Regex para vários sshd Desconexão recebida de… [preauth]

Question

Regex para vários sshd Desconexão recebida de… [preauth]

#1 resposta do (14 votos)

6

Qual regex fail2ban detectaria logs como esses?

Apr  9 08:48:28 server sshd[1856]: Received disconnect from 43.255.190.117: 11:  [preauth]
Apr  9 09:06:05 server sshd[1936]: Received disconnect from 43.255.191.159: 11:  [preauth]
Apr  9 09:06:10 server sshd[1938]: Received disconnect from 43.255.190.126: 11:  [preauth]
Apr  9 09:31:12 server sshd[2005]: Received disconnect from 43.255.190.123: 11:  [preauth]
Apr  9 09:37:06 server sshd[2013]: Received disconnect from 43.255.190.149: 11:  [preauth]
Apr  9 09:53:55 server sshd[2036]: Received disconnect from 43.255.190.149: 11:  [preauth]
Apr  9 10:16:59 server sshd[2368]: Received disconnect from 43.255.190.165: 11:  [preauth]
Apr  9 10:47:30 server sshd[3800]: Received disconnect from 43.255.190.150: 11:  [preauth]
Apr  9 11:04:01 server sshd[6855]: Received disconnect from 43.255.190.131: 11:  [preauth]

e / ou com Bye Bye

Apr  9 12:29:59 server sshd[7764]: Received disconnect from 180.210.234.87: 11: Bye Bye [preauth]
Apr  9 12:30:00 server sshd[7766]: Received disconnect from 180.210.234.87: 11: Bye Bye [preauth]
Apr  9 12:30:01 server sshd[7768]: Received disconnect from 180.210.234.87: 11: Bye Bye [preauth]
Apr  9 12:30:03 server sshd[7776]: Received disconnect from 180.210.234.87: 11: Bye Bye [preauth]
Apr  9 12:30:04 server sshd[7778]: Received disconnect from 180.210.234.87: 11: Bye Bye [preauth]
Apr  9 12:30:05 server sshd[7780]: Received disconnect from 180.210.234.87: 11: Bye Bye [preauth]
Apr  9 12:30:06 server sshd[7782]: Received disconnect from 180.210.234.87: 11: Bye Bye [preauth]
Apr  9 12:30:07 server sshd[7784]: Received disconnect from 180.210.234.87: 11: Bye Bye [preauth]
Apr  9 12:30:08 server sshd[7786]: Received disconnect from 180.210.234.87: 11: Bye Bye [preauth]
Apr  9 12:30:10 server sshd[7788]: Received disconnect from 180.210.234.87: 11: Bye Bye [preauth]
Apr  9 12:30:11 server sshd[7790]: Received disconnect from 180.210.234.87: 11: Bye Bye [preauth]
Apr  9 12:30:12 server sshd[7792]: Received disconnect from 180.210.234.87: 11: Bye Bye [preauth]
Apr  9 12:30:13 server sshd[7794]: Received disconnect from 180.210.234.87: 11: Bye Bye [preauth]
Apr  9 12:30:14 server sshd[7796]: Received disconnect from 180.210.234.87: 11: Bye Bye [preauth]
Apr  9 12:30:15 server sshd[7798]: Received disconnect from 180.210.234.87: 11: Bye Bye [preauth]
Apr  9 12:30:17 server sshd[7800]: Received disconnect from 180.210.234.87: 11: Bye Bye [preauth]

O que essas pessoas estão fazendo, eu gostaria de uma regra do fail2ban para isso. Aparentemente eles não estão fazendo mais nada para tropeçar no fail2ban, apesar da frequência das tentativas.

regex fail2ban

por JB0x2D1 10.04.2015 / 01:45

1 resposta

Tags regex fail2ban

Por que o r10k é chamado r10k? [fechadas] Qual SO está sendo executado no meu contêiner do Docker?

score 14 · Accepted Answer

Você pode usar esta regra:

^%(__prefix_line)sReceived disconnect from <HOST>: 11: (Bye Bye)? \[preauth\]$

Para testá-lo com fail2ban-regex ou egrep, você pode despir o ^%(__prefix_line)s desde o início. Adicione esta linha à variável failregex no seu /etc/fail2ban/filter.d/sshd.conf .

Uma corrida com fail2ban-regex me deu esses resultados, confirmando que a regra corresponde:

Running tests
=============

Use regex file : sshd.conf
Use log file   : /var/log/auth.log


Results
=======

Failregex
|- Regular expressions:
[...]
|  [11] ^\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?|[\[\(]?sshd(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*Received disconnect from <HOST>: 11: (Bye Bye)? \[preauth\]$
|
'- Number of matches:
[...]
   [11] 545 match(es)
[...]