Clarifications about SSH and its logs (/var/log/auth.log)

Hello!

As I am currently discovering server administration (the story begins here), I am wondering about the meaning of certain log entries, more specifically those concerning authentication in /var/log/auth.log.

This server therefore runs OpenSSH (listening on the default port 22, with key-based authentication only), plus Fail2Ban, since brute-force attacks of course did not take long to show up.

On to the questions:

Dec 16 06:47:34 libellule sshd[19983]: Address 212.156.5.254 maps to static.turktelekom.com.tr, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Dec 16 06:47:36 libellule sshd[19986]: Address 212.156.5.254 maps to static.turktelekom.com.tr, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Dec 16 06:47:36 libellule sshd[19986]: Invalid user user from 212.156.5.254
Dec 16 06:47:37 libellule sshd[19988]: Address 212.156.5.254 maps to static.turktelekom.com.tr, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Dec 16 06:47:37 libellule sshd[19988]: Invalid user oracle from 212.156.5.254
Dec 16 06:47:38 libellule sshd[19990]: Address 212.156.5.254 maps to static.turktelekom.com.tr, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Dec 16 06:47:38 libellule sshd[19990]: Invalid user test from 212.156.5.254
Dec 16 06:47:40 libellule sshd[19992]: Address 212.156.5.254 maps to static.turktelekom.com.tr, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Dec 16 06:47:40 libellule sshd[19992]: Invalid user testuser from 212.156.5.254
Dec 16 06:47:41 libellule sshd[19994]: Address 212.156.5.254 maps to static.turktelekom.com.tr, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Dec 16 06:47:41 libellule sshd[19994]: Invalid user r00t from 212.156.5.254
Dec 16 06:47:42 libellule sshd[19996]: Address 212.156.5.254 maps to static.turktelekom.com.tr, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Dec 16 06:47:44 libellule sshd[19998]: Address 212.156.5.254 maps to static.turktelekom.com.tr, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Dec 16 06:47:44 libellule sshd[19998]: Invalid user r00t from 212.156.5.254
Dec 16 06:47:45 libellule sshd[20000]: Address 212.156.5.254 maps to static.turktelekom.com.tr, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Dec 16 06:47:45 libellule sshd[20000]: Invalid user rOOt from 212.156.5.254
On this log sample, two questions:

  1. What does “Address x.x.x.x maps […] POSSIBLE BREAK-IN ATTEMPT!” mean? And is there any cause for concern?

  2. So far, Fail2Ban with its default configuration has always banned the IP after 6 authentication attempts within the allotted time (600 sec), yet here we see 7. How is that possible? Is it related to the point raised in the first question?

  3. And my last question, more or less the same, about what can be seen in this log, namely a flurry of “reverse mapping checking […]” before any login attempt at all:

Dec 16 09:14:20 libellule sshd[20071]: reverse mapping checking getaddrinfo for qld58.instant-office.com.au [203.161.130.58] failed - POSSIBLE BREAK-IN ATTEMPT!
Dec 16 09:14:24 libellule sshd[20074]: reverse mapping checking getaddrinfo for qld58.instant-office.com.au [203.161.130.58] failed - POSSIBLE BREAK-IN ATTEMPT!
Dec 16 09:14:27 libellule sshd[20076]: reverse mapping checking getaddrinfo for qld58.instant-office.com.au [203.161.130.58] failed - POSSIBLE BREAK-IN ATTEMPT!
Dec 16 09:14:31 libellule sshd[20078]: reverse mapping checking getaddrinfo for qld58.instant-office.com.au [203.161.130.58] failed - POSSIBLE BREAK-IN ATTEMPT!
Dec 16 09:14:34 libellule sshd[20080]: reverse mapping checking getaddrinfo for qld58.instant-office.com.au [203.161.130.58] failed - POSSIBLE BREAK-IN ATTEMPT!
Dec 16 09:14:37 libellule sshd[20082]: reverse mapping checking getaddrinfo for qld58.instant-office.com.au [203.161.130.58] failed - POSSIBLE BREAK-IN ATTEMPT!
Dec 16 09:14:41 libellule sshd[20084]: reverse mapping checking getaddrinfo for qld58.instant-office.com.au [203.161.130.58] failed - POSSIBLE BREAK-IN ATTEMPT!
Dec 16 09:14:45 libellule sshd[20086]: reverse mapping checking getaddrinfo for qld58.instant-office.com.au [203.161.130.58] failed - POSSIBLE BREAK-IN ATTEMPT!
Dec 16 09:14:48 libellule sshd[20088]: reverse mapping checking getaddrinfo for qld58.instant-office.com.au [203.161.130.58] failed - POSSIBLE BREAK-IN ATTEMPT!
Dec 16 09:14:54 libellule sshd[20090]: reverse mapping checking getaddrinfo for qld58.instant-office.com.au [203.161.130.58] failed - POSSIBLE BREAK-IN ATTEMPT!
Dec 16 09:14:58 libellule sshd[20092]: reverse mapping checking getaddrinfo for qld58.instant-office.com.au [203.161.130.58] failed - POSSIBLE BREAK-IN ATTEMPT!
Dec 16 09:15:02 libellule sshd[20094]: reverse mapping checking getaddrinfo for qld58.instant-office.com.au [203.161.130.58] failed - POSSIBLE BREAK-IN ATTEMPT!
Dec 16 09:15:05 libellule sshd[20096]: reverse mapping checking getaddrinfo for qld58.instant-office.com.au [203.161.130.58] failed - POSSIBLE BREAK-IN ATTEMPT!
Dec 16 09:15:08 libellule sshd[20098]: reverse mapping checking getaddrinfo for qld58.instant-office.com.au [203.161.130.58] failed - POSSIBLE BREAK-IN ATTEMPT!
Dec 16 09:15:08 libellule sshd[20098]: Invalid user oracle from 203.161.130.58
Dec 16 09:15:12 libellule sshd[20100]: reverse mapping checking getaddrinfo for qld58.instant-office.com.au [203.161.130.58] failed - POSSIBLE BREAK-IN ATTEMPT!
Dec 16 09:15:12 libellule sshd[20100]: Invalid user test from 203.161.130.58
Dec 16 09:15:16 libellule sshd[20102]: reverse mapping checking getaddrinfo for qld58.instant-office.com.au [203.161.130.58] failed - POSSIBLE BREAK-IN ATTEMPT!
Dec 16 09:15:16 libellule sshd[20102]: Invalid user guest from 203.161.130.58
Dec 16 09:15:20 libellule sshd[20104]: reverse mapping checking getaddrinfo for qld58.instant-office.com.au [203.161.130.58] failed - POSSIBLE BREAK-IN ATTEMPT!
Dec 16 09:15:20 libellule sshd[20104]: Invalid user marta from 203.161.130.58
Dec 16 09:15:23 libellule sshd[20106]: reverse mapping checking getaddrinfo for qld58.instant-office.com.au [203.161.130.58] failed - POSSIBLE BREAK-IN ATTEMPT!
Dec 16 09:15:23 libellule sshd[20106]: Invalid user anti from 203.161.130.58
Dec 16 09:15:27 libellule sshd[20108]: reverse mapping checking getaddrinfo for qld58.instant-office.com.au [203.161.130.58] failed - POSSIBLE BREAK-IN ATTEMPT!
Dec 16 09:15:27 libellule sshd[20108]: Invalid user dragon from 203.161.130.58

Thanks to anyone who helps me see more clearly through all this :slightly_smiling:
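A way to check lines like these mechanically, as an added example (my own code, not the poster's and not from OpenSSH or Fail2Ban): it parses the sshd entries quoted above, classifies sshd's two DNS consistency warnings ("Address ... does not map back" and "reverse mapping checking getaddrinfo ... failed") separately from the real "Invalid user" authentication failures, and replays a fail2ban-style rule (maxretry=6 within findtime=600 s, the defaults the post mentions) per source IP. The `counted` parameter is an assumption of this script, not a Fail2Ban option; it lets you see how the ban time shifts depending on whether the DNS warnings are treated as failures. Since any log-watching tool can only act after sshd has written the line, entries logged in the second after the threshold is crossed can still appear; the `after_ban` list isolates exactly those entries.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample, made of lines quoted in the post above. sshd does not log
# the year, so every timestamp parses with strptime's default year (1900).
SAMPLE_LOG = """\
Dec 16 06:47:34 libellule sshd[19983]: Address 212.156.5.254 maps to static.turktelekom.com.tr, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Dec 16 06:47:36 libellule sshd[19986]: Invalid user user from 212.156.5.254
Dec 16 06:47:37 libellule sshd[19988]: Invalid user oracle from 212.156.5.254
Dec 16 06:47:38 libellule sshd[19990]: Invalid user test from 212.156.5.254
Dec 16 06:47:40 libellule sshd[19992]: Invalid user testuser from 212.156.5.254
Dec 16 06:47:41 libellule sshd[19994]: Invalid user r00t from 212.156.5.254
Dec 16 06:47:44 libellule sshd[19998]: Invalid user r00t from 212.156.5.254
Dec 16 06:47:45 libellule sshd[20000]: Invalid user rOOt from 212.156.5.254
Dec 16 09:14:20 libellule sshd[20071]: reverse mapping checking getaddrinfo for qld58.instant-office.com.au [203.161.130.58] failed - POSSIBLE BREAK-IN ATTEMPT!
Dec 16 09:14:24 libellule sshd[20074]: reverse mapping checking getaddrinfo for qld58.instant-office.com.au [203.161.130.58] failed - POSSIBLE BREAK-IN ATTEMPT!
Dec 16 09:15:08 libellule sshd[20098]: Invalid user oracle from 203.161.130.58
Dec 16 09:15:12 libellule sshd[20100]: Invalid user test from 203.161.130.58
Dec 16 09:15:16 libellule sshd[20102]: Invalid user guest from 203.161.130.58
Dec 16 09:15:20 libellule sshd[20104]: Invalid user marta from 203.161.130.58
Dec 16 09:15:23 libellule sshd[20106]: Invalid user anti from 203.161.130.58
Dec 16 09:15:27 libellule sshd[20108]: Invalid user dragon from 203.161.130.58
"""

# Syslog prefix as written by sshd: "Mon DD HH:MM:SS host sshd[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
IP = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
# The two DNS warnings are sshd's hostname consistency check (PTR record of the
# client vs. forward lookup of that name). They say the client's DNS is
# inconsistent; they are not, by themselves, a login attempt. "Invalid user" is a
# genuine authentication failure for an account that does not exist on the host.
MESSAGE_RE = {
    "invalid_user": re.compile(rf"^Invalid user (?P<user>\S*) from {IP}"),
    "dns_mismatch": re.compile(
        rf"^Address {IP} maps to \S+, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!$"
    ),
    "dns_reverse_failed": re.compile(
        rf"^reverse mapping checking getaddrinfo for \S+ \[{IP}\] failed - POSSIBLE BREAK-IN ATTEMPT!$"
    ),
}


def parse_line(line):
    """Parse one sshd syslog line into a dict; return None for non-sshd lines."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    event = {
        "ts": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"),
        "pid": int(m.group("pid")),   # same pid = same client connection
        "kind": "other",
        "ip": None,
        "user": None,
    }
    for kind, rx in MESSAGE_RE.items():
        pm = rx.match(m.group("msg"))
        if pm:
            event["kind"] = kind
            event["ip"] = pm.group("ip")
            event["user"] = pm.groupdict().get("user")
            break
    return event


def analyse(log_text, maxretry=6, findtime=600, counted=("invalid_user",)):
    """Replay a fail2ban-style rule (maxretry failures within findtime seconds)
    per source IP. 'counted' (an assumption of this script) selects which
    message kinds are treated as failures. Returns
    {ip: {"failures": n, "ban_at": datetime | None, "after_ban": [datetime, ...]}}."""
    report = defaultdict(lambda: {"failures": 0, "ban_at": None, "after_ban": []})
    window = defaultdict(list)   # per-IP timestamps still inside findtime
    events = [e for e in map(parse_line, log_text.splitlines()) if e and e["ip"]]
    for ev in sorted(events, key=lambda e: e["ts"]):   # stable: same-second order kept
        if ev["kind"] not in counted:
            continue
        ip, ts = ev["ip"], ev["ts"]
        entry = report[ip]
        entry["failures"] += 1
        if entry["ban_at"] is not None:
            # Logged after the threshold was already crossed: the "7th attempt".
            entry["after_ban"].append(ts)
            continue
        window[ip] = [t for t in window[ip] if (ts - t).total_seconds() <= findtime] + [ts]
        if len(window[ip]) >= maxretry:
            entry["ban_at"] = ts
    return dict(report)


if __name__ == "__main__":
    for ip, r in analyse(SAMPLE_LOG).items():
        ban = r["ban_at"].strftime("%H:%M:%S") if r["ban_at"] else "none"
        late = [t.strftime("%H:%M:%S") for t in r["after_ban"]]
        print(f"{ip}: {r['failures']} failures, threshold reached at {ban}, logged after that: {late}")
```

Run as is, the script reports 7 "Invalid user" failures for 212.156.5.254 with the threshold reached at 06:47:44 and one more line at 06:47:45, one second later; 203.161.130.58 reaches exactly 6. Calling `analyse(SAMPLE_LOG, counted=("invalid_user", "dns_mismatch", "dns_reverse_failed"))` counts the DNS warnings too and moves both thresholds earlier, which is why it matters to know which message kinds a given filter actually matches before reading the counts.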