On 17/08/2021 05:53, Allan Wind wrote:
On 2021-08-16T16:58:46, Allan Wind wrote:
2021-08-16T04:10:35.924+00:00 pawan sshd[424228]: error: kex_exchange_identification: Connection closed by remote host
2021-08-16T04:10:35.924+00:00 pawan sshd[424228]: Connection closed by 205.185.113.128 port 35352
I am using mode=aggressive but found that the events are being
(silently) ignored (ugh).
Upon careful review of sshd.conf (identical to master) it appears that
this only works if you modify the sshd_config to enable
LogLevel VERBOSE which causes sshd to emit an additional log event
(obviously for a different port):
2021-08-17T02:01:59.674+00:00 pawan sshd[604981]: Connection from 213.202.233.91 port 41152 on 71.126.254.78 port 22 rdomain ""
which then permits prefregex to match on that line to establish the
session. The comment in the sshd.conf was not helpful to me, as it
talks about how to enable the "Connection from" event,
but it should talk about why you want to do that, i.e. the
lines of filters without a HOST argument.
/Allan
I don't know if it is helpful but f2b can monitor multi-line events. I
just don't know how to do it so I can't give any more information.
Nick
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
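
The following is an added example, not part of the thread and not fail2ban's own code or regexes. It is a simplified model of the behaviour discussed above: a failure line that carries no host can only be attributed to an address if an earlier "Connection from" line with the same sshd PID was logged. The function name, the log lines, the addresses and the PIDs are constructed for illustration, and the model assumes the host is taken only from the "Connection from" line.

```python
import re

# Syslog prefix: timestamp, hostname, then sshd[PID]: message
PREFIX = re.compile(r"^\S+ \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# Session-opening line that sshd only logs at LogLevel VERBOSE
CONN_FROM = re.compile(r"^Connection from (?P<host>\S+) port \d+ on \S+ port \d+")
# Failure line that carries no address of its own
HOSTLESS_FAIL = re.compile(
    r"^error: kex_exchange_identification: Connection closed by remote host$")


def find_failures(lines):
    """Return (pid, host) per hostless failure; host is None when no
    'Connection from' line was seen for that sshd PID."""
    session_host = {}   # pid -> host learned from the session-opening line
    failures = []
    for line in lines:
        m = PREFIX.match(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        opened = CONN_FROM.match(msg)
        if opened:
            session_host[pid] = opened.group("host")
        elif HOSTLESS_FAIL.match(msg):
            failures.append((pid, session_host.get(pid)))
    return failures


# Constructed sample lines in the format quoted in the thread
# (documentation addresses and made-up PIDs).
INFO_LOG = [
    "2021-08-16T04:10:35.924+00:00 host sshd[1001]: error: "
    "kex_exchange_identification: Connection closed by remote host",
    "2021-08-16T04:10:35.924+00:00 host sshd[1001]: "
    "Connection closed by 203.0.113.7 port 35352",
]
VERBOSE_LOG = [
    "2021-08-17T02:01:59.674+00:00 host sshd[1002]: Connection from "
    '203.0.113.7 port 41152 on 192.0.2.10 port 22 rdomain ""',
    "2021-08-17T02:01:59.900+00:00 host sshd[1002]: error: "
    "kex_exchange_identification: Connection closed by remote host",
]

if __name__ == "__main__":
    print("default LogLevel:", find_failures(INFO_LOG))
    print("LogLevel VERBOSE:", find_failures(VERBOSE_LOG))
```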