These messages are not authentication issues directly, thus they don't belong to the failures in normal mode.
It is rather a matter of the ddos (or aggressive) modes.
Add mode = aggressive to the jail if you want to match them together with authentication failures:
[sshd]
+ mode = aggressive
enabled = true
mode = aggressive
I tried it in /etc/fail2ban/jail.local and restarted the fail2ban server, but it doesn't work. Finally, I edited and set mode = aggressive in /etc/fail2ban/filter.d/sshd.conf and restarted the service, and it works.
Why does jail.local not work?
Oh, my bad, I found the reason: filter = sshd can't work with mode = aggressive.
I changed it to filter = sshd[mode=aggressive] and it's ok.
Yes, the default filter definition looks like this:
https://github.com/fail2ban/fail2ban/blob/65e9c411ef7a78b302e974724bfce782df4eb57e/config/jail.conf#L167
In this case (you haven't overwritten the default filter parameter), setting mode would work properly.
By the way:
Otherwise exactly such things could happen. Let alone you wouldn't know later which parameters are really needed.
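A small check for the point above, added here as an example and not part of fail2ban or this issue: it expands the default filter line (assumed, from the linked jail.conf, to be filter = %(__name__)s[mode=%(mode)s] with mode = normal in [DEFAULT]) for a jail.local and reports whether a mode key in the [sshd] section actually reaches the filter; the three jail.local snippets are constructed.

```python
import configparser
import re

# Default from fail2ban's jail.conf (assumption, matching the linked line):
# filter = %(__name__)s[mode=%(mode)s]   with mode = normal in [DEFAULT]
DEFAULT_FILTER = "%(__name__)s[mode=%(mode)s]"
DEFAULT_MODE = "normal"

# Constructed jail.local variants for the check (not from the issue).
BROKEN = "[sshd]\nenabled = true\nfilter = sshd\nmode = aggressive\n"
VIA_MODE = "[sshd]\nenabled = true\nmode = aggressive\n"
VIA_FILTER = "[sshd]\nenabled = true\nfilter = sshd[mode=aggressive]\n"


def audit_jail(jail_local: str, jail: str = "sshd") -> dict:
    """Work out which filter spec fail2ban will load for `jail` and whether
    an explicit `mode` key actually reaches the filter.

    Only %(__name__)s and %(mode)s are expanded here; that is all the
    default filter line uses, so other interpolations are left alone.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(jail_local)
    sec = cp[jail] if cp.has_section(jail) else {}
    requested = sec.get("mode")                  # None when not set
    spec = sec.get("filter", DEFAULT_FILTER)
    spec = spec.replace("%(__name__)s", jail)
    spec = spec.replace("%(mode)s", requested or DEFAULT_MODE)
    # Mode as seen by the filter: the [mode=...] parameter, else its default.
    m = re.search(r"\[[^\]]*\bmode=([^,\]]+)", spec)
    effective = m.group(1).strip() if m else DEFAULT_MODE
    ok = requested is None or requested == effective
    return {
        "filter": spec,
        "requested_mode": requested,
        "effective_mode": effective,
        "ok": ok,
        # An overridden `filter = sshd` drops the [mode=...] parameter;
        # either delete that line or pass the mode inside the filter spec.
        "fix": None if ok else f"filter = {jail}[mode={requested}]",
    }


if __name__ == "__main__":
    for name, text in (("BROKEN", BROKEN), ("VIA_MODE", VIA_MODE),
                       ("VIA_FILTER", VIA_FILTER)):
        print(name, audit_jail(text))
```

Running it shows the BROKEN snippet (filter = sshd plus mode = aggressive) silently staying in normal mode, while the other two both load sshd[mode=aggressive].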
The IP I use is 103.151.173.102. After adding
^Disconnected from authenticating user <F-USER>.*?</F-USER> <HOST>%(__suff)s$
to /etc/fail2ban/filter.d/sshd.conf, /var/log/fail2ban.log finally has logs, and [Found] and [Ban] work normally.