Re: [Fail2ban-users] multiline match?

2022-03-07 Thread James Moe via Fail2ban-users
On 2022-03-07 11:45, James Moe via Fail2ban-users wrote:

> The vertical bar allows multi-line expressions. Below is a sample given the
> log entries you provided.
>
  (Sigh.) Do not know what I was thinking. I apologize for the confusing, and
wrong, post.

-- 
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
Think.


___
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users


Re: [Fail2ban-users] multiline match?

2022-03-07 Thread James Moe via Fail2ban-users
On 2022-03-07 03:15, Richard Hector wrote:

> Mar  6 16:17:38 akl-host6 sshd[33035]: error: 
> kex_exchange_identification: Connection closed by remote host
> Mar  6 16:17:38 akl-host6 sshd[33035]: Connection closed by 
> 46.19.139.18 port 32834
>
  (I am a little late to the party.)
  The vertical bar allows multi-line expressions. Below is a sample given the
log entries you provided. I created a simple failregex for testing.

% fail2ban-regex "Mar  6 16:17:38 akl-host6 sshd[33035]: error: kex_exchange_identification: Connection closed by remote host | Mar  6 16:17:38 akl-host6 sshd[33035]: Connection closed by 46.19.139.18 port 32834" "^.* error\: kex_exchange_identification.*Connection closed by <HOST> port.*"

Running tests
=============

Use   failregex line : ^.* error\: kex_exchange_identification.*Connectio...
Use  single line : Mar  6 16:17:38 akl-host6 sshd[33035]: error: kex_...


Results
=======

Failregex: 1 total
|-  #) [# of hits] regular expression
|   1) [1] ^.* error\: kex_exchange_identification.*Connection closed by <HOST> port.*
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [1] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
`-

Lines: 1 lines, 0 ignored, 1 matched, 0 missed
[processed in 0.01 sec]



-- 
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
Think.




Re: [Fail2ban-users] multiline match?

2022-03-07 Thread Richard Hector

On 8/03/22 00:11, Dominic Raferd wrote:


On 07/03/2022 10:37, Richard Hector wrote:

On 7/03/22 23:15, Richard Hector wrote:

On 6/03/22 20:54, Dominic Raferd wrote:

On 06/03/2022 04:35, Richard Hector wrote:
I have lines like these in my logs (reported by logcheck, in this 
case):
Mar  6 16:17:38 akl-host6 sshd[33035]: error: 
kex_exchange_identification: Connection closed by remote host
Mar  6 16:17:38 akl-host6 sshd[33035]: Connection closed by 
46.19.139.18 port 32834
Mar  6 16:17:54 akl-host6 sshd[33038]: error: 
kex_exchange_identification: Connection closed by remote host
Mar  6 16:17:54 akl-host6 sshd[33038]: Connection closed by 
45.125.65.126 port 45184
To a human, it's easy to see that those come in pairs, and that if 
they're frequent, they're probably attacks. But the line that shows 
an error doesn't have an IP address, and the line with an IP 
address isn't obviously an error. Is it still possible to find 
those and ban them?
Assuming you are using fail2ban 0.11+ or perhaps 0.10+ (check yours 
with 'fail2ban-client version'), see the updated sshd jail at 
https://raw.githubusercontent.com/fail2ban/fail2ban/master/config/filter.d/sshd.conf. 
Save it as /etc/fail2ban/filter.d/sshd.local and reload this jail 
with 'fail2ban-client reload sshd'.


Thanks Dominic - now I just need to wait for some more attacks, to 
see if it worked :-)


It appears not - I can see more similar lines in the logs since the 
reload, and no 'Found' lines in fail2ban.log :-(


Looking into this a bit further, the message 'error: 
kex_exchange_identification: Connection closed by remote host' 
apparently reflects disruption of key exchange communication between the 
machines, probably because the incoming client dropped the connection. 
This does not necessarily indicate an attack (as you realise).


On my system f2b does not block these instances. Also on my system 
(OpenSSH_8.2p1 Ubuntu-4ubuntu0.4) there is no subsequent log entry 
giving the ip address (even with LogLevel VERBOSE), you have to get the 
ip by backtracking to the earlier corresponding (by pid) 'Connection 
from' message.


I am now doubtful if fail2ban can catch such things.


I've now set sshd to mode = aggressive - it now does seem to catch those 
lines (going by timestamp) (though I don't know how). My system is 
Debian 11 (bullseye) with OpenSSH_8.4p1, so slightly newer. I tried 
LogLevel VERBOSE first, but changed it back. I haven't tried going back 
to the shipped version of sshd.conf with mode = aggressive.


Cheers,
Richard




Re: [Fail2ban-users] multiline match?

2022-03-07 Thread Dominic Raferd


On 07/03/2022 10:37, Richard Hector wrote:

On 7/03/22 23:15, Richard Hector wrote:

On 6/03/22 20:54, Dominic Raferd wrote:

On 06/03/2022 04:35, Richard Hector wrote:
I have lines like these in my logs (reported by logcheck, in this 
case):
Mar  6 16:17:38 akl-host6 sshd[33035]: error: 
kex_exchange_identification: Connection closed by remote host
Mar  6 16:17:38 akl-host6 sshd[33035]: Connection closed by 
46.19.139.18 port 32834
Mar  6 16:17:54 akl-host6 sshd[33038]: error: 
kex_exchange_identification: Connection closed by remote host
Mar  6 16:17:54 akl-host6 sshd[33038]: Connection closed by 
45.125.65.126 port 45184
To a human, it's easy to see that those come in pairs, and that if 
they're frequent, they're probably attacks. But the line that shows 
an error doesn't have an IP address, and the line with an IP 
address isn't obviously an error. Is it still possible to find 
those and ban them?
Assuming you are using fail2ban 0.11+ or perhaps 0.10+ (check yours 
with 'fail2ban-client version'), see the updated sshd jail at 
https://raw.githubusercontent.com/fail2ban/fail2ban/master/config/filter.d/sshd.conf. 
Save it as /etc/fail2ban/filter.d/sshd.local and reload this jail 
with 'fail2ban-client reload sshd'.


Thanks Dominic - now I just need to wait for some more attacks, to 
see if it worked :-)


It appears not - I can see more similar lines in the logs since the 
reload, and no 'Found' lines in fail2ban.log :-(


Looking into this a bit further, the message 'error: 
kex_exchange_identification: Connection closed by remote host' 
apparently reflects disruption of key exchange communication between the 
machines, probably because the incoming client dropped the connection. 
This does not necessarily indicate an attack (as you realise).


On my system f2b does not block these instances. Also on my system 
(OpenSSH_8.2p1 Ubuntu-4ubuntu0.4) there is no subsequent log entry 
giving the ip address (even with LogLevel VERBOSE), you have to get the 
ip by backtracking to the earlier corresponding (by pid) 'Connection 
from' message.


I am now doubtful if fail2ban can catch such things.





Re: [Fail2ban-users] multiline match?

2022-03-07 Thread Richard Hector

On 7/03/22 23:15, Richard Hector wrote:

On 6/03/22 20:54, Dominic Raferd wrote:

On 06/03/2022 04:35, Richard Hector wrote:

I have lines like these in my logs (reported by logcheck, in this case):
Mar  6 16:17:38 akl-host6 sshd[33035]: error: 
kex_exchange_identification: Connection closed by remote host
Mar  6 16:17:38 akl-host6 sshd[33035]: Connection closed by 
46.19.139.18 port 32834
Mar  6 16:17:54 akl-host6 sshd[33038]: error: 
kex_exchange_identification: Connection closed by remote host
Mar  6 16:17:54 akl-host6 sshd[33038]: Connection closed by 
45.125.65.126 port 45184
To a human, it's easy to see that those come in pairs, and that if 
they're frequent, they're probably attacks. But the line that shows 
an error doesn't have an IP address, and the line with an IP address 
isn't obviously an error. Is it still possible to find those and ban 
them?
Assuming you are using fail2ban 0.11+ or perhaps 0.10+ (check yours 
with 'fail2ban-client version'), see the updated sshd jail at 
https://raw.githubusercontent.com/fail2ban/fail2ban/master/config/filter.d/sshd.conf. 
Save it as /etc/fail2ban/filter.d/sshd.local and reload this jail with 
'fail2ban-client reload sshd'.


Thanks Dominic - now I just need to wait for some more attacks, to see 
if it worked :-)


It appears not - I can see more similar lines in the logs since the 
reload, and no 'Found' lines in fail2ban.log :-(


Cheers,
Richard





Re: [Fail2ban-users] multiline match?

2022-03-07 Thread Richard Hector

On 6/03/22 20:54, Dominic Raferd wrote:

On 06/03/2022 04:35, Richard Hector wrote:

I have lines like these in my logs (reported by logcheck, in this case):
Mar  6 16:17:38 akl-host6 sshd[33035]: error: 
kex_exchange_identification: Connection closed by remote host
Mar  6 16:17:38 akl-host6 sshd[33035]: Connection closed by 
46.19.139.18 port 32834
Mar  6 16:17:54 akl-host6 sshd[33038]: error: 
kex_exchange_identification: Connection closed by remote host
Mar  6 16:17:54 akl-host6 sshd[33038]: Connection closed by 
45.125.65.126 port 45184
To a human, it's easy to see that those come in pairs, and that if 
they're frequent, they're probably attacks. But the line that shows an 
error doesn't have an IP address, and the line with an IP address 
isn't obviously an error. Is it still possible to find those and ban 
them?
Assuming you are using fail2ban 0.11+ or perhaps 0.10+ (check yours with 
'fail2ban-client version'), see the updated sshd jail at 
https://raw.githubusercontent.com/fail2ban/fail2ban/master/config/filter.d/sshd.conf. 
Save it as /etc/fail2ban/filter.d/sshd.local and reload this jail with 
'fail2ban-client reload sshd'.


Thanks Dominic - now I just need to wait for some more attacks, to see 
if it worked :-)


Cheers,
Richard





Re: [Fail2ban-users] multiline match?

2022-03-06 Thread Dominic Raferd

On 06/03/2022 04:35, Richard Hector wrote:

I have lines like these in my logs (reported by logcheck, in this case):
Mar  6 16:17:38 akl-host6 sshd[33035]: error: 
kex_exchange_identification: Connection closed by remote host
Mar  6 16:17:38 akl-host6 sshd[33035]: Connection closed by 
46.19.139.18 port 32834
Mar  6 16:17:54 akl-host6 sshd[33038]: error: 
kex_exchange_identification: Connection closed by remote host
Mar  6 16:17:54 akl-host6 sshd[33038]: Connection closed by 
45.125.65.126 port 45184
To a human, it's easy to see that those come in pairs, and that if 
they're frequent, they're probably attacks. But the line that shows an 
error doesn't have an IP address, and the line with an IP address 
isn't obviously an error. Is it still possible to find those and ban 
them?
Assuming you are using fail2ban 0.11+ or perhaps 0.10+ (check yours with 
'fail2ban-client version'), see the updated sshd jail at 
https://raw.githubusercontent.com/fail2ban/fail2ban/master/config/filter.d/sshd.conf. 
Save it as /etc/fail2ban/filter.d/sshd.local and reload this jail with 
'fail2ban-client reload sshd'.





[Fail2ban-users] multiline match?

2022-03-05 Thread Richard Hector

Hi all,

I have to confess I find the existing filters somewhat opaque, so I 
might be missing something.


I have lines like these in my logs (reported by logcheck, in this case):


Mar  6 16:17:38 akl-host6 sshd[33035]: error: kex_exchange_identification: 
Connection closed by remote host
Mar  6 16:17:38 akl-host6 sshd[33035]: Connection closed by 46.19.139.18 port 
32834
Mar  6 16:17:54 akl-host6 sshd[33038]: error: kex_exchange_identification: 
Connection closed by remote host
Mar  6 16:17:54 akl-host6 sshd[33038]: Connection closed by 45.125.65.126 port 
45184


To a human, it's easy to see that those come in pairs, and that if 
they're frequent, they're probably attacks. But the line that shows an 
error doesn't have an IP address, and the line with an IP address isn't 
obviously an error.


Is it still possible to find those and ban them?

Thanks,
Richard


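The pid-based pairing that Richard's question and Dominic's "backtrack by pid" remark describe, as an added stand-alone Python correlator (not part of the thread and not fail2ban's sshd filter): it walks syslog-format sshd lines, remembers the peer address per pid from either a 'Connection from' line (older OpenSSH, logged before the error) or a 'Connection closed by <ip> port' line (logged after it, as in Richard's logs), and attributes each kex_exchange_identification error to that address. The sample combines the two pairs from the thread with constructed extra lines; pid 33041, pid 33044, the 10.0.0.6 listener address and 198.51.100.7 are constructed.

```python
import re
from collections import defaultdict

# Constructed sample: the two pairs from the thread, plus an older-OpenSSH shape
# (peer logged first by "Connection from") and a benign session for contrast.
SAMPLE_LOG = """\
Mar  6 16:17:38 akl-host6 sshd[33035]: error: kex_exchange_identification: Connection closed by remote host
Mar  6 16:17:38 akl-host6 sshd[33035]: Connection closed by 46.19.139.18 port 32834
Mar  6 16:17:54 akl-host6 sshd[33038]: error: kex_exchange_identification: Connection closed by remote host
Mar  6 16:17:54 akl-host6 sshd[33038]: Connection closed by 45.125.65.126 port 45184
Mar  6 16:18:02 akl-host6 sshd[33041]: Connection from 46.19.139.18 port 32900 on 10.0.0.6 port 22
Mar  6 16:18:03 akl-host6 sshd[33041]: error: kex_exchange_identification: Connection closed by remote host
Mar  6 16:18:10 akl-host6 sshd[33044]: Accepted publickey for alice from 198.51.100.7 port 51000 ssh2
Mar  6 16:18:15 akl-host6 sshd[33044]: Connection closed by 198.51.100.7 port 51000
"""

PID_RE = re.compile(r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# Peer address comes either before the error ("Connection from", older OpenSSH)
# or after it ("Connection closed by <ip> port", as in Richard's logs).
ADDR_RE = re.compile(r"Connection (?:from|closed by) (?P<ip>\d[\d.]*|[0-9a-fA-F:]+) port \d+")
KEX_ERROR = "error: kex_exchange_identification:"

def correlate(log_text):
    """Count kex_exchange_identification errors per peer address, pairing lines by sshd pid."""
    ip_by_pid = {}      # pid -> peer address seen so far
    pending = set()     # pids whose error arrived before any address line
    hits = defaultdict(int)
    for line in log_text.splitlines():
        m = PID_RE.search(line)
        if not m:
            continue    # not an sshd line
        pid, msg = m.group("pid"), m.group("msg")
        if msg.startswith(KEX_ERROR):
            if pid in ip_by_pid:
                hits[ip_by_pid[pid]] += 1
            else:
                pending.add(pid)
            continue
        a = ADDR_RE.search(msg)
        if a:
            ip_by_pid[pid] = a.group("ip")
            if pid in pending:
                hits[a.group("ip")] += 1
                pending.discard(pid)
    return dict(hits)

def ban_candidates(hits, threshold=2):
    """Addresses with at least `threshold` attributed errors, most frequent first."""
    return sorted((ip for ip, n in hits.items() if n >= threshold), key=lambda ip: (-hits[ip], ip))
```

A benign session that closes normally (pid 33044) never produces a hit, which is the distinction Dominic draws between a dropped key exchange and ordinary disconnects.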