named and fail2ban messages are bothering

Issues related to configuring your network
mahmood
Posts: 122
Joined: 2017/06/04 12:21:09

named and fail2ban messages are bothering

Post by mahmood » 2017/06/04 12:25:04

Hello,
On a newly installed CentOS 6.6, I see a lot of messages about the named, fail2ban and snmpd services, and I don't understand them. When I search the web, there are some explanations, but they are not clear to me. Why should I get these messages?

Code:

Jun  4 15:16:48 cluster fail2ban.actions[3182]: WARNING [ssh-iptables] Ban 31.207.47.50
Jun  4 15:17:58 cluster fail2ban.actions[3182]: WARNING [ssh-iptables] Ban 116.31.116.53
Jun  4 15:20:47 cluster fail2ban.actions[3182]: WARNING [ssh-iptables] Ban 118.184.49.245
Jun  4 15:22:54 cluster named[2464]: error (network unreachable) resolving '118-163-71-101.hinet-ip.hinet.net/AAAA/IN': 2001:503:a83e::2:30#53
Jun  4 15:24:43 cluster fail2ban.actions[3182]: WARNING [ssh-iptables] Ban 195.3.144.216
Jun  4 15:26:48 cluster fail2ban.actions[3182]: WARNING [ssh-iptables] Unban 31.207.47.50
Jun  4 15:27:58 cluster fail2ban.actions[3182]: WARNING [ssh-iptables] Unban 116.31.116.53
Jun  4 15:30:22 cluster fail2ban.actions[3182]: WARNING [ssh-iptables] Ban 116.31.116.53
Jun  4 15:30:48 cluster fail2ban.actions[3182]: WARNING [ssh-iptables] Unban 118.184.49.245
Jun  4 15:34:44 cluster fail2ban.actions[3182]: WARNING [ssh-iptables] Unban 195.3.144.216
Jun  4 15:37:42 cluster named[2464]: error (network unreachable) resolving '12.226.229.223.in-addr.arpa/PTR/IN': 2001:43f8:110::10#53
Jun  4 15:37:42 cluster named[2464]: error (network unreachable) resolving '12.226.229.223.in-addr.arpa/PTR/IN': 2001:13c7:7010::53#53
Jun  4 15:37:43 cluster named[2464]: error (unexpected RCODE REFUSED) resolving '12.226.229.223.in-addr.arpa/PTR/IN': 202.56.230.6#53
Jun  4 15:37:43 cluster named[2464]: error (network unreachable) resolving '12.226.229.223.in-addr.arpa/PTR/IN': 2404:a800:0:14::3212#53
Jun  4 15:37:43 cluster named[2464]: error (network unreachable) resolving '12.226.229.223.in-addr.arpa/PTR/IN': 2404:a800:0:b::9#53
Jun  4 15:37:43 cluster named[2464]: error (network unreachable) resolving '12.226.229.223.in-addr.arpa/PTR/IN': 2404:a800:0:14::1:1212#53
Jun  4 15:37:43 cluster named[2464]: error (unexpected RCODE REFUSED) resolving '12.226.229.223.in-addr.arpa/PTR/IN': 202.56.230.5#53
Jun  4 15:37:44 cluster named[2464]: error (unexpected RCODE REFUSED) resolving '12.226.229.223.in-addr.arpa/PTR/IN': 202.56.230.5#53
Jun  4 15:37:44 cluster named[2464]: error (unexpected RCODE REFUSED) resolving '12.226.229.223.in-addr.arpa/PTR/IN': 202.56.230.6#53
Jun  4 15:37:44 cluster named[2464]: error (network unreachable) resolving '12.226.229.223.in-addr.arpa/PTR/IN': 2404:a800:0:b::9#53
Jun  4 15:37:44 cluster named[2464]: error (network unreachable) resolving '12.226.229.223.in-addr.arpa/PTR/IN': 2404:a800:0:14::3212#53
Jun  4 15:37:44 cluster named[2464]: error (network unreachable) resolving '12.226.229.223.in-addr.arpa/PTR/IN': 2404:a800:0:14::1:1212#53
Jun  4 15:37:56 cluster fail2ban.actions[3182]: WARNING [ssh-iptables] Ban 223.229.226.12
Jun  4 15:40:22 cluster fail2ban.actions[3182]: WARNING [ssh-iptables] Unban 116.31.116.53
Jun  4 15:40:32 cluster named[2464]: error (network unreachable) resolving '53.116.31.116.in-addr.arpa/PTR/IN': 2001:dd8:6::101#53
Jun  4 15:41:37 cluster fail2ban.actions[3182]: WARNING [ssh-iptables] Ban 116.31.116.53
Jun  4 15:47:57 cluster fail2ban.actions[3182]: WARNING [ssh-iptables] Unban 223.229.226.12
Jun  4 15:51:31 cluster snmpd[2785]: Connection from UDP: [46.208.33.154]:9307->[172.20.54.10]
Jun  4 15:51:31 cluster snmpd[2785]: Connection from UDP: [46.208.33.154]:9307->[172.20.54.10]
Jun  4 15:51:31 cluster snmpd[2785]: Connection from UDP: [46.208.33.154]:9307->[172.20.54.10]
Jun  4 15:51:38 cluster fail2ban.actions[3182]: WARNING [ssh-iptables] Unban 116.31.116.53
Jun  4 15:51:56 cluster snmpd[2785]: Connection from UDP: [46.208.33.154]:9307->[172.20.54.10]
Jun  4 15:52:20 cluster snmpd[2785]: Connection from UDP: [46.208.33.154]:9307->[172.20.54.10]
Jun  4 15:52:20 cluster snmpd[2785]: Connection from UDP: [46.208.33.154]:9307->[172.20.54.10]
Jun  4 15:52:21 cluster snmpd[2785]: Connection from UDP: [46.208.33.154]:9307->[172.20.54.10]
Jun  4 15:52:43 cluster snmpd[2785]: Connection from UDP: [46.208.33.154]:9307->[172.20.54.10]
Jun  4 15:52:44 cluster snmpd[2785]: Connection from UDP: [46.208.33.154]:9307->[172.20.54.10]
Jun  4 15:53:08 cluster snmpd[2785]: Connection from UDP: [46.208.33.154]:9307->[172.20.54.10]
Jun  4 15:55:03 cluster fail2ban.actions[3182]: WARNING [ssh-iptables] Ban 116.31.116.53
Jun  4 16:01:01 cluster python: ganglia news loading gmon.news: mia load full
Jun  4 16:04:52 cluster fail2ban.actions[3182]: WARNING [ssh-iptables] Ban 118.184.49.245
Jun  4 16:05:04 cluster fail2ban.actions[3182]: WARNING [ssh-iptables] Unban 116.31.116.53
Jun  4 16:06:41 cluster fail2ban.actions[3182]: WARNING [ssh-iptables] Ban 116.31.116.53
Jun  4 16:14:53 cluster fail2ban.actions[3182]: WARNING [ssh-iptables] Unban 118.184.49.245
Jun  4 16:16:42 cluster fail2ban.actions[3182]: WARNING [ssh-iptables] Unban 116.31.116.53
Jun  4 16:18:04 cluster fail2ban.actions[3182]: WARNING [ssh-iptables] Ban 116.31.116.53
Jun  4 16:28:05 cluster fail2ban.actions[3182]: WARNING [ssh-iptables] Unban 116.31.116.53
Jun  4 16:29:39 cluster fail2ban.actions[3182]: WARNING [ssh-iptables] Ban 116.31.116.53
Jun  4 16:39:39 cluster fail2ban.actions[3182]: WARNING [ssh-iptables] Unban 116.31.116.53
Jun  4 16:41:12 cluster fail2ban.actions[3182]: WARNING [ssh-iptables] Ban 116.31.116.53
Jun  4 16:41:37 cluster snmpd[2785]: Connection from UDP: [27.5.232.19]:3658->[172.20.54.10]
Jun  4 16:41:37 cluster snmpd[2785]: Connection from UDP: [27.5.232.19]:3658->[172.20.54.10]
Jun  4 16:41:37 cluster snmpd[2785]: Connection from UDP: [27.5.232.19]:3658->[172.20.54.10]
Jun  4 16:41:37 cluster snmpd[2785]: Connection from UDP: [27.5.232.19]:3658->[172.20.54.10]
Jun  4 16:41:37 cluster snmpd[2785]: Connection from UDP: [27.5.232.19]:3658->[172.20.54.10]
Jun  4 16:42:00 cluster snmpd[2785]: Connection from UDP: [27.5.232.19]:3658->[172.20.54.10]
Jun  4 16:42:00 cluster snmpd[2785]: Connection from UDP: [27.5.232.19]:3658->[172.20.54.10]
Jun  4 16:42:00 cluster snmpd[2785]: Connection from UDP: [27.5.232.19]:3658->[172.20.54.10]
Jun  4 16:42:00 cluster snmpd[2785]: Connection from UDP: [27.5.232.19]:3658->[172.20.54.10]
Jun  4 16:42:00 cluster snmpd[2785]: Connection from UDP: [27.5.232.19]:3658->[172.20.54.10]
Jun  4 16:42:22 cluster snmpd[2785]: Connection from UDP: [27.5.232.19]:3658->[172.20.54.10]
Jun  4 16:42:22 cluster snmpd[2785]: Connection from UDP: [27.5.232.19]:3658->[172.20.54.10]
Jun  4 16:42:22 cluster snmpd[2785]: Connection from UDP: [27.5.232.19]:3658->[172.20.54.10]

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: named and fail2ban messages are bothering

Post by TrevorH » 2017/06/04 12:43:19

1) Don't use 6.6. It's from 2014 and has 3 years' worth of unpatched security vulnerabilities present, some of them serious.

The fail2ban messages there are for information and are telling you that certain IP addresses that are trying to brute force your ssh users/passwords have been banned. This is normal and good, but perhaps you want to look at disabling password auth for ssh altogether and switching over to using public/private keys instead.

The named messages all seem to do with attempting to reach other nameservers via IPv6. Do you have a valid IPv6 address on the machine?

The snmpd messages are also normal and are there because your snmpd daemon is running with default logging. Perhaps you want to adjust your /etc/sysconfig/snmpd file to pass parameters to it to reduce the log level. Mine currently says:

Code:

OPTIONS="-LS 4 d -Lf /dev/null -p /var/run/snmpd.pid"

The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
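To put numbers behind the two explanations above (fail2ban bans repeat offenders over and over, and named's "network unreachable" errors are all towards IPv6 nameservers), here is an added triage script that is not part of this thread. It runs awk over a constructed sample of /var/log/messages lines in the same shape as the ones posted, and reports ban counts per address, what is still banned after replaying Ban/Unban events, and the named errors split by cause.

```shell
#!/bin/sh
# Constructed sample, in the same shape as the syslog lines posted above
# (not a real capture); the script works the same on /var/log/messages.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Jun  4 15:16:48 cluster fail2ban.actions[3182]: WARNING [ssh-iptables] Ban 31.207.47.50
Jun  4 15:17:58 cluster fail2ban.actions[3182]: WARNING [ssh-iptables] Ban 116.31.116.53
Jun  4 15:22:54 cluster named[2464]: error (network unreachable) resolving '118-163-71-101.hinet-ip.hinet.net/AAAA/IN': 2001:503:a83e::2:30#53
Jun  4 15:26:48 cluster fail2ban.actions[3182]: WARNING [ssh-iptables] Unban 31.207.47.50
Jun  4 15:30:22 cluster fail2ban.actions[3182]: WARNING [ssh-iptables] Ban 116.31.116.53
Jun  4 15:37:43 cluster named[2464]: error (unexpected RCODE REFUSED) resolving '12.226.229.223.in-addr.arpa/PTR/IN': 202.56.230.6#53
Jun  4 15:37:43 cluster named[2464]: error (network unreachable) resolving '12.226.229.223.in-addr.arpa/PTR/IN': 2404:a800:0:14::3212#53
EOF

# How often each address was banned: the same host coming back as soon as
# its ban expires is what produces a ban line every couple of minutes.
ban_counts() {
    awk 'index($0, "fail2ban.actions") && index($0, "] Ban ") { n[$NF]++ }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# Replay Ban/Unban events in file order; print what is still banned at the end.
currently_banned() {
    awk 'index($0, "] Ban ")   { banned[$NF] = 1 }
         index($0, "] Unban ") { delete banned[$NF] }
         END { for (ip in banned) print ip }' "$1" | sort
}

# Split named resolver errors by cause: "network unreachable" towards an
# IPv6 target (address contains ':') means this host has no IPv6 route;
# REFUSED comes from the remote server and is not a local problem.
named_error_summary() {
    awk 'index($0, "named[") && index($0, "(network unreachable)") {
             split($NF, a, "#")                 # target is "addr#port"
             if (index(a[1], ":")) v6++; else v4++
         }
         index($0, "named[") && index($0, "RCODE REFUSED") { refused++ }
         END { printf "unreachable_v6=%d unreachable_v4=%d refused=%d\n",
                      v6, v4, refused }' "$1"
}

echo "bans per IP:";   ban_counts "$SAMPLE_LOG"
echo "still banned:";  currently_banned "$SAMPLE_LOG"
echo "named errors:";  named_error_summary "$SAMPLE_LOG"
```

If every unreachable target turns out to be IPv6, as in this sample, the usual remedy (not mentioned in the thread) is to start named with -4 so it uses IPv4 transport only, e.g. OPTIONS="-4" in /etc/sysconfig/named on CentOS 6.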

mahmood
Posts: 122
Joined: 2017/06/04 12:21:09

Re: named and fail2ban messages are bothering

Post by mahmood » 2017/06/04 12:59:05

Thanks for the replies. In fact, I am using Rocks Cluster 6.2, which is based on CentOS 6.6. I mean all commands and configs are the same as CentOS.
There is no 7.x version for Rocks, so I have to use older versions (older than current).

> The fail2ban messages there are for information and are telling you that certain ip addresses that are trying to brute force your ssh users/passwords have been banned.

WOW... every 2 minutes (roughly) it receives such messages. Is that normal?? Should I add some more protection?

> Do you have a valid ipv6 address on the machine?

No, I don't.

> Perhaps you want to adjust your /etc/sysconfig/snmpd file to pass parameters to it to reduce the log level.

I set it as yours. After a service restart, I am waiting to see if the previous messages are gone from the log file.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: named and fail2ban messages are bothering

Post by TrevorH » 2017/06/04 13:06:58

> There is no 7.x version for Rocks and I then I have to use older versions (older than current).

That doesn't stop you updating to the latest 6.x. Previous minor versions - i.e. less than 6.9, which is current - are not supported, not secure and need updating. If you need to do something with rocks to update then you need to ask them, but running 6.6 is stupid.

mahmood
Posts: 122
Joined: 2017/06/04 12:21:09

Re: named and fail2ban messages are bothering

Post by mahmood » 2017/06/05 11:49:54

Hi,
> The named messages all seem to do with attempting to reach other nameservers via ipv6. Do you have a valid ipv6 address on the machine?

Can you help me with this problem? As I said, there is no IPv6.

lightman47
Posts: 1521
Joined: 2014/05/21 20:16:00
Location: Central New York, USA

Re: named and fail2ban messages are bothering

Post by lightman47 » 2017/06/11 13:06:13

> every 2 minutes (roughly) it receives such messages. Is that normal??

Unfortunately, yes. The bot networks are very busy hammering away. The difference between you and others is that you've installed fail2ban and can now "see" them. ;)

Actually, others can too, but probably don't navigate /var/log/secure often nor get fail2ban logs.

tunk
Posts: 1205
Joined: 2017/02/22 15:08:17

Re: named and fail2ban messages are bothering

Post by tunk » 2017/06/11 18:36:24

You can also use lastb to see who tried and then failed to login.
If possible, you could update the firewall to only accept logins from local subnets.

lightman47
Posts: 1521
Joined: 2014/05/21 20:16:00
Location: Central New York, USA

Re: named and fail2ban messages are bothering

Post by lightman47 » 2017/06/11 18:48:36

{sidetrack}

> You can also use lastb to see who tried and then failed to login.

Thank you for that !!!!!!!!!

mahmood
Posts: 122
Joined: 2017/06/04 12:21:09

Re: named and fail2ban messages are bothering

Post by mahmood » 2017/06/12 14:40:47

The output of the lastb command shows useful information. For example, I see some user names which do not exist in our system. See:

Code:

ubnt     ssh:notty    188.16.123.30    Mon Jun 12 15:54 - 15:54  (00:00)

But that doesn't show if it has successful or unsuccessful login. Any idea?

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: named and fail2ban messages are bothering

Post by TrevorH » 2017/06/12 14:46:57

From man lastb ...

> Lastb is the same as last, except that by default it shows a log of the file /var/log/btmp, which contains all the bad login attempts.
