From: Yaroslav H. <li...@on...> - 2008-05-12 12:59:23
> new line [what do You say?)
> ^%(__prefix_line)s(?:error: PAM: )[uU]ser not know to the underlying
> [aA]uthentication module for illegal .* from <HOST>\s*$
> please, look closer: "User" or "user", and "Authenti..." or
> "autentho..."
> I hope, it will work.

So did adding that additional failregex help you?

Recently I've indeed seen attacks where a large botnet is used, and they try to authenticate just 1-3 times, thus it doesn't trigger banning from fail2ban. That is a sad trend in attacks, since there is no clear way to handle such cases besides lowering maxretry to 1 or 2. And anyway, at least a few logins would be attempted from each of those botnet IPs.

A centralized DB of IPs (like denyhosts did) sounds like the only solution here, but imho it shouldn't be a single server (like denyhosts did); rather, you start up your own server which receives and pushes those botnet IPs to subscribed authorized clients. That should work nicely if you are administrating a considerable number of hosts on a public network. A single centralized server (for all fail2ban users) would carry the ability to have DoS accomplished using fail2ban, which imho is unacceptable.

-- 
Yaroslav Halchenko
Keep in touch  (yoh@|www.)onerussian.com  ICQ#: 60653192  Linux User [175555]
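As an added example (not part of this thread or of fail2ban's own code), the failregex quoted above is run over constructed sshd log lines and the matched hosts are fed to a minimal reimplementation of fail2ban's maxretry counting, to show why a botnet that makes only 1-2 attempts per IP never gets banned at maxretry=3. The syslog prefix substituted for `%(__prefix_line)s`, the log lines and the IPs are assumptions; findtime is ignored.

```python
import re
from collections import defaultdict

# Constructed stand-in for fail2ban's %(__prefix_line)s: syslog date, host, "sshd[pid]: ".
PREFIX_LINE = r"\S+ \d+ \d+:\d+:\d+ \S+ sshd\[\d+\]: "
# The failregex exactly as posted in the thread.
FAILREGEX = (r"^%(__prefix_line)s(?:error: PAM: )[uU]ser not know to the underlying "
             r"[aA]uthentication module for illegal .* from <HOST>\s*$")

def compile_failregex(failregex, prefix_line=PREFIX_LINE):
    """Expand the fail2ban placeholders and compile to a plain Python regex."""
    pattern = failregex.replace("%(__prefix_line)s", prefix_line)
    return re.compile(pattern.replace("<HOST>", r"(?P<host>\S+)"))

# Constructed log lines: the case variants the regex must accept, plus one that must not match.
SAMPLE_LOG = [
    "May 12 12:01:03 bastion sshd[4021]: error: PAM: User not know to the underlying "
    "authentication module for illegal user admin from 198.51.100.7",
    "May 12 12:01:09 bastion sshd[4022]: error: PAM: user not know to the underlying "
    "Authentication module for illegal user test from 203.0.113.5",
    "May 12 12:02:41 bastion sshd[4030]: Accepted publickey for ops from 192.0.2.1 port 51022",
    "May 12 12:03:15 bastion sshd[4033]: error: PAM: User not know to the underlying "
    "authentication module for illegal user oracle from 198.51.100.7",
    "May 12 12:03:50 bastion sshd[4035]: error: PAM: User not know to the underlying "
    "authentication module for illegal user guest from 192.0.2.9",
    "May 12 12:04:02 bastion sshd[4037]: error: PAM: user not know to the underlying "
    "authentication module for illegal user admin from 203.0.113.5",
]

def extract_hosts(lines, rx):
    """Return the <HOST> of every line the failregex matches, in log order."""
    return [m.group("host") for m in (rx.match(line) for line in lines) if m]

def banned_hosts(hosts, maxretry):
    """fail2ban-style decision (findtime ignored): ban once a host reaches maxretry failures."""
    counts = defaultdict(int)
    for host in hosts:
        counts[host] += 1
    return sorted(host for host, n in counts.items() if n >= maxretry)

FAILREGEX_RE = compile_failregex(FAILREGEX)
HOSTS = extract_hosts(SAMPLE_LOG, FAILREGEX_RE)

if __name__ == "__main__":
    # A botnet making 1-2 attempts per IP never reaches maxretry=3; only lowering it helps.
    for maxretry in (3, 2, 1):
        print(f"maxretry={maxretry}: ban {banned_hosts(HOSTS, maxretry)}")
```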