[sslh] fail2ban filter
Evert Mouw
post at evert.net
Fri Mar 28 08:22:33 CET 2014
Yesterday I tried to get transparency working. I have one VM that acts
as a proxy and also has sslh installed. Another VM should be accessible
over ssh. No luck. But then I found an old mail in the sslh mailing list
archives:
> Yves Rutschle yves at naryves.com
> Fri Oct 4 08:23:03 CEST 2013
> An alternative would be to write the appropriate regexp for
> fail2ban, extracting the data from sslh logs:
> sslh[17582]: connection from <...> to <...> forwarded from localhost:52890 to localhost:ssh
> -> if I see 5 connections to ssh from the same IP address,
> there's something suspicious going on, ban that IP.
Since my proxy has fail2ban installed, I could block brute force attacks
already on the proxy. I just wrote a small fail2ban filter that I have
not extensively tested but that I will use on my own system. Maybe
others can test it as well or improve it. After that, we can maybe
submit the filter to the fail2ban devs or include it with sslh.
--- start of sslh-ssh.conf ---
# Fail2Ban filter for sslh demultiplexed ssh
#
# Doesn't (and cannot) detect auth errors,
# but many connection attempts from the same
# origin is reason enough to block.
#
# Version: 2014-03-28
[INCLUDES]
# no includes
[Definition]
# <HOST> is expanded by fail2ban into its host/IP capture group;
# the value must stay on one line (an unindented continuation line
# is not valid in a fail2ban filter file).
failregex = ^.+ sslh\[.+\]: connection from <HOST>:.+ to .+ forwarded from .+ to .+:ssh\s*$
ignoreregex =
# Author: Evert Mouw <post at evert.net>
--- end of sslh-ssh.conf ---
Thanks,
Evert
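To exercise the filter outside fail2ban, here is an added Python script (not part of this post, sslh or fail2ban) that expands `<HOST>` the way fail2ban does, runs the failregex over constructed sslh syslog lines, and applies the "5 connections to ssh from one address in a window" rule from the quoted suggestion; the sample addresses, the assumed year for the syslog timestamps and the window length are assumptions.

```python
import re
from datetime import datetime, timedelta

# fail2ban substitutes this group for <HOST> before compiling a failregex;
# the same expansion is used here so the filter can be tested stand-alone.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
FAILREGEX = re.compile(
    r"^.+ sslh\[.+\]: connection from " + HOST
    + r":.+ to .+ forwarded from .+ to .+:ssh\s*$"
)

# Constructed syslog lines in the sslh log format quoted above (not real traffic).
SAMPLE_LOG = [
    "Mar 28 08:20:01 proxy sslh[17582]: connection from 203.0.113.7:52890 to 192.0.2.1:443 forwarded from localhost:52890 to localhost:ssh",
    "Mar 28 08:20:03 proxy sslh[17582]: connection from 198.51.100.9:40210 to 192.0.2.1:443 forwarded from localhost:40210 to localhost:https",
    "Mar 28 08:20:05 proxy sslh[17582]: connection from 203.0.113.7:52891 to 192.0.2.1:443 forwarded from localhost:52891 to localhost:ssh",
    "Mar 28 08:20:09 proxy sslh[17582]: connection from 203.0.113.7:52892 to 192.0.2.1:443 forwarded from localhost:52892 to localhost:ssh",
    "Mar 28 08:20:12 proxy sslh[17582]: connection from 198.51.100.9:40211 to 192.0.2.1:443 forwarded from localhost:40211 to localhost:ssh",
    "Mar 28 08:20:14 proxy sslh[17582]: connection from 203.0.113.7:52893 to 192.0.2.1:443 forwarded from localhost:52893 to localhost:ssh",
    "Mar 28 08:20:20 proxy sslh[17582]: connection from 203.0.113.7:52894 to 192.0.2.1:443 forwarded from localhost:52894 to localhost:ssh",
    "Mar 28 08:45:00 proxy sslh[17582]: connection from 198.51.100.9:40212 to 192.0.2.1:443 forwarded from localhost:40212 to localhost:ssh",
]


def match_host(line):
    """Return the remote address if the line is an sslh forward to ssh, else None."""
    m = FAILREGEX.match(line)
    return m.group("host") if m else None


def find_bans(lines, maxretry=5, findtime=600):
    """Emulate fail2ban's counting: a host whose matches within the last
    `findtime` seconds reach `maxretry` is added to the ban set."""
    recent = {}   # host -> timestamps of matches still inside the window
    banned = set()
    for line in lines:
        host = match_host(line)
        if host is None:
            continue
        # syslog timestamps carry no year; 2014 is assumed for the constructed sample
        ts = datetime.strptime("2014 " + line[:15], "%Y %b %d %H:%M:%S")
        window = [t for t in recent.get(host, []) if ts - t <= timedelta(seconds=findtime)]
        window.append(ts)
        recent[host] = window
        if len(window) >= maxretry:
            banned.add(host)
    return banned


if __name__ == "__main__":
    print("would ban:", sorted(find_bans(SAMPLE_LOG)))
```

The https line is never counted, and the second host only gets banned if the window is widened enough to cover its spaced-out attempts, which is the trade-off between findtime and maxretry the filter leaves to the jail configuration.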