SOLVED Ubuntu /var/log/auth.log and others are empty
I have detected a problem on my Ubuntu server.
If the topic does not belong here, please let me know directly and delete it...
I was wondering why fail2ban does not lock anything. And then I noticed that even though there are incorrect logins via ssh, the file /var/log/auth.log remains empty.
I noticed other empty files:
alternatives.log, fontconfig.log, bootstrap.log, cloudron-setup.log.
But I have no idea if this is normal.
The server was installed the day before yesterday by netcup.de. Here the automatic installation with the Ubuntu 18.04 LTS Image with preinstalled Cloudron was used.
I just tried a new installation (after a snapshot). The problem remains.
But maybe this is all normal and I am doing something else wrong?!
Thanks for your help!
@dieter This is normal. Cloudron does not use fail2ban. For SSH login, we recommend simply using SSH keys - https://cloudron.io/documentation/security/#securing-ssh-access . That way, blocking IPs and monitoring them etc. is superfluous.
That said, we are looking into adding some firewall related features in Cloudron in a coming release. But it won't be IP based, it will be more like an application firewall which will block/rate limit specific routes (like the login route of an app).
Thanks @girish for your answer. But it was exactly through the page you gave me that I came to fail2ban.
I installed and tested it and then found out that it does not work. If you write that it is normal that nothing is recorded in the file, it cannot work either.
It's good to read that you are working on a firewall solution and that ssh keys can be used to secure access, but currently the given solution does not work with fail2ban, which can lead to a false sense of security.
To make myself clearer:
I was only going to use fail2ban to block brute force SSH logins, as indicated.
@dieter I found that the SSH logs are in journalctl -u ssh. It's also important to have the syslog facility *disabled* in

    # Logging
    #SyslogFacility AUTH
    #LogLevel INFO

Just to clarify: Cloudron does not set up/manage SSH configs. This seems to be just the standard Ubuntu configuration.
To add here, SSHd configs are very often even VPS provider specific, not just Ubuntu. So ideally Cloudron should not try to manage too much around that, since this might then interfere with, for example, SSH recovery strategies from the VPS provider.
Generally it is always a good idea to use SSH keys instead of passwords.
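
Added example, not part of the original thread: the posts above locate the sshd messages in the journal (journalctl -u ssh) rather than in /var/log/auth.log, so this Python script counts failed password attempts per source address from `journalctl -u ssh -o json` output. The sample entries, the addresses and the `maxretry` threshold are constructed for illustration.

```python
import json
import re
import sys
from collections import Counter

# Constructed sample in the shape of `journalctl -u ssh -o json` output:
# one JSON object per line; only the MESSAGE field is used here.
SAMPLE_MESSAGES = [
    "Failed password for root from 203.0.113.7 port 51122 ssh2",
    "Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2",
    "Accepted publickey for dieter from 198.51.100.4 port 40022 ssh2",
    "Failed password for root from 203.0.113.7 port 51144 ssh2",
    "Invalid user test from 192.0.2.55 port 60001",
    "Failed password for invalid user test from 192.0.2.55 port 60001 ssh2",
    # The user name is client-controlled and may itself contain " from <ip>":
    "Failed password for invalid user x from 198.51.100.9 port 1 ssh2"
    " from 192.0.2.55 port 60002 ssh2",
]
SAMPLE_JOURNAL = "\n".join(json.dumps({"MESSAGE": m}) for m in SAMPLE_MESSAGES)

# Anchored at both ends; the greedy ".*" makes the LAST " from <addr> port <n>"
# the one that counts, so a crafted user name cannot shift blame to another address.
FAILED = re.compile(
    r"^Failed password for (?:invalid user )?.* from (\S+) port \d+(?: ssh\d*)?$"
)

def failed_logins(journal_text):
    """Count failed password attempts per source address."""
    counts = Counter()
    for line in journal_text.splitlines():
        try:
            message = json.loads(line).get("MESSAGE")
        except (json.JSONDecodeError, AttributeError):
            continue  # blank line, truncated line, or not a JSON object
        if not isinstance(message, str):
            continue  # journald emits non-UTF-8 messages as byte arrays
        match = FAILED.match(message)
        if match:
            counts[match.group(1)] += 1
    return counts

def over_threshold(counts, maxretry=3):
    """Addresses with at least `maxretry` failures (threshold is an assumption)."""
    return sorted(addr for addr, n in counts.items() if n >= maxretry)

if __name__ == "__main__":
    text = SAMPLE_JOURNAL if sys.stdin.isatty() else sys.stdin.read()
    counts = failed_logins(text)
    print(dict(counts), over_threshold(counts))
```

On a live host the input would come from `journalctl -u ssh -o json` piped into the script; without piped input it runs on the constructed sample.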