marckn n00b
Joined: 28 Apr 2006 Posts: 11
Posted: Sat May 16, 2015 9:06 pm Post subject: A question about fail2ban filters
Hi everyone,
I've just moved to fail2ban+iptables after my old server died (wow, now I'm really leaving old x86_32 behind).
Now... I think it works like a charm but I see that fail2ban is not detecting preauth:
Code:
May 16 04:56:43 nas sshd[11460]: SSH: Server;Ltype: Version;Remote: 222.89.166.12-60200;Protocol: 2.0;Client: PUTTY
May 16 04:56:44 nas sshd[11460]: SSH: Server;Ltype: Kex;Remote: 222.89.166.12-60200;Enc: aes128-ctr;MAC: hmac-sha1;Comp: none [preauth]
May 16 04:56:45 nas sshd[11460]: Received disconnect from 222.89.166.12: 11: [preauth]
I guess this is not really a failed login attempt and so it is not considered as a threat, but I'd like to make sure of this point. So, what's happening exactly when I get these three entries in my log? Is it still a malicious action coming from someone? If so, what's the point? Just probing? And if it's malicious and s/he is probing, why not ban him outright?
Just a curiosity.... I don't think the cutting-edge, world-changing technologies being developed in my home network are in danger of being exposed.
Bye,
Marco
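An added example, not part of the original post and not fail2ban's own filter code: a small Python check that groups sshd lines by PID and counts, per source address, the sessions that end in a `[preauth]` disconnect with no authentication attempt logged. The regexes, the list of "authentication attempt" messages and the function name are assumptions written around the three log lines quoted in the post.

```python
import re
from collections import defaultdict

# The three log lines quoted in the post above.
SAMPLE_LOG = """\
May 16 04:56:43 nas sshd[11460]: SSH: Server;Ltype: Version;Remote: 222.89.166.12-60200;Protocol: 2.0;Client: PUTTY
May 16 04:56:44 nas sshd[11460]: SSH: Server;Ltype: Kex;Remote: 222.89.166.12-60200;Enc: aes128-ctr;MAC: hmac-sha1;Comp: none [preauth]
May 16 04:56:45 nas sshd[11460]: Received disconnect from 222.89.166.12: 11: [preauth]
"""

# syslog prefix: "Mon DD HH:MM:SS host sshd[pid]: message"
LINE_RE = re.compile(r"^\w{3}\s+\d+\s[\d:]{8}\s\S+\ssshd\[(?P<pid>\d+)\]:\s(?P<msg>.*)$")
REMOTE_RE = re.compile(r"Remote: (?P<ip>[0-9a-fA-F.:]+)-(?P<port>\d+);")
DISCONNECT_RE = re.compile(r"^Received disconnect from (?P<ip>[0-9a-fA-F.:]+): .*\[preauth\]\s*$")
# Assumption: these message prefixes mark a real authentication attempt.
AUTH_RE = re.compile(r"^(Failed|Accepted) \S+ for |^Invalid user ")


def preauth_disconnects(log_text):
    """Return {ip: sessions} that disconnected in preauth without trying to log in."""
    # Keyed by PID only; a long log with PID reuse would also need the timestamp.
    sessions = defaultdict(lambda: {"ip": None, "auth": False, "dropped": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        s, msg = sessions[m["pid"]], m["msg"]
        r = REMOTE_RE.search(msg)
        if r:
            s["ip"] = r["ip"]
        if AUTH_RE.search(msg):
            s["auth"] = True
        d = DISCONNECT_RE.match(msg)
        if d:
            s["ip"], s["dropped"] = d["ip"], True
    counts = defaultdict(int)
    for s in sessions.values():
        if s["dropped"] and not s["auth"]:
            counts[s["ip"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for ip, n in preauth_disconnects(SAMPLE_LOG).items():
        print(f"{ip}: {n} preauth disconnect(s) with no login attempt")
```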