OpenSSH
OpenSSH (Open Secure Shell) is a set of free software computer programs providing encrypted communication sessions over a computer network using the SSH protocol. It was created as an open alternative to the proprietary Secure Shell software. The project is led by Theo de Raadt from Calgary, Alberta in Canada.
- Aug 14 11:52:00 i60p295 sshd[11437]: Failed password for illegal user test123 from ::ffff:123.123.123.123 port 51381 ssh2
- Aug 14 11:57:59 i60p295 sshd[12365]: Failed publickey for toto from ::ffff:123.123.123.123 port 51332 ssh2
Failregex
The regular expressions below are proposed failregex for this software. Multiple regular expressions for failregex will only work with a version of Fail2ban greater than or equal to 0.7.6.
The tag <HOST> in the regular expressions below is just an alias for (?:::f{4,6}:)?(?P<host>\S+). The replacement is done automatically by Fail2ban when adding the regular expression. At the moment, exactly one named group host or <HOST> tag must be present in each regular expression.
- Authentication failure for .* from <HOST>
- Failed [-/\w]+ for .* from <HOST>
- ROOT LOGIN REFUSED .* FROM <HOST>
- [iI](?:llegal|nvalid) user .* from <HOST>
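An added example (not code from the original page or from the Fail2ban project) that expands the <HOST> tag with the alias quoted above and runs the four proposed expressions over the two log lines shown on this page plus two constructed lines. The second expression is written with a `+` after the character class so it can span a whole word such as "password"; the function names `compile_failregex` and `find_host` are hypothetical.

```python
import re

# Alias Fail2ban substitutes for the <HOST> tag, as quoted on this page.
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>\S+)"

# The proposed failregex. The second has "+" after the character class so it
# can span a whole method name such as "password" or "publickey".
FAILREGEX = [
    r"Authentication failure for .* from <HOST>",
    r"Failed [-/\w]+ for .* from <HOST>",
    r"ROOT LOGIN REFUSED .* FROM <HOST>",
    r"[iI](?:llegal|nvalid) user .* from <HOST>",
]

# First two lines are the samples from this page; the last two are constructed.
SAMPLES = [
    "Aug 14 11:52:00 i60p295 sshd[11437]: Failed password for illegal user test123 from ::ffff:123.123.123.123 port 51381 ssh2",
    "Aug 14 11:57:59 i60p295 sshd[12365]: Failed publickey for toto from ::ffff:123.123.123.123 port 51332 ssh2",
    "Aug 14 12:01:10 i60p295 sshd[12400]: Invalid user admin from 192.0.2.10",
    "Aug 14 12:02:30 i60p295 sshd[12410]: Accepted password for alice from 192.0.2.20 port 50022 ssh2",
]

def compile_failregex(patterns):
    """Expand <HOST> and compile; each pattern must define the 'host' group."""
    compiled = []
    for pattern in patterns:
        # re.compile raises re.error if 'host' ends up defined twice.
        rx = re.compile(pattern.replace("<HOST>", HOST_ALIAS))
        if "host" not in rx.groupindex:
            raise ValueError("no <HOST> tag or host group in: " + pattern)
        compiled.append(rx)
    return compiled

def find_host(line, compiled):
    """Return (pattern index, captured host) for the first match, else None."""
    for index, rx in enumerate(compiled):
        match = rx.search(line)
        if match:
            return index, match.group("host")
    return None

if __name__ == "__main__":
    rules = compile_failregex(FAILREGEX)
    for line in SAMPLES:
        print(find_host(line, rules), "<-", line)
```

The optional `(?:::f{4,6}:)?` prefix in the alias is what strips `::ffff:` from the two page samples, so the captured host is the plain IPv4 address.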
Penalty for invalid user
sshdfilter has a penalty for invalid users. In other words, invalid users may get 2 attempts while invalid passwords for valid users get 5 attempts. How can that be done in Fail2ban?
A convincing argument against doing this says that it lets an attacker know whether or not a username is valid, and thus dramatically decreases the search space of a brute-force attack.
Log IP Addresses
In your OpenSSH config (frequently /etc/ssh/sshd_config), include the line
UseDNS no