On 08/02/2021 03:30, Doug Preston via Fail2ban-users wrote:
Can anyone help with this?
I need to ban the following log entries
Feb 7 14:08:30 web sshd[2820237]: Disconnected from authenticating user root 146.56.231.240 port 41748 [preauth]
Feb 7 14:09:04 web sshd[2820247]: Received disconnect from 146.56.231.240 port 50812:11: Bye Bye [preauth]
...
Feb 7 14:11:30 web sshd[2820278]: Received disconnect from 146.56.231.240 port 42890:11: Bye Bye [preauth]
My jails for sshd ban on 1 failed log entry in 5 minutes
My sshd jail
[ssh-iptables]
enabled = true
filter = sshd
action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
             %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
logpath = /var/log/secure
maxretry = 1
bantime = 1209600
For a 14 day bantime you may need to set a long dbpurgeage in
/etc/fail2ban/fail2ban.local, the default I think is only 1d (86400).
It might depend on what version of f2b you are using (fail2ban-client -V
will tell you) but if you have <0.10 I suggest you upgrade it if
possible. Failing that you can try just downloading the latest sshd
filter from the fail2ban github repo and save it as
/etc/fail2ban/filter.d/sshd.local.
Then in /etc/fail2ban/jail.local use sshd (not sshd-iptables) jail with
'maxretry = 1', 'mode = aggressive' and your preferred bantime. This
should enact the long bans you want.
Personally I use shorter bantimes and rely on recidive jail for repeat
offenders.
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
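To make the interaction of maxretry, findtime and bantime concrete for the log lines quoted above, here is an added Python example that replays them through a small fail2ban-style counter. It is not fail2ban's code and not part of the thread: the two regexes are simplified stand-ins for the pre-auth disconnect patterns that fail2ban's sshd filter matches in aggressive mode, the 600 s findtime is assumed (fail2ban's stock default), the year is assumed because syslog omits it, and the sample lines are constructed from the ones Doug posted.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log, modelled on the lines quoted in the thread
# (the source address is the one Doug posted; the year is assumed).
SAMPLE_LOG = """\
Feb  7 14:08:30 web sshd[2820237]: Disconnected from authenticating user root 146.56.231.240 port 41748 [preauth]
Feb  7 14:09:04 web sshd[2820247]: Received disconnect from 146.56.231.240 port 50812:11: Bye Bye [preauth]
Feb  7 14:11:30 web sshd[2820278]: Received disconnect from 146.56.231.240 port 42890:11: Bye Bye [preauth]
"""

# Assumed patterns: simplified stand-ins for the two pre-auth disconnect
# forms that fail2ban's sshd filter catches in mode=aggressive. They are
# NOT fail2ban's own regexes; use fail2ban-regex to check the real filter.
FAILREGEX = [
    re.compile(r"sshd\[\d+\]: Disconnected from authenticating user \S+ "
               r"(?P<host>\S+) port \d+ \[preauth\]$"),
    re.compile(r"sshd\[\d+\]: Received disconnect from (?P<host>\S+) "
               r"port \d+:\d+: Bye Bye \[preauth\]$"),
]
SYSLOG_TS = re.compile(r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) ")


def parse_ts(line, year=2021):
    """Parse the syslog timestamp prefix; syslog omits the year, so one is assumed."""
    m = SYSLOG_TS.match(line)
    if m is None:
        return None
    return datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")


def match_failure(line):
    """Return the offending host if the line matches one of the patterns, else None."""
    for rx in FAILREGEX:
        m = rx.search(line)
        if m:
            return m["host"]
    return None


def simulate_jail(log_text, maxretry=1, findtime=600, bantime=1209600):
    """Replay a log through fail2ban-style counting; return {host: (ban_start, ban_end)}.

    A host is banned once it accumulates `maxretry` matches within `findtime`
    seconds; matches that arrive while the host is already banned are ignored.
    Defaults follow the thread (maxretry=1, 14-day bantime = 1209600 s); the
    600 s findtime is fail2ban's stock default and is an assumption here.
    """
    failures = {}   # host -> timestamps of recent matches
    bans = {}       # host -> (start, end) of the ban
    window = timedelta(seconds=findtime)
    for line in log_text.splitlines():
        host = match_failure(line)
        ts = parse_ts(line)
        if host is None or ts is None:
            continue
        if host in bans and ts < bans[host][1]:
            continue                              # already banned: nothing to count
        recent = [t for t in failures.get(host, []) if ts - t <= window]
        recent.append(ts)
        failures[host] = recent
        if len(recent) >= maxretry:
            bans[host] = (ts, ts + timedelta(seconds=bantime))
            failures[host] = []                   # counter resets on ban
    return bans


if __name__ == "__main__":
    for mr in (1, 3):
        print(f"maxretry={mr}:", simulate_jail(SAMPLE_LOG, maxretry=mr))
```

With maxretry=1 the very first "Disconnected from authenticating user" line bans the address for 14 days and the two later lines are ignored; with maxretry=3 the ban only lands on the third line, and with a 60 s findtime the three lines never fall into one window, so no ban is issued. The script keeps bans only in memory; real fail2ban stores them in its database and discards entries older than dbpurgeage, which is why the reply suggests raising dbpurgeage when bantime is 14 days. To check what the real filter matches on the actual log, fail2ban 0.10 and later accept filter options on the command line, e.g. `fail2ban-regex /var/log/secure "sshd[mode=aggressive]"`.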