tag 494487 + pending
thanks
Ok - convinced now ;)

Due to its specificity I would prefer to have it as an additional
filter/jail as opposed to integrating it into the existing ssh one. So, please
find attached filters.d file, and relevant config for jails.local is
something like the following piece

NB feel free to tune maxretry up to your liking and please let me know
what is the sensible one - i.e. how many times a single IP triggers such log
lines on average. Please let me know so I tune it in shipped jail.conf
before uploading

[ssh-ddos]

enabled  = true
port     = ssh
filter   = sshd-ddos
logpath  = /var/log/auth.log
maxretry = 6

The package is in the middle of fixing another bug, so I want to
preclude uploading before I settle the solution for it with upstream.

-- 
                                  .-.
=------------------------------   /v\  ----------------------------=
Keep in touch                    // \\     (yoh@|www.)onerussian.com
Yaroslav Halchenko              /(   )\               ICQ#: 60653192
                   Linux User    ^^-^^    [175555]
# Fail2Ban configuration file
#
# Author: Yaroslav Halchenko
#
# $Revision: 471 $
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching.
# Values:  TEXT
#
failregex = sshd\[\S*\]: Did not receive identification string from <HOST>

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
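
Added example, not part of the original mail or of fail2ban itself: one way to answer the maxretry question above is to run the attached failregex over auth.log lines and count hits per source address. The `HOST_GROUP` pattern is a simplified stand-in for fail2ban's `<HOST>` tag, the helper names are hypothetical, and the log lines are constructed samples using documentation addresses.

```python
import re
from collections import Counter

# failregex copied verbatim from the attached filter.
FAILREGEX = r"sshd\[\S*\]: Did not receive identification string from <HOST>"
# Assumption: simplified stand-in for fail2ban's <HOST> tag, which expands to
# a broader pattern; here it just captures the token after "from".
HOST_GROUP = r"(?P<host>\S+)"
MAXRETRY = 6  # value from the jail snippet in the mail

def compile_failregex(failregex=FAILREGEX):
    """Substitute the <HOST> tag and compile the filter's regex."""
    return re.compile(failregex.replace("<HOST>", HOST_GROUP))

def hits_per_host(lines):
    """Count matching log lines per source host."""
    pattern = compile_failregex()
    hits = Counter()
    for line in lines:
        match = pattern.search(line)
        if match:
            hits[match.group("host")] += 1
    return hits

def summarize(lines, maxretry=MAXRETRY):
    """Return (hits, mean hits per host, hosts reaching maxretry).

    Simplification: every line is treated as inside one findtime window.
    """
    hits = hits_per_host(lines)
    mean = sum(hits.values()) / len(hits) if hits else 0.0
    over = sorted(host for host, n in hits.items() if n >= maxretry)
    return hits, mean, over

# Constructed sample lines (documentation addresses), not real log data.
PROBE = "Aug 10 03:1%d:01 srv sshd[21%02d]: Did not receive identification string from %s"
SAMPLE_LOG = (
    [PROBE % (i, i, "192.0.2.10") for i in range(7)]
    + [PROBE % (i, 40 + i, "198.51.100.7") for i in range(2)]
    + ["Aug 10 03:20:05 srv sshd[2199]: Failed password for root from 203.0.113.5 port 4242 ssh2",
       "Aug 10 03:21:09 srv sshd[2200]: Accepted publickey for admin from 192.0.2.77 port 5151 ssh2"]
)

if __name__ == "__main__":
    hits, mean, over = summarize(SAMPLE_LOG)
    for host, n in hits.most_common():
        print(f"{host:15} {n}")
    print(f"mean hits per host: {mean:.1f}; reaching maxretry={MAXRETRY}: {over}")
```

Feeding it the lines of a real /var/log/auth.log instead of `SAMPLE_LOG` gives the per-IP distribution to compare against a candidate maxretry.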