Package: fail2ban
Version: 0.8.1-2
Severity: wishlist

The filters:

/etc/fail2ban/filter.d/sshd.conf
/etc/fail2ban/filter.d/sshd-ddos.conf

don't trigger on the IP addresses blocked by the /etc/hosts.deny file.
I think it is desirable that fail2ban identify these attempts.

I've added the following line to sshd.conf 

failregex = refused connect from <HOST>\s

that works correctly with:

Nov 13 03:42:11 Server sshd[4240]: refused connect from ::ffff:210.21.243.47 (::ffff:210.21.243.47)

but doesn't work with the following line, from my auth.log:

Nov 11 23:33:27 Server sshd[5174]: refused connect from _U2FsdGVkX19P3BCJmFBHhjLza8BcMH06WCUVwttMHpE=_@::ffff:218.249.210.161 (::ffff:218.249.210.161)

The error in the fail2ban.log file is:

2007-11-12 14:16:33,923 fail2ban.filter : WARNING Unable to find a corresponding IP address for _U2FsdGVkX19P3BCJmFBHhjLza8BcMH06WCUVwttMHpE=_@::ffff:218.249.210.161

I think that the "<HOST>" macro in filters is bad. I also tried with
"<host>" but without any success.

My configuration files are:

jail.local:
[ssh]
maxretry = 2
protocol = tcp

sshd.local:
[Definition]
failregex = (?:error: PAM: )?Authentication failure for .* from <HOST>\s*$
            Failed [-/\w]+ for .* from <HOST>(?: port \d*)?(?: ssh\d*)?\s*$
            ROOT LOGIN REFUSED.* FROM <HOST>\s*$
            [iI](?:llegal|nvalid) user .* from <HOST>\s*$
            User .+ from <HOST> not allowed because not listed in AllowUsers\s*$
            User .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$
            refused connect from <HOST>\s
ignoreregex = 

Thank you for your attention and thank you for maintaining the package.

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (560, 'testing'), (545, 'testing-proposed-updates'), (540, 'testing'), (460, 'stable'), (445, 'proposed-updates'), (440, 'stable'), (50, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.22-2-686 (SMP w/1 CPU core)
Locale: LANG=it_IT, LC_CTYPE=it_IT (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/bash

Versions of packages fail2ban depends on:
ii  iptables                1.3.8.0debian1-1 administration tools for packet fi
ii  lsb-base                3.1-24           Linux Standard Base 3.1 init scrip
ii  python                  2.4.4-6          An interactive high-level object-o
ii  python-central          0.5.15           register and build utility for Pyt

fail2ban recommends no packages.

-- no debconf information
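
The two auth.log lines from the report, run through the reported rule and through a variant that tolerates a "user@" prefix, as an added example that is not part of the original report or of fail2ban's code. The HOST expansion below is an assumed approximation of the <HOST> tag, and REPORTED, TOLERANT, captured_host and extract_ip are hypothetical names.

```python
import ipaddress
import re

# Assumption: approximates a <HOST> expansion (optional IPv4-mapped prefix,
# then any run of non-space characters); not copied from the fail2ban source.
HOST = r"(?:::f{4,6}:)?(?P<host>\S+)"

# The rule from the report, and a hypothetical variant that skips "user@".
REPORTED = re.compile(r"refused connect from " + HOST + r"\s")
TOLERANT = re.compile(r"refused connect from (?:\S+@)?" + HOST + r"\s")

# Log lines taken from the report, with the mail line-wrapping undone.
LINES = [
    "Nov 13 03:42:11 Server sshd[4240]: refused connect from "
    "::ffff:210.21.243.47 (::ffff:210.21.243.47)",
    "Nov 11 23:33:27 Server sshd[5174]: refused connect from "
    "_U2FsdGVkX19P3BCJmFBHhjLza8BcMH06WCUVwttMHpE=_@::ffff:218.249.210.161 "
    "(::ffff:218.249.210.161)",
]


def captured_host(pattern, line):
    """Return the raw text of the 'host' group, or None if the rule misses."""
    m = pattern.search(line)
    return m.group("host") if m else None


def extract_ip(pattern, line):
    """Return the captured host only if it is a literal IP address.

    The text before '@' comes from the remote side, so anything that is not
    an address literal is rejected instead of being handed to a DNS lookup.
    """
    host = captured_host(pattern, line)
    if host is None:
        return None
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return None


if __name__ == "__main__":
    for line in LINES:
        print("reported:", captured_host(REPORTED, line), "->", extract_ip(REPORTED, line))
        print("tolerant:", captured_host(TOLERANT, line), "->", extract_ip(TOLERANT, line))
```

With the reported rule the second line yields the whole "user@address" token as the host, which is the string named in the fail2ban.log warning above.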


