Yaroslav Halchenko wrote:
> > Then I copied the attached sshd-ddos.conf to /etc/fail2ban/filter.d/
> > and restarted fail2ban.
> I would also run
> fail2ban-client status ssh-ddos
> to make sure that it is up ;-)

[EMAIL PROTECTED]> fail2ban-client status ssh-ddos
Status for the jail: ssh-ddos
|- filter
|  |- Currently failed:         2
|  `- Total failed:             28
`- action
   |- Currently banned:         2
   `- Total banned:             2

> > I am still looking at what is happening, so that this gets tested
> > before you and upstream have some beer ;)
> 
> that would be difficult - he is in Europe and I am in the states ;-)

So you guys do not have beer together? What a boring upstream! ;)

> zgrep "Did not receive identification string from"
> /var/log/auth.log*gz  | grep -v UNKNOWN | awk '{print $12;}' | sort |
> uniq -c | sort -n -r | awk '{print $1;}'

Attached and compressed.
[EMAIL PROTECTED]>zgrep "Did not receive identification string from" /var/log/auth.log*gz  | grep -v UNKNOWN | awk '{print $12;}' | sort | uniq -c | sort -n -r | awk '{print $1;}' > ips_log
[EMAIL PROTECTED]>grep "Did not receive identification string from" /var/log/auth.log  | grep -v UNKNOWN | awk '{print $12;}' | sort | uniq -c | sort -n -r | awk '{print $1;}' > ips_log
auth.log       auth.log.0     auth.log.1.gz  auth.log.2.gz  auth.log.3.gz  
auth.log.4.gz  auth.log.5.gz  auth.log.6.gz
[EMAIL PROTECTED]>grep "Did not receive identification string from" /var/log/auth.log /var/log/auth.log.0  | grep -v UNKNOWN | awk '{print $12;}' | sort | uniq -c | sort -n -r | awk '{print $1;}' > ips_log_recent


> or may be just send me those all lines - so I could see how they are
> arranged in time

Ok, I'll just email you all the logs, privately 

A bit of success and happiness here:

Dec 29 16:53:39 aenima snoopy[3852]: [amaya, uid:0 sid:14809]: 
/etc/init.d/fail2ban start
Dec 29 16:53:39 aenima snoopy[3853]: [amaya, uid:0 sid:14809]: 
/usr/bin/fail2ban-client status
Dec 29 16:53:39 aenima snoopy[3854]: [amaya, uid:0 sid:14809]: 
start-stop-daemon --start --quiet --chuid root --exec /usr/bin/fail2ban-client 
-- start
Dec 29 16:53:39 aenima snoopy[3854]: [amaya, uid:0 sid:14809]: 
/usr/bin/fail2ban-client start
Dec 29 16:53:39 aenima snoopy[3855]: [amaya, uid:0 sid:14809]: fail2ban-server 
-b -s /tmp/fail2ban.sock
Dec 29 16:53:39 aenima snoopy[3855]: [amaya, uid:0 sid:14809]: fail2ban-server 
-b -s /tmp/fail2ban.sock
Dec 29 16:53:39 aenima snoopy[3904]: [amaya, uid:0 sid:14809]: /usr/bin/tput 
hpa 60
Dec 29 16:53:39 aenima snoopy[3905]: [amaya, uid:0 sid:14809]: /usr/bin/tput 
setaf 1
Dec 29 16:53:39 aenima snoopy[3906]: [amaya, uid:0 sid:14809]: /usr/bin/tput 
setaf 1
Dec 29 16:53:39 aenima snoopy[3907]: [amaya, uid:0 sid:14809]: /usr/bin/tput op
Dec 29 16:53:40 aenima snoopy[3909]: [(null), uid:0 sid:3856]: iptables -N 
fail2ban-ssh
Dec 29 16:53:40 aenima snoopy[3910]: [(null), uid:0 sid:3856]: iptables -A 
fail2ban-ssh -j RETURN
Dec 29 16:53:40 aenima snoopy[3908]: [(null), uid:0 sid:3856]: iptables -I 
INPUT -p tcp --dport ssh -j fail2ban-ssh
Dec 29 16:53:40 aenima snoopy[3912]: [(null), uid:0 sid:3856]: iptables -N 
fail2ban-ssh-ddos
Dec 29 16:53:40 aenima snoopy[3913]: [(null), uid:0 sid:3856]: iptables -A 
fail2ban-ssh-ddos -j RETURN
Dec 29 16:53:40 aenima snoopy[3911]: [(null), uid:0 sid:3856]: iptables -I 
INPUT -p tcp --dport ssh -j fail2ban-ssh-ddos
Dec 29 16:53:40 aenima snoopy[3914]: [(null), uid:0 sid:3914]: /usr/sbin/sshd -R
Dec 29 16:53:40 aenima sshd[3914]: Did not receive identification string from 
84.197.215.6
Dec 29 16:53:41 aenima snoopy[3915]: [(null), uid:0 sid:3915]: /usr/sbin/sshd -R
Dec 29 16:53:41 aenima sshd[3915]: Did not receive identification string from 
84.197.215.6
Dec 29 16:53:42 aenima snoopy[3916]: [(null), uid:0 sid:3916]: /usr/sbin/sshd -R
Dec 29 16:53:42 aenima sshd[3916]: Did not receive identification string from 
84.197.215.6
Dec 29 16:53:43 aenima snoopy[3917]: [(null), uid:0 sid:3917]: /usr/sbin/sshd -R
Dec 29 16:53:43 aenima sshd[3917]: Did not receive identification string from 
84.197.215.6
Dec 29 16:53:44 aenima snoopy[3918]: [(null), uid:0 sid:3918]: /usr/sbin/sshd -R
Dec 29 16:53:44 aenima sshd[3918]: Did not receive identification string from 
84.197.215.6
Dec 29 16:53:45 aenima snoopy[3920]: [(null), uid:0 sid:3856]: iptables -L INPUT
Dec 29 16:53:45 aenima snoopy[3921]: [(null), uid:0 sid:3856]: grep -q 
fail2ban-ssh-ddos
Dec 29 16:53:45 aenima snoopy[3922]: [(null), uid:0 sid:3856]: iptables -I 
fail2ban-ssh-ddos 1 -s 84.56.170.141 -j DROP
Dec 29 16:53:46 aenima snoopy[3923]: [(null), uid:0 sid:3923]: /usr/sbin/sshd -R
Dec 29 16:53:46 aenima sshd[3923]: Did not receive identification string from 
84.197.215.6
Dec 29 16:53:46 aenima snoopy[3925]: [(null), uid:0 sid:3856]: iptables -L INPUT
Dec 29 16:53:46 aenima snoopy[3926]: [(null), uid:0 sid:3856]: grep -q 
fail2ban-ssh-ddos
Dec 29 16:53:46 aenima snoopy[3927]: [(null), uid:0 sid:3856]: iptables -I 
fail2ban-ssh-ddos 1 -s 84.197.215.6 -j DROP

Yay!



-- 
  ·''`.             If I can't dance to it, it's not my revolution
 : :' :                                            -- Emma Goldman
 `. `'           Proudly running Debian GNU/Linux (unstable)
   `-     www.amayita.com  www.malapecora.com  www.chicasduras.com

Attachment: ips_log.gz
Description: Binary data

Attachment: ips_log_recent.gz
Description: Binary data
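Added example, not code from the mail above or from fail2ban itself: a small offline re-implementation of what the thread is doing by hand. It parses sshd "Did not receive identification string from" lines the way the zgrep/awk pipeline does (dropping UNKNOWN sources), counts hits per source address, and then replays the lines through a fail2ban-style sliding window to show which address the ssh-ddos jail would ban and which iptables command its actionban would issue (the same form seen in the snoopy log). The regex is modelled on the sshd-ddos filter but is my own; maxretry=6, findtime=600 and bantime=600 are assumed jail defaults; the log excerpt is constructed and uses documentation addresses, not the ones from the thread. Nothing is executed against a firewall.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Filter regex in the spirit of the sshd-ddos filter (assumption: written for this
# example, not copied from fail2ban): match the sshd message and capture the host.
FAILREGEX = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Did not receive identification string from (?P<host>\S+)\s*$"
)

# Constructed sample auth.log excerpt (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
Dec 29 16:53:40 aenima sshd[3914]: Did not receive identification string from 192.0.2.10
Dec 29 16:53:41 aenima sshd[3915]: Did not receive identification string from 192.0.2.10
Dec 29 16:53:41 aenima sshd[3916]: Accepted publickey for amaya from 198.51.100.7 port 40022 ssh2
Dec 29 16:53:42 aenima sshd[3917]: Did not receive identification string from UNKNOWN
Dec 29 16:53:43 aenima sshd[3918]: Did not receive identification string from 192.0.2.10
Dec 29 16:53:44 aenima sshd[3919]: Did not receive identification string from 203.0.113.5
Dec 29 16:53:45 aenima sshd[3920]: Did not receive identification string from 192.0.2.10
Dec 29 16:53:46 aenima sshd[3921]: Did not receive identification string from 192.0.2.10
Dec 29 16:53:46 aenima sshd[3922]: Did not receive identification string from 192.0.2.10
Dec 29 17:10:01 aenima sshd[4001]: Did not receive identification string from 203.0.113.5
"""


def parse_events(log_text, year=2007):
    """Yield (timestamp, host) for each matching line; UNKNOWN sources are
    skipped, as 'grep -v UNKNOWN' does in the thread's pipeline.  syslog
    timestamps carry no year, so one is supplied (assumed 2007 here)."""
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if not m or m.group("host") == "UNKNOWN":
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        yield ts, m.group("host")


def count_per_host(events):
    """Equivalent of: awk '{print $12}' | sort | uniq -c | sort -n -r."""
    return Counter(host for _, host in events).most_common()


def simulate_jail(events, maxretry=6, findtime=600, bantime=600,
                  chain="fail2ban-ssh-ddos"):
    """Replay events through a fail2ban-like jail.

    A host is banned once it has `maxretry` matches inside a `findtime`
    second window.  Returns (timestamp, host, command) tuples where command
    is the iptables line the jail's actionban would run.  The firewall is
    never touched; matches arriving during an active ban are ignored, since
    the DROP rule would be swallowing them anyway.
    """
    windows = defaultdict(deque)   # host -> recent match timestamps
    banned_until = {}
    actions = []
    for ts, host in sorted(events):  # arrange in time, as requested upthread
        if host in banned_until and ts < banned_until[host]:
            continue
        w = windows[host]
        w.append(ts)
        # Drop matches that have fallen out of the findtime window.
        while w and (ts - w[0]).total_seconds() > findtime:
            w.popleft()
        if len(w) >= maxretry:
            banned_until[host] = ts + timedelta(seconds=bantime)
            actions.append((ts, host, f"iptables -I {chain} 1 -s {host} -j DROP"))
            w.clear()
    return actions


if __name__ == "__main__":
    evs = list(parse_events(SAMPLE_LOG))
    for host, n in count_per_host(evs):
        print(f"{n:7d} {host}")
    for ts, host, cmd in simulate_jail(evs):
        print(f"{ts:%b %d %H:%M:%S} ban {host}: {cmd}")
```

With the sample data, 192.0.2.10 reaches six matches inside a few seconds and is banned at 16:53:46; 203.0.113.5 has two matches sixteen minutes apart, so with findtime=600 the first one has already expired from the window when the second arrives and no ban is issued. Tightening maxretry or widening findtime changes that, which is the trade-off the jail settings encode.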
