Hi there!

Yaroslav Halchenko wrote:
> Have you tried fail2ban solution I've sent? does it work? what
> maxretry is a reasonable one?

I copied this section into my /etc/fail2ban/jail.conf:

[ssh-ddos]
enabled = true
port = ssh
filter = sshd-ddos
logpath = /var/log/auth.log
maxretry = 6

Then I copied the attached sshd-ddos.conf to /etc/fail2ban/filter.d/
and restarted fail2ban. I am still looking at what is happening, so that
this gets tested before you and upstream have some beer ;)

Just for the sake of detail, my ssh server listens on two ports: 22 and
443 (don't ask, you really don't want to know), so this could either
trigger false positives or miss some "attacks", but this is my local
problem, and I have read your doc about multi-port module support in
iptables, so I understand this problem is not easy to solve, and none of
your business really.

But, I can easily do some iptables magic in my main fw for ssh to only
listen on port 22, so that this test becomes more accurate. Would it be
helpful if I did that? I would be very glad to.

Cheers!

-- 
 ·''`.   If I can't dance to it, it's not my revolution
: :' :      -- Emma Goldman
`. `'    Proudly running Debian GNU/Linux (unstable)
  `-     www.amayita.com www.malapecora.com www.chicasduras.com