On 8/03/22 00:11, Dominic Raferd wrote:
On 07/03/2022 10:37, Richard Hector wrote:
On 7/03/22 23:15, Richard Hector wrote:
On 6/03/22 20:54, Dominic Raferd wrote:
On 06/03/2022 04:35, Richard Hector wrote:
I have lines like these in my logs (reported by logcheck, in this
case):
Mar 6 16:17:38 akl-host6 sshd[33035]: error:
kex_exchange_identification: Connection closed by remote host
Mar 6 16:17:38 akl-host6 sshd[33035]: Connection closed by
46.19.139.18 port 32834
Mar 6 16:17:54 akl-host6 sshd[33038]: error:
kex_exchange_identification: Connection closed by remote host
Mar 6 16:17:54 akl-host6 sshd[33038]: Connection closed by
45.125.65.126 port 45184
To a human, it's easy to see that those come in pairs, and that if
they're frequent, they're probably attacks. But the line that shows
an error doesn't have an IP address, and the line with an IP
address isn't obviously an error. Is it still possible to find
those and ban them?
Assuming you are using failban 0.11+ or perhaps 0.10+ (check yours
with 'fail2ban-client version), see the updated sshd jail at
https://raw.githubusercontent.com/fail2ban/fail2ban/master/config/filter.d/sshd.conf.
Save it as /etc/fail2ban/filter.d/sshd.local and reload this jail
with 'fail2ban-client reload sshd'.
Thanks Dominic - now I just need to wait for some more attacks, to
see if it worked :-)
It appears not - I can see more similar lines in the logs since the
reload, and no 'Found' lines in fail2ban.log :-(
Looking into this a bit further, the message 'error:
kex_exchange_identification: Connection closed by remote host'
apparently reflects disruption of key exchange communication between the
machines, probably because the incoming client dropped the connection.
This does not necessarily indicate an attack (as you realise).
On my system f2b does not block these instances. Also on my system
(OpenSSH_8.2p1 Ubuntu-4ubuntu0.4) there is no subsequent log entry
giving the ip address (even with LogLevel VERBOSE), you have to get the
ip by backtracking to the earlier corresponding (by pid) 'Connection
from' message.
I am now doubtful if fail2ban can catch such things.
I've now set sshd to mode = aggressive - it now does seem to catch those
lines (going by timestamp) (though I don't know how). My system is
Debian 11 (bullseye) with OpenSSH_8.4p1, so slightly newer. I tried
LogLevel VERBOSE first, but changed it back. I haven't tried going back
to the shipped version of sshd.conf with mode = aggressive.
Cheers,
Richard
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
