On Tue, Mar 21, 2017 at 10:41:14AM -0500, Bryan K. Walton wrote:
>I'm looking at this closed bug report (from December of 2015):
>
>https://github.com/fail2ban/fail2ban/issues/1284
>
>Is it still correct to say that fail2ban will not block an IP if the SSH logs 
>record a string like:
>
>"Did not receive identification string from"
>
>But an authentication attempt did not occur? (No username/password was 
>provided)
>
>In other words, just wanting to verify that the information in the bug report 
>is still factually correct.

No, it looks[1] like fail2ban CAN ban such events now. However, the 
filter needs to be configured to include such lines. That is, out of the 
box, the sshd filter works in "normal" mode, which includes a base set 
of filters, but it can also run in "ddos", "extra" or "aggressive" mode, 
which include successively more filters. The bug reporter could use 
something like:

 [sshd]
 mode = ddos

to block the line mentioned.


[1] https://github.com/fail2ban/fail2ban/blob/0.10/config/filter.d/sshd.conf

>
>Thanks,
>Bryan
>
>------------------------------------------------------------------------------
>Check out the vibrant tech community on one of the world's most
>engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>_______________________________________________
>Fail2ban-users mailing list
>Fail2ban-users@lists.sourceforge.net
>https://lists.sourceforge.net/lists/listinfo/fail2ban-users

-- 
For more information, please reread.
