Gentoo Forums
com.jcraft.jsch ssh attempts - fail2ban?
audiodef
Posted: Tue Jan 17, 2017 12:19 am    Post subject: com.jcraft.jsch ssh attempts - fail2ban?

I see this in /var/log/messages:
Code:

Jan 17 00:07:48 (servername) sshd[28590]: error: Received disconnect from 85.111.38.130 port 55986:3: com.jcraft.jsch.JSchException: Auth fail [preauth]


What is this? Found something about ssh over java. Since I don't do that, I'm thinking I'd like to have a fail2ban jail monitor for this and ban IP addresses doing this. How would I write such a jail?
_________________
decibel Linux: https://decibellinux.org
Github: https://github.com/Gentoo-Music-and-Audio-Technology
Facebook: https://www.facebook.com/decibellinux
Discord: https://discord.gg/73XV24dNPN
eccerr0r
Posted: Tue Jan 17, 2017 1:33 am

I believe that string is user defined before they disconnect... Since they already tried to connect, the damage is already done.

I don't think it really matters what they put there, it's all not authorized.

These are the close strings of the last thousand or so ssh disconnects I had on my server:
Code:
    376  Bye Bye [preauth]
      1  Closed due to user request.
    167  Closed due to user request. [preauth]
     83  disconnected by user
      4  disconnect [preauth]
      5  java.net.SocketTimeoutException: Read timed out [preauth]
      1  PECL/ssh2 (AITCHTEETEEPEE:pecl.php.net/packages/ssh2) [preauth]
    814   [preauth]
      2  User request [preauth]

Note that AITCHTEETEEPEE: is http:// in my logfile, and I didn't want it to autolink and pollute Google. Note that the vast majority is "blank"... not much can be done to filter these. (And I would suspect some of these may be me aborting my own ssh connections.)
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?
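
The observation above that the close string is chosen by the client, as an added example (not code from either poster): a Python script that keys on sshd's `[preauth]` disconnect rather than on the JSch text, tallies close strings like the list above, and reports source addresses that reach a threshold. The sample log lines, the `maxretry` value and the function names are constructed for illustration.

```python
import re
from collections import Counter

# sshd logs "Received disconnect from <ip> port <n>:<code>: <message> [preauth]".
# <message> is chosen by the client, so it is captured for reporting only and
# never used to decide whether a line counts as a failure.
DISCONNECT = re.compile(
    r"sshd\[\d+\]: (?:error: )?Received disconnect from "
    r"(?P<host>[0-9A-Fa-f:.]+) port \d+:(?P<code>\d+): "
    r"(?P<msg>.*?) ?\[preauth\]\s*$"
)

# Constructed sample lines; addresses are from documentation ranges.
SAMPLE = """\
Jan 17 00:07:48 srv sshd[28590]: error: Received disconnect from 192.0.2.10 port 55986:3: com.jcraft.jsch.JSchException: Auth fail [preauth]
Jan 17 00:07:52 srv sshd[28593]: error: Received disconnect from 192.0.2.10 port 55990:3: com.jcraft.jsch.JSchException: Auth fail [preauth]
Jan 17 00:08:01 srv sshd[28601]: Received disconnect from 198.51.100.7 port 40112:11: Bye Bye [preauth]
Jan 17 00:08:05 srv sshd[28604]: Received disconnect from 198.51.100.7 port 40120:11:  [preauth]
Jan 17 00:08:09 srv sshd[28610]: Received disconnect from 203.0.113.5 port 51000:11: disconnected by user
Jan 17 00:08:12 srv sshd[28612]: Accepted publickey for alice from 203.0.113.5 port 51002 ssh2
"""

def preauth_disconnects(lines):
    """Yield (host, message) for each disconnect before authentication."""
    for line in lines:
        m = DISCONNECT.search(line)
        if m:
            yield m.group("host"), m.group("msg").strip()

def tally(lines):
    """Count pre-auth disconnects per source host and per close string."""
    hosts, messages = Counter(), Counter()
    for host, msg in preauth_disconnects(lines):
        hosts[host] += 1
        messages[msg] += 1
    return hosts, messages

def over_threshold(lines, maxretry=2):
    """Hosts with at least `maxretry` pre-auth disconnects (ban candidates)."""
    hosts, _ = tally(lines)
    return sorted(h for h, n in hosts.items() if n >= maxretry)

if __name__ == "__main__":
    hosts, messages = tally(SAMPLE.splitlines())
    print(messages.most_common())
    print(over_threshold(SAMPLE.splitlines()))
```

The same pattern, with the host group replaced by fail2ban's `<HOST>` tag, is the form a `failregex` line in a filter would take.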
All times are GMT