My YunoHost server
Hardware: Olimex Lime 2
YunoHost version: 11.1.7
I have access to my server : Through SSH | through the webadmin |
Are you in a special context or did you perform some particular tweaking on your YunoHost instance ? : my SSH port is already different from the default one.
Description of my issue
Hi, since February 17th, I got a warning from the diagnosis tool :
[WARNING] There’s been a suspiciously high number of authentication failures recently. You may want to make sure that fail2ban is running and is correctly configured, or use a custom port for SSH as explained in Security | Yunohost Documentation.
I don’t understand why, because I didn’t personally attempt to log in the days before this message. Fail2ban is working and I got nothing suspicious in the logs (hastebin). Still, I restarted it. My SSH port is already custom. I did nothing before this happened.
Has someone an idea on what is wrong or how to investigate it ?
Have you changed the number with
yunohost settings set security.ssh.port -v <new_ssh_port_number>
Or with the settings interface in the web admin ?
If not, it’s possible that fail2ban doesn’t protect your specific port number.
I’m not sure because I did it a long time ago when I installed the server, but I think I directly edited the sshd_config file. By the way, this raises another alert from the diagnosis tool, but it has done so since the beginning, so I silenced it.
The web admin prompts the correct custom port. In the firewall, the 22 port is closed, and my custom ssh port is open.
How can I check which ports are protected by fail2ban ?
I still didn’t solve the problem. I tried to change the SSH port from the webadmin but no progress. Does anyone have another idea? What should I check ?
What is the output of this command :
iptables-save | grep INPUT | grep f2b-sshd ?
You should have something like
-A INPUT -p tcp -m multiport --dports YOURSSHPORT -j f2b-sshd, with YOURSSHPORT the SSH port number.
Interestingly, the command returns nothing.
When I do :
I got several lines with my open ports, including the one for ssh, but there is no “f2b-sshd” at the end :
-A INPUT -p tcp -m tcp --dport MYSSHPORT -j ACCEPT
Could it be a symptom of the real issue ?
I remember a long time ago having a problem where I was banned myself from my SSH port (but it was at least 2 versions of Debian ago) and I may have changed the configuration of fail2ban so as to regain access. I don’t know if this is a lead towards the problem ?
You should have a line like
-A INPUT -p tcp -m multiport --dports MYSSHPORT -j f2b-sshd
Had more or less the same issue last year (because I did a stupid thing when I tried to add a jail) => SSH : Multiple tentatives de connexion malgré fail2ban - #5 by Kit
Let’s recheck properly :
- cat /etc/fail2ban/jail.d/yunohost-jails.conf : is the sshd jail in the output ? Is the SSH port the new one ?
- yunohost settings get security.ssh.port : let’s double-check if the right port is monitored.
- yunohost service status yunohost-firewall fail2ban : are the firewall and f2b services running ?
- Did you try to restart the firewall and f2b services ?
Yes, I got this, the port is correct :
port = MYSSHPORT
enabled = true
returns the right port also.
yunohost service status yunohost-firewall fail2ban returns :
description: Protects against brute-force and other kinds of attacks from the Internet
last_state_change: 2023-03-04 12:15:20
description: Manages open and close connection ports to services
last_state_change: 2023-02-12 23:15:05
I already restarted my server several times…
By reading your own topic, I looked into my jail.d, and I found a “my_ssh_port.conf” file, I think I remember I created it after I got my own IP banned. The file contains :
port = MYSSHPORT
ignoreip = 192.168.0.17 (<- it is my PC local IP)
port = MYSSHPORT
So it may be a duplicate of the yunohost-jails.conf file, but nothing contradictory.
I have the same issue.
I followed the thread in SSH : Multiple tentatives de connexion malgré fail2ban (as far as I could understand from the French language) but I could not find any solution.
The only thing I cannot understand is the “invalid” status in the configuration of yunohost-firewall.
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.
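The check suggested in this thread (looking in the `iptables-save` output for an INPUT rule that jumps to `f2b-sshd` for the SSH port), written as a reusable shell function. This is an added example, not part of any post in the thread; port 2222 and the sample rule sets are constructed placeholders, and the function name `f2b_covers_port` is hypothetical.

```shell
#!/bin/sh
# f2b_covers_port PORT [CHAIN]
# Reads iptables-save text on stdin. Returns 0 if an INPUT rule sends
# traffic for PORT to CHAIN (default f2b-sshd), 1 otherwise.
# Negated matches ("! --dport") are not handled in this sketch.
f2b_covers_port() {
    port=$1
    chain=${2:-f2b-sshd}
    awk -v port="$port" -v chain="$chain" '
        $1 == "-A" && $2 == "INPUT" {
            jump = ""; ports = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-j") jump = $(i + 1)
                if ($i == "--dports" || $i == "--dport") ports = $(i + 1)
            }
            if (jump != chain) next
            # A jump with no port match covers every port.
            if (ports == "") { found = 1; next }
            n = split(ports, list, ",")
            for (k = 1; k <= n; k++) {
                # A multiport entry is a single port or a lo:hi range.
                m = split(list[k], r, ":")
                lo = r[1] + 0
                hi = (m == 2 ? r[2] : r[1]) + 0
                if (port + 0 >= lo && port + 0 <= hi) found = 1
            }
        }
        END { exit(found ? 0 : 1) }
    '
}

# Constructed samples; 2222 stands in for the custom SSH port.
SAMPLE_PROTECTED='-A INPUT -p tcp -m multiport --dports 2222 -j f2b-sshd
-A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT'
SAMPLE_UNPROTECTED='-A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT'
SAMPLE_WRONG_PORT='-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT'

report() {  # report LABEL RULES
    if printf '%s\n' "$2" | f2b_covers_port 2222; then
        echo "$1: port 2222 is sent to f2b-sshd"
    else
        echo "$1: no f2b-sshd jump covers port 2222"
    fi
}
report protected   "$SAMPLE_PROTECTED"
report unprotected "$SAMPLE_UNPROTECTED"
report wrong-port  "$SAMPLE_WRONG_PORT"
```

On a live host, run as root, the same function can be fed real data: `iptables-save | f2b_covers_port "$(yunohost settings get security.ssh.port)"`.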