07.19.2005 21:58

Trying fail2ban: iptables DROPs IPs with multiple authentication failures


One of the most annoying emails logcheck produces includes massive numbers of lines such as
Jul 19 07:58:42 devmike sshd[12535]: Illegal user andres from ::ffff:61.235.150.99
Jul 19 07:58:45 devmike sshd[12537]: Illegal user andres from ::ffff:61.235.150.99
Jul 19 07:58:48 devmike sshd[12539]: Illegal user andres from ::ffff:61.235.150.99
Jul 19 07:58:51 devmike sshd[12541]: Illegal user barbara from ::ffff:61.235.150.99
Jul 19 07:58:54 devmike sshd[12543]: Illegal user barbara from ::ffff:61.235.150.99
Jul 19 07:58:57 devmike sshd[12545]: Illegal user barbara from ::ffff:61.235.150.99
Jul 19 07:58:59 devmike sshd[12547]: Illegal user adine from ::ffff:61.235.150.99
Jul 19 07:59:02 devmike sshd[12549]: Illegal user adine from ::ffff:61.235.150.99
Jul 19 07:59:05 devmike sshd[12551]: Illegal user adine from ::ffff:61.235.150.99
... and so on for some 220 lines.

Those failed sshd authentications get logged in /var/log/auth.log, one of the files fail2ban (I suppose from 'if it fails, send it to ban') reads. There's a Debian package, so I wgetted it into /var/cache/archives/ and first ran `dpkg --simulate -i fail2ban_0.5.0-1_all.deb`, got no errors, so I ditched --simulate, and it installed and started. Unlike (many? most?) packages, it doesn't put its .conf in /etc/[package name]/. Instead, it writes a sane /etc/fail2ban.conf file. (Sane, as in looking it over, it won't do anything insane.) Running, it "temporarily bans failure-prone addresses by updating existing firewall rules" (from the description in the .deb) by doing, for example, `iptables -I INPUT 1 -i eth0 -s -j DROP`.
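To make the detection half of that concrete, here is an added example (my own code, not fail2ban's): it parses "Illegal user" lines in the format shown above, applies a failures-per-time-window threshold, and produces the iptables rule quoted above with the offending address filled in. The sample lines are constructed, the threshold and window parameters (named maxretry and findtime here) are my own, and the year assumed for the year-less syslog timestamps is 2005.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the format the post shows: 61.235.150.99 is the address
# from the post; 192.0.2.10 and 198.51.100.7 are documentation-range addresses.
SAMPLE_LOG = """\
Jul 19 07:58:42 devmike sshd[12535]: Illegal user andres from ::ffff:61.235.150.99
Jul 19 07:58:45 devmike sshd[12537]: Illegal user andres from ::ffff:61.235.150.99
Jul 19 07:58:51 devmike sshd[12541]: Illegal user barbara from ::ffff:61.235.150.99
Jul 19 08:30:00 devmike sshd[12600]: Illegal user guest from ::ffff:192.0.2.10
Jul 19 08:59:10 devmike sshd[12650]: Illegal user guest from ::ffff:192.0.2.10
Jul 19 09:45:00 devmike sshd[12700]: Illegal user guest from ::ffff:192.0.2.10
Jul 19 09:46:00 devmike sshd[12701]: Accepted publickey for mike from 198.51.100.7 port 51022 ssh2
"""

# The ::ffff: prefix is an IPv4-mapped IPv6 address; it is stripped because
# iptables -s expects the plain dotted-quad form.
FAILURE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Illegal user \S+ from (?:::ffff:)?(?P<ip>[\d.]+)$"
)

def parse_failures(log_text, year=2005):
    """Map each source IP to the timestamps of its Illegal-user lines (syslog omits the year)."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILURE_RE.match(line)
        if m:
            when = datetime.strptime(f"{m['ts']} {year}", "%b %d %H:%M:%S %Y")
            failures[m["ip"]].append(when)
    return failures

def offenders(log_text, maxretry=3, findtime=600):
    """IPs with at least maxretry failures inside some findtime-second window."""
    banned = []
    for ip, times in parse_failures(log_text).items():
        times.sort()
        for i in range(len(times) - maxretry + 1):
            if (times[i + maxretry - 1] - times[i]).total_seconds() <= findtime:
                banned.append(ip)
                break
    return sorted(banned)

def ban_rule(ip, iface="eth0"):
    """The rule shape quoted in the post, with the offending address filled in."""
    return f"iptables -I INPUT 1 -i {iface} -s {ip} -j DROP"
```

With the defaults, only 61.235.150.99 (three failures in nine seconds) crosses the threshold; the three spread-out guest failures from 192.0.2.10 only count as a ban once findtime is widened to cover them, which is the knob that decides how patient an attacker has to be.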

Most of the machines perpetrating this crap are from China, Korea or European addresses, and I never even bothered emailing abuse@. Occasionally, I'd email folks in the U.S., but at least half the time, it's not worth the effort. Let's see how it performs.