Yes it's been available for a while. I'm commuting so I figured I'd send you links that provide example usage in a jail.local file. Have a look also at https://sourceforge.net/p/fail2ban/mailman/message/36362859/
On Sat, Feb 23, 2019, 6:11 PM Mike <[email protected]> wrote:

> I'm still a little confused.. Is this feature available and all I have to
> do is include a certain option in my configuration?
>
> like
>
> mode=xxx?
>
> btw, that post is over 4 years old, so I'm wondering if there is more
> recent information, and whether it does actually still apply and if anybody
> else is using these more aggressive settings? Especially on CentOS.
>
> At 04:17 PM 2/23/2019, Robert Kudyba wrote:
>
> It's built-in to the latest versions see
> https://www.google.com/amp/s/amp.reddit.com/r/sysadmin/comments/2tnlf5/how_tofail2ban_aggressive/
> for some examples.
>
> On Sat, Feb 23, 2019, 2:13 PM Mike <[email protected]> wrote:
>
> So a user has proposed an extended version of the sshd config that can
> address this issue?
>
> So has anybody tested that this works? It looks like someone suggested
> this alternate file:
>
> https://github.com/fail2ban/fail2ban/blob/0.10/config/filter.d/sshd.conf
>
> But does this command 'mode=ddos' actually work?
>
> Or is another way to deal with this to edit the existing
> filter.d/sshd.conf and add this to cmnfailre ?
>
>  ^Did not receive identification string from <HOST>
>
> I'm not very experienced at modding the f2b config, so as much detail as
> possible is appreciated.
>
> - Mike
>
> At 08:54 AM 2/23/2019, Robert Kudyba wrote:
>
> See https://sourceforge.net/p/fail2ban/mailman/message/35739624/
>
>   1. rule to block probes on sshd? (Mike)
>
> ----------------------------------------------------------------------
> Message: 1
> Date: Fri, 22 Feb 2019 11:33:26 -0600
> From: Mike <[email protected]>
> To: [email protected]
> Subject: [Fail2ban-users] rule to block probes on sshd?
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset="us-ascii"; format=flowed
>
> I'm seeing entries in my auth log like this:
>
> Feb 22 10:19:45 myhost sshd[24551]: Connection from 118.126.65.175 port 59244 on x.x.x.x port 22
> Feb 22 10:19:45 myhost sshd[24551]: Did not receive identification string from 118.126.65.175 port 59244
>
> There is no login attempt, so f2b is not noticing, but someone has stumbled
> upon the non-standard port I'm running sshd off of. I assume this is
> some sort of NMAP probe?
> Is there a way to set up a rule to trigger a ban from this type of
> activity?
> Can this be done without triggering legit connections?
>
> _______________________________________________
> Fail2ban-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
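
Added example, not part of the thread and not fail2ban's own code: a small Python sketch of what the pattern quoted above (`^Did not receive identification string from <HOST>`) would match in an auth log, and how a retry threshold keeps a single stray connection from being banned. The IPv4-only stand-in for `<HOST>`, the syslog prefix regex, the sample log and the `maxretry`/`findtime` values are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Pattern quoted in the thread; <HOST> is fail2ban's placeholder for the client address.
FAILREGEX = r"^Did not receive identification string from <HOST>"
# Assumption: simplified IPv4-only stand-in for <HOST> (illustration only).
HOST_GROUP = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# Assumption: classic syslog prefix "Mon DD HH:MM:SS host sshd[pid]: ".
PREFIX = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: (?P<msg>.*)$")

# Constructed sample, modelled on the two auth-log lines in the original post.
SAMPLE_LOG = """\
Feb 22 10:19:45 myhost sshd[24551]: Connection from 118.126.65.175 port 59244 on 192.0.2.10 port 22
Feb 22 10:19:45 myhost sshd[24551]: Did not receive identification string from 118.126.65.175 port 59244
Feb 22 10:20:10 myhost sshd[24560]: Did not receive identification string from 118.126.65.175 port 59301
Feb 22 10:21:02 myhost sshd[24571]: Accepted publickey for mike from 198.51.100.7 port 40112 ssh2
Feb 22 10:22:30 myhost sshd[24580]: Did not receive identification string from 118.126.65.175 port 59377
Feb 22 11:40:00 myhost sshd[24990]: Did not receive identification string from 203.0.113.9 port 41000
"""

def hosts_to_ban(log_text, maxretry=3, findtime=600, year=2019):
    """Return hosts with at least maxretry matches within findtime seconds."""
    rule = re.compile(FAILREGEX.replace("<HOST>", HOST_GROUP))
    hits = defaultdict(list)
    for line in log_text.splitlines():
        pre = PREFIX.match(line)
        if not pre:
            continue  # not an sshd syslog line
        m = rule.search(pre.group("msg"))
        if m:
            # Syslog timestamps carry no year, so one is supplied by the caller.
            ts = datetime.strptime(f"{year} {pre.group('ts')}", "%Y %b %d %H:%M:%S")
            hits[m.group("host")].append(ts)
    banned = []
    for host, times in hits.items():
        times.sort()
        # Slide a window of maxretry consecutive hits and test its time span.
        for i in range(len(times) - maxretry + 1):
            if (times[i + maxretry - 1] - times[i]).total_seconds() <= findtime:
                banned.append(host)
                break
    return sorted(banned)

if __name__ == "__main__":
    print(hosts_to_ban(SAMPLE_LOG))
```

On a host with fail2ban installed, the `fail2ban-regex` tool runs this kind of check with the installed filter against the real log file.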
