On Wed, May 25, 2016 at 01:42:27PM +0000, Christophe Millon wrote:
Hi,


I'm new here and I have a question.

My fail2ban works well, but for a few days I have had an issue. Every morning when I
look at my logwatch I see this:


Received disconnect:
   11:  [preauth]
      221.229.162.7 : 7 Time(s)
      221.229.166.101 : 4 Time(s)
      58.218.199.96 : 8 Time(s)
      58.218.204.107 : 3 Time(s)
      58.218.204.211 : 4 Time(s)
      58.218.204.215 : 6 Time(s)
      58.218.204.23 : 3 Time(s)
      58.218.204.32 : 3 Time(s)
      58.218.204.80 : 1 Time(s)
      58.218.211.17 : 9 Time(s)

In the auth.log these IPs occur only with this line: "Received disconnect from x.x.x.x: 11: [preauth]". These addresses are not banned.

So on my Virtual Machine I tried to modify the configuration file /etc/fail2ban/filter.d/sshd.conf to test if I can ban these IPs. I added this line to the regex:
^%(__prefix_line)sReceived disconnect from <HOST> .* [preauth]\s*$
but it doesn't work.

You probably need "\[preauth\]", otherwise that section will be interpreted as being a character class (i.e. a 'p', or an 'r', or an 'e'...).

Also, check to see if the attempts are spread out over a greater period than your 'findtime' setting.


How can I ban these IPs?

Thank you for any advice.

Christophe.



_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users


--
For more information, please reread.
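
The two checks suggested in the reply, as an added example that is not part of the original thread and is not fail2ban's own code: it runs the posted failregex, a bracket-escaped version, and a hypothetical adjusted version over constructed auth.log lines, then applies a findtime/maxretry window. The `HOST` and `PREFIX` expansions are simplified assumptions, as are the addresses and the threshold values. It also shows that the literal space after `<HOST>` in the posted pattern does not line up with the colon that follows the address in the quoted log line.

```python
import re
from datetime import datetime

# Simplified stand-ins for fail2ban's tags (assumptions, not fail2ban's own expansions).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"                # <HOST>, IPv4 only
PREFIX = r"(?P<ts>\w{3} +\d+ [\d:]{8}) \S+ sshd\[\d+\]: "  # %(__prefix_line)s

POSTED = r"^%(__prefix_line)sReceived disconnect from <HOST> .* [preauth]\s*$"
ESCAPED = r"^%(__prefix_line)sReceived disconnect from <HOST> .* \[preauth\]\s*$"
# Hypothetical variant: brackets escaped and the colon after the address matched.
ADJUSTED = r"^%(__prefix_line)sReceived disconnect from <HOST>: 11: .*\[preauth\]\s*$"

# Constructed auth.log lines in the format quoted in the thread.
LOG = [
    "May 25 03:10:01 vm sshd[1201]: Received disconnect from 192.0.2.10: 11:  [preauth]",
    "May 25 03:12:40 vm sshd[1207]: Received disconnect from 192.0.2.10: 11:  [preauth]",
    "May 25 03:14:55 vm sshd[1213]: Received disconnect from 192.0.2.10: 11:  [preauth]",
    "May 25 01:00:00 vm sshd[1101]: Received disconnect from 198.51.100.20: 11:  [preauth]",
    "May 25 02:30:00 vm sshd[1150]: Received disconnect from 198.51.100.20: 11:  [preauth]",
    "May 25 04:45:00 vm sshd[1302]: Received disconnect from 198.51.100.20: 11:  [preauth]",
]

def expand(failregex):
    """Substitute the simplified tag expansions and compile."""
    return re.compile(failregex.replace("%(__prefix_line)s", PREFIX).replace("<HOST>", HOST))

def tail_matches(failregex, text):
    """Match only the part of the failregex after <HOST> against text."""
    return re.search(failregex.split("<HOST>")[1], text) is not None

def hits(failregex, lines=LOG):
    """Return (timestamp, host) for every line the failregex matches."""
    rx, out = expand(failregex), []
    for line in lines:
        m = rx.search(line)
        if m:
            ts = datetime.strptime("2016 " + m.group("ts"), "%Y %b %d %H:%M:%S")
            out.append((ts, m.group("host")))
    return out

def would_ban(failregex, findtime, maxretry, lines=LOG):
    """Hosts with at least maxretry matches inside one findtime-second window."""
    per_host = {}
    for ts, host in sorted(hits(failregex, lines)):
        per_host.setdefault(host, []).append(ts)
    return {h for h, s in per_host.items()
            if any((s[i + maxretry - 1] - s[i]).total_seconds() <= findtime
                   for i in range(len(s) - maxretry + 1))}
```

With the sample values `findtime=600` and `maxretry=3`, only the address whose three disconnects fall within ten minutes is selected; the one spread over several hours is not, which is the second point raised in the reply.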
