> Then I copied the attached sshd-ddos.conf to /etc/fail2ban/filter.d/ and
> restarted fail2ban.
I would also run
fail2ban-client status ssh-ddos
to make sure that it is up ;-)
> I am still looking at what is happening, so that this gets tested before
> you and upstream have some beer ;)
That would be difficult - he is in Europe and I am in the States ;-)
> Just for the sake of detail, my ssh server listens on two ports: 22 and
> 443 (don't ask, you really don't want to know), so this could either
> trigger false positives or miss some "attacks", but this is my local
> problem, and I have read your doc about multi-port module support in
> iptables, so I understand this problem is not easy to solve, and none of
> your business really.
Actually, multiple port banning should not be difficult at all...
hm... it might be worth creating an iptables-multiport action... hm...
actually the README multiport entry is a bit outdated since the 0.6 version of
fail2ban... since now we have a nice infrastructure for different actions
- I will add iptables-multiport ;-) hold on... actually there is an
issue which forbids easy multiport adoption at the moment... I will
buzz upstream and I think we will come up with some nice solution ;)
For now I would suggest making an action
iptables-noport
where --dport is removed completely - so you will check all the traffic
and ban hosts completely... or manually craft iptables-sshports and
hardcode the ports into the iptables rules as
-m multiport --dports 22,443
> Would it be helpful if I did that? I would be very glad to.
For me it would be helpful if you send me something like
zgrep "Did not receive identification string from" /var/log/auth.log*gz \
  | grep -v UNKNOWN | awk '{print $12;}' | sort | uniq -c | sort -n -r \
  | awk '{print $1;}'
(note that I use awk, not cut -d " ", since that one screwed up
your results -- " " would be split twice...)
That would give me an idea what maxretry should be (I hope)
or maybe just send me all those lines - so I could see how they are
arranged in time
> Cheers!
--
.-.
=------------------------------ /v\ ----------------------------=
Keep in touch // \\ (yoh@|www.)onerussian.com
Yaroslav Halchenko /( )\ ICQ#: 60653192
Linux User ^^-^^ [175555]
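The counting pipeline from the mail above, run over a handful of constructed auth.log lines, as an added example that is not part of the original message. It also shows why the mail insists on awk rather than cut -d " ": a single-digit day is padded with two spaces ("Jan  2"), which cut counts as two fields, so cut -f 12 lands on "from" instead of the address. The sample log content and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Constructed sample auth.log lines (not real data). The first two use a
# single-digit day, so the syslog timestamp contains a double space.
SAMPLE_LOG='Jan  2 03:04:05 gw sshd[1001]: Did not receive identification string from 203.0.113.7
Jan  2 03:04:09 gw sshd[1002]: Did not receive identification string from 203.0.113.7
Jan 12 11:22:33 gw sshd[1003]: Did not receive identification string from 198.51.100.9
Jan 12 11:22:35 gw sshd[1004]: Did not receive identification string from UNKNOWN
Jan 12 11:22:40 gw sshd[1005]: Did not receive identification string from 203.0.113.7
Jan 12 11:23:00 gw sshd[1006]: Accepted publickey for alice from 192.0.2.1 port 4444 ssh2'

# count_sources: read log lines on stdin and print "count address" pairs,
# most frequent first, for the "Did not receive identification string"
# events. UNKNOWN (no resolvable peer) is dropped as in the original pipe.
# awk splits on runs of whitespace, so field 12 is the address regardless
# of the day padding in the timestamp.
count_sources() {
    grep "Did not receive identification string from" \
    | grep -v UNKNOWN \
    | awk '{print $12}' \
    | sort | uniq -c | sort -n -r \
    | awk '{print $1, $2}'
}

# top_count: the highest per-host count seen; a maxretry above this value
# would not have banned anyone in this log.
top_count() {
    count_sources | head -n 1 | awk '{print $1}'
}

# field12_with_cut: the same field extraction done with cut, kept here only
# to show the failure mode. cut treats every single space as a delimiter,
# so "Jan  2" yields an empty field 2 and shifts the address to field 13.
field12_with_cut() {
    cut -d ' ' -f 12
}

printf '%s\n' "$SAMPLE_LOG" | count_sources
printf 'highest per-host count: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | top_count)"
printf 'cut -f 12 on a padded-day line gives: %s\n' \
    "$(printf '%s\n' "$SAMPLE_LOG" | head -n 1 | field12_with_cut)"
```

The first summary line is "3 203.0.113.7", so on this sample a maxretry of 2 or 3 would catch the noisy host and a setting of 4 or more would not; the cut variant prints "from" for the padded-day line, which is the "split twice" problem the mail refers to.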