fail2ban does ban a lot, but lately I look into auth.log now and then and come across things like this, where <ip> is always the same IP:
Feb 29 14:58:33 <host> sshd[3043]: Connection closed by <ip> [preauth]
Feb 29 14:59:01 <host> sshd[3045]: Connection closed by <ip> [preauth]
Feb 29 14:59:30 <host> sshd[3047]: Connection closed by <ip> [preauth]
Feb 29 14:59:58 <host> sshd[3049]: Connection closed by <ip> [preauth]
Feb 29 15:00:27 <host> sshd[3052]: Connection closed by <ip> [preauth]
Feb 29 15:00:55 <host> sshd[3054]: Connection closed by <ip> [preauth]
Feb 29 15:01:24 <host> sshd[3056]: Connection closed by <ip> [preauth]
Feb 29 15:01:53 <host> sshd[3058]: Connection closed by <ip> [preauth]
Feb 29 15:02:21 <host> sshd[3060]: Connection closed by <ip> [preauth]
Feb 29 15:02:50 <host> sshd[3062]: Connection closed by <ip> [preauth]
Feb 29 15:03:18 <host> sshd[3064]: Connection closed by <ip> [preauth]
Feb 29 15:03:46 <host> sshd[3066]: Connection closed by <ip> [preauth]
Feb 29 15:04:14 <host> sshd[3068]: Connection closed by <ip> [preauth]
Feb 29 15:04:43 <host> sshd[3070]: Connection closed by <ip> [preauth]
Feb 29 15:05:11 <host> sshd[3072]: Connection closed by <ip> [preauth]
Feb 29 15:05:40 <host> sshd[3074]: Connection closed by <ip> [preauth]
Feb 29 15:06:08 <host> sshd[3076]: Connection closed by <ip> [preauth]
Feb 29 15:06:37 <host> sshd[3078]: Connection closed by <ip> [preauth]
Feb 29 15:07:06 <host> sshd[3081]: Connection closed by <ip> [preauth]
Feb 29 15:07:34 <host> sshd[3083]: Connection closed by <ip> [preauth]
So I check with:
sudo iptables -L -n --line-numbers | grep <ip>
whether the IP has maybe only just been banned; since that is not the case, I simply do it manually:
sudo fail2ban-client set sshd banip <ip>
The two ssh jails seem to work, because iptables has entries in the chains f2b-sshd-ddos and f2b-sshd that I did not add myself.
The excerpts from jail.local; other jails are not active yet, and I have not made changes to any other fail2ban files:
[sshd]
enabled =true
findtime = 1200
maxretry = 3
bantime = -1
port = ssh
logpath = %(sshd_log)s
...
[sshd-ddos]
# This jail corresponds to the standard configuration in Fail2ban.
# The mail-whois action send a notification e-mail with a whois request
# in the body.
enabled =true
findtime = 1200
maxretry = 3
bantime = -1
port = ssh
logpath = %(sshd_log)s
The question now is how to get the "Connection closed by <ip>" entries banned automatically as well.
Looks like I have found the solution now:
^%(__prefix_line)sConnection closed by <HOST> \[preauth\]$
add this to the failregex in /etc/fail2ban/filter.d/sshd.conf and reload the service.
I will keep an eye on it, but I am submitting the thread anyway.
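As an added example (not part of the post above and not fail2ban's own code), here is the failregex from the post written out as a plain Python regex and run over a few constructed auth.log lines with the jail's findtime = 1200 and maxretry = 3, to show which host the new filter would actually get banned; the host name, IPs and the Accepted line are made-up sample values.

```python
import re
from datetime import datetime

# Constructed sample log lines (not taken from the post); placeholder host and
# documentation-range IPs stand in for the <host> and <ip> in the original.
SAMPLE_LOG = """\
Feb 29 14:58:33 myhost sshd[3043]: Connection closed by 192.0.2.10 [preauth]
Feb 29 14:59:01 myhost sshd[3045]: Connection closed by 192.0.2.10 [preauth]
Feb 29 14:59:30 myhost sshd[3047]: Connection closed by 192.0.2.10 [preauth]
Feb 29 15:30:00 myhost sshd[3100]: Connection closed by 198.51.100.7 [preauth]
Feb 29 15:30:05 myhost sshd[3102]: Accepted publickey for alice from 203.0.113.5 port 50000 ssh2
"""

# Hand-expanded equivalent of the failregex added in the post:
#   ^%(__prefix_line)sConnection closed by <HOST> \[preauth\]$
# fail2ban substitutes %(__prefix_line)s with the syslog prefix (timestamp,
# host, "sshd[pid]:") and <HOST> with a capturing group for the client address.
PREFIX_LINE = r"(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
FAILREGEX = re.compile(PREFIX_LINE + r"Connection closed by (?P<host>\S+) \[preauth\]$")


def parse_ts(ts, year=2024):
    """Syslog timestamps carry no year; assume one (2024 is a leap year, so Feb 29 parses)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def scan(log_text, findtime=1200, maxretry=3):
    """Return the hosts that reach maxretry matches within a sliding findtime window,
    mimicking how fail2ban counts failures for a single failregex."""
    recent = {}      # host -> timestamps of matches still inside the window
    banned = set()
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if not m:
            continue  # e.g. the Accepted publickey line is not a failure
        host, t = m.group("host"), parse_ts(m.group("ts"))
        window = [h for h in recent.get(host, []) if (t - h).total_seconds() <= findtime]
        window.append(t)
        recent[host] = window
        if len(window) >= maxretry:
            banned.add(host)
    return banned


if __name__ == "__main__":
    print(scan(SAMPLE_LOG))  # only 192.0.2.10 has three hits inside 1200 s
```

Keep in mind that sshd logs this line for every client that disconnects before authenticating, so a legitimate client that aborts three connections within findtime gets banned just like the scanner. To test the real filter against the real log, fail2ban ships `fail2ban-regex <logfile> <filterfile>`.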