[Python-modules-team] Bug#949746: fail2ban: bad sshd filter rule for "Connection reset by ..."

Slavko linux at slavino.sk
Fri Jan 24 12:37:58 GMT 2020


Package: fail2ban
Version: 0.10.2-2.1

Recently I found these lines in auth.log:

sshd[5157]: Connection reset by authenticating user root IP.AD.DR.ES port 56014 [preauth]

This line is incorrectly parsed by fail2ban and always produces a fail2ban warning:

fail2ban.ipdns          [834]: WARNING Unable to find a corresponding IP address for authenticating: [Errno -3] Temporary failure in name resolution

The result is that the offending IP is not banned.

IMO, it is caused by the "mdre-ddos" filter rule in sshd.conf, where
"authenticating" is incorrectly captured as the hostname:

^Connection <F-MLFFORGET>reset</F-MLFFORGET> by <HOST>%(__on_port_opt)s%(__suff)s

I append this rule (as an example) before the above-mentioned one; it
captures the correct host:

^Connection <F-MLFFORGET>reset</F-MLFFORGET> by authenticating user \S+ <HOST>

regards

-- 
Slavko
https://www.slavino.sk
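
Added example, not part of the original message and not fail2ban's own code: a Python sketch that replays the two rules quoted in the report against sample log messages to show which token ends up in the host capture. The HOST, ON_PORT_OPT and SUFF patterns are simplified stand-ins assumed here for fail2ban's real interpolations, and the sample lines and the address 192.0.2.10 are constructed.

```python
import re

# Simplified stand-ins (assumptions) for fail2ban's <HOST>, __on_port_opt and
# __suff; the real definitions shipped with fail2ban are more elaborate.
HOST = r"(?:(?P<ip4>(?:\d{1,3}\.){3}\d{1,3})|(?P<dns>[\w\-.]*\w))"
ON_PORT_OPT = r"(?: port \d+)?"
SUFF = r"(?: \[preauth\])?\s*"

def expand(rule):
    """Drop the <F-MLFFORGET> tags and substitute the stand-in patterns."""
    rule = re.sub(r"</?F-MLFFORGET>", "", rule)
    rule = rule.replace("%(__on_port_opt)s", ON_PORT_OPT)
    rule = rule.replace("%(__suff)s", SUFF)
    return re.compile(rule.replace("<HOST>", HOST))

# The two rules exactly as quoted in the report.
ORIGINAL = expand(r"^Connection <F-MLFFORGET>reset</F-MLFFORGET> by "
                  r"<HOST>%(__on_port_opt)s%(__suff)s")
PROPOSED = expand(r"^Connection <F-MLFFORGET>reset</F-MLFFORGET> by "
                  r"authenticating user \S+ <HOST>")

def captured_host(rules, message):
    """Return (kind, value) from the first rule that matches, in list order."""
    for rx in rules:
        m = rx.search(message)
        if m:
            kind = "ip4" if m.group("ip4") else "dns"
            return kind, m.group(kind)
    return None

# Constructed sample messages (log prefix already stripped).
WITH_USER = ("Connection reset by authenticating user root "
             "192.0.2.10 port 56014 [preauth]")
PLAIN = "Connection reset by 192.0.2.10 port 56014 [preauth]"

if __name__ == "__main__":
    # The word after "by" is taken as a DNS name, which triggers the lookup.
    print("original only:", captured_host([ORIGINAL], WITH_USER))
    # With the more specific rule placed first, the address is captured.
    print("proposed first:", captured_host([PROPOSED, ORIGINAL], WITH_USER))
    # The plain form of the message still falls through to the original rule.
    print("plain line:", captured_host([PROPOSED, ORIGINAL], PLAIN))
```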