It's built in to the latest versions; see https://www.google.com/amp/s/amp.reddit.com/r/sysadmin/comments/2tnlf5/how_tofail2ban_aggressive/ for some examples.

On Sat, Feb 23, 2019, 2:13 PM Mike <[email protected]> wrote:

> So a user has proposed an extended version of the sshd config that can
> address this issue?
>
> So has anybody tested that this works? It looks like someone suggested
> this alternate file:
>
> https://github.com/fail2ban/fail2ban/blob/0.10/config/filter.d/sshd.conf
>
> But does this command 'mode=ddos' actually work?
>
> Or is another way to deal with this to edit the existing
> filter.d/sshd.conf and
> add this to cmnfailre ?
>
> ^Did not receive identification string from <HOST>
>
> I'm not very experienced at modding the f2b config, so as much detail as
> possible is appreciated.
>
> - Mike
>
>
> At 08:54 AM 2/23/2019, Robert Kudyba wrote:
>
> See https://sourceforge.net/p/fail2ban/mailman/message/35739624/
>
>   1. rule to block probes on sshd? (Mike)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Fri, 22 Feb 2019 11:33:26 -0600
> From: Mike <[email protected]>
> To: [email protected]
> Subject: [Fail2ban-users] rule to block probes on sshd?
> Message-ID: < [email protected]>
> Content-Type: text/plain; charset="us-ascii"; format=flowed
>
>
> I'm seeing entries in my auth log like this:
>
> Feb 22 10:19:45 myhost sshd[24551]: Connection from 118.126.65.175 port 59244 on x.x.x.x port 22
> Feb 22 10:19:45 myhost sshd[24551]: Did not receive identification string from 118.126.65.175 port 59244
>
>
> There is no login attempt, so f2b is not noticing, but someone has
> stumbled upon the non-standard port I'm running sshd off of. I
> assume this is some sort of NMAP probe?
>
> Is there a way to set up a rule to trigger a ban from this type of
> activity?  Can this be done without triggering legit connections?
>
> _______________________________________________
> Fail2ban-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
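
The rule quoted in the thread can be checked against the log lines from the original post before it goes into a filter. The following is an added example, not code from the thread or from fail2ban: it approximates fail2ban's `<HOST>` tag and syslog prefix with simplified, assumed patterns and compares the proposed rule with two constructed variants. Only the first two log lines come from the post; the other three are constructed.

```python
import re
from collections import Counter

# Simplified stand-ins (assumptions): fail2ban's real <HOST> tag also covers
# IPv6 and hostnames, and its prefix handling is more general than this.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
PREFIX = r"^\w{3}\s+\d+ [\d:]{8} \S+ sshd\[\d+\]: "

def compile_failregex(body):
    """Expand <HOST> and prepend the syslog prefix before compiling."""
    return re.compile(PREFIX + body.replace("<HOST>", HOST))

MSG = r"Did not receive identification string from <HOST>"
RULES = {
    # The rule quoted in the thread: no anchor after the address.
    "proposed": compile_failregex(MSG),
    # Constructed variant: anchored right after the address, so it misses
    # lines that carry a trailing " port N" like the one in the post.
    "end_anchored": compile_failregex(MSG + r"\s*$"),
    # Constructed variant: anchored, but tolerates the optional port suffix.
    "port_aware": compile_failregex(MSG + r"(?: port \d+)?\s*$"),
}

# The first two lines are from the post; the other three are constructed.
SAMPLE_LOG = [
    "Feb 22 10:19:45 myhost sshd[24551]: Connection from 118.126.65.175 port 59244 on x.x.x.x port 22",
    "Feb 22 10:19:45 myhost sshd[24551]: Did not receive identification string from 118.126.65.175 port 59244",
    "Feb 22 10:21:02 myhost sshd[24560]: Connection from 192.0.2.10 port 40122 on x.x.x.x port 22",
    "Feb 22 10:21:05 myhost sshd[24560]: Accepted publickey for alice from 192.0.2.10 port 40122 ssh2",
    "Feb 22 10:22:11 myhost sshd[24571]: Did not receive identification string from 198.51.100.7",
]

def failures(rule_name, lines=SAMPLE_LOG):
    """Return {source address: number of matching lines} for one rule."""
    hits = Counter()
    for line in lines:
        match = RULES[rule_name].search(line)
        if match:
            hits[match.group("host")] += 1
    return dict(hits)

if __name__ == "__main__":
    for name in RULES:
        print(f"{name:13s} {failures(name)}")
```

On a host with fail2ban installed, the bundled `fail2ban-regex` tool runs the same kind of check against the real filter file and the real auth log.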
