I'm still a little confused... Is this feature available and all I have to do is include a certain option in my configuration? Like mode=xxx?
Btw, that post is over 4 years old, so I'm wondering if there is more recent information, whether it does actually still apply, and if anybody else is using these more aggressive settings? Especially on CentOS.
At 04:17 PM 2/23/2019, Robert Kudyba wrote:
It's built into the latest versions, see
https://www.google.com/amp/s/amp.reddit.com/r/sysadmin/comments/2tnlf5/how_tofail2ban_aggressive/
for some examples.
On Sat, Feb 23, 2019, 2:13 PM Mike <[email protected]> wrote:
So a user has proposed an extended version of the sshd config that can address this issue? So has anybody tested that this works? It looks like someone suggested this alternate file:
https://github.com/fail2ban/fail2ban/blob/0.10/config/filter.d/sshd.conf
But does this command 'mode=ddos' actually work?
Or is another way to deal with this to edit the existing filter.d/sshd.conf and add this to cmnfailre?
 ^Did not receive identification string from <HOST>
I'm not very experienced at modding the f2b config, so as much detail as possible is appreciated.
- Mike
At 08:54 AM 2/23/2019, Robert Kudyba wrote:
See
https://sourceforge.net/p/fail2ban/mailman/message/35739624/
1. rule to block probes on sshd? (Mike)
----------------------------------------------------------------------
Message: 1
Date: Fri, 22 Feb 2019 11:33:26 -0600
From: Mike <[email protected]>
To: [email protected]
Subject: [Fail2ban-users] rule to block probes on sshd?
Message-ID: <[email protected]>
Content-Type: text/plain; charset="us-ascii"; format=flowed
I'm seeing entries in my auth log like this:
Feb 22 10:19:45 myhost sshd[24551]: Connection from 118.126.65.175 port 59244 on x.x.x.x port 22
Feb 22 10:19:45 myhost sshd[24551]: Did not receive identification string from 118.126.65.175 port 59244
There is no login attempt, so f2b is not noticing, but someone has stumbled upon the non-standard port I'm running sshd off of. I assume this is some sort of NMAP probe?
Is there a way to set up a rule to trigger a ban from this type of activity? Can this be done without triggering legit connections?
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
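As an added example, not code from the thread or from the fail2ban project: a small Python check that applies the failregex proposed above to constructed log lines modelled on the ones quoted in the original question. The <HOST> placeholder and the sshd prefix are approximated here (both are assumptions, not fail2ban's own matcher), and a maxretry-style threshold shows why a single dropped connection from a legitimate client does not lead to a ban.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample log, modelled on the lines quoted in the thread (not real data).
SAMPLE_LOG = """\
Feb 22 10:19:45 myhost sshd[24551]: Connection from 118.126.65.175 port 59244 on 10.0.0.5 port 22
Feb 22 10:19:45 myhost sshd[24551]: Did not receive identification string from 118.126.65.175 port 59244
Feb 22 10:19:52 myhost sshd[24553]: Did not receive identification string from 118.126.65.175 port 59310
Feb 22 10:20:01 myhost sshd[24560]: Accepted publickey for alice from 192.0.2.10 port 51000 ssh2
Feb 22 10:20:30 myhost sshd[24570]: Did not receive identification string from 2001:db8::1 port 40000
"""

# Approximation of fail2ban's <HOST> placeholder: IPv4, IPv6 or hostname (assumption).
HOST_RE = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3}|[0-9a-fA-F:]{2,}|[\w.-]+)"

# Approximation of the sshd filter's __prefix_line: timestamp, host, "sshd[pid]: " (assumption).
PREFIX_RE = r"^\S+\s+\d+\s+[\d:]+\s+\S+\s+sshd\[\d+\]:\s+"

# The failregex line proposed in the thread.
FAILREGEX = r"^Did not receive identification string from <HOST>"


def compile_failregex(failregex: str) -> "re.Pattern[str]":
    """Turn a fail2ban-style failregex (with <HOST>) into a Python regex."""
    return re.compile(PREFIX_RE + failregex.lstrip("^").replace("<HOST>", HOST_RE))


def find_failures(log_text: str, failregex: str = FAILREGEX) -> List[str]:
    """Return the <HOST> captured from every log line the failregex matches."""
    pattern = compile_failregex(failregex)
    return [m.group("host") for m in map(pattern.search, log_text.splitlines()) if m]


def ban_candidates(hosts: List[str], maxretry: int = 3) -> Dict[str, int]:
    """Mimic fail2ban's maxretry: only hosts with at least maxretry matches get banned.

    A legitimate client that drops one connection (e.g. a monitoring check) stays under
    the threshold, which is what keeps this regex from banning real users."""
    counts = Counter(hosts)
    return {host: n for host, n in counts.items() if n >= maxretry}


if __name__ == "__main__":
    hits = find_failures(SAMPLE_LOG)
    print("matched hosts:", hits)            # 118.126.65.175 twice, 2001:db8::1 once
    print("banned with maxretry=2:", ban_candidates(hits, maxretry=2))
```

Against a real installation the same check is done with fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf, which uses fail2ban's actual prefix and <HOST> handling rather than the approximations above.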