So a user has proposed an extended version of the sshd config that can address this issue?

So has anybody tested that this works? It looks like someone suggested this alternate file:

https://github.com/fail2ban/fail2ban/blob/0.10/config/filter.d/sshd.conf

But does this command 'mode=ddos' actually work?

Or is another way to deal with this to edit the existing filter.d/sshd.conf and
add this to cmnfailre?

  ^Did not receive identification string from <HOST>

I'm not very experienced at modding the f2b config, so as much detail as possible is appreciated.

- Mike


At 08:54 AM 2/23/2019, Robert Kudyba wrote:
See https://sourceforge.net/p/fail2ban/mailman/message/35739624/

   1. rule to block probes on sshd? (Mike)


----------------------------------------------------------------------

Message: 1
Date: Fri, 22 Feb 2019 11:33:26 -0600
From: Mike <[email protected]>
To: [email protected]
Subject: [Fail2ban-users] rule to block probes on sshd?
Message-ID: <[email protected]>
Content-Type: text/plain; charset="us-ascii"; format=flowed


I'm seeing entries in my auth log like this:

Feb 22 10:19:45 myhost sshd[24551]: Connection from 118.126.65.175 port 59244 on x.x.x.x port 22
Feb 22 10:19:45 myhost sshd[24551]: Did not receive identification string from 118.126.65.175 port 59244


There is no login attempt, so f2b is not noticing, but someone has
stumbled upon the non-standard port I'm running sshd off of.  I
assume this is some sort of NMAP probe?

Is there a way to set up a rule to trigger a ban from this type of
activity?   Can this be done without triggering legit connections?

_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
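
The rule asked about in this thread, as an added example that is not part of the original messages or of fail2ban's own code: a Python check of the candidate pattern against the quoted log lines, counting probe hits per source address. The `HOST` and `PREFIX` regexes and the `maxretry` threshold are simplified stand-ins assumed here for fail2ban's `<HOST>` tag, its log-prefix handling and its jail setting; every log line other than the two quoted in the thread is constructed.

```python
import re
from collections import Counter

# Assumption: IPv4-only stand-in for fail2ban's <HOST> tag.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Candidate pattern from the thread with <HOST> expanded. The optional
# " port N" tail covers sshd builds that log the source port, as in the sample.
CANDIDATE = re.compile(
    r"^Did not receive identification string from " + HOST + r"(?: port \d+)?\s*$"
)

# Assumption: stand-in for the syslog prefix that precedes the sshd message.
PREFIX = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ sshd\[\d+\]: ")

# First two lines are the ones quoted in the thread (unwrapped); the rest are
# constructed: one legitimate login and a second probe from the same address.
SAMPLE_LOG = """\
Feb 22 10:19:45 myhost sshd[24551]: Connection from 118.126.65.175 port 59244 on x.x.x.x port 22
Feb 22 10:19:45 myhost sshd[24551]: Did not receive identification string from 118.126.65.175 port 59244
Feb 22 10:20:02 myhost sshd[24560]: Connection from 192.0.2.10 port 40112 on x.x.x.x port 22
Feb 22 10:20:03 myhost sshd[24560]: Accepted publickey for mike from 192.0.2.10 port 40112 ssh2
Feb 22 10:21:10 myhost sshd[24571]: Did not receive identification string from 118.126.65.175 port 59301
"""


def probe_hits(log_text):
    """Count lines per source address that match the candidate pattern."""
    hits = Counter()
    for line in log_text.splitlines():
        # The pattern is anchored with ^, so it is applied to the message
        # only, after the syslog prefix has been removed.
        message, stripped = PREFIX.subn("", line, count=1)
        if not stripped:
            continue
        match = CANDIDATE.match(message)
        if match:
            hits[match.group("host")] += 1
    return hits


def hosts_to_ban(log_text, maxretry=2):
    """Addresses whose hit count reaches the (assumed) maxretry threshold."""
    return sorted(h for h, n in probe_hits(log_text).items() if n >= maxretry)


if __name__ == "__main__":
    print(dict(probe_hits(SAMPLE_LOG)))
    print(hosts_to_ban(SAMPLE_LOG))
```

The "Connection from" lines are logged for the legitimate login as well, so only the "Did not receive identification string" message is counted.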