github
/
fail2ban
mirror of https://github.com/fail2ban/fail2ban
1
0
Fork 0
Code Issues Releases Wiki Activity

Merge pull request #2404 from benrubson/badprotocol 

filter.d/sshd.conf: matches "Bad protocol version identification" in ddos and aggressive modes.
pull/2406/head
Sergey G. Brester 2019-07-22 12:47:39 +02:00 committed by GitHub
parent 119401fced eb308d0fc8
commit 0dfd4f1f41
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 6 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
config/filter.d/sshd.conf
View File

@ -65,6 +65,7 @@ mdre-normal =
mdrp-normal-suff-onclosed = (?:%(__suff)s|\s*)$
mdre-ddos = ^Did not receive identification string from <HOST>
^Bad protocol version identification '.*' from <HOST>
^Connection <F-MLFFORGET>reset</F-MLFFORGET> by <HOST>
^Connection <F-MLFFORGET>closed</F-MLFFORGET> by%(__authng_user)s <HOST>%(__on_port_opt)s\s+\[preauth\]\s*$
^<F-NOFAIL>SSH: Server;Ltype:</F-NOFAIL> (?:Authname|Version|Kex);Remote: <HOST>-\d+;[A-Z]\w+:

1
fail2ban/tests/config/filter.d/zzz-sshd-obsolete-multiline.conf
View File

@ -56,6 +56,7 @@ cmnfailre = ^%(__prefix_line_sl)s[aA]uthentication (?:failure|error|failed) for
mdre-normal =
mdre-ddos = ^%(__prefix_line_sl)sDid not receive identification string from <HOST>
^%(__prefix_line_sl)sBad protocol version identification '.*' from <HOST>
^%(__prefix_line_sl)sConnection closed by%(__authng_user)s <HOST>%(__on_port_opt)s\s+\[preauth\]\s*$
^%(__prefix_line_sl)sConnection reset by <HOST>
^%(__prefix_line_ml1)sSSH: Server;Ltype: (?:Authname|Version|Kex);Remote: <HOST>-\d+;[A-Z]\w+:.*%(__prefix_line_ml2)sRead from socket failed: Connection reset by peer%(__suff)s$

4
fail2ban/tests/files/logs/sshd
View File

@ -267,6 +267,10 @@ Mar 19 16:47:50 srv sshd[5672]: Disconnected from authenticating user admin 192.
Jun 7 01:10:56 host sshd[5937]: Did not receive identification string from 69.61.56.114
# failJSON: { "time": "2005-06-07T01:11:57", "match": true , "host": "192.0.2.5", "desc": "refactored message (with port now, gh-2062)" }
Jun 7 01:11:57 host sshd[8782]: Did not receive identification string from 192.0.2.5 port 35836
# failJSON: { "time": "2005-06-07T01:11:58", "match": true , "host": "69.61.56.115", "desc": "bad protocol version, gh-2404" }
Jun 7 01:11:58 host sshd[8783]: Bad protocol version identification 'dummy string' from 69.61.56.115 port 31778
# failJSON: { "time": "2005-06-07T01:11:58", "match": true , "host": "69.61.56.115", "desc": "check inject on ident" }
Jun 7 01:11:58 host sshd[8783]: Bad protocol version identification 'dummy string' from 192.0.2.1' from 69.61.56.115 port 31778
# gh-864(1):
# failJSON: { "match": false }