[Fail2ban-users] ban on disconnect before preauth

Sun, 07 Feb 2021 19:34:32 -0800 

Can anyone help with this?
I need to ban the following log entries
Feb  7 14:08:30 web sshd[2820237]: Disconnected from authenticating user root 146.56.231.240 port 41748 [preauth] Feb  7 14:09:04 web sshd[2820247]: Received disconnect from 146.56.231.240 port 50812:11: Bye Bye [preauth] Feb  7 14:09:04 web sshd[2820247]: Disconnected from authenticating user root 146.56.231.240 port 50812 [preauth] Feb  7 14:09:34 web sshd[2820249]: Received disconnect from 146.56.231.240 port 56382:11: Bye Bye [preauth] Feb  7 14:09:34 web sshd[2820249]: Disconnected from authenticating user root 146.56.231.240 port 56382 [preauth] Feb  7 14:10:00 web sshd[2820259]: Received disconnect from 146.56.231.240 port 57958:11: Bye Bye [preauth] Feb  7 14:10:01 web sshd[2820259]: Disconnected from authenticating user root 146.56.231.240 port 57958 [preauth] Feb  7 14:10:26 web sshd[2820264]: Received disconnect from 146.56.231.240 port 59534:11: Bye Bye [preauth] Feb  7 14:10:26 web sshd[2820264]: Disconnected from authenticating user root 146.56.231.240 port 59534 [preauth] Feb  7 14:10:56 web sshd[2820274]: Received disconnect from 146.56.231.240 port 34040:11: Bye Bye [preauth] Feb  7 14:10:56 web sshd[2820274]: Disconnected from authenticating user root 146.56.231.240 port 34040 [preauth] Feb  7 14:10:57 web sshd[2820276]: Received disconnect from 221.181.185.198 port 15288:11:  [preauth] Feb  7 14:10:57 web sshd[2820276]: Disconnected from authenticating user root 221.181.185.198 port 15288 [preauth] Feb  7 14:11:30 web sshd[2820278]: Received disconnect from 146.56.231.240 port 42890:11: Bye Bye [preauth] 
My jails for sshd  ban on 1 failed log enrty in 5 minutes

My sshd jail
[ssh-iptables]
enabled  = true
filter   = sshd
action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]              %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"] 
logpath  = /var/log/secure
maxretry = 1
bantime = 1209600


_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users

Reply via email to