From Fail2ban
Revision as of 11:39, 10 January 2012 by Yakatz (Talk | contribs)

Jump to: navigation, search

OpenSSH (Open Secure Shell) is a set of free software computer programs providing encrypted communication sessions over a computer network using the SSH protocol. It was created as an open alternative to the proprietary Secure Shell software. The project is led by Theo de Raadt from Calgary, Alberta in Canada.

From Wikipedia, the free encyclopedia

  • Aug 14 11:52:00 i60p295 sshd[11437]: Failed password for illegal user test123 from ::ffff: port 51381 ssh2
  • Aug 14 11:57:59 i60p295 sshd[12365]: Failed publickey for toto from ::ffff: port 51332 ssh2


The regular expressions below are proposed failregex for this software. Multiple regular expressions for failregex will only work with a version of Fail2ban greater than or equal to 0.7.6.

The tag <HOST> in the regular expressions below is just an alias for (?:::f{4,6}:)?(?P<host>\S+). The replacement is done automatically by Fail2ban when adding the regular expression. At the moment, exactly one named group host or <HOST> tag must be present in each regular expression.

Please, before editing this section, propose your changes in the discussion page first.

  • Authentication failure for .* from <HOST>
  • Failed [-/\w] for .* from <HOST>
  • [iI](?:llegal|nvalid) user .* from <HOST>

Penalty for invalid user

sshdfilter has a penalty for invalid users. In other words, invalid users may get 2 attempts while invalid password for valid users get 5 attempts. How can that be done in fail2ban?

A convincing argument against doing this says that it lets an attacker know whether or not a username is valid, and thus dramatically decreases the search space of a brute-force attack.

Log IP Addresses

In your OpenSSH config (frequently /etc/ssh/sshd_config), include the line

UseDNS no