seVes n00b
Joined: 06 Jan 2011 Posts: 54 Location: Germany
Posted: Thu May 15, 2014 8:09 pm Post subject: fail2ban - or something different?
Hi guys,
I have a dedicated server, which contains several gameservers including a large forum.
I was going to protect this server and I think it's working very well - so far.
iptables is looking good, same as fail2ban, but finally I have one more thing that I want to solve.
How can I ban/drop the current connections to my openssh?
It allows only a range of specific users, a highly setup from ciphers and publickey.
password-auth is disabled.
Someone (IP varies) tries to connect or DDoS or whatever (I don't know), but I want to keep them off.
auth.log
Code: |
2014-05-15T21:55:56.685478+02:00 localhost sshd[948]: SSH: Server;Ltype: Version;Remote: 101.79.130.213-56124;Protocol: 2.0;Client: libssh-0.2
2014-05-15T21:55:56.982864+02:00 localhost sshd[948]: SSH: Server;Ltype: Kex;Remote: 101.79.130.213-56124;Enc: aes256-cbc;MAC: hmac-sha1;Comp: none [preauth]
2014-05-15T21:55:57.953608+02:00 localhost sshd[948]: Bad packet length 1048896806. [preauth]
2014-05-15T21:57:42.979844+02:00 localhost sshd[1031]: SSH: Server;Ltype: Version;Remote: 101.79.130.213-38580;Protocol: 2.0;Client: libssh-0.2
2014-05-15T21:57:43.279260+02:00 localhost sshd[1031]: SSH: Server;Ltype: Kex;Remote: 101.79.130.213-38580;Enc: aes256-cbc;MAC: hmac-sha1;Comp: none [preauth]
2014-05-15T21:57:44.254027+02:00 localhost sshd[1031]: Bad packet length 2415357948. [preauth]
2014-05-15T21:59:31.060305+02:00 localhost sshd[1125]: SSH: Server;Ltype: Version;Remote: 101.79.130.213-49271;Protocol: 2.0;Client: libssh-0.2
2014-05-15T21:59:31.356239+02:00 localhost sshd[1125]: SSH: Server;Ltype: Kex;Remote: 101.79.130.213-49271;Enc: aes256-cbc;MAC: hmac-sha1;Comp: none [preauth]
2014-05-15T21:59:32.323148+02:00 localhost sshd[1125]: Bad packet length 3256658487. [preauth]
2014-05-15T22:01:20.377066+02:00 localhost sshd[1320]: SSH: Server;Ltype: Version;Remote: 101.79.130.213-59956;Protocol: 2.0;Client: libssh-0.2
2014-05-15T22:01:20.678677+02:00 localhost sshd[1320]: SSH: Server;Ltype: Kex;Remote: 101.79.130.213-59956;Enc: aes256-cbc;MAC: hmac-sha1;Comp: none [preauth]
2014-05-15T22:01:21.660952+02:00 localhost sshd[1320]: Bad packet length 4235625523. [preauth]
|
Is there a way to make a regex for fail2ban which matches 2 lines instead of one? Because the banning IP is in the above line, while the match-code (bad packet length) is in the second?
Or do you know some other ways?
THANKS for helping!
_________________
Alex / seVes
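An added example, not part of the original post and not fail2ban's own code: the two lines asked about share the sshd child PID, so the address can be recovered by correlating on the PID rather than on line adjacency. The function name `offenders`, the threshold of 3 and the 192.0.2.10 line are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample in the format of the auth.log excerpt above: the
# 101.79.130.213 lines are copied from it (Kex lines left out), the
# 192.0.2.10 line is made up to interleave an unrelated client.
SAMPLE_LOG = """\
2014-05-15T21:55:56.685478+02:00 localhost sshd[948]: SSH: Server;Ltype: Version;Remote: 101.79.130.213-56124;Protocol: 2.0;Client: libssh-0.2
2014-05-15T21:55:57.100000+02:00 localhost sshd[950]: SSH: Server;Ltype: Version;Remote: 192.0.2.10-40000;Protocol: 2.0;Client: OpenSSH_6.6
2014-05-15T21:55:57.953608+02:00 localhost sshd[948]: Bad packet length 1048896806. [preauth]
2014-05-15T21:57:42.979844+02:00 localhost sshd[1031]: SSH: Server;Ltype: Version;Remote: 101.79.130.213-38580;Protocol: 2.0;Client: libssh-0.2
2014-05-15T21:57:44.254027+02:00 localhost sshd[1031]: Bad packet length 2415357948. [preauth]
2014-05-15T21:59:31.060305+02:00 localhost sshd[1125]: SSH: Server;Ltype: Version;Remote: 101.79.130.213-49271;Protocol: 2.0;Client: libssh-0.2
2014-05-15T21:59:32.323148+02:00 localhost sshd[1125]: Bad packet length 3256658487. [preauth]
"""

# Line carrying the peer address ("Remote: <ip>-<port>;"), keyed by sshd PID.
REMOTE_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: SSH: .*?Remote: (?P<ip>[0-9A-Fa-f.:]+)-\d+;")
# Line carrying the failure; it has the same PID but no address.
BAD_LEN_RE = re.compile(r"sshd\[(?P<pid>\d+)\]: Bad packet length \d+\.")


def offenders(lines, threshold=3):
    """Return {ip: count} for peers with >= threshold 'Bad packet length' events."""
    pid_to_ip = {}      # sshd child PID -> peer address seen for that PID
    hits = Counter()
    for line in lines:
        m = REMOTE_RE.search(line)
        if m:
            pid_to_ip[m["pid"]] = m["ip"]
            continue
        m = BAD_LEN_RE.search(line)
        if m:
            # pop() so a recycled PID cannot inherit an old address
            ip = pid_to_ip.pop(m["pid"], None)
            if ip is not None:      # failure with no known peer: skip, never guess
                hits[ip] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}


if __name__ == "__main__":
    print(offenders(SAMPLE_LOG.splitlines()))
```

Matching on "the previous line" would have blamed 192.0.2.10 for the first failure in this sample; keying on the PID does not.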
Maitreya Guru
Joined: 11 Jan 2006 Posts: 441
Posted: Thu May 15, 2014 9:38 pm Post subject:
You should have a look at sshguard, it is in portage too!
http://www.sshguard.net/
666threesixes666 Veteran
Joined: 31 May 2011 Posts: 1248 Location: 42.68n 85.41w
Posted: Fri May 16, 2014 7:36 am Post subject:
Look at the wikis for both packages. I told the douche nozzles upstream about it and they told me to shove it. I warned Arch about this behavior of fail2ban also. It's a good idea but they've repeatedly run into that. The issue is years old..... years....
https://wiki.gentoo.org/wiki/Sshguard
https://wiki.gentoo.org/wiki/Fail2ban