Hi all,
I have to confess I find the existing filters somewhat opaque, so I
might be missing something.
I have lines like these in my logs (reported by logcheck, in this case):
Mar 6 16:17:38 akl-host6 sshd[33035]: error: kex_exchange_identification: Connection closed by remote host
Mar 6 16:17:38 akl-host6 sshd[33035]: Connection closed by 46.19.139.18 port 32834
Mar 6 16:17:54 akl-host6 sshd[33038]: error: kex_exchange_identification: Connection closed by remote host
Mar 6 16:17:54 akl-host6 sshd[33038]: Connection closed by 45.125.65.126 port 45184
To a human, it's easy to see that those come in pairs, and that if
they're frequent, they're probably attacks. But the line that shows an
error doesn't have an IP address, and the line with an IP address isn't
obviously an error.
Is it still possible to find those and ban them?
Thanks,
Richard
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
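
The pairing described in the message above can be done mechanically by keying on the sshd PID in brackets, which both lines of a pair share. The following is an added example, not part of the original post and not fail2ban filter syntax; the function names, the threshold, and the sample log (modelled on the quoted lines, with the 192.0.2.10 entry and the final pair constructed) are assumptions.

```python
import re
from collections import Counter

# Constructed sample input modelled on the log lines quoted in the post.
SAMPLE_LOG = """\
Mar 6 16:17:38 akl-host6 sshd[33035]: error: kex_exchange_identification: Connection closed by remote host
Mar 6 16:17:38 akl-host6 sshd[33035]: Connection closed by 46.19.139.18 port 32834
Mar 6 16:17:40 akl-host6 sshd[33036]: Connection closed by 192.0.2.10 port 50000
Mar 6 16:17:54 akl-host6 sshd[33038]: error: kex_exchange_identification: Connection closed by remote host
Mar 6 16:17:54 akl-host6 sshd[33038]: Connection closed by 45.125.65.126 port 45184
Mar 6 16:18:02 akl-host6 sshd[33041]: error: kex_exchange_identification: Connection closed by remote host
Mar 6 16:18:02 akl-host6 sshd[33041]: Connection closed by 46.19.139.18 port 40112
"""

# Syslog prefix: timestamp, host, then the sshd PID that ties a pair together.
PREFIX = r"^\w{3}\s+\d+ [\d:]{8} (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
ERR_RE = re.compile(
    PREFIX + r"error: kex_exchange_identification: Connection closed by remote host$")
CLOSE_RE = re.compile(PREFIX + r"Connection closed by (?P<ip>\S+) port \d+$")


def failed_kex_by_ip(lines, max_pending=1024):
    """Count kex failures per IP by joining the error line to the close line."""
    pending = {}      # (host, pid) -> True; dicts keep insertion order
    hits = Counter()
    for line in lines:
        line = line.rstrip("\n")
        m = ERR_RE.match(line)
        if m:
            pending[(m["host"], m["pid"])] = True
            if len(pending) > max_pending:
                # Bound memory if close lines never arrive: drop the oldest entry.
                pending.pop(next(iter(pending)))
            continue
        m = CLOSE_RE.match(line)
        # Only count a close line whose PID logged the kex error first;
        # popping the entry also guards against later PID reuse.
        if m and pending.pop((m["host"], m["pid"]), None):
            hits[m["ip"]] += 1
    return hits


def offenders(lines, threshold=2):
    """Return the IPs with at least `threshold` correlated failures."""
    return sorted(ip for ip, n in failed_kex_by_ip(lines).items() if n >= threshold)
```

A close line without a preceding error from the same PID (the 192.0.2.10 entry) is treated as an ordinary disconnect and is not counted.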