[Python-modules-team] Bug#949746: fail2ban: bad sshd filter rule for "Connection reset by ..."
Slavko
linux at slavino.sk
Fri Jan 24 12:37:58 GMT 2020
Package: fail2ban
Version: 0.10.2-2.1
Recently I found these lines in auth.log:
sshd[5157]: Connection reset by authenticating user root IP.AD.DR.ES port 56014 [preauth]
This line is incorrectly parsed by fail2ban and always produces a fail2ban warning:
fail2ban.ipdns [834]: WARNING Unable to find a corresponding IP address for authenticating: [Errno -3] Temporary failure in name resolution
The result is that the offending IP is not banned.
IMO, it is caused by the "mdre-ddos" filter rule in sshd.conf, where
the incorrect "authenticating" is captured as the hostname:
^Connection <F-MLFFORGET>reset</F-MLFFORGET> by <HOST>%(__on_port_opt)s%(__suff)s
I append this rule (as an example) before the above mentioned one, which
captures the correct host:
^Connection <F-MLFFORGET>reset</F-MLFFORGET> by authenticating user \S+ <HOST>
regards
--
Slavko
https://www.slavino.sk
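
The mis-capture described in this report, reproduced as an added example (not part of the original message and not fail2ban's own code). `HOST`, `ON_PORT_OPT` and `SUFF` are simplified stand-ins for fail2ban's tag expansion, first-match-wins rule ordering is assumed, and the sample log messages are constructed.

```python
import re

# Simplified stand-ins (assumptions) for fail2ban's tag expansion; the real
# <HOST> pattern also covers IPv6 and the real option macros are longer.
HOST = r"(?:(?P<ip4>(?:\d{1,3}\.){3}\d{1,3})|(?P<dns>[\w\-.^_]*\w))"
ON_PORT_OPT = r"(?: port \d+)?"
SUFF = r"(?: \[preauth\])?\s*"

def expand(rule):
    """Expand the tags used by the two rules quoted in the report."""
    rule = rule.replace("<F-MLFFORGET>", "(?P<mlfforget>").replace("</F-MLFFORGET>", ")")
    rule = rule.replace("%(__on_port_opt)s", ON_PORT_OPT).replace("%(__suff)s", SUFF)
    return re.compile(rule.replace("<HOST>", HOST))

# The rule from sshd.conf as quoted in the report, and the proposed extra rule.
GENERIC = expand(r"^Connection <F-MLFFORGET>reset</F-MLFFORGET> by <HOST>%(__on_port_opt)s%(__suff)s")
SPECIFIC = expand(r"^Connection <F-MLFFORGET>reset</F-MLFFORGET> by authenticating user \S+ <HOST>")

def captured_host(message, rules):
    """Return (kind, value) from the first rule that matches, else None."""
    for rx in rules:
        m = rx.search(message)
        if m:
            # A "dns" capture is what gets handed to name resolution.
            return ("ip4", m.group("ip4")) if m.group("ip4") else ("dns", m.group("dns"))
    return None

# Constructed sample messages; 192.0.2.10 is a documentation address.
AUTH_USER = "Connection reset by authenticating user root 192.0.2.10 port 56014 [preauth]"
PLAIN = "Connection reset by 192.0.2.10 port 56014 [preauth]"

if __name__ == "__main__":
    for name, rules in (("original", [GENERIC]), ("patched", [SPECIFIC, GENERIC])):
        for msg in (AUTH_USER, PLAIN):
            print(f"{name:8} {captured_host(msg, rules)}  <- {msg}")
```

With only the generic rule, the word "authenticating" satisfies the hostname branch of `<HOST>` and the optional port and suffix groups match empty, so the rule still matches but yields a name instead of the address.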