Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
fail2ban - or something different?
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
seVes
n00b
n00b


Joined: 06 Jan 2011
Posts: 54
Location: Germany

PostPosted: Thu May 15, 2014 8:09 pm    Post subject: fail2ban - or something different? Reply with quote

Hi guys,

i have a dedicated server, which contains several gameservers including a large forum.

I was going to protect this server and i think its working very well - so far. :wink:

iptables is looking good, same as fail2ban but finally i have one more thing what i want to solve.

How can i ban/drop the current connections to my openssh?

It allows only a range of specific users, a highly setup from ciphers and publickey.
password-auth is disabled.

Someone (IP varies) try to connect or ddos or whatever (i dont know), but i want to keep them off. :P

auth.log
Code:

2014-05-15T21:55:56.685478+02:00 localhost sshd[948]: SSH: Server;Ltype: Version;Remote: 101.79.130.213-56124;Protocol: 2.0;Client: libssh-0.2
2014-05-15T21:55:56.982864+02:00 localhost sshd[948]: SSH: Server;Ltype: Kex;Remote: 101.79.130.213-56124;Enc: aes256-cbc;MAC: hmac-sha1;Comp: none [preauth]
2014-05-15T21:55:57.953608+02:00 localhost sshd[948]: Bad packet length 1048896806. [preauth]
2014-05-15T21:57:42.979844+02:00 localhost sshd[1031]: SSH: Server;Ltype: Version;Remote: 101.79.130.213-38580;Protocol: 2.0;Client: libssh-0.2
2014-05-15T21:57:43.279260+02:00 localhost sshd[1031]: SSH: Server;Ltype: Kex;Remote: 101.79.130.213-38580;Enc: aes256-cbc;MAC: hmac-sha1;Comp: none [preauth]
2014-05-15T21:57:44.254027+02:00 localhost sshd[1031]: Bad packet length 2415357948. [preauth]
2014-05-15T21:59:31.060305+02:00 localhost sshd[1125]: SSH: Server;Ltype: Version;Remote: 101.79.130.213-49271;Protocol: 2.0;Client: libssh-0.2
2014-05-15T21:59:31.356239+02:00 localhost sshd[1125]: SSH: Server;Ltype: Kex;Remote: 101.79.130.213-49271;Enc: aes256-cbc;MAC: hmac-sha1;Comp: none [preauth]
2014-05-15T21:59:32.323148+02:00 localhost sshd[1125]: Bad packet length 3256658487. [preauth]
2014-05-15T22:01:20.377066+02:00 localhost sshd[1320]: SSH: Server;Ltype: Version;Remote: 101.79.130.213-59956;Protocol: 2.0;Client: libssh-0.2
2014-05-15T22:01:20.678677+02:00 localhost sshd[1320]: SSH: Server;Ltype: Kex;Remote: 101.79.130.213-59956;Enc: aes256-cbc;MAC: hmac-sha1;Comp: none [preauth]
2014-05-15T22:01:21.660952+02:00 localhost sshd[1320]: Bad packet length 4235625523. [preauth]


Is there a way to make a regex for fail2ban which matches 2 lines instead of one? Because the banning ip is in the above line, while the match-code (bad packet length) is in the second?

Or did you know some other ways?

THANKS for helping!
_________________
Alex / seVes
Back to top
View user's profile Send private message
Maitreya
Guru
Guru


Joined: 11 Jan 2006
Posts: 407

PostPosted: Thu May 15, 2014 9:38 pm    Post subject: Reply with quote

You should have a a look at sshguard, it is in portage too!

[ur]http://www.sshguard.net/[/url]
Back to top
View user's profile Send private message
666threesixes666
Veteran
Veteran


Joined: 31 May 2011
Posts: 1248
Location: 42.68n 85.41w

PostPosted: Fri May 16, 2014 7:36 am    Post subject: Reply with quote

look at the wikis for both packages. i told the douche nozzles up stream about it and they told me to shove it. i warned arch about this behavior of fail2ban also. its a good idea but they've repeatedly ran into that. the issue is years old..... years....

https://wiki.gentoo.org/wiki/Sshguard

https://wiki.gentoo.org/wiki/Fail2ban
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum