Yaroslav Halchenko wrote:
> > Then I copied the attached sshd-ddos.conf to /etc/fail2ban/filter.d/
> > and restarted fail2ban.
> I would also run
> fail2ban-client status ssh-ddos
> to make sure that it is up ;-)
[EMAIL PROTECTED]> fail2ban-client status ssh-ddos
Status for the jail: ssh-ddos
|- filter
|  |- Currently failed: 2
|  `- Total failed:     28
`- action
   |- Currently banned: 2
   `- Total banned:     2
> > I am still looking at what is happening, so that this gets tested
> > before you and upstream have some beer ;)
>
> that would be difficult - he is in Europe and I am in the states ;-)
So you guys do not have beer together? What a boring upstream! ;)
> zgrep "Did not receive identification string from"
> /var/log/auth.log*gz | grep -v UNKNOWN | awk '{print $12;}' | sort |
> uniq -c | sort -n -r | awk '{print $1;}'
Attached and compressed.
[EMAIL PROTECTED]>zgrep "Did not receive identification string from" /var/log/auth.log*gz | grep -v UNKNOWN | awk '{print $12;}' | sort | uniq -c | sort -n -r | awk '{print $1;}' > ips_log
[EMAIL PROTECTED]>grep "Did not receive identification string from" /var/log/auth.log | grep -v UNKNOWN | awk '{print $12;}' | sort | uniq -c | sort -n -r | awk '{print $1;}' > ips_log
auth.log auth.log.0 auth.log.1.gz auth.log.2.gz auth.log.3.gz auth.log.4.gz auth.log.5.gz auth.log.6.gz
[EMAIL PROTECTED]>grep "Did not receive identification string from" /var/log/auth.log /var/log/auth.log.0 | grep -v UNKNOWN | awk '{print $12;}' | sort | uniq -c | sort -n -r | awk '{print $1;}' > ips_log_recent
> or may be just send me those all lines - so I could see how they are
> arranged in time
Ok, I'll just email you all the logs, privately
A bit of success and happiness here:
Dec 29 16:53:39 aenima snoopy[3852]: [amaya, uid:0 sid:14809]: /etc/init.d/fail2ban start
Dec 29 16:53:39 aenima snoopy[3853]: [amaya, uid:0 sid:14809]: /usr/bin/fail2ban-client status
Dec 29 16:53:39 aenima snoopy[3854]: [amaya, uid:0 sid:14809]: start-stop-daemon --start --quiet --chuid root --exec /usr/bin/fail2ban-client -- start
Dec 29 16:53:39 aenima snoopy[3854]: [amaya, uid:0 sid:14809]: /usr/bin/fail2ban-client start
Dec 29 16:53:39 aenima snoopy[3855]: [amaya, uid:0 sid:14809]: fail2ban-server -b -s /tmp/fail2ban.sock
Dec 29 16:53:39 aenima snoopy[3855]: [amaya, uid:0 sid:14809]: fail2ban-server -b -s /tmp/fail2ban.sock
Dec 29 16:53:39 aenima snoopy[3904]: [amaya, uid:0 sid:14809]: /usr/bin/tput hpa 60
Dec 29 16:53:39 aenima snoopy[3905]: [amaya, uid:0 sid:14809]: /usr/bin/tput setaf 1
Dec 29 16:53:39 aenima snoopy[3906]: [amaya, uid:0 sid:14809]: /usr/bin/tput setaf 1
Dec 29 16:53:39 aenima snoopy[3907]: [amaya, uid:0 sid:14809]: /usr/bin/tput op
Dec 29 16:53:40 aenima snoopy[3909]: [(null), uid:0 sid:3856]: iptables -N fail2ban-ssh
Dec 29 16:53:40 aenima snoopy[3910]: [(null), uid:0 sid:3856]: iptables -A fail2ban-ssh -j RETURN
Dec 29 16:53:40 aenima snoopy[3908]: [(null), uid:0 sid:3856]: iptables -I INPUT -p tcp --dport ssh -j fail2ban-ssh
Dec 29 16:53:40 aenima snoopy[3912]: [(null), uid:0 sid:3856]: iptables -N fail2ban-ssh-ddos
Dec 29 16:53:40 aenima snoopy[3913]: [(null), uid:0 sid:3856]: iptables -A fail2ban-ssh-ddos -j RETURN
Dec 29 16:53:40 aenima snoopy[3911]: [(null), uid:0 sid:3856]: iptables -I INPUT -p tcp --dport ssh -j fail2ban-ssh-ddos
Dec 29 16:53:40 aenima snoopy[3914]: [(null), uid:0 sid:3914]: /usr/sbin/sshd -R
Dec 29 16:53:40 aenima sshd[3914]: Did not receive identification string from 84.197.215.6
Dec 29 16:53:41 aenima snoopy[3915]: [(null), uid:0 sid:3915]: /usr/sbin/sshd -R
Dec 29 16:53:41 aenima sshd[3915]: Did not receive identification string from 84.197.215.6
Dec 29 16:53:42 aenima snoopy[3916]: [(null), uid:0 sid:3916]: /usr/sbin/sshd -R
Dec 29 16:53:42 aenima sshd[3916]: Did not receive identification string from 84.197.215.6
Dec 29 16:53:43 aenima snoopy[3917]: [(null), uid:0 sid:3917]: /usr/sbin/sshd -R
Dec 29 16:53:43 aenima sshd[3917]: Did not receive identification string from 84.197.215.6
Dec 29 16:53:44 aenima snoopy[3918]: [(null), uid:0 sid:3918]: /usr/sbin/sshd -R
Dec 29 16:53:44 aenima sshd[3918]: Did not receive identification string from 84.197.215.6
Dec 29 16:53:45 aenima snoopy[3920]: [(null), uid:0 sid:3856]: iptables -L INPUT
Dec 29 16:53:45 aenima snoopy[3921]: [(null), uid:0 sid:3856]: grep -q fail2ban-ssh-ddos
Dec 29 16:53:45 aenima snoopy[3922]: [(null), uid:0 sid:3856]: iptables -I fail2ban-ssh-ddos 1 -s 84.56.170.141 -j DROP
Dec 29 16:53:46 aenima snoopy[3923]: [(null), uid:0 sid:3923]: /usr/sbin/sshd -R
Dec 29 16:53:46 aenima sshd[3923]: Did not receive identification string from 84.197.215.6
Dec 29 16:53:46 aenima snoopy[3925]: [(null), uid:0 sid:3856]: iptables -L INPUT
Dec 29 16:53:46 aenima snoopy[3926]: [(null), uid:0 sid:3856]: grep -q fail2ban-ssh-ddos
Dec 29 16:53:46 aenima snoopy[3927]: [(null), uid:0 sid:3856]: iptables -I fail2ban-ssh-ddos 1 -s 84.197.215.6 -j DROP
Yay!
--
  ·''`.  If I can't dance to it, it's not my revolution
 : :' :  -- Emma Goldman
 `. `'   Proudly running Debian GNU/Linux (unstable)
   `-    www.amayita.com www.malapecora.com www.chicasduras.com
ips_log.gz
Description: Binary data
ips_log_recent.gz
Description: Binary data
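The thread does two things by hand that are worth seeing side by side: the zgrep/awk pipeline counts "Did not receive identification string from" hits per source, and the ssh-ddos jail bans a source once it produces enough hits within a short window (the 84.197.215.6 ban above lands after a burst of six hits in as many seconds). The script below is an added example, not code from the thread or from fail2ban itself. It assumes a regex that approximates the sshd-ddos failregex (the real filter is the one in the attached sshd-ddos.conf), a supplied year for the year-less syslog timestamps, and illustrative maxretry/findtime values; the log lines are constructed and use RFC 5737 documentation addresses rather than anyone's real traffic.

```python
"""Count sshd "Did not receive identification string" hits per source and
decide which sources a jail would ban (maxretry hits within findtime)."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample auth.log excerpt (documentation addresses, not real traffic).
# 203.0.113.5 hammers sshd once a second; 192.0.2.77 shows up once every
# five minutes, so both reach six hits but only one does so in a short window.
SAMPLE_LOG = """\
Dec 29 16:53:40 aenima sshd[3914]: Did not receive identification string from 203.0.113.5
Dec 29 16:53:41 aenima sshd[3915]: Did not receive identification string from 203.0.113.5
Dec 29 16:53:42 aenima sshd[3916]: Did not receive identification string from 203.0.113.5
Dec 29 16:53:43 aenima sshd[3917]: Did not receive identification string from 203.0.113.5
Dec 29 16:53:44 aenima sshd[3918]: Did not receive identification string from 203.0.113.5
Dec 29 16:53:45 aenima sshd[3919]: Did not receive identification string from 203.0.113.5
Dec 29 16:53:50 aenima sshd[3930]: Did not receive identification string from UNKNOWN
Dec 29 17:00:00 aenima sshd[4001]: Did not receive identification string from 192.0.2.77
Dec 29 17:05:00 aenima sshd[4002]: Did not receive identification string from 192.0.2.77
Dec 29 17:10:00 aenima sshd[4003]: Did not receive identification string from 192.0.2.77
Dec 29 17:15:00 aenima sshd[4004]: Did not receive identification string from 192.0.2.77
Dec 29 17:20:00 aenima sshd[4005]: Did not receive identification string from 192.0.2.77
Dec 29 17:25:00 aenima sshd[4006]: Did not receive identification string from 192.0.2.77
Dec 29 17:25:09 aenima sshd[4007]: Accepted publickey for amaya from 198.51.100.9 port 40112 ssh2
"""

# Approximation of the sshd-ddos failregex (an assumption, not the shipped
# filter): syslog prefix, then the sshd message with the source as last token.
HIT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Did not receive identification string from (?P<host>\S+)\s*$"
)


def parse_hits(log_text, year=2007):
    """Return (timestamp, host) pairs for matching lines, skipping UNKNOWN.

    Syslog timestamps carry no year, so one is supplied (assumed 2007 here).
    'UNKNOWN' is what sshd logs when it cannot name the peer; there is no
    address to ban, which is why the thread's pipeline greps it out.
    """
    hits = []
    for line in log_text.splitlines():
        m = HIT_RE.match(line)
        if not m or m.group("host") == "UNKNOWN":
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        hits.append((ts, m.group("host")))
    return hits


def count_by_host(log_text):
    """Hits per source, most frequent first: the same table that
    grep ... | awk '{print $12}' | sort | uniq -c | sort -n -r prints."""
    return Counter(host for _, host in parse_hits(log_text)).most_common()


def hosts_to_ban(log_text, maxretry=6, findtime=600):
    """Decide bans the way a jail does: a host is banned at the moment it
    reaches `maxretry` hits inside a sliding window of `findtime` seconds.
    The defaults are illustrative values, not fail2ban's shipped ones.
    Returns {host: ban_timestamp}."""
    windows = defaultdict(list)
    bans = {}
    for ts, host in sorted(parse_hits(log_text)):
        if host in bans:
            continue  # already dropped by the firewall rule; stop counting
        win = windows[host]
        win.append(ts)
        while (ts - win[0]).total_seconds() > findtime:
            win.pop(0)  # expire hits that fell out of the window
        if len(win) >= maxretry:
            bans[host] = ts
    return bans


if __name__ == "__main__":
    for host, n in count_by_host(SAMPLE_LOG):
        print(f"{n:6d} {host}")
    for host, when in hosts_to_ban(SAMPLE_LOG).items():
        print(f"ban {host} at {when:%H:%M:%S}")
```

Run as a script it prints both sources with six hits each, but only 203.0.113.5 is banned (at 16:53:45, on its sixth hit): the raw count the pipeline produces says how noisy a source has been over the whole log, while the jail reacts to rate, so a slow trickle never trips it unless findtime is widened or maxretry lowered.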