Aha - so the majority of failures come from such really bad hosts -- good. I
think default value of 6 or maxfailures will be ok ;-)

11363 84.197.215.6
11246 84.122.103.178
6903 84.75.165.67
6229 84.57.82.198
6018 84.74.141.2

Thank you for the information!

> > that would be difficult - he is in Europe and I am in the states ;-)
> So you guys do not have beer together? What a boring upstream! ;)
Just ICQ virtual drinks maybe ;-) Or most of the time I just drink his
part myself ;)

Cyril - find attached a patch to ban ssh-ddos attacks. And indeed, we
should have some beer together -- users are complaining! ;-)

> Ok, I'll just email you all the logs, privately 
Thanks - I got them and will look into them although it seems that
fail2ban is somewhat effective ;-) so we are good ;)

Happy Holidays!
-- 
                                  .-.
=------------------------------   /v\  ----------------------------=
Keep in touch                    // \\     (yoh@|www.)onerussian.com
Yaroslav Halchenko              /(   )\               ICQ#: 60653192
                   Linux User    ^^-^^    [175555]


#! /bin/sh /usr/share/dpatch/dpatch-run
## 10_ssh-ddos_section.dpatch by Yaroslav Halchenko <[EMAIL PROTECTED]>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: No description.

@DPATCH@
diff -urNad fail2ban-0.7.4~/config/filter.d/sshd-ddos.conf 
fail2ban-0.7.4/config/filter.d/sshd-ddos.conf
--- fail2ban-0.7.4~/config/filter.d/sshd-ddos.conf      1969-12-31 
19:00:00.000000000 -0500
+++ fail2ban-0.7.4/config/filter.d/sshd-ddos.conf       2006-12-26 
21:59:03.000000000 -0500
@@ -0,0 +1,22 @@
+# Fail2Ban configuration file
+#
+# Author: Yaroslav Halchenko
+#
+# $Revision: 471 $
+#
+
+[Definition]
+
+# Option:  failregex
+# Notes.:  regex to match the password failures messages in the logfile. The
+#          host must be matched by a group named "host". The tag "<HOST>" can
+#          be used for standard IP/hostname matching.
+# Values:  TEXT
+#
+failregex = sshd\[\S*\]: Did not receive identification string from <HOST>
+
+# Option:  ignoreregex
+# Notes.:  regex to ignore. If this regex matches, the line is ignored.
+# Values:  TEXT
+#
+ignoreregex = 
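Review bot: the `Notes.:` comment above `failregex` still says "regex to match the password failures messages", which looks copied from the password-auth filter; what this pattern matches is `Did not receive identification string from <HOST>`, i.e. a connection that was closed before the client sent its SSH banner, not a password failure. Suggest rewording it to describe that event, e.g. `# Notes.:  regex to match connections closed before the client sent its SSH identification string`, and noting that any client which merely opens and closes the port will produce this line, so the jail's `maxretry` should be chosen with that in mind.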
diff -urNad fail2ban-0.7.4~/config/jail.conf fail2ban-0.7.4/config/jail.conf
--- fail2ban-0.7.4~/config/jail.conf    2006-10-19 16:13:01.000000000 -0400
+++ fail2ban-0.7.4/config/jail.conf     2006-12-26 22:00:03.000000000 -0500
@@ -33,6 +33,15 @@
 logpath  = /var/log/sshd.log
 maxretry = 5
 
+[ssh-ddos-iptables]
+
+enabled  = false
+filter   = sshd-ddos
+action   = iptables[name=SSH, port=ssh, protocol=tcp]
+           mail-whois[name=SSH, [EMAIL PROTECTED]
+logpath  = /var/log/sshd.log
+maxretry = 5
+
 [proftpd-iptables]
 
 enabled  = false
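Review bot: the new jail reuses `name=SSH` in both `iptables[...]` and `mail-whois[...]`; the iptables action derives its chain name from that parameter, so if the ssh jail directly above this hunk also uses `name=SSH`, both jails will operate on the same chain and stopping or flushing one will affect the other's bans. Suggest a distinct name, e.g. `action   = iptables[name=SSH-DDOS, port=ssh, protocol=tcp]` and `mail-whois[name=SSH-DDOS, ...]`. Also, as shown the `mail-whois[name=SSH, [EMAIL PROTECTED]` line has no closing `]` after the redacted address; worth confirming the submitted patch actually reads `dest=...]` there, since an unterminated action argument list may fail to parse.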
