I had literally 5 non terminal login attempts to root,
Authentication failure for root via sshd from 59.47.112.161 ssh:notty
(China) before Fail2ban did its job and blocked the IP. This was on the firewall itself, and SSH is only exposed to the LAN subnets.
I am aware that this is common if the SSH server is exposed to the internet, but SSH access is supposed to be available only to the company internal network; I VPN into the network if I need to do anything via SSH remotely. I also don't have thousands of log entries for failed root login attempts, so it doesn't indicate that I have a config error, but you never know. I've checked and double checked and can't find any rules that are inadvertently allowing access to 22. Any suggestions on where to look would be welcome. If I try to log into SSH remotely, the connection times out and doesn't trigger any log entries or warnings.
This was the default config on the firewall setup, which I have been running since ClearOS was still called Clarkconnect; this is the first time this has happened. I am not sure if completely disabling root will break the web config GUI, but I have disabled root SSH login and set up a sudo user.
Can anyone possibly shed some light on how/why this would happen so I can prevent it happening again?
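One place to start, as an added example that is not part of the original post: a small Python check that parses auth-log lines in the format quoted above and flags failures whose source address lies outside the LAN and VPN subnets you expect SSH to be reachable from. The subnet values and every sample line except the first are assumptions; substitute the firewall's real ranges and log file.

```python
# Flag SSH auth failures from sources outside the trusted LAN/VPN ranges.
# Added example; subnets and sample log lines (apart from the first) are constructed.
import ipaddress
import re
from collections import Counter

# Assumed trusted ranges: the only networks SSH should ever be reached from.
TRUSTED_SUBNETS = [
    ipaddress.ip_network("192.168.1.0/24"),  # assumed LAN subnet
    ipaddress.ip_network("10.8.0.0/24"),     # assumed VPN client pool
]

# Matches the log format quoted in the post; captures the user and source IP.
AUTH_FAIL_RE = re.compile(
    r"Authentication failure for (?P<user>\S+) via sshd from (?P<ip>[0-9a-fA-F.:]+)"
)

# Constructed sample log; the first line reproduces the one from the post.
SAMPLE_LOG = """\
Authentication failure for root via sshd from 59.47.112.161 ssh:notty
Authentication failure for root via sshd from 59.47.112.161 ssh:notty
Authentication failure for admin via sshd from 192.168.1.42 ssh:notty
Authentication failure for root via sshd from 10.8.0.7 ssh:notty
"""


def is_trusted(ip: str) -> bool:
    """True when the address falls inside one of the trusted subnets."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_SUBNETS)


def untrusted_failures(log_text: str) -> Counter:
    """Count auth failures per (user, ip) whose source is outside the trusted ranges."""
    hits: Counter = Counter()
    for line in log_text.splitlines():
        m = AUTH_FAIL_RE.search(line)
        if m and not is_trusted(m.group("ip")):
            hits[(m.group("user"), m.group("ip"))] += 1
    return hits


if __name__ == "__main__":
    # Any hit here means sshd accepted a connection from outside the LAN/VPN,
    # which is the firewall-rule or exposure question the post is asking about.
    for (user, ip), n in untrusted_failures(SAMPLE_LOG).items():
        print(f"{n} failure(s) for {user} from non-LAN source {ip}")
```

Run it against the real log (e.g. feed the contents of the firewall's auth log to `untrusted_failures`) and an empty result means every failure came from a trusted range; anything else pinpoints which path reached port 22.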