On Monday, 12 November 2018 at 14:40, you wrote:

> Hi Klaus,
> Does https://linux.die.net/man/5/hosts_access, especially hosts.deny, provide
> a solution?
> Regards,
> Paul

sorry. my bavarian friend is only a declaration. it's a number from bavaria. he's unknown. tomorrow it will change into a bavarian from china. or a chinese (smiling) person from bavaria. that is to say, the IPs will differ.

why hosts_access? why are WE ALL using and loving fail2ban? THEREFORE! ;-)

greetings from klaus, the saxonian! ;-)

> -----Original message-----
> From: Klaus Lehmann <[email protected]>
> Sent: Monday 12 November 2018 13:57
> To: [email protected]
> Subject: [Fail2ban-users] sshd: Received disconnect from xxx.xxx.xxx.xxx port 58404:11: Bye Bye [preauth] is an attack
>
> Hi,
>
> this is definitely an attack:
>
> Nov 12 08:10:16 linuxserver sshd[10216]: Connection from xxx.xxx.xxx.xxx port 58404 on 192.168.2.2 port 22
> Nov 12 08:10:17 linuxserver sshd[10216]: Received disconnect from xxx.xxx.xxx.xxx port 58404:11: Bye Bye [preauth]
> Nov 12 08:10:17 linuxserver sshd[10216]: Disconnected from xxx.xxx.xxx.xxx port 58404 [preauth]
>
> there are no more lines in journalctl....
> info: xxx.xxx.xxx.xxx is some bullshit from bavaria. there are no login names!
>
> this is definitely not an attack, it's my login:
>
> Nov 12 11:36:23 linuxserver sshd[12895]: Connection from 84.156.117.187 port 55468 on 192.168.2.2 port 22
> Nov 12 11:36:23 linuxserver sshd[12895]: Postponed keyboard-interactive for root from 84.156.117.187 port 55468 ssh2 [preauth]
> Nov 12 11:36:23 linuxserver sshd[12895]: Postponed keyboard-interactive/pam for root from 84.156.117.187 port 55468 ssh2 [preauth]
> Nov 12 11:36:23 linuxserver sshd[12895]: Accepted keyboard-interactive/pam for root from 84.156.117.187 port 55468 ssh2
> Nov 12 11:36:23 linuxserver sshd[12895]: pam_unix(sshd:session): session opened for user root by (uid=0)
> Nov 12 11:36:23 linuxserver systemd-logind[1035]: New session 37 of user root.
> Nov 12 11:36:23 linuxserver systemd[1]: Started Session 37 of user root.
> Nov 12 11:36:24 linuxserver sshd[12895]: User child is on pid 12899
> Nov 12 11:36:24 linuxserver sshd[12899]: Starting session: shell on pts/0 for root from 84.156.117.187 port 55468 id 0
> Nov 12 11:36:25 linuxserver su[12930]: (to root) root on pts/0
> Nov 12 11:36:25 linuxserver su[12930]: pam_unix(su:session): session opened for user root by root(uid=1023)
> Nov 12 11:36:25 linuxserver su[12930]: pam_systemd(su:session): Cannot create session: Already running in a session
> Nov 12 11:36:49 linuxserver su[12930]: pam_unix(su:session): session closed for user root
> Nov 12 11:36:50 linuxserver sshd[12899]: Close session: user root from 84.156.117.187 port 55468 id 0
> Nov 12 11:36:50 linuxserver sshd[12899]: Received disconnect from 84.156.117.187 port 55468:11: disconnected by user
> Nov 12 11:36:50 linuxserver sshd[12899]: Disconnected from 84.156.117.187 port 55468
> Nov 12 11:36:50 linuxserver sshd[12895]: pam_unix(sshd:session): session closed for user root
>
> info: 84.156.117.187 is german telekom (my provider). login name is root (not
> in reality!). we'll see more discussion (approx. 10 lines!) about the
> login procedure than from bavaria
>
> my question: HOW can I ban my "bad bavarian friend" off my server?
> =================================================================
>
> how can I define in fail2ban rules that this is NOT a friendly visit?
>
> Nov 12 08:10:16 linuxserver sshd[10216]: Connection from xxx.xxx.xxx.xxx port 58404 on 192.168.2.2 port 22
> Nov 12 08:10:17 linuxserver sshd[10216]: Received disconnect from xxx.xxx.xxx.xxx port 58404:11: Bye Bye [preauth]
> Nov 12 08:10:17 linuxserver sshd[10216]: Disconnected from xxx.xxx.xxx.xxx port 58404 [preauth]
>
> can I really define this?
>
> If we have a closer look at the "good german" from telekom, I will see the !same! lines:
>
> Nov 12 11:36:23 linuxserver sshd[12895]: Connection from 84.156.117.187 port 55468 on 192.168.2.2 port 22
> Nov 12 11:36:50 linuxserver sshd[12899]: Received disconnect from 84.156.117.187 port 55468:11: disconnected by user
> Nov 12 11:36:50 linuxserver sshd[12899]: Disconnected from 84.156.117.187 port 55468
>
> But I have no lines like:
>
> Nov 12 11:36:23 linuxserver sshd[12895]: Postponed keyboard-interactive for root from 84.156.117.187 port 55468 ssh2 [preauth]
>
> and so on. on the bavarian side there's no existing user! there's not any user!
>
> A moment please:
> ================
>
> Between those three lines, there's a difference!!!!
>
> Nov 12 08:10:17 linuxserver sshd[10216]: Received disconnect from xxx.xxx.xxx.xxx port 58404:11: Bye Bye [preauth]
>
> "Bye Bye" !!!!!!
>
> Searching in /etc/fail2ban/filter.d/sshd.conf
>
> cmnfailre = ^<F-NOFAIL>Received <F-MLFFORGET>disconnect</F-MLFFORGET></F-NOFAIL> from <HOST>%(__on_port_opt)s:\s*11:
>
> 1st: this isn't working!
> 2nd: if we get this working, then it's better to define this like this:
>
> ^<F-NOFAIL>Received <F-MLFFORGET>disconnect</F-MLFFORGET></F-NOFAIL> from <HOST>%(__on_port_opt)s:\s*11: "Bye Bye [preauth]"
>
> good idea?
>
> and:
> in jail.local I have strong rules:
>
> [sshd]
> enabled = true
> mode = aggressive
> port = ssh
> logpath = %(sshd_log)s
> backend = %(sshd_backend)s
> journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd
> bantime = 1d
> maxretry = 0 --->> maxretry = 0 !!!!
>
> I wish those bavarian users OFF my servers ;-) how?
>
> does anybody have the same problem?
>
> thanks and yours Klaus
>
> _______________________________________________
> Fail2ban-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users

--
Kind regards,
Klaus Lehmann
http://allegronet.de
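The difference between the two "Received disconnect ... :11:" lines discussed in this thread, as an added example that is not part of the thread and not fail2ban's own filter code. It uses plain Python regexes rather than fail2ban's `<HOST>`/`<F-NOFAIL>` syntax; the sample lines are constructed from the thread's excerpts with documentation addresses, and `would_ban` with its `maxretry` parameter is a hypothetical helper.

```python
import re

# Constructed sample lines modelled on the log excerpts in the thread.
# 203.0.113.5 stands in for the unknown client, 198.51.100.20 for the
# administrator's own login; both are documentation addresses.
SAMPLE_LOG = """\
Nov 12 08:10:16 linuxserver sshd[10216]: Connection from 203.0.113.5 port 58404 on 192.168.2.2 port 22
Nov 12 08:10:17 linuxserver sshd[10216]: Received disconnect from 203.0.113.5 port 58404:11: Bye Bye [preauth]
Nov 12 08:10:17 linuxserver sshd[10216]: Disconnected from 203.0.113.5 port 58404 [preauth]
Nov 12 11:36:23 linuxserver sshd[12895]: Connection from 198.51.100.20 port 55468 on 192.168.2.2 port 22
Nov 12 11:36:23 linuxserver sshd[12895]: Accepted keyboard-interactive/pam for root from 198.51.100.20 port 55468 ssh2
Nov 12 11:36:50 linuxserver sshd[12899]: Received disconnect from 198.51.100.20 port 55468:11: disconnected by user
Nov 12 11:36:50 linuxserver sshd[12899]: Disconnected from 198.51.100.20 port 55468
"""

PREFIX = r"sshd\[\d+\]: Received disconnect from (?P<host>\S+) port \d+:11:"

# Broad: any disconnect with reason code 11, like the first pattern quoted.
BROAD = re.compile(PREFIX)
# Narrow: same prefix, but only when followed by the pre-auth "Bye Bye" text.
NARROW = re.compile(PREFIX + r" Bye Bye \[preauth\]\s*$")


def hosts_matching(pattern, log_text):
    """Return {host: number of matching lines} for one pattern."""
    hits = {}
    for line in log_text.splitlines():
        match = pattern.search(line)
        if match:
            host = match.group("host")
            hits[host] = hits.get(host, 0) + 1
    return hits


def would_ban(pattern, log_text, maxretry=1):
    """Hosts with at least `maxretry` matching lines (hypothetical threshold)."""
    hits = hosts_matching(pattern, log_text)
    return sorted(host for host, count in hits.items() if count >= maxretry)


if __name__ == "__main__":
    # The broad pattern also catches the clean logout of an accepted session.
    print("broad :", would_ban(BROAD, SAMPLE_LOG))
    print("narrow:", would_ban(NARROW, SAMPLE_LOG))
```

A real filter change can be checked against the actual log with the `fail2ban-regex` tool before it is enabled.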
