added fail2ban configuration examples

This commit is contained in:
Yves Rutschle 2014-03-30 18:51:21 +02:00
parent 7d6cac73d4
commit 6fb234f85e
4 changed files with 49 additions and 0 deletions


@ -3,6 +3,9 @@ vNEXT:
privilege escalation).
(Lars Vogdt)
Example configuration for fail2ban.
(Every Mouw)
v1.16: 11FEB2014
Probes made more resilient, to incoming data
containing NULLs. Also made them behave properly
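Review bot: the credit on the new ChangeLog entry, "(Every Mouw)", does not agree with the author line added by the same commit in the filter file, "# Author: Evert Mouw <post@evert.net>"; one of the two spellings is a typo and they should match.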


@ -250,6 +250,18 @@ This will not work:
sslh --listen 192.168.0.1:443 --ssh 127.0.0.1:22 --ssl 127.0.0.1:4443
Fail2ban
--------
If using transparent proxying, just use the standard ssh
rules. If you can't or don't want to use transparent
proxying, you can set `fail2ban` rules to block repeated ssh
connections from a same IP address (obviously this depends
on the site, there might be legimite reasons you would get
many connections to ssh from the same IP address...)
See example files in scripts/fail2ban.
Comments? Questions?
====================
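Review bot: "legimite" in the new Fail2ban paragraph should be "legitimate", and "from a same IP address" reads better as "from the same IP address". The paragraph would also benefit from the caveat the filter file states in its own header: without transparent proxying sslh never sees ssh authentication results, so the jail fires on the number of connections from one source rather than on failed logins, which is exactly why the case of many legitimate connections from one address needs calling out here.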


@ -0,0 +1,9 @@
# Add the following to your fail2ban jail.conf
# In Debian you'd append it to /etc/fail2ban/jail.local
[sslh-ssh]
enabled = true
filter = sslh-ssh
action = iptables-multiport[name=sslh,port="443"]
logpath = /var/log/messages
maxretry = 5
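Review bot: the header comment presents this as a Debian jail.local snippet, but `logpath = /var/log/messages` is not where Debian's default syslog configuration writes daemon messages (it uses /var/log/syslog and /var/log/daemon.log); either use a Debian path in a Debian example or say in the comment that logpath must match the local syslog setup, otherwise the jail is enabled but silently reads an empty or missing file. A one-line comment that `port="443"` must be the port sslh listens on (the README examples use 443) would also help, together with the consequence that a ban on that port cuts the offending address off from everything sslh multiplexes there, https included, not just ssh.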


@ -0,0 +1,25 @@
# Add the following to you fail2ban configuration file
# In Debian it'd go in /etc/fail2ban/filter.d/sslh-ssh.conf
# Fail2Ban filter for sslh demultiplexed ssh
#
# Doesn't (and cannot) detect auth errors,
# but many connection attempts from the same
# origin is reason enough to block.
#
# Verion: 2014-03-28
[INCLUDES]
# no includes
[Definition]
failregex = ^.+ sslh\[.+\]: connection from <HOST>:.+ to .+ forwarded
from .+ to .+:ssh\s*$
ignoreregex =
# Author: Evert Mouw <post@evert.net>
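Review bot: two typos in the header, "to you fail2ban configuration file" should be "to your fail2ban configuration file" and "Verion" should be "Version". The failregex value is split over two lines; in fail2ban's INI format a continuation line must start with whitespace or the second half ("from .+ to .+:ssh\s*$") is parsed as a separate key instead of the rest of the pattern, so make sure the continuation keeps its leading indentation (the rendered diff does not show whether it does). The pattern also ends in `:ssh\s*$`, i.e. it relies on sslh logging the destination port as the service name rather than as the number 22; a setup that logs numeric ports will never match, and a comment saying so would spare users a jail that never bans anything. Minor: the `# Author:` line would normally sit in the header block with the version rather than after `ignoreregex`.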