On 6/03/22 20:54, Dominic Raferd wrote:
On 06/03/2022 04:35, Richard Hector wrote:
I have lines like these in my logs (reported by logcheck, in this case):
Mar 6 16:17:38 akl-host6 sshd[33035]: error:
kex_exchange_identification: Connection closed by remote host
Mar 6 16:17:38 akl-host6 sshd[33035]: Connection closed by
46.19.139.18 port 32834
Mar 6 16:17:54 akl-host6 sshd[33038]: error:
kex_exchange_identification: Connection closed by remote host
Mar 6 16:17:54 akl-host6 sshd[33038]: Connection closed by
45.125.65.126 port 45184
To a human, it's easy to see that those come in pairs, and that if
they're frequent, they're probably attacks. But the line that shows an
error doesn't have an IP address, and the line with an IP address
isn't obviously an error. Is it still possible to find those and ban
them?
Assuming you are using failban 0.11+ or perhaps 0.10+ (check yours with
'fail2ban-client version), see the updated sshd jail at
https://raw.githubusercontent.com/fail2ban/fail2ban/master/config/filter.d/sshd.conf.
Save it as /etc/fail2ban/filter.d/sshd.local and reload this jail with
'fail2ban-client reload sshd'.
Thanks Dominic - now I just need to wait for some more attacks, to see
if it worked :-)
Cheers,
Richard
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
