Re: [Fail2ban-users] new sshd-attack? "PAM: User not known to the underlying authentication module for illegal"

[Yaroslav H. <li...@on...>]

> new line [what do You say?)
> ^%(__prefix_line)s(?:error: PAM: )[uU]ser not know to the underlying
> [aA]uthentication module for illegal .* from <HOST>\s*$

> please, look closer: "User" or "user", and "Authenti..." or
> "autentho..."
> I hope, it will work.
so did adding that additional failregex helped you? 

Recently I've indeed seen attacks when large botnet is used, and they
try to authenticate just 1-3 times, thus it doesn't trigger banning from
fail2ban. That is sad trend in attacks since there is no clear way on
how to handle such cases, besides lowering maxretry to 1 or 2. And
anyways at least few of logins would be attempted from each of those
botnet IPs.

Centralized DB of IPs (like denyhosts did) sounds like the only solution
here but imho it shouldn't be a single server (like denyhosts did) but
rather you start up your own server which receives and pushes those
botnets IPs to subscribed authorized clients. That should work nicely if
you are administrating considerable number of hosts on public network.
Single centralized server (for all fail2ban users) would carry ability
to have DoS accomplished using fail2ban, which is imho is unacceptable.

-- 
                                  .-.
=------------------------------   /v\  ----------------------------=
Keep in touch                    // \\     (yoh@|www.)onerussian.com
Yaroslav Halchenko              /(   )\               ICQ#: 60653192
                   Linux User    ^^-^^    [175555]