd] Failed password for illegal user rolo from 217.56.33.194 port 2244 ssh2 +Oct 3 06:37:46 [sshd] Failed password for illegal user iceuser from 217.56.33.194 port 2272 ssh2 +Oct 3 06:37:48 [sshd] Failed password for illegal user horde from 217.56.33.194 port 2305 ssh2 +Oct 3 06:37:49 [sshd] Failed password for illegal user cyrus from 217.56.33.194 port 2337 ssh2 +Oct 3 06:37:50 [sshd] Failed password for illegal user www from 217.56.33.194 port 2373 ssh2 +Oct 3 06:37:52 [sshd] Failed 
password for illegal user wwwrun from 217.56.33.194 port 2407 ssh2 +Oct 3 06:37:53 [sshd] Failed password for illegal user matt from 217.56.33.194 port 2439 ssh2 +Oct 3 06:37:55 [sshd] Failed password for illegal user test from 217.56.33.194 port 2466 ssh2 +Oct 3 06:37:56 [sshd] Failed password for illegal user test from 217.56.33.194 port 2501 ssh2 +Oct 3 06:37:57 [sshd] Failed password for illegal user test from 217.56.33.194 port 2533 ssh2 +Oct 3 06:37:59 [sshd] Failed password for illegal user test from 217.56.33.194 port 2567 ssh2 +Oct 3 06:38:00 [sshd] Failed password for illegal user www-data from 217.56.33.194 port 2605 ssh2 +Oct 3 06:38:01 [sshd] Failed password for illegal user mysql from 217.56.33.194 port 2635 ssh2 +Oct 3 06:38:03 [sshd] Failed password for illegal user operator from 217.56.33.194 port 2667 ssh2 +Oct 3 06:38:04 [sshd] Failed password for illegal user adm from 217.56.33.194 port 2697 ssh2 +Oct 3 06:38:05 [sshd] Failed password for illegal user apache from 217.56.33.194 port 2733 ssh2 +Oct 3 06:38:07 [sshd] Failed password for illegal user irc from 217.56.33.194 port 2768 ssh2 +Oct 3 06:38:08 [sshd] Failed password for illegal user irc from 217.56.33.194 port 2804 ssh2 +Oct 3 06:38:09 [sshd] Failed password for illegal user adm from 217.56.33.194 port 2837 ssh2 +Oct 3 06:38:11 [sshd] Failed password for illegal user root from 217.56.33.194 port 2872 ssh2 +Oct 3 06:38:13 [sshd] Failed password for illegal user root from 217.56.33.194 port 2907 ssh2 +Oct 3 06:38:14 [sshd] Failed password for illegal user root from 217.56.33.194 port 2950 ssh2 +Oct 3 06:38:16 [sshd] Failed password for illegal user jane from 217.56.33.194 port 2986 ssh2 +Oct 3 06:38:17 [sshd] Failed password for illegal user pamela from 217.56.33.194 port 3019 ssh2 +Oct 3 06:38:18 [sshd] Failed password for illegal user root from 217.56.33.194 port 3053 ssh2 +Oct 3 06:38:20 [sshd] Failed password for illegal user root from 217.56.33.194 port 3085 ssh2 +Oct 3 06:38:21 [sshd] 
Failed password for illegal user root from 217.56.33.194 port 3115 ssh2 +Oct 3 06:38:22 [sshd] Failed password for illegal user root from 217.56.33.194 port 3147 ssh2 +Oct 3 06:38:24 [sshd] Failed password for illegal user root from 217.56.33.194 port 3177 ssh2 +Oct 3 06:38:25 [sshd] Failed password for illegal user cosmin from 217.56.33.194 port 3208 ssh2 +Oct 3 06:38:26 [sshd] Failed password for illegal user root from 217.56.33.194 port 3239 ssh2 +Oct 3 06:38:28 [sshd] Failed password for illegal user root from 217.56.33.194 port 3272 ssh2 +Oct 3 06:38:29 [sshd] Failed password for illegal user root from 217.56.33.194 port 3302 ssh2 +Oct 3 06:38:30 [sshd] Failed password for illegal user root from 217.56.33.194 port 3336 ssh2 +Oct 3 06:38:32 [sshd] Failed password for illegal user root from 217.56.33.194 port 3367 ssh2 +Oct 3 06:38:33 [sshd] Failed password for illegal user root from 217.56.33.194 port 3403 ssh2 +Oct 3 06:38:34 [sshd] Failed password for illegal user root from 217.56.33.194 port 3432 ssh2 +Oct 3 06:38:36 [sshd] Failed password for illegal user root from 217.56.33.194 port 3458 ssh2 +Oct 3 06:38:37 [sshd] Failed password for illegal user root from 217.56.33.194 port 3494 ssh2 +Oct 3 06:38:38 [sshd] Failed password for illegal user root from 217.56.33.194 port 3525 ssh2 +Oct 3 06:38:40 [sshd] Failed password for illegal user root from 217.56.33.194 port 3554 ssh2 +Oct 3 06:38:41 [sshd] Failed password for illegal user root from 217.56.33.194 port 3590 ssh2 +Oct 3 06:38:42 [sshd] Failed password for illegal user root from 217.56.33.194 port 3623 ssh2 +Oct 3 06:38:44 [sshd] Failed password for illegal user root from 217.56.33.194 port 3654 ssh2 +Oct 3 06:38:45 [sshd] Failed password for illegal user root from 217.56.33.194 port 3690 ssh2 +Oct 3 06:38:46 [sshd] Failed password for illegal user root from 217.56.33.194 port 3720 ssh2 +Oct 3 06:38:48 [sshd] Failed password for illegal user root from 217.56.33.194 port 3752 ssh2 +Oct 3 06:38:49 [sshd] 
Failed password for illegal user root from 217.56.33.194 port 3785 ssh2 +Oct 3 06:38:51 [sshd] Failed password for illegal user root from 217.56.33.194 port 3817 ssh2 +Oct 3 06:38:52 [sshd] Failed password for illegal user root from 217.56.33.194 port 3853 ssh2 +Oct 3 06:38:53 [sshd] Failed password for illegal user root from 217.56.33.194 port 3886 ssh2 +Oct 3 06:38:55 [sshd] Failed password for illegal user root from 217.56.33.194 port 3923 ssh2 +Oct 3 06:38:56 [sshd] Failed password for illegal user root from 217.56.33.194 port 3955 ssh2 +Oct 3 06:38:57 [sshd] Failed password for illegal user root from 217.56.33.194 port 3983 ssh2 +Oct 3 06:38:59 [sshd] Failed password for illegal user root from 217.56.33.194 port 4016 ssh2 +Oct 3 06:39:00 [sshd] Failed password for illegal user root from 217.56.33.194 port 4045 ssh2 +Oct 3 06:39:01 [sshd] Failed password for illegal user root from 217.56.33.194 port 4073 ssh2 +Oct 3 06:39:03 [sshd] Failed password for illegal user root from 217.56.33.194 port 4110 ssh2 +Oct 3 06:39:04 [sshd] Failed password for illegal user root from 217.56.33.194 port 4140 ssh2 +Oct 3 06:39:05 [sshd] Failed password for illegal user root from 217.56.33.194 port 4171 ssh2 +Oct 3 06:39:07 [sshd] Failed password for illegal user root from 217.56.33.194 port 4201 ssh2 +Oct 3 06:39:08 [sshd] Failed password for illegal user root from 217.56.33.194 port 4235 ssh2 +Oct 3 06:39:09 [sshd] Failed password for illegal user root from 217.56.33.194 port 4267 ssh2 +Oct 3 06:39:11 [sshd] Failed password for illegal user root from 217.56.33.194 port 4300 ssh2 +Oct 3 06:39:12 [sshd] Failed password for illegal user root from 217.56.33.194 port 4326 ssh2 +Oct 3 06:39:13 [sshd] Failed password for illegal user root from 217.56.33.194 port 4358 ssh2 +Oct 3 06:39:15 [sshd] Failed password for illegal user cip52 from 217.56.33.194 port 4390 ssh2 +Oct 3 06:39:16 [sshd] Failed password for illegal user cip51 from 217.56.33.194 port 4427 ssh2 +Oct 3 06:39:18 [sshd] 
Failed password for illegal user root from 217.56.33.194 port 4459 ssh2 +Oct 3 06:39:19 [sshd] Failed password for illegal user noc from 217.56.33.194 port 4492 ssh2 +Oct 3 06:39:20 [sshd] Failed password for illegal user root from 217.56.33.194 port 4526 ssh2 +Oct 3 06:39:22 [sshd] Failed password for illegal user root from 217.56.33.194 port 4557 ssh2 +Oct 3 06:39:23 [sshd] Failed password for illegal user root from 217.56.33.194 port 4588 ssh2 +Oct 3 06:39:24 [sshd] Failed password for illegal user root from 217.56.33.194 port 4618 ssh2 +Oct 3 06:39:26 [sshd] Failed password for illegal user webmaster from 217.56.33.194 port 4652 ssh2 +Oct 3 06:39:27 [sshd] Failed password for illegal user data from 217.56.33.194 port 4679 ssh2 +Oct 3 06:39:28 [sshd] Failed password for illegal user user from 217.56.33.194 port 4716 ssh2 +Oct 3 06:39:30 [sshd] Failed password for illegal user user from 217.56.33.194 port 4744 ssh2 +Oct 3 06:39:31 [sshd] Failed password for illegal user user from 217.56.33.194 port 4777 ssh2 +Oct 3 06:39:32 [sshd] Failed password for illegal user web from 217.56.33.194 port 4808 ssh2 +Oct 3 06:39:34 [sshd] Failed password for illegal user web from 217.56.33.194 port 4842 ssh2 +Oct 3 06:39:35 [sshd] Failed password for illegal user oracle from 217.56.33.194 port 4869 ssh2 +Oct 3 06:39:36 [sshd] Failed password for illegal user sybase from 217.56.33.194 port 4899 ssh2 +Oct 3 06:39:38 [sshd] Failed password for illegal user master from 217.56.33.194 port 4933 ssh2 +Oct 3 06:39:39 [sshd] Failed password for illegal user account from 217.56.33.194 port 4969 ssh2 +Oct 3 06:39:40 [sshd] Failed password for illegal user backup from 217.56.33.194 port 4999 ssh2 +Oct 3 06:39:42 [sshd] Failed password for illegal user server from 217.56.33.194 port 1051 ssh2 +Oct 3 06:39:43 [sshd] Failed password for illegal user adam from 217.56.33.194 port 1082 ssh2 +Oct 3 06:39:44 [sshd] Failed password for illegal user alan from 217.56.33.194 port 1114 ssh2 +Oct 3 
06:39:46 [sshd] Failed password for illegal user frank from 217.56.33.194 port 1141 ssh2 +Oct 3 06:39:47 [sshd] Failed password for illegal user george from 217.56.33.194 port 1174 ssh2 +Oct 3 06:39:49 [sshd] Failed password for illegal user henry from 217.56.33.194 port 1205 ssh2 +Oct 3 06:39:50 [sshd] Failed password for illegal user john from 217.56.33.194 port 1236 ssh2 +Oct 3 06:39:51 [sshd] Failed password for illegal user root from 217.56.33.194 port 1271 ssh2 +Oct 3 06:39:53 [sshd] Failed password for illegal user root from 217.56.33.194 port 1300 ssh2 +Oct 3 06:39:55 [sshd] Failed password for illegal user root from 217.56.33.194 port 1332 ssh2 +Oct 3 06:39:56 [sshd] Failed password for illegal user root from 217.56.33.194 port 1380 ssh2 +Oct 3 06:39:57 [sshd] Failed password for illegal user root from 217.56.33.194 port 1412 ssh2 +Oct 3 06:39:59 [sshd] Failed password for illegal user test from 217.56.33.194 port 1449 ssh2 +Oct 4 04:43:59 [sshd] Failed password for illegal user test from 212.204.226.21 port 60349 ssh2 +Oct 4 04:44:03 [sshd] Failed password for illegal user guest from 212.204.226.21 port 60394 ssh2 +Oct 4 04:44:06 [sshd] Failed password for illegal user admin from 212.204.226.21 port 60540 ssh2 +Oct 4 04:44:08 [sshd] Failed password for illegal user admin from 212.204.226.21 port 60620 ssh2 +Oct 4 04:44:11 [sshd] Failed password for illegal user user from 212.204.226.21 port 60679 ssh2 +Oct 4 04:44:14 [sshd] Failed password for illegal user root from 212.204.226.21 port 60773 ssh2 +Oct 4 04:44:15 [sshd] Failed password for illegal user root from 212.204.226.21 port 60828 ssh2 +Oct 4 04:44:18 [sshd] Failed password for illegal user root from 212.204.226.21 port 60880 ssh2 +Oct 4 04:44:21 [sshd] Failed password for illegal user test from 212.204.226.21 port 60957 ssh2 +Oct 4 09:32:21 [sshd] Failed password for illegal user test from 62.141.56.70 port 45600 ssh2 +Oct 4 09:32:27 [sshd] Failed password for illegal user guest from 62.141.56.70 
port 47635 ssh2 +Oct 4 09:32:32 [sshd] Failed password for illegal user admin from 62.141.56.70 port 49967 ssh2 +Oct 4 09:32:37 [sshd] Failed password for illegal user admin from 62.141.56.70 port 52093 ssh2 +Oct 4 09:32:42 [sshd] Failed password for illegal user user from 62.141.56.70 port 53840 ssh2 +Oct 4 09:32:47 [sshd] Failed password for illegal user root from 62.141.56.70 port 55568 ssh2 +Oct 4 09:32:51 [sshd] Failed password for illegal user root from 62.141.56.70 port 57526 ssh2 +Oct 4 09:32:51 [sshd] Failed password for illegal user root from 62.141.56.70 port 58454 ssh2 +Oct 4 09:32:52 [sshd] Failed password for illegal user test from 62.141.56.70 port 58819 ssh2 +Oct 4 14:09:11 [sshd] Failed password for illegal user test from 211.234.125.100 port 46642 ssh2 +Oct 4 14:09:18 [sshd] Failed password for illegal user guest from 211.234.125.100 port 46788 ssh2 +Oct 4 14:09:23 [sshd] Failed password for illegal user admin from 211.234.125.100 port 46886 ssh2 +Oct 4 14:09:30 [sshd] Failed password for illegal user admin from 211.234.125.100 port 46960 ssh2 +Oct 4 14:09:43 [sshd] Failed password for illegal user user from 211.234.125.100 port 47025 ssh2 +Oct 6 04:13:11 [sshd] Failed password for illegal user test from 64.246.30.17 port 58277 ssh2 +Oct 6 04:13:13 [sshd] Failed password for illegal user guest from 64.246.30.17 port 58360 ssh2 +Oct 6 04:13:15 [sshd] Failed password for illegal user admin from 64.246.30.17 port 58428 ssh2 +Oct 6 04:13:17 [sshd] Failed password for illegal user admin from 64.246.30.17 port 58514 ssh2 +Oct 6 22:13:56 [sshd] Failed password for illegal user test from 61.11.98.217 port 45434 ssh2 +Oct 6 22:14:00 [sshd] Failed password for illegal user guest from 61.11.98.217 port 45586 ssh2 +Oct 6 22:14:05 [sshd] Failed password for illegal user admin from 61.11.98.217 port 45672 ssh2 +Oct 6 22:14:10 [sshd] Failed password for illegal user admin from 61.11.98.217 port 45748 ssh2 +Oct 6 22:14:18 [sshd] Failed password for illegal user 
user from 61.11.98.217 port 45833 ssh2 +Oct 7 00:25:34 [sshd] Failed password for illegal user tata from 128.178.164.52 port 37086 ssh2 +Oct 7 00:25:34 [sshd] Failed password for illegal user tata from 128.178.164.52 port 37086 ssh2 + - Last output repeated twice - +Oct 7 00:26:27 [sshd] Failed password for illegal user tata from 128.178.164.52 port 37089 ssh2 + - Last output repeated 2 times - +Oct 7 00:26:37 [sshd] Failed password for illegal user tata from 128.178.164.52 port 37092 ssh2 + - Last output repeated 2 times - +Oct 7 00:27:21 [sshd] Failed password for illegal user tata from 128.178.164.52 port 37095 ssh2 + - Last output repeated twice - +Oct 7 00:51:31 [sshd] Failed password for illegal user tata from 128.178.164.52 port 37130 ssh2 + - Last output repeated 2 times - +Oct 7 00:51:48 [sshd] Failed password for illegal user tata from 128.178.164.52 port 37138 ssh2 + - Last output repeated 2 times - +Oct 7 00:52:02 [sshd] Failed password for illegal user tata from 128.178.164.52 port 37141 ssh2 +Oct 7 00:56:10 [sshd] Failed password for illegal user tata from 128.178.164.52 port 37153 ssh2 + - Last output repeated 2 times - +Oct 7 00:56:41 [sshd] Failed password for illegal user tata from 128.178.164.52 port 37156 ssh2 + - Last output repeated 2 times - +Oct 7 00:57:00 [sshd] Failed password for illegal user tata from 128.178.164.52 port 37159 ssh2 +Oct 7 00:58:17 [sshd] Failed password for illegal user tata from 128.178.164.52 port 37162 ssh2 + - Last output repeated 2 times - +Oct 7 00:58:29 [sshd] Failed password for illegal user tata from 128.178.164.52 port 37165 ssh2 + - Last output repeated 2 times - +Oct 7 00:58:39 [sshd] Failed password for illegal user tata from 128.178.164.52 port 37168 ssh2 +Oct 7 01:00:32 [sshd] Failed password for illegal user tata from 128.178.164.52 port 37171 ssh2 + - Last output repeated 2 times - +Oct 7 01:00:44 [sshd] Failed password for illegal user tata from 128.178.164.52 port 37175 ssh2 + - Last output repeated 2 
times - +Oct 7 01:01:23 [sshd] Failed password for illegal user tata from 128.178.164.52 port 37178 ssh2 + - Last output repeated 2 times - +Oct 7 01:03:01 [sshd] Failed password for illegal user tata from 128.178.164.52 port 37181 ssh2 + - Last output repeated 2 times - +Oct 7 01:03:12 [sshd] Failed password for illegal user tata from 128.178.164.52 port 37184 ssh2 + - Last output repeated 2 times - +Oct 7 01:03:20 [sshd] Failed password for illegal user tata from 128.178.164.52 port 37187 ssh2 + - Last output repeated 2 times - +Oct 8 11:47:08 [sshd] Failed password for illegal user test from 69.182.27.122 port 34015 ssh2 +Oct 8 11:47:09 [sshd] Failed password for illegal user guest from 69.182.27.122 port 34068 ssh2 +Oct 8 11:47:11 [sshd] Failed password for illegal user admin from 69.182.27.122 port 34127 ssh2 +Oct 9 21:54:11 yellow sshd[16069]: Failed password for cyril from 212.41.79.210 port 29404 ssh2 From f9430284498529454a935c71fa9c103a62d95fdd Mon Sep 17 00:00:00 2001 From: Cyril Jaquier Date: Sat, 9 Oct 2004 15:33:33 +0000 Subject: [PATCH 003/549] - Some object-oriented code testing git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@6 a942ae1a-1317-0410-a47c-b1dcaea8d605 --- fail2ban | 22 ++++++++++++++++++- firewall/__init__.py | 25 +++++++++++++++++++++ firewall/firewall.py | 52 ++++++++++++++++++++++++++++++++++++++++++++ firewall/iptables.py | 41 ++++++++++++++++++++++++++++++++++ 4 files changed, 139 insertions(+), 1 deletion(-) create mode 100644 firewall/__init__.py create mode 100644 firewall/firewall.py create mode 100644 firewall/iptables.py diff --git a/fail2ban b/fail2ban index 2936021a..278a118f 100755 --- a/fail2ban +++ b/fail2ban 
@@ -20,9 +20,17 @@ # # $Revision$ +__author__ = "Cyril Jaquier" +__version__ = "$Revision$" +__date__ = "$Date$" +__copyright__ = "Copyright (c) 2004 Cyril Jaquier" +__license__ = "GPL" + import posix,sys,os import string,re,time +from firewall.iptables import Iptables + def checkForRoot(): """ Check for root user. """ @@ -32,6 +40,7 @@ def checkForRoot(): else: return False +# start: To be removed def executeCmd(cmd): return #os.system(cmd) @@ -44,6 +53,7 @@ def banIP(ip): iptables = 'iptables -I INPUT 1 -i eth0 -s '+ip+' -j DROP' executeCmd(iptables) print iptables +# end: def checkForUnBan(banList, currentTime, banTime): """ Check for user to remove from ban list. @@ -87,11 +97,21 @@ def parseLogLine(line): if __name__ == "__main__": + # start: For object oriented testing + f = Iptables() + f.banIP('11', 1231) + f.banIP('13', 1232) + f.banIP('13', 1233) + f.unBanIP('11') + f.viewBanList() + f.flushBanList() + # end: + if not checkForRoot(): print "You must be root." #sys.exit(-1) - logPath = './log/temp' + logPath = './log-test/test' banTime = 60 ignoreIPs = '127.0.0.1' diff --git a/firewall/__init__.py b/firewall/__init__.py new file mode 100644 index 00000000..76dba873 --- /dev/null +++ b/firewall/__init__.py 
@@ -0,0 +1,25 @@
+# This file is part of Fail2Ban.
+#
+# Fail2Ban is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# Fail2Ban is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Fail2Ban; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+
+# Author: Cyril Jaquier
+#
+# $Revision$
+
+__author__ = "Cyril Jaquier"
+__version__ = "$Revision$"
+__date__ = "$Date$"
+__copyright__ = "Copyright (c) 2004 Cyril Jaquier"
+__license__ = "GPL"
\ No newline at end of file
diff --git a/firewall/firewall.py b/firewall/firewall.py
new file mode 100644
index 00000000..0a937d77
--- /dev/null
+++ b/firewall/firewall.py
@@ -0,0 +1,52 @@
+# This file is part of Fail2Ban.
+#
+# Fail2Ban is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# Fail2Ban is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Fail2Ban; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+
+# Author: Cyril Jaquier
+#
+# $Revision$
+
+__author__ = "Cyril Jaquier"
+__version__ = "$Revision$"
+__date__ = "$Date$"
+__copyright__ = "Copyright (c) 2004 Cyril Jaquier"
+__license__ = "GPL"
+
+class Firewall:
+
+ banList = dict()
+
+ def addBanIP(self, ip, time):
+ self.banList[ip] = time
+
+ def delBanIP(self, ip):
+ del self.banList[ip]
+
+ def flushBanList(self):
+ iterBanList = self.banList.iteritems()
+ for i in range(len(self.banList)):
+ element = iterBanList.next()
+ ip = element[0]
+ self.unBanIP(ip)
+
+ def executeCmd(self, cmd):
+ return #os.system(cmd)
+
+ def viewBanList(self):
+ iterBanList = self.banList.iteritems()
+ for i in range(len(self.banList)):
+ element = iterBanList.next()
+ print element
+
diff --git a/firewall/iptables.py b/firewall/iptables.py
new file mode 100644
index 00000000..fcee9652
--- /dev/null
+++ b/firewall/iptables.py
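Review bot: `flushBanList` in firewall/firewall.py walks `self.banList.iteritems()` while `self.unBanIP(ip)` (implemented in firewall/iptables.py in this commit) ends in `delBanIP`, which deletes from the same dict. With more than one banned address the iterator fails with "dictionary changed size during iteration", and the remaining rules are never removed. Iterate over a snapshot instead: `for ip in self.banList.keys():` followed by `self.unBanIP(ip)`. The later revision of this method in PATCH 006 keeps the same loop shape, now calling `delBanIP` directly, and needs the same change.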
@@ -0,0 +1,41 @@
+# This file is part of Fail2Ban.
+#
+# Fail2Ban is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# Fail2Ban is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Fail2Ban; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+
+# Author: Cyril Jaquier
+#
+# $Revision$
+
+__author__ = "Cyril Jaquier"
+__version__ = "$Revision$"
+__date__ = "$Date$"
+__copyright__ = "Copyright (c) 2004 Cyril Jaquier"
+__license__ = "GPL"
+
+from firewall import Firewall
+
+class Iptables(Firewall):
+
+ def banIP(self, ip, time):
+ query = 'iptables -I INPUT 1 -i eth0 -s '+str(ip)+' -j DROP'
+ self.addBanIP(ip, time)
+ self.executeCmd(query)
+ print query
+
+ def unBanIP(self, ip):
+ query = 'iptables -D INPUT -i eth0 -s '+str(ip)+' -j DROP'
+ self.delBanIP(ip)
+ self.executeCmd(query)
+ print query
From 7e00b03a9382ee08fad8d9f40b9d60cc70f144f4 Mon Sep 17 00:00:00 2001
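Review bot: `banIP` and `unBanIP` build the iptables command by concatenating `ip` into a string intended for `os.system` (that call is commented out in `Firewall.executeCmd` for now), so whatever reaches `ip` will be interpreted by a shell once execution is switched on. Check that `ip` is a dotted-quad address before building the rule and state the contract next to it, e.g. `# ip must be a validated IPv4 address; it is placed on a shell command line`. The interface `eth0` and the `INPUT` chain are hard-coded and would be better passed to the constructor. The same concatenation remains in the PATCH 006 revision of this file, where the `str(ip)` conversion is dropped as well.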
From: Cyril Jaquier Date: Sun, 10 Oct 2004 13:33:40 +0000 Subject: [PATCH 004/549] - add log reader classes. Currently support metalog and sshd but should handle others services and syslog yet git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@7 a942ae1a-1317-0410-a47c-b1dcaea8d605 --- logreader/__init__.py | 25 ++++++++++++++++ logreader/logreader.py | 67 ++++++++++++++++++++++++++++++++++++++++++ logreader/metalog.py | 65 ++++++++++++++++++++++++++++++++++++++++ 3 files changed, 157 insertions(+) create mode 100644 logreader/__init__.py create mode 100644 logreader/logreader.py create mode 100644 logreader/metalog.py
diff --git a/logreader/__init__.py b/logreader/__init__.py
new file mode 100644
index 00000000..76dba873
--- /dev/null
+++ b/logreader/__init__.py
@@ -0,0 +1,25 @@
+# This file is part of Fail2Ban.
+#
+# Fail2Ban is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# Fail2Ban is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Fail2Ban; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+
+# Author: Cyril Jaquier
+#
+# $Revision$
+
+__author__ = "Cyril Jaquier"
+__version__ = "$Revision$"
+__date__ = "$Date$"
+__copyright__ = "Copyright (c) 2004 Cyril Jaquier"
+__license__ = "GPL"
\ No newline at end of file
diff --git a/logreader/logreader.py b/logreader/logreader.py
new file mode 100644
index 00000000..492ed76d
--- /dev/null
+++ b/logreader/logreader.py
@@ -0,0 +1,67 @@
+# This file is part of Fail2Ban.
+#
+# Fail2Ban is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# Fail2Ban is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Fail2Ban; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+
+# Author: Cyril Jaquier
+#
+# $Revision$
+
+__author__ = "Cyril Jaquier"
+__version__ = "$Revision$"
+__date__ = "$Date$"
+__copyright__ = "Copyright (c) 2004 Cyril Jaquier"
+__license__ = "GPL"
+
+import os, sys
+
+class LogReader:
+
+ def __init__(self, logPath, findTime = 3600):
+ self.logPath = logPath
+ self.findTime = findTime
+ self.ignoreIpList = []
+ self.lastModTime = 0
+
+ def addIgnoreIP(self, ip):
+ self.ignoreIpList.append(ip)
+
+ def inIgnoreIPList(self, ip):
+ return ip in self.ignoreIpList
+
+ def openLogFile(self):
+ try:
+ fileHandler = open(self.logPath)
+ except OSError:
+ print "Unable to open", self.logPath
+ sys.exit(-1)
+ return fileHandler
+
+ def isModified(self):
+ try:
+ logStats = os.stat(self.logPath)
+ except OSError:
+ print "Unable to get stat on", logPath
+ sys.exit(-1)
+
+ if self.lastModTime == logStats.st_mtime:
+ return False
+ else:
+ print self.logPath, 'has been modified'
+ self.lastModTime = logStats.st_mtime
+ return True
+
+ def getPwdFailure(self):
+ failList = self.getFailInfo(self.findTime)
+ return failList
diff --git a/logreader/metalog.py b/logreader/metalog.py
new file mode 100644
index 00000000..20a64766
--- /dev/null
+++ b/logreader/metalog.py
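Review bot: In `isModified` the error path prints the bare name `logPath`, which is not defined inside the method, so a failing `os.stat` ends in a NameError instead of the intended message; it should read `print "Unable to get stat on", self.logPath`. In `openLogFile` the handler is `except OSError:`, but a failed `open()` raises IOError in the Python version this code targets, so a missing or unreadable log file produces a traceback rather than the message and the clean exit; use `except IOError:` there. `getPwdFailure` calls `self.getFailInfo`, which this class does not define, so a class comment such as `# subclasses must implement getFailInfo(findTime)` would make the contract explicit.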
@@ -0,0 +1,65 @@
+# This file is part of Fail2Ban.
+#
+# Fail2Ban is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# Fail2Ban is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Fail2Ban; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+
+# Author: Cyril Jaquier
+#
+# $Revision$
+
+__author__ = "Cyril Jaquier"
+__version__ = "$Revision$"
+__date__ = "$Date$"
+__copyright__ = "Copyright (c) 2004 Cyril Jaquier"
+__license__ = "GPL"
+
+import re, time
+
+from logreader import LogReader
+
+class Metalog(LogReader):
+
+ def getFailInfo(self, findTime):
+ ipList = dict()
+ logFile = self.openLogFile()
+ for line in logFile.readlines():
+ match = self.parseLogLine(line)
+ if match:
+ ip = match[0]
+ unixTime = match[1]
+ if unixTime < time.time()-self.findTime:
+ continue
+ if self.inIgnoreIPList(ip):
+ print 'Ignore', ip
+ continue
+ print 'Found', ip, 'at', unixTime
+ if ipList.has_key(ip):
+ ipList[ip] = (ipList[ip][0]+1, unixTime)
+ else:
+ ipList[ip] = (1, unixTime)
+ logFile.close()
+ return ipList
+
+ def parseLogLine(self, line):
+ """ Match sshd failed password log
+ """
+ if re.search("Failed password", line):
+ matchIP = re.search("(?:\d{1,3}\.){3}\d{1,3}", line)
+ if matchIP:
+ date = list(time.strptime(line[0:15], "%b %d %H:%M:%S"))
+ date[0] = time.gmtime()[0]
+ unixTime = time.mktime(date)
+ return [matchIP.group(), unixTime]
+ else:
+ return False
From 0de46864a1ba5443e719043d718e7d3c1e523996 Mon Sep 17 00:00:00 2001
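Review bot: `parseLogLine` takes the first dotted-quad found anywhere in the line (`re.search("(?:\d{1,3}\.){3}\d{1,3}", line)`), but in these sshd messages the user name precedes the source address and is supplied by the remote client, so a name shaped like an address would be counted, and later banned, in place of the real peer. Anchor the pattern to the address field at the end of the message, for example `re.search("from ((?:\d{1,3}\.){3}\d{1,3}) port \d+ ssh2$", line)`, and return `group(1)`. `getFailInfo` also ignores its `findTime` argument and reads `self.findTime` instead. The year is forced to the current one with `time.gmtime()[0]`, which misdates December entries that are read in January.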
From: Cyril Jaquier Date: Sun, 10 Oct 2004 13:34:02 +0000 Subject: [PATCH 005/549] - update some dates git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@8 a942ae1a-1317-0410-a47c-b1dcaea8d605 --- log-test/test | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/log-test/test b/log-test/test index 81e0e87f..30fc4868 100644 --- a/log-test/test +++ b/log-test/test @@ -425,7 +425,7 @@ Oct 7 01:03:12 [sshd] Failed password for illegal user tata from 128.178.164.52 - Last output repeated 2 times - Oct 7 01:03:20 [sshd] Failed password for illegal user tata from 128.178.164.52 port 37187 ssh2 - Last output repeated 2 times - -Oct 8 11:47:08 [sshd] Failed password for illegal user test from 69.182.27.122 port 34015 ssh2 -Oct 8 11:47:09 [sshd] Failed password for illegal user guest from 69.182.27.122 port 34068 ssh2 -Oct 8 11:47:11 [sshd] Failed password for illegal user admin from 69.182.27.122 port 34127 ssh2 -Oct 9 21:54:11 yellow sshd[16069]: Failed password for cyril from 212.41.79.210 port 29404 ssh2 +Oct 11 11:47:08 [sshd] Failed password for illegal user test from 69.182.27.122 port 34015 ssh2 +Oct 11 11:47:09 [sshd] Failed password for illegal user guest from 69.182.27.122 port 34068 ssh2 +Oct 11 11:47:11 [sshd] Failed password for illegal user admin from 69.182.27.122 port 34127 ssh2 +Oct 12 21:54:11 yellow sshd[16069]: Failed password for cyril from 212.41.79.210 port 29404 ssh2 From 68ab4b0b26cee2c96ff8751e94b396692b0ecce4 Mon Sep 17 00:00:00 2001 From: Cyril Jaquier Date: Sun, 10 Oct 2004 13:35:11 +0000 Subject: [PATCH 006/549] - a few changes and corrections git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@9 a942ae1a-1317-0410-a47c-b1dcaea8d605 --- firewall/firewall.py | 38 ++++++++++++++++++++++++++++++++++---- firewall/iptables.py | 14 +++++--------- 2 files changed, 39 insertions(+), 13 deletions(-) diff --git a/firewall/firewall.py b/firewall/firewall.py index 0a937d77..76632a75 100644 
--- a/firewall/firewall.py +++ b/firewall/firewall.py @@ -24,24 +24,54 @@ __date__ = "$Date$" __copyright__ = "Copyright (c) 2004 Cyril Jaquier" __license__ = "GPL" +import time + class Firewall: banList = dict() - def addBanIP(self, ip, time): - self.banList[ip] = time + def __init__(self, banTime): + self.banTime = banTime + + def addBanIP(self, ip): + if not self.inBanList(ip): + self.banList[ip] = time.time() + self.executeCmd(self.banIP(ip)) + else: + print ip, "already in ban list" def delBanIP(self, ip): - del self.banList[ip] + if self.inBanList(ip): + del self.banList[ip] + self.executeCmd(self.unBanIP(ip)) + else: + print ip, "not in ban list" + + def inBanList(self, ip): + return self.banList.has_key(ip) + + def checkForUnBan(self): + """ Check for user to remove from ban list. + """ + banListTemp = self.banList.copy() + iterBanList = banListTemp.iteritems() + for i in range(len(self.banList)): + element = iterBanList.next() + ip = element[0] + btime = element[1] + if btime < time.time()-self.banTime: + self.delBanIP(ip) + print '`->', time.time() def flushBanList(self): iterBanList = self.banList.iteritems() for i in range(len(self.banList)): element = iterBanList.next() ip = element[0] - self.unBanIP(ip) + self.delBanIP(ip) def executeCmd(self, cmd): + print cmd return #os.system(cmd) def viewBanList(self): diff --git a/firewall/iptables.py b/firewall/iptables.py index fcee9652..8206e631 100644 --- a/firewall/iptables.py +++ b/firewall/iptables.py 
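Review bot: The new `__init__` stores `banTime` per instance, but `banList = dict()` stays a class attribute (the context line above it), so two firewall objects would share one ban list and unban each other's entries; add `self.banList = dict()` to `__init__`. `addBanIP` and `delBanIP` update the list before `executeCmd` runs and never look at its result, so once the `os.system` call is enabled a failed iptables invocation would leave the list and the installed rules out of step. Check the exit status first and only then record or drop the entry. The class continues outside the hunk.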
@@ -28,14 +28,10 @@ from firewall import Firewall class Iptables(Firewall): - def banIP(self, ip, time): - query = 'iptables -I INPUT 1 -i eth0 -s '+str(ip)+' -j DROP' - self.addBanIP(ip, time) - self.executeCmd(query) - print query + def banIP(self, ip): + query = 'iptables -I INPUT 1 -i eth0 -s '+ip+' -j DROP' + return query def unBanIP(self, ip): - query = 'iptables -D INPUT -i eth0 -s '+str(ip)+' -j DROP' - self.delBanIP(ip) - self.executeCmd(query) - print query + query = 'iptables -D INPUT -i eth0 -s '+ip+' -j DROP' + return query From 012301b64411850e449bbc7d0aa42b68553350fa Mon Sep 17 00:00:00 2001 From: Cyril Jaquier Date: Sun, 10 Oct 2004 13:35:52 +0000 Subject: [PATCH 007/549] - Complete rewrite to use the log-reader and firewall classes git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@10 a942ae1a-1317-0410-a47c-b1dcaea8d605 --- fail2ban | 127 +++++++------------------------------------------------ 1 file changed, 15 insertions(+), 112 deletions(-) diff --git a/fail2ban b/fail2ban index 278a118f..c2cae5df 100755 --- a/fail2ban +++ b/fail2ban @@ -26,10 +26,10 @@ __date__ = "$Date$" __copyright__ = "Copyright (c) 2004 Cyril Jaquier" __license__ = "GPL" -import posix,sys,os -import string,re,time +import posix, time, sys from firewall.iptables import Iptables +from logreader.metalog import Metalog def checkForRoot(): """ Check for root user. 
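Review bot: `banIP` and `unBanIP` in firewall/iptables.py return a command line built by concatenating `ip` into a string, and as far as this series shows `ip` is taken from text parsed out of the sshd log, which remote clients can influence. `executeCmd` in firewall.py currently only prints the command (the `os.system` call is commented out), but once it is enabled any shell metacharacter in `ip` would be interpreted by the shell. Validate the value before building the command, e.g. `if not re.match(r'(?:\d{1,3}\.){3}\d{1,3}\Z', ip): raise ValueError(ip)` (this needs `import re` in iptables.py), or return an argument list and run it without a shell. Dropping `str(ip)` also means a non-string `ip` now raises `TypeError` at the `+`, which deserves a line in a docstring on both methods.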
@@ -40,132 +40,35 @@ def checkForRoot(): else: return False -# start: To be removed -def executeCmd(cmd): - return #os.system(cmd) - -def unBanIP(ip): - iptables = 'iptables -D INPUT -i eth0 -s '+ip+' -j DROP' - executeCmd(iptables) - print iptables - -def banIP(ip): - iptables = 'iptables -I INPUT 1 -i eth0 -s '+ip+' -j DROP' - executeCmd(iptables) - print iptables -# end: - -def checkForUnBan(banList, currentTime, banTime): - """ Check for user to remove from ban list. - """ - iterBanList = banList.iteritems() - for i in range(len(banList)): - element = iterBanList.next() - ip = element[0] - btime = element[1] - if btime < currentTime-banTime: - del banList[ip] - unBanIP(ip) - print '`->', currentTime - return banList - -def checkForBan(retryList, banList, currentTime): - iterRetry = retryList.iteritems() - for i in range(len(retryList)): - element = iterRetry.next() - retry = element[1][0] - ip = element[0] - if element[1][0] > 2 and not banList.has_key(ip): - banList[ip] = currentTime - banIP(ip) - print '`->', currentTime - return banList - -def flushBanList(banList): - iterBanList = banList.iteritems() - for i in range(len(banList)): - element = iterBanList.next() - ip = element[0] - unBanIP(ip) - -def parseLogLine(line): - """ Match sshd failed password log - """ - if re.search("Failed password", line): - matchIP = re.search("(?:\d{1,3}\.){3}\d{1,3}", line) - return matchIP - if __name__ == "__main__": - # start: For object oriented testing - f = Iptables() - f.banIP('11', 1231) - f.banIP('13', 1232) - f.banIP('13', 1233) - f.unBanIP('11') - f.viewBanList() - f.flushBanList() - # end: + fireWall = Iptables(600) + logFile = Metalog("./log-test/test", 600) if not checkForRoot(): print "You must be root." 
#sys.exit(-1) - logPath = './log-test/test' - banTime = 60 - ignoreIPs = '127.0.0.1' + logFile.addIgnoreIP("127.0.0.1") - lastModTime = 0 - banList = dict() while True: - try: - currentTime = time.time() + try: + fireWall.checkForUnBan() - banList = checkForUnBan(banList, currentTime, banTime) - - try: - pwdFailStats = os.stat(logPath) - except OSError: - print "Unable to get stat on", logPath - sys.exit(-1) - - if lastModTime == pwdFailStats.st_mtime: + if not logFile.isModified(): time.sleep(1) continue - print logPath, 'has been modified' - lastModTime = pwdFailStats.st_mtime + failList = logFile.getPwdFailure() - try: - pwdfail = open(logPath) - except OSError: - print "Unable to open", logPath - sys.exit(-1) + iterFailList = failList.iteritems() + for i in range(len(failList)): + element = iterFailList.next() + if element[1][0] > 2: + fireWall.addBanIP(element[0]) - retryList = dict() - for line in pwdfail.readlines(): - match = parseLogLine(line) - if match: - ip = match.group() - date = list(time.strptime(line[0:15], "%b %d %H:%M:%S")) - date[0] = time.gmtime()[0] - unixTime = time.mktime(date) - if unixTime < currentTime-banTime: - continue - if re.search(ip, ignoreIPs): - print 'Ignore ', ip - continue - print 'Found', ip, 'at', unixTime - if retryList.has_key(`ip`): - retryList[`ip`] = (retryList[`ip`][0]+1,unixTime) - else: - retryList[`ip`] = (1,unixTime) - - pwdfail.close() - - banList = checkForBan(retryList, banList, currentTime) except KeyboardInterrupt: print 'Restoring iptables...' - flushBanList(banList) + fireWall.flushBanList() print 'Exiting...' sys.exit(0) From 5fc0a651635377fe1faa5bdcdb56aa0835382636 Mon Sep 17 00:00:00 2001 
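Review bot: In the new main loop only `KeyboardInterrupt` leads to `fireWall.flushBanList()`; any other exception raised by `logFile.getPwdFailure()`, `fireWall.addBanIP()` or `fireWall.checkForUnBan()` ends the process with the inserted rules still in place. The `OSError` handling the old loop had around `os.stat` and `open` is gone from this file, and whether `Metalog` handles those errors is not visible here. Putting the `while True:` loop inside `try: ... finally: fireWall.flushBanList()` would restore the firewall on every exit path. The ban test would also read more directly as `for ip, stats in failList.iteritems():` with `if stats[0] > MAX_RETRY:`, using a named constant instead of the literal `2`.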
From: Cyril Jaquier Date: Sun, 10 Oct 2004 23:41:07 +0000 Subject: [PATCH 008/549] - removing this file. Replaced by fail2ban.py git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@11 a942ae1a-1317-0410-a47c-b1dcaea8d605 --- fail2ban | 74 -------------------------------------------------------- 1 file changed, 74 deletions(-) delete mode 100755 fail2ban diff --git a/fail2ban b/fail2ban deleted file mode 100755 index c2cae5df..00000000 --- a/fail2ban +++ /dev/null 
@@ -1,74 +0,0 @@ -#!/usr/bin/env python - -# This file is part of Fail2Ban. -# -# Fail2Ban is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2 of the License, or -# (at your option) any later version. -# -# Fail2Ban is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with Fail2Ban; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - -# Author: Cyril Jaquier -# -# $Revision$ - -__author__ = "Cyril Jaquier" -__version__ = "$Revision$" -__date__ = "$Date$" -__copyright__ = "Copyright (c) 2004 Cyril Jaquier" -__license__ = "GPL" - -import posix, time, sys - -from firewall.iptables import Iptables -from logreader.metalog import Metalog - -def checkForRoot(): - """ Check for root user. - """ - uid = `posix.getuid()` - if uid == '0': - return True - else: - return False - -if __name__ == "__main__": - - fireWall = Iptables(600) - logFile = Metalog("./log-test/test", 600) - - if not checkForRoot(): - print "You must be root." - #sys.exit(-1) - - logFile.addIgnoreIP("127.0.0.1") - - while True: - try: - fireWall.checkForUnBan() - - if not logFile.isModified(): - time.sleep(1) - continue - - failList = logFile.getPwdFailure() - - iterFailList = failList.iteritems() - for i in range(len(failList)): - element = iterFailList.next() - if element[1][0] > 2: - fireWall.addBanIP(element[0]) - - except KeyboardInterrupt: - print 'Restoring iptables...' - fireWall.flushBanList() - print 'Exiting...' - sys.exit(0) From 5c9c6e82cf976968e89ad4fba99458b13ed32bb5 Mon Sep 17 00:00:00 2001 
From: Cyril Jaquier Date: Sun, 10 Oct 2004 23:41:08 +0000 Subject: [PATCH 009/549] This commit was manufactured by cvs2svn to create branch 'FAIL2BAN-0_5'. git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_5@12 a942ae1a-1317-0410-a47c-b1dcaea8d605 --- fail2ban | 171 ---------------- firewall/firewall.py | 52 ----- firewall/iptables.py | 41 ---- log-test/current | 4 - log-test/test | 431 ----------------------------------------- logreader/logreader.py | 67 ------- logreader/metalog.py | 65 ------- 7 files changed, 831 deletions(-) delete mode 100755 fail2ban delete mode 100644 firewall/firewall.py delete mode 100644 firewall/iptables.py delete mode 100644 log-test/current delete mode 100644 log-test/test delete mode 100644 logreader/logreader.py delete mode 100644 logreader/metalog.py diff --git a/fail2ban b/fail2ban deleted file mode 100755 index 278a118f..00000000 --- a/fail2ban +++ /dev/null 
@@ -1,171 +0,0 @@ -#!/usr/bin/env python - -# This file is part of Fail2Ban. -# -# Fail2Ban is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2 of the License, or -# (at your option) any later version. -# -# Fail2Ban is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with Fail2Ban; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - -# Author: Cyril Jaquier -# -# $Revision$ - -__author__ = "Cyril Jaquier" -__version__ = "$Revision$" -__date__ = "$Date$" -__copyright__ = "Copyright (c) 2004 Cyril Jaquier" -__license__ = "GPL" - -import posix,sys,os -import string,re,time - -from firewall.iptables import Iptables - -def checkForRoot(): - """ Check for root user. - """ - uid = `posix.getuid()` - if uid == '0': - return True - else: - return False - -# start: To be removed -def executeCmd(cmd): - return #os.system(cmd) - -def unBanIP(ip): - iptables = 'iptables -D INPUT -i eth0 -s '+ip+' -j DROP' - executeCmd(iptables) - print iptables - -def banIP(ip): - iptables = 'iptables -I INPUT 1 -i eth0 -s '+ip+' -j DROP' - executeCmd(iptables) - print iptables -# end: - -def checkForUnBan(banList, currentTime, banTime): - """ Check for user to remove from ban list. 
- """ - iterBanList = banList.iteritems() - for i in range(len(banList)): - element = iterBanList.next() - ip = element[0] - btime = element[1] - if btime < currentTime-banTime: - del banList[ip] - unBanIP(ip) - print '`->', currentTime - return banList - -def checkForBan(retryList, banList, currentTime): - iterRetry = retryList.iteritems() - for i in range(len(retryList)): - element = iterRetry.next() - retry = element[1][0] - ip = element[0] - if element[1][0] > 2 and not banList.has_key(ip): - banList[ip] = currentTime - banIP(ip) - print '`->', currentTime - return banList - -def flushBanList(banList): - iterBanList = banList.iteritems() - for i in range(len(banList)): - element = iterBanList.next() - ip = element[0] - unBanIP(ip) - -def parseLogLine(line): - """ Match sshd failed password log - """ - if re.search("Failed password", line): - matchIP = re.search("(?:\d{1,3}\.){3}\d{1,3}", line) - return matchIP - -if __name__ == "__main__": - - # start: For object oriented testing - f = Iptables() - f.banIP('11', 1231) - f.banIP('13', 1232) - f.banIP('13', 1233) - f.unBanIP('11') - f.viewBanList() - f.flushBanList() - # end: - - if not checkForRoot(): - print "You must be root." 
- #sys.exit(-1) - - logPath = './log-test/test' - banTime = 60 - ignoreIPs = '127.0.0.1' - - lastModTime = 0 - banList = dict() - while True: - try: - currentTime = time.time() - - banList = checkForUnBan(banList, currentTime, banTime) - - try: - pwdFailStats = os.stat(logPath) - except OSError: - print "Unable to get stat on", logPath - sys.exit(-1) - - if lastModTime == pwdFailStats.st_mtime: - time.sleep(1) - continue - - print logPath, 'has been modified' - lastModTime = pwdFailStats.st_mtime - - try: - pwdfail = open(logPath) - except OSError: - print "Unable to open", logPath - sys.exit(-1) - - retryList = dict() - for line in pwdfail.readlines(): - match = parseLogLine(line) - if match: - ip = match.group() - date = list(time.strptime(line[0:15], "%b %d %H:%M:%S")) - date[0] = time.gmtime()[0] - unixTime = time.mktime(date) - if unixTime < currentTime-banTime: - continue - if re.search(ip, ignoreIPs): - print 'Ignore ', ip - continue - print 'Found', ip, 'at', unixTime - if retryList.has_key(`ip`): - retryList[`ip`] = (retryList[`ip`][0]+1,unixTime) - else: - retryList[`ip`] = (1,unixTime) - - pwdfail.close() - - banList = checkForBan(retryList, banList, currentTime) - except KeyboardInterrupt: - print 'Restoring iptables...' - flushBanList(banList) - print 'Exiting...' - sys.exit(0) diff --git a/firewall/firewall.py b/firewall/firewall.py deleted file mode 100644 index 0a937d77..00000000 --- a/firewall/firewall.py +++ /dev/null 
@@ -1,52 +0,0 @@ -# This file is part of Fail2Ban. -# -# Fail2Ban is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2 of the License, or -# (at your option) any later version. -# -# Fail2Ban is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with Fail2Ban; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - -# Author: Cyril Jaquier -# -# $Revision$ - -__author__ = "Cyril Jaquier" -__version__ = "$Revision$" -__date__ = "$Date$" -__copyright__ = "Copyright (c) 2004 Cyril Jaquier" -__license__ = "GPL" - -class Firewall: - - banList = dict() - - def addBanIP(self, ip, time): - self.banList[ip] = time - - def delBanIP(self, ip): - del self.banList[ip] - - def flushBanList(self): - iterBanList = self.banList.iteritems() - for i in range(len(self.banList)): - element = iterBanList.next() - ip = element[0] - self.unBanIP(ip) - - def executeCmd(self, cmd): - return #os.system(cmd) - - def viewBanList(self): - iterBanList = self.banList.iteritems() - for i in range(len(self.banList)): - element = iterBanList.next() - print element - diff --git a/firewall/iptables.py b/firewall/iptables.py deleted file mode 100644 index fcee9652..00000000 --- a/firewall/iptables.py +++ /dev/null 
@@ -1,41 +0,0 @@ -# This file is part of Fail2Ban. -# -# Fail2Ban is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2 of the License, or -# (at your option) any later version. -# -# Fail2Ban is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with Fail2Ban; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - -# Author: Cyril Jaquier -# -# $Revision$ - -__author__ = "Cyril Jaquier" -__version__ = "$Revision$" -__date__ = "$Date$" -__copyright__ = "Copyright (c) 2004 Cyril Jaquier" -__license__ = "GPL" - -from firewall import Firewall - -class Iptables(Firewall): - - def banIP(self, ip, time): - query = 'iptables -I INPUT 1 -i eth0 -s '+str(ip)+' -j DROP' - self.addBanIP(ip, time) - self.executeCmd(query) - print query - - def unBanIP(self, ip): - query = 'iptables -D INPUT -i eth0 -s '+str(ip)+' -j DROP' - self.delBanIP(ip) - self.executeCmd(query) - print query diff --git a/log-test/current b/log-test/current deleted file mode 100644 index 6537a6aa..00000000 --- a/log-test/current +++ /dev/null @@ -1,4 +0,0 @@ - - Last output repeated 2 times - -Oct 7 11:47:08 [sshd] Failed password for illegal user test from 69.182.27.122 port 34015 ssh2 -Oct 7 11:47:09 [sshd] Failed password for illegal user guest from 69.182.27.122 port 34068 ssh2 -Oct 7 11:47:11 [sshd] Failed password for illegal user admin from 69.182.27.122 port 34127 ssh2 diff --git a/log-test/test b/log-test/test deleted file mode 100644 index 81e0e87f..00000000 --- a/log-test/test +++ /dev/null 
@@ -1,431 +0,0 @@ -Sep 28 13:18:43 [sshd] Failed password for illegal user test from 211.112.229.69 port 59506 ssh2 -Sep 28 13:18:45 [sshd] Failed password for illegal user guest from 211.112.229.69 port 59584 ssh2 -Sep 28 13:18:48 [sshd] Failed password for illegal user admin from 211.112.229.69 port 59668 ssh2 -Sep 28 13:18:51 [sshd] Failed password for illegal user admin from 211.112.229.69 port 59746 ssh2 -Sep 28 13:18:54 [sshd] Failed password for illegal user user from 211.112.229.69 port 59809 ssh2 -Sep 28 13:18:57 [sshd] Failed password for illegal user root from 211.112.229.69 port 59881 ssh2 -Sep 28 13:19:00 [sshd] Failed password for illegal user root from 211.112.229.69 port 59944 ssh2 -Sep 28 13:19:03 [sshd] Failed password for illegal user root from 211.112.229.69 port 59999 ssh2 -Sep 28 13:19:06 [sshd] Failed password for illegal user test from 211.112.229.69 port 60055 ssh2 -Sep 28 21:05:25 [sshd(pam_unix)] authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.128.local.home user=cyril -Sep 28 21:05:27 [sshd] error: PAM: Authentication failure for cyril from 192.168.0.128.local.home -Sep 29 03:45:18 [sshd] Failed password for illegal user nobody from 203.198.168.66 port 55927 ssh2 -Sep 29 03:45:21 [sshd] Failed password for illegal user patrick from 203.198.168.66 port 55973 ssh2 -Sep 29 03:45:23 [sshd] Failed password for illegal user patrick from 203.198.168.66 port 56010 ssh2 -Sep 29 03:45:26 [sshd] Failed password for illegal user root from 203.198.168.66 port 56060 ssh2 -Sep 29 03:45:29 [sshd] Failed password for illegal user root from 203.198.168.66 port 56107 ssh2 -Sep 29 03:45:32 [sshd] Failed password for illegal user root from 203.198.168.66 port 56152 ssh2 -Sep 29 03:45:34 [sshd] Failed password for illegal user root from 203.198.168.66 port 56200 ssh2 -Sep 29 03:45:37 [sshd] Failed password for illegal user root from 203.198.168.66 port 56243 ssh2 -Sep 29 03:45:40 [sshd] Failed password for illegal user rolo from 
203.198.168.66 port 56288 ssh2 -Sep 29 03:45:43 [sshd] Failed password for illegal user iceuser from 203.198.168.66 port 56333 ssh2 -Sep 29 03:45:46 [sshd] Failed password for illegal user horde from 203.198.168.66 port 56379 ssh2 -Sep 29 03:45:48 [sshd] Failed password for illegal user cyrus from 203.198.168.66 port 56425 ssh2 -Sep 29 03:45:52 [sshd] Failed password for illegal user www from 203.198.168.66 port 56470 ssh2 -Sep 29 03:45:55 [sshd] Failed password for illegal user wwwrun from 203.198.168.66 port 56534 ssh2 -Sep 29 03:45:58 [sshd] Failed password for illegal user matt from 203.198.168.66 port 56572 ssh2 -Sep 29 03:46:01 [sshd] Failed password for illegal user test from 203.198.168.66 port 56616 ssh2 -Sep 29 03:46:03 [sshd] Failed password for illegal user test from 203.198.168.66 port 56660 ssh2 -Sep 29 03:46:06 [sshd] Failed password for illegal user test from 203.198.168.66 port 56704 ssh2 -Sep 29 03:46:09 [sshd] Failed password for illegal user test from 203.198.168.66 port 56752 ssh2 -Sep 29 03:46:12 [sshd] Failed password for illegal user www-data from 203.198.168.66 port 56795 ssh2 -Sep 29 03:46:15 [sshd] Failed password for illegal user mysql from 203.198.168.66 port 56839 ssh2 -Sep 29 03:46:17 [sshd] Failed password for illegal user operator from 203.198.168.66 port 56882 ssh2 -Sep 29 03:46:20 [sshd] Failed password for illegal user adm from 203.198.168.66 port 56929 ssh2 -Sep 29 03:46:23 [sshd] Failed password for illegal user apache from 203.198.168.66 port 56971 ssh2 -Sep 29 03:46:26 [sshd] Failed password for illegal user irc from 203.198.168.66 port 57011 ssh2 -Sep 29 03:46:29 [sshd] Failed password for illegal user irc from 203.198.168.66 port 57060 ssh2 -Sep 29 03:46:31 [sshd] Failed password for illegal user adm from 203.198.168.66 port 57100 ssh2 -Sep 29 03:46:34 [sshd] Failed password for illegal user root from 203.198.168.66 port 57148 ssh2 -Sep 29 03:46:37 [sshd] Failed password for illegal user root from 203.198.168.66 port 57194 
ssh2 -Sep 29 03:46:40 [sshd] Failed password for illegal user root from 203.198.168.66 port 57236 ssh2 -Sep 29 03:46:43 [sshd] Failed password for illegal user jane from 203.198.168.66 port 57281 ssh2 -Sep 29 03:46:45 [sshd] Failed password for illegal user pamela from 203.198.168.66 port 57328 ssh2 -Sep 29 03:46:48 [sshd] Failed password for illegal user root from 203.198.168.66 port 57372 ssh2 -Sep 29 03:46:51 [sshd] Failed password for illegal user root from 203.198.168.66 port 57418 ssh2 -Sep 29 03:46:54 [sshd] Failed password for illegal user root from 203.198.168.66 port 57463 ssh2 -Sep 29 03:46:57 [sshd] Failed password for illegal user root from 203.198.168.66 port 57506 ssh2 -Sep 29 03:46:59 [sshd] Failed password for illegal user root from 203.198.168.66 port 57549 ssh2 -Sep 29 03:47:02 [sshd] Failed password for illegal user cosmin from 203.198.168.66 port 57594 ssh2 -Sep 29 03:47:05 [sshd] Failed password for illegal user root from 203.198.168.66 port 57637 ssh2 -Sep 29 03:47:08 [sshd] Failed password for illegal user root from 203.198.168.66 port 57689 ssh2 -Sep 29 03:47:11 [sshd] Failed password for illegal user root from 203.198.168.66 port 57730 ssh2 -Sep 29 03:47:13 [sshd] Failed password for illegal user root from 203.198.168.66 port 57774 ssh2 -Sep 29 03:47:16 [sshd] Failed password for illegal user root from 203.198.168.66 port 57820 ssh2 -Sep 29 03:47:19 [sshd] Failed password for illegal user root from 203.198.168.66 port 57866 ssh2 -Sep 29 03:47:22 [sshd] Failed password for illegal user root from 203.198.168.66 port 57901 ssh2 -Sep 29 03:47:25 [sshd] Failed password for illegal user root from 203.198.168.66 port 57944 ssh2 -Sep 29 03:47:27 [sshd] Failed password for illegal user root from 203.198.168.66 port 57990 ssh2 -Sep 29 03:47:31 [sshd] Failed password for illegal user root from 203.198.168.66 port 58031 ssh2 -Sep 29 03:47:34 [sshd] Failed password for illegal user root from 203.198.168.66 port 58098 ssh2 -Sep 29 03:47:37 [sshd] Failed 
password for illegal user root from 203.198.168.66 port 58137 ssh2 -Sep 29 03:47:40 [sshd] Failed password for illegal user root from 203.198.168.66 port 58183 ssh2 -Sep 29 03:47:42 [sshd] Failed password for illegal user root from 203.198.168.66 port 58228 ssh2 -Sep 29 03:47:45 [sshd] Failed password for illegal user root from 203.198.168.66 port 58273 ssh2 -Sep 29 03:47:48 [sshd] Failed password for illegal user root from 203.198.168.66 port 58314 ssh2 -Sep 29 03:47:51 [sshd] Failed password for illegal user root from 203.198.168.66 port 58358 ssh2 -Sep 29 03:47:54 [sshd] Failed password for illegal user root from 203.198.168.66 port 58401 ssh2 -Sep 29 03:47:56 [sshd] Failed password for illegal user root from 203.198.168.66 port 58443 ssh2 -Sep 29 03:47:59 [sshd] Failed password for illegal user root from 203.198.168.66 port 58484 ssh2 -Sep 29 03:48:02 [sshd] Failed password for illegal user root from 203.198.168.66 port 58528 ssh2 -Sep 29 03:48:05 [sshd] Failed password for illegal user root from 203.198.168.66 port 58574 ssh2 -Sep 29 03:48:07 [sshd] Failed password for illegal user root from 203.198.168.66 port 58613 ssh2 -Sep 29 03:48:10 [sshd] Failed password for illegal user root from 203.198.168.66 port 58662 ssh2 -Sep 29 03:48:13 [sshd] Failed password for illegal user root from 203.198.168.66 port 58703 ssh2 -Sep 29 03:48:16 [sshd] Failed password for illegal user root from 203.198.168.66 port 58748 ssh2 -Sep 29 03:48:19 [sshd] Failed password for illegal user root from 203.198.168.66 port 58792 ssh2 -Sep 29 03:48:21 [sshd] Failed password for illegal user root from 203.198.168.66 port 58839 ssh2 -Sep 29 03:48:24 [sshd] Failed password for illegal user root from 203.198.168.66 port 58880 ssh2 -Sep 29 03:48:27 [sshd] Failed password for illegal user root from 203.198.168.66 port 58926 ssh2 -Sep 29 03:48:30 [sshd] Failed password for illegal user root from 203.198.168.66 port 58967 ssh2 -Sep 29 03:48:33 [sshd] Failed password for illegal user root from 
203.198.168.66 port 59012 ssh2 -Sep 29 03:48:35 [sshd] Failed password for illegal user root from 203.198.168.66 port 59052 ssh2 -Sep 29 03:48:38 [sshd] Failed password for illegal user root from 203.198.168.66 port 59095 ssh2 -Sep 29 03:48:41 [sshd] Failed password for illegal user root from 203.198.168.66 port 59140 ssh2 -Sep 29 03:48:44 [sshd] Failed password for illegal user root from 203.198.168.66 port 59182 ssh2 -Sep 29 03:48:47 [sshd] Failed password for illegal user cip52 from 203.198.168.66 port 59222 ssh2 -Sep 29 03:48:49 [sshd] Failed password for illegal user cip51 from 203.198.168.66 port 59264 ssh2 -Sep 29 03:48:52 [sshd] Failed password for illegal user root from 203.198.168.66 port 59309 ssh2 -Sep 29 03:48:55 [sshd] Failed password for illegal user noc from 203.198.168.66 port 59351 ssh2 -Sep 29 03:48:58 [sshd] Failed password for illegal user root from 203.198.168.66 port 59395 ssh2 -Sep 29 03:49:01 [sshd] Failed password for illegal user root from 203.198.168.66 port 59432 ssh2 -Sep 29 03:49:04 [sshd] Failed password for illegal user root from 203.198.168.66 port 59479 ssh2 -Sep 29 03:49:07 [sshd] Failed password for illegal user root from 203.198.168.66 port 59951 ssh2 -Sep 29 03:49:11 [sshd] Failed password for illegal user webmaster from 203.198.168.66 port 60006 ssh2 -Sep 29 03:49:14 [sshd] Failed password for illegal user data from 203.198.168.66 port 60463 ssh2 -Sep 29 03:49:17 [sshd] Failed password for illegal user user from 203.198.168.66 port 60880 ssh2 -Sep 29 03:49:20 [sshd] Failed password for illegal user user from 203.198.168.66 port 60947 ssh2 -Sep 29 03:49:23 [sshd] Failed password for illegal user user from 203.198.168.66 port 33137 ssh2 -Sep 29 03:49:26 [sshd] Failed password for illegal user web from 203.198.168.66 port 33572 ssh2 -Sep 29 03:49:31 [sshd] Failed password for illegal user web from 203.198.168.66 port 33630 ssh2 -Sep 29 03:49:34 [sshd] Failed password for illegal user oracle from 203.198.168.66 port 34129 ssh2 
-Sep 29 03:49:39 [sshd] Failed password for illegal user sybase from 203.198.168.66 port 34558 ssh2 -Sep 29 03:49:42 [sshd] Failed password for illegal user master from 203.198.168.66 port 35018 ssh2 -Sep 29 03:49:45 [sshd] Failed password for illegal user account from 203.198.168.66 port 35095 ssh2 -Sep 29 03:49:48 [sshd] Failed password for illegal user backup from 203.198.168.66 port 35506 ssh2 -Sep 29 03:49:51 [sshd] Failed password for illegal user server from 203.198.168.66 port 35935 ssh2 -Sep 29 03:49:54 [sshd] Failed password for illegal user adam from 203.198.168.66 port 36016 ssh2 -Sep 29 03:49:57 [sshd] Failed password for illegal user alan from 203.198.168.66 port 36399 ssh2 -Sep 29 03:49:59 [sshd] Failed password for illegal user frank from 203.198.168.66 port 36488 ssh2 -Sep 29 03:50:04 [sshd] Failed password for illegal user george from 203.198.168.66 port 36876 ssh2 -Sep 29 03:50:07 [sshd] Failed password for illegal user henry from 203.198.168.66 port 37333 ssh2 -Sep 29 03:50:11 [sshd] Failed password for illegal user john from 203.198.168.66 port 37423 ssh2 -Sep 29 03:50:14 [sshd] Failed password for illegal user root from 203.198.168.66 port 37837 ssh2 -Sep 29 03:50:16 [sshd] Failed password for illegal user root from 203.198.168.66 port 38210 ssh2 -Sep 29 03:50:19 [sshd] Failed password for illegal user root from 203.198.168.66 port 38286 ssh2 -Sep 29 03:50:22 [sshd] Failed password for illegal user root from 203.198.168.66 port 38653 ssh2 -Sep 29 03:50:26 [sshd] Failed password for illegal user root from 203.198.168.66 port 38749 ssh2 -Sep 29 03:50:29 [sshd] Failed password for illegal user test from 203.198.168.66 port 39162 ssh2 -Sep 29 10:19:26 [sshd] Failed password for illegal user test from 24.19.0.105 port 3765 ssh2 -Sep 29 10:19:32 [sshd] Failed password for illegal user guest from 24.19.0.105 port 3846 ssh2 -Sep 29 10:19:39 [sshd] Failed password for illegal user admin from 24.19.0.105 port 3929 ssh2 -Sep 29 10:19:45 [sshd] Failed 
password for illegal user admin from 24.19.0.105 port 3992 ssh2 -Sep 29 10:19:49 [sshd] Failed password for illegal user user from 24.19.0.105 port 4057 ssh2 -Sep 29 10:19:54 [sshd] Failed password for illegal user root from 24.19.0.105 port 4115 ssh2 -Sep 29 10:19:58 [sshd] Failed password for illegal user root from 24.19.0.105 port 4170 ssh2 -Sep 29 10:20:01 [sshd] Failed password for illegal user root from 24.19.0.105 port 4202 ssh2 -Sep 29 10:20:04 [sshd] Failed password for illegal user test from 24.19.0.105 port 4242 ssh2 -Oct 1 15:53:46 [sshd] Failed password for illegal user test from 210.51.173.75 port 40940 ssh2 -Oct 1 15:53:53 [sshd] Failed password for illegal user guest from 210.51.173.75 port 41196 ssh2 -Oct 1 15:53:59 [sshd] Failed password for illegal user admin from 210.51.173.75 port 41480 ssh2 -Oct 1 15:54:05 [sshd] Failed password for illegal user admin from 210.51.173.75 port 41738 ssh2 -Oct 1 15:54:12 [sshd] Failed password for illegal user user from 210.51.173.75 port 42036 ssh2 -Oct 1 15:54:18 [sshd] Failed password for illegal user root from 210.51.173.75 port 42393 ssh2 -Oct 1 15:54:24 [sshd] Failed password for illegal user root from 210.51.173.75 port 42721 ssh2 -Oct 1 15:54:30 [sshd] Failed password for illegal user root from 210.51.173.75 port 42984 ssh2 -Oct 1 15:54:36 [sshd] Failed password for illegal user test from 210.51.173.75 port 43299 ssh2 -Oct 2 20:24:36 [sshd] Failed password for illegal user test from 220.64.223.249 port 2460 ssh2 -Oct 2 20:24:39 [sshd] Failed password for illegal user guest from 220.64.223.249 port 2527 ssh2 -Oct 2 20:24:42 [sshd] Failed password for illegal user admin from 220.64.223.249 port 2584 ssh2 -Oct 2 20:24:45 [sshd] Failed password for illegal user admin from 220.64.223.249 port 2645 ssh2 -Oct 2 20:24:48 [sshd] Failed password for illegal user user from 220.64.223.249 port 2708 ssh2 -Oct 2 20:24:51 [sshd] Failed password for illegal user root from 220.64.223.249 port 2794 ssh2 -Oct 2 20:24:54 
[sshd] Failed password for illegal user root from 220.64.223.249 port 2868 ssh2 -Oct 2 20:24:58 [sshd] Failed password for illegal user root from 220.64.223.249 port 2931 ssh2 -Oct 2 20:25:01 [sshd] Failed password for illegal user test from 220.64.223.249 port 2994 ssh2 -Oct 3 02:17:47 [sshd] Failed password for illegal user nobody from 216.65.197.170 port 54324 ssh2 -Oct 3 02:17:48 [sshd] Failed password for illegal user patrick from 216.65.197.170 port 54491 ssh2 -Oct 3 02:17:50 [sshd] Failed password for illegal user patrick from 216.65.197.170 port 54669 ssh2 -Oct 3 02:17:52 [sshd] Failed password for illegal user root from 216.65.197.170 port 54845 ssh2 -Oct 3 02:17:53 [sshd] Failed password for illegal user root from 216.65.197.170 port 55021 ssh2 -Oct 3 02:17:55 [sshd] Failed password for illegal user root from 216.65.197.170 port 55201 ssh2 -Oct 3 02:17:57 [sshd] Failed password for illegal user root from 216.65.197.170 port 55381 ssh2 -Oct 3 02:17:59 [sshd] Failed password for illegal user root from 216.65.197.170 port 55553 ssh2 -Oct 3 02:18:00 [sshd] Failed password for illegal user rolo from 216.65.197.170 port 55730 ssh2 -Oct 3 02:18:02 [sshd] Failed password for illegal user iceuser from 216.65.197.170 port 55892 ssh2 -Oct 3 02:18:04 [sshd] Failed password for illegal user horde from 216.65.197.170 port 56054 ssh2 -Oct 3 02:18:05 [sshd] Failed password for illegal user cyrus from 216.65.197.170 port 56231 ssh2 -Oct 3 02:18:07 [sshd] Failed password for illegal user www from 216.65.197.170 port 56412 ssh2 -Oct 3 02:18:09 [sshd] Failed password for illegal user wwwrun from 216.65.197.170 port 56594 ssh2 -Oct 3 02:18:11 [sshd] Failed password for illegal user matt from 216.65.197.170 port 56755 ssh2 -Oct 3 02:18:12 [sshd] Failed password for illegal user test from 216.65.197.170 port 56928 ssh2 -Oct 3 02:18:14 [sshd] Failed password for illegal user test from 216.65.197.170 port 57112 ssh2 -Oct 3 02:18:16 [sshd] Failed password for illegal user test 
from 216.65.197.170 port 57292 ssh2 -Oct 3 02:18:17 [sshd] Failed password for illegal user test from 216.65.197.170 port 57465 ssh2 -Oct 3 02:18:19 [sshd] Failed password for illegal user www-data from 216.65.197.170 port 57631 ssh2 -Oct 3 02:18:21 [sshd] Failed password for illegal user mysql from 216.65.197.170 port 57802 ssh2 -Oct 3 02:18:22 [sshd] Failed password for illegal user operator from 216.65.197.170 port 57989 ssh2 -Oct 3 02:18:24 [sshd] Failed password for illegal user adm from 216.65.197.170 port 58151 ssh2 -Oct 3 02:18:26 [sshd] Failed password for illegal user apache from 216.65.197.170 port 58319 ssh2 -Oct 3 02:18:28 [sshd] Failed password for illegal user irc from 216.65.197.170 port 58492 ssh2 -Oct 3 02:18:29 [sshd] Failed password for illegal user irc from 216.65.197.170 port 58662 ssh2 -Oct 3 02:18:31 [sshd] Failed password for illegal user adm from 216.65.197.170 port 58818 ssh2 -Oct 3 02:18:33 [sshd] Failed password for illegal user root from 216.65.197.170 port 58976 ssh2 -Oct 3 02:18:34 [sshd] Failed password for illegal user root from 216.65.197.170 port 59147 ssh2 -Oct 3 02:18:36 [sshd] Failed password for illegal user root from 216.65.197.170 port 59306 ssh2 -Oct 3 02:18:38 [sshd] Failed password for illegal user jane from 216.65.197.170 port 59474 ssh2 -Oct 3 02:18:40 [sshd] Failed password for illegal user pamela from 216.65.197.170 port 59644 ssh2 -Oct 3 02:18:41 [sshd] Failed password for illegal user root from 216.65.197.170 port 59797 ssh2 -Oct 3 02:18:43 [sshd] Failed password for illegal user root from 216.65.197.170 port 59963 ssh2 -Oct 3 02:18:45 [sshd] Failed password for illegal user root from 216.65.197.170 port 60139 ssh2 -Oct 3 02:18:47 [sshd] Failed password for illegal user root from 216.65.197.170 port 60308 ssh2 -Oct 3 02:18:48 [sshd] Failed password for illegal user root from 216.65.197.170 port 60479 ssh2 -Oct 3 02:18:50 [sshd] Failed password for illegal user cosmin from 216.65.197.170 port 60654 ssh2 -Oct 3 
02:18:52 [sshd] Failed password for illegal user root from 216.65.197.170 port 60830 ssh2 -Oct 3 02:18:54 [sshd] Failed password for illegal user root from 216.65.197.170 port 60992 ssh2 -Oct 3 02:18:55 [sshd] Failed password for illegal user root from 216.65.197.170 port 32945 ssh2 -Oct 3 02:18:58 [sshd] Failed password for illegal user root from 216.65.197.170 port 33101 ssh2 -Oct 3 02:18:59 [sshd] Failed password for illegal user root from 216.65.197.170 port 33343 ssh2 -Oct 3 02:19:02 [sshd] Failed password for illegal user root from 216.65.197.170 port 33501 ssh2 -Oct 3 02:19:03 [sshd] Failed password for illegal user root from 216.65.197.170 port 33733 ssh2 -Oct 3 02:19:05 [sshd] Failed password for illegal user root from 216.65.197.170 port 33892 ssh2 -Oct 3 02:19:07 [sshd] Failed password for illegal user root from 216.65.197.170 port 34066 ssh2 -Oct 3 02:19:08 [sshd] Failed password for illegal user root from 216.65.197.170 port 34212 ssh2 -Oct 3 02:19:10 [sshd] Failed password for illegal user root from 216.65.197.170 port 34376 ssh2 -Oct 3 02:19:12 [sshd] Failed password for illegal user root from 216.65.197.170 port 34535 ssh2 -Oct 3 02:19:14 [sshd] Failed password for illegal user root from 216.65.197.170 port 34704 ssh2 -Oct 3 02:19:16 [sshd] Failed password for illegal user root from 216.65.197.170 port 34853 ssh2 -Oct 3 02:19:18 [sshd] Failed password for illegal user root from 216.65.197.170 port 35092 ssh2 -Oct 3 02:19:19 [sshd] Failed password for illegal user root from 216.65.197.170 port 35261 ssh2 -Oct 3 02:19:21 [sshd] Failed password for illegal user root from 216.65.197.170 port 35425 ssh2 -Oct 3 02:19:23 [sshd] Failed password for illegal user root from 216.65.197.170 port 35583 ssh2 -Oct 3 02:19:24 [sshd] Failed password for illegal user root from 216.65.197.170 port 35753 ssh2 -Oct 3 02:19:26 [sshd] Failed password for illegal user root from 216.65.197.170 port 35901 ssh2 -Oct 3 02:19:28 [sshd] Failed password for illegal user root from 
216.65.197.170 port 36068 ssh2 -Oct 3 02:19:30 [sshd] Failed password for illegal user root from 216.65.197.170 port 36227 ssh2 -Oct 3 02:19:33 [sshd] Failed password for illegal user root from 216.65.197.170 port 36453 ssh2 -Oct 3 02:19:34 [sshd] Failed password for illegal user root from 216.65.197.170 port 36673 ssh2 -Oct 3 02:19:36 [sshd] Failed password for illegal user root from 216.65.197.170 port 36823 ssh2 -Oct 3 02:19:38 [sshd] Failed password for illegal user root from 216.65.197.170 port 36981 ssh2 -Oct 3 02:19:39 [sshd] Failed password for illegal user root from 216.65.197.170 port 37152 ssh2 -Oct 3 02:19:41 [sshd] Failed password for illegal user root from 216.65.197.170 port 37310 ssh2 -Oct 3 02:19:43 [sshd] Failed password for illegal user root from 216.65.197.170 port 37484 ssh2 -Oct 3 02:19:45 [sshd] Failed password for illegal user root from 216.65.197.170 port 37644 ssh2 -Oct 3 02:19:46 [sshd] Failed password for illegal user root from 216.65.197.170 port 37827 ssh2 -Oct 3 02:19:48 [sshd] Failed password for illegal user root from 216.65.197.170 port 37989 ssh2 -Oct 3 02:19:50 [sshd] Failed password for illegal user root from 216.65.197.170 port 38163 ssh2 -Oct 3 02:19:52 [sshd] Failed password for illegal user root from 216.65.197.170 port 38329 ssh2 -Oct 3 02:19:54 [sshd] Failed password for illegal user root from 216.65.197.170 port 38559 ssh2 -Oct 3 02:19:56 [sshd] Failed password for illegal user root from 216.65.197.170 port 38735 ssh2 -Oct 3 02:19:58 [sshd] Failed password for illegal user cip52 from 216.65.197.170 port 38893 ssh2 -Oct 3 02:20:00 [sshd] Failed password for illegal user cip51 from 216.65.197.170 port 39109 ssh2 -Oct 3 02:20:01 [sshd] Failed password for illegal user root from 216.65.197.170 port 39282 ssh2 -Oct 3 02:20:03 [sshd] Failed password for illegal user noc from 216.65.197.170 port 39448 ssh2 -Oct 3 02:20:05 [sshd] Failed password for illegal user root from 216.65.197.170 port 39621 ssh2 -Oct 3 02:20:06 [sshd] 
Failed password for illegal user root from 216.65.197.170 port 39781 ssh2 -Oct 3 02:20:08 [sshd] Failed password for illegal user root from 216.65.197.170 port 39958 ssh2 -Oct 3 02:20:10 [sshd] Failed password for illegal user root from 216.65.197.170 port 40125 ssh2 -Oct 3 02:20:12 [sshd] Failed password for illegal user webmaster from 216.65.197.170 port 40316 ssh2 -Oct 3 02:20:13 [sshd] Failed password for illegal user data from 216.65.197.170 port 40473 ssh2 -Oct 3 02:20:15 [sshd] Failed password for illegal user user from 216.65.197.170 port 40645 ssh2 -Oct 3 02:20:17 [sshd] Failed password for illegal user user from 216.65.197.170 port 40800 ssh2 -Oct 3 02:20:19 [sshd] Failed password for illegal user user from 216.65.197.170 port 40965 ssh2 -Oct 3 02:20:20 [sshd] Failed password for illegal user web from 216.65.197.170 port 41120 ssh2 -Oct 3 02:20:22 [sshd] Failed password for illegal user web from 216.65.197.170 port 41300 ssh2 -Oct 3 02:20:24 [sshd] Failed password for illegal user oracle from 216.65.197.170 port 41468 ssh2 -Oct 3 02:20:25 [sshd] Failed password for illegal user sybase from 216.65.197.170 port 41642 ssh2 -Oct 3 02:20:27 [sshd] Failed password for illegal user master from 216.65.197.170 port 41809 ssh2 -Oct 3 02:20:29 [sshd] Failed password for illegal user account from 216.65.197.170 port 41987 ssh2 -Oct 3 02:20:31 [sshd] Failed password for illegal user backup from 216.65.197.170 port 42143 ssh2 -Oct 3 02:20:32 [sshd] Failed password for illegal user server from 216.65.197.170 port 42316 ssh2 -Oct 3 02:20:34 [sshd] Failed password for illegal user adam from 216.65.197.170 port 42481 ssh2 -Oct 3 02:20:36 [sshd] Failed password for illegal user alan from 216.65.197.170 port 42647 ssh2 -Oct 3 02:20:37 [sshd] Failed password for illegal user frank from 216.65.197.170 port 42817 ssh2 -Oct 3 02:20:39 [sshd] Failed password for illegal user george from 216.65.197.170 port 42993 ssh2 -Oct 3 02:20:41 [sshd] Failed password for illegal user henry 
from 216.65.197.170 port 43170 ssh2 -Oct 3 02:20:43 [sshd] Failed password for illegal user john from 216.65.197.170 port 43319 ssh2 -Oct 3 02:20:44 [sshd] Failed password for illegal user root from 216.65.197.170 port 43504 ssh2 -Oct 3 02:20:46 [sshd] Failed password for illegal user root from 216.65.197.170 port 43664 ssh2 -Oct 3 02:20:48 [sshd] Failed password for illegal user root from 216.65.197.170 port 43844 ssh2 -Oct 3 02:20:49 [sshd] Failed password for illegal user root from 216.65.197.170 port 44008 ssh2 -Oct 3 02:20:51 [sshd] Failed password for illegal user root from 216.65.197.170 port 44182 ssh2 -Oct 3 02:20:53 [sshd] Failed password for illegal user test from 216.65.197.170 port 44338 ssh2 -Oct 3 06:37:34 [sshd] Failed password for illegal user nobody from 217.56.33.194 port 1969 ssh2 -Oct 3 06:37:36 [sshd] Failed password for illegal user patrick from 217.56.33.194 port 2002 ssh2 -Oct 3 06:37:37 [sshd] Failed password for illegal user patrick from 217.56.33.194 port 2039 ssh2 -Oct 3 06:37:38 [sshd] Failed password for illegal user root from 217.56.33.194 port 2070 ssh2 -Oct 3 06:37:40 [sshd] Failed password for illegal user root from 217.56.33.194 port 2109 ssh2 -Oct 3 06:37:41 [sshd] Failed password for illegal user root from 217.56.33.194 port 2142 ssh2 -Oct 3 06:37:42 [sshd] Failed password for illegal user root from 217.56.33.194 port 2173 ssh2 -Oct 3 06:37:44 [sshd] Failed password for illegal user root from 217.56.33.194 port 2211 ssh2 -Oct 3 06:37:45 [sshd] Failed password for illegal user rolo from 217.56.33.194 port 2244 ssh2 -Oct 3 06:37:46 [sshd] Failed password for illegal user iceuser from 217.56.33.194 port 2272 ssh2 -Oct 3 06:37:48 [sshd] Failed password for illegal user horde from 217.56.33.194 port 2305 ssh2 -Oct 3 06:37:49 [sshd] Failed password for illegal user cyrus from 217.56.33.194 port 2337 ssh2 -Oct 3 06:37:50 [sshd] Failed password for illegal user www from 217.56.33.194 port 2373 ssh2 -Oct 3 06:37:52 [sshd] Failed 
password for illegal user wwwrun from 217.56.33.194 port 2407 ssh2 -Oct 3 06:37:53 [sshd] Failed password for illegal user matt from 217.56.33.194 port 2439 ssh2 -Oct 3 06:37:55 [sshd] Failed password for illegal user test from 217.56.33.194 port 2466 ssh2 -Oct 3 06:37:56 [sshd] Failed password for illegal user test from 217.56.33.194 port 2501 ssh2 -Oct 3 06:37:57 [sshd] Failed password for illegal user test from 217.56.33.194 port 2533 ssh2 -Oct 3 06:37:59 [sshd] Failed password for illegal user test from 217.56.33.194 port 2567 ssh2 -Oct 3 06:38:00 [sshd] Failed password for illegal user www-data from 217.56.33.194 port 2605 ssh2 -Oct 3 06:38:01 [sshd] Failed password for illegal user mysql from 217.56.33.194 port 2635 ssh2 -Oct 3 06:38:03 [sshd] Failed password for illegal user operator from 217.56.33.194 port 2667 ssh2 -Oct 3 06:38:04 [sshd] Failed password for illegal user adm from 217.56.33.194 port 2697 ssh2 -Oct 3 06:38:05 [sshd] Failed password for illegal user apache from 217.56.33.194 port 2733 ssh2 -Oct 3 06:38:07 [sshd] Failed password for illegal user irc from 217.56.33.194 port 2768 ssh2 -Oct 3 06:38:08 [sshd] Failed password for illegal user irc from 217.56.33.194 port 2804 ssh2 -Oct 3 06:38:09 [sshd] Failed password for illegal user adm from 217.56.33.194 port 2837 ssh2 -Oct 3 06:38:11 [sshd] Failed password for illegal user root from 217.56.33.194 port 2872 ssh2 -Oct 3 06:38:13 [sshd] Failed password for illegal user root from 217.56.33.194 port 2907 ssh2 -Oct 3 06:38:14 [sshd] Failed password for illegal user root from 217.56.33.194 port 2950 ssh2 -Oct 3 06:38:16 [sshd] Failed password for illegal user jane from 217.56.33.194 port 2986 ssh2 -Oct 3 06:38:17 [sshd] Failed password for illegal user pamela from 217.56.33.194 port 3019 ssh2 -Oct 3 06:38:18 [sshd] Failed password for illegal user root from 217.56.33.194 port 3053 ssh2 -Oct 3 06:38:20 [sshd] Failed password for illegal user root from 217.56.33.194 port 3085 ssh2 -Oct 3 06:38:21 [sshd] 
Failed password for illegal user root from 217.56.33.194 port 3115 ssh2 -Oct 3 06:38:22 [sshd] Failed password for illegal user root from 217.56.33.194 port 3147 ssh2 -Oct 3 06:38:24 [sshd] Failed password for illegal user root from 217.56.33.194 port 3177 ssh2 -Oct 3 06:38:25 [sshd] Failed password for illegal user cosmin from 217.56.33.194 port 3208 ssh2 -Oct 3 06:38:26 [sshd] Failed password for illegal user root from 217.56.33.194 port 3239 ssh2 -Oct 3 06:38:28 [sshd] Failed password for illegal user root from 217.56.33.194 port 3272 ssh2 -Oct 3 06:38:29 [sshd] Failed password for illegal user root from 217.56.33.194 port 3302 ssh2 -Oct 3 06:38:30 [sshd] Failed password for illegal user root from 217.56.33.194 port 3336 ssh2 -Oct 3 06:38:32 [sshd] Failed password for illegal user root from 217.56.33.194 port 3367 ssh2 -Oct 3 06:38:33 [sshd] Failed password for illegal user root from 217.56.33.194 port 3403 ssh2 -Oct 3 06:38:34 [sshd] Failed password for illegal user root from 217.56.33.194 port 3432 ssh2 -Oct 3 06:38:36 [sshd] Failed password for illegal user root from 217.56.33.194 port 3458 ssh2 -Oct 3 06:38:37 [sshd] Failed password for illegal user root from 217.56.33.194 port 3494 ssh2 -Oct 3 06:38:38 [sshd] Failed password for illegal user root from 217.56.33.194 port 3525 ssh2 -Oct 3 06:38:40 [sshd] Failed password for illegal user root from 217.56.33.194 port 3554 ssh2 -Oct 3 06:38:41 [sshd] Failed password for illegal user root from 217.56.33.194 port 3590 ssh2 -Oct 3 06:38:42 [sshd] Failed password for illegal user root from 217.56.33.194 port 3623 ssh2 -Oct 3 06:38:44 [sshd] Failed password for illegal user root from 217.56.33.194 port 3654 ssh2 -Oct 3 06:38:45 [sshd] Failed password for illegal user root from 217.56.33.194 port 3690 ssh2 -Oct 3 06:38:46 [sshd] Failed password for illegal user root from 217.56.33.194 port 3720 ssh2 -Oct 3 06:38:48 [sshd] Failed password for illegal user root from 217.56.33.194 port 3752 ssh2 -Oct 3 06:38:49 [sshd] 
Failed password for illegal user root from 217.56.33.194 port 3785 ssh2 -Oct 3 06:38:51 [sshd] Failed password for illegal user root from 217.56.33.194 port 3817 ssh2 -Oct 3 06:38:52 [sshd] Failed password for illegal user root from 217.56.33.194 port 3853 ssh2 -Oct 3 06:38:53 [sshd] Failed password for illegal user root from 217.56.33.194 port 3886 ssh2 -Oct 3 06:38:55 [sshd] Failed password for illegal user root from 217.56.33.194 port 3923 ssh2 -Oct 3 06:38:56 [sshd] Failed password for illegal user root from 217.56.33.194 port 3955 ssh2 -Oct 3 06:38:57 [sshd] Failed password for illegal user root from 217.56.33.194 port 3983 ssh2 -Oct 3 06:38:59 [sshd] Failed password for illegal user root from 217.56.33.194 port 4016 ssh2 -Oct 3 06:39:00 [sshd] Failed password for illegal user root from 217.56.33.194 port 4045 ssh2 -Oct 3 06:39:01 [sshd] Failed password for illegal user root from 217.56.33.194 port 4073 ssh2 -Oct 3 06:39:03 [sshd] Failed password for illegal user root from 217.56.33.194 port 4110 ssh2 -Oct 3 06:39:04 [sshd] Failed password for illegal user root from 217.56.33.194 port 4140 ssh2 -Oct 3 06:39:05 [sshd] Failed password for illegal user root from 217.56.33.194 port 4171 ssh2 -Oct 3 06:39:07 [sshd] Failed password for illegal user root from 217.56.33.194 port 4201 ssh2 -Oct 3 06:39:08 [sshd] Failed password for illegal user root from 217.56.33.194 port 4235 ssh2 -Oct 3 06:39:09 [sshd] Failed password for illegal user root from 217.56.33.194 port 4267 ssh2 -Oct 3 06:39:11 [sshd] Failed password for illegal user root from 217.56.33.194 port 4300 ssh2 -Oct 3 06:39:12 [sshd] Failed password for illegal user root from 217.56.33.194 port 4326 ssh2 -Oct 3 06:39:13 [sshd] Failed password for illegal user root from 217.56.33.194 port 4358 ssh2 -Oct 3 06:39:15 [sshd] Failed password for illegal user cip52 from 217.56.33.194 port 4390 ssh2 -Oct 3 06:39:16 [sshd] Failed password for illegal user cip51 from 217.56.33.194 port 4427 ssh2 -Oct 3 06:39:18 [sshd] 
Failed password for illegal user root from 217.56.33.194 port 4459 ssh2 -Oct 3 06:39:19 [sshd] Failed password for illegal user noc from 217.56.33.194 port 4492 ssh2 -Oct 3 06:39:20 [sshd] Failed password for illegal user root from 217.56.33.194 port 4526 ssh2 -Oct 3 06:39:22 [sshd] Failed password for illegal user root from 217.56.33.194 port 4557 ssh2 -Oct 3 06:39:23 [sshd] Failed password for illegal user root from 217.56.33.194 port 4588 ssh2 -Oct 3 06:39:24 [sshd] Failed password for illegal user root from 217.56.33.194 port 4618 ssh2 -Oct 3 06:39:26 [sshd] Failed password for illegal user webmaster from 217.56.33.194 port 4652 ssh2 -Oct 3 06:39:27 [sshd] Failed password for illegal user data from 217.56.33.194 port 4679 ssh2 -Oct 3 06:39:28 [sshd] Failed password for illegal user user from 217.56.33.194 port 4716 ssh2 -Oct 3 06:39:30 [sshd] Failed password for illegal user user from 217.56.33.194 port 4744 ssh2 -Oct 3 06:39:31 [sshd] Failed password for illegal user user from 217.56.33.194 port 4777 ssh2 -Oct 3 06:39:32 [sshd] Failed password for illegal user web from 217.56.33.194 port 4808 ssh2 -Oct 3 06:39:34 [sshd] Failed password for illegal user web from 217.56.33.194 port 4842 ssh2 -Oct 3 06:39:35 [sshd] Failed password for illegal user oracle from 217.56.33.194 port 4869 ssh2 -Oct 3 06:39:36 [sshd] Failed password for illegal user sybase from 217.56.33.194 port 4899 ssh2 -Oct 3 06:39:38 [sshd] Failed password for illegal user master from 217.56.33.194 port 4933 ssh2 -Oct 3 06:39:39 [sshd] Failed password for illegal user account from 217.56.33.194 port 4969 ssh2 -Oct 3 06:39:40 [sshd] Failed password for illegal user backup from 217.56.33.194 port 4999 ssh2 -Oct 3 06:39:42 [sshd] Failed password for illegal user server from 217.56.33.194 port 1051 ssh2 -Oct 3 06:39:43 [sshd] Failed password for illegal user adam from 217.56.33.194 port 1082 ssh2 -Oct 3 06:39:44 [sshd] Failed password for illegal user alan from 217.56.33.194 port 1114 ssh2 -Oct 3 
06:39:46 [sshd] Failed password for illegal user frank from 217.56.33.194 port 1141 ssh2 -Oct 3 06:39:47 [sshd] Failed password for illegal user george from 217.56.33.194 port 1174 ssh2 -Oct 3 06:39:49 [sshd] Failed password for illegal user henry from 217.56.33.194 port 1205 ssh2 -Oct 3 06:39:50 [sshd] Failed password for illegal user john from 217.56.33.194 port 1236 ssh2 -Oct 3 06:39:51 [sshd] Failed password for illegal user root from 217.56.33.194 port 1271 ssh2 -Oct 3 06:39:53 [sshd] Failed password for illegal user root from 217.56.33.194 port 1300 ssh2 -Oct 3 06:39:55 [sshd] Failed password for illegal user root from 217.56.33.194 port 1332 ssh2 -Oct 3 06:39:56 [sshd] Failed password for illegal user root from 217.56.33.194 port 1380 ssh2 -Oct 3 06:39:57 [sshd] Failed password for illegal user root from 217.56.33.194 port 1412 ssh2 -Oct 3 06:39:59 [sshd] Failed password for illegal user test from 217.56.33.194 port 1449 ssh2 -Oct 4 04:43:59 [sshd] Failed password for illegal user test from 212.204.226.21 port 60349 ssh2 -Oct 4 04:44:03 [sshd] Failed password for illegal user guest from 212.204.226.21 port 60394 ssh2 -Oct 4 04:44:06 [sshd] Failed password for illegal user admin from 212.204.226.21 port 60540 ssh2 -Oct 4 04:44:08 [sshd] Failed password for illegal user admin from 212.204.226.21 port 60620 ssh2 -Oct 4 04:44:11 [sshd] Failed password for illegal user user from 212.204.226.21 port 60679 ssh2 -Oct 4 04:44:14 [sshd] Failed password for illegal user root from 212.204.226.21 port 60773 ssh2 -Oct 4 04:44:15 [sshd] Failed password for illegal user root from 212.204.226.21 port 60828 ssh2 -Oct 4 04:44:18 [sshd] Failed password for illegal user root from 212.204.226.21 port 60880 ssh2 -Oct 4 04:44:21 [sshd] Failed password for illegal user test from 212.204.226.21 port 60957 ssh2 -Oct 4 09:32:21 [sshd] Failed password for illegal user test from 62.141.56.70 port 45600 ssh2 -Oct 4 09:32:27 [sshd] Failed password for illegal user guest from 62.141.56.70 
port 47635 ssh2 -Oct 4 09:32:32 [sshd] Failed password for illegal user admin from 62.141.56.70 port 49967 ssh2 -Oct 4 09:32:37 [sshd] Failed password for illegal user admin from 62.141.56.70 port 52093 ssh2 -Oct 4 09:32:42 [sshd] Failed password for illegal user user from 62.141.56.70 port 53840 ssh2 -Oct 4 09:32:47 [sshd] Failed password for illegal user root from 62.141.56.70 port 55568 ssh2 -Oct 4 09:32:51 [sshd] Failed password for illegal user root from 62.141.56.70 port 57526 ssh2 -Oct 4 09:32:51 [sshd] Failed password for illegal user root from 62.141.56.70 port 58454 ssh2 -Oct 4 09:32:52 [sshd] Failed password for illegal user test from 62.141.56.70 port 58819 ssh2 -Oct 4 14:09:11 [sshd] Failed password for illegal user test from 211.234.125.100 port 46642 ssh2 -Oct 4 14:09:18 [sshd] Failed password for illegal user guest from 211.234.125.100 port 46788 ssh2 -Oct 4 14:09:23 [sshd] Failed password for illegal user admin from 211.234.125.100 port 46886 ssh2 -Oct 4 14:09:30 [sshd] Failed password for illegal user admin from 211.234.125.100 port 46960 ssh2 -Oct 4 14:09:43 [sshd] Failed password for illegal user user from 211.234.125.100 port 47025 ssh2 -Oct 6 04:13:11 [sshd] Failed password for illegal user test from 64.246.30.17 port 58277 ssh2 -Oct 6 04:13:13 [sshd] Failed password for illegal user guest from 64.246.30.17 port 58360 ssh2 -Oct 6 04:13:15 [sshd] Failed password for illegal user admin from 64.246.30.17 port 58428 ssh2 -Oct 6 04:13:17 [sshd] Failed password for illegal user admin from 64.246.30.17 port 58514 ssh2 -Oct 6 22:13:56 [sshd] Failed password for illegal user test from 61.11.98.217 port 45434 ssh2 -Oct 6 22:14:00 [sshd] Failed password for illegal user guest from 61.11.98.217 port 45586 ssh2 -Oct 6 22:14:05 [sshd] Failed password for illegal user admin from 61.11.98.217 port 45672 ssh2 -Oct 6 22:14:10 [sshd] Failed password for illegal user admin from 61.11.98.217 port 45748 ssh2 -Oct 6 22:14:18 [sshd] Failed password for illegal user 
user from 61.11.98.217 port 45833 ssh2 -Oct 7 00:25:34 [sshd] Failed password for illegal user tata from 128.178.164.52 port 37086 ssh2 -Oct 7 00:25:34 [sshd] Failed password for illegal user tata from 128.178.164.52 port 37086 ssh2 - - Last output repeated twice - -Oct 7 00:26:27 [sshd] Failed password for illegal user tata from 128.178.164.52 port 37089 ssh2 - - Last output repeated 2 times - -Oct 7 00:26:37 [sshd] Failed password for illegal user tata from 128.178.164.52 port 37092 ssh2 - - Last output repeated 2 times - -Oct 7 00:27:21 [sshd] Failed password for illegal user tata from 128.178.164.52 port 37095 ssh2 - - Last output repeated twice - -Oct 7 00:51:31 [sshd] Failed password for illegal user tata from 128.178.164.52 port 37130 ssh2 - - Last output repeated 2 times - -Oct 7 00:51:48 [sshd] Failed password for illegal user tata from 128.178.164.52 port 37138 ssh2 - - Last output repeated 2 times - -Oct 7 00:52:02 [sshd] Failed password for illegal user tata from 128.178.164.52 port 37141 ssh2 -Oct 7 00:56:10 [sshd] Failed password for illegal user tata from 128.178.164.52 port 37153 ssh2 - - Last output repeated 2 times - -Oct 7 00:56:41 [sshd] Failed password for illegal user tata from 128.178.164.52 port 37156 ssh2 - - Last output repeated 2 times - -Oct 7 00:57:00 [sshd] Failed password for illegal user tata from 128.178.164.52 port 37159 ssh2 -Oct 7 00:58:17 [sshd] Failed password for illegal user tata from 128.178.164.52 port 37162 ssh2 - - Last output repeated 2 times - -Oct 7 00:58:29 [sshd] Failed password for illegal user tata from 128.178.164.52 port 37165 ssh2 - - Last output repeated 2 times - -Oct 7 00:58:39 [sshd] Failed password for illegal user tata from 128.178.164.52 port 37168 ssh2 -Oct 7 01:00:32 [sshd] Failed password for illegal user tata from 128.178.164.52 port 37171 ssh2 - - Last output repeated 2 times - -Oct 7 01:00:44 [sshd] Failed password for illegal user tata from 128.178.164.52 port 37175 ssh2 - - Last output repeated 2 
times - -Oct 7 01:01:23 [sshd] Failed password for illegal user tata from 128.178.164.52 port 37178 ssh2 - - Last output repeated 2 times - -Oct 7 01:03:01 [sshd] Failed password for illegal user tata from 128.178.164.52 port 37181 ssh2 - - Last output repeated 2 times - -Oct 7 01:03:12 [sshd] Failed password for illegal user tata from 128.178.164.52 port 37184 ssh2 - - Last output repeated 2 times - -Oct 7 01:03:20 [sshd] Failed password for illegal user tata from 128.178.164.52 port 37187 ssh2 - - Last output repeated 2 times - -Oct 8 11:47:08 [sshd] Failed password for illegal user test from 69.182.27.122 port 34015 ssh2 -Oct 8 11:47:09 [sshd] Failed password for illegal user guest from 69.182.27.122 port 34068 ssh2 -Oct 8 11:47:11 [sshd] Failed password for illegal user admin from 69.182.27.122 port 34127 ssh2 -Oct 9 21:54:11 yellow sshd[16069]: Failed password for cyril from 212.41.79.210 port 29404 ssh2 diff --git a/logreader/logreader.py b/logreader/logreader.py deleted file mode 100644 index 492ed76d..00000000 --- a/logreader/logreader.py +++ /dev/null 
@@ -1,67 +0,0 @@
-# This file is part of Fail2Ban.
-#
-# Fail2Ban is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-#
-# Fail2Ban is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with Fail2Ban; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
-
-# Author: Cyril Jaquier
-#
-# $Revision$
-
-__author__ = "Cyril Jaquier"
-__version__ = "$Revision$"
-__date__ = "$Date$"
-__copyright__ = "Copyright (c) 2004 Cyril Jaquier"
-__license__ = "GPL"
-
-import os, sys
-
-class LogReader:
-
- def __init__(self, logPath, findTime = 3600):
- self.logPath = logPath
- self.findTime = findTime
- self.ignoreIpList = []
- self.lastModTime = 0
-
- def addIgnoreIP(self, ip):
- self.ignoreIpList.append(ip)
-
- def inIgnoreIPList(self, ip):
- return ip in self.ignoreIpList
-
- def openLogFile(self):
- try:
- fileHandler = open(self.logPath)
- except OSError:
- print "Unable to open", self.logPath
- sys.exit(-1)
- return fileHandler
-
- def isModified(self):
- try:
- logStats = os.stat(self.logPath)
- except OSError:
- print "Unable to get stat on", logPath
- sys.exit(-1)
-
- if self.lastModTime == logStats.st_mtime:
- return False
- else:
- print self.logPath, 'has been modified'
- self.lastModTime = logStats.st_mtime
- return True
-
- def getPwdFailure(self):
- failList = self.getFailInfo(self.findTime)
- return failList
diff --git a/logreader/metalog.py b/logreader/metalog.py
deleted file mode 100644
index 20a64766..00000000
--- a/logreader/metalog.py
+++ /dev/null
@@ -1,65 +0,0 @@
-# This file is part of Fail2Ban.
-#
-# Fail2Ban is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-#
-# Fail2Ban is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with Fail2Ban; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
-
-# Author: Cyril Jaquier
-#
-# $Revision$
-
-__author__ = "Cyril Jaquier"
-__version__ = "$Revision$"
-__date__ = "$Date$"
-__copyright__ = "Copyright (c) 2004 Cyril Jaquier"
-__license__ = "GPL"
-
-import re, time
-
-from logreader import LogReader
-
-class Metalog(LogReader):
-
- def getFailInfo(self, findTime):
- ipList = dict()
- logFile = self.openLogFile()
- for line in logFile.readlines():
- match = self.parseLogLine(line)
- if match:
- ip = match[0]
- unixTime = match[1]
- if unixTime < time.time()-self.findTime:
- continue
- if self.inIgnoreIPList(ip):
- print 'Ignore', ip
- continue
- print 'Found', ip, 'at', unixTime
- if ipList.has_key(ip):
- ipList[ip] = (ipList[ip][0]+1, unixTime)
- else:
- ipList[ip] = (1, unixTime)
- logFile.close()
- return ipList
-
- def parseLogLine(self, line):
- """ Match sshd failed password log
- """
- if re.search("Failed password", line):
- matchIP = re.search("(?:\d{1,3}\.){3}\d{1,3}", line)
- if matchIP:
- date = list(time.strptime(line[0:15], "%b %d %H:%M:%S"))
- date[0] = time.gmtime()[0]
- unixTime = time.mktime(date)
- return [matchIP.group(), unixTime]
- else:
- return False
From 4602bb1bfc8ce9f63aaaa323e1b1b9ecd293cf30 Mon Sep 17 00:00:00 2001
From: Cyril Jaquier Date: Sun, 10 Oct 2004 23:44:24 +0000 Subject: [PATCH 010/549] - Add this file with .py extension in order to be recognized as a Python source file with pydev (Eclipse plugin) - Add command line options: -v (verbose mode), -h (help), -b (background) - Add daemon function found on aspn.activestate.com git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@14 a942ae1a-1317-0410-a47c-b1dcaea8d605 --- fail2ban.py | 176 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 176 insertions(+) create mode 100755 fail2ban.py diff --git a/fail2ban.py b/fail2ban.py new file mode 100755 index 00000000..4acae8e3 --- /dev/null +++ b/fail2ban.py
@@ -0,0 +1,176 @@
+#!/usr/bin/env python
+
+# This file is part of Fail2Ban.
+#
+# Fail2Ban is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# Fail2Ban is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Fail2Ban; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+
+# Author: Cyril Jaquier
+#
+# $Revision$
+
+__author__ = "Cyril Jaquier"
+__version__ = "$Revision$"
+__date__ = "$Date$"
+__copyright__ = "Copyright (c) 2004 Cyril Jaquier"
+__license__ = "GPL"
+
+import posix, time, sys, getopt, os, signal
+
+from firewall.iptables import Iptables
+from logreader.metalog import Metalog
+
+def usage():
+ print "fail2ban [-h][-v][-b]"
+ sys.exit(0)
+
+def checkForRoot():
+ """ Check for root user.
+ """
+ uid = `posix.getuid()`
+ if uid == '0':
+ return True
+ else:
+ return False
+
+def createDaemon():
+ """Detach a process from the controlling terminal and run it in the
+ background as a daemon.
+
+ http://aspn.activestate.com/ASPN/Cookbook/Python/Recipe/278731
+ """
+
+ try:
+ # Fork a child process so the parent can exit. This will return control
+ # to the command line or shell. This is required so that the new process
+ # is guaranteed not to be a process group leader. We have this guarantee
+ # because the process GID of the parent is inherited by the child, but
+ # the child gets a new PID, making it impossible for its PID to equal its
+ # PGID.
+ pid = os.fork()
+ except OSError, e:
+ return((e.errno, e.strerror)) # ERROR (return a tuple)
+
+ if (pid == 0): # The first child.
+
+ # Next we call os.setsid() to become the session leader of this new
+ # session. The process also becomes the process group leader of the
+ # new process group. Since a controlling terminal is associated with a
+ # session, and this new session has not yet acquired a controlling
+ # terminal our process now has no controlling terminal. This shouldn't
+ # fail, since we're guaranteed that the child is not a process group
+ # leader.
+ os.setsid()
+
+ # When the first child terminates, all processes in the second child
+ # are sent a SIGHUP, so it's ignored.
+ signal.signal(signal.SIGHUP, signal.SIG_IGN)
+
+ try:
+ # Fork a second child to prevent zombies. Since the first child is
+ # a session leader without a controlling terminal, it's possible for
+ # it to acquire one by opening a terminal in the future. This second
+ # fork guarantees that the child is no longer a session leader, thus
+ # preventing the daemon from ever acquiring a controlling terminal.
+ pid = os.fork() # Fork a second child.
+ except OSError, e:
+ return((e.errno, e.strerror)) # ERROR (return a tuple)
+
+ if (pid == 0): # The second child.
+ # Ensure that the daemon doesn't keep any directory in use. Failure
+ # to do this could make a filesystem unmountable.
+ #os.chdir("/")
+ # Give the child complete control over permissions.
+ os.umask(0)
+ else:
+ os._exit(0) # Exit parent (the first child) of the second child.
+ else:
+ os._exit(0) # Exit parent of the first child.
+
+ # Close all open files. Try the system configuration variable, SC_OPEN_MAX,
+ # for the maximum number of open files to close. If it doesn't exist, use
+ # the default value (configurable).
+ try:
+ maxfd = os.sysconf("SC_OPEN_MAX")
+ except (AttributeError, ValueError):
+ maxfd = 256 # default maximum
+
+ for fd in range(0, maxfd):
+ try:
+ os.close(fd)
+ except OSError: # ERROR (ignore)
+ pass
+
+ # Redirect the standard file descriptors to /dev/null.
+ os.open("/dev/null", os.O_RDONLY) # standard input (0)
+ #os.open("/dev/null", os.O_RDWR) # standard output (1)
+ os.open("/tmp/fail2ban.log", os.O_CREAT|os.O_APPEND|os.O_RDWR) # standard output (1)
+ #os.open("/dev/null", os.O_RDWR) # standard error (2)
+ os.open("/tmp/fail2ban.log", os.O_CREAT|os.O_APPEND|os.O_RDWR) # standard error (2)
+
+ return(0)
+
+
+if __name__ == "__main__":
+
+ try:
+ optList, args = getopt.getopt(sys.argv[1:], 'hvb')
+ except getopt.GetoptError:
+ usage()
+
+ verbose = False
+ for opt in optList:
+ if opt[0] == "-h":
+ usage()
+ if opt[0] == "-v":
+ verbose = True
+ if opt[0] == "-b":
+ retCode = createDaemon()
+ if retCode != 0:
+ print "Unable to start daemon"
+ sys.exit(-1)
+
+ if not checkForRoot():
+ print "You must be root."
+ #sys.exit(-1)
+
+ fireWall = Iptables(600, verbose = verbose)
+ logFile = Metalog("./log-test/test", 600, verbose = verbose)
+
+ logFile.addIgnoreIP("127.0.0.1")
+
+ while True:
+ try:
+ sys.stdout.flush()
+ sys.stderr.flush()
+
+ fireWall.checkForUnBan()
+
+ if not logFile.isModified():
+ time.sleep(1)
+ continue
+
+ failList = logFile.getPwdFailure()
+
+ iterFailList = failList.iteritems()
+ for i in range(len(failList)):
+ element = iterFailList.next()
+ if element[1][0] > 2:
+ fireWall.addBanIP(element[0])
+
+ except KeyboardInterrupt:
+ print 'Restoring iptables...'
+ fireWall.flushBanList()
+ print 'Exiting...'
+ sys.exit(0)
From e561e39583ad4b866dbd2153e001b6dbf8201264 Mon Sep 17 00:00:00 2001
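Review bot: createDaemon reopens stdout and stderr on the fixed path `/tmp/fail2ban.log` with `os.O_CREAT` and no mode argument, right after `os.umask(0)`, in a process that is meant to run as root. A predictable file name in a world-writable directory can be pre-created or pointed elsewhere by another local user, and with the umask cleared nothing restricts the permissions of the file that gets created. I would keep a restrictive umask (`os.umask(0077)`) and open the log with an explicit mode in a directory only root can write, e.g. `os.open(LOG_PATH, os.O_CREAT|os.O_APPEND|os.O_WRONLY, 0600)`, where `LOG_PATH` is a placeholder. The same path comes back as `logSys.set_target("/tmp/fail2ban.log")` in the later fail2ban.py hunk `@@ -114,39 +115,57 @@`.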
From: Cyril Jaquier Date: Sun, 10 Oct 2004 23:46:58 +0000 Subject: [PATCH 011/549] - Add verbose option git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@15 a942ae1a-1317-0410-a47c-b1dcaea8d605 --- firewall/firewall.py | 15 ++++++++++----- logreader/logreader.py | 6 ++++-- logreader/metalog.py | 6 ++++-- 3 files changed, 18 insertions(+), 9 deletions(-) diff --git a/firewall/firewall.py b/firewall/firewall.py index 76632a75..09e9ccae 100644 --- a/firewall/firewall.py +++ b/firewall/firewall.py @@ -30,22 +30,25 @@ class Firewall: banList = dict() - def __init__(self, banTime): + def __init__(self, banTime, verbose = False): self.banTime = banTime + self.verbose = verbose def addBanIP(self, ip): if not self.inBanList(ip): self.banList[ip] = time.time() self.executeCmd(self.banIP(ip)) else: - print ip, "already in ban list" + if self.verbose: + print ip, "already in ban list" def delBanIP(self, ip): if self.inBanList(ip): del self.banList[ip] self.executeCmd(self.unBanIP(ip)) else: - print ip, "not in ban list" + if self.verbose: + print ip, "not in ban list" def inBanList(self, ip): return self.banList.has_key(ip) @@ -61,7 +64,8 @@ class Firewall: btime = element[1] if btime < time.time()-self.banTime: self.delBanIP(ip) - print '`->', time.time() + if self.verbose: + print '`->', time.time() def flushBanList(self): iterBanList = self.banList.iteritems() @@ -71,7 +75,8 @@ class Firewall: self.delBanIP(ip) def executeCmd(self, cmd): - print cmd + if self.verbose: + print cmd return #os.system(cmd) def viewBanList(self): diff --git a/logreader/logreader.py b/logreader/logreader.py index 492ed76d..f17711f8 100644 --- a/logreader/logreader.py +++ b/logreader/logreader.py 
@@ -28,11 +28,12 @@ import os, sys class LogReader: - def __init__(self, logPath, findTime = 3600): + def __init__(self, logPath, findTime = 3600, verbose = False): self.logPath = logPath self.findTime = findTime self.ignoreIpList = [] self.lastModTime = 0 + self.verbose = verbose def addIgnoreIP(self, ip): self.ignoreIpList.append(ip) @@ -58,7 +59,8 @@ class LogReader: if self.lastModTime == logStats.st_mtime: return False else: - print self.logPath, 'has been modified' + if self.verbose: + print self.logPath, 'has been modified' self.lastModTime = logStats.st_mtime return True diff --git a/logreader/metalog.py b/logreader/metalog.py index 20a64766..c8e3db12 100644 --- a/logreader/metalog.py +++ b/logreader/metalog.py @@ -41,9 +41,11 @@ class Metalog(LogReader): if unixTime < time.time()-self.findTime: continue if self.inIgnoreIPList(ip): - print 'Ignore', ip + if self.verbose: + print 'Ignore', ip continue - print 'Found', ip, 'at', unixTime + if self.verbose: + print 'Found', ip, 'at', unixTime if ipList.has_key(ip): ipList[ip] = (ipList[ip][0]+1, unixTime) else: From be1755cac12afb93d9c74ce9c5e0295c8ba1a090 Mon Sep 17 00:00:00 2001 From: Cyril Jaquier Date: Mon, 11 Oct 2004 10:21:56 +0000 Subject: [PATCH 012/549] - Change quoting style git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@16 a942ae1a-1317-0410-a47c-b1dcaea8d605 --- firewall/iptables.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/firewall/iptables.py b/firewall/iptables.py index 8206e631..c06a2dd3 100644 --- a/firewall/iptables.py +++ b/firewall/iptables.py @@ -29,9 +29,9 @@ from firewall import Firewall class Iptables(Firewall): def banIP(self, ip): - query = 'iptables -I INPUT 1 -i eth0 -s '+ip+' -j DROP' + query = "iptables -I INPUT 1 -i eth0 -s "+ip+" -j DROP" return query def unBanIP(self, ip): - query = 'iptables -D INPUT -i eth0 -s '+ip+' -j DROP' + query = "iptables -D INPUT -i eth0 -s "+ip+" -j DROP" return query 
From c286d568555896e33cade457d870630e35ea16c4 Mon Sep 17 00:00:00 2001 From: Cyril Jaquier Date: Mon, 11 Oct 2004 10:22:41 +0000 Subject: [PATCH 013/549] - Add log4py support - Remove old verbose mode - Add debug feature git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@17 a942ae1a-1317-0410-a47c-b1dcaea8d605 --- firewall/firewall.py | 42 +++++++++++++++++++++--------------------- 1 file changed, 21 insertions(+), 21 deletions(-) diff --git a/firewall/firewall.py b/firewall/firewall.py index 09e9ccae..72ecc7cd 100644 --- a/firewall/firewall.py +++ b/firewall/firewall.py @@ -24,36 +24,36 @@ __date__ = "$Date$" __copyright__ = "Copyright (c) 2004 Cyril Jaquier" __license__ = "GPL" -import time +import time, os class Firewall: banList = dict() - def __init__(self, banTime, verbose = False): + def __init__(self, banTime, logSys): self.banTime = banTime - self.verbose = verbose + self.logSys = logSys - def addBanIP(self, ip): + def addBanIP(self, ip, debug): if not self.inBanList(ip): + self.logSys.info("Ban "+ip) self.banList[ip] = time.time() - self.executeCmd(self.banIP(ip)) + self.executeCmd(self.banIP(ip), debug) else: - if self.verbose: - print ip, "already in ban list" + self.logSys.info(ip+" already in ban list") - def delBanIP(self, ip): + def delBanIP(self, ip, debug): if self.inBanList(ip): + self.logSys.info("Unban "+ip) del self.banList[ip] - self.executeCmd(self.unBanIP(ip)) + self.executeCmd(self.unBanIP(ip), debug) else: - if self.verbose: - print ip, "not in ban list" + self.logSys.info(ip+" not in ban list") def inBanList(self, ip): return self.banList.has_key(ip) - def checkForUnBan(self): + def checkForUnBan(self, debug): """ Check for user to remove from ban list. """ banListTemp = self.banList.copy() 
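Review bot: addBanIP sets `self.banList[ip] = time.time()` before calling executeCmd and discards its result, and delBanIP does the same around `del self.banList[ip]`. Since the second hunk of this commit makes executeCmd return `os.system(cmd)`, a failed iptables call now leaves the in-memory list and the real rule set out of step: an address is logged as "Ban" with no DROP rule behind it, or forgotten while its rule stays in place. I would run the command first and update banList only when the result is `0` (or `None` in debug mode), e.g. `ret = self.executeCmd(self.banIP(ip), debug)` followed by `if ret: self.logSys.error("Ban of "+ip+" failed")`. Because the command string is built by concatenation and handed to a shell, it is also worth rejecting any `ip` that is not a plain dotted quad at this entry point instead of relying on the caller; the class body continues outside this hunk.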
@@ -63,21 +63,21 @@ class Firewall: ip = element[0] btime = element[1] if btime < time.time()-self.banTime: - self.delBanIP(ip) - if self.verbose: - print '`->', time.time() + self.delBanIP(ip, debug) - def flushBanList(self): + def flushBanList(self, debug): iterBanList = self.banList.iteritems() for i in range(len(self.banList)): element = iterBanList.next() ip = element[0] - self.delBanIP(ip) + self.delBanIP(ip, debug) - def executeCmd(self, cmd): - if self.verbose: - print cmd - return #os.system(cmd) + def executeCmd(self, cmd, debug): + self.logSys.debug(cmd) + if not debug: + return os.system(cmd) + else: + return None def viewBanList(self): iterBanList = self.banList.iteritems() From a2ea1164b3ed987c8ef9e30874a1c7e4adf079bc Mon Sep 17 00:00:00 2001 From: Cyril Jaquier Date: Mon, 11 Oct 2004 10:23:53 +0000 Subject: [PATCH 014/549] - Add log4py support - Remove old verbose mode git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@18 a942ae1a-1317-0410-a47c-b1dcaea8d605 --- logreader/logreader.py | 11 +++++------ logreader/metalog.py | 6 ++---- 2 files changed, 7 insertions(+), 10 deletions(-) diff --git a/logreader/logreader.py b/logreader/logreader.py index f17711f8..9c134307 100644 --- a/logreader/logreader.py +++ b/logreader/logreader.py @@ -28,12 +28,12 @@ import os, sys class LogReader: - def __init__(self, logPath, findTime = 3600, verbose = False): + def __init__(self, logPath, logSys, findTime = 3600): self.logPath = logPath self.findTime = findTime self.ignoreIpList = [] self.lastModTime = 0 - self.verbose = verbose + self.logSys = logSys def addIgnoreIP(self, ip): self.ignoreIpList.append(ip) @@ -45,7 +45,7 @@ class LogReader: try: fileHandler = open(self.logPath) except OSError: - print "Unable to open", self.logPath + self.logSys.error("Unable to open "+self.logPath) sys.exit(-1) return fileHandler 
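Review bot: flushBanList walks `self.banList.iteritems()` while delBanIP deletes from that same dict, so as soon as more than one address is banned the second `iterBanList.next()` raises `RuntimeError: dictionary changed size during iteration`. With executeCmd now really calling `os.system(cmd)`, the shutdown path removes only the first DROP rule and leaves the others installed. checkForUnBan already avoids this by iterating `self.banList.copy()`; the equivalent here is `for ip in self.banList.keys(): self.delBanIP(ip, debug)`, since `keys()` returns a list snapshot in Python 2.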
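Review bot: In the logreader.py hunk `@@ -45,7 +45,7 @@`, the handler that now calls `self.logSys.error("Unable to open "+self.logPath)` still catches `OSError`, but in Python 2 the built-in `open()` raises `IOError`, which is a separate class. A missing or unreadable log file therefore skips the new error message and ends in an uncaught traceback. Changing that line to `except IOError:` makes the logged error path reachable; the method starts above the hunk, so this rests on the `fileHandler = open(self.logPath)` context line.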
@@ -53,14 +53,13 @@ class LogReader: try: logStats = os.stat(self.logPath) except OSError: - print "Unable to get stat on", logPath + self.logSys.error("Unable to get stat on "+self.logPath) sys.exit(-1) if self.lastModTime == logStats.st_mtime: return False else: - if self.verbose: - print self.logPath, 'has been modified' + self.logSys.debug(self.logPath+" has been modified") self.lastModTime = logStats.st_mtime return True diff --git a/logreader/metalog.py b/logreader/metalog.py index c8e3db12..31b4d564 100644 --- a/logreader/metalog.py +++ b/logreader/metalog.py @@ -41,11 +41,9 @@ class Metalog(LogReader): if unixTime < time.time()-self.findTime: continue if self.inIgnoreIPList(ip): - if self.verbose: - print 'Ignore', ip + self.logSys.debug("Ignore "+ip) continue - if self.verbose: - print 'Found', ip, 'at', unixTime + self.logSys.debug("Found "+ip) if ipList.has_key(ip): ipList[ip] = (ipList[ip][0]+1, unixTime) else: From 8eb470019c3884af2f9196a149974f0fd91270e1 Mon Sep 17 00:00:00 2001 From: Cyril Jaquier Date: Mon, 11 Oct 2004 10:26:39 +0000 Subject: [PATCH 015/549] - Add log4py support - Remove old verbose mode - Add debug feature - Add option -f . This is the log file to read from - Add option -l . This is the file to log fail2ban messages - Add option -d. Allow fail2ban to run without root permissions. Do not execute OS command git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@19 a942ae1a-1317-0410-a47c-b1dcaea8d605 --- fail2ban.py | 57 +++++++++++++++++++++++++++++++++++------------------ 1 file changed, 38 insertions(+), 19 deletions(-) diff --git a/fail2ban.py b/fail2ban.py index 4acae8e3..895d2092 100755 --- a/fail2ban.py +++ b/fail2ban.py 
@@ -27,12 +27,13 @@ __copyright__ = "Copyright (c) 2004 Cyril Jaquier" __license__ = "GPL" import posix, time, sys, getopt, os, signal +import log4py from firewall.iptables import Iptables from logreader.metalog import Metalog def usage(): - print "fail2ban [-h][-v][-b]" + print "fail2ban [-h][-v][-b][-d][-f ][-l ]" sys.exit(0) def checkForRoot(): @@ -90,7 +91,7 @@ def createDaemon(): if (pid == 0): # The second child. # Ensure that the daemon doesn't keep any directory in use. Failure # to do this could make a filesystem unmountable. - #os.chdir("/") + os.chdir("/") # Give the child complete control over permissions. os.umask(0) else: 
@@ -114,39 +115,57 @@ def createDaemon(): # Redirect the standard file descriptors to /dev/null. os.open("/dev/null", os.O_RDONLY) # standard input (0) - #os.open("/dev/null", os.O_RDWR) # standard output (1) - os.open("/tmp/fail2ban.log", os.O_CREAT|os.O_APPEND|os.O_RDWR) # standard output (1) - #os.open("/dev/null", os.O_RDWR) # standard error (2) - os.open("/tmp/fail2ban.log", os.O_CREAT|os.O_APPEND|os.O_RDWR) # standard error (2) + os.open("/dev/null", os.O_RDWR) # standard output (1) + os.open("/dev/null", os.O_RDWR) # standard error (2) return(0) if __name__ == "__main__": + logSys = log4py.Logger().get_instance() + logSys.set_formatstring("%T %L %M") + try: - optList, args = getopt.getopt(sys.argv[1:], 'hvb') + optList, args = getopt.getopt(sys.argv[1:], 'hvbdf:l:') except getopt.GetoptError: usage() - verbose = False + debug = False + logFilePath = "/var/log/pwdfail/current" + for opt in optList: if opt[0] == "-h": usage() if opt[0] == "-v": - verbose = True + logSys.set_loglevel(log4py.LOGLEVEL_VERBOSE) if opt[0] == "-b": retCode = createDaemon() + logSys.set_target("/tmp/fail2ban.log") if retCode != 0: - print "Unable to start daemon" + logSys.error("Unable to start daemon") sys.exit(-1) + if opt[0] == "-d": + debug = True + logSys.set_loglevel(log4py.LOGLEVEL_DEBUG) + logSys.set_formatstring(log4py.FMT_DEBUG) + if opt[0] == "-f": + logFilePath = opt[1] + if opt[0] == "-l": + try: + open(opt[1], "a") + logSys.set_target(opt[1]) + except IOError: + logSys.error("Unable to log to "+opt[1]) + logSys.error("Use default output for logging") if not checkForRoot(): - print "You must be root." - #sys.exit(-1) + logSys.error("You must be root") + if not debug: + sys.exit(-1) - fireWall = Iptables(600, verbose = verbose) - logFile = Metalog("./log-test/test", 600, verbose = verbose) + fireWall = Iptables(600, logSys) + logFile = Metalog(logFilePath, logSys, 600) logFile.addIgnoreIP("127.0.0.1") 
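Review bot: The `-b` branch daemonizes and calls `logSys.set_target("/tmp/fail2ban.log")` from inside the option loop, so the result depends on argument order: a `-l FILE` given before `-b` is silently replaced by the /tmp target, and a relative `-f` or `-l` path is resolved against `/` once createDaemon has run, because this commit enables `os.chdir("/")`. set_target is also called before `retCode` is checked, and the hard-coded target is still a predictable file in /tmp written by root. I would only record the flags in the loop and act on them once after parsing, resolving paths before the chdir, as sketched below. The `open(opt[1], "a")` probe also never closes its handle.

```python
background = False
logTarget = None
for opt in optList:
    # ... unchanged: -h, -v, -d and -f handling ...
    if opt[0] == "-b":
        background = True
    if opt[0] == "-l":
        logTarget = opt[1]

# Resolve paths before createDaemon() changes the working directory.
logFilePath = os.path.abspath(logFilePath)
if logTarget is not None:
    logTarget = os.path.abspath(logTarget)

if background:
    retCode = createDaemon()
    if retCode != 0:
        logSys.error("Unable to start daemon")
        sys.exit(-1)

if logTarget is not None:
    try:
        open(logTarget, "a").close()
        logSys.set_target(logTarget)
    except IOError:
        logSys.error("Unable to log to "+logTarget)
        logSys.error("Use default output for logging")
elif background:
    # Still the predictable /tmp default from the hunk; see the note.
    logSys.set_target("/tmp/fail2ban.log")
```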
@@ -155,7 +174,7 @@ if __name__ == "__main__": sys.stdout.flush() sys.stderr.flush() - fireWall.checkForUnBan() + fireWall.checkForUnBan(debug) if not logFile.isModified(): time.sleep(1) @@ -167,10 +186,10 @@ if __name__ == "__main__": for i in range(len(failList)): element = iterFailList.next() if element[1][0] > 2: - fireWall.addBanIP(element[0]) + fireWall.addBanIP(element[0], debug) except KeyboardInterrupt: - print 'Restoring iptables...' - fireWall.flushBanList() - print 'Exiting...' + logSys.info("Restoring iptables...") + fireWall.flushBanList(debug) + logSys.info("Exiting...") sys.exit(0) From bb896fb391ed6fcb63d256eb4c87702b3b323442 Mon Sep 17 00:00:00 2001 From: Cyril Jaquier Date: Tue, 12 Oct 2004 21:40:50 +0000 Subject: [PATCH 016/549] - Add a debug message when adding ip to ignore list git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@20 a942ae1a-1317-0410-a47c-b1dcaea8d605 --- logreader/logreader.py | 1 + 1 file changed, 1 insertion(+) diff --git a/logreader/logreader.py b/logreader/logreader.py index 9c134307..1e52ace2 100644 --- a/logreader/logreader.py +++ b/logreader/logreader.py @@ -36,6 +36,7 @@ class LogReader: self.logSys = logSys def addIgnoreIP(self, ip): + self.logSys.debug("Add "+ip+" to ignore list") self.ignoreIpList.append(ip) def inIgnoreIPList(self, ip): From 4eeb61c0e163a429ffeccfa10fb1270e6af98bd4 Mon Sep 17 00:00:00 2001 From: Cyril Jaquier Date: Tue, 12 Oct 2004 21:44:09 +0000 Subject: [PATCH 017/549] - Update help message - Add -i option: ignore ip list. Space separated ip list - Add -t option: ban time in seconds. 600 to ban ip for 10 minutes - Add a info message saying that fail2ban is running git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@21 a942ae1a-1317-0410-a47c-b1dcaea8d605 --- fail2ban.py | 44 +++++++++++++++++++++++++++++++++++++++----- 1 file changed, 39 insertions(+), 5 deletions(-) diff --git a/fail2ban.py b/fail2ban.py index 895d2092..5b813a3a 100755 --- a/fail2ban.py 
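Review bot: In the hunk `@@ -167,10 +186,10 @@`, the only path that reaches `fireWall.flushBanList(debug)` is `except KeyboardInterrupt`, which a process started with `-b` will not normally see: it has no controlling terminal, and a plain `kill` delivers SIGTERM, which Python does not turn into an exception by default. The daemon would then exit with its DROP rules still installed and nothing left to expire them. `signal` is already imported, so a handler such as `def sigTERMhandler(signum, frame): raise KeyboardInterrupt` registered with `signal.signal(signal.SIGTERM, sigTERMhandler)` before the loop would route termination through the same cleanup. The `while True:` loop starts above the hunk, so the exact placement needs the full block.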
+++ b/fail2ban.py @@ -29,11 +29,28 @@ __license__ = "GPL" import posix, time, sys, getopt, os, signal import log4py +# Appends our own modules path +sys.path.append('/usr/lib/fail2ban') + from firewall.iptables import Iptables from logreader.metalog import Metalog +from version import version def usage(): - print "fail2ban [-h][-v][-b][-d][-f ][-l ]" + print "Usage: fail2ban.py [OPTIONS]" + print + print "Fail2Ban v"+version+" reads log file that contains password failure report" + print "and bans the corresponding IP address using iptables." + print + print " -b start fail2ban in background" + print " -d start fail2ban in debug mode" + print " -f read password failure from FILE" + print " -h display this help message" + print " -l log message in FILE" + print " -t