I'm getting a lot of alerts with the following:
How do I add a filter to my jail.local to block the IP address? I already have a failregex to block "Bad protocol version identification" trying to access sshd.
Thanks.
Replies: 1 comment 4 replies
Well, I'm unsure why you assign these log messages to sshd, where it is obviously runcloud (and probably you'd need to protect http port (80,443) instead of sshd port (22)).

Anyway, if you nevertheless need to extend sshd's failregex, you would need to match the string starting from `runcloud ...`, because timestamp would be captured by datepattern and `server` part by `prefregex` of sshd-filter, so it'd be something like that:

```ini
[sshd]
failregex = %(known/failregex)s
            ^runcloud\[\d+\]: echo: http: TLS handshake error from <ADDR>:\d+
```

to test it with fail2ban-regex try this:

```bash
# replace systemd-journal with log-filename if it is a file-related jail:
fail2ban-regex systemd-journal 'sshd[failregex="^runcloud\[\d+\]: echo: http: TLS handshake error from <ADDR>:\d+"]'
```

However I guess it'd be a totally different jail, e.g. something like that:

```ini
[runcloud]
port = 80,443
logpath = ...
journalmatch = ...
failregex = ^\s*\S+ runcloud\[\d+\]: echo: http: TLS handshake error from <ADDR>:\d+
...
enabled = true
```
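An added illustration (not part of the reply above and not fail2ban's own code) of why the two failregex values anchor at different points: the sshd variant only matches once the host part has been consumed, while the standalone jail's `^\s*\S+ ` skips it itself. The `<ADDR>` expansion, the timestamp pattern, the sample log lines and `maxretry=3` are assumptions made for this sketch.

```python
import re
from collections import Counter

# Simplified stand-in for fail2ban's <ADDR> tag (assumption, not its real expansion):
# an IPv4 address, or an IPv6 address optionally wrapped in [ ].
ADDR = r"\[?(?P<ip>(?:\d{1,3}\.){3}\d{1,3}|[0-9A-Fa-f:]{3,39})\]?"
# Assumed syslog-style timestamp; the datepattern removes it before failregex runs.
TIMESTAMP = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}\s*")
# Host part that, per the reply, the sshd filter's prefregex consumes.
HOST = re.compile(r"^\S+ ")

# The two failregex values from the reply above.
SSHD_EXTRA = r"^runcloud\[\d+\]: echo: http: TLS handshake error from <ADDR>:\d+"
RUNCLOUD_JAIL = r"^\s*\S+ runcloud\[\d+\]: echo: http: TLS handshake error from <ADDR>:\d+"

# Constructed sample lines (the poster's real log excerpt is not on the page).
SAMPLE = [
    "Mar  3 10:15:01 web1 runcloud[812]: echo: http: TLS handshake error from 203.0.113.7:51234: EOF",
    "Mar  3 10:15:02 web1 runcloud[812]: echo: http: TLS handshake error from 203.0.113.7:51240: EOF",
    "Mar  3 10:15:03 web1 runcloud[812]: echo: http: TLS handshake error from 203.0.113.7:51251: EOF",
    "Mar  3 10:15:04 web1 runcloud[812]: echo: http: TLS handshake error from [2001:db8::1]:40022: EOF",
    "Mar  3 10:15:05 web1 sshd[901]: Bad protocol version identification 'GET /' from 198.51.100.9 port 4711",
]

def count_failures(lines, failregex, host_consumed=False):
    """Count matches per IP, applying failregex to each line after the timestamp is removed."""
    rx = re.compile(failregex.replace("<ADDR>", ADDR))
    hits = Counter()
    for line in lines:
        rest = TIMESTAMP.sub("", line, count=1)
        if host_consumed:  # emulate the prefix having been stripped already
            rest = HOST.sub("", rest, count=1)
        m = rx.search(rest)
        if m:
            hits[m.group("ip")] += 1
    return hits

def would_ban(lines, failregex, maxretry=3, host_consumed=False):
    """Return the IPs whose match count reaches maxretry."""
    hits = count_failures(lines, failregex, host_consumed)
    return sorted(ip for ip, n in hits.items() if n >= maxretry)

if __name__ == "__main__":
    print("runcloud jail:", dict(count_failures(SAMPLE, RUNCLOUD_JAIL)))
    print("sshd extra, host kept:", dict(count_failures(SAMPLE, SSHD_EXTRA)))
    print("sshd extra, host consumed:", dict(count_failures(SAMPLE, SSHD_EXTRA, True)))
    print("would ban:", would_ban(SAMPLE, RUNCLOUD_JAIL))
```

On a real system, `fail2ban-regex` as shown in the reply remains the authoritative check, since it uses the actual datepattern, prefregex and `<ADDR>` handling.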