[sslh] fail2ban

Yves Rutschle yves at naryves.com
Tue Feb 14 10:40:43 CET 2012


Hi Yves,

On Tue, Feb 14, 2012 at 09:58:58AM +0100, Yves (theYinYeti) wrote:
> I tried finding on Google, but couldn't, how fail2ban can be
> configured to work with sslh.
> I'd like SSH and HTTPS connections through sslh to seem to come
> from where they should, and not from 127.0.0.1.
> Is it possible?

This has been discussed already but there is currently no
solution. Basically it's not possible to have the source
addresses in sshd and httpd.

I haven't tried it, but I think it should be possible to run
fail2ban directly on the sslh log:

Jan 10 10:11:07 thelonious sslh[23183]: connection from 84.14.115.254:36373 to 192.168.0.250:443 forwarded to 127.0.0.1:22

This is enough to see there is a connection from 84.14.115.254
to ssh. Basically it's not quite normal to see many ssh
connections from the same IP address, so you should be able
to make a rule to ban the source IP after "some"
connections.

This would cause a problem if you have many users connecting
to sslh from the same IP address, but I don't think that's a
common use case.

Please let me know if you get something working, as I'd like
to add a solution to the Web site.

Cheers,
Y.
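
The counting rule suggested in the message above, as an added example that is not part of the original post and is not sslh or fail2ban code: it parses sslh log lines in the quoted format and returns source addresses that reach a threshold of ssh forwards inside a time window. The threshold, window, year, backend port 22, allow-list parameter and all sample lines are assumptions constructed for illustration; the allow-list covers the shared-address case the message mentions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# IPv4-only pattern for the sslh log line format quoted in the message.
SSLH_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sslh\[\d+\]: "
    r"connection from (?P<src>\d{1,3}(?:\.\d{1,3}){3}):\d+ to \S+ "
    r"forwarded to \S+:(?P<dport>\d+)$")

def parse(line, year=2012):
    """Return (timestamp, source_ip, backend_port), or None for other lines."""
    m = SSLH_LINE.match(line.strip())
    if not m:
        return None
    # Syslog timestamps carry no year, so the caller supplies one (assumption).
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["src"], int(m["dport"])

def sources_to_ban(lines, ssh_port=22, threshold=5,
                   window=timedelta(minutes=10), ignore=frozenset()):
    """Sources reaching `threshold` ssh forwards within `window`, in ban order."""
    recent = defaultdict(deque)  # source IP -> timestamps still inside the window
    banned = []
    for rec in filter(None, map(parse, lines)):
        ts, src, dport = rec
        if dport != ssh_port or src in ignore or src in banned:
            continue  # HTTPS forwards, allow-listed and already-banned sources
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:  # drop connections older than the window
            q.popleft()
        if len(q) >= threshold:
            banned.append(src)
    return banned

def _line(hms, src, backend):  # builds a constructed line in the quoted format
    return (f"Jan 10 {hms} thelonious sslh[23183]: connection from {src}:40000 "
            f"to 192.168.0.250:443 forwarded to {backend}")

# Constructed sample data (documentation address ranges), not real traffic.
SAMPLE_LOG = (
    [_line(f"10:11:{s:02d}", "203.0.113.7", "127.0.0.1:22") for s in range(0, 60, 10)]
    + [_line(f"10:12:{s:02d}", "198.51.100.20", "127.0.0.1:443") for s in range(0, 60, 10)]
    + [_line(f"{h}:00:00", "192.0.2.9", "127.0.0.1:22") for h in range(11, 17)])

if __name__ == "__main__":
    print(sources_to_ban(SAMPLE_LOG))
```

In fail2ban terms the threshold, window and allow-list correspond to the jail options maxretry, findtime and ignoreip.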
