Re: [Fail2ban-users] multiline match?
On 8/03/22 00:11, Dominic Raferd wrote: On 07/03/2022 10:37, Richard Hector wrote: On 7/03/22 23:15, Richard Hector wrote: On 6/03/22 20:54, Dominic Raferd wrote: On 06/03/2022 04:35, Richard Hector wrote: I have lines like these in my logs (reported by logcheck, in this case): Mar 6 16:17:38 akl-host6 sshd[33035]: error: kex_exchange_identification: Connection closed by remote host Mar 6 16:17:38 akl-host6 sshd[33035]: Connection closed by 46.19.139.18 port 32834 Mar 6 16:17:54 akl-host6 sshd[33038]: error: kex_exchange_identification: Connection closed by remote host Mar 6 16:17:54 akl-host6 sshd[33038]: Connection closed by 45.125.65.126 port 45184 To a human, it's easy to see that those come in pairs, and that if they're frequent, they're probably attacks. But the line that shows an error doesn't have an IP address, and the line with an IP address isn't obviously an error. Is it still possible to find those and ban them? Assuming you are using failban 0.11+ or perhaps 0.10+ (check yours with 'fail2ban-client version), see the updated sshd jail at https://raw.githubusercontent.com/fail2ban/fail2ban/master/config/filter.d/sshd.conf. Save it as /etc/fail2ban/filter.d/sshd.local and reload this jail with 'fail2ban-client reload sshd'. Thanks Dominic - now I just need to wait for some more attacks, to see if it worked :-) It appears not - I can see more similar lines in the logs since the reload, and no 'Found' lines in fail2ban.log :-( Looking into this a bit further, the message 'error: kex_exchange_identification: Connection closed by remote host' apparently reflects disruption of key exchange communication between the machines, probably because the incoming client dropped the connection. This does not necessarily indicate an attack (as you realise). On my system f2b does not block these instances. Also on my system (OpenSSH_8.2p1 Ubuntu-4ubuntu0.4) there is no subsequent log entry giving the ip address (even with LogLevel VERBOSE), you have to get the ip by backtracking to the earlier corresponding (by pid) 'Connection from' message. I am now doubtful if fail2ban can catch such things. I've now set sshd to mode = aggressive - it now does seem to catch those lines (going by timestamp) (though I don't know how). My system is Debian 11 (bullseye) with OpenSSH_8.4p1, so slightly newer. I tried LogLevel VERBOSE first, but changed it back. I haven't tried going back to the shipped version of sshd.conf with mode = aggressive. Cheers, Richard ___ Fail2ban-users mailing list Fail2ban-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/fail2ban-users
Re: [Fail2ban-users] multiline match?
On 7/03/22 23:15, Richard Hector wrote: On 6/03/22 20:54, Dominic Raferd wrote: On 06/03/2022 04:35, Richard Hector wrote: I have lines like these in my logs (reported by logcheck, in this case): Mar 6 16:17:38 akl-host6 sshd[33035]: error: kex_exchange_identification: Connection closed by remote host Mar 6 16:17:38 akl-host6 sshd[33035]: Connection closed by 46.19.139.18 port 32834 Mar 6 16:17:54 akl-host6 sshd[33038]: error: kex_exchange_identification: Connection closed by remote host Mar 6 16:17:54 akl-host6 sshd[33038]: Connection closed by 45.125.65.126 port 45184 To a human, it's easy to see that those come in pairs, and that if they're frequent, they're probably attacks. But the line that shows an error doesn't have an IP address, and the line with an IP address isn't obviously an error. Is it still possible to find those and ban them? Assuming you are using failban 0.11+ or perhaps 0.10+ (check yours with 'fail2ban-client version), see the updated sshd jail at https://raw.githubusercontent.com/fail2ban/fail2ban/master/config/filter.d/sshd.conf. Save it as /etc/fail2ban/filter.d/sshd.local and reload this jail with 'fail2ban-client reload sshd'. Thanks Dominic - now I just need to wait for some more attacks, to see if it worked :-) It appears not - I can see more similar lines in the logs since the reload, and no 'Found' lines in fail2ban.log :-( Cheers, Richard ___ Fail2ban-users mailing list Fail2ban-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/fail2ban-users
Re: [Fail2ban-users] multiline match?
On 6/03/22 20:54, Dominic Raferd wrote: On 06/03/2022 04:35, Richard Hector wrote: I have lines like these in my logs (reported by logcheck, in this case): Mar 6 16:17:38 akl-host6 sshd[33035]: error: kex_exchange_identification: Connection closed by remote host Mar 6 16:17:38 akl-host6 sshd[33035]: Connection closed by 46.19.139.18 port 32834 Mar 6 16:17:54 akl-host6 sshd[33038]: error: kex_exchange_identification: Connection closed by remote host Mar 6 16:17:54 akl-host6 sshd[33038]: Connection closed by 45.125.65.126 port 45184 To a human, it's easy to see that those come in pairs, and that if they're frequent, they're probably attacks. But the line that shows an error doesn't have an IP address, and the line with an IP address isn't obviously an error. Is it still possible to find those and ban them? Assuming you are using failban 0.11+ or perhaps 0.10+ (check yours with 'fail2ban-client version), see the updated sshd jail at https://raw.githubusercontent.com/fail2ban/fail2ban/master/config/filter.d/sshd.conf. Save it as /etc/fail2ban/filter.d/sshd.local and reload this jail with 'fail2ban-client reload sshd'. Thanks Dominic - now I just need to wait for some more attacks, to see if it worked :-) Cheers, Richard ___ Fail2ban-users mailing list Fail2ban-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/fail2ban-users
[Fail2ban-users] multiline match?
Hi all, I have to confess I find the existing filters somewhat opaque, so I might be missing something. I have lines like these in my logs (reported by logcheck, in this case): Mar 6 16:17:38 akl-host6 sshd[33035]: error: kex_exchange_identification: Connection closed by remote host Mar 6 16:17:38 akl-host6 sshd[33035]: Connection closed by 46.19.139.18 port 32834 Mar 6 16:17:54 akl-host6 sshd[33038]: error: kex_exchange_identification: Connection closed by remote host Mar 6 16:17:54 akl-host6 sshd[33038]: Connection closed by 45.125.65.126 port 45184 To a human, it's easy to see that those come in pairs, and that if they're frequent, they're probably attacks. But the line that shows an error doesn't have an IP address, and the line with an IP address isn't obviously an error. Is it still possible to find those and ban them? Thanks, Richard ___ Fail2ban-users mailing list Fail2ban-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/fail2ban-users
[Fail2ban-users] IRC channel?
Hi, The page at https://www.fail2ban.org/wiki/index.php/HOWTO_Seek_Help says there's a #fail2ban channel on freenode - is that still the right network? Or is the one on libera.chat the right one now? It has users, but no topic ... Thanks, Richard ___ Fail2ban-users mailing list Fail2ban-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/fail2ban-users
