[sslh] SSLH and Fail2ban

Void And Any voidandany at free.fr
Tue Jan 10 22:01:12 CET 2012


Thanks for your answer; effectively, it seems to have a problem with the 
mailing list...

For Fail2Ban I started to make a rule (jail), but I have a problem: when 
I connect with ssh from my enterprise, the log does not contain the from 
IP but the name of the proxy, which cannot be resolved from outside of 
my enterprise:

Jan 10 14:56:13 localhost sslh[30953]: connection from 
proxy.xxx.fr:45873 to 192.168.1.111:https forwarded from localhost:47134 
to localhost:ssh

So Fail2ban cannot ban the IP. Any idea why I don't have the IP address instead?


Yoann

On 10/01/2012 18:26, Yves Rutschle wrote:
> Hi, Sorry about the delay, I just realised now that mailman
> wasn't working...
>
> On Thu, Dec 22, 2011 at 10:42:28PM +0100, Void And Any wrote:
>> But I have a question, is sslh compatible with fail2ban ?
>> [...]
>> Is there a solution ?
> I haven't tried it, but I think it should be possible to run
> fail2ban directly on the sslh log:
>
> Jan 10 10:11:07 thelonious sslh[23183]: connection from 84.14.115.254:36373 to 192.168.0.250:443 forwarded to 127.0.0.1:22
>
> This is enough to see there is a connection from 84.14.115.254
> to ssh. Basically it's not quite normal to see many ssh
> connections from the same IP address, so you should be able
> to make a rule to ban the source IP after "some"
> connections.
>
> This would cause a problem if you have many users connecting
> to sslh from the same IP address, but I don't think that's a
> common use case.
>
> Y.
>
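
The Python example below is an added illustration, not code from this thread or from the sslh or fail2ban projects. It applies the counting rule suggested above to sslh log lines in both formats quoted in the thread, and marks sources that were logged as a host name instead of an IP address, which is the case reported in this message. The names `maxretry` and `findtime` borrow fail2ban's terms; the thresholds, the sample addresses and `proxy.example.net` are constructed.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches both sslh log shapes quoted in this thread.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) \S+ sslh\[\d+\]: connection from "
    r"(?P<src>\S+):\d+ to \S+ forwarded (?:from \S+ )?to \S+:(?P<dport>\w+)$"
)
SSH_PORTS = {"22", "ssh"}  # the target port appears as a number or a service name

def parse(line, year=2012):
    """Return (time, source, is_ip) for a connection forwarded to ssh, else None."""
    m = LINE_RE.match(line.strip())
    if not m or m["dport"] not in SSH_PORTS:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    try:
        ipaddress.ip_address(m["src"])
        return ts, m["src"], True
    except ValueError:
        return ts, m["src"], False  # a name was logged: no address to ban

def find_offenders(lines, maxretry=3, findtime=timedelta(minutes=10)):
    """Map each source with >= maxretry ssh connections in findtime to is_ip."""
    recent, offenders = defaultdict(deque), {}
    for ts, src, is_ip in filter(None, map(parse, lines)):
        window = recent[src]
        window.append(ts)
        while ts - window[0] > findtime:  # drop connections outside the window
            window.popleft()
        if len(window) >= maxretry:
            offenders[src] = is_ip
    return offenders

# Constructed sample lines (documentation addresses), modelled on the thread's logs.
A_FMT = "thelonious sslh[23183]: connection from {}:{} to 192.168.0.250:443 forwarded to 127.0.0.1:{}"
B_FMT = ("localhost sslh[30953]: connection from {}:{} to 192.168.1.111:https "
         "forwarded from localhost:47134 to localhost:ssh")
SAMPLE = (
    [f"Jan 10 10:1{i}:07 " + A_FMT.format("203.0.113.7", 36373 + i, 22) for i in range(3)]
    + [f"Jan 10 10:2{i}:00 " + A_FMT.format("198.51.100.9", 40000 + i, 443) for i in range(3)]
    + [f"Jan 10 14:5{i}:13 " + B_FMT.format("proxy.example.net", 45873 + i) for i in range(3)]
)

if __name__ == "__main__":
    for src, is_ip in find_offenders(SAMPLE).items():
        print(src, "-> ban" if is_ip else "-> cannot ban: host name in log")
```
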


