Hello,

I'm having a problem getting sshd-ddos to trigger an action. From the 
configuration and from the log it looks like things are working, but 
no action is triggered!

Am I missing something?

Thanks in advance for your support
Patrick

Fedora 25 with systemd/journalctl

Packages installed are:
fail2ban-systemd-0.9.6-2.fc25.noarch
fail2ban-server-0.9.6-2.fc25.noarch
fail2ban-sendmail-0.9.6-2.fc25.noarch
fail2ban-mail-0.9.6-2.fc25.noarch
fail2ban-0.9.6-2.fc25.noarch
fail2ban-firewalld-0.9.6-2.fc25.noarch

==========
/etc/fail2ban/filter.d/sshd-ddos
[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]
_daemon = sshd
failregex = ^%(__prefix_line)sDid not receive identification string from <HOST>\s*$
ignoreregex =
[Init]
journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd
# Author: Yaroslav Halchenko

======
/etc/fail2ban/jail.d/sshd-ddos.conf
[sshd-ddos]
enabled = true
port = 23,20022
findtime = 600
bantime = 600


=======
fail2ban-client status
Status
|- Number of jail:      1
`- Jail list:   sshd-ddos


fail2ban-client status sshd-ddos
Status for the jail: sshd-ddos
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
    |- Currently banned:        0
    |- Total banned:    0
    `- Banned IP list:


Below is an extract of the fail2ban log (in DEBUG mode):
  identification string from 15.203.163.254 port 57692'
2017-01-25 11:53:06,613 fail2ban.filtersystemd  [30722]: DEBUG   Read systemd journal entry: '2017-01-25T11:53:06.206739pitchoun.pipiche.net sshd[30729]: Did not receive identification string from 15.203.163.254 port 57712'
2017-01-25 11:53:12,362 fail2ban.filtersystemd  [30722]: DEBUG   Read systemd journal entry: '2017-01-25T11:53:11.983178pitchoun.pipiche.net sshd[30733]: Did not receive identification string from 15.203.163.254 port 57716'
2017-01-25 11:53:13,862 fail2ban.filtersystemd  [30722]: DEBUG   Read systemd journal entry: '2017-01-25T11:53:13.544886pitchoun.pipiche.net sshd[30696]: Did not receive identification string from 62.215.52.6 port 17877'
2017-01-25 11:53:17,612 fail2ban.filtersystemd  [30722]: DEBUG   Read systemd journal entry: '2017-01-25T11:53:17.247066pitchoun.pipiche.net sshd[30740]: Did not receive identification string from 15.203.163.254 port 57718'
2017-01-25 11:53:20,618 fail2ban.filtersystemd  [30722]: DEBUG   Read systemd journal entry: '2017-01-25T11:53:20.399851pitchoun.pipiche.net sshd[30744]: Did not receive identification string from 15.203.163.254 port 57722'
2017-01-25 11:54:25,612 fail2ban.filtersystemd  [30722]: DEBUG   Read systemd journal entry: '2017-01-25T11:54:25.353911pitchoun.pipiche.net sshd[30748]: Did not receive identification string from 201.194.252.161 port 42002'
2017-01-25 12:01:17,551 fail2ban.transmitter    [30722]: DEBUG   Command: ['status']
2017-01-25 12:01:35,906 fail2ban.transmitter    [30722]: DEBUG   Command: ['status', 'sshd-ddos']

_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
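
An added example, not part of the original message and not fail2ban's own code: a Python check of the posted failregex against sshd lines shaped like the journal entries above, showing how the `\s*$` anchor behaves when the line ends in `port N`. The `HOST` and `PREFIX` patterns are simplified stand-ins for fail2ban's `<HOST>` tag and `%(__prefix_line)s`, the port-tolerant variant is an assumed adjustment, and the sample lines are constructed.

```python
import re

# Assumption: simplified stand-in for fail2ban's <HOST> tag (IPv4 only;
# the real expansion also accepts hostnames and IPv6 addresses).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Assumption: simplified stand-in for %(__prefix_line)s with _daemon = sshd:
# an optional hostname followed by "sshd[pid]: ".
PREFIX = r"(?:\S+ )?sshd(?:\[\d+\])?:\s+"

MESSAGE = "Did not receive identification string from "


def compile_failregex(tail):
    """Build the filter's failregex with a given ending after <HOST>."""
    return re.compile("^" + PREFIX + MESSAGE + HOST + tail)


# Ending exactly as in the posted filter: nothing but whitespace after <HOST>.
AS_POSTED = compile_failregex(r"\s*$")

# Hypothetical variant that also tolerates a trailing " port N" field.
WITH_PORT = compile_failregex(r"(?: port \d+)?\s*$")

# Constructed sample lines (date already stripped, documentation addresses),
# modeled on the two shapes sshd can emit for this message.
SAMPLES = [
    "host.example sshd[30729]: " + MESSAGE + "192.0.2.10 port 57712",
    "host.example sshd[30729]: " + MESSAGE + "192.0.2.10",
]


def matched_hosts(regex, lines):
    """Return the captured host for each line, or None where the regex misses."""
    hosts = []
    for line in lines:
        found = regex.search(line)
        hosts.append(found.group("host") if found else None)
    return hosts


if __name__ == "__main__":
    print("as posted :", matched_hosts(AS_POSTED, SAMPLES))
    print("with port :", matched_hosts(WITH_PORT, SAMPLES))
```

On a live system the same comparison can be made against the real filter with `fail2ban-regex systemd-journal /etc/fail2ban/filter.d/sshd-ddos.conf`, which reports how many journal lines the failregex matched and missed.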