Yes, the "mode = ddos" is correct. It is a special feature of the sshd
jail.
If you look at /etc/fail2ban/filter.d/sshd.conf you will see the lines I
have pasted in below. These add extra failregexes to the jail, which means
the jail becomes much stronger.
I have "mode = aggressive" in my jail.local - that means I have all the
extra features, and more IP addresses are banned. You can see that if I
select "mode = aggressive", the conf file adds the "ddos" and "extra"
regexes.
I hope I haven't confused things :-)
*Relevant lines from /etc/fail2ban/filter.d/sshd.conf*
mdre-normal =

mdre-ddos = ^Did not receive identification string from <HOST>%(__suff)s$
            ^Connection <F-MLFFORGET>reset</F-MLFFORGET> by <HOST>%(__on_port_opt)s%(__suff)s
            ^<F-NOFAIL>SSH: Server;Ltype:</F-NOFAIL> (?:Authname|Version|Kex);Remote: <HOST>-\d+;[A-Z]\w+:
            ^Read from socket failed: Connection <F-MLFFORGET>reset</F-MLFFORGET> by peer%(__suff)s

mdre-extra = ^Received <F-MLFFORGET>disconnect</F-MLFFORGET> from <HOST>%(__on_port_opt)s:\s*14: No supported authentication methods available%(__suff)s$
             ^Unable to negotiate with <HOST>%(__on_port_opt)s: no matching (?:cipher|key exchange method) found.
             ^Unable to negotiate a (?:cipher|key exchange method)%(__suff)s$

mdre-aggressive = %(mdre-ddos)s
                  %(mdre-extra)s

Tony Collins
RMT Tier 1 Health & Safety Representative
Edgware Road Traincrew Depot
07949 228324
On 8 July 2018 at 07:59, Gregory Schultz <[email protected]> wrote:
> Hello,
>
> I’m new at fail2ban and noticed that everything is up and running. The
> part I’m unfamiliar with is adding DDOS protection to SSH. Is this correct?
>
> [DEFAULT]
> ignoreip = 127.0.0.1/8
> bantime = 36000
> findtime = 600
> maxretry = 3
> destemail = [email redact]
> sender = [email redact]
> mta = sendmail
> action = %(action_mwl)s
>
>
> [sshd]
> enabled = true
> logpath = %(sshd_log)s
> port = [port number redacted] (not using port 22)
> banaction = iptables-multiport
> mode = ddos
>
> Thanks.
>
>
> ------------------------------------------------------------
> ------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Fail2ban-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
>
>
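An added example (not part of the original thread and not fail2ban's own code): a Python sketch of how the "mode" setting selects which of the regex sets quoted above get applied, run over constructed sshd messages. HOST, SUFF and PORT_OPT are simplified stand-ins for the filter's real interpolations, the <F-...> tags are stripped without their special handling, and only the mode-specific regexes from the excerpt are covered.

```python
import re
from collections import Counter

# Simplified stand-ins for the filter's interpolations (assumptions, IPv4 only).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
SUFF = r"(?: \[preauth\])?\s*"
PORT_OPT = r"(?: port \d+)?"

# A subset of the failregex lines from the excerpt, copied as written.
MDRE = {
    "ddos": [
        r"^Did not receive identification string from <HOST>%(__suff)s$",
        r"^Connection <F-MLFFORGET>reset</F-MLFFORGET> by <HOST>%(__on_port_opt)s%(__suff)s",
    ],
    "extra": [
        r"^Received <F-MLFFORGET>disconnect</F-MLFFORGET> from <HOST>%(__on_port_opt)s:\s*14: No supported authentication methods available%(__suff)s$",
        r"^Unable to negotiate with <HOST>%(__on_port_opt)s: no matching (?:cipher|key exchange method) found.",
    ],
}
MDRE["normal"] = []                                # mdre-normal is empty
MDRE["aggressive"] = MDRE["ddos"] + MDRE["extra"]  # %(mdre-ddos)s + %(mdre-extra)s

def expand(failregex):
    """Turn one failregex into a plain Python regex (tag semantics are ignored)."""
    plain = re.sub(r"</?F-[A-Z]+>", "", failregex)
    return re.compile(plain.replace("<HOST>", HOST)
                           .replace("%(__suff)s", SUFF)
                           .replace("%(__on_port_opt)s", PORT_OPT))

def matched_hosts(mode, messages):
    """Count, per source address, the messages matched by the mode's regexes."""
    regexes = [expand(r) for r in MDRE[mode]]
    hits = Counter()
    for msg in messages:
        for rx in regexes:
            m = rx.search(msg)
            if m:
                hits[m.group("host")] += 1
                break  # one hit per message is enough
    return dict(hits)

# Constructed sshd messages (the part after the "sshd[pid]: " prefix).
SAMPLE = [
    "Did not receive identification string from 192.0.2.10",
    "Connection reset by 198.51.100.7 port 51122 [preauth]",
    "Unable to negotiate with 203.0.113.5 port 40022: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]",
    "Received disconnect from 203.0.113.5 port 40100:14: No supported authentication methods available [preauth]",
    "Accepted publickey for alice from 192.0.2.44 port 50000 ssh2",
]

if __name__ == "__main__":
    for mode in ("normal", "ddos", "extra", "aggressive"):
        print(mode, matched_hosts(mode, SAMPLE))
```

With these sample messages, "mode = ddos" picks up the two connection-level probes but not the failed negotiation or the "No supported authentication methods" disconnect from 203.0.113.5; "mode = aggressive" picks up all three hosts.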