No Graham.  What I'm trying to do is block anything that tries to connect
that is not a SoftEther client.  So, for the logged text ....

2021-08-26 01:28:34.121 On the TCP Listener (Port 443), a Client (IP
address 128.14.209.162, Host name "zl-dal-us-gp3-wk107.internet-census.org",
Port number 38470) has connected.
2021-08-26 01:28:34.121 For the client (IP address: 128.14.209.162, host
name: "zl-dal-us-gp3-wk107.internet-census.org", port number: 38470),
connection "CID-584" has been created.
2021-08-26 01:28:34.959 SSL communication for connection "CID-584" has been
started. The encryption algorithm name is "RC4-MD5".
2021-08-26 01:28:41.847 Connection "CID-584" terminated by the cause "A
client which is non-SoftEther VPN software has connected to the port."
(code 5).
2021-08-26 01:28:41.857 Connection "CID-584" has been terminated.
2021-08-26 01:28:41.857 The connection with the client (IP address
128.14.209.162, Port number 38470) has been disconnected.

... I am hoping that the rule below works ...

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

# Enable multi-line support. Doesn't work with versions < 0.9
[Init]
maxlines = 3

# The regular expression filter follows
[Definition]

failregex = IP address: <HOST>.*\n.*\n.*A client which is non-SoftEther VPN software has connected to the port\..*\n
ignoreregex =

I have, so far, tested the failregex on a regexp expression evaluator and
the match is successful. I don't know how to debug this using fail2ban
tools.  Does the maxlines = 3 actually allow matching across three lines of
logged text?


On Fri, 27 Aug 2021 at 07:23, Graham B. <fail2...@chuckerytowers.plus.com>
wrote:

> On Thu, 26 Aug 2021, Myron wrote:
>
> > Date: Thu, 26 Aug 2021 19:24:01
> > From: Myron <my...@co-hop.uk>
> > To: fail2ban-users@lists.sourceforge.net
> > Subject: [Fail2ban-users] I'm stuck on how to create a particular
> SoftEther
> >     event
> >
> > I hope someone can help me with this, as it's something I'm struggling with.  I
> > wish to implement an immediate ban on this type of event:
> >
> > 2021-08-26 00:52:21.681 The connection with the client (IP address
> 157.245.59.23, Port number 59420) has been disconnected.
> > 2021-08-26 01:28:34.121 On the TCP Listener (Port 443), a Client (IP
> address 128.14.209.162, Host name
> > "zl-dal-us-gp3-wk107.internet-census.org", Port number 38470) has
> connected.
> > 2021-08-26 01:28:34.121 For the client (IP address: 128.14.209.162, host
> name: "zl-dal-us-gp3-wk107.internet-census.org", port
> > number: 38470), connection "CID-584" has been created.
> > 2021-08-26 01:28:34.959 SSL communication for connection "CID-584" has
> been started. The encryption algorithm name is "RC4-MD5".
> > 2021-08-26 01:28:41.847 Connection "CID-584" terminated by the cause "A
> client which is non-SoftEther VPN software has connected
> > to the port." (code 5).
> > 2021-08-26 01:28:41.857 Connection "CID-584" has been terminated.
> >
> > I am not sure how to construct a fail2ban filter to, in this
> > example, ban 128.14.209.162 when the string "(code 5)" is
> > recorded by SoftEther.
> >
> > [I'm also still trying to wrap my head round RegEx. I'm finding it not
> easy to put together.]
> >
> >
> >
>
> Hello Myron,
>
> If the connections always come from this organisation
> ("internet-census.org"), you might be wasting your time in attempting to
> block them.  According to their Web page at
> https://www.internet-census.org/home.html, they are assessing security on
> the Internet.  (We would want verification of their motives, though.)
>
> The same page also tells us how to opt out of the scanning process.
>
> I hope this helps,
> --
> Graham
> Normal spelling will be rezhumed assune asp ossibul.
>
> _______________________________________________
> Fail2ban-users mailing list
> Fail2ban-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
>
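As an added example (not part of the thread or of fail2ban itself), the Python script below replays fail2ban's maxlines buffering over the SoftEther log lines quoted above: it strips the timestamp the way fail2ban does before matching, joins the last N lines with newlines and runs the posted failregex over the joined buffer, once with maxlines = 3 and once with maxlines = 2. The `<HOST>` expansion and the buffering loop are simplified approximations of fail2ban 0.9's behaviour, not its code.

```python
import re
from collections import deque

# Constructed sample: the SoftEther server log lines quoted in the thread,
# in the order the server wrote them.
LOG_LINES = [
    '2021-08-26 01:28:34.121 On the TCP Listener (Port 443), a Client (IP address 128.14.209.162, Host name "zl-dal-us-gp3-wk107.internet-census.org", Port number 38470) has connected.',
    '2021-08-26 01:28:34.121 For the client (IP address: 128.14.209.162, host name: "zl-dal-us-gp3-wk107.internet-census.org", port number: 38470), connection "CID-584" has been created.',
    '2021-08-26 01:28:34.959 SSL communication for connection "CID-584" has been started. The encryption algorithm name is "RC4-MD5".',
    '2021-08-26 01:28:41.847 Connection "CID-584" terminated by the cause "A client which is non-SoftEther VPN software has connected to the port." (code 5).',
    '2021-08-26 01:28:41.857 Connection "CID-584" has been terminated.',
    '2021-08-26 01:28:41.857 The connection with the client (IP address 128.14.209.162, Port number 38470) has been disconnected.',
]

# Approximation (assumption) of the named group fail2ban substitutes for <HOST>.
HOST_GROUP = r"(?P<host>[\w\-.^_]*\w)"

# The failregex from the thread, with <HOST> expanded. Note that '.' does not
# match a newline, so each '.*\n' consumes exactly one buffered line.
FAILREGEX = re.compile(
    r"IP address: " + HOST_GROUP
    + r".*\n.*\n.*A client which is non-SoftEther VPN software has connected to the port\..*\n",
    re.MULTILINE,
)

# SoftEther's date prefix. fail2ban removes the matched date from every line
# before joining the buffer, so the failregex never sees it.
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3} ")


def find_failures(lines, maxlines):
    """Simplified model of fail2ban's multiline matching: keep the last
    `maxlines` date-stripped lines, join them with newlines (plus a trailing
    newline) and search after each new line. Returns the hosts <HOST> captured."""
    buf = deque(maxlen=maxlines)
    hosts = []
    for line in lines:
        buf.append(DATE_RE.sub("", line, count=1))
        joined = "\n".join(buf) + "\n"
        match = FAILREGEX.search(joined)
        if match:
            hosts.append(match.group("host"))
    return hosts


if __name__ == "__main__":
    # Three lines are needed: the "IP address:" line, the SSL line and the
    # "terminated by the cause" line, so maxlines = 2 can never match.
    print(find_failures(LOG_LINES, maxlines=3))  # ['128.14.209.162']
    print(find_failures(LOG_LINES, maxlines=2))  # []
```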