Yaroslav Halchenko wrote:
> > Then I copied the attached sshd-ddos.conf to /etc/fail2ban/filter.d/
> > and restarted fail2ban.
> I would also run
> fail2ban-client status ssh-ddos
> to make sure that it is up ;-)

[EMAIL PROTECTED]> fail2ban-client status ssh-ddos
Status for the jail: ssh-ddos
|- filter
|  |- Currently failed: 2
|  `- Total failed:     28
`- action
   |- Currently banned: 2
   `- Total banned:     2

> > I am still looking at what is happening, so that this gets tested
> > before you and upstream have some beer ;)
> that would be difficult - he is in Europe and I am in the states ;-)

So you guys do not have beer together? What a boring upstream! ;)

> zgrep "Did not receive identification string from" /var/log/auth.log*gz | grep -v UNKNOWN | awk '{print $12;}' | sort | uniq -c | sort -n -r | awk '{print $1;}'

Attached and compressed.

[EMAIL PROTECTED]> zgrep "Did not receive identification string from" /var/log/auth.log*gz | grep -v UNKNOWN | awk '{print $12;}' | sort | uniq -c | sort -n -r | awk '{print $1;}' > ips_log
[EMAIL PROTECTED]> grep "Did not receive identification string from" /var/log/auth.log | grep -v UNKNOWN | awk '{print $12;}' | sort | uniq -c | sort -n -r | awk '{print $1;}' > ips_log
auth.log  auth.log.0  auth.log.1.gz  auth.log.2.gz  auth.log.3.gz  auth.log.4.gz  auth.log.5.gz  auth.log.6.gz
[EMAIL PROTECTED]> grep "Did not receive identification string from" /var/log/auth.log /var/log/auth.log.0 | grep -v UNKNOWN | awk '{print $12;}' | sort | uniq -c | sort -n -r | awk '{print $1;}' > ips_log_recent

> or may be just send me those all lines - so I could see how they are
> arranged in time

Ok, I'll just email you all the logs, privately.

A bit of success and happiness here:

Dec 29 16:53:39 aenima snoopy[3852]: [amaya, uid:0 sid:14809]: /etc/init.d/fail2ban start
Dec 29 16:53:39 aenima snoopy[3853]: [amaya, uid:0 sid:14809]: /usr/bin/fail2ban-client status
Dec 29 16:53:39 aenima snoopy[3854]: [amaya, uid:0 sid:14809]: start-stop-daemon --start --quiet --chuid root --exec /usr/bin/fail2ban-client -- start
Dec 29 16:53:39 aenima snoopy[3854]: [amaya, uid:0 sid:14809]: /usr/bin/fail2ban-client start
Dec 29 16:53:39 aenima snoopy[3855]: [amaya, uid:0 sid:14809]: fail2ban-server -b -s /tmp/fail2ban.sock
Dec 29 16:53:39 aenima snoopy[3855]: [amaya, uid:0 sid:14809]: fail2ban-server -b -s /tmp/fail2ban.sock
Dec 29 16:53:39 aenima snoopy[3904]: [amaya, uid:0 sid:14809]: /usr/bin/tput hpa 60
Dec 29 16:53:39 aenima snoopy[3905]: [amaya, uid:0 sid:14809]: /usr/bin/tput setaf 1
Dec 29 16:53:39 aenima snoopy[3906]: [amaya, uid:0 sid:14809]: /usr/bin/tput setaf 1
Dec 29 16:53:39 aenima snoopy[3907]: [amaya, uid:0 sid:14809]: /usr/bin/tput op
Dec 29 16:53:40 aenima snoopy[3909]: [(null), uid:0 sid:3856]: iptables -N fail2ban-ssh
Dec 29 16:53:40 aenima snoopy[3910]: [(null), uid:0 sid:3856]: iptables -A fail2ban-ssh -j RETURN
Dec 29 16:53:40 aenima snoopy[3908]: [(null), uid:0 sid:3856]: iptables -I INPUT -p tcp --dport ssh -j fail2ban-ssh
Dec 29 16:53:40 aenima snoopy[3912]: [(null), uid:0 sid:3856]: iptables -N fail2ban-ssh-ddos
Dec 29 16:53:40 aenima snoopy[3913]: [(null), uid:0 sid:3856]: iptables -A fail2ban-ssh-ddos -j RETURN
Dec 29 16:53:40 aenima snoopy[3911]: [(null), uid:0 sid:3856]: iptables -I INPUT -p tcp --dport ssh -j fail2ban-ssh-ddos
Dec 29 16:53:40 aenima snoopy[3914]: [(null), uid:0 sid:3914]: /usr/sbin/sshd -R
Dec 29 16:53:40 aenima sshd[3914]: Did not receive identification string from 84.197.215.6
Dec 29 16:53:41 aenima snoopy[3915]: [(null), uid:0 sid:3915]: /usr/sbin/sshd -R
Dec 29 16:53:41 aenima sshd[3915]: Did not receive identification string from 84.197.215.6
Dec 29 16:53:42 aenima snoopy[3916]: [(null), uid:0 sid:3916]: /usr/sbin/sshd -R
Dec 29 16:53:42 aenima sshd[3916]: Did not receive identification string from 84.197.215.6
Dec 29 16:53:43 aenima snoopy[3917]: [(null), uid:0 sid:3917]: /usr/sbin/sshd -R
Dec 29 16:53:43 aenima sshd[3917]: Did not receive identification string from 84.197.215.6
Dec 29 16:53:44 aenima snoopy[3918]: [(null), uid:0 sid:3918]: /usr/sbin/sshd -R
Dec 29 16:53:44 aenima sshd[3918]: Did not receive identification string from 84.197.215.6
Dec 29 16:53:45 aenima snoopy[3920]: [(null), uid:0 sid:3856]: iptables -L INPUT
Dec 29 16:53:45 aenima snoopy[3921]: [(null), uid:0 sid:3856]: grep -q fail2ban-ssh-ddos
Dec 29 16:53:45 aenima snoopy[3922]: [(null), uid:0 sid:3856]: iptables -I fail2ban-ssh-ddos 1 -s 84.56.170.141 -j DROP
Dec 29 16:53:46 aenima snoopy[3923]: [(null), uid:0 sid:3923]: /usr/sbin/sshd -R
Dec 29 16:53:46 aenima sshd[3923]: Did not receive identification string from 84.197.215.6
Dec 29 16:53:46 aenima snoopy[3925]: [(null), uid:0 sid:3856]: iptables -L INPUT
Dec 29 16:53:46 aenima snoopy[3926]: [(null), uid:0 sid:3856]: grep -q fail2ban-ssh-ddos
Dec 29 16:53:46 aenima snoopy[3927]: [(null), uid:0 sid:3856]: iptables -I fail2ban-ssh-ddos 1 -s 84.197.215.6 -j DROP

Yay!

-- 
 ·''`.   If I can't dance to it, it's not my revolution
: :' :   -- Emma Goldman
`. `'    Proudly running Debian GNU/Linux (unstable)
  `-     www.amayita.com www.malapecora.com www.chicasduras.com
Attachments: ips_log.gz (binary data), ips_log_recent.gz (binary data)
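As an added example (not code from this thread or from fail2ban itself), the following script does in Python what the zgrep pipeline above does with awk/sort/uniq, and then replays the same log lines with a fail2ban-style maxretry/findtime window to show which hosts the ssh-ddos jail would have banned and when. The log lines are constructed, modelled on the ones quoted above, and the year 2007 is an assumption because syslog timestamps carry none.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Constructed sample auth.log lines (not the thread's real logs), modelled on those quoted above.
SAMPLE_LOG = """\
Dec 29 16:53:40 aenima sshd[3914]: Did not receive identification string from 84.197.215.6
Dec 29 16:53:41 aenima sshd[3915]: Did not receive identification string from 84.197.215.6
Dec 29 16:53:42 aenima sshd[3916]: Did not receive identification string from 84.197.215.6
Dec 29 16:53:43 aenima sshd[3917]: Did not receive identification string from 84.197.215.6
Dec 29 16:53:44 aenima sshd[3918]: Did not receive identification string from 84.197.215.6
Dec 29 16:55:10 aenima sshd[3950]: Did not receive identification string from UNKNOWN
Dec 29 16:55:12 aenima sshd[3951]: Did not receive identification string from 192.0.2.10
Dec 29 17:40:01 aenima sshd[4010]: Did not receive identification string from 192.0.2.10
"""

# The host is field 12 of the syslog line, which is what the awk '{print $12}' picks out.
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                     r"Did not receive identification string from (?P<host>\S+)$")
YEAR = 2007  # assumption: syslog timestamps carry no year

def parse(lines):
    """Yield (datetime, host) per matching line, dropping UNKNOWN like the grep -v."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group("host") == "UNKNOWN":
            continue
        yield datetime.strptime(f"{YEAR} {m.group('ts')}", "%Y %b %d %H:%M:%S"), m.group("host")

def count_by_ip(lines):
    """Same result as sort | uniq -c | sort -n -r: [(count, ip), ...], busiest first."""
    counts = defaultdict(int)
    for _, host in parse(lines):
        counts[host] += 1
    return sorted(((n, ip) for ip, n in counts.items()), key=lambda p: (-p[0], p[1]))

def would_ban(lines, maxretry=5, findtime=600):
    """Replay the log with fail2ban-style maxretry/findtime; return {ip: first ban time}."""
    window = timedelta(seconds=findtime)
    recent, bans = defaultdict(deque), {}
    for ts, host in parse(lines):
        if host in bans:
            continue  # already DROPped by the iptables rule, later hits never reach sshd
        q = recent[host]
        q.append(ts)
        while ts - q[0] > window:  # keep only hits inside the findtime window
            q.popleft()
        if len(q) >= maxretry:
            bans[host] = str(ts)
    return bans
```

With the defaults, 84.197.215.6 is banned on its fifth hit at 16:53:44, which matches the snoopy trace above where the DROP rule appears right after the fifth "Did not receive identification string" line; 192.0.2.10 with two hits 45 minutes apart is never banned unless findtime is stretched past that gap.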