Thanks Tom,

Yes, it is often the same IP. For example, in yesterday's log I see the IP 189.50.1.206 attempting to connect about 10 times per minute for 5 hours straight. Every attempt generates these two lines in the auth.log:

sshd[9816]: Received disconnect from 189.50.1.206: 11: Bye Bye [preauth]
sshd[9818]: reverse mapping checking getaddrinfo for ns2.caroneonline.com.br [189.50.1.206] failed - POSSIBLE BREAK-IN ATTEMPT!

I really don't know how much of a threat this is, but it doesn't look particularly friendly, and I'm usually curious when my logs scream something like "POSSIBLE BREAK-IN ATTEMPT!" in all caps. That being said, my ssh accepts keys only now, so in theory there's not much of anything that should be a threat. Before I stopped allowing password logins I was getting thousands of brute force login attempts per day.

I really don't know, what's your opinion? Is this a threat? Should I even bother running fail2ban with key-only ssh, or is that enough by itself?

-billy-
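A fail2ban-style filter for the two sshd lines quoted above, written as an added example (not code from this thread or from the fail2ban project): it runs failregex patterns over a constructed auth.log sample and applies the same maxretry/findtime window a jail would before banning. The syslog prefix, PIDs, timestamps and the two addresses other than 189.50.1.206 are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
# fail2ban's <HOST> tag expands to roughly this named group (IP or hostname).
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
# failregex lines in fail2ban style for the two sshd messages quoted above;
# assumption: a plain syslog prefix "<timestamp> <hostname> sshd[<pid>]: ".
FAILREGEX = [
    r"sshd\[\d+\]: Received disconnect from <HOST>: 11: Bye Bye \[preauth\]$",
    r"sshd\[\d+\]: reverse mapping checking getaddrinfo for \S+ \[<HOST>\] failed - POSSIBLE BREAK-IN ATTEMPT!$",
]
COMPILED = [re.compile(p.replace("<HOST>", HOST)) for p in FAILREGEX]
TS_RE = re.compile(r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) ")

# Constructed sample auth.log: PIDs, timestamps and the last two addresses are made up.
SAMPLE_LOG = """\
Aug 24 10:00:01 host sshd[9816]: Received disconnect from 189.50.1.206: 11: Bye Bye [preauth]
Aug 24 10:00:01 host sshd[9818]: reverse mapping checking getaddrinfo for ns2.caroneonline.com.br [189.50.1.206] failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 24 10:00:07 host sshd[9820]: Received disconnect from 189.50.1.206: 11: Bye Bye [preauth]
Aug 24 10:00:07 host sshd[9822]: reverse mapping checking getaddrinfo for ns2.caroneonline.com.br [189.50.1.206] failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 24 10:00:13 host sshd[9824]: Received disconnect from 189.50.1.206: 11: Bye Bye [preauth]
Aug 24 10:05:00 host sshd[9830]: Received disconnect from 203.0.113.9: 11: Bye Bye [preauth]
Aug 24 10:06:00 host sshd[9832]: Accepted publickey for billy from 198.51.100.4 port 51234 ssh2
"""
def match_failures(log_text):
    """Yield (timestamp, host) for every line matching one of the failregexes."""
    for line in log_text.splitlines():
        ts_m = TS_RE.match(line)
        if not ts_m:
            continue
        ts = datetime.strptime(ts_m.group(1), "%b %d %H:%M:%S")
        for rx in COMPILED:
            m = rx.search(line)
            if m:
                yield ts, m.group("host")
                break  # one hit per line, as fail2ban counts it

def hosts_to_ban(log_text, maxretry=5, findtime=600):
    """Hosts with >= maxretry hits inside any findtime-second window (the jail threshold)."""
    hits = defaultdict(list)
    for ts, host in match_failures(log_text):
        hits[host].append(ts)
    banned = []
    for host, times in hits.items():
        times.sort()
        for i in range(len(times) - maxretry + 1):
            if (times[i + maxretry - 1] - times[i]).total_seconds() <= findtime:
                banned.append(host)
                break
    return sorted(banned)
```

Against the sample, only 189.50.1.206 crosses the default threshold; the monitoring-style single connect from 203.0.113.9 and the successful key login do not.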


On Sat, Aug 24, 2013 at 3:21 AM, Tom Hendrikx <tom@whyscream.net> wrote:
On 24-08-13 00:36, billynoah wrote:
> Hello everyone,
>
> I keep receiving this msg in my auth.log over and over:
>
> Received disconnect from (some.ip.add.ress): Bye Bye [preauth]
>
> but fail2ban is not banning the associated IP. Can anyone help me? What
> do I need to do to get fail2ban to recognize this and ban the IP? Is
> this even a threat?
>
> thanks
>
> billy
>

Your questions are in the wrong order :)

The first question should be 'what is causing this?', then you should
determine whether it is an actual threat, then you could add a line in
f2b for it :)

AFAIK, the log line comes from ssh, and indicates a connection from
something that doesn't try (or isn't able) to authenticate. This could be a
probe or portscan, but it could also be a monitoring tool that only
connects to the ssh port to find out if it's still up (f.i. nagios monitoring
ssh remotely). A monitoring process would typically come back every n
minutes.

As far as it being a threat: it doesn't try to auth, so even with 100
connects a day it doesn't do any kind of dictionary attack. Do you even
see the same IP coming back multiple times?

Now, are the connects a threat to you, or not?

--
Tom

_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users