Suspiciously high number of authentication failures?

My YunoHost server

Hardware: Olimex Lime 2
YunoHost version: 11.1.7
I have access to my server: through SSH | through the webadmin |
Are you in a special context or did you perform some particular tweaking on your YunoHost instance?: my SSH port is already different from the default one.

Description of my issue

Hi, since February 17th, I have been getting a warning from the diagnosis tool:

[WARNING] There’s been a suspiciously high number of authentication failures recently. You may want to make sure that fail2ban is running and is correctly configured, or use a custom port for SSH as explained in Security | Yunohost Documentation.

I don’t understand why, because I didn’t personally attempt to log in in the days before this message. Fail2ban is working and I see nothing suspicious in the logs (hastebin). Still, I restarted it. My SSH port is already custom. I did nothing before this happened.
Does anyone have an idea of what is wrong or how to investigate it?

Did you change the port number with

yunohost settings set security.ssh.port -v <new_ssh_port_number>

or with the settings interface in the web admin?

If not, it’s possible that fail2ban doesn’t protect your specific port number.


I’m not sure, because I did it a long time ago when I installed the server, but I think I directly edited the sshd_config file. By the way, this raises another alert from the diagnosis tool, but it has done so since the beginning, so I silenced it.
The web admin shows the correct custom port. In the firewall, port 22 is closed and my custom SSH port is open.
How can I check which ports are protected by fail2ban?

I still haven’t solved the problem. I tried to change the SSH port from the webadmin, but no progress. Does anyone have another idea? What should I check?

What is the output of this command: iptables-save | grep INPUT | grep f2b-sshd ?

You should have something like -A INPUT -p tcp -m multiport --dports YOURSSHPORT -j f2b-sshd, with YOURSSHPORT the SSH port number.

Interestingly, the command returns nothing.
When I run iptables-save alone,
I get several lines with my open ports, including the one for SSH, but there is no “f2b-sshd” at the end: -A INPUT -p tcp -m tcp --dport MYSSHPORT -j ACCEPT

Could it be a symptom of the real issue ?
I remember a long time ago having a problem with being banned myself from my SSH port (but it was at least 2 versions of Debian ago :sweat_smile: ) and I may have changed the configuration of fail2ban so as to regain access. I don’t know if this is a lead towards the problem?

You should have a line like -A INPUT -p tcp -m multiport --dports MYSSHPORT -j f2b-sshd

I had more or less the same issue last year (because I did a stupid thing when I tried to add a jail) => SSH : Multiple tentatives de connexion malgré fail2ban - #5 by Kit (SSH: multiple login attempts despite fail2ban)

Let’s recheck properly:

  • cat /etc/fail2ban/jail.d/yunohost-jails.conf : is the sshd jail in the output? Is the SSH port the new one?
  • yunohost settings get security.ssh.port : let’s double-check that the right port is monitored.
  • yunohost service status yunohost-firewall fail2ban : are the firewall and f2b services running?
  • Did you try to restart the firewall and f2b services?

Yes, I get this, and the port is correct:

[sshd]
port = MYSSHPORT
enabled = true

yunohost settings get security.ssh.port returns the right port also.

And yunohost service status yunohost-firewall fail2ban returns :

fail2ban: 
  configuration: valid
  description: Protects against brute-force and other kinds of attacks from the Internet
  last_state_change: 2023-03-04 12:15:20
  start_on_boot: enabled
  status: running
yunohost-firewall: 
  configuration: unknown
  description: Manages open and close connection ports to services
  last_state_change: 2023-02-12 23:15:05
  start_on_boot: enabled
  status: running

I already restarted my server several times…

By reading your own topic, I looked into my jail.d and found a “my_ssh_port.conf” file; I think I remember creating it after I got my own IP banned. The file contains:

[sshd]
port = MYSSHPORT
ignoreip = 192.168.0.17    (<- it is my PC local IP)

[sshd-ddos]
port = MYSSHPORT

So it may be a duplicate of the yunohost-jails.conf file, but nothing contradictory.
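The two checks raised in this thread (the `-A INPUT -p tcp -m multiport --dports PORT -j f2b-sshd` rule that should appear in iptables-save, and whether a hand-made jail.d file agrees with yunohost-jails.conf) can be done mechanically. The script below is an added example, not code from the thread or from YunoHost. It replays how fail2ban merges jail.d/*.conf (files are read in sorted name order after jail.conf, and a later `port =` under [sshd] overrides an earlier one) on constructed files, and it greps a constructed iptables-save excerpt for the f2b-sshd rule. Port 2222, the file contents and the iptables lines are all made up for the demo; MYSSHPORT is the poster's real value.

```shell
#!/bin/sh
# Added example (not from the thread or YunoHost): is the fail2ban sshd jail
# really covering the SSH port?
#   effective_sshd_port DIR   - merge every *.conf in DIR the way fail2ban does
#                               (sorted name order, last "port =" under [sshd] wins)
#   f2b_protects_port TXT P   - true when an INPUT rule in iptables-save output
#                               sends port P to the f2b-sshd chain
# Port 2222 and the file names below are constructed for the demo.
set -u

# Print the port the [sshd] jail ends up with after merging DIR/*.conf in order.
effective_sshd_port() {
  awk '
    /^[ \t]*\[sshd\]/ { in_sshd = 1; next }   # entered the [sshd] section
    /^[ \t]*\[/       { in_sshd = 0; next }   # any other section (e.g. [sshd-ddos])
    in_sshd && /^[ \t]*port[ \t]*=/ {
      sub(/^[^=]*=[ \t]*/, "")                # drop "port ="
      sub(/[ \t]*(#.*)?$/, "")                # drop trailing space or comment
      port = $0                               # a later file overrides an earlier one
    }
    END { print port }
  ' "$1"/*.conf
}

# Exit 0 when an "-A INPUT ... -j f2b-sshd" rule lists port $2 (single port or
# comma-separated multiport list), 1 otherwise.
f2b_protects_port() {
  printf '%s\n' "$1" \
    | grep -- '^-A INPUT ' \
    | grep -- '-j f2b-sshd' \
    | grep -qE -- "--dports? ([0-9]+,)*$2(,[0-9]+)*( |\$)"
}

# Constructed jail.d directory: a hand-made my_ssh_port.conf saying 2222, plus a
# yunohost-jails.conf whose port is $1. Because "y" sorts after "m", the YunoHost
# file is read last and its value wins.
make_jaild() {
  jd=$(mktemp -d)
  printf '[sshd]\nport = 2222\nignoreip = 192.168.0.17\n\n[sshd-ddos]\nport = 2222\n' \
    > "$jd/my_ssh_port.conf"
  printf '[sshd]\nport = %s\nenabled = true\n' "$1" > "$jd/yunohost-jails.conf"
  printf '%s\n' "$jd"
}

# Constructed iptables-save excerpts (what the reply above asks to look for).
IPT_PROTECTED='-A INPUT -p tcp -m multiport --dports 2222 -j f2b-sshd
-A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT'
IPT_UNPROTECTED='-A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT'

# Demo: same port in both files (the thread's case) versus a stale yunohost-jails.conf
# that still says 22 because the port was only changed in sshd_config.
for yport in 2222 22; do
  dir=$(make_jaild "$yport")
  echo "yunohost-jails.conf port=$yport -> effective [sshd] jail port: $(effective_sshd_port "$dir")"
  rm -r "$dir"
done
if f2b_protects_port "$IPT_PROTECTED" 2222; then
  echo "iptables: 2222 is handed to f2b-sshd"
fi
if ! f2b_protects_port "$IPT_UNPROTECTED" 2222; then
  echo "iptables: no f2b-sshd rule for 2222, fail2ban is not filtering SSH"
fi
```

On the server itself the same functions can be fed the real inputs: `effective_sshd_port /etc/fail2ban/jail.d` and `f2b_protects_port "$(iptables-save)" MYSSHPORT`. The second check is the one that failed in this thread: the jail is enabled and its port is right, yet no INPUT rule jumps to f2b-sshd, so bans configured by fail2ban would never be enforced by the firewall.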